Cyber War: The Next Threat to National Security and What to Do About It (18 page)

On privacy rights, and civil liberties in general, I am far more categorical. We need to be vigilant, lest government erode our rights. This is not an unjustified fear. Well-meaning provisions of the Patriot Act were abused in recent years. Other restrictions on government action, including those in the Bill of Rights and in the Foreign Intelligence Surveillance Act, were simply ignored. If what we need to do to defend ourselves from cyber war opens the possibility of further government abuse, we will need to do more than simply pass laws making such government action illegal. That has not stopped some in the past. (Cheney, I’m thinking of you here.) We will also have to create empowered, independent organizations to investigate whether abuses are occurring and to bring legal action against those who are violating privacy laws and civil liberties. The safest way to deal with the threat of further abuse is, of course, not to create new programs that government officials could misuse to violate our rights. There may be times, however, as in the case of cyber war,
when we should examine whether effective safeguards can be put in place so that we can start new programs that entail some risk.

4. CASSANDRAS AND RED HERRINGS

Part of the reason that we are so unprepared today is the “boy who cried wolf too soon” phenomenon. Sometimes the boy who cries wolf can see the wolf coming from a lot farther away than everyone else. The Joint Security Commission of 1994, the Marsh Commission of 1997, the Center for Strategic and International Studies (CSIS) commission of 2008, the National Academy of Science commission of 2009, and many more in between have all spoken of a major cyber security or cyber war risk. They have been criticized by many as Cassandras, the type of people who are always predicting disaster. The earth will be hit by a giant meteor. A shift in magnetic north from one pole to another will cause solar wind that will destroy the atmosphere. Well, almost all real experts in the relevant fields of science believe the meteor and pole-shifting scenarios will happen. They just do not know when, and therefore we probably should not get too excited. The various commissions and groups warning about cyber war have not really been wrong about the timing; they were warning us when we had sufficient time to do something in advance of a disaster. It is worth remembering that, despite the bad rap she gets, Cassandra was not wrong about her predictions; she was simply cursed by Apollo never to be believed.

Unfortunately, one thing that is too often believed is that there is a threat from “cyber terrorism.” Cyber terrorism is largely a red herring and, in general, the two words “cyber” and “terrorism” should not be used in conjunction because they conjure up images of bin Laden waging cyber war from his cave. He probably can’t, at least not yet. (Moreover, he’s probably not in a cave, more likely a cushy
villa.) Indeed, we do not have any good evidence that terrorists have ever staged cyber war attacks on infrastructure.

To date, terrorists haven’t so much attacked the Internet or used the Internet to attack physical systems as they have used it to plan and coordinate attacks on embassies, railroads, and hotels. They have also used the Internet to raise funds, recruit, and train. After al Qaeda lost their training grounds in Afghanistan following 9/11, much of what went on there shifted to the web. Training videos on how to build improvised explosive devices or how to stage beheadings were just as effective delivered over a remote learning system as they were at a remote training camp. The web kept terrorists from having to travel for training, which used to be a very good opportunity for international law enforcement to catch a would-be terrorist. Remote training also kept a bunch of terrorists from congregating in one place long enough for a cruise missile strike. While Internet training has been a huge danger, spawning “lone wolf” attacks by terrorists who never had any connection to al Qaeda central, what al Qaeda and other groups really excel at is using the Internet for propaganda. Producing videos of beheadings and spreading radical interpretations of the Koran across the Internet has allowed terrorist groups to reach a wide audience and to do so with relative anonymity.

While al Qaeda has thus far not been capable of staging a cyber attack, that could very well change. As with any developing technology, the cost and other barriers to entry are going down each year. Staging a devastating cyber attack would not require a major industrial effort like building a nuclear bomb. Understanding the control software for an electric grid, however, is not a widely available skill. It is one thing to find a way to hack into a network, and quite another to know what to do once you’re inside. A well-funded terrorist group might find a highly skilled hacker club that would do a cyber attack in return for a lot of money, but that has not happened to date. One of the reasons for that may simply be that most
hackers think that al Qaeda members are crazy, dangerous, and un-trustworthy. When criminal hacker groups think of others that way, you know the real terrorists are pretty far out there.

