A bell marking the opening of business sounds on the
cavernous trading floor of the New York Stock Exchange. It is Feb. 4, 2006, a decade after
the White House sent the aircraft carrier Nimitz into the Strait of Taiwan, infuriating
China, which had been firing missiles at Taipei.
As traders reach for their phones, all of the computer screens in the Exchange suddenly
go blank. Simultaneously, in Detroit, a mysterious power outage brings auto assembly lines
to a halt. On the West Coast, a chartered jet carrying the Labor Secretary and several
hundred American business executives back from a trip to Taiwan smashes into a 737 on the
runway at Los Angeles Airport; landing coordinates the pilot had received from computers
in the LAX control tower had been tampered with.
Meanwhile, the commander of a Marine Corps base in Japan hears angry voices outside his
office. Once again, trouble is brewing over Taiwan. Washington has just ordered him to put
his troops on alert because Chinese army troops are massing across the Strait. A few hours
earlier, electronic thieves cleaned out the U.S. bank accounts of all the marines in
Japan, and now the troops are frantically taking calls from spouses back home.
Sound improbable? Sure it does. But to a growing number of Pentagon strategists and
other federal security experts, a cyberspace-based scenario like this may be the face of
battle in the 21st century. Many of the combatants in this potentially deadly new form of
guerrilla warfare would be armed with no more than personal computers and modems. And they
could be two continents away from their intended targets.
Waging the domestic version of what security experts call "infowar" means
applying computer viruses, hidden codes, data-destroying software programs and other
electronic mechanisms that could, among other things, halt the operations of electric
power grids, natural gas pipelines, railroad switching facilities and air traffic control
systems. Infowarriors could also scramble the software used by banks, hospitals and
emergency services, and break down telephone and other telecommunications networks.
In January, a high-powered Pentagon advisory group--a task force of the Defense Science
Board--issued an urgent report warning that the nation's computer systems are so
vulnerable to malicious assaults that the country may one day face "an electronic
Pearl Harbor."
The report recommends that the Defense Department spend $3 billion over the next five
years to strengthen its telecommunications and computer systems, and establish centers at
the National Security Agency (NSA) and the Defense Information Systems Agency to study the
potential causes of and responses to information warfare.
Another report is being prepared by a government-industry group called the President's
Commission on Critical Infrastructure Protection. Created last fall, the commission--which
is headed by Robert T. Marsh, a retired Air Force general and former chairman of the board
of Thiokol Corp.--was supposed to issue its findings by midyear. Ten federal agencies with
potential interests in the subject were entitled to have two members each on the
commission. But because some agencies picked only one person and because so many private
experts declined to participate--they didn't want to leave their businesses for a year, as
required--the panel will finish its work with 15 members, instead of the 22 envisioned in
the executive order. The panel's deadline was recently extended to early October.
A THREAT THAT'S VERY REAL
Launching a cyberspace-based assault doesn't necessarily mean using nefarious
techniques to "hack," or penetrate without permission, a computer system. In
fact, many of the digital tools in a cyber-terrorist's arsenal are simply everyday
devices, expressed in the 0's and 1's of computer language, that make a computer network
like the Internet such a marvel of communications.
In the hypothetical assault described at the beginning of this article, for example,
the Stock Exchange's computers might be put out of action by an "electronic-mail
bomb." First the attacker would break into the system of a company--an Internet
service provider--that manages the links between the Exchange and the Internet. The
attacker would tinker with the service provider's computers so that they routed millions
of E-mail messages--which the attacker would generate from his own computer--to the
Exchange. If the flood of false E-mail is large enough, the Exchange's Internet
connection--and possibly its own computer--would become overloaded and shut itself down.
Shutting off Detroit's power might be a simple matter of guessing (with a little
electronic help) the password needed to enter the local electric company's computer system
and then commanding it to flip the city's "off" switch. Password
"dictionaries," which generate hundreds of possible words or combinations of
letters, are easily obtainable; the attacker would simply dial into the power company's
system and run the dictionary program until it chanced upon the right code.
Infowarriors might also break into the air traffic control system by
"hijacking" a password. How? Maybe by waiting for someone who's manning a
computer station to, say, get up for a cup of coffee without exiting the program he's
working on and turning off his machine. This is a favorite among students at colleges that
operate huge, multiuser systems. Once inside a system, a skilled hacker can control it.
And the cleaning out of bank accounts? A "logic bomb"--a program hidden
within a computer and set to activate at some point in the future, destroying designated
files--might do the trick. So might a "data-service" attack. That involves
convincing a computer network to share its information with an intruder's computer. If the
network isn't protected by some form of computer security, there is no way to prevent a
machine outside the network from requesting and receiving data.
