[Infowarrior] - U.S. Plans Attack and Defense in Cyberspace Warfare

Richard Forno rforno at infowarrior.org
Tue Apr 28 10:44:14 UTC 2009


April 28, 2009
U.S. Plans Attack and Defense in Cyberspace Warfare
By DAVID E. SANGER, JOHN MARKOFF and THOM SHANKER


http://www.nytimes.com/2009/04/28/us/28cyber.html?_r=1&hp=&pagewanted=print

This article was reported by David E. Sanger, John Markoff and Thom  
Shanker and written by Mr. Sanger.

When American forces in Iraq wanted to lure members of Al Qaeda into a  
trap, they hacked into one of the group’s computers and altered  
information that drove them into American gun sights.

When President George W. Bush ordered new ways to slow Iran’s progress  
toward a nuclear bomb last year, he approved a plan for an  
experimental covert program — its results still unclear — to bore into  
their computers and undermine the project.

And the Pentagon has commissioned military contractors to develop a  
highly classified replica of the Internet of the future. The goal is  
to simulate what it would take for adversaries to shut down the  
country’s power stations, telecommunications and aviation systems, or  
freeze the financial markets — in an effort to build better defenses  
against such attacks, as well as a new generation of online weapons.

Just as the invention of the atomic bomb changed warfare and  
deterrence 64 years ago, a new international race has begun to develop  
cyberweapons and systems to protect against them.

Thousands of daily attacks on federal and private computer systems in  
the United States — many from China and Russia, some malicious and  
some testing chinks in the patchwork of American firewalls — have  
prompted the Obama administration to review American strategy.

President Obama is expected to propose a far larger defensive effort  
in coming days, including an expansion of the $17 billion, five-year  
program that Congress approved last year, the appointment of a White  
House official to coordinate the effort, and an end to a running  
bureaucratic battle over who is responsible for defending against  
cyberattacks.

But Mr. Obama is expected to say little or nothing about the nation’s  
offensive capabilities, on which the military and the nation’s  
intelligence agencies have been spending billions. In interviews over  
the past several months, a range of military and intelligence  
officials, as well as outside experts, have described a huge increase  
in the sophistication of American cyberwarfare capabilities.

Because so many aspects of the American effort to develop cyberweapons  
and define their proper use remain classified, many of those officials  
declined to speak on the record. The White House declined several  
requests for interviews or to say whether Mr. Obama as a matter of  
policy supports or opposes the use of American cyberweapons.

The most exotic innovations under consideration would enable a  
Pentagon programmer to surreptitiously enter a computer server in  
Russia or China, for example, and destroy a “botnet” — a potentially  
destructive program that commandeers infected machines into a vast  
network that can be clandestinely controlled — before it could be  
unleashed in the United States.

Or American intelligence agencies could activate malicious code that  
is secretly embedded on computer chips when they are manufactured,  
enabling the United States to take command of an enemy’s computers by  
remote control over the Internet. That, of course, is exactly the kind  
of attack officials fear could be launched on American targets, often  
through Chinese-made chips or computer servers.

So far, however, there are no broad authorizations for American forces  
to engage in cyberwar. The invasion of the Qaeda computer in Iraq  
several years ago and the covert activity in Iran were each  
individually authorized by Mr. Bush. When he issued a set of  
classified presidential orders in January 2008 to organize and improve  
America’s online defenses, the administration could not agree on how  
to write the authorization.

A principal architect of that order said the issue had been passed on  
to the next president, in part because of the complexities of cyberwar  
operations that, by necessity, would most likely be conducted on both  
domestic and foreign Internet sites. After the controversy surrounding  
domestic spying, Mr. Bush’s aides concluded, the Bush White House did  
not have the credibility or the political capital to deal with the  
subject.

Electronic Vulnerabilities

Cyberwar would not be as lethal as atomic war, of course, nor as  
visibly dramatic. But when Mike McConnell, the former director of  
national intelligence, briefed Mr. Bush on the threat in May 2007, he  
argued that if a single large American bank were successfully attacked  
“it would have an order-of-magnitude greater impact on the global  
economy” than the Sept. 11, 2001, attacks. Mr. McConnell, who left  
office three months ago, warned last year that “the ability to  
threaten the U.S. money supply is the equivalent of today’s nuclear  
weapon.”

The scenarios developed last year for the incoming president by Mr.  
McConnell and his coordinator for cybersecurity, Melissa Hathaway,  
went further. They described vulnerabilities including an attack on  
Wall Street and one intended to bring down the nation’s electric power  
grid. Most were extrapolations of attacks already tried.

Today, Ms. Hathaway is the primary author of White House cyberstrategy  
and has been traveling the country talking in vague terms about  
recent, increasingly bold attacks on the computer networks that keep  
the country running. Government officials will not discuss the details  
of a recent attack on the air transportation network, other than to  
say the attack never directly affected air traffic control systems.

