Cyber War: The Next Threat to National Security and What to Do About It
Unfortunately, one thing that is too often believed is that there is a threat from “cyber terrorism.” Cyber terrorism is largely a red herring and, in general, the two words “cyber” and “terrorism” should not be used in conjunction because they conjure up images of bin Laden waging cyber war from his cave. He probably can’t, at least not yet. (Moreover, he’s probably not in a cave, more likely a cushy villa.) Indeed, we do not have any good evidence that terrorists have ever staged cyber war attacks on infrastructure.
To date, terrorists haven’t so much attacked the Internet or used the Internet to attack physical systems as they have used it to plan and coordinate attacks on embassies, railroads, and hotels. They have also used the Internet to raise funds, recruit, and train. After al Qaeda lost their training grounds in Afghanistan following 9/11, much of what went on there shifted to the web. Training videos on how to build improvised explosive devices or how to stage beheadings were just as effective delivered over a remote learning system as they were at a remote training camp. The web kept terrorists from having to travel for training, which used to be a very good opportunity for international law enforcement to catch a would-be terrorist. Remote training also kept a bunch of terrorists from congregating in one place long enough for a cruise missile strike. While Internet training has been a huge danger, spawning “lone wolf” attacks by terrorists who never had any connection to al Qaeda central, what al Qaeda and other groups really excel at is using the Internet for propaganda. Producing videos of beheadings and spreading radical interpretations of the Koran across the Internet has allowed terrorist groups to reach a wide audience and to do so with relative anonymity.
While al Qaeda has thus far not been capable of staging a cyber attack, that could very well change. As with any developing technology, the cost and other barriers to entry are going down each year. Staging a devastating cyber attack would not require a major industrial effort like building a nuclear bomb. Understanding the control software for an electric grid, however, is not a widely available skill. It is one thing to find a way to hack into a network, and quite another to know what to do once you’re inside. A well-funded terrorist group might find a highly skilled hacker club that would do a cyber attack in return for a lot of money, but that has not happened to date. One of the reasons for that may simply be that most hackers think that al Qaeda members are crazy, dangerous, and un-trustworthy. When criminal hacker groups think of others that way, you know the real terrorists are pretty far out there.
5. MONEY TALKS
Another reason for inertia is that some people like things the way they are. Some of those people have bought themselves access. I mentioned earlier that George W. Bush’s first reaction when told of a possible cyber security crisis was to ask what a certain computer industry CEO who was one of his biggest campaign donors thought about it. You had probably already guessed that the Bush Administration was not interested in playing hardball with the private sector. The first Homeland Security Strategy of the United States, put out in 2003, reads like a conservative economic textbook on the power of the free market. You may be surprised, however, at how Democratic administrations have also been captured by these arguments. You might think that the new Democratic administration would be in favor of finally solving the market failure on cyber security by introducing some new regulation, but you would be wrong. To understand why, let’s go to a party.
It was a lavish affair. All the big names in Washington were there. Over 250 guests joined to celebrate the marriage of Melody Barnes to Marland Buckner. Barnes, President Obama’s domestic policy advisor, had known her husband-to-be for years before they started dating; their acquaintance goes back to her time on Capitol Hill, working for Ted Kennedy, and to his as Chief of Staff to Harold Ford, Jr., of Tennessee. After a short ceremony at the People’s Congregational United Church of Christ, the newlyweds and their guests retired to Washington’s Mellon Auditorium, which had been converted into a “South Beach–style” lounge, with hints of silver and a floral theme for each table that was heavy on orchids. The locally sourced, carbon-neutral menu featured short ribs, sea bass, and a selection of spring vegetables elegantly arranged in bento boxes, followed by sliders and fries to keep the guests’ energy up until they were released at some point after midnight.
What the New York Times Weddings and Celebrations reporter described as “a bevy of Obama Administration officials” in attendance included White House Chief of Staff Rahm Emanuel and Valerie Jarrett, a White House senior advisor and Assistant to the President for Intergovernmental Relations. My friend Mona Sutphen, Deputy Chief of Staff, danced the night away, as did former Clinton Chief of Staff John Podesta. Also in attendance, but not noted by the Times, were a bevy of Microsoft executives. Buckner, a former director of government affairs at the world’s largest software company and now an independent registered lobbyist, had also invited some friends. Since going out on his own in 2008, Buckner took in lobbying fees, more than a third of which were from Microsoft. It is too bad Mother Jones doesn’t do weddings. Their reporter might have noted that on that night, the Obama Administration was, quite literally, in bed with Microsoft.
Microsoft makes OpenSecrets.org’s top 30 list of “Heavy Hitters,” donating to political causes. While most of the organizations on that list are trade associations, Microsoft is one of only seven companies that make the cut. Of course, Microsoft was making up for lost time. Before the company’s battle with the Justice Department over antitrust issues in the late 1990s, the West Coast–based company wanted nothing more than to be left alone and stayed out of politics. Before 1998, Microsoft and its employees were little inclined to spend their stock options supporting East Coast politicians. That all changed when Clinton Administration lawyers argued that the marketing of Windows was intended to create a monopoly. Donations started pouring in from newly established political action committees and Microsoft employees alike. And in the years 1998 through 2002, the majority of that money went to Republicans. Then, in 2004, maybe disgusted by the war or maybe misunderestimating the Bush campaign, Microsoft began donating to Democrats at almost twice the rate it did to Republicans. In 2008, Microsoft beat those numbers, giving $2.3 million to Democrats and only $900,000 to Republicans.
