These are the people who are responsible for this problem, the people who are worried about this problem, and the people who know about technically the threat, some of the people who were involved in the development of the Internet, people who are involved in the development of defenses over the last several years. These are the people who are worried, and these are the people whose opinion, I think, really counts when we're advising our national leadership.
In a Washington today that has missiles to shoot down airplanes, where the threats of biological and dirty bombs and nuclear weapons are all over the airwaves, is there a reaction which fights against what you're calling for?
Absolutely. I think that people can easily grasp biological warfare, because they have experience with getting the flu. They can easily grasp chemical warfare. It's very difficult to grasp that our society is run by computers, and that our infrastructure, power grids, water systems, you name it, we depend on it. The lifestyle that we enjoy as Americans depends completely on computers. If we were to lose the ability to network and to compute, we wouldn't be able to have the America that we have today.
So the stakes are extremely high. But I think there is a lack of understanding of the degree of dependency we have on that infrastructure.
Imagine for a second that you're Al Qaeda. Why are cyber warfare tactics of interest to them?
Well, the way I would see it, it allows you to get access to the country from far away with anonymity. You can make your way into a power plant sitting back in whatever country that you happen to be in, without a lot of effort, as long as you have a network connection. So it's a way into a place that's vulnerable and a place that we depend on. The time that you have to prepare is not a long time, and you can do it perhaps without having to get struck.
Now, there's a reaction out there that sort of says, "All right, it's one thing to say that this is a possibility in the future. Certainly China and other nations that might want to use it against us in a future war is a possibility, and something that needs to be looked at. But how realistic a scenario is it for terrorists?"
I think the scenario is quite realistic. As I said earlier, about 300 people and tens of millions of dollars would be necessary to mount an attack like this. This notion that it's a Third World country, therefore, they can't have computer scientists and computers and connection -- that's absurd.
Even if that were true -- which it's not -- some of the best computer scientists that are trained in our country, in our universities, go back to these countries. But even if that weren't true, you can always buy mercenaries. You can always buy people who are willing to take these actions for you.
So what's the equation? How realistic is it? What would it take for a group like this? What would it take for them to mount an offensive like this?
It is easy to do a small attack against the country. For example, to bring down a bank for a half a day, I don't think that takes very much at all. I think 10 people working maybe a month could do that. But to bring down, let's say, the power grid for two weeks across the entire country, that requires a lot of planning. That's the kind of national threat that I'm talking about.
That's the kind that I think would take about 300 people and about, as I said, about a half a million dollars to do, and about three years to mount an attack like that. You actually have to have a thorough understanding of how we depend on our infrastructure, how the power grid works, where we do our backups. You have to have a very, very firm understanding of that to carry out a plan like that. It's a military campaign, in effect, and you need time to do that.
What is a cyber war? What are the nuts and the bolts of what it might look like?
I think a cyber war starts with reconnaissance. If you think about a regular war, the first thing in a regular war is they figure out how to get to some national security-related, or national threat objective. They begin developing a campaign to achieve that objective, which starts with reconnaissance -- learning how our networks work, learning how we depend on our computers, learning how to achieve that objective through the computer.
Then they develop a campaign plan that says, "OK, you take out this computer. Then you take out that computer." For example, you want to be careful not to take out the network before you have been able to make use of that network in order to do your attacks. It matters what order you do the attack in.
So then you plan your attack. Then you test your attack. You make sure that your attack works, wherever you're going to do it. Then you execute the attack, when the time is right. So it's the exact same process that our military planners use to plan military campaigns.
So, day one of this war, whether it's an Al Qaeda or Iraq, the Armageddon day of the real attack that we fear might happen -- what happens? What do we see? What are they doing? Are they doing it in one room in one Afghanistan village? How would it play out?
I think you would want to have it come from multiple places. Whether you really have one command center or not is not really important. But the most effective attacks we've seen are where you have a large number of computers spread around the country where the computers have been infiltrated and taken over. Then these computers are instructed to mount the attacks.
So then we would see attacks coming in from everywhere. We wouldn't really know where it truly is coming from, where it's originating from. You'd see it coming from China. You would see it coming from Russia. You would see it coming from Africa and South America, all of the world. And you just wouldn't be able to tell, because they would have pre-placed these assets in these computers, ready to attack us.
Then you would begin to see the unfolding of the attack, whatever their objective is. For example, you might see power outages. You might see water systems being corrupted. You might see somebody trying to blow up a pipeline, an oil pipeline. Whatever it takes really, to achieve their objective. You might see them going after the railroads. We have seven critical infrastructures who are identified by the President's Commission. Those [are] all known to be vulnerable. You'd go after those in whatever order made sense in the campaign and the objectives you were achieving.
So tell me, even in more detail, what kind of computers are they using? I mean, are they using supercomputers? And when you talk about taking over other computers, zombie computers or whatever -- define what that means.
The attacker would not need to use specialized high-performance computers. They can use the average everyday computers that are on our desk which have the power of supercomputers 20 years ago. The kind of computers we have today are extremely powerful. The amount of network capacity that they have at their disposal is very, very large. Those are the two things you need. You need an average everyday computer you can buy off the shelf, and you need network capacity which you can provision from a network provider at a very, very reasonable cost. So that's the resource level that you need.
