Cyber Insecurity: U.S.

Struggles To Confront Threat

by TOM GJELTEN

First of a three-part series

April 6, 2010 text size A A A

Americans do not often hear that someone has

found a way to overcome U.S. defenses, but
military and intelligence officials have been
sounding downright alarmist lately with their
warnings that the country is ill-prepared to deal
with a cyberattack.

Director of National Intelligence Dennis Blair

opened his annual survey of security threats in
February by advising Congress that "malicious
cyberactivity is growing at an unprecedented
Enlarge Manuel Balce Ceneta/AP
rate," and that the country's efforts to defend
Director of National Intelligence Dennis Blair testifies before
the House Intelligence Committee in February on the annual
against cyberattacks "are not strong enough."
threats assessment of the U.S. intelligence community.
Blair's predecessor as intelligence chief, Mike
McConnell, was even more candid in a Washington Post commentary later that month.

"The United States is fighting a cyberwar today," McConnell wrote, "and we are losing."

No country in the world is more dependent on its computers than the United States. Data networks
now underlie the U.S. power grid, its military operations and the telecommunications, banking and
transportation systems. That means the U.S. is uniquely vulnerable to sophisticated computer
hackers.

'Explosion' Of Computer Attacks

Timeline:
Cybervulnerabilities The Pentagon's Quadrennial Defense Review, released in February,
reported that the department's computer networks "are infiltrated daily by
Read a timeline of major
myriad of sources, ranging from small groups of individuals to some of the
cybersecurity incidents
since 2007.
largest countries in the world." A senior defense official who follows the
cyberthreat closely tells NPR that in the past two years, the Pentagon has
experienced an "explosion" of computer attacks, currently averaging
about 5,000 each day.

One of the biggest was in 2007, when hackers targeted the Pentagon, NASA and the departments
of Energy, Commerce and State. The origin of the attack was unknown, but U.S. officials suspect it
came from China. Among the victims was Defense Secretary Robert Gates, whose unclassified e-
mail account was penetrated.

James Lewis, a cyber-expert at the Center for Strategic and International Studies, says the 2007
hackers gained access to massive amounts of U.S. government data — some of it important, some
of it worthless.
"In fact, I felt sorry [for them]," Lewis says. "Some guy, probably in Beijing, is having to sit there and
translate state dinner menus from 1994. He's probably going nuts."

A 2003 computer attack so impressed the FBI that

agents gave it a code name: Titan Rain. The hackers
managed to penetrate a variety of military networks
The difference between
without being detected.
cybercrime, cyber-
"There's still some debate about who did it and why they espionage, and cyberwar
did it," says Richard Clarke, who was a top cybersecurity is a couple of keystrokes.
adviser to Presidents Bill Clinton and George W. Bush.
The same technique that
"But it proved that it is possible to get into even well-
defended networks and exfiltrate terabytes of information
gets you in to steal
— and nothing can be done about it." money, patented
blueprint information or
U.S. officials estimate that the 2007 attacks and Titan chemical formulas is the
Rain each resulted in the loss of as much as 10
same technique that a
terabytes of data, an amount roughly comparable to the
contents of the entire Library of Congress. There have nation-state would use to
been other large, and possibly related, attacks as well. get in and destroy things.

"Some people say there's really been only one event,

ongoing for years, and it's just that we occasionally - Richard Clarke, cybersecurity
stumble on it," says Lewis, who served as the project adviser to presidents Bill Clinton
director of the center's Commission on Cybersecurity for and George W. Bush
the 44th Presidency.

A New Crime Category Emerging?

The cyberattacks are also becoming more sophisticated and harder to trace. Hackers in China, for
example, are now able to take control of thousands of personal computers in the United States
simultaneously, and remotely command them to send out bogus e-mails or viruses. Such robot
computer networks, called Bot Nets, can do great damage when directed by malicious hackers.

