WATCHSCHEDULETOPICSABOUT FRONTLINESHOPTEACHER CENTER
Cyber War!
homeinterviewsvulnerabilitieswarningsdiscussionblank

vulnerabilities: how real is the threat

Many authorities on national defense and the Internet are warning that the critical infrastructure of the U.S. -- including electrical power, finance, telecommunications, health care, transportation, water, defense, and the Internet -- is highly vulnerable to cyber attack. How imminent is such a threat? And how prepared are we? Here are excerpts from interviews with Richard Clarke, former White House adviser on cyberspace security; Amit Yoran of Symantec; O. Sami Saydjari of Cyber Defense Agency; former FBI security expert Ron Dick; James Lewis of the Center for Strategic and International Studies; John Arquilla of the Naval Postgraduate School; former Deputy Secretary of Defense John Hamre; and Scott Charney of Microsoft.

photo of yoran

Amit Yoran
Vice President, Managed Security Services Operations, Symantec Corp.

read the full interview

It's almost like the adoption of air power. There are some very forward-thinking people that understand the capabilities [needed for launching a damaging attack] and what might be able to occur down the road. But they're very few and far between and different countries and different infrastructures have increasing or decreasing levels of vulnerability depending on what their infrastructure looks like.

So, there's little doubt in my mind that years from now that this will be a primary method of attack, a primary theater of operations, if you will. But I don't think we're there yet.

photo of clarke

richard clarke
Presidential Adviser for Cyberspace Security (2001-2003)

read the full interview

We have what we call red teams. They're hackers that are employed by the government to hack into government systems with the knowledge and permission of the owners of the government systems. Every time the red team has attempted to hack into a sensitive government computer, the red team has succeeded. Not only has it gotten in, but it's gained total control of the networks involved, without the people who own or operate those networks in the government even knowing that it happened. Every single time. And the red team only uses hacking techniques that are available to the public on the Internet.

Yes, I think we're vulnerable. We don't use our red teams to attack privately-owned companies like electric power grids, but we do encourage privately-owned companies to go out and get private companies that have red teams to attack them. My information is that when private companies ask for security audits like that, the same thing happens that's happened in the government. The bad guy gets in, takes control of the system and the people running the system don't even know it happened. ...

It doesn't matter whether the attacker looks like bin Laden or looks like a Cali cartel member from Colombia, or the attacker looks like the girl next door. What matters is that the attacker can succeed, because our defenses are so weak. That's where the focus has to be -- not on who is going to do it, but the fact that they can do it -- until we find the vulnerabilities in cyberspace and fix them.

We've been going around trying to find the vulnerabilities. In the last two years the number of reported vulnerabilities in cyberspace has doubled every year [as] reported to the Carnegie Mellon computer center.

Some day someone will use those vulnerabilities to do great economic damage to the United States, or to slow and degrade our military response to a crisis. Let's say we have to rush U.S. forces to Korea, and the American buildup is slowed down because the trains that have to take our troops and equipment to port are all confused, because someone has gotten into the computer control system for the trains. Or, when the supplies for our American troops show up at the front line and they open the boxes and instead of it being ammunition, it's sneakers, because someone has gotten into the unclassified logistic system of the Pentagon and changed all the orders.

Yes, in the future, in a war, we could have our military capability degraded by cyber attack. In the future, an enemy group, foreigners or Americans, criminals or terrorists, could hurt our economy by shutting down or causing confusion to the systems. Just as we had the disruption of the anthrax attacks and the disruption of the sniper here in Washington, we could have a steady stream of cyber disruptions that could occur throughout the country.

No, it's not going to cause 3,000 deaths in an hour, but it could be part of an otherwise large terrorist attack and make it worse. It could be directed at the economy and have as great a financial effect as the 9/11 attacks, and it could make it harder for our military to win on the battlefield in a future conflict.

photo of saydjari

o. sami saydjari
President, Cyber Defense Agency

read the full interview

The number of probes we're detecting is going up significantly. And more importantly, the number of stealthy probes has gone up. We have just deployed some technology ... that can see what are called "low and slow probes" that come in over a long, long period of time, and they're intentionally trying to be hidden. There are on the order of 100 to 1,000 times more probes than we actually see if you start turning on these anti-stealth kind of detectors.

These aren't your average, everyday hackers. ... I think they would be adversaries who are interested in doing reconnaissance without tipping their hand that they're doing reconnaissance in our networks.

Why are they doing it?

To prepare for attack, or to prepare for getting information out of our systems to understand our vulnerabilities. That's why you're probing scan networks.

Can we tell how far into their probes or their reconnaissance they are?

Very difficult to tell. You can kind of look what they're probing on and see. We have some technologies called honeypots, for example, which [are] fake systems. They're systems that are out there that really don't have a lot of content, but they have some keywords that may look interesting, and they're full-blown systems, and we can kind of see where they're trying to head within those systems and get indications from those.

So you sort of basically stick out a honeypot and wait for the bees to come, and try to figure out who the bees are?

