JAMES LEWIS
CYBERWAR
INTERVIEW
There's a nightmare scenario that people will talk about. They'll
talk about terrorists or a nation-state coming after us, bringing
down the electrical grid, turning off electricity for weeks on end.
That, catapulting into every infrastructure in America dependent
upon electricity, sort of breaks down into mass hysteria. How real
is that scenario?

One easy test for cyber security is to ask yourself
the following question: Could Godzilla do it? If the answer's yes,
it's probably not a very realistic scenario. So when you get into
these things where a big green monster is going to shut down the
whole electrical system or the water system, it's not very likely.
In the U.S., in particular, you have just a maze of different systems.
They're redundant. They've spent a lot of time practicing how to
deal with failure, because we have blackouts and water failure all
the time. So it's not the kind of system that's easy to attack.
Interview with:
James Lewis *
Senior fellow
Director of technology policy
Center for Strategic and International Studies
Frontline
PBS
Infosearch:
José Cadenas
Bureau Chief
USA
Research Dept.
La Nueva Cuba
May 28, 2006
The other thing
you can look at is, we know what attacks on critical infrastructures
are like. This is something the military has been doing for at least
80 years. What we've discovered is it's hard to knock out an infrastructure.
Nations are a lot tougher than they look. You can put something
out for a couple of days, and people work really hard to get it
back online. So this isn't an easy task when you're using high explosives,
and high explosives do permanent damage, unlike cyber attacks, which
are not anywhere near as threatening.
But to play the devil's advocate, a lot of people focus on power
grid. You can get control of SCADA systems or whatever, you can
burn out the big generators, you can cause cascading effects from
one system to another. Some people say that the threat's not unreal,
that SCADA is a new system, we're totally dependent upon it. There's
a vulnerability there that we've never come across before.
When people
say that you can bring down the electrical system with a few keystrokes,
it's one of those exaggerations that tends to bother me a lot. First,
there is no electrical system. There's a multitude of electrical
companies that all work together. Two, they are networked in some
way, but each one of them is sort of idiosyncratic in how they've
put themselves together. They all have SCADA systems, but they've
applied them differently. If you know how to get into one company,
that doesn't mean necessarily you know how to get in another.
Of course, there's
this assumption that a hacker's going to be able to get into an
electrical company and take control without anyone noticing or trying
to stop it. That's just silly. We know that electrical companies
are a very popular target for hackers. There are thousands of attacks
every year. None of them have ever resulted in a single blackout.
That makes me kind of skeptical about this whole thing.
Just to figure out the ante on all that, some say that it's necessary
to view cyber war tactics in the realm of weapons of mass destruction?
Some people
actually believe that this stuff here that they're playing with
is equal, if not a bigger threat, than a dirty bomb. One of the
things that happened at the end of the Cold War is we went from
confronting a massive global threat that had the ability to wipe
out the United States in a matter of hours to a series of much tinier
threats. And what happened is, I think that a lot of security experts,
instead of saying, "Hey, we don't face a big threat anymore,"
inflated a number of these smaller threats.
In particular,
cyber attacks as a replacement for WMD would have to qualify as
a gross inflation. Nobody argues -- or at least no sane person argues
-- that a cyber attack could lead to mass casualties. It's not in
any way comparable to weapons of mass destruction. In fact, what
a lot of people call them is "weapons of mass annoyance."
If your power goes out for a couple hours, if somebody draws a mustache
on Attorney General Ashcroft's face on his Web site, it's annoying.
It's irritating. But it's not a weapon of mass destruction. The
same is true for this.
Give me your impression of what cyber war, therefore, or a cyber
terrorism attack would look like. ...
One of the things
I ask myself is, "If I was a terrorist, what would I want to
do?" because I have specific goals as a terrorist. These people
are rational. They're cold-blooded and they're very determined.
They have political goals. They want to achieve these political
goals through violence. Is a cyber weapon going to do that for me?
