Cyber War!

Interview: John Arquilla

Arquilla is associate professor of defense analysis at the Naval Postgraduate School. An expert on unconventional warfare, he tells FRONTLINE that the world is now experiencing an "information arms race." In this interview, Arquilla discusses some of the offensive cyber tactics the U.S. has used in the first Gulf War, Kosovo and Afghanistan. He also warns that hackers have the ability to do much more damage than they have yet done. "What we are really talking about is a social gulf between those who have the skills to do costly disruption and those who are radical enough to do it," he says. This interview was conducted on March 4, 2003.

Take us back to sort of the first occasion when you first thought about the cyber world as a potential place for problems. "Cyber war" is a term that you, in fact, invented. When did it first sort of dawn on you? What were you thinking?

I come to the whole cyber war business as a bombs and bullets guy. I didn't know a whole lot about computers. But when I was working for the Central Command in the last Gulf War, it became very apparent to me that our biggest advantages came from what we knew and what our opponent didn't. On the spot, we cobbled together something called a Joint Surveillance and Target Acquisition Radar System. This allowed us to know exactly where the opponent was and how to strike him.

It occurred to me, in the wake of that tremendous and lopsided victory of ours, that much of what we did could have been held hostage to the disruption of any of those information systems. That was the beginnings of cyber war -- the idea that the vulnerability of communications could cripple an advanced army. What made it strong also made it weak.

Then it was only a baby step from there to think about this happening across our entire society, commercially and socially. The crippling of information systems could have profound disruptive effects. What made that thought even more chilling was the notion that this power existed in the hands of a few hackers. The disruptive power of this small group was growing by leaps and bounds. This was something that we were vaguely aware of through the 1980s, but really came into its own in the 1990s.

What bothers me more than anything else, as I look at the data each year coming out of the various computer emergency response teams, is that hackers could do a tremendous amount more damage than they choose to do. This says to me the threat is real. We need to get our arms around it before people do get serious about making costly, costly disruptions a way of life. ...

When you had conversations with people at higher levels at that point, what were their thoughts? Did they think you're a nut? Did they think this is something that we really do have to deal with?

In my checkered career, I've had, I think, the good fortune to always be thinking a few years ahead of events. That has been useful in terms of anticipating threats. It has also created a fair amount of social friction in terms of presenting ideas that are intended to be dismissed initially. The idea that cyber war is coming, which was the title of the article that introduced this idea that I wrote with my colleague, David Ronfeldt, also of the Rand Corporation, was greeted with hoots and howls for the most part. So we felt we had to show everybody how serious this was by giving the article an exclamation point: "Cyber War Is Coming!"

I'm sure that convinced them.

It still hasn't.

It's been said that, in fact, we did use cyber tactics to some extent in that first Gulf War. To what extent, at that point, was anything possible?

Well, when we think about cyber, we need to reflect on the Greek root of the word, "kybernan," which means to control or to govern. The cyber things we did in the last Gulf War had much to do with the management of our own information. Yes, we did some things to the systems of the Iraqis at that time. The things that can be acknowledged would be the bombs dropped on particular systems of communications, and the foil strips that disrupted power flows. But beyond that, I think we can't really talk too much. ...

Some people will say, "There's no proof. Nothing has happened. Nothing has ever happened in this regard, and there are so many threats out there. Why focus any attention, money, energy on this issue?"

In the realm of cyberspace-based disruptive threats, we haven't yet had what they call the electronic Pearl Harbor. I think part of that is a function of our skillful defense of our systems. It's not that we're bereft of attacks. Tens of thousands of attacks occur every week against Department of Defense systems alone. In the intifada between the Israelis and the Palestinians, we've seen a cyber jihad that's been waged with a fair amount of infrastructure attacks -- against which the Israelis have defended quite skillfully. So efforts are being made in this area, but there hasn't been a Pearl Harbor.

Does that mean the threat doesn't exist? I don't think so. ... What we really are talking about is a social gulf between those who have the skills to do costly disruption and those who are radical enough to want to do it. Terrorists who probably want to do this don't yet have the technical skill. Those with the technical skill don't have the desire yet to become terrorists. But I think it's only a matter of time before that gap is bridged. ...

[Can the electrical grid be taken down by cyber tactics?] Why might that be a possibility?