Correct. Our sensor capability in this area is extremely weak. And we're seeing a lot with the sensors that we do have, which are not very capable. And with the new sensors that are being developed we're seeing a heck of a lot more. We don't what we don't know, and there's probably a lot of reconnaissance that's going on that we just don't have the capability to see yet.

photo of lewis

james lewis
Center for Strategic and International Studies

read the full interview

One of the things I ask myself is, "If I was a terrorist, what would I want to do," because I have specific goals as a terrorist. ...

And the answer in most cases is, when I look at the portfolio of weapons and attacks I have, cyber's at the bottom. I'd much rather use an explosive. We know that weapons of mass destruction, bioweapons, or germ warfare are much more likely to induce panic in a population than is a cyber attack. You could shut down the Internet, and it's quite possible no one would notice for a couple days. So I don't think terrorists are out there thinking about this. ...

Then why all the hubbub? Why all the very distinguished people who say this is a problem.

One thing that I would say is that a lot of the people who think about the seriousness of cyber warfare tend to be computer people. And what you need to do is you need to get more national security people, more military people thinking about it -- people whose job is to win wars or to defend the nation, not whose job is to administer computer networks. So you've got to broaden the debate. ...

And we still need to do the research. People assert vulnerability. They say, "I did an exercise. Here's a hypothetical situation." I want to get to the nuts and bolts. I want to say, "Show me the attack. Show me the vulnerability. Trace for me the line from the guy sitting in front of his keyboard all the way to the floodgate on the dam. Show me the links." You'd be shocked to discover how infrequently we have done that. And that's what we need to do. And then we'll get a better assessment of how real this threat is. ...

photo of dick

ron dick
FBI, National Infrastructure Protection Center (2001-2002)

read the full interview

Do I put cyber warfare, cyber espionage, cyber terrorism, if you will, which is a term of art lately, in the same level as the events that happened on Sept. 11? No, I don't. However, the thing that we have not seen yet and the thing that keeps me awake at night is the physical attack on a U.S. infrastructure which is combined with a cyber attack which disrupts the ability of first responders to access 911 systems, that disrupts our power grids such that, again, first responders can't respond to an incident. ...

Are we prepared to the extent that we need to be as a nation or as a world? No. There are tremendous amounts of vulnerabilities that are still out there. The company I work for now, Computer Sciences Corporation, has a team of people that do what we call red teaming, where we actually go out and have a look at what are the vulnerabilities in the systems, attack those vulnerabilities and see if we can intrude. Even though these companies that have hired us know that we're coming, we have always been successful ...

Is the private sector secure enough? No. Can we respond in a fashion that minimizes the impact of that? I believe we can. In Code Red and Slammer and a number of these, the Internet was slowed and the response times were dramatically reduced, but we've never had it shut down. Was that a concern for Dick Clarke and myself and other people in the department? It absolutely was. But the technology is robust enough that, so far, the Internet has been able to sustain this kind of attack. Does that mean it will always happen? I don't know. Hasn't happened yet. But it's one of the things we're very concerned about.

photo of arquilla

John Arquilla
Naval Postgraduate School

read the full interview

I think there is a line, if I may talk about this debate between the two sides. It's the one that says there's no threat, and the one that says there's a terrible threat. I think the real answer is, like in almost any debate on any serious issue, the truth lies in between.

The potential threat of cyber attack I believe is very high. I think existing hacker activities, the amount of damage that could be done but isn't, and the increasing dependence not only of our armed forces, but society in general and information systems suggests a great and growing vulnerability to disruption.

At the same time, the lack of physical attacks of a very serious nature on the system suggests that we aren't at a point yet where this threat is imminent, is immediately upon us. And so I think that we have to look at this as a situation where we have warning of something that's coming. We have to think about how to prepare for it now, and have to consider the various policies which if enacted -- whatever the merits of the debate, we can enact policies now that will protect us against this problem if it is going to become something serious, and we can do so in a way that's not terribly costly. In part, the strong encryption solution is one that people should be doing anyway, and would mitigate this problem very, very seriously. ...

There's an analogy to the Vietnam War that I think is useful here. Ninety percent of the firefights in the Vietnam War were started by the Viet Cong or the North Vietnamese Army. They could choose when and where to attack, and they knew the moment they did this, that they would soon come under American attack from artillery, from aircraft, and from reinforcements being brought in by helicopter. I think the skillful hackers are like the Viet Cong. They know that they have a short period in which they will hold the advantage, and then they must disengage. And so we have to watch out for those kind of tactics.

I think we also in the future we have to worry about the possibility of a campaign approach being taken by the cyber attackers in which they mount several attacks over a period of hours, or perhaps over days. Think about, for example, a Nimda virus, something like that, that would be deployed once a week for three months. Think about the economic impact of something like that. ...

Another analogy that you talk and write about is how akin to the rise of air power 80 years ago this is.

When I think about cyberspace-based warfare, I think about air power. Eighty years ago the great theorists of air power thought about having the ability to attack another society from the air without having the engage their armies or fleets first. And cyber warfare has some of those elements too. You don't have to engage in military. In fact, you don't even need a military in order to engage in this fashion. So it is a form of strategic bombardment. ...

