15 December 1998
DoD News Briefing
Tuesday, December 15, 1998 - 1:40 p.m.
Mr. Kenneth H. Bacon, ASD PA
Q: Different subject.
The Center for Strategic International Studies put out a report today warning about the threat of cyber-terrorism, and it's something new. The Defense Science Board put out one in '96. There have been other [words] in this building. The Center study, they said the main reason was to try to get the nation to pay attention to this thing -- a serious threat that nobody's concentrating enough on.
What's the feeling here? Is the nation doing what it needs to to counter the possibility of an electronic Pearl Harbor?
A: I haven't read the report so I can't comment specifically on that report.
The threat of an electronic Pearl Harbor or the threat of cyber-terrorism -- which could be much less hyperbolic than an electronic Pearl Harbor -- is clearly one that's getting increasing attention in this building and throughout the government.
There was, as you know, a critical infrastructure task force and report last year or early this year, that has led to some reorganization within the government, and a new focus on ways to protect our critical infrastructure -- whether it's the power system or whether it's the water systems or whether it's our computer systems. So increasing attention is being paid to that.
I think it's an area in which it's very difficult to say that enough attention is being paid, in part because the question always arises, how much is enough? But clearly, it's one that's of growing concern to the military and growing concern to this Administration as well.
So it's getting more attention in the building, and more attention outside the building. And I might add, I believe it's getting more attention from private industry as well.
Center for Strategic and International Studies (CSIS)
December 15, 1998
Averting An Electronic Waterloo
A Report of the CSIS Global Organized Crime Project
William H. Webster, project chair
Arnaud de Borchgrave, project director
Patrick R. Gallagher, task force chair
Frank J. Cilluffo, task force director & editor
Bruce D. Berkowitz, task force editor
Stephanie Lanz, task force research assistant & editor
The United States today faces a new and unprecedented threat: strategic information warfare. There is now the potential for a dedicated, sophisticated adversary to conduct coordinated strikes against the computers, communications systems, and databases that underpin modern society. This is not mere hacking or computer crime; rather, the objectives are geopolitical and economic. And traditional national security solutions will be ineffective. U.S. leaders must prepare for this threat, unseen until it is unleashed, and work effectively with the private sector owners and operators of the information infrastructure-the primary targets-to thwart attacks on the foundation of U.S. prosperity and strength. This report assesses that threat and points the way toward practical responses.
William H. Webster is a former director of the CIA and the FBI and serves as chair of the Global Organized Crime Project. Arnaud de Borchgrave is a senior adviser at CSIS and director of the Global Organized Crime Project.
Summary of Recommendations
|CSIS Panel Report||96 pp.||November 1998|
Order the Report
The United States is now exposed to a host of new threats to the economy, indeed to the whole of society. It has erected immensely complex information systems on insecure foundations. The ability to network has far outpaced the ability to protect networks. The economy is totally dependent on these systems. America's adversaries and enemies recognize this dependency and are developing weapons of mass disruption and destruction.
In today's electronic environment, many haters can become a Saddam Hussein and take on the world's most technologically vulnerable nation. America's most wanted transnational terrorist Osama bin Laden uses laptops with satellite uplinks and heavily encrypted messages to liaise across national borders with his global underground network. There is no shortage of terrorist recipes on the Internet, step-by-step cookbooks for hackers and crackers (criminal hackers) and cyberterrorists.
Testifying before a congressional committee in June 1996, Director of Central Intelligence John Deutch said criminal hackers were offering their services to so-called rogue states with "various schemes to undo vital U.S. interests through computer intrusions" and warned that an "electronic Pearl Harbor" was now a real threat. In his commencement address to the U.S. Naval Academy in May 1998, President Clinton outlined the magnitude of the new electronic perils:
Our security is challenged increasingly by nontraditional threats from adversaries, both old and new, not only hostile regimes, but also international criminals and terrorists who cannot defeat us in traditional theaters of battle, but search instead for new ways to attack by exploiting new technologies and the world's increasing openness.
The president was not referring to the future when he added, "Intentional attacks against our critical systems are already under way." Even traditionally friendly nations have used their electronic capabilities to penetrate triple firewalls protecting the systems of high-tech corporations and have stolen billions in proprietary secrets. Tomorrow's frontline commanders will be drawn from the ranks of computer wizards. The sandal culture is challenging the wingtips. The National Security Agency's (NSA) new electronic sheriff, responsible for protecting NSA's ground stations, is a 23-year-old GS-14. In the civilian sector, "techies" have moved into senior management positions.
