Cyber War!
homeinterviewsvulnerabilitieswarningsdiscussionblank

interview: hacker
photo of hacker

He runs a company which is listed by the U.S. government as a professional military company. He has 20 years experience in defense, intelligence, information operations, corporate finance and technology development, and consults on critical infrastructure protection, information security and assurance, intelligence, finance, and technology for multinationals and governments. For this interview he asked FRONTLINE to disguise his appearance and voice. He tells FRONTLINE about the nature of information warfare, the U.S.'s vulnerabilities, Al Qaeda's capabilities, and the prospects for solving cyberspace's security problems.

You've been described to me as a master hacker. What does that mean?

I don't know if would necessarily use that description regarding myself. I would simply say that my expertise includes understanding the deep internals of information systems and communication systems, which I guess is what defines a master hacker. But, for example, you can find other master hackers who can't do the other things that I can do. They can't think conceptually about the target. They can't do field operational work, which I can do as well.

So describe yourself.

I run a firm, and I'm actually the primary expert in what is now referred to as information operations. It used to be referred to as information warfare. ...

äthe U.S. is an open target.  You can hit just about anything that you want to hit one way or another.  For terrorists to acquire those capabilities, all they finally have to do is decide it would be cost effective for them to use those sorts of operations, rather than explosives.

We're classified as a professional military company: PMC. That's actually even a U.N. designation. ... Military intelligent services, that's what we provide for clients.

A lot of military intelligence work now is defined by technology. As the war with Iraq will define, most of what occurs in the initial strikes against Iraq are going to be defined by the technology, not necessarily kinetic weapons. So the world of information technology is becoming the primary operational sphere for a whole new class of warrior and adversary.

What do you do for your clients? What do they ask you to do?

Clients either have offensive or defensive concerns. Some of them know that they need an operational capability, but for some reason don't want to develop it themselves, or simply just want a problem solved, and don't care how it gets solved. And a number of them have significant defensive concerns, where they are directly opposed to very, very large operators, or people who are developing these capabilities, and don't know the place to start, and so they recognize that they need outside help. So that's the sort of thing that we provide, information operations.

We also do intelligence work. And it's an area that you will not see discussed very often, particularly because it gets left out of a lot of U.S. doctrine, which unfortunately is the defining standard in IO, information operations.

They don't talk about, for example, if I can break into a corporate network, or if I can break into an adversary's command and control network. The immediate thought is I want to shut that command and control network down. It's just simply a case of operational denial. It's so much more interesting to monitor that network, or if you can, send subversive information through that network.

Even selectively removing a message here or there would be enough to cause significant problems, or if you can fake messages, that would be wonderful. So the capabilities you pick up in IO provide whoever is willing to pay for them a significant strategic advantage.

So you do this for countries.

Countries, transnationals, and high net worth individuals, yes.

Give me an example of why a country might come to you and ask you to do something.

Sometimes countries don't trust their internal organizations to either be competent or they just don't trust them, because everyone has their own loyalties, everyone has their own mechanisms. We can provide a reality check.

Did you ever have any run-ins with the law?

Well, you're always playing cat and mouse. Corporations don't like anybody with my profile, unless they of course can hire them, and the law certainly frowns upon it. If I were to sit and demonstrate anything that I do professionally for you, I would be in violation of the Patriot Act. ...

Are you one of many, or are you--

... Very few, yes. My personal ethic is to believe that anything that I can do, somebody else can do. There is a concept that goes back quite a ways and it's something very simple: You cannot entrust the security of a system to anything other than one ephemeral piece of data, whether it's a key, or a password, or something. You have to assume that an attacker knows the full internals of your system, how it works, every piece of technology, everything possible that somebody could learn, and that's my approach to the world. I assume that anything I can do, anything that I know, somebody else can.

Your typical hacker underground is12 to 16. ... So the elite at the top, to use a bad term, are simply people who figure out where the problems are. Then it passes down the food chain after they've made an automated system ... to people who just simply know how to type in the right command onto their computer, and attack a remote site.

