http://www.nytimes.com/2009/04/28/us/28cyber.html?_r=1&hp
New York Times
By DAVID E. SANGER, JOHN MARKOFF and THOM SHANKER
Published: April 27, 2009
This article was reported by David E. Sanger, John Markoff and Thom Shanker and written by Mr. Sanger.
Mario Jose Sanchez/Associated Press
Cyberwar
The Digital Arms Race
Computers, indispensable in peace, are becoming ever more important in political conflicts and open warfare. This is the first article in a series on the growing use of computing power as a weapon.
Multimedia
Graphic
Strengthening Digital Defenses
Enlarge This Image
When President George W. Bush ordered new ways to slow Iran’s progress toward a nuclear bomb last year, he approved a plan for an experimental covert program — its results still unclear — to bore into their computers and undermine the project.
And the Pentagon has commissioned military contractors to develop a highly classified replica of the Internet of the future. The goal is to simulate what it would take for adversaries to shut down the country’s power stations, telecommunications and aviation systems, or freeze the financial markets — in an effort to build better defenses against such attacks, as well as a new generation of online weapons.
Just as the invention of the atomic bomb changed warfare and deterrence 64 years ago, a new international race has begun to develop cyberweapons and systems to protect against them.
Thousands of daily attacks on federal and private computer systems in the United States — many from China and Russia, some malicious and some testing chinks in the patchwork of American firewalls — have prompted the Obama administration to review American strategy.
President Obama is expected to propose a far larger defensive effort in coming days, including an expansion of the $17 billion, five-year program that Congress approved last year, the appointment of a White House official to coordinate the effort, and an end to a running bureaucratic battle over who is responsible for defending against cyberattacks.
But Mr. Obama is expected to say little or nothing about the nation’s offensive capabilities, on which the military and the nation’s intelligence agencies have been spending billions. In interviews over the past several months, a range of military and intelligence officials, as well as outside experts, have described a huge increase in the sophistication of American cyberwarfare capabilities.
Because so many aspects of the American effort to develop cyberweapons and define their proper use remain classified, many of those officials declined to speak on the record. The White House declined several requests for interviews or to say whether Mr. Obama as a matter of policy supports or opposes the use of American cyberweapons.
The most exotic innovations under consideration would enable a Pentagon programmer to surreptitiously enter a computer server in
Or American intelligence agencies could activate malicious code that is secretly embedded on computer chips when they are manufactured, enabling the United States to take command of an enemy’s computers by remote control over the Internet. That, of course, is exactly the kind of attack officials fear could be launched on American targets, often through Chinese-made chips or computer servers.
So far, however, there are no broad authorizations for American forces to engage in cyberwar. The invasion of the Qaeda computer in
A principal architect of that order said the issue had been passed on to the next president, in part because of the complexities of cyberwar operations that, by necessity, would most likely be conducted on both domestic and foreign Internet sites. After the controversy surrounding domestic spying, Mr. Bush’s aides concluded, the Bush White House did not have the credibility or the political capital to deal with the subject.
Electronic Vulnerabilities
Cyberwar would not be as lethal as atomic war, of course, nor as visibly dramatic. But when Mike McConnell, the former director of national intelligence, briefed Mr. Bush on the threat in May 2007, he argued that if a single large American bank were successfully attacked “it would have an order-of-magnitude greater impact on the global economy” than the Sept. 11, 2001, attacks. Mr. McConnell, who left office three months ago, warned last year that “the ability to threaten the
The scenarios developed last year for the incoming president by Mr. McConnell and his coordinator for cybersecurity, Melissa Hathaway, went further. They described vulnerabilities including an attack on Wall Street and one intended to bring down the nation’s electric power grid. Most were extrapolations of attacks already tried.
Today, Ms. Hathaway is the primary author of White House cyberstrategy and has been traveling the country talking in vague terms about recent, increasingly bold attacks on the computer networks that keep the country running. Government officials will not discuss the details of a recent attack on the air transportation network, other than to say the attack never directly affected air traffic control systems.
Still, the specter of an attack that could blind air traffic controllers and, perhaps, the military’s aerospace defense networks haunts military and intelligence officials. (The saving grace of the air traffic control system, officials say, is that it is so old that it is not directly connected to the Internet.)
Studies, with code names like Dark Angel, have focused on whether cellphone towers, emergency-service communications and hospital systems could be brought down, to sow chaos.
But the theoretical has, at times, become real.
“We have seen Chinese network operations inside certain of our electricity grids,” said Joel F. Brenner, who oversees counterintelligence operations for Dennis Blair, Mr. McConnell’s successor as national intelligence director, speaking at the
But the broader question — one the administration so far declines to discuss — is whether the best defense against cyberattack is the development of a robust capability to wage cyberwar.
As Mr. Obama’s team quickly discovered, the Pentagon and the intelligence agencies both concluded in Mr. Bush’s last years in office that it would not be enough to simply build higher firewalls and better virus detectors or to restrict access to the federal government’s own computers.
“The fortress model simply will not work for cyber,” said one senior military officer who has been deeply engaged in the debate for several years. “Someone will always get in.” That thinking has led to a debate over whether lessons learned in the nuclear age — from the days of “mutually assured destruction” — apply to cyberwar.
