Leon Panetta was blunt, even for a guy who is known to speak his mind. In the heady aftermath of the Osama bin Laden mission, Panetta’s authority on Capitol Hill was all but unquestioned. Despite an atmosphere of bitter partisanship, the longtime Democrat was about to be confirmed as Defense secretary by a vote of 100-0, a rare feat in any era. Now Panetta, the outgoing CIA director, was telling a rapt audience of senators at his confirmation hearing that America’s national-security defense apparatus was underestimating the gravest danger out there. “We talk about nuclear. We talk about conventional warfare. We don’t spend enough time talking about the threat of cyberwar,” he said. “There’s a strong likelihood that the next Pearl Harbor that we confront could very well be a cyberattack.”
Whoa. Really? You mean, thousands of people could die in a cyberattack? How exactly would this happen? Could it be like some sort of monstrous video game run amok? Or the 1980s classic War Games, in which a teenage Matthew Broderick almost hacks his way into starting a nuclear war? One thing is certain: Panetta is hardly alone in his alarm; indeed, he is channeling the fears of the nation’s top generals and spooks.
On July 14, the Pentagon rolled out its first-ever “cyberspace strategy”—a critical need for the United States because, as Deputy Defense Secretary Bill Lynn declared with alliterative flair that day, “bits and bytes can be as threatening as bullets and bombs.” The U.S. government is now spending about $12 billion a year to wage both offense and defense in cyberspace, and it has set up a Cyber Command at Fort Meade in Maryland. The Homeland Security Department conducts regular war games that it calls “cyberstorming.” A new multibillion-dollar military-industrial complex is emerging, with giant defense contractors like Boeing and Northrop Grumman transforming themselves into part-time cybersecurity contractors.
In truth, cyberskeptics abound. They include many independent analysts as well as some of Panetta’s high-level colleagues in the Obama administration. These skeptics say that much of the alarm stems from a fear of the unknown rather than from concrete evidence of life-and-death threats. It is, they suggest, a 21st-century version of the medieval mapmakers who would mark the boundaries of the known world and then draw mythical beasts on the other side conveying the message: “Here, there be dragons.”
Here was Rep. Mac Thornberry, R-Texas, vice chairman of the House Armed Services Committee, in a recent interview with National Journal: “Very serious four-star generals tell me that cyber is the thing they worry about of all the potential threats, because there is so much that is unknown, and because our laws and military doctrines are so far behind.” For military officers who are trained to plan for every variable, the prospect that an attack on the United States might include some exotic cyber component is the dragon they understand the least. And critics worry that this fear is only going to create the biggest dragon of all: a permanent military-cyber industrial complex not unlike the one that President Eisenhower warned of at the dawn of the nuclear age.
As a result, some skeptical cyberexperts say, the most serious threat may come not from abroad but from our own perceptions and overreactions. Recall the hype around Y2K, the computer glitch that was supposed to paralyze systems around the world once their calendars ticked over to the year 2000. Or think back to a half-dozen “cyberattacks” that turned out to be much less dangerous than believed. To cite just one example: In 1998, someone tried to hack into the Defense Department’s computers in what then-Deputy Defense Secretary John Hamre called “the most organized and systematic attack to date” on U.S. military systems. Suspicions focused on Iraqis conducting “information warfare.” Then it came to light that the culprits were a couple of California teenagers (real-life Matthew Brodericks) egged on by an Israeli teenager.
The danger is that the U.S. government will do what it has been arguably doing in spades since 9/11: overreact. Spend too much. Go overboard with surveillance. Crimp and constrain freedoms, this time involving the Internet.
“That is the history of counterterrorism in this country,” says Neal Pollard, a cyberterrorism expert who has advised the U.S. and British governments, including the U.S. director of national intelligence. “There’s not a whole lot that’s new here. We used to hear about an ‘electronic Pearl Harbor.’ And a ‘digital Pearl Harbor.’ Those types of martial metaphors have gone back to the late ’90s. I don’t think they are particularly helpful. Pearl Harbor was a surprise attack taking out our battleships. Well, we don’t have battleships anymore. We’ve been hearing these kinds of terms for nigh 15 years without any sort of precise thought behind them.”
Pollard is hardly alone. Jim Steinberg, the just-retired deputy secretary of State and an intelligence expert who has followed the cyber strategizing closely, warns that an overreaction could have deeply troubling and far-reaching consequences. In an interview with NJ, he said that overreacting could lead to “measures that significantly balkanize, cramp, and damage the benefits of the cyberworld, in terms of personal freedoms and economic growth.” It could also unnecessarily ratchet up international tensions, “because countries can’t figure out how to manage the perceived activities of others in cyberspace.”