It is certainly possible to disrupt electronic power flows by cyberspace-based means. I think one has to consider the various sorts of systems that regulate a great deal of the flows. Again, I would follow a philosophy of striking at the seams, which has to do with the automated sharing that's done between one part of our country and another. If it's very hot in one part of the country, and they need more air conditioning, electricity, a cooler part of the country will automatically share that. This is all software-driven. So any intrusion into that and any resetting of commands can make a great mess of things.

Now, we have people responsible for protecting these, who spend all of their time, and they're very able people, and do a very good job of this. I think we have to recognize the fact that, in the future, others will think of these systems as targets and will develop skillful ways to try to intrude upon those systems.

But some people will say the electrical grid is a creature with many heads. There's lots of organizations. There's a lot of different districts. It's interconnected, but it's not really interconnected, and there's lots of protection between systems. Why are they wrong?

I think that we do have a great deal of compartmentalization in our electronic infrastructure, the power grid system. At the same time, we have a variety of connections that run entirely through the system. I believe any skillful attacker will look for an avenue of advance that takes them to the most interconnected areas of the power grid system. That said, the attack doesn't have to be of a tremendous magnitude in order to have a great psychological effect. So there are many enclaves within the electronic power grid, small areas, cities, counties, even subdivisions that can be affected from time to time.

So we shouldn't think in terms of the "I" bomb, that information bomb that has as much disruptive effect as a nuclear bomb. We need to think about the possibility of pinpoint attacks on areas, and perhaps persisting over some period of days or weeks that cause disruptions, that have economic, but I think also great psychological effect.

After 9/11, an event took place just north of here, Mountain View, where there were intrusions. When you heard something like that, when you heard about that story to begin with, what did you think? What should we make of that? Why is that story significant?

We need to look at the various events that have occurred in cyberspace since Sept. 11, 2001 as the heralds of perhaps an era of cyber terror. I think it's important not to overstate or to hype this threat; after all, we're talking about things that disrupt, that don't kill, for the most part.

But these disruptions can be very, very costly. It seems to me when we have evidence of people getting into California's independent system operator, for example, or, just the week after 9/11, the Nimda virus comes out -- that's "admin" spelled backwards -- we still don't know who did that. And the cost of the disruptions caused by this runs into the many billions of dollars. In fact, several viruses over the past few years have generated economic costs in the hundreds of billions of dollars.

So this is a non-trivial problem. If we had had this kind of damage done with explosives, people would be rioting in the streets and asking their government to be properly protected. But the fact of the matter is that cyber war is like Carl Sandburg's fog. It comes in on little cat feet, and it's hardly noticed. That's its greatest potential.

[Why was Mountain View significant?]

I think the key part of the story of the intrusion into the California Independent System Operator is that it went on so long without being detected. Again, it goes back to a theme that resonates with me always: Hackers do far less damage than they could. An intruder who has a free run for many days inside a system can do many things. So, again, it comes back to the social question: Why don't they want to do more damage than they do, and how do we prevent a linkup between those with advanced hacking skills, and those who do have a desire to do great disruption?

[What is] the significance of the connections to Pakistan and to other Middle Eastern areas that seem [to be] where these probes are coming from?

We always have to be careful about trying to figure out where a cyber attacker is coming from. They can use computers in any part of the world, but they can be in an absolutely different part. The geography of cyber terror is simply not physical, and it's not linear. So while there's some evidence of cyber attackers operating out of South Asia, several Muslim countries -- and indeed, some of my students have identified particular groups and even some individuals operating in those parts of the world -- we're never quite clear about the ultimate identification of the attacker.

This is, I think, the other problem with cyber war -- the ambiguity as to the perpetrator of these acts. In the short story I wrote, I highlighted this point by having the attackers make it look like a particular nation was behind the attacks on the United States, and this precipitated a larger political military crisis.

I think we have to worry about that kind of deception in the future. After all, the Net is the place where deception is woven into its very fabric. I go back to a time with the Internet where, I think, among all the users, half were men, and half were men pretending to be women. So deception has been there from the very beginning.

The Mountain View case was investigated by the FBI, and then the case was closed. The question becomes, in a situation like this, could the FBI ever find out who was actually doing the probing?

The problem of resolving the perpetrator's identity is central to both the law enforcement and to intelligence, and, frankly, to homeland security. It's something to which we have to devote a great deal of attention in the coming years. I think that our current approaches are limited in part by our own laws. How far back we can hack to trace a user is limited under our existing laws, and the notion of international hot pursuit through cyberspace is also something that has run far ahead of existing international law. So we need to start thinking about a harmonization of information security law around the world.