The problem comes in where the capabilities available to the 12 and 14-year-old computer hacker are also available to a foreign terrorist hostile to whoever, my client, or whoever you want to designate as "the enemy." The problem here, of course, is that to go back to the concept, you don't try to hide the system. You don't try to rely on security through on security. In fact, you publish the security of your system so that other people can find the conceptual flaws. ...

Computer hackers are always going to find vulnerabilities -- closed system, open system, it doesn't matter what it is. They will then write an exploit and it will go out into the computer hacker underground, where it will be shared back and forth between many, many hundreds of thousands of people. ...

The problem is that the government and the corporations are now stifling the exchange of knowledge using the Digital Millennium Copyright Act to prevent people from talking about these things.

So what do you do? You sit at a supercomputer sort of somewhere in the United States and do all your operations?

You really can't do this inside the United States. First of all, to do it inside the United States means you're inside their jurisdiction and the U.S. frowns upon that. So what I do is I've got clients essentially everywhere but the United States. And what I do depends on what the client needs done. Sometimes it involves doing a lot of time at a computer; sometimes it involves breaking codes, which involves a lot of computer time; sometimes it involves going out to the field and doing things that you can't do with a computer.

The U.S. is encountering the same problems of building its own IO capability. For example, they would love to attack Saddam Hussein's computers. How much of Saddam Hussein's computers are connected up to something that can be reached from the outside? Well, we don't know. So that then the U.S. needs to fall back and rather than using their own team, computer hackers will use missiles that use EMPs [electromagnetic pulses] in exchange.

Do you carry a laptop? I mean, can you do what you need to do with a laptop from cyber coffee houses?

I can start cold, because there are some borders that you do not try to carry high-tech equipment across, not because you're worried about it, because they'll seize it because they want it for their own. Sometimes high-tech equipment is difficult to come by in some countries and they'll decide to steal it from you at the border.

So I can go in cold, buy local resources. I can do it from a dumb terminal and tap into remote systems. You can acquire what we refer to in the industry as zombies through a large number of vulnerable systems throughout the world. Where an attack is coming from has nothing to do with where the attack is actually originating from. It's one of the beauties and troubles of information operations. ... I could take down scores, thousands of systems, for example, in Taiwan and then turn those systems through its high-speed pipe against any other nation in the world. Does it mean the attack is originating in Taiwan? Not at all.

So the problem that the U.S. has with terrorist attacks, where we still don't know where the anthrax came from, is the same problem you have with information operations. If you do the job correctly, there are no fingerprints and nobody can trail you back.

How vulnerable are the vital U.S. infrastructures?

U.S. vital infrastructures are highly vulnerable. The U.S. is probably the most vulnerable nation-state. And the reason is that information technology and communications technology has become an absolute essential. Everything that works here is dependent upon IT for the communications infrastructure.

So just as Sept. 11 proved that America is no longer an island, that the capabilities inherent in the way America works can be turned against it -- crashing our own jets into our own skyscrapers -- once the bad guys, whoever they may be, figure out that the U.S. infrastructure really is vulnerable, really is as porous as it truly is, then the attacks won't stop.

Give me the nightmare scenario. What's the worst thing, when you wake up at night, at four o'clock in the morning, and think about what could happen to the United States? ...

There's two schools of thought in the community about information operations. ...

One camp is referred to as the Pearl Harbor camp. And largely the concept of the Pearl Harbor info-war is that terrorist group X or rogue nation Y will decide to attack the United States using an all-out onslaught against the infrastructure. And the targets will be anything from water to power, anything with SCADA control systems, which are generally running off of Windows NT or Windows 2000, which essentially means that you can cut through them like a hot knife through butter.

The argument against that is the fact that, well, when your computer at home crashes, what do you do? You power it down and you reboot. And so the argument against Pearl Harbor is that we would re-stabilize systems inside, to be generous, 24 hours, and the inertia that society has in terms of everybody knows that they're going to wake up tomorrow and everything is fine, will be enough to hold society together.

What's the other scenario?

... The threat is that rather than attacking a system from the outside and denying, somebody will penetrate the system and subvert it. And once that system is subverted, you can either turn it against other systems or you can monitor or alter that system's function in such a way that the legitimate user may not know that's occurring.

To give a military example, there's a manufacturing concept called Six Sigma, which means that the component that you're manufacturing is precise to six decimal places. What needs Six Sigma precision? Tank armor, stealth armor, the things that absolutely require completely interchangeable parts to be replaced every time.

