The infrastructures are 90 percent owned by private sector. How does that complicate issues when it comes to security?
It is a challenge. But it's one of the great things about living in the United States, that most of the critical infrastructures are, as you correctly pointed out, owned by the private sector. So that brings into play the building of this public/private sector partnership to identify, not only the cyber vulnerabilities, but also the physical vulnerabilities, and build a risk management model. [The risk model allows you to] identify what are the threats, which is generally known by the various law enforcement as well as intelligence agencies within the federal government, state and local governments, and the vulnerabilities that are generally known by the private sector, so that you can discern what is your risk, whether it's a physical or a cyber attack.
Once you've discerned what your risks are, then it's up to federal government to secure its system, whether they're physical or cyber, but also to make a business case for the private sector to invest in those kinds of security measures. It's a huge challenge, [in] which the entities, like Dick Clarke's role in the White House to the national cyber security, the role of the FBI and the agency that I headed for a while, the National Infrastructure Protection Center, to work together very cooperatively with the private sector to resolve those issues.
Define the threat for us.
First of all, the threat is real, in my opinion. Having been the director of the National Infrastructure Protection Center for over two and a half years and involved in the center for four years, I've seen numerous cases that support that the threat is real, and it's real on a number of levels. The number one priority for us in law enforcement and in the political community is those foreign nations, foreign states that would use cyberspace to prepare the battle space, if you will, if in the event [of] war, people would look at cyberspace. In particular, since the United States is 100 percent dependent upon information systems and computer systems to run our nation -- from an economic standpoint, as well as national security standpoint -- it's a huge, huge issue for us.
The second priority is the use of cyberspace for foreign intelligence operation or espionage, so as to intrude into whether they're government contractors or U.S. government systems to try and secrete confidential or even classified information out of these systems for which they are maintained.
The third priority from a threat standpoint is criminal activity. We've seen examples of this on numerous occasions in the newspaper, where systems are intruded into, hundreds of thousands of credit card numbers are stolen. There's even a market now on the Internet for the sale and distribution of these stolen credit card numbers.
The fourth priority would be the viruses. Recently we saw with the Slammer virus, which infected I think over 75,000 machines, caused estimates of $950 million to $1.2 billion in damage. The real threat there is the impact on how it slowed the Internet down to almost a crawl, and that was the real concern if it got to the extent where we couldn't communicate. Then you obviously had the national security and economic well-being issues associated with that in the United States.
Last priority, obviously, are those that commit criminal acts, the hacking of young people, if you will, but it's still a criminal act that disrupts communications.
Can you tell us any case dealing with national security issues that, to you, was an important case or event that helps define what the threat is?
From a national security standpoint, for which the FBI has worked a number of cases, obviously they're still classified, and I can't go into any details associated with those ongoing investigations or even prior investigations of a classified nature. However, if you look at what has been written by other nation-states, such as China and Russia, where they openly talk about using cyberspace, cyber technology, so as to prepare the battle space. Two Chinese generals not long ago wrote a book about how cyberspace would be an integral part of their nation's planning, as far as conducting a war in the future and today.
Recently, there was in the newspaper here in Washington, D.C. discussion about getting presidential findings as to whether the United States government could, or how the United States government could and should use cyber weapons in the event of any kind of a war.
There are people out there who say that in a world of bioweapons threat, dirty bombs, worries about war with North Korea, this is really low down on the totem pole.
I disagree with "We don't need to deal with that." Now, do I put cyber warfare, cyber espionage, cyber terrorism -- which is a term of art lately -- on the same level as the events that happened on Sept. 11? No, I don't. However, the thing that we have not seen yet, and the thing that keeps me awake at night, is the physical attack on a U.S. infrastructure, combined with a cyber attack which disrupts the ability of first responders to access 911 systems, that disrupts our power grids such that, again, first responders can't respond to an incident. Those are the things that keep me awake, and those are very real possibilities.