The answer in
most cases is when I look at the portfolio of weapons and attacks
I have, cyber's at the bottom. I'd much rather use an explosive.
Of course, we know Al Qaeda says in one of their training manuals
that explosives are their preferred weapon. We know that weapons
of mass destruction, bioweapons, or germ warfare are much more likely
to induce panic in a population than is a cyber attack. You could
shut down the Internet, and it's quite possible no one would notice
for a couple days. So I don't think terrorists are out there thinking
about this. ...
The National Strategy to Secure Cyberspace is out now. The opponents
of it, some people out there say there's no teeth to it. I guess
the question becomes why? Is this possibly because the White House
basically has a full plate of threats in front of it, and they look
at this as not that important comparatively? Or is it that it's
a danger, but it's something that can wait, and we'll deal with it
when we come to it?
The cyber strategy
is basically morphing into the more classic sort of strategies that
the White House puts out. If you look for the last more than a decade,
we've been putting out a national security strategy, and it basically
says a lot of vanilla things: "Security's good. Freedom's good.
America should defend it." Then it lays out a vision or some
goals that agencies can strive towards. These are not very operational
documents.
I think what
you've seen happen with the cyber security strategy is it's changed
from something that was trying to be very operational. It was 300
pages, and it was a cookbook of things you could do. Now, it's more
of this broad vision statement like our other national strategies.
Why?
Part of this
is it's just too hard a problem for people to wrestle with, because
the issue that you need to confront is how much you're going to
regulate the private sector. And there's a reluctance -- certainly
with this administration, but even with the previous one -- to regulate
the Internet. They aren't sure how to do it. People are always telling
them it won't work.
But we need
to think about some sort of regulatory mechanism to get people to
pay more attention to cyber security. This doesn't have to be the
big, heavy FCC-style regulation. It could be more like some of the
things, perhaps, that were done in Y2K or some of the other alleged
cyber menaces. ...
A lot of times, you'll come to a point within this debate where
Operation Eligible Receiver will come up -- the NSA's attempts,
acting as North Koreans, to damage infrastructure, to take down
the Pacific command. They say it was very successful, that they
would have taken down the electrical grid across America. They would
have destroyed the ability of the military to communicate. They
could have caused a delay for the entire two weeks that they were
in operation. What's your response to that?
You get all
these hypothetical scenarios, and allegations, and mythical cases
of cyber terrorism. And when you ask them, "OK, show me the
real event," there's nothing there. I think that makes it hard
sometimes to judge these things. If you judge cyber terrorism the
way we judge anything else using quantitative evidence, using established
facts, it immediately shrinks. ...
Let's change seats for a second, and imagine you're Al Qaeda. If
you were Al Qaeda, if you were interested in destroying us in any
possible way with a major goal of hurting us economically, hurting
us psychologically, isn't this sort of an attractive way of going
about it? Isn't it an attractive weapon, where your folk can be
sitting in cybercafes all over the world going at us, instead of
blowing themselves up? I mean, why would Al Qaeda use this, or attempt
to use this against us?
Al Qaeda's going
to rank the options it has in terms of the outcomes that they want.
So they're going to start by saying, "How do I create panic
and disruption in the United States? How do I do psychological damage
to my enemy? How do I do physical damage?" Cyber weapons just
don't deliver that. You're much more likely to look at things involving
large quantities of explosives. We know they can do that. Possibly
chemical weapons, very disruptive. Maybe a lesser threat would be
biological weapons. ...
Finally, I think
there's the psychological payoff, which is these people want to
do things that will allow them to attack the United States. Both
on the receiving end and on the sending end, a cyber attack doesn't
have that payoff. Going back to Osama and saying, "Hey, I launched
16,000 attacks against electrical networks and one of them caused
a blackout in Cloverdale, California, for three hours," is
not going to get you there in the martyrs' hall of fame.
They're going
to want to do something much more damaging. That's a very frightening
possibility, but cyber is not part of that.