If you were to break into a system that manufactures Six Sigma parts and changed the calibration so that nobody knew that they were no longer up to that level of specification, the first you would know about it is when somebody blew up the tank or the stealth airplane didn't work.

So this is the death by a thousand cuts?

Yes, and you may not know it's even occurring.

So not only do you hit one system but you hit multiple systems and you're doing it in a constant flow of attacks?

And you do them over a long period of time. For example, if you were to break into a mission-critical system and slowly change its data over a period of months or perhaps years, by the time somebody recognized there was a problem, they may not have clean backups or clean systems to revert to.

An example: If I were to break into a hospital system, I could deny that hospital system from the outside. The hospital would very quickly recognize they were under attack, cut themselves off and restore. If I were to break into that hospital system and alter the little flag on patient records that indicated whether they were a diabetic or not, the first thing you know you have a problem is that somebody is dead from an insulin injection they didn't need. But you may not know that until months, years later.

So if you and a group of friends decided to do it, which you wouldn't, but if you decided to do it, would you be able to take down the electrical grid of the United States?

I don't know if you'd be able to take down the whole grid, but I know that you could take down significant pieces of it for, let's say, operationally useful periods of time. Right now, the length of time that the effect of an IO operation would last I don't think is that long. So you buy yourself 20 minutes, four hours, who knows how long until they can solve the problem. The question is: What do you do during that 20 minutes or four hours?

Some people who know this area say that there is a potential through hacking to get into the electrical grid and do damage by burning out generators. It's been described to me from an electrical consultant that if you didn't have your warning signs up, you could burn the wires off poles basically, off the high power transmission lines. So to an extent, it would take a lot longer to bring it back up.

Yes, it is possible to do physical damage through the Internet. ... But again, for example, in the power grid situation, the reason that you had a knowledgeable insider telling you that a knowledgeable insider could do this is, again, because they have the same sort of inside track that I do. I know that breaking into arbitrary company X, that I could destroy arbitrary company X's intellectual property assets, I could destroy their databases, their corporate communications, I could destroy everything that that corporation relied upon in terms of its virtual functions as opposed to its physical functions.

Would I be able to cross over into the physical world? It depends on the industry. If you have a knowledgeable insider in the power industry who sits there and says if you did it right and you created surges, then you confuse certain kinds of circuits or destroy other kinds of equipment. That's certainly true, because you can blow off the engineering tolerances that systems will normally require in proper functioning. But again, that requires a knowledgeable insider working with you to do that.

People will say this is all scare-mongering stuff -- the whole idea that somebody could do something to hurt an infrastructure so much that it would cause a cascading effect on the electrical grid, the closing down of businesses, hospitals shut down, etc. ...

The critical part is: What does your information acquisition cost? In information operations, you have to be paying attention to costs and what it takes to get the information you need. The information acquisition cost to learn how to fly an airplane [on 9/11] just cost them thousands of dollars. Not a significant amount.

To learn how to operate a SCADA system and to then learn about the power grid and all the necessary information to launch a sophisticated attack on the system, the question to ask is: What is my information acquisition cost to acquire the knowledge necessary to do serious harm, to acquire the hacker skills? The information acquisition costs are essentially what does it cost to have an ISP for a month?

In 90 days you could become a fairly competent computer hacker if you were open to looking in some very strange places on the Internet. The problem comes after that, of learning the sophisticated technical information needed to target the power grid, air traffic control, telecommunication systems, water systems.

I learned how to take advantage of the phone system, by reading the old Bell System technical journals that Bell Labs at the time use to publish on how the phone system was engineered and how it worked. ... The knowledge necessary to launch a sophisticated attack is provided by our own side for free.

What's the fear of a group like Al Qaeda taking on tactics like this?

They are the prototype of the next generation terrorist group, which the world is only beginning to see right now. They are willing to take the time and energy and money to learn whatever they want to learn to be effective, to carry out the operation.

So, information acquisition for Al Qaeda is a primary tool that could be used against them, but it's also one of their primary capabilities.

What would it take to create an army that could hit our infrastructure?

