Cyber War!

a letter from concerned scientists

Following the Sept. 11 attacks, a group of concerned scientists sent President Bush this letter, in which they warn, "The critical infrastructure of the United States, including electrical power, finance, telecommunications, health care, transportation, water, defense and the Internet, is highly vulnerable to cyber attack. Fast and resolute mitigating action is needed to avoid national disaster." The scientists advocate that the president respond to the cyber threat by setting up a Cyber Warfare Defense Project modeled on the Manhattan Project.

27 February 2002

George W. Bush
President of the United States
The White House
1600 Pennsylvania Avenue, NW
Washington, DC 20500

Mr. President,

Our nation is at grave risk of a cyber attack that could devastate the national psyche and economy more broadly than did the September 11th attack. We, as concerned scientists and leaders, seek your help and offer ours. The critical infrastructure of the United States, including electrical power, finance, telecommunications, health care, transportation, water, defense and the Internet, is highly vulnerable to cyber attack. Fast and resolute mitigating action is needed to avoid national disaster. We urge you to act immediately by former a Cyber-Warfare Defense Project modeled in the style of the Manhattan Project.

Consider the following scenario. A terrorist organization announces one morning that they will shut down the Pacific Northwest electrical power grid for six hours starting at 4:00 PM; they then do so. The same group then announces that they will disable the primary telecommunication trunk circuits between the U.S. East and West Coasts for a half day; they then do so, despite our best efforts to defend against them. Then, they threaten to bring down the air traffic control system supporting New York City, grounding all traffic and diverting inbound traffic; they then do so. Other threats follow, and are successfully executed, demonstrating the adversary's capability to attack our critical infrastructure. Finally, they threaten to cripple e-commerce and credit card service for a week by using several hundred thousand stolen identities in millions of fraudulent transactions. Their list of demands is then posted in the New York Times, threatening further actions if their demands are not met. Imagine the ensuing public panic and chaos. If this scenario were to unfold, Americans everywhere would feel that our national sovereignty had been compromised; we would wonder how, as a nation, we could have let this happen.

Mr. President, what makes this scenario both interesting and alarming is that all of the aforementioned events have already happened, albeit not concurrently nor all by malicious intent. They occurred as isolated events, spread out over time; some during various technical failures, some during simple (government-sponsored) exercises, and some during real-world cyber attacks. All of them, however, could be effected through remote cyber attack by any adversary who so chooses, whether individual or state-sponsored. The resources required are modest -- far less than the cost of one army tank. All that is required is a small group of competent computer scientists, a few inexpensive PCs, and Internet access. Even the smallest nation-states and terrorist organizations can easily muster such capabilities, let alone better-organized groups such as Al Qaeda.

Many nations, including Iran and China, for example, have already developed cyber-offense capabilities that threaten our economy and the economies of our allies.

There is no doubt that such a serious national vulnerability is a real and present danger. This has been affirmed by a number of distinguished bodies, including the President's Commission on Critical Infrastructure Protection (1997), the National Academy of Sciences (Computers at Risk, 1990; Trust in Cyberspace, 1999), and the U.S. Defense Science Board on Information Warfare Defense (1996, 2000).

The consequence of successfully exploiting these vulnerabilities would be significant damage to the U.S. economy, degraded public trust with concomitant long-term retardation of economic growth, degradation in quality of life, and a severe erosion of the public's confidence that the government can adequately protect their security. We have seen the amplification effects, on our economy and on public apprehension, from a single event such as the World Trade Center and Pentagon attacks. Aggregate damages resulting from amateur cyber attacks (e.g., 1998 Internet Worm, Melissa Virus, I-LOVE-YOU virus, Code Red Virus and the Nimda virus) are estimated to have been $12 billion for the year 2001 alone. Extrapolating from this, a professionally-executed, coordinated cyber attack on our national critical infrastructure could easily result in a 100-fold amplification -- 10-fold from being professionally-executed and another 10-fold from indirect e-commerce suppression effects. In terms of a dollar value, this could amount to several hundred billion dollars in damage to the U.S. economy. Moreover, some community experts and reports (such as those cited above) estimate a high probability of a serious attack on U.S. critical infrastructure within the next few years.