Describe how one takes over other computers.
To take over a computer is not a lot of work. There are a lot of known vulnerabilities out there. Most of these vulnerabilities actually have patches to them, and a lot of people don't put the patches on. There are scripts available that you can go download from sites to actually exploit these vulnerabilities. So it's a matter of knocking on a large number of doors, finding the doors that are open, walking in through one of these vulnerabilities, taking control of that computer, putting your program on that does the attack, and waiting until the right time to actually mount that attack.
If it's very easy to scan the computers across the world and find those computers that are vulnerable, and find a large number of them, then you can take over.
So you're talking about taking over thousands and thousands of, I guess, it's what they call "zombie farms" for a large attack?
I think tens of thousands. If you took over tens of thousands of computers, you could have a serious effect, for example, denial of service attack, which is taking out the ability of the computer to work any more, especially work on a network which we require now in order to actually accomplish the mission of the system. If you want to have a specific effect on a specific computer, let's say, a control computer for a power grid or for trains, that doesn't require a lot of computers. That requires getting after a particular computer that does a particular function.
So that's not a matter of taking over 100,000 computers or 10,000 computers. That's a matter of studying very carefully the vulnerabilities of that particular system and the systems that connect to that system, and the systems that connect to the systems that connect to that system. Ultimately, if you study it hard enough, you'll find some vulnerability trail that will get you into that if you're patient enough and you have enough resources.
So we're still in day one of the attack. How do we realize it? What do we see? What are our first defense steps?
I think the Slammer worm is a good example of the kinds of things you see. Code Red, Nimda are also good examples, but Slammer is the most recent one. I think the first people to see will actually be our industry base, the people who are being affected by it. Unfortunately, that's the case, because we don't have a national center where this data comes into and for somebody to be able to say, "Yes, we're under attack."
So you'll get calls. If the banking community is under attack, or the power grid community, you'll have them call in, and say, "Hey, you know, something is going on here." We'll begin to see it by ATMs going down, which was the case in Slammer, where we begin to lose services. People recognize it's down and that we have some problem, because the systems are down. That's how we'll see it -- we'll see the effects first. Our industry will see it first, and let the government know.
So in places like Symantec, their sort of control center, that's probably one of the first places they're going to see it?
Symantec, the Internet service providers, the backbone providers, the bank, the bank front line security officers -- I think those are the places you'll see it. Symantec, as well, security providers, security service providers will see it as well.
So the government is warned that something is going on? What happens next?
The ability to react to a cyber attack is fairly limited. That's part of the reason why we're recommending a cyber Manhattan Project-style. Even when we recognize it, we'll recognize it too late. We'll recognize it when we have the effects as opposed to when the reconnaissance is going on, because we don't have the capability to really see it coming before it really gets here. But even the worst part of that is that our response capability, the options that we have, are limited, because we don't have national-scale defenses.
So what can the president do when we say, "Yes, we're under attack by terrorist group X, and their objectives appear to be the power grid, and we have attacks coming in from all over the world?" There's not much. We could potentially cut off all of our networks from the rest of the world, but that actually does quite a bit of damage itself. We could close the military networks off from the rest of the network. But the military may not be a primary target. I think that's one thing that we need to understand -- that our military doesn't defend U.S. cyberspace. The military defends soil. We don't have somebody right now who is defending U.S. cyberspace. There are no troops to call when we have this kind of event.
In this scenario, in a real sense as to what would happen, you don't have a group of government, sort of the cyber military or whatever sitting down at their computers and noticing where things are coming from, and blocking things. No scenario like that might happen?
Well, we do have people with a mission to do that. U.S. Strategic Command has the responsibility for a computer network attack and computer network defense. There are operation centers that have this responsibility. Their primary feeds are from the military systems, and their primary function is military. Computer network attack is for military objectives.
Now, one could see if we could do a computer network attack response as something in our arsenal. Currently, the government is considering the rules of engagement, and how one might employ such weapons in a situation where we're under attack. But our capability is fairly limited. As I say, it's mostly, at the current time, targeted against military.
So do we even know who we're under attack from when it's taking place? We're still day one, and the electrical grid has just gone out in the Northeast, ATMs are down, railroad lines are getting messed up. It's obvious something is happening. Do we know who's hitting us?
No. The problem with the network today is that it's anonymous, and it's very, very difficult to trace where something is coming from. As I say, when you do an attack, you first pre-place your computer assets all around the world. Then you activate them from some control center or control centers that are behind those. When we see the attack, it's going to appear to come from everywhere, and the ability to trace those back to the original controlling entities is extremely limited.
We don't know who did Code Red. We don't know who did Nimda. We probably will never be able to find out, because of this level of indirection in the attacks, and the inability to be able to trace actions within the Internet.
Day two. We now realize that we were attacked, possibly are still under attack. We've got some damage. What's the next step?
The next step would be to try to recover from whatever damages that we had, and begin to try to put up whatever defenses we can. So, for example, if we see it coming from a particular place, if we're lucky enough that it's coming from one set of network addresses, we can try to block those addresses. Of course, the attackers can adapt to that countermeasure. So it's a matter of attack, countermeasure, new attack, new countermeasure. That's how the campaign would proceed.
