Produced by Michael Kirk
Co-Produced and Reported by Jim Gilmore
Written and Directed by Michael Kirk
NARRATOR: Super Bowl Sunday, 2003, and Washington had a bad
case of pre-game jitters. The
headlines and talk shows were about war with Iraq. The president was practicing his state of the union
address. There was trouble with
North Korea. And on Washington's
outskirts that weekend, inside this secure facility they were tracking another
YORAN: We started noticing a tremendous number
of increases of a particular type of attack.
NARRATOR: The Internet was down in parts of Asia.
YORAN: It was coming from a tremendous number
of source addresses from different locations.
NARRATOR: And the
virus was advancing.
YORAN: About three quarters of our customers
were experiencing attacks from this particular worm. It was trying to infect thousands of systems very
rapidly. And what that did was, it
ate up the bandwidth, the communications channel between the various computers
of the Internet.
NARRATOR: They named it "Slammer." By dawn, it had the full attention of
the White House.
CLARKE, Director, Cyber Security, White House:
In 15 minutes, before anybody could even be notified the attack was
going on, 300,000 servers were taken over. But it wasn't just servers that were affected-- 911 systems
were affected, bank ATM machines were affected, reservation systems for major
YORAN: Almost each and every network that we
monitor is attacked, probed, prodded every single day. The Internet is a hostile environment.
NARRATOR: On this weekend, the Slammer's creators eluded
CLARKE: In the past, you would count the number
of bombers and the number of tanks your enemy had. In the case of cyber war, you really can't tell whether the
enemy has good weapons until the enemy uses them.
NARRATOR: Tonight: a new set of American warriors. Journey
into a new American battlefield.
Tonight on FRONTLINE, Cyber War!
WASHINGTON POST: "Detective Chris Hsiung of the
Mountain View, California, Police Department began investigating a suspicious
pattern of surveillance against Silicon Valley computers."
BARTON GELLMAN, The Washington Post:
Silicon Valley, as you could expect, has an unusual department within
its police force, and that is protection against cyber crime. They had a guy in charge of that
section called Detective Chris Hsiung.
Det. CHRIS HSIUNG, Mountain View Police Dept: I was
notified by my division captain that the city Web site coordinator had
discovered some suspicious activity, visitors to the city Web site. This was only less than a month after
NARRATOR: Detective Hsiung's investigation started with Laura
LAURA WIGOD, Mountain View Web Site Coordinator: I'm
the Web site coordinator for the city of Mountain View. So basically, I run the Web site, put
all the content on.
BARTON GELLMAN: Detective Hsiung begins to notice a
strange pattern of computer intrusions, something that has to do with dams and
emergency telephone systems and electrical systems.
LAURA WIGOD: I've always been interested in other
countries, but I'm specifically a big fan of Middle Eastern culture. But we didn't have any visitors from
any of those countries until the summer of 2001. And when they first showed up on my report, I was really
excited. I just thought it was
really neat that people from these countries were visiting our site. And I couldn't imagine what they wanted
to see there, but I was thrilled.
NARRATOR: The elation wouldn't last. After September 11th, seemingly benign visits from Middle Eastern
cyber tourists took on new meaning.
BARTON GELLMAN: He's seeing probes that seem to
originate in Saudi Arabia, Pakistan, Indonesia, and that are looking into the
junction of pipelines, for example, and the digital control systems that run
Det. CHRIS HSIUNG: After 9/11, obviously, the state of the
country at that time, especially among law enforcement, was, you know, don't
rule anything out.
RICHARD CLARKE, Director, Cyber Security, White House: It
does look like part of a pattern of potential long-range surveillance, remote
surveillance by Al Qaeda or terrorist groups.
WASHINGTON POST: "Some of the probes suggested
planning for a conventional attack, U.S. officials said."
BARTON GELLMAN: The FBI did a broader investigation. And it found, according to a classified
assessment, that there was a broad pattern of intrusions that were described to
me as "casing" these digital controls, trying to learn how the
networks worked and what kind of security protected them and, if you had to
reach out and touch a small number of them, which ones would be the most
damaging. And this is a scary
NARRATOR: Detective Hsiung's evidence was sent to the FBI,
where the head of the bureau's infrastructure protection unit says it fit an emerging
and familiar pattern.
RON DICK, FBI Infrastructure Protection '01-'02: The
thing that keeps me awake at night is a physical attack on U.S. infrastructure
which is combined with a cyber attack which disrupts the ability of first
responders to access 911 systems, disrupts our power grids such that, again,
first responders can't respond to an incident. Those are the things that keep me awake, and those are very
NARRATOR: At just this time on the World Wide Web, an e-mail
was making the rounds. From
universities to think tanks to deep inside hush-hush government projects, a
growing number of concerned scientists were writing a letter to the president
of the United States.
TO PRESIDENT: "Mr. President: Our nation is at grave
risk of a cyber attack that could devastate the national psyche and economy
more broadly than did the September 11th attack. We, as concerned scientists and leaders, seek your help and
O. SAMI SAYDJARI, CEO Cyber Defense Agency: September
11th told us our adversary was very willing to use our infrastructure against
us. A group of us got together and
decided that it was important to let our leadership know, to give them the
benefit of the best scientific thinking in this area, to say, "Hey, this
is a really serious problem."