[Al Qaeda] laptops were found with programming information and software
sites for SCADA systems and other systems -- specifically for power
and water company sites. Why the detailed interest?
I think one
of the things that's troubling about Al Qaeda, and really some of
the other groups, is they're very methodical. They're very serious.
I think they will work through all the options and say, "If
I do this attack, what do I get? If I do that attack, what do I
get?" They're also very good at collecting information.
They have taken
advantage of the global communications networks that we've set up,
the global information networks that have appeared in the last decade.
They've learned how to use them to become a terrorist organization
that can operate almost anywhere in the world. So they're a very
thorough group. But at the end of the day, I think their first choice
is always going to be some more powerful physical weapon. Cyber
weapons just aren't a good replacement for bombs.
You're walking sort of out on a limb here, aren't you? I mean, you
could be proven wrong. You're really confident about this. Why?
Tell me why you're this confident.
What I'm trying
to do is think about, if there was a cyber attack, would it paralyze
the United States? I think that the odds of that are very low, because
it's easier to recover from a cyber attack. There's no physical
damage. There's no casualties. I think that, when Al Qaeda goes
through their calculations, they'll go to the same sort of calculation
I've gone through -- which is they want something that's going to
be successful.
Another thing
that encourages me is that you have very exaggerated threat assessments
put out by the people who sometimes advocate cyber terrorism as
a real risk. Let me give you an example. One of our congressmen
said recently that hackers or cyber terrorists would be able to
take control of two airplanes and get them to fly into each other.
I'm exceptionally confident that that would never happen. Hackers
can't do that. The system isn't automated.
So when you
go through each of these scenarios over and over again, the risk
is really low. The attractiveness of the weapon compared to other
weapons is also low. Does that mean people are going to try? Well,
we know they've tried cyber attacks. But so far, there hasn't been
any effect.
What's your take on the sophisticated probing going on? There have
been a lot of government and private organizations that have noted
that there's been a lot of sophisticated probing, hiding their tracks,
going into all sorts of infrastructures. What does that mean? One
definition of what that means is that they're mapping potential
attacks, that it looks like nations or terrorist groups, somebody
is out there, doing all the preliminary work, so that they're ready
for an attack.
When you think
about the question of if there's been all this mapping or probing,
what does it mean, you've got to look at it in two ways. First,
people are going to explore cyber attacks and cyber weapons. That
doesn't mean they're going to use them, because, at the end of the
day, I don't think they're very useful. But that doesn't mean that
a big country that has a lot of resources won't explore them.
The second,
and I think the more important risk, is espionage. The Internet
is God's gift to spies. Information
that would have been very difficult to get, but very valuable, is
now readily accessible. One of the things you've seen in the last
year is the U.S. sort of waking up and wondering, "Do we want
to have all this information online?" So I think the risk of
espionage is much, much higher.
But again, if
you were a spy, you'd want to break into someone's system, and you'd
want to sit there and collect information. You wouldn't want to
pull the plug or draw a mustache on somebody's face, because then
you'd get shut out. People react very quickly to cyber attacks,
and they're very good at deterring them. So a spy is going to want
to sit there and not attract any notice.
Which leads to Moonlight Maze. Tell us the story of what Moonlight
Maze was and its significance.
You know, there's
been a whole set of stories about cyber attacks -- Moonlight Maze
being one of them -- that when you actually track them down, don't
seem to have very much substance to them. I think [Moonlight Maze]
was another one of these exercises where, hypothetically, people
thought they could disable the United States. ...
But Moonlight Maze is the attack against DOD, supposedly Russian
source of some sort, and a huge amount of intelligence was gathered,
non-classified. Isn't there some significance in espionage ways,
if nothing else?
Yes. Espionage
is really important, especially for open societies like the U.S.
and societies that are networked the way we're becoming, and other
developed countries in Western Europe and in Asia. Obviously, it's
not a big problem in North Korea or Sudan, where they don't have
electricity, much less the Internet. But for us, as a vulnerability
for espionage -- different from terrorism -- for espionage, we are
at greater risk.
