Virtually Helpless


The next time this country is targeted by terrorists, the primary weapon may be an object no bigger than your thumbnail: a computer chip.

Without bombs, bullets, or missiles—without even setting foot on U.S. soil—cyberterrorists could disable the nation’s phone systems, plunge cities into blackout, sever water supplies, scramble military communications, steal classified files, clog emergency-response lines, cripple highways, and ground planes. By commandeering vulnerable home PCs and using them to bombard the servers that make modern life possible, they could shutter our markets and take out key links like the Federal Reserve, which every day transfers $2 trillion over the wires. With a few keystrokes, they could wreak damage on a scale not easily imagined, and for pennies on the dollar.

The best intelligence suggests that the next major military strike by the Bush administration, now drumming up support for an imminent war on Iraq, will draw in response an equally intense virtual assault. A report by Dartmouth College’s Institute for Security Technology Studies examined cyberwar overseas—with particular attention to the conflicts in Serbia and the Middle East—and concluded that virtual onslaughts “immediately accompany physical attacks.” By the logic of that analysis, if Bush moves on Saddam Hussein after the midterm elections, we would see the first full-on blitz before Christmas.

It’s not as though the White House lacks all understanding of the danger. Last week, Bush officials brought to the readjourning Congress a plan to create a cabinet-level Department of Homeland Security. Lawmakers are weighing the president’s request to provide the agency with $38 billion next year. But of that sum, only $364 million—less than 1 percent of the total budget—would go to shield the nation’s most vulnerable front.

This low funding level reflects in part a faith in larger computer security investments by the Defense Department ($10 billion and climbing fast) and the private sector (especially banks, financial services, media, and other technology-dependent industries).

The real problem, critics argue, is that the feds won’t, or can’t, deal with America’s agile, innovative, and occasionally criminal hackers—the experts with the street experience and technical know-how to prevent a catastrophe. Instead, most Homeland funds are going to what one cyberwar expert calls “the usual suspects,” the same big players who built our now-endangered infrastructure: large, slow-moving defense contractors like Northrop Grumman, Raytheon, and SAIC, mainline academic institutions, and established think tanks like the Rand Corporation.

“The concept of ‘homeland security’ is essentially retarded,” says Michael Wilson, a former hacker and current partner in Decision Support Systems Inc., a Reno, Nevada-based consultancy advising sovereign states, companies, and the ultrarich about dealing with cyberwar. “The contracts are going to the very people who got us into this mess to begin with. None of them can tell you what the current cyber-threat is, and they don’t know what to defend with.”

Too young, too radical, and too often freighted with checkered pasts, hackers are a breed of cyberwarrior no government agency feels comfortable with. Because so few among the hacker ranks would even pass the first level of security clearance background checks, the feds are trying to manufacture their own, through programs like the Cyber Corps. Set up by President Clinton, it now trains students on six campuses in the defense of government institutions. Similar efforts to develop in-house cyberwarriors have been launched by the CIA, the FBI, and each branch of the nation’s armed forces. But all these efforts are falling short. The federal government estimates it needs 100,000 computer security pros, up from the 37,000 thought necessary a year ago. Today, the entire Cyber Corps program has just 66 students.

Recognizing the failings of a conservative approach, some major defense contractors are in fact reaching out to “white-hat” hackers. “I don’t deal with folks who are dancing too close to the line,” says Adelle McIlroy, security practice lead with Internal Network Services, a spin-off from Lucent Technologies. “I look for someone who has learned their skills in the military. If they have a criminal history, I wouldn’t hire them. I look for the ones who are smarter than thieves but who are not thieves themselves.”

McIlroy believes the system will have to change, embracing more hackers to provide an effective defense. “Government agencies are going to have to change how they think, to be more adaptive,” she says.

This view is an exception to the rule. Consider the response of one Raytheon spokesman: “There’s no requirement to change. We believe we have the people to make it work.”

Such breathtaking smugness, combined with the ease with which a cyberattack can successfully be launched, should be giving New York City officials the willies.

New York is the number one target of any retaliatory strike, because it remains the pre-eminent symbol of America’s economic and technological might. From a cyberterrorist’s perspective, it might not be an entirely open city—demand for computer security is growing fast—but it is still all too vulnerable. Every pipe out is potentially a crack for enemies to exploit. With DSL and cable connections quickly growing more popular, New York ranks among the top 25 cities in the nation for household Internet access. The city’s financial, media, and entertainment industries could not exist without the servers and routers ordering the data, tracking and transferring money, and connecting us with the world beyond. New York is second only to Los Angeles in number of Web sites registered, and it has almost twice as many high-speed links as any city on the planet.

It is all very impressive. Yet none of the systems upon which the city’s economic life depends could withstand the major denial-of-service attack terrorists are now capable of delivering. “The odds of some kind of cyberattack have gone from probability to a certainty,” says Fred Rica, a threat-assessment guru with PricewaterhouseCoopers, LLP.

The question is, what scope of attack should the city expect? Rica’s answer: Prepare for the worst.

Opening skirmishes have already taken place. “Banks and financial service organizations are experiencing a lot of benign attacks on the parameters of their systems,” says Steve Buerle, security practice director with ThruPoint, Inc., one of the country’s leading cyber-detective agencies.

Indeed, while no overt cyberwar has been declared on the U.S., the country’s defenses are clearly being tested. According to officials at CERT (the federally funded Computer Emergency Response Team, based at Carnegie Mellon University), the number of “incidents”—cases of malicious hacking—is growing rapidly. Between 1994 and 2001, the yearly number of virtual break-ins at the country’s defense agencies grew from 225 to 40,076. Breaches at private companies and other government agencies grew at only a slightly lower rate, increasing from 2340 to 52,658.

