Cyber War!



Produced by Michael Kirk
Co-Produced and Reported by Jim Gilmore
Written and Directed by Michael Kirk

NARRATOR: Super Bowl Sunday, 2003, and Washington had a bad case of pre-game jitters. The headlines and talk shows were about war with Iraq. The president was practicing his State of the Union address. There was trouble with North Korea. And on Washington's outskirts that weekend, inside this secure facility they were tracking another crisis.

AMIT YORAN: We started noticing a tremendous number of increases of a particular type of attack.

NARRATOR: The Internet was down in parts of Asia.

AMIT YORAN: It was coming from a tremendous number of source addresses from different locations.

NARRATOR: And the virus was advancing.

AMIT YORAN: About three quarters of our customers were experiencing attacks from this particular worm. It was trying to infect thousands of systems very rapidly. And what that did was, it ate up the bandwidth, the communications channel between the various computers of the Internet.

NARRATOR: They named it "Slammer." By dawn, it had the full attention of the White House.

RICHARD CLARKE, Director, Cyber Security, White House: In 15 minutes, before anybody could even be notified the attack was going on, 300,000 servers were taken over. But it wasn't just servers that were affected-- 911 systems were affected, bank ATM machines were affected, reservation systems for major airlines.

AMIT YORAN: Almost each and every network that we monitor is attacked, probed, prodded every single day. The Internet is a hostile environment.

NARRATOR: On this weekend, the Slammer's creators eluded detection.

RICHARD CLARKE: In the past, you would count the number of bombers and the number of tanks your enemy had. In the case of cyber war, you really can't tell whether the enemy has good weapons until the enemy uses them.

NARRATOR: Tonight: a new set of American warriors. Journey into a new American battlefield. Tonight on FRONTLINE, Cyber War!

THE WASHINGTON POST: "Detective Chris Hsiung of the Mountain View, California, Police Department began investigating a suspicious pattern of surveillance against Silicon Valley computers."

BARTON GELLMAN, The Washington Post: Silicon Valley, as you could expect, has an unusual department within its police force, and that is protection against cyber crime. They had a guy in charge of that section called Detective Chris Hsiung.

Det. CHRIS HSIUNG, Mountain View Police Dept: I was notified by my division captain that the city Web site coordinator had discovered some suspicious activity, visitors to the city Web site. This was only less than a month after 9/11.

NARRATOR: Detective Hsiung's investigation started with Laura Wigod.

LAURA WIGOD, Mountain View Web Site Coordinator: I'm the Web site coordinator for the city of Mountain View. So basically, I run the Web site, put all the content on.

BARTON GELLMAN: Detective Hsiung begins to notice a strange pattern of computer intrusions, something that has to do with dams and emergency telephone systems and electrical systems.

LAURA WIGOD: I've always been interested in other countries, but I'm specifically a big fan of Middle Eastern culture. But we didn't have any visitors from any of those countries until the summer of 2001. And when they first showed up on my report, I was really excited. I just thought it was really neat that people from these countries were visiting our site. And I couldn't imagine what they wanted to see there, but I was thrilled.

NARRATOR: The elation wouldn't last. After September 11th, seemingly benign visits from Middle Eastern cyber tourists took on new meaning.

BARTON GELLMAN: He's seeing probes that seem to originate in Saudi Arabia, Pakistan, Indonesia, and that are looking into the junction of pipelines, for example, and the digital control systems that run those places.

Det. CHRIS HSIUNG: After 9/11, obviously, the state of the country at that time, especially among law enforcement, was, you know, don't rule anything out.

RICHARD CLARKE, Director, Cyber Security, White House: It does look like part of a pattern of potential long-range surveillance, remote surveillance by Al Qaeda or terrorist groups.

THE WASHINGTON POST: "Some of the probes suggested planning for a conventional attack, U.S. officials said."

BARTON GELLMAN: The FBI did a broader investigation. And it found, according to a classified assessment, that there was a broad pattern of intrusions that were described to me as "casing" these digital controls, trying to learn how the networks worked and what kind of security protected them and, if you had to reach out and touch a small number of them, which ones would be the most damaging. And this is a scary thought.

NARRATOR: Detective Hsiung's evidence was sent to the FBI, where the head of the bureau's infrastructure protection unit says it fit an emerging and familiar pattern.

RON DICK, FBI Infrastructure Protection '01-'02: The thing that keeps me awake at night is a physical attack on U.S. infrastructure which is combined with a cyber attack which disrupts the ability of first responders to access 911 systems, disrupts our power grids such that, again, first responders can't respond to an incident. Those are the things that keep me awake, and those are very real possibilities.

NARRATOR: At just this time on the World Wide Web, an e-mail was making the rounds. From universities to think tanks to deep inside hush-hush government projects, a growing number of concerned scientists were writing a letter to the president of the United States.

LETTER TO PRESIDENT: "Mr. President: Our nation is at grave risk of a cyber attack that could devastate the national psyche and economy more broadly than did the September 11th attack. We, as concerned scientists and leaders, seek your help and offer ours."

O. SAMI SAYDJARI, CEO Cyber Defense Agency: September 11th told us our adversary was very willing to use our infrastructure against us. A group of us got together and decided that it was important to let our leadership know, to give them the benefit of the best scientific thinking in this area, to say, "Hey, this is a really serious problem."