Computers Are the Weapons and the Front Line Is Everywhere is the subtitle of the recently published (Simon & Schuster) book, The Next World War, by James Adams. What is at stake is a redefinition of U.S. security interests. And that is the challenge that this report has confronted. Keyboard attacks do not draw blood or emotion but they can paralyze the nation's critical nerve centers. A smoking keyboard does not convey the same drama as a smoking gun, but it has already proved just as destructive. Armed with the tools of cyberwarfare, substate or nonstate or even individual actors are now powerful enough to destabilize and eventually destroy targeted states and societies.
Security is no longer defined by armed forces standing between the aggressor and the homeland. The weapons of information warfare can outflank and circumvent military establishments and compromise the common underpinnings of both U.S. military and civilian infrastructure, which is now one and the same. Almost all of the Fortune 500 corporations have been penetrated electronically by cybercriminals. The FBI estimates that electronic crimes are running at about $10 billion a year. But only 17 percent of the companies victimized report these intrusions to law enforcement agencies. Their main concern is protecting consumer confidence and shareholder value. They say that reporting cyberrobberies exposes them to leaks and that there is no substitute for constantly enhancing their own defensive electronic security.
Internet scams are also proliferating. Almost 100,000 investors were lured to a Web site touting a high-tech start-up with revolutionary Internet devices, a partnership with Microsoft, and an initial public offering (IPO) with the Securities and Exchange Commission (SEC) all phony. But the imaginative perpetrator pulled in $190,000, including $10,000 wired from Hong Kong. Soon 14 million will have on-line trading accounts and millions more are surfing the 'Net for stock tips. Slick looking ghost sites, perfect replicas of legitimate logos, are clever Ponzi schemes. The SEC's Internet cyberforce scans the Web for scams and investigates 100-odd complaints each day.
Probing attacks against the Pentagon there are tens of thousands a year are routed and looped through half a dozen other countries to camouflage where the attack originated. Information warfare specialists at the Pentagon estimate that a properly prepared and well-coordinated attack by fewer than 30 computer virtuosos strategically located around the world, with a budget of less than $10 million, could bring the United States to its knees. Such a strategic attack, mounted by a cyberterrorist group, either substate or nonstate actors, would shut down everything from electric power grids to air traffic control centers. A combination of cyberweapons, poison gas, and even nuclear devices could produce a global Waterloo for the United States.
A red team put together by the intelligence community in 1997 pretended to be North Korea. Some 35 men and women specialists, using hacking tools freely available on 1,900 Web sites, managed to shut down large segments of America's power grid and silenced the command and control system of the Pacific Command in Honolulu. The Defense Information Systems Agency (DISA) launched some 38,000 attacks against its own systems to test their vulnerabilities. Only 4 percent of the people in charge of targeted systems realized they were under attack and of these only 1 in 150 reported the intrusion to superior authority. Ninety-five percent of DISA's traffic the equivalent of one entire Library of Congress every four hours moves along highly vulnerable public lines.
Hacker attacks on federal agencies have grown exponentially, as have the 'Netizens on the World Wide Web. Internet users now number 120 million 70 million of them in the United States. An estimated 1 billion people one-sixth of humanity will be on-line by 2005, two-thirds of them abroad. There is a new Web site every four seconds. The challenges to intelligence and law enforcement agencies grow at the same dizzying pace. At the beginning of the 1990s, a computer hard drive seized in a criminal investigation would contain some 50,000 pages of text. Now law enforcement agents have to deal with 5 million to 50 million pages of data. But the ability of these agencies to retain computer talent is seriously jeopardized by the compensation packages offered by the private sector.
Logic bombs, Trojan horses, worms, viruses, denial of service, and other information warfare tools are now the arsenal in a new geopolitical calculus whereby foes can take on a superpower that can no longer be challenged with conventional weapons. No enemy can match the U.S. military, as demonstrated in the Gulf War. Cyberterrorism and cyberwarfare thus become a plausible alternative.