The significance of the sophisticated probing that we've all seen and that is talked about a lot, very sophisticated probing into control systems, electrical power companies, gas companies, water companies -- what's the significance of these probes?
One of the things that makes cyberspace so unique, particularly from a preparing battlespace standpoint, espionage or even criminal activity, is that you don't know who's doing these particular acts until you actually trace back to find the person that's behind that keyboard.
Until you were able to discern who is behind that keyboard, you didn't really know what the motive was for that kind of probing. Could it be a foreign power that was looking for opportunities to prepare the battlespace? Was it a nation-state that was looking to conduct espionage? Was it a criminal organization that was looking to use those various systems that they found vulnerable to conduct other criminal activities?
Is there a problem, at least with the technology as it is today, that it's almost impossible to trace back to the actual person who is involved with this attack?
Is it a challenge? It absolutely is. And because of the technology and the ability to remain anonymous on the Internet, it is a huge challenge for law enforcement and the military, as well as other nations. However, it is not impossible. There are a number of examples where the FBI and other law enforcement agencies have been able to discern who is doing this. ...
How do you folks at the FBI view the fact that our system is being probed in this manner? Some people have said we're already at war.
I think it is absolutely one of the things that we have to address, both from a public/private partnership standpoint. Technology, as we all know, is increasing at an exponential rate. As technology increases, there are vulnerabilities that are built into it.
The thing that has to happen is that we have to make information security a part of our daily lives, just like we've made having seatbelts and airbags in our automobiles -- demanded by the public and consumers of those products. We have to get to the point with our computer systems and software that's provided with those computer systems that security is first in mind, or one of the things that's first in mind, when it begins to be developed.
It's not just a U.S. issue. As I said, the United States is almost 100 percent dependent upon computer systems. But the rest of the world is also dependent on those computer systems, and the reality is we're only as secure as our weakest link. That's kind of a cliche, but it is absolutely true. Unless we can get international cooperation because of the interconnectivity [of] all the systems across the world, we're never going to really solve this problem.
The ability to probe systems, as we saw with the Slammer worm not long ago, and using automated tools to do it -- it proliferated across the world at probably 250 times faster than the Code Red virus proliferated. These are huge, huge vulnerabilities and risks, not only to the private sector, but to government agencies.
The Mountain View case. Your opinion?
When I was the director of the National Infrastructure Protection Center, there was an incident that occurred in Mountain View, California. In that incident, there was probing going on regarding certain cities' public utilities out there. The importance of that investigation and the importance of that kind of probing is that it was right after, fairly shortly after Sept. 11.
We issued from the National Infrastructure Protection Center a warning that people needed to look at what they had on their Web sites. The reason that they needed to look at what they had on their Web sites is that we were conveying information to terrorist organizations as to how they could attack -- not only from a cyber standpoint, but from a physical infrastructure standpoint.
So one of the things that we wanted to highlight in our warnings was [to] look at what's out there -- while the public has a right to know certain things, they don't necessarily have a right to know where your vulnerabilities are or how you can be attacked -- that you needed to look at those things on your Web sites, [and] to only put out there what is necessary for the public to do business with [local governments and the] federal government.
That kind of probing is the kind of thing that nation-states and terrorist organizations are looking for in an open society like the United States.
Was the fact significant that they were looking at electrical and water systems?
Sure. Under Presidential Decision Directive 63, one of the infrastructures or critical infrastructures that were identified was electrical power systems and water supply systems. Obviously, if you can disrupt the flow of electricity or water to the general public in an area or nationally, that's going to have a dramatic impact on their ability to do business in that area, as well as the national security.
What was the conclusion of the Mountain View case?
The conclusion of the Mountain View case is that it's still pending, at least when I left the NIPC, or the National Infrastructure Protection Center. We never were necessarily able to tie it back into any terrorist organizations. However, again, until you are able to find out who is behind the keyboard and what the motive is for that kind of program, you're never really clear as to what the intent was.
