The electrical grid going out in North America is one of those scenarios that people focus on a lot, because there's a lot of interest, a lot of sophisticated probing of systems going on. As a nightmare scenario, a lot of times people do point to this and say that it is possible, that a domino effect can take place. If you can control certain systems, you can get it sort of starting to roll, system after system after system going out. ... What's your take on that nightmare scenario?
It certainly is a theory that has a lot of currency in the security community. It was kind of a core element of Eligible Receiver, this exercise that we conducted with the Defense Department, now five years ago. And five years ago, it was shocking that that could happen.
But over the last five years, there's been a tremendous increase in awareness of the problem. There's been a lot of, I think, improvements in the community, probably not to the degree that's required, but I don't think it's like we haven't thought about this. Again, I think we tend to have this impression that computers are just silently running everything and there's nobody watching it, and if something goes haywire, we're just going to watch everything crash on the floor. I don't think that's the case.
There are lots of ways in which you can grab control of the system, and I think that they're attuned to that. There's an awareness in the IT community now about security that wasn't there five years ago. So I don't discount it. It is certainly theoretically possible. But the cyber security awareness today is thousands of times stronger than it was five years ago, when we first conducted Eligible Receiver. ...
Back when you were deputy secretary of defense, you had said a couple times that the U.S. was in the middle of cyber war -- at least twice in 1999. Your position has changed, to some extent, on that. But give me an idea of what you were talking about back then, and with the wisdom of time, how you view it now.
Yes. Well, at the time I said that, I thought we were at war in cyberspace, when we did not know what was going on. We had only rudimentary capacities even to monitor our own systems at that stage, so the attacks looked more serious than they turned out to have been. I don't regret a single thing I said or did at the time. It helped to motivate the department into a fairly robust security plan now, and they've done a very good job of following through and trying to secure DOD's part of cyberspace.
What startled me at the time was how we had basically brought around us this powerful new technology with virtually no security awareness. We didn't have a discipline to think our way through the security issues. We didn't have standard protocols for how to configure things. We didn't have disciplined protocols and procedures in place for how people could connect to the wider Internet. It was just absolutely -- we let a thousand flowers bloom. And as you would expect in that environment, there were countless opportunities for mischief.
Since that time, there's been a tremendous improvement in the security situation at the Defense Department. I think the bulk of American society, candidly, is where DOD was three and four years ago, today. There's a great deal more security awareness, but you still are finding people that don't update their virus software. You're still finding people that are undisciplined. They will download software and use it themselves, off the Internet. Bad security practices still tend to be the norm, and we have a very large installed base of software that's vulnerable. It is still the norm in the software industry to put a [product] quickly to [market], and then to fix it after it's out and operating. ...
If we were under attack, if a cyber war or terrorist activity -- specifically cyber war -- were to be launched on the United States, give me an idea of what you think that would mean and how serious it might or might not be. How do you envision it?
Well, first, I do think cyber warfare is a very real possibility. Cyber terrorism is, too. But for both cases, cyber war or cyber terrorism, the activity of the terrorist or the war makers is really part of a broader plan. They're really trying to use a computer attack as a way to augment or strengthen their primary attack. So if there is going to be a cyber terrorism event, it's really, in my view, going to be used to try to amplify the effect of the primary attack, which is going to be physical. The same will be said for cyber warfare. ...
That means the larger political security environment is an important indication about are we under attack or not? I mean, the hardest thing about cyber disruption is: How do you distinguish intentional attack from failure, from your systems breaking down? Because that then triggers your ability to provide preventive and protective measures. Theorizing what's possible -- a country that sees itself on the edge of warfare with us would [seek] to augment whatever capacities they could, to make it more difficult for us to put our forces in the field -- that could very well be cyber efforts.
But let me just say something, if I could, about the difficulty of that. When the terrorists decided to try to hit us with airplanes, they mapped out the normal routine with a great deal of precision: How does an airplane operate every day? What are the ticket takers like at the desk? What is security like at the airport? They were mapping the routine. And the trade towers didn't move; they're in one spot. So you simply had to figure out, "How do I get to that spot and then fly into them?"
Cyberspace is changing all the time. I mean, it's constantly changing. People are forever picking up new versions of their operating system. They're introducing new anti-virus software. They're frequently changing e-mail addresses and accounts. So it's constantly changing. It's not like the physical world, where routines are fairly stable, or the physical attack, the target you're trying to hit doesn't move.
