The Reality of Cyber Threats: Congress Must Act
Lately I’ve been reflecting on my very last day of active duty in the military. It doesn’t seem all that long ago but it was a few days after 9/11. My last assignment was as the Department of Defense (DoD) lead for the intelligence portion of cyber warfare. Basically I was in charge of developing what role the intelligence community would play in this new form of warfare. This involved working with over 30 Department of Defense commands and all of the intelligence agencies to develop intelligence policy. A lot of people in various organizations had done some great things but there was no community wide policy. Many felt the intelligence community would never work together on this issue because of organizational politics. Many in senior leadership didn’t believe the intelligence community should play a role in cyber. “They” said it was an issue for the military communications folks. I stood with the group who felt just as the intelligence community monitored weapons development (aircraft, ships, submarines, bombs, WMD) of potential hostile nations, we should also monitor what nations and/or transnational groups were doing in the cyber field. We felt cyber would be used as a weapon and believed we would be looking at a cyber Pearl Harbor if we didn’t solve this issue. We also felt non- military targets like financial institutions and electric grids could be possible targets. The buzz word is: critical infrastructures.
Of all the battles I fought over 28 years, the fight to prove cyber warfare was not hype within the military and government circles was one of the hardest. Fighting wars or dealing with various security crises was nothing compared to trying to educate people on the threat of cyber war. It was a constant struggle but working as one team we did what everyone told me was impossible and developed agreements for sharing information via compatible data bases as well as developing a system for intelligence reporting and intelligence collection. We were able to solve most of these problems during a one week conference. One of the key players told me for years after this, he was asked to speak at various computer conferences and explain how we were able to get the intelligence community and 30 DoD commands to agree and solve what had been considered an unsolvable problem. I’ve written about it before but it’s pretty simple. We all remembered who we were there for: to support the warfighter and to support the nation. I have to say simple didn’t mean it was easy.
On the day of my briefing to the new J-2, a Washington DC money person was coming to the command to give us millions of dollars, so the Department of Defense intelligence communities could upgrade our capabilities. We had put together a 5 year plan but after 9/11 new money became available for the intelligence community. We provided a detailed plan to the money folks on what our needs were for software, hardware and trained personnel. They thought our plan had merit and that’s why they were going to give us the money. I also believe they were impressed because we had worked together as one team against all odds.
I spent about 3 hours bringing the new J-2 up to speed. After I stopped talking he told me he had not understood a word I’d said, was of the opinion that cyber was not an intelligence problem, and flatly refused us the money. I went back to my office and called up the administrative folks to tell them I was going to start my retirement leave (vacation) the next day. As I was going through the retirement paperwork one young officer came up to me and tactfully asked why was I retiring in the midst of a war. I told him the truth; the Navy had sent my relief one year early without even asking if I wanted to retire and wasn’t offering me another job. I did not share that the primary catalyst was gridlock on the cyber issue and after participating in two wars and numerous crises, I was running on empty. With the guy relieving me showing up shortly, I wouldn’t have been able to work cyber much longer anyway. I didn’t want to spend the month or so I had left on active duty sitting in my office sulking.
I don’t need a shrink to tell me I’ve been thinking about this issue because Congress failed to pass needed cyber legislation this summer. My understanding is the legislation was addressing two primary areas: information sharing between government and industry and standards for cyber protection/defenses for industry. If you go back and check Congressional testimony, you will see that at least two years prior to 9/11, then head of the CIA, George Tenant warned that the number one threat to national security was a possible terrorist attack by al Qaeda. Senior military and government leaders have been warning of the potential for a cyber Pearl Harbor for years, but so far key players in Congress and industry either don’t believe it, mumble something about privacy concerns, or say they have adequate security in place in spite of wide spread reports of successful computer espionage and hacking by China and Russia. If people are so concerned about privacy how come no one complains about those three financial monitoring services that track every purchase you make and how much debt you carry? Every time I’ve had to make a major purchase, I’ve had to take time to correct mistakes in my financial history. I never gave them permission to track the data and then I have to send them proof they’ve made a mistake!!!!
The head of cyber command, General Alexander, and the Secretary of Defense have said they are not interested in monitoring email, but skeptics do not believe them. The challenge with cyber is so much of the information is classified. People should pay very close attention to the talk Secretary of Defense Leon Panetta gave this week in New York. I understand he had to have the security gurus declassify things so he could get out the message. Here are some of the highlights:
“I know that when people think of cybersecurity today, they worry about hackers and criminals who prowl the Internet, steal people’s identities, steal sensitive business information, steal even national security secrets. Those threats are real and they exist today.
But the even greater danger — the greater danger facing us in cyberspace goes beyond crime and it goes beyond harassment. A cyber attack perpetrated by nation states or violent extremists groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation.”
“Let me give you some examples of the kinds of attacks that we have already experienced. In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called Distributed Denial of Service attacks. These attacks delayed or disrupted services on customer websites. While this kind of tactic isn’t new, the scale and speed with which it happened was unprecedented.
But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco. Shamoon included a routine called a ‘wiper’, coded to self-execute. This routine replaced crucial systems files with an image of a burning U.S. flag. But it also put additional garbage data that overwrote all the real data on the machine. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers.”
The Secretary laid out how a cyber Pearl Harbor might play out:
“Let me explain how this could unfold. An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches. They could, for example, derail passenger trains or even more dangerous, derail trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shutdown the power grid across large parts of the country.
The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack on our country. Attackers could also seek to disable or degrade critical military systems and communication networks. The collective result of these kinds of attacks could be a “cyber Pearl Harbor:” an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.”
I’ll conclude by saying the people working on this problem are not making up the threat. There are ugly things going on, and we we are already at war in cyber space.
Think I’ll end here. As always my views are my own.
Gail Harris is a Truman Security Fellow