Virtual Defense

THE WEAKNESS OF A SUPERPOWER

Just as World War I introduced new weaponry and modern combat to the twentieth century, the information age is now revolutionizing warfare for the twenty-first. Around the world, information technology increasingly pervades weapons systems, defense infrastructures, and national economies. As a result, cyberspace has become a new international battlefield. Whereas military victories used to be won through physical confrontations of weapons and soldiers, the information warfare being waged today involves computer sabotage by hackers acting on behalf of private interests or governments. The recent escalation of tension between Israel and the Palestinians, for example, has had a prominent virtual dimension. From October 2000 to January 2001, attacks by both sides took down more than 250 Web sites, and the aggressions spread well beyond the boundaries of the Middle East to the computer networks of foreign companies and groups seen as partisan to the conflict.

A decade after the end of the Cold War, the U.S. military stands as an uncontested superpower in both conventional and nuclear force. Ironically, its overwhelming military superiority and its leading edge in information technology have also made the United States the country most vulnerable to cyber-attack. Other nations know that they have fallen behind in military muscle, so they have begun to look to other methods for bolstering their war-fighting and defense capacities—namely, "asymmetrical warfare," which the Pentagon characterizes as "countering an adversary's strengths by focusing on its weaknesses."

Furthermore, the U.S. military is radically changing. The "revolution in military affairs" seeks to apply new technology, particularly digital information technology, to operational and strategic concepts. With plans ranging from computer-based weapons research programs to software that encrypts classified military data, from computer-guided "smart" bombs to a space-based missile defense, America's military forces are coming to depend more and more on computers and information networks. These two factors—the dominance of U.S. conventional forces and the military's already extensive and growing use of information technology—make cyber-attack an increasingly attractive and effective weapon to use against the United States.

But U.S. defense plans and policymakers' concept of national security have not caught up to the new threats of computer warfare. Indeed, recent warnings indicate that the United States remains highly vulnerable. To address this challenge, Washington urgently needs to modernize its thinking and transcend its strategies of deterrence and national security, which remain fixed in the Cold War, pre-Internet world.

MOONLIGHT MAYHEM

In March 1998, the Department of Defense detected the most persistent and serious computer attack against the United States to date. In a still ongoing operation that American investigators have code-named Moonlight Maze, a group of hackers has used sophisticated tools to break into hundreds of computer networks at NASA, the Pentagon, and other government agencies, as well as private universities and research laboratories. These cyber-intruders have stolen thousands of files containing technical research, contracts, encryption techniques, and unclassified but essential data relating to the Pentagon's war-planning systems.

Since Moonlight Maze was first discovered, the U.S. intelligence community has been engaged in the largest cyber-intelligence investigation ever. But more than three years of work have produced disturbingly few clues. The attacks appear to be coming from seven Russian Internet addresses, but it is unclear whether the initiative is state-sponsored. Last year, Washington issued a demarche to the Russian government and provided Russian officials with the telephone numbers from which the attacks appeared to be originating. Moscow said the numbers were inoperative and denied any prior knowledge of the attacks.

Meanwhile, the assault has continued unabated. The hackers have built "back doors" through which they can re-enter the infiltrated systems at will and steal further data; they have also left behind tools that reroute specific network traffic through Russia. Despite all the investigative effort, the United States still does not know who is behind the attacks, what additional information has been taken and why, to what extent the public and private sectors have been penetrated, and what else has been left behind that could still damage the vulnerable networks.

Destructive as it is, Moonlight Maze is just a taste of dangers to come. U.S. military leaders increasingly recognize that losing information battles will undermine the country's ability to fight any battles at all. Missile defense, for example, will not be worth the billions it will cost if digital attacks undermine its software or infrastructure. And opponents of missile defense could handicap the system at the development stage by attacking the technology at its source—breaking into the computer networks of the corporations that design the system and making slight modifications that ensure huge costs and long delays.