To create a capability, you really only need a handful of people. Six to 10 can be incredibly effective at this, as long as you know what to select for and who to pick. The amount of money is trivial. A few million dollars would be the Lexus of operations. Most of what you need you can acquire very cheaply or free. You can go to any consumer electronics store and buy what you need. The problem is your personnel, and then your timeline.

The right people could be effective inside 90 days. In 90 days they could be taking out huge sections of American infrastructure.

Now you're saying also on the other side that it's not that easy to do when we're talking about the grid. So what am I missing here?

It depends on your attack profile. What does it take to learn about how to operate the power grid? That's an arbitrary length of time that would extend your operation out. To attack an eBay or a Yahoo, some kind of virtual company that would taint the stock market, requires no special knowledge. It just requires the knowledge of being able to break in.

Digital control systems are at work for every single company -- lighting company, gas lines, chemical makers, pharmaceutical companies, electrical grid. If you were Al Qaeda, would you be sending your people to school to learn SCADA systems?

SCADA is a hot spot for IO. I know for a fact that if you, as a corporation, bring in the FBI to lecture you on computer security to tell you what you need to worry about, SCADA is at the very top of the list.

What would an attack look like? Describe what we would see or not see.

Well, I'm not as actually concerned about the power grid, because I believe that very rapidly, because so many things happen with power grids, that that situation can be corrected.

The one that I think is more probable, is the communications network. I think that's going to be a target because, to use an example, during Desert Storm, you'll hear some estimates as high as 95 percent of military traffic went over the civilian communications network. If you were going to try and impact on military operations, you would want to cripple the civilian communications infrastructure.

In the United States there are two network nodes that you can hit electronically, and one that you would be more effective to hit physically using a truck bomb. But if you hit those three nodes, then you would be able to destroy American communications for a significant length of time.

How well known is that?

If you were to talk to anybody who works at any one of those network operating centers, or anyone who works in security for the telecommunications industry, they already know where their targets are. They already know the problems that they have.

Al Qaeda -- what do we know about their capabilities?

Al Qaeda uses information technology and computers for a number of purposes. We know that they use them for communications. The FBI has two terabytes of data sitting that they're running analysis on. Everyone is very, very happy in the intelligence committee when an Al Qaeda computer is seized because they know that that's used for plans and communications.

... Al Qaeda as a network has known connections to ISI, Inter Services Intelligence, which is Pakistani intelligence, which then has contacts established to some of these hacker groups, that are then operating against other targets.

The belief is that if you accept that there is a connection between Al Qaeda and the ISI, and that the ISI would be, for example, operating against the Indians, Al Qaeda then has a conjoint interest with the ISI, either against India or other targets that Al Qaeda would be able to gain access to or task those computer hackers to do what they need done.

You mentioned that we have in our hands from laptops two terabytes, or whatever, of material. Do we know what that stuff is, or are we still stymied by the fact that they were sophisticated enough to code it?

As an example, the U.S. and British intelligence acquired in Manchester a copy of Al Qaeda's tradecraft manual. In the version that the U.K. and the U.S. released to the public of this tradecraft manual, the section on Al Qaeda's use of cryptography was removed because nobody wanted the world to see that Al Qaeda was communicating to its own members how to use cryptography. ...

Give me one example of sophisticated cryptography using communications?

As an example of Al Qaeda using sophisticated technical means to communicate, one of the members of Al Qaeda was receiving what looks to be spam e-mail. That spam e-mail was not structured the way other spam e-mail is. I don't want to go into the forensic details on that. But, what it was is it looked like a link to a sex site where there was an image. And every time the piece of spam e-mail was sent, it was actually a mailbox flag. Because what that meant is that somebody had changed the message inside the image. The image was the same, the byte count was different. What happened was that the person receiving the message knew to go and pull the coded information back out because it was new. It was a mailbox flag. That's extremely sophisticated, and that's extremely difficult to track back using electronic means.

The basic information is that using a Web-based electronic dead drop, essentially, Al Qaeda members were clueing each other in that they were exchanging coded secret messages and planning information across what looks to be normal Web sites, and then they were informing each other of this through electronic mail. So there was no way for somebody intercepting the mail to figure out what was going on or looking at the Web site.

