Sunday, June 15, 2008

Insider Attacks: School as Target

As I was checking legal databases to see what’s new in cybercrime, I found an opinion involving an insider attack.

In the opinion, the court rejects a defendant’s request to vacate the sentence it imposed after he pled guilty to “unauthorized computer intrusion . . . in violation of” 18 U.S. Code § 1030, the basic federal computer crime statute. Underwood v. U.S., 2008 WL 648459 (U.S. District Court – Western District of Missouri 2008).

The defendant – Henry Curtis Underwood – claimed his sentence should be set aside because of ineffective assistance of counsel.

Mr. Underwood lost, as defendants usually do when they raise this issue. The reason for that, basically, is that in order to prevail a defendant has to show that his attorney’s performance was “constitutionally deficient” and that this deficiency prejudiced the outcome of the case, i.e., resulted in his erroneously pleading guilty in a case like this. Strickland v. Washington, 466 U.S. 668, 687 (1984). The court in this case found that the arguments Mr. Underwood advanced as to why his attorney was ineffective were not well-grounded; one particular point that didn’t help was that at the hearing at which he pled guilty, he said “she had neither done anything that Underwood did not want her to do nor had she failed to do anything [he] asked her to do.” Underwood v. U.S. supra.

This post, though, is not about Mr. Underwood’s trying to get his plea and sentence set aside. I thought the facts in the case were a good example of the kind of damage an “insider” can do. Here’s how a US Department of Justice Press Release described what led to his being charged with unauthorized access in violation of § 1030:
Underwood was employed as the [Northeast Nodaway R-V School District’s] technology coordinator, but had been placed on administrative leave at the time of the offense. Underwood had been convicted of bank robbery in 1995 in federal court in Texas and sentenced to five years and three months in federal prison, but Underwood did not reveal his criminal history in his job application.

In the course of investigating a $200 theft from the Parnell Elementary School in December 2004, a Nodaway County Deputy Sheriff uncovered Underwood's bank robbery conviction. Underwood was placed on administrative leave on Jan. 27, 2005, and the next day sent an instant message to the principal at Parnell Elementary saying that he could not understand why he was accused of taking the missing money. On Saturday, Jan. 29, 2005, while working in her office, the principal was abruptly logged off her school computer and she could not log back on. An investigation revealed that only two accounts were still functioning, the ‘cunderwood’ account and the ‘Administrator’ account. All other accounts on the school district's network had been disabled and could not be accessed, and all computer work stations at both Parnell Elementary and Ravenwood High School had been disabled.

At the time Underwood was suspended, school district officials were unaware he had provided himself with remote access to the district's computer network through a Virtual Private Network. Underwood had established a VPN link from his home, using a laptop computer, to the Ravenwood school.

Underwood admitted that he established a remote connection to the district's computer system on Jan. 29, 2005. Underwood used the unauthorized access to initiate a program that locked out or disabled every user of the system with the exception of the account ‘cunderwood’ and the administrator's account.
Press Release, supra.

According to the Press Release, the lockout was “highly disruptive of the operations of the school district. Full access to the system was not restored until March 2005, and the school district . . . incurred remediation costs in the form of payments to consultants to repair the network and reestablish account access.”

On November 16, 2005, Underwood was charged with one count of violating 18 U.S. Code § 1030. Press Release, supra. On February 21, 2006, he pled guilty. Press Release, supra. On June 14, 2006, the judge who was assigned the case sentenced him “to one year and six months in federal prison without parole. The court also ordered Underwood to pay $15,600 in restitution to the school district.” Press Release, supra. That seems a reasonable sentence, I’d say, given the standards and factors that go into sentencing in general and sentencing for a § 1030 case.

What I think is notable about this case is that (assuming the facts alleged above are true), here we have a classic “insider” who is able to do a great deal of damage to a computer system. As I’ve noted before, people often tend to equate cybercrime with “outsiders,” with “hackers” (usually disgruntled teenagers) who “break into” computer systems. There are, of course, lots and lots of outsiders who do precisely that, most of whom are not teenagers, disgruntled or gruntled.

What many people tend to overlook, especially in educational institutions, small businesses and other environments that may not have had occasion to consider this problem, is the threat an unhappy employee, or a contractor, can pose. (A few years ago I spoke to a group of lawyers and judges. After I had described various kinds of cybercrime, including unauthorized intrusions of varying types, a judge raised his hand and asked me if the court systems at his court were secure. I suggested he take that up with their IT people. I hope he did.)

The U.S. Secret Service has done two very good studies of the insider threat, which I suggest you take a look at if you’re interested in this problem.

Dealing with insiders is, I think, much more difficult than dealing with the outsiders. The task of dealing with outsiders is to a great extent analogous to the task of fending off attackers in the real, physical world: You barricade points of entry and lock down as much as you can to try to prevent their getting inside. It's like being in a castle and fending off invaders.

You don't have that clear boundary with insider attacks. The insiders are, of course, already inside, and controlling them can be a very dicey undertaking. Obviously, one solution is to monitor everything everyone does, but that is probably going to be logistically impossible and will certainly not endear an organization to its employees. A more practical middle ground is to watch the small number of high-impact operations an insider would have to perform (disabling accounts in bulk, adding remote-access paths, changing administrator credentials) and, above all, to revoke remote access and privileged credentials at the moment someone is suspended, since in this case the district did not even know the VPN link existed. I could go on in that vein, but I’d recommend you check out the Secret Service studies, as they include some suggested “proactive practices” for dealing with the problem.
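As an added illustration of that middle ground (this is example code written for this post, not anything from the case record or the Secret Service studies), the script below reads a small set of constructed log lines and flags two things the facts above describe: a burst of account-disable operations by one actor within a short window, and a remote login by an account that should already have been revoked. The log format, the timestamps, the IP addresses, the target usernames and the “suspended accounts” list are all assumptions made up for the example; only the actor name cunderwood and the date come from the press release.

```python
"""Flag two insider-attack signals from audit logs:
  1. one actor disabling many accounts within a short window
     (the lockout pattern described in the press release), and
  2. a remote (VPN) login by an account that HR has already suspended
     (the access-revocation gap: the district did not know the VPN link existed).

Added example for this post; not code from the case or from any product.
The log format below is a simplified, constructed one, not a real vendor's output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical; times, IPs and target names are invented).
# Format: "<ISO timestamp> <event> key=value ..."
SAMPLE_LOG = """\
2005-01-29T10:02:11 vpn_login actor=cunderwood src=203.0.113.7
2005-01-29T10:03:40 account_disabled actor=cunderwood target=principal src=203.0.113.7
2005-01-29T10:03:41 account_disabled actor=cunderwood target=jsmith src=203.0.113.7
2005-01-29T10:03:41 account_disabled actor=cunderwood target=mjones src=203.0.113.7
2005-01-29T10:03:42 account_disabled actor=cunderwood target=teacher1 src=203.0.113.7
2005-01-29T10:03:42 account_disabled actor=cunderwood target=teacher2 src=203.0.113.7
2005-01-29T11:15:00 account_disabled actor=Administrator target=oldintern src=192.0.2.10
"""

# Hypothetical feed from HR: accounts of people placed on leave or terminated.
SUSPENDED_ACCOUNTS = {"cunderwood"}


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_disable_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return {actor: sorted targets} for every actor who disabled at least
    `threshold` accounts inside any sliding window of length `window`.
    A single routine offboarding (Administrator disabling one account) is not flagged."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] == "account_disabled":
            by_actor[e["actor"]].append(e)

    alerts = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        flagged = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start..end] fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.update(e["target"] for e in evs[start:end + 1])
        if flagged:
            alerts[actor] = sorted(flagged)
    return alerts


def find_suspended_logins(events, suspended):
    """Return (timestamp, actor, source) for remote logins by suspended accounts.
    Any hit means access was not revoked when the person was placed on leave."""
    return [(e["ts"].isoformat(), e["actor"], e["src"])
            for e in events
            if e["event"] == "vpn_login" and e["actor"] in suspended]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("disable bursts:", find_disable_bursts(evs))
    print("suspended-account logins:", find_suspended_logins(evs, SUSPENDED_ACCOUNTS))
```

Two caveats a practitioner would add. First, the burst detector only fires once the lockout is under way; it shortens the outage, it does not prevent it. Second, the second check is the one that actually matters here: the remote login by a suspended account happened before any account was touched, and a district that had revoked the VPN credential and the technology coordinator's administrative rights on Jan. 27 would have had nothing to detect on Jan. 29.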

1 comment:

Henry Curtis Underwood, Jr. said...

We need to talk because the truth has yet to be told. I tried to get the truth out but I want to clear the air.

Henry Curtis Underwood