Some infowar specialists would include other forms of digitized assault under the
rubric "information warfare." In addition to attacking the inner workings of
computers, for example, infowar could also mean the use of information technology on the
battlefield or the use of microwaves to block wireless data transmissions, some experts
say.
The NSA, the federal agency that concentrates on (among other hyperclassified matters)
the use of information technology, focuses more on the danger that renegades with
computers pose to America's national security apparatus. The agency estimates that more
than 120 countries now have "computer attack capabilities" for attempting to
seize control of Pentagon computers in a way that would "seriously degrade the
nation's ability to deploy and sustain military forces," the General Accounting
Office noted in a 1996 report.
According to the gloomiest of infowar theories, all computer systems are vulnerable to
attack. And a challenge facing the people in charge of potential targets is deciding
whether a glitch in a computer system means that somebody somewhere innocently pushed the
wrong button or that the first shot has been fired in a cyberspace attack, Clinton D.
Brooks, an adviser to NSA director Kenneth A. Minihan, said in a rare interview.
"We certainly don't want to defend at the national federal level against something
that's just an accident," he said. "What we need is some sort of national
centralized recording, monitoring and assessment center. . . . We need to know what's
normal behavior [in cyberspace]. How many real accidents happen out there? How many
different incidents [that resemble infowar] normally occur?"
Such a statement, coming from the top level of the highly secretive NSA, indicates the
alarm with which the U.S. defense and intelligence communities view the prospect of
electronic warfare.
In an appendix to its January report, the Defense Science Board task force cites a
variety of computer-related incidents occurring since the late 1980s that, some members of
the task force maintain, prove that the threat of infowar is very real. These incidents
include the 1989 placement of logic bombs in public telephone network switches in Atlanta,
Denver and Newark; the 1995 theft of 60,000 telephone calling card numbers by a technician;
and the 1994 attack on Citibank's computers by an organized crime ring based in Russia,
which resulted in the theft of almost $12 million.
Other attacks have targeted U.S. research and defense facilities. In the months leading
up to the Persian Gulf war, for example, a group of teenagers from the Netherlands
"hacked" computer files at 34 American military sites on the Internet and
electronically siphoned off such information as the exact locations of U.S. troops and the
types of weapons they had, according to the task force report.
By browsing through the sites' computerized directories, reading E-mail and copying
data, the teenagers also gleaned information about the capabilities of the Patriot missile
and the movement of American warships in the Gulf region. When they were done, they
modified the computer systems' logs to cover their traces. Late last month, Eugene
Schultz, former head of computer security at the Energy Department, told the BBC that
during the Gulf conflict the hackers tried to sell their pilfered information to Iraq. The
generals in Baghdad backed off, fearing a trap, Schultz said.
More recently, a 19-year-old Londoner named Richard Pryce broke into the computer files
of an Air Force research facility in Rome, N.Y., more than 150 times in 1994. Pryce, who
American intelligence officers said had caused "more harm than the KGB," was
convicted in a London court of making an unauthorized entry and fined the equivalent of
$2,400.
The Science Board unit's report also lists 10 countries--Russia, China, North Korea,
Iraq, Iran, India, Egypt, Cuba, Libya and Syria--ranked according to their progress in
developing 15 categories of technologies to support infowar, including such fields as
"psychological operations," "deception," "electronic
warfare" and "lethal destruction."
Russia, for example, is said to have technology equal to the best the United States has
to offer in seven categories, and "average or good" capabilities in four others.
In only four categories, the report says, does Russia fail to measure up to the United
States.
China and North Korea are reported to be on a par with the United States in three
categories, but Iran, Egypt, Cuba, Libya and Syria appear to be out of the game for the
time being.
TARGETING PUBLIC SERVICES
It's more difficult to pin down the threat to the private sector and to the U.S.
economy in general, security experts acknowledge.
The United States has more computer expertise within its borders than any other country
in the world. And so on any given day, the wires are humming with data being passed back
and forth not only between corporations or organizations within a given industry, but also
along the Internet, which uses telephone lines.
So far, even the cleverest of hackers have yet to successfully target an electric power
grid for disruption or lob E-mail bombs at a regional telephone network. But just because
a full-scale domestic cyberspace attack hasn't happened yet doesn't mean that it can't
happen, some security experts say.
Because so many computer systems are so interconnected, well-timed assaults on only a
few of these systems could disrupt the lives of millions of Americans, suggests Ross
Stapleton-Grey, a former CIA analyst who is now president of Tele-Diplomacy Inc., an
Arlington (Va.)-based consulting firm.
