Clarke's fourth trend is the rate of propagation of the attacks. "In July 2001, Code Red was a big deal," said Clarke. "I was the White House cybersecurity guy at that time and we knew something was going on, but we didn't know what. We knew it was a big threat, though. So, we reached out to all the security-related agencies -- the NSA, CIA, FBI, even the private sector -- and by 4pm on that day, we had broken the code and knew what was going to happen: At 8pm Eastern Time, 300,000 machines were going to launch a distributed denial of service attack (DDoS) on the White House's domain."
To mitigate the attack's impact, he asked the major Internet backbone providers to black-hole all traffic destined for whitehouse.gov. "So, when the tsunami hit the edge routers, it just died," said Clark.
Comparing Code Red to the Slammer worm, which originated from South Korea, Clarke said: "We saw the same phenomenon earlier this year. It involved 300,000 computers from five continents, but instead of taking a day, it all happened in 14 minutes. So, when you combine the six hours of vulnerability-to-exploit with the 14 minutes it takes to complete an attack, not only are "they" evolving, but reaction time is shrinking. Bottom line: if you don't have defences already set up to deal with problem, you will be a victim."
The fifth trend to watch is the rising cost of cleanup. Precise cost estimates are difficult to come by, said Clarke, because too little is known about the reporting methodologies used to collect the data. Still, Clarke said, "The numbers may not be accurate, but the trend lines are. According to the data we have, the worldwide cost in 2002 was $48bn. This past August [when Sobig.f struck], the cost for one month alone was $35bn. Depending on whom you talk to, the total projected worldwide cost for 2003 is $119bn to $145bn. Compared to the $35bn from the year before, that's a huge upward curve."
Another trend that Clarke discussed had to do with identity theft. According to Clarke, recent data suggests that approximately 27 million Americans were victimised by some form of identity theft in the past five years. "Of those 27 million, 9.9 million of them -- more than a third -- came in the last year," said Clarke. "The FTC estimates that each incidence of an identity theft costs the company involved an average of $10,000. With almost 10 million happening in one year, you do the math."