They are no longer the stuff of science fiction. America's adversaries know that the country's real assets are in electronic storage, not in Fort Knox. Virtual corporations, cashless electronic transactions, and economies without inventories based on just-in-time deliveries will make attacks on data just as destructive as attacks on actual physical inventories. Bytes, not bullets, are the new ammo. Or, most dramatically, a combination of bytes, bullets, and bombs.
The forces of global integration also lubricate the counterforces of disintegration and corruption. The criminal economy has gone global and is branching out as fast as the legal economy. But these transnational criminals are not interested in bringing down the system. They know that technology and the Internet have changed the landscape for financial services. A new breed of transnational criminals with high-tech methodologies has made its debut. They are recruiting top-drawer computer skills for their global operations that know no borders. Law enforcement, on the other hand, is stymied by frontiers that are not even lines on the map in cyberspace. In fact, law enforcement's electronic capabilities are from 5 to 10 years behind the transnational crime curve. Budget-constrained government agencies average about 49 months to order, acquire, and install new computer systems vs. about 9 months in the private sector. Crime syndicates purchase state-of-the-art as soon as it becomes available. Ten thousand high-powered scanners are being smuggled in from Asia every month. They can intercept and record law enforcement agencies' mobile phones, faxes, and even landline communications. They are also used by organized crime groups to steal proprietary secrets from high-tech companies. As law enforcement's computer crimes detectives follow cybertrails, they often find themselves being followed by the same criminals they are tracking. Imagine a serial killer shadowing the homicide detectives to find out how much they knew, which would provide the killer the opportunity to perfect the technique of killing, explained one cybersleuth.
The National Computer Security Center has reported a sharp rise in cybercrimes and other information security breaches. Of the 520 large U.S. corporations, government agencies, and universities that responded, 64 percent reported intrusions, up 16 percent in a year. The Internet was the main point of attack.
The Internet is already its own global state, with its own economy and its own digicash, and is starting to change the way the world economy functions. Direct sales over the 'Net are expected to reach $5 trillion in the United States and Europe by 2005.
Cyberterrorists, acting for rogue states or groups that have declared holy war against the United States, are known to be plotting America's demise as a superpower. Director of Central Intelligence George Tenet says, "an adversary capable of implanting the right virus or accessing the right terminal can cause massive damage." And hackers from around the world have proved they can do just that. They have crashed systems from abroad (a 16-year-old English boy took down some 100 U.S. defense systems in 1994); rerouted calls from 911 emergency numbers in Florida to Yellow Pages sex-service numbers from Sweden; disrupted troop deployments to the Gulf in February 1998 from California where two youngsters, directed by a hacker in Israel (codenamed The Analyzer), launched attacks against the Pentagon's systems, NSA, and a nuclear weapons research lab. The deployment disruptions were described by Deputy Secretary of Defense John Hamre as "the most organized and systematic attack" on U.S. defense systems ever detected. In fact, they were so expertly conducted that President Clinton was warned in the early phases that Iraq was most probably the electronic attacker.
The new pervasive tools of information technology blend truth and fiction in ways not easily discernible to decisionmakers. The Internet is also a global superhighway for disinformation. Thus, potentially damaging decisions can be taken as shortened time lines mandate immediate action. Cyberterrorists clearly perceive a new global reach for their activities as they train themselves with tools of information warfare. People are trained to become Rangers and Seals, supersonic fighter pilots and astronauts, and daredevil mercenaries. Hackers and crackers similarly can be turned into a network of global terrorists whose mission might be, as it was for the Supreme Truth cult in Japan when it launched a sarin gas attack against the Tokyo subway system in 1995, the collapse of capitalism in the United States
Using the tools of information warfare, cyberterrorists can overload telephone lines with special software; disrupt the operations of air traffic control as well as shipping and railroad computers; scramble the software used by major financial institutions, hospitals and other emergency services; alter by remote control the formulas for medication at pharmaceutical plants; change the pressure in gas pipelines to cause a valve failure; sabotage the New York Stock Exchange.
More and more, 'Net watchers see groups of activists and extremists even terrorist groups with their own Web sites, from the unreconstructed Marxist left to the neo-Nazi far right interfacing with like-minded individuals in a process that bypasses national governments, unbeknownst even to their intelligence services. Civil protests in cyberspace are also becoming more common. A hacker group that supports the Mexican Zapatista rebels recently attempted to deny service of the Pentagon's primary information Internet site, DefenseLink. The attacks protested U.S. counternarcotics technology transfers to Mexican authorities. Monitoring the 'Net now entails 500 million pages, soon to be several billion.
