Cyber War: The Next Threat to National Security and What to Do About It

by Richard A. Clarke


  Important facilities got translated into bureaucratese as “critical infrastructure,” a phrase that continues, and continues to confuse, today. The new panel got the moniker Presidential Commission on Critical Infrastructure Protection (PCCIP). Not surprisingly, then, most people referred to it using the name of its Chairman, retired Air Force General Robert Marsh. The Marsh Commission was a full-time endeavor for a large panel and a professional staff. They held meetings throughout the country and talked to experts in numerous industries, universities, and government agencies. What they came back with in 1997 was not what we expected. Rather than focusing on right-wingers like McVeigh and Nichols or al Qaeda terrorists like those who had attacked the World Trade Center in 1993, Marsh sounded a loud alarm about the Internet. Noting what was then a recent trend, the Marsh Commission said that important functions from rail to banking, from electricity to manufacturing were all being connected to the Internet and yet that network of networks was completely insecure. By hacking from the Internet, an attacker could shut down or damage “critical infrastructure.”

  Raising the prospect of nation-states creating “information war” attack units, Marsh called for a massive effort to protect the U.S. He identified the chief challenge as being the role of the private sector, which owned most of what counted as “critical infrastructure.” Industries were wary of the government regulating them to promote cyber security. Instead of doing that, Marsh called for a “public-private partnership,” heightened awareness, sharing of information, and research into more secure designs.

  I was disappointed, although in time I came to understand that General Marsh was right. As the senior White House official in charge of security and counterterrorism issues, I had hoped for a report that would have helped me get the funding and structure I needed to deal with al Qaeda and others. Instead, Marsh was talking about computers, which was not my job. My close friend Randy Beers, then Special Assistant to the President for Intelligence and the man who had been shepherding the Marsh Commission for the White House, walked next door to my office (with its twenty-foot-high ceiling and great view of the National Mall), plunked himself down in a chair, and announced, “You have to take over critical infrastructure. I can’t do it because of the Clipper chip.”

  The Clipper chip had been a plan, developed in 1993 by NSA, in which the government would require anyone in the U.S. using encryption to install a chip that would let NSA listen in, with a court order. Privacy, civil liberties, and technology interest groups united in vehement opposition. For some reason, they did not trust that NSA would only listen in when they had a warrant (which, under George W. Bush, later proved to be true). The Clipper chip got killed by 1996, but it had left a lot of distrust between the growing information technology (IT) industry and the U.S. intelligence community. Beers, being an intelligence guy, felt he could not gain the trust of the IT industry. So he dumped it in my lap. Moreover, he had already wired that decision with the National Security Advisor, Sandy Berger, who asked me to write a Presidential Decision Document stating our policy on the issue, and putting me in charge of it.

  The result was a clear statement of the problem and our goal, but within a structure with limitations that prevented us from achieving it. The problem was that “because of our military strength, future enemies…may seek to harm us…with non-traditional attacks on our infrastructure and information systems…capable of significantly harming both our military power and our economy.” So far so good. The goal was that “any interruptions or manipulations of critical functions must be brief, infrequent, manageable, geographically isolated, and minimally detrimental.” Pretty good stuff.

  But how to do it? By the time every agency in government had watered the decision down, it read: “The incentives that the market provides are the first choice for addressing the problem of critical infrastructure protection…. [We will consider] regulation only in the event of a material failure of the market…[and even then] agencies will identify alternatives to direct regulation.” I got a new title in the Decision Document, but it would not fit on a business card: “National Coordinator for Security, Infrastructure Protection, and Counter-terrorism.” Little wonder the media used the term “czar”; no one could remember the real title. The Decision Document made clear, however, that the czar could not direct anyone to do anything. The Cabinet members had been adamant about that. No regulation and no decision-making authority meant little potential for results.

  Nonetheless, we set off to work with the private sector and with government agencies. The more I worked on the issue, the more concerned I became. Marsh had not really been alarmist, I came to appreciate; he and his commission had actually understated the problem. Our work on the Y2K computer glitch (the fact that most software could not roll over from 1999 to 2000 and might, therefore, simply freeze up) greatly added to my understanding of just how much everything was rapidly becoming dependent upon computer-controlled systems and networks connected in some way to the Internet. In the 2000 federal budget, I was able to add $2 billion for improved cyber security efforts, but it was a fraction of what was needed.

  By 2000, we had developed a National Plan for Information Systems Protection, but there was still no willingness in the government to attempt to regulate the industries that ran the vulnerable critical infrastructure. To highlight the ideological correctness of the decision to avoid regulation, I used the phrase “eschew regulation” in the decision document, mimicking Maoist rhetoric. (Mao had directed, “dig tunnels deeper, bury food everywhere, eschew hegemonism.”) No one saw the irony. Nor would the Cabinet departments even do enough to protect their own networks, as called for in the Presidential Directive. Thus, the plan was toothless. It did, however, make clear to industry and to the public what the stakes were. Bill Clinton’s cover letter left no doubt that the IT revolution had changed how the economy and national defense were done. From turning on the lights, to calling 911, to boarding an aircraft, we now relied upon computer-driven systems. A “concerted attack” on the computers of an important economic sector would “have catastrophic results.” This was not a theoretical potential; rather, “we know the threat is real.” Opponents that had relied on “bombs and bullets” could now use “a laptop…[as] a weapon capable of…enormous damage.”

