Authors: Fred Kaplan
Michael Vatis, a Justice Department lawyer on the working group who had just read Gibson's novel, advocated the term's adoption. Others were opposed: it sounded too sci-fi, too frivolous. But once uttered, the word snugly fit. From that point on, the groupâand others who studied the issueâwould speak of “cyber crime,” “cyber security,” “cyber war.”
What to do about these cyber threats? That was the real question, the group's raison d'être, and here they were stuck. There were too many issues, touching too many interestsâbureaucratic, political, fiscal, and corporateâfor an interagency working group to settle.
On February 6, 1996, Gorelick sent the group's report to Rand Beers, Clinton's intelligence adviser and the point of contact for all issues related to PDD-39, the presidential directive on counterterrorism policy, which had set this study in motion. The report's main pointânoting the existence of two kinds of threats to critical infrastructure, physical and cyberâwas novel, even historic. As for a plan of action, the group fell back on the usual punt by panels of this sort when they don't know what else to do: it recommended the creation of a presidential commission.
For a while, nothing happened. Rand Beers told Gorelick that her group's report was under consideration, but there was no follow-up. A spur was needed. She found it in the personage of Sam Nunn, the senior Democrat on the Senate Armed Services Committee.
Gorelick knew Nunn from her days as the Pentagon's general counsel. Both were Democratic hawks, not quite a rare breed but not so common either, and they enjoyed discussing the issues with each other. Gorelick told him about her group's findings. In response, Nunn inserted a clause in that year's defense authorization bill, requiring the executive branch to report to Congress on the policies
and plans to ward off computer-based attacks against the national infrastructure.
Nunn also asked the General Accounting Office, the legislature's watchdog agency, to conduct a similar study. The resulting GAO report, “Information Security: Computer Attacks at Department of Defense Pose Increasing Risks,” cited one estimate that the Defense Department
“may have experienced as many as 250,000 attacks last year,” two thirds of them successful, and that “the number of attacks is doubling each year, as Internet use increases along with the sophistication of âhackers' and their tools.”
Not only was this figure unlikely (a quarter million attacks a year meant 685
per day
, with 457 actual penetrations), it was probably pulled out of a hat: as the GAO authors themselves acknowledged, only “a small portion” of attacks were “actually detected and reported.”
Still, the study sent a shockwave through certain corridors. Gorelick made sure that Beers knew about the wave's reverberations and warned him that Nunn was about to hold hearings on the subject. The president, she hinted, would do well to get out in front of the storm.
Nunn scheduled his hearing for July 16. On July 15, Clinton issued Executive Order 13010, creating the blue-ribbon commission that Gorelick's working group had suggested. The order, a near-exact copy of the working group's proposed draft three months earlier, began:
“Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.” Listing the same eight “critical” sectors that the working group had itemized, the order went on, “Threats to these critical infrastructures fall into two categories: physical threats to tangible property (âphysical threats') and threats of electronic, radio-frequency, or computer-based attacks on
the information or communications components that control critical infrastructures (âcyber threats').”
The next day, the Senate Governmental Affairs Committee, where Nunn sat as a top Democrat, held its much-anticipated hearing on the subject. One of the witnesses was Jamie Gorelick, who warned,
“We have not yet had a terrorist cyber attack on the infrastructure. But I think that that is just a matter of time. We do not want to wait for the cyber equivalent of Pearl Harbor.”
The cyber age was officially under way.
So, behind the scenes, was the age of cyber warfare. At one meeting of the Critical Infrastructure Working Group, Rich Wilhelm took Jamie Gorelick aside and informed her, in broad terms, of the ultrasecret flip side of the threat she was probingâthat
we
had long been doing to other countries what some of those countries, or certain people in those countries, were starting to do to us. We weren't robbing their banks or stealing their industrial secrets, we had no need to do that; but we were using cyber toolsâ“electronic, radio-frequency, or computer-based attacks,” as Clinton's executive order would put itâto spy on them, scope out their networks, and prepare the battlefield to our advantage, should there someday be a war.
The important thing, Wilhelm stressed, was that
our
cyber offensive capabilities must be kept off the tableâmust not even be hinted atâwhen discussing our vulnerability to other countries' cyber offensive capabilities.
America's programs in this realm were among the most tightly held secrets in the entire national security establishment.
When Rand Beers met with deputies from various cabinet departments to discuss Clinton's executive order, John White, the deputy secretary of defense, made the same point to his fellow deputy
secretaries, in the same solemn tone: no one can so much as mention America's cyber offensive capabilities.
The need for secrecy wasn't the only reason for the ensuing silence on the matter. No one around the table said so, but, clearly, to acknowledge America's cyber prowess, while decrying the prowess of others, would be awkward, to say the least.
It took seven months for the commission to get started. Beers, who once again served as the White House point man, first had to find a place for the commissioners to meet. The Old Executive Office Building, the mansion next door to the White House, wasn't sufficiently wired for computer connections (in itself, a commentary on the dismal state of preparedness for a cyber crisis). John Deutch, the new CIA director, pushed for the commissioners to work at his headquarters in Langley, where they could have secure access to anything they needed; but officials in other departments feared this might breed insularity and excessive dependence on the intelligence community. In the end, Beers found a vacant suite of offices in a Pentagon-owned building in Arlington; to sweeten the deal, the Defense Department offered to pay all expenses and to offer technical support.
Then came the matter of filling the commission. This was a delicate matter. Nearly all of the nation's computer traffic flowed through networks owned by private corporations; those corporations should have a say in their fate. Beers and his staff listed the ten federal departments and agencies that would be affected by whatever recommendations came out of this enterpriseâDefense, Justice, Transportation, Treasury, Commerce, the Federal Emergency Management Administration, the Federal Reserve, the FBI, the CIA, and the NSAâand decided that each agency head would pick two delegates for the commission: one official and one executive from a private contractor. In addition to deputy assistant secretaries, there
would also be directors or technical vice presidents from the likes of AT&T, IBM, Pacific Gas & Electric, and the National Association of Regulatory Utility Commissioners.
