Computer crime investigator for the US Department of Defense.
. . . During the cold war, we knew who the bad guys were, and they had nuclear
weapons. There was a finite group, and there was a deterrent, because they
knew that if they attacked us, we would know that they attacked us and we would
attack them back. That's a significant deterrent. But now, anybody who goes
down to Best Buy or Radio Shack can buy a computer for two or three hundred
dollars, and they have internet connectivity. And these individuals can . . .
have a weapon of mass destruction sitting on their desk in their bedroom.
And you're learning that defending against such an attack is no little
Absolutely. And I don't think that the big machines of government are tooled
to address this yet. It's hard to make that adjustment quickly. There's
another big difference, and that's the commercial sector. The commercial
sector today, whether they like it or not, whether they want it or not, now
have a role in national security. If you take down an infrastructure, the
military, the intelligence community, and the economic security of a nation may
depend on a private sector infrastructure, which the government doesn't have
any control over securing.
Are we likely to see the growth of a private cyberpolice--Pinkertons of the
cyberworld protecting private corporate interests?
. . . I don't think you're going to find private sector cops out there. You
will find private sector security monitoring and securing. But once you have a
problem, you're probably going to have to call law enforcement. And law
enforcement is starting to gear up for that, at least at the federal level. We
still have a way to go at the local level here in the United States. . . .
What percentage would you put on the chance of an electronic Pearl Harbor,
or at least a cybercatastrophe?
I don't think it will be tomorrow, but I think it could be
tomorrow. I think that countries and traditional terrorist organizations
have not really adopted this doctrine yet. But it's only a matter of time. .
. . When the new generation of leadership in terrorist organizations and
nation-states moves into positions where they can affect things, I think you
will find that that's going to eventually happen to us.
And you're convinced of that?
Chief of the Justice Department's Computer Crime and Intellectual Property
. . . The [Department of Defense] . . . tests the security of its own network
by "red teaming" or "tiger teaming" it. Industry is increasingly doing this as
well. They have hackers--good hackers who follow the rules--trying to hack into
their own networks. . . . One pretty steady figure is that they're able, over
the course of a week, to get into about 88 percent of them. And keep in mind
that, in doing this, DOD is not writing elaborate hacker code. . . . They're
not diving through dumpsters looking through phonebooks. They are using tools,
hacking tools, which are accessible from the Net--garden variety, nothing
exotic. And they have been able, over some span of years, to get in about 88
percent of the time.
Once they get in, they watch to see what percentage of the system
administrators know they're there. That number has varied over the years, but
my understanding is it is quite low--something on the order of three or four or
five percent of system administrators know that the system has been penetrated.
Of the system administrators who know that the system has been violated,
something like 25 percent of those report it up their chain to a law
enforcement agency. So if you do the math, if those numbers are accurate at all
and if we can extrapolate from them, every reported intrusion within DOD
represents something 150 unreported intrusions. . . .
We keep hearing Osama bin Laden's name mentioned in the content of hacking
and vulnerability to international terrorism. Is this real?
It is real. It's a rational concern. Look at how easy it is for people who are
not tremendously skillful and don't have a lot of resources to affect our
communications networks, to steal information, to get root control, to shut
things down. It doesn't take a great intuitive leap to assume that this could
be employed for other purposes. . . .
Chief Executive Officer & Co-Founder of iDefense, a
private agency specializing in information intelligence
How has the digital age changed the nature of global conflict?
What's been happening for the last few years is a migration from the
terrestrial to the virtual. . . . In the same way that we've had down the
centuries, terrestrially, the seeds of conflict--power, money, political
influence, territory and so on--they're all being replicated in the virtual
space. And with it, conflict is migrating too. The significant difference
though, is that down the years, it's been soldier, sailor and the marine that's
been in the front lines. That's true to some extent still; you'll still have
Bosnia, you'll still have Somalia, Rwanda and so on. They're different types
of conflicts, but still very serious. In the virtual space, it's going
to be the private sector, as well as government, that is going to be in the
front line. It's the soft underbelly. That's where you attack because you get
maximum leverage, more bangs for your buck. That's a different paradigm from
any one that's been before. It's not simply a matter of the CIA or the NSA
defending the government, or intelligence agencies serving governments around
the world. It needs to be done differently.. . . .
What you see being replicated is all the problems that existed terrestrially.
