Computer crime investigator for the US Department of Defense.
. . . During the cold war, we knew who the bad guys were, and they had nuclear
weapons. There was a finite group, and there was a deterrent, because they
knew that if they attacked us, we would know that they attacked us and we would
attack them back. That's a significant deterrent. But now, anybody who goes
down to Best Buy or Radio Shack can buy a computer for two or three hundred
dollars, and they have internet connectivity. And these individuals can . . .
have a weapon of mass destruction sitting on their desk in their bedroom.
And you're learning that defending against such an attack is no little
thing?
Absolutely. And I don't think that the big machines of government are tooled
to address this yet. It's hard to make that adjustment quickly. There's
another big difference, and that's the commercial sector. The commercial
sector today, whether they like it or not, whether they want it or not, now
have a role in national security. If you take down an infrastructure, the
military, the intelligence community, and the economic security of a nation may
depend on a private sector infrastructure, which the government doesn't have
any control over securing.
Are we likely to see the growth of a private cyberpolice--Pinkertons of the
cyberworld protecting private corporate interests?
. . . I don't think you're going to find private sector cops out there. You
will find private sector security monitoring and securing. But once you have a
problem, you're probably going to have to call law enforcement. And law
enforcement is starting to gear up for that, at least at the federal level. We
still have a way to go at the local level here in the United States. . . .
What percentage would you put on the chance of an electronic Pearl Harbor,
or at least a cybercatastrophe?
I don't think it will be tomorrow, but I think it could be
tomorrow. I think that countries and traditional terrorist organizations
have not really adopted this doctrine yet. But it's only a matter of time. .
. . When the new generation of leadership in terrorist organizations and
nation-states moves into positions where they can affect things, I think you
will find that that's going to eventually happen to us.
And you're convinced of that?
Absolutely.
Chief of the Justice Department's Computer Crime and Intellectual Property
Section.
. . . The [Department of Defense] . . . tests the security of its own network
by "red teaming" or "tiger teaming" it. Industry is increasingly doing this as
well. They have hackers--good hackers who follow the rules--trying to hack into
their own networks. . . . One pretty steady figure is that they're able, over
the course of a week, to get into about 88 percent of them. And keep in mind
that, in doing this, DOD is not writing elaborate hacker code. . . . They're
not diving through dumpsters looking through phonebooks. They are using tools,
hacking tools, which are accessible from the Net--garden variety, nothing
exotic. And they have been able, over some span of years, to get in about 88
percent of the time.
Once they get in, they watch to see what percentage of the system
administrators know they're there. That number has varied over the years, but
my understanding is it is quite low--something on the order of three or four or
five percent of system administrators know that the system has been penetrated.
Of the system administrators who know that the system has been violated,
something like 25 percent of those report it up their chain to a law
enforcement agency. So if you do the math, if those numbers are accurate at all
and if we can extrapolate from them, every reported intrusion within DOD
represents something like 150 unreported intrusions. . . .
We keep hearing Osama bin Laden's name mentioned in the context of hacking
and vulnerability to international terrorism. Is this real?
It is real. It's a rational concern. Look at how easy it is for people who are
not tremendously skillful and don't have a lot of resources to affect our
communications networks, to steal information, to get root control, to shut
things down. It doesn't take a great intuitive leap to assume that this could
be employed for other purposes. . . .
Chief Executive Officer & Co-Founder of iDefense, a
private agency specializing in information intelligence
How has the digital age changed the nature of global conflict?
What's been happening for the last few years is a migration from the
terrestrial to the virtual. . . . In the same way that we've had down the
centuries, terrestrially, the seeds of conflict--power, money, political
influence, territory and so on--they're all being replicated in the virtual
space. And with it, conflict is migrating too. The significant difference
though, is that down the years, it's been soldier, sailor and the marine that's
been in the front lines. That's true to some extent still; you'll still have
Bosnia, you'll still have Somalia, Rwanda and so on. They're different types
of conflicts, but still very serious. In the virtual space, it's going
to be the private sector, as well as government, that is going to be in the
front line. It's the soft underbelly. That's where you attack because you get
maximum leverage, more bangs for your buck. That's a different paradigm from
any one that's been before. It's not simply a matter of the CIA or the NSA
defending the government, or intelligence agencies serving governments around
the world.  It needs to be done differently. . . .
What you see being replicated is all the problems that existed terrestrially.
