(Page 3 of 4)
While Cyber War has been widely criticized in the security trade press, the popular media have tended to take the book at its word. Writing in The Wall Street Journal in December 2010, U.S. News & World Report Editor-in-Chief Mort Zuckerman warned that enemy hackers could easily “spill oil, vent gas, blow up generators, derail trains, crash airplanes, cause missiles to detonate, and wipe out reams of financial and supply-chain data.” The sole source for his column, and for his recommendation that the federal government establish a cybersecurity agency to regulate private networks, was Clarke and Knake’s “revealing” book. The New York Times also endorsed Cyber War, sweeping aside skepticism about the book’s doomsday scenarios by noting that Clarke, who had warned the Bush and Clinton administrations about the threat from Al Qaeda before 9/11, has been right in the past.
Then there was the front-page article that The Wall Street Journal published in April 2009 announcing that the U.S. power grid had been penetrated by Chinese and Russian hackers and laced with “logic bombs”—computer programs that can be triggered remotely to cause damage. As with Judith Miller’s notorious New York Times articles on Iraq’s alleged weapons of mass destruction, the only sources for the story’s claim that key infrastructure has been compromised were anonymous U.S. intelligence officials. With little specificity about the alleged infiltrations, readers were left with no way to verify the claims. The article did cite a public pronouncement by senior CIA official Tom Donahue that a cyber attack had caused a power blackout overseas. But Donahue’s pronouncement is what Clarke and Knake cite to support their claim that cyber attacks caused a blackout in Brazil, which we now know is untrue.
The author of the Journal article, Siobhan Gorman, contributed to another front-page cybersecurity scoop claiming that spies had infiltrated Pentagon computers and stolen terabytes of data related to the F-35 Joint Strike Fighter. The only sources for that April 2009 report were “current and former government officials familiar with the attacks.” Later reporting by the Associated Press, also citing anonymous officials, found that no classified information was compromised in the breach.
The Brazil blackout was also the subject of a 2009 60 Minutes exposé on cyberwar. To back up its claim that the blackouts were the result of cyber attacks, the show cited only anonymous “prominent intelligence sources.” The segment also featured an interview with Mike McConnell, who claimed that a blackout was within the reach of foreign hackers and that the United States was not prepared.
In February 2010, The Washington Post granted McConnell 1,400 words to make his case. He told readers: “If an enemy disrupted our financial and accounting transactions, our equities and bond markets or our retail commerce—or created confusion about the legitimacy of those transactions—chaos would result. Our power grids, air and ground transportation, telecommunications, and water-filtration systems are in jeopardy as well.” Rather than offering evidence to corroborate this fear, McConnell pointed to corporate espionage generally, and specifically to an incident in which Google’s Gmail service had been compromised—another instance of espionage attributed to China.
The Cybersecurity-Industrial Complex
Washington is filled with people who have a vested interest in conflating and inflating the threats to our digital security. In his famous farewell address to the nation in 1961, President Dwight Eisenhower warned against the dangers of what he called the “military-industrial complex”: a excessively close nexus between the Pentagon, defense contractors, and elected officials that could lead to unnecessary expansion of the armed forces, superfluous military spending, and a breakdown of checks and balances within the policy making process. Eisenhower’s speech proved prescient.
Cybersecurity is a big and booming industry. The U.S. government is expected to spend $10.5 billion a year on information security by 2015, and analysts have estimated the worldwide market to be as much as $140 billion a year. The Defense Department has said it is seeking more than $3.2 billion in cybersecurity funding for 2012.
Traditional defense contractors, both to hedge against hardware cutbacks and get in on the ground floor of a booming new sector, have been emphasizing cybersecurity in their competition for government business. Lockheed Martin, Boeing, L-3 Communications, SAIC, and BAE Systems have all launched cybersecurity divisions in recent years. Other defense contractors, such as Northrop Grumman, Raytheon, and ManTech International, have also invested in information security products and services.
Traditional I.T. firms such as McAfee and Symantec also see more opportunities to profit from cybersecurity business in both the public and private sectors. As one I.T. market analyst put it in a 2010 Bloomberg report: “It’s a cyber war and we’re fighting it. In order to fight it, you need to spend more money, and some of the core beneficiaries of that trend will be the security software companies.” I.T. lobbyists, too, have pushed hard for cybersecurity budget increases. Nir Zuk, chief technology officer at Palo Alto Networks, complained to The Register last year that “money gets spent on the vendors who spend millions lobbying Congress.”
Meanwhile, politicians have taken notice of the opportunity to bring more federal dollars to their states and districts. Recently, for example, the Air Force established Cyber Command, a new unit in charge of the military’s offensive and defensive cyber capabilities. Cyber Command allows the military to protect its critical networks and coordinate its cyber capabilities, an important function. But the pork feeding frenzy that it touched off offers a useful example of what could happen if legislators or regulators mandate similar buildups for private networks.
Beginning in early 2008, towns across the country sought to lure Cyber Command’s permanent headquarters. Authorities in Louisiana estimated that the facility would bring at least 10,000 direct and ancillary jobs, billions of dollars in contracts, and millions in local spending. Politicians naturally saw the command as an opportunity to boost local economies. Governors pitched their respective states to the secretary of the Air Force, a dozen congressional delegations lobbied for the command, and Louisiana Gov. Bobby Jindal even lobbied President George W. Bush during a meeting on Hurricane Katrina recovery. Many of the 18 states vying for the command offered gifts of land, infrastructure, and tax breaks.
The city of Bossier, Louisiana, proposed a $100 million “Cyber Innovation Center” office complex next to Barksdale Air Force Base and got things rolling by building an $11 million bomb-resistant “cyber fortress,” complete with a moat. Yuba City, California, touted its proximity to Silicon Valley. Colorado Springs pointed to the hardened location of Cheyenne Mountain, headquarters for NORAD. In Nebraska the Omaha Development Foundation purchased 136 acres of land just south of Offutt Air Force Base and offered it as a site.
The Air Force ultimately established Cyber Command HQ at Fort Meade, Maryland, integrated with HQ for the National Security Agency. In the run-up to the announcement, Sen. Barbara Mikulski (D-Md.) proclaimed, “We are at war, we are being attacked, and we are being hacked.”