TO PRESIDENT: "The critical infrastructure of
the United States -- including electrical power, finance, telecommunications,
health care, transportation, water, defense and the Internet -- is highly
vulnerable to cyber attack. Fast
and resolute mitigating action is needed to avoid national disaster."
[www.pbs.org: Read the letter]
O. SAMI SAYDJARI: Ultimately, it turned into about 54
scientists and leaders -- former national leaders, intelligence community people,
as well -- sending this letter that makes the case that says we have a problem
NARRATOR: The letter was sent February 27th, 2002, to the
White House. It made its way to
the White House Office of Cyberspace Security, into the hands of one of the
government's most experienced troubleshooters.
RICHARD CLARKE: Well, I think the letter from the
scientists and engineers was a bit more stark than other things that the
government has seen. It sent the
message that we depend upon the Internet for our national security and our
national economy. And we know -- we
know -- it's not secure, and therefore the government has to act.
NARRATOR: Richard Clarke knows how to kick-start the
government. For 30 years, he's
been operating in and out of the shadows of six administrations.
BARTON GELLMAN: What's unique about Clarke is his
effectiveness in the bureaucratic process. He's just a guy who rolls over opposition. And it's just unusual in the U.S.
government, and it's especially unusual to last a long time and win a lot of
NARRATOR: But in the mid-'90s, Clarke lost an important
battle. As head of
counterterrorism for the National Security Council, he was unable to persuade
higher-ups of the danger the country faced from a then obscure Saudi citizen
named Usama bin Laden. After 9/11,
when most intelligence gathering shifted to finding Al Qaeda cells, Clarke
decided to investigate a new threat, attacks from cyberspace.
RICHARD CLARKE: The first thing I said to my staff was,
"I want to go see the Internet." And that got a lot of chuckles, because, you know, after,
Dick, it's virtual. It's in
cyberspace. You can't see it. I said, "No, I think you can, and
I want to go find it."
So we went on a series of trips in search of the Internet,
and we found it. And we found it
on Wall Street, six feet below the sidewalk, running into the stock
market. We found it coming up out
of the water on the New Jersey shore, where it comes from Europe. We found its heart beating in various
network operation centers owned by the so-called backbone companies that own
and operate the backbone of the Internet.
It exists. There are key
points to it.
NARRATOR: Clarke began to test the security at regional
Internet hubs, talking his way past guards, breaching security.
RICHARD CLARKE: What I was able to do a lot in those
early days is get fairly far into the building and fairly far onto the control
floor of these regional hubs without any problem. And then I knew we had a problem.
HACKER: In the United States, there are two
network nodes that you can hit electronically and one that you would be more
effective to hit physically using a truck bomb. But if you hit those three nodes, then you would be able to
destroy American communications for a significant length of time.
NARRATOR: This is a soldier of fortune in the cyber war, a
high-end hacker. He's well known
in the secret world of computer spies, at the National Security Agency, the
Defense Department and the CIA.
He's on their side. He
works in secret and wants to keep it that way. We have hidden his identity and altered his voice.
HACKER: If you were to talk to anybody who
works at any one of those NOCs -- Network Operating Centers-- or anyone who works
in security for the telecommunications industry, they already know where their
targets are. They already know the
problems that they have.
NARRATOR: But as vulnerable as they are to physical attack,
it's inside the Web's nervous system, hidden in coded packets of data, that the
hacker and others wage their invisible war.
HACKER: In a terrorist sense, the U.S. is an
open target. You can hit just
about anything that you want to hit, one way or another. This is not bragging, this is a measure
JOHN ARQUILLA, Information Warfare Analyst, DoD: Cyber
war is like Carl Sandburg's fog.
It comes in on little cat feet, and it's hardly noticed. That's its greatest potential.
NARRATOR: Everyone who wants to know about cyber war
eventually finds their way to John Arquilla.
JOHN ARQUILLA: In the realm of cyberspace-based
disruptive threats, we haven't yet had what they call the "electronic
Pearl Harbor." I think part
of that is a function of our skillful defense of our systems. It's not that we're bereft of
attacks. Tens of thousands of
attacks occur every week against Department of Defense systems alone.
NARRATOR: He's been at the Rand Corporation, one of the first
cyber warriors in desert storm, and in Kosovo worked for the Defense
Department. Like Clarke, Arquilla
is a bit of a handful inside bureaucracies.
JOHN ARQUILLA: In my checkered career, I've had, I
think, the good fortune to always be thinking a few years ahead of events. And that has been useful in terms of
anticipating threats. It has also
created a fair amount of social friction.
NARRATOR: He's been stashed -- sidelined, really -- out in
California at the naval postgraduate school in Monterey. But he knows about the power grid, the
water supply, air traffic control systems. Talk about malicious code, probes and pings Arquilla understands.
Zombie computers, he's an
JOHN ARQUILLA: We're looking at hackers and others who
are developing very profoundly different kinds of code-breaking
techniques. Some of this has to do
with linking together many computers around the world. Some hackers have hundreds or thousands
of zombies that they control. The
zombie has come back to life in the information age now as something that's
controlled by a hacker, that can be used to hot-wire them all together to
create computing power beyond our imagination.
HACKER: I could take down scores, thousands of
systems, for example, in Taiwan and then turn those systems, through its
high-speed pipe, against any other nation in the world. Does it mean the attack is originating
in Taiwan? No, not at all.
So the problem that the U.S. has with terrorist attacks,
where we still don't know where the anthrax came from, is the same problem you
have with information operations.
