Cyber War: The Next Threat to National Security and What to Do About It (10 page)

WHEN CYBER WARRIORS ATTACK

You may by now believe that there are cyber warriors, but in addition to jamming Internet sites what can they do, really? Obviously, we have not had a full-scale cyber war yet, but we have a good idea what it would look like if we were on the receiving end. Imagine a day in the near future. You are the Assistant to the President for Homeland Security and you get a call from the White House Situation Room as you are packing up to leave the office for the day, at eight p.m. NSA has issued a “CRITIC” message, a rare alert that something important has just happened. The one-line message says only: “large scale movement of several different zero day malware programs moving on Internet in the US, affecting critical infrastructure.” The Situation Room’s Senior Duty Officer suggests that you come down and help him figure out what is going on.

By the time you get to the Situation Room, the Director of the Defense Information Systems Agency is waiting on the secure phone for you. He has just briefed the Secretary of Defense, who suggested he call you. The unclassified Department of Defense network known as the NIPRNET is collapsing. Large-scale routers throughout the network are failing, and constantly rebooting. Network traffic is es
sentially halted. As he is telling you this, you can hear someone in the background trying to get his attention. When the general comes back on the line, he says softly and without emotion, “Now it’s happening on the SIPRNET and JWICS, too.” He means that DoD’s classified networks are grinding to a halt.

Unaware of what is happening across the river at the Pentagon, the Undersecretary of Homeland Security has called the White House, urgently needing to speak to you. FEMA, the Federal Emergency Management Agency, has told him that two of its regional offices, in Philadelphia and in Denton, Texas, have reported large refinery fires and explosions in Philadelphia and Houston, as well as lethal clouds of chlorine gas being released from several chemical plants in New Jersey and Delaware. He adds that the U.S. Computer Emergency Response Team in Pittsburgh is being deluged with reports of systems failing, but he hasn’t had time to get the details yet.

Before you can ask the Senior Duty Officer where the President is, another officer thrusts a phone at you. It’s the Deputy Secretary of Transportation. “Are we under attack?” she asks. When you ask why, she ticks off what has happened. The Federal Aviation Administration’s National Air Traffic Control Center in Herndon, Virginia, has experienced a total collapse of its systems. The alternate center in Leesburg is in a complete panic because it and several other regional centers cannot see what aircraft are aloft and are trying to manually identify and separate hundreds of aircraft. Brickyard, the Indianapolis Center, has already reported a midair collision of two 737s. “I thought it was just an FAA crisis, but then the train wrecks started happening…” she explains. The Federal Railroad Administration has been told of major freight derailments in Long Beach, Norfolk, Chicago, and Kansas City.

Looking at the status board for the location of the President, you see it says only “Washington-OTR.” He is on an “off the record,” or personal, activity outside the White House. Reading your mind,
the Senior Duty Officer explains that the President has taken the First Lady to a hip new restaurant in Georgetown. “Then put me through to the head of his Secret Service detail,” says a breathless voice. It’s the Secretary of the Treasury, who has run from his office in the building next to the White House. “The Chairman of the Fed just called. Their data centers and their backups have had some sort of major disaster. They have lost all their data. Its affecting the data centers at DTCC and SIAC—they’re going down, too.” He explains that those initials represent important financial computer centers in New York. “Nobody will know who owns what. The entire financial system will dissolve by morning.”

As he says that, your eyes are drawn to a television screen reporting on a derailment on the Washington Metro in a tunnel under the Potomac. Another screen shows a raging flame in the Virginia suburbs where a major gas pipeline has exploded. Then the lights in the Situation Room flicker. Then they go out. Battery-operated emergency spotlights come on, casting the room in shadows and bright light. The television flat screens and the computer monitors have gone blank. The lights flicker again and come back on, as do some of the screens. There is a distant, loud droning. “It’s the backup generator, sir,” the Duty Officer says. His deputy again hands you a secure phone and mouths the words you did not want to hear: “It’s for you. It’s POTUS.”

The President is in the Beast, his giant armored vehicle that resembles a Cadillac on steroids, on his way back from the restaurant. The Secret Service pulled him out of the restaurant when the blackout hit, but they are having a hard time getting through the traffic. Washington’s streets are filled with car wrecks because the signal lights are all out. POTUS wants to know if it’s true what his Secret Service agent told him, that the blackout is covering the entire eastern half of the country. “No, wait, what? Now they’re saying that
the Vice President’s detail says it’s out where he is, too. Isn’t he in San Francisco today? What time is it there?”