People say it was the first time that we got it, I suppose, that this was a vulnerable area, and so therefore the story is important, because it was a red flag that taught us something. So define, from your point of view, the importance of this case. Was it the first? Was it something that sort of raised the flag?
The Mountain View case and the concern by the federal government and the National Infrastructure Protection Center about what information was on certain Web sites is not a particularly new issue. We had a number of discussions prior to Sept. 11, for example, regarding the Environmental Protection Agency putting out certain information about chemical plants and so forth. We were discussing with them, from a Department of Justice and FBI standpoint, how much information do you really need to put out there now.
After the events of Sept. 11, that kind of information took on a whole new significance. The Mountain View case was one of the first examples after Sept. 11 where we, as a community -- meaning the federal government, state and local government and the private sector -- realized, "Wait a minute. Perhaps we have too much information out there, so that we're playing into the hands of the terrorist organizations. We need to take a look at that."
We also needed to look at what other probing is going on and what are they looking for. ...
With a war in Iraq, your cohorts or people that are still in government, what would they be looking for? Are there warning signs? What might we be sort of very wary of at this point?
Within the Department of Defense, which is one of the systems that is talked about quite often, about attempted intrusions into it -- but if you look at the number of intrusions or attempted intrusions and their actual success rate, it's relatively low. ... One of the things that they are most concerned with is monitoring their network to see when and if they come under attack, so that they can then respond appropriately. ...
Now, the biggest thing that we have done in the last four years is to build a very responsive public/private partnership, because frankly, if there is an attack or cyber attack, we are more likely to learn about it from the private sector than we are from U.S. government agencies. ...
There are a number of things that we have done together, and I think quite successfully. One is the creation of information sharing and analysis centers for electrical power, oil and gas, water supply systems. When I left the NIPC, the National Infrastructure Protection Center, I think they had about 14, 15 information sharing agreements with these various information sharing and analysis centers.
A great example is the recent Slammer virus that occurred. The Information Technology Information Sharing and Analysis Center was one of the first ones that picked up on the Slammer virus, shared the information with the federal government through the Department of Homeland Security, for which advisories and alerts were put out. That's a great example from this public/private partnership.
Code Red was a precursor to that one, where we identified what the vulnerability was in a particular vendor software. We worked cooperatively with that vendor as well as the router manufacturers for it. We went out publicly to gather and tell the public what the vulnerability was and what the solutions were for it.
So that's the kind of things that are going to occur. If there's a cyber attack during any war, the first notifications are going to come from the private sector.
Are we prepared at this point to stop a real attack, a malicious attack, that had more of a payload that just sort of irritating control of systems or shutting down a few systems here and there?
Are we prepared to the extent that we need to be as a nation or as a world? No. There are tremendous amounts of vulnerabilities that are still out there. The company I work for now, Computer Sciences Corporation, has a team of people that do what we call red teaming, where we actually go out and have a look at what are the vulnerabilities in the systems, attack those vulnerabilities and see if we can intrude. Even though these companies that have hired us know that we're coming, we have always been successful. ...
Is the private sector secure enough? No. Can we respond in a fashion that minimizes the impact of that? Yes, I believe we can. We've had a number of incidents, in Code Red and Slammer and a number of these, where the Internet was slowed and the response times were dramatically reduced, but we've never had it shut down. Was that a concern for Dick Clarke and myself and other people in the department? It absolutely was. But the technology is such and robust enough that, so far, the Internet has been able to sustain this kind of attack. Does that mean it will always happen? I don't know. Hasn't happened yet. But it's one of the things we're very concerned about.
Why hasn't it happened?
Some of the technology is very hard to use and utilize. If you look from a nation-state standpoint, if you're conducting warfare, obviously you're going to use those kind of tools. However, we have not been in a war or been in a war with an adversary that has those kinds of capabilities, in the United States or anyone else. So is it particularly surprising that we haven't seen it used in a war? Probably not. ...
