Cyber War: The Next Threat to National Security and What to Do About It (19 page)

The banking and finance industry also started to look at open-source alternatives after the repeated failure of Microsoft systems had cost the finance industry hundreds of millions a year. In 2004, a banking industry group, the Financial Services Roundtable, sent a delegation of computer security specialists from the banks to Redmond, Washington, to confront Microsoft. They demanded access to the secret Microsoft code. They were denied. They demanded to see the quality-assurance standards Microsoft used so that they could compare them with other software companies. They were denied. Microsoft’s position with the U.S. banks is in contrast to the program the company had announced in 2003 whereby, pursuant to agreement, Microsoft provide participating national and international bodies access to its Windows source code, a move designed to address concerns about the security of its operating system. Russia, China, NATO, and the United Kingdom were early participants.

The banks threatened to start using Linux. Microsoft told them the conversion to Linux would be very expensive for them. Moreover, the next version of Windows was being developed under the code name Longhorn. Longhorn would be much better. Longhorn became Vista. Vista went to market later than expected, delayed by flaws discovered in Microsoft’s expanded tests program. When Vista was sold, many corporate users experienced problems. Word spread and many companies decided not to buy the new system. Microsoft suggested that it would stop providing support for some of its older systems, forcing customers to upgrade.

Microsoft insiders have admitted to me that the company really did not take security seriously, even when they were being embarrassed by frequent highly publicized hacks. Why should they? There was no real alternative to its software, and they were swimming in money from their profits. When Linux appeared, and later when
Apple started to compete directly, Microsoft did take steps to improve its quality. What they did first, however, was to employ a lot of spokesmen to go to conferences, to customers, and to government agencies lobbying against moves to force improvements in security. Microsoft can buy a lot of spokesmen and lobbyists for a fraction of the cost of creating more secure systems. They are one of several dominant companies in the cyber industry for whom life is good right now and change may be bad.

6. NO, I THOUGHT YOU WERE DOING IT

Change, however, is coming. Like the United States, more and more nations are establishing offensive cyber war organizations. U.S. Cyber Command also has a defensive mission, to defend the Department of Defense. Who defends the rest?

As it stands now, the Department of Homeland Security defends the non-DoD part of the federal government. The rest of us are on our own. There is
no
federal agency that has the mission to defend the banking system, the transportation networks, or the power grid from cyber attack. Cyber Command and DHS think that by defending their government customers they may coincidentally help the private sector a little, maybe. The government thinks it is the responsibility of individual corporations to defend themselves from cyber war. Government officials will tell you that the private sector wants it that way, wants to keep the government out of their systems. After all, they are right that no one in government would know how to run a big bank’s networks, or a railroad’s, or a power grid’s.

When you talk to CEOs and the other C-level types in big companies (chief operating officers, chief security officers, chief information officers, chief information security officers), they all say pretty much the same things: we will spend enough on computer security
to protect against the day-to-day threat of cyber crime. We cannot, they say, be expected to know how to, or spend the money to, defend against a nation-state attack in a cyber war. Then they usually add words to the effect of, “Defending against other nations’ militaries is the government’s job, it’s what we pay taxes for.”

At the beginning of the era of strategic nuclear war capability, the U.S. deployed thousands of air defense fighter aircraft and ground-based missiles to defend the population and the industrial base, not just to protect military facilities. Every major city was ringed with Nike missile bases to shoot down Soviet bombers. At the beginning of the age of cyber war, the U.S. government is telling the population and industry to defend themselves. As one friend of mine asked, “Can you imagine if in 1958 the Pentagon told U.S. Steel and General Motors to go buy their own Nike missiles to protect themselves? That’s in effect what the Obama Administration is saying to industry today.”

On this fundamental issue of whose job it is to defend America’s infrastructure in a cyber war, the government and industry are talking past each other. As a result, no one is defending the likely targets in a cyber war, at least not in the U.S. In other countries, some of whom might be cyber war adversaries someday, the defense part of cyber war might be doing a little better than it is here.

THE CYBER WAR GAP

We noted earlier that the U.S. may have the most sophisticated and complex cyber war capability, followed soon thereafter by Russia. China and perhaps France are in a close second tier, but over twenty nations have some capability, including Iran and North Korea. Whether or not this ranking is accurate, it is widely believed by cyber warriors. So, one can almost imagine the American geek fighters sit
ting around after work in some secure location drinking their Red Bulls and chanting “U-S-A, U-S-A,” as at the Olympics, or “We’re Number One!” as at a high school football game. (My high school was so nerdy we chanted “Sumus Primi!”) But are we really number one? That obviously depends upon what criteria you employ.

In cyber offensive capability, the United States probably would rank first if you could develop an appropriate contest. But there is more to cyber war than cyber offensive. There is also cyber dependence, the degree to which a nation relies upon cyber-controlled systems. In a two-way cyber war, that matters. As I discovered when I asked for a cyber war plan to go after Afghanistan in 2001, there are sometimes no targets for cyber warriors. In a two-way cyber war, that gives Afghanistan an advantage of sorts. If they had any offensive cyber capability (they didn’t), the cyber war balance would have shifted in an interesting way. There is also the issue of whether a nation can defend itself from cyber war. Obviously, Afghanistan can protect itself just by being there and having no networks, but theoretically a nation may have networks and, unlike us, be able to protect them. Cyber defense capability is also, therefore, a criterion: Can a nation shut off its cyber connectivity to the rest of the world, or spot cyber attacks coming from inside its geographical boundaries and stop them?

