Cyber War: The Next Threat to National Security and What to Do About It (34 page)

Read Cyber War: The Next Threat to National Security and What to Do About It Online

Authors: Richard A. Clarke,Robert K. Knake

Tags: #General, #Computers, #Technology & Engineering, #Political Science, #Security, #United States, #Political Freedom & Security, #Cyberterrorism, #Political Process, #Law Enforcement, #International Security, #Information warfare, #Military Science, #Terrorism, #Prevention

BOOK: Cyber War: The Next Threat to National Security and What to Do About It
3.3Mb size Format: txt, pdf, ePub

As much as people fear robots and artificial intelligence (without knowing that there are already a lot of both at work today), it may be worth thinking about using artificial intelligence to write new
code. It would mean coming up with a set of rules for writing secure and elegant code. The rules would have to be extensive and iterated with testing. The project would be sufficiently large that it would require government research funding, but it should be possible gradually to develop an artificial intelligence program that could respond to requests to write software. The artificial code writer could compete with famous software designers, much as IBM’s Big Blue played against human chess masters. Drawing on the open source movement, it could be possible to get the world’s experts to contribute to the process.

The work that was done to create the Internet forty years ago has been enormously valuable, far more so than the inventors ever thought then that it would be. Now the funders of the original Internet should fund an attempt to do something better. Today cyber research is fragmented and, according to a presidential advisory board, cyber security research is dangerously underfunded. Cyberspace also needs a fresh look from designers who are freed to think of new protocols, new ways of authenticating, and advanced approaches for authorizing access, seamlessly encrypting both traffic and data at rest.

There are some signs of renewed life at DARPA (the Defense Advanced Research Projects Agency), which funded much of the early Internet development. After years of abandoning research on the public Internet, things have begun to change. In October 2009, DARPA granted a contract to a consortium including defense contractor Lockheed and router manufacturer Juniper Networks to design a new basic protocol for the Internet. For decades, the Internet has been breaking traffic up into little digital packets, each with its own address space, or “header.” The header has the basic
to
and
from
information. The protocol or format for these packets is named TCP/IP (Transport Control Protocol/Internet Protocol). For the gods and founders of the Internet, TCP/IP is as sacred as the Ten
Commandments are to some religious groups. What DARPA is now looking for is something to replace TCP/IP. Shock and horror! The new Military Protocol would allow for authentication of who sent every packet. It would permit prioritization of the packets, depending upon the purpose of the communication. It might even encrypt the content. The Military Protocol would be used initially on the Pentagon’s networks, but just think what it could do for the Internet. It could stop most cyber crime, cyber espionage, and much of cyber war. DARPA has no estimated ready date for the Military Protocol, nor any idea about how the conversion process from TCP/IP would occur. Nonetheless, it is just that kind of thinking that could make the Internet secure someday.

We should not throw out what we have until we are sure that the alternative really is better and that the conversion process is feasible. What might that something new look like? In addition to the Internet, cyberspace might consist of many more intranets, but these would be highly heterogeneous, running one of several different protocols. Some of the intranets might have “thin clients,” which are not skinny guys looking for a lawyer, but computer terminals that use well-controlled servers or mainframes rather than having an extensive hard drive on every desk. Centralized mainframes (yes, the old mainframe) that, if they failed, would be backed up by redundant hardware at other locations, could manage intranets to prevent security violations and configuration mismanagement at the nodes. The intranets’ traffic would run on separate fibers from the public Internet and could be switched by routers that did not touch the public Internet. Data could be scanned for malware and backed up in redundant data farms, some of which would always be disconnected from the network in case of a corrupting system failure. All of these new intranets could use constant scanning technologies to detect and prevent anomalous activity, intrusions, identity theft, malicious software, or unauthorized exporting of data. The
intranets could encrypt all data and require that a user prove with two or three reliable methods who he is before he could access the intranet. If the new nets were “packet switched,” as the Internet is now, the user’s authenticated identity could be embedded in each packet. Most important, these networks could constantly monitor for and prevent connectivity to the Internet.

A lot of people will hate that idea. Many of the Internet’s earliest advocates strongly believe that information should be free and freely disseminated, and that essential to that freedom is the right to access information anonymously. The “open Internet” people believe that if you wish to read
The Communist Manifesto
, or research treatments for venereal disease, or document China’s human rights violations, or watch porn online, your access to that information will not be free if anyone knows that you are looking at it.