So what we don't tend to fully appreciate is how much more complicated it is to do what the military calls "terrain analysis": What is the terrain like where I have to march my forces and attack the opponent? Terrain analysis in cyberspace is very difficult. It's complicated. It's hard to know which computer is doing really important things and which one is sitting there doing Freecell in the afternoon. Who is really operating that computer terminal, and is it really John Hamre, or does it turn out it's John Hamre's secretary who's operating that computer? This is all very hard to figure out remotely.
So if you want absolute predictable results, it's hard to do in cyberspace, because the environment changes so dramatically. That's another reason why I think that if there is cyber disruption, it's going to be ancillary to a physical attack. It's not going to be directly.
Some will argue that cyber terrorists are different though. ... If their intention is to hurt us and to psychologically hit us, they'll do anything they want. So in some ways, the argument is, cyber terrorism actually fits the mold of what they want to do.
Well, I think that's right. But they're after predictable shock effect more than anything. And you just have to ask yourself, if they truly could turn off all the lights in New York City, that would be pretty shocking, but is that a likely thing that they could do? My personal sense is that it is theoretically possible at the hands of very skilled hackers, very skilled hackers. It's certainly more likely, but it is a very hard thing to do, to break in. And we, I believe, are making changes as we go along. We're not sitting still. We're not sitting as dumb and innocent as we were five years ago when we did Eligible Receiver. ...
[What was the first instance of cyber warfare tactics being used?]
The first instance that I know of that you could say was genuinely cyber warfare was a very small, very inconsequential attack on a computer system by the Tamil Tigers. The attack took place here in the U.S., but it wasn't directed against us. It was directed against -- I don't know who the heck they were upset with -- the Sri Lankan government, I guess, their Information Office, or something. That was the first time, and that was six years [ago]. These were the people that invented suicide bombing. They're pretty serious characters. But that was the first instance. ...
Since then we've seen lots of efforts to disrupt using computer attacks. The Serbians tried like crazy to disrupt computers all over the world during the Kosovo air war. Any time that there is an attack in Israel against the Gaza Strip, there are Palestinians that are always trying to attack Israeli computer systems. So it's now gotten to be the norm. People are trying to do this all the time.
To what effect?
They will occasionally break into somebody's computer and they'll deface a Web site; they'll put embarrassing information on a Web page, homepage. But it isn't bringing the end of civilization or anything like that.
So does this tell us that this is not a significant event? Or is it something that warns us that these guys are going to use it?
Oh, I think it tells you that they'll use whatever they can. It tends to be ancillary. It doesn't tend to be the primary attack, but they will certainly try to do it. It also tends to demonstrate the widespread vulnerability of cyberspace to disruption, because there's such a huge installed base of flawed software and inadequate ethic of security in the cyber community.
So we see that. I think it's evidence of that. But nobody's yet found a way to turn off the lights in New York. Nobody's yet found out a way to stop all the trains in London, you know? ...
You were talking about the carefulness of Al Qaeda, for instance, in analyzing their targets and analyzing the way ticket takers take the tickets and how the airplanes flew. An analogy that one could make -- and I'd like to get your opinion on -- is that a lot of people will talk about very sophisticated probing of the systems these days, all throughout the infrastructures of the United States, probing of electrical grids and probing of waterworks. Some people point this out because it's so sophisticated, because of the way that they end-run around any attempts to sort of figure out who's doing it, that what this could be is the preparation for a future attack: to know our systems, to kick the back doors in where you need it; if it comes to the point where you're going to come out after us, you're ready to go. Is that an analogy worth making? Is it something that sort of helps define an Al Qaeda way of doing it? And whether it's Al Qaeda or China or someone else, what's your take on that?
Well, real sophisticated probing, you're not going to know it happened. So if you have experienced probing or intentional anomalies, frankly, you're not dealing with the more skillful threat that we face, number one. Number two -- and I don't mean to be cavalier about this -- but frankly, clumsy probing is helpful. It's like exercise. It's the way we learn about vulnerabilities and get better in dealing with them.