I take heart from the notion that in the eight decades or so of strategic aerial bombardment, their campaigns have almost never worked. And it says to me that cyber bombardment campaigns are probably not likely to work either.

Now, both physical bombing and cyber bombing will have great costs associated with them, but I don't think a people will fold under that kind of pressure. So, for me, the real meaning of cyber warfare is on the battlefield. Much as aircraft which couldn't break societies with bombardment transformed 20th century warfare, I think cyber attacks will transform 21st century warfare, as militaries which are highly dependent on secure information systems will be absolutely crippled. Just as if they didn't have aircraft above to protect them in the 20th century, if they don't have good cyber defenses within in the 21st, they'll be absolutely helpless. ...

photo of hamre

John Hamre
Deputy Secretary of Defense (1997-1999)

read the full interview

I think cyber terrorism is a theoretical possibility. It's a real prospect for some countries where harassment is more of a problem. But will cyber terrorism be like Sept. 11? No, I don't think so, not right now.

Why?

Terrorists are after the shock effect of their actions and it's very hard to see the shock effect when you can't get your ATM machine to give you $20 dollars. When we had this last worm, or whatever it was -- I went down to the bank, tried to get money out of the ATM machine. I couldn't get any money out. Well, it was frustrating to me personally, but it doesn't translate in the same way that flying an airplane into a building does.

Now if it's possible, for example, to have rolling blackouts in entire cities, that, of course, does have more potential implications. That was much more likely four and five years ago, but in all honesty, I think we've done a lot to warn ourselves about this.

If there is going to be a cyber terrorism event, it's really, in my view, going to be used to try to amplify the effect of the primary attack, which is going to be physical. The same will be said for cyber warfare. ...

That means I think the larger political security environment is an important indication about are we under attack or not. I mean the hardest thing about cyber disruption is, you know, how do you distinguish intentional attack from failure, your systems breaking down? Because that then triggers your ability to provide preventive and protective measures. I think that theorizing what's possible, a country that sees itself on the edge of warfare with us would to augment whatever capacities they could to make it more difficult for us to put our forces in the field. That could very well be cyber efforts.

But let me just say something, if I could, about the difficulty of that. Cyberspace is constantly changing. So what we don't tend to fully appreciate, I think, is how much more complicated it is to do what the military calls is terrain analysis. You know, what is the terrain like where I have to march my forces and attack the opponent? Terrain analysis in cyberspace is very difficult. It's complicated. It's hard to know which computer is doing really important things and which one is sitting there, you know, doing Freecell in the afternoon. Who is really operating that computer terminal, and is it really John Hamre, or does it turn out it's John Hamre's secretary who's operating that computer? This is all very hard to figure out remotely. And so if you want absolute predictable results, it's hard to do in cyberspace, because the environment changes so dramatically. That's another reason why I think that if there is cyber disruption, it's going to be ancillary to a physical attack. It's not going to be directly.

Some will argue that ... if your intention is to hurt and psychologically hit us, [cyber attackers] will do anything they want. So in some ways, the argument is that it actually fits the mold of what they want to do.

Well, I think that's right. But they're after predictable shock effect more than anything. And you just have to ask yourself: If they truly could turn off all the lights in New York City, that would be pretty shocking, but is that a likely thing that they could do? My personal sense is that it is theoretically possible at the hands of very skilled hackers, very skilled hackers. It's certainly more likely, but it is a very hard thing to do, to break in. And we, I believe, are making changes as we go along. We're not sitting still. We're not sitting as dumb and innocent as we were five years ago when we did Eligible Receiver. ...

photo of charney

scott charney
Chief Security Strategist, Microsoft Corp.

read the full interview

I think it's important to understand that historically we have not seen cyber terrorism attacks. And, I think, there may be some reasons for that. First and foremost, it's not as easy to take down the Internet as some might believe. There's a lot of redundancy, there's a lot of resiliency in the system. The second thing is you have to think about the motives of the attacker. An attack on the Internet will not yield the kind of graphic pictures that you saw, for example, on 9/11.

And the other thing to remember, of course, is that when you attack the Internet, a lot of the harm so far has been economic. And the economy has absorbed a lot of that harm, and it's actually reconstituted itself fairly quickly. So, the question is this really a good target for terrorist activity? I think most of us in the field are more concerned that someone would have a targeted terrorist attack coordinated with a physical attack.

When I think about the various threats we face, I think that certain threats like bio-terrorism, or nuclear weapon, is a more severe threat and will do much more harm than a cyber attack. Having said that, we're capable of defending against multiple threats, and we have to take the cyber threat seriously too.

 

 

home :introduction : interviews : experts' answers : faqs : vulnerabilities : warnings?
discussion : readings & links : maps : producer's chat
tapes & transcripts : press reaction : credits : privacy policy
FRONTLINE : wgbh : pbsi

published apr. 24, 2003

background photograph copyright © photodisc
web site copyright WGBH educational foundation

 

 
SUPPORT PROVIDED BY