Cyber War: The Next Threat to National Security and What to Do About It (16 page)

While Senator Levin was trying to figure out what Cyber Command was supposed to be protecting and General Alexander was “in the quiet period” before his hearing, I wasn’t too clear on what Homeland Security was supposed to protect. Therefore I went to the source and asked Secretary Janet Napolitano. She graciously agreed to meet with me at her department’s headquarters. Unlike other cabinet departments, which tend to be headquartered in monumental edifices or modern office blocks near the National Mall, the newest department is run from a barbed-wire-enclosed encampment in northwest Washington, D.C. Behind the wire are a series of low-rise redbrick buildings that, seen from the street, appear like a Nazi army kaserne. It is little wonder that when civil servants were forced to move in they gave the place the nickname Stalag 13, after the fictional German prison camp in the long-running television comedy show
Hogan’s Heroes
.

In fact, the facility had been the headquarters of the U.S. Navy’s cryptographical service, the predecessor of the new 10th Fleet. Like U.S. Navy bases everywhere, this one came with a little white church and cute little street signs. One street is named “Intelligence Way.” To get to the Secretary’s office, we walked through a seemingly endless sea of gray Dilbert cubicles. Napolitano’s personal office was only slightly better. For the former Governor of Arizona, the dismal ten-by-twelve-foot office was a distinct comedown. Nonetheless,
she had managed to cram a bronco-busting saddle into one corner. But the place had a temporary feel to it, six years after the department had been created. “We’re moving to a big new headquarters,” the Secretary explained, trying to emphasize the positive. The new headquarters, on the grounds of St. Elizabeth’s, Washington, D.C.’s shuttered insane asylum, would be ready in year ten of the department’s existence, maybe.

“Even though the government was closed for a holiday yesterday, I spent it meeting with executives form the financial sector, talking to them about cyber security,” Napolitano began. It was Cyber Security Awareness Month at the department and she had scheduled a number of events. I asked her what the greatest cyber security threat was. “The highly skilled lone hacker, cyber criminal cartels…” she replied. Well, what if there were a cyber war, I asked. “The Pentagon would have the lead in a war, but we would do consequence management of any damage in the U.S.” What about preventing the damage so that there would be fewer consequences to manage? “We are growing the capability so that we might be able to protect the dot-gov domain.

Well, if U.S. Cyber Command is protecting dot-mil and you will one day protect dot-gov, who is protecting everything else, like the critical infrastructure, which is in the private sector? “We work with the private sector groups, the Information Sharing and Analysis Centers in the eighteen critical industries, to share information with them.” That is not the same thing as the U.S. government protecting the critical infrastructure from cyber war attacks, is it? No, the Secretary admitted, it wasn’t. Doing that, she suggested, was not Homeland Security’s job.

Homeland Security is developing a system to scan cyber traffic going to and from federal departments, looking for malware (viruses, worms, etc.). The immodestly named “Einstein” system had grown from mere traffic flow monitoring (Einstein 1) to intrusion
and malware detection (Einstein 2) and will soon attempt to block Internet packets that appear to be malware (Einstein 3). As part of the effort to defend the government sites, Homeland and the General Services Administration are attempting to reduce the number of portals from the Internet to the dot-gov domain. Then Homeland will place Einstein 3 on each of those portals into dot-gov to scan for malware. The Einstein network will be run by Homeland’s newly consolidated cyber security division, the National Cybersecurity and Communications Integration Center in Ballston, Virginia.

If DHS can get this to work, I asked, why just limit it to protecting the federal government? “Well, we may want to look later on at taking it out more broadly.” Secretary Napolitano, who is a lawyer and a former federal prosecutor, added that there would be legal and privacy hurdles to having the government scanning the public Internet for cyber war attacks. Well, then, could she employ regulatory authority to make critical infrastructure improve their own ability to defend from cyber war attacks, and to regulate the ISPs or the electric power companies? To her credit, Secretary Napolitano did not rule those possibilities out either, even though President Obama himself had seemed to in his cyber security speech in May 2009. But regulation, she noted, would come only after information sharing and voluntary measures had been shown to fail, and in year one of the Obama Administration it was too early to make that judgment. Of course, information sharing and voluntary measure approach had been tried for over a decade.