LETTER TO PRESIDENT: "The critical infrastructure of the United States -- including electrical power, finance, telecommunications, health care, transportation, water, defense and the Internet -- is highly vulnerable to cyber attack. Fast and resolute mitigating action is needed to avoid national disaster."


O. SAMI SAYDJARI: Ultimately, it turned into about 54 scientists and leaders -- former national leaders, intelligence community people, as well -- sending this letter that makes the case that says we have a problem here.

NARRATOR: The letter was sent February 27th, 2002, to the White House. It made its way to the White House Office of Cyberspace Security, into the hands of one of the government's most experienced troubleshooters.

RICHARD CLARKE: Well, I think the letter from the scientists and engineers was a bit more stark than other things that the government has seen. It sent the message that we depend upon the Internet for our national security and our national economy. And we know -- we know -- it's not secure, and therefore the government has to act.

NARRATOR: Richard Clarke knows how to kick-start the government. For 30 years, he's been operating in and out of the shadows of six administrations.

BARTON GELLMAN: What's unique about Clarke is his effectiveness in the bureaucratic process. He's just a guy who rolls over opposition. And it's just unusual in the U.S. government, and it's especially unusual to last a long time and win a lot of battles.

NARRATOR: But in the mid-'90s, Clarke lost an important battle. As head of counterterrorism for the National Security Council, he was unable to persuade higher-ups of the danger the country faced from a then obscure Saudi citizen named Usama bin Laden. After 9/11, when most intelligence gathering shifted to finding Al Qaeda cells, Clarke decided to investigate a new threat, attacks from cyberspace.

RICHARD CLARKE: The first thing I said to my staff was, "I want to go see the Internet." And that got a lot of chuckles, because, you know, after, Dick, it's virtual. It's in cyberspace. You can't see it. I said, "No, I think you can, and I want to go find it."

So we went on a series of trips in search of the Internet, and we found it. And we found it on Wall Street, six feet below the sidewalk, running into the stock market. We found it coming up out of the water on the New Jersey shore, where it comes from Europe. We found its heart beating in various network operation centers owned by the so-called backbone companies that own and operate the backbone of the Internet. It exists. There are key points to it.

NARRATOR: Clarke began to test the security at regional Internet hubs, talking his way past guards, breaching security.

RICHARD CLARKE: What I was able to do a lot in those early days is get fairly far into the building and fairly far onto the control floor of these regional hubs without any problem. And then I knew we had a problem.

HACKER: In the United States, there are two network nodes that you can hit electronically and one that you would be more effective to hit physically using a truck bomb. But if you hit those three nodes, then you would be able to destroy American communications for a significant length of time.

NARRATOR: This is a soldier of fortune in the cyber war, a high-end hacker. He's well known in the secret world of computer spies, at the National Security Agency, the Defense Department and the CIA. He's on their side. He works in secret and wants to keep it that way. We have hidden his identity and altered his voice.

HACKER: If you were to talk to anybody who works at any one of those NOCs -- Network Operating Centers -- or anyone who works in security for the telecommunications industry, they already know where their targets are. They already know the problems that they have.

NARRATOR: But as vulnerable as they are to physical attack, it's inside the Web's nervous system, hidden in coded packets of data, that the hacker and others wage their invisible war.

HACKER: In a terrorist sense, the U.S. is an open target. You can hit just about anything that you want to hit, one way or another. This is not bragging, this is a measure of fear.

JOHN ARQUILLA, Information Warfare Analyst, DoD: Cyber war is like Carl Sandburg's fog. It comes in on little cat feet, and it's hardly noticed. That's its greatest potential.

NARRATOR: Everyone who wants to know about cyber war eventually finds their way to John Arquilla.

JOHN ARQUILLA: In the realm of cyberspace-based disruptive threats, we haven't yet had what they call the "electronic Pearl Harbor." I think part of that is a function of our skillful defense of our systems. It's not that we're bereft of attacks. Tens of thousands of attacks occur every week against Department of Defense systems alone.

NARRATOR: He's been at the Rand Corporation, one of the first cyber warriors in Desert Storm, and in Kosovo worked for the Defense Department. Like Clarke, Arquilla is a bit of a handful inside bureaucracies.

JOHN ARQUILLA: In my checkered career, I've had, I think, the good fortune to always be thinking a few years ahead of events. And that has been useful in terms of anticipating threats. It has also created a fair amount of social friction.

NARRATOR: He's been stashed -- sidelined, really -- out in California at the Naval Postgraduate School in Monterey. But he knows about the power grid, the water supply, air traffic control systems. Talk about malicious code, probes and pings, Arquilla understands.

Zombie computers, he's an expert.

JOHN ARQUILLA: We're looking at hackers and others who are developing very profoundly different kinds of code-breaking techniques. Some of this has to do with linking together many computers around the world. Some hackers have hundreds or thousands of zombies that they control. The zombie has come back to life in the information age now as something that's controlled by a hacker, that can be used to hot-wire them all together to create computing power beyond our imagination.

HACKER: I could take down scores, thousands of systems, for example, in Taiwan and then turn those systems, through its high-speed pipe, against any other nation in the world. Does it mean the attack is originating in Taiwan? No, not at all.

So the problem that the U.S. has with terrorist attacks, where we still don't know where the anthrax came from, is the same problem you have with information operations. If you do the job correctly, there are no fingerprints and nobody can trail you back.