The U.S. military's vulnerability to cyber-attack became clear in June 1997, when the Joint Chiefs of Staff launched an exercise code-named Eligible Receiver to test the nation's computer defenses. Their scenario imagined a military crisis on the Korean Peninsula that forced Washington to rapidly bolster South Korean forces with troops and aircraft. Thirty-five men and women from the National Security Agency (NSA) were split into four teams, three in the United States and one on a ship in the Pacific, to simulate hackers hired by North Korea to subvert the American operation. These hackers received no advance intelligence about U.S. information networks and could use only publicly available equipment and information. Even though they were not allowed to break U.S. law, they could use any computer hacking programs they could find freely available on the Internet. (Some 30,000 Web sites post hacker codes, which can be downloaded to break passwords, crash systems, and steal data.)

Over the course of the next two weeks, the teams used the commercial computers and hacking programs they downloaded from the Internet to simultaneously break into the power grids of nine American cities and crack their 911 emergency systems. This exercise proved that genuine hackers with malicious intent could, with a couple of keystrokes, have turned off these cities' power and prevented the local emergency services from responding to the crisis.

Having ensured civilian chaos and distracted Washington, the NSA agents then attacked 41,000 of the Pentagon's 100,000 computer networks and got in to 36. Only two of the attacks were detected and reported. The agents were thus able to roam freely across the networks, sowing destruction and distrust wherever they went. They could, for example, have sent truck headlights to an f-16 fighter squadron requesting missiles or rerouted aircraft fuel to a port rather than an air base. The hackers also managed to infect the human command-and-control system with a paralyzing level of mistrust. Orders that appeared to come from a commanding general were fake, as were bogus news reports on the crisis and instructions from the civilian command authorities. As a result, nobody in the chain of command, from the president on down, could believe anything. This group of hackers using publicly available resources was able to prevent the United States from waging war effectively.

In October 1999, a second exercise, code-named Zenith Star, tested the lessons learned from Eligible Receiver. On this occasion, the "hackers" attacked the power systems feeding several U.S. military bases and then overwhelmed local 911 emergency systems with a flood of computer-generated calls. The test showed that some improvement had occurred since Eligible Receiver, but coordination between government agencies was still poor and the national infrastructure remained vulnerable to attack.

The potential nightmares of Eligible Receiver and Zenith Star, as well as the real and ongoing Moonlight Maze sabotage, are visible signs of a new war already being waged in cyberspace. This war is largely hidden from public view but the infrastructure protection it requires is costing the private sector and the U.S. taxpayer billions of dollars. And thus far, the war is operating in an environment of near chaos. Unlike during the Cold War, when the nuclear standoff produced its own understandable rules of the game that included a sophisticated deterrence mechanism, no legal or de facto boundaries inhibit cyber-aggressions. Instead, information warfare is a free-for-all, with more and more players hurrying to join the scrimmage.

WAR BY OTHER MEANS

The U.S. government now believes that more than 30 nations have developed aggressive computer-warfare programs. The list includes Russia and China, volatile governments such as Iran and Iraq, and U.S. allies such as Israel and France. Ambitious newcomers, including India and Brazil, are also seeking to become powers in the world of virtual combat.

Americans celebrated the Persian Gulf War as a major victory for U.S. military forces and as a vindication of the nation's defense structure. But outside the United States, the conflict taught an additional lesson: a direct military confrontation with the United States would inevitably result in defeat. So while the United States has continued to develop its conventional forces (the Pentagon's defense budget is now larger than those of the 12 next largest nations combined), other countries have looked elsewhere for an asymmetric advantage. "The rest of the world realizes that you don't take the United States on in a military frontal sense, but you can probably bring it down or cause severe damage in a more oblique way," asserts Art Money, assistant secretary of defense for command, control, and intelligence. "And that's where the vulnerability in the United States resides."

One country that American intelligence has been closely monitoring is China, which is actively exploring the possibilities raised by this new American vulnerability. Because Beijing sees the United States as its principal antagonist in the twenty-first century, Chinese military leaders and policymakers have made an intensive effort to apply the lessons learned from the Persian Gulf War's show of American military might. The heated Chinese debate about how to seize a military advantage over the United States produced a partial answer in Unrestricted Warfare, written by two People's Liberation Army (PLA) colonels, Qiao Liang and Wang Xiangsui. The book clearly sets out why China considers the Gulf War to have been the last hurrah for the old-style warrior.