Mr. Hamre believes "the new tools of terror," which can be used against civilian as well as military targets, have posed "a very real and increasing danger to national security." And these information warfare tools are acquiring doomsday potential with the electronic equivalent of the deadly human Ebola virus.
In 1986, a book entitled SOFTWAR documented how the Warsaw Pact countries could soon cripple the West by launching attacks against U.S. and NATO military and financial computer systems. The geometric growth in the power and speed of personal computers had barely begun. Bill Gates was not on anyone's radar screen. Then, three years later, the Cold War ended. Now the threat is real and constant. Eight nations have developed cyberwarfare capabilities comparable to America's. More than 100 countries are trying to develop them. Twenty-three nations have cybertargeted U.S. systems, according to knowledgeable intelligence sources. The head of the French equivalent of NSA was quoted in a French magazine as saying, "information warfare is a permanent warfare."
China's army newspaper, Jiefangjun Bao, in a March 24, 1998, article emphasized the need "to learn to launch an electronic attack on an enemy" and ensure electromagnetic control in a area and at a time favorable to us. To this end, we should cultivate partial information superiority by combining active interference with passive interference, electronic interference with repressive interference . In a system confrontation, we should learn to conduct a structural analysis and study ways of structural sabotage.
Not since the advent of the atomic age in 1945 has the United States confronted weapons that have the potential for altering the way wars are waged. The United States has readied a powerful arsenal of cyberweapons (e.g., planting logic bombs in foreign computer networks to paralyze a would-be opponent's air defense system and shut down power and phone service, and project video onto his TV stations), but at the same time the United States keeps testing its own vulnerabilities. They are enormous. There is still no technology for pinpointing the source of a cyberattack. Nor are there laws or regulations for deciding when to launch a cyberattack or counterattack. There has been no debate in Congress about the use and nonuse of cyberweapons. Under what circumstances would the United States resort to taking down the computer-dependent infrastructure of a foreign country? U.S. regional commanders have been ordered to review war plans in the context of cyberweapons with the aim of conducting deadly but bloodless operations.
Most political leaders are reluctant to face the fact that not only are the traditional prerogatives of national sovereignty being challenged by the Information Revolution but they are disappearing rapidly in cyberspace. The nineteenth-century model of an independent state has become one of trappings rather than substance. Information technology is also eroding hierarchies that have long served as information filters for the people they rule or govern, thus constraining the actions of officials within government structures.
The ever increasing speed of the technological revolution makes today's snapshot irrelevant tomorrow. In the past four years, the computer chip has gone from 1.1 million transistors to 120 million (Intel engineers believe they can reach 400 million and, beyond that, 1 billion before they run out of silicon gas), and supercomputers from 256 billion moves per second to a mind-numbing 1 trillion. By coupling supercomputers, scientists and engineers have achieved 10 trillion operations per second. The latest desktop personal computers have now acquired the speed of yesterday's supercomputer.
Intelligence augmentation is displacing artificial intelligence. Already a man has been able to control a computer by thought alone after receiving an electronic implant that fused with his brain cells. Emory University's Roy Bakay got a volunteer's brain cells to grow into his implant, thus linking up with its electronics. Quantum computing and neural connectivity computing, based on the 73 trillion cells in the human body, will be the next technological breakthroughs.
The mainstream media have been inexplicably silent in reporting life and death developments in cyberspace. Ignored was the November 1996 report by the Defense Science Board Task Force on Information Warfare. It called for "extraordinary action" because, it said, "current practices and assumptions are the ingredients in a recipe for a national security disaster." It also predicted that shortly after the turn of the century attacks on U.S. information systems by terrorists, transnational crime syndicates, and foreign espionage agencies would be "widespread."
A year later, in November 1997, the Presidential Commission on Critical Infrastructure Vulnerabilities said its fundamental conclusion was that "[w]aiting for disaster is a dangerous strategy. Now is the time to act to protect our future." The commission said that skilled computer operators have demonstrated their ability to gain access to networks without authorization . Whatever the motivation, their success in entering networks to alter data, extract financial or proprietary information, or introduce viruses demonstrates that in the future, some party wishing to do serious damage to the United States will do so by the same means.