NARRATOR: At the White House, Dick Clarke learned about zombies the hard way.

RICHARD CLARKE, Director, Cyber Security, White House: Code Red was the name of a computer attack that occurred in July of 2001, where during the course of the day, we became aware that, ultimately, 300,000 computers around the country had been violated. Someone had gotten into them and planted software.

NARRATOR: The White House urgently contacted the companies that run the Internet.

RICHARD CLARKE: And by about 4:00 o'clock in the afternoon, they came to me in a teleconference and said, "There's good news and bad news. The good news is we know what's going to happen. At 8:00 o'clock tonight, hundreds of thousands of computers are all going to simultaneously start sending pings toward one site on the Internet. The bad news is, you are the site, the White House."

NARRATOR: If the assault worked, in nanoseconds the pings -- hundreds of thousands of simultaneous computer pulses -- would overwhelm the Internet.

RICHARD CLARKE: Hundreds of thousands of computers are going to be firing off pings every second from all over the Internet, and all of that message traffic is going to flow through all of the different channels toward one server.

NARRATOR: Clarke and the nation's Internet providers worked out a plan to block any traffic directed at the White House. And then they held their breath.

RICHARD CLARKE: The clock hit 8:00 o'clock. Hundreds of thousands of computers around the world started firing probes to the White House, and they all died as they hit the edge of the Internet.

ROGER CRESSEY, Cyber Security, White House, '01-'02: The size of the attack, I think, caught a lot of people by surprise. And what Code Red demonstrated was that a sophisticated denial-of-service attack could significantly slow the Internet. And if you then go to the next step, it's not inconceivable that an attack could bring down the Internet for a period of time.

NARRATOR: Then, as the nation was reeling from the tragic events of September 11th, the zombies struck again.

SAN FRANCISCO CHRONICLE: "A new computer worm struck the Internet today, sending network security workers scrambling to protect their systems from being attacked."

NARRATOR: One target was Wall Street.

SAN FRANCISCO CHRONICLE: "The worm, known as W32.Nimda, knocked Web sites off line and overloaded"--

RON DICK, FBI Infrastructure Protection '01-'02: I was up to my neck in responding to the events of September the 11th through the command post there at FBI headquarters, and then right on top of that the Nimda virus struck.

RICHARD CLARKE: The Nimda virus ripped through the American financial sector just a week after the terrorist attacks of September 11. It cost probably $3 billion, one virus, the Nimda virus. Had it not been for the fact that September 11th was the week before, it would have been a big news story.

RON DICK: It proliferated across the world at a far greater rate than Code Red did. It rattled the Internet, and it caused billions of dollars of damage. And we still don't know who perpetrated that worm.


NARRATOR: Catching the hackers in Code Red or Nimda -- indeed, in any of these cases -- proved impossible.

JOHN ARQUILLA: The time to back-hack a perpetrator is within seconds, minutes or hours of the action, not months and years after it happened. The trail is far too cold by then.

NARRATOR: The Web by now is nearly everywhere. The world is full of hideouts. Dick Clarke and many experts have come to believe events like Slammer and Code Red and Nimda were really not ends in themselves. They're certain they were experiments by an enemy or enemies seeking vulnerabilities in the system.

O. SAMI SAYDJARI, CEO Cyber Defense Agency: The number of probes that we're detecting is going up significantly. There's clearly a lot of people out there doing reconnaissance, and they don't want to be seen. So these aren't your average, everyday hackers.

INTERVIEWER: Who might they be?

O. SAMI SAYDJARI: I think they would be adversaries who are interested in doing reconnaissance without tipping their hand that they're doing their reconnaissance in our networks.

INTERVIEWER: Why are they doing it?

O. SAMI SAYDJARI: To prepare for attack or to prepare for getting information out of our systems, to understand our vulnerabilities. That's why you probe and scan networks.

NARRATOR: Inside this building are the top-secret military computers every enemy cyber warrior wants to invade. John Hamre was second in command at the Pentagon in the Clinton administration.

JOHN HAMRE, Deputy Secretary of Defense '97-'99: What startled me at the time was how we had brought around us this powerful new technology, with virtually no security awareness. We didn't have disciplined protocols and procedures in place for how people could connect to the wider Internet. It was just absolutely-- we let a thousand flowers bloom. And as you would expect in that environment, there were just countless opportunities for mischief.

NARRATOR: Hamre wanted to find out just how vulnerable DOD computers were. In 1997, the DOD initiated a red team exercise code-named "Eligible Receiver."

RICHARD CLARKE: We got the permission of the Pentagon. We put together a small team of hackers and only used hacking techniques and tools that we could download from the Internet and attacked the Pentagon systems.

JOHN HAMRE: Eligible Receiver really demonstrated how-- the real lack of consciousness about cyber warfare. I mean, really, the first three days of Eligible Receiver, nobody believed we were under cyber attack.

RICHARD CLARKE: They took control of the Pentagon systems, took control of the National Military Command Center computers.

JOHN HAMRE: If you get super-user control of one node, you basically can get into a network. Pristine protection, I mean, absolute sanitary protection, is what's required, and you'll never get it.

NARRATOR: There are details about "Eligible Receiver" that even today have not been revealed. But one thing is certain: It scared the hell out of the Pentagon.

JOHN ARQUILLA, Information Warfare Analyst, DoD: Eligible Receiver is a classified event about which I can't speak. What I can say is that when people say there is no existence proof of the seriousness of the cyber threat, to my mind, Eligible Receiver provides a convincing existence proof of the nature of the threat that we face.

