There are no front lines in an information war, no fiery explosions. The enemy's camp is a cube on the other side of the globe. Their target? Your business.
Six months from now China sends an invasion armada steaming across the straits of Taiwan. The still-green Bush White House faces a fresh national security crisis. To discourage Washington from coming to Taiwan's aid, the People's Liberation Army information warfare units quietly take aim at the U.S. network infrastructure.
First, they attack computer networks at the New York Stock Exchange and the NASDAQ, disrupting trading for several hours every day for a week. Investors fly into a panic. Then an air traffic control tower at O'Hare goes offline, diverting hundreds of flights to Detroit, Indianapolis, and St. Louis, shuttering the nation's busiest airport for three days.
What next? The computer networks that power one or all of the massive retail banks - like Chase, or Citibank, or Wells Fargo - go down for four days. Dallas loses power for 24 hours. Then Atlanta. Then Denver. The Grand Coulee Dam's spillway opens, causing flooding along the Columbia River. Would we even know where these attacks came from? Or that a hostile political force was responsible? Most likely, no.
Beyond China, experts like Dan Kuehl of the National Defense University add to the list of potential cyberthreats: Russia, Iraq, Libya, and terrorist groups like Osama Bin Laden's Al Qaeda - plus a slew of friendly nations including Japan, France, Norway, England, Australia, South Korea, and Israel. The U.S. Department of Defense, to be sure, is also honing its skills. It launched a cyberattack against Serbia and Slobodan Milosevic during the 1999 NATO bombing campaign.
Most experts believe the United States is widely exposed to this kind of attack. As you read this, U.S. networks are undergoing large-scale probing and mapping. "As a country we are still terribly underprepared," says John Arquilla, an associate professor of information technology at the Naval Postgraduate School. "We haven't seen anything that serious happen yet, but it's coming."
In March 1999 at a Senate Armed Services Committee hearing on terrorism, then-deputy defense secretary John Hamre stated that an "electronic Pearl Harbor" was a credible threat to the country. It wasn't military defenses Hamre was worried about, but the infrastructure that keeps the country running.
"This Pearl Harbor's going to be different," Hamre told the committee. "It's not going to be against Navy ships . . . it's going to be against commercial infrastructure, and we don't control that."
In other words, our country's biggest weakness is its ever-expanding globally linked business networks, which don't belong to the military. They belong mostly to publicly traded companies whose primary goal is profit, not national security.
While executives preach the benefits of these networks in corporate boardrooms everywhere, the downside is that anybody with a computer and an Internet connection from Saskatoon to Ulan Bator is armed for battle. You don't need to train and arm an airborne division to cause havoc in the United States. You can spend a lot less money training 20 technologists.
"Increasingly, government agencies are relying on the public infrastructure," admits Scott Charney, who left his job as chief of the computer crime and intellectual property section of the Justice Department in 1999 and is now a partner at PricewaterhouseCoopers, consulting with companies on shoring up their defenses. "Companies like AOL, UUNet - companies that provide communications infrastructure and other public infrastructures - are targets," he says. "ATM networks are at risk. An enemy might attack our power grid. As a practical matter this is not easy to do, but I can envision scenarios where it could work."
As a measure of how vulnerable the public networks are, according to the Center for Strategic and International Studies, most of the world's 250 largest companies have already been hit by some sort of cyberattack, usually multiple attacks. A 1999 study by PricewaterhouseCoopers and the American Society for Industrial Security reports that the 1,000 largest companies in the country have sustained losses of $45 billion from theft of company secrets, in part due to holes in their networks.
It was in 1997 that the government first began to understand what kind of attack scenarios would be most damaging to the private sector. That June a team from the National Security Agency participating in a war game called Eligible Receiver discovered they could shut down the nation's power grid and disrupt 911 calling centers nationwide with tools gleaned off the Internet.
Lieutenant General Ken Minihan of the NSA told a Senate committee that Eligible Receiver was just the beginning. "A sophisticated adversary could develop and use more advanced tools and dedicate greater resources and time to support his campaign," he warned. "In short, our adversaries will have opportunities and advantages that were not available to Eligible Receiver."
Even less-skilled adversaries proved troublesome. In 1996 a teenage hacker broke into the air traffic control system at the Worcester, Massachusetts, airport, and a Swedish hacker tied up 911 lines in 11 Florida counties for two weeks.
By 1999 an investigation code-named Moonlight Maze (which continues today under a secret name) revealed wholesale mapping and looting of U.S. government and private computer networks. The Pentagon's public computer network was thoroughly excavated, as was the Space and Naval Warfare Systems Command's network. NASA also came under intense attacks, spurring the space agency's inspector general to tell reporters that the breaches were "massive, really very massive."