If you do the job correctly, there are no fingerprints and nobody can
trail you back.
NARRATOR: At the White House, Dick Clarke learned about
zombies the hard way.
RICHARD CLARKE, Director, Cyber Security, White House: Code
Red was the name of a computer attack that occurred in July of 2001, where
during the course of the day, we became aware that, ultimately, 300,000
computers around the country had been violated. Someone had gotten into them and planted software.
NARRATOR: The White House urgently contacted the companies
that run the Internet.
RICHARD CLARKE: And by about 4:00 o'clock in the
afternoon, they came to me in a teleconference and said, "There's good
news and bad news. The good news
is we know what's going to happen.
At 8:00 o'clock tonight, hundreds of thousands of computers are all
going to simultaneously start sending pings toward one site on the
Internet. The bad news is, you are
the site, the White House."
NARRATOR: If the assault worked, in nanoseconds the pings --
hundreds of thousands of simultaneous computer pulses -- would overwhelm the
RICHARD CLARKE: Hundreds of thousands of computers are
going to be firing off pings every second from all over the Internet, and all
of that message traffic is going to flow through all of the different channels
toward one server.
NARRATOR: Clarke and the nation's Internet providers worked
out a plan to block any traffic directed at the white house. And then they held their breath.
RICHARD CLARKE: The clock hit 8:00 o'clock. Hundreds of thousands of computers
around the world started firing probes to the White House, and they all died as
they hit the edge of the Internet.
ROGER CRESSEY, Cyber Security, White House, '01-'02: The
size of the attack, I think, caught a lot of people by surprise. And what Code Red demonstrated was that
a sophisticated denial-of-service attack could significantly slow the
Internet. And if you then go to
the next step, it's not inconceivable that an attack could bring down the
Internet for a period of time.
NARRATOR: Then, as the nation was reeling from the tragic
events of September 11th, the zombies struck again.
FRANCISCO CHRONICLE: "A new computer worm struck the
Internet today, sending network security workers scrambling to protect their
systems from being attacked."
NARRATOR: One target was Wall Street.
FRANCISCO CHRONICLE: "The worm, known as W32.Nimda,
knocked Web sites off line and overloaded"--
RON DICK, FBI Infrastructure Protection '01-'02: I was
up to my neck in responding to the events of September the 11th through the
command post there at FBI headquarters, and then right on top of that the NIMDA
RICHARD CLARKE: The Nimda virus ripped through the
American financial sector just a week after the terrorist attacks of September
11. It cost probably $3 billion,
one virus, the Nimda virus. Had it
not been for the fact that September 11th was the week before, it would have
been a big news story.
RON DICK: It proliferated across the world at a
far greater rate than Code Red did.
It rattled the Internet, and it caused billions of dollars of damage. And we still don't know who perpetrated
[www.pbs.org: A closer look at these events]
NARRATOR: Catching the hackers in Code Red or Nimda -- indeed,
in any of these cases -- proved impossible.
JOHN ARQUILLA: The time to back-hack a perpetrator is
within seconds, minutes or hours of the action, not months and years after it
happened. The trail is far too
cold by then.
NARRATOR: The Web by now is nearly everywhere. The world is full of hideouts. Dick Clarke and many experts have come
to believe events like Slammer and Code Red and Nimda were really not ends in
themselves. They're certain they
were experiments by an enemy or enemies seeking vulnerabilities in the system.
O. SAMI SAYDJARI, CEO Cyber Defense Agency: The
number of probes that we're detecting is going up significantly. There's clearly a lot of people out
there doing reconnaissance, and they don't want to be seen. So these aren't your average, everyday
INTERVIEWER: Who might they be?
O. SAMI SAYDJARI: I think they would be adversaries who
are interested in doing reconnaissance without tipping their hand that they're
doing their reconnaissance in our networks.
INTERVIEWER: Why are they doing it?
O. SAMI SAYDJARI: To prepare for attack or to prepare for
getting information out of our systems, to understand our vulnerabilities. That's why you probe and scan networks.
NARRATOR: Inside this building are the top-secret military
computers every enemy cyber warrior wants to invade. John Hamre was second in command at the Pentagon in the
JOHN HAMRE, Deputy Secretary of Defense '97-'99: What
startled me at the time was how we had brought around us this powerful new
technology, with virtually no security awareness. We didn't have disciplined protocols and procedures in place
for how people could connect to the wider Internet. It was just absolutely-- we let a thousand flowers
bloom. And as you would expect in
that environment, there were just countless opportunities for mischief.
NARRATOR: Hamre wanted to find out just how vulnerable DOD
computers were. In 1997, the DOD
initiated a red team exercise code-named "Eligible Receiver."
RICHARD CLARKE: We got the permission of the
Pentagon. We put together a small
team of hackers and only used hacking techniques and tools that we could
download from the Internet and attacked the Pentagon systems.
JOHN HAMRE: Eligible Receiver really demonstrated
how-- the real lack of consciousness about cyber warfare. I mean, really, the first three days of
Eligible Receiver, nobody believed we were under cyber attack.
RICHARD CLARKE: They took control of the Pentagon
systems, took control of the National Military Command Center computers.
JOHN HAMRE: If you get super-user control of one
node, you basically can get into a network. Pristine protection, I mean, absolute sanitary protection,
is what's required, and you'll never get it.
NARRATOR: There are details about "Eligible
Receiver" that even today have not been revealed. But one thing is certain: It scared the
hell out of the Pentagon.
