April 21, 1997
THE DAILY FED
A high-powered Pentagon advisory group warns that America's tightly interconnected computer systems are so vulnerable that the nation may one day face "an electronic Pearl Harbor."
By Graeme Browning, National Journal
A bell marking the opening of business sounds on the cavernous trading floor of the New York Stock Exchange. It is Feb. 4, 2006, a decade after the White House sent the aircraft carrier Nimitz into the Strait of Taiwan, infuriating China, which had been firing missiles at Taipei.
As traders reach for their phones, all of the computer screens in the Exchange suddenly go blank. Simultaneously, in Detroit, a mysterious power outage brings auto assembly lines to a halt. On the West Coast, a chartered jet carrying the Labor Secretary and several hundred American business executives back from a trip to Taiwan smashes into a 737 on the runway at Los Angeles Airport; landing coordinates the pilot had received from computers in the LAX control tower had been tampered with.
Meanwhile, the commander of a Marine Corps base in Japan hears angry voices outside his office. Once again, trouble is brewing over Taiwan. Washington has just ordered him to put his troops on alert because Chinese army troops are massing across the Strait. A few hours earlier, electronic thieves cleaned out the U.S. bank accounts of all the marines in Japan, and now the troops are frantically taking calls from spouses back home.
Sound improbable? Sure it does. But to a growing number of Pentagon strategists and other federal security experts, a cyberspace-based scenario like this may be the face of battle in the 21st century. Many of the combatants in this potentially deadly new form of guerrilla warfare would be armed with no more than personal computers and modems. And they could be two continents away from their intended targets.
Waging the domestic version of what security experts call "infowar" means applying computer viruses, hidden codes, data-destroying software programs and other electronic mechanisms that could, among other things, halt the operations of electric power grids, natural gas pipelines, railroad switching facilities and air traffic control systems. Infowarriors could also scramble the software used by banks, hospitals and emergency services, and break down telephone and other telecommunications networks.
In January, a high-powered Pentagon advisory group--a task force of the Defense Science Board--issued an urgent report warning that the nation's computer systems are so vulnerable to malicious assaults that the country may one day face "an electronic Pearl Harbor."
The report recommends that the Defense Department spend $3 billion over the next five years to strengthen its telecommunications and computer systems, and establish centers at the National Security Agency (NSA) and the Defense Information Systems Agency to study the potential causes of and responses to information warfare.
Another report is being prepared by a government-industry group called the President's Commission on Critical Infrastructure Protection. Created last fall, the commission--which is headed by Robert T. Marsh, a retired Air Force general and former chairman of the board of Thiokol Corp.--was supposed to issue its findings by midyear. Ten federal agencies with potential interests in the subject were entitled to have two members each on the commission. But because some agencies picked only one person and because so many private experts declined to participate--they didn't want to leave their businesses for a year, as required--the panel will finish its work with 15 members, instead of the 22 envisioned in the executive order. The panel's deadline was recently extended to early October.
A THREAT THAT'S VERY REAL
Launching a cyberspace-based assault doesn't necessarily mean using nefarious techniques to "hack," or penetrate without permission, a computer system. In fact, many of the digital tools in a cyber-terrorist's arsenal are simply everyday devices, expressed in the 0's and 1's of computer language, that make a computer network like the Internet such a marvel of communications.
In the hypothetical assault described at the beginning of this article, for example, the Stock Exchange's computers might be put out of action by an "electronic-mail bomb." First the attacker would break into the system of a company--an Internet service provider--that manages the links between the Exchange and the Internet. The attacker would tinker with the service provider's computers so that they routed millions of E-mail messages--which the attacker would generate from his own computer--to the Exchange. If the flood of false E-mail is large enough, the Exchange's Internet connection--and possibly its own computer--would become overloaded and shut itself down.
Shutting off Detroit's power might be a simple matter of guessing (with a little electronic help) the password needed to enter the local electric company's computer system and then commanding it to flip the city's "off" switch. Password "dictionaries," which generate hundreds of possible words or combinations of letters, are easily obtainable; the attacker would simply dial in the power company's system and run the dictionary program until it chanced upon the right code.
Infowarriors might also break into the air traffic control system by "hijacking" a password. How? Maybe by waiting for someone who's manning a computer station to, say, get up for a cup of coffee without exiting the program he's working on and turning off his machine. This is a favorite among students at colleges that operate huge, multiuser systems. Once inside a system, a skilled hacker can control it.