NARRATOR: The Pentagon ordered new detection systems installed on its computers. But it wouldn't take long for the Defense Department to be hit again, and this time it wasn't an exercise. They gave it the code name "Moonlight Maze."

RICHARD CLARKE: All that I can say about Moonlight Maze is that the phrase Moonlight Maze refers to an investigation conducted by the FBI.

INTERVIEWER: How involved was the FBI?

RON DICK, FBI Infrastructure Protection '01-'02: I can't comment on that.

NARRATOR: But they could divulge general details. The Pentagon accidentally discovered a pattern of probing and cyber espionage that had been going on for nearly two years. A game of cat-and-mouse ensued.

RICHARD CLARKE: As we raised defenses on those computer networks, they raised the attacking capabilities on those computer networks.

JOHN HAMRE: We found that the opponent was learning as he or she went along, that they were getting better as we were getting better at cracking it. That worried you because that meant that they had some type of a monitoring system to observe us while we were observing them. And so we're obviously dealing with a very sophisticated opponent.

NARRATOR: Highly placed sources FRONTLINE cannot name told us more: The invaders were systematically marauding through tens of thousands of files, maps of military installations, troop configurations, military hardware designs.

JOHN HAMRE: They took huge amounts of information. Huge amounts of information. And there was not a clear pattern to the information that they took.

NARRATOR: The DOD began tracing the invasion. The trail led to a huge mainframe computer in the former Soviet Union.

RICHARD CLARKE: It continues to be an active investigation, so I can't talk about who it may or may not have been.

JOHN HAMRE: We do not know who did it. We do know back a certain direction where the attack came from, but we don't know that that was the ultimate source of the attack. It could have been a front operation.

JOHN ARQUILLA: I think the case highlights the problem of identifying the ultimate user. Some tracking was done back to systems in Moscow, for example, but that by no means suggests that these were Russians doing this. It could easily have been someone operating in an entirely other part of the world who bounced off of a computer in Russia. Or it could have been the Russians.

RICHARD CLARKE: Thousands of attempts a day to get into the Defense Department networks are detected. It's the ones that aren't detected that are the sophisticated ones. And the question therefore arises, in some future war, in some future tension, in some future crisis, could we wake up one morning and find that great damage had been done to our railroad system, our electric power system, our banking system, our military logistics system by Trojan horses, logic bombs that were planted in our infrastructure in advance without our knowing it.

NARRATOR: Many in the cyber war are convinced the days of merely using the Web to probe and map America's infrastructure are near an end. They worry the enemy -- especially one enemy, in particular -- is preparing for action.

HACKER: I've been watching them for quite a while, and they are very, very good at everything from money laundering to secure communications. And to underestimate them at any point in time is suicidal.

NARRATOR: He's talking about Al Qaeda. In the rubble created by the war in Afghanistan, Clarke and other cyber experts looked at Al Qaeda computers.

ROGER CRESSEY, Cyber Security, White House, '01-'02: I think the breadth of their interest in areas such as computer attack caught us by surprise. And by that I just mean the documents that were found, information we've learned from people that we have in custody.

RICHARD CLARKE: What we found on Al Qaeda computers were that members of Al Qaeda were from outside the United States doing reconnaissance in the United States on our critical infrastructure.

BARTON GELLMAN, The Washington Post: The government has changed its view. The CIA said 18 months ago that Al Qaeda is nowhere near having the capability to inflict serious damage in cyber war. It put out a new memorandum of intelligence some months ago saying, "Well, it looks like they have more capability than we thought, and it looks like they have more intention than we thought."

ROGER CRESSEY: They were putting people in computer classes whose purpose simply was to develop a competency and a skill set that they could then turn into a capability to develop attacks.

NARRATOR: And there are those who fear that if Al Qaeda has acquired those skills, they will mount a devastating attack on one of the nation's most vulnerable infrastructures. They may be able to use the Internet to bring down portions of the electrical power grid.

RICHARD CLARKE: It turns out that there are only five or six software systems that are used around the world to run electric power grids, other utilities, pipelines, dams, those sorts of things. They're called digital control systems, or they're called SCADA systems, supervisory control data acquisition systems.

NARRATOR: Almost no one flips a switch at the power company anymore. Now it's done by a little black box, a SCADA system, that talks to other little black boxes, often through the Internet.

MICHAEL SKROCH, Sandia National Laboratories: SCADA systems are really the cyber world's portal into our 3-D world. They allow cyberspace to sense what we're doing, sense temperature, sense movement, sense position. And they allow cyberspace to control things in our 3-D world-- move a motor, close a switch, turn on a heater.

WASHINGTON POST: "Al Qaeda prisoners have described intentions, in general terms, to use those tools. Specialized digital devices are used by the millions as the brains of American critical infrastructure."

BARTON GELLMAN: All of a sudden, someone coming in from Pakistan through the Internet, through a hole in your intranet security, is in a place where they can control these black boxes. That is the threat.

NARRATOR: Once SCADA systems stood alone in factories or power plants. Not anymore. Now they're connected on the Web. Whole industries are linked. That's good for business and even better for cyber warriors.

