Cyberterrorism and cyberwarfare thus become a plausible alternative(By Judge William H. Webster and Arnaud de Borchgrave)
Foreword & Summary of RecommendationsSource: www.csis.org
The United States is now exposed to a host of new threats to the economy, indeed to the whole of society. It has erected immensely complex information systems on insecure foundations. The ability to network has far outpaced the ability to protect networks. The economy is totally dependent on these systems. America's adversaries and enemies recognize this dependency and are developing weapons of mass disruption and destruction.
In today's electronic environment, many haters can become a Saddam Hussein and take on the world's most technologically vulnerable nation. America's most wanted transnational terrorist Osama bin Laden uses laptops with satellite uplinks and heavily encrypted messages to liaise across national borders with his global underground network. There is no shortage of terrorist recipes on the Internet, step-by-step cookbooks for hackers and crackers (criminal hackers) and cyberterrorists.
Testifying before a congressional committee in June 1996, Director of Central Intelligence John Deutch said criminal hackers were offering their services to so-called rogue states with "various schemes to undo vital U.S. interests through computer intrusions" and warned that an "electronic Pearl Harbor" was now a real threat. In his commencement address to the U.S. Naval Academy in May 1998, President Clinton outlined the magnitude of the new electronic perils:
Our security is challenged increasingly by nontraditional threats from adversaries, both old and new, not only hostile regimes, but also international criminals and terrorists who cannot defeat us in traditional theaters of battle, but search instead for new ways to attack by exploiting new technologies and the world's increasing openness.
The president was not referring to the future when he added, "Intentional attacks against our critical systems are already under way." Even traditionally friendly nations have used their electronic capabilities to penetrate triple firewalls protecting the systems of high-tech corporations and have stolen billions in proprietary secrets. Tomorrow's frontline commanders will be drawn from the ranks of computer wizards. The sandal culture is challenging the wingtips. The National Security Agency's (NSA) new electronic sheriff, responsible for protecting NSA's ground stations, is a 23-year-old GS-14. In the civilian sector, "techies" have moved into senior management positions.
Computers Are the Weapons and the Front Line Is Everywhere is the subtitle of the recently published (Simon & Schuster) book, The Next World War, by James Adams. What is at stake is a redefinition of U.S. security interests. And that is the challenge that this report has confronted. Keyboard attacks do not draw blood or emotion but they can paralyze the nation's critical nerve centers. A smoking keyboard does not convey the same drama as a smoking gun, but it has already proved just as destructive. Armed with the tools of cyberwarfare, substate or nonstate or even individual actors are now powerful enough to destabilize and eventually destroy targeted states and societies.
Security is no longer defined by armed forces standing between the aggressor and the homeland. The weapons of information warfare can outflank and circumvent military establishments and compromise the common underpinnings of both U.S. military and civilian infrastructure, which is now one and the same. Almost all of the Fortune 500 corporations have been penetrated electronically by cybercriminals. The FBI estimates that electronic crimes are running at about $10 billion a year. But only 17 percent of the companies victimized report these intrusions to law enforcement agencies. Their main concern is protecting consumer confidence and shareholder value. They say that reporting cyberrobberies exposes them to leaks and that there is no substitute for constantly enhancing their own defensive electronic security.
Internet scams are also proliferating. Almost 100,000 investors were lured to a Web site touting a high-tech start-up with revolutionary Internet devices, a partnership with Microsoft, and an initial public offering (IPO) with the Securities and Exchange Commission (SEC) — all phony. But the imaginative perpetrator pulled in $190,000, including $10,000 wired from Hong Kong. Soon 14 million will have on-line trading accounts and millions more are surfing the 'Net for stock tips. Slick looking ghost sites, perfect replicas of legitimate logos, are clever Ponzi schemes. The SEC's Internet cyberforce scans the Web for scams and investigates 100-odd complaints each day.
