Three cybersecurity wake up calls that the U.S. missed

Bob Gourley is one of the top CTOs in the United States. In this interview with TechRepublic, learn the career path he took to CTO via the U.S. Navy. Also, hear about three critical U.S. cybersecurity events that he thinks deserved to be taken a lot more seriously.

Podcast

Bob Gourley is one of the top CTOs in the United States. In this interview with TechRepublic, hear how he got started in IT and the career path he took to CTO via the U.S. Navy. Also, hear about three critical U.S. cybersecurity events that he thinks deserved to be taken a lot more seriously:

"All three of them were not the wake up call they should have been," said Gourley. Listen to this interview to get the full story.

Four ways to listen to this podcast:

  1. You can click Play directly from this page (if you have Flash installed)
  2. Subscribe to the Tech Sanity Check podcast through iTunes
  3. Subscribe to the podcast RSS feed with Zune, Juice, or other software
  4. Download this episode as an MP3

About

Jason Hiner is the Global Editor in Chief of TechRepublic and Global Long Form Editor of ZDNet. He is an award-winning journalist who writes about the people, products, and ideas that are revolutionizing the ways we live and work in the 21st century.

43 comments
jkameleon

http://izismile.com/img/img2/20090507/selection_149_88.jpg My point was that the y2k scare achieved proverbial status a long time ago, similar to flu (yeah, it's just a flu without adjectives, since ALL flu originates from swine & poultry), terrorism, etc. It became a synonym for crying wolf, a scare hoax. You shouldn't worry about that, though. Y2K scare was a once-in-a-lifetime opportunity, which came and went a long time ago. There will be plenty more of them, though. People will always fall for such shit.

deepsand

For those not intimately familiar with the problem, a modicum of research will suffice to put the lies to such claims.

Deadly Ernest

it was a hoax as the majority of systems were never at risk due to not having any software needing to do date comparisons. it was very much a mountain out of a bb pellet

jkameleon

Generally, IT is so full of hype that nothing coming from it can be taken seriously. 99.99% of so called "threats" are actually just mild nuisances, and the rest can be easily prevented by (oh, horror of all horrors) employing brains instead of buzzwords & jargon.

deepsand

You'll understand that those of us who've been around the block a few times don't buy into that wishful thinking.

jkameleon

. . . I got a y2k proof gaslamp to sell you.

deepsand

When you interact with the BIOS, you are dealing with a software abstraction, not directly with the hardware itself. Computing systems keep time as a measure of the time that has elapsed since a selected epoch, with the unit of time varying in granularity (from a nanosecond to a day.) This count is physically stored, and is therefore subject to the physical limits imposed by the granularity of the memory used for such. With few exceptions - the IBM 1401 being a notable one, by virtue of its having user defined word lengths - both the granularity and the number of granules available for such counter storage are fixed in both size and number. Therefore, the upper bound on the time counter is also fixed; and, when it overflows, it rolls over, just like an old analog odometer on a car. How the hardware abstraction layer handles such rollover determines what you see, but does not change what is physically stored.

Deadly Ernest

start date as they were working off an earlier BIOS version - especially the computers put in place prior to 1970.

deepsand

2038 is a problem for counters using 32 bit signed integers to measure the passage of time, and time passage is measured as a count of the number of seconds elapsed since 01 JAN 1970. What causes a 2024 problem?
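
The rollover described in deepsand's comments above (a fixed-width count of time elapsed since an epoch, and the 2038 case of a signed 32-bit count of seconds since 01 JAN 1970), worked through as an added example that is not part of the original thread. The struct and function names are hypothetical, and the unsigned 32-bit and 16-bit day-counter cases are constructed for comparison.

```c
#include <stdint.h>
#include <stdio.h>

/* A fixed-width elapsed-time counter: zero point, tick size, storage width. */
typedef struct {
    int64_t epoch_year, epoch_month, epoch_day; /* date the count starts from */
    int64_t seconds_per_tick;                   /* 1 = seconds, 86400 = days  */
    unsigned bits;                              /* storage width, 2..62       */
    int is_signed;                              /* top bit used as a sign?    */
} counter_spec;

typedef struct { int64_t year, month, day, hour, minute, second; } civil_time;

/* From the thread: signed 32-bit count of seconds since 01 JAN 1970. */
static const counter_spec UNIX_SIGNED_32 = {1970, 1, 1, 1, 32, 1};
/* Constructed comparison cases (assumptions, not from the thread). */
static const counter_spec UNIX_UNSIGNED_32 = {1970, 1, 1, 1, 32, 0};
static const counter_spec DAYS_SINCE_1900_U16 = {1900, 1, 1, 86400, 16, 0};

/* Largest count the storage can hold. */
int64_t counter_max(const counter_spec *c) {
    unsigned value_bits = c->is_signed ? c->bits - 1 : c->bits;
    return ((int64_t)1 << value_bits) - 1;
}

/* What is physically stored one tick after counter_max(): the odometer wrap. */
int64_t counter_after_overflow(const counter_spec *c) {
    return c->is_signed ? -counter_max(c) - 1 : 0;
}

/* Days from 1970-01-01 to a proleptic Gregorian date (negative before 1970). */
static int64_t days_from_civil(int64_t y, int64_t m, int64_t d) {
    y -= (m <= 2);                               /* count years from 1 March */
    int64_t era = (y >= 0 ? y : y - 399) / 400;  /* 400-year cycle index     */
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Inverse of days_from_civil(): fills year, month and day of *t. */
static void civil_from_days(int64_t z, civil_time *t) {
    z += 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp = (5 * doy + 2) / 153;
    t->day = doy - (153 * mp + 2) / 5 + 1;
    t->month = mp < 10 ? mp + 3 : mp - 9;
    t->year = yoe + era * 400 + (t->month <= 2);
}

/* Interpret a stored count as a calendar date and time (UTC, no leap seconds).
 * The caller keeps ticks * seconds_per_tick within the int64_t range. */
civil_time counter_to_civil(const counter_spec *c, int64_t ticks) {
    int64_t secs = ticks * c->seconds_per_tick;
    int64_t days = secs / 86400, rem = secs % 86400;
    if (rem < 0) { rem += 86400; days -= 1; }  /* floor for pre-epoch counts */
    civil_time t;
    civil_from_days(days_from_civil(c->epoch_year, c->epoch_month,
                                    c->epoch_day) + days, &t);
    t.hour = rem / 3600;
    t.minute = rem % 3600 / 60;
    t.second = rem % 60;
    return t;
}

/* Print the last representable instant and what the wrapped value decodes to. */
static void report(const char *name, const counter_spec *c) {
    civil_time last = counter_to_civil(c, counter_max(c));
    civil_time wrap = counter_to_civil(c, counter_after_overflow(c));
    printf("%-22s last %04lld-%02lld-%02lld %02lld:%02lld:%02lld  "
           "after rollover %04lld-%02lld-%02lld %02lld:%02lld:%02lld\n", name,
           (long long)last.year, (long long)last.month, (long long)last.day,
           (long long)last.hour, (long long)last.minute, (long long)last.second,
           (long long)wrap.year, (long long)wrap.month, (long long)wrap.day,
           (long long)wrap.hour, (long long)wrap.minute, (long long)wrap.second);
}

int main(void) {
    report("signed 32-bit, 1970", &UNIX_SIGNED_32);
    report("unsigned 32-bit, 1970", &UNIX_UNSIGNED_32);
    report("16-bit days, 1900", &DAYS_SINCE_1900_U16);
    return 0;
}
```

The wrapped value is what the storage holds; whether software then shows a date in 1901, a date at the epoch, or an error depends on the layer that interprets the count.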

Deadly Ernest

Did you ever see a PC with the Y2K date problem in the BIOS? I've been working with PCs for over twenty years and have never seen one. In each case the BIOS gave me a date selection option for setting the date that went well into the 2000s, even in the 286s and 386s I worked on. I noticed your Google link and checked some of the sites, but I didn't spot one that said it was a DEFINITE problem, only a few that said it MAY be a problem. Now I wonder if anyone did see such an issue at all.

Deadly Ernest

systems. So all you need to do is have him upgrade the hardware to Pentium boxes or later 486 boxes and he's OK. Another answer is to reset the system clock to show an earlier date and just accept all dates in the system are out by that amount

deepsand

I'm ready for my massage.

santeewelding

Then, I realized that the medium is indeed the message. There is no longer any need for your musty tomes, bifocals, or page-turning. This is all so much easier. Don't you see, now, and agree?

deepsand

Bad news - He has a mission critical DOS application that brings NT kernel machines to their knees, and is therefore still running on several old Win 95/98 boxes. Good news - Given his financial condition, it's unlikely that his business will survive until then.

deepsand

Does it make any difference if the doctor examines your health records, and tells you that you don't need a particular inoculation, or, finds that you do and administers such?

Deadly Ernest

vulnerable to Y2K - apart from a few electrical goods like cheap video recorders they were all accounting programs. Not one significant management or control system had a bug that would have caused a problem on the day. The Y2K issue was solely a software issue where you had to perform calculations between two dates and the dates were only recorded in two digits. I'm waiting for year 2024 Problem to pop up, but I don't expect anything bad to come from it. That's the date when most 286 and 386 BIOS chips in the older computers can no longer calculate dates as they overflow the data field related to it. I don't expect too many of those systems to be in operation then. Y2K was NEVER a hardware issue but a limited software issue and most of the software in use didn't do cross date calculations, thus it wasn't an issue.

jkameleon

That was pure superstition. Alas, people's superstition is what pays the best, in IT as well as everywhere else. Magical thinking is something you can always count on.

deepsand

Management was in fact quite correct in taking steps to ensure that no calamity would befall the company. IT's responsibility was to execute that charge. That AS400s may not have been susceptible to the problem neither makes management wrong, nor your conclusion that all was hype, correct. The fact remains that many platforms and applications were indeed vulnerable. That so many heeded the warnings of such, took steps to determine their own particular level of vulnerability, and remediate where necessary, was precisely what any reasonably prudent person would do. To claim, after the fact, since nothing terrible happened, the warnings were false, is utterly irrational. Nothing happened because the warnings were heeded!

jkameleon

Our main production machine was AS400 (regularly patched & maintained by IBM) back then. Desktop PCs (regularly patched by little old us) performed only non-critical functions. Management, semi-educated as it is, insisted on making system y2k proof. Expensive consultant and fancy stickers were only a show, whose sole purpose was to make management FEEL safe. A standard security practice, because of which viruses, worms, and botnets will thrive forever, and hacking will always be possible. The whole IT department knew our y2k exercise is BS. We responded professionally, the way NASA engineers did: Write that memo, and let it crash.

deepsand

And, there were plenty of 3rd party applications that would have gone bang in the night had they not been patched. BTW, the underlying issue for many platforms was the BIOS clock, not in the OS itself. And, no, a lot of "semi-educated" people do not know that.

Dumphrey

that you were using large mainframes running older Unix? 1960's and 1970's era boxes like very large banks and government agencies used? Because it was never an issue on the desktop computer market. As any semi-educated person could tell you. Would hate to think you all hired a consultant to double check the MS "patches" to their date/time functions.

jkameleon

My company hired a consultant, who equipped every computer with a fancy "Y2K ready" sticker. Our security policy prevented him from making any other changes. Y2k came and went without consequences, probably because there were some really cool holograms on those stickers, which made us feel safe.

deepsand

owing to preemptive IT's actions, not because of the absence of potential danger. You also obviously didn't have any contact with those who suffered the consequences of doing nothing.

deepsand

From the NY Times series entitled "Cyberwar":

deepsand

June 28, 2009

U.S. and Russia Differ on a Treaty for Cyberspace

By JOHN MARKOFF and ANDREW E. KRAMER

The United States and Russia are locked in a fundamental dispute over how to counter the growing threat of cyberwar attacks that could wreak havoc on computer systems and the Internet. Both nations agree that cyberspace is an emerging battleground. The two sides are expected to address the subject when President Obama visits Russia next week and at the General Assembly of the United Nations in November, according to a senior State Department official. But there the agreement ends. Russia favors an international treaty along the lines of those negotiated for chemical weapons and has pushed for that approach at a series of meetings this year and in public statements by a high-ranking official. The United States argues that a treaty is unnecessary. It instead advocates improved cooperation among international law enforcement groups. If these groups cooperate to make cyberspace more secure against criminal intrusions, their work will also make cyberspace more secure against military campaigns, American officials say. "We really believe it's defense, defense, defense," said the State Department official, who asked not to be identified because authorization had not been given to speak on the record. "They want to constrain offense. We needed to be able to criminalize these horrible 50,000 attacks we were getting a day." Any agreement on cyberspace presents special difficulties because the matter touches on issues like censorship of the Internet, sovereignty and rogue actors who might not be subject to a treaty. United States officials say the disagreement over approach has hindered international law enforcement cooperation, particularly given that a significant proportion of the attacks against American government targets are coming from China and Russia.

And from the Russian perspective, the absence of a treaty is permitting a kind of arms race with potentially dangerous consequences. Officials around the world recognize the need to deal with the growing threat of cyberwar. Many countries, including the United States, are developing weapons for it, like "logic bombs" that can be hidden in computers to halt them at crucial times or damage circuitry; "botnets" that can disable or spy on Web sites and networks; or microwave radiation devices that can burn out computer circuits miles away. The Pentagon is planning to create a military command to prepare for both defense and offensive computer warfare. And last month, President Obama released his cybersecurity strategy and said he would appoint a "cybersecurity coordinator" to lead efforts to protect government computers, the air traffic control system and other essential systems. The administration also emphasizes the benefits of building international cooperation. The Russian and American approaches - a treaty and a law enforcement agreement - are not necessarily incompatible. But they represent different philosophical approaches. In a speech on March 18, Vladislav P. Sherstyuk, a deputy secretary of the Russian Security Council, a powerful body advising the president on national security, laid out what he described as Russia's bedrock positions on disarmament in cyberspace. Russia's proposed treaty would ban a country from secretly embedding malicious codes or circuitry that could be later activated from afar in the event of war. Other Russian proposals include the application of humanitarian laws banning attacks on noncombatants and a ban on deception in operations in cyberspace - an attempt to deal with the challenge of anonymous attacks. The Russians have also called for broader international government oversight of the Internet.

But American officials are particularly resistant to agreements that would allow governments to censor the Internet, saying they would provide cover for totalitarian regimes. These officials also worry that a treaty would be ineffective because it can be almost impossible to determine if an Internet attack originated from a government, a hacker loyal to that government, or a rogue acting independently. The unique challenge of cyberspace is that governments can carry out deceptive attacks to which they cannot be linked, said Herbert Lin, director of a study by the National Research Council, a private, nonprofit organization, on the development of cyberweapons. This challenge became apparent in 2001, after a Navy P-3 surveillance plane collided with a Chinese fighter plane, said Linton Wells II, a former high-ranking Pentagon official who now teaches at the National Defense University. The collision was followed by a huge increase in attacks on United States government computer targets from sources that could not be identified, he said. Similarly, after computer attacks in Estonia in April 2007 and in the nation of Georgia last August, the Russian government denied involvement and independent observers said the attacks could have been carried out by nationalist sympathizers or by criminal gangs. The United States is trying to improve cybersecurity by building relationships among international law enforcement agencies. State Department officials hold out as a model the Council of Europe Convention on Cybercrime, which took effect in 2004 and has been signed by 22 nations, including the United States but not Russia or China. But Russia objects that the European convention on cybercrime allows the police to open an investigation of suspected online crime originating in another country without first informing local authorities, infringing on traditional ideas of sovereignty.

Vladimir V. Sokolov, deputy director of the Institute for Information Security Issues, a policy organization, noted that Russian authorities routinely cooperated with foreign police organizations when they were approached. This is not the first time the issue of arms control for cyberspace has been raised. In 1996, at the dawn of commercial cyberspace, American and Russian military delegations met secretly in Moscow to discuss the subject. The American delegation was led by an academic military strategist, and the Russian delegation by a four-star admiral. No agreement emerged from the meeting, which has not previously been reported. Later, the Russian government repeatedly introduced resolutions calling for cyberspace disarmament treaties before the United Nations. The United States consistently opposed the idea. In late April, Russian military representatives indicated an interest in renewed negotiations at a Russian-sponsored meeting on computer security in Garmisch, Germany. John Arquilla, an expert in military strategy at the Naval Postgraduate School in Monterey, Calif., who led the American delegation at the 1996 talks, said he had received almost no interest from within the American military after those initial meetings. "It was a great opportunity lost," he said. Unlike American officials who favor tightening law enforcement relationships, Mr. Arquilla continues to believe in cyberspace weapons negotiations, he said. He noted that the treaties on chemical weapons had persuaded many nations not to make or stockpile such weapons. The United States and China have not held high-level talks on cyberwar issues, specialists say. But there is some evidence that the Chinese are being courted by Russia for support of an arms control treaty for cyberspace.

"China has consistently attached extreme importance to matters of information security, and has always actively supported and participated in efforts by the international community dedicated to maintaining Internet safety and cracking down on criminal cyber-activity," Qin Gang, spokesman for the Foreign Ministry, said in a statement. Whether the American or Russian approach prevails, arms control experts said, major governments are reaching a point of no return in heading off a cyberwar arms race.

John Markoff reported from New York, and Andrew E. Kramer from Moscow. Edward Wong and Xiyun Yang contributed reporting from Beijing.

Copyright 2009 The New York Times Company

deepsand

June 13, 2009

Cyberwar

Privacy May Be a Victim in Cyberdefense Plan

By THOM SHANKER and DAVID E. SANGER

WASHINGTON - A plan to create a new Pentagon cybercommand is raising significant privacy and diplomatic concerns, as the Obama administration moves ahead on efforts to protect the nation from cyberattack and to prepare for possible offensive operations against adversaries' computer networks. President Obama has said that the new cyberdefense strategy he unveiled last month will provide protections for personal privacy and civil liberties. But senior Pentagon and military officials say that Mr. Obama's assurances may be challenging to guarantee in practice, particularly in trying to monitor the thousands of daily attacks on security systems in the United States that have set off a race to develop better cyberweapons. Much of the new military command's work is expected to be carried out by the National Security Agency, whose role in intercepting the domestic end of international calls and e-mail messages after the Sept. 11, 2001, attacks, under secret orders issued by the Bush administration, has already generated intense controversy. There is simply no way, the officials say, to effectively conduct computer operations without entering networks inside the United States, where the military is prohibited from operating, or traveling electronic paths through countries that are not themselves American targets. The cybersecurity effort, Mr. Obama said at the White House last month, "will not - I repeat, will not - include monitoring private sector networks or Internet traffic." But foreign adversaries often mount their attacks through computer network hubs inside the United States, and military officials and outside experts say that threat confronts the Pentagon and the administration with difficult questions.

Military officials say there may be a need to intercept and examine some e-mail messages sent from other countries to guard against computer viruses or potential terrorist action. Advocates say the process could ultimately be accepted as the digital equivalent of customs inspections, in which passengers arriving from overseas consent to have their luggage opened for security, tax and health reasons. "The government is in a quandary," said Maren Leed, a defense expert at the bipartisan Center for Strategic and International Studies who was a Pentagon special assistant on cyberoperations from 2005 to 2008. Ms. Leed said a broad debate was needed "about what constitutes an intrusion that violates privacy and, at the other extreme, what is an intrusion that may be acceptable in the face of an act of war." In a recent speech, Gen. James E. Cartwright, vice chairman of the Joint Chiefs of Staff and a chief architect of the new cyberstrategy, acknowledged that a major unresolved issue was how the military - which would include the National Security Agency, where much of the cyberwar expertise resides - could legally set up an early warning system. Unlike a missile attack, which would show up on the Pentagon's screens long before reaching American territory, a cyberattack may be visible only after it has been launched in the United States. "How do you understand sovereignty in the cyberdomain?" General Cartwright asked. "It doesn't tend to pay a lot of attention to geographic boundaries." For example, the daily attacks on the Pentagon's own computer systems, or probes sent from Russia, China and Eastern Europe seeking chinks in the computer systems of corporations and financial institutions, are rarely seen before their effect is felt inside the United States.

Some administration officials have begun to discuss whether laws or regulations must be changed to allow law enforcement, the military or intelligence agencies greater access to networks or Internet providers when significant evidence of a national security threat was found. Ms. Leed said that while the Defense Department and related intelligence agencies were the only organizations that had the ability to protect against such cyberattacks, "they are not the best suited, from a civil liberties perspective, to take on that responsibility." Under plans being completed at the Pentagon, the new cybercommand will be run by a four-star general, much the way Gen. David H. Petraeus runs the wars in Afghanistan and Iraq from Central Command in Tampa, Fla. But the expectation is that whoever is in charge of the new command will also direct the National Security Agency, an effort to solve the turf war between the spy agency and the military over who is in charge of conducting offensive operations. While the N.S.A.'s job is chiefly one of detection and monitoring, the agency also possesses what Michael D. McConnell, the former director of national intelligence, called "the critical skill set" to respond quickly to cyberattacks. Yet the Defense Department views cyberspace as its domain as well, a new battleground after land, sea, air and space. The complications are not limited to privacy concerns. The Pentagon is increasingly worried about the diplomatic ramifications of being forced to use the computer networks of many other nations while carrying out digital missions - the computer equivalent of the Vietnam War's spilling over the Cambodian border in the 1960s. To battle Russian hackers, for example, it might be necessary to act through the virtual cyberterritory of Britain or Germany or any country where the attack was routed.

General Cartwright said military planners were trying to write rules of engagement for scenarios in which a cyberattack was launched from a neutral country that might have no idea what was going on. But, with time of the essence, it may not be possible, the scenarios show, to ask other nations to act against an attack that is flowing through their computers in milliseconds. "If I pass through your country, do I have to talk to the ambassador?" General Cartwright said. "It is very difficult. Those are the questions that are now really starting to emerge vis-à-vis cyber." Frida Berrigan, a longtime peace activist who is a senior program associate at the New America Foundation's arms and security initiative, expressed concerns about whether the Obama administration would be able to balance its promise to respect privacy in cyberspace even as it appeared to be militarizing cybersecurity. "Obama was very deliberate in saying that the U.S. military and the U.S. government would not be looking at our e-mail and not tracking what we do online," Ms. Berrigan said. "This is not to say there is not a cyberthreat out there or that cyberterrorism is not a significant concern. We should be vigilant and creative. But once again we see the Pentagon being put at the heart of it and at front lines of offering a solution." Ms. Berrigan said that just as the counterinsurgency wars in Iraq and Afghanistan had proved that "there is no front line anymore, and no demilitarized zone anymore, then if the Pentagon and the military services see cyberspace as a battlefield domain, then the lines protecting privacy and our civil liberties get blurred very, very quickly."

Copyright 2009 The New York Times Company.

deepsand

May 31, 2009

Cyberwar

Contractors Vie for Plum Work, Hacking for the United States

By CHRISTOPHER DREW and JOHN MARKOFF

MELBOURNE, Fla. The government's urgent push into cyberwarfare has set off a rush among the biggest military companies for billions of dollars in new defense contracts. The exotic nature of the work, coupled with the deep recession, is enabling the companies to attract top young talent that once would have gone to Silicon Valley. And the race to develop weapons that defend against, or initiate, computer attacks has given rise to thousands of "hacker soldiers" within the Pentagon who can blend the new capabilities into the nation's war planning. Nearly all of the largest military companies - including Northrop Grumman, General Dynamics, Lockheed Martin and Raytheon - have major cyber contracts with the military and intelligence agencies. The companies have been moving quickly to lock up the relatively small number of experts with the training and creativity to block the attacks and design countermeasures. They have been buying smaller firms, financing academic research and running advertisements for "cyberninjas" at a time when other industries are shedding workers. The changes are manifesting themselves in highly classified laboratories, where computer geeks in their 20s like to joke that they are hackers with security clearances. At a Raytheon facility here south of the Kennedy Space Center, a hub of innovation in an earlier era, rock music blares and empty cans of Mountain Dew pile up as engineers create tools to protect the Pentagon's computers and crack into the networks of countries that could become adversaries. Prizes like cappuccino machines and stacks of cash spur them on, and a gong heralds each major breakthrough. The young engineers represent the new face of a war that President Obama described Friday as "one of the most serious economic and national security challenges we face as a nation."

The president said he would appoint a senior White House official to oversee the nation's cybersecurity strategies. Computer experts say the government is behind the curve in sealing off its networks from threats that are growing more persistent and sophisticated, with thousands of intrusions each day from organized criminals and legions of hackers for nations including Russia and China. "Everybody's attacking everybody," said Scott Chase, a 30-year-old computer engineer who helps run the Raytheon unit here. Mr. Chase, who wears his hair in a ponytail, and Terry Gillette, a 53-year-old former rocket engineer, ran SI Government Solutions before selling the company to Raytheon last year as the boom in the military's cyberoperations accelerated. The operation - tucked into several unmarked buildings behind an insurance office and a dentist's office - is doing some of the most cutting-edge work, both in identifying weaknesses in Pentagon networks and in creating weapons for potential attacks. Daniel D. Allen, who oversees work on intelligence systems for Northrop Grumman, estimated that federal spending on computer security now totals $10 billion each year, including classified programs. That is just a fraction of the government's spending on weapons systems. But industry officials expect it to rise rapidly. The military contractors are now in the enviable position of turning what they learned out of necessity - protecting the sensitive Pentagon data that sits on their own computers - into a lucrative business that could replace some of the revenue lost from cancellations of conventional weapons systems. Executives at Lockheed Martin, which has long been the government's largest information-technology contractor, also see the demand for greater computer security spreading to energy and health care agencies and the rest of the nation's critical infrastructure.

But for now, most companies remain focused on the national-security arena, where the hottest efforts involve anticipating how an enemy might attack and developing the resources to strike back. Though even the existence of research on cyberweapons was once highly classified, the Air Force plans this year to award the first publicly announced contract for developing tools to break into enemy computers. The companies are also teaming up to build a National Cyber Range, a model of the Internet for testing advanced techniques. Military experts said Northrop Grumman and General Dynamics, which have long been major players in the Pentagon's security efforts, are leading the push into offensive cyberwarfare, along with the Raytheon unit. This involves finding vulnerabilities in other countries' computer systems and developing software tools to exploit them, either to steal sensitive information or disable the networks. Mr. Chase and Mr. Gillette said the Raytheon unit, which has about 100 employees, grew out of a company they started with friends at Florida Institute of Technology that concentrated on helping software makers find flaws in their own products. Over the last several years, their focus shifted to the military and intelligence agencies, which wanted to use their analytic tools to detect vulnerabilities and intrusions previously unnoticed. Like other contractors, the Raytheon teams set up "honey pots," the equivalent of sting operations, to lure hackers into digital cul-de-sacs that mimic Pentagon Web sites. They then capture the attackers' codes and create defenses for them. And since most of the world's computers run on the Windows or the Linux systems, their work has also provided a growing window into how to attack foreign networks in any cyberwar. "It takes a nonconformist to excel at what we do," said Mr. Gillette, a tanned surfing aficionado who looks like a 1950s hipster in his T-shirts with rolled-up sleeves.

The company, which would allow interviews with other employees only on the condition that their last names not be used because of security concerns, hired one of its top young workers, Dustin, after he won two major hacking contests and dropped out of college. "I always approach it like a game, and it's been fun," said Dustin, now 22. Another engineer, known as Jolly, joined Raytheon in April after earning a master's degree in computer security at DePaul University in Chicago. "You think defense contractors, and you think bureaucracy, and not necessarily a lot of interesting and challenging projects," he said. The Pentagon's interest in cyberwarfare has reached "religious intensity," said Daniel T. Kuehl, a military historian at the National Defense University. And the changes carry through to soldiers being trained to defend and attack computer and wireless networks out on the battlefield. That shift can be seen in the remaking of organizations like the Association of Old Crows, a professional group that includes contractors and military personnel. The Old Crows have deep roots in what has long been known as electronic warfare - the use of radar and radio technologies for jamming and deception. But the financing for electronic warfare had slowed recently, prompting the Old Crows to set up a broader information-operations branch last year and establish a new trade journal to focus on cyberwarfare. The career of Joel Harding, the director of the group's Information Operations Institute, exemplifies the increasing role that computing and the Internet are playing in the military. A 20-year veteran of military intelligence, Mr. Harding shifted in 1996 into one of the earliest commands that studied government-sponsored computer hacker programs. After leaving the military, he took a job as an analyst at SAIC, a large contractor developing computer applications for military and intelligence agencies.

Mr. Harding estimates that there are now 3,000 to 5,000 information operations specialists in the military and 50,000 to 70,000 soldiers involved in general computer operations. Adding specialists in electronic warfare, deception and other areas could bring the total number of information operations personnel to as many as 88,700, he said.

Copyright 2009 The New York Times Company

deepsand

May 29, 2009
Pentagon Plans New Arm to Wage Cyberspace Wars
By DAVID E. SANGER and THOM SHANKER

WASHINGTON The Pentagon plans to create a new military command for cyberspace, administration officials said Thursday, stepping up preparations by the armed forces to conduct both offensive and defensive computer warfare. The military command would complement a civilian effort to be announced by President Obama on Friday that would overhaul the way the United States safeguards its computer networks. Mr. Obama, officials said, will announce the creation of a White House office - reporting to both the National Security Council and the National Economic Council - that will coordinate a multibillion-dollar effort to restrict access to government computers and protect systems that run the stock exchanges, clear global banking transactions and manage the air traffic control system. White House officials say Mr. Obama has not yet been formally presented with the Pentagon plan. They said he would not discuss it Friday when he announced the creation of a White House office responsible for coordinating private-sector and government defenses against the thousands of cyberattacks mounted against the United States - largely by hackers but sometimes by foreign governments - every day. But he is expected to sign a classified order in coming weeks that will create the military cybercommand, officials said. It is a recognition that the United States already has a growing number of computer weapons in its arsenal and must prepare strategies for their use - as a deterrent or alongside conventional weapons - in a wide variety of possible future conflicts. The White House office will be run by a "cyberczar," but because the position will not have direct access to the president, some experts said it was not high-level enough to end a series of bureaucratic wars that have broken out as billions of dollars have suddenly been allocated to protect against the computer threats.
The main dispute has been over whether the Pentagon or the National Security Agency should take the lead in preparing for and fighting cyberbattles. Under one proposal still being debated, parts of the N.S.A. would be integrated into the military command so they could operate jointly. Officials said that in addition to the unclassified strategy paper to be released by Mr. Obama on Friday, a classified set of presidential directives is expected to lay out the military's new responsibilities and how it coordinates its mission with that of the N.S.A., where most of the expertise on digital warfare resides today. The decision to create a cybercommand is a major step beyond the actions taken by the Bush administration, which authorized several computer-based attacks but never resolved the question of how the government would prepare for a new era of warfare fought over digital networks. It is still unclear whether the military's new command or the N.S.A. - or both - will actually conduct this new kind of offensive cyberoperations. The White House has never said whether Mr. Obama embraces the idea that the United States should use cyberweapons, and the public announcement on Friday is expected to focus solely on defensive steps and the government's acknowledgment that it needs to be better organized to face the threat from foes attacking military, government and commercial online systems. Defense Secretary Robert M. Gates has pushed for the Pentagon to become better organized to address the security threat. Initially at least, the new command would focus on organizing the various components and capabilities now scattered across the four armed services. Officials declined to describe potential offensive operations, but said they now viewed cyberspace as comparable to more traditional battlefields. "We are not comfortable discussing the question of offensive cyberoperations, but we consider cyberspace a war-fighting domain," said Bryan Whitman, a Pentagon spokesman.
"We need to be able to operate within that domain just like on any battlefield, which includes protecting our freedom of movement and preserving our capability to perform in that environment." Although Pentagon civilian officials and military officers said the new command was expected to initially be a subordinate headquarters under the military's Strategic Command, which controls nuclear operations as well as cyberdefenses, it could eventually become an independent command. "No decision has been made," said Lt. Col. Eric Butterbaugh, a Pentagon spokesman. "Just as the White House has completed its 60-day review of cyberspace policy, likewise, we are looking at how the department can best organize itself to fill our role in implementing the administration's cyberpolicy." The creation of the cyberczar's office inside the White House appears to be part of a significant expansion of the role of the national security apparatus there. A separate group overseeing domestic security, created by President George W. Bush after the Sept. 11 attacks, now resides within the National Security Council. A senior White House official responsible for countering the proliferation of nuclear and unconventional weapons has been given broader authority. Now, cybersecurity will also rank as one of the key threats that Mr. Obama is seeking to coordinate from the White House. The strategy review Mr. Obama will discuss on Friday was completed weeks ago, but delayed because of continuing arguments over the authority of the White House office, and the budgets for the entire effort. It was kept separate from the military debate over whether the Pentagon or the N.S.A. is best equipped to engage in offensive operations. Part of that debate hinges on the question of how much control should be given to American spy agencies, since they are prohibited from acting on American soil. "It's the domestic spying problem writ large," one senior intelligence official said recently.
"These attacks start in other countries, but they know no borders. So how do you fight them if you can't act both inside and outside the United States?" John Markoff contributed reporting from San Francisco. Copyright 2009 The New York Times Company

deepsand

May 11, 2009
Cyberwar Cadets Trade the Trenches for Firewalls
By COREY KILGANNON and NOAM COHEN

WEST POINT, N.Y. - The Army forces were under attack. Communications were down, and the chain of command was broken. Pacing a makeshift bunker whose entrance was camouflaged with netting, the young man in battle fatigues barked at his comrades: "They are flooding the e-mail server. Block it. I'll take the heat for it." These are the war games at West Point, at least last month, when a team of cadets spent four days struggling around the clock to establish a computer network and keep it operating while hackers from the National Security Agency in Maryland tried to infiltrate it with methods that an enemy might use. The N.S.A. made the cadets' task more difficult by planting viruses on some of the equipment, just as real-world hackers have done on millions of computers around the world. The competition was a final exam of sorts for a senior elective class. The cadets, who were computer science and information technology majors, competed against teams from the Navy, Air Force, Coast Guard and Merchant Marine as well as the Naval Postgraduate Academy and the Air Force Institute of Technology. Each team was judged on how well it subdued the threats from the N.S.A. The cyberwar games at West Point are just one example of a heightened awareness across the military that it must treat the threat of a computer attack as seriously as it does an attack carried out by a bomber or combat brigade. There is hardly an American military unit or headquarters that has not been ordered to analyze the risk of cyberattacks to its mission - and to train to counter them. If the hackers were to succeed, they could change information on the network and cripple Internet communications.
In the desert outside Las Vegas, in a series of inconspicuous trailers, some of the most highly motivated hackers in the United States spend their days and nights probing the military's vast computer networks for weaknesses to exploit. These hackers - many of whom got their start as teenagers devoted to computer screens in their basements - have access to the latest in attack software. Some of it was developed by cryptologists at the N.S.A., the nation's largest intelligence agency, where most of the government's talent for breaking and making computer codes resides. The hackers have an official name - the 57th Information Aggressor Squadron - and a real home, Nellis Air Force Base. The Army last year created its own destination for computer experts, the Network Warfare Battalion, where many of the cadets in the cyberwar games hope to be assigned. But even so, the ranks are still small. The Defense Department today graduates only 80 students a year from its cyberwar schools, causing Defense Secretary Robert M. Gates to complain that the Pentagon is "desperately short of people who have capabilities in this area in all the services, and we have to address it." Under current Pentagon budget proposals, the number of students cycled through the schools will be quadrupled in the next two years. Part of the Pentagon's effort to increase the military's capabilities are the annual cyberwar games played at the nation's military academies, including West Point, where young cadets in combat boots and buzz cuts talk megabytes instead of megatons on a campus dotted with statues of generals, historic armaments and old stone buildings. While the Pentagon has embraced the need for offensive cyberwarfare, there were no offensive maneuvers in the games last month, said Col. Joe Adams, who teaches Information Assurance and stood at the head of the classroom during the April exercise.
Cadet Joshua Ewing said he and his fellow Blue Team members "learn all the techniques that a hacker would do, and we try to beat a hacker." These strategies are not just theoretical. Most of these cadets will soon be sent to Afghanistan to carry out such work, Cadet Ewing said. When the military deploys in a combat zone or during a domestic emergency, establishing a secure Internet connection is an early priority. To keep things humming, the military's experts must fend off the ordinary chaos of the Internet as well as attacks devised to disable the communications system, like flooding e-mail servers with so many junk messages that they collapse. Underscoring how seriously the cadets were taking the April games, the sign above the darkened entranceway in Thayer Hall read "Information Warfare Live Fire Range" and the area was draped with camouflage netting. One group had to retrieve crucial information from a partly erased hard drive. One common method of hiding text, said Cadet Sean Storey, is to embed it in digital photographs; he had managed to find secret documents hidden this way. He was seeking a password needed to read encrypted e-mail he had located on the hard drive. Other cadets worked in tandem, as if plugging a leaky dam, to keep the entire system working as the N.S.A. hackers attacked the engine that runs a crucial database as well as the e-mail server. They shouted out various Internet addresses to inspect - and usually block - after getting clearance from referees. And there was that awkward moment when the cadet in charge, Salvatore Messina, had to act without clearance because the attack was so severe he couldn't even send an e-mail message. The cadets in this room do get their share of ribbing. But one cadet, Derek Taylor, said today's soldiers recognize that technological expertise can be as vital as brute force in saving lives. West Point takes the competition seriously.
The cadets who helped install and secure the operating system spent a week setting it up. The dean gives a pep talk; professors bring food. Brian McCord, part of the team that installed the operating system, said he was chosen because his senior project was deeply reliant on Linux. The West Point team used this open-source operating system, freely available on the Internet, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems. "It seems weird for the Army with its large contracts to be using Linux, but it's very cheap and very customizable," Cadet McCord said. It is also much easier to secure because "you can tweak it for everything you need" and there are not as many known ways to attack it, he said. West Point emerged victorious in the games last month. That means the academy, which has won five of the last nine competitions, can keep the Director's Cup trophy, which is displayed near a German Enigma encoding machine from World War II. Cracking the Enigma code helped the Allies win the war, and the machine is a stark reminder of the pivotal role of technology in warfare. Thom Shanker contributed reporting from Washington. Copyright 2009 The New York Times Company

deepsand

May 1, 2009
Cyberwar Iranians and Others Outwit Net Censors
By JOHN MARKOFF

The Iranian government, more than almost any other, censors what citizens can read online, using elaborate technology to block millions of Web sites offering news, commentary, videos, music and, until recently, Facebook and YouTube. Search for "women" in Persian and you're told, "Dear Subscriber, access to this site is not possible." Last July, on popular sites that offer free downloads of various software, an escape hatch appeared. The computer program allowed Iranian Internet users to evade government censorship. College students discovered the key first, then spread it through e-mail messages and file-sharing. By late autumn more than 400,000 Iranians were surfing the uncensored Web. The software was created not by Iranians, but by Chinese computer experts volunteering for the Falun Gong, a spiritual movement that has been suppressed by the Chinese government since 1999. They maintain a series of computers in data centers around the world to route Web users' requests around censors' firewalls. The Internet is no longer just an essential channel for commerce, entertainment and information. It has also become a stage for state control - and rebellion against it. Computers are becoming more crucial in global conflicts, not only in spying and military action, but also in determining what information reaches people around the globe. More than 20 countries now use increasingly sophisticated blocking and filtering systems for Internet content, according to Reporters Without Borders, a Paris-based group that encourages freedom of the press. Although the most aggressive filtering systems have been erected by authoritarian governments like those in Iran, China, Pakistan, Saudi Arabia and Syria, some Western democracies are also beginning to filter some content, including child pornography and other sexually oriented material.
In response, a disparate alliance of political and religious activists, civil libertarians, Internet entrepreneurs, diplomats and even military officers and intelligence agents are now challenging growing Internet censorship. The creators of the software seized upon by Iranians are members of the Global Internet Freedom Consortium, based largely in the United States and closely affiliated with Falun Gong. The consortium is one of many small groups developing systems to make it possible for anyone to reach the open Internet. It is the modern equivalent of efforts by organizations like the Voice of America to reach the citizens of closed countries. Separately, the Tor Project, a nonprofit group of anticensorship activists, freely offers software that can be used to send messages secretly or to reach blocked Web sites. Its software, first developed at the United States Naval Research Laboratories, is now used by more than 300,000 people globally, from the police to criminals, as well as diplomats and spies. Political scientists at the University of Toronto have built yet another system, called Psiphon, that allows anyone to evade national Internet firewalls using only a Web browser. Sensing a business opportunity, they have created a company to profit by making it possible for media companies to deliver digital content to Web users behind national firewalls. The danger in this quiet electronic war is driven home by a stark warning on the group's Web site: "Bypassing censorship may violate law. Serious thought should be given to the risks involved and potential consequences." In this cat-and-mouse game, the cat is fighting back. The Chinese system, which opponents call the Great Firewall of China, is built in part with Western technologies.
A study published in February by Rebecca MacKinnon, who teaches journalism at the University of Hong Kong, determined that much blog censorship is performed not by the government but by private Internet service providers, including companies like Yahoo China, Microsoft and MySpace. One-third to more than half of all postings made to three Chinese Internet service providers were not published or were censored, she reported. When the Falun Gong tried to support its service with advertising several years ago, American companies backed out under pressure from the Chinese government, members said. In addition, the Chinese government now employs more than 40,000 people as censors at dozens of regional centers, and hundreds of thousands of students are paid to flood the Internet with government messages and crowd out dissenters. This is not to say that China blocks access to most Internet sites; most of the material on the global Internet is available to Chinese without censorship. The government's censors mostly censor groups deemed to be state enemies, like the Falun Gong, making it harder for them to reach potential members. Blocking such groups has become more insidious as Internet filtering technology has grown more sophisticated. As with George Orwell's "Newspeak," the language in "1984" that got smaller each year, governments can block particular words or phrases without users realizing their Internet searches are being censored. Those who back the ragtag opponents of censorship criticize the government-run systems as the digital equivalent of the Berlin Wall. They also see the anticensorship efforts as a powerful political lever. "What is our leverage toward a country like Iran? Very little," said Michael Horowitz, a fellow at the Hudson Institute who advises the Global Internet Freedom Consortium.
"Suppose we have the capacity to make it possible for the president of the United States at will to communicate with hundreds of thousands of Iranians at no risk or limited risk? It just changes the world." The United States government and the Voice of America have financed some circumvention technology efforts. But until now the Falun Gong has devoted the most resources, experts said, erecting a system that allows the largest number of Internet users open, uncensored access. Each week, Chinese Internet users receive 10 million e-mail messages and 70 million instant messages from the consortium. But unlike spam that takes you to Nigerian banking scams or offers deals on drugs like Viagra, these messages offer software to bypass the elaborate government system that blocks access to the Web sites of opposition groups like the Falun Gong. Shiyu Zhou, a computer scientist, is a founder of the Falun Gong's consortium. His cyber-war with China began in Tiananmen Square in 1989. A college student and the son of a former general in the intelligence section of the People's Liberation Army, he said he first understood the power of government-controlled media when overnight the nation's student protesters were transformed from heroes to killers. "I was so disappointed," he said. "People believed the government, they didn't believe us." He decided to leave China and study computer science in graduate school in the United States. In the late 1990s he turned to the study of Falun Gong and then joined with a small group of technically sophisticated members of the spiritual group intent on transmitting millions of e-mail messages to Chinese. Both he and Peter Yuan Li, another early consortium volunteer, had attended Tsinghua University - China's Massachusetts Institute of Technology. Mr. Li, the son of farmers, also came to the United States to study computer science, then joined Bell Laboratories before becoming a full-time volunteer.
The risks of building circumvention tools became clear in April 2006 when, Mr. Li later told law enforcement officials, four men invaded his home in suburban Atlanta, covered his head, beat him, searched his files and stole two laptop computers. The F.B.I. has made no arrests in the case and declined to comment. But Mr. Li thinks China sent the invaders. Early on, the group of dissidents here had some financial backing from the International Broadcasting Bureau of the Voice of America for sending e-mail messages, but the group insists that most of its effort has been based on volunteer labor and contributions. The consortium's circumvention system works this way: Government censorship systems like the Great Firewall can block access to certain Internet Protocol addresses. The equivalent of phone numbers, these addresses are quartets of numbers like 209.85.171.100 that identify a Web site, in this case, google.com. By clicking on a link provided in the consortium's e-mail message, someone in China or Iran trying to reach a forbidden Web site can download software that connects to a computer abroad that then redirects the request to the site's forbidden address. The technique works like a basketball bank shot - with the remote computer as the backboard and the desired Web site as the basket. But government systems hunt for and then shut off such alternative routes using a variety of increasingly sophisticated techniques. So the software keeps changing the Internet address of the remote computer - more than once a second. By the time the censors identify an address, the system has already changed it. China acknowledges that it monitors content on the Internet, but claims to have an agenda much like that of any other country: policing for harmful material, pornography, treasonous propaganda, criminal activity, fraud. The government says Falun Gong is a dangerous cult that has ruined the lives of thousands of people.
Hoping to step up its circumvention efforts, the Falun Gong last year organized extensive lobbying in Congress, which approved $15 million for circumvention services. But the money was awarded not to the Falun Gong consortium but to Internews, an international organization that supports local media groups. This year, a broader coalition is organizing to push for more Congressional financing of anti-filtering efforts. Negotiations are under way to bring together dissidents of Vietnam, Iran, the Uighur minority of China, Tibet, Myanmar, Cuba, Cambodia, Laos, as well as the Falun Gong, to lobby Congress for the financing. Mr. Horowitz argues that $25 million could expand peak usage to as many as 45 million daily Internet users, allowing the systems to reach as many as 10 percent of the Web users in both China and Iran. Mr. Zhou says his group's financing is money well spent. "The entire battle over the Internet has boiled down to a battle over resources," he said. "For every dollar we spend, China has to spend a hundred, maybe hundreds of dollars." As for the Falun Gong software, it proved a little too popular among Iranians. By the end of last year the consortium's computers were overwhelmed. On Jan. 1, the consortium had to do some blocking of its own: It shut down the service for all countries except China. Copyright 2009 The New York Times Company

deepsand

April 28, 2009
Cyberwar U.S. Steps Up Effort on Digital Defenses
By DAVID E. SANGER, JOHN MARKOFF and THOM SHANKER
This article was reported by David E. Sanger, John Markoff and Thom Shanker and written by Mr. Sanger.

When American forces in Iraq wanted to lure members of Al Qaeda into a trap, they hacked into one of the group's computers and altered information that drove them into American gun sights. When President George W. Bush ordered new ways to slow Iran's progress toward a nuclear bomb last year, he approved a plan for an experimental covert program - its results still unclear - to bore into their computers and undermine the project. And the Pentagon has commissioned military contractors to develop a highly classified replica of the Internet of the future. The goal is to simulate what it would take for adversaries to shut down the country's power stations, telecommunications and aviation systems, or freeze the financial markets - in an effort to build better defenses against such attacks, as well as a new generation of online weapons. Just as the invention of the atomic bomb changed warfare and deterrence 64 years ago, a new international race has begun to develop cyberweapons and systems to protect against them. Thousands of daily attacks on federal and private computer systems in the United States - many from China and Russia, some malicious and some testing chinks in the patchwork of American firewalls - have prompted the Obama administration to review American strategy. President Obama is expected to propose a far larger defensive effort in coming days, including an expansion of the $17 billion, five-year program that Congress approved last year, the appointment of a White House official to coordinate the effort, and an end to a running bureaucratic battle over who is responsible for defending against cyberattacks. But Mr.
Obama is expected to say little or nothing about the nation's offensive capabilities, on which the military and the nation's intelligence agencies have been spending billions. In interviews over the past several months, a range of military and intelligence officials, as well as outside experts, have described a huge increase in the sophistication of American cyberwarfare capabilities. Because so many aspects of the American effort to develop cyberweapons and define their proper use remain classified, many of those officials declined to speak on the record. The White House declined several requests for interviews or to say whether Mr. Obama as a matter of policy supports or opposes the use of American cyberweapons. The most exotic innovations under consideration would enable a Pentagon programmer to surreptitiously enter a computer server in Russia or China, for example, and destroy a "botnet" - a potentially destructive program that commandeers infected machines into a vast network that can be clandestinely controlled - before it could be unleashed in the United States. Or American intelligence agencies could activate malicious code that is secretly embedded on computer chips when they are manufactured, enabling the United States to take command of an enemy's computers by remote control over the Internet. That, of course, is exactly the kind of attack officials fear could be launched on American targets, often through Chinese-made chips or computer servers. So far, however, there are no broad authorizations for American forces to engage in cyberwar. The invasion of the Qaeda computer in Iraq several years ago and the covert activity in Iran were each individually authorized by Mr. Bush. When he issued a set of classified presidential orders in January 2008 to organize and improve America's online defenses, the administration could not agree on how to write the authorization.
A principal architect of that order said the issue had been passed on to the next president, in part because of the complexities of cyberwar operations that, by necessity, would most likely be conducted on both domestic and foreign Internet sites. After the controversy surrounding domestic spying, Mr. Bush's aides concluded, the Bush White House did not have the credibility or the political capital to deal with the subject.

Electronic Vulnerabilities

Cyberwar would not be as lethal as atomic war, of course, nor as visibly dramatic. But when Mike McConnell, the former director of national intelligence, briefed Mr. Bush on the threat in May 2007, he argued that if a single large American bank were successfully attacked "it would have an order-of-magnitude greater impact on the global economy" than the Sept. 11, 2001, attacks. Mr. McConnell, who left office three months ago, warned last year that "the ability to threaten the U.S. money supply is the equivalent of today's nuclear weapon." The scenarios developed last year for the incoming president by Mr. McConnell and his coordinator for cybersecurity, Melissa Hathaway, went further. They described vulnerabilities including an attack on Wall Street and one intended to bring down the nation's electric power grid. Most were extrapolations of attacks already tried. Today, Ms. Hathaway is the primary author of White House cyberstrategy and has been traveling the country talking in vague terms about recent, increasingly bold attacks on the computer networks that keep the country running. Government officials will not discuss the details of a recent attack on the air transportation network, other than to say the attack never directly affected air traffic control systems. Still, the specter of an attack that could blind air traffic controllers and, perhaps, the military's aerospace defense networks haunts military and intelligence officials.
(The saving grace of the air traffic control system, officials say, is that it is so old that it is not directly connected to the Internet.) Studies, with code names like Dark Angel, have focused on whether cellphone towers, emergency-service communications and hospital systems could be brought down, to sow chaos. But the theoretical has, at times, become real. "We have seen Chinese network operations inside certain of our electricity grids," said Joel F. Brenner, who oversees counterintelligence operations for Dennis Blair, Mr. McConnell's successor as national intelligence director, speaking at the University of Texas at Austin this month. "Do I worry about those grids, and about air traffic control systems, water supply systems, and so on? You bet I do." But the broader question - one the administration so far declines to discuss - is whether the best defense against cyberattack is the development of a robust capability to wage cyberwar. As Mr. Obama's team quickly discovered, the Pentagon and the intelligence agencies both concluded in Mr. Bush's last years in office that it would not be enough to simply build higher firewalls and better virus detectors or to restrict access to the federal government's own computers. "The fortress model simply will not work for cyber," said one senior military officer who has been deeply engaged in the debate for several years. "Someone will always get in." That thinking has led to a debate over whether lessons learned in the nuclear age - from the days of "mutually assured destruction" - apply to cyberwar. But in cyberwar, it is hard to know where to strike back, or even who the attacker might be. Others have argued for borrowing a page from Mr. Bush's pre-emption doctrine by going into foreign computers to destroy malicious software before it is unleashed into the world's digital bloodstream.
But that could amount to an act of war, and many argue it is a losing game, because the United States is more dependent on a constantly running Internet system than many of its potential adversaries, and therefore could suffer more damage in a counterattack. In a report scheduled to be released Wednesday, the National Research Council will argue that although an offensive cybercapability is an important asset for the United States, the nation is lacking a clear strategy, and secrecy surrounding preparations has hindered national debate, according to several people familiar with the report. The advent of Internet attacks - especially those suspected of being directed by nations, not hackers - has given rise to a new term inside the Pentagon and the National Security Agency: "hybrid warfare." It describes a conflict in which attacks through the Internet can be launched as a warning shot - or to pave the way for a traditional attack. Early hints of this new kind of warfare emerged in the confrontation between Russia and Estonia in April 2007. Clandestine groups - it was never determined if they had links to the Russian government - commandeered computers around the globe and directed a fire hose of data at Estonia's banking system and its government Web sites. The computer screens of Estonians trying to do business with the government online were frozen, if they got anything at all. It was annoying, but by the standards of cyberwar, it was child's play. In August 2008, when Russia invaded Georgia, the cyberattacks grew more widespread. Georgians were denied online access to news, cash and air tickets. The Georgian government had to move its Internet activity to servers in Ukraine when its own servers locked up, but the attacks did no permanent damage. Every few months, it seems, some agency, research group or military contractor runs a war game to assess the United States' vulnerability.
Senior intelligence officials were shocked to discover how easy it was to permanently disable a large power generator. That prompted further studies to determine if attackers could take down a series of generators, bringing whole parts of the country to a halt.

Another war game that the Department of Homeland Security sponsored in March 2008, called Cyber Storm II, envisioned a far larger, coordinated attack against the United States, Britain, Canada, Australia and New Zealand. It studied a disruption of chemical plants, rail lines, oil and gas pipelines and private computer networks. That study and others like it concluded that when attacks go global, the potential economic repercussions increase exponentially.

To prove the point, Mr. McConnell, then the director of national intelligence, spent much of last summer urging senior government officials to examine the Treasury Department's scramble to contain the effects of the collapse of Bear Stearns. Markets froze, he said, because "what backs up that money is confidence - an accounting system that is reconcilable." He began studies of what would happen if the system that clears market trades froze.

"We were halfway through the study," one senior intelligence official said last month, "and the markets froze of their own accord. And we looked at each other and said, 'Our market collapse has just given every cyberwarrior out there a playbook.' "

Just before Mr. Obama was elected, the Center for Strategic and International Studies, a policy research group in Washington, warned in a report that "America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration."

What alarmed the panel was not the capabilities of individual hackers but of nations - China and Russia among them - that experts believe are putting huge resources into the development of cyberweapons. A research company called Team Cymru recently examined "scans"
that came across the Internet seeking ways to get inside industrial control systems, and discovered more than 90 percent of them came from computers in China.

Scanning alone does no damage, but it could be the prelude to an attack that scrambles databases or seeks to control computers. But Team Cymru ran into a brick wall as soon as it tried to trace who, exactly, was probing these industrial systems. It could not determine whether military organizations, intelligence agencies, terrorist groups, criminals or inventive teenagers were behind the efforts.

The good news, some government officials argue, is that the Chinese are deterred from doing real damage: Because they hold more than a trillion dollars in United States government debt, they have little interest in freezing up a system they depend on for their own investments.

Then again, some of the scans seemed to originate from 14 other countries, including Taiwan, Russia and, of course, the United States.

Bikini Atoll for an Online Age

Because "cyberwar" contains the word "war," the Pentagon has argued that it should be the locus of American defensive and offensive strategy - and it is creating the kind of infrastructure that was built around nuclear weapons in the 1940s and '50s.

Defense Secretary Robert M. Gates is considering proposals to create a Cyber Command - initially as a new headquarters within the Strategic Command, which controls the American nuclear arsenal and assets in space. Right now, the responsibility for computer network security is part of Strategic Command, and military officials there estimate that over the past six months, the government has spent $100 million responding to probes and attacks on military systems. Air Force officials confirm that a large network of computers at Maxwell Air Force Base in Alabama was temporarily taken off-line within the past eight months when it was put at risk of widespread infection from computer viruses.

But Mr.
Gates has concluded that the military's cyberwarfare effort requires a sharper focus - and thus a specific command. It would build the defenses for military computers and communications systems and - the part the Pentagon is reluctant to discuss - develop and deploy cyberweapons.

In fact, that effort is already under way - it is part of what the National Cyber Range is all about. The range is a replica of the Internet of the future, and it is being built to be attacked. Competing teams of contractors - including BAE Systems, the Applied Physics Laboratory at Johns Hopkins University and Sparta Inc. - are vying to build the Pentagon a system it can use to simulate attacks. The National Security Agency already has a smaller version of a similar system, in Millersville, Md.

In short, the Cyber Range is to the digital age what the Bikini Atoll - the islands the Army vaporized in the 1950s to measure the power of the hydrogen bomb - was to the nuclear age. But once the tests at Bikini Atoll demonstrated to the world the awesome destructive power of the bomb, it became evident to the United States and the Soviet Union - and other nuclear powers - that the risks of a nuclear exchange were simply too high. In the case of cyberattacks, where the results can vary from the annoying to the devastating, there are no such rules.

The Deterrence Conundrum

During the cold war, if a strategic missile had been fired at the United States, screens deep in a mountain in Colorado would have lighted up and American commanders would have some time to decide whether to launch a counterattack. Today, when Pentagon computers are subjected to a barrage, the origin is often a mystery. Absent certainty about the source, it is almost impossible to mount a counterattack.

In the rare case where the preparations for an attack are detected in a foreign computer system, there is continuing debate about whether to embrace the concept of pre-emption, with all of its Bush-era connotations.
The questions range from whether an online attack should be mounted on that system to, in an extreme case, blowing those computers up.

Some officials argue that if the United States engaged in such pre-emption - and demonstrated that it was watching the development of hostile cyberweapons - it could begin to deter some attacks. Others believe it will only justify pre-emptive attacks on the United States. "Russia and China have lots of nationalistic hackers," one senior military officer said. "They seem very, very willing to take action on their own."

Senior Pentagon and military officials also express deep concern that the laws and understanding of armed conflict have not kept current with the challenges of offensive cyberwarfare.

Over the decades, a number of limits on action have been accepted - if not always practiced. One is the prohibition against assassinating government leaders. Another is avoiding attacks aimed at civilians. Yet in the cyberworld, where the most vulnerable targets are civilian, there are no such rules or understandings. If a military base is attacked, would it be a proportional, legitimate response to bring down the attacker's power grid if that would also shut down its hospital systems, its air traffic control system or its banking system?

"We don't have that for cyber yet," one senior Defense Department official said, "and that's a little bit dangerous."

Copyright 2009 The New York Times Company

Brother Martin de Porres

Bob may have heard of or remember the video that crashed our UK Military Networks for several hours. Our Lads in Iraq posted a parody of a 'Comic-Relief' charity appeal. Due to certification delays, military hardware tends to lag civilian kit. The demand on the servers for this sketch brought the system down!

http://www.youtube.com/watch?v=dyBxkLPxIfk British Soldiers in Iraq do send up of Tony Christie & Peter Kay - Is this the way to Amarillo?

And here is the original from Red-Nose Day 2005. "Dedicated especially to HACKERS" http://www.youtube.com/watch?v=6liAimpfH3k&feature=related

deepsand

Considering that the events cited happened roughly 5 to 10 years ago, and that Gourley offered his opinion without benefit of supporting evidence, how are we to say whether or not any "wakeup" calls went unheeded? It would have been far more useful had he addressed specific possible breaches, how such could be strengthened, what efforts had been made toward such and to what degree of success. Rather, Mr. Gourley gave the appearance of one touting a need for the services he provides.

bob

Deepsand, it is good to look for facts in this area of cyber security, and it is certainly ok to be a bit cynical. We haven't met so there is little way for you to know if I'm credible on this stuff or not. If I were you or others who want to get to the bottom of this I'd strongly recommend diving in and doing some fast research. Even a couple Google searches will help you get some good context. Try searches for terms like "Moonlight Maze", "Solar Sunrise" and "Eligible Receiver." Anyway, it was a short interview and I'm glad I raised these topics in the limited amount of time we had. Maybe I'll have an opportunity to chat with Jason again sometime to dive deeper into those topics. I'd also mention, just to clarify, I don't offer any services, at this time, that benefit from my discussion of those key cyber security wakeup calls. Sorry if I gave that impression. I certainly believe there is more need for huge gains in enterprise security, and I reserve the right to contribute in those areas in the future. But the fact is I really believe what I said in this discussion with Jason, and if I can encourage you to dive in and look for facts I think you and I will end up sharing similar views. Cheers, Bob http://ctovision.com

Deadly Ernest

unknown invaders. If you wish to find and trap them, one way is to not fully build a brick wall where you know them to be coming in. Yes, you build a stronger wall, but then leave an open space for them to explore once they get through the wall, and back beyond that you have a much stronger wall with defences set to trap them once you know they've entered the trap area. You do NOT advertise what you've done. So, the people responsible may have taken no action, they may have taken action to build the strongest defences they can without telling anyone, or they may have built a stronger defence to wall off a trap area and isolated it from the rest. We don't know and are unlikely to know until such time as another breach occurs or the trap is sprung.

deepsand

Rather, it is to say that, while such are widely published, not so the case with countermeasures, which are, of necessity, oft times well cloaked in secrecy. This is most definitely a case of the absence of proof not constituting proof of absence.