The Bush administration has made several attempts to set up meaningful protection, such as the Federal Computer Incident Response Center and the Cyber Warning and Information Network. But the very nature of cyberwarfare puts large and complex organizations—private or public—at a disadvantage.

As a result, although most computer systems now in place in New York’s major private and public institutions have some form of protective software, almost all of them are sitting ducks. Rica points out that part of the reason for this is that as systems age, they become more vulnerable. Moreover, even when new defensive software is available, companies and agencies don’t always have the money or the inclination to buy in.

Cheaper and faster are the hackers, people Michael Wilson says should be deployed to defend the city and the nation at large. “We’ve been relying on people in the spook establishment who have an arm’s length of clearances and are ostensibly squeaky clean, but it just doesn’t work,” he says. “For you to be any good in this area, you have to have done moves on the street. But that kind of person can’t pass clearance tests.”

Others agree. “We need to treat hackers today the way we treated German rocket scientists after World War II,” says John Arquilla, senior consultant with the Rand Corporation. “Hackers can be cultivated rather than punished. They are an underutilized resource.”

Much of that resource waits untapped, right in the heart of Gotham. “New York has the world’s largest hacker community,” says Wilson. Of the 1000 top hackers in the world, he believes 20 are to be found here in the city, along with between 200 and 300 cyberwarriors known as “script kiddies.” Those numbers might sound small, but in cyberwarfare, every hacker is an army.

Commissioning a major defense contractor to craft a response to cyberwar is like sending a tank to do the work of a scooter. “The U.S. defense establishment is trying to instill a mindset that is inherently foreign to the people they’ve selected to do the job,” warns Wilson. “You need to build a defensive organization that can react like a 14-year-old.”

Indeed, organized military response has been shockingly poor, at best. Despite the $1.6 billion the Pentagon spent on computer defenses last year, the General Accounting Office recently blasted the DOD for having networks “beset by vulnerabilities.” When the Defense Department tested itself, it held an exercise in which teams from the National Security Agency used hacker programs to break into 36 Pentagon computer networks and nine city power grids and 911 systems, all at once. According to one source close to that exercise, Pentagon systems administrators were able to detect just two of the mock attacks.

There have also been real incidents in which only a dose of perverse luck prevented disaster. During the Gulf War, Dutch hackers stole information about U.S. troop movements from Defense Department computers and tried to sell it to the Iraqis, who thought it was a hoax and turned it down.

That case shows how hard it can be to predict who will try to break in. But correctly identifying the attacker is as important as knowing what systems are being bombed. In 1998, more than 500 Pentagon computer systems were compromised in a series of attacks code-named “Solar Sunrise.” The assault was first thought to have originated in the United Arab Emirates but later found to have been the work of a couple of California high school students and their 17-year-old Israeli mentor.

Homeland Security will have to move quickly to distinguish a serious foe from a juvenile pest. And it will need to make a realistic determination of who is capable of launching an attack in the first place.

Bush administration efforts to show that Al Qaeda terror cells are planning to launch cyberattacks against the U.S. may appeal to public imagination, but there has been little indication that Osama bin Laden has the cadre of geeks needed to launch such an operation.

Still, plenty of others have the resources to pull it off. Intelligence agencies have identified 20 countries and two dozen terror rings that are developing cyberwar technology. Among them, the U.S. ranks first in terms of money being invested. The list of other players includes both friends and enemies: China, Russia, France, Germany, Israel, Iran, Iraq, Libya, Cuba, Britain, and North Korea. Groups known to employ cyberweapons range from Hamas in the Middle East to Chiapas rebels in Mexico to the Falun Gong in China. There are also well-financed private cyberarmies mustering in Pakistan, India, and Germany.

In this form of warfare, both the generals and the soldiers are marked by extreme youth. The jargon reflects this. In addition to being called script kiddies, frontline attackers are known as “ankle biters” and “packet monkeys.”

Some computer experts denigrate these more minor players. “They don’t have to be very intelligent,” says John Hale, a computer science professor who works with the Cyber Corps program at the University of Tulsa. “These hackers use scripts other people write.”

The hacker community has other weaknesses. Its members are often their own worst enemy. “Hackers can expose and break into things, but they aren’t necessarily good at making something work,” says McIlroy, of Internal Network Services. “A person committing the crime of breaking in isn’t always expert in defending. Besides, the question isn’t how to defend a system, but how to make it unbreakable.”

Though that question may have no answer, the strongest hope lies with pulling in all available minds. Cyberwar is not a game for the shortsighted. Some argue the long-term fallout from a potent assault would be even more devastating than the virtual battle itself. John Adams, a well-known defense expert and former Washington correspondent for the London Sunday Times, recently wrote that cyberwar technology “is capable of deciding the outcome of geopolitical crises without the firing of a single weapon.”

And just as the effects of an atom bomb linger for generations, so a cyberwar could unleash a host of viruses, worms, and Trojan horses that defy the best defense efforts long after the fighting has ended. Already, there are some 30,000 hacker-oriented sites on the Internet, bringing the tools needed to wage cyberwar within the reach of even the technologically challenged. The array of weapons is vast and growing. According to ICSA Labs, more than 50,000 computer viruses have been created, and up to 400 are active at any one time, with over 10 new ones released every day.

In the end, the Department of Homeland Security may fail in its mission because it is reactive rather than proactive, seeking to influence events from on high rather than from the ground level, where effective control can determine the outcome of cyber-conflict. Left unprepared, New York—and the country—could find itself the victim not simply of a cyberattack, but of an utter failure of governing elites to see the writing on the wall.