TOM LONGSTAFF, CERT Research Center: I liken it very much to my own thermostat at home. My thermostat at home is protected because I keep my front door locked, so no one can come in and change my heat around. If I add a wireless element to my thermostat, now, suddenly, I can control it from my computer. I can turn the heat up when I'm at work, so that the house is warm when I get home. I can understand every month exactly what my fluctuations are in temperature.

Unfortunately, because it's wireless, someone could sit outside my house, now, in the car, with a laptop, and at 4:00 o'clock in the morning turn off my heat in the dead of winter.

NARRATOR: At Sandia National Laboratories in New Mexico, they worry about just how vulnerable the nation's power grid is. Recently, they initiated a series of red team assaults on SCADA systems that control power companies, including their own solar power-generating station.

MICHAEL SKROCH: When we go after an electrical power system, electrical power provider for the critical infrastructures, we always penetrate that system. During an attack on a SCADA system, an operator will see what the adversary wants them to see and-- of course, dependent upon the scenario and the security of that system. So an operator may see a false indication of the condition of their infrastructure. They may be fooled into taking actions that are unwarranted, so that they themselves damage the infrastructure, not the attacker.

What the attacker did was implement an attack script that befuddled the display of the controller, so that when they move one control on a generator, it affects a second. This will confuse the operator and perhaps cause an effect on the infrastructure that's damaging.

At the solar facility, when we attacked the IT infrastructure, what we did was, we hacked into the system using a common technique. Once we were into the system, we were able to access any of the command and control functions that the operator would be able to use. In this case, we simply executed a script that moved four of the mirrors and danced them around on the solar facility.

The Red Team could have gained access to the system, written a more specific script to have a specific effect on the mirrors, such as moving them to the wrong location or causing damage to the solar facility.

INTERVIEWER: Could you and a group of friends take down the electrical grid of the United States or North America?

HACKER: I don't know if you'd be able to take down the whole grid, but I know that you could take down significant pieces of it for, let's say, operationally useful periods of time. Penetrating a SCADA system that's running a Microsoft operating system takes less than two minutes.

INTERVIEWER: Could your team take down the entire grid in the United States?

MICHAEL SKROCH: The IDART Red Team could demonstrate numerous vulnerabilities and system effects against U.S. critical infrastructure that are scenario-dependent and adversary-dependent. And we do this so that we can help improve the systems, so that they can't be taken down in the future and a cyber Pearl Harbor won't affect the U.S. infrastructures.

INTERVIEWER: But could you, if you wanted to?

MICHAEL SKROCH: I won't answer that question.

NARRATOR: And even though the power companies don't like to talk about it, this threat really scares them, especially industry experts on cyber security. FRONTLINE reporter Jim Gilmore talked to one of them, Joe Weiss.

INTERVIEWER: What's the worst-case scenario? Power, we're talking here, power lines, power grid.

JOE WEISS: Absolute worst? I won't even say absolute, but a very worst case could be loss of power for six months or more.

INTERVIEWER: Over how big an area?

JOE WEISS: Big as you want.

INTERVIEWER: Is that a possibility?



JOE WEISS: I'd just as soon not go into it.

INTERVIEWER: But you believe, as an expert and a man who understands these systems, that that, indeed, is a possibility.

JOE WEISS: It's possible.

INTERVIEWER: Why isn't Washington quaking in its shoes?

JOE WEISS: I can't tell you. I don't know. I don't know.


NARRATOR: Each time he returned to Washington, Clarke found it more difficult to make cyber security a federal priority. And now, with money and power at stake, doubts and questions would be raised. Washington is a war capital, and Clarke's battlespace is virtual, and according to some, not even real.

JAMES LEWIS, Center for Strategic and Int'l Studies: One easy test for cyber security is to ask yourself the following question: Could Godzilla do it? And if the answer's yes, it's probably not a very realistic scenario. And so when you get into these things, where, you know, a big green monster is going to shut down the whole electrical system or the water system, it's not very likely.

NARRATOR: There is at the Pentagon and military think tanks an anti-Clarke, anti-cyber chorus, high-ranking retired military officials publicly comparing the impact of cyber war against what some of them call "flesh and blood war."

JAMES LEWIS: Cyber attacks as a replacement for WMD would have to qualify as a gross inflation. Nobody argues, or at least no sane person argues, that a cyber attack could lead to mass casualties. And so it's not in any way comparable to weapons of mass destruction. And in fact, what a lot of people call them is "weapons of mass annoyance." If your power goes out for a couple hours, if somebody draws a mustache on Attorney General Ashcroft's face on his Web site, it's annoying. It's irritating. But it's not a weapon of mass destruction.

NARRATOR: And so in a city fresh from a war fought over weapons of mass destruction, the cyber warriors are barely a blip on the screen. And this is the case even for a man who was once a true believer.

JOHN HAMRE, Deputy Secretary of Defense '97-'99: I think cyber terrorism is a theoretical possibility. But will cyber terrorism be like September 11th? No, I don't think so. Not right now.

NARRATOR: Former deputy secretary of defense John Hamre now believes the early problems of cyber intrusion were merely wake-up calls that actually have made the system better.

JOHN HAMRE: I think there's an awareness in the IT community now about security that wasn't there five years ago. So I don't discount it. It is certainly theoretically possible. But the knowledge of-- the cyber security awareness today is thousands of times stronger than it was five years ago, when we first conducted Eligible Receiver.

NARRATOR: Hamre's argument is just one in an increasingly bitter war of words.