[T]he age of technological integration and globalization ... has realigned the relationship of weapons to war. ... Does a single "hacker" attack count as a hostile act or not? Can using financial instruments to destroy a country's economy be seen as a battle? Did CNN's broadcast of an exposed corpse of a U.S. soldier in the streets of Mogadishu shake the determination of the Americans to act as the world's policeman, thereby altering the world's strategic situation? ... When we suddenly realize that all these non-war actions may be the new factors constituting future warfare, we have to come up with a new name for this new form of war: Warfare which transcends all boundaries and limits—in short, unrestricted warfare.

The authors believe that China will never be able to match American technological superiority. Moreover, having watched Moscow spend itself into oblivion trying to win the Cold War arms race, Beijing will seek to avoid the same mistake. Instead, the authors write, a digital attack will give China a significant asymmetric advantage and even bring about the defeat of the United States. China has therefore been making large investments in new technology for the PLA and has established a special information-warfare group to coordinate national offense and defense. China-watchers in the Pentagon refer to these efforts as the creation of "the Great Firewall of China."

Part of the reason for such aggressive action is that China suspects that it is already under cyber-attack from the United States. Every piece of computer hardware or software imported from the United States or its allies is subject to detailed inspection when it arrives at the border. China's own technicians then take control of the goods and either resist or closely monitor Western experts' efforts to install the equipment themselves.

The same restrictions apply in Russia, where political and military leaders are convinced that they are losing the cyberspace war to the United States. For the past two years, Moscow has quietly circulated among the members of the U.N. Security Council drafts of a possible arms-control treaty for cyberspace. The United States and its allies have dismissed the proposals as the desperate posturing of a nation with a weak information economy that is losing the cyber-war.

Indeed, from the perspective of information-technology powers such as the United States, an arms control treaty that will primarily benefit those nations falling behind in the information war makes no sense.

NATIONAL INSECURITY

Although Moscow's idea of an international treaty to limit information warfare may seem far-fetched, the concept of an effective deterrence regime for cyberspace is gaining currency in Washington. As the information revolution gathers pace, so do the frequency and sophistication of the attacks on U.S. computer and communications networks. And these attacks have made glaringly clear two dangerous changes in U.S. military and national security structures.

First, during the Cold War, Washington controlled the pace of U.S. technology development by directly funding approximately 70 percent of technology research. Today, that figure is less than 5 percent. Technological innovation is now driven by private interests that refuse to depend on Washington's archaic acquisition systems. Instead, technology entrepreneurs strive incessantly to increase the speed of change.

That shift from public to private funding has been matched by the development of a new weapons platform known as the personal computer. The ammunition for this weapon—the hacking tools—come free on the Web and are constantly being updated. One needs only access to a computer, Internet capabilities, and a little bit of technical savvy to become an information warrior. And unlike twentieth-century weapons innovations that took an average of 15 years to enter military service, today's newest versions of computers and software are available everywhere and accessible to everyone at the same time.

Second, the front line in this new war has changed. In the last century, the crucial battlefront was generally seen as the place where soldiers, sailors, and aviators met in combat. For the United States, with no aggressive neighbors on its borders, defense of the homeland meant projecting power overseas when U.S. interests were endangered. This strategy has worked well since the nation was founded; unlike most modern great powers, the United States has rarely been invaded by foreign forces.

The cyber-world has changed that paradigm. Seeking to avoid a direct military confrontation with U.S. forces, potential foreign aggressors now look instead to attack the soft American underbelly—the private sector—and to do so in such a way as to make military retaliation very difficult, either because the attack's origin is unknown or because the perpetrators have sabotaged civilian or military command networks. The private and public sectors together now form the front line of twenty-first-century warfare, and private citizens are the likely first target.