The goal of our proposed Manhattan-style undertaking would be to create a national-scale cyber-defense policy and capability to prevent, detect, and respond to cyber threats to our critical infrastructure. We mean Manhattan-style in several senses: national priority, inclusion of top scientists, focus, scope, investment, and urgency with which a national capability must be developed. To prevent attacks, we need a coordinated effort to work with our critical-infrastructure providers in defending their most critical information systems. To detect attacks, we need to permeate our critical networks with a broad sensor grid imbued with the capability to detect large-scale attacks by correlating and fusing seemingly unrelated events that are, in fact, part of a coordinated attack. To respond to attacks, we need to devise strategies and tactics to pre-plan effective actions in the face of major cyber-attack scenarios; we need to augment our national infrastructure with mechanisms that support the defined strategies and tactics when attacks are detected and verified. We believe that all this can be done with a close partnership between the public and private sectors while maintaining sensitivity to public concerns about privacy and fairness, consistent with American values and laws. The result should be a resilient critical infrastructure that is resistant to cyber attack, plus next-generation technology which enables our critical infrastructure to be more easily secured. Given private-sector economic realities, our nation's economy and well-being will continue to rely on the existing vulnerable infrastructure for the indefinite future, unless strong government investment leads the way.

The proposed Manhattan-style cyber-defense project will cost a fraction of the expense we will incur from a single major cyber attack. We estimate the project would require an investment of $500 million per year initially, and could reach the billion dollar level in the out-years. The project would run over the course of five years to create a national-scale initial operating capability no later than year three, and more advanced defensive and offensive capabilities by year five. We recommend that you appoint a small board of top computer scientists and engineers to work out the details of a plan, and set the plan in motion within ninety days. The plan should include an appropriate balance between engineering and focused research to support the national capability and the policy, laws, and procedures that would be needed to deploy and support the cyber-defense technology.

The clock is ticking. We look to you, as America's leader, to act on behalf of the nation. Your conscientious and effective defense of our physical homeland should extend into the increasingly vital frontier of U.S. cyberspace. We anticipate that the nation will fully endorse and even expect this forward-thinking and courageous action in the face of such a major threat to national security. We stand ready to help in any way we can in taking this very important next step to defend our country.

Very respectfully,


O. Sami Saydjari
Founder Cyber Defense Research Center
Former Information Assurance Program
Manager, DARPA
Former Fellow, National Security Agency

Dr. Robert Balzer
Chief Technology Officer
Teknowledge Corporation

Terry C. Vickers Benzel
Vice President of Advanced Security Research
Network Associates, Inc.

Thomas A. Berson, Ph.D.
Principal Scientist, Palo Alto Research Center
Past-President, International Association for Cryptologic Research
Past-Chair, IEEE Technical Committee on
Security and Privacy

Bob Blakely
Chief Scientist, Security and Privacy
IBM Tivoli Software

Seymour E. Goodman
Professor of International Affairs and Computing
Co-Director, Georgia Tech Information Security Center
Georgia Institute of Technology

Dr. J. Thomas Haigh
Chief Technology Officer
Secure Computing Corporation

Walter L. Heimerdinger, PhD

Patrick M. Hughes
Lieutenant General, U.S. Army, Retired
President, PMH Enterprises LLC
Former Director, Defense Intelligence
Former Director of Intelligence (J-2),
Joint Chiefs of Staff

Stephen T. Kent
Chief Scientist -- Information Security
BBN Technologies -- A Verizon Company
(member of "Computers at Risk" & "Trust
in Cyber Space" NRC committees)

Angelos D. Keromytis
Assistant Professor,
Computer Science Dept.
Columbia University

Dr. Marvin J. Langston
Deputy Chief Information Officer,
Department of Defense, 1998-2001
Director Information Systems Office,
Defense Advanced Research Projects
Agency, 1997-98
Chief Information Officer, Department of
Navy, 1996-1997

Karl N. Levitt
Professor of Computer Science
Director of the UC David Security
Department of Computer Science
University of California, Davis

Marcus Ranum
Chief Technology Officer
NFR Security, Inc.

Jaisook Rho
Principal Computer Scientist
Network Associates, Inc.