Is law enforcement, the FBI, the CIA involvement in this ready for this threat?
I think we're as ready as we can be for this kind of threat. The FBI, the Secret Service, the investigative agencies for the Department of Defense have spent a lot of time and energy to train and bring investigators up to speed as to what the current technologies are, and how to be able to use that technology and to discern who is behind the keyboard.
We've also been able to develop a really good partnership with the private sector insofar as sharing information with law enforcement and the intelligence community as to what the vulnerabilities are, and who they believe may lead us to who is behind that keyboard.
One of the things that has happened with the recent Homeland Security Act is the ability for the private sector now to share information with the government, so that they won't be used for any detrimental purposes for that private sector company. That's a huge step. It was a big issue when I was the director of the NIPC for sharing of information. The key to this is two things: one, the private sector and the government agencies taking information security seriously, and two, being able to share those vulnerabilities and threats amongst each other to better protect ourselves.
Al Qaeda's expertise in using the Net for communication -- which seemed to be pretty sophisticated, when one breaks apart what they report that they were doing -- does that translate into an expertise to use cyber as a weapon?
It certainly translates into a knowledge of the capability. I mean, there had to be some research done on the part of various terrorist organizations that use a command and control communications purposes as to how they use it. I don't know that I'd call this sophisticated techniques, but obviously techniques that were more than just what the home user would normally know. In doing that kind of research or having that kind of knowledge, you also would be able to discern that you can use it for malicious purposes.
Why haven't terrorist organizations used it in that fashion? I don't know. I mean, that's the $64 million question. The response, though, is that we have to be as prepared as we can be for any kind of eventuality, which is what President Bush has talked about after the events of Sept. 11 and in the waging of a war against terrorism. We have known for some time that terrorist organizations have been looking at those things and trying to acquire the skills to utilize those kinds of tools or weapons.
My opinion is that it doesn't have the impact that they're looking for. Most terrorist organizations want to have visuals, if you will, for the media, of loss of life and destruction of various buildings and so forth. If you have an attack in cyberspace, you're not going to have those kind of visuals that terrorist organizations are looking for.
That's why what keeps me awake at night -- that if they use visuals in conjunction with a cyber attack, it can dramatically compound the impact of that.
We've been told by hackers and SCADA experts and scientists that sophisticated hackers could bring down the electrical grid and that they'd all get different scenarios. Some people say, "Give me six guys, a couple million dollars and a couple months, and we can bring down the entire system and we can keep it down." We had an engineer say that it's not only that you can keep it down for a minute; you can actually keep it down for months. Is this a reality?
We've worked very closely with the North American Electric Reliability Council, which is the information sharing and analysis center for the electrical power industry. Is it possible from a cyber standpoint to attack electrical power systems and their Supervisory Control and Data Acquisition systems? Yes, it's possible. Is it possible to bring them down for substantial periods of time? I don't think anybody knows the answer to that.
We've worked really closely with them. The power grids are very redundant across the United States, to include Canada, such that the ability to do that nationally or even regionally is really hard to do, based upon the work that we've done in the industry. Does it mean that it's impossible? No. Does it mean that if you give it enough money, millions of dollars, and the right kind of people, it can't be accomplished? No. But is it something that is easy? No.
Moonlight Maze. Define the FBI's involvement in Moonlight Maze. How involved is the FBI?
I can't comment on that.
What did this event teach us?
Dr. Hamre, who was formerly with the Department of Defense, commented several years ago regarding a series of events that was known as Moonlight Maze. What he characterized is that there were a series of intrusions into various DOD systems, wherein the intruders were looking for certain classified information or information that, if you took it in its whole, would be very sensitive and absolutely classified.