We would probably also begin trying to isolate some of our networks, trying to make it harder for somebody to navigate through these networks. There's a lot of motivation to connect up our systems, because we get a lot of functional effectiveness in our society from the connection of our computers. I think, in an attack scenario, we're going to have to sacrifice some of that efficiency for our protection or defense.
Can the defense come up quick enough to prevent the major damage that an attacker would want to create?
It depends on the attack. One interesting thing about Slammer is that it happened a hundred times faster than any of the attacks that we've seen before.
When Slammer hit -- I think 247,000 hosts is the latest figure I've seen, and it accomplished that in 10 minutes. In 10 minutes, it accomplished that level of propagation, and it was worldwide. Fifty-five million hosts per second were being scanned for this vulnerability, and it compromised several hundred thousand hosts. That's, as they say, beyond our ability to react, certainly at the government level. But even on the front line, 10 minutes is not enough time.
How damaging was Slammer? And how damaging could it have been?
Slammer was very damaging in its unintended side effects. All right, so it brought down the ATM network. That's a very bad thing. It brought down 911 services. Those are bad things, and we could have lost lives as a result of that. But the damage is rather minor. It affected 247,000 hosts. That's a lot. I'm sure the damages are probably in the hundreds of millions of dollars in terms of capability that we had, and financial losses, when all the money comes in and is counted for.
But the fact is that Slammer did not have a malicious payload. That is, its mission wasn't to do bad things, like erase everything on the computer or go out and begin attacking very, very sensitive systems or bring down the banks, or whatever. Its goal was simply to prove that one could get through this vulnerability that was in the system. So if one were to have a serious payload, the damages could have been very, very serious. They could have been in the billions, and it could have been picking out significant capabilities within our country.
One of the problems is, we don't know how we depend on, for example, these database servers. What systems depend on these databases? If we took out all those database servers, what would we lose? It's hard to predict. My guess is it would be pretty serious. ...
So what are the lessons learned from Slammer?
A key lesson learned is that these worms can propagate at extremely fast speeds, that these attacks are becoming more sophisticated, that our systems are vulnerable, that our systems continue to be vulnerable even after we know about the vulnerability. The vulnerability was known months before the vulnerability was exploited.
The patch was known for months. We had the patch in hand. It was available. It was just too complicated to install, and some people didn't bother to install it. So it doesn't suffice to know. It doesn't suffice to have the patch. It's important to have a system to actually deploy the defense, deploy the correction in our critical systems.
Give me, in your thinking, the nightmare scenario of a cyber war. What could happen that you fear the most?
I think the one infrastructure that we depend most on as a society is the power grid. That's the one scenario I fear the most. I don't fear the power grid in one area of the country being taken down for a day. We, as a country, can survive that quite well.
What I fear is a campaign that holds down the entire power grid for a long period of time. You bring down the power grid, you bring down every other infrastructure. You bring down water. You bring down transportation. Once you do that, the whole fabric of our society is decayed significantly. It's not clear how we, as a society, would survive a two-month downtime of our power grid. That would be a significant event. That is the nightmare scenario that I am worried about.
Why is that even a possibility to think about?
In the design of the systems which design those systems, you'll see that, if you go back far enough, if you think about this deeply enough, and you figure out how we actually operate things, it's possible, if you have enough time, if you go back in time far enough, that you can do these things.
Now, I don't know for a fact that one can do these things. Nobody has developed the scientific case for it. That's part of the problem. That's part of what we're concerned about, that the full nature of the threat has not yet been identified. We think this is an important and urgent problem to do. But a number of us who have seen failures within these systems, accidental failures, extrapolate those failures forward, and believe that it's possible to mount attacks that are pretty serious.
Dick Clarke and other people who talked to us say, "All right, yes, it's possible to bring down an electrical, part of the electrical grid for a day or two. It's not possible to take it down for a couple of weeks, or a couple of months. That's just unrealistic."
I strongly believe that it's possible, because we've seen it happen in the small failure scenarios as opposed to the intentional attack scenarios. I think one of the things that we did in our letter to the president was to run through a scenario, and what we used was failures that have happened. Any failure -- for example, the Pacific Northwest grid -- failed for reasons that had to do with errors in how it was operated and lack of understanding of how our systems actually work.
If you take a look at these failures, any failure that can happen can be induced. If you actually do it intentionally, you can probably do it to a much larger level than it actually happened. But we believe, very strongly, it's possible.
So you bring down the entire grid in North America? It's a possibility, because everything is interconnected?
Yes. The way the power system works today is that if a piece of our power grid goes down, you use the neighboring power grids to provide enough power in order to bring the generators back up again. Well, if the neighboring power grid is down, how do you do that? So if you bring down the entire power grid simultaneously, you're going to have to bootstrap the entire system, from the smallest generators getting enough power somewhere working to boot the next piece of the power grid, which can be used to then get the next piece of the power grid back up again. And nobody knows how to do that.
My guess is that it's doable, but it's going to be very, very hard to do, because we're going to have to figure out how to engineer that answer when it happens to us, as opposed to now.
Clarify something for me. A nightmare scenario for some worried about this issue is bringing down the Internet. If you bring down the Internet, you bring down computers and their ability to deal with each other. That, in itself, is a nightmare scenario, because so much business, so much commerce depends upon computers themselves. How possible is this?