And the cleaning out of bank accounts? A "logic bomb"--a program hidden within a computer and set to activate at some point in the future, destroying designated files--might do the trick. So might a "data-service" attack. That involves convincing a computer network to share its information with an intruder's computer. If the network isn't protected by some form of computer security, there is no way to prevent a machine outside the network from requesting and receiving data.
Some infowar specialists would include other forms of digitized assault under the rubric "information warfare." In addition to attacking the inner workings of computers, for example, infowar could also mean the use of information technology on the battlefield or the use of microwaves to block wireless data transmissions, some experts say.
The NSA, the federal agency that concentrates on (among other hyperclassified matters) the use of information technology, focuses more on the danger that renegades with computers pose to America's national security apparatus. The agency estimates that more than 120 countries now have "computer attack capabilities" for attempting to seize control of Pentagon computers in a way that would "seriously degrade the nation's ability to deploy and sustain military forces," the General Accounting Office noted in a 1996 report.
According to the gloomiest of infowar theories, all computer systems are vulnerable to attack. And a challenge facing the people in charge of potential targets is deciding whether a glitch in a computer system means that somebody somewhere innocently pushed the wrong button or that the first shot has been fired in a cyberspace attack, Clinton D. Brooks, an adviser to NSA director Kenneth A. Minihan, said in a rare interview.
"We certainly don't want to defend at the national federal level against something that's just an accident," he said. "What we need is some sort of national centralized recording, monitoring and assessment center. . . . We need to know what's normal behavior [in cyberspace]. How many real accidents happen out there? How many different incidents [that resemble infowar] normally occur?"
Such a statement, coming from the top level of the highly secretive NSA, indicates the alarm with which the U.S. defense and intelligence communities view the prospect of electronic warfare.
In an appendix to its January report, the Defense Science Board task force cites a variety of computer-related incidents occurring since the late 1980s that, some members of the task force maintain, prove that the threat of infowar is very real. These incidents include the 1989 placement of logic bombs in public telephone network switches in Atlanta, Denver and Newark, the 1995 theft of 60,000 telephone calling card numbers by a technician and the attack an organized crime ring based in Russia made against Citibank's computers in 1994 that resulted in the theft of almost $12 million.
Other attacks have targeted U.S. research and defense facilities. In the months leading up to the Persian Gulf war, for example, a group of teenagers from the Netherlands "hacked" computer files at 34 American military sites on the Internet and electronically siphoned off such information as the exact locations of U.S. troops and the types of weapons they had, according to the task force report.
By browsing through the sites' computerized directories, reading E-mail and copying data, the teenagers also gleaned information about the capabilities of the Patriot missile and the movement of American warships in the Gulf region. When they were done, they modified the computer systems' logs to cover their traces. Late last month, Eugene Schultz, former head of computer security at the Energy Department, told the BBC that during the Gulf conflict the hackers tried to sell their pilfered information to Iraq. The generals in Baghdad backed off, fearing a trap, Schultz said.
More recently, a 19-year-old Londoner named Richard Pryce broke into the computer files of an Air Force research facility in Rome, N.Y., more than 150 times in 1994. Pryce, who American intelligence officers said had caused "more harm than the KGB," was convicted of making an unauthorized entry in a London court and fined the equivalent of $2,400.
The Science Board unit's report also lists 10 countries--Russia, China, North Korea, Iraq, Iran, India, Egypt, Cuba, Libya and Syria--ranked according to their progress in developing 15 categories of technologies to support infowar, including such fields as "psychological operations," "deception," "electronic warfare" and "lethal destruction."
Russia, for example, is said to have technology equal to the best the United States has to offer in seven categories, and "average or good" capabilities in four others. In only four categories, the report says, does Russia fail to measure up to the United States.
China and North Korea are reported to be on a par with the United States in three categories, but Iran, Egypt, Cuba, Libya and Syria appear to be out of the game for the time being.
TARGETING PUBLIC SERVICES
It's more difficult to pin down the threat to the private sector and to the U.S. economy in general, security experts acknowledge.
The United States has more computer expertise within its borders than any other country in the world. And so on any given day, the wires are humming with data being passed back and forth not only between corporations or organizations within a given industry, but also along the Internet, which uses telephone lines.
So far, even the cleverest of hackers have yet to successfully target an electric power grid for disruption or lob E-mail bombs at a regional telephone network. But just because a full-scale domestic cyberspace attack hasn't happened yet doesn't mean that it can't happen, some security experts say.
Because so many computer systems are so interconnected, well-timed assaults on only a few of these systems could disrupt the lives of millions of Americans, suggests Ross Stapleton-Grey, a former CIA analyst who is now president of Tele-Diplomacy Inc., an Arlington (Va.)-based consulting firm.
