I mentioned above (in chapter 2) that China had essentially blackmailed Microsoft into cooperating with it. China had announced that it would develop its own system based on Linux, called Red Flag, and said it would require that it be used instead of Microsoft. Soon Microsoft was bargaining with the Chinese government at the highest level, helped along by its consultant, Henry Kissinger. Microsoft dropped its price, gave the Chinese its secret code, and established a software research lab in Beijing (the lab is directly wired into Microsoft’s U.S. headquarters). A deal was struck. It must have been a good deal: the President of China then visited Bill Gates at his home near Seattle. The Chinese government now uses Microsoft, but it is that special variation with a Chinese government encryption module. One former U.S. intelligence officer told us, “This may mean that no one can hack Windows easily to spy on China. It certainly does not mean that China is less able to hack Windows to spy on others.”
What can be done to millions of lines of code can also be done with millions of circuits imprinted on computer chips inside computers, routers, and servers. Chips are the guts of a computer, like software in silicon. They can be customized, just like software. Most experts cannot look at a complicated computer chip and determine whether there is an extra piece here or there, a physical trapdoor. Computer chips were originally made in the U.S., although now they are mostly manufactured in Asia. The U.S. government once had its own chip factory, called a “fab” (short for “fabrication facility”); however, the facility has not kept pace with technology and cannot manufacture the chips required for modern systems. Recently the world’s second-largest chip manufacturer, AMD, announced its intentions to build the most advanced fab in the world in upstate New York. It will be partially government funded, but not by the U.S. government: AMD got a big investment from the United Arab Emirates.
It is not that the U.S. government is unaware of the problem of software and hardware being made globally. In fact, in his last year in office, President George W. Bush signed PDD-54, a secret document that outlines steps to be taken to defend the government better from cyber war. One of those programs is reported to be a “Supply Chain Security” initiative, but it will be difficult for the U.S. government to purchase only software and hardware made in the U.S. under secure conditions. Currently, it would be difficult to find any.
MACHINES CONTROLLED FROM CYBERSPACE
Neither the vulnerabilities of Internet design nor the flaws in software and hardware quite explain how cyber warriors could make computers attack. How is it that some destructive hand can reach out from cyberspace into the real world and cause serious damage?
The answer stems from the rapid adoption of the Internet and cyberspace by industries in the U.S. in the 1990s. During that decade evangelical information-technology companies showed other corporations how they could save vast amounts of money by taking advantage of computer systems that could do things deep into their operations. Far beyond e-mail or word processing, these business practices involved automated controls, inventory monitoring, just-in-time delivery, database analytics, and limited applications of artificial-intelligence programs. One Silicon Valley CEO told me enthusiastically in the late 1990s how he had applied these techniques to his own firm. “Somebody wants to buy something, they go online to our site. They customize the product they want and hit BUY. Our system notifies the parts makers, plans to ship the parts to the assembly plant, and schedules assembly and delivery. At the assembly plant, robotic devices put the product together and put it in a box with a delivery label on it. We don’t own the computer server that took the order, the parts plants, the assembly plant, or the delivery aircraft and trucks. It’s all outsourced and it’s all just-in-time delivery.” What he owned was the research department, the design team, and some corporate overhead. At companies like his, and in the U.S. economy in general, profitability soared.
What made all of that possible was the deep penetration in the 1990s of information-technology systems into companies, into every department. In many industries, controls that were once manually activated were converted to digital processors. Picture the factory or plant of the twentieth century where some guy in a hard hat got a call from his supervisor telling him to go over and crank some round valve or change some setting. I can see it vividly, my father worked in a place like that. Today, in almost every industry, fewer people are required. Digital control systems monitor activity and send commands to engines, valves, switches, robotic arms, lights, cameras, doors, elevators, trains, and aircraft. Intelligent inventory systems monitor sales in real time and send out the orders to make and ship replacements, often without a human in the loop.
The conversion to digital control systems and computer-managed operations was quick and thorough. By the turn of the century, most of the old systems were retired, even from the role of “backup.” Like Cortés burning his ships after arriving in the New World, U.S. companies and government agencies built a new world in which there were only computer-based systems. When the computers fail, employees stand around doing nothing or go home. Try to find a typewriter and you will get the picture of this new reality.
Just as the Internet, and cyberspace in general, is replete with software and hardware problems and configuration shortcomings, so are the computer networks that run major corporations, from utilities to transportation to manufacturing. Computer networks are essential for companies or government agencies to operate. “Essential” is a word chosen with care, because it conveys the fact that we are dependent upon computer systems. Without them, nothing works. If they get erroneous data, systems may work, but they will do the wrong things.
