But to play the devil's advocate, a lot of people focus on power grid. You can get control of SCADA systems or whatever, you can burn out the big generators, you can cause cascading effects from one system to another. Some people say that the threat's not unreal, that SCADA is a new system, we're totally dependent upon it. There's a vulnerability there that we've never come across before.
When people say that you can bring down the electrical system with a few keystrokes, it's one of those exaggerations that tends to bother me a lot. First, there is no electrical system. There's a multitude of electrical companies that all work together. Two, they are networked in some way, but each one of them is sort of idiosyncratic in how they've put themselves together. They all have SCADA systems, but they've applied them differently. If you know how to get into one company, that doesn't mean necessarily you know how to get in another.
Of course, there's this assumption that a hacker's going to be able to get into an electrical company and take control without anyone noticing or trying to stop it. That's just silly. We know that electrical companies are a very popular target for hackers. There are thousands of attacks every year. None of them have ever resulted in a single blackout. That makes me kind of skeptical about this whole thing.
Just to figure out the ante on all that, some say that it's necessary to view cyber war tactics in the realm of weapons of mass destruction?
Some people actually believe that this stuff here that they're playing with is equal, if not a bigger threat, than a dirty bomb. One of the things that happened at the end of the Cold War is we went from confronting a massive global threat that had the ability to wipe out the United States in a matter of hours to a series of much tinier threats. And what happened is, I think that a lot of security experts, instead of saying, "Hey, we don't face a big threat anymore," inflated a number of these smaller threats.
In particular, cyber attacks as a replacement for WMD would have to qualify as a gross inflation. Nobody argues -- or at least no sane person argues -- that a cyber attack could lead to mass casualties. It's not in any way comparable to weapons of mass destruction. In fact, what a lot of people call them is "weapons of mass annoyance." If your power goes out for a couple hours, if somebody draws a mustache on Attorney General Ashcroft's face on his Web site, it's annoying. It's irritating. But it's not a weapon of mass destruction. The same is true for this.
Give me your impression of what cyber war, therefore, or a cyber terrorism attack would look like. ...
One of the things I ask myself is, "If I was a terrorist, what would I want to do?" because I have specific goals as a terrorist. These people are rational. They're cold-blooded and they're very determined. They have political goals. They want to achieve these political goals through violence. Is a cyber weapon going to do that for me?
The answer in most cases is when I look at the portfolio of weapons and attacks I have, cyber's at the bottom. I'd much rather use an explosive. Of course, we know Al Qaeda says in one of their training manuals that explosives are their preferred weapon. We know that weapons of mass destruction, bioweapons, or germ warfare are much more likely to induce panic in a population than is a cyber attack. You could shut down the Internet, and it's quite possible no one would notice for a couple days. So I don't think terrorists are out there thinking about this. ...
The National Strategy to Secure Cyberspace is out now. The opponents of it, some people out there say there's no teeth to it. I guess the question becomes why? Is this possibly because the White House basically has a full plate of threats in front of it, and they look at this as not that important comparatively? Or is it that it's a danger, but it's something that can wait, and we'll deal in it when we come to it?
The cyber strategy is basically morphing into the more classic sort of strategies that the White House puts out. If you look for the last more than a decade, we've been putting out a national security strategy, and it basically says a lot of vanilla things: "Security's good. Freedom's good. America should defend it." Then it lays out a vision or some goals that agencies can strive towards. These are not very operational documents.
I think what you've seen happen with the cyber security strategy is it's changed from something that was trying to be very operational. It was 300 pages, and it was a cookbook of things you could do. Now, it's more of this broad vision statement like our other national strategies.
Part of this is it's just too hard a problem for people to wrestle with, because the issue that you need to confront is how much you're going to regulate the private sector. And there's a reluctance -- certainly with this administration, but even with the previous one -- to regulate the Internet. They aren't sure how to do it. People are always telling them it won't work.
But we need to think about some sort of regulatory mechanism to get people to pay more attention to cyber security. This doesn't have to be the big, heavy FCC-style regulation. It could be more like some of the things, perhaps, that were done in Y2K or some of the other alleged cyber menaces. ...
