Not so Quiet on the Cyber Front
It was a clear, sunny August day in 1945 when the B-29 Enola Gay flew over the Japanese city. Its payload – a “Little Boy” atomic bomb – was armed in flight and dropped at approximately 8:15 a.m. It exploded at an altitude of 1,800 feet with a force of 13 to 20 kilotons, or roughly a million sticks of dynamite.
The resulting 20,000‐foot mushroom cloud of smoke and debris ended a world war and prompted Albert Einstein to exclaim, "The release of atom power has changed everything except our way of thinking… the solution to this problem lies in the heart of mankind. If only I had known, I should have become a watchmaker."
Today’s nuclear weapons are measured in megatons – a thousand times stronger than the blast delivered to Hiroshima. But “kilotons” were quite enough to kill an estimated 60,000 people, injuring another 60,000.
Now a new kind of warfare is emerging – but it is measured in byte streams, packets, and megawatts rather than megatons. “Just as the invention of the atomic bomb changed warfare and deterrence 64 years ago, a new international race has begun to develop cyberweapons and systems to protect against them,” reports the New York Times.
Silicon Valley’s massive phone and Internet outage in April 2009 underscores a recent announcement that cyberspies from China, Russia and other countries have penetrated the U.S. electrical grid and planted disruptive software programs. Cutting fiber underground in the San Jose, Calif. area was most likely the work of vandals. However, it shows the vulnerability of our interlaced, networked dependence on centrally controlled electrical distribution and computing devices.
Foreign cyberattackers haven’t yet damaged the U.S. power grid or key network infrastructure, but officials say they could try during a crisis or war. There are thousands of daily attacks on federal and private computer systems in the United States — this includes your home computer — mostly looking for chinks in the patchwork of American firewalls that keep network intruders away from sensitive data and programs.
Defense Secretary Robert Gates warns that the United States is "under cyberattack virtually all the time, every day" and that the Defense Department “plans to more than quadruple the number of cyber experts it employs to ward off such attacks.” Hackers please note: Uncle Sam wants you!
A cyberattack can occur on several fronts: stolen or compromised military secrets, infiltration of large online financial accounts, electrical blackouts, or control of remote computers – to do the bidding of cyberattackers. Government officials fear that a combined, coordinated attack of computer networks on all fronts could result in the digital equivalent of a mushroom cloud – a cyber Hiroshima.
Already computer spies have broken into the Pentagon’s $300 billion Joint Strike Fighter project, one of the Defense Department’s costliest weapons programs ever. The intruders were able to copy several terabytes of data related to design and electronics systems, giving them access to potential Achilles’ heels. Similar incidents have also breached the Air Force’s air traffic control system in recent months.
And data thieves – whether domestic criminals or cyberspies – can drain financial accounts, steal identities, and use debit and credit cards fraudulently. The implications for corporate investors include a loss of shareholder value – or worse – if the company has an information security breach.
There is also government concern that stolen financial information can be used to finance terrorism, and to create forged identities allowing terrorists to cross borders or access critical systems.
One approach to preventing network intrusions is to simulate cyberattacks – essentially cyber war gaming. The National Cyber Range is a test environment for the Internet of the future, and it is being built to be attacked. Northrop Grumman Corporation recently won a contract for this Defense Advanced Research Projects Agency’s (DARPA) project, “which will provide an environment to test and analyze new concepts and technologies to protect against modern cyber threats.”
Northrop Grumman is one of seven firms awarded eight-month study contracts to provide conceptual designs for a future. "Our Millersville cyber test range is like having the Internet in a bottle," says Bob Frizzelle, Northrop Grumman Information Systems sector vice president. "In a closed lab, we replicate a full rate commercial telecommunications infrastructure with hundreds of computers of various types and operating systems. We build a host domain and hack it from other computers, and record and analyze everything with proven tools that automate the process.” He continues, “For real cybersecurity, it’s the wave of the future."
The New York Times concludes that the Cyber Range is to the digital age what the Bikini Atoll – the islands the Army vaporized in the 1950s to measure the power of the hydrogen bomb – was to the nuclear age. After the tests at the Bikini Atoll demonstrated to the world the destructive power of the bomb, it became evident to the United States and the Soviet Union and other nuclear powers “that the risks of a nuclear exchange were simply too high.” “In the case of cyberattacks, where the results can vary from the annoying to the devastating, there are no such rules.”
In securing the “cyberperimeter,” Secretary Gates has concluded that the military’s cyberwarfare effort requires a sharper focus. It would build the defenses for military computers and communications systems and – the part the Pentagon is reluctant to discuss – develop and deploy cyberweapons.
To handle all this, the Obama administration proposes to create a new military cybersecurity command to unify responsibility for Pentagon networks – this responsibility is currently spread across several agencies and service branches. Pentagon officials say the front-runner to lead the new command is National Security Agency (NSA) Director Keith Alexander, a three-star Army general. The command would assist the Department of Homeland Security, but would not be subsumed under it.
Meanwhile, the bipartisan bill S.773, the Cybersecurity Act of 2009, was introduced by Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME) to:
- Ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications,
- Provide for the continued development and exploitation of the Internet and intranet communications for such purposes,
- Provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.
A key provision is unprecedented in its implications: “The Secretary of Commerce shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access…”. The Electronic Freedom Foundation suggests that the bill would give the Commerce Department absolute, non-emergency access to “all relevant data” without any privacy safeguards like standards or judicial review.
In reality, the General Accounting Office (GAO) reports that network computer security problems are relatively “mundane.” The problems mentioned in the report include insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information security programs. This raises the question of what’s really required to secure the cyberperimeter. Why the need for such sweeping legislation as S.773?
Live Free or Die – the state motto of New Hampshire – is popular among users of the Unix computer operating system, a group that clearly cherishes its independence. The Internet was built by Unix hackers to be an open, decentralized network of computers not dependent upon a central “master control program” as portrayed in the 1982 cult classic Tron – a hacker favorite.
The Internet has driven economic innovation, democratic participation, and free speech online. "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” Benjamin Franklin’s warning rings as true today as it did in 1759.