Wall Street Journal: How to Fight and Win the Cyberwar

December 6th, 2010

We should think of cyberattacks as guided missiles and respond similarly—intercept them and retaliate.

Several years ago, during the presidency of George W. Bush, many banks and Wall Street firms were knocked offline. The financial industry, which had long been considered to have the best safeguards against cyberinfections in the private sector, discovered its computers had been penetrated by a worm, so-called because a virus grown on one computer can worm its way to millions of others. Mr. Bush asked then Treasury Secretary Hank Paulson to examine what it would take to protect our critical infrastructures. The upshot was that steps were taken to strengthen the security of the military networks, but little else was done.

The major shock about the mischievous WikiLeaks—even more than the individual headline items—is that it dramatizes how vulnerable we still are. Digitization has made it easier than ever to penetrate messages and download vast volumes of information. Our information systems have become the most aggressively targeted in the world. Each year, attacks increase in severity, frequency, and sophistication. On July 4, 2009, for instance, there was an assault on U.S. government sites—including the White House—as well as the New York Stock Exchange and Nasdaq. There were similar attacks that month on websites in South Korea. In 2008, our classified networks, which we thought were inviolable, were penetrated. Three young hackers managed to steal 170 million credit-card numbers before the ringleader was arrested in 2008.

The Internet was originally intended for thousands of researchers, not billions of users who did not know and trust one another. The designers placed a higher priority on decentralization than on security. They never dreamed the Internet could be used for commercial purposes or that it would eventually control critical systems and undergird the world of finance. So it is not surprising that the Internet creators were comfortable with a network of networks rather than separate networks for government, finance and other sectors.

A symbol to many of the open communication of American culture, the Internet has thus evolved into a two-edged sword. Our extensive systems facilitate control of pipelines, airlines and railroads; they energize commerce and private banking. They give us rapid access to medical and criminal records. But they also offer a growing target for terrorists and thieves.

Most people who experience “malware” have been victims of so-called phishing, whereby criminals pretending to be bank employees, for example, trick the gullible into revealing account numbers and passwords. But cyberwarriors can do damage on a much larger scale, as former White House counterterrorism czar Richard Clarke points out in his revealing book “CyberWar,” published earlier this year. They can tap into these networks and move money, spill oil, vent gas, blow up generators, derail trains, crash airplanes, cause missiles to detonate, and wipe out reams of financial and supply-chain data. Havoc can be created at the blink of an eye from remote locations overseas. Criminal groups, nation-states, terrorists and military organizations are at work exfiltrating vast amounts of data from the U.S. public and private sectors.

Another worrisome threat is the distributed denial of service attack, a deluge of Internet traffic specifically intended to crash or jam networks. Hackers using malicious computer code can mobilize a “botnet,” or robotic network, of hundreds of thousands of machines that simultaneously visit certain websites to shut them down.

More recently, a virus that targets special industrial equipment has become widely known as the “Stuxnet” attack. This is the worm that this fall reportedly infiltrated the computers controlling Iran’s nuclear centrifuge facilities, thereby delaying or even destroying its nuclear-weapons program (the one Iran denies it has). It is the world’s first-known super cyberweapon designed specifically to destroy a real-world target.

Similarly, many believe that the immobilization of hundreds of key sites in independent Georgia in 2008 was a Russian government operation accompanying its kinetic war in support of breakaway regions in the former Soviet republic. In a cyberattack on South Korea last year, an estimated 166,000 computers in 74 countries flooded the websites of Korean banks and government agencies, jamming their fiber optic cables.

Mr. Clarke argues in his book that China is one of the key players in developing a cyberwar capability. The Chinese use private hackers to engage in widespread penetration of U.S. and European networks, successfully copying and exporting huge volumes of data. That’s on top of their capacity to attack and degrade our computer systems and shut down our critical networks. He believes that the secrets behind everything from pharmaceutical formulas, bioengineering designs, and nanotechnologies to weapons systems and everyday industrial products have been stolen by the Chinese army or private hackers who in turn give them to China.

The United States has done little to enhance the safety of the networks that bolster our economy. We urgently need to develop defensive software to protect these networks and create impermeable barriers to the profusion of malware. Network convergence—transporting all communications over a common network structure—increases the opportunities for and the consequences of disruptive cyberattacks. Hackers and cyberwarriors are constantly devising new ways to trick systems.

Not many people realize that all of our nation’s air, land and sea forces rely on network technologies that are vulnerable to cyberweapons, including logistics, command and control, fleet positioning and targeting. If they are compromised or obliterated, the U.S. military would be incapable of operating. It does not help that there is a disproportion between offense and defense. The average piece of malware has about 175 lines of code, yet it can attack defense software that uses between 5 million and 10 million lines of code.

It is currently incredibly challenging to figure out the source of an attack, and this in turn inhibits our capacity to prosecute the wrongdoers or retaliate. Malicious programmers are always able to find weaknesses and challenge security measures. The defender is always lagging behind the attacker.

The task is of such a scale that it needs nothing less than a souped-up Manhattan Project, like the kind that broke the scientific barriers to the bomb that ended World War II. Our vulnerabilities are increasing exponentially. Cyberterrorism poses a threat equal to that of weapons of mass destruction. A large scale attack could create an unimaginable degree of chaos in America.

We should think of cyberattacks as guided missiles and respond similarly—intercept them and retaliate. This means we need a federal agency dedicated to defending our various networks. You cannot expect the private sector to know how—or to have the money—to defend against a nation-state attack in a cyberwar. One suggestion recommended by Mr. Clarke is that our government create a Cyber Defense Administration. He’s right. Clearly, defending the U.S. from cyberattacks should be one of our prime strategic objectives.

Few nations have used computer networks as extensively as we have to control electric power grids, airlines, railroads, banking and military support. Few nations have more of these essential systems owned and operated by private enterprise. As with 9/11, we do not enjoy the luxury of a dilatory response.