When was cyber security recognized as a national issue?
Ronald Reagan was the first U.S. president to address the problem, signing the Computer Security Act of 1987 to protect federal agencies' computer data.
Given the growing dependence in the 1990s of U.S. infrastructures on the cyber world, President Clinton in 1996 set up the President's Commission on Critical Infrastructure Protection, led by former Air Force General Robert Marsh and known as the Marsh Commission, to safeguard vital systems such as gas, oil, transportation, water, telecommunications, etc. Two years later, Clinton ordered the government to work with the private sector to secure vital information networks, 90 percent of which are privately owned and operated. Clinton also appointed Richard Clarke as national coordinator for security, infrastructure protection and counter-terrorism.
In 2000, the Clinton administration released its cyber security strategy, which was criticized by civil liberties and privacy groups for advocating a government intrusion detection network. The plan was later dropped.
In October 2001, George W. Bush set up the President's Critical Infrastructure Advisory Board, responsible for developing a national cyber security strategy. Richard Clarke became White House adviser on cyber security.
In February 2003, the Bush administration released its National Strategy to Secure Cyberspace.
To date, what events have fueled fears about the security of cyberspace?
According to Richard Clarke, the 1995 Oklahoma City bombing was a precipitating event leading the Clinton administration to rethink the vulnerabilities of the nation's infrastructure: "[It] made us all step back and say, 'My God, very large scale attacks can occur in the heartland of the U.S. and one or two people can wreak havoc in our heartland.' And when the smoke cleared and we started thinking about the implications, Janet Reno said, 'We really ought to look at how vulnerable is our infrastructure.'"
In the years that followed there have been several isolated events that have sounded alarms for the cyber security community:
In 1997, the Defense Department launched an internal exercise, code-named "Eligible Receiver," in which a "red team" of hackers from the National Security Agency (NSA) was organized to infiltrate the Pentagon systems. The red team was only allowed to use publicly available computer equipment and hacking software. Although many details about Eligible Receiver are still classified, it is known that the red team was able to infiltrate and take control of the Pacific command center computers, as well as power grids and 911 systems in nine major U.S. cities.
Not long after Eligible Receiver, the U.S. accidentally uncovered Moonlight Maze, a two-year-long pattern of probing of computer systems in the Pentagon, NASA, Energy Department and university and research labs. Although the attacks, which were believed to have started in March 1998, were traced to a mainframe computer in Russia, the perpetrators are still unknown.
As the 21st century began, several cyber attacks involving worms and viruses caused hundreds of millions of dollars in damages. (See "The Warnings?") In the midst of these events, more than 50 distinguished scientists and national leaders wrote an open letter to President Bush in February 2002 calling for a "Cyber-Warfare Defense Project modeled in the style of the Manhattan Project." The signatories to this letter warned that the clock was ticking and that the U.S. was at grave risk of a cyber attack "that could devastate the national psyche and economy more broadly than did the Sept. 11 attack."
What are the cyber vulnerabilities most often cited?
As FRONTLINE reports in "Cyber War!", a weak link in America's vital infrastructures is digital control systems, such as SCADA systems. These digital Supervisory Control and Data Acquisition systems manage critical infrastructures such as gas and propane lines, water, chemical manufacturing systems, power grids, etc. They can be remotely accessed and, because of software vulnerabilities in older systems, an attacker could penetrate the systems and manipulate them without being discovered, potentially inflicting physical damage on the critical infrastructure.
FRONTLINE focused on one particular part of this threat, the electric power grid, because the grid is tied into so many other critical infrastructures and because, if the power grid were taken down, it would have a serious psychological impact on the population.
What is known about Al Qaeda's cyber capability?
Following the war in Afghanistan against the Taliban and Al Qaeda, the U.S. captured many Al Qaeda computers, interrogated many Al Qaeda prisoners, and learned that Al Qaeda was farther along in its cyber skills and interest than previously thought. The U.S. found sophisticated engineering software that allows for the modeling of what would happen in the event of a catastrophic failure of a dam, and how to bring that failure about. Investigators also found Internet training manuals and learned that people linked to Al Qaeda were taking classes in Pakistan and elsewhere. The assumption is that their aim was not just to learn computer skills for communicating with each other but to learn about hacking tools and other tactics for computer network attacks.
There was one specific Al Qaeda computer in which investigators found software and connections to a programming site where the users had been pulling specific information about digital switches on power and water company system infrastructures. It showed how Al Qaeda was doing research through open, available resources to learn more about U.S. critical infrastructure and how to exploit it. With the growing sophistication of hacking tools -- available on the Internet, easy to download, and easy for people to change and adapt to produce more sophisticated hacking methods -- many experts are concerned about terrorists adopting cyber tactics.
What are the key government organizations working on this issue?
The February 2003 National Strategy to Secure Cyberspace gives the new Department of Homeland Security the lead in implementing the required measures to protect America's cyber security. Of the 22 organizations that were merged into Homeland Security, four are cyber security offices and programs: the Critical Infrastructure Assurance Office (formerly in the Department of Commerce), the National Infrastructure Protection Center (formerly in the FBI), the response functions of the Federal Computer Incident Response Center (formerly in the General Services Administration), and the National Communications System (formerly in the Department of Defense). In addition, many responsibilities of the White House cyber security adviser have been transferred to the Department of Homeland Security.
