12 February, 2020
How Russian hackers used nine seconds of computing time to steal information about the Strategic Defense Initiative … in 1986
In computer-science time, the year 1986 seems like an almost impossibly distant past. The World Wide Web did not yet exist, computer users paid handsomely for clunky boxes whose RAM measured in a handful of megabytes and cellular phones used first-generation wireless networking.
But in terms of computer security, we haven’t come as far from 1986 as we would like to think.
That year, Clifford Stoll, an astronomer turned computer systems administrator at Lawrence Berkeley National Laboratory, was asked to reconcile a discrepancy in his institution’s computer usage logs. Someone had used about nine seconds of computing time that did not get properly attributed, resulting in a $0.75 shortfall. That seemingly trivial mismatch led Stoll down a year-long rabbit hole of investigation that resulted in the unmasking of a Russian-sponsored international group of hackers working out of Germany to steal US military secrets for the KGB.
You read that right. The hackers were led by Markus Hess, who had found a series of institutional weaknesses in different computing systems that allowed him to leapfrog his way from computers at the University of Bremen in Germany, across the Atlantic, into the Jet Propulsion Laboratory in Pasadena, Calif., and into military networks like ARPANET and MILNET.
Stoll’s system at Berkeley Labs was just one of many hops along the way. What distinguished Stoll from the other system administrators whom Hess hoodwinked and exploited was simply that Stoll noticed the discrepancy—and kept asking questions.
The Lone Voice in the Wilderness
How could Hess’ group hack into our critical defense networks? Chalk it up to poor password security, unpatched vulnerabilities and overall user laxity throughout the business, educational and government systems they encountered. The net effect of these systemic security lapses meant that enemy spies could easily obtain sensitive and confidential records. But at the individual level, most of the affected systems were only incidentally touched. It was easy to overlook a nine-second discrepancy, especially when investigating a problem worth $0.75 ultimately occupied a senior employee nearly full time for almost a year. Few had Stoll’s single-mindedness of purpose, and Hess’ group took advantage of that.
Hess’ group also took advantage of the fact that most organizations were disinclined to undertake costly measures to enhance their security unless they had been directly victimized. But in a networked world, that meant those insecure organizations weakened all of their neighbors.
Strikingly, Stoll also faced challenges in getting the government to take the risk seriously. As a hippie-adjacent college scientist in Berkeley, he was naturally suspicious of government agencies, but ironically frustrated by their sluggish responses. Weren’t these government spooks supposed to happily trample over people’s privacy when national security was at risk? he thought. Instead, the FBI, CIA, NSA, Air Force and German authorities all struggled to work out where this novel problem fell in their respective jurisdictions and remits.
Stoll had worked out that the hackers, whoever they were, were primarily interested in information about the United States’ proposed Strategic Defense Initiative (SDI), nicknamed “Star Wars.” Eventually, Stoll laid a trap by building a so-called “honeypot” of fake SDI documents he invented for the purpose of attracting the hackers’ attention long enough to trace their connections. This was the first documented use of the “honeypot” technique.
The Cuckoo’s Egg
We know about the intricacies of Stoll’s work because he kept extensive and prodigious records, and ultimately published the story in 1989 as the true-life cyber-espionage thriller The Cuckoo’s Egg.
In the book, Stoll noted, “The hacker didn’t succeed through sophistication. Rather he poked at obvious places, trying to enter through unlocked doors. Persistence, not wizardry, let him through.”
This is but one of the many lessons Stoll learned in the 1980s that resonates today. Law enforcement agencies still struggle with information sharing; individual institutions still fall short of protecting their digital assets; users still rely on insecure passwords like “password” and “1234”; and the political schisms among ideologies still color how we think and talk about information security, devolving into arguments between national security versus individual privacy, as if it were an either/or proposition.
The Cybersecurity Act of 2015 sought to shore up these gaps by creating a framework for cybersecurity information sharing among the intelligence agencies and private companies. To the disappointment of its supporters, only six non-governmental entities have chosen to participate in the information sharing network. In many ways, information security professionals face the same challenges today that Stoll did all those years ago.
Hess was tried in Germany in 1990 and found guilty of espionage. He was sentenced to just 20 months, and that sentence was suspended as long as did not get into any more trouble. He withdrew from hacking and has avoided the public spotlight ever since. He has never openly discussed the case.
For further information, please contact:
Stuart Witchell, Managing Director, Berkeley Research Group
switchell@thinkbrg.com