What was within her responsibilities was to secure the dot-gov domain, and Napolitano was pleased to report that DHS was looking for one thousand new employees with cyber security skills. Immediately critics wondered publicly why highly qualified cyber geeks would want to work for Homeland when everyone from Cyber Command to Lockheed and Bank of America was recruiting them. Napolitano said she was working to get the personnel rules changed
so that she could pay salaries competitive with the private sector, and she was looking into creating satellite offices in California and other places away from Washington where geeks “might prefer to live.” I thought I heard in her voice the longing for back home that many in the Washington bureaucracy secretly harbor. As we left the Secretary’s office, the head of the U.S. Coast Guard, Admiral Thad Allen, was waiting outside. “Glad to see you survived the interview with Dick,” the Admiral joked. “I survived,” the Secretary replied, “but now I’m depressed about cyber war.”

Why had Clinton, Bush, and then Obama failed to deal successfully with the problem posed by America’s private-sector vulnerability to cyber war? People who have worked on this issue for years all have slightly different answers, or differences in emphasis. Let’s explore six of the reasons they most often give.

1. THE GREATEST TRICK

The first reason you hear is that many cyber attacks that have happened have left behind no marks, no gaping crater like Manhattan’s Ground Zero. When private-sector firms have their core intellectual property stolen, they usually don’t even know it happened. To understand the problem that creates, imagine that you work in a museum with valuable objects, let’s say sculptures and paintings. When you leave the museum at the end of the day, you turn on an alarm system and make sure that the video recorder is running and is connected to the surveillance cameras. In the morning, you return. The alarm has not gone off overnight, but just to be sure, you scan through the video of the last twelve hours and satisfy yourself that no one was inside the museum while you were gone. Finally, you check all the sculptures and paintings to be sure that they are still
there. All is well. Why ever would you then think you had a security problem?

That is essentially the situation that the Pentagon was facing in the late 1990s and continues to face today. There may be some low-level activity of people trying to penetrate their networks, but doesn’t the security software (firewalls, intrusion-detection systems, intrusion-prevention systems) deal effectively with most of the threats? Why would the brass think that their intellectual property, their crown jewels, war plans, engineering drawings, or software was now residing on hard drives in China, Russia, or anywhere other than just on their systems?

The difference between art thieves and world-class hackers is that with the best of the cyber thieves, you never know you were a victim. “Hell, the U.S. government does [number withheld] penetrations of foreign networks every month,” one intelligence official told me. “We never get caught. If we are not getting caught, what aren’t we catching when we’re guarding our own?” How do you convince someone that they have a problem when there is no evidence you can give them? The data isn’t missing like the Vermeer that was snatched from the Isabella Stewart Gardner Museum in Boston in 1990. This sounds like a new problem, unique to cyberspace. Historians of military intelligence, however, have heard this tale before.

In the Cold War the United States Navy was confident that it could defeat the Soviet naval forces if it ever came to a shooting war, until they learned that a family of Americans had given the Soviets a unique advantage. The Walker family, including an employee at the National Security Agency and his son in the U.S. Navy, had supplied the Soviets with the Navy’s top-secret codes, the cryptology that scrambled and unscrambled messages to and from our ships. The Red Navy knew where our ships were, where they were going, what they were ordered to do, and which major weapons and other systems onboard were not working. We were
unaware that the Soviets knew these things because, although we assumed that they were intercepting our message traffic coming over radio frequencies, we were very confident that they could never unscramble our code. They probably never could have, until they bought the descrambling key from some trusted Americans.