But does that mean that everything should be done on one big, anonymous, open-to-everyone network? That’s how Vint Cerf and others see the Internet, and they’ll be damned if they’re gonna agree to change it. When I worked in the White House, I proposed something I called “Govnet,” a private network for the internal working of federal agencies that would deny access to those who could not really prove who they were (maybe with a special fob). Vint Cerf thought that was an awful idea, one that would erode the open Internet, beginning a trend of cutting it up into lots of little networks. Privacy advocates, whose cause I usually support, hated Govnet, too. They thought it would force everyone accessing the public web pages of government agencies to identify themselves. Of course, the public web pages would not have been on Govnet. They would still have been on the public Internet. But in the face of opposition like that, Govnet did not happen. It is probably time that we revisit the Govnet concept now.

In addition to Govnet for critical functions of the federal government, where else might we want such secure networks? For airline
operations and air traffic control, railroad operations, medical centers, certain research activities, operations of financial institutions, controlling space flight, and, of course (say it with me), for the power grid. All of these institutions would still need an Internet-facing presence off the intranet, to communicate outside the closed community of the intranet. But there would be no real-time connection between the secure networks and the Internet. Indeed, ideally the protocol, applications, and operating systems would be incompatible.

There would still be a public Internet, of course, and we would all still use it for entertainment, information, buying things, sending e-mail, fighting for human rights, learning about medical problems, looking at pornography, and engaging in cyber crime. But if we worked at a bank, the IRS, or the train company, or (say it loudly) the electric company, we would use one of these new secure, special-purpose intranets when we were at work. Cyber war could still target these intranets, but their diversity, their use of separate routers and fiber, and their highly secured internals would make it very unlikely that they could all be taken down. Vint Cerf and those devoted to one big everybody-goes-everywhere, interconnected web won’t like it, but change must come.

6. “IT’S POTUS”

Those were the words our hypothetical White House official heard in chapter 2. Most of the time, those are words you never want to hear, at least when somebody is shoving a phone in your direction in a crisis. The sixth element of our agenda is, however, Presidential involvement. I know that everyone working on a policy issue thinks the President should spend a day a week on his or her pet rock. I don’t.

The President should, however, be required to approve person
ally the emplacement of logic bombs in other nations’ networks, as well as approve the creation of trapdoors on a class of politically sensitive targets. Because logic bombs are a demonstration of hostile intent, the President alone should be the one who decides that he or she wants to run the destabilizing risks associated with their placement. The President should be the one to judge the likelihood of the U.S. being in armed conflict with another nation in the foreseeable future, and only if that possibility is high should he or she authorize logic bombs. Key congressional leaders should be informed of such presidential decisions, just as they are for other covert actions. Then, on an annual basis, the President should review the status of all major cyber espionage, cyber war preparation of the battlefield, and cyber defense programs. An annual cyber defense report to the President should spell out the progress made on defending the backbone, securing the DoD networks, and (let me hear you say it) protecting the electric power grid.

In this annual checkup, the President should review what Cyber Command has done: what networks they have penetrated, what options would be available to him in a crisis, and whether there are any modifications needed to his earlier guidance. This review would be similar to the annual covert-action review and the periodic dusting off of the nuclear war plan with the President. Knowing that there is an annual checkup keeps everybody honest. While he is reviewing the cyber war strategy implementation, the President could annually get a report from our proposed Cyber Defense Administration on its progress in securing government agencies, the Tier 1 ISPs, and (all together now) the power grid.

Finally, the President should put reducing Chinese cyber espionage at the top of the diplomatic agenda, and make clear that such behavior amounts to a form of economic warfare.

As I suggested earlier, the President should use the occasion of his annual commencement address at a military service academy,
looking out over the cadets or midshipmen and their proud families, to promulgate the Obama Doctrine of Cyber Equivalence, whereby a cyber attack on us will be treated the same as if it were a kinetic attack and that we will respond in the manner we think best, based upon the nature and extent of the provocation. I suggested that he add a proposal for a global system of National Cyber Accountability that would impose on nations the responsibility to deal with cyber criminals and allegedly spontaneous civilian hacktivists, and an Obligation to Assist in stopping and investigating cyber attacks. It would be a sharp contrast to the Bush Doctrine, announced at West Point, that expressed the sentiment that we should feel free to bomb or invade any nation that scares us, even before it does anything to us.

