Computer Crime Research Center

library/arquillap.jpg

Interview John Arquilla

Date: October 15, 2003
Source: Computer Crime Research Center


Page 1 2 3 4 5
... scant attention?

In a world with a lot of threats, it's going be easy for cyber warfare to be tucked away into a corner for a while -- perhaps for a long while. I think it's going to be dangerous for us to let that happen, in part, because terrorists themselves already use the Web and the Net very substantially, and often quite effectively. ...

[But] every day, I see how much attention is being paid to this problem from the services and the private sector. We have gone through the looking glass, and we know that this is an area to which me must pay attention. So I'm not worried about this. I understand that other things may cause our attention to be focused on other matters for some period of time, maybe for a long time. But once you begin the process of examining an issue area like cyberspace-based conflict, you don't walk away from that, and we haven't. We will continue to get better. I think, ultimately, we'll grapple with the problems that will confront us. ...


What does Slammer teach us? Why is it important?

Slammer is interesting to me, because of the speed with which it affected the systems that it could intrude upon. It suggests that the tempo of operations of particular tools and devices may be accelerating, and this is something that should trouble us. ...


[The National Strategy to Secure Cyberspace] is out. Some people say it's not enough, that partnership with the private sector itself does not do it, does not cut it, that, in fact, this is a major failure of governance.

I think we have suffered something of a failure of governance in terms of moving toward good information security in this country. Part of it is the institutional resistance of the private sector and the government to work closely together on things that are sometimes apparently inimical to each other's interests. Undue intrusions in the private sector and the marketing of very sensitive systems by companies, private companies out there that the government perhaps doesn't want to see out there, which is why we have still export controls on supercomputers and some forms of encryption.

So there are some tensions there. But I think the greatest failure is in the lack of recognition, both in the private sector and in the government, of the profound benefits that would come with strong encryption for all. This is the message the American people simply are not hearing. The release of some legal constraints is a far cry from using the bully pulpit of government to encourage everyone to be properly protective.



I'm going to ask you a stupid question. Why shouldn't the government just go in, march in, and say, "Listen, the Internet is integral to our national security. We're taking it over, and this is what we're going to do. And, private sector, you've got to do it. Let's regulate this. Let's use the stick instead of the carrot, because this is essential, and the clock is ticking?"

One possible solution for the government would be to assert central control in an effort to solve the problem. I think this might actually impede the process of securing this, because of the resistance it would generate. I also think it would choke off all the wonderful ideas coming out of the private sector and into government. The last thing we need to do socially is to create even more of an adversarial environment, make it like labor and management in baseball if government tried to come in and just say, "We're from government. We're here to solve this problem." I think the relationship, while sometimes edgy, is overall quite healthy. I don't think we should imperil that as we move ahead.



We've talked about the software being a huge problem. How big a problem is software? Is, for instance, is Microsoft part of the problem, or part of the solution at this point?

In the area of software, Microsoft and others have all emphasized, in general, the efficiency and simplicity over security. There are good economic reasons why that's been the case. The fact that Microsoft has acknowledged the need to think more about security is an important admission. I think their toes have to be held in the fire to continue to do that -- both Microsoft and others in the software business -- because the security dimension is absolutely integral. In the future, you're not going to have prosperity and efficiency without security.


What's the problem?

I think the most serious problem in terms of getting the private sector, particularly the software developers, on board to a good security regime is that it will cost something on the bottom line. It will reduce profits, at least in the short run. The answer to that may be that the first software designer to really build in good efficiency with great security, in the long run, is going to generate enormous economic benefits. ...



One last thing. In July, Bush ordered [National Security Presidential Directive] 16 to go into the guidance for when U.S. should launch cyber attacks. It sounds from just the information that's already released that it certainly shows that our government is very interested still in the use of cyberspace in war, and takes it very seriously. What's the significance specifically of NSPD 16?

I think the presidential directive on information warfare is prima facie evidence of how seriously the government does take cyber warfare. It also marks a shift away from a far more prudential approach to information warfare. In the last administration, there was a great concern about using techniques of cyber warfare that would then be emulated by others, and, by suggesting to the world that the Americans think this is a legitimate form of warfare, others might want to begin doing this as well. There was a great deal of concern about that. This administration is suggesting that we need to pull out all the stops to defeat terrorism. It is an admission, if only a tacit one, that cyberspace-based means of warfare are an essential part of the campaign against global terrorism.


How so? Can you define that a little bit better?

The ways in which cyber warfare can be used against terrorism largely go to breaking into the systems used by various terrorist networks. We create a capability that will sow the seeds of doubt in every terrorist's mind as he's tapping off the message to his attack team, or trying to move money to a particular cell or a node in some part of the world. Then we will slow them down. If we intrude without them having any idea that we're there, we'll be able to rip these various networks apart, because the true way to detecting who they are, where they are, and what they're doing lies in getting the kind of intelligence that's virtually human in nature.

We spend about $30 billion a year on intelligence today -- most of it for satellites that look down. They can see the tent in the desert. They can't tell you who's in there, or what they're saying. A sliver of the money we spend on intelligence goes to cyber warfare-based need, what's called clandestine technical collection. And yet, this sliver is giving us very, very high-resolution information about what our adversaries are up to. Just imagine what we might achieve if we invest even more heavily in this area. ...

Has there been anything that you've tried to sell, especially in those early days, and called for, that was rejected, that maybe now is being reconsidered or that you wish would be reconsidered, besides the encryption?

... When I think about the last 10 years, I'm surprised at how many of the things I've suggested are being adopted. Talk about the rise of Net war, a whole realm of conflict arising. Well, the Navy now has a network warfare command, NETWARCOM, and there's a three-star admiral running it. So these are good things. We talk about building networks among our various services. I think we have succeeded greatly in doing this. It is amazing to me that, just 10 years after Operation Desert Storm in Iraq, Operation Enduring Freedom in Afghanistan featured a small nimble network force that was extremely information-savvy, which achieved our national aims with a minimum of bloodshed in a very short time. These are powerful and profound changes in our military.

What hasn't changed is, I think, back in the Pentagon, where the organizational stovepipes still keep the whole issue of information security as a province of each individual service. Now we have people who are supposed to be chief information officers, and they're at bully pulpits, but they can't make the services give away what the services think is power; that is, the control over their own procurement of advanced technologies. I guess what I'm saying is that the real need for change is organizational, rather than technological, and that's where the greatest resistance lies.



Arquilla is associate professor of defense analysis at the Naval Postgraduate School. An expert on unconventional warfare, he tells FRONTLINE that the world is now experiencing an "information arms race." In this interview, Arquilla discusses some of the offensive cyber tactics the U.S. has used in the first Gulf War, Kosovo and Afghanistan. He also warns that hackers have the ability to do much more damage than they have yet done. "What we are really talking about is a social gulf between those who have the skills to do costly disruption and those who are radical enough to do it," he says. This interview was conducted on March 4, 2003.

Page 1 2 3 4 5
Add comment  Email to a Friend

Copyright © 2001-2024 Computer Crime Research Center
CCRC logo