You look at your watch. It’s now 8:15 p.m. Within a quarter of an hour, 157 major metropolitan areas have been thrown into knots by a nationwide power blackout hitting during rush hour. Poison gas clouds are wafting toward Wilmington and Houston. Refineries are burning up oil supplies in several cities. Subways have crashed in New York, Oakland, Washington, and Los Angeles. Freight trains have derailed outside major junctions and marshaling yards on four major railroads. Aircraft are literally falling out of the sky as a result of midair collisions across the country. Pipelines carrying natural gas to the Northeast have exploded, leaving millions in the cold. The financial system has also frozen solid because of terabytes of information at data centers being wiped out. Weather, navigation, and communications satellites are spinning out of their orbits into space. And the U.S. military is a series of isolated units, struggling to communicate with each other.

Several thousand Americans have already died, multiples of that number are injured and trying to get to hospitals. There is more going on, but the people who should be reporting to you can’t get through. In the days ahead, cities will run out of food because of the train-system failures and the jumbling of data at trucking and distribution centers. Power will not come back up because nuclear plants have gone into secure lockdown and many conventional plants have had their generators permanently damaged. High-tension transmission lines on several key routes have caught fire and melted. Unable to get cash from ATMs or bank branches, some Americans will begin to loot stores. Police and emergency services will be overwhelmed.

In all the wars America has fought, no nation has ever done this kind of damage to our cities. A sophisticated cyber war attack by one of several nation-states could do that today, in fifteen minutes,
without a single terrorist or soldier ever appearing in this country. Why haven’t they done it by now, if they can? For the same reason that the nine nations with nuclear weapons haven’t used one of them since 1945, because they need to have the political circumstances that cause them to believe such an attack would be in their interest. But unlike with nuclear weapons, where an attacker may be deterred by the promise of retaliation or by the radioactive blow-back on his own country, launching a cyber attack may run fewer risks. In cyber war, we may never even know what hit us. Indeed, it may give little solace to Americans shivering without power to know that the United States may be about to retaliate in kind.

“While you were on the line with the President, sir, Cyber Command called from Fort Meade. They think the attack came from Russia and they are ready to turn out the lights in Moscow, sir. Or maybe it was China, so they are ready to hit Beijing, if you want to do that. Sir?”

C
yberspace. It sounds like another dimension, perhaps with green lighting and columns of numbers and symbols flashing in midair, as in the movie
The Matrix
. Cyberspace is actually much more mundane. It’s the laptop you or your kid carries to school, the desktop computer at work. It’s a drab windowless building downtown and a pipe under the street. It’s everywhere, everywhere there’s a computer, or a processor, or a cable connecting to one.

And now it’s a war zone, where many of the decisive battles in the twenty-first century will play out. To understand why, we need to answer some prior questions, like: What is cyberspace? How does it work? How can militaries fight in it?

HOW AND WHY CYBER WAR IS POSSIBLE

Cyberspace is all of the computer networks in the world and everything they connect and control. It’s not just the Internet. Let’s be clear about the difference. The Internet is an open network of networks. From any network on the Internet, you should be able to communicate with any computer connected to any of the Internet’s networks. Cyberspace includes the Internet
plus
lots of other networks of computers that are not supposed to be accessible from the Internet. Some of those private networks look just like the Internet, but they are, theoretically at least, separate. Other parts of cyberspace are transactional networks that do things like send data about money flows, stock market trades, and credit card transactions. Some networks are control systems that just allow machines to speak to other machines, like control panels talking to pumps, elevators, and generators.

What makes these networks a place where militaries can fight? In the broadest terms, cyber warriors can get into these networks and control or crash them. If they take over a network, cyber warriors could steal all of its information or send out instructions that move money, spill oil, vent gas, blow up generators, derail trains, crash airplanes, send a platoon into an ambush, or cause a missile to detonate in the wrong place. If cyber warriors crash networks, wipe out data, and turn computers into doorstops, then a financial system could collapse, a supply chain could halt, a satellite could spin out of orbit into space, an airline could be grounded. These are not hypotheticals. Things like this have already happened, sometimes experimentally, sometimes by mistake, and sometimes as a result of cyber crime or cyber war. As Admiral Mike McConnell has noted, “information managed by computer networks—which run our utilities, our transportation, our banking and communi
cations—can be exploited or attacked in seconds from a remote location overseas. No flotilla of ships or intercontinental missiles or standing armies can defend against such remote attacks located not only well beyond our borders, but beyond physical space, in the digital ether of cyberspace.”