The U.S. Navy’s smug arrogance about the security of its Cold War codes was hardly unique in the history of code-breaking: the Japanese thought that no one could read their naval codes during World War II, but the United States and the United Kingdom were doing just that. Some historians believe that the U.S. Navy defeated the Imperial Japanese Navy precisely because of code-breaking skills. Certainly the decisive U.S. victory in the Battle of Midway was due to the advanced knowledge of Japanese plans gained from code-breaking. It is a reasonable assumption that over several decades many nations’ codes, presumed to be unbreakable by their users, were (or are) actually being read by others.

Even though historians and national security officials know that there are numerous precedents for institutions thinking their communications are secure when they are not, there is still resistance to believing that it may be happening now, and to us. American military leaders today cannot conceive of the possibility that their Secret (SIPRNET) or Top Secret intranet (JWICS) is compromised, but several experts I spoke to are convinced that it is. Many corporate leaders also believe that the millions of dollars they have spent on computer security systems means they have successfully protected their company’s secrets. After all, if anybody had gotten inside their secret files, the intrusion detection system software would have sounded an alarm. Right?

No, not necessarily. And even if the alarm did go off, in many cases that would not have caused anyone to do anything very quickly in response. There are ways of penetrating networks and assuming the role of the network administrator or other authorized user with
out ever doing anything that would cause an alarm. Moreover, if an alarm does go off, it is often such a routine occurrence on a large network that nothing will happen in response. Perhaps the next day someone will check the logs and notice that a couple of terabytes of information were downloaded and transmitted outside of the network to some compromised server, the first stop on a multistage trip intended to obscure the final destination. Or, perhaps, no one will notice that anything ever happened. The priceless art is still on the museum walls. And if that is the case, why should the government or the bottom-line-conscious executive do anything?

I mentioned in chapter 2 the 2003 phenomenon code-named Titan Rain. Alan Paller, a friend who runs the SANS Institute, a cyber security education and advocacy group, described what happened on one afternoon in that case, November 1, 2003.

At 10:23 p.m. the Titan Rain hackers exploited vulnerabilities at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona.

At 1:19 a.m. they exploited the same hole in computers at the Defense Information Systems Agency in Arlington, Virginia.

At 3:25 a.m. they hit the Naval Ocean Systems Center, a Defense Department installation in San Diego, California.

At 4:46 a.m. they struck the U.S. Army Space and Strategic Defense installation in Huntsville, Alabama.

There were lots of days like that. Not only were Defense facilities hit, but terabytes of sensitive information left NASA labs, as well as the computers of corporations such as Lockheed Martin and Northrop Grumman, which have been given contracts worth billions of dollars to manage security for DoD networks. Cyber security staffs tried to figure out the techniques being used to penetrate the networks. And their blocking efforts seemed to work. One participant in these defensive efforts told us that “Everyone was all self-congratulatory.” He shook his head, pulled a grimace, and
added softly, “…till they realized that the attacker had just gone all stealthy, but was probably still stealing us blind. We just couldn’t see it anymore.” The case names Moonlight Maze and Titan Rain are now best thought of as fleeting glimpses of a much broader campaign, most of which went unseen. It may seem somewhat incredible that terabytes of information can be removed from a company’s network without that company being able to stop it all from going out the door. In the major cases we know about, the companies or federal organizations usually did not even detect that an exfiltration of data had occurred until well after it had taken place. All of these victims had intrusion-detection systems that are supposed to alarm when an unauthorized intruder attempts to get on a network. Some sites even had the more advanced intrusion-
prevention
systems, which not only alarm but also automatically take steps to block an intruder. The alarms remained silent. If you have a mental image of every interesting lab, company, and research facility in the U.S. being systematically vacuum cleaned by some foreign entity, you’ve got it right. That is what has been going on. Much of our intellectual property as a nation has been copied and sent overseas. Our best hope is that whoever is doing this does not have enough analysts to go through it all and find the gems, but that is a faint hope, particularly if the country behind the hacks has, say, a billion people in it.