So they were getting it all using a pornographic website to transfer communications?

Yes.

How did they do that?

Well, you can throw up any kind of a Web site on the Web that you want. You can use any one of numerous free mechanisms on the Web. They've been a big user of Yahoo Groups where they set themselves up a little discussion group that was being used back and forth between ... to plan their trips through Pakistan to Afghanistan.

So all you do is go to Yahoo, set a free group, just the way anybody else can set up a group on Yahoo, and they were using that mechanism to set up their travel plans.

The other sophisticated use that you were talking about is one time only e-mail addresses? How did that work?

Using actually very, very simple mathematics, two people could exchange a secret, whether it's over the phone or when they meet in person. So that in the future they would be able to coordinate creating e-mail addresses, whether it's at Hotmail or some other free service, such that only they would know what the next e-mail address was going to be. So that they would use an e-mail address once to send or receive a message, and then they would never use it again, so that there is no forensics and no way of looking at prior traffic to tell where the next traffic is going or coming from.

So what does it say about their ability to translate this into using cyberspace as a method of hitting us tactically?

If you looked at Al Qaeda as sort of going from the core outward, the communications amongst the core members -- bin Laden and his inner circle -- is occurring using non-electronic means because they recognize that intercept technology from the U.S., and the U.K., and other players is extremely sophisticated.

Where Al Qaeda gets interesting is, once you move out of that core, they become very high tech, because the group is acting without positive control, without somebody delivering specific orders. You'll hear this referred to as the franchise model, where Al Qaeda has partners or loose connections with other groups who will operate independently, who are given support. Those organizations are coordinated with using very, very sophisticated technical means. The technical means that they would use are such that they are already a participant in the very same communities that are exchanging computer vulnerabilities, vulnerable systems, other sorts of attack information, including knowledge of how to attack U.S. infrastructure.

So, the very fact that they're using very, very sophisticated communications technology, it doesn't happen in a vacuum. It occurs as part of a community. The same community that exchanges once set of information, is exchanging other information. I can't believe that Al Qaeda is only listening to a very, very small part of the chatter in the community and ignoring all the rest.

How do you know this stuff about their communications?

I've been tracking Al Qaeda and actually bin Laden and his group forward since the late 1980s. And it's simply because as a group that is operating in what can be referred to as best practice, they really are very good at what they do. I'm always willing to learn from somebody who may learn something that I should know. So I've been watching them for quite a while. And they are very, very good at everything from money laundering, to secure communications. And to underestimate them at any point in time is suicidal.

A lot of people have said to us that there is a lot of probing going on. And what it looks like is that either people are preparing for an attack or they're getting ready to sell their information to people who might eventually want to attack. What do you see?

There are two different forms of mapping going on right now. One form of mapping is automated systems run by computer hackers to try and acquire more assets. So this is what we refer to as zombies. If you find a system that isn't properly secured, what you do is you break into it, you take over system resources. The first thing you do is you fix all the problems with the system, and the reason you do that is that you now own the system and the legitimate owner does not know you're there, and nobody else can break in to take that system away from you. So what you then do with that system is your own business. You can turn it on anybody you want in the world and have it attack them.

The other form of mapping is much more sophisticated, where what they are doing is they are looking for critical systems. Somebody must be doing the same thing that we do, which is that you map systems out and you build maps. You want to know what the network topology looks like, you want to know what part of that network topology is doing what function, and then you want to know what are the vulnerabilities of that set of topology, so that later on when you want to target a kind of function, you know what part of the network to attack.

So we're under attack.

Well, you're under attack in the same sense that you are being painted by a missile designator, or you're under attack in the same sense that somebody is probing your lines looking for how to attack you, yes.

Well if somebody was probing our major infrastructures for missile attack, I think we'd be pretty excited about it.

I think you would too. I think that, again, it's not clearly understood. Because you don't see the blood on the floor, because there's no smoke in the air and there's no loud bang and there's no flash, nobody thinks that this is warfare. And because of that, it's very, very easy to discount.