"In a non-hyper-wired world, technological failures are OK," he said in an
interview. "But if we have a string of calamities such as the 1991 AT&T switch
failure that caused traffic control systems at airports all along the East Coast to go
down, that can lead to a major disaster."
The President's commission was formed to head off just such disasters. The executive
order that established the panel warns that "certain national infrastructures are so
vital that their incapacity or destruction would have a debilitating impact on the defense
or economic security of the United States."
Marsh isn't persuaded by the argument that cyberattacks won't happen in the future
because they haven't happened in the past. "In this tough world, if we have exposed
vulnerabilities in any of our vital systems . . . any prudent person would conclude that
we ought to plug up the holes and not invite outsiders in to cause harm," he said.
Recent events overseas show that some terrorists already have plans for targeting basic
public services, Marsh and other security experts say. Last July, for example, Scotland
Yard said it had foiled an Irish Republican Army plot to bomb natural gas, water and power
installations in London.
American businesses have become dependent on information technology, and some
industries couldn't operate without using computers. With terrorism, hacker mischief and
computer attacks by organized crime all on the rise, Marsh said, "we face a looming
problem of serious proportions that needs to be addressed."
Infowar specialists who concentrate on the home front, however, also have trouble
distinguishing between hacking activities that merely annoy and cyber-attacks intended to
do serious harm.
Winn Schwartau, a Seminole (Fla.)-based security consultant, applies the term primarily
to electronic attacks on computer networks. He has labeled as infowar everything from the
recent defacing of Web sites operated by the National Aeronautics and Space Administration
and the Justice Department to three incidents in January 1993 involving hackers who
reportedly extorted huge ransoms from British banks and brokerage houses in return for not
crashing the financial institutions' computer systems.
"I don't like to use the term `infowar,' but it gets the executives'
attention," Ron Skelton, an engineer with the Palo Alto (Calif.)-headquartered
Electronic Power Research Institute, said at a mid-March conference of computer
programmers in San Francisco. "The bottom line is this: The American public really
wants hot showers, warm bedrooms and cold beer. And if they don't get it, the government
will hear about it."
Marsh reiterated this point later in the conference. "As you know, the Internet
contains hacker sites with complete instructions on how to do the job [of launching
cyber-attacks]," he said. "Our infrastructures are constantly in danger from
people intent on penetrating and disrupting them. And all these people need are a personal
computer and a modem."
WHEN "SATAN" CAUSED A PANIC
Not everybody buys the notion that cyberwar is just around the corner. True, the report
by the Defense Science Board task force notes that "there really is a smoking
gun." But not everybody who looked saw the gun or the smoke; the report notes that
the opinions in the document don't reflect the views of all participants in the study.
And many specialists--often quick to bristle whenever the government weighs the need
for controls on the uses and occasional misuses of computers--don't believe Washington's
warnings.
"It's nothing more than a make-work project for the NSA now that the Cold War is
over," said Jim Warren, a San Francisco-based computer expert.
Another skeptic, Ohio State University law professor Peter Swire, asserted at the San
Francisco conference that national computer networks are less threatened today than they
were just a few years ago.
Most corporations, he said, now rely on internal networks, composed of linked desktop
computers, for data processing. These local networks--or LANs--are far less vulnerable to
unauthorized penetration than the big mainframe computers corporations used a decade ago.
That's because electronic files can be broken up into discrete sections and stored on
different computers. With mainframes, data were usually stored in one location; an
intruder needed only one password to reach everything he was after.
But other specialists note that most private-sector networks aren't adequately
protected because most corporate executives either don't understand computer security or
don't want to spend the money on safeguards.
"You have to make distinctions between computer sites," A. Michael Froomkin,
a law professor at the University of Miami (Florida), said in an interview during the
conference. Most of the Internet sites that have been tampered with are open to the
public. "The serious stuff, the classified top-secret data, is always stored on
isolated systems with protection developed by the NSA," he said.
A software program called Security Administrator Tool for Analyzing Networks (SATAN)
caused a panic among corporate security experts when it was distributed free on the
Internet a few years ago because it could probe computer systems for weaknesses and holes,
Froomkin said. "SATAN was useless with the military networks. But the fact that it
worked so well elsewhere is a sign that the civilian networks still aren't well
maintained."
Some federal computer security experts like the NSA's Brooks acknowledge that the
threats are sometimes overstated. "We have a lot of people who talk rather
simplistically, as though all it takes is a group of super-hackers somewhere to bring the
United States to its knees," Brooks said.
But it's irresponsible, he continued, not to prepare for cyberwarfare. "The
message in all of this is: Do we really understand what we're facing? Can you take the
existing charters and lethal responses of an industrial age and apply them directly to the
Information Age? We really don't know, and we need to know."