5. MONEY TALKS

Another reason for inertia is that some people like things the way they are. Some of those people have bought themselves access. I mentioned earlier that George W. Bush’s first reaction when told of a possible cyber security crisis was to ask what a certain computer industry CEO who was one of his biggest campaign donors thought about it. You had probably already guessed that the Bush Administration was not interested in playing hardball with the private sector. The first
Homeland Security Strategy of the United States
, put out in 2003, reads like a conservative economic textbook on the power of the free market. You may be surprised, however, at how Democratic administrations have also been captured by these arguments. You might think that the new Democratic administration would be in favor of finally solving the market failure on cyber security by introducing some new regulation, but you would be wrong. To understand why, let’s go to a party.

It was a lavish affair. All the big names in Washington were there. Over 250 guests joined to celebrate the marriage of Melody Barnes to Marland Buckner. Barnes, President Obama’s domestic policy advisor, had known her husband-to-be for years before they started dating; their acquaintance goes back to her time on Capitol Hill, working for Ted Kennedy, and to his as Chief of Staff to Harold Ford, Jr., of Tennessee. After a short ceremony at the People’s Congregational United Church of Christ, the newlyweds and their guests retired to Washington’s Mellon Auditorium, which had been converted into a “South Beach–style” lounge, with hints of silver
and a floral theme for each table that was heavy on orchids. The locally sourced, carbon-neutral menu featured short ribs, sea bass, and a selection of spring vegetables elegantly arranged in bento boxes, followed by sliders and fries to keep the guests’ energy up until they were released at some point after midnight.

What the
New York Times
Weddings and Celebrations reporter described as “a bevy of Obama Administration officials” in attendance included White House Chief of Staff Rahm Emanuel and Valerie Jarrett, a White House senior advisor and Assistant to the President for Intergovernmental Relations. My friend Mona Sutphen, Deputy Chief of Staff, danced the night away, as did former Clinton Chief of Staff John Podesta. Also in attendance, but not noted by the
Times
, were a bevy of Microsoft executives. Buckner, a former director of government affairs at the world’s largest software company and now an independent registered lobbyist, had also invited some friends. Since going out on his own in 2008, Buckner took in lobbying fees, more than a third of which were from Microsoft. It is too bad
Mother Jones
doesn’t do weddings. Their reporter might have noted that on that night, the Obama Administration was, quite literally, in bed with Microsoft.

Microsoft makes OpenSecret.org’s top 30 list of “Heavy Hitters,” donating to political causes. While most of the organizations on that list are trade associations, Microsoft is one of only seven companies that make the cut. Of course, Microsoft was making up for lost time. Before the company’s battle with the Justice Department over antitrust issues in the late 1990s, the West Coast–based company wanted nothing more than to be left alone and stayed out of politics. Before 1998, Microsoft and its employees were little inclined to spend their stock options supporting East Coast politicians. That all changed when Clinton Administration lawyers argued that the marketing of Windows was intended to create a monopoly. Donations started pouring in from newly established political action commit
tees and Microsoft employees alike. And in the years 1998 through 2002, the majority of that money went to Republicans. Then, in 2004, maybe disgusted by the war or maybe misunderestimating the Bush campaign, Microsoft began donating to Democrats at almost twice the rate than to Republicans. In 2008, Microsoft beat those numbers, giving $2.3 million to Democrats and only $900,000 to Republicans.

Maybe Microsoft’s PACs and employees have good intentions, like so many Americans who donated money and time to the Obama campaign who wanted nothing more than to see Obama in office. Marland Buckner told a reporter for Media General News Service that he would “follow White House rules ‘to the letter’ to avoid any conflict of interest due to Barnes’s new job, and promised not to use his relationship with his spouse to attract clients. But Microsoft the corporation has an agenda that is very clear: don’t regulate security in the software industry, don’t let the Pentagon stop using our software no matter how many security flaws it has, and don’t say anything about software production overseas or deals with China.