Dr. Arthur S. Robinson
President, System/Technology
Development Corporation
Formerly Technical Director of RCA
R&D for U.S.N. Aegis Weapons Systems

S. Shankar Sastry
Professor and Chair, Department of Electrical Engineering and Computer Sciences
Formerly, Director, Information Technology Office, DARPA, US DoD

Salvatore J. Stolfo
Professor of Computer Science
Columbia University

Dr. Curtis R. Carlson
Chief Executive Officer
SRI International

George Cybenko
Dorothy and Walter Gramm Professor
Thayer School of Engineering
Dartmouth College

John C. Davis
Director of Information Security
Mitretek Systems Inc.
Former Commissioner on PCCIP
Former Director of NCSC/NSA

Matt Donlon
Former Director, Security and Intelligence Office
Defense Advanced Research Projects

Patrick Lincoln
Member of Defense Science Board Panels
Director, Computer Science Laboratory
SRI International

John H. Lowry
Division Engineer
Technical Director for Information Security
BBN Technologies/Verizon

Stephen J. Lukasik
Consultant, Science Applications
International Corporation
Former Director, Department of Defense Advanced Research Projects Agency
Former Chief Scientist, Federal
Communications Commission

David Luckham
Research Professor of Electrical
Stanford University

Dr. Joseph Markowitz

Robert T. Marsh
General, USAF (Retired)
Former Chairman, President's
Commission on Critical Infrastructure

Terry Mayfield
Institute for Defense Analyses

J.M. McConnell
Former Director, National Security Agency

John McHugh, PhD
Carnegie Mellon University

Fred B. Schneider
Professor of Computer Science and
Director of Cornell/AFRL Information
Assurance Institute

Gregg Schudel
Formerly, Senior Engineer and Manager
of Experimentation, DARPA
Information Assistance Program

Larry J. Schumann
President, EnterpriseTec, Inc.
Member of the President's National
Security Telecommunications Advisory
Committee (1996-2000)

Jonathan M. Smith
Computer and Information Science Department
University of Pennsylvania

Roy A. Maxion, Ph.D.
Director, Dependable Systems Laboratory
Computer Science Department
Carnegie Mellon University

David J. Farber
Moore Professor of Telecommunications and Professor of Business and Public Policy
University of Pennsylvania

Richard J. Feiertag
Manager of Strategic Planning
NAI Labs, Security Research Division
Network Associates, Inc.

Edward A. Feigenbaum
Kumagai Professor of Computer Science
Stanford University, and
Chief Scientist, United States Air Force

Dr. Tiffany M. Frazier
Director, Advanced Computing
Alphatec, Inc.

Roderick A. Moore
Systems Engineer
Former National Security Council Staff
Pres. Reagan and Pres. Bush

Dr. Charles L. Moorefield
Board Chairman,
Alphatech, Inc.

Peter G. Neumann
Computer Science Lab
SRI International

Dr. Clifford Neuman
Sr. Research Scientist and Associate Division Director -- Computer Networks Division
Information Sciences Institute
University of Southern California

E. Rogers Novak, Jr.
Managing Member
Novak Biddle Venture Partners

Allen E. Ott
Orincon Information Assurance

Dr. Michael Paige
Former Director, Xerox PARC

Dr. Vern Paxson
Senior Scientist, International Computer Science Institute
Staff Scientist, Lawrence Berkeley National Laboratories

Phillip A. Porras
Program Director
System Design Laboratory
SRI International

Laura S. Tinnel
Deputy Program Manager and Research
Information & Systems Assurance Group
Teknowledge Corporation

J. Douglas Tygar
Professor of Computer Science and Information Management
University of California, Berkeley

J. Kendree Williams
Chief Technology Officer
Zel Technologies, LLC
CDR, USN (Ret)

R. James Woolsey
Director of Central Intelligence, 1993-95

Larry T. Wright
Chairman, Defense Science Board
Task Force on Defensive Information Operations



home :introduction : interviews : experts' answers : faqs : vulnerabilities : warnings?
discussion : readings & links : maps : producer's chat
tapes & transcripts : press reaction : credits : privacy policy
FRONTLINE : wgbh : pbsi

published apr. 24, 2003

background photograph copyright © photodisc
web site copyright 1995-2014 WGBH educational foundation