Maybe Microsoft’s PACs and employees have good intentions, like so many Americans who donated money and time to the Obama campaign who wanted nothing more than to see Obama in office. Marland Buckner told a reporter for Media General News Service that he would “follow White House rules ‘to the letter’” to avoid any conflict of interest due to Barnes’s new job, and promised not to use his relationship with his spouse to attract clients. But Microsoft the corporation has an agenda that is very clear: don’t regulate security in the software industry, don’t let the Pentagon stop using our software no matter how many security flaws it has, and don’t say anything about software production overseas or deals with China.
Microsoft has vast resources, literally billions of dollars in cash, or liquid asset reserves. Microsoft is an incredibly successful empire built on the premise of market dominance with low-quality goods. For years, Microsoft’s operating system and applications, like its ubiquitous Internet browser, have been prepackaged on the computers we buy. Getting an alternative was a time-consuming and problematic task, until Apple began to open stores and advertise in the last decade.
To be fair, Microsoft did not originally intend its software to be running critical systems. Therefore, its goal was to get the product out the door fast and at a low cost of production. It did not originally see any point to investing in the kind of rigorous quality assurance and quality control processes that NASA insisted on for the software used in human space-flight systems. The problem is that people did start using Microsoft products in critical systems, from military weapons platforms to core banking and finance networks. They were, after all, much cheaper than custom-built applications.
Every once in a while there is a wave of government efficiency improvements that brings federal government agencies up to date with the cost-saving approaches being used in industry. One of them was called the COTS campaign. The idea was to use commercial off-the-shelf (COTS) software to replace specialized software that in the past the government would have ordered up. Throughout the Cold War, the Pentagon had led much of this country’s technological innovation. I remember being told that there were cameras without film that had been developed for the government. (I could not quite understand how that would work—until I bought one at Best Buy a decade later.) Only after military applications were developed did the technology eventually leak out for commercial use.
COTS stood that process on its head. Before the 1990s, most of the Pentagon’s software applications were purpose-built in-house or by a small number of trusted defense contractors. No two systems were alike, which was how the defense contractors wanted it. The systems they built were extremely expensive. They also made it very difficult for defense systems to work interoperably. The COTS movement reduced the costs and allowed the Pentagon to create interoperable systems because they all used the same computer languages and the same operating systems. More and more applications were developed. Sensor grids were netted together. The 5.5-million-computer Global Information Grid, or GIG, was created. Netcentric warfare provided a huge advantage for the U.S. military, but it also introduced a huge vulnerability.
COTS brought to the Pentagon all the same bugs and vulnerabilities that exist on your own computer. In 1997, the U.S. Navy found out just how dangerous it could be to rely on these systems for combat operations. The USS Yorktown, a Ticonderoga-class cruiser, was retrofitted as the test bed for the Navy’s “smart ship” program. The Yorktown had been outfitted with a network of twenty-seven Pentium-powered workstations all running Windows NT, all tied to a Windows server. The system controlled every aspect of ship operations, from bridge operations to fire control to engine speed. When the Windows system crashed, as Windows often does, the cruiser became a floating i-brick, dead in the water.
In response to the Yorktown incident and a legion of other failures of Windows-based systems, the Pentagon began to look at Unix and the related Linux systems for critical operations. Linux is an open-source system. What that means is that the computer code for the operating system can be viewed and edited by the user. With Windows (and most other commercial software), the source code is considered to be proprietary and is heavily guarded. Open source had a number of advantages for the Pentagon. First, Pentagon programmers and defense contractors could customize the software to make it operate the way they wanted. They could slice and dice the code to eliminate parts of the operating system that they did not need and that could introduce bugs into the system. Second, after reducing the size of the operating system, they could then run what the software industry refers to as “tools” on the remaining lines of code to try and identify bugs, malicious code, and other vulnerabilities.
Microsoft went on the warpath against Linux to slow the adoption of it by government agencies, complete with appearances before congressional committees, including by Bill Gates. Nonetheless, because there were government agencies using Linux, I asked NSA to do an assessment of it. In a move that startled the open-source community, NSA joined that community by publicly offering fixes to the Linux operating system that would improve its security. Microsoft gave me the very clear impression that if the U.S. government promoted Linux, Microsoft would stop cooperating with the U.S. government. While that did not faze me, it may have had an effect on others. Microsoft’s software is still being bought by most federal agencies, even though Linux is free.