A lot of times, you'll come to a point within this debate where Operation Eligible Receiver will come up -- the NSA's attempts, acting as North Koreans, to damage infrastructure, to take down the Pacific command. They say it was very successful, that they would have taken down the electrical grid across America. They would have destroyed the ability of the military to communicate. They could have caused a delay for the entire two weeks that they were in operation. What's your response to that?
You get all these hypothetical scenarios, and allegations, and mythical cases of cyber terrorism. And when you ask them, "OK, show me the real event," there's nothing there. I think that makes it hard sometimes to judge these things. If you judge cyber terrorism the way we judge anything else using quantitative evidence, using established facts, it immediately shrinks. ...
Let's change seats for a second, and imagine you're Al Qaeda. If you were Al Qaeda, if you were interested in destroying us in any possible way with a major goal of hurting us economically, hurting us psychologically, isn't this sort of an attractive way of going about it? Isn't it an attractive weapon, where your folk can be sitting in cybercafes all over the world going at us, instead of blowing themselves up? I mean, why would Al Qaeda use this, or attempt to use this against us?
Al Qaeda's going to rank the options it has in terms of the outcomes that they want. So they're going to start by saying, "How do I create panic and disruption in the United States? How do I do psychological damage to my enemy? How do I do physical damage?" Cyber weapons just don't deliver that. You're much more likely to look at things involving large quantities of explosives. We know they can do that. Possibly chemical weapons, very disruptive. Maybe a lesser threat would be biological weapons. ...
Finally, I think there's the psychological payoff, which is these people want to do things that will allow them to attack the United States. Both on the receiving end and on the sending end, a cyber attack doesn't have that payoff. Going back to Osama and saying, "Hey, I launched 16,000 attacks against electrical networks and one of them caused a blackout in Cloverdale, California, for three hours," is not going to get you there in the martyrs' hall of fame.
They're going to want to do something much more damaging. That's a very frightening possibility, but cyber is not part of that.
[Al Qaeda] laptops were found with programming information and software sites for SCADA systems and other systems -- specifically for power and water company sites. Why the detailed interest?
I think one of the things that's troubling about Al Qaeda, and really some of the other groups, is they're very methodical. They're very serious. I think they will work through all the options and say, "If I do this attack, what do I get? If I do that attack, what do I get?" They're also very good at collecting information.
They have taken advantage of the global communications networks that we've set up, the global information networks that have appeared in the last decade. They've learned how to use them to become a terrorist organization that can operate almost anywhere in the world. So they're a very thorough group. But at the end of the day, I think their first choice is always going to be some more powerful physical weapon. Cyber weapons just aren't a good replacement for bombs.
You're walking sort of out on a limb here, aren't you? I mean, you could be proven wrong. You're really confident about this. Why? Tell me why you're this confident.
What I'm trying to do is think about, if there was a cyber attack, would it paralyze the United States? I think that the odds of that are very low, because it's easier to recover from a cyber attack. There's no physical damage. There's no casualties. I think that, when Al Qaeda goes through their calculations, they'll go to the same sort of calculation I've gone through -- which is they want something that's going to be successful.
Another thing that encourages me is that you have very exaggerated threat assessments put out by the people who sometimes advocate cyber terrorism as a real risk. Let me give you an example. One of our congressmen said recently that hackers or cyber terrorists would be able to take control of two airplanes and get them to fly into each other. I'm exceptionally confident that that would never happen. Hackers can't do that. The system isn't automated.
So when you go through each of these scenarios over and over again, the risk is really low. The attractiveness of the weapon compared to other weapons is also low. Does that mean people are going to try? Well, we know they've tried cyber attacks. But so far, there hasn't been any effect.
What's your take on the sophisticated probing going on? There have been a lot of government and private organizations that have noted that there's been a lot of sophisticated probing, hiding their tracks, going into all sorts of infrastructures. What does that mean? One definition of what that means is that they're mapping potential attacks, that it looks like nations or terrorist groups, somebody is out there, doing all the preliminary work, so that they're ready for an attack.