Still, the specter of an attack that could blind air traffic  
controllers and, perhaps, the military’s aerospace defense networks  
haunts military and intelligence officials. (The saving grace of the  
air traffic control system, officials say, is that it is so old that  
it is not directly connected to the Internet.)

Studies, with code names like Dark Angel, have focused on whether  
cellphone towers, emergency-service communications and hospital  
systems could be brought down, to sow chaos.

But the theoretical has, at times, become real.

“We have seen Chinese network operations inside certain of our  
electricity grids,” said Joel F. Brenner, who oversees  
counterintelligence operations for Dennis Blair, Mr. McConnell’s  
successor as national intelligence director, speaking at the  
University of Texas at Austin this month. “Do I worry about those  
grids, and about air traffic control systems, water supply systems,  
and so on? You bet I do.”

But the broader question — one the administration so far declines to  
discuss — is whether the best defense against cyberattack is the  
development of a robust capability to wage cyberwar.

As Mr. Obama’s team quickly discovered, the Pentagon and the  
intelligence agencies both concluded in Mr. Bush’s last years in  
office that it would not be enough to simply build higher firewalls  
and better virus detectors or to restrict access to the federal  
government’s own computers.

“The fortress model simply will not work for cyber,” said one senior  
military officer who has been deeply engaged in the debate for several  
years. “Someone will always get in.”

That thinking has led to a debate over whether lessons learned in the  
nuclear age — from the days of “mutually assured destruction” — apply  
to cyberwar.

But in cyberwar, it is hard to know where to strike back, or even who  
the attacker might be. Others have argued for borrowing a page from  
Mr. Bush’s pre-emption doctrine by going into foreign computers to  
destroy malicious software before it is unleashed into the world’s  
digital bloodstream. But that could amount to an act of war, and many  
argue it is a losing game, because the United States is more dependent  
on a constantly running Internet system than many of its potential  
adversaries, and therefore could suffer more damage in a counterattack.

In a report scheduled to be released Wednesday, the National Research  
Council will argue that although an offensive cybercapability is an  
important asset for the United States, the nation is lacking a clear  
strategy, and secrecy surrounding preparations has hindered national  
debate, according to several people familiar with the report.

The advent of Internet attacks — especially those suspected of being  
directed by nations, not hackers — has given rise to a new term inside  
the Pentagon and the National Security Agency: “hybrid warfare.”

It describes a conflict in which attacks through the Internet can be  
launched as a warning shot — or to pave the way for a traditional  
attack.

Early hints of this new kind of warfare emerged in the confrontation  
between Russia and Estonia in April 2007. Clandestine groups — it was  
never determined if they had links to the Russian government —  
commandeered computers around the globe and directed a fire hose of  
data at Estonia’s banking system and its government Web sites.

The computer screens of Estonians trying to do business with the  
government online were frozen, if they got anything at all. It was  
annoying, but by the standards of cyberwar, it was child’s play.

In August 2008, when Russia invaded Georgia, the cyberattacks grew  
more widespread. Georgians were denied online access to news, cash and  
air tickets. The Georgian government had to move its Internet activity  
to servers in Ukraine when its own servers locked up, but the attacks  
did no permanent damage.

Every few months, it seems, some agency, research group or military  
contractor runs a war game to assess the United States’ vulnerability.  
Senior intelligence officials were shocked to discover how easy it was  
to permanently disable a large power generator. That prompted further  
studies to determine if attackers could take down a series of  
generators, bringing whole parts of the country to a halt.

Another war game that the Department of Homeland Security sponsored in  
March 2008, called Cyber Storm II, envisioned a far larger,  
coordinated attack against the United States, Britain, Canada,  
Australia and New Zealand. It studied a disruption of chemical plants,  
rail lines, oil and gas pipelines and private computer networks. That  
study and others like it concluded that when attacks go global, the  
potential economic repercussions increase exponentially.

To prove the point, Mr. McConnell, then the director of national  
intelligence, spent much of last summer urging senior government  
officials to examine the Treasury Department’s scramble to contain the  
effects of the collapse of Bear Stearns. Markets froze, he said,  
because “what backs up that money is confidence — an accounting system  
that is reconcilable.” He began studies of what would happen if the  
system that clears market trades froze.

“We were halfway through the study,” one senior intelligence official  
said last month, “and the markets froze of their own accord. And we  
looked at each other and said, ‘Our market collapse has just given  
every cyberwarrior out there a playbook.’ ”

Just before Mr. Obama was elected, the Center for Strategic and  
International Studies, a policy research group in Washington, warned  
in a report that “America’s failure to protect cyberspace is one of  
the most urgent national security problems facing the new  
administration.”