Despite all the money spent on computer security systems, it is still very possible to insert erroneous data into networks. It can mean that systems shut down, or damage themselves, or damage something else, or send things or people to the wrong places. At 3:28 p.m. on June 11, 1999, a pipeline burst in Bellingham, Washington. Gasoline began spilling out into the creek below. The gas quickly extended well over a mile along the creek. Then it caught fire. Two ten-year-old boys playing along the stream were killed, as was an eighteen-year-old farther up the creek. The nearby municipal water-treatment plant was severely damaged by the fire. When the U.S. National Transportation Safety Board examined why the pipeline burst, it focused on “the performance and security of the supervisory control and data acquisition (SCADA) system.” In other words, the software failed. The report does not conclude that in this case the explosion was intentionally caused by a hacker, but it is obvious from the analysis that pipelines like the one in Bellingham can be manipulated destructively from cyberspace.
The clearest example of the dependency and the vulnerability brought on by computer controls also happens to be the one system that everything else depends upon: the electric power grid.
As a result of deregulation in the 1990s, electric power companies were divided up into generating firms and transmission companies. They were also allowed to buy and sell power to each other anywhere within one of the three big power grids in North America. At the same time, they were, like every other company, inserting computer controls deep into their operations. Computer controls were also installed to manage the buying and selling, generation, and transmission. A SCADA system was already running each electric company’s substations, transformers, and generators. That Supervisory Control and Data Acquisition system got and sent signals out to all of the thousands of devices on the company’s grid. SCADAs are software programs, and most electric companies use one of a half dozen commercially available products.
These control programs send signals to devices to regulate the electric load in various locations. The signals are most often sent via internal computer network and sometimes by radio. Unfortunately, many of the devices also have other connections, multiple connections. One survey found that a fifth of the devices on the electric grid had wireless or radio access, 40 percent had connections to the company’s internal computer network, and almost half had
direct connections to the Internet. Many of the Internet connections were put in place to permit their manufacturers to do remote diagnostics.
Another survey found that at one very large electric company, 80 percent of the devices were connected to the corporate intranet, and there were, of course, connections from the intranet out to the public Internet. What that means is that if you can hack from the Internet to the intranet, you can give orders to devices on the electric grid, perhaps from some nice cyber café on the other side of the planet. Numerous audits of electric power companies by well-respected cyber security experts have found that this is all very doable. What sort of things might you do with controls to the grid?
In 2003, the so-called Slammer worm (big, successful computer malware attacks get their own names) got into and slowed controls on the power grid. A software glitch in a widely used SCADA system also contributed to the slowed controls. So when a falling tree created a surge in a line in Ohio, the devices that should have stopped a cascading effect did not do so until the blackout got to somewhere in southern New Jersey. The result was that eight states, two Canadian provinces, and 50 million people were without electricity, and without everything that needs electricity (such as the water system in Cleveland). The tree was the initiator, but the same effects could have been achieved by a command given over the control system by a hacker. In fact, in 2007 CIA expert Tom Donahue was authorized to tell a public audience of experts that the Agency was aware of instances when hackers had done exactly that. Although Tom didn’t say where hackers had caused a blackout as part of a criminal scheme, it was later revealed that the incident took place in Brazil.
The 2003 blackout lasted a few long hours for most people, but even without anyone trying to prolong the effect it lasted four days in some places. In Auckland, New Zealand, in 1998 the damage from overloading power lines triggered a blackout and kept the city in the dark for five weeks. If a control system sends too much power down a high-tension line, the line itself can be destroyed and initiate a fire. In the process, however, the surge of power can overwhelm home and office surge protectors and fry electronic devices, computers to televisions to refrigerators, as happened recently in my rural county during a lightning storm.
The best example, however, of how computer commands can cause things to destroy themselves may be electric generators. Generators make electricity by spinning, and the number of times they spin per minute creates power in units expressed in a measurement called Hertz. In the United States and Canada, the generators on most subgrids spin at 60 Megahertz. When a generator is started, it is kept off the grid until it gets up to 60 MHz. If it is connected to the grid at another speed, or if its speed changes very much while on the grid, the power from all of the other generators on the grid spinning at 60 MHz will flow into the slower generator, possibly ripping off its turbine blades.
To test whether a cyber warrior could destroy a generator, a federal government lab in Idaho set up a standard control network and hooked it up to a generator. In the experiment, code-named Aurora, the test’s hackers made it into the control network from the Internet and found the program that sends rotation speeds to the generator. Another keystroke and the generator could have severely damaged itself. Like so much else, the enormous generators that power the United States are manufactured when they are ordered, on the just-in-time delivery principle. They are not sitting around, waiting to be sold. If a big generator is badly damaged or destroyed, it is unlikely to be replaced for months.
Fortunately, the Federal Electric Regulatory Agency in 2008 finally required electric companies to adopt some specific cyber security measures and warned that it would fine companies for noncompliance up to one million dollars a day. No one has been fined yet. The companies have until sometime in 2010 to comply. Then the commission promises it will begin to inspect some facilities to determine if they are compliant. Unfortunately, President Obama’s “Smart Grid” initiative will cause the electric grid to become even more wired, even more dependent upon computer network technology.