You've got vandals, you've got organized crime, you've got extensive economic
espionage, you've got 30 nation-states with very aggressive offensive
information warfare programs. So you're seeing all the stuff that we had
before. But it's also very different, because you and I can go into our local
computer store and buy what is essentially an immensely powerful weapon: the
computer. And you can load that weapon with very powerful bullets, which are
hacks downloaded from the web, and you can fire that weapon at pretty much
anybody you choose. . . .
Historically, it's been governments that have invested in some new gizmo or
other. . . . Now you and I have control. That's a huge shift. And it's a
shift that governments are ill equipped to deal with, because it's a
fundamental change in how you look at national security, what you look at as
defense and offense. And the world in which we are currently living in, this
kind of different environment, is essentially a world of chaos. There is no
arms control. There are no mechanisms by which we can produce order out of
chaos--not yet.  There will be, in time, but there isn't at the moment.  So
it's a sort of free-for-all in the virtual space. . . .
It's a very different world, and we're only just beginning to see the
dimensions of it. And nobody yet has a true handle on the threat, the
opportunity, what is effective defense, what can we do to create an effective
offense. Nobody has got that yet. But we're getting a picture, even though
it's a little blurred.
But what are we defending against here?
. . . For example, when I was in Moscow a couple of years ago, it was very
clear to me, from talking to the senior people in the scientific and
intelligence communities, that they already feel they're at war. They are
convinced that they are engaged in the next world war, that it is happening in
cyberspace, and that they're losing. They're very active in the area, but they
think that America has a very significant advantage, which is why the Russians
have come up with two proposals for arms control agreements in cyberspace.
Well, they haven't got much of a reception for that, because America and its
allies think that we're winning the war, so why should we have a treaty? . . .
Given the fact that the United States is so far ahead of everybody else, are
we looking at a whole new era of American imperialism?
Well, I think that there is both a yes and a no.  America is the most
advanced technology country in the world, no question. It is also the most
vulnerable, because we are so connected. The capabilities that currently
exist to wage information warfare, to attack a system, to destroy a network, to
turn off a city or devastate a country are around.
The problem is, America is a huge and largely inert bureaucracy. I can attack
a nation that I know is attacking me today--Russia, for example. I know that
they have created significant damage to me. Now, can I retaliate? Do I have
the capability? Yes. Can I do it? Well, that depends. You need legal
sign-off. Is it an act of war or is it aggression or can you allow it? Is it
a breach of a convention?  Will the politicians bear that?  Can you actually
convincingly supply the evidence? And on and on and on and on.
Now, if I am a market-state, as CEO, I can arbitrarily take decisions. If I am
a small nation-state, a dictatorship if you like, that creates a very
different dynamic. It's not a question of my needing to have ten tank
divisions to have any impact at all. I just need a couple of smart guys with a
really cool computer who understand how to do stuff. I can achieve an awful
lot more with very little, provided I'm flexible and dynamic.
I could argue that you can achieve all that because you're not hamstrung by
values like democracy and accountability.
Absolutely. Of course, that's true. . . .
Are we heading to a whole new realm of dictatorship?
We're looking at a change in the dynamic. The influence of the nation-state is
absolutely declining. Nobody argues that. The influence of the market-state,
the big global companies, is rising very powerfully. Many of them are more
powerful than nations, in fact. . . . So the challenge for the nation-state is
to continue to remain relevant. . . .
Why is the ability of government, of the traditional nation-state, falling
so far behind the new market-state in terms of delivering value?
Because the nation-states, as they should in a democracy, slowly evolve. They
take pressure and they absorb pressure and then they bring out change in a slow
and well-paced way. That's a great strength in a democracy. This is a
revolutionary environment, however. And the pace of change is enormous.
We've all seen it--how many new chips do we get each year for our computer,
how many new PDAs or Palm Pilots have we seen emerge in the last 12
months? The pace is enormous. And it's going to continue in this way,
everybody seems to agree, for as far as one can see. . . . What can
government do to move at that kind of pace? . . .
Governments can always do something. The question is, can they do something
fast enough? And if you look at the way the process is currently working, you
have to agree that the pace of change is not matching the challenge. . . . All
I have done my whole life is cover war and its consequences.  All of the seeds
of war are here: tremendous conflict and tension in society; the growth of the
disenfranchised; all the things that you can see as points of potential
conflict are around. And yet, governments, because they're largely inert, are
treating business as if it's business as usual. Well, it very definitely is
not. And it's a big concern, frankly, because I think democracy is going to
find it very hard to adapt to these kind of very fundamental changes that are
occurring. And most political leaders have no idea--none--because they're out
of touch with the people. . . .