RICHARD CLARKE, Director, Cyber Security, White House: I hope I'm wrong. I hope it is the case that not only me but the thousands of experts who say we have a problem -- the people in companies, people in universities who say that we have a major cyber security problem -- I hope we're all wrong. But every day, we're being proved right.

JAMES LEWIS: A lot of the people who think about the seriousness of cyber warfare tend to be computer people. And what you need to do is, you need to get more national security people, more military people thinking about it, people whose job is to win wars or to defend the nation, not whose job is to administer computer networks.

JOHN ARQUILLA, Information Warfare Analyst, DoD: I think the skillful hackers are like the Vietcong. They know that they have a short period in which they will hold the advantage, and then they must disengage. And so we have to watch out for those kinds of tactics. I think we also need to be worried in the future that we won't have a few isolated incidents that occur over months or years, but we have to worry about the possibility of a campaign approach being taken by the cyber attackers in which they mount several attacks over a period of hours or perhaps over days. Think about, for example, a Nimda virus, something like that, that would be deployed once a week for three months. Think about the economic impact of something like that.

JOHN HAMRE: Terrorists are after the shock effect of their actions, and it's very hard to see the shock effect when you can't get your ATM machine to give you $20 dollars. I mean, it's distributed all around-- when we had this last worm, or whatever it was, I went down to the bank, tried to get money out of the ATM machine. I couldn't get any money out. Well, it was frustrating to me personally, but it doesn't translate in the same way that flying an airplane into a building does.

JOHN ARQUILLA: If I were establishing a terror organization today, I would be more interested in doing costly disruption by cyberspace-based means. If I did physical destruction, I would know that I would have to deal with a bunch of angry Americans who would track me to the ends of the earth. On the other hand, if I could engage in acts that would cause hundreds of billions of dollars worth of costly economic damage, and I could do it relatively secretly, why wouldn't I pursue that aim? And why wouldn't that make me a great hero to the constituency I was serving, my people, those who believe as I would? So if I were a terrorist, I would be thinking these days about mass disruption rather than mass destruction.


NARRATOR: And so out in California, Arquilla is thinking about how to defend against weapons of mass disruption. But he's also helping the navy to create an offensive cyber capability.

JOHN ARQUILLA: Americans need to realize that even as we learn to defend our country against cyber warfare, we naturally are developing offensive capabilities, as well. You cannot defend yourself unless you understand how the offense works. And in so doing, you learn to wage offensives.

NARRATOR: FRONTLINE was allowed to see some of the war gaming.

RED TEAM LEADER: OK, game start-- 5, 4, 3, 2, 1. Game on.

1st RED TEAM MEMBER: Orange has 5, 5, 5-8-4 launch.


3rd RED TEAM MEMBER: Purple clear. Shows possible intrusion, network alpha.

STEVEN IATROU, Naval Postgraduate School: What they're learning to do is operate in a hostile cyber environment. The military mission must go on.

4th RED TEAM MEMBER: Black, this is brown.


4th RED TEAM MEMBER: Showing a stealth scan, an IDS, on network Charlie.

STEVEN IATROU: An adversary trying to get an operational advantage through the computer network. And that's all warfare is, is gaining the upper hand, no matter how you can do it.

6th RED TEAM MEMBER: White, this is green. We have some unusual activity on the Brother network.


6th RED TEAM MEMBER: There seems to be a clown head inserted into the network.

STEVEN IATROU: The clown appeared to be an icon put in by an intruder to try to mask some of the information appearing on our screens.

8th RED TEAM MEMBER: Red, I have an indication of an F-14 down. There is a clown head appearing at that location. Request assistance.

9th RED TEAM MEMBER: Roger. Initiating trace-route program.


STEVEN IATROU: What we assumed we were seeing from an enemy was that they had access to our computers, that they knew what we were looking at on our computers-- i.e., icons of our troop movements. And they were trying to cover those so that we could not see what either our forces or their forces were doing.

4th RED TEAM MEMBER: Black, this is brown. Request permission initiate hack-back attack.

5th RED TEAM MEMBER: Affirmative. Initiate hack-back.

NARRATOR: The red team decided to attack a critical SCADA system.

5th RED TEAM MEMBER: Cyan, this is black. Could you give me the analysis on the SCADA bravo attack?

1st RED TEAM MEMBER: Cyan, analysis is put up on the main screen. You may want to take a look at that.

STEVEN IATROU: SCADA is everything. It's the heart and soul of the systems. If you can get into that, then you have control or you disrupt their control. Or if you can even get them to think you're in there, then you can lower their confidence in their ability to manage their systems.

NARRATOR: The gaming is good practice because America has launched cyber attacks for real in the first Gulf War.

JOHN ARQUILLA: We did some things to the systems of the Iraqis at that time. And the things that can be acknowledged would be the bombs dropped on particular systems of communications and the foil strips that disrupted power flows. But beyond that, I think we can't really talk too much.

NARRATOR: Arquilla watched the United States get better at offense in Kosovo.

JOHN ARQUILLA: I think Kosovo was, in some ways, a proving ground of certain cyber capabilities. We get into a very sensitive area here, but what can be said is that some means may have been used to distort the images that the Serbian integrated air defense systems were generating. And this, of course, was crucially important to waging a successful air campaign.

NARRATOR: And then there was Afghanistan.

