WASHINGTON -- Fears of Cold War tensions are finding new life in cyberspace, as the threat of Internet espionage shifts the nuclear-age doctrine of "mutually assured destruction" to that of mutually assured disruption.
In one long-running operation, the subject of a U.S. spy investigation dubbed "Storm Cloud," hackers traced back to Russia were found to have been quietly downloading millions of pages of sensitive data, including one colonel's entire e-mail inbox. Over three years, most recently in April, government computer operators have watched--often helplessly--as reams of electronic documents flowed from Defense Department computers, among others.
The heist is "equivalent to a stack of printed copier paper three times the height of the Washington Monument," says Air Force Maj. Gen. Bruce Wright of the Air Intelligence Agency.
China and Russia pose the deepest threats because their technology research is the most advanced, U.S. officials say. But some senior officials worry that it doesn't take a superpower to hack into a nation's sensitive computer networks. Moreover, there are complicated legal issues about how and when to launch counterstrikes.
A teenager or a terrorist?
It is often impossible for government or corporate victims to know whether an attacker is a teenager or terrorist, a rival company or a foreign government--and those distinctions make all the difference in how the U.S. government reacts. Even in the Storm Cloud case, officials can't answer for certain whether a foreign government or rogue hackers are involved.
Both pose dangers. A federal advisory panel, the Defense Science Board, reported in March that the Pentagon "cannot today defend itself from an information operations attack by a sophisticated, nation-state adversary." Security testers at the Pentagon's National Security Agency routinely hack into U.S. military networks--and without the Pentagon noticing 99 percent of the time, the board found.
But the Central Intelligence Agency says hacking by foreign governments, as opposed to individuals, is the biggest threat. "Only government-sponsored programs are developing capabilities with the future prospect of causing widespread, long-duration damage to U.S. critical infrastructures," says Lawrence Gershwin, head of the CIA's intelligence on technology. He calls terrorists, for example, a "limited" Internet threat. "Bombs still work better than bytes."
The Storm Cloud case, which involved several military and law-enforcement agencies and descended from an FBI investigation called "Moonlight Maze," isn't the only illustration of the threat from overseas. After a U.S. spy plane collided with a Chinese jet in May, Chinese activists vandalized or shut hundreds of U.S. Web sites, including that of the White House. Last fall, a hacker accessed software blueprints at Microsoft Corp.; detectives believe the hacker used software from Asia and transferred data back to an anonymous e-mail account in Russia.
So far, the government's response has been disjointed; cooperation has been slow to evolve among various U.S. agencies, corporations and foreign governments. A 1998 presidential order made the Federal Bureau of Investigation's National Infrastructure Protection Center the "focal point" for collecting data about threats. But the FBI center sometimes can't share information with the president's cyber-security adviser unless the Justice Department approves. Meanwhile, the White House budget office instructed agencies to report Internet attacks to the General Services Administration.
The Storm Cloud case has highlighted all these issues. The attackers often covered their tracks using a modified software tool called "Loki," after a mischievous Nordic god; the software makes break-ins look like innocent Web browsing. Victims include the Defense Department's high-performance computer labs, where researchers use some of the world's fastest supercomputers to predict how air flows around a jet or how a missile penetrates armor. Weeks after the first attacks, an insider newsletter at one lab, the Aeronautical Systems Center at Wright-Patterson Air Force Base, conceded, "We accept that we can never be completely secure." Investigators insist nothing classified was stolen though the data were sensitive and commercially valuable.
Suspicious file transfers tripped sensors at Wright-Patterson in early 1998. But it wasn't until months later, after intrusions into other computer labs, that officials realized the attacks were connected. The hackers were particularly clever: Officials found software sensors inside federal computers that modified a private Web site in Britain whenever new documents were available. The hackers would view the Web site to see if it had changed and therefore didn't have to risk detection by checking themselves.
Investigators believe hackers installed eavesdropping "sniffer" software as early as 1997 at universities, including Louisiana State University, in Baton Rouge, and the University of Cincinnati in Ohio, where professors working on defense projects connect via the Internet to military labs. The hackers then posed online as those professors to steal data and pilfer more passwords. Only after the attacks were noted were outside researchers instructed to use some encryption.
The Pentagon then ordered all defense employees to change their computer passwords. The intruders even stole that memorandum, investigators suspect, and accordingly changed the passwords for the military accounts they had hacked.
Investigators traced the break-ins to three commercial Internet-service providers in Moscow. But the riddle remained: Who was at the keyboard? Russia's government, or rogue hackers? The State Department last year formally pressed Russia--where laws subject almost all electronic communications to government monitoring--for help. A spokesman for Russia's intelligence service denies culpability, adding that if the government had organized the hacking, it would have done a better job hiding its tracks.
How to respond to attacks?
Such uncertainties raise crucial legal and diplomatic questions about how to respond. When does the U.S. hack back, and how? If the hackers are civilians, they are deemed "unlawful combatants" and criminals under U.S. law. But if a government is involved, the U.S. would weigh a retaliatory cyberstrike, says military spokesman Barry Venable.
The agency that chiefly defends the military's computers changed its role this spring to include offensive attacks. It expects to triple its staff to nearly 150 in the next two years, and a draft Pentagon budget projects spending on computer warfare to increase by $400 million next year, and by $3.5 billion over the next seven years.
The FBI tried a similar hack-back approach. In April, a grand jury in Seattle indicted two Russian computer experts accused of hacking into dozens of U.S. banks and e-commerce sites, and then demanding money for not publicizing the break-ins. FBI agents, posing as potential customers from a mock company called Invita Computer Security, last November had lured the Russians to Seattle and asked the pair for a hacking demonstration. The agents secretly recorded every keystroke with commercial software available to anyone for $99.
Days later, using one man's password, "cfvlevfq," the FBI connected to the Russians' own computers overseas and downloaded 781 megabytes of data. Only then did they obtain a search warrant for the files. A U.S. judge condoned the tactic in a pretrial ruling, partly because the searched computers were in Russia.
Sen. Robert Bennett, a Utah Republican who is one of Congress's technology experts, says the ability to counterstrike should help discourage serious attacks from those who can be hit back. "The U.S. is the most vulnerable society because we're the most wired in the world," he said. "On the other hand, we're probably the most capable to wage this kind of warfare if someone were to provoke us."