JOHN ARQUILLA, Information Warfare Analyst, DoD:
Eligible Receiver is a classified event about which I can't speak. What I can say is that when people say
there is no existence proof of the seriousness of the cyber threat, to my mind,
Eligible Receiver provides a convincing existence proof of the nature of the
threat that we face.
NARRATOR: The Pentagon ordered new detection systems installed
on its computers. But it wouldn't
take long for the defense department to be hit again, and this time it wasn't
an exercise. They gave it the code
name "Moonlight Maze."
RICHARD CLARKE: All that I can say about Moonlight Maze
is that the phrase Moonlight Maze refers to an investigation conducted by the
INTERVIEWER: How involved was the FBI?
RON DICK, FBI Infrastructure Protection '01-'02: I
can't comment on that.
NARRATOR: But they could divulge general details. The Pentagon accidentally discovered a
pattern of probing and cyber espionage that had been going on for nearly two
years. A game of cat-and-mouse
RICHARD CLARKE: As we raised defenses on those computer
networks, they raised the attacking capabilities on those computer networks.
JOHN HAMRE: We found that the opponent was learning
as he or she went along, that they were getting better as we were getting
better at cracking it. That
worried you because that meant that they had some type of a monitoring system
to observe us while we were observing them. And so we're obviously dealing with a very sophisticated
NARRATOR: Highly placed sources FRONTLINE cannot name told us
more: The invaders were systematically marauding through tens of thousands of
files, maps of military installations, troop configurations, military hardware
JOHN HAMRE: They took huge amounts of
information. Huge amounts of
information. And there was not a
clear pattern to the information that they took.
NARRATOR: The DOD began tracing the invasion. The trail led to
a huge mainframe computer in the former Soviet Union.
RICHARD CLARKE: It continues to be an active
investigation, so I can't talk about who it may or may not have been.
JOHN HAMRE: We do not know who did it. We do know back a certain direction
where the attack came from, but we don't know that that was the ultimate source
of the attack. It could have been
a front operation.
JOHN ARQUILLA: I think the case highlights the problem
of identifying the ultimate user.
Some tracking was done back to systems in Moscow, for example, but that
by no means suggests that these were Russians doing this. It could easily have been someone
operating in an entirely other part of the world who bounced off of a computer
in Russia. Or it could have been
RICHARD CLARKE: Thousands of attempts a day to get into
the Defense Department networks are detected. It's the ones that aren't detected that are the
sophisticated ones. And the
question therefore arises, in some future war, in some future tension, in some
future crisis, could we wake up one morning and find that great damage had been
done to our railroad system, our electric power system, our banking system, our
military logistics system by Trojan horses, logic bombs that were planted in
our infrastructure in advance without our knowing it.
NARRATOR: Many in the cyber war are convinced the days of
merely using the Web to probe and map America's infrastructure are near an end.
They worry the enemy -- especially one enemy, in particular -- is preparing for
HACKER: I've been watching them for quite a
while, and they are very, very good at everything from money laundering to
secure communications. And to
underestimate them at any point in time is suicidal.
NARRATOR: He's talking about Al Qaeda. In the rubble created by the war in
Afghanistan, Clarke and other cyber experts looked at Al Qaeda computers.
ROGER CRESSEY, Cyber Security, White House, '01-'02: I
think the breadth of their interest in areas such as computer attack caught us
by surprise. And by that I just
mean the documents that were found, information we've learned from people that
we have in custody.
RICHARD CLARKE: What we found on Al Qaeda computers
were that members of Al Qaeda were from outside the United States doing
reconnaissance in the United States on our critical infrastructure.
BARTON GELLMAN, The Washington Post: The
government has changed its view.
The CIA said 18 months ago that Al Qaeda is nowhere near having the
capability to inflict serious damage in cyber war. It put out a new memorandum of intelligence some months ago
saying, "Well, it looks like they have more capability than we thought,
and it looks like they have more intention than we thought."
ROGER CRESSEY: They were putting people in computer
classes whose purpose simply was to develop a competency and a skill set that
they could then turn into a capability to develop attacks.
NARRATOR: And there are those who fear that if Al Qaeda has
acquired those skills, they will mount a devastating attack on one of the
nation's most vulnerable infrastructures.
They may be able to use the Internet to bring down portions of the
electrical power grid.
RICHARD CLARKE: It turns out that there are only five
or six software systems that are used around the world to run electric power
grids, other utilities, pipelines, dams, those sorts of things. They're called digital control systems,
or they're called SCADA systems, supervisory control data acquisition systems.
NARRATOR: Almost no one flips a switch at the power company
anymore. Now it's done by a little
black box, a SCADA system, that talks to other little black boxes, often
through the Internet.
MICHAEL SKROCH, Sandia National Laboratories: SCADA
systems are really the cyber world's portal into our 3-D world. They allow cyberspace to sense what
we're doing, sense temperature, sense movement, sense position. And they allow cyberspace to control
things in our 3-D world-- move a motor, close a switch, turn on a heater.
POST: "Al Qaeda prisoners have described
intentions, in general terms, to use those tools. Specialized digital devices are used by the millions as the
brains of American critical infrastructure."
BARTON GELLMAN: All of a sudden, someone coming in from
Pakistan through the Internet, through a hole in your intranet security, is in
a place where they can control these black boxes. That is the threat.