You've got vandals, you've got organized crime, you've got extensive economic
espionage, you've got 30 nation-states with very aggressive offensive
information warfare programs. So you're seeing all the stuff that we had
before. But it's also very different, because you and I can go into our local
computer store and buy what is essentially an immensely powerful weapon: the
computer. And you can load that weapon with very powerful bullets, which are
hacks downloaded from the web, and you can fire that weapon at pretty much
anybody you choose. . . .
Historically, it's been governments that have invested in some new gizmo or
other. . . . Now you and I have control. That's a huge shift. And it's a
shift that governments are ill equipped to deal with, because it's a
fundamental change in how you look at national security, what you look at as
defense and offense. And the world in which we are currently living in, this
kind of different environment, is essentially a world of chaos. There is no
arms control. There are no mechanisms by which we can produce order out of
chaos---not yet. There will be, in time, but there isn't at the moment. So
it's a sort of free-for-all in the virtual space. . . .
It's a very different world, and we're only just beginning to see the
dimensions of it. And nobody yet has a true handle on the threat, the
opportunity, what is effective defense, what can we do to create an effective
offense. Nobody has got that yet. But we're getting a picture, even though
it's a little blurred.
But what are we defending against here?
. . . For example, when I was in Moscow a couple of years ago, it was very
clear to me, from talking to the senior people in the scientific and
intelligence communities, that they already feel they're at war. They are
convinced that they are engaged in the next world war, that it is happening in
cyberspace, and that they're losing. They're very active in the area, but they
think that America has a very significant advantage, which is why the Russians
have come up with two proposals for arms control agreements in cyberspace.
Well, they haven't got much of a reception for that, because America and its
allies think that we're winning the war, so why should we have a treaty?. . .
Given the fact that the United States is so far ahead of everybody else, are
we looking at a whole new era of American imperialism?
Well, I think that there is a both a yes and a no. America is the most
advanced technology country in the world, no question. It is also the most
vulnerable, because we are so connected. The capabilities that currently
exist to wage information warfare, to attack a system, to destroy a network, to
turn off a city or devastate a country are around.
The problem is, America is a huge and largely inert bureaucracy. I can attack
a nation that I know is attacking me today--Russia, for example. I know that
they have created significant damage to me. Now, can I retaliate? Do I have
the capability? Yes. Can I do it? Well, that depends. You need legal
sign-off. Is it an act of war or is it aggression or can you allow it? Is it
a breach of a convention ? Will the politicians bear that? Can you actually
convincingly supply the evidence? And on and on and on and on.
Now, if I am a market-state, as CEO, I can arbitrarily take decisions. If I am
a small nation-state, a dictatorship if you like, that creates a very
different dynamic. It's not a question of my needing to have ten tank
divisions to have any impact at all. I just need a couple of smart guys with a
really cool computer who understand how to do stuff. I can achieve an awful
lot more with very little, provided I'm flexible and dynamic.
I could argue that you can achieve all that because you're not hamstrung by
values like democracy and accountability.
Absolutely. Of course, that's true. . . .
Are we heading to a whole new realm of dictatorship?
We're looking at a change in the dynamic. The influence of the nation-state is
absolutely declining. Nobody argues that. The influence of the market-state,
the big global companies, is rising very powerfully. Many of them are more
powerful than nations, in fact. . . . So the challenge for the nation-state is
to continue to remain relevant. . . .
Why is the ability of government, of the traditional nation-state, falling
so far behind the new market-state in terms of delivering value?
Because the nation-states, as they should in a democracy, slowly evolve. They
take pressure and they absorb pressure and then they bring out change in a slow
and well-paced way. That's a great strength in a democracy. This is a
revolutionary environment, however. And the pace of change is enormous.
We've all seen it--how many new chips do we get each year for our computer,
what how many new PDAs or Palm Pilots have we seen emerge in the last 12
months? The pace is enormous. And it's going to continue in this way,
everybody seems to agree, for as far as one can see. . . . What can
government do to move at that kind of pace? . . .
Governments can always do something. The question is, can they do something
fast enough? And if you look at the way the process is currently working, you
have to agree that the pace of change is not matching the challenge. . . . All
I have done my whole life is cover war and its consequences . All of the seeds
of war are here: tremendous conflict and tension in society; the growth of the
disenfranchised; all the things that you can see as points of potential
conflict are around. And yet, governments, because they're largely inert, are
treating business as if it's business as usual. Well, it very definitely is
not. And it's a big concern, frankly, because I think democracy is going to
find it very hard to adapt to these kind of very fundamental changes that are
occurring. And most political leaders have no idea--none--because they're out
of touch with the people. . . .