Why, then, do we run sophisticated computer networks that allow unauthorized access or unauthorized commands? Aren’t there security measures? The design of computer networks, the software and hardware that make them work, and the way in which they were architected, create thousands of ways that cyber warriors can get around security defenses. People write software and people make mistakes, or get sloppy, and that creates opportunities. Networks that aren’t supposed to be connected to the public Internet very often actually are, sometimes without their owners even knowing. Let’s look at some things in your daily life as a way of explaining how cyber war can happen. Do you think your condominium association knows that the elevator in your building is, like
ET
in the movie of the same name, “phoning home”? Your elevator is talking over the Internet to the people who made it. Did you know that the photocopier in your office is probably doing the same thing? Julia Roberts’s character in the recent movie
Duplicity
knew that many copying machines are connected to the Internet and can be hacked, but most people don’t know that their copier could even be online. Even fewer think about the latest trick, shredders that image. Just before all those sensitive documents pass through the knives that cut them into little pieces, they go by a camera that photographs them. Later, the cleaning crew guy will take his new collection of pictures away to whoever hired him.

Your elevator and copier “phoning home” is supposed to be happening, the software is working properly. But what if your competitor has a computer programmer who wrote a few lines of code and slipped them into the processor that runs your photocopier? Let’s say
those few lines of computer code instruct the copier to store an image of everything it copies and put them into a compressed data (or zip) file. Then, once a day, the copier accesses the Internet and—ping!—it shoots that zip file across the country to your competitor. Even worse, on the day before your company has to submit a competitive bid for a big contract—ping!—the photocopier catches fire, causing the sprinklers to turn on, the office to get soaked, and your company to be unable to get its bid done in time. The competitor wins, you lose.

Using an Internet connection you did not know existed, someone wrote software and downloaded it onto your photocopier, which you did not even know had an onboard processor big enough to be a computer. Then that someone used the software to make the photocopier do something it wouldn’t otherwise do, short-circuit or jam and overheat. They knew the result would be a fire. They probably experimented with a copier just like yours. The result is your office is flooded by the sprinkler system and you think it was an accident. Somebody reached out from cyberspace and made your physical space a mess. That someone is a hacker. Originally “hacker” meant just somebody who could write instructions in the code that is the language of computers to get them to do new things. When they do something like going where they are not authorized, hackers become cyber criminals. When they work for the U.S. military, we call them cyber warriors.

In this scenario, the cyber criminal used the Internet as his avenue of attack, first to get information and then to do damage. His weapon was a few lines of software, which he inserted into the computer in the copier. Or you may think about it this way: he used software to turn your copier into the weapon. He succeeded because the software program that ran the copier was written to allow people to add commands and give those commands remotely. The designers of the copier never thought anyone would make it a weapon, so they never wrote their software in a manner that would make that
difficult or impossible to do. The same is true of the designers of the electric power grid and other systems. They didn’t think about people hacking them and turning their systems into weapons. Your office manager didn’t pay attention when the salesperson said the copier would have a remote diagnostics capability to download improvements, fix problems, and dispatch a repairman with the right replacement parts. Hackers paid attention, or maybe they were just exploring their cyberspace neighborhood and found an address that identified itself as “Xeonera Copier 2000, serial number 20-003488, at Your Company, Inc.”

If you doubt that copiers are part of cyberspace, read
Image Source Magazine
:

While mundane, this hypothetical scenario is helpful because it shows the three things involved in cyberspace that make cyber war possible: (1) flaws in the design of the Internet; (2) flaws in hardware
and software; and (3) the move to put more and more critical systems online. Let’s look at each.

VULNERABILITIES OF THE INTERNET

There are at least five major vulnerabilities in the design of the Internet itself. The first of these is the addressing system that finds out where to go on the Internet for a specific address.

ISPs are sometimes called “carriers,” because they are the companies that carry the Internet’s traffic. Other companies make the computer terminals, the routers, the servers, the software, but it is the ISPs that link them all together. All ISPs are not created equal. For our discussion, let’s divide them into two categories. There are the national ISPs that own and operate thousands of miles of fiber-optic cable running from coast to coast, connecting all the big cities. There are six of these big ISPs in the United States (Verizon, AT&T, Qwest, Sprint, Level 3, and Global Crossing). Because their big fiber-optic cable pipes form the spine of the Internet in the U.S., they are called the “backbone providers,” or, more technically, the Tier 1 ISPs. Once they get the backbone into your city, they connect up with lots of smaller ISPs that run service to local businesses and to your house. Your local ISP is probably the phone company or the cable TV company. (If it’s the phone company, it may be that you have one of the Tier 1 ISPs also providing your local service.) Their wires run from your house down the street to the world.