I think bringing down the Internet would be damaging to our commerce, for sure. We would feel a slowdown of our economy if one were to bring down the Net and hold it down for a while, which could be an objective of an adversary -- both Third World adversaries, as well as strategic adversaries of the country. But if you really want to have a long-term damaging effect, I think you actually want to keep the Internet up and use it as a medium of your attack as long as you possibly can, and go after the infrastructures that we depend on for day-to-day living, like power, like telephone, like water, like transportation. So if I were attacking, I would want to keep the Internet up as a vehicle.
Al Qaeda is a known opponent who has said they want to bring us down economically. They see that as a way of destroying the infidels, basically. So this seems to be a weapon that they would very much be interested in. Is there sort of evidence that you've seen or that you know about that defines the fact that they just certainly are interested in this direction?
The only evidence I've seen is a report that I think was released out of Richard Clarke's office. There was intelligence information captured off of computers from Al Qaeda and some of its companions that look like they were targeting our infrastructure, that they had charts of pieces of our infrastructure, which is something you would want to do as a reconnaissance step before you begin an attack. So that's the one piece of evidence that we do know. At the same time, it's understood that it would be very difficult to collect evidence, other than through capturing of computers, and know in advance that something was being tried.
What a lot of people have told us is that the way you get into an electrical system, or the way you would control it is you'd control the SCADA system. So there's thousands and thousands of switches on any mechanical line or electrical system, power system, or whatever, and the reality is that these are very difficult to protect. They are more and more all connected to the Internet, and that is a weak link in the system.
Right. Because our systems are so complicated now, they have to be controlled by computers. And SCADAs are a particular kind of system that we use to control real-world things, like chemical processing, like dams, like power grids. As you try to make these systems more and more capable, you like to interconnect them to other systems, so that you can sense, for example, that there's going to be a higher power load on the system because of some event happening outside of the system. So if you could connect your SCADA system out to some real world event, for example, there's a heat wave coming, and you could automatically scan that, it would be useful.
So people are beginning to want to connect these systems up to have more capability to have the system smarter. But at the same time, as we do these connections, it makes them more vulnerable. It makes it more possible to bring them down.
Switching directions here -- software creation offshore. What's the reality about the software that makes all these systems work, and is there a vulnerability due to this?
Nothing runs without software. Software is the heart of every system that we have, and the software is developed in non-protected environments by people whose interests are unknown. So, for example, even if it's within this country, a software development house could provide the lowest bid and have a second agenda in developing that software. For example, if it's going into a SCADA system, perhaps they have been paid by somebody to put a control in there that can be activated later on. This is what I mean by pre-placing assets in an adversary to trigger at some future time.
Also, it's understood that a lot of our software is developed offshore because it's less expensive. So we have a lot of development going on in countries like India and places like that, where it's cheaper for us to do it. They are much more productive than the average software programmer here, and they're less expensive. So clearly, there's a motivation to do it there, and the opportunities for subverting that process by an adversary are pretty significant, because there is no control on the development process.
Playing the devil's advocate here -- so you scan for malicious code and get rid of it, and you make sure that you patch any problems. That's not a problem, plus, Microsoft and other companies they have got security in place.
Well, there's two problems. One is it is very, very difficult to find embedded malicious code, in fact, and the general problem is known to be not solvable. To find a piece of malicious code in any program, an arbitrary program that's been written, is not solvable. It's possible to do it in particular constrained situations. For very small programs, one can look through and potentially find malicious code. But we have no capability to scan large amounts of code automatically and be able to find pieces of malicious code. It's very, very easy to write a piece of software that is going to hide itself, and it's not going to be easy to detect by any human or machine review. So that's the first thing; it's difficult to find this malicious code.
Second of all, just because Microsoft is doing it doesn't mean that all of it's being developed in Redmond. Microsoft has people offshore developing this software. They have people that are hired from other countries that are doing this software in-house there. They are using device drivers that are developed offshore; these are the pieces of software that run the little cards that are inside of our computers. So the software is coming from everywhere, even though it appears as coming from a company that we would want to trust.
So the fear is what? You got an Al Qaeda group three years ago decided or 10 years ago decided, "You know what, if we could get some computer specialists involved in software companies in India, and they could start installing trap doors in the software that's going to go to America using the SCADA systems."
That's exactly the fear. The fear is that somebody will get into the development process, whether it be offshore in India or whether it be here in the United States. It really doesn't matter which of the two. But they'll get involved in the development process of our key systems, routers that we use to control the network, switches that we use to control the telephone networks, SCADA systems. And they will have pre-placed bugs, Trojan horses, trap doors into these computers.
Sometimes people argue that it would be very hard to come from the outside, penetrate into the insides of these SCADA systems and be able to get control of these inside assets because there's all these firewalls and protections. But the fact is that you can bypass all of that by going through and getting into the development process.
The fact is also that there are not firewalls involved in SCADA systems in most of these places?
Yes. SCADA systems are particularly not well protected. ... If we applied our technology that we have today, [they] could be much more well protected than they are today.
Microsoft's willingness a year ago to halt production for a bit and look at the security concerns -- how important was that, and was that enough?
