The computer bug that ravaged systems throughout the world over the weekend showed how the increasing use of the Internet by businesses, banks and local governments has created vulnerabilities where few ever suspected them.
In just a few hours, the "Sapphire" worm, consisting of a minute bit of software code, shut down some Bank of America Corp. ATMs, fouled Continental Airlines' online ticketing system and essentially blacked out an emergency call center in Seattle, where computers slowed to a crawl. At the same time, it cut off access to the Internet for millions of personal computer users, including most of those in South Korea.
The worm, also known as "Slammer," spread quickly after it was introduced onto the Internet. Using a well-known flaw in a Microsoft Corp. database program, the worm overwhelmed computers with data. Many other systems quickly suffered ancillary effects as packets of information seeking ways around the vulnerable machines backed up in the ensuing congestion. Specialists described the impact as a sort of global traffic jam, like the ones that occur on Washington area highways when main arteries are shut down.
While similar in many ways to earlier worms, Sapphire raises new questions about the pace at which companies and government agencies are linking critical networks and computer systems to the Internet, often without a clear understanding of the risks.
"It's showing us the cutting edge of where people or organizations are becoming prematurely reliant on the Internet," said Kevin Poulsen, a security specialist and editorial director of SecurityFocus. "It's showing us interdependencies that we didn't know existed."
The attack also highlights growing weaknesses in the Internet Age's social compact: While everyone must share what is in effect a free medium, many companies still do not take the time or spend the money to apply "security patches" to widely publicized vulnerabilities, even though their computers might be used to mount or propel attacks.
And it is forcing some computer specialists to rethink their practices of sometimes posting details about the vulnerabilities they find, in part as a service to technicians trying to ward off such attacks. A British security specialist, for instance, published details of how to exploit Microsoft's database program, called SQL Server 2000, at a security conference in the United States last year. He said his presentation was intended to help others guard against the flaw.
"You have this ideal vision of doing something for the greater good," said David Litchfield, managing director of Next Generation Security Software Ltd. of London, who acknowledged that a small bit of his code might have been used in the attack. "I will probably no longer publish such code."
The number of reported computer intrusions, including worms and hacker attacks, has soared in the past several years, from 3,734 in 1998 to 82,094 last year, as more computers were linked to the Internet, according to the CERT Coordination Center at Carnegie Mellon University. Each of those attacks could involve one site or, as in Sapphire's case, thousands.
It's still too early to say how Sapphire was launched and who was responsible. The FBI is investigating. But the very design of the Internet, with a decentralized structure that ties together telephone wires and cable lines around the world, will hamper that probe. So will the extraordinary efficiency of the self-replicating worm, which specialists said sought out gaps in security at lightning speed.
"It's going to be a very difficult investigation," said Paul Bresson, an FBI spokesman. "It's kind of like looking at a body of water and determining where a drop of water came from."
Some specialists have found indications that might point to a Chinese hacker group.
Microsoft publicly warned of the vulnerability in its server software and offered a fix in July 2002. But the software giant itself suffered slowdowns over the weekend because it had not patched all the computers that run its networks, according to wire reports.
In the past, viruses, worms and their kin targeted specific Web sites or e-mail programs. But this new attack was different because it hobbled systems that were not supposed to be affected.
About 13,000 Bank of America cash machines had to be shut down. The bank's ATMs sent encrypted information through the Internet, and when the data slowed to a crawl, it stymied transactions, according to a source, who said customer financial information was never in danger of being stolen.
Some Continental Airlines flights were canceled after the airline's online ticketing systems and electronic kiosks could not process orders. And in Washington state, emergency dispatchers had to resort to pencil and paper for several hours starting around 1:30 a.m. Saturday, when they noticed their computers were becoming unmanageably slow.
Officer Marcia Harnden with the Bellevue Police Department, which oversees a community neighboring Seattle, said the people who answer the 911 calls depend on computers to log calls and to send the information to dispatchers. This computer-assisted dispatch system is not directly connected to the Internet, although it uses the same servers as the rest of the city. When those servers began to fail, it affected an emergency communications system that serves a population of 680,000, 14 fire departments and two police departments.
Harnden said technicians have begun to investigate how to better separate the systems.
"We don't want this to ever happen again," Harnden said.
Eugene Spafford, a computer security professor at Purdue University, questioned why those critical systems were connected to the Internet in the first place. "The trend of hooking everything up to the network is an extremely dangerous trend," he said.
But specialists note that configuring computer systems properly and keeping up with newly exposed vulnerabilities can be costly and time-consuming. With so many computers being used by so many people, just keeping track of the software people are using is difficult, let alone staying on top of the regular maintenance required, said Roman Danyliw, an Internet security analyst at CERT. "It's like a car. You can't just buy a car and that's it," he said.
The White House is preparing to release its long-awaited National Strategy to Secure Cyberspace in the next week or two, and a significant portion of it will address the need to study interdependencies among electronic systems, according to someone who has read the report.
The Homeland Security Act authorized funding for a research center -- to be run by the Los Alamos and Sandia National laboratories -- to study these types of vulnerabilities, but it has not been created.