So the part
that's interesting to me is, how is this valuable as an espionage
tool? Again, though, if you ask the operational question, "So
there were all these attacks. Did we cancel any sorties? Did any
servicemen die? Did any ships not leave the harbor?" The answer
is "No. It didn't have any effect that way."...
One of the other things that people will say is that you're right.
It hasn't happened before. No one has used this in that way. But
then they immediately go to 9/11, saying that no one ever used four
aircraft and tried to ram huge major buildings in the United States
either. What do you make of that argument?
The argument
that people didn't use aircraft before 9/11 and, therefore, we shouldn't
say that because we haven't seen any cyber attacks we shouldn't
dismiss cyber terrorism -- unfortunately, that's not right. We know
that Islamic fundamentalists had plans to hijack the aircraft and
fly them into buildings repeatedly during the 1990s. The famous
example, of course, was some Islamic terrorists who had hijacked
an Air France airliner, and were apparently intending to fly it
into the Eiffel Tower. There was another case, I believe, with hijacked
aircraft being flown into targets in Israel. Plans for this that
didn't occur.
One of the things
we've seen with Al Qaeda is that they have been doing this for a
while. So you will see them use explosives repeatedly before 9/11.
You will see consideration of airplane attacks repeatedly before
9/11. What you won't see is a lot of failure. We've seen lots of
cyber attacks that have not had any result. You can't say that for
these other methods. So that's why I tend to downgrade this. The
terrorists are methodical, serious, and they will try things. But
they have a preference for explosives and for things that make very
loud bangs and cause a lot of damage and casualties.
The recent reports about President Bush signing in July the NSPD
16, that the government was going to develop guidance for when the
U.S. should launch cyber attacks -- it sounds like the government
is still very interested in cyber war tactics, and their use in
a war. Why?
... Cyber war
as the future of war is one school of thought. The nice thing about
the U.S. military is it's so big and it's so well funded that it
can pursue many different options at the same time. So when you
look at missile defense, when you look at information warfare, or
when you look at what the Air Force is doing, we can be in the position
of letting a hundred flowers bloom. That doesn't mean that it will
turn out that way.
If you look
at the weapons that the U.S. has pursued over the last, say, 50
years, a lot of them have been dead ends. It doesn't mean we shouldn't
have pursued them. It doesn't mean there might have been some benefit
in trying to think how they work. It doesn't mean, at some point
in the future, we might come back to it and say, "Hey, it was
worthwhile." But the fact that someone's pursuing cyber weapons
now doesn't mean it's going to make a lot of difference.
I, for example,
ask two questions on this: If I was Saddam Hussein and I wanted
to stop the U.S. from attacking me, what could I do using cyber
weapons? The answer is I couldn't do a heck of a lot. So it's not
very useful to Mr. S. And if I was the U.S., and I wanted to help
bring down Saddam Hussein, what could I do with cyber weapons? Same
answer: Not a heck of a lot. He's not very vulnerable. ...
There are countries, though, that have been reported to use these
tactics, like India and Pakistan, the Israelis and the Palestinians.
I mean, there are examples of people using it in these situations,
aren't there?
India and Pakistan
are a good example. Israel and some of the Arab countries are another
good example, and this is a good test. Here, you have real wars.
They're shooting at each other. They've launched cyber attacks.
What has the result been? The results have been zip. There have
been no infrastructures turned off. There's been no disruption of
military activity. There's been graffiti. There's been annoyances.
There's been exchanges of insults. But it's not a real military
weapon. If you're a military or if you're a terrorist, you need
to focus on things that are going to give you some payoff.
The Chinese government has made statements that this is a tactic
that they would use. What's the significance there?
China is a country
that's realized that it can't compete militarily with the U.S.,
at least not right now, and not for perhaps the next decade. So
they're looking for what is known as asymmetric advantage, someplace
where they can make a small investment in a weapon, and get a big
payoff in terms of our vulnerability. Naturally, they're looking
at cyber weapons as part of this.