  I added in a cover letter of my own that “More than any other nation, America is dependent upon cyberspace.” Cyber attacks could “crash electric grids…transportation systems…financial institutions. We know other governments are developing that capability.” So were we, but I didn’t say that.

  SIX FUNNY NAMES

  During those initial years of my focusing on cyber security there were six major incidents that convinced me that this was a serious problem. First, in 1997, I worked with NSA on a test of the Pentagon’s cyber security in an exercise the military called “Eligible Receiver.” Within two days, our attack team had penetrated the classified command network and was in position to issue bogus orders. I stopped the exercise early. The Deputy Defense Secretary was shocked at the Pentagon’s vulnerability and ordered all components to buy and install intrusion detection systems. They quickly discovered that there were thousands of attempts a day to hack into DoD networks. And those were the ones they knew about.

  In 1998, during a crisis with Iraq, someone hacked into the unclassified DoD computers that were needed to manage the U.S. military buildup. The FBI gave the attack the appropriate name “Solar Sunrise” (it was a wake-up call for many). After a few days of panic, the attackers were discovered to be not Iraqi but Israeli. Specifically, a teenager in Israel and two more in California had proved how poorly secured our military logistics network was.

  In 1999, an Air Force base noticed something odd about its computer network. The Air Force called the FBI, which called NSA. What emerged was that huge amounts of data were being exfiltrated from the research files at the airbase. Indeed, gigantic amounts of data were being shipped out from a lot of computers in the Defense network and from many data systems in the national nuclear laboratories of the Energy Department. The FBI case file for this one was called “Moonlight Maze,” which also turned out to be apt because no one could throw much light on what was happening other than to say the data was being sent through a long series of stops in many countries before ending up somewhere. The two deeply disturbing aspects of this were that the computer security specialists could not stop the data from being stolen, even when they knew about the problem, and no one was really sure where it all was going (although some people later publicly attributed the attack to Russians). Every time new defenses were put in place, the attacker beat them. Then, one day, the attacks stopped. Or, more likely, they started attacking in a way we could not see.

  Early in 2000, when we were still glowing from our success in avoiding a Y2K problem, a number of the new Internet commerce sites (AOL, Yahoo, Amazon, E-Trade) crashed from what I was told was a DDOS, a term new to most people in 2000. This was the first “big one,” hitting numerous companies simultaneously and knocking them down. The motive was hard to discern. There were no monetary demands, nor was there a real political message. Somebody seemed to be trying out the concept of covertly taking over lots of people’s computers and secretly using them to attack. (That somebody later turned out to be a busboy from Montreal.) I saw the DDOS as an opportunity to have the government remind the private sector that they needed to take cyber attacks seriously.

  President Clinton agreed to host the leaders of the companies that had been attacked as well as other CEOs from important infrastructures and from the IT industry. It was the first presidential White House meeting with private-sector leadership concerning a cyber attack. It was also the last, thus far. Although it was a remarkably detailed and frank meeting, eye-opening for many, it essentially resulted in everyone agreeing to work harder on the problem.

  In 2001, the new Bush Administration got a taste of the problem when the Code Red worm infected over 300,000 computers in a few hours and then turned them all into zombies programmed to launch a DDOS attack on the White House webpage. I was able to distribute the White House website onto 20,000 servers using a company called Akamai and thereby avoided the effects of the attack (we also persuaded some of the major ISPs to divert the attack traffic). Cleaning up the infected computers turned out to be a harder job. Many companies and individuals could not be bothered to remove the worm software, despite its repeated disruptive effects on the Internet. Nor did we have any ability to deny those machines access to the Internet, even though they were pumping out malware on a regular basis. In the days after the 9/11 terrorist attack, another, more serious worm spread quickly. The NIMDA (Admin spelled backward) worm was targeted at computers running in the most well secured private-sector industry vertical, the financial industry. Despite their sophisticated security, many banks and Wall Street firms were knocked offline.

  CYBER SECURITY GETS BUSHED

  The Bush Administration took some convincing that cyber security was an important problem, but agreed by the summer of 2001 to set up a separate office in the White House to handle its coordination (Executive Order 13231). I ran that office as Special Advisor to the President for Cybersecurity from the autumn of 2001 to early 2003. Most of the rest of the Bush White House (the Science Advisor, the Economic Advisor, the Budget Director) sought to limit the authority of the new cyber security position.

