More ominously, the report warns: “Porous information systems have allowed opponents to map our vulnerabilities and plan their attacks. Depriving Americans of electricity, communications, and financial services may not be enough to provide the margin of victory in a conflict, but it could damage our ability to respond and our will to resist. We should expect that exploiting vulnerabilities in cyber infrastructure will be part of any future conflict.”
An enemy able to take down our electric, communications, and financial networks at will would indeed be a serious threat. And it may well be the case that the state of security in government and private networks is deplorable. But the CSIS report cites no reviewable evidence to substantiate this supposed danger. There is no support for the claim that opponents have “mapped vulnerabilities” and “planned attacks.” Neither the probing of Pentagon computers nor the cited cases of cyberespionage—for instance, the hacking of a secretary of defense’s unclassified email—have any bearing on the probability of a successful attack on the electrical grid.
Nevertheless, the commission concludes that tighter regulation is the only way toward greater security. It is “undeniable,” the report claims, that “market forces alone will never provide the level of security necessary to achieve national security objectives.” But without any verifiable evidence of a threat, how are we to know what exactly the “appropriate level of cybersecurity” is and whether market forces are providing it? With at least some security threats, such as industrial espionage and sabotage, private industry has a strong incentive to protect itself. If there is a market failure here, the burden of proof is on those who favor regulation. So far they have not delivered.
Although they never explicitly say so, the report’s authors imply that they are working from classified sources, which might explain the dearth of reviewable evidence. To its credit, the commission laments what it considers the “overclassification” of information related to cybersecurity. But this excessive secrecy should not serve as an excuse. If the buildup to the Iraq war teaches us anything, it is that we cannot accept the word of government officials with access to classified information as the sole evidence for the existence or scope of a threat.
Cyberwar: The Book
If the CSIS report is the document cyberhawks cite most, the most widely read brief for their perspective is the 2010 bestseller Cyber War, by Richard Clarke and Robert Knake, a cybersecurity specialist at the Council on Foreign Relations. This book makes the case that U.S. infrastructure is extremely vulnerable to cyber attack by enemy states. Recommendations include increased regulation of electrical utilities and Internet service providers.
“Obviously, we have not had a full-scale cyber war yet,” Clarke and Knake write, “but we have a good idea what it would look like if we were on the receiving end.” The picture they paint includes the collapse of the government’s classified and unclassified networks, the release of “lethal clouds of chlorine gas” from chemical plants, refinery fires and explosions across the country, midair collision of 737s, train derailments, the destruction of major financial computer networks, suburban gas pipeline explosions, a nationwide power blackout, and satellites in space spinning out of control. In this world, they warn, “Several thousand Americans have already died, multiples of that number are injured and trying to get to hospitals. … In the days ahead, cities will run out of food because of the train-system failures and the jumbling of data at trucking and distribution centers. Power will not come back up because nuclear plants have gone into secure lockdown and many conventional plants have had their generators permanently damaged. High-tension transmission lines on several key routes have caught fire and melted. Unable to get cash from ATMs or bank branches, some Americans will begin to loot stores.” All of which could be the result of an attack launched “in fifteen minutes, without a single terrorist or soldier appearing in this country.”
Clarke and Knake assure us that “these are not hypotheticals.” But the only verifiable evidence they present relates to several well-known distributed denial of service (DDOS) attacks. A DDOS attack works by flooding a server on the Internet with more requests than it can handle, thereby causing it to malfunction. A person carrying out a DDOS attack will almost certainly produce this flood of requests with a botnet—a network of computers that have been compromised without their users’ knowledge, usually through a virus. Vint Cerf, one of the fathers of the Internet and Google’s chief Net evangelist, has estimated that possibly a quarter of personal computers in use today are compromised and placed in unwilling service of a botnet.
Clarke and Knake cite several well-known DDOS attacks, such as the attacks on Estonia in 2007 and Georgia in 2008, both widely suspected to have been coordinated by Russia. They also mention an attack on U.S. and NATO websites in 1999 after American bombs fell on the Chinese embassy in Belgrade. And they cite a July 4, 2009, attack on American and South Korean websites, widely attributed to North Korea. These reputedly state-sponsored operations, along with the hundreds of thousands of other DDOS attacks each year by private vandals, are certainly a sign of how vulnerable publicly accessible servers can be. They are not, however, evidence of the capability necessary to derail trains, release chlorine gas, or bring down the power grid.
The authors admit that a DDOS attack is often little more than a nuisance. The 1999 attack saw websites temporarily taken down or defaced, but it “did little damage to U.S. military or government operations.” Similarly, the 2009 attacks against the United States and South Korea caused several government agency websites, as well as the websites of the NASDAQ Stock Market, the New York Stock Exchange, and The Washington Post, to be intermittently inaccessible for a few hours. But they did not threaten the integrity of those institutions. In fact, the White House’s servers were able to deflect the attack easily thanks to the simple technique of “edge caching,” which involves serving Web content from multiple sources, in many cases servers geographically close to users.
Without any formal regulation mandating that it be done, the affected agencies and businesses worked with Internet service providers to filter out the attacks. Once the attackers realized they were no longer having an effect, the vandalism stopped. Georgia, hardly the world’s richest or most technologically sophisticated country, similarly addressed attacks on its websites by moving them to more resilient servers hosted outside of its borders.
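As an added illustration that is not part of the article, the following Python shows the defensive side of the DDOS episodes described above: a sliding-window detector that spots the request flood in web-server access logs, and the per-source filtering that affected sites and their providers applied. The log lines, addresses, window and threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx-style access log line: <ip> - - [<timestamp>] "<request>" <status> <bytes>
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (source_ip, epoch_seconds), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT).timestamp()

def flood_sources(lines, window_s=10, threshold=50):
    """Flag sources exceeding `threshold` requests inside any `window_s` seconds.
    A per-source sliding window is used so a burst straddling bucket edges is
    still seen. Lines must be chronological per source. Returns {ip: peak}."""
    recent = defaultdict(deque)          # ip -> timestamps within the current window
    peak = {}
    for ip, ts in filter(None, map(parse, lines)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def make_sample_log():
    """Constructed traffic (hypothetical addresses): two ordinary clients fetching
    a page every 5 s, plus three botnet members each sending 120 hits in 3 s."""
    stamp = "[04/Jul/2009:10:00:%02d +0000]"
    lines = []
    for sec in range(0, 30, 5):
        for ip in ("203.0.113.5", "203.0.113.6"):
            lines.append(f'{ip} - - {stamp % sec} "GET / HTTP/1.1" 200 512')
    for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
        for i in range(120):
            lines.append(f'{ip} - - {stamp % (i // 40)} "GET / HTTP/1.1" 200 512')
    return lines

def filtered(lines, blocked):
    """Simulate the upstream filter: drop every request from a flagged source."""
    return [l for l in lines if (r := parse(l)) and r[0] not in blocked]
```

In practice the threshold is tuned to the site's normal per-client rate, and the same logic is applied at the provider's edge so the flood never reaches the origin server.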
Clarke and Knake recognize that DDOS is a “primitive” form of attack that would not pose a major threat to national security. Yet DDOS attacks make up the bulk of the evidence for the dire threat they depict. If we have no verifiable evidence of the danger we’re in, they write, it is merely because the “attackers did not want to reveal their more sophisticated capabilities, yet.” With regard to the Georgian and Estonian episodes, they argue that the “Russians are probably saving their best cyber weapons for when they really need them, in a conflict in which NATO and the United States are involved.”
When Clarke and Knake venture beyond DDOS attacks, their examples are easily debunked. To show that the electrical grid is vulnerable, for example, they suggest that the Northeast power blackout of 2003 was caused in part by the “Slammer” worm, which had been spreading across the Internet around that time. But the 2004 final report of the joint U.S.-Canadian task force that investigated the blackout explained clearly that no virus, worm, or other malicious software contributed to the power failure. Clarke and Knake also point to a 2007 blackout in Brazil, which they believe was the result of criminal hacking of the power system. Yet separate investigations by the utility company involved, Brazil’s independent systems operator, and the energy regulator all concluded that the power failure was the result of soot and dust deposits on the high-voltage insulators on transmission lines.
Before we pursue the regulations that Clarke and Knake advocate, we should demand more precise evidence of the threat they portray and the probability that it will materialize. That will require declassification and a more candid, on-the-record discussion.