Now the question: Are these folks insinuating time bombs in software that they can then trigger at a later date? It certainly is a theoretical possibility. Again, part of the difficulty of that is that cyberspace changes so dynamically, is that people are taking down their old version of Microsoft Office and putting up a new version. So all of a sudden that's off, where it was loaded is gone. This sort of thing is happening all the time.
So you don't have a lot of confidence that you could plant a surreptitious code designed as a back door or a trap door, and come back to it three years later. You could come back two months later, maybe, but not two years later. So again, I think there tend to be some self-correcting qualities that are a byproduct of a very dynamic industry, a very dynamic media. ...
What was your position on offensive [cyber tactics] and the importance of it [in Kosovo]? What did you learn from it, and how does that affect how you think now?
Well, if you can accomplish your military mission by disrupting another person's command and control, it's better to do that than it is to blow up lots of things. So it is preferable, in my mind, if you can reliably accomplish political objectives through cyber disruption, that's preferable than physical destruction. I do not have a moral inhibition to using cyber techniques to accomplish goals that otherwise you're prepared to use through destructive methods.
The difficulty, I think, that you have anytime -- that you certainly had in Kosovo, but that you would have anytime -- is that it is a very dynamic environment. Doing the terrain analysis, again, of the opponent is dramatic. You can take a picture from an airplane looking down on a city, and the power plant is never going to move. So you can do all of your planning to attack that physically, with confidence that that plant's never going to move.
But if you want to try to attack it through a computer technique, you are constantly in doubt that you really understand reliably the electronic terrain, which you have to move through. One of the things that I personally learned in the episodes in the past is that you just will never have the same confidence in preparing for war in cyberspace that you can have preparing for war in physical reality.
What did we try to accomplish there? I mean, there's talk about the telephone system and financial maneuvering, and things like that. What's the reality, and why was that attempted?
I'm embarrassed to say, but my only recollection of this traces back to a time when that was all quite classified. So I can't really talk about it. It really is, in my mind, an extension of what we do with electronic jamming or communications jamming. We're trying to prevent the opponent from reliably using the tools that they are using to communicate. So we send jammers in to try to stop tactical radios from working on the battlefield. We send jammers in to try to blind radar, so they can't see our airplanes. We're trying to use cyber techniques to accomplish the same good. We're trying to prevent them from moving as quickly as we're moving, shatter their confidence in their ability to control their own forces, and break their will to fight. That's what we're trying to do.
I think one of the arguments by proponents of the fact that this is a real danger that we need to deal with -- and deal with in a stronger way than we're dealing with it now -- is the interest of the United States government in the tactic in the past. Is that fair? I mean, if the United States government thinks enough of these tactics that you can really do some damage with them, should we understand that the other guy is going to do the same sort of stuff? And as successful as we can be in this world, we also better have our defenses backed before we use them offensively?
We thought a lot about that. I think we were of the view that any society that's highly dependent on computers, as we are, is more vulnerable than is a society where computers are rudimentarily used in the economy. So it doesn't make a lot of sense to think about cyber warfare on Somalia, because Somalia doesn't have many things that, frankly, are controlled by computers, whereas the United States has a lot that's controlled by computers. So you have to be very mindful about what you're doing.
It does mean that we need to be much better than we are right now in cyber protection. But I would argue we should be doing that just so that we could have more reliable business operations in this country. I'm a strong advocate for cyber security.
But I think that we've approached it by calling it cyber warfare, and frankly, that's turned off the bulk of the American business community, because they don't see it as warfare. To them, warfare is about dropping bombs, and they say, "That's your problem. That's you, the government. I don't do warfare. I'm not involved with this." So our whole rhetoric of cyber warfare, I think, is counterproductive to getting the private sector to do what we want them to do, which is to improve cyber security in their operations.
I think we'd be a lot better off to talk about continuity of operations, continuity of business operations, reliability of service. "You are going to lose money, CEO, if your computer system goes down and you miss two days worth of sales." That has more resonance to the businessman than does rhetoric about cyber warfare.
But in Washington, where the resonance is the fact that this is a national security issue, it turns out that, in this wild world that we live in now, 85 percent of the infrastructure of all these very important, essential aspects of American life are all in the hands of the private sector -- which makes it a very strange world to deal in.