In his interview with FRONTLINE, Richard Clarke, former White House cyber security adviser, expresses some nervousness about the new system: "We have asked the Department [of Homeland Security] to carry a huge burden on security of cyberspace. And if it doesn't look like it's doing a good job, we need to blow the whistle. It's too early to tell right now whether they'll be able to do it or not."
What is the key recommendation of the National Strategy to Secure Cyberspace?
The cornerstone of U.S. strategy is the implementation of a public-private partnership to secure cyberspace. "In general, the private sector is best equipped and structured to respond to an evolving cyber threat," the report reads. "A federal role ... is only justified when the benefits of intervention outweigh the associated costs. This standard is especially important in cases where there are viable private sector solutions for addressing any potential threat or vulnerability."
Cyberspace security is a unique issue because while its vulnerabilities are a national security problem, 85 to 95 percent of cyberspace is owned and managed by the private sector. It is not surprising that the Bush administration -- generally opposed to solving problems by implementing more government regulations -- would downplay the federal government's intervention in this issue.
However, some experts forecast that when a major destructive cyber attack hits the U.S., all bets will be off. As President Bush's former cyber security adviser Richard Clarke notes, "It's in the industry's best interest to get the job done right before something happens."
What are the most contentious issues emerging over how to implement an effective U.S. cyber security strategy?
• To start with, there is debate about just how big an issue cyber security is compared to other threats.
Experts like former Deputy Defense Secretary John Hamre and technology expert James Lewis say that cyber terrorism is certainly a possibility, but it would not have the devastating impact of the Sept. 11 terrorist attacks. "Terrorists seek the shock effect," Hamre notes. "It's hard to see the shock effect when you can't get your ATM machine to give you 20 dollars." Those taking a more skeptical view of the threat of a cyber attack also say that it's very difficult to knock out infrastructure -- industries have been preparing for this and have back-up plans to get their programs back online. In addition, they say the U.S. is far better prepared for attacks on physical infrastructures compared to five or six years ago before several wake-up events brought real attention to cyber security.
But others, such as security experts Joe Weiss and Sami Saydjari, maintain that the day has arrived where a cyber attack could potentially inflict real-world physical damage through a terrorist takeover of the digital control systems that run structures like gas pipelines, dams, emergency telephone systems, and electrical systems. There are millions of these digital black boxes. Once they were designed as stand-alone systems, unconnected to each other or the outside world and not built with security in mind. But over the past decade these digital control boxes have been connected to the Internet and are increasingly vulnerable.
• Where is the problem? Where does one focus first?
We are only now beginning to focus on the problems posed by our growing dependence on cyberspace, experts say. The debate continues to rage over the nature and degree of the threat and the significance of our vulnerabilities. It seems clear that security must be a major concern for all software and hardware manufacturers, critical infrastructure managers, and individual computer owners, as well.
Experts such as Joe Weiss say that in the short term, to "close the doors and windows" of our critical infrastructure vulnerabilities, security policies have to be strengthened, vulnerability assessments run, and software vulnerabilities assessed and patched. Some experts, such as defense analyst John Arquilla, call for the immediate widespread use of sophisticated encryption programs that are already available. Amit Yoran of Symantec says the country needs to create a culture where security is a requirement to do business, and that message has to start from the top down.
Others complain that known vulnerabilities could be patched if software manufacturers made the process easier. "We have to improve the patching process," acknowledges Scott Charney, Microsoft's chief security strategist. However, he says, "I think now that there's all this attention paid to security, you will increasingly see tools designed to help manage the security of the products."
• In a world of limited financial resources, who will -- and should -- pay for closing the security holes in cyberspace?
Some have estimated an expenditure of tens of billions of dollars will be required over many years. But even then, there's no guarantee all the holes will be fixed. Private industry is reluctant because beyond national security interests it has to worry about liability. Admitting it has a problem in its software or hardware can hurt stock prices and make a company vulnerable to lawsuits. Microsoft's Scott Charney says that his company is putting a lot of its own resources into security, but he warns that ultimately consumers will have to show that they are "willing to pay for security features."
• Do we have the hardware and software to fix this?
Many believe our vulnerability problems will only be dealt with successfully over the long term. Some, including SCADA expert Michael Skroch, say that a new generation of more secure technology is called for. They look to programs such as the Energy Department's National SCADA test bed, a program involving Sandia National Laboratories and the Idaho National Engineering and Environmental Lab, to develop these new systems.
Others, including Sami Saydjari, push for more secure software and better precautions put in place to find malicious code and other vulnerabilities before products make it to the marketplace. Software manufacturers, including Microsoft, promise more secure products, but Richard Clarke and others warn that these problems must be met if we are to expect a more secure infrastructure in the future.
FRONTLINE's report focuses on America's vulnerabilities to a cyber attack. What is the extent of the U.S.'s offensive cyber capabilities?
This is a very sensitive area and it is hard to get national security and military officials to talk about it. According to John Arquilla, cyber tactics were employed in NATO's war in Kosovo against the Serbs. Such tactics, for example, were used to distort images generated by Serbian integrated air defense systems. This kind of capability, says Arquilla, was "essential to the high performance of the air campaign." He also says that cyberspace means of attack "were used substantially by our adversaries, both during and after the conflict."
In February 2003, The New York Times reported that the U.S. was ready to use similar, but more technically advanced, tactics in the war to oust Saddam Hussein.
However, there is a big debate and a reluctance to talk about America's cyber offense strategy and tactics because this is an area in which it is especially vulnerable: The U.S. fears that if it introduces such tactics, adversaries will feel free to do the same.