The race to master the perceived threats—or to even learn of their existence—could trigger an expensive and unnecessary new arms race, Steinberg continued. “It could be like the nuclear rivalry in the Cold War, which is that each side becomes preoccupied with the potential danger that the other could pose and begins to orient its own policy around those dangers.” Such a development could end up being self-defeating if it constrains Internet activity too much (although, of course, Cold-War era defense spending created the Internet in the first place).
“When we start throwing out [words like] cyberwar … we have to define what … we’re talking about.” —Howard Schmidt, White House cybersecurity coordinator
The bottom line, says Steinberg: “You never say never. But I think the likelihood of a cyberattack that leads to losses of life on a scale of 9/11 is still extremely unlikely.” Asked about Panetta’s comments, Steinberg administers a gentle scolding. The idea of a cyber Pearl Harbor or a cyber 9/11 “tends to be shorthand in order to get people to pay attention,” he says.
The White House’s own cybersecurity coordinator, Howard Schmidt, pointedly avoids using the term “cyberwar,” saying that most cyberthreats are closer to criminal acts than to military actions. “Words do matter,” Schmidt remarked at a conference in February. “When we start throwing out these things, like we’re in the midst of a cyberwar, or that cyberwar is around the corner, there’s a lot of [those things] that don’t actually apply, so we really have to define what it is that we’re talking about.”
It’s a critical distinction. Wars—whether conventional or irregular—entail the organized killing and maiming of large numbers of people over extended periods of time. Especially after a decade in which the post-9/11 “war on terrorism” led to long and bloody real wars in Iraq and Afghanistan, the term should be used sparingly.
Even skeptics agree that we need to worry about cyberespionage—about foreign states or rogues or terrorists probing the U.S. defense grid. We need to worry, perhaps, about some future version of Stuxnet, the now infamous computer virus that is believed to have sabotaged Iran’s nuclear centrifuges. We may need to worry about new cyber components in future wars.
But about cyberwar itself? Perhaps not so much.
When pressed, cyberhawks in Congress and in the Defense and Homeland Security departments say the worst nightmare scenarios they can imagine involve a disruption of the nation’s power grid or banking system. “The water supply is contaminated. Sewage treatment is attacked. The floodgates are opened,” Rep. Jim Langevin, D-R.I., a cofounder and cochairman of the House Cybersecurity Caucus, told NJ. “God forbid this would happen in middle of winter and a section of the country is without power,” he adds. Yes, that could be ugly and economically paralyzing, but it’s hard to imagine mass fatalities. Some people could freeze to death.
Thornberry, the Texas House member, argues that hackers could cause a large-scale loss of life by “making a nuclear power plant do something it’s not supposed to do” or by “interfering with air-traffic-control systems.”
But even there, Pollard suggests, the threat is probably being hyped. “I don’t think it’s realistic to talk about terrorist groups bringing down air-traffic-control systems,” he says. “First, the technology required to do that is not trivial. You have to launch multiple attacks on the telecom system, on GPS, on the beaconing system. Second, pilots know how to fly airplanes without all those electronics if those databases are corrupted. And thirdly, there are not too many people who would benefit from those types of attacks. Terrorist groups would, but we have not seen terrorist groups go that way.”
It’s a similar story with worries about a cyber infiltration that makes a nuclear plant go haywire. In a now-famous experiment by Idaho National Labs, researchers deployed a computer attack that caused a turbine to destroy itself by literally spinning off its axis—an effect not unlike what Stuxnet supposedly accomplished. But Pollard points out that authorities can put safeguards and redundant systems into place to prevent the worst. The simplest solution, he says, is that “you just don’t connect it to the Internet.”
One of the things that scares U.S. military officials the most about cyberwar is that, if an attack comes, they may not know who the enemy is. Cyberexperts say the toughest problem of all is “attribution”—knowing who’s breaking into your grid and where they are if you wish to retaliate. Stuxnet first appeared more than a year ago, and many experts suspect it was a joint U.S.-Israeli project. But that remains an unsolved mystery, which may be the case in many future incidents.
“The next Pearl Harbor … could well be a cyberattack.” —Defense Secretary Leon Panetta
“What could be coming from a nation-state might appear to be coming from individual in a remote location,” Langevin says. “A ‘botnet’ attack [referring to an infected group of computers] could be made to look like it was coming from some little old lady in Idaho, or someplace in Sweden. What years ago could be achieved only through kinetic weapons could be achieved through a few keystrokes.” Think Thunderball, but without James Bond around to figure it out and save us.