  Unfazed by that, my team took the Clinton National Plan and modified it based on input from twelve industry teams we established and from citizen input at ten town halls held around the country. (The kind of crowd that shows up for a cyber security town hall is, thankfully, more civilized than the nut jobs who showed up in 2009 at health-care town halls.) The result was the National Strategy to Secure Cyberspace, which Bush signed in February 2003. Substantively, there was little difference between the Clinton and Bush approaches, except that the Republican administration not only continued to eschew regulation, they downright hated the idea of the federal government issuing any new regulations on anything at all. Bush left jobs vacant for long periods at several regulatory commissions and then appointed commissioners who did not enforce the regulations that did exist.

  Bush’s personal understanding and interest in cyber security early in his administration were best summed up by a question he asked me in 2002. I had gone to him in the Oval Office with news of a discovery of a pervasive flaw in software, a flaw that would allow hackers to run amok unless we could quietly persuade most major networks and corporations to fix the flaw. Bush’s only reaction was: “What does John think?” John was the CEO of a large information-technology company and a major donor to the Bush election committee.

  With the creation of the Department of Homeland Security, I had thought there would be an opportunity to take many of the scattered entities working on cyber security and merge them into one center of excellence. As a result, some cyber security offices from the Commerce Department, FBI, and DoD were brought together in Homeland. The sum turned out to be much less than the parts, as many of the best people in the merged offices took the opportunity to leave government. When I also took my exit from the Bush Administration shortly before it began the disastrous Iraq War, the White House chose not to replace me as Special Advisor. The most senior official in government charged with coordinating cyber security was then in an office buried several layers down in what was turning into the most dysfunctional department in government, DHS. Several very good people tried to make that job work, but each one quit in frustration. The media began talking about the “cyber czar of the week.” The high-level private-sector focus on the issue we had achieved faded.

  Four years later, Bush made a decision much more quickly than his staff had assumed he would. There was a covert action that the President had to approve personally. The President’s scheduler had booked an hour for the decision briefing. It took five minutes. Bush never saw a covert-action proposal he didn’t like. Now, with fifty-five minutes left in the meeting, the Director of National Intelligence, Mike McConnell, saw an opening. All the right people were in the room, senior national security cabinet members. McConnell asked if he could discuss a threat to the financial industry and the U.S. economy. Given the floor, he talked about cyber war and how vulnerable we were to it. Particularly vulnerable was the financial sector, which would not know how to recover from a data-shredding attack, an attack that could do unimaginable damage to the economy. Stunned, Bush turned to Treasury Secretary Hank Paulson, who agreed with the assessment.

  At this point, Bush, who had been sitting behind the large desk in the Oval Office, almost jumped in the air. He moved quickly to the front of the desk and began gesturing for emphasis as he spoke. “Information technology is supposed to be our advantage, not our weakness. I want this fixed. I want a plan, soon, real soon.” The result was the Comprehensive National Cybersecurity Initiative (CNCI) and National Security Presidential Decision 54. Neither has ever become public. Both documents call, appropriately enough, for a twelve-step plan. They focus, however, on securing the government’s networks. Oddly, the plan did not address the problem that had started the discussion in the Oval Office, the vulnerability of the financial sector to cyber war.

  Nonetheless, Bush requested $50 billion over five years for the Comprehensive National Cybersecurity Initiative, which is neither comprehensive nor national. The initiative is an effort to, in the words of one knowledgeable insider, “stop the bleeding” out of DoD and intelligence-community systems, with a secondary focus on the rest of the government. Also described as a multibillion-dollar “patch and pray program,” the initiative does not address vulnerabilities in the private sector, including in our critical infrastructures. That tougher problem was left to the next administration.

  The initiative was also supposed to develop an “information warfare deterrence strategy and declaratory doctrine.” That part has almost totally been put on hold. In May 2008, the Senate Armed Services Committee criticized the initiative’s secrecy in a public report, with the comment that “it is difficult to conceive how the United States could promulgate a meaningful deterrence doctrine if every aspect of our capabilities and operational concepts is classified.” Reading that, I could not help but think of Dr. Strangelove when, in the movie of the same name, he berates the Soviet Ambassador for Moscow’s keeping the existence of its nuclear-deterrent Doomsday Machine a secret: “Of course, the whole point of a Doomsday Machine is lost if you keep it a secret! Why didn’t you tell the world?” The reason we are keeping our cyber deterrence strategy secret is probably that we do not have a good one.

  OBAMA’S OVERFLOWING PLATE

  It was another vulnerability of the financial sector, brought on as a result of industry successfully lobbying against government regulation, that Barack Obama was forced to focus on when he became President in 2009. The subprime-mortgage meltdown and the complex dealings in the derivatives markets had created the worst financial crisis since 1929. With that, in addition to the war in Iraq, the war in Afghanistan, threatening flu pandemics, health-care reform, and global warming all requiring his attention, Obama did not focus on cyber security. He had, however, addressed the issue during the 2008 campaign. Although I had signed on to the campaign as a terrorism advisor, I used that access to pester the candidate and his advisors about cyber war. It was not surprising to me that Obama “got” the issue, since he was running the most technologically advanced, cyber-dependent presidential campaign in history.