To follow up such a spring speech at an academy, the President should then in September give his annual address at the opening of the United Nations General Assembly session. Looking out from that green granite podium at the leaders or representatives of nine-score countries, he should say that

The cyber network technology that my nation has given to the world has become a great force for good, advancing global commerce, sharing medical knowledge that has saved millions of lives, exposing human rights violations, shrinking the globe, and, through DNA research, making us more aware that we are all descendants of the same African Eve.

But cyberspace has also been abused, as a playground for criminals, a place where billions of dollars are annually siphoned off to support cartels’ illicit activities. And it has already been used by some as a battlespace. Because cyber weapons are so easily activated and the identity of an attacker can sometimes be kept secret, because cyber weapons can strike thousands of targets and inflict extensive disruption and damage in seconds, they are potentially a
new source of instability in a crisis, and could become a new threat to peace.

Make no mistake about it, my nation will defend itself and its allies in cyberspace as elsewhere. We will consider an attack upon us through cyberspace as equivalent to any other attack and will respond in a manner we believe appropriate based on the provocation. But we are willing, as well, to pledge in a treaty that we will not be the first in a conflict to use cyber weapons to attack civilian targets. We would pledge that and more, to aid in the creation of a new international Cyber Risk Reduction Center, and undertake obligations to assist other nations being victimized by attacks originating in cyberspace.

Cyber weapons are not, as some have claimed, simply the next stage in the evolution of making war less lethal. If they are not properly controlled, they may result in small disagreements spiraling out of control and leading to wider war. And our goal as signers of the United Nations Charter is, as pledged in San Francisco well over half a century ago, “to save succeeding generations from the scourge of war.” I ask you to join me in taking a step back from the edge of what could be a new battlespace, and take steps not to fight in cyberspace, but to fight against cyber war.

It could be a beautiful speech, and it could make us safer.

 

 

A Guide to the Cyber Warrior’s Acronyms and Phrases

 

Authentication:
Procedures that attempt to verify that a network user is who he or she claims to be. A simple authentication procedure is a password, but software can be used to discover passwords. “Two-factor” authentication is the use of a password and something else, such as a fingerprint or a series of digits generated by a fob, a small handheld device.

 

Backbone:
The Internet backbone consists in the coast-to-coast trunk cables of fiber optics, referred to as “big pipes,” run by the Tier 1 ISPs.

 

Border Gateway Protocol (BGP):
The software system by which an ISP informs other ISPs who its clients are so that messages intended for the client can be routed or switched to the appropriate ISP. Sometimes an ISP may have other ISPs as clients. Thus, for example, AT&T may list on its BGP table an Australian ISP. If a packet originates on, for example, Verizon, and Verizon does not connect to the Australian network, a Verizon router at a telecom hotel (
see below
) would look at a BGP table to see who does have such a connection and would, in this example, route the packet to AT&T for onward routing to the Australian network. BGP tables are not highly secure and can be spoofed, leading to the misrouting of data.

 

Botnet:
A network of computers that have been forced to operate on the commands of an unauthorized remote user, usually without the knowledge of their owners or operators. This network of “robot” computers is then used to commit attacks on other systems. A botnet usually has one or more controller computers, which are being directly employed by the operator behind the botnet to give orders to the secretly controlled devices. The computers on botnets are frequently referred to as “zombies.” Botnets are used, among other purposes, to conduct floods of messages (
see
DDOS).

 

Buffer Overflow:
A frequent error in computer code writing that allows for unauthorized user access to a network. The error is a failure to limit the number of characters that can be entered by a non-trusted user, thus allowing such a user to enter instructions to the software system. For example, a visitor to a webpage may go to a section of the page where he should only be able to enter his address and instead enters instructions that allow him to gain the same access as the network’s administrator.

 

Civilian Infrastructure:
Those national systems that make it possible for the nation’s economy to operate, such as electric power, pipelines, railroads, aviation, telephony, and banking. In the U.S., these separate verticals usually consist of nongovernmental entities, privately held or publicly traded corporations that own and/or operate the systems.

 

Crisis Instability:
In a period of rising tensions or hostilities between nations, there may be preconditions or actions taken by one side that cause the other nation to believe it is in its best interest to take further aggressive action. Crisis instability is that condition that may lead to decisions to escalate military actions.

 

Cyber Boundary:
The cyber/kinetic boundary is the decision point when a commander must decide whether and how to move from a purely cyber war to one involving conventional forces, or kinetic weapons. Crossing the boundary is an escalatory step that may lead to the war spiraling out of control.