Even now, we can’t seem to keep up with the cyber surprise attacks. Authorities say that whole terabytes of information, more than exists in the Library of Congress, have already been “exfiltrated” or stolen from U.S. government computers and the networks of defense companies. Among the more alarming incidents: In March, a foreign intelligence service took 24,000 files from a defense contractor, Lynn said (he would not identify the government, but China is the likeliest suspect). “A great deal” of the stolen data in such cases “concerns our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems, and network security protocols,” Lynn said on July 14.
More than 100,000 “security incidents” occur in the United States every year, according to the U.S. Computer Emergency Readiness Team. More than half of them involve “phishing,” or hackers posing as other people to break into secure computer systems. Michael McConnell, the former director of national intelligence, echoed Panetta in telling a Senate hearing last year: “The cyber risk has become so important that, in my view, it rivals nuclear weapons in terms of seriousness.”
It all sounds terrifying until one begins to look a little more closely at the facts. Lynn cites only one successful penetration of U.S. classified computers used by the Defense Department or the intelligence community. That was in 2008, when a flash drive infected by a “foreign intelligence agency” was inserted into a U.S. military laptop in the Middle East and uploaded a spybot onto a network run by the U.S. Central Command. “That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” Lynn wrote in Foreign Affairs last year.
But little seems to have come of that beachhead. The vast majority of cyberattacks against the United States amount to spying or misguided mischief, without anything like the consequences envisioned in War Games. Warnings about cyberspying and malevolent hacking have been around for more than 10 years. Even today, however, most experts believe that known rogue actors, such as al-Qaida and other terrorist groups, don’t have anything close to the technical sophistication to infiltrate the U.S. defense or intelligence computer system.
The occasional global hackers who have cropped up—one prominent example was “Lulz Security,” a pirate hacker group that appeared suddenly this year and then abruptly disbanded—have done little but paralyze servers and act as an annoyance. (WikiLeaks succeeded in breaking into the State Department computers, but only because it had an inside accomplice: Army Pvt. Bradley Manning, according to authorities.) As far as nation-states go, the Cold War principle of deterrence is still operative: What you do to us, we can do to you—and more. Indeed, China, which desperately seeks to restrict Internet freedom and this year arrested hundreds of people for fear that a “Jasmine Spring” could imitate the Arab Spring, seems more worried about battening down its own cyberhatches even as it probes our own.
Last year, in her biggest strategic speech on this topic, Secretary of State Hillary Rodham Clinton issued a Churchillian warning about the “new information curtain” descending on countries like China and Iran. U.S. officials agree that in the strategic struggle for freedom that still persists across the world, the United States shouldn’t do anything to cripple the free flow of information on the Internet. Lynn acknowledges concerns that “cyberspace is at risk of being militarized,” and he says that the Pentagon wants to avoid that. But he isn’t specific on how. “Far from ‘militarizing’ cyberspace, our strategy of securing networks to deny the benefit of an attack will help dissuade military actors from using cyberspace for hostile purposes,” Lynn says. “Establishing robust cyberdefense no more militarizes cyberspace than having a navy militarizes the ocean.”
Yet the Government Accountability Office, Congress’s investigative arm, says in a forthcoming report that the Pentagon doesn’t seem to have a very clear idea about how it plans to conduct “cyberdefense,” how much it plans to spend, or even who is in charge. In the report, scheduled to be published on July 25, GAO is expected to harshly criticize the way that the Defense Department has managed its Cyber Command. “They have confused Capitol Hill and the public,” says Davi D’Agostino, the GAO’s director of defense capabilities and management and the main author of the report. “We are still seeing problems with ground rules and command and control. Is it clear who does what to whom?” Many of the problems seem to be driven, again, by a confusion about the unknowns. Among them: Who should carry out “offensive operations” and when, and how much money should be committed. Three different parts of the Defense Department delivered three different budget estimates for Cyber Command, D’Agostino says.
Another big unknown is who would take the lead in coordinating a response to what might or might not be a hostile action by another country. Lynn, in laying out the Pentagon’s cyber strategy, suggested that a compromise of the nation’s infrastructure could also cripple the military at a time of crisis. “Ninety-nine percent of the electricity the U.S. military uses comes from civilian sources,” he said. “Ninety percent of U.S. military voice and Internet communications travel over the same private networks that service homes and offices.”
