Info War: Pearl Harbor of the future?
There are no front lines in an information war, no fiery explosions. The enemy's
camp is a cube on the other side of the globe. Their target? Your business.
Six months from now China sends an invasion armada steaming across the straits
of Taiwan. The still-green Bush White House faces a fresh national security
crisis. To discourage Washington from coming to Taiwan's aid, the People's
Liberation Army information warfare units quietly take aim at the U.S. network
infrastructure.
First, they attack computer networks at the New York Stock Exchange and the NASDAQ,
disrupting trading for several hours every day for a week. Investors fly into a panic.
Then an air traffic control tower at O'Hare goes offline, diverting hundreds of flights to
Detroit, Indianapolis, and St. Louis, shuttering the nation's busiest airport for three
days.
What next? The computer networks that power one or all of the massive retail banks -
like Chase, or Citibank, or Wells Fargo - go down for four days. Dallas loses power for 24
hours. Then Atlanta. Then Denver. The Grand Coulee Dam's spillway opens, causing flooding
along the Columbia River. Would we even know where these attacks came from? Or that a
hostile political force was responsible? Most likely, no.
Beyond China, experts like Dan Kuehl of the National Defense University add to the list
of potential cyberthreats: Russia, Iraq, Libya, and terrorist groups like Osama Bin
Laden's Al Qaeda - plus a slew of friendly nations including Japan, France, Norway,
England, Australia, South Korea, and Israel. The U.S. Department of Defense, to be sure,
is also honing its skills. It launched a cyberattack against Serbia and Slobodan Milosevic
during the 1999 NATO bombing campaign.
Most experts believe the United States is widely exposed to this kind of attack. As you
read this, U.S. networks are undergoing large-scale probing and mapping. "As a
country we are still terribly underprepared," says John Arquilla, an associate
professor of information technology at the Naval Postgraduate School. "We haven't
seen anything that serious happen yet, but it's coming."
The threat
-------------------------------------------------------------------------------
Our country's biggest weakness is its ever-expanding globally linked business networks.
They belong mostly to publicly traded companies whose primary goal is profit, not national
security.
In March 1999 at a Senate Armed Services Committee hearing on terrorism, then-deputy
defense secretary John Hamre stated that an "electronic Pearl Harbor" was a
credible threat to the country. It wasn't military defenses Hamre was worried about, but
the infrastructure that keeps the country running.
"This Pearl Harbor's going to be different," Hamre told the committee.
"It's not going to be against Navy ships . . . it's going to be against commercial
infrastructure, and we don't control that."
In other words, our country's biggest weakness is its ever-expanding globally linked
business networks, which don't belong to the military. They belong mostly to publicly
traded companies whose primary goal is profit, not national security.
While executives preach the benefits of these networks in corporate boardrooms
everywhere, the downside is that anybody with a computer and an Internet connection from
Saskatoon to Ulan Bator is armed for battle. You don't need to train and arm an airborne
division to cause havoc in the United States. You can spend a lot less money training 20
technologists.
"Increasingly, government agencies are relying on the public infrastructure,"
admits Scott Charney, who left his job as chief of the computer crime and intellectual
property section of the Justice Department in 1999 and is now a partner at
PricewaterhouseCoopers, consulting with companies on shoring up their defenses.
"Companies like AOL, UUNet - companies that provide communications infrastructure
and other public infrastructures - are targets," he says. "ATM networks are
at risk. An enemy might attack our power grid. As a practical matter this is not easy to
do, but I can envision scenarios where it could work."
As a measure of how vulnerable the public networks are, according to the Center for
Strategic and International Studies, most of the world's 250 largest companies have
already been hit by some sort of cyberattack, usually multiple attacks. A 1999 study by
PricewaterhouseCoopers and the American Society for Industrial Security reports that the
1,000 largest companies in the country have sustained losses of $45 billion from theft of
company secrets, in part due to holes in their networks.
It was in 1997 that the government first began to understand what kind of attack
scenarios would be most damaging to the private sector. That June a team from the National
Security Agency participating in a war game called Eligible Receiver discovered they could
shut down the nation's power grid and disrupt 911 calling centers nationwide with tools
gleaned off the Internet.
Lieutenant General Ken Minihan of the NSA told a Senate committee that Eligible
Receiver was just the beginning. "A sophisticated adversary could develop and use
more advanced tools and dedicate greater resources and time to support his campaign,"
he warned. "In short, our adversaries will have opportunities and advantages that
were not available to Eligible Receiver."
Even less-skilled adversaries proved troublesome. In 1996 a teenage hacker broke into
the air traffic control system at the Worcester, Massachusetts, airport, and a Swedish
hacker tied up 911 lines in 11 Florida counties for two weeks.
By 1999 an investigation code-named Moonlight Maze (which continues today under a
secret name) revealed wholesale mapping and looting of U.S. government and private
computer networks. The Pentagon's public computer network was thoroughly excavated, as was
the Space and Naval Warfare Systems Command's network. NASA also came under intense
attacks, spurring the space agency's inspector general to tell reporters that the breaches
were "massive, really very massive."