It's the same school that tells you that this isn't possible at all. Because they sit there and they say, oh well, you know, they're just conducting automated mapping and it doesn't mean anything. Well, what it means is that I can tell in a sophisticated network what the choke points are, I can figure out by attacking two or three of those systems in a corporate network that the whole corporate enterprise goes down, at which point in time the corporation can't function anymore. It's not just a corporation then, it can also be a national infrastructure. It can be a power grid, it can be water supply, who knows?

SCADA systems -- how big a target? Why do we keep on hearing people say you gotta understand SCADA systems?

... SCADA control systems are mechanisms used to control distributed networks without having to pay for a lot of people. It's a cost-cutting measure. You'd rather [have] automation than you'd rather have people.

The problem is that any sort of automation can be denied or subverted. The reason that SCADA is particularly dangerous is that SCADA is a standard approach towards control systems that pervades everything from water supply to fuel lines. The problem is that most SCADA systems are running Microsoft operating systems, and if you are running a Microsoft operating system, you have a target painted on your forehead.

What do you mean?

Out of the box as a basic install or even with a sophisticated system operator, making Windows secure -- any of the Windows varieties, Windows NT or Windows 2000, which are your common SCADA platforms -- is an incredibly sophisticated and complicated task. It is not the kind of thing that you can do easily or simply, and it is not the skill base normally available to a low-end infrastructure job. It is the kind of skill base that's available at the high end of the transnational. It's the kind of thing that we bring to the table and that Joe Power Supply Company doesn't have available to them.

The National Security Agency, the U.S. agency responsible for protecting the cyberinfrastructure, has many, many hundreds of pages of how to close the security holes in Windows NT. I mean, it's a huge volume of material. But the knowledge it would take even to follow their step-by-step instructions is very, very high. And so the number of vulnerabilities are extreme and the knowledge base necessary to protect it is too much for your ordinary group.

So is Microsoft a problem or is it part of the solution?

Microsoft has very bad system design regarding security. Microsoft knows this. It's a directive now right from the very top at Bill Gates to try and find some way to solve the problems that Microsoft has regarding security. The problem runs in when you are in a monopoly position, such as Microsoft is, as the dominant operating system not just in the United States but around the world. It's why other governments other than the United States are moving to other standards other than Microsoft.

They recognized that Microsoft is a national security threat to their economy by the very fact that when you buy a computer it comes with Windows installed, and most people don't know what to do after that. So what these people do is they take their computer home and they plug it into the network, and then somebody like me can then break into that computer and turn it against anybody anywhere else in the world.

Even if it's got a firewall?

Trust me, there is no measure built into Microsoft Windows that keeps somebody like me out. Firewalls do not protect you. ... I can tell you professionally, inside the computer security industry, firewalls are referred to as "speed bumps".

Microsoft halted production in January of last year to look at how to deal with the problems. Is that not significant?

The problem is that Microsoft maintains that they can solve the problems internally as opposed to, for example, the open source movement, where anyone, such as myself, can review the source code and if we find a problem we can fix it, we can notify others of the problem, and in general you have a lot of people working to make sure that your software is secure.

But Microsoft does code review all the time, does it not?

The sophistication of an operating system, particularly the size of Microsoft's operating system, is that it's over a million lines of code. I don't know any organization that can keep track of a project that size looking for security problems. One of the most common security problems in the world is a buffer overflow. You do not understand exactly how many people keep writing buffer overflow vulnerabilities into their systems simply because they do not follow good and accepted programming practice, let alone accepting security practice. Security is not a domain that is well understood by the guys who write products.

[Editor's Note: See FRONTLINE's interview with Scott Charney, chief security strategist of Microsoft Corporation, who discusses the company's security measures regarding software.]

But this is just the nature of the beast -- you can't create perfect software.

You can't create perfect software but you can create better software and software that works securely. The two are not incompatible.

How big a problem is the fact that a large proportion of software is written offshore, for instance?

Prior to Y2K, a lot of systems were being outsourced to Indian software engineers, largely because they are incredibly cheap compared to what you'll pay for in Silicon Valley. It finally dawned on somebody over in Defense that this was a potential problem. You know, what you're doing is you're handing over a source code to working systems to an outside vendor.