NARRATOR: Once SCADA systems stood alone in factories or power
plants. Not anymore. Now they're connected on the Web. Whole industries are linked. That's good for business and even
better for cyber warriors.
TOM LONGSTAFF, CERT Research Center: I liken
it very much to my own thermostat at home. My thermostat at home is protected because I keep my front
door locked, so no one can come in and change my heat around. If I add a wireless element to my
thermostat, now, suddenly, I can control it from my computer. I can turn the heat up when I'm at
work, so that the house is warm when I get home. I can understand every month exactly what my fluctuations
are in temperature.
Unfortunately, because it's wireless, someone could sit
outside my house, now, in the car, with a laptop, and at 4:00 o'clock in the
morning turn off my heat in the dead of winter.
NARRATOR: At Sandia National Laboratories in New Mexico, they
worry about just how vulnerable the nation's power grid is. Recently, they initiated a series of
red team assaults on SCADA systems that control power companies, including
their own solar power-generating station.
MICHAEL SKROCH: When we go after an electrical power
system, electrical power provider for the critical infrastructures, we always
penetrate that system. During an
attack on a SCADA system, an operator will see what the adversary wants them to
see and-- of course, dependent upon the scenario and the security of that
system. So an operator may see a
false indication of the condition of their infrastructure. They may be fooled into taking actions
that are unwarranted, so that they themselves damage the infrastructure, not
What the attacker did was implement an attack script that
befuddled the display of the controller, so that when they move one control on
a generator, it affects a second.
This will confuse the operator and perhaps cause an effect on the infrastructure
At the solar facility, when we attacked the IT
infrastructure, what we did was, we hacked into the system using a common
technique. Once we were into the
system, we were able to access any of the command and control functions that
the operator would be able to use.
In this case, we simply executed a script that moved four of the mirrors
and danced them around on the solar facility.
The Red Team could have gained access to the system, written
a more specific script to have a specific effect on the mirrors, such as moving
them to the wrong location or causing damage to the solar facility.
INTERVIEWER: Could you and a group of friends take
down the electrical grid of the United States or North America?
HACKER: I don't know if you'd be able to take
down the whole grid, but I know that you could take down significant pieces of
it for, let's say, operationally useful periods of time. Penetrating a SCADA system that's
running a Microsoft operating system takes less than two minutes.
INTERVIEWER: Could your team take down the entire
grid in the United States?
MICHAEL SKROCH: The IDART Red Team could demonstrate
numerous vulnerabilities and system effects against U.S. critical
infrastructure that are scenario-dependent and adversary-dependent. And we do this so that we can help
improve the systems, so that they can't be taken down in the future and a cyber
Pearl Harbor won't affect the U.S. infrastructures.
INTERVIEWER: But could you, if you wanted to?
MICHAEL SKROCH: I won't answer that question.
NARRATOR: And even though the power companies don't like to
talk about it, this threat really scares them, especially industry experts on
cyber security. FRONTLINE reporter
Jim Gilmore talked to one of them, Joe Weiss.
INTERVIEWER: What's the worst-case scenario? Power, we're talking here, power lines,
JOE WEISS: Absolute worst? I won't even say absolute, but a very
worst case could be loss of power for six months or more.
INTERVIEWER: Over how big an area?
JOE WEISS: Big as you want.
INTERVIEWER: Is that a possibility?
JOE WEISS: Yes.
JOE WEISS: I'd just as soon not go into it.
INTERVIEWER: But you believe, as an expert and a man
who understands these systems, that that, indeed, is a possibility.
JOE WEISS: It's possible.
INTERVIEWER: Why isn't Washington quaking in its
JOE WEISS: I can't tell you. I don't know. I don't know.
[www.pbs.org: Read the full interview]
NARRATOR: Each time he returned to Washington, Clarke found it
more difficult to make cyber security a federal priority. And now, with money and power at stake,
doubts and questions would be raised. Washington is a war capital, and Clarke's
battlespace is virtual, and according to some, not even real.
JAMES LEWIS, Center for Strategic and Int'l Studies: One
easy test for cyber security is to ask yourself the following question: Could
Godzilla do it? And if the
answer's yes, it's probably not a very realistic scenario. And so when you get into these things,
where, you know, a big green monster is going to shut down the whole electrical
system or the water system, it's not very likely.
NARRATOR: There is at the Pentagon and military think tanks an
anti-Clarke, anti-cyber chorus, high-ranking retired military officials
publicly comparing the impact of cyber war against what some of them call
"flesh and blood war."
JAMES LEWIS: Cyber attacks as a replacement for WMD
would have to qualify as a gross inflation. Nobody argues, or at least no sane person argues, that a
cyber attack could lead to mass casualties. And so it's not in any way comparable to weapons of mass
destruction. And in fact, what a
lot of people call them is "weapons of mass annoyance." If your power goes out for a couple
hours, if somebody draws a mustache on Attorney General Ashcroft's face on his
Web site, it's annoying. It's
irritating. But it's not a weapon
of mass destruction.
NARRATOR: And so in a city fresh from a war fought over
weapons of mass destruction, the cyber warriors are barely a blip on the
screen. And this is the case even
for a man who was once a true believer.
JOHN HAMRE, Deputy Secretary of Defense '97-'99: I
think cyber terrorism is a theoretical possibility. But will cyber terrorism be like September 11th? No, I don't think so. Not right now.