Probing attacks against the Pentagon — there are tens of thousands a year — are routed and looped through half a dozen other countries to camouflage where the attack originated. Information warfare specialists at the Pentagon estimate that a properly prepared and well-coordinated attack by fewer than 30 computer virtuosos strategically located around the world, with a budget of less than $10 million, could bring the United States to its knees. Such a strategic attack, mounted by a cyberterrorist group, either substate or nonstate actors, would shut down everything from electric power grids to air traffic control centers. A combination of cyberweapons, poison gas, and even nuclear devices could produce a global Waterloo for the United States.
A red team put together by the intelligence community in 1997 pretended to be North Korea. Some 35 men and women specialists, using hacking tools freely available on 1,900 Web sites, managed to shut down large segments of America's power grid and silenced the command and control system of the Pacific Command in Honolulu. The Defense Information Systems Agency (DISA) launched some 38,000 attacks against its own systems to test their vulnerabilities. Only 4 percent of the people in charge of targeted systems realized they were under attack and of these only 1 in 150 reported the intrusion to superior authority. Ninety-five percent of DISA's traffic — the equivalent of one entire Library of Congress every four hours — moves along highly vulnerable public lines.
Hacker attacks on federal agencies have grown exponentially, as have the 'Netizens on the World Wide Web. Internet users now number 120 million — 70 million of them in the United States. An estimated 1 billion people — one-sixth of humanity — will be on-line by 2005, two-thirds of them abroad. There is a new Web site every four seconds. The challenges to intelligence and law enforcement agencies grow at the same dizzying pace. At the beginning of the 1990s, a computer hard drive seized in a criminal investigation would contain some 50,000 pages of text. Now law enforcement agents have to deal with 5 million to 50 million pages of data. But the ability of these agencies to retain computer talent is seriously jeopardized by the compensation packages offered by the private sector.
Logic bombs, Trojan horses, worms, viruses, denial of service, and other information warfare tools are now the arsenal in a new geopolitical calculus whereby foes can take on a superpower that can no longer be challenged with conventional weapons. No enemy can match the U.S. military, as demonstrated in the Gulf War. Cyberterrorism and cyberwarfare thus become a plausible alternative.
They are no longer the stuff of science fiction. America's adversaries know that the country's real assets are in electronic storage, not in Fort Knox. Virtual corporations, cashless electronic transactions, and economies without inventories — based on just-in-time deliveries — will make attacks on data just as destructive as attacks on actual physical inventories. Bytes, not bullets, are the new ammo. Or, most dramatically, a combination of bytes, bullets, and bombs.
The forces of global integration also lubricate the counterforces of disintegration and corruption. The criminal economy has gone global and is branching out as fast as the legal economy. But these transnational criminals are not interested in bringing down the system. They know that technology and the Internet have changed the landscape for financial services. A new breed of transnational criminals with high-tech methodologies has made its debut. They are recruiting top-drawer computer skills for their global operations that know no borders. Law enforcement, on the other hand, is stymied by frontiers that are not even lines on the map in cyberspace. In fact, law enforcement's electronic capabilities are from 5 to 10 years behind the transnational crime curve. Budget-constrained government agencies average about 49 months to order, acquire, and install new computer systems vs. about 9 months in the private sector. Crime syndicates purchase state-of-the-art as soon as it becomes available. Ten thousand high-powered scanners are being smuggled in from Asia every month. They can intercept and record law enforcement agencies' mobile phones, faxes, and even landline communications. They are also used by organized crime groups to steal proprietary secrets from high-tech companies. As law enforcement's computer crimes detectives follow cybertrails, they often find themselves being followed by the same criminals they are tracking. Imagine a serial killer shadowing the homicide detectives to find out how much they knew, which would provide the killer the opportunity to perfect the technique of killing, explained one cybersleuth.
The National Computer Security Center has reported a sharp rise in cybercrimes and other information security breaches. Of the 520 large U.S. corporations, government agencies, and universities that responded, 64 percent reported intrusions, up 16 percent in a year. The Internet was the main point of attack.
The Internet is already its own global state, with its own economy and its own digicash, and is starting to change the way the world economy functions. Direct sales over the 'Net are expected to reach $5 trillion in the United States and Europe by 2005.