The attraction
is: Information warfare is something the U.S. depends on. If they
can disrupt our information systems, they might get an advantage.
There's been a lot of talk. They're probably beguiled. They read
the same newspapers everyone else reads. So they open the newspaper
and read that they're going to be able to turn off the electrical
system in the U.S. for a month with cyber attacks. Sure, they're
going to explore it. What they're going to find, though, is they
can't do that.
The other problem
for the Chinese, and one they need to think about, is that cyber
weapons pose a different kind of problem for nation-states than
they do for terrorist groups. A group like Al Qaeda has very few
constraints on it, right? There's almost nothing that would constrain
them from using any kind of weapon, and that's why they've looked
at a range of possibilities.
When you look
at China, it's a little different. They're part of the international
community. They have to follow some international norms, and they
share vulnerabilities with us. They use the same global commercial
network. They use the same global communications network and the
same financial network. If you think about Chinese government officials
-- many of whom, in their private lives, tend to be very wealthy,
involved very much in the stock market in the international finance
-- they may be reluctant to disrupt the financial network, because
they could suffer as much as the United States.
So I think there's
constraints on what the Chinese can do that we don't see for groups
like Al Qaeda. The Chinese are going to look for things that are
going to get them some real payoff, too. They want to stop the Pacific
Fleet from showing up in the Taiwanese Straits. Cyber just isn't
going to let them do that.
Finally, the last area to cover is Kosovo. Give me the background.
What did we do in Kosovo? Then we'll figure out what we learned
or what we didn't learn from it.
... Kosovo was
sort of interesting, because we did probe other people's networks.
At the end of the day, for me, the thing that brought the Serbs
to the table, and the thing that brought them to stop their activities,
were the air attacks. So once again, it was the physical weapons,
the kinetic weapons that made a difference. We used these weapons
much more effectively because of our emphasis on information dominance
and information warfare, but that's different from attacking computer
networks. You saw [that] a lot of attacks by the Serbs on NATO computer
networks [and] U.S. computer networks didn't have any effect in
terms of stopping the attacks on them. So it wasn't a very effective
defense.
In terms of
what we could do, some people said, "We could freeze the dictator's
bank accounts." A great idea. What if the dictator freezes
our bank accounts? We don't want to legitimize attacks that are
much more damaging to the U.S. than they are to the target. That's
one of the problems with these cyber things: When you think about
finance or when you think about information networks, we're the
ones who have a lot more online than any other country. So when
we think about cyber attacks, we want to think, "What do we
want to legitimize?"...
On the other hand, we didn't give it up. There's a whole group of
guys out there, the Joint Task Force in Computer Security and such,
that are working offensively and defensively on it. There's a whole
lot of folk that are still talking about it. From the situation
in Kosovo and the use against the Serbs, was there anything learned?
And is there a debate about what was learned on whether it showed
that it was a good direction or whether it was a ridiculous direction
to go?
Unfortunately,
there isn't much of a debate about the effectiveness of these weapons.
One of the things we need to do is start going around and trying
to get quantitative evidence, trying to think about this in a scientific
manner, the way we would with any other weapon system, and say,
not a hypothetical, "If I could do this, then I could bring
them to their knees," but a real world "This attack was
launched. What happened?"
Right now, when
you look for that evidence, you can't find anything that would show
damage or effect. If you put this in the larger context of military
operations or terrorism, you just can't find evidence that it's
been that effective. Does that mean people should stop experimenting?
No. But does it mean we should rely on it for victory tomorrow?
No, we should not rely on it for victory tomorrow.
Explain, if you could, our trying to take down the telephone system
[in Kosovo]? Why would that have been done, and what did we learn
from that?
