Computer Crime Research Center

Interview John Arquilla

Date: October 15, 2003
Source: Computer Crime Research Center


People who oppose the view that this is a significant topic, that [believe] cyber terrorism is not the threat that I think you believe in, and other people we talked to believe in, say that Eligible Receiver proves nothing. The grid was not taken down. They didn't get into the grid. There's no proof to the fact, though some people supposedly said that they could have taken down the grid, for instance, and taken over command control of the South Pacific fleet so that they wouldn't be able to do anything. They say that it proves nothing. What's your opinion of that?

... I think there is a line, if I may talk about this debate between two sides. It's the one that says there's no threat, and the one that says there's a terrible threat. I think the real answer is, like in almost any debate on any serious issue, the truth lies in between. The potential threat of cyber attack, I believe, is very high. I think existing hacker activities, the amount of damage that could be done but isn't, and the increasing dependence, not only of our armed forces, but society in general on information systems suggests a great and growing vulnerability to disruption.

At the same time, the lack of physical attacks of a very serious nature on the system suggests that we aren't at a point yet where this threat is imminent, is immediately upon us. So I think that we have to look at this as a situation where we have warning of something that's coming. We have to think about how to prepare for it now. We have to consider the various policies which, if enacted -- whatever the merits of the debate, we can enact policies now that will protect us against this problem if it is going to become something serious, and we can do so in a way that's not terribly costly. In part, the strong encryption solution is one that people should be doing anyway, and would mitigate this problem very, very seriously. ...



If [Eligible Receiver] was run today, would they be able to repeat their successes?

Yes. If Eligible Receiver were run today, I believe that the successes of the attacking team that I'm aware of could be replicated, and perhaps even built upon.



Then what were the lessons learned? I mean, it did have an effect on DOD, and that's the other sign that this was significant.

Yes. Eligible Receiver happened several years ago. Like in any area of military affairs, there is an action and reaction process between those who would protect information systems and those who would attack them. Since the time of that exercise, we've made strides forward in good information security. But the attacking capabilities of those who would disrupt the system have increased also, and I think at a far greater pace than the pace of our changes on the defensive side. In the realm of cyber warfare, those on the offensive have an inherent advantage right now. ...


Hamre's an interesting guy, because he was a real proponent and a real cheerleader for a lot of these issues early on. Now the pendulum has swung, and now he sort of discounts it, and he says, "I spend hours a day worrying about biowarfare and chemical warfare. Do I spend minutes on cyber? No." So what happened there? Explain that, and why that's important.

I worked for a little while for Dr. Hamre. In my view, he is one of the leading defense intellectuals of his time. When I was first involved with him, he took a very serious view of the cyber dimension. I think it's only natural, in more recent years, that his focus has tended to go away from the cyber realm to the realm of physical terror. The events of Sept. 11, 2001, have focused many minds in that direction.

What I would say in response to that, though, is that there is a very, very big virtual dimension to the terror war. Our ability to detect, to track, and to preempt the terror attacks is often a function of our skillful exploitation of cyberspace. Our adversaries increasingly use advanced information systems for the management of their organizations, and there's also considerable evidence that they're trying to develop some attacking capabilities. They're beginning to explore this area.

I would say this about the convergence of terror and cyber warfare: If I were establishing a terror organization today, I would be more interested in doing costly disruption by cyberspace-based means. If I did physical destruction, I would know that I would have to deal with a bunch of angry Americans who would track me to the ends of the Earth. On the other hand, if I could engage in acts that would cause hundreds of billions of dollars worth of costly economic damage, and I could do it relatively secretly, why wouldn't I pursue that aim? And why wouldn't that make me a great hero to the constituency I was serving, my people, those who believe as I would? So if I were a terrorist, I would be thinking these days about mass disruption rather than mass destruction. ...



There's a couple of things I want to talk about Al Qaeda. We've covered some of them. What out there has been reported upon and that you've talked to people about, that concerns you about what was found -- for instance, like the Al Qaeda computers? What is out there that you can talk about that concerns you?

Some of the things that concern me about the increasing awareness Al Qaeda has of advanced information technologies is the apparent evidence that some of their operatives were undergoing advanced hacking training. It's very clear from intercepted communications, as well as discs that were found, that there is an extremely vigorous use of the Web and the Net. There is a surprisingly small amount of strong encryption being used, but that doesn't mean their messages are uncoded. It appears that there's a lot of low-tech coding going on with simple word substitution codes or, perhaps, book codes being used, which are also very hard.

This is why we need a new Bletchley Park of codebreakers for the Information Age, because it's not all going to be codes broken by high-performance computers. It's also going to be about intuitive insights that are generated into what kind of paradigm are they using for securing their communications. It's also clear that all money movement is basically done with e-mails, rather than the physical movements of money.

Now it's also important, as a last point, not to consider Al Qaeda 10 feet tall in this area. We're looking at [Khalid] Sheikh Mohammed, for example, who was simply using the e-mail account of a relative or friend, and assuming that maybe that relative or friend wasn't going to be monitored in some fashion. Very, very sloppy in that particular case, and there are other examples of sloppiness that we can't talk about in more detail.



But from the evidence that's out there, is there enough evidence to believe that they could be gearing up? And if they are -- or if they're not -- would we know it?

When we think about Al Qaeda and its potential for cyber terror or other sympathetic Muslim groups, we're now in an area that's very proprietary in nature. All I can say on this subject is that there is a cyber jihad going on right now against Israel. We see some people that we associate with modern terrorism who are trying to use cyberspace-based means to pursue their ends. Beyond that, I'm afraid we're in a very classified area.



What about states like China, Russia, North Korea, Iraq? Do you deal with this area? Is Washington concerned about this area?

As a defense analyst, I am, of course, interested in what other countries or other organizations are doing in the cyber warfare realm. What I find in the case of the People's Republic of China is an extremely lively and intelligent interest in this issue area. They understand that very simple technologies can achieve very complex effects. They have a character in their language which transliterates as "networkization." They understand the organizational dimension extremely well.

Some years ago, I was also asked to chair a meeting with the leading cyber warfare experts in Russia, and came away deeply impressed by, again, their own appreciation of the seriousness of the problem. They were concerned very much more about vulnerabilities, whereas I think the People's Republic of China is more interested in the opportunities posed in this area.



So what would you tell Washington they should be worried about as far as, for instance, China?

I think we need to be concerned that there is a new kind of arms race emerging, this one being an information arms race, and this is something about which Washington is very concerned. During the Kosovo war, there were things that could have been done in the cyber realm that weren't done, because the United States wanted to send a clear message that it took cyber warfare seriously, and didn't want to be the first ones to go down that road and make it appear an acceptable form of warfare.

Now, we did things in the military realm in Kosovo that helped and enhanced the effectiveness of our physical military assets. But the other sorts of things associated with hacking and making money disappear, things like that, were all refrained from. So I think Washington has a very serious attitude about this. ...



Should we be concerned at this point about a lack of interest or lack of focus due to the fact, the real fact that there are many, many threats, and many serious threats that Washington is dealing with? Should we be concerned that, in Washington and in the private sector by people like Governor Ridge and others, this area is getting scant attention?

In a world with a lot of...

