Information Age: News, analysis & insight for IT & business leaders

Superhacker McKinnon tells Information Age how his experiences highlight the security shortcomings of corporate IT

The strange case of Gary McKinnon is one that will preoccupy security analysts, prosecutors, extradition lawyers, biographers and no doubt conspiracy theorists for years to come. A self-effacing, self-confessed IT geek, inspired by clichéd 1980s hacker thrillers, McKinnon is in many respects an unlikely cyber-terrorist.

Yet the Glasgow-born, London-based former systems administrator stands accused of hacking into 97 US government computer networks during 2001 and 2002, including those owned by NASA, the US Army, US Navy, Department of Defense and the US Air Force, resulting in an alleged $900,000 worth of damage. So dramatic was McKinnon’s undertaking, US officials have claimed, that he is single-handedly responsible for “the greatest military hack in history”. No small feat for a self-taught technie nerd operating from his girlfriend’s flat in North London.

McKinnon, 42, does not deny penetrating US military networks or “very serious places”, as he calls them, but he does deny causing any damage. Following a string of failed appeals, at the beginning of November he was facing extradition to the US, where he faces up to 60 years’ imprisonment if convicted.

Ironically McKinnon, who previously held several IT positions at prestigious City firms, possesses no formal technology training or qualifications but, as he observes without any irony, he has lots of “practical” experience.

“When I first started in IT, those were the days when experience was valued over a qualification,” he adds. McKinnon worked at the investment banking arm of JPMorgan for a time (where “the guys on the trading floor treated you like the tea lady”), in a career that saw him climb his way up from basic installation and software configuration management to systems administrator. As someone who regards himself as an IT professional, it was work he hugely enjoyed. “It was a passion of mine and I always enjoyed helping others to use IT as a tool to ease the workflow process,” he explains.

This so-called passion for all things IT perhaps explains, at least to some extent, why he became so engrossed in the act of hacking. “There is a kind of intellectual process going on there which part of you enjoys,” he explains. “But I didn’t feel like I was getting ‘one over on anyone’. I had an issue in mind.”

This “issue”, as he puts it, was an obsessive desire to uncover suppressed evidence of UFO technology, a pursuit McKinnon has frequently restated without compunction or qualification. Cogent as he may appear, however, his motivation has served to undermine his credibility as a witness to US military IT incompetence and in turn cloud the fundamentals of the case: the “embarrassing complete lack” of IT security, as McKinnon describes it, allowing him to access top-secret military information using a self-penned Perl script and a remote access programme.

Dangerous fringe

But McKinnon says that “people shouldn’t be surprised” that he was able to penetrate the military perimeter. In his experience, smaller firms and commercial organisations tend to have stronger security. “But if you’re like the military or any large global company, of course you’re going to have exploitable pockets on the fringes, and of course the further away you are from centralised control the less secure you’re going to be – even if you are the military,” he says. As McKinnon observes, the so-called de-perimeterisation of the enterprise – an issue that has long been highlighted by industry groups such as the Jericho Forum – is putting vital company data at ever-increasing risk.

Yet few organisations, he continues, have mastered many of the basic security tools designed to protect the data at source. “The one point that almost everyone falls down on all the time is data encryption: it’s fine having firewalls, but if someone can get through all that and steal your data then you’ve got no chance.” In particular, the failure to encrypt data that is archived and data to which users need frequent, real-time access is prevalent.

Real-time data encryption, especially for data transferred in email exchanges – a major source of accidental data breaches – remains a challenge for many organisations, but McKinnon believes it is one that tends to be overstated. “It’s totally possible, if you have fast enough computers – if it’s done on a local level, not on the server but on everyone’s workstation. Then it can be done in real time and it’s transparent to the user.” But the age-old tendency of companies to put productivity ahead of security, he continues, is a perennial obstacle to company-wide data encryption and, for that matter, many other security measures.

