Cyber War: The Next Threat to National Security and What to Do About It (13 page)

Code developers may go one step further than just leaving an access point and insert a “logic bomb.” The term encompasses a spectrum of software applications, but the idea is simple. In addition to leaving behind a trapdoor in a network so you can get back in easily, without setting off alarms and without needing an account, cyber warriors often leave behind a logic bomb so they don’t have to take the time to upload it later on when they need to use it. A logic bomb in its most basic form is simply an eraser, it erases all the software on a computer, leaving it a useless hunk of metal. More advanced logic bombs could first order hardware to do something to damage itself, like ordering an electric grid to produce a surge that fries circuits in transformers, or causing an aircraft’s control surfaces to go into the dive position. Then it erases everything, including itself.

America’s national security agencies are now getting worried about logic bombs, since they seem to have found them all over our electric grid. There is a certain irony here, in that the U.S. military invented this form of warfare. One of the first logic bombs, and possibly the first incidence of cyber war, occurred before there even really was much of an Internet. In the early 1980s, the Soviet leadership gave their intelligence agency, the KGB, a shopping list of Western technologies they wanted their spies to steal for them. A KGB agent who had access to the list decided he would rather spend the rest of his days sipping wine in a Paris café than freezing in Stalingrad, so he turned the list over to the French intelligence service in exchange for a new life in France. France, which was part of the Western alliance, gave it to the U.S. Unaware that Western intelligence had the list, the KGB kept working its way down, stealing technologies from a host of foreign companies. Once the French gave the list to the
CIA, President Reagan gave it the okay to help the Soviets with their technology needs, with a catch. The CIA started a massive program to ensure that the Soviets were able to steal the technologies they needed, but the CIA introduced a series of minor errors into the designs for things like stealth fighters and space weapons.

Weapons designs, however, were not at the top of the KGB’s wish list. What Russia really needed was commercial and industrial technology, particularly for its oil and gas industry. In order to get the product from the massive reserves in Siberia to Russian and Western consumers, oil and gas had to be piped over thousands of miles. Russia lacked the technology for the automated pump and valve controls crucial to managing a pipeline thousands of miles long. They tried to buy it from U.S. companies, were refused, and so set their sights on stealing it from a Canadian firm. With the complicity of our northern neighbors, the CIA inserted malicious code into the software of the Canadian firm. When the Russians stole the code and used it to operate their pipeline, it worked just fine, at least initially. After a while, the new control software started to malfunction. In one segment of the pipeline, the software caused the pump on one end to pump at its maximum rate and the valve at the other end to close. The pressure buildup resulted in the most massive non-nuclear explosion ever recorded, over three kilotons.

If the Cold War with Russia heats up again, or if we were to go to war with China, this time it might be our adversaries who have the upper hand in cyber war. The United States’ sophisticated arsenal of space-age weapons could be turned against us to devastating effect. Our air, land, and sea forces rely on networked technologies that are vulnerable to cyber weapons that China and other near peer adversaries have developed with the intention of eliminating our conventional superiority. The U.S. military is no more capable of operating without the Internet than Amazon.com would be. Logistics, command and control, fleet positioning, everything down to targeting,
all rely on software and other Internet-related technologies. And all of it is just as insecure as your home computer, because it is all based on the same flawed underlying technologies and uses the same insecure software and hardware.

With the growth of outsourcing to countries like India and China that Friedman got so excited about, the likelihood that our peer competitors have been able to penetrate major software and hardware companies and insert such code into the software we rely on has only increased. In the world of computer science and networking, experts long thought that the two most ubiquitous operating-system codes (software that tells hardware what to do) were also the most badly written, or “buggy,” computer code. They were Microsoft’s Windows operating system for desktop and laptop computers, and Cisco’s for large Internet routers. Both systems were proprietary, meaning not publicly available. You could buy the software as a finished product, but you could not get the underlying code. There were, however, several known instances in which Microsoft’s security was compromised and the code stolen, giving the recipient the opportunity to identify the software errors and ways to exploit them.