Yes. Well, it's probably 97 percent is in the private sector, and it always will be thus. You can motivate some elements with talking about warfare. But for the bulk of the private sector, they just don't see it that way. They don't experience it that way, and I think we need to develop a new vocabulary when we talk to them. "It's about reliability of service. It's about maintaining your competitive edge against your opponents. You can't afford to be out of service for two days." ...
That, I think, gets us more down the road at protecting cyberspace than talking about warfare, because I don't think it connects with the private sector of the United States. ...
We've already talked about Operation Eligible Receiver. It's something that comes up a lot. Give me your point of view on how successful the folks at NSA were in their endeavor. I mean, there are different points of view about how successful they were or they weren't. They say they could have taken down the entire grid of the United States. They could have, for two weeks, stymied a Pacific command. What's the truth? How successful were they and what does that mean?
Well, we do know that they were very successful in penetrating DOD computers. I mean, we physically got messages from the bad guys on our own computers. So we do know that they were quite successful at doing that. I think it's a derived knowledge about success as to the physical infrastructure of the United States. The technique that they were using was really quite simple for telephone disruption. You know, that was not a very sophisticated thing, widely known. Now there are automated procedures to stop that kind of an attack. For the electric systems, I know it is said that they demonstrated the capacity. My guess is that they laid out a theoretical argument on how they would do it. ...
What Eligible Receiver really demonstrated was the real lack of consciousness about cyber warfare. I mean, really, the first three days of Eligible Receiver, nobody believed we were under cyber attack. That wouldn't be the case now. But back then, it was so novel and unpredictable, that the game players just genuinely didn't know that that's what was going on. And the red force, the attacking force, did a very good job of masking their attack profile, so that it didn't look like it was a cyber warfare.
But again, I think our consciousness is so different now. It's just like Sept. 11 changed our consciousness about the vulnerability of airplanes. Eligible Receiver changed a lot of our consciousness about the vulnerability of cyber warfare -- not completely through society, by any means -- but certainly within the defense establishment. I think within the security establishment in general, we've got a much better appreciation.
We now have a huge arsenal of trained people around the country who are ready to jump in on a problem that comes up. Every time we get one of these viruses, it exercises the system. Frankly, I think we're getting stronger by the day. ...
The argument is made that, yes, you can see a lot of the stuff -- a lot of the stuff, 99 percent of stuff out there, is kids or hackers -- but it's the 1 percent that you have to worry about that you don't see.
Oh, I think that's probably right. During Eligible Receiver, the success of the red team was only one-tenth of 1 percent, but that's enough to get control of the entire network. If you get superuser control of one node, you basically can get into a network.
Pristine protection, absolute sanitary protection, is what's required, and you'll never get it. So you have to constantly be exercising yourself to stay healthy and well in cyberspace. It isn't about not getting sick. It's about how do you recover your health. It's a different mind set for cyber security than it is for physical security.
And we're doing that? You think that society's evolved?
In varying degrees. It varies dramatically. I mean, it's still pretty shocking when you find a major university that has kids breaking into it, changing their own records and their exams; you hear this every now and then. That's really shocking to know that that's going on. I think you find very wide variability in the protective consciousness or security consciousness among the private sector.
But again, look at where we were five years ago, and look at where we are now. Five years ago, you couldn't find 100 people that could come to a conference that talked about cyber security. Now you can get 100 companies in Washington alone that are trying to sell cyber security services. It's a good thing. I mean, the profit motive has come to the rescue. ...
There's a famous group of scientists who wrote the president early on, when Dick Clarke was sort of working towards this report, saying, "We need a Manhattan Project. This is such a serious problem out there. The government doesn't get it. We need a Manhattan Project type of effort to deal with the cyber terrorism, cyber warfare issue." [Do you think] that's blowing it out of proportion?
I think it is blowing it out of proportion. It's not that it isn't a real problem, in theory, but that isn't what's moving people on a day-to-day basis. What's moving people on a day-to-day basis is when you can't get money out of your cash machine at the bank, or you can't get through on a telephone call to try to make a reservation on an airline. That's what really moves people, and that's what moves the private sector to improve their security.
I mean, our countless lectures about cyber security in Washington don't do anything compared to a businessman saying, "I just missed a half a day's worth of sales." That's what really motivates people to change.
So then, what's the government's role in all of this?