We need to think about a networking of our own capabilities within this country that will move information far more speedily than it moves today.

The time to back-hack a perpetrator is within seconds, minutes or hours of the action, not months and years after it happens. The trail is far too cold by then. ...

How did 9/11, in general, change the way that cyber war or the potential for cyber war was viewed?

I think the cyber angle of the terror war we're in right now is one in which we realize Al Qaeda makes a very substantial use of the Web and the Net. They are a global network, and you don't run such a network without the use of such systems. For example, their money movements don't physically move money. They consist of e-mails to different places in the world where pots of money sit, and those e-mails direct how the money will be spent or otherwise utilized. So our ability to get inside these systems of communications is a crucial element in combating terror. ...

What we don't do is invest in the human capital that already exists, and that is several orders of magnitude more skillful than anything we can create through a federally funded program. Instead, we have a system in which the hacker faces jail terms far in excess of those of an armed robber for doing what he or she does -- it's mostly he's. We have to reexamine that punitive approach to the hacking community, and try, instead, to turn it into something that can be useful, and perhaps even to reform some of these people away from their own illegal actions.

Before, we talked about what a cyber war might look like, what an attack might look like. What might a defense look like at this point? If there was an attack, again, on infrastructures, what would we see? When would we see it? What would we do?

A cyber war that might unfold would be hard to detect at first. Often, attackers get in without even being noticed. In fact, most intrusions are not noticed. But assuming some kind of warning existed, or we noticed a drop in power production somewhere, or a system went on the fritz, then we would mobilize very quickly to do a pattern analysis to search for what kind of attack tool was being used. In government, we spend a great deal of time figuring out what all the possible tools and devices are that might be employed, and then we try to pattern match those to what's going on as a means of trying to cope with the attack and to mitigate its effects.

Now, this is useful. But it is limited in terms of our dealing only with what is already known -- the known signatures of viruses, for example. So our opponents who may have invented a new virus, or may have taken an old one and modified it in a new way, have an inherent advantage. There is something in the balance between offense and defense. I think there is somewhat of an advantage on the offensive side. Defenses, at best, can hope to limit damage.

I think the situation that you wrote about in your story, we're also talking now about viruses coming at us, but also getting into SCADA systems and such. How does one deal with that?

In the event that our system controls and data acquisition [SCADA] systems have been compromised, we're looking at defensive measures that could mitigate damage quickly, but at great economic cost. Shutdowns, for example, of oil flows on a pipeline to prevent any kind of break or environmental damage would have great, great economic costs that would attend them. In that respect, the cyber attacker might not get their ultimate goal, their primary target, which is to create an oil spill and a rupture in a pipeline. But they would hit their secondary target, if you will, which would be to cause some economic cost to be imposed on us.

I think the best we can hope for is to force the hacker off the primary goal, which is the catastrophic failure of a system. But there are always going to be costs imposed, and these cyber attackers hold the initiative. They decide where and when to attack, and they basically know that they will be able to run free for a little while.

There's an analogy to the Vietnam War that I think is useful here. Ninety percent of the firefights in the Vietnam War were started by the Viet Cong or the North Vietnamese army. They could choose when and where to attack, and they knew the moment they did this, that they would soon come under American attack from artillery, from aircraft, and from reinforcements being brought in by helicopter. I think the skillful hackers are like the Viet Cong. They know that they have a short period in which they will hold the advantage, and then they must disengage. So we have to watch out for those kinds of tactics.

I think we also need to be worried in the future that we won't have a few isolated incidents that occur over months or years, but we have to worry about the possibility of a campaign approach being taken by the cyber attackers, in which they mount several attacks over a period of hours, or perhaps over days. Think about, for example, a Nimda virus, something like that. That would be deployed once a week for three months. Think about the economic impact of something like that. ...

Another analogy that you talk about and you write about is how this is akin to the rise of air power 80 years ago. Define that for me.

When I think about cyberspace-based warfare, I think about air power. Eighty years ago, the great theorists of air power thought about having the ability to attack another society from the air without having to engage their armies or fleets first. Cyber warfare has some of those elements too. You don't have to engage in military. In fact, you don't even need a military in order to engage in this fashion. So it is a form of strategic bombardment. ...