Microsoft has vast resources, literally billions of dollars in cash, or liquid asset reserves. Microsoft is an incredibly successful empire built on the premise of market dominance with low-quality goods. For years, Microsoft’s operating system and applications, like its ubiquitous Internet browser, have been prepackaged on the computers we buy. Getting an alternative was a time-consuming and problematic task, until Apple began to open stores and advertise in the last decade.

To be fair, Microsoft did not originally intend its software to be running critical systems. Therefore, its goal was to get the product out the door fast and at a low cost of production. It did not originally see any point to investing in the kind of rigorous quality assurance and quality control processes that NASA insisted on for the software used in human space-flight systems. The problem is that
people did start using Microsoft products in critical systems, from military weapons platforms to core banking and finance networks. They were, after all, much cheaper than custom-built applications.

Every once in a while there is a wave of government efficiency improvements that brings federal government agencies up to date with the cost-saving approaches being used in industry. One of them was called the COTS campaign. The idea was to use commercial off-the-shelf (COTS) software to replace specialized software that in the past the government would have ordered up. Throughout the Cold War, the Pentagon had led much of this country’s technological innovation. I remember being told that there were cameras without film that had been developed for the government. (I could not quite understand how that would work—until I bought one at Best Buy a decade later.) Only after military applications were developed did the technology eventually leak out for commercial use.

COTS stood that process on its head. Before the 1990s, most of the Pentagon’s software applications were purpose-built in-house or by a small number of trusted defense contractors. No two systems were alike, which was how the defense contractors wanted it. The systems they built were extremely expensive. They also made it very difficult for defense systems to work interoperably. The COTS movement reduced the costs and allowed the Pentagon to create interoperable systems because they all used the same computer languages and the same operating systems. More and more applications were developed. Sensor grids were netted together. The 5.5-million-computer Global Information Grid, or GIG, was created. Netcentric warfare provided a huge advantage for the U.S. military, but it also introduced a huge vulnerability.

COTS brought to the Pentagon all the same bugs and vulnerabilities that exist on your own computer. In 1997, the U.S. Navy found out just how dangerous it could be to rely on these systems for combat operations. The USS
Yorktown
, a Ticonderoga-class cruiser,
was retrofitted as the test bed for the Navy’s “smart ship” program. The
Yorktown
had been outfitted with a network of twenty-seven Pentium-powered workstations all running Windows NT, all tied to a Windows server. The system controlled every aspect of ship operations, from bridge operations to fire control to engine speed. When the Windows system crashed, as Windows often does, the cruiser became a floating i-brick, dead in the water.

In response to the
Yorktown
incident and a legion of other failures of Windows-based systems, the Pentagon began to look at Unix and the related Linux systems for critical operations. Linux is an open-source system. What that means is that the computer code for the operating system can be viewed and edited by the user. With Windows (and most other commercial software), the source code is considered to be proprietary and is heavily guarded. Open source had a number of advantages for the Pentagon. First, Pentagon programmers and defense contractors could customize the software to make it operate the way they wanted. They could slice and dice the code to eliminate parts of the operating system that they did not need and that could introduce bugs into the system. Second, after reducing the size of the operating system, they could then run what the software industry refers to as “tools” on the remaining lines of code to try and identify bugs, malicious code, and other vulnerabilities.

Microsoft went on the warpath against Linux to slow the adoption of it by government agencies, complete with appearances before congressional committees, including by Bill Gates. Nonetheless, because there were government agencies using Linux, I asked NSA to do an assessment of it. In a move that startled the open-source community, NSA joined that community by publicly offering fixes to the Linux operating system that would improve its security. Microsoft gave me the very clear impression that if the U.S. government promoted Linux, Microsoft would stop cooperating with the U.S. government. While that did not faze me, it may have had an effect
on others. Microsoft’s software is still being bought by most federal agencies, even though Linux is free.