When you think about the question of if there's been all this mapping or probing, what does it mean, you've got to look at it in two ways. First, people are going to explore cyber attacks and cyber weapons. That doesn't mean they're going to use them, because, at the end of the day, I don't think they're very useful. But that doesn't mean that a big country that has a lot of resources won't explore them.
The second, and I think the more important risk, is espionage. The Internet is God's gift to spies. Information that would have been very difficult to get, but very valuable, is now readily accessible. One of the things you've seen in the last year is the U.S. sort of waking up and wondering, "Do we want to have all this information online?" So I think the risk of espionage is much, much higher.
But again, if you were a spy, you'd want to break into someone's system, and you'd want to sit there and collect information. You wouldn't want to pull the plug or draw a mustache on somebody's face, because then you'd get shut out. People react very quickly to cyber attacks, and they're very good at deterring them. So a spy is going to want to sit there and not attract any notice.
Which leads to Moonlight Maze. Tell us the story of what Moonlight Maze was and its significance.
You know, there's been a whole set of stories about cyber attacks -- Moonlight Maze being one of them -- that when you actually track them down, don't seem to have very much substance to them. I think [Moonlight Maze] was another one of these exercises where, hypothetically, people thought they could disable the United States. ...
But Moonlight Maze is the attack against DOD, supposedly Russian source of some sort, and a huge amount of intelligence was gathered, non-classified. Isn't there some significance in espionage ways, if nothing else?
Yes. Espionage is really important, especially for open societies like the U.S. and societies that are networked the way we're becoming, and other developed countries in Western Europe and in Asia. Obviously, it's not a big problem in North Korea or Sudan, where they don't have electricity, much less the Internet. But for us, as a vulnerability for espionage -- different from terrorism -- for espionage, we are at greater risk.
So the part that's interesting to me is, how is this valuable as an espionage tool? Again, though, if you ask the operational question, "So there were all these attacks. Did we cancel any sorties? Did any servicemen die? Did any ships not leave the harbor?" The answer is "No. It didn't have any effect that way."...
One of the other things that people will say is that you're right. It hasn't happened before. No one has used this in that way. But then they immediately go to 9/11, saying that no one ever used four aircraft and tried to ram huge major buildings in the United States either. What do you make of that argument?
The argument that people didn't use aircraft before 9/11 and, therefore, we shouldn't say that because we haven't seen any cyber attacks we shouldn't dismiss cyber terrorism -- unfortunately, that's not right. We know that Islamic fundamentalists had plans to hijack the aircraft and fly them into buildings repeatedly during the 1990s. The famous example, of course, was some Islamic terrorists who had hijacked an Air France airliner, and were apparently intending to fly it into the Eiffel Tower. There was another case, I believe, with hijacked aircraft being flown into targets in Israel. Plans for this that didn't occur.
One of the things we've seen with Al Qaeda is that they have been doing this for a while. So you will see them use explosives repeatedly before 9/11. You will see consideration of airplane attacks repeatedly before 9/11. What you won't see is a lot of failure. We've seen lots of cyber attacks that have not had any result. You can't say that for these other methods. So that's why I tend to downgrade this. The terrorists are methodical, serious, and they will try things. But they have a preference for explosives and for things that make very loud bangs and cost a lot of damage and casualties.
The recent reports about President Bush signing in July the NSPD 16, that the government was going to develop guidance for when the U.S. should launch cyber attacks -- it sounds like the government is still very interested in cyber war tactics, and their use in a war. Why?
... Cyber war as the future of war is one school of thought. The nice thing about the U.S. military is it's so big and it's so well funded that it can pursue many different options at the same time. So when you look at missile defense, when you look at information warfare, or when you look at what the Air Force is doing, we can be in the position of letting a hundred flowers bloom. That doesn't mean that it will turn out that way.
If you look at the weapons that the U.S. has pursued over the last, say, 50 years, a lot of them have been dead ends. It doesn't mean we shouldn't have pursued them. It doesn't mean there might have been some benefit in trying to think how they work. It doesn't mean, at some point in the future, we might come back to it and say, "Hey, it was worthwhile." But the fact that someone's pursuing cyber weapons now doesn't mean it's going to make a lot of difference.