It was laudable. I think it was a step forward, but I don't think it's enough. Whether it is Microsoft or other companies, we don't develop our software with the intention of making it hardened against adversaries who are willing, interested and have the resources to go up against our systems. We have far too many vulnerabilities in the software that's being developed today. We need to fix that problem long term, both through the education process by developing better software engineers, and by the processes that are being used by our companies.
Why hasn't that problem been fixed?
There's not a financial incentive to fix the problem. So when a vulnerability gets discovered in a piece of software, what happens today is we pay for an upgrade. Now, we as users tolerate that. I think at some point the liability is going to be sufficiently high, and the damages are going to be sufficiently larger. People are going to demand something higher quality than what we're getting today.
The Clarke report came out, the draft. What was your group's response to the report?
Well, in the late summer [2002] timeframe, we became aware that this report was being worked on, and we were invited to comment. At that time, we were just the signers of the letter to the president. So we decided to form the Professionals for Cyber Defense, which was a subset of the signers, who then formed a panel to look at this report. Our findings were that it was a good step. It had a lot of interesting things in it. There's certainly necessary conditions that we needed to follow in order to defend ourselves, but they weren't sufficient.
In particular, it appeared to us the assumption of the report, the nature of the adversary was a hacker-quality person, somebody who is sort of doing this avocationally, as opposed to a nation-state concerted campaign against the United States. So it's pretty clear that the assumed threat model behind the plan was very different than the level of threat that we, as scientists, felt was real. So our main comment back to the government on this was, "You should really rethink your threat. And, in particular, if you think this is the threat, then maybe it's time to engage in a study to validate the level of threat we have to our country."
I think it's a big problem to write a national strategy against the threat when you don't fully understand and you have not fully scoped the threat. So our primary recommendation was to scope the threat, and do it quickly.
So here's a threat which some people say is imminent, but we're sort of at the level where we should be trying to figure out if there is a threat?
Yes. I think part of the problem is that, although you have 50 or more of us right now standing up and saying, "This is a major threat to our country," and extrapolating these various scenarios, this is how bad bad can be, you'll find some professionals who will stand up and testify that there isn't a threat of this proportion, that this is being overblown.
What's necessary for the government to do is step in to actually do a scientific study to scope, validate and understand the depth of this threat. Is it as bad as we say it is? We think it is. But we think more urgently it needs to be determined what it is. That's something that we believe the government is responsible for, and we think they need to do it now.
Does the Clarke report have the teeth? Is it strong enough, and if not, why not?
The plan is, as they say, a step in the right direction. But there appears to be a reluctance to change anything with respect to what we require of our industry, [who are] on the front line of this attack. I think the big controversy centers around who pays. It is unreasonable, I think, for our government, we as citizens, to expect those who are on the front line of the cyber war, or the potential attack that we might face, to pay for it. So I think industry has pushed back very, very strongly from having any kind of teeth in any plan requiring them to do anything, because they feel they will have to be ultimately paying for it.
I think the real important thing to understand is that we, as a country, have to step up and defend whoever is on the front line, and pay for it as necessary, and help the people who are on the front line defend themselves and defend us.
In the Clarke report, why the absolute lack of the use of regulations to sort of help move this situation along?
I think that reflects the preferences of the administration. I don't know that for a fact, since I wasn't on the inside of the process. But it appears to be industry had quite a bit of say into the writing of the report, because industry people were involved during the development of the report, and the administration has their viewpoints and their preferences.
Regarding the private sector, there's another issue there -- the lack of sharing of information.
There's a lot of disincentives within our current structure to share information. In particular, one of the biggest is economic. If a bank shares information that's been attacked, that bank loses depositors. If a Fortune 500 company says it's been attacked, it loses investors. So there is no good reason to publicly share your information.
Secondly, if you share your information that you're under attack with the government, you might get help before you're really interested in getting help. But it's not always helpful help. I mean, it's people coming in to investigate, ask a lot of questions [while] you're trying to defend on the front line. So these people don't really want to share their information, and these people believe that for attacks that are against them, sort of economic-level attacks, things that they would be concerned with, it's really their business.
The problem is that when it becomes a national security threat, it's no longer just their business, it's beyond their business. But it's very, very hard to tell in the early stages that is a national security threat, and not just a local attack against them. So they don't seem to be willing to set up a system where they can activate in the event of a national attack, because they're worried that it will be activated in the case of local attacks that they consider their business.
Let's talk about the sophisticated probes that are going on right now. There seems to be a lot going on out there. What's happening, and what's the significance?
The number of probes that we're detecting is going up significantly. More importantly, the number of stealthy probes has gone up. We have just deployed some technology that has recently come out of the research programs that can see what are called low and slow probes -- probes that come in over a long, long period of time, and they're intentionally trying to be hidden. There are on the order of 100 to 1,000 times more probes than we actually see if you start turning on these anti-stealth kind of detectors.
There's clearly a lot of people out there doing reconnaissance, and they don't want to be seen. So these aren't your average everyday hackers.
Who might they be?
I think they would be adversaries who are interested in doing reconnaissance without tipping their hand that they're doing reconnaissance in our networks.
Why are they doing it?
To prepare for attack, or to prepare for getting information out of our systems to understand our vulnerabilities. That's why you're probing scan networks.