 

DARPA (also seen as ARPA):
The Defense Advanced Research Projects Agency is a component of the U.S. Defense Department charged with funding innovative research to meet the needs of the U.S. military. DARPA funded the initial research that created the Internet. In 1969 ARPANET became the first packet-switched network connecting four universities.

 

Deep-Packet Inspection:
A procedure that scans the packets of data that make up an e-mail, webpage, or other Internet traffic. Normally only the “header” of a packet is scanned, the top part that gives the
to
and
from
information. A deep inspection would scan the digital pattern in the content but would not convert that
content into text. The inspection looks only for digital patterns that are identical or highly similar to known malware or hacking tools.

 

Distributed Denial of Service (DDOS):
A basic cyber war technique often used by criminals and other nonstate actors in which an Internet site, a server, or a router is flooded with more requests for data than the site can respond to or process. The result of such a flood is that legitimate traffic cannot access the site and the site is in effect shut down. Botnets are used to conduct such attacks, thus “distributing” the attack over thousands of originating computers acting in unison.

 

Domain Name System (DNS):
A hierarchy of computers that converts words used as Internet addresses (as in www.google.com) into the numerical addresses that the networks actually use for routing message traffic (as in 192.60.521.7294). At the lowest rung of the hierarchy a DNS server may know only the routing information within a company; at a higher level a computer might know routing information for within a “domain,” such as the dot-net (.net) set of addresses. The highest-level DNS computers may contain the routing information for a national domain, such as dot-de (.de) for Germany—the “de” standing, of course, for “Deutschland.” DNS computers are vulnerable to floods of demands (
see
DDOS) and to unauthorized changes in routing information, or “spoofing,” in which a user is sent to a fraudulent look-alike version of the intended webpage.

 

Edge:
That place on the Internet where local traffic connects to a larger, nationally connected fiber-optic cable. An edge router directs locally originating traffic onto the national network.

 

Encryption:
The scrambling of information so that it is unreadable to those who do not have the code to unscramble it. Encrypting
traffic (or “data at rest”) prevents those who intercept it or steal it from being able to read it.

 

Equivalence:
The Cyber Equivalence Doctrine is a policy under which a cyber war attack will be treated like any other attack, including a kinetic strike, and will be responded to in a manner of the attacked nation’s own choosing, based upon the extent of the damage done and other relevant factors.

 

Escalation Dominance:
When one party to a conflict responds to an attack or provocation by significantly expanding the scope or level of the conflict and at the same time communicates that if its demands (such as war termination) are not met it can and will go even further, this is referred to as “escalation dominance.” The expansion of the hostilities is meant to demonstrate seriousness of intent and strength of capability, as well as a refusal to tolerate a prolonged low-level conflict. It is similar to the poker move of significantly raising the stakes and bringing the contest to an end-game phase in the hopes of convincing an opponent to back down.

 

Espionage:
Intelligence activities designed to collect information, access to which another nation (or other actor) is attempting to deny. Cyber espionage is the unauthorized entry by a nation-state onto the networks, computers, or databases of another nation for purposes of copying and exfiltrating sensitive information.

 

Hacker:
Originally, a skilled user of software or hardware who can adapt systems to do things other than their intended or original use. In common parlance, however, the term has been used to denote someone who uses skills to gain access to a computer or network without authorization. As a verb, “to hack” means to break into a system.

 

Internet:
The global interconnected network of networks intended for general access for the transmission of e-mails, the sharing of information on webpages, and so on. Networks may use the same software and transmission protocols, but not be part of the Internet if they are designed to be closed off from the global interconnected system. Such closed networks are referred to as “intranets.” Often there are controlled connections between intranets and the Internet. Sometimes there are unintentional connections.

 

Internet Service Provider (ISP):
A corporation (or government agency) that provides the wired or wireless connectivity from a user’s home, office, or mobile computer to the Internet. In the U.S. there are numerous small, regional ISPs and a handful of national ISPs. Often ISPs are also telephone companies or cable television providers.

 

JWICS:
The Joint Worldwide Intelligence Communication System is the Defense Department’s global intranet for transmitting data that it has classified Top Secret/SCI (Specially Compartmented Information). TS/SCI information is derived from intelligence collection systems such as satellites (
see
NIPRNET
and
SIPRNET).