The real problem for organisations, however, is the people tasked with applying the technology, McKinnon argues. Echoing a complaint voiced by many security experts, McKinnon contends that the IT industry is characterised by a “definite lack of expertise” surrounding the security products on the market and the types of IT security defence methods available. “Your legitimate good guy IT staff [member], who is trained to build, maintain and run computer systems, [is] not generally trained in IT security.”

Worryingly, this problem also applies, he argues, to critical government functions – military defence being, of course, the most pertinent and familiar example. In his experience, the military IT function has traditionally lacked thoroughbred security enthusiasts. “Certainly, you do not get computer specialists; you get military personnel who are trained up to use computers. So they weren’t passionate or particularly interested.” Contrast this, he continues, with the types of individuals recruited by organised cyber-crime networks: the young, highly talented, and motivated – that is, “the sort of person I was,” he adds matter-of-factly. As such, there is in his view an “imbalance,” between the quality of IT expertise found in the criminal world and that which prevails within commerce and industry.

It is not only the IT skillset that is found wanting, however. The user, he says, is and always has been the “weakest line of defence”, as the ongoing success of social engineering-based IT scams, most notably phishing attacks, underlines. Failure to fully acknowledge this IT security truism leads many organisations to rely too heavily on what McKinnon describes as an “install and forget” strategy, with scant attention paid to the role of the user. “You need a very live data security [policy], and you have to have a very good user agreement that has to be constantly monitored and enforced,” he contends.

Furthermore, he adds, IT security strategies should be “kept simple”. Many companies make the mistake of over-complicating security controls (the use of two-factor authentication for identity and access management being a primary example), overlooking even the most basic security measures. “Just turning your machine off at night is a really good security measure: I was on networks at night-time and machines were still on,” he recalls of his hacking exploits. “So your data should be encrypted, and your data and log servers should be offsite.” The operating system, he adds, should be considered the first line of defence. “Use what’s inside Windows itself before turning to anti-virus software and so on,” he adds.

Clever tactics

McKinnon concedes, however, that it remains a huge challenge to educate the end user against the ever-sophisticated tactics used by cyber-criminals: “They’re getting very clever.” To this extent, he sees a disquieting long-term trend in the unprecedented reports, issued by MI5 nearly a year ago, that gangs of cyber-criminals, some of whom are widely believed to be state sponsored, are now turning their hand to systemic cyber-attack. “We do need to be prepared for cyber-economic warfare: I know that sounds futuristic and alarmist, but it is coming,” he says, adding: “There will be attacks on financial centres.”

Following a long string of legal hearings, including three separate and ultimately unsuccessful appeals to the High Court, the House of Lords, and finally the European Court of Human Rights (ECHR), McKinnon now faces imminent extradition to the US, notwithstanding an eleventh-hour challenge to the ECHR, or a further appeal to the Home Office. The fact that he has been diagnosed as suffering from Asperger’s syndrome has added further complexity to the case, prompting his local MP, the Conservative front bench spokesman on justice David Burrowes, to call for assurances that, if convicted, McKinnon will serve his sentence in the UK.

Meanwhile, the legal process is proving costly for both the McKinnon camp and the taxpayer. At last count, this extraordinary case, that has fast become something of a soap opera, has already cost the taxpayer some £90,000, says McKinnon, and counting.

McKinnon is aware that his peculiar case, that has attracted both ridicule and sympathy in almost equal measure, strikes at the heart of broader popular and, in some pockets, political disenchantment regarding the US/UK 2006 extradition treaty, under which the hacker is to be forcibly removed from the UK, and by which he has been rendered something of a cause célèbre. “It’s a huge case and has massive implications for the whole of Europe, and for America,” says McKinnon, who believes the treaty is being badly abused by US prosecutors. But if he is extradited, as is likely, the US courts will resound with tales of lapses in security, audacious hacking exploits and military secrets. Not to mention UFOs.

Further reading

The threat agenda
Information Age’s Enterprise Security 08 conference saw delegates tackle the evolving threats to IT security

Wise guys on the web
The Mafia are well-versed in computer crime, according to the original Donnie Brasco

The China security threat
The threat that China poses to IT security is making Western business executives nervous

Find more stories in the Security & Continuity Briefing Room