That investigation and that series of events is a great example of how espionage can be conducted through the use of cyber technology against the United States. The dependency of doing research and collecting the kind of information that you need from a military standpoint are most of the time on a computer system; such that the FBI did work very closely with the other departments of the Department of Defense, or agencies of the Department of Defense, to try and resolve it.
Operation Eligible Receiver. The NSA said that they were able, along with taking over or completely messing up communications or command and control, they also were able to take down the electrical grid. Can one believe organizations like NSA when they say they could have taken down the electrical grid? Is that real?
The vulnerabilities are so numerous out there in various systems that if you had the right talent, the right amount of money, the right access to various systems, then I can't exclude anything from the realm of possibility. I mean, [it's] one of the biggest concerns for the private sector, as well as the public sector is the insider.
The insider knows the system as well as you do, because he works for you. The insider knows where those vulnerabilities are and how to attack them. The insider can place certain back doors or tools on your systems, such that if they want to come back into it later on, that they can.
A great example of that I saw recently happened in Australia. A disgruntled employee for the sewage company in Australia left a back door in there when he left the company, came back in, and was able to spew sewage onto the streets of Sydney, I believe it was. That's an example of where we, as an industry with these supervisory SCADA systems, need to be concerned about who has access to them -- not only from the standpoint of the outsider, about which a lot has been written, but who has access to it from the insider standpoint, who can later on come back in.
When you hire someone, background checks need to be done on who these people are. There has been a recent terrorist that was taken into custody who had an engineering background, technical background, was looking at water systems, such that with that kind of knowledge from an insider standpoint, [he] could place in the cyber realm tools by which to cause some [damage].
The Code Red hit. Where were you at that point?
When Code Red occurred, I was director of the National Infrastructure Protection Center. I was here in Washington, D.C. We began to get reports of that worm or virus from the private sector initially, saying that they were seeing huge spikes on the Internet, to the point that the concern was the Internet was beginning to rattle. There was great concern that it might fail.
To this day, we don't know who wrote that particular virus. However, what we did know is how to prepare for it. It is a great example where this was a known vulnerability for which the vendor had publicly provided a patch, for which many systems administrators and others in the industry had not applied the patch. Whoever the individual was that was taking advantage of this knew it, and would begin scanning the Internet to find out who was vulnerable.
With this system of patching, in the end, is it that it just doesn't do it? Do we have a fix here that is not being used because it's just too hard?
Is there a fix? Yes. Is it today too hard? In my opinion, it is. That's why we have so many vulnerabilities out there, even though there are known patches to various systems. It becomes, from a systems administrator standpoint, "How many of these have I got to apply? How much cost am I going to incur to do that?" It becomes a risk assessment, insofar as doing business is concerned.
What has to happen is that security has to become a part of our everyday life, wherein consumers demand that security is already built into the products that are delivered to them. I think Microsoft is changing its stance that it had a few years ago. They're putting a huge effort into building security into their systems, such that it makes it easier for the consumer to set the various switches, and prepare, or to apply the patches.
Is it hard right now? Yes, it is hard for systems administrators to manage that. Do we need to make it easier? Yes, we do. ...
The Nimda attack. How did you hear about it, what was it about? What is the significance?
Nimda was actually more significant, but Nimda frankly didn't get media attention, mainly because Nimda occurred right after Sept. 11. It was another example of the public/private sector cooperation. I was the director of the National Infrastructure Protection Center. I was up to my neck in responding to the events of Sept. 11 through the command post there at the headquarters. Then right on top of that, the Nimda virus struck.
Fortunately, we had built the kind of communication with the private sector that we were sharing information, pushing information out to the NIPC as to what the corrective actions were. Even with all of that, it proliferated across the world at a far greater rate than Code Red did. It rattled the Internet. But again, demonstrated the flexibility of the Internet -- it didn't come down, but it rattled significantly. It caused billions of dollars of damage, and we still don't know who proliferated that virus.