Second of all, nobody knew what was going to come back. As an engineer, it would be very easy for me ... to put in things that a normal engineer wouldn't necessarily know what they're looking at, that gave me a back door or opened up a covert channel, meaning it covertly transmitted data back out. So, the National Security Agency then issued an order that defense systems could not be outsourced to outside noncleared personnel.

But as far as worries about offshore stuff -- is it possible to check the stuff that comes in?

Well, as an example, I could sneak something into a keyboard driver that specifically was looking for your passwords. The size of that code would be miniscule. It would be looking for a needle in a haystack. You'd have to know what you were looking for. Since people are outsourcing their software production offshore, outside the United States because it's a cost concern, by definition, they don't want to pay for somebody to go through and read what was just written offshore. And actually, the skill base necessary to review software is far more expensive than just paying for it all over again. So, because they outsourced software for cost concerns, those very cost concerns prevent them from doing anything about security.

The electrical grid -- if you wanted to jump into a SCADA system, how long would it take you?

Penetrating a SCADA system that's running a Microsoft operating system takes less than two minutes.

Are other systems more secure?

No. But again, this is where you're dealing with the issue of monoculture.

Once you're into the box, though, then you have the question of what do you use?

Right. I know for a fact this has occurred in the past, that SCADA systems of critical infrastructure have been broken into. The hacker who broke into them had no idea what they were looking at. To them, it was just one more insecure Windows box. And then, it was used for whatever purposes that you would use an insecure Windows box for. The fact that it was a controlled system for something very complicated and dangerous to play with was not understood by the person who broke into it.

What's government's role here? What should government be doing? What they're not doing? Is regulation an answer?

Regulation will solve computer security problems the way regulation will get rid of HIV. It won't. You can't legislate a problem out of existence that is, in nature, technical. What the United States government could do is quit cobbling the problem, meaning don't provide the protection to the Microsofts or the business model that most of the security providers have. And get out of the way. For many, many years, security products could not use cryptography because the United States government would either not allow you to integrate cryptography in it and sell offshore, at which point in time, you'd have to have two production lines. Or for a long period of time, was actually resisting strong cryptography of any sort.

So is encryption the Holy Grail, the only way to do it?

Well, I could tell you that encryption is a useful tool. It provides you with mechanisms that, if you could rely on it, if you knew it was always available universally, then, for example, two systems on the Internet could require each other to authenticate in very certain ways. At which point in time, if somebody can't authenticate, you don't talk to them. If SCADA System B that controls a power grid knew that the person talking to it was the legitimate person who had rights of access to that SCADA system, there's no problem. You have to worry about the insider problem at that point. You don't have to worry about a 12- or 14-year-old computer hacker if cryptography is available. The problem is that also, you know, crypto is not, in and of itself, the Holy Grail. Crypto is about to fall apart as well.

Why?

At some point in time, you hear that public-key cryptography is going to suffer a fatal blow. Public-key cryptography is, right now, the key exchange mechanism for the financial world. It is also largely what protects your Internet exchanges. Mathematical systems are coming online that may seriously impact the security of public-key cryptography to the point where it will not take a great deal of resources necessary to break any public e-system.

What's the reason it's coming out?

Public key cryptography relies upon the fact that very, very big numbers are very, very difficult to factor. Right now, there's a couple of mechanisms. ... One, it may become much more efficient to factor very, very large numbers. And two, it may be possible to actually calculate, in advance, all prime numbers. Not all, since it's an infinite set, but the prime numbers inside a certain bit depth. If you do that, you now have a known key space attack, at which point in time, people using public key cryptography will fall apart.

There are people out there that say the clock is ticking, and that this is a need to deal with very quickly, that we are under attack already and the possibilities of a much worse attack is inevitable. Where do you fall in that scenario?

Being mapped currently, the way critical infrastructure is, is the intelligence preparation of the battlefield. In the military, it's IPB. You scope out who your target is, and you get ready to go after them. So somebody is essentially preparing for a large-scale attack, or perhaps more subtle attacks on American critical infrastructure. That, by definition, means you have a problem today. How fast can you solve that problem? Well, how fast could you change the entire face of computing? ...

If you wanted to break into DOD classified computers, could you do it?