Cyberterrorists, acting for rogue states or groups that have declared holy war against the United States, are known to be plotting America's demise as a superpower. Director of Central Intelligence George Tenet says, "an adversary capable of implanting the right virus or accessing the right terminal can cause massive damage." And hackers from around the world have proved they can do just that. They have crashed systems from abroad (a 16-year-old English boy took down some 100 U.S. defense systems in 1994); rerouted calls from 911 emergency numbers in Florida to Yellow Pages sex-service numbers from Sweden; disrupted troop deployments to the Gulf in February 1998 from California where two youngsters, directed by a hacker in Israel (codenamed The Analyzer), launched attacks against the Pentagon's systems, NSA, and a nuclear weapons research lab. The deployment disruptions were described by Deputy Secretary of Defense John Hamre as "the most organized and systematic attack" on U.S. defense systems ever detected. In fact, they were so expertly conducted that President Clinton was warned in the early phases that Iraq was most probably the electronic attacker.
The new pervasive tools of information technology blend truth and fiction in ways not easily discernible to decisionmakers. The Internet is also a global superhighway for disinformation. Thus, potentially damaging decisions can be taken as shortened time lines mandate immediate action. Cyberterrorists clearly perceive a new global reach for their activities as they train themselves with tools of information warfare. People are trained to become Rangers and Seals, supersonic fighter pilots and astronauts, and daredevil mercenaries. Hackers and crackers similarly can be turned into a network of global terrorists whose mission might be, as it was for the Supreme Truth cult in Japan when it launched a sarin gas attack against the Tokyo subway system in 1995, the collapse of capitalism in the United States
Using the tools of information warfare, cyberterrorists can overload telephone lines with special software; disrupt the operations of air traffic control as well as shipping and railroad computers; scramble the software used by major financial institutions, hospitals and other emergency services; alter by remote control the formulas for medication at pharmaceutical plants; change the pressure in gas pipelines to cause a valve failure; sabotage the New York Stock Exchange.
More and more, 'Net watchers see groups of activists and extremists — even terrorist groups with their own Web sites, from the unreconstructed Marxist left to the neo-Nazi far right — interfacing with like-minded individuals in a process that bypasses national governments, unbeknownst even to their intelligence services. Civil protests in cyberspace are also becoming more common. A hacker group that supports the Mexican Zapatista rebels recently attempted to deny service of the Pentagon's primary information Internet site, DefenseLink. The attacks protested U.S. counternarcotics technology transfers to Mexican authorities. Monitoring the 'Net now entails 500 million pages, soon to be several billion.
Mr. Hamre believes "the new tools of terror," which can be used against civilian as well as military targets, have posed "a very real and increasing danger to national security." And these information warfare tools are acquiring doomsday potential with the electronic equivalent of the deadly human Ebola virus.
In 1986, a book entitled SOFTWAR documented how the Warsaw Pact countries could soon cripple the West by launching attacks against U.S. and NATO military and financial computer systems. The geometric growth in the power and speed of personal computers had barely begun. Bill Gates was not on anyone's radar screen. Then, three years later, the Cold War ended. Now the threat is real and constant. Eight nations have developed cyberwarfare capabilities comparable to America's. More than 100 countries are trying to develop them. Twenty-three nations have cybertargeted U.S. systems, according to knowledgeable intelligence sources. The head of the French equivalent of NSA was quoted in a French magazine as saying, "information warfare is a permanent warfare."
China's army newspaper, Jiefangjun Bao, in a March 24, 1998, article emphasized the need "to learn to launch an electronic attack on an enemy" and ensure electromagnetic control in a area and at a time favorable to us. To this end, we should cultivate partial information superiority by combining active interference with passive interference, electronic interference with repressive interference…. In a system confrontation, we should learn to conduct a structural analysis and study ways of structural sabotage.