There are some classes of problem where you can define the problem, but you can't ever solve it -- [for example] adultery. We know it's wrong, and lecture against it, and you're never stopping. Murder -- I hate to say it -- it's illegal, we execute people that do it, but murders keep happening. I actually think cyber security falls into this category. We know it's wrong, we know it's disruptive, we know it can be destructive, and yet it's just a problem that you're never going to be stopping.
So I think what the government should be doing is stigmatizing cyber disruption. It is wrong, it's criminal activity. We need to stigmatize people that do this. We need to have in place a legal framework so that we can pursue legal recourse against people that do it. We need to prosecute anybody we can catch. ...
I think that's what the ultimate strategy is going to have to be, because a strategy that presumes we can force the people that own the infrastructure to do things that they don't see a need to do is doomed to failure. We've got to find ways to communicate to them to do things that they should do for their own best interests, and find a vocabulary that they understand. I think you can do that if you emphasize things like continuity of operations, reliability of service -- that which really motivates the private sector.
So the [National Strategy to Secure Cyberspace] that just got released last week -- you're pretty much on board with the direction they're taking?
I think it reflects the kind of inevitable balance the government has to take. There is not a will to seize cyberspace, nationalize it and force the private sector to do it the way we want to do it. There's no will in the country to do that. Nobody thinks that's the right answer. ...
[What is] your opinion of the [notion] that this is a weapon of mass destruction, this is something the government has got to grab hold of and take that Internet and protect your citizens from it, because if you don't use the stick, if you don't use regulations and stop thinking you can use just the carrot, there's going to be hell to pay. Your thoughts on that?
I spend hours a day worrying about biological warfare. I spend hours a day worrying about nuclear warfare. I do not spend minutes a day worrying about cyber warfare as a means of mass destruction. In the scale of things you want your government to worry about that can really cause existential threats to society, biological warfare and nuclear warfare are far, far bigger than cyber warfare.
Do you believe that's in the thoughts of those that are in power today?
I think that's the consensus of the security community. Cyber warfare is certainly a theoretical possibility. It is certainly a growing worry. It's one that reflects a vulnerability that we have. But it is not going to bring the end of American civilization like an infectious biological agent spread by terrorists, or a nuclear device detonated in a major U.S. city. That would constitute a far, far more serious threat to America. ...
Moonlight Maze -- let's deal with that topic. It's talked about a lot. Why is this thing so important -- or isn't it -- that people keep focusing, keep saying, "You've got to understand Moonlight Maze if you're going to understand vulnerabilities?"
Moonlight Maze was underway while I was in the government. That's now three years ago. At the time it was occurring, it was very highly classified. The word had leaked out about it, startlingly, from Congress. So I can only comment in a very general way about my personal experiences with Moonlight Maze.
A couple of comments. It was very sophisticated. This was not two kids from Cloverdale, California using an automated technique to bust into as many computers as they could after school. This was a very sophisticated set of techniques, number one.
Number two, they had strong operational doctrine on how they operated. These were people who not only had strong computer skills, but they also had very strong security skills. It suggested that it was potentially perpetrators who came more out of an intelligence background than a warfare background.
Number three, the penetrations were primarily not through the Internet, but through the very large-scale science and engineering cyber environment that's been created in the science community over the last 10 years.
What do you mean?
These were not attacks done through laptop computers. These were big machines, and the techniques of penetration were through the very open protocols that exist in the science community. I think that's changed. We certainly ordered changes, at least in the part that DOD controls. But the science community is wide open. Its ethic, its philosophy, is that you make accessible your knowledge and your techniques. So a lot of the penetration occurred through that culture of openness.
I assumed that it was through DOD. The target was DOD, and DOD doesn't have a scholarly segment.
Oh, yes, it does. DOD has fairly extensive connections to the science community. We operate big computer farms of supercomputers, and it's widely available to researchers in universities, in laboratories. That's a very large open environment. And it was through that environment that these penetrators came.
They used fairly sophisticated techniques to mask their identity. They took huge amounts of information, huge amounts of information, and there was not a clear pattern to information that they took. So what we had was sophisticated computer techniques, very good operational discipline, from a cyber intrusion standpoint, very strong security discipline on their part. They came into us through a community that by design is open and very porous to the outside world. That's a fairly startling thing to learn when you're with it that long.
Why?