Former Chief of the National Infrastructure Protection Center
It's sort of an image of our times--a 16-year-old geek in his bedroom
hacking away and inviting the wrath of the state on him. It doesn't
necessarily look well upon the FBI, ultimately, that you're running around
knocking on the doors of teenagers all over the world.
We investigate crimes that are reported to us. And when we follow the trail
back, we will act appropriately, regardless of the age or the location of the
perpetrator. And so I think the image has been somewhat misleading to people,
because it suggests that this problem is really one of individual young
hackers. In fact, we are focused on a much more worrisome part of this
problem. We are really much more concerned about some of the organized threats
from foreign countries engaged in intelligence gathering, or preparation for
information warfare from terrorist organizations. They will use these tools to
commit violent acts against critical infrastructure systems, and organized
crime groups, who really want to steal money or valuable information.
. . . But I guess the problem the public is still having is that there
hasn't been a terrorist incident as far as we know. Other than Phonemasters,
there hasn't really been a successful organized crime bust in
I think we just recently had a very good example that disproves that notion.
We've had two subjects from Kazakhstan who were engaged in an intrusion and
extortion plot against Bloomberg LP. And that case was successfully
investigated because of close cooperation between the FBI and authorities in
both the United Kingdom and Kazakhstan. That case involves a number of
subjects, who are engaged in a traditional organized crime
activity--extortion--but they carried out through cyber means. So I differ
strongly with the notion that we haven't had successful organized crime
investigations. We've had quite a few.
When you look at the internet and at the interconnectivity of the world,
what is your greatest fear?
My greatest fear is that the level of vulnerability is still so high that we
are really open to a devastating attack on a broad scale against the computer
networks that run vital systems, such as our electrical power systems,
government operations, the banking and finance system. . . . And another
significant challenge for us is dealing with espionage. The "Cuckoo's Egg"
case, which involved the KGB hiring hackers to break into U.S. Defense
Department systems, is now a 14-year-old case. I think if hostile intelligence
services were engaged in that sort of activity 14 years ago, it doesn't take a
great leap of the imagination to imagine what some of those sorts of
intelligence services might be doing or planning to do today. . . .
What does the future hold? Can we fix this problem?
I think we can fix the problem. I think that, in the near term, we might see
the problem get worse before it gets better. There's a power curve, and right
now security is behind the power curve, because it takes some time for good
security products to be put out there and integrated into networks and
operating systems. And I think we need to make sure that the government has
the resources in place to investigate crimes and, more importantly, to get
information and get warnings out to try to try to prevent crime before it
happens. That's really our number one consideration. But I think we will see
an increase in the number of crimes being committed on the internet before good
security is ubiquitous.
That raises the process of private police or Pinkertons of cyberspace.
There's a huge growth in private security companies. There must be a
temptation among them to just go and take action, whatever action, themselves.
Does that concern you?
. . . What's most important is that, as people get into the security business,
that they realize that this is not an area where the private sector can go it
alone. If we're going to deter people from engaging in computer crime, we have
to have an effective law enforcement response. That means that victims really
need to report to law enforcement so that we can catch the bad guys, punish
them appropriately, and deter other would-be bad guys from engaging in the same
sort of activity.
Some critics say that government just can't move fast enough, that it's a big
bureaucracy, that it's a huge infrastructure in and of itself. They say that
it just isn't going to be able to keep up with the crime.
Well, there are certainly challenges to bringing the government around to deal
with this sort of fast-evolving environment. But look at the track record that
we've established in the two and a half years since the NIPC was founded. We
have created a program in the FBI and for the federal government as a whole
that is now capable of investigating some very complex international
investigations. And I think the speed with which we are able to investigate
things such as the "Melissa" virus, the "I Love You" virus, the distributed
denial of service attacks, the Bloomberg extortion, the Curador case and on and
on and on shows that we've made a tremendous amount of progress in a very short
But we can't sit on our hands or rest on our laurels, because the problem
continues to grow. And it's imperative that the executive branch of government
and the Congress realize that we need to keep making progress, that we need to
put more resources into this area to make sure that we can stay at the cutting
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright 1995-2013 WGBH educational foundation