I take heart from the notion that, in the eight decades or so of strategic aerial bombardment, their campaigns have almost never worked. It says to me that cyber bombardment campaigns are probably not likely to work either.

Now, both physical bombing and cyber bombing will have great costs associated with them, but I don't think a people will fold under that kind of pressure. So, for me, the real meaning of cyber warfare is on the battlefield. Much as aircraft which couldn't break societies with bombardment transformed 20th century warfare, I think cyber attacks will transform 21st century warfare. Militaries which are highly dependent on secure information systems will be absolutely crippled, just as if they didn't have aircraft above to protect them in the 20th century. If they don't have good cyber defenses in the 21st century, they'll be absolutely helpless.

Why was Kosovo important to understand the use of cyber tactics in a war situation?

I think Kosovo was, in some ways, a proving ground of certain cyber capabilities. We get into a very sensitive area here. But what can be said is that some means may have been used to distort the images that the Serbian integrated air defense systems were generating. This, of course, was crucially important to waging a successful air campaign. The president ruled out a ground invasion, so the ability to operate in a heavily defended airspace was quite important, and it goes to the issue of the applications of cyber-based tools in the field.

Now, on the Serbian side, there were some pinprick attacks in cyberspace against NATO, and these were easily brushed off. Perhaps the most fascinating aspect of cyber warfare in Kosovo came after the armistice and the Serbian withdrawal from Kosovo. A group of hackers known as the Black Hand didn't have to withdraw, because they weren't in Kosovo. They began to wage a campaign, a cyber war, to try to prevent the reconstitution of [civil] society.

This was at a time when there were few landlines for telecommunications, and the geography made cellphone communication somewhat problematic. I think the figures were that if you dialed the number, you had a one in four chance of ever connecting in a phone call. So the Internet and the World Wide Web were absolutely crucial to the reestablishment of communications and business. Both of these systems came under sustained hack attack by the Black Hand, we think, and perhaps some other hackers. These were defended against reasonably skillfully, and the rebuilding of Kosovo was enabled to proceed.

This is just one of several cyber wars that have erupted in different parts of the world. It is thought that mainland Chinese hackers are routinely attacking both infrastructure and the stock market in Taiwan. Hundreds of attacks are reported in cyberspace by South Korea that are believed to emanate from North Korea. We see shadow conflicts emerging here or there that, once again, impose some economic costs, but don't take lives. So, again, we have Sandburg's fog on its little cat feet coming in here and there.

But back to Kosovo -- it's important because cyberspace-based means were essential to the high performance of the air campaign. Cyberspace means of attack were used substantially by our adversaries, both during and after the conflict. ...

Define for me the situation, the overall picture on this one. Here we have a national security issue. Yet, for instance, in the United States, number one, huge amounts of military communication go through the private sector. Infrastructures which are also part of the national security issue here are all in the hands of the private sector. How difficult a situation do we have here, where government doesn't control the real means to fix the problem?

We have a substantial organizational problem when it comes to [encryption].

Who's to blame? So we have come a long way. I mean, we're to the point now where it is available, but it's not moving very fast. Is that because we don't understand threat? Is that because the Microsofts of the world are not pushing it, or the Apples or the computer companies? Or is that because of government? Where does the blame lie?

... Why aren't we more encrypted? I think there are several answers to that question. The first is that being more secure has efficiency costs that go with it. Your machine will be slower. Lord knows, everybody wants a fast machine. They all brag about how fast their machine is. So in a business sense, it's probably seen as making you less competitive, to have to create more secure systems.

With that said, it was very heartening to see Microsoft stand down for a month a year ago, and say, "We're going to start thinking about security." That was a good thing.

Something else that has slowed the spread of strong encryption is the institutional resistance of our government. They have fought a rearguard action even after laws have been repealed that prevented the spread of strong encryption. This rearguard action is simply in the form of not telling people to go get encrypted, and, to some extent, also in trying to maintain export controls on strong crypto products. This is simply because law enforcement and intelligence feel that they will be constrained if they can't read everybody's mail or e-mail.

Finally, I think that we don't have more encryption because it is a complicated issue. The average computer user wants to boot up and be online, and doing what they're doing. I think various research samples have shown that, even when people try to encrypt, they don't implement it correctly about half the time. So it would take a really sustained effort to get people to practice real, safe cyber surfing practices. So for that combination of reasons, we're under-encrypted right now. ...