I mentioned above (in chapter 2) that China had essentially blackmailed Microsoft into cooperating with it. China had announced that it would develop its own system based on Linux, called Red Flag, and said it would require that it be used instead of Microsoft. Soon Microsoft was bargaining with the Chinese government at the highest level, helped along by its consultant, Henry Kissinger. Microsoft dropped its price, gave the Chinese its secret code, and established a software research lab in Beijing (the lab is directly wired into Microsoft’s U.S. headquarters). A deal was struck. It must have been a good deal: the President of China then visited Bill Gates at his home near Seattle. The Chinese government now uses Microsoft, but it is that special variation with a Chinese government en
cryption module. One former U.S. intelligence officer told us, “This may mean that no one can hack Windows easily to spy on China. It certainly does not mean that China is less able to hack Windows to spy on others.”

What can be done to millions of lines of code can also be done with millions of circuits imprinted on computer chips inside computers, routers, and servers. Chips are the guts of a computer, like software in silicon. They can be customized, just like software. Most experts cannot look at a complicated computer chip and determine whether there is an extra piece here or there, a physical trapdoor. Computer chips were originally made in the U.S., although now they are mostly manufactured in Asia. The U.S. government once had its own chip factory, called a “fab” (short for “fabrication facility”); however, the facility has not kept pace with technology and cannot manufacture the chips required for modern systems. Recently the world’s second-largest chip manufacturer, AMD, announced its intentions to build the most advanced fab in the world in upstate New York. It will be partially government funded, but not by the U.S. government: AMD got a big investment from the United Arab Emirates.

It is not that the U.S. government is unaware of the problem of software and hardware being made globally. In fact, in his last year in office, President George W. Bush signed PDD-54, a secret document that outlines steps to be taken to defend the government better from cyber war. One of those programs is reported to be a “Supply Chain Security” initiative, but it will be difficult for the U.S. government to purchase only software and hardware made in the U.S. under secure conditions. Currently, it would be difficult to find any.

MACHINES CONTROLLED FROM CYBERSPACE

Neither the vulnerabilities of Internet design nor the flaws in software and hardware quite explain how cyber warriors could make computers attack. How is it that some destructive hand can reach out from cyberspace into the real world and cause serious damage?

The answer stems from the rapid adoption of the Internet and cyberspace by industries in the U.S. in the 1990s. During that decade evangelical information-technology companies showed other corporations how they could save vast amounts of money by taking advantage of computer systems that could do things deep into their operations. Far beyond e-mail or word processing, these business practices involved automated controls, inventory monitoring, just-in-time delivery, database analytics, and limited applications of artificial-intelligence programs. One Silicon Valley CEO told me enthusiastically in the late 1990s how he had applied these techniques to his own firm. “Somebody wants to buy something, they go online to our site. They customize the product they want and hit
BUY
. Our system notifies the parts makers, plans to ship the parts to the assembly plant, and schedules assembly and delivery. At the assembly plant, robotic devices put the product together and put it in a box with a delivery label on it. We don’t own the computer server that took the order, the parts plants, the assembly plant, or the delivery aircraft and trucks. It’s all outsourced and it’s all just-in-time delivery.” What he owned was the research department, the design team, and some corporate overhead. At companies like his, and in the U.S. economy in general, profitability soared.

What made all of that possible was the deep penetration in the 1990s of information-technology systems into companies, into every department. In many industries, controls that were once manually activated were converted to digital processors. Picture the factory or
plant of the twentieth century where some guy in a hard hat got a call from his supervisor telling him to go over and crank some round valve or change some setting. I can see it vividly, my father worked in a place like that. Today, in almost every industry, fewer people are required. Digital control systems monitor activity and send commands to engines, valves, switches, robotic arms, lights, cameras, doors, elevators, trains, and aircraft. Intelligent inventory systems monitor sales in real time and send out the orders to make and ship replacements, often without a human in the loop.

