By Jared Chausow
By Katie Toth
By Elizabeth Flock
By Albert Samaha
By Anna Merlan
By Jon Campbell
By Jon Campbell
By Albert Samaha
Without bombs, bullets, or missileswithout even setting foot on U.S. soil cyberterrorists could disable the nation's phone systems, plunge cities into blackout, sever water supplies, scramble military communications, steal classified files, clog emergency-response lines, cripple highways, and ground planes. By commandeering vulnerable home PCs and using them to bombard the servers that make modern life possible, they could shutter our markets and take out key links like the Federal Reserve, which every day transfers $2 trillion over the wires. With a few keystrokes, they could wreak damage on a scale not easily imagined, and for pennies on the dollar.
The best intelligence suggests that the next major military strike by the Bush administration, now drumming up support for an imminent war on Iraq, will draw in response an equally intense virtual assault. A report by Dartmouth College's Institute for Security Technology Studies examined cyberwar overseaswith particular attention to the conflicts in Serbia and the Middle Eastand concluded that virtual onslaughts "immediately accompany physical attacks." By the logic of that analysis, if Bush moves on Saddam Hussein after the midterm elections, we would see the first full-on blitz before Christmas.
It's not as though the White House lacks all understanding of the danger. Last week, Bush officials brought to the readjourning Congress a plan to create a cabinet-level Department of Homeland Security. Lawmakers are weighing the president's request to provide the agency with $38 billion next year. But of that sum, only $364 millionless than 1 percent of the total budgetwould go to shield the nation's most vulnerable front.
This low funding level reflects in part a faith in larger computer security investments by the Defense Department ($10 billion and climbing fast) and the private sector (especially banks, financial services, media, and other technology-dependent industries).
The real problem, critics argue, is that the feds won't, or can't, deal with America's agile, innovative, and occasionally criminal hackersthe experts with the street experience and technical know-how to prevent a catastrophe. Instead, most Homeland funds are going to what one cyberwar expert calls "the usual suspects," the same big players who built our now-endangered infrastructure: large, slow-moving defense contractors like Northrop Grumman, Raytheon, and SAIC, mainline academic institutions, and established think tanks like the Rand Corporation.
"The concept of 'homeland security' is essentially retarded," says Michael Wilson, a former hacker and current partner in Decision Support Systems Inc., a Reno, Nevada-based consultancy advising sovereign states, companies, and the ultrarich about dealing with cyberwar. "The contracts are going to the very people who got us into this mess to begin with. None of them can tell you what the current cyber-threat is, and they don't know what to defend with."
Too young, too radical, and too often freighted with checkered pasts, hackers are a breed of cyberwarrior no government agency feels comfortable with. Because so few among the hacker ranks would even pass the first level of security clearance background checks, the feds are trying to manufacture their own, through programs like the Cyber Corps. Set up by President Clinton, it now trains students on six campuses in the defense of government institutions. Similar efforts to develop in-house cyberwarriors have been launched by the CIA, the FBI, and each branch of the nation's armed forces. But all these efforts are falling short. The federal government estimates it needs 100,000 computer security pros, up from the 37,000 thought necessary a year ago. Today, the entire Cyber Corps program has just 66 students.
Recognizing the failings of a conservative approach, some major defense contractors are in fact reaching out to "white-hat" hackers. "I don't deal with folks who are dancing too close to the line," says Adelle McIlroy, security practice lead with Internal Network Services, a spin-off from Lucent Technologies. "I look for someone who has learned their skills in the military. If they have a criminal history, I wouldn't hire them. I look for the ones who are smarter than thieves but who are not thieves themselves."
McIlroy believes the system will have to change, embracing more hackers to provide an effective defense. "Government agencies are going to have to change how they think, to be more adaptive," she says.
This view is an exception to the rule. Consider the response of one Raytheon spokesman: "There's no requirement to change. We believe we have the people to make it work."
Such breathtaking smugness, combined with the ease with which a cyberattack can successfully be launched, should be giving New York City officials the willies.
New York is the number one target of any retaliatory strike, because it remains the pre-eminent symbol of America's economic and technological might. From a cyberterrorist's perspective, it might not be an entirely open citydemand for computer security is growing fastbut it is still all too vulnerable. Every pipe out is potentially a crack for enemies to exploit. With DSL and cable connections quickly growing more popular, New York ranks among the top 25 cities in the nation for household Internet access. The city's financial, media, and entertainment industries could not exist without the servers and routers ordering the data, tracking and transferring money, and connecting us with the world beyond. New York is second only to Los Angeles in number of Web sites registered, and it has almost twice as many high-speed links as any city on the planet.