JOHN ARQUILLA: Operation Enduring Freedom in Afghanistan featured a small, nimble, networked force that was extremely information-savvy and which achieved our national aims with a minimum of bloodshed in a very short time.

NARRATOR: And recently, the war in Iraq.

JOHN ARQUILLA, Information Warfare Analyst, DoD: I'm not allowed to talk about a campaign in Iraq. But when I was working for the Central Command in the last Gulf War, it became very apparent to me that our biggest advantages came from what we knew and what our opponent didn't. On the spot, we cobbled together something called a Joint Surveillance and Target Acquisition Radar System. This allowed us to know exactly where the opponent was and how to strike him.

NARRATOR: But what works in cyber wars against states may not work against terrorist groups. Now they believe Al Qaeda can get inside critical parts of the nation's infrastructure. But do the terrorists have the kind of engineering expertise it would take to manipulate the systems?

Some in law enforcement believe they can. They offer as evidence the resume of one of Usama bin Laden's top deputies, the man recently arrested in Pakistan, Khalid Shaikh Mohammed.

RICHARD CLARKE: I'm troubled by the fact that a number of people related to Al Qaeda, including Khalid Shaikh Mohammed, the chief operating officer, if you will, in Al Qaeda-- a number of these people have technical backgrounds. Khalid Shaikh Mohammed studied engineering at the University of North Carolina. He was employed for a while at a water-- department water ministry in the nation of Qatar in the Persian Gulf.

RON DICK, FBI Infrastructure Protection '01-'02: It goes back to the old axiom, "with knowledge comes power." And because of his knowledge of those systems, or apparent knowledge of those systems, use of those systems, he would be familiar with what the vulnerabilities are and how to exploit those vulnerabilities in a fashion that would be advantageous to his organization.

NARRATOR: The FBI believes Khalid Shaikh Mohammed was the chief architect of the 9/11 attacks. He has reportedly told police that the next major attack will be led by Adnan El'Shukrijumah, who is wanted for questioning. Shukrijumah fled the country in May of 2001 after attending college in Florida, majoring in computer engineering.

MICHAEL SKROCH, Sandia National Laboratories: I think that we shouldn't underestimate any adversary, especially one as sophisticated as Al Qaeda. This kind of group, if they don't have the innate knowledge to achieve a cyber attack, if they should choose to do so, can obtain that knowledge from other individuals.

WASHINGTON POST: "A computer seized at an Al Qaeda office contained models of a dam. The FBI reported that the computer had been running Microstran, an advanced tool for analyzing steel and concrete structures"--

BARTON GELLMAN, The Washington Post: We have reached the threshold of the day when computer attacks can cause real-world bloodshed, can damage actual physical structures in this world.

WASHINGTON POST: "To destroy a dam physically would require 'tons of explosives,' Assistant Attorney General Michael Chertoff said a year ago. To breach it from cyberspace is not out of the question."

BARTON GELLMAN: You're talking about the nexus between digital control systems here and physical things, like dam floodgates, like electrical transformer stations. And the day has arrived when a cyber attack could potentially inflict physical damage.


NARRATOR: But Clarke and others who worry about cyber security understand that government cannot attack the problem alone.

BARTON GELLMAN: There are always lots of reasons not to do something new. For example, protecting the critical infrastructure of the United States from cyber attack means you have to focus preeminently in the private sector. Eighty-five or ninety percent of all the pipelines and transmission towers and computer switching stations and the Internet base are not in the government's hands, they're in the private sector.

NARRATOR: The Bush White House made it clear to Clarke that a public-private partnership was the way they were going to handle this problem. But in the beginning, American industry didn't believe cyber war was a problem. Then they didn't believe it was their problem. And they didn't much like the idea of the government telling them to spend their own money to plug cyber holes.

ROGER CRESSEY, Cyber Security, White House, '01-'02: Dick's objective in educating industry on the importance of this issue was to get their attention, to shock them-- in some respects, to shame them because they needed to understand that the return on investment here is not something that's tangible, that you can put your finger on. It's a return on investment that plays out over an extended period of time. So if you're spending so little money on cyber security, then you really deserve to be hacked. And if your systems are brought down and if your systems are compromised, you have no one to blame but yourself.

NARRATOR: When it comes to blame, the favorite targets of the cyber security forces are the companies that design and make software. They say enemies identify its vulnerabilities and exploit them in SCADA, in home and industry computers. Clarke says this is the chink in America's armor.

RICHARD CLARKE: It's absolutely unforgivable that major software companies in this country and around the world continue to produce sloppy products.

NARRATOR: When it comes to fixing the software problems, all roads lead to Microsoft, and it says it's now committed to improving its products. Cyber security chief Scott Charney speaks for Microsoft.

SCOTT CHARNEY, Microsoft Corporation: What would you have us do as a company that we're not doing today? We're doing a security push on every product. We're building things that are secure by design, secure by default. And we're fixing patch management to keep you secure in deployment.

RICHARD CLARKE: Major software companies have in the last year said that they're cleaning up their act-- notably, Microsoft, which says it has introduced new quality assurance procedures. Frankly, it needs to, because it's had a record of very sloppy products rushed to market without concern for security.

NARRATOR: There are a variety of tough measures being talked about. They're designed to force Microsoft and others to clean up, including imposing civil liability.

SCOTT CHARNEY: When companies start paying liability claims and legal fees and everything that comes with it, where does that money come from? Well, you can raise the cost of the product, but that might be counterproductive because one of the great things about software is how the price has been driven down so it can be available to everyone.

