U.S. Steps Up Effort on Digital Defenses

Eugen Leitl eugen at leitl.org
Tue Apr 28 07:54:03 PDT 2009


http://www.nytimes.com/2009/04/28/us/28cyber.html?_r=2&ref=global-home&pagewanted=print 

April 28, 2009

U.S. Steps Up Effort on Digital Defenses

By DAVID E. SANGER, JOHN MARKOFF and THOM SHANKER

This article was reported by David E. Sanger, John Markoff and Thom Shanker
and written by Mr. Sanger.

When American forces in Iraq wanted to lure members of Al Qaeda into a trap,
they hacked into one of the group's computers and altered information that
drove them into American gun sights.

When President George W. Bush ordered new ways to slow Iran's progress toward
a nuclear bomb last year, he approved a plan for an experimental covert
program -- its results still unclear -- to bore into their computers and
undermine the project.

And the Pentagon has commissioned military contractors to develop a highly
classified replica of the Internet of the future. The goal is to simulate
what it would take for adversaries to shut down the country's power stations,
telecommunications and aviation systems, or freeze the financial markets -- in
an effort to build better defenses against such attacks, as well as a new
generation of online weapons.

Just as the invention of the atomic bomb changed warfare and deterrence 64
years ago, a new international race has begun to develop cyberweapons and
systems to protect against them.

Thousands of daily attacks on federal and private computer systems in the
United States -- many from China and Russia, some malicious and some testing
chinks in the patchwork of American firewalls -- have prompted the Obama
administration to review American strategy.

President Obama is expected to propose a far larger defensive effort in
coming days, including an expansion of the $17 billion, five-year program
that Congress approved last year, the appointment of a White House official
to coordinate the effort, and an end to a running bureaucratic battle over
who is responsible for defending against cyberattacks.

But Mr. Obama is expected to say little or nothing about the nation's
offensive capabilities, on which the military and the nation's intelligence
agencies have been spending billions. In interviews over the past several
months, a range of military and intelligence officials, as well as outside
experts, have described a huge increase in the sophistication of American
cyberwarfare capabilities.

Because so many aspects of the American effort to develop cyberweapons and
define their proper use remain classified, many of those officials declined
to speak on the record. The White House declined several requests for
interviews or to say whether Mr. Obama as a matter of policy supports or
opposes the use of American cyberweapons.

The most exotic innovations under consideration would enable a Pentagon
programmer to surreptitiously enter a computer server in Russia or China, for
example, and destroy a "botnet" -- a potentially destructive program that
commandeers infected machines into a vast network that can be clandestinely
controlled -- before it could be unleashed in the United States.

Or American intelligence agencies could activate malicious code that is
secretly embedded on computer chips when they are manufactured, enabling the
United States to take command of an enemy's computers by remote control over
the Internet. That, of course, is exactly the kind of attack officials fear
could be launched on American targets, often through Chinese-made chips or
computer servers.

So far, however, there are no broad authorizations for American forces to
engage in cyberwar. The invasion of the Qaeda computer in Iraq several years
ago and the covert activity in Iran were each individually authorized by Mr.
Bush. When he issued a set of classified presidential orders in January 2008
to organize and improve America's online defenses, the administration could
not agree on how to write the authorization.

A principal architect of that order said the issue had been passed on to the
next president, in part because of the complexities of cyberwar operations
that, by necessity, would most likely be conducted on both domestic and
foreign Internet sites. After the controversy surrounding domestic spying,
Mr. Bush's aides concluded, the Bush White House did not have the credibility
or the political capital to deal with the subject.

Electronic Vulnerabilities

Cyberwar would not be as lethal as atomic war, of course, nor as visibly
dramatic. But when Mike McConnell, the former director of national
intelligence, briefed Mr. Bush on the threat in May 2007, he argued that if a
single large American bank were successfully attacked "it would have an
order-of-magnitude greater impact on the global economy" than the Sept. 11,
2001, attacks. Mr. McConnell, who left office three months ago, warned last
year that "the ability to threaten the U.S. money supply is the equivalent of
today's nuclear weapon."