Meanwhile, the Washington Times reported that the NSA traced an attack at Los Alamos
National Laboratory to a research institute in Beijing. The hackers reportedly retrieved
hundreds of documents related to nuclear weapons production.
And on it goes. Robert West, a Navy captain and special assistant to the commander of
the Joint Task Force - Computer Network Operations, admits that the Pentagon's public
sites are scanned and surveyed every day. "They're being sucked dry by people with
Chinese IP addresses. Is it state sponsored? You can't tell," he says.
Starting last October and into January Microsoft fell under repeated and well-organized
attacks thought to be based in Russia. Microsoft officials declined to comment, but it is
believed that a large-scale mapping of the software giant's networks was under way.
"They're having the guts sucked out of them either by Russian intelligence or Russian
organized crime," says a former high-level military official. If enemies can disable
the software that runs most of the computers in the United States, then they're halfway to
shutting down most of the nation's computer networks. "In the military we call it
preparing the battlefield," says Arquilla of the Naval Postgraduate School.
The Microsoft attacks also beg the question: If Microsoft can be infiltrated, who can't
be?
Department of Corporate Defense?
-------------------------------------------------------------------------------
Corporate America tends to watch its bottom line more than its back. And national
security isn't their job anyway. So the NIPC was put on the lookout.
If you are a tech company or a financial company or a conglomerate, is it your
responsibility to defend the free world against a cyberattack? Probably not. That's the
government's job, but public companies control the country's vital infrastructures. Which
brings the question full circle: Are public companies responsible for protecting national
security?
With these problems in mind, former president Clinton issued Presidential Decision
Directive 63 in 1998, which set up the National Infrastructure Protection Center. The NIPC
was put under the jurisdiction of the FBI. Its mandate was to investigate cyberattacks and
to stimulate information sharing between the government and the private sector.
The problem is that many industries, technology in particular, are wary of sharing
anything with the government. For an executive, the thought of releasing information about
a network attack conjures investor relations nightmares.
Beyond the NIPC, the Department of Defense has also set up a Joint Task Force for
Computer Network Defense to protect the Pentagon's networks. Meanwhile, several industry
groups are setting up the Information Technology Information Sharing and Analysis Center
to pool resources, and, it is hoped, share information with the NIPC.
Ron Dick, a 24-year veteran of the FBI and director of the NIPC, is frustrated with the
lack of trust between the government and the private sector. "There is going to be a
reluctance to share information," Dick laments. "But we have a great
relationship with the electrical power industry and sharing information has helped both of
us. We hope that will be a model. You've got to start somewhere."
Still, many experts criticize the government's efforts and point to the distinct fear
that these efforts could lead to an increase in federal regulation and oversight. Bill
Crowell is the president and CEO of network security provider Cylink and served as deputy
director of the NSA until he retired after the Eligible Receiver war games in 1997.
"They don't have the ability legally because they don't own the infrastructure, and
the only way that's going to change is to increase regulation," Crowell says.
"In this political environment, that doesn't seem likely. And it's difficult to make
the case that there should be more involvement."
Crowell, whose company provides network security to the financial services industry,
argues that ultimately it will be the insurance industry that goes furthest to protect
vital infrastructures by refusing to provide coverage to firms that don't have protective
measures in place. Indeed, American International Group, the insurance behemoth, has
recently started offering coverage against cyberattacks.
Since PricewaterhouseCoopers' Charney left the attorney general's office, he has spent
much of his time at the consulting firm persuading companies to at least assess their risk
to network attacks. "The reception to that is mixed, because risk is hard to
quantify," he says. "They want to know how much money it's going to cost to
defend against an attack. Does the business model sustain that kind of investment? If your
company has $40 million in revenues, it doesn't make sense to spend $50 million on a
security solution. You could go bankrupt protecting yourself."
Companies will never be able to create a totally impenetrable network, but Cylink's
Crowell says they can build security systems that will cause enough confusion and enough
difficulty that cyberattackers will move on to easier prey. "It's easier to go after
weaker targets than to devote a lot of time to a difficult target," he says. "We
argue for a layered approach. The first layer is protecting your network with encryption
programs. The second is to protect access to your internal networks with strong
authentication like smart cards."
CIA for the Private Sector
-------------------------------------------------------------------------------
"Looking at how societies have defended themselves, intelligence has always been
critical.... [But] this country is preparing for the last war, not the next one."
Just under the flight path of Dulles International Airport in the suburbs of
Washington, D.C., sit the offices of iDefense, a company that aspires to be the Central
Intelligence Agency for the private sector. iDefense is the brainchild of James Adams, a
former CEO of United Press International, who has written several books on warfare and
espionage. It was his most recent book, The Next World War (Simon & Schuster, 1998),
that launched him into the private sector. Adams gives an exhaustive history of
information warfare, as well as the U.S. military's capabilities, stating categorically
that the Air Force can track hackers back to their computers and launch "computer
bombs." Many of our enemies, he insists, have the same skills.