How should we view Slammer, Code Red, Nimda? Are these attacks precursors to--
They are warnings. Someone can attack or scan the Internet for vulnerabilities, be able to identify systems that can be intruded into, tools placed on them such that they can then continue to scan the Internet for other vulnerabilities, and then turn those tools on a particular enterprise or a particular network, such that you can even begin to rattle the Internet and bring it down. We need to be significantly concerned about that, because our nation, as well as others, is so dependent on the Internet for our commerce and national security that we can't afford for it to come down.
They are warning signs. Even though no one has actually taken it to the point where they've used it for necessarily for malicious activities, other than the millions and billions of dollars to clean it up, it does not mean that it can't be turned for substantial attacks on the United States or others.
There are two sort of schools of thought here. There are the Pearl Harbor scenarios, where we're going to be hit all at once with a big attack. Then there's the side that thinks the way we would be vulnerable is death by a thousand cuts. A sophisticated attacker comes at us and hits us in various ways. One day you take the electrical system out in the Southeast. Then, the next day, you cause another trouble with the financial situation and close down NASDAQ. You slowly erode confidence, hurt systems, and slowly psychologically do us harm.
Whether it's the scenario of the cyber Pearl Harbor or it's a death by a thousand cuts, when I was the director of the National Infrastructure Protection Center, I didn't really care, because the end result was the same. It was the degrading in confidence in the United States' ability to do business. It would dramatically impact our economy. It would dramatically impact our national security.
The reality is that the solution for the protection of our national interests is the same. It's the building of a partnership with the private sector, making security a requirement for the products that are produced, whether they're in the United States [or abroad], and deploying those security measures across the board. If you have a death by a thousand cuts or a Pearl Harbor attack, but your systems are secure, they're redundant enough that you can sustain it, it really doesn't matter, because you've been able to sustain whichever one it is, because the method is the same, the end result is the same.
Create for me, if you could, sort of the potential sophistication and abilities of the following to use this against us. China?
High.
Al Qaeda?
Moderate.
Iraq?
Probably moderate.
Russia?
Probably high.
Where do you see the biggest threat coming from for this type of warfare to be waged against us?
The biggest threat, I mean, in the context of warfare would be nation-states. ...
Software. How big a problem is it that 80 percent of code is written offshore, and the fact that the trend is more and more systems are using the same software?
Most of the vulnerabilities that have been identified, attacked, are vulnerabilities in particular pieces of software. We went through a period of time of the Y2K wherein that was a very well-known vulnerability that we spent millions, if not billions of dollars to repair. One of the things I was always curious about is, a lot of the repairs done to these systems in the Y2K were done offshore.
One of the things I used to bring up to the private sector is, "Do you know who is doing those repairs, and do you know what they're putting into the systems? Is there a review process, quality control process, to ensure that what you specifically wanted done is being done, and nothing else is added to it?"
The same kind of thing needs to be done in any kind of software that's being developed, whether for Y2K or into the future. There has to be a quality control process. One of the things I think is probably not too far on the horizon, wherein federal government will want some sort of accreditation, if you will, of how particular pieces of software are developed and the security [of who] built them. ...
Do you see that as happening? Is the private sector getting it? Does the private sector understand the need to be connected to organizations like the one you're in now?
Oh, absolutely. The private sector, particularly the major corporations that are involved in information technology, like Computer Science Corporation or IBM, pick any of them, they get it. That's why they're very much involved in working with the federal government insofar as determining what best practices are, working with the federal government and other nations as to what kind of security best practices should be out there.
They certainly do get it. I can't think of any major company here in the United States or abroad in the United States that is not involved in an information sharing and analysis center, because they understand the value of information sharing, not only for their individual companies, but for the United States as well. ...
Everybody understands the significance of this. What is in debate is how to solve it, or what's the best way, the most cost-effective way, to solve it. There's a threat, there's a vulnerability, there's a need to build security into our systems -- there's no debate over that. It's really [about] how.