What alarmed the panel was not the capabilities of individual hackers  
but of nations — China and Russia among them — that experts believe  
are putting huge resources into the development of cyberweapons. A  
research company called Team Cymru recently examined “scans” that came  
across the Internet seeking ways to get inside industrial control  
systems, and discovered more than 90 percent of them came from  
computers in China.

Scanning alone does no damage, but it could be the prelude to an  
attack that scrambles databases or seeks to control computers. But  
Team Cymru ran into a brick wall as soon as it tried to trace who,  
exactly, was probing these industrial systems. It could not determine  
whether military organizations, intelligence agencies, terrorist  
groups, criminals or inventive teenagers were behind the efforts.

The good news, some government officials argue, is that the Chinese  
are deterred from doing real damage: Because they hold more than a  
trillion dollars in United States government debt, they have little  
interest in freezing up a system they depend on for their own  
investments.

Then again, some of the scans seemed to originate from 14 other  
countries, including Taiwan, Russia and, of course, the United States.

Bikini Atoll for an Online Age

Because “cyberwar” contains the word “war,” the Pentagon has argued  
that it should be the locus of American defensive and offensive  
strategy — and it is creating the kind of infrastructure that was  
built around nuclear weapons in the 1940s and ’50s.

Defense Secretary Robert M. Gates is considering proposals to create a  
Cyber Command — initially as a new headquarters within the Strategic  
Command, which controls the American nuclear arsenal and assets in  
space. Right now, the responsibility for computer network security is  
part of Strategic Command, and military officials there estimate that  
over the past six months, the government has spent $100 million  
responding to probes and attacks on military systems. Air Force  
officials confirm that a large network of computers at Maxwell Air  
Force Base in Alabama was temporarily taken off-line within the past  
eight months when it was put at risk of widespread infection from  
computer viruses.

But Mr. Gates has concluded that the military’s cyberwarfare effort  
requires a sharper focus — and thus a specific command. It would build  
the defenses for military computers and communications systems and —  
the part the Pentagon is reluctant to discuss — develop and deploy  
cyberweapons.

In fact, that effort is already under way — it is part of what the  
National Cyber Range is all about. The range is a replica of the  
Internet of the future, and it is being built to be attacked.  
Competing teams of contractors — including BAE Systems, the Applied  
Physics Laboratory at Johns Hopkins University and Sparta Inc. — are  
vying to build the Pentagon a system it can use to simulate attacks.  
The National Security Agency already has a smaller version of a  
similar system, in Millersville, Md.

In short, the Cyber Range is to the digital age what the Bikini Atoll  
— the islands the Army vaporized in the 1950s to measure the power of  
the hydrogen bomb — was to the nuclear age. But once the tests at  
Bikini Atoll demonstrated to the world the awesome destructive power  
of the bomb, it became evident to the United States and the Soviet  
Union — and other nuclear powers — that the risks of a nuclear  
exchange were simply too high. In the case of cyberattacks, where the  
results can vary from the annoying to the devastating, there are no  
such rules.

The Deterrence Conundrum

During the cold war, if a strategic missile had been fired at the  
United States, screens deep in a mountain in Colorado would have  
lighted up and American commanders would have some time to decide  
whether to launch a counterattack. Today, when Pentagon computers are  
subjected to a barrage, the origin is often a mystery. Absent  
certainty about the source, it is almost impossible to mount a  
counterattack.

In the rare case where the preparations for an attack are detected in  
a foreign computer system, there is continuing debate about whether to  
embrace the concept of pre-emption, with all of its Bush-era  
connotations. The questions range from whether an online attack should  
be mounted on that system to, in an extreme case, blowing those  
computers up.

Some officials argue that if the United States engaged in such  
pre-emption — and demonstrated that it was watching the development of  
hostile cyberweapons — it could begin to deter some attacks. Others  
believe it will only justify pre-emptive attacks on the United States.  
“Russia and China have lots of nationalistic hackers,” one senior  
military officer said. “They seem very, very willing to take action on  
their own.”

Senior Pentagon and military officials also express deep concern that  
the laws and understanding of armed conflict have not kept current  
with the challenges of offensive cyberwarfare.

Over the decades, a number of limits on action have been accepted — if  
not always practiced. One is the prohibition against assassinating  
government leaders. Another is avoiding attacks aimed at civilians.  
Yet in the cyberworld, where the most vulnerable targets are civilian,  
there are no such rules or understandings. If a military base is  
attacked, would it be a proportional, legitimate response to bring  
down the attacker’s power grid if that would also shut down its  
hospital systems, its air traffic control system or its banking system?

“We don’t have that for cyber yet,” one senior Defense Department  
official said, “and that’s a little bit dangerous.” 