Computerized interaction within and among infrastructures has become so complex, the report warned, that we may be faced with harm "in ways we cannot yet conceive."
This commission's report spawned two presidential decision directives that are designed to protect the nation's critical computer infrastructure. Now overseeing America's defense against cyberattack are two NSC staff members: Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism; and Jeffrey Hunker, director of the critical infrastructure assurance office. They have been empowered to craft a national protection plan. The CSIS Task Force concluded that these presidential decision directives were good as far as they went but that they did not go far enough. The battleground of the future will encompass the very foundations of America's knowledge-based high-tech economy. There are now info-guerrillas intent on doing major damage to the citadel of capitalism, and cybergeniuses in their late teens and early 20s are the new frontline fighters, arguably more important to the nation's defense than the men and women who fought the country's wars in the past.
A national protection plan cannot be accomplished without private and public partnerships because many of the key targets for cyberattack power and telecom grids, financial flows, transportation systems are in private hands. Such a partnership is a prerequisite of designing and developing a defense system to protect both the private and the public sectors against critical infrastructure attack. These partnerships extend beyond humans to the technology itself. The National Research Council recently completed its report, Trust in Cyberspace, which advocated the need to build trustworthy systems from untrustworthy components.
The president's commission has identified only the tip of a very large iceberg. The national security threat is strategic information warfare. This CSIS report explores the hidden part of the iceberg and makes recommendations for a strategy designed to avert an electronic Waterloo.
Judge William H. Webster
Arnaud de Borchgrave
Explain the threat
The most important step U.S. officials can take is to articulate and explain to the leaderships of critical infrastructure providers and major, dependent users the nature of the strategic information warfare (SIW) threat, the threat's significance, and the need to prepare for it. The public develops its perceptions of threats from many sources, but the public is more likely to take these threats seriously if leaders demonstrate their seriousness by implementing effective organizational reforms and resource allocation priorities.
Develop national security policies for the Information Revolution
A policy to protect the United States against an information warfare (IW) attack should be part of a broader strategy that addresses the total impact of the Information Revolution on U.S. national security. To date, no U.S. policy review has considered how the Information Revolution has affected the country's beliefs about security or proper preparations for dealing with such threats.
Make strategic information dominance a national security objective
Currently the United States is a leader in the development and application of information technology, and it is important that the United States maintain this strategic information dominance (SID).
To retain leadership in the development and application of information technology and the dominance of U.S. firms in the computer, communications, and media industries, the United States must maintain a friendly environment for businesses in the information industries. The United States should undertake a review of policies and statutes that affect the ability of the United States to maintain its SID; areas to be reviewed should include antitrust policies, trade policies, technology export controls, and other regulations that affect the business environment and U.S. competitiveness.
Adopt policies that ensure critical government services
Federal, state, and local governments have unique roles in ensuring vital government services national defense, rule of law, and emergency services readiness even under the stressful conditions of IW attack. Maintaining continuity in these areas can prove challenging and expensive. Government officials need to identify those functions that only government can perform and ensure that government has secure information systems and processes to maintain these functions. This requires updating and expanding government plans for the Information Age and securing the essential infrastructures upon which all levels of government depend.
Understand and work with the private sector
Most experts agree that commercial telecommunications and information systems supporting critical infrastructures will likely be the primary targets in preparation for an IW strike against the United States. Cooperation by industry will be critical to the ability of the United States to defend against, detect, and contain such attacks. Reports by industry leaders suggest that the federal government mind-set still is "government leads, industry follows."
Indeed, government and business have different objectives and operating modes and often have good reasons to limit their cooperation. The cultures of government and the U.S. telecommunications and information industries are very different. The private sector will need to assume much of the responsibility for protecting itself. Government can help in specific, but limited, areas:
Prepare U.S. military for Information Age conflict
U.S. officials should review the role of IW in U.S. military policy to ensure that U.S. military forces are prepared:
Prepare U.S. intelligence for Information Age threats
Information warfare threats, which can be generated quickly and from many sources, will require the United States to rethink many of its most entrenched concepts about how intelligence is supposed to work. U.S. officials should develop new intelligence methods necessary to monitor SIW threats:
More on the CSIS Task Force on Information Warfare & Security
Order the Report
E-mail the CSIS bookstore