The scenarios developed last year for the incoming president by Mr. McConnell
and his coordinator for cybersecurity, Melissa Hathaway, went further. They
described vulnerabilities including an attack on Wall Street and one intended
to bring down the nation's electric power grid. Most were extrapolations of
attacks already tried.

Today, Ms. Hathaway is the primary author of White House cyberstrategy and
has been traveling the country talking in vague terms about recent,
increasingly bold attacks on the computer networks that keep the country
running. Government officials will not discuss the details of a recent attack
on the air transportation network, other than to say the attack never
directly affected air traffic control systems.

Still, the specter of an attack that could blind air traffic controllers and,
perhaps, the military's aerospace defense networks haunts military and
intelligence officials. (The saving grace of the air traffic control system,
officials say, is that it is so old that it is not directly connected to the
Internet.)

Studies, with code names like Dark Angel, have focused on whether cellphone
towers, emergency-service communications and hospital systems could be
brought down, to sow chaos.

But the theoretical has, at times, become real.

"We have seen Chinese network operations inside certain of our electricity
grids," said Joel F. Brenner, who oversees counterintelligence operations for
Dennis Blair, Mr. McConnell's successor as national intelligence director,
speaking at the University of Texas at Austin this month. "Do I worry about
those grids, and about air traffic control systems, water supply systems, and
so on? You bet I do."

But the broader question -- one the administration so far declines to discuss
-- is whether the best defense against cyberattack is the development of a
robust capability to wage cyberwar.

As Mr. Obama's team quickly discovered, the Pentagon and the intelligence
agencies both concluded in Mr. Bush's last years in office that it would not
be enough to simply build higher firewalls and better virus detectors or to
restrict access to the federal government's own computers.

"The fortress model simply will not work for cyber," said one senior military
officer who has been deeply engaged in the debate for several years. "Someone
will always get in."

That thinking has led to a debate over whether lessons learned in the nuclear
age -- from the days of "mutually assured destruction" -- apply to cyberwar.

But in cyberwar, it is hard to know where to strike back, or even who the
attacker might be. Others have argued for borrowing a page from Mr. Bush's
pre-emption doctrine by going into foreign computers to destroy malicious
software before it is unleashed into the world's digital bloodstream. But
that could amount to an act of war, and many argue it is a losing game,
because the United States is more dependent on a constantly running Internet
system than many of its potential adversaries, and therefore could suffer
more damage in a counterattack.

In a report scheduled to be released Wednesday, the National Research Council
will argue that although an offensive cybercapability is an important asset
for the United States, the nation is lacking a clear strategy, and secrecy
surrounding preparations has hindered national debate, according to several
people familiar with the report.

The advent of Internet attacks -- especially those suspected of being directed
by nations, not hackers -- has given rise to a new  That prompted further
studies to determine if attackers could take down a series of generators,
bringing whole parts of the country to a halt.

Another war game that the Department of Homeland Security sponsored in March
2008, called Cyber Storm II, envisioned a far larger, coordinated attack
against the United States, Britain, Canada, Australia and New Zealand. It
studied a disruption of chemical plants, rail lines, oil and gas pipelines
and private computer networks. That study and others like it concluded that
when attacks go global, the potential economic repercussions increase
exponentially.

To prove the point, Mr. McConnell, then the director of national
intelligence, spent much of last summer urging senior government officials to
examine the Treasury Department's scramble to contain the effects of the
collapse of Bear Stearns. Markets froze, he said, because "what backs up that
money is confidence -- an accounting system that is reconcilable." He began
studies of what would happen if the system that clears market trades froze.

"We were halfway through the study," one senior intelligence official said
last month, "and the markets froze of their own accord. And we looked at each
other and said, 'Our market collapse has just given every cyberwarrior out
there a playbook.' "

Just before Mr. Obama was elected, the Center for Strategic and International
Studies, a policy research group in Washington, warned in a report that
"America's failure to protect cyberspace is one of the most urgent national
security problems facing the new administration."