Meanwhile, the Washington Times reported that the NSA traced an attack at Los Alamos National Laboratory to a research institute in Beijing. The hackers reportedly retrieved hundreds of documents related to nuclear weapons production.
And on it goes. Robert West, a Navy captain and special assistant to the commander of the Joint Task Force - Computer Network Operations, admits that the Pentagon's public sites are scanned and surveyed every day. "They're being sucked dry by people with Chinese IP addresses. Is it state sponsored? You can't tell," he says.
Starting last October and into January Microsoft fell under repeated and well-organized attacks thought to be based in Russia. Microsoft officials declined to comment, but it is believed that a large-scale mapping of the software giant's networks was under way. "They're having the guts sucked out of them either by Russian intelligence or Russian organized crime," says a former high-level military official. If enemies can disable the software that runs most of the computers in the United States, then they're halfway to shutting down most of the nation's computer networks. "In the military we call it preparing the battlefield," says Arquilla of the Naval Postgraduate School.
The Microsoft attacks also beg the question: If Microsoft can be infiltrated, who can't be?
Corporate America tends to watch its bottom line more than its back. And national security isn't their job anyway. So the NIPC was put on the lookout.
If you are a tech company or a financial company or a conglomerate, is it your responsibility to defend the free world against a cyberattack? Probably not. That's the government's job, but public companies control the country's vital infrastructures. Which brings the question full circle: Are public companies responsible for protecting national security?
With these problems in mind, former president Clinton issued Presidential Decision Directive 63 in 1998, which set up the National Infrastructure Protection Center. The NIPC was put under the jurisdiction of the FBI. Its mandate was to investigate cyberattacks and to stimulate information sharing between the government and the private sector.
The problem is that many industries, technology in particular, are wary of sharing anything with the government. For an executive, the thought of releasing information about a network attack conjures investor relations nightmares.
Beyond the NIPC, the Department of Defense has also set up a Joint Task Force for Computer Network Defense to protect the Pentagon's networks. Meanwhile, several industry groups are setting up the Information Technology Information Sharing and Analysis Center to pool resources, and, it is hoped, share information with the NIPC.
Ron Dick, a 24-year veteran of the FBI and director of the NIPC, is frustrated with the lack of trust between the government and the private sector. "There is going to be a reluctance to share information," Dick laments. "But we have a great relationship with the electrical power industry and sharing information has helped both of us. We hope that will be a model. You've got to start somewhere."
Still, many experts criticize the government's efforts and point to the distinct fear that these efforts could lead to an increase in federal regulation and oversight. Bill Crowell is the president and CEO of network security provider Cylink and served as deputy director of the NSA until he retired after the Eligible Receiver war games in 1997. "They don't have the ability legally because they don't own the infrastructure, and the only way that's going to change is to increase regulation," Crowell says. "In this political environment, that doesn't seem likely. And it's difficult to make the case that there should be more involvement."
Crowell, whose company provides network security to the financial services industry, argues that ultimately it will be the insurance industry that goes furthest to protect vital infrastructures by refusing to provide coverage to firms that don't have protective measures in place. Indeed, American International Group, the insurance behemoth, has recently started offering coverage against cyberattacks.
Since PricewaterhouseCoopers' Charney left the attorney general's office, he has spent much of his time at the consulting firm persuading companies to at least assess their risk to network attacks. "The reception to that is mixed, because risk is hard to quantify," he says. "They want to know how much money it's going to cost to defend against an attack. Does the business model sustain that kind of investment? If your company has $40 million in revenues, it doesn't make sense to spend $50 million on a security solution. You could go bankrupt protecting yourself."
Companies will never be able to create a totally impenetrable network, but Cylink's Crowell says they can build security systems that will cause enough confusion and enough difficulty that cyberattackers will move on to easier prey. "It's easier to go after weaker targets than to devote a lot of time to a difficult target," he says. "We argue for a layered approach. The first layer is protecting your network with encryption programs. The second is to protect access to your internal networks with strong authentication like smart cards."
Just under the flight path of Dulles International Airport in the suburbs of Washington, D.C., sit the offices of iDefense, a company that aspires to be the Central Intelligence Agency for the private sector. iDefense is the brainchild of James Adams, a former CEO of United Press International, who has written several books on warfare and espionage. It was his most recent book, The Next World War (Simon & Schuster, 1998), that launched him into the private sector. Adams gives an exhaustive history of information warfare, as well as the U.S. military's capabilities, stating categorically that the Air Force can track hackers back to their computers and launch "computer bombs." Many of our enemies, he insists, have the same skills.