Is that the secret answer though? We encrypt and this problem goes away?

If we move to strong encryption -- both to civil and military systems, and individuals at large -- I think we will deal with a great amount of the problem that exists already. There are some things that may persist. The distributed denial of service attack may be mitigated by some uses of encryption, but probably won't go away. The problem of trusted insiders who are disrupting systems themselves won't go away, even with a strong encryption system. Then there's one other threat, the rise of quantum computing, or spintronics. Instead of ones and zeros, plus or minuses of individual electronics can become a basis for advanced computing.

So we're looking at hackers and others who are developing very profoundly different kinds of codebreaking techniques. Some of this has to do with linking together many computers around the world. Some hackers have hundreds or thousands of zombies that they control. The zombie has come back to life in the information age now, as something that's controlled by a hacker that can be used to hotwire them all together to create computing power beyond our imagination. The strongest computer in the world is not a mainframe being manufactured in the United States or Japan. It's the parallel computer being hotwired by a hacker from some dusty office in some abandoned building.

[Moonlight Maze is] a real-world event that took place that proves the vulnerability. How? Why is it significant?

For me, Moonlight Maze, this intrusion into Defense Department computers that went on over a considerable period of time, is an existence proof of the vulnerabilities that the infosphere has, not only to disruption, but to exploitation by some adversary gaining access to very sensitive information, and doing so over a considerable period of time.

For me, it also suggested the risks of having a Maginot Line way of thinking about information security. Had the data in question that was being pilfered been strongly encrypted, it would have been of no use to the intruders. But the fact of the matter is most of the material taken was queued up at a printer where it's, first of all, not behind a secure firewall, and secondly, not at all encrypted. And so it was simply plucked.

The case also highlights the problem of identifying the ultimate user. Some tracking was done back to systems in Moscow, for example. But that, by no means, suggests that these were Russians doing this. It could easily have been someone operating in an entirely other part of the world who bounced off of a computer in Russia. Or it could have been the Russians. This, of course, was one of the themes of the short story I wrote on this subject. You simply don't know who's coming at you.

Is it also significant due to the fact that the sophistication shown for espionage reasons could also be used to attack our infrastructures or our military systems with as great a success as this was?

There's an interesting problem here, in that some events, like the Moonlight Maze intrusions, were simply exploitative in nature -- gaining access to information. But the means by which access was gained are observationally equivalent to the things that a hacker would do if he wanted to intrude and then engage in vast disruption. So we need to figure out how to deal with these problems that have to do with exploitation of systems, because that's our first basis for defense against attacks designed to take these systems down.

There is much talk of a very sophisticated program going on, and a lot of it is into power grids, gas companies, SCADA systems. What does this mean, and what should we be worried about?

... Cyberspace is being mapped all over the world, not just in the United States. It may be mapped by hackers who are trying to build large zombie farms. Or it may be hacked by terrorists working for themselves or for some other country to figure out how to attack the infrastructure of potential adversaries. For whatever reason it's going on -- and it's been happening for years -- when we do a pattern analysis of this, the trend in the mapping relates very closely to how we ourselves think about information warfare campaigns.

So it looks like the military analog of preparing the battlefield in the physical world is going on in the virtual world today. I think this is yet another forewarning. We have already seen the existence proof of capabilities to do great disruption. Now we have very clear indicators, and, I think, strategic warning that cyber war is being prepared for at a campaign level; not individual or isolated instances, but a campaign in which target after target is hit, day after day. ...

Operation Eligible Receiver is very significant. Everybody talks about it. Tell me, what was Eligible Receiver, and why is it significant? Why is it important to understand?

Eligible Receiver is a classified event about which I can't speak. What I can say is that when people say there is no existence proof of the seriousness of the cyber threat, to my mind, Eligible Receiver provides a convincing existence proof of the nature of the threat that we face.

People who oppose the view that this is a significant topic, that [believe] cyber terrorism is not the threat that I think you believe in, and other people we talked to believe in, say that Eligible Receiver proves nothing. The grid was not taken down. They didn't get into the grid. There's no proof to the fact, though some people supposedly said that they could have taken down the grid, for instance, and taken over command control of the South Pacific fleet so that they wouldn't be able to do anything. They say that it proves nothing. What's your opinion of that?