The U.S. Department of Defense Network Security, even on its classified systems, for example, SIPRNET, their own secure version of the Internet - if you can break into a network node that has shared access, then you can move from an unsecured portion of the network to the secured portion of the network. I can tell you that there are numerous nodes that are poorly secured, that have access across unsecured and secured networks.

Once you get into a network, you have to know what you're looking at, and how to surf the network to get secure information. But it's entirely possible to do so.

... What I can show you is that somebody has, as an example, mapped the U.S. National Security Agency's computer security arm. This is, in fact, the very group that should be the most diligent. It is the group most responsible for U.S. cyber security. My argument is that, if NSA were doing its job, we wouldn't be in this mess. They either have been deliberately ignoring their job, or not doing their job.

And as an example, many hundreds of their machines have been mapped as part of an ongoing mapping process that other people have engaged. And for example, the mapping will tell you an IP address, in other words, what machine to target. And as just another piece of it, will show you a symbolic name.

Now, why is that important? What it means is that, again, somebody over at NSA was sloppy and they named work groups using the same kinds of clusters of names. For example, one work group is named after popular soda drinks. So you've got Coke and Pepsi and Sprite. That's how the machines are named. So now you know that work group, and you know its IP addresses. All it takes is a little work from that point to figure out what that work group does. And if you wanted to target that explicit function of NSA, you know what machines to attack.

Does the FBI have a handle on this?

Right now, I could tell you that there are two players in government who actually have managed to buy themselves a clue. One is the FBI, and the other is the CIA. ... You would expect that the people to actually have a clue would be the Department of Defense and the National Security Agency. Oddly enough, the grass roots of the FBI are fully competent in terms of what's going on and, also, completely scared by what they see.

They are just as scared as we are. ... The surprise is CIA, as opposed to NSA, because it's not technically inside CIA's charter. But they are fully cognizant of that -- when they're looking overseas, this is what they're looking at. And it's also looking back at them. For example, the mapping.

And so, they are trying to come up to speed. But, again, it's not purely in their charter. When you think technical people in the United States government, you push them over to NSA. You don't look at CIA. So, again, as much as I disagree on other issues, I'm not going to fault FBI or CIA. They're actually trying to work.

But again, the naysayer says that with cyberspace there are no body bags. It seems pretty bloodless.

... There's a quote from T.E. Lawrence, who was writing about the Arabs at the turn of the century who made the comment that weapons were viewed as only as effective as the amount of noise that they made. So the Arab troops that he was attempting to support thought that cannon were great weapons. They thought they were incredibly effective. They weren't. They killed your mobility.

So again, it was that view, unless there's an explosion or there's a large sound, it's not effective. If the way you view operational effectiveness is body bags, then fine. Stay in the conventional kinetic realm. If you want to get the job done, go into IO.

In the end, does Washington get it?

No. Washington doesn't get it. And the proof that Washington doesn't get it is, every time they try to define information operations -- across the last numerous military publications, there has never been a consistent definition of what information operations is. And if you don't know how to define it, you can't have people working on doctrine. If you don't have doctrine, you can't train people. And if you don't have trained people, you can't conduct operations.

Ninety percent of the infrastructure is in the hands of the private sphere?

Yes.

Do private companies get it?

No. The economic bargain is that government is a consumer, but government supports your security. Government provides your security function. Everyone is relying upon government to solve the problem. And government is not going to solve the problem. The problem is going to have to be solved by the private sector.

What's going to have to happen to make that happen?

People started to look at airport security after somebody hijacked some jets and rammed them into some skyscrapers. The only thing that's going to be a wake-up call here is for a serious damaging attack to occur, and it won't even be an economic attack.I'm sure there will be economic attacks, but I don't think that would be enough motivation because, again, that will be a couple of vulnerable players. It's not until you have bodies in the street that people are going to recognize that there's a problem. And short of that, the vulnerability will stay in place. And this will simmer as a low-scale conflict for a long period of time.

 

 

home :introduction : interviews : experts' answers : faqs : vulnerabilities : warnings?
discussion : readings & links : maps : producer's chat
tapes & transcripts : press reaction : credits : privacy policy
FRONTLINE : wgbh : pbsi

published apr. 24, 2003

background photograph copyright © photodisc
web site copyright WGBH educational foundation

 

 
SUPPORT PROVIDED BY