In fact, he says, an enemy's ability to launch an info war is a foregone conclusion.
"This country is preparing for the last war, not the next one," Adams sighs, and
picks up Unrestricted Warfare, a voluminous treatise on the future of war, which pays
particular attention to cyberattacks on the commercial infrastructure. All of which leads
Adams to believe that after companies have purchased their security platforms, what they
really need is reliable human intelligence.
"Looking at how societies have defended themselves, intelligence has always been
critical," Adams says. In the Civil War, for example, the armies used hot-air
balloons to spy. "So if you accept that this is a global environment, and that the
front line embraces the private sector, then the private sector needs intelligence."
iDefense, which doesn't offer security software, maintains a 24-hour
intelligence-gathering team, spearheaded by Dan Owen, a retired Air Force
intelligence officer, and Ben Venzke, a specialist in Middle East terrorism. The company's
experts spend the day scouring everything from hacker chat rooms to secret Web sites. Many
of them spend hours working the phones and even e-mailing hackers to uncover their
motives. iDefense also claims to have paid informants sprinkled around the world. Its goal
is to determine if its clients, including Microsoft and Citibank, are about to be
attacked.
As proof of his company's success, Adams points to a recent "major" high-tech
company whose server farm in France was on the verge of being hacked. "We woke their
security officers up in the middle of the night and told them they were under
attack," Adams says. "And I can tell you they were quite surprised."
Adams also claims that his company warned Starbucks - not a client - of an
impending attack. Indeed, Venzke says, they spend much of their time calling
companies that aren't even paying customers. "We've called people up and said,
'You're under attack,' and they'll have no idea what's going on. Many companies just don't
believe it when they are under attack."
Providing security and intelligence to the private sector is big business. Ubizen, for
example, which is one of the top three Internet security firms in Europe and just expanded
into the United States, also offers an intelligence service.
Since Eligible Receiver sent Washington into a frenzy back in 1997, no major attacks
have occurred. No dams have been breached, no cities have been thrown into darkness, and
the financial system seems secure. Yet everyone interviewed for this story believes info
war is inevitable.
West of the Joint Task Force - Computer Network Operations argues that the
government and the private sector have both made impressive gains. "Today, if a
terrorist or another enemy wants to shut down power grids, SCADA systems [control and data
systems], trains, subway systems, dams, any of that, they would probably have better
success walking into the control room and threatening to blow someone's head off. Today
that is a more likely scenario and threat. I won't say that's the case for tomorrow,
though."
And Adams? He picks up his copy of Unrestricted Warfare and begins to leaf through it.
"I have no doubt that the virtual world is where the next war will be waged," he
says. "Why? For the first time in history, the weapons are available to
everyone."
You are the target
-------------------------------------------------------------------------------
There's even a manual for launching a cyber campaign. But is it a real threat or just a
scare tactic?
A few years ago, two Chinese air force colonels, Qiao Liang and Wang Xiangsui,
published Unrestricted Warfare (PLA Literature and Arts Publishing House, 1999), a
treatise explaining how underdeveloped nations could attack the United States. The tactic?
Mount cybercampaigns against the U.S. infrastructure, and American businesses are fair
game.
They write: "If the attacking side secretly . . . launches a sneak attack against
its financial markets, then after causing a financial crisis, buries a computer virus and
hacker detachment in the opponent's computer system in the advance, while at the same time
carrying out a network attack against the enemy so that the civilian electricity network,
traffic dispatching network, financial transaction network, telephone communications
network, and mass media network are completely paralyzed, this will cause the enemy nation
to fall into social panic, street riots, and a political crisis."
According to Captain Robert West of the Joint Task Force - Computer Network
Operations, the book has stirred wide debate about whether we are prepared for such an
attack. But is it really a threat or just a scare tactic? West argues, "You have to
assume that is being discussed over there as an option."
Sleep easier
-------------------------------------------------------------------------------
Hackers siphoned $377 million from U.S. businesses' bottom lines last year. Now insurance
companies are trying to mitigate the risk.
Feeling vulnerable to cyberattack? You should be. "We regard these threats,
attacks on companies' networks, to be a fundamental risk of doing business today,"
says Ty R. Sagalow, COO of American International Group's eBusiness Risk Solutions group.
"Whether it's a result of an info war, or a script kiddie, or a criminal, we don't
care, but you've got to protect your business."
Indeed, according to a recent study by the Computer Security Institute and the San
Francisco office of the FBI, 85 percent of businesses surveyed had their online security
systems breached last year, and 35 percent of the companies actually quantified a loss
from the attacks. The tally? About $377 million. And that's just from the 186 companies
that came clean.
AIG now offers insurance policies against attacks. If your company needs more than $5
million in coverage, AIG will conduct a free onsite security check (done in partnership
with Unisys and Global Integrity). The assessments include analyzing your current security
and ethical hacking, in which they try to break into your company's networks. For more
information, visit www.aignetadvantage.com.
Meanwhile, the rest of the insurance industry is following suit. Chubb Group and
Lloyd's of London offer cyberprotection policies as well.