Interview John Arquilla
Date: October 15, 2003
Source: Computer Crime Research Center
Take us back to sort of the first occasion when you first thought about the cyber world as a potential place for problems. "Cyber war" is a term that you, in fact, invented. When did it first sort of dawn on you? What were you thinking?

I come to the whole cyber war business as a bombs and bullets guy. I didn't know a whole lot about computers. But when I was working for the Central Command in the last Gulf War, it became very apparent to me that our biggest advantages came from what we knew and what our opponent didn't. On the spot, we cobbled together something called a Joint Surveillance and Target Acquisition Radar System. This allowed us to know exactly where the opponent was and how to strike him.
It occurred to me, in the wake of that tremendous and lopsided victory of ours, that much of what we did could have been held hostage to the disruption of any of those information systems. That was the beginnings of cyber war -- the idea that the vulnerability of communications could cripple an advanced army. What made it strong also made it weak.
Then it was only a baby step from there to think about this happening across our entire society, commercially and socially. The crippling of information systems could have profound disruptive effects. What made that thought even more chilling was the notion that this power existed in the hands of a few hackers. The disruptive power of this small group was growing by leaps and bounds. This was something that we were vaguely aware of through the 1980s, but really came into its own in the 1990s.
What bothers me more than anything else, as I look at the data each year coming out of the various computer emergency response teams, is that hackers could do a tremendous amount more damage than they choose to do. This says to me the threat is real. We need to get our arms around it before people do get serious about making costly, costly disruptions a way of life. ...
When you had conversations with people at higher levels at that point, what were their thoughts? Did they think you're a nut? Did they think this is something that we really do have to deal with?
In my checkered career, I've had, I think, the good fortune to always be thinking a few years ahead of events. That has been useful in terms of anticipating threats. It has also created a fair amount of social friction in terms of presenting ideas that are intended to be dismissed initially. The idea that cyber war is coming, which was the title of the article that introduced this idea that I wrote with my colleague, David Ronfeldt, also of the Rand Corporation, was greeted with hoots and howls for the most part. So we felt we had to show everybody how serious this was by giving the article an exclamation point: "Cyber War Is Coming!"
I'm sure that convinced them.
It still hasn't.
It's been said that, in fact, we did use cyber tactics to some extent in that first Gulf War. To what extent, at that point, was anything possible?
Well, when we think about cyber, we need to reflect on the Greek root of the word, "kybernan," which means to control or to govern. The cyber things we did in the last Gulf War had much to do with the management of our own information. Yes, we did some things to the systems of the Iraqis at that time. The things that can be acknowledged would be the bombs dropped on particular systems of communications, and the foil strips that disrupted power flows. But beyond that, I think we can't really talk too much. ...
Some people will say, "There's no proof. Nothing has happened. Nothing has ever happened in this regard, and there are so many threats out there. Why focus any attention, money, energy on this issue?"
In the realm of cyberspace-based disruptive threats, we haven't yet had what they call the electronic Pearl Harbor. I think part of that is a function of our skillful defense of our systems. It's not that we're bereft of attacks. Tens of thousands of attacks occur every week against Department of Defense systems alone. In the intifada between the Israelis and the Palestinians, we've seen a cyber jihad that's been waged with a fair amount of infrastructure attacks -- against which the Israelis have defended quite skillfully. So efforts are being made in this area, but there hasn't been a Pearl Harbor.
Does that mean the threat doesn't exist? I don't think so. ... What we really are talking about is a social gulf between those who have the skills to do costly disruption and those who are radical enough to want to do it. Terrorists who probably want to do this don't yet have the technical skill. Those with the technical skill don't have the desire yet to become terrorists. But I think it's only a matter of time before that gap is bridged. ...
[Can the electrical grid be taken down by cyber tactics?] Why might that be a possibility?
It is certainly possible to disrupt electronic power flows by cyberspace-based means. I think one has to consider the various sorts of systems that regulate a great deal of the flows. Again, I would follow a philosophy of striking at the seams, which has to do with the automated sharing that's done between one part of our country and another. If it's very hot in one part of the country, and they need more air conditioning, electricity, a cooler part of the country will automatically share that. This is all software-driven. So any intrusion into that and any resetting of commands can make a great mess of things.
Now, we have people responsible for protecting these, who spend all of their time, and they're very able people, and do a very good job of this. I think we have to recognize the fact that, in the future, others will think of these systems as targets and will develop skillful ways to try to intrude upon those systems.
But some people will say the electrical grid is a creature with many heads. There's lots of organizations. There's a lot of different districts. It's interconnected, but it's not really interconnected, and there's lots of protection between systems. Why are they wrong?
I think that we do have a great deal of compartmentalization in our electronic infrastructure, the power grid system. At the same time, we have a variety of connections that run entirely through the system. I believe any skillful attacker will look for an avenue of advance that takes them to the most interconnected areas of the power grid system. That said, the attack doesn't have to be of a tremendous magnitude in order to have a great psychological effect. So there are many enclaves within the electronic power grid, small areas, cities, counties, even subdivisions that can be affected from time to time.
So we shouldn't think in terms of the "I" bomb, that information bomb that has as much disruptive effect as a nuclear bomb. We need to think about the possibility of pinpoint attacks on areas, and perhaps persisting over some period of days or weeks that cause disruptions, that have economic, but I think also great psychological effect.
After 9/11, an event took place just north of here, Mountain View, where there were intrusions. When you heard something like that, when you heard about that story to begin with, what did you think? What should we make of that? Why is that story significant?
We need to look at the various events that have occurred in cyberspace since Sept. 11, 2001 as the heralds of perhaps an era of cyber terror. I think it's important not to overstate or to hype this threat; after all, we're talking about things that disrupt, that don't kill, for the most part.
But these disruptions can be very, very costly. It seems to me when we have evidence of people getting into California's independent system operator, for example, or just the week after 9/11, the Nimda virus comes out -- that's "admin" spelled backwards -- we still don't know who did that. And the cost of the disruptions caused by this run into the many billions of dollars. In fact, the several viruses over the past few years have generated economic costs in the hundreds of billions of dollars.
So this is a non-trivial problem. If we had had this kind of damage done with explosives, people would be rioting in the streets and asking their government to be properly protected. But the fact of the matter is that cyber war is like Carl Sandburg's fog. It comes in on little cat feet, and it's hardly noticed. That's its greatest potential.
[Why was Mountain View significant?]
I think the key part of the story of the intrusion into the California Independent System Operator is that it went on so long without being detected. Again, it goes back to a theme that resonates with me always: Hackers do far less damage than they could. An intruder who has a free run for many days inside a system can do many things. So, again, it comes back to the social question: Why don't they want to do more damage than they do, and how do we prevent a linkup between those with advanced hacking skills, and those who do have a desire to do great disruption?
[What is] the significance of the connections to Pakistan and to other Middle Eastern areas that seem [to be] where these probes are coming from?
We always have to be careful about trying to...