There was another delicate matter. The commission's final report would be a public document, but its working papers and meetings would be classified; the commissioners would need to be vetted for top secret security clearances. That, too, would take time.
Finally, Beers and the cabinet deputies had to pick a chairman. There were tried-and-true criteria for such a post: he (and it was almost always a he) should be eminent, but not famous; somewhat familiar with the subject at hand, but not an expert; respected, amiable, but not flush with his own agenda; someone with time on his hands, but not a reject or a duffer. They came up with a retired Air Force four-star general named Robert T. Marsh.
Tom Marsh had risen through the ranks on the technical side of the Air Force, especially in electronic warfare. He wound up his career as commander of the electronic systems division at Hanscom Air Force Base in Massachusetts, then as commander of Air Force Systems Command at Andrews Air Force Base, near Washington. He was seventy-one years old; since retiring from active duty, he'd served on the Defense Science Board and the usual array of corporate boards; at the moment, he was director of the Air Force Aid Society, the service's main charity organization.
In short, he seemed ideal.
John White, the deputy secretary of defense, called Marsh to ask if he would be willing to serve the president as chairman of a commission to protect critical infrastructure. Marsh replied that he wasn't quite sure what “critical infrastructure” meant, but he'd be glad to help.
To prepare for the task, Marsh read the report by Gorelick's Critical Infrastructure Working Group. It rang true. He recalled his days at Hanscom in the late 1970s and early 1980s, when the Air Force
crammed new technologies onto combat planes with no concern for the vulnerabilities they might be sowing. The upgrades were all dependent on command-control links, which had no built-in redundancies. A few technically astute junior officers on Marsh's staff warned him that, if the links were disrupted, the plane would be disabled, barely able to fly, much less fight.
Still, Marsh had been away from day-to-day operations for twelve years, and this focus on “cyber” was entirely new to him. For advice and a reality check, Marsh called an old colleague who knew more about these issues than just about anybodyâWillis Ware.
Ware had kept up with every step of the Internet revolution since writing his seminal paper, nearly thirty years earlier, on the vulnerability of computer networks. He still worked at the RAND Corporation, and he was a member of the Air Force Scientific Advisory Board, which is where Marsh had come to know and trust him. Ware assured Marsh that Gorelick's report was on the right track; that this was a serious issue and growing more so by the day, as the military and society grew more dependent on these networks; and that too few people were paying attention.
His chat with Ware filled Marsh with confidence. The president's executive order had chartered the commission to examine vulnerabilities to physical threats and cyber threats. Marsh figured that solutions to the physical threats were fairly straightforward; the cyber threats were the novelty, so he would focus his inquiry on them.
Marsh and the commissioners first convened in February 1997. They had six months to write a report. A few of the members were holdovers from the Critical Infrastructure Working Group, most notably Brent Greene, the Pentagon delegate, whose briefing on the vulnerability of telecom switches and the electrical power grid had so shaken Gorelick and the others. (Gorelick, who left the Justice Department for a private law practice in May, would later co-chair an advisory panel for the commission, along with Sam Nunn.)
Most of the commissioners were new to the issuesâat best, they knew a little bit about the vulnerabilities in their own narrow sectors, but had no idea of how vastly they extended across the economyâand their exposure to all the data, at briefings and hearings, filled them with dread and urgency.
Marsh's staff director was a retired Air Force officer named Phillip Lacombe, who'd earned high marks as chief of staff on a recent panel studying the roles and missions of the armed forces. Lacombe's cyber epiphany struck one morning, when he and Marsh were about to board an eight a.m. plane for Boston, where they were scheduled to hold a ten-thirty hearing. Their flight was delayed for three hours because the airline's computer system was down; the crew couldn't measure weights and balances (a task once performed with a slide rule, which no one knew how to use anymore), so the plane couldn't take off. The irony was overwhelming: here they were, about to go hear testimony on the nation's growing dependence on computer networksâand they couldn't get there on time because of the nation's growing dependence on computer networks.
That's when Lacombe first realized that the problem extended to every corner of modern life. Military officers and defense intellectuals had been worried about weapons of mass destruction; Lacombe now saw there were also weapons of mass
disruption
.
Nearly every hearing that the commission held, as well as several casual conversations before and after, hammered home the same point. The executives of Walmart told the commission that, on a recent Sunday, the company's computer system crashed and, as a result, they couldn't open any of their retail stores in the southeast region of the United States. When a director at Pacific Gas & Electric, one of the nation's largest utilities, testified that all of its control systems were getting hooked up to the Internet, to save money and speed up the transmission of energy, Lacombe asked what the company was doing about security. He didn't know what Lacombe
was talking about. Various commissioners asked the heads of railways and airlines how they were assuring the security of computer-controlled switches, tracks, schedules, and air traffic radarâand it was the same story: the corporate heads looked puzzled; they had no idea that security was an issue.
On October 13, 1997, the President's Commission on Critical Infrastructure Protection, as it was formally called, released its reportâ154 pages of findings, analyses, and detailed technical appendices.
“Just as the terrible long-range weapons of the Nuclear Age made us think differently about security in the last half of the twentieth century,” the report stated in its opening pages, “the electronic technology of the Information Age challenges us to invent new ways of protecting ourselves now. We must learn to negotiate a new geography, where borders are irrelevant and distances meaningless, where an enemy may be able to harm the vital systems we depend on without confronting our military power.”