I, for example, ask two questions on this: If I was Saddam Hussein and I wanted to stop the U.S. from attacking me, what could I do using cyber weapons? The answer is I couldn't do a heck of a lot. So it's not very useful to Mr. S. And if I was the U.S., and I wanted to help bring down Saddam Hussein, what could I do with cyber weapons? Same answer: Not a heck of a lot. He's not very vulnerable. ...
There are countries, though, that have been reported to use these tactics, like India and Pakistan, the Israelis and the Palestinians. I mean, there are examples of people using it in these situations, aren't there?
India and Pakistan are a good example. Israel and some of the Arab countries are another good example, and this is a good test. Here, you have real wars. They're shooting at each other. They've launched cyber attacks. What has the result been? The results have been zip. There have been no infrastructures turned off. There's been no disruption of military activity. There's been graffiti. There's been annoyances. There's been exchanges of insults. But it's not a real military weapon. If you're a military or if you're a terrorist, you need to focus on things that are going to give you some payoff.
The Chinese government has made statements that this is a tactic that they would use. What's the significance there?
China is a country that's realized that it can't compete militarily with the U.S., at least not right now, and not for perhaps the next decade. So they're looking for what is known as asymmetric advantage, someplace where they can make a small investment in a weapon, and get a big payoff in terms of our vulnerability. Naturally, they're looking at cyber weapons as part of this.
The attraction is: Information warfare is something the U.S. depends on. If they can disrupt our information systems, they might get an advantage. There's been a lot of talk. They're probably beguiled. They read the same newspapers everyone else reads. So they open the newspaper and read that they're going to be able to turn off the electrical system in the U.S. for a month with cyber attacks. Sure, they're going to explore it. What they're going to find, though, is they can't do that.
The other problem for the Chinese, and one they need to think about, is that cyber weapons pose a different kind of problem for nation-states than they do for terrorist groups. A group like Al Qaeda has very few constraints on it, right? There's almost nothing that would constrain them from using any kind of weapon, and that's why they've looked at a range of possibilities.
When you look at China, it's a little different. They're part of the international community. They have to follow some international norms, and they share vulnerabilities with us. They use the same global commercial network. They use the same global communications network and the same financial network. If you think about Chinese government officials -- many of whom, in their private lives, tend to be very wealthy, involved very much in the stock market in the international finance -- they may be reluctant to disrupt the financial network, because they could suffer as much as the United States.
So I think there's constraints on what the Chinese can do that we don't see for groups like Al Qaeda. The Chinese are going to look for things that are going to get them some real payoff, too. They want to stop the Pacific Fleet from showing up in the Taiwanese Straits. Cyber just isn't going to let them do that.
Finally, the last area to cover is Kosovo. Give me the background. What did we do in Kosovo? Then we'll figure out what we learned or what we didn't learn from it.
... Kosovo was sort of interesting, because we did probe other people's networks. At the end of the day, for me, the thing that brought the Serbs to the table, and the thing that brought them to stop their activities, were the air attacks. So once again, it was the physical weapons, the kinetic weapons that made a difference. We used these weapons much more effectively because of our emphasis on information dominance and information warfare, but that's different from attacking computer networks. You saw [that] a lot of attacks by the Serbs on NATO computer networks [and] U.S. computer networks didn't have any effect in terms of stopping the attacks on them. So it wasn't a very effective defense.
In terms of what we could do, some people said, "We could freeze the dictator's bank accounts." A great idea. What if the dictator freezes our bank accounts? We don't want to legitimize attacks that are much more damaging to the U.S. than they are to the target. That's one of the problems with these cyber things: When you think about finance or when you think about information networks, we're the ones who have a lot more online than any other country. So when we think about cyber attacks, we want to think, "What do we want to legitimize?"...