While the United States very likely possesses the most sophisticated offensive cyber war capabilities, that offensive prowess cannot make up for the weaknesses in our defensive position. As former Admiral McConnell has noted, “Because we are the most developed technologically—we have the most bandwidth running through our society and are more dependent on that bandwidth—we are the most vulnerable.” We have connected more of our economy to the Internet than any other nation. Of the eighteen civilian infrastructure sectors identified as critical by the Department of Homeland Security, all have grown reliant on the Internet to carry out their basic functions,
and all are vulnerable to cyber attacks by nation-state actors. Contrast this with China. While China has been developing its offensive cyber capability, it has also focused on defense. The PLA’s cyber warriors are tasked with both offense and defense in cyberspace, and unlike in the case of the U.S. military, when they say defense, they mean defense of the nation, not just defense of the military’s networks. While I do not advocate an expanded role for the Pentagon in protecting civilian systems in the U.S., there is no other agency or arm of the federal government that has taken on that responsibility. In light of the eschewing of regulation that began in the Clinton Administration and has continued through the Bush Administration and into the Obama Administration, the private sector has not been required to improve security, nor has the government stepped in to actively take on the role. In China, the networks that make up the Chinese Internet infrastructure are all controlled by the government through direct ownership or very close partnership with the private sector. There are no debates about the cost of security when Chinese authorities demand new security measures. The networks are largely segmented between government, academic, and commercial use. The Chinese government has both the power and the means to disconnect China’s slice of the Internet from the rest of the world, which it may very well do in the event of a conflict with the United States. The U.S. government has no such authority or capability. In the U.S., the Federal Communications Commission has the legal power to regulate but it largely chosen not to do that. In China, the government can set and enforce standards, but it also goes many steps further.

The “Internet” in China is more like the internal network of a company, an intranet. The government is the service provider and therefore in charge of the network’s defense. In China, the government is actively defending the network. Not so in the United States. In the U.S., the government’s role is at least one step removed. As
mentioned briefly in chapter 2, China’s much-discussed Internet censorship, including “the Great Firewall of China,” can also provide security advantages. The technology that the Chinese use to screen e-mails for speech deemed illegal can also provide the infrastructure to stop malware. China has also invested in developing its own proprietary operating system that would not be susceptible to existing network attacks, though technical problems have delayed its implementation. China launched and then temporarily halted an effort to install software on all computers in China, software allegedly meant to keep children from gaining access to pornography. The real intent, most experts believe, was to give China control over every desktop in the country. (When word of the plan got out in the hacker community, they quickly found vulnerabilities that could have given almost anyone control over the system, and the Chinese promptly delayed the program.) These efforts show how seriously the Chinese take their defense, as well as the direction their efforts are headed. China, meanwhile, remains behind the United States in the automation of its critical systems. Its electric power system, for example, relies on control systems that require a large degree of manual control. This is an advantage in cyber war.

MEASURING CYBER WAR STRENGTH

It would be great if the only thing we had to take into account in measuring our cyber war strength was one factor, our ability to attack other nations. If that were the only consideration, the United States might do really well when compared to other nations. Unfortunately for us, a realistic measurement of cyber war strength also needs to include an assessment of two other factors: defense and dependence. “Defense” is a measure of a nation’s ability to take actions that under attack, actions which will block or mitigate the attack. “Dependence”
is the extent to which a nation is wired, reliant upon networks and systems that could be vulnerable in the event of cyber war attack.

To illustrate how these three factors (offense, defense, and dependence) interact, I have created a chart. The chart assigns scores to several countries for each of the three factors. Quibblers will argue with the overly simplistic methodology: I gave each of the three measures equal weight and then added the three scores together to get an overall score for a nation. The scores assigned to each nation are based on my assessment of their offense power, their defensive capability, and the extent to which they are dependent on cyber systems. There is one counterintuitive aspect to the chart: the less wired a nation is, the higher its score on the dependence ranking. Being a wired nation is generally a good thing, but not when you are measuring its ability to withstand cyber war.

OVERALL CYBER WAR STRENGTH

Nation
: U.S.

Cyber Offense
: 8

Cyber Dependence
: 2

Cyber Defense
: 1

Total
: 11

Nation
: Russia

Cyber Offense
: 7

Cyber Dependence
: 5

Cyber Defense
: 4

Total
: 16

Nation
: China

Cyber Offense
: 5

Cyber Dependence
: 4

Cyber Defense
: 6

Total
: 15

Nation
: Iran

Cyber Offense
: 4

Cyber Dependence
: 5

Cyber Defense
: 3

Total
: 12

Nation
: North Korea

Cyber Offense
: 2

Cyber Dependence
: 9

Cyber Defense
: 7

Total
: 18

The results are revelatory. China has a high “defense” score, in part because it has plans and capability to disconnect the entire nation’s networks from the rest of cyberspace. The U.S., by contrast, has neither the plans nor the capability to do that because the cyber connections into the U.S. are privately owned and operated. China can limit cyberspace utilization in a crisis by disconnecting nonessential users. The U.S. cannot. North Korea gets a high score for
both “defense” and “lack of dependence.” North Korea can sever its limited connection to cyberspace even more easily and effectively than China can. Moreover, North Korea has so few systems dependent upon cyberspace that a major cyber war attack on North Korea would cause almost no damage. Remember that cyber dependence is not about the percentage of homes with broadband or the per capita number of smart phones; it’s about the extent to which critical infrastructures (electric power, rails, pipelines, supply chains) are dependent upon networked systems and have no real backup.