... I think there is a line, if I may talk about this debate between two sides. It's the one that says there's no threat, and the one that says there's a terrible threat. I think the real answer is, like in almost any debate on any serious issue, the truth lies in between. The potential threat of cyber attack, I believe, is very high. I think existing hacker activities, the amount of damage that could be done but isn't, and the increasing dependence, not only of our armed forces, but of society in general, on information systems suggest a great and growing vulnerability to disruption.

At the same time, the lack of physical attacks of a very serious nature on the system suggests that we aren't at a point yet where this threat is imminent, is immediately upon us. So I think that we have to look at this as a situation where we have warning of something that's coming. We have to think about how to prepare for it now. We have to consider the various policies which, if enacted -- whatever the merits of the debate, we can enact policies now that will protect us against this problem if it is going to become something serious, and we can do so in a way that's not terribly costly. In part, the strong encryption solution is one that people should be doing anyway, and would mitigate this problem very, very seriously. ...

If [Eligible Receiver] was run today, would they be able to repeat their successes?

Yes. If Eligible Receiver were run today, I believe that the successes of the attacking team that I'm aware of could be replicated, and perhaps even built upon.

Then what were the lessons learned? I mean, it did have an effect on DOD, and that's the other sign that this was significant.

Yes. Eligible Receiver happened several years ago. Like in any area of military affairs, there is an action and reaction process between those who would protect information systems and those who would attack them. Since the time of that exercise, we've made strides forward in good information security. But the attacking capabilities of those who would disrupt the system have increased also, and I think at a far greater pace than the pace of our changes on the defensive side. In the realm of cyber warfare, those on the offensive have an inherent advantage right now. ...

Hamre's an interesting guy, because he was a real proponent and a real cheerleader for a lot of these issues early on. Now the pendulum has swung, and now he sort of discounts it, and he says, "I spend hours a day worrying about biowarfare and chemical warfare. Do I spend minutes on cyber? No." So what happened there? Explain that, and why that's important.

I worked for a little while for Dr. Hamre. In my view, he is one of the leading defense intellectuals of his time. When I was first involved with him, he took a very serious view of the cyber dimension. I think it's only natural, in more recent years, that his focus has tended to go away from the cyber realm to the realm of physical terror. The events of Sept. 11, 2001, have focused many minds in that direction.

What I would say in response to that, though, is that there is a very, very big virtual dimension to the terror war. Our ability to detect, to track, and to preempt the terror attacks is often a function of our skillful exploitation of cyberspace. Our adversaries increasingly use advanced information systems for the management of their organizations, and there's also considerable evidence that they're trying to develop some attacking capabilities. They're beginning to explore this area.

I would say this about the convergence of terror and cyber warfare: If I were establishing a terror organization today, I would be more interested in doing costly disruption by cyberspace-based means. If I did physical destruction, I would know that I would have to deal with a bunch of angry Americans who would track me to the ends of the Earth. On the other hand, if I could engage in acts that would cause hundreds of billions of dollars worth of costly economic damage, and I could do it relatively secretly, why wouldn't I pursue that aim? And why wouldn't that make me a great hero to the constituency I was serving, my people, those who believe as I would? So if I were a terrorist, I would be thinking these days about mass disruption rather than mass destruction. ...

There are a couple of things I want to talk about regarding Al Qaeda. We've covered some of them. What out there has been reported upon and that you've talked to people about, that concerns you about what was found -- for instance, like the Al Qaeda computers? What is out there that you can talk about that concerns you?

Some of the things that concern me about the increasing awareness Al Qaeda has of advanced information technologies is the apparent evidence that some of their operatives were undergoing advanced hacking training. It's very clear from intercepted communications, as well as discs that were found, that there is an extremely vigorous use of the Web and the Net. There is a surprisingly small amount of strong encryption being used, but that doesn't mean their messages are uncoded. It appears that there's a lot of low-tech coding going on with simple word substitution codes or, perhaps, book codes being used, which are also very hard.

This is why we need a new Bletchley Park of codebreakers for the Information Age, because it's not all going to be codes broken by high-performance computers. It's also going to be about intuitive insights that are generated into what kind of paradigm are they using for securing their communications. It's also clear that all money movement is basically done with e-mails, rather than the physical movements of money.