"In a non-hyper-wired world, technological failures are OK," he said in an interview. "But if we have a string of calamities such as the 1991 AT&T switch failure that caused traffic control systems at airports all along the East Coast to go down, that can lead to a major disaster."
The President's commission was formed to head off just such disasters. The executive order that established the panel warns that "certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States."
Marsh isn't persuaded by the argument that cyberattacks won't happen in the future because they haven't happened in the past. "In this tough world, if we have exposed vulnerabilities in any of our vital systems . . . any prudent person would conclude that we ought to plug up the holes and not invite outsiders in to cause harm," he said.
Recent events overseas show that some terrorists already have plans for targeting basic public services, Marsh and other security experts say. Last July, for example, Scotland Yard said it had foiled an Irish Republican Army plot to bomb natural gas, water and power installations in London.
American businesses have become dependent on information technology, and some industries couldn't operate without using computers. With terrorism, hacker mischief and computer attacks by organized crime all on the rise, Marsh said, "we face a looming problem of serious proportions that needs to be addressed."
Infowar specialists who concentrate on the home front, however, also have trouble distinguishing between hacking activities that merely annoy and cyber- attacks intended to do serious harm.
Winn Schwartau, a Seminole (Fla.)-based security consultant, applies the term primarily to electronic attacks on computer networks. He has labeled as infowar everything from recent defacing of Web sites operated by the National Aeronautics and Space Administration and the Justice Department to three incidents in January 1993 involving hackers who reportedly extorted huge ransoms from British banks and brokerage houses in return for not crashing the financial institutions' computer systems.
"I don't like to use the term `infowar,' but it gets the executives' attention," Ron Skelton, an engineer with the Palo Alto (Calif.)-headquartered Electronic Power Research Institute, said at a mid-March conference of computer programmers in San Francisco. "The bottom line is this: The American public really wants hot showers, warm bedrooms and cold beer. And if they don't get it, the government will hear about it."
Marsh reiterated this point later in the conference. "As you know, the Internet contains hacker sites with complete instructions on how to do the job [of launching cyber-attacks]," he said. "Our infrastructures are constantly in danger from people intent on penetrating and disrupting them. And all these people need are a personal computer and a modem."
WHEN "SATAN" CAUSED A PANIC
Not everybody buys the notion that cyberwar is just around the corner. True, the report by the Defense Science Board task force notes that "there really is a smoking gun." But not everybody who looked saw the gun or the smoke; the report notes that the opinions in the document don't reflect the views of all participants in the study.
And many specialists--often quick to bristle whenever the government weighs the need for controls on the uses and occasional misuses of computers--don't believe Washington's warnings.
"It's nothing more than a make-work project for the NSA now that the Cold War is over," said Jim Warren, a San Francisco-based computer expert.
Another skeptic, Ohio State University law professor Peter Swire, asserted at the San Francisco conference that national computer networks are less threatened today than they were just a few years ago.
Most corporations, he said, now rely on internal networks, composed of linked desktop computers, for data processing. These local networks--or LANs--are far less vulnerable to unauthorized penetration than the big mainframe computers corporations used a decade ago. That's because electronic files can be broken up into discreet sections and stored on different computers. With mainframes, data were usually stored in one location; an intruder needed only one password to reach everything he was after.
But other specialists note that most private-sector networks aren't adequately protected because most corporate executives either don't understand computer security or don't want to spend the money on safeguards.
"You have to make distinctions between computer sites," A. Michael Froomkin, a law professor at the University of Miami (Florida), said in an interview during the conference. Most of the Internet sites that have been tampered with are open to the public. "The serious stuff, the classified top-secret data, is always stored on isolated systems with protection developed by the NSA," he said.
A software program called Security Administrator Tool for Analyzing Networks (SATAN) caused a panic among corporate security experts when it was distributed free on the Internet a few years ago because it could probe computer systems for weaknesses and holes, Froomkin said. "SATAN was useless with the military networks. But the fact that it worked so well elsewhere is a sign that the civilian networks still aren't well maintained."
Some federal computer security experts like the NSA's Brooks acknowledge that the threats are sometimes overstated. "We have a lot of people who talk rather simplistically, as though all it takes is a group of super-hackers somewhere to bring the United States to its knees," Brooks said.
But it's irresponsible, he continued, not to prepare for cyberwarfare. "The message in all of this is: Do we really understand what we're facing? Can you take the existing charters and lethal responses of an industrial age and apply them directly to the Information Age? We really don't know, and we need to know."