NARRATOR: Former deputy secretary of defense John Hamre now
believes the early problems of cyber intrusion were merely wake-up calls that
actually have made the system better.
JOHN HAMRE: I think there's an awareness in the IT
community now about security that wasn't there five years ago. So I don't discount it. It is certainly theoretically
possible. But the knowledge of--
the cyber security awareness today is thousands of times stronger than it was
five years ago, when we first conducted Eligible Receiver.
NARRATOR: Hamre's argument is just one in an increasingly
bitter war of words.
RICHARD CLARKE, Director, Cyber Security, White House: I hope
I'm wrong. I hope it is the case
that not only me but the thousands of experts who say we have a problem -- the people
in companies, people in universities who say that we have a major cyber
security problem -- I hope we're all wrong. But every day, we're being proved right.
JAMES LEWIS: A lot of the people who think about the
seriousness of cyber warfare tend to be computer people. And what you need to do is, you need to
get more national security people, more military people thinking about it,
people whose job is to win wars or to defend the nation, not whose job is to
administer computer networks.
JOHN ARQUILLA, Information Warfare Analyst, DoD: I
think the skillful hackers are like the Vietcong. They know that they have a short period in which they will
hold the advantage, and then they must disengage. And so we have to watch out for those kinds of tactics. I think we also need to be worried in
the future that we won't have a few isolated incidents that occur over months
or years, but we have to worry about the possibility of a campaign approach
being taken by the cyber attackers in which they mount several attacks over a
period of hours or perhaps over days.
Think about, for example, a Nimda virus, something like that, that would
be deployed once a week for three months.
Think about the economic impact of something like that.
JOHN HAMRE: Terrorists are after the shock effect
of their actions, and it's very hard to see the shock effect when you can't get
your ATM machine to give you $20 dollars.
I mean, it's distributed all around-- when we had this last worm, or
whatever it was, I went down to the bank, tried to get money out of the ATM
machine. I couldn't get any money
out. Well, it was frustrating to
me personally, but it doesn't translate in the same way that flying an airplane
into a building does.
JOHN ARQUILLA: If I were establishing a terror organization
today, I would be more interested in doing costly disruption by
cyberspace-based means. If I did
physical destruction, I would know that I would have to deal with a bunch of
angry Americans who would track me to the ends of the earth. On the other hand, if I could engage in
acts that would cause hundreds of billions of dollars worth of costly economic
damage, and I could do it relatively secretly, why wouldn't I pursue that
aim? And why wouldn't that make me
a great hero to the constituency I was serving, my people, those who believe as
I would? So if I were a terrorist,
I would be thinking these days about mass disruption rather than mass
[www.pbs.org: Read the interview]
NARRATOR: And so out in California, Arquilla is thinking about
how to defend against weapons of mass disruption. But he's also helping the
navy to create an offensive cyber capability.
JOHN ARQUILLA: Americans need to realize that even as
we learn to defend our country against cyber warfare, we naturally are developing
offensive capabilities, as well. You cannot defend yourself unless you
understand how the offense works.
And in so doing, you learn to wage offensives.
NARRATOR: FRONTLINE was allowed to see some of the war gaming.
RED TEAM LEADER:
OK, game start-- 5, 4, 3, 2, 1.
1st RED TEAM MEMBER:
Orange has 5, 5, 5-8-4 launch.
2nd RED TEAM MEMBER:
3rd RED TEAM MEMBER:
Purple clear. Shows
possible intrusion, network alpha.
STEVEN IATROU, Naval Postgraduate School: What
they're learning to do is operate in a hostile cyber environment. The military mission must go on.
4th RED TEAM MEMBER:
Black, this is brown.
5th RED TEAM MEMBER:
4th RED TEAM MEMBER:
Showing a stealth scan, an IDS, on network Charlie.
STEVEN IATROU: An adversary trying to get an
operational advantage through the computer network. And that's all warfare is, is gaining the upper hand, no
matter how you can do it.
TEAM MEMBER: White, this is green. We have some unusual activity on the
TEAM MEMBER: Roger.
TEAM MEMBER: There seems to be a clown head inserted
into the network.
STEVEN IATROU: The clown appeared to be an icon put in
by an intruder to try to mask some of the information appearing on our screens.
TEAM MEMBER: Red, I have an indication of an F-14
down. There is a clown head
appearing at that location.
TEAM MEMBER: Roger. Initiating trace-route program.
TEAM MEMBER: Roger.
STEVEN IATROU: What we assumed we were seeing from an
enemy was that they had access to our computers, that they knew what we were
looking at on our computers-- i.e., icons of our troop movements. And they were trying to cover those so
that we could not see what either our forces or their forces were doing.
TEAM MEMBER: Black, this is brown. Request permission initiate hack-back
TEAM MEMBER: Affirmative. Initiate hack-back.
NARRATOR: The red team decided to attack a critical SCADA
TEAM MEMBER: Cyan, this is black. Could you give me the analysis on the
SCADA bravo attack?
TEAM MEMBER: Cyan, analysis is put up on the main
screen. You may want to take a
look at that.
STEVEN IATROU: SCADA is everything. It's the heart and soul of the
systems. If you can get into that,
then you have control or you disrupt their control. Or if you can even get them to think you're in there, then
you can lower their confidence in their ability to manage their systems.
NARRATOR: The gaming is good practice because America has
launched cyber attacks for real„in the first gulf war.