In fact, he says, an enemy's ability to launch an info war is a foregone conclusion. "This country is preparing for the last war, not the next one," Adams sighs, and picks up Unrestricted Warfare, a voluminous treatise on the future of war, which pays particular attention to cyberattacks on the commercial infrastructure. All of which leads Adams to believe that after companies have purchased their security platforms, what they really need is reliable human intelligence.
"Looking at how societies have defended themselves, intelligence has always been critical," Adams says. In the Civil War, for example, the armies used hot-air balloons to spy. "So if you accept that this is a global environment, and that the front line embraces the private sector, then the private sector needs intelligence."
iDefense, which doesn't offer security software, maintains a 24-hour intelligence-gathering team, spearheaded by Dan Owen, a retired Air Force intelligence officer, and Ben Venzke, a specialist in Middle East terrorism. The company's experts spend the day scouring everything from hacker chat rooms to secret Web sites. Many of them spend hours working the phones and even e-mailing hackers to uncover their motives. iDefense also claims to have paid informants sprinkled around the world. Its goal is to determine if its clients, including Microsoft and Citibank, are about to be attacked.
As proof of his company's success, Adams points to a recent "major" high-tech company whose server farm in France was on the verge of being hacked. "We woke their security officers up in the middle of the night and told them they were under attack," Adams says. "And I can tell you they were quite surprised."
Adams also claims that his company warned Starbucks—not a client—of an impending attack. Indeed, Venzke says, they spend much of their time calling companies that aren't even paying customers. "We've called people up and said, 'You're under attack,' and they'll have no idea what's going on. Many companies just don't believe it when they are under attack."
Providing security and intelligence to the private sector is big business. Ubizen, for example, which is one of the top three Internet security firms in Europe and just expanded into the United States, also offers an intelligence service.
Since Eligible Receiver sent Washington into a frenzy back in 1997, no major attacks have occurred. No dams have been breached, no cities have been thrown into darkness, and the financial system seems secure. Yet everyone interviewed for this story believes info war is inevitable.
West of the Joint Task Force—Computer Network Operations argues that the government and the private sector have both made impressive gains. "Today, if a terrorist or another enemy wants to shut down power grids, SCADA systems [control and data systems], trains, subway systems, dams, any of that, they would probably have better success walking into the control room and threatening to blow someone's head off. Today that is a more likely scenario and threat. I won't say that's the case for tomorrow, though."
And Adams? He picks up his copy of Unrestricted Warfare and begins to leaf through it. "I have no doubt that the virtual world is where the next war will be waged," he says. "Why? For the first time in history, the weapons are available to everyone."
There's even a manual for launching a cyber campaign. But is it a real threat or just a scare tactic?
A few years ago, two Chinese air force colonels, Qiao Liang and Wang Xiangsui, published Unrestricted Warfare (PLA Literature and Arts Publishing House, 1999), a treatise explaining how underdeveloped nations could attack the United States. The tactic? Mount cybercampaigns against the U.S. infrastructure, and American businesses are fair game.
They write: "If the attacking side secretly . . . launches a sneak attack against its financial markets, then after causing a financial crisis, buries a computer virus and hacker detachment in the opponent's computer system in the advance, while at the same time carrying out a network attack against the enemy so that the civilian electricity network, traffic dispatching network, financial transaction network, telephone communications network, and mass media network are completely paralyzed, this will cause the enemy nation to fall into social panic, street riots, and a political crisis."
According to Captain Robert West of the Joint Task Force—Computer Network Operations, the book has stirred wide debate about whether we are prepared for such an attack. But is it really a threat or just a scare tactic? West argues, "You have to assume that is being discussed over there as an option."
Hackers siphoned $377 million from U.S. businesses' bottom lines last year. Now insurance companies are trying to mitigate the risk.
Feeling vulnerable to cyberattack? You should be. "We regard these threats, attacks on companies' networks, to be a fundamental risk of doing business today," says Ty R. Sagalow, COO of American International Group's eBusiness Risk Solutions group. "Whether it's a result of an info war, or a script kiddie, or a criminal, we don't care, but you've got to protect your business."
Indeed, according to a recent study by the Computer Security Institute and the San Francisco office of the FBI, 85 percent of businesses surveyed had their online security systems breached last year, and 35 percent of the companies actually quantified a loss from the attacks. The tally? About $377 million. And that's just from the 186 companies that came clean.
AIG now offers insurance policies against attacks. If your company needs more than $5 million in coverage, AIG will conduct a free onsite security check (done in partnership with Unisys and Global Integrity). The assessments include analyzing your current security and ethical hacking, in which they try to break into your company's networks. For more information, visit www.aignetadvantage.com.