Cyber War: The Next Threat to National Security and What to Do About It

by Richard A. Clarke


  The second prong of a Defensive Triad is a secure power grid. The simplest way to think about this idea is to ask, as some have, why the hell is the power grid connected to cyberspace at all, anyway? Without electricity, most other things we rely on do not work, or at least not for long. The easiest thing a nation-state cyber attacker could do today to have a major impact on the U.S. would be to shut down sections of the Eastern or Western Interconnects, the two big grids that cover the U.S. and Canada. (Texas has its own, third, grid). Backup power systems are limited in duration and notorious for not coming on when needed (as happened at my house last night when a lightning storm hit the rural power net, creating a localized blackout. My automatic starting generator sat there like an oversized door stop). Could those three North American power-sharing systems, composed of hundreds of generation and transmission companies, be secured?

  Yes, but not without additional federal regulation. That regulation would be focused on disconnecting the control network for the power generation and distribution companies from the Internet and then making access to those networks require authentication. It would really not be all that expensive, but try telling that to the power companies. When asked what assets of theirs were critical and should be covered by cyber security regulations, the industry replied that 95 percent of their assets should be left unregulated with regard to cyber security. One cyber security expert who works with the major cyber security auditing firms said he asked each audit firm that had worked with power companies if they had been able in their audits to get to the power grid controls from the Internet. All six firms said they had. How long did it take them? None had taken longer than an hour. That hour was spent hacking into the company’s public website, then from there into the company’s intranet, then through “the bridge” they all have to their control systems. Some audits cut the time by hacking into the Internet-based phones (voice over Internet protocol, or VOIP, phones) that were sitting in the control rooms. These phones are by definition connected to the Internet; that’s how they connect to the telephone network. If they are in the control room, they are also probably connected to the network that runs the power system. Good thinking, huh? Oh, it gets better. In some places the commands to electrical grid components are sent in the clear (that is, unencrypted) via radio, including microwave. Just sit nearby, transmit on the same frequency with more energy in your signal than the power company is using, and you are giving the commands (if you know what the command software looks like).

  The Federal Energy Regulatory Commission (FERC) promises that in 2010 it really will start penalizing power companies that do not have secure cyber systems. What they have not said is how the Commission will know who is in violation, since the FERC doesn’t have the staff to regularly inspect. The U.S. Department of Energy, however, has hired two cyber security experts to determine if the $3.4 billion in Smart Grid grants are going to new programs that are adequately secured. Smart Grid is the Obama Administration’s idea to make the power grid even more integrated and digitized. Power companies can ask for some of that money by submitting proposals to the Energy Department. When they do, the two experts will read the proposals to see if there is a section somewhere that says “cyber security.” The Energy Department refuses to say who the two experts are or what they will be looking for in the “cyber security” section of the grant proposal. There are no publicly available standards. One idea for a standard might be that the taxpayers don’t give any of the $3.4 billion in Smart Grid money to companies that haven’t secured their current systems. Don’t expect the Energy Department to use that standard anytime soon, because that would mean taking advantage of this unique federal giveaway program to incentivize people to make things more secure. That smacks of regulation, which, of course, is just like socialism, which is un-American. So, we will soon have a more digital Smart Grid, which will also be a Less Secure Grid. How could we make the U.S. national electrical system a Smart and Secure Grid?

  The first step in that direction would be issuing and enforcing serious regulations to require electric companies to make it next to impossible to obtain unauthorized access to the control network for the power grid. That would mean no pathway at all from the Internet to the control system. In addition, the same kind of deep-packet inspection boxes I proposed placing on the Internet backbone could be placed on the points where the control systems link to the power companies’ intranets. Then, just to make things even harder for an attacking cyber warrior, we could require that the actual control signals sent to generators, transformers, and other key components be both encrypted and authenticated. Encrypting the signals would mean that even if you could hack your way in and try to give an instruction to a generator, you would not have the secret code to do so. Authenticating the commands would mean that through a proof of identity procedure, or electronic “handshake,” the generator or transformer would know for sure that the command signal it was getting was coming from the right place. Because some parts of the grid might still be taken over by a nation-state hacker, certain key sections should have a backup communication system for sending command and control signals so that they could restore service.
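The encrypt-and-authenticate design described above, as an added example that is not from the book and not any utility's actual control protocol: each command frame carries a sequence number, is encrypted with a keystream derived from a pre-shared key, and is authenticated with an HMAC under a second pre-shared key, so a receiver can tell a genuine command from a forged, tampered or replayed one. The keys, the JSON command format and the "breaker-7" device name are constructed for the demo; the HMAC-based keystream stands in for a standard cipher such as AES-GCM so the block runs with only the Python standard library. It goes one step beyond the paragraph by also rejecting replayed frames, which plain encryption and authentication do not prevent on their own.

```python
import hashlib
import hmac
import json
import struct
from typing import Optional

HEADER_LEN = 8   # 64-bit sequence number, big-endian
TAG_LEN = 32     # HMAC-SHA256 tag


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """PRF in counter mode: HMAC(enc_key, seq || block_index), truncated to length.
    The sequence number is never reused, so every frame gets a fresh keystream."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


class CommandChannel:
    """One endpoint of a control link; both ends hold the same two keys."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.next_seq = 1   # sender side: next sequence number to emit
        self.last_seq = 0   # receiver side: highest sequence number accepted so far

    def seal(self, command: dict) -> bytes:
        """Encrypt-then-MAC: header || ciphertext || tag."""
        seq = self.next_seq
        self.next_seq += 1
        plaintext = json.dumps(command, sort_keys=True).encode()
        ks = _keystream(self.enc_key, seq, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        header = struct.pack(">Q", seq)
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag

    def unseal(self, frame: bytes) -> Optional[dict]:
        """Return the command, or None if the frame is forged, tampered or replayed."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None
        header, ciphertext, tag = frame[:HEADER_LEN], frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None   # wrong key or modified bytes: the "handshake" fails
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            return None   # already seen: a captured frame being replayed
        self.last_seq = seq
        ks = _keystream(self.enc_key, seq, len(ciphertext))
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, ks))
        try:
            return json.loads(plaintext)
        except ValueError:
            return None


def run_demo() -> dict:
    """Exercise the channel with one genuine frame and three hostile ones."""
    # Constructed demo keys; a real deployment would provision these from a key-management system.
    enc_key = hashlib.sha256(b"constructed demo encryption key").digest()
    mac_key = hashlib.sha256(b"constructed demo authentication key").digest()
    control_room = CommandChannel(enc_key, mac_key)
    substation = CommandChannel(enc_key, mac_key)

    command = {"device": "breaker-7", "action": "open"}   # constructed command
    frame = control_room.seal(command)
    results = {"genuine": substation.unseal(frame)}

    # Replay: the identical frame captured and sent again.
    results["replayed"] = substation.unseal(frame)

    # Tampering: flip one bit of the ciphertext; the tag no longer matches.
    tampered = bytearray(frame)
    tampered[HEADER_LEN] ^= 0x01
    results["tampered"] = substation.unseal(bytes(tampered))

    # Forgery: a sender without the real keys cannot produce a valid tag.
    impostor = CommandChannel(b"\x00" * 32, b"\x11" * 32)
    results["forged"] = substation.unseal(impostor.seal(command))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:9s} -> {'accepted ' + str(outcome) if outcome else 'rejected'}")
```

The receiver checks the tag before it looks at anything else in the frame, so a tampered or forged message is dropped without being decrypted or parsed; the monotonic sequence check then handles replay. Each direction of a real link would use its own key pair and counter so that frames from the substation back to the control room cannot be reflected as commands.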

  Many people dismiss the significance of an attack on the power grid. As one senior U.S. government official said to me, “Power blackouts take place all the time. After a few hours, the lights come back.” Maybe not. The power comes back after a few hours when what has caused it to fail is a lightning storm. If the failure is the result of intentional activity, it will likely be a much longer blackout. In what is known as the “Repeated Smackdown Scenario,” cyber attacks take down the power grid, and keep it down for months.

  If the attacks destroy generators, as in the Aurora tests, replacing them can take up to six months, because each must be custom built. Having an attack take place in many locations simultaneously, and then happen again when the grid comes back up, could cripple the economy by halting the distribution of food and other consumer goods, shutting down factories, and forcing the closure of financial markets.

  Do we really need improved regulation? Should we force power companies to spend more to secure their networks? Is the need real? Let’s ask the head of U.S. Cyber Command, General Keith Alexander, the man whose cyber warriors would attack other nations’ electric grids. Knowing what he knows he can do to others, does the General think we need to do more to protect our own power grid? That’s essentially what he was asked in a congressional hearing in 2009. He replied, “So the power companies are going to have to go out and change the configuration of their networks…. [T]o upgrade their networks to make sure they are secure is a jump in cost for them…. And now you’re going to have to work through their regulatory committees to get the rate increases so that they can actually secure their networks…. [H]ow does government, because we’re interested in perhaps having reliable power, how do we ensure that that happens as a critical infrastructure?” It was a little rambling, but General Alexander seemed to be saying that power companies need to reconfigure so we can have secure, reliable electricity, that this may mean they have to spend more, and that the regulatory organizations will have to help make that happen. He’s right.

  The third prong of the Defensive Triad is Defense itself, as in the Department of Defense. There is little chance that a nation-state would stage a major cyber attack against the U.S. without trying to cripple DoD in the process. Why? While a nation-state actor might try to cripple our country and our will by destroying private-sector systems like the power grid, pipelines, transportation, or banking, it is hard to imagine such actions coming as a bolt from the blue. Cyber attacks would only likely come in a period of heightened tensions between the U.S. and the attacker nation. In such an atmosphere, the attacker would probably already fear the possibility of conventional, or kinetic, action by the U.S. military. Moreover, if an opponent were going to hit us with a large cyber attack, they would have to assume that we might respond kinetically. A cyber attack on the U.S. military would likely concentrate on DoD’s networks.

  For simplicity, let’s say that there are basically three DoD networks. The first, NIPRNET, is the unclassified intranet. Systems on that network use the dot-mil addresses. The NIPRNET connects to the public Internet at sixteen nodes. While it is unclassified data that moves on NIPRNET, unclassified does not mean unimportant. Most logistical information, like supplying Army units with food, is on the NIPRNET. Most U.S. military units cannot sustain themselves for long without support from private-sector companies, and most of that communication goes through the NIPRNET.

  The second DoD network is called SIPRNET and is used to pass secret-level classified information. Many military orders are transmitted over the SIPRNET. There is supposed to be an “air gap” between the unclassified and secret-level networks. Users of the classified network download things from the Internet and upload them to the SIPRNET, thus sometimes passing malware along unknowingly. Pentagon information security specialists call this problem the “sneakernet threat.”

  In November 2008, a Russian-origin piece of spyware began looking around cyberspace for dot-mil addresses, the unclassified NIPRNET. Once the spyware hacked its way into NIPRNET computers, it began looking for thumb drives and downloaded itself onto them. Then the “sneakernet effect” kicked in. Some of those thumb drives were then inserted by their users into classified computers on the SIPRNET. So much for the air gap. Because the secret network is not supposed to be connected to the Internet, it is not supposed to get viruses or worms. Therefore, most of the computers on the network had no antivirus protection, no desktop firewalls or similar security software. In short, computers on DoD’s most important network had less protection than you probably have on your home computer.

  Within hours, the spyware had infected thousands of secret-level U.S. military computers in Afghanistan, Iraq, Qatar, and elsewhere in the Central Command. Within a few more hours, the highest-ranking U.S. military officer, Admiral Mike Mullen, the Chairman of the Joint Chiefs of Staff, was realizing how vulnerable his military really was. According to a high-ranking Pentagon source, Mullen screamed, “You mean to tell me that I can’t rely on our operational network?” at the network specialists briefing him. The network experts on the Joint Staff acknowledged the Admiral’s conclusion. They did not seem surprised; hadn’t he known that already? Horrified at a huge weakness that Majors and Captains seemed to take for granted, but which had been kept from him, Mullen looked around for a senior officer. “Where’s the J-3?” he demanded, looking for the Director of Operations. “Does he know this?”

  Shortly thereafter, Mullen and his boss, Secretary of Defense Robert Gates, were explaining their discovery to President Bush. The SIPRNET was probably compromised. The netcentric advantage the U.S. military thought it enjoyed might just prove to be its Achilles’ heel. Perhaps Mullen should not have been surprised. There are over 100,000 SIPRNET terminals around the world. If you can get time alone with one terminal for a few minutes, you can upload malware or run a covert connection to the Internet. One friend of mine described a SIPRNET terminal in the Balkans that a Russian “peacekeeper” could easily get to without being observed. Just as in World War II, when the Allies needed only one German Enigma code machine in order to break the Nazis’ encryption, so, too, if one SIPRNET terminal is compromised, can malware be inserted that could affect the entire network. Several experts who worked on SIPRNET security-related issues confirmed to me the scary conclusion. As one said, “You got to assume that it’s not going to work when we need it.” He explained that if, in a crisis, that command and control network were brought down by an enemy, or, worse, if the enemy issued bogus commands, “the U.S. military would be severely disadvantaged.” That’s putting it mildly.

  The third major DoD network is the Top Secret/Sensitive Compartmented Information (TS/SCI) network called JWICS. This more limited network is designed to pass along intelligence information to the military. Its terminals are in special highly secured rooms known as Secret Compartmentalized Information Facilities, or SCIFs. People also refer to those rooms as “the vault.” Access to these terminals is more restricted because of their location, but the information flowing on the network still has to go across fiber-optic cables and through routers and servers, just as with any other network. Routers can be attacked to cut communications. The hardware used in computers, servers, routers, and switches can all be compromised at the point of manufacture or later on. Therefore, we cannot assume that even this network is reliable.

  Under the CNCI plan, DoD is embarked on an extensive program to upgrade security on all three kinds of networks. Some of what is being done is classified, much of it is expensive, and some of it will take a long time. A real possibility is the use of high-bandwidth lasers to carry communications to and from satellites. Assuming the satellites were secure from hacking, such a system would reduce the vulnerabilities associated with fiber-optic cable and routers strung out around the world. There are, however, a few important design concepts using currently available technology that should be included in the DoD upgrade program quickly, and they are not budget busters:

  in addition to protecting the network itself, guard the end points; install desktop firewalls and antivirus and intrusion-prevention software on all computers on all DoD networks, whether or not they are connected to the Internet;

  require all users on all DoD networks to prove who they are when they sign on through at least two factors of authentication;

  segment the networks into subnets with limited “need to know” access rules for connecting out of the subnets;

  go beyond the current limited practice of bulk encrypting, which scrambles all traffic as it moves on trunk fiber cables, and encrypt all files on all computers, including data at rest in data-storage servers;

  monitor all networks for new unauthorized connections to the network, automatically shutting off unknown devices.
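The last design concept in the list, watching for new connections and cutting off devices that are not known, as an added example that is not from the book and not any DoD tool: it assumes a constructed switch log format (one link-up event per line) and a constructed allowlist that maps each approved device's MAC address to the switch port it is expected on. Unknown devices, and approved devices that show up on the wrong port, are marked for port shutdown; the returned actions are what a network access control system would then enforce.

```python
import re
from typing import Dict, List

# Constructed log format (an assumption for this example); real switch syslog differs.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) port=(?P<port>\S+) "
    r"mac=(?P<mac>[0-9a-f:]{17}) event=link-up$",
    re.IGNORECASE,
)

# Constructed allowlist: approved device MAC -> "switch/port" it is expected on.
APPROVED_DEVICES: Dict[str, str] = {
    "00:1b:21:aa:bb:01": "sw-ops-01/Gi1/0/12",
    "00:1b:21:aa:bb:02": "sw-ops-01/Gi1/0/13",
}

# Constructed sample events: an approved device on its port, an approved device
# on a different port, an unknown device, a second appearance of the first MAC
# on yet another port, and a link-down line the parser should ignore.
SAMPLE_LOG = """\
2009-11-20T03:14:07Z sw-ops-01 port=Gi1/0/12 mac=00:1b:21:aa:bb:01 event=link-up
2009-11-20T03:15:11Z sw-ops-01 port=Gi1/0/05 mac=00:1b:21:aa:bb:02 event=link-up
2009-11-20T03:16:42Z sw-ops-01 port=Gi1/0/20 mac=00:50:56:de:ad:01 event=link-up
2009-11-20T03:17:00Z sw-ops-01 port=Gi1/0/21 mac=00:1b:21:aa:bb:01 event=link-up
2009-11-20T03:18:00Z sw-ops-01 port=Gi1/0/22 event=link-down
"""


def triage_events(log_text: str, approved: Dict[str, str]) -> List[dict]:
    """Decide, per link-up event, whether the device may stay or its port is shut."""
    actions = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a link-up event, nothing to decide
        location = f"{m['switch']}/{m['port']}"
        mac = m["mac"].lower()
        expected = approved.get(mac)
        if expected is None:
            decision, reason = "shutdown", "unknown device"
        elif expected != location:
            # A known MAC on the wrong port is either a moved device or a spoofed address;
            # both are treated as unauthorized until someone verifies them.
            decision, reason = "shutdown", f"approved device expected on {expected}"
        else:
            decision, reason = "allow", "approved device on expected port"
        actions.append({"time": m["ts"], "location": location, "mac": mac,
                        "decision": decision, "reason": reason})
    return actions


def ports_to_disable(actions: List[dict]) -> List[str]:
    """The distinct switch ports the NAC system should administratively disable."""
    return sorted({a["location"] for a in actions if a["decision"] == "shutdown"})


if __name__ == "__main__":
    acts = triage_events(SAMPLE_LOG, APPROVED_DEVICES)
    for a in acts:
        print(f"{a['time']} {a['location']:22s} {a['mac']} {a['decision']:8s} ({a['reason']})")
    print("disable:", ", ".join(ports_to_disable(acts)))
```

An allowlist keyed on MAC address alone is easy to spoof, which is why the check also pins each device to its expected port; a production deployment would add certificate-based authentication of the device itself and feed the shutdown list to the switches rather than only printing it.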

  Even if its networks are secure, DoD runs the risk that the software and/or hardware it has running its weapons systems may be compromised. We know the plans for the new F-35 fighter were stolen by a hack into a defense contractor. What if the hacker also added to the plans, perhaps a hidden program that causes the aircraft to malfunction in the air when it receives a certain command that could be radioed in from an enemy fighter? Logic bombs like that can be hidden in the millions of lines of code on the F-35, or in the many pieces of firmware and computer hardware that run the aircraft. As one pilot told me, “Aircraft these days, whether it’s the F-22 Raptor or the Boeing 787…all they are is a bunch of software that happens to be flying through the air. Mess with the software and it stops flying through the air.” I thought of the Air France Airbus that crashed in the South Atlantic because its computer made a wrong decision.

  The computer chips U.S. weapons use, as well as some of the computers or their components, are made in other countries. DoD’s most ubiquitous operating system is Microsoft Windows, which is developed around the world on development networks that have proven vulnerable in the past. This supply-chain concern is not easily or quickly solved. It is one of the areas that the 2008 Bush plan focused on. New chip factories, or fabs, are being built in the U.S. Some private-sector companies are developing software to check other software for bugs. In addition to adding quickly to the security of its networks, one of the most important things the Pentagon could do would be to develop a rigorous standards, inspection, and research program to ensure that the software and hardware being used in key weapons systems, in command control, and in logistics are not laced with trapdoors or logic bombs.

  So that’s the Defensive Triad strategy. If the Obama Administration and the Congress were to agree to harden the Internet backbone, separate and secure the controls for the power grid, and vigorously pursue security upgrades for Defense IT systems, we could cast doubt in the minds of potential nation-state attackers about how well they would do in launching a large-scale attack against us. And even if they did attack, the Defensive Triad could mitigate the effects. It is admittedly difficult to measure the financial cost of these programs at this point in their development, but in terms of implementation difficulty, they could all be phased in over five years. If implemented with the thought in mind that we want to be able to derive some benefit from the improvements even before they are fully deployed, there could be a steady increase over those five years in the degree of difficulty for a nation-state thinking about cyber war against us. Unless and until this plan or some similar defensive strategy that includes the private-sector networks is implemented, being in a cyber war would probably not be good news for the United States.

  If we do the Defensive Triad, we will have the credibility to say some things that will add further to our ability to deter cyber attack. Sometimes just saying things, things that do not always cost money, can buy you added security, if you have credibility. The capstone of the triad is our “declaratory posture” toward those nation-states that would think about attacking us through cyberspace. A declaratory posture is a formally articulated statement of the policy and intention of the government. We do not have an authoritatively articulated policy today about how we would regard a cyber attack and what we would do in response. Some in the councils of a potential attacker could argue that the U.S. response to a cyber attack might be fairly minimal, or confused.

  We do not want to be in a situation similar to what John Kennedy found himself in after he discovered that there were nuclear-armed missiles in Cuba. He declared that any such missile fired by anyone (Russian or Cuban) from Cuba toward “any nation in this hemisphere would be regarded as an attack, by the Soviet Union, upon the United States, requiring a full retaliatory response.” Those words were chilling when I first heard them as a twelve-year-old; they remain so today. If the U.S. had said that before the missiles went to Cuba, the Kremlin might not have sent them.