Now it's also important, as a last point, not to consider Al Qaeda 10 feet tall in this area. We're looking at [Khalid] Sheikh Mohammed, for example, who was simply using the e-mail account of a relative or friend, and assuming that maybe that relative or friend wasn't going to be monitored in some fashion. Very, very sloppy in that particular case, and there are other examples of sloppiness that we can't talk about in more detail.

But from the evidence that's out there, is there enough evidence to believe that they could be gearing up? And if they are -- or if they're not -- would we know it?

When we think about Al Qaeda and its potential for cyber terror or other sympathetic Muslim groups, we're now in an area that's very proprietary in nature. All I can say on this subject is that there is a cyber jihad going on right now against Israel. We see some people that we associate with modern terrorism who are trying to use cyberspace-based means to pursue their ends. Beyond that, I'm afraid we're in a very classified area.

What about states like China, Russia, North Korea, Iraq? Do you deal with this area? Is Washington concerned about this area?

As a defense analyst, I am, of course, interested in what other countries or other organizations are doing in the cyber warfare realm. What I find in the case of the People's Republic of China is an extremely lively and intelligent interest in this issue area. They understand that very simple technologies can achieve very complex effects. They have a character in their language which transliterates as "networkization." They understand the organizational dimension extremely well.

Some years ago, I was also asked to chair a meeting with the leading cyber warfare experts in Russia, and came away deeply impressed by, again, their own appreciation of the seriousness of the problem. They were concerned very much more about vulnerabilities, whereas I think the People's Republic of China is more interested in the opportunities posed in this area.

So what would you tell Washington they should be worried about as far as, for instance, China?

I think we need to be concerned that there is a new kind of arms race emerging, this one being an information arms race, and this is something about which Washington is very concerned. During the Kosovo war, there were things that could have been done in the cyber realm that weren't done, because the United States wanted to send a clear message that it took cyber warfare seriously, and didn't want to be the first ones to go down that road and make it appear an acceptable form of warfare.

Now, we did things in the military realm in Kosovo that helped and enhanced the effectiveness of our physical military assets. But the other sorts of things associated with hacking and making money disappear, things like that, were all refrained from. So I think Washington has a very serious attitude about this. ...

Should we be concerned at this point about a lack of interest or lack of focus due to the fact, the real fact that there are many, many threats, and many serious threats that Washington is dealing with? Should we be concerned that, in Washington and in the private sector by people like Governor Ridge and others, this area is getting scant attention?

In a world with a lot of threats, it's going to be easy for cyber warfare to be tucked away into a corner for a while -- perhaps for a long while. I think it's going to be dangerous for us to let that happen, in part, because terrorists themselves already use the Web and the Net very substantially, and often quite effectively. ...

[But] every day, I see how much attention is being paid to this problem from the services and the private sector. We have gone through the looking glass, and we know that this is an area to which we must pay attention. So I'm not worried about this. I understand that other things may cause our attention to be focused on other matters for some period of time, maybe for a long time. But once you begin the process of examining an issue area like cyberspace-based conflict, you don't walk away from that, and we haven't. We will continue to get better. I think, ultimately, we'll grapple with the problems that will confront us. ...

What does Slammer teach us? Why is it important?

Slammer is interesting to me, because of the speed with which it affected the systems that it could intrude upon. It suggests that the tempo of operations of particular tools and devices may be accelerating, and this is something that should trouble us. ...

[The National Strategy to Secure Cyberspace] is out. Some people say it's not enough, that partnership with the private sector itself does not do it, does not cut it, that, in fact, this is a major failure of governance.

I think we have suffered something of a failure of governance in terms of moving toward good information security in this country. Part of it is the institutional resistance of the private sector and the government to work closely together on things that are sometimes apparently inimical to each other's interests. Undue intrusions in the private sector and the marketing of very sensitive systems by companies, private companies out there that the government perhaps doesn't want to see out there, which is why we have still export controls on supercomputers and some forms of encryption.

So there are some tensions there. But I think the greatest failure is in the lack of recognition, both in the private sector and in the government, of the profound benefits that would come with strong encryption for all. This is the message the American people simply are not hearing. The release of some legal constraints is a far cry from using the bully pulpit of government to encourage everyone to be properly protective.

I'm going to ask you a stupid question. Why shouldn't the government just go in, march in, and say, "Listen, the Internet is integral to our national security. We're taking it over, and this is what we're going to do. And, private sector, you've got to do it. Let's regulate this. Let's use the stick instead of the carrot, because this is essential, and the clock is ticking?"