The conversion to digital control systems and computer-managed operations was quick and thorough. By the turn of the century, most of the old systems were retired, even from the role of “backup.” Like Cortés burning his ships after arriving in the New World, U.S. companies and government agencies built a new world in which there were only computer-based systems. When the computers fail, employees stand around doing nothing or go home. Try to find a typewriter and you will get the picture of this new reality.

Just as the Internet, and cyberspace in general, is replete with software and hardware problems and configuration shortcomings, so are the computer networks that run major corporations, from utilities to transportation to manufacturing. Computer networks are essential for companies or government agencies to operate. “Essential” is a word chosen with care, because it conveys the fact that we are dependent upon computer systems. Without them, nothing works. If they get erroneous data, systems may work, but they will do the wrong things.

Despite all the money spent on computer security systems, it is still very possible to insert erroneous data into networks. It can mean that systems shut down, or damage themselves, or damage something else, or send things or people to the wrong places. At 3:28 p.m. on June 11, 1999, a pipeline burst in Bellingham, Washington. Gasoline began spilling out into the creek below. The gas quickly
extended well over a mile along the creek. Then it caught fire. Two ten-year-old boys playing along the stream were killed, as was an eighteen-year-old farther up the creek. The nearby municipal water-treatment plant was severely damaged by the fire. When the U.S. National Transportation Safety Board examined why the pipeline burst, it focused on “the performance and security of the supervisory control and data acquisition (SCADA) system.” In other words, the software failed. The report does not conclude that in this case the explosion was intentionally caused by a hacker, but it is obvious from the analysis that pipelines like the one in Bellingham can be manipulated destructively from cyberspace.

The clearest example of the dependency and the vulnerability brought on by computer controls also happens to be the one system that everything else depends upon: the electric power grid.

As a result of deregulation in the 1990s, electric power companies were divided up into generating firms and transmission companies. They were also allowed to buy and sell power to each other anywhere within one of the three big power grids in North America. At the same time, they were, like every other company, inserting computer controls deep into their operations. Computer controls were also installed to manage the buying and selling, generation, and transmission. A SCADA system was already running each electric company’s substations, transformers, and generators. That Supervisory Control and Data Acquisition system got and sent signals out to all of the thousands of devices on the company’s grid. SCADAs are software programs, and most electric companies use one of a half dozen commercially available products.

These control programs send signals to devices to regulate the electric load in various locations. The signals are most often sent via internal computer network and sometimes by radio. Unfortunately, many of the devices also have other connections, multiple connections. One survey found that a fifth of the devices on the electric
grid had wireless or radio access, 40 percent had connections to the company’s internal computer network, and almost half had direct connections to the Internet. Many of the Internet connections were put in place to permit their manufacturers to do remote diagnostics.

Another survey found that at one very large electric company, 80 percent of the devices were connected to the corporate intranet, and there were, of course, connections from the intranet out to the public Internet. What that means is that if you can hack from the Internet to the intranet, you can give orders to devices on the electric grid, perhaps from some nice cyber café on the other side of the planet. Numerous audits of electric power companies by well-respected cyber security experts have found that this is all very doable. What sort of things might you do with controls to the grid?

In 2003, the so-called Slammer worm (big, successful computer malware attacks get their own names) got into and slowed controls on the power grid. A software glitch in a widely used SCADA system also contributed to the slowed controls. So when a falling tree created a surge in a line in Ohio, the devices that should have stopped a cascading effect did not do so until the blackout got to somewhere in southern New Jersey. The result was that eight states, two Canadian provinces, and 50 million people were without electricity, and without everything that needs electricity (such as the water system in Cleveland). The tree was the initiator, but the same effects could have been achieved by a command given over the control system by a hacker. In fact, in 2007 CIA expert Tom Donahue was authorized to tell a public audience of experts that the Agency was aware of instances when hackers had done exactly that. Although Tom didn’t say where hackers had caused a blackout as part of a criminal scheme, it was later revealed that the incident took place in Brazil.