Despite the warning signs, the United States still does not prioritize threats to the private sector or sufficiently emphasize cooperation between citizens and government in defense. In many cases, Washington remains legally constrained from passing on information about potential threats to the private sector. For example, intelligence officials now believe that certain hardware and software imported from Russia, China, Israel, India, and France are infected with devices that can read data or destroy systems. The names of the suspected companies and products are not available to the private sector, however, and because that information and the intelligence that supports it are so highly classified, the suspicions are impossible to verify.

In addition, the U.S. defense posture, which is designed around power projection and not homeland defense, leaves the country's information and communications networks vulnerable. Currently no mechanism exists for effective defense of the computer networks of businesses, the power grids of American cities, or even the information networks of the federal government. Indeed, cyber-defense is left to the FBI, a law-enforcement agency meant to pursue criminals, not defend the nation. Thus far, the FBI's efforts to coordinate cyber-defense have been hampered by a lack of technological skills and resources. The bureau has supposedly been coordinating the sharing of information across public and private sectors but has in fact focused on its traditional role of law enforcement.

The Clinton administration's response to these challenges was fragmented and disorganized. Leadership in cyber-warfare was supposed to come from the National Security Council (NSC), but not enough materialized. Relations between the FBI and the NSC were tense, and those between the NSC and the Pentagon even worse, with officials refusing even to speak with one another. And cooperation among the military services remains weak, despite efforts to put all computer warfare under a single entity, the U.S. Space Command. Every service has developed its own information-warfare capability at huge cost and with significant duplication of effort. Similarly, the CIA, the Defense Intelligence Agency, and the NSA have each undertaken independent information-warfare efforts, with little cooperation between them.

GETTING TOUGH

After World War II, the detonation of two nuclear bombs over Japan frightened the world enough to provoke a ferment of activity inside the world's governments and the academic community—leading in time to the development of a nuclear deterrent strategy. The world knew that a nuclear attack against the United States or one of its allies, or against the Soviet Union or a Soviet ally, would provoke instant nuclear retaliation. Defense planners later applied this strategy of deterrence through the threat of mutually assured destruction to chemical and biological weapons as well. During the Gulf War, for example, Saddam Hussein recognized that if he used chemical or biological weapons, he could expect a devastating, if unspecified, response.

But with no U.S. strategy for deterrence in the virtual world and no clear thinking about a legal regime for retaliation against cyber-attack, potential hackers can battle the United States with impunity. Consider what happened in May 2000, when a hacker in the Philippines launched the "Love Letter" virus around the world. In the United States, the Veterans Health Administration received 7 million "I Love You" messages, 1,000 files were damaged at NASA, and recovery from the attack at the Department of Labor required more than 1,600 employee hours and 1,200 contractor hours. Estimates of the cost of the attack to the United States range from $4 billion to $15 billion—or the equivalent, in conventional war terms, of the carpet-bombing of a small American city. Yet Washington did nothing to prosecute the hacker or to recover damages. Although the hacker was arrested, he was later released because Philippine law is not designed to prosecute such crimes.

MEDICINE FOR THE VIRUS

The problems in the current U.S. defense system and national security paradigm are easy to identify. But remedying those problems by creating an effective defense and deterrent will be much more difficult. Bringing order to the new frontier of information warfare will require a robust strategy and sound tactics.

First and foremost, primary responsibility for the cyber-defense of the nation must be given to the Department of Defense. The NSC has failed to lead the battle in computer warfare, in part because it has lacked the financial and military muscle to do so. In Washington's bureaucratic maze, where departments and agencies vie for money, the cyber-threat has often been seen as just another excuse to win additional funding to take on the task of network defense. Because it lacks bureaucratic punch, the NSC's warnings about cyber-threats to national security have gone largely unheeded.

The FBI, which has the training and resources to investigate and apprehend hackers, can play a crucial role in fighting cyber-crime, but it should not coordinate the battle. The bureau has a reputation for not sharing information with other government departments, and its initiative to promote communication between government and the private sector has produced disappointing results. The FBI officials in charge of that project argue that the bureau itself remains uncommitted to the cyber-defense role and has not allocated the necessary people, money, and technology to cyber-defense.