But in cyberwar, it is hard to know where to strike back, or even who the attacker might be. Others have argued for borrowing a page from Mr. Bush’s pre-emption doctrine by going into foreign computers to destroy malicious software before it is unleashed into the world’s digital bloodstream. But that could amount to an act of war, and many argue it is a losing game, because the
In a report scheduled to be released Wednesday, the National Research Council will argue that although an offensive cybercapability is an important asset for the United States, the nation is lacking a clear strategy, and secrecy surrounding preparations has hindered national debate, according to several people familiar with the report.
The advent of Internet attacks — especially those suspected of being directed by nations, not hackers — has given rise to a new term inside the Pentagon and the National Security Agency: “hybrid warfare.”
It describes a conflict in which attacks through the Internet can be launched as a warning shot — or to pave the way for a traditional attack.
Early hints of this new kind of warfare emerged in the confrontation between
The computer screens of Estonians trying to do business with the government online were frozen, if they got anything at all. It was annoying, but by the standards of cyberwar, it was child’s play.
In August 2008, when
Every few months, it seems, some agency, research group or military contractor runs a war game to assess the
Another war game that the Department of Homeland Security sponsored in March 2008, called Cyber Storm II, envisioned a far larger, coordinated attack against the United States, Britain, Canada, Australia and New Zealand. It studied a disruption of chemical plants, rail lines, oil and gas pipelines and private computer networks. That study and others like it concluded that when attacks go global, the potential economic repercussions increase exponentially.
To prove the point, Mr. McConnell, then the director of national intelligence, spent much of last summer urging senior government officials to examine the Treasury Department’s scramble to contain the effects of the collapse of Bear Stearns. Markets froze, he said, because “what backs up that money is confidence — an accounting system that is reconcilable.” He began studies of what would happen if the system that clears market trades froze.
“We were halfway through the study,” one senior intelligence official said last month, “and the markets froze of their own accord. And we looked at each other and said, ‘Our market collapse has just given every cyberwarrior out there a playbook.’ ”
Just before Mr. Obama was elected, the Center for Strategic and International Studies, a policy research group in Washington, warned in a report that “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration.”
What alarmed the panel was not the capabilities of individual hackers but of nations —
Scanning alone does no damage, but it could be the prelude to an attack that scrambles databases or seeks to control computers. But Team Cymru ran into a brick wall as soon as it tried to trace who, exactly, was probing these industrial systems. It could not determine whether military organizations, intelligence agencies, terrorist groups, criminals or inventive teenagers were behind the efforts.
The good news, some government officials argue, is that the Chinese are deterred from doing real damage: Because they hold more than a trillion dollars in
Then again, some of the scans seemed to originate from 14 other countries, including
Because “cyberwar” contains the word “war,” the Pentagon has argued that it should be the locus of American defensive and offensive strategy — and it is creating the kind of infrastructure that was built around nuclear weapons in the 1940s and ’50s.
Defense Secretary Robert M. Gates is considering proposals to create a Cyber Command — initially as a new headquarters within the Strategic Command, which controls the American nuclear arsenal and assets in space. Right now, the responsibility for computer network security is part of Strategic Command, and military officials there estimate that over the past six months, the government has spent $100 million responding to probes and attacks on military systems. Air Force officials confirm that a large network of computers at Maxwell Air Force Base in
But Mr. Gates has concluded that the military’s cyberwarfare effort requires a sharper focus — and thus a specific command. It would build the defenses for military computers and communications systems and — the part the Pentagon is reluctant to discuss — develop and deploy cyberweapons.
In fact, that effort is already under way — it is part of what the
In short, the Cyber Range is to the digital age what the Bikini Atoll — the islands the Army vaporized in the 1950s to measure the power of the hydrogen bomb — was to the nuclear age. But once the tests at Bikini Atoll demonstrated to the world the awesome destructive power of the bomb, it became evident to the United States and the Soviet Union — and other nuclear powers — that the risks of a nuclear exchange were simply too high. In the case of cyberattacks, where the results can vary from the annoying to the devastating, there are no such rules.
The Deterrence Conundrum
During the cold war, if a strategic missile had been fired at the
In the rare case where the preparations for an attack are detected in a foreign computer system, there is continuing debate about whether to embrace the concept of pre-emption, with all of its Bush-era connotations. The questions range from whether an online attack should be mounted on that system to, in an extreme case, blowing those computers up.
Some officials argue that if the United States engaged in such pre-emption — and demonstrated that it was watching the development of hostile cyberweapons — it could begin to deter some attacks. Others believe it will only justify pre-emptive attacks on the
Senior Pentagon and military officials also express deep concern that the laws and understanding of armed conflict have not kept current with the challenges of offensive cyberwarfare.
Over the decades, a number of limits on action have been accepted — if not always practiced. One is the prohibition against assassinating government leaders. Another is avoiding attacks aimed at civilians. Yet in the cyberworld, where the most vulnerable targets are civilian, there are no such rules or understandings. If a military base is attacked, would it be a proportional, legitimate response to bring down the attacker’s power grid if that would also shut down its hospital systems, its air traffic control system or its banking system?
“We don’t have that for cyber yet,” one senior Defense Department official said, “and that’s a little bit dangerous.”
###
Donations can be sent to the
"The master class has always declared the wars; the subject class has always fought the battles. The master class has had all to gain and nothing to lose, while the subject class has had nothing to gain and everything to lose--especially their lives." Eugene Victor Debs
No comments:
Post a Comment