Experts warn of serious cybersecurity threat to America

Note: The following is a piece on cybersecurity that I wrote for the upcoming book: Secrets of 24: The Unauthorized Guide to the Political & Moral Issues Behind TV’s Most Riveting Drama. Unfortunately, the editors decided to cut the piece from the book, but have let me republish it here.

Hed: Experts warn of serious cybersecurity threat to America
Dek: Former Bush official calls administration’s current strategy ‘totally disorganized and ineffective’

by Cyrus Farivar

While cybersecurity might not mean much to most Americans beyond the latest virus updates, experts remain deeply worried that the country is not doing enough to protect our network and information infrastructure.

O. Sami Saydjari, CEO of the Cyber Defense Agency, is one of many scientists leading the charge to strengthen the American cyberdefense arsenal. In 2002, he and 50 other leading scientists sent a letter to President Bush warning of a devastating attack against critical systems.

“When [ordinary] people talk about cybersecurity, they mistakenly think about protecting their email correspondence with their kids in college, or [making sure] that their online games are up and running,” he said.

“That’s not what we’re talking about. Our way of life depends on computer systems now. Power [systems] — there is no power without computers. When we’re talking about cybersecurity, we’re talking strategically damaging scenarios, we’re not talking about bringing down the Web or email, we’re talking about bringing down systems that run the most critical of critical infrastructure.”

Scientists and scholars believe that a situation analogous to the massive Northeast Blackout of 2003 could happen if rogue or foreign agents somehow compromised American power systems.

How would such a scenario occur?

Pradeep Khosla, dean of the College of Engineering and the director of CyLab at Carnegie Mellon University, says that such an attack against this infrastructure is surprisingly easy.

“The reason it is possible is because that critical infrastructure is being controlled by computers that are no different than my desktop PC,” he says.

In other words, if your home PC can get infected with spyware, worms and other types of malware, so too can these ordinary PCs that control our most integral systems. Hackers can use open “ports” on a network to burrow in pieces of software that might seem innocuous, much in the same way that you might have an annoying piece of software installed without your knowing it on your home computer.

“How hard is it for somebody with the right kind of technical understanding to get documentation about the power grid in the Northeast and search around until he found access, bore into one of those, put in some insidious software and use that to screw up the power grid?” asks Michael S. Swetnam, CEO of the Potomac Institute for Policy Studies, who is also a member of the Technical Advisory Group to the United States Senate Special Select Committee on Intelligence.

“That would take some knowledge, but it’s not beyond the capability of computer science professors in this country. If you took down the power grid, you could hurt a lot of people,” he says.

However, while a devastating attack against infrastructure has not yet happened, experts warn that in a major state-on-state all-out war, cyberattacks will certainly become part of the new strategy — on both sides.

“Our opponents are mapping out the vulnerabilities in our infrastructure,” says James Lewis, director of the Technology and Public Policy Program at the Center for Strategic & International Studies. “Can we expect this to be part of any conflict? 100 percent we should expect it.”

Until now, there have been a small handful of serious, large-scale cyberattacks on the United States, which have left little lasting damage.

A series of attacks called “Moonlight Maze” occurred in 1999, most likely from Russian sources, and another, called “Titan Rain,” emanated from China in 2003. The latter attack gained access to computer networks at facilities across the country, including the Sandia National Laboratories and NASA.

More recently, in April 2007, the Baltic nation of Estonia was hit by the most recent example of a large-scale cyberattack, which targeted government websites, banks and newspapers. The denial-of-service attack against Estonia made those websites unusable for a short period of time, but was dealt with very rapidly.

Unfortunately, the fact that no one has been caught as the mastermind behind any of these attacks illustrates how difficult it is to fight a nebulous enemy who can easily cover his tracks in cyberspace.

Today, the most serious threat to the United States comes from non-governmental and non-state transnational terrorism organizations, like Al Qaeda. Fortunately, scholars say that Al Qaeda does not have the level of technical sophistication to launch an all-out attack on the American electrical grid, despite the fact that it might like to.

Experts like Michael Swetnam caution that the absence so far of any cyberattack at the level of September 11 from Al Qaeda or other entities doesn’t mean that the threat isn’t real.

“The fact that we haven’t dropped nuclear weapons in 60 years doesn’t mean the technology isn’t there,” Swetnam says. “It is in the hands of people who are ready to use it as a weapon and you can wait until that’s demonstrated to believe it, but this is not a myth.”

Currently, both the government and the military have various strategies, such as the White House’s “National Strategy to Secure Cyberspace” (2003) and the Air Force’s announcement in 2006 that it would create an Air Force Cyber Command.

Still, Paul Kurtz, a former Bush administration cyber-security official, was quoted in The Washington Post in 2005 as saying that cybersecurity “has been on a downward slope and we need to arrest that decline and bring the issue back to the level [of importance] it was a few years ago.”

Today, Kurtz characterizes the Bush Administration’s approach to cybersecurity as “totally disorganized and ineffective.”

So how does this situation improve? Industry experts like O. Sami Saydjari say that the citizenry needs to hold the government to account.

“The public needs to demand action from leadership, in the same way that we demand our leadership be more prepared for hurricanes,” he says.

“What we saw in Hurricane Katrina was that a portion of our country became a third world country overnight and stayed for weeks and in some cases months. In cyberspace, our viewpoint is that an organized cyberattack would leave the entire country in the same state as the coastal south was in after Katrina. No phones, no fire, no police. That’s not a state that a country wants to be in. Ever. That’s exactly what I’d like the public to do in response to the press, is to not get scared, but rather to stand up and make their voices heard and say that they expect our leadership to proactively defend us against this serious threat.”

-30-

Cyrus Farivar is a freelance technology journalist based in Oakland, Calif. He has written for The Economist, Slate, Wired, The New York Times, National Public Radio, The World (WGBH/PRI/BBC) and many others. He is also currently working on a book about the history and effects of the Internet in different countries around the world, which will be published by Rutgers University Press in 2009.