What alarmed the panel was not the capabilities of individual hackers but of
nations -- China and Russia among them -- that experts believe are putting huge
resources into the development of cyberweapons. A research company called
Team Cymru recently examined "scans" that came across the Internet seeking
ways to get inside industrial control systems, and discovered more than 90
percent of them came from computers in China.

Scanning alone does no damage, but it could be the prelude to an attack that
scrambles databases or seeks to control computers. But Team Cymru ran into a
brick wall as soon as it tried to trace who, exactly, was probing these
industrial systems. It could not determine whether military organizations,
intelligence agencies, terrorist groups, criminals or inventive teenagers
were behind the efforts.

The good news, some government officials argue, is that the Chinese are
deterred from doing real damage: Because they hold more than a trillion
dollars in United States government debt, they have little interest in
freezing up a system they depend on for their own invBB and it is
creating the kind of infrastructure that was built around nuclear weapons in
the 1940s and '50s.

Defense Secretary Robert M. Gates is considering proposals to create a Cyber
Command -- initially as a new headquarters within the Strategic Command, which
controls the American nuclear arsenal and assets in space. Right now, the
responsibility for computer network security is part of Strategic Command,
and military officials there estimate that over the past six months, the
government has spent $100 million responding to probes and attacks on
military systems. Air Force officials confirm that a large network of
computers at Maxwell Air Force Base in Alabama was temporarily taken off-line
within the past eight months when it was put at risk of widespread infection
from computer viruses.

But Mr. Gates has concluded that the military's cyberwarfare effort requires
a sharper focus -- and thus a specific command. It would build the defenses
for military computers and communications systems and -- the part the Pentagon
is reluctant to discuss -- develop and deploy cyberweapons.

In fact, that effort is already under way -- it is part of what the National
Cyber Range is all about. The range is a replica of the Internet of the
future, and it is being built to be attacked. Competing teams of contractors
-- including BAE Systems, the Applied Physics Laboratory at Johns Hopkins
University and Sparta Inc. -- are vying to build the Pentagon a system it can
use to simulate attacks. The National Security Agency already has a smaller
version of a similar system, in Millersville, Md.

In short, the Cyber Range is to the digital age what the Bikini Atoll -- the
islands the Army vaporized in the 1950s to measure the power of the hydrogen
bomb -- was to the nuclear age. But once the tests at Bikini Atoll
demonstrated to the world the awesome destructive power of the bomb, it
became evident to the United States and the Soviet Union -- and other nuclear
powers -- that the risks of a nuclear exchange were simply too high. In the
case of cyberattacks, where the results can vary from the annoying to the
devastating, there are no such rules.

The Deterrence Conundrum

During the cold war, if a strategic missile had been fired at the United
States, screens deep in a mountain in Colorado would have lighted up and
American commanders would have some time to decide whether to launch a
counterattack. Today, when Pentagon computers are subjected to a barrage, the
origin is often a mystery. Absent certainty about the source, it is almost
impossible to mount a counterattack.

In th of pre-emption, with all of its Bush-era connotations. The questions
range from whether an online attack should be mounted on that system to, in
an extreme case, blowing those computers up.

Some officials argue that if the United States engaged in such pre-emption --
and demonstrated that it was watching the development of hostile cyberweapons
-- it could begin to deter some attacks. Others believe it will only justify
pre-emptive attacks on the United States. "Russia and China have lots of
nationalistic hackers," one senior military officer said. "They seem very,
very willing to take action on their own."

Senior Pentagon and military officials also express deep concern that the
laws and understanding of armed conflict have not kept current with the
challenges of offensive cyberwarfare.

Over the decades, a number of limits on action have been accepted -- if not
always practiced. One is the prohibition against assassinating government
leaders. Another is avoiding attacks aimed at civilians. Yet in the
cyberworld, where the most vulnerable targets are civilian, there are no such
rules or understandings. If a military base is attacked, would it be a
proportional, legitimate response to bring down the attacker's power grid if
that would also shut down its hospital systems, its air traffic control
system or its banking system?

"We don't have that for cyber yet," one senior Defense Department official
said, "and that's a little bit dangerous."