Well, it opens up an awareness of something that you just hadn't thought through before. What is the process by which we monitor who comes and goes in our supercomputer centers? How do we know that legitimate work is being done in our supercomputer centers? You just don't think to ask that question until all of a sudden you learn about this sort of a problem. We do not now -- at least at the time I was in government -- we do not know who did it. We do know back a certain direction where the attack came from, but we don't know that that was the ultimate source of the attack. It could have been a front operation.
So what we had to do is to put in place on a very expedited basis, stronger security procedures. But we also found that the opponent was learning as he or she went along; they were getting better as we were getting better at cracking it. That worried you, because that meant that they had some type of a monitoring system to observe us while we were observing them. So we're obviously dealing with a very sophisticated opponent.
Could it happen today?
Oh, I would guess so. Yes. My sense is that the techniques that they were perfecting back then have undoubtedly gotten stronger, and it was hard to monitor back then.
So the tactics used, the sophisticated tactics -- this is espionage?
That's my guess, that it was economic espionage. That's my personal hypothesis about what was going on. But I have nothing to base that on other than just my instinct.
For what purpose?
Trying to grab trade secrets, trying to get the benefit of our intellectual property without having to buy it or license it.
So I guess the question is, if this sophisticated a probe of espionage, if there's that kind of character, that kind of enemy out there, could they use the same sophistication to hurt us, to take down our infrastructures?
We were quite worried that an opponent of this skill could insinuate surreptitious code inside machines. That was very much a worry, yes. Again, this code is changing all the time. Where would it be lodged in a reliable way that you could come back later to execute?
Again, the best protection in cyberspace is its volatility and its continuing changing nature.
But that didn't stop these guys from doing what they did.
Well, this was over a relatively compact period of time. But if you were to say, "I'm going to implant a bug or a time bomb, in a piece of software," and then trigger it two years from now, well, you don't have any confidence that it would still be there. You'd have to go back and check to see if it was still there.
A high-level official -- someone who should know what they're talking about -- told us that the other worry in this realm is that, again everybody always said that this was the unclassified realm that they were dealing in.
Well, yes. But I'll tell you, they were all unclassified. But one of their search routines was for the word "secret." They were looking. Believe me, they were looking for classified information. They looked for it.
Did they get it?
We don't think so, but again, I'm going back on my knowledge, which is now three years old. ...
So lessons learned, as far as dealing with an opponent such as Al Qaeda and what they might want to use?
Oh, I think this is a very different scale of sophistication. I mean, Al Qaeda, they're not computer illiterate. They do use computers. They use encryption. They encrypt things that are stored on files. So they're not without some consciousness of using modern tools. But that's not at the same sort of level of sophistication that we saw with Moonlight Maze.
One of the things that did come out, though, is on [Al Qaeda's] laptops, or the laptops we got our hands on, there were all these probing of sites dealing with programming of SCADA systems and control of SCADA systems within electrical and other power company scenarios. Should we be worried about that? Or is this, again, not essential, because they don't have the capability?
No, I think we should worry about it. But these are the same people that had drawings of nuclear power plants and treatises about how to make ricin out of castor beans. You know, it's very clear these people have been listening to us more intensively than, frankly, our own country has, about the risks and the threats we faced.
The fact that there is evidence that they're aware of our debate doesn't mean that that is evidence of their capability. I think we have to take a much more seasoned and dispassionate assessment before we simply jump to a conclusion that, because there's a file where some guy is referencing the vulnerability of SCADAs or cyber attack, that that equals capability. I'd have to see a lot more evidence that indicated that just simply an awareness constitutes capability. ...
A lot of people say the DOD has gone a long way in cyber security, that the private sector is nowhere near. How long is it going to take to drag along--
Well, from my own personal experience, you do not do anything about cyber security until you experience cyber failure, and we did in consecutive little ways. Eligible Receiver was one. It was more theoretical, but it was still, nonetheless, a very searing experience. Moonlight Maze was one. Solar Sunrise was another. These were consecutive experiences of failure that led us to say, "We've got to do something about it."
I think they've done a very good job. I really do. Are we totally protected? No. But it is dramatically better than it was. My guess is that the private sector is way behind on that, because they haven't experienced the same kind of failure. ... The private sector is getting better, but so are the bad guys. It's just simply a continuing race. We are on a treadmill. We have to just run like this forever.