One possible solution for the government would be to assert central control in an effort to solve the problem. I think this might actually impede the process of securing this, because of the resistance it would generate. I also think it would choke off all the wonderful ideas coming out of the private sector and into government. The last thing we need to do socially is to create even more of an adversarial environment, make it like labor and management in baseball if government tried to come in and just say, "We're from government. We're here to solve this problem." I think the relationship, while sometimes edgy, is overall quite healthy. I don't think we should imperil that as we move ahead.

We've talked about the software being a huge problem. How big a problem is software? Is, for instance, Microsoft part of the problem, or part of the solution at this point?

In the area of software, Microsoft and others have all emphasized, in general, the efficiency and simplicity over security. There are good economic reasons why that's been the case. The fact that Microsoft has acknowledged the need to think more about security is an important admission. I think their toes have to be held in the fire to continue to do that -- both Microsoft and others in the software business -- because the security dimension is absolutely integral. In the future, you're not going to have prosperity and efficiency without security.

What's the problem?

I think the most serious problem in terms of getting the private sector, particularly the software developers, on board to a good security regime is that it will cost something on the bottom line. It will reduce profits, at least in the short run. The answer to that may be that the first software designer to really build in good efficiency with great security, in the long run, is going to generate enormous economic benefits. ...

One last thing. In July, Bush ordered [National Security Presidential Directive] 16 to go into the guidance for when the U.S. should launch cyber attacks. It sounds from just the information that's already released that it certainly shows that our government is very interested still in the use of cyberspace in war, and takes it very seriously. What's the significance specifically of NSPD 16?

I think the presidential directive on information warfare is prima facie evidence of how seriously the government does take cyber warfare. It also marks a shift away from a far more prudential approach to information warfare. In the last administration, there was a great concern about using techniques of cyber warfare that would then be emulated by others, and, by suggesting to the world that the Americans think this is a legitimate form of warfare, others might want to begin doing this as well. There was a great deal of concern about that. This administration is suggesting that we need to pull out all the stops to defeat terrorism. It is an admission, if only a tacit one, that cyberspace-based means of warfare are an essential part of the campaign against global terrorism.

How so? Can you define that a little bit better?

The ways in which cyber warfare can be used against terrorism largely go to breaking into the systems used by various terrorist networks. We create a capability that will sow the seeds of doubt in every terrorist's mind as he's tapping off the message to his attack team, or trying to move money to a particular cell or a node in some part of the world. Then we will slow them down. If we intrude without them having any idea that we're there, we'll be able to rip these various networks apart, because the true way to detecting who they are, where they are, and what they're doing lies in getting the kind of intelligence that's virtually human in nature.

We spend about $30 billion a year on intelligence today -- most of it for satellites that look down. They can see the tent in the desert. They can't tell you who's in there, or what they're saying. A sliver of the money we spend on intelligence goes to cyber warfare-based need, what's called clandestine technical collection. And yet, this sliver is giving us very, very high-resolution information about what our adversaries are up to. Just imagine what we might achieve if we invest even more heavily in this area. ...

Has there been anything that you've tried to sell, especially in those early days, and called for, that was rejected, that maybe now is being reconsidered or that you wish would be reconsidered, besides the encryption?

... When I think about the last 10 years, I'm surprised at how many of the things I've suggested are being adopted. Talk about the rise of Net war, a whole realm of conflict arising. Well, the Navy now has a network warfare command, NETWARCOM, and there's a three-star admiral running it. So these are good things. We talk about building networks among our various services. I think we have succeeded greatly in doing this. It is amazing to me that, just 10 years after Operation Desert Storm in Iraq, Operation Enduring Freedom in Afghanistan featured a small nimble network force that was extremely information-savvy, which achieved our national aims with a minimum of bloodshed in a very short time. These are powerful and profound changes in our military.

What hasn't changed is, I think, back in the Pentagon, where the organizational stovepipes still keep the whole issue of information security as a province of each individual service. Now we have people who are supposed to be chief information officers, and they're at bully pulpits, but they can't make the services give away what the services think is power; that is, the control over their own procurement of advanced technologies. I guess what I'm saying is that the real need for change is organizational, rather than technological, and that's where the greatest resistance lies. ...

published apr. 24, 2003

web site copyright 1995-2014 WGBH educational foundation