Can we tell how far into their probes or their reconnaissance they are?
Very difficult to tell. You can kind of look what they're probing on and see. We have some technologies called honeypots, for example, which [are] fake systems. They're systems that are out there that really don't have a lot of content, but they have some key words that may look interesting. They're full-blown systems, and we can kind of see where they're trying to head within those systems and get indications from those.
So you sort of basically stick out a honeypot, wait for the bees to come, and try to figure out who the bees are?
Correct.
That's interesting. But, meanwhile, all you're getting to see are the bees that tend to go in your direction?
Correct.
How blind are we to the bees out there going everywhere else?
I think our sensor capability in this area is extremely weak. We're seeing a lot with the sensors that we do have, which are not very capable. With the new sensors that are being developed out of research, we're seeing a heck of a lot more. We don't know what we don't know, and there's probably a lot of reconnaissance that's going on that we just don't have the capability to see yet.
Someone defined what's going on right now as possibly being some nations out there that are going to use this against us, or sort of mercenary hackers of a very high status who are out there, basically finding the information, setting up systems so that they're ready for an attack, and then would be able to turn around and sell their abilities and their connections to the highest bidder. Explain some of the scenarios that are out there on who might be doing this probing and what it means.
I think you have different classes of people doing the probing. At the very, very top end, you have nation-states who are developing the campaign plans, whether they be for gaining intelligence against our systems, or whether they be to attack our systems -- probably both. They're developing the capability now to be able to use it in some future time when they feel it's necessary to accomplish whatever objective they want to accomplish.
On the next tier down, you probably have mercenaries, who could be used by nation-states, developing capabilities that would be sold to the highest bidder in some future time. So you could then put a price list, a menu list up, saying, "If you want this out of the United States, check here. That's $100,000."
At the lowest level, I think there is some amount of just regular, off-the-street hackers who are beginning to develop toolkits which do low and slow probes, stealthy probes as part of the toolkit of the scripts that they just generally use. So it's becoming part of the state of the practice of even the lowest tech hackers. The lowest capability hackers are using stealthy probes because they can. They're just built into the scripts that they use to do their attacks.
What are the systems that are being probed? What seems to be the focus of these probes?
There is no system that goes on the Internet that is not probed. In fact, I think the estimation is, within one minute of connecting to the Internet, your system is already being probed, and has probably been probed several times. So any system that goes up -- any and every system that goes up -- is being probed. It depends on who's doing the probing as to what they want. We have clearly seen evidence that somebody wants intelligence on our military systems, our development systems, our advanced R&D systems. So people are explicitly going after that.
I'm sure people are going after a lot of other targets, depending on their objectives. It just depends on what they're going after.
Moonlight Maze has been talked about. Why do people keep focusing on it?
What's in the press about Moonlight Maze is that it was a concerted effort by someone, probably a nation-state, to gain intelligence about our computer systems -- what kind of weapons we're developing, what the state of our research was. It seemed to be, from the press reports, a widescale attempt to gather intelligence through cyberspace.
What did it tell us about our abilities, or inabilities, to protect our DOD system?
Well, I think it was detected accidentally. I mean, it was detected because of blunders and how it was deployed. So, first of all, I think it tells us that our ability to find these kind of activities is extremely limited. I think it also tells us that as an open society, we have a lot of valuable information on the Internet that's available for our adversaries to just come and get.
Why the sensitivity out there? I assume that you have some level of classified status, to some extent. Why the sensitivity for people in the know about dealing and talking about Moonlight Maze? Some of that took place several years ago. Why still the sensitivity about talking about Moonlight Maze?
The government has a policy that any vulnerability in any classified system is classified at the level that that system is protecting. So, for example, if somebody is going after a system that contains secret information, and there's a vulnerability in some system, that would be considered a secret vulnerability, even if it's an openly known vulnerability. That's the policy. The wisdom of that policy is a different issue. But that's their policy.
So this appears to be going after data and systems of a very, very wide scope, and they're sensitive about talking about, I guess, how far it's gone.
That's very interesting, because when you talk to scientists and people involved in this world, everybody keeps pointing you back to Moonlight Maze -- "If you understand Moonlight Maze, you understand the threat." Explain that.
I think Moonlight Maze is one example of a pervasive attack, an attack that was mounted in many stages, an attack where there was clearly reconnaissance that went on beforehand, an attack where you had a stage where they got assets all across the country. When I say "assets," I mean they infiltrated a number of computers for a specific purpose, to gain intelligence. So it was an activity over a long period of time to reach an objective, with a lot of different stages, a lot of planning, and a lot of careful thought and execution.
That is an example of a cyber-related activity, a campaign that was concerted and thoughtful against this country. That's one example. I think the other examples are denial of service. A military campaign would look very, very different than that. So I don't think it's the only one example, but it's a good example of a well-orchestrated attack.
So this does not fit into the world of sophisticated probes. This actually fits more into espionage?
Yes. You would have to do sophisticated probes in order to do what they did, in terms of getting as pervasive a network as they did to get our systems. But then the goal of that was probing at a much higher level -- probing to get information out of the system. Once you probed to get information about how our systems worked, then what they tried to do with that information was to get the intelligence out of our systems, to get the data that was openly there out of our unclassified systems.