But if the U.S. military were compromised because of a mysterious attack on civilian infrastructure, would Washington retaliate militarily? The Obama administration tries to make it sound straightforward. “If it’s an attack on military systems, the DOD would obviously have the lead. If it’s infrastructure, then it’s a DHS lead,” says White House spokesman Bob Jensen. But what if both are hit or if it’s not clear for weeks or months or years what the real target is and who the perpetrator was? Asked about this at a news conference, the vice chairman of the Joint Chiefs, Marine Gen. James E. Cartwright, said that an act of war in cyberspace will be “in the eyes of the beholder.”
There have been disturbing improvements in cybermartial capabilities, and most evidence suggests that the expertise is accumulating mainly in governments, not among private hackers. “The most sophisticated sort of threat comes from state-connected actors,” Thornberry warns. Moscow was suspected of taking down computers in Georgia and Estonia in recent years. Richard A. Clarke, a former adviser to the National Security Council, wrote in his 2010 book, Cyber War, that Israel’s attack on a suspected Syrian reactor in 2007 may have involved some clever cyberjamming. Clarke says that the Israelis transmitted computer data packets that fooled the Syrian air defense network in an almost Stuxnet-like way. “Those packets made the system malfunction, but they also told it not to act [like] there was anything wrong with it,” Clarke wrote. “The sky would look just like it had when it was empty, even though it was, in actuality, filled with Israeli fighters.”
THE STUXNET QUESTION
To date, the most devastating cyberattack may have been launched is believed to have been from, not at, the United States: Stuxnet, which apparently sabotaged the controls systems in Iran’s uranium-enrichment process. According to a recent analysis of Stuxnet by Symantec, the cybersecurity firm, the virus caused Iranian centrifuges to spin beyond their normal tolerance levels, fatally damaging them, while at the same time relaying false information to the plant operators that all was well. The virus was also believed to have disabled kill switches, so that operators couldn’t turn the centrifuges off as they spun out of control. For all the attack’s importance, it didn’t actually hurt or kill anyone—a key distinction between cybersecurity and real war. Indeed, if Stuxnet preempted the U.S. or Israel from launching an actual military assault on Iran’s nuclear complex, attacks in cyberspace might actually prevent death in the real world.
That said, the reported success of the Stuxnet attack also demonstrates the risks. U.S. military and intelligence officials are right to prepare for the day when some other nation such as China or Russia could launch its own Stuxnet—which could conceivably provoke a military response by Washington if it can pin down the culprit (again, a very big “if”). Steinberg and other former or current U.S. officials acknowledge that the United States could confront a brilliant rogue actor who has mastered cybertools, such as the aggrieved Pakistani computer scientist in David Ignatius’s new novel, Bloodmoney, who exposes the identities of several CIA agents to terrorists and causes their deaths. A more realistic fear, say Steinberg and others, is that some country or terrorist group might simply add cyber to its arsenal of physical weapons.
“So let’s imagine that you had a 9/11 [terrorist attack] and then somebody hacked a 911 system and the emergency communications in New York,” Steinberg says. But that’s different from preparing for a separate war fought exclusively in cyberspace. “What would be the strategic end?” Steinberg asks. “You can’t do that much damage to bring the United States to its knees. Even if the odds of attribution are low, a country has to worry that it risks a counterattack.”
The most nefarious hacking is really about espionage, but that’s been going on forever anyway. “We’re all grownups, right? I mean, people spy on each other, right? Surprise, surprise,” says Steinberg, who refused to give specifics about how much activity China or Russia was up to. “There’s no reason that the basic activities that states engaged in pre-cyberworld are not going to extend to the cyberworld. Why wouldn’t they? Why would you expect states to behave differently in terms of their interest in knowing what the other guy is doing? … Aldrich Ames is just as dangerous as a botnet.”
Yet even there the real dangers of stealing secrets about new technologies or encryption are probably exaggerated, says a technological consultant who spent most of his career with the National Security Agency. Most secrets in the cyberage don’t last very long, and the nation’s greatest strength “has to do with the preservation of intellectual capital,” he says. “Microsoft has to turn out software with a half-life of six months,” he says. “Is your intellectual capital embodied in the software that you run on your computer systems every day, or is it the as-yet-unleashed ideas inside the minds of your staff?”
The time that China and other nations spend trying to hack into U.S. know-how may just steal energy and dedication from their own entrepreneurial efforts—and, ultimately, their national security. It is a lesson that Leon Panetta and the others who manage America’s defense should remember. Yes, cyber expertise can potentially be used as a threat as much as an economic boon. But cyberwar still belongs to the realm of fiction.
This article appears in the July 23, 2011, edition of National Journal.