JOHN ARQUILLA: We did some things to the systems of
the Iraqis at that time. And the
things that can be acknowledged would be the bombs dropped on particular systems
of communications and the foil strips that disrupted power flows. But beyond that, I think we can't
really talk too much.
NARRATOR: Arquilla watched the United States get better at
offense in Kosovo.
JOHN ARQUILLA: I think Kosovo was, in some ways, a
proving ground of certain cyber capabilities. We get into a very sensitive area here, but what can be said
is that some means may have been used to distort the images that the Serbian
integrated air defense systems were generating. And this, of course, was crucially important to waging a
successful air campaign.
NARRATOR: And then there was Afghanistan.
JOHN ARQUILLA: Operation Enduring Freedom in
Afghanistan featured a small, nimble, networked force that was extremely
information-savvy and which achieved our national aims with a minimum of
bloodshed in a very short time.
NARRATOR: And recently, the war in Iraq.
JOHN ARQUILLA, Information Warfare Analyst, DoD: I'm
not allowed to talk about a campaign in Iraq. But when I was working for the Central Command in the last
Gulf War, it became very apparent to me that our biggest advantages came from
what we knew and what our opponent didn't. On the spot, we cobbled together something called a Joint
Surveillance and Target Acquisition Radar System. This allowed us to know exactly where the opponent was and
how to strike him.
NARRATOR: But what works in cyber wars against states may not
work against terrorist groups. Now
they believe Al Qaeda can get inside critical parts of the nation's
infrastructure. But do the
terrorists have the kind of engineering expertise it would take to manipulate
Some in law enforcement believe
they can. They offer as evidence
the resume of one of Usama bin Laden's top deputies, the man recently arrested
in Pakistan, Khalid Shaikh Mohammed.
RICHARD CLARKE: I'm troubled by the fact that a number
of people related to Al Qaeda, including Khalid Shaikh Mohammed, the chief
operating officer, if you will, in Al Qaeda-- a number of these people have
technical backgrounds. Khalid
Shaikh Mohammed studied engineering at the University of North Carolina. He was employed for a while at a water--
department water ministry in the nation of Qatar in the Persian Gulf.
RON DICK, FBI Infrastructure Protection '01-'02: It goes
back to the old axiom, "with knowledge comes power." And because of his knowledge of those
systems, or apparent knowledge of those systems, use of those systems, he would
be familiar with what the vulnerabilities are and how to exploit those
vulnerabilities in a fashion that would be advantageous to his organization.
NARRATOR: The FBI believes Khalid Shaikh Mohammed was the
chief architect of the 9/11 attacks.
He has reportedly told police that the next major attack will be led by
Adnan El'Shukrijumah, who is wanted for questioning. Shukrijumah fled the country in May of 2001 after attending
college in Florida, majoring in computer engineering.
MICHAEL SKROCH, Sandia National Laboratories: I
think that we shouldn't underestimate any adversary, especially one as
sophisticated as Al Qaeda. This
kind of group, if they don't have the innate knowledge to achieve a cyber
attack, if they should choose to do so, can obtain that knowledge from other
POST: "A computer seized at an Al Qaeda
office contained models of a dam.
The FBI reported that the computer had been running Microstran, an
advanced tool for analyzing steel and concrete structures"--
BARTON GELLMAN, The Washington Post: We
have reached the threshold of the day when computer attacks can cause
real-world bloodshed, can damage actual physical structures in this world.
POST: "To destroy a dam physically would
require 'tons of explosives,' Assistant Attorney General Michael Chertoff said
a year ago. To breach it from
cyberspace is not out of the question."
BARTON GELLMAN: You're talking about the nexus between
digital control systems here and physical things, like dam floodgates, like
electrical transformer stations.
And the day has arrived when a cyber attack could potentially inflict
[www.pbs.org: More about key vulnerabilities]
NARRATOR: But Clarke and others who worry about cyber security
understand that government cannot attack the problem alone.
BARTON GELLMAN: There are always lots of reasons not to
do something new. For example,
protecting the critical infrastructure of the United States from cyber attack
means you have to focus preeminently in the private sector. Eighty-five or ninety percent of all
the pipelines and transmission towers and computer switching stations and the
Internet base are not in the government's hands, they're in the private sector.
NARRATOR: The Bush White House made it clear to Clarke that a
public-private partnership was the way they were going handle this
problem. But in the beginning,
American industry didn't believe cyber war was a problem. Then they didn't believe it was their
problem. And they didn't much like
the idea of the government telling them to spend their own money to plug cyber
ROGER CRESSEY, Cyber Security, White House, '01-'02: Dick's
objective in educating industry on the importance of this issue was to get
their attention, to shock them-- in some respects, to shame them because they
needed to understand that the return on investment here is not something that's
tangible, that you can put your finger on. It's a return on investment that plays out over an extended
period of time. So if you're
spending so little money on cyber security, then you really deserve to be
hacked. And if your systems are
brought down and if your systems are compromised, you have no one to blame but
NARRATOR: When it comes to blame, the favorite targets of the
cyber security forces are the companies that design and make software. They say enemies identify its
vulnerabilities and exploit them in SCADA in home and industry computers. Clarke says this is the chink in
RICHARD CLARKE: It's absolutely unforgivable that major
software companies in this country and around the world continue to produce
NARRATOR: When it comes to fixing the software problems, all
roads lead to Microsoft, and it says it's now committed to improving its
products. Cyber security chief
Scott Charney speaks for Microsoft.