With quite a lot of success?
Yes.
How does that worry us about how successful they could have been?
I think that if you had a different mission in mind, the level of damage that they could have caused with that level of sophistication is serious. So they were able to get a large number of computers and a large number of sensitive sites, military sites; again -- not classified, but sensitive. Had they done that with the intention of destroying, and having some triggered effect at some point, it could have been very damaging.
The classified systems aspect of this -- is there a worry out there in Washington and elsewhere that nothing is safe?
I think there is an understanding that, even though computers appear to be disconnected from the Internet, there is always some path and some way, through some route, especially in the development cycle of the software. So, yes, even though there are protections, and even though these systems are isolated, we do worry about our classified systems.
Eligible Receiver. That was an exercise the U.S. conducted. Tell me about how that showed us back in 1989 the vulnerabilities of our infrastructure?
I believe what's available in the press on Eligible Receiver shows that, when we as a country go against our own systems and model an adversary that we would be worried about, we tend to achieve whatever objective we set out to achieve. That's chilling, and the full effect of that, I think, has not been realized. That is, when we see that happening, I think our country should stand up and get much more worried than they have. We tend to do exercises like that, see them as being extremely successful from the attacker's perspective, and then move on. [We don't seem to] really realize fully how to extrapolate that, and what the meaning is in terms of what resources we need to put up against the defense of these things.
Why should our audience really care about this issue? I mean, why should they not turn the television off immediately when this thing comes on, instead of saying, "Oh, God, another scary film about the vulnerabilities of this country." Why do you think that this issue is essential to deal with, is essential to not ignore at this point?
America's lifestyle depends on our computers. I think there is a lack of understanding within our society of the degree to which we depend on our computers. So that which we enjoy everyday, the ability to travel, the ability to make a phone call, the ability to use power in our houses, depends on these computers. The more one is educated in this area, those people, those scientists who think about this every day are very, very worried. So I think those who are out there who understand this better will become more concerned about it, and perhaps will stand up and insist on action by the government to do something about this problem before it has a significant impact on our society.
Do we get it yet? And does Washington get it?
I think Washington does not get it yet. I think Washington has an inkling that there is a problem here. I don't think they get the degree to which this is a problem. I don't think they get the damages which we can incur as a country, and I don't think they get the nature of what we have to do to solve this problem. That's the most urgent and important problem for us as citizens -- to help the nation's leadership get it.
If everybody got on board, and the money was there, and people were pushing in this direction to put the fixes in, how long is it going to take us to feel that we're pretty safe, that we've defended the infrastructure?
Given top priority and the amount of resources we think are necessary, which is in the billions of dollars, we'd say it would take about three years to develop a significant national defense capability in this area. That's why we think it's urgent, because the clock has started ticking at some point, probably before today. Developing an intact capability on this order is not much longer than that. So three years is not a long time, and we think we need to start now.
Who are you most worried about?
I think we're most worried about terrorist organizations who don't have a lot to lose by attacking us. I think nation-states like China have strategic interests and would likely pre-place assets, and have a capability against our country, but we'd be much less likely to use them, except in rather dire circumstances or in some lower level benign way. They wouldn't try to take apart our society as readily as a terrorist group who haven't much to lose by a major attack against this country.
Is this the future of war?
I believe so. I think the fight over soil will certainly continue, but the value in our society is increasingly in the information. This is where information is -- cyberspace is where the assets are. It's where the value is, and that's what warfare happens over. It happens over value, not over dirt.
Why is the government not acting?
I think there is a failure to act here for several reasons. One is there isn't a clear person in charge in Washington for this problem. I mean, Dick Clarke's position was one of an adviser to the president. He really didn't have authority to work this problem. This problem has people who have pieces of it across Washington. Twenty or so other different organizations and government agencies already have some stake in this, which makes it, in some sense, worse, because they all fight over who ought to do this, or in pieces that they don't want to do. So nobody is in charge, I think, is the first problem.
The second problem is the resource level to solve this problem is large, and there isn't a willingness to step up to the resource level and the kinds of things we have to do, which may slow the economy down somewhat. It may be somewhat painful for us to do some of these activities, like regulation. These are all hard pills to swallow, and I think that there is a belief within the government that the U.S. citizens wouldn't want to buy that, wouldn't want to do that. But I think part of the education process here is, as people understand it, they not only will want to do it, but they'll demand that it be done.
Before you can define the problems and define the solutions, do you have to fight for the attention of people in Washington?
Yes, because there's a lot of things in Washington that are requiring national leadership attention. There's an impending war with Iraq. There's the chemical warfare, biological warfare, terrorist threats in the physical world. So there's so many different things vying for their attention, and this possibility is not imminent in their minds.
I think there's also worry in Washington that to solve this problem might require us to develop sensor systems that might impede on privacy, and they feel that the citizens won't want that. The belief for the scientists in the community is that we, in fact, can develop these systems while being sensitive to privacy. Some of the signers of the letter to the president were privacy advocates. These are people who believed that we need to solve this problem, and believe we can do it without impinging on the rights of the people in the country.
But to do it, don't you actually have to sift through all communications, and all through networks, and sort of eavesdrop on people?