Not since the advent of the atomic age in 1945 has the United States confronted weapons that have the potential for altering the way wars are waged. The United States has readied a powerful arsenal of cyberweapons (e.g., planting logic bombs in foreign computer networks to paralyze a would-be opponent's air defense system and shut down power and phone service, and project video onto his TV stations), but at the same time the United States keeps testing its own vulnerabilities. They are enormous. There is still no technology for pinpointing the source of a cyberattack. Nor are there laws or regulations for deciding when to launch a cyberattack or counterattack. There has been no debate in Congress about the use and nonuse of cyberweapons. Under what circumstances would the United States resort to taking down the computer-dependent infrastructure of a foreign country? U.S. regional commanders have been ordered to review war plans in the context of cyberweapons with the aim of conducting deadly but bloodless operations.
Most political leaders are reluctant to face the fact that not only are the traditional prerogatives of national sovereignty being challenged by the Information Revolution but they are disappearing rapidly in cyberspace. The nineteenth-century model of an independent state has become one of trappings rather than substance. Information technology is also eroding hierarchies that have long served as information filters for the people they rule or govern, thus constraining the actions of officials within government structures.
The ever increasing speed of the technological revolution makes today's snapshot irrelevant tomorrow. In the past four years, the computer chip has gone from 1.1 million transistors to 120 million (Intel engineers believe they can reach 400 million and, beyond that, 1 billion before they run out of silicon gas), and supercomputers from 256 billion moves per second to a mind-numbing 1 trillion. By coupling supercomputers, scientists and engineers have achieved 10 trillion operations per second. The latest desktop personal computers have now acquired the speed of yesterday's supercomputer.
Intelligence augmentation is displacing artificial intelligence. Already a man has been able to control a computer by thought alone after receiving an electronic implant that fused with his brain cells. Emory University's Roy Bakay got a volunteer's brain cells to grow into his implant, thus linking up with its electronics. Quantum computing and neural connectivity computing, based on the 73 trillion cells in the human body, will be the next technological breakthroughs.
The mainstream media have been inexplicably silent in reporting life and death developments in cyberspace. Ignored was the November 1996 report by the Defense Science Board Task Force on Information Warfare. It called for "extraordinary action" because, it said, "current practices and assumptions are the ingredients in a recipe for a national security disaster." It also predicted that shortly after the turn of the century attacks on U.S. information systems by terrorists, transnational crime syndicates, and foreign espionage agencies would be "widespread."
A year later, in November 1997, the Presidential Commission on Critical Infrastructure Vulnerabilities said its fundamental conclusion was that "[w]aiting for disaster is a dangerous strategy. Now is the time to act to protect our future." The commission said that skilled computer operators have demonstrated their ability to gain access to networks without authorization…. Whatever the motivation, their success in entering networks to alter data, extract financial or proprietary information, or introduce viruses demonstrates that…in the future, some party wishing to do serious damage to the United States will do so by the same means.
Computerized interaction within and among infrastructures has become so complex, the report warned, that we may be faced with harm "in ways we cannot yet conceive."
This commission's report spawned two presidential decision directives that are designed to protect the nation's critical computer infrastructure. Now overseeing America's defense against cyberattack are two NSC staff members: Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism; and Jeffrey Hunker, director of the critical infrastructure assurance office. They have been empowered to craft a national protection plan. The CSIS Task Force concluded that these presidential decision directives were good as far as they went but that they did not go far enough. The battleground of the future will encompass the very foundations of America's knowledge-based high-tech economy. There are now info-guerrillas intent on doing major damage to the citadel of capitalism, and cybergeniuses in their late teens and early 20s are the new frontline fighters, arguably more important to the nation's defense than the men and women who fought the country's wars in the past.
A national protection plan cannot be accomplished without private and public partnerships because many of the key targets for cyberattack — power and telecom grids, financial flows, transportation systems — are in private hands. Such a partnership is a prerequisite of designing and developing a defense system to protect both the private and the public sectors against critical infrastructure attack. These partnerships extend beyond humans to the technology itself. The National Research Council recently completed its report, Trust in Cyberspace, which advocated the need to build trustworthy systems from untrustworthy components.
The president's commission has identified only the tip of a very large iceberg. The national security threat is strategic information warfare. This CSIS report explores the hidden part of the iceberg and makes recommendations for a strategy designed to avert an electronic Waterloo.