SCOTT CHARNEY, Microsoft Corporation: What
would you have us do as a company that we're not doing today? We're doing a security push on every
product. We're building things
that are secure by design, secure by default. And we're fixing patch management to keep you secure in
RICHARD CLARKE: Major software companies have in the
last year said that they're cleaning up their act-- notably, Microsoft, which
says it has introduced new qualify assurance procedures. Frankly, it needs to, because it's had
a record of very sloppy products rushed to market without concern for security.
NARRATOR: There are a variety of tough measures being talked
about. They're designed to force
Microsoft and others to clean up, including imposing civil liability.
SCOTT CHARNEY: When companies start paying liability
claims and legal fees and everything that comes with it, where does that money
come from? Well, you can raise the
cost of the product, but that might be counterproductive because one of the
great things about software is how the price has been driven down so it can be
available to everyone.
The second thing you can do is take it out of profit, which
means it comes out of the investor's pocket. Or you can take it out of cost, perhaps by paying people
less, and driving your best security people right out of the company.
NARRATOR: More and more, Clarke found himself having arguments
like these with leading high-tech industries, arguments that led to the
ultimate threat: regulation.
RICHARD CLARKE: If there's a major devastating
cyberspace security attack, the Congress will slam regulation on the industry
faster than anything we can imagine.
So it's in the industry's best interest to get the job done right before
something happens because after something happens and our economy has been
really badly hurt, there will be regulation.
SCOTT CHARNEY: Is regulation really an effective way
to get where we need to go? And to
what extent will regulation stifle innovation? Because if you tie down industry and say, "This is what
you must do," then you also tie down the technology. So I think there are a lot of reasons
not to go in a regulatory fashion.
O. SAMI SAYDJARI, CEO Cyber Defense Agency:
Regulation is not part of the policy of the current administration. They are very reluctant to use that,
and it's understandable.
Regulation and its effects can be-- can have different effects than you
really intend them to have. And so
one has to think about it carefully.
At the same time, this is very much on the order of fire codes. If we don't do these things, it not
only affects the people who are going to be attacked but the entire society
NARRATOR: But elements of the Bush administration simply
aren't in the mood to back Clarke up in these battles.
BARTON GELLMAN: He runs very quickly into ideological
opposition in the Office of Management and Budget and the Council of Economic
Advisers and elsewhere in government to the very idea of telling private
industry what to do. It looks too
much like "big nanny" government to them, and so they are putting
very sharp limits, or were putting very sharp limits, on what Clarke could do
NARRATOR: And in February 2003, a bureaucratic shuffle removed
Clarke's operation from the White House.
It was folded into the gigantic Department of Homeland Security. But Clarke wasn't. He decided to leave government. But he would not go quietly.
NARRATOR: The man who was right about the danger of Al Qaeda --
and who has come to believe that the cyber war is real and that America is
unprepared -- will now do all he can to sound the alarm.
RICHARD CLARKE: After Pearl Harbor, we did a tremendous
job of defeating the Nazis and the Japanese. After Sputnik showed that the Russians were winning the
space race, we did a pretty good job of national mobilization and we beat the
Russians to the moon. After
September 11th, Al Qaeda's little sanctuary in Afghanistan was gone in a couple
of months, and we're now doing a very good job of rounding terrorists up around
the world. After the fact.
Wouldn't it be nice, for once, when we have the experts
telling us we have a big risk-- wouldn't it be nice, for once, to get ahead of
the power curve, solve the problem so there never is the big disaster?
CO-PRODUCED & REPORTED BY
WRITTEN & DIRECTED BY
CREDITS AT END OF PROGRAM
WRITTEN, PRODUCED AND DIRECTED BY
CO-PRODUCER AND REPORTER
DIRECTOR OF PHOTOGRAPHY
Michael H. Amundson
MUSIC COMPOSED BY
Michael H. Amundson
Erin Martin Kane
FOUNDATION GRANT MANAGER
WEBSITE MANAGING EDITOR
Louis Wiley Jr.
A FRONTLINE Co-Production with Kirk Documentary Group, Ltd.
WGBH EDUCATIONAL FOUNDATION
ALL RIGHTS RESERVED
FRONTLINE is a production of WGBH Boston, which is solely
responsible for its content.
ANNOUNCER: This report continues on our Web site,
where you'll be able to join in a forum with cyber security experts who will
field your question, get an information
warfare expert's analysis of the vulnerabilities of our infrastructure, explore
some of the most significant cyber attacks to date, watch the full program
again on line or find out on the Web site if your PBS station will be airing it
again. Then join the conversation
PBS on line, pbs.org, or write an e-mail to email@example.com.
Next time on FRONTLINE: After spending years in prison--
PRISONER: I was on death row for the murder of
someone I didn't murder.
ANNOUNCER: --they were set free.
PRISONER: I know that I'm not going to be hired
by anybody because of the rape that I didn't commit.
ANNOUNCER: But the system that finally exonerated
them deserted them.
PRISONER: When the cameras went away, everybody
PRISONER: Sometimes I'd rather be in jail.
ANNOUNCER: Burden of Innocence next time on FRONTLINE.
To obtain a VHS copy of FRONTLINE's Cyber War!, call PBS HOME VIDEO at 1-800-PLAY-PBS. [$29.95 plus s&h]
FRONTLINE is made possible by contributions to your PBS
station from viewers like you.