One of the things
we learned in the theory about taking down communication systems
is that it can backfire, because the first thing that people realized
-- actually, not the first thing, it took them two or three weeks
to realize -- is that if you bring down the communication network
in Serbia or in Yugoslavia, the opposition isn't going to be able
to communicate with each other. They're actually more at risk, more
dependent on these commercial networks than the government is. So
we would have handicapped the political opposition that actually
was one of the key things that helped us win in that situation.
That's what
I would say to this: When you think about these cyber weapons, when
we deploy them, are we going to suffer more than the opponent? In
the case of Serbia, that was definitely the case, because we would
have hamstrung the political opponents of the regime, and not done
as much damage or necessarily any damage to the regime's command
and control.
There's another side of this, which says that we found, to some
extent, that it doesn't work for us. ... But Al Qaeda is a different
world. In fact, the more horrific things they can do, it works better,
because psychologically, it's more damaging. So is there a case
to be made for the fact that, though we might find as a warfare
tactic, it's not a very successful [one], there are others out there
that, in fact, might believe it works for them?
Another thing
we haven't done is actually map out the real vulnerabilities created
by computer networks. There's been an assumption the computer networks
are vulnerable, and the infrastructures that use them are just as
vulnerable. Actually, we need to test that assumption. We need to
actually walk through and say, "Here's the network. What does
it actually control? What can I do remotely?"
One of the things
I think you'd find is that, very often, there's not that much you
can do with a computer network, especially for some of the big infrastructures
like air traffic, like electricity, like water supply. So when you
talk about needing to be more precise in these attacks and why it
might not deter Al Qaeda, it's not as much of a problem for us to
worry about, because you're going to find, I think, so far, when
I've looked, that we're not as vulnerable as it might appear.
Could that change
over time? Sure. We're becoming more networked every week. Is it
a vulnerability now? It's not. So when I think about these precision
attacks, it's not clear to me that Al Qaeda could do a precision
attack and it's possible no one would notice. ...
Lastly, then why all the hubbub? Why all the very distinguished
people who sort of say, "This is a problem. We've got to deal
with this?" Why the scientists that are saying, "Hey,
listen to us. We've got a problem here?"
One thing that
I would say is that a lot of the people who think about the seriousness
of cyber warfare tend to be computer people. What you need is to
get more national security people, more military people thinking
about it -- people whose job is to win wars or to defend the nation,
not whose job is to administer computer networks. So you've got
to broaden the debate.
The second thing
is that the terrain is shifting all the time. Three years ago, the
Internet was this wonderful thing. We were naming stadiums after
dot-coms. It looked like you had this new amazing thing that was
going to be completely different from everything in our experience.
We still haven't completely recovered from that, although people
have calmed down considerably when the stock market level popped.
The third thing
is that we still need to do the research. People assert vulnerability.
They say, "I did an exercise. Here's a hypothetical situation."
I want to get to the nuts and bolts. I want to say, "Show me
the attack. Show me the vulnerability. Trace for me the line from
the guy sitting in front of his keyboard all the way to the floodgate
on the dam. Show me the links." You'd be shocked to discover
how infrequently we have done that, and that's what we need to do.
Then we'll get a better assessment of how real this threat is. ...
There's a lot made of SCADA systems. They're the least protected.
... It's a potential target. It's systems that you can't put cryptographic
sort of controls over. So what's the danger?
Let me use a
model here that's a little unusual in answering the SCADA question.
I want to use the model of air attacks, because you saw very similar
arguments made by the initial strategists of air power. This new
technology would allow them to fly over enemy forces and cripple
economies, bring nations to their knees with just a few well-placed
attacks. This is what people started thinking in about 1919. And,
of course, in the 1920s, it didn't work. In the 1940s, people tried
it; it didn't work.
It wasn't until
the advent of nuclear weapons that the air power scenario really
began to make sense -- that you could think about this as a logical
way to attack people. That doesn't mean that people didn't experiment
with it or that they didn't try it, or that people didn't think
about how to defend against it.
Now, at a much
different level, we're looking at the same thing with SCADA systems
and the Internet and computer networks. Right now, we aren't that
interconnected. People use SCADA systems, but they use them in a
whole variety of idiosyncratic manners. They buy different systems.