Certainly, there are some doubts about the wisdom of giving the Pentagon the information-defense mandate. Foreign enemies of the United States face U.S. military services that are authorized to protect and defend the nation, whereas American citizens enjoy civil rights that domestic law-enforcement agencies such as the FBI must observe. So lawmakers and civil libertarians are understandably nervous about extending the military's powers to the homeland. But the United States has two underused assets at its disposal that will allow it to avoid this contentious move: the military reserves and the National Guard. These groups already have the technology skills needed to run an effective information defense, because their personnel are also integrated into the technology-driven private sector. Homeland defense, coordinated by the Pentagon and using the National Guard and the reserves, is the way to protect America's information networks.

The Pentagon has the resources to lead information defense but has been reluctant to take on this mission. To assume this additional role now would require realigning Defense Department priorities and reallocating resources from traditional power projection abroad to homeland defense. But national defense is the Pentagon's business. And in the information age, national defense must include cyber-defense.

In order for defense planners to coordinate a strategy for cyberspace, the definitions of national security and the appropriate methods of managing it need to be redefined. "National security" has always meant protecting the nation's borders from foreign attack, and the perceived national interest has often led to the projection of U.S. military power overseas to protect the homeland. But as the Chinese clearly understand, future war is no longer going to focus on borders and territorial disputes. In addition, previously it was defeat on the battlefield that decided the outcome of a conflict, and any wartime attacks on a country's private sector primarily targeted its industrial complex. In cyberspace, however, the asymmetric advantage goes to whoever understands that a successful computer attack against privately owned information networks is just as effective a weapon as military force. This is an uncomfortable concept for both military and political leaders to grasp, because it requires, first, acknowledging that the barriers between the public and private sectors have eroded and, second, embracing innovative strategies that take the private sector's new technological skills and vulnerability into account.

Furthermore, effective defense means deterring attacks before they occur. The threat of retaliation is a good preventive strategy. Every nation already understands the consequences of using weapons of mass destruction against the United States. Washington must similarly put the world on notice that it will consider a cyber-attack against any U.S. entity an act of war that will generate an appropriate response. It must also make clear that the United States does not distinguish between methods of attack; whether struck by a bomb or a computer virus, it cares only about the effect.

But acts of aggression against U.S. information networks will occur, and guidelines for responding need to be developed. As Washington has learned from Moonlight Maze, pinning the blame on a specific group or nation is tough. Many nations faced similar challenges from terrorism in the late 1960s and early 1970s, when they suffered from a critical shortage of intelligence, little cooperation between governments, and no defensive capability, either civilian or military, to protect against the new phenomenon of transnational terrorism. By the mid-1980s, however, intelligence had improved dramatically, nations were cooperating more, and defensive measures had been put in place. The result was the containment of the terrorism problem, although it will never be fully eliminated. The same parallels apply in cyberspace.

If the United States is to respond effectively to cyber-attack, it must first know who is responsible for the aggression. Finding criminals who act through computer networks is a tough challenge, since attacks in cyberspace can come from multiple points simultaneously, with their origins disguised. For example, in February 1998, while tensions were mounting once again with Iraq, the Pentagon discovered a sophisticated set of intrusions into a number of Defense Department information systems. These attacks, code-named Solar Sunrise, seemed designed to gather intelligence on U.S. plans for actions in Iraq and disrupt command-and-control and logistics systems. The hacks were assumed to have been organized by Iraq, and their origin was traced to Abu Dhabi. A strike force was sent to that Gulf state and, after receiving permission from its government, entered what was thought to be the building where the Iraqi computer team was hiding. In fact, the building housed not Iraqis but computer servers; the attacks were not ordered by Baghdad, and Abu Dhabi was simply a false trail laid by the hackers. Shortly afterward, two teenagers in California were arrested. It turned out that they and an Israeli hacker had launched Solar Sunrise, and their motivation had nothing to do with Iraq.

U.S. policymakers must also resolve the legal and moral questions surrounding retaliation in information warfare. The legal principle of proportionality applies to issues of national sovereignty—a nation has every right to use force to defend itself against territorial incursion. But there is no clear understanding of how or whether proportionality should apply to information warfare, which involves civilian populations to a greater extent than does traditional war. If China launched a network attack to turn off the power in Chicago in midwinter, killing large numbers of the city's residents, would the United States be justified in using remote systems to raise the gates of a dam in China and kill the Chinese living in the valley below? Is responding to a cyber-attack with conventional force legally, morally, or politically acceptable? These difficult questions have so far frustrated computer warriors and lawyers alike.

