GWEN IFILL: Now: another concern for the Pentagon.
NewsHour correspondent Spencer Michels reports on cyber-warfare.
SPENCER MICHELS: In a dark hotel ballroom off the Las Vegas Strip, hundreds of computer geeks are playing a high-tech version of capture the flag, among them, a contingent from Korea dressed in traditional garb.
But this is no childhood game. These are the final rounds of a deadly serious exercise at the DefCon hacking convention, looking for security holes that can be exploited, the way a computer expert, a criminal, a spy or a saboteur would.
And there are security holes everywhere. Earlier this summer, the Pentagon revealed that its systems are attacked 250,000 times an hour, six million times a day. The Department of Energy recently warned that computer networks controlling the electric grid are riddled with vulnerabilities, confirming reports that hackers have developed malicious computer code designed specifically to target power plants and other critical infrastructure around the world.
Video of a simulated attack conducted at the Idaho National Lab and obtained by CNN showed how a hacker could simply use a dial-up modem to destroy a massive power turbine. And that goes for the nation’s water supply and air traffic control.
Jeffrey Carr, who spoke at the convention, says that means the United States is at serious risk. He specializes in defeating cyber-attacks against infrastructure and governments.
JEFFREY CARR, author, “Inside Cyber Warfare”: The entire global grid has become a leveler of power. So, the great strength that the U.S. military has, has been mitigated because of its vulnerability, the fact that it has so reliant on networks. This has become a new leveler, just like the Colt 45 was considered the great equalizer. Well, the Internet now has taken over that role.
SPENCER MICHELS: For 18 years, DefCon has attracted hackers of all stripes, security experts, computer-wise kids, professors and maybe even some criminals.
Hackers at this convention have become surprisingly open about what they do. Presentations here include how to hack millions of routers, hacking hardware, and we don’t need no stinking badges, hacking electronic doors.
At DefCon and at the more upscale Black Hat gathering held the same week, experts exchange information and experience. To laypeople, the concept of cyber-war may seem theoretical, since there are no bombs and no troops. But to attendees, like Michael Hayden, who was director of both the CIA and the National Security Agency, cyber-war is not just a game.
GEN. MICHAEL HAYDEN (RET.), former CIA director: If you do something in the cyber-domain, something happens in physical space. This is not just a video game. Real things happen. And, so, whatever you decide here, it’s actually going to make a difference in physical space. And, sometimes, those differences are questions of life and death.
SPENCER MICHELS: And has that happened, in your knowledge?
GEN. MICHAEL HAYDEN: I’m not at liberty to discuss is the best answer I can give you.
SPENCER MICHELS: But real instances of cyber-attacks by one nation against another have been confirmed by intelligence experts not so tied to the government.
Russia launched a digital attack on Estonia in 2007, swamping Web sites and incapacitating banks and media. The same year, Israel reported confusing Syrian radar by hacking into computers prior to bombing an alleged nuclear facility.
In 2008, paving the way for military action, Russia attacked Georgia’s computer infrastructure, crippling the country. And, last year, sensitive information about the F-35 fighter plane project was stolen from Pentagon computers.
Cyber-intelligence expert Jeffrey Carr says the attack came from hackers in China. He says the threat from China is far-reaching.
JEFFREY CARR: If an attack by the U.S. is imminent, they want to have the ability to shut down U.S. government command-and-control networks. They do that by shutting down the grid, because 31 out of 34 of the Department of Defense’s most critical assets rely on the public grid.
SPENCER MICHELS: Do you think they could do it?
JEFFREY CARR: Absolutely. The grid is wide-open.
SPENCER MICHELS: In January, when Google executives said that hackers from China had broken into the company’s computer networks to steal information about Chinese dissidents, that sounded alarm bells in Washington.
But, to Jeff Moss, a computer security expert who founded both hacker conventions, Google’s announcement was welcome.
JEFF MOSS, founder, DefCon and Black Hat: When Google came up and said to the world, hey, we’re being attacked and we think it’s China, and — they stood up and drew a lot of attention to this problem. Now, it’s not new. We — corporate America has been getting attacked for a decade. Why? Why now? Why all of a sudden is it a big problem now? Well, is it because Google is a really large company and they know the right people?
SPENCER MICHELS: And they’re willing to talk about it.
JEFF MOSS: And they’re willing to talk about it. I’m really hoping that Google going public will encourage others to go public, because, as a country, how can we have an informed debate, how can our decision-makers, our policy-makers make an informed decision if they don’t have the facts?
And so my attempt, through conferences like this, is to try to bring people the facts.
SPENCER MICHELS: Among those Moss is trying to reach are government cyber-security specialists, like Riley Repko with the U.S. Air Force. Moss ran into him at the Black Hat convention, which they agreed was a good venue to learn secret tricks of the trade.
JEFF MOSS: But we rely on open forums, Black Hat and other conferences like it, to really figure out what is the art of the possible. And I think maybe that’s what you guys find interesting.
RILEY REPKO, Cyber Operations, U.S. Air Force: And that’s the key. I think, more and more, we’re going to see more and more government attendees to events like this.
SPENCER MICHELS: Among other Defense Department attendees, Jim Christy of the DOD’s Cyber Crime Center.
JIM CHRISTY, Department of Defense Cyber Crime Center: We want to know the latest and greatest tools and techniques that the bad guys are going to use, so we can build countermeasures. Sometimes, we have sources here, informants that will work the crowd. And we have undercovers that may come in here.
SPENCER MICHELS: Many of the lessons are self-taught. These hackers were working together on figuring out how their electronic conference badge worked, essentially an exercise akin to breaking into a computer.
Palmer Eldridge, a self-described hacker, explained how he does it.
PALMER ELDRIDGE, self-described hacker: A lot of attempting to understand cyber-security comes in the form of understanding puzzles. So, during DefCon, the badges are one of the most famous puzzles out there.
SPENCER MICHELS: Defending against cyber-attacks is an industry in its infancy, and, Jeff Moss says, not quite there yet.
JEFF MOSS: It’s solvable. It’s just not solvable easily, because, when we design these systems, a lot of them were not designed with a hostile adversary, not so much intentional manmade attacks, specifically pushing the right button at the right time to cause the most problems. You know, they call that trying to engineer Satan’s computer.
And we didn’t design our country’s infrastructure to defend against, you know, a Satan-type adversary that knows exactly what to do at the right time. So, it’s not impossible to defend against. It just takes a new way of thinking about things.
SPENCER MICHELS: One new approach General Hayden advocates is engaging other countries in a discussion about cyber-security.
GEN. MICHAEL HAYDEN: There are no international norms of behavior in cyberspace. Let’s start there. Let’s start building up a consensus as to what constitutes good and bad behavior in the cyber-domain.
SPENCER MICHELS: Not necessarily a treaty at this point?
GEN. MICHAEL HAYDEN: No, certainly not a treaty at this point. The thinking is frankly just not mature enough. And, besides that, you know, a treaty depends upon verification. There is nothing more difficult to verify than somebody developing a cyber-weapon. You can do that in the garage.
SPENCER MICHELS: For several years, the military has been recruiting hackers to work on cyber-security. Now the Obama administration has stepped up its efforts and created a new cyber-command to deal with the cyber-threat.