On the other hand, we didn't give it up. There's a whole group of guys out there, the Joint Task Force in Computer Security and such, that are working offensively and defensively on it. There's a whole lot of folk that are still talking about it. From the situation in Kosovo and the use against the Serbs, was there anything learned? And is there a debate about what was learned on whether it showed that it was a good direction or whether it was a ridiculous direction to go?
Unfortunately, there isn't much of a debate about the effectiveness of these weapons. One of the things we need to do is start going around and trying to get quantitative evidence, trying to think about this in a scientific manner, the way we would with any other weapon system, and say, not a hypothetical, "If I could do this, then I could bring them to their knees," but a real world "This attack was launched. What happened?"
Right now, when you look for that evidence, you can't find anything that would show damage or effect. If you put this in the larger context of military operations or terrorism, you just can't find evidence that it's been that effective. Does that mean people should stop experimenting? No. But does it mean we should rely on it for victory tomorrow? No, we should not rely on it for victory tomorrow.
Explain, if you could, our trying to take down the telephone system [in Kosovo]? Why would that have been done, and what did we learn from that?
One of the things we learned in the theory about taking down communication systems is that it can backfire, because the first thing that people realized -- actually, not the first thing, it took them two or three weeks to realize -- is that if you bring down the communication network in Serbia or in Yugoslavia, the opposition isn't going to be able to communicate with each other. They're actually more at risk, more dependent on these commercial networks than the government is. So we would have handicapped the political opposition that actually was one of the key things that helped us win in that situation.
That's what I would say to this: When you think about these cyber weapons, when we deploy them, are we going to suffer more than the opponent? In the case of Serbia, that was definitely the case, because we would have hamstrung the political opponents of the regime, and not done as much damage or necessarily any damage to the regime's command and control.
There's another side of this, which says that we found, to some extent, that it doesn't work for us. ... But Al Qaeda is a different world. In fact, the more horrific things they can do, it works better, because psychologically, it's more damaging. So is there a case to be made for the fact that, though we might find as a warfare tactic, it's not a very successful [one], there are others out there that, in fact, might believe it works for them?
Another thing we haven't done is actually map out the real vulnerabilities created by computer networks. There's been an assumption the computer networks are vulnerable, and the infrastructures that use them are just as vulnerable. Actually, we need to test that assumption. We need to actually walk through and say, "Here's the network. What does it actually control? What can I do remotely?"
One of the things I think you'd find is that, very often, there's not that much you can do with a computer network, especially for some of the big infrastructures like air traffic, like electricity, like water supply. So when you talk about needing to be more precise in these attacks and why it might not deter Al Qaeda, it's not as much of a problem for us to worry about, because you're going to find, I think, so far, when I've looked, that we're not as vulnerable as it might appear.
Could that change over time? Sure. We're becoming more networked every week. Is it a vulnerability now? It's not. So when I think about these precision attacks, it's not clear to me that Al Qaeda could do a precision attack and it's possible no one would notice. ...
Lastly, then why all the hubbub? Why all the very distinguished people who sort of say, "This is a problem. We've got to deal with this?" Why the scientists that are saying, "Hey, listen to us. We've got a problem here?"
One thing that I would say is that a lot of the people who think about the seriousness of cyber warfare tend to be computer people. What you need is to get more national security people, more military people thinking about it -- people whose job is to win wars or to defend the nation, not whose job is to administer computer networks. So you've got to broaden the debate.
The second thing is that the terrain is shifting all the time. Three years ago, the Internet was this wonderful thing. We were naming stadiums after dot-coms. It looked like you had this new amazing thing that was going to be completely different from everything in our experience. We still haven't completely recovered from that, although people have calmed down considerably when the stock market level popped.
The third thing is that we still need to do the research. People assert vulnerability. They say, "I did an exercise. Here's a hypothetical situation." I want to get to the nuts and bolts. I want to say, "Show me the attack. Show me the vulnerability. Trace for me the line from the guy sitting in front of his keyboard all the way to the floodgate on the dam. Show me the links." You'd be shocked to discover how infrequently we have done that, and that's what we need to do. Then we'll get a better assessment of how real this threat is. ...
There's a lot made of SCADA systems. They're the least protected. ... It's a potential target. It's systems that you can't put cryptographic sort of controls over. So what's the danger?