To see how this works, and to discover some of the vulnerabilities of the Internet addressing system, follow what happens when I connect to the Internet. I open a “browser” on my laptop. Just by opening the browser, I am requesting that it go out onto the Internet and bring back “my homepage.” Let’s say that “homepage” is that of the consulting firm where I work. So, sitting in my home office in
Rappahannock County, Virginia, in the foothills of the Blue Ridge Mountains, I click and my browser goes to www.mycompany.com. Since computers can’t understand words like “mycompany,” the address needs to be translated into 1’s and 0’s that computers can read. To do that, my browser uses the Domain Name System. Think of it as the 411 information operator. You say a name, you get a number.

My consulting firm is headquartered seventy-five miles away from my home in Virginia, but its webpage is hosted on a remote server in Minneapolis with the Internet address of, let’s say, 123.45.678.90. That is a lot of numbers to memorize. Luckily I don’t have to. The browser uses the Domain Name System to look up the address. The browser sends a message to a database kept on a server computer, part of an elaborate hierarchy of such computers that together form the Domain Name System. For cyber warriors, the Domain Name System is a target. It was designed with little thought to security, so hackers can change its information and misdirect you to a phony webpage.

When I open up the browser it sends a request to the server hosting the page. The request is broken down into a series of packets that are each sent individually. Let’s trace just one packet along its way from my computer to the website. The first hop is from my computer to the wi-fi card in my computer, where the packets are translated into radio waves and sent out over the air to the wi-fi router in my house. If that router is improperly secured, hackers can get into the computer over the wi-fi connection. The wi-fi router turns the signal back from a radio wave into an electronic signal passed to my local ISP in the booming megalopolis of Culpepper, Virginia.

If you know it, you may think that Culpepper is lovely, but not necessarily near the heart of cyberspace. Because it’s just beyond the blast radius if a nuclear weapon were to go off in Washington, the government and the financial community have all sorts of databases nearby. So, there is an AT&T node there, at 13456 Lovers Lane.
(Really.) My ISP has a line running across town to the AT&T facility, where the electrons of my request for the webpage get converted into photons so they can hop on AT&T’s fiber-optic network. Once on the fiber, the packet first hits a router in Morristown, New Jersey, is passed to another AT&T router in Washington, D.C., and then back to New Jersey, this time to a router in Middletown.

At Middletown, the router passes the packet to another Tier 1 company, Level 3. Once on the Level 3 backbone, the packet is routed through three different nodes in Washington, D.C. At this point, the packet has traveled over radio waves, copper wires, and high-speed bundles of fiber-optic cables for more than 800 miles, but is only about 75 miles from where I first sent it off. The last Level 3 router, in Washington, sends it speeding toward Chicago (now we are getting somewhere), where it descends through two more Level 3 routers before being sent to Minneapolis. What goes to Minneapolis, though, does not necessarily stay in Minneapolis. Instead of handing off to our web hosting provider, the packet goes another 741 miles to another Level 3 router in the company’s headquarters in Broomfield, Colorado, which then routes the packet back to our company’s ISP, in Minneapolis, and on to our web server. To travel the 900 miles to Minneapolis, the packet went about 2,000 miles out of its way, but the whole process took a few seconds. It also provided several opportunities for cyber warriors.

If cyber warriors had wanted to send those packets to the wrong place, or to prevent them from going anywhere, they had at least two opportunities. First, as noted earlier, they could have attacked that Internet 411, the Domain Name System, and sent me to the wrong page, perhaps to a phony look-alike webpage, where I would enter my account number and password. Rather than hacking the Domain Name System to hijack a webpage request, however, cyber warriors could attack the system itself. This is just what happened in February 2007, when six of the thirteen top-level worldwide do
main servers were targeted in a DDOS attack. Similar to the botnets that hit Estonia and Georgia, the attack flooded the domain name servers with thousands of requests per second. Two of the servers targeted were taken down, including one that handles traffic for the Department of Defense. The other four were able to manage the attack by shifting requests to other servers not targeted in the attack. The attack was traced back to the Pacific region and lasted only eight hours. The attackers stopped it either because they were afraid continuing it would allow investigators to trace it back to them or, more likely, because they were just testing to see if they could do it.