In such a confused environment, the intelligence agencies must improve their sources and methods. They will have to develop new means of infiltrating private or government-sponsored groups that wage war in cyberspace. The CIA targets parties hostile to the United States and develops covert operations to counter them—and the same methods must be employed against those who choose computer networks as their battlefield.

Complicating the intelligence agencies' task of finding computer attackers is the fact that hackers can use many different routes, so that an attack that seems to come from London has actually originated in Brazil and traveled to the United States via Moscow and Antwerp. Tracing an e-mail virus back to its source, for example, requires individual authorization from every jurisdiction through which it has traveled. This time-consuming job restricts the ability of law enforcement to arrest an attacker and of the Pentagon to retaliate. Congress should pass new legislation that will allow the tracking of intrusions through the Internet. Further legislation is needed to allow law-enforcement agents to infiltrate computer networks when tracking a cyber-criminal, just as they can tap telephone lines. If a national security priority can be shown, such taps could be allowed by law. Congress already has the authority to pass some such legislation—indeed, the intelligence community is authorized to gather information from foreign computer networks. But for Congress to acquire the necessary legal license and political leeway to pass comprehensive and effective measures, the cooperation of other governments is required.

During the Cold War, U.S. and foreign policymakers appropriately recognized that an armed conflict could threaten access to vital oil supplies. Washington managed the problem by positioning supplies in areas of risk, developing a rapid deployment force, and forming international alliances. In the event of a conflict, American and allied forces could be rapidly deployed to protect the oil supplies, as happened before the Gulf War. The same solutions are relevant in a world where computer attacks could cut American access to an equally vital economic fuel: computer networks. Although the United States has developed some effective cyber-weapons that can destroy an enemy's computer network or interrupt a nation's fuel and water supplies, there is disagreement about when and how they can be used.

These questions must be sorted out inside the United States to avoid the kind of confusion that emerged in Bosnia. There, the military wanted to unleash some information attacks against the Bosnian Serbs, but officials in the Justice Department expressed real concern about whether such attacks were legal. Coordination with U.S. allies is also necessary to share information on the threat and what can be done to overcome it. During the Cold War, the United States and its allies developed an effective early warning system to detect and track the launch of nuclear missiles, which could reach their targets within minutes. Similarly, a hacking technique or e-mail virus developed in Europe can hit the United States a few minutes later. But as of yet, there is no effective warning against cyber-attacks.

Another gap in U.S. information defense concerns the several countries with offensive information-warfare programs that use private companies as a cover for planting malicious code in seemingly benign computer software. For example, India or Israel may sell a software solution to a U.S. government agency that has a virus embedded within it. Currently, there is no way of comparing a specific piece of software to other commercially available products to check for any discrepancy in the source code. Developing the technological means to vet software codes should be a priority for both the public and the private sectors. The president could assign this task to the National Science Foundation. At the same time, foreign companies need to understand that if malicious code is found in their products, there will be an economic price to pay, such as an import ban. Such a threat would swiftly persuade foreign companies that cooperating with their governments in waging computer warfare is not in their best economic interests.

BRAVING THE NEW WORLD

Even if Washington takes steps to create, guide, and direct a coherent strategy to combat the cyber-threats to national security, effective defense will work only in cooperation with the private sector. A new partnership must be forged between policymakers and the high-tech community, which generally has better intelligence about information-network threats than does the government. U.S. network vulnerability is a shared problem, and there must be a shared solution.

The Bush administration has an opportunity to redefine the national security environment. The threat of cyber-attack demands leadership and creative thinking that will produce new solutions. If the administration remains stuck in the outdated, Cold War paradigm of conflict, U.S. status as a military superpower will be jeopardized by the new players of the cyber-world. The United States must neutralize the asymmetric advantage of waging virtual war.