Let me use a model here that's a little unusual in answering the SCADA question. I want to use the model of air attacks, because you saw very similar arguments made by the initial strategists of air power. This new technology would allow them to fly over enemy forces and cripple economies, bring nations to their knees with just a few well-placed attacks. This is what people started thinking in about 1919. And, of course, in the 1920s, it didn't work. In the 1940s, people tried it; it didn't work.
It wasn't until the advent of nuclear weapons that the air power scenario really began to make sense -- that you could think about this as a logical way to attack people. That doesn't mean that people didn't experiment with it or that they didn't try it, or that people didn't think about how to defend against it.
Now, at a much different level, we're looking at the same thing with SCADA systems and the Internet and computer networks. Right now, we aren't that interconnected. People use SCADA systems, but they use them in a whole variety of idiosyncratic manners. They buy different systems. They connect them differently. They connect differently to the physical structure. So understanding how a SCADA system works for one company doesn't give you a benefit in attacking another company. It's very difficult. We just aren't as vulnerable as some people would make out.
Could that change over time, the way air power changed over time? I think it will, and that's why we need to pay attention to what the defenses are, how we build secure networks now. But that doesn't mean that terrorists are going to be able to turn off the water supply tomorrow or that they're going to be able to stop the U.S. from moving forces to Iraq. SCADA is just not as interconnected with either the physical infrastructure or with other companies' networks as people make out. So the vulnerability isn't there.
Let me give you a concrete example. People looked really hard with this Slammer worm that came up a couple weeks ago -- it came up in early February -- to see if it had affected any SCADA systems or if there were any reports of attacks on SCADA systems that led to infrastructure being crippled. Today, no reports of any successful attacks.
So I'm kind of doubtful about the ability to penetrate a SCADA system, and then turn that to some real-world advantage. People can penetrate SCADA, but they have a hard time turning off the lights. ...
It brings up the question: Have we not seen the damage that could be simply because the right or wrong people have not been the ones sending it out?
One of the things you could say that's good about the efforts that the U.S. has made to improve network security and cyber security in the last years is that big companies, a lot of companies have taken steps to make themselves harder targets. Let me give you an example. Ford Motor Company was hit by a worm. This was in the New York Times. They were hit by a worm, and it affected their company networks for a week. So for a week, e-mail was slowed down, and company communications were disrupted. It did not, however, affect production at any of their plants. It didn't affect their Web sites for dealers and for component makers, and it didn't really affect their performance as a company.
What companies will tell you is that they learn each time there's one of these viruses. They improve their defenses. They learn how to react more quickly. So the damage caused by each virus has been going down over time. We're going to continue to see these sorts of attacks. They're going to be annoying, and you will see opportunity cost as a result. But I think that people are adjusting to them, and learning how to continue to operate in a way that means that we're not as vulnerable as you might think when you hear about things like Slammer or I Love You.
But a Code Red, they'll come out also with the figures economically how badly we were hurt. That's something?
Yes. I am trying to figure out how they come up with these numbers on the value of cyber attacks. It's like the old days, when you had the values of e-commerce and it was almost like a random number generator. Some days, e-commerce was $11 zillion. Some days, e-commerce was at $4 trillion. People just sort of made it up.
When you look at how you come up with the estimates of the damage caused by a cyber attack, a lot of it is the resources spent for system administrators to repair and recover. A lot of it is what you would call opportunity cost, meaning, my system's offline and, therefore, I didn't make a sale, for example, that I could have made. Opportunity cost is a tricky one to value out, because the fact that one company is down, if another company is up, they might make the sale instead, right? Or if you're down for a day, the customer might come back the next day, and make the purchase.
So I think the problem with opportunity cost, which is a large component of these estimates, is it inflates the value. In fact, the damage to the economy is much smaller, much less than you might get in the really high-end $15 billion, $15 zillion estimates that you see. We need a better way of accounting for the actual damage of these attacks. There's no question that there's economic problems, and that's why we need to take security seriously. It doesn't mean that it's very useful for terrorists, though.