They connect them differently. They connect differently to the physical
structure. So understanding how a SCADA system works for one company
doesn't give you a benefit in attacking another company. It's very
difficult. We just aren't as vulnerable as some people would make
up.
Could that change
over time, the way air power changed over time? I think it will,
and that's why we need to pay attention to what the defenses are,
how we build secure networks now. But that doesn't mean that terrorists
are going to be able to turn off the water supply tomorrow or that
they're going to be able to stop the U.S. from moving forces to Iraq.
SCADA is just not as interconnected with either the physical infrastructure
or with other companies' networks as people make out. So the vulnerability
isn't there.
Let me give
you a concrete example. People looked really hard with this Slammer
worm that came up a couple weeks ago -- it came up in early February
-- to see if it had affected any SCADA systems or if there were
any reports of attacks on SCADA systems that led to infrastructure
being crippled. Today, no reports of any successful attacks.
So I'm kind
of doubtful about the ability to penetrate a SCADA system, and then
turn that to some real-world advantage. People can penetrate SCADA,
but they have a hard time turning off the lights. ...
It brings up the question: Have we not seen the damage that could
be simply because the right or wrong people have not been the ones
sending it out?
One of the things
you could say that's good about the efforts that the U.S. has made
to improve network security and cyber security in the last years
is that big companies, a lot of companies have taken steps to make
themselves harder targets. Let me give you an example. Ford Motor
Company was hit by a worm. This was in the New York Times. They
were hit by a worm, and it affected their company networks for a
week. So for a week, e-mail was slowed down, and company communications
were disrupted. It did not, however, affect production at any of
their plants. It didn't affect their Web sites for dealers and for
component makers, and it didn't really affect their performance
as a company.
What companies
will tell you is that they learn each time there's one of these
viruses. They improve their defenses. They learn how to react more
quickly. So the damage caused by each virus has been going down
over time. We're going to continue to see these sorts of attacks.
They're going to be annoying, and you will see opportunity cost
as a result. But I think that people are adjusting to them, and
learning how to continue to operate in a way that means that we're
not as vulnerable as you might think when you hear about things
like Slammer or I Love You.
But a Code Red, they'll come out also with the figures economically
how badly we were hurt. That's something?
Yes. I am trying
to figure out how they come up with these numbers on the value of
cyber attacks. It's like the old days, when you had the values of
e-commerce and it was almost like a random number generator. Some
days, e-commerce was $11 zillion. Some days, e-commerce was at $4
trillion. People just sort of made it up.
When you look
at how you come up with the estimates of the damage caused by a
cyber attack, a lot of it is the resources spent for system administrators
to repair and recover. A lot of it is what you would call opportunity
cost, meaning, my system's offline and, therefore, I didn't make
a sale, for example, that I could have made. Opportunity cost is
a tricky one to value out, because the fact that one company is
down, if another company is up, they might make the sale instead,
right? Or if you're down for a day, the customer might come back
the next day, and make the purchase.
So I think the
problem with opportunity cost, which is a large component of these
estimates, is it inflates the value. In fact, the damage to the
economy is much smaller, much less than you might get in the really
high-end $15 billion, $15 zillion estimates that you see. We need
a better way of accounting for the actual damage of these attacks.
There's no question that there's economic problems, and that's why
we need to take security seriously. It doesn't mean that it's very
useful for terrorists, though.
* James Lewis is a senior fellow and director of technology policy at
the Center for Strategic and International Studies. Prior to joining
CSIS, he spent 16 years at the Departments of State and Commerce.
He calls cyber tactics a "weapon of mass annoyance" rather than a
weapon of mass destruction. Lewis also argues that the debate over
the threat of cyber war is being dominated by computer experts and
that the expertise of national security and defense personnel is needed
for a serious evaluation of the threat. This interview was conducted
on Feb. 18, 2003.