 

Latency:
The extent to which a data packet is slowed from moving as quickly as possible on a network or path. Latency is measured in seconds or parts of seconds. The fastest, unimpeded speed is referred to as “line rate.” The size of a fiber-optic cable and the processing speed of routers along a network determine the line rate for that cable and/or router.

 

Launch on Warning:
A strategy component that dictates that a nation will initiate conflict—in this case, a cyber war—when intelligence indicators suggest that an opponent has or is about to commence hostile activities.

 

Logic Bomb:
A software application or series of instructions that cause a system or network to shut down and/or to erase all data or software on the network.

 

Malware:
Malicious software that causes computers or networks to do things that their owners or users would not want done. Examples of malware include logic bombs, worms, viruses, packet sniffers, and keystroke loggers.

 

National Accountability:
The concept that a national government will be held responsible for cyber attacks originating inside its physical boundaries. Also called the Arsonist in the Basement Theory (“If you are harboring an arsonist in your house and he is going out from your house and burning down others, you are just as responsible as he is”).

 

National Cyber Strength:
A net assessment of a nation’s ability to fight cyber war, the national cyber strength takes into account three factors: offensive cyber capability, the nation’s dependence upon cyber networks, and the ability of the nation to control and defend its cyberspace through such measures as cutting off traffic from outside the country.

 

NIPRNET:
Non-classified Internet Protocol Router Network is the Defense Department’s global intranet for information that is not classified. NIPRNET connects with the Internet at a limited number of portals. These are two other Defense Department intranets, SIPRNET and JWICS.

 

No First Use:
In arms control, the concept that a nation will not employ a certain kind of weaponry until and unless it has been used on it. Implicit in the concept is that a nation will only use a
certain kind of weapon on those that have already used it, and that the use of the weapon would be an in-kind retaliation.

 

NSA:
The National Security Agency is a U.S. intelligence agency that is also a component of the Defense Department. NSA is the lead U.S. agency for collecting information through electronic means. It is headquartered at Fort Meade, Maryland, and is frequently referred to simply as “The Fort.”

 

Obligation to Assist:
The proposal that each nation in a cyber war agreement would take on a requirement to help other nations and/or the appropriate international body in investigating and stopping cyber attacks originating from within its own physical boundaries.

 

Out of Band:
Communications, frequently about the management of a network, that use a different channel or method of communicating than the network being managed.

 

Server:
A computer usually accessed by many others, in order to interact with information stored on it, such as web pages or e-mails. Typically, servers are meant to operate without constant human monitoring. Routers, which direct the movement of Internet traffic, are a type of server.

 

SIPRNET:
Secret Internet Protocol Router Network is the Defense Department’s global intranet for transmitting confidential and secret-level information. The Defense Department classifies information into five catergories: unclassified, confidential, secret, top secret, top secret/SCI (specially compartmented information). The SIPRNET is supposed to be air-gapped from, i.e., not physically touching, the unclassified NIPRNET and the Internet.

 

Supervisory Control and Data Acquisition System (SCADA):
Software for networks of devices that control the operation of a system of machines such as valves, pumps, generators, transformers, and robotic arms. SCADA software collects information about the condition of and activities on a system. SCADA software sends instructions to devices, often to do physical movements. Instructions sent to devices on SCADA networks are sometimes sent over the Internet or broadcast via radio waves. Instructions are not encrypted. When the devices receive orders, they do not validate who sent the instructions.

 

TCP/IP:
Transmission Control Protocol/Internet Protocol. The format used to divide information such as e-mails into digital “packets,” each with its own
to
and
from
data so that the packet can be routed on the Internet.

 

Telecom Hotels:
Buildings that house large numbers of network routers, often places where major networks connect to each other. Internet and other cyber traffic, including voice telephony, are switched in such a facility. Large telecom hotels are sometimes called gigapops (points of presence). Early Internet switching centers were called Metropolitan Area Exchanges (MAEs); two examples are MAE East in Tysons Corner, Virginia, and MAE West in San Jose, California.

Other books

The Last Darkness by Campbell Armstrong
Shadow Sister by Simone Vlugt
Passing Time by Ash Penn
Mexican Gothic by Silvia Moreno-Garcia
The Town House by Norah Lofts
Living Hell by Catherine Jinks
A Pigeon Among the Cats by Josephine Bell
In the Silks by Lisa Wilde
Fire Angel by Susanne Matthews