I don't think you have to eavesdrop on all communications. You certainly don't need to know all of the content of the communications. You need to look at key things that are going on within the networks. For example, you can look at simple network loadings and see spikes in the loads on the networks. You can look for patterns that would indicate a worm that's propagating, like Slammer, through the network. There's all sorts of things you can look at without actually having to look through the content of everything that gets communicated within our networks and within our telephone system.
What is the responsibility of an individual? I mean, how could they be involved in these scenarios, and what should they be wary of?
I think it would be sad for one to find out that one's computer was hijacked and used in an attack against one's country. So I think people ought to be worried about protecting their computers from being hijacked for the purposes of mounting these attacks. Everybody's computer is vulnerable to that. When you put a computer on the network, especially through things like cable modems, and always on connections, your computer becomes a target for the adversary to then use. Not that he wants to get the information off of your hard disk, but rather he wants to use your computer as a platform of attack, because he's going to find whatever vulnerabilities are on there.
So I think it's incumbent on people if they want to do something, to protect their computers by putting firewalls in front of them, by taking some of the measures that are recommended in the national strategy to prevent their computers from being part of the adversary's arsenal.
That is part of the big picture. You define the fact that it's individuals who really need to deal with it, and software companies, and the financial infrastructure. It's something that the government can't control themselves. So it is a difficult nut to crack.
The problem is that the front line of this war is not the U.S. territory boundaries. It's not where the military is used to defending us. It's in a place where we do business every day, where we do banking, where we do management of our power systems, where we do management of our transportation systems. This is not a place that we're familiar with defending. These are people who have a job to do every day. So we can't, for example, go nationalize it and put a bunch of officers in charge of these systems and have them run it, because, in fact, the best people qualified to run these systems are the people who are currently running them.
So you can't have a national plan to have the military parachute into our national infrastructure, and then all of a sudden we're OK. You have to pre-place defensive capabilities that have to be engineered over time with a lot of expense, and then have a thoughtful policy and a thoughtful strategy to actually use those mechanisms in the time of a cyber conflict.
Define for us this moment in history. Is this sort of akin to the late 1940s in the nuclear age? Are we sort of on the forefront of a complete foreign territory when it comes to the threats of warfare, of how nation-states will deal with each other?
Yes. Cyberspace doesn't have clear boundaries, so we're all connected to each other. That's a problem, and that's actually a disincentive for the large nation-states with a stake in the infrastructure to attack it. But it's also not very much of a disincentive for terrorist groups, for example, who don't have a large stake in the infrastructure. The information on our networks is the key asset, and it is the thing that people are going to be going after, and it's something that we're not used to. So I think it is a new form of warfare.
The other thing I would observe is that we have, as a society, interconnected our computers and become dependent on them far faster than we really ought to -- far faster than we really should depend on them. This vulnerability of terrorist attack is just one example. There's also failures that we are subject to that could really be devastating. So I think it is a new era, where we have to start consciously thinking about safety, vulnerability, security in the area of cyberspace, and how to construct cyberspace in a way that's safe.
Cyberspace, to date, has been constructed in an ad hoc way, where computer networks were sort of hooked together for research purposes, and then it became the Internet all of a sudden. I think the time will come very soon where we have to architect cyberspace, and there will have to be fire codes. There will have to be safety codes and security codes in the architecture specifications for them.
In a mere 10 years, have we become absolutely dependent upon a system that we still don't understand?
Yes. The systems are so complicated today that, even within a given sector, there is nobody who fully understands how our systems actually work. That's not a good thing.
How did 9/11 redefine the way we needed to look at the vulnerability?
I think 9/11 tells us that people will use our infrastructure against us. The other big lesson from 9/11 is that the damage level that we incur as a country is far, far greater than any one instance. So the damages of the destruction of two buildings in New York City is significant. It's a large amount of money. But the damages that came to our society as a result of grounding all of our airplanes, as a result of the suppression of travel, the cost of business of not traveling because of 9/11, the cost to our economy, was many, many times of the specific event.
So I think what we learn is that we are a very brittle society, and a society where these kind of costs amplify quite quickly.
The fact is that we're very interested in offensive use of this tactic -- what does that say? How much credence does that therefore to your argument that this is something that we had better beware of?
I think our interest in offensive capabilities suggests that it's a significant strategic tool in the arsenal. I think anybody who thinks about it for a very brief amount of time will realize that this is important. So, yes, that we consider this important, that we consider this a national capability with presidential authority to pull the trigger in some cases on some of these attacks, suggests that the attacks have strategic impacts on our potential adversaries to the United States. Any other country who has such strategic interests against us will have certainly thought about this and have certainly developed a capability.
Do your military types, military scientists look at these cyber weapons, cyber tactics, cyber warfare tactics as equivalent to weapons of mass destruction?
Some do. Cyber attacks can have very, very pervasive effects, in the same way that weapons of mass destruction can have pervasive effects. Some people have thought about them in that way. Some people have thought about them as surgical strike weapons, where you have a very, very narrow impact. Some people have thought about it as the opposite of sort of the neutron bomb, where you just destroy the infrastructure, but you don't hurt people, and that's another interesting weapon to have in our arsenal. So it's thought about in many different ways, because the tool and techniques have such a great variety of different ways of being used.