Former Chief of the National Infrastructure Protection Center
It's sort of an image of our times--a 16-year-old geek in his bedroom
hacking away and inviting the wrath of the state on him. It doesn't
necessarily look well upon the FBI, ultimately, that you're running around
knocking on the doors of teenagers all over the world.
We investigate crimes that are reported to us. And when we follow the trail
back, we will act appropriately, regardless of the age or the location of the
perpetrator. And so I think the image has been somewhat misleading to people,
because it suggests that this problem is really one of individual young
hackers. In fact, we are focused on a much more worrisome part of this
problem. We are really much more concerned about some of the organized threats
from foreign countries engaged in intelligence gathering, or preparation for
information warfare from terrorist organizations. They will use these tools to
commit violent acts against critical infrastructure systems, and organized
crime groups, who really want to steal money or valuable information.
. . . But I guess the problem the public is still having is that there
hasn't been a terrorist incident as far as we know. Other than Phonemasters,
there hasn't really been a successful organized crime bust in
cyberspace.
I think we just recently had a very good example that disproves that notion.
We've had two subjects from Kazakhstan who were engaged in an intrusion and
extortion plot against Bloomberg LP. And that case was successfully
investigated because of close cooperation between the FBI and authorities in
both the United Kingdom and Kazakhstan. That case involves a number of
subjects, who are engaged in a traditional organized crime
activity--extortion--but they carried out through cyber means. So I differ
strongly with the notion that we haven't had successful organized crime
investigations. We've had quite a few.
When you look at the internet and at the interconnectivity of the world,
what is your greatest fear?
My greatest fear is that the level of vulnerability is still so high that we
are really open to a devastating attack on a broad scale against the computer
networks that run vital systems, such as our electrical power systems,
government operations, the banking and finance system. . . . And another
significant challenge for us is dealing with espionage. The "Cuckoo's Egg"
case, which involved the KGB hiring hackers to break into U.S. Defense
Department systems, is now a 14-year-old case. I think if hostile intelligence
services were engaged in that sort of activity 14 years ago, it doesn't take a
great leap of the imagination to imagine what some of those sorts of
intelligence services might be doing or planning to do today. . . .
What does the future hold? Can we fix this problem?
I think we can fix the problem. I think that, in the near term, we might see
the problem get worse before it gets better. There's a power curve, and right
now security is behind the power curve, because it takes some time for good
security products to be put out there and integrated into networks and
operating systems. And I think we need to make sure that the government has
the resources in place to investigate crimes and, more importantly, to get
information and get warnings out to try to prevent crime before it
happens. That's really our number one consideration. But I think we will see
an increase in the number of crimes being committed on the internet before good
security is ubiquitous.
That raises the process of private police or Pinkertons of cyberspace.
There's a huge growth in private security companies. There must be a
temptation among them to just go and take action, whatever action, themselves.
Does that concern you?
. . . What's most important is that, as people get into the security business,
that they realize that this is not an area where the private sector can go it
alone. If we're going to deter people from engaging in computer crime, we have
to have an effective law enforcement response. That means that victims really
need to report to law enforcement so that we can catch the bad guys, punish
them appropriately, and deter other would-be bad guys from engaging in the same
sort of activity.
Some critics say that government just can't move fast enough, that it's a big
bureaucracy, that it's a huge infrastructure in and of itself. They say that
it just isn't going to be able to keep up with the crime.
Well, there are certainly challenges to bringing the government around to deal
with this sort of fast-evolving environment. But look at the track record that
we've established in the two and a half years since the NIPC was founded. We
have created a program in the FBI and for the federal government as a whole
that is now capable of investigating some very complex international
investigations. And I think the speed with which we are able to investigate
things such as the "Melissa" virus, the "I Love You" virus, the distributed
denial of service attacks, the Bloomberg extortion, the Curador case and on and
on and on shows that we've made a tremendous amount of progress in a very short
time.
But we can't sit on our hands or rest on our laurels, because the problem
continues to grow. And it's imperative that the executive branch of government
and the Congress realize that we need to keep making progress, that we need to
put more resources into this area to make sure that we can stay at the cutting
edge.
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright WGBH educational foundation