The second thing you can do is take it out of profit, which means it comes out of the investor's pocket. Or you can take it out of cost, perhaps by paying people less, and driving your best security people right out of the company.

NARRATOR: More and more, Clarke found himself having arguments like these with leading high-tech industries, arguments that led to the ultimate threat: regulation.

RICHARD CLARKE: If there's a major devastating cyberspace security attack, the Congress will slam regulation on the industry faster than anything we can imagine. So it's in the industry's best interest to get the job done right before something happens because after something happens and our economy has been really badly hurt, there will be regulation.

SCOTT CHARNEY: Is regulation really an effective way to get where we need to go? And to what extent will regulation stifle innovation? Because if you tie down industry and say, "This is what you must do," then you also tie down the technology. So I think there are a lot of reasons not to go in a regulatory fashion.

O. SAMI SAYDJARI, CEO Cyber Defense Agency: Regulation is not part of the policy of the current administration. They are very reluctant to use that, and it's understandable. Regulation and its effects can be-- can have different effects than you really intend them to have. And so one has to think about it carefully. At the same time, this is very much on the order of fire codes. If we don't do these things, it not only affects the people who are going to be attacked but the entire society fabric.

NARRATOR: But elements of the Bush administration simply aren't in the mood to back Clarke up in these battles.

BARTON GELLMAN: He runs very quickly into ideological opposition in the Office of Management and Budget and the Council of Economic Advisers and elsewhere in government to the very idea of telling private industry what to do. It looks too much like "big nanny" government to them, and so they are putting very sharp limits, or were putting very sharp limits, on what Clarke could do there.

NARRATOR: And in February 2003, a bureaucratic shuffle removed Clarke's operation from the White House. It was folded into the gigantic Department of Homeland Security. But Clarke wasn't. He decided to leave government. But he would not go quietly.

NARRATOR: The man who was right about the danger of Al Qaeda -- and who has come to believe that the cyber war is real and that America is unprepared -- will now do all he can to sound the alarm.

RICHARD CLARKE: After Pearl Harbor, we did a tremendous job of defeating the Nazis and the Japanese. After Sputnik showed that the Russians were winning the space race, we did a pretty good job of national mobilization and we beat the Russians to the moon. After September 11th, Al Qaeda's little sanctuary in Afghanistan was gone in a couple of months, and we're now doing a very good job of rounding terrorists up around the world. After the fact.

Wouldn't it be nice, for once, when we have the experts telling us we have a big risk-- wouldn't it be nice, for once, to get ahead of the power curve, solve the problem so there never is the big disaster?

Cyber War!

Michael Kirk

Jim Gilmore

Michael Kirk



Michael Kirk

Jim Gilmore

Steve Audette

Corey Ford

Ben McCoy

Steve Lederer

Will Lyman

Michael H. Amundson

Jim Sullivan

Mark Molesworth

Dennis Hrbek

Callie Taintor

Frank Ferrucci


Kris Hillstrand


Tim Mangini

M.R. Frederick

Steve Audette

Michael H. Amundson
John MacGibbon

Chris Fournelle

Chetin Chabuk

Mason Daring
Martin Brody

Erin Martin Kane

Christopher Kelly

Jessica Smith

Jennifer McCauley

Dennis O'Reilly

Jenna Lowe

Jessica Cashdan

Mary Sullivan

Danielle Gillis

Lisa Palone-Clarke

Eric Brass
Jay Fialkov

Adrienne Armor

Alex Fitzsimmons
Paul Plutnicki

Tobee Phipps

Sarah Moughty
Kimberly Tabor

Stephanie Ault

Sam Bailey

Wen Stephenson

Catherine Wright

Robin Parmelee

Ken Dornstein

Karen O'Connor

Sharon Tiller

Michael Sullivan

Marrie Campbell

Jim Bracciale

Louis Wiley Jr.

David Fanning

A FRONTLINE Co-Production with Kirk Documentary Group, Ltd.

(c) 2003

FRONTLINE is a production of WGBH Boston, which is solely responsible for its content.

ANNOUNCER: This report continues on our Web site, where you'll be able to join in a forum with cyber security experts who will field your question, get an information warfare expert's analysis of the vulnerabilities of our infrastructure, explore some of the most significant cyber attacks to date, watch the full program again on line or find out on the Web site if your PBS station will be airing it again. Then join the conversation PBS on line, or write an e-mail to frontline@pbs.org.

Next time on FRONTLINE: After spending years in prison--

FORMER PRISONER: I was on death row for the murder of someone I didn't murder.

ANNOUNCER: --they were set free.

FORMER PRISONER: I know that I'm not going to be hired by anybody because of the rape that I didn't commit.

ANNOUNCER: But the system that finally exonerated them deserted them.

FORMER PRISONER: When the cameras went away, everybody went away.

FORMER PRISONER: Sometimes I'd rather be in jail.

ANNOUNCER: Burden of Innocence next time on FRONTLINE.

To obtain a VHS copy of FRONTLINE's Cyber War!, call PBS HOME VIDEO at 1-800-PLAY-PBS. [$29.95 plus s&h]

FRONTLINE is made possible by contributions to your PBS station from viewers like you. Thank you.




published apr. 24, 2003

web site copyright 1995-2014 WGBH educational foundation