The same way that a hand can reach out from cyberspace and destroy an electric transmission line or generator, computer commands can derail a train or send freight cars to the wrong place, or cause a gas pipeline to burst. Computer commands to a weapon system may cause it to malfunction or shut off. What a cyber warrior can do, then, is to reach out from cyberspace, causing things to shut down or blow up, things like the power grid, or a thousand other critical systems, things like an opponent’s weapons.
The design of the Internet, flaws in software and hardware, and allowing critical machines to be controlled from cyberspace, together, these three things make cyber war possible. But why haven’t we fixed these problems by now?
CHAPTER FOUR
THE DEFENSE FAILS
Thus far we have seen evidence that there have been “trial runs” at cyber war, mostly using primitive denial of service attacks. We have seen how the United States, China, Russia, and others are investing heavily in cyber war units. We have imagined what the first few minutes of a devastating, full-scale cyber attack on the U.S. would look like. And we have walked through what it is about cyber technology and its uses that makes such a devastating attack possible.
Why hasn’t anybody done anything to fix these vulnerabilities? Why are we placing such emphasis on our ability to attack others, rather than giving priority to defending ourselves against such an attack? People have tried to create a cyber war defense for the U.S. Obviously they have not succeeded. In this chapter we’ll review what efforts have been made to defend against cyber war (and cyber crime, and cyber espionage) and see why they have been such an unmitigated failure. Strap yourself in, we are first going to move quickly through twenty years of efforts in the U.S. to do something about cyber security. Then we will talk about why it hasn’t worked.
INITIAL THOUGHTS AT THE PENTAGON
In the early 1990s the Pentagon began to worry about the vulnerability created by reliance on new information systems to conduct warfare. In 1994, something called the “Joint Security Commission” that was set up by DoD and the intelligence community focused on the new problem introduced by the spread of networked technology. The commission’s final report got three important concepts right:
“Information systems technology…is evolving at a faster rate than information systems security technology.”
“The security of information systems and networks [is] the major security challenge of this decade and possibly the next century and…there is insufficient awareness of the grave risks we face in this arena.”
The report also noted that the increased dependence in the private sector on information systems made the nation as a whole, not just the Pentagon, more vulnerable.
These three points are all true and even more relevant today. A prescient Time magazine article from 1995 demonstrates the point that cyber war and domestic vulnerabilities were subjects to which Washington was alerted fifteen years ago. We keep rediscovering this wheel. In the 1995 story, Colonel Mike Tanksley waxed poetic about how in a future conflict with a lesser power the United States would force our enemy to submit without our ever having fired a shot. Using hacker techniques that were then only possible in the movies, Colonel Tanksley described how America’s cyber warriors would take down the enemy’s phone system, destroy the routing system for the country’s rail line, issue phony commands to the opposing military, and take over television and radio broadcasts to flood them with propaganda. In the fantasy scenario that Tanksley describes, the effect of using these tactics would end the conflict before it even starts. Time magazine reported that a logic bomb “would remain dormant in an enemy system until a predetermined time, when it would come to life and begin eating data. Such bombs could attack, for example, computers that run a nation’s air defense system or central bank.” The article told readers that the CIA had a “clandestine program that would insert booby-trapped computer chips into weapons systems that a foreign arms manufacturer mi
ght ship to a potentially hostile country—a technique called ‘chipping.’” A CIA source told the reporters how it was done, explaining, “You get into the arms manufacturer’s supply network, take the stuff off-line briefly, insert the bug, then let it go to the country…. When the weapons system goes into a hostile situation, everything about it seems to work, but the warhead doesn’t explode.”
The Time article was a remarkable piece of journalism that captured both complicated technical issues and the resulting policy problems long before most people in government understood anything about them. On the cover it asked: “The U.S. rushes to turn computers into tomorrow’s weapons of destruction. But how vulnerable is the homefront?” That question is as pertinent today as it was then, and, remarkably, the situation has changed very little. “An infowar arms race could be one the US would lose because it is already so vulnerable to such attacks,” the writers conclude. “Indeed,” they continue, “the cyber enhancements that the military is banking on for its conventional forces may be chinks in America’s armor.” So by the mid-1990s journalists were seeing that the Pentagon and the intelligence agencies were excited about the possibility of creating cyber war capabilities, but doing so would create a double-edged sword, one that could be used against us.
MARCHING INTO THE MARSH
Timothy McVeigh and Terry Nichols woke a lot of people up in 1995. Their inhumane attack in Oklahoma City, killing children at a day care center and civil servants at their desks, really got to Bill Clinton. He delivered an especially moving eulogy near the site of the attack. When he came back to the White House, I met with him, along with other White House staff. He was thinking conceptually, as he often does. Society was changing. A few people could have significant destructive power. People were blowing things up in the U.S., not just in the Middle East. What if the truck bomb had been aimed at the stock market, or the Capitol, or some building whose importance we didn’t even recognize? We were becoming a more technological nation, but in some ways that also was making us a more fragile nation. At the urging of Attorney General Janet Reno, Clinton appointed a commission to look at our vulnerability as a nation to attacks on important facilities.
Cyber War: The Next Threat to National Security and What to Do About It Page 11