The banking and finance industry also started to look at open-source alternatives after the repeated failure of Microsoft systems had cost the finance industry hundreds of millions a year. In 2004, a banking industry group, the Financial Services Roundtable, sent a delegation of computer security specialists from the banks to Redmond, Washington, to confront Microsoft. They demanded access to the secret Microsoft code. They were denied. They demanded to see the quality-assurance standards Microsoft used so that they could compare them with other software companies. They were denied. Microsoft’s position with the U.S. banks is in contrast to the program the company had announced in 2003 whereby, pursuant to agreement, Microsoft would provide participating national and international bodies access to its Windows source code, a move designed to address concerns about the security of its operating system. Russia, China, NATO, and the United Kingdom were early participants.
The banks threatened to start using Linux. Microsoft told them the conversion to Linux would be very expensive for them. Moreover, the next version of Windows was being developed under the code name Longhorn. Longhorn would be much better. Longhorn became Vista. Vista went to market later than expected, delayed by flaws discovered in Microsoft’s expanded tests program. When Vista was sold, many corporate users experienced problems. Word spread and many companies decided not to buy the new system. Microsoft suggested that it would stop providing support for some of its older systems, forcing customers to upgrade.
Microsoft insiders have admitted to me that the company really did not take security seriously, even when they were being embarrassed by frequent highly publicized hacks. Why should they? There was no real alternative to its software, and they were swimming in money from their profits. When Linux appeared, and later when Apple started to compete directly, Microsoft did take steps to improve its quality. What they did first, however, was to employ a lot of spokesmen to go to conferences, to customers, and to government agencies lobbying against moves to force improvements in security. Microsoft can buy a lot of spokesmen and lobbyists for a fraction of the cost of creating more secure systems. They are one of several dominant companies in the cyber industry for whom life is good right now and change may be bad.
6. NO, I THOUGHT YOU WERE DOING IT
Change, however, is coming. Like the United States, more and more nations are establishing offensive cyber war organizations. U.S. Cyber Command also has a defensive mission, to defend the Department of Defense. Who defends the rest?
As it stands now, the Department of Homeland Security defends the non-DoD part of the federal government. The rest of us are on our own. There is no federal agency that has the mission to defend the banking system, the transportation networks, or the power grid from cyber attack. Cyber Command and DHS think that by defending their government customers they may coincidentally help the private sector a little, maybe. The government thinks it is the responsibility of individual corporations to defend themselves from cyber war. Government officials will tell you that the private sector wants it that way, wants to keep the government out of their systems. After all, they are right that no one in government would know how to run a big bank’s networks, or a railroad’s, or a power grid’s.
When you talk to CEOs and the other C-level types in big companies (chief operating officers, chief security officers, chief information officers, chief information security officers), they all say pretty much the same things: we will spend enough on computer security to protect against the day-to-day threat of cyber crime. We cannot, they say, be expected to know how to, or spend the money to, defend against a nation-state attack in a cyber war. Then they usually add words to the effect of, “Defending against other nations’ militaries is the government’s job, it’s what we pay taxes for.”
At the beginning of the era of strategic nuclear war capability, the U.S. deployed thousands of air defense fighter aircraft and ground-based missiles to defend the population and the industrial base, not just to protect military facilities. Every major city was ringed with Nike missile bases to shoot down Soviet bombers. At the beginning of the age of cyber war, the U.S. government is telling the population and industry to defend themselves. As one friend of mine asked, “Can you imagine if in 1958 the Pentagon told U.S. Steel and General Motors to go buy their own Nike missiles to protect themselves? That’s in effect what the Obama Administration is saying to industry today.”
On this fundamental issue of whose job it is to defend America’s infrastructure in a cyber war, the government and industry are talking past each other. As a result, no one is defending the likely targets in a cyber war, at least not in the U.S. In other countries, some of whom might be cyber war adversaries someday, the defense part of cyber war might be doing a little better than it is here.
THE CYBER WAR GAP
We noted earlier that the U.S. may have the most sophisticated and complex cyber war capability, followed soon thereafter by Russia. China and perhaps France are in a close second tier, but over twenty nations have some capability, including Iran and North Korea. Whether or not this ranking is accurate, it is widely believed by cyber warriors. So, one can almost imagine the American geek fighters sitting around after work in some secure location drinking their Red Bulls and chanting “U-S-A, U-S-A,” as at the Olympics, or “We’re Number One!” as at a high school football game. (My high school was so nerdy we chanted “Sumus Primi!”) But are we really number one? That obviously depends upon what criteria you employ.
In cyber offensive capability, the United States probably would rank first if you could develop an appropriate contest. But there is more to cyber war than cyber offensive. There is also cyber dependence, the degree to which a nation relies upon cyber-controlled systems. In a two-way cyber war, that matters. As I discovered when I asked for a cyber war plan to go after Afghanistan in 2001, there are sometimes no targets for cyber warriors. In a two-way cyber war, that gives Afghanistan an advantage of sorts. If they had any offensive cyber capability (they didn’t), the cyber war balance would have shifted in an interesting way. There is also the issue of whether a nation can defend itself from cyber war. Obviously, Afghanistan can protect itself just by being there and having no networks, but theoretically a nation may have networks and, unlike us, be able to protect them. Cyber defense capability is also, therefore, a criterion: Can a nation shut off its cyber connectivity to the rest of the world, or spot cyber attacks coming from inside its geographical boundaries and stop them?