"People who have computers and no [anti-virus] protection are susceptible to being captured,
unknown to them," says Harry Raduege, a retired Air Force lieutenant general and former
commander of the Pentagon's Joint Task Force for Global Network Operations. "They could then
become part of a Bot Net army that could be used to attack an organization, a nation or an
industry."

Up to now, most computer attacks have fallen under the category "cybercrime." There have not yet
been any significant acts of cyberterrorism, though U.S. intelligence officials say al-Qaida and other
terrorist groups are committed to developing a cyber capability.

Goals Change, Threat Stays The Same

Attacks traceable to foreign governments and corporations, according to cyber-experts, have

largely been for espionage purposes — at least until now. The December 2009 attack on Google
and other companies operating in China was apparently an effort to steal industrial secrets,
according to U.S. and company officials.

Still, the danger of an all-out cyberwar remains pressing.

"The difference between cybercrime, cyber-espionage, and cyberwar is a couple of keystrokes,"

says Clarke, who authored a forthcoming book on cyberthreats. "The same technique that gets you
in to steal money, patented blueprint information or chemical formulas is the same technique that a
nation-state would use to get in and destroy things."

The big fear is that an adversary, in the heat of a cyberwar, might try to take down the U.S. power
grid, telephone network or transportation system.

"My guess is that it's only a few advanced militaries that could damage the electrical grid or
damage some other networks," Lewis says. "But they have that capability. They have probably
done the reconnaissance necessary to use it, and if we got into a fight, we could expect some kind
of cyberattack."

Covering A Vast Space

Asked about the U.S. capability to defend itself from such an attack, Lewis, the cyber-expert with
CSIS, feigns a shocked look.

"I didn't realize we had defensive capabilities," he says.

He adds, laughing, "No, that's not fair. How can I say that?"

Raduege, who is now directing the Deloitte Center for Cyber Innovation, argues that some attacks
on the Pentagon have been countered relatively well, such as the 2007 incident that resulted in the
penetration of Gates' personal e-mail account.

"When the secretary was attacked, of course someone got in. But somebody also noticed it right
away, was able to isolate those attackers, clean up the system, and then put the users back online
immediately," Raduege says. "So I think that's a real tribute to the people who are really fighting
the network, as we say. It's a real battle space."

The problem for U.S. cyberwarriors is that the "battle space" is so vast.

"The government has its hands full defending the Defense Department and the intelligence
community," says Clarke. "And, really, about the only parts of the U.S. government that are
moderately well-defended [are] the Pentagon and the CIA."

Improving Overall Quality

Cyberdefense efforts at other government departments are spotty at best. The Treasury
Department is doing "a relatively good job," Lewis says. But he adds that other agencies are doing
"a relatively dreadful job."

"They may as well just change their passwords to 'Welcome, Chinese Friends,' " he says.
As for the critical civilian infrastructure, including the power, telecommunication and transportation
grids, it is largely in private hands, meaning the U.S. military is not authorized to protect it.

In recognition of the country's vulnerability to computer attacks, the Pentagon has established a
new U.S. Cyber Command, due to be directed by a four-star general, and the Obama
administration has designated a cybersecurity coordinator, with responsibilities that extend across
all U.S. government agencies. Still, critics say more must be done.

"Right now, the government is saying that Cyber Command will defend the military and the
intelligence community. Homeland Security Department will defend the rest of the federal
government," says Clarke. "The rest of us are on our own."

Timeline: Major Cybersecurity Incidents Since 2007

by TOM GJELTEN

April 5, 2010
April-June 2007

A series of cyberattacks on U.S. government

agencies and departments results in the loss of
10 terabytes to 20 terabytes of data. That's
more data than what's stored in the Library of
Congress. Defense Secretary Robert Gates'
unclassified e-mail account is hacked.

May 2007

Estonia's Parliament, banks, ministries and

news media face "distributed denial of service,"
or DDoS, attacks. In DDoS attacks, Web sites
are inundated with traffic, causing them to
collapse. The attacks come as Estonia is in a
heated dispute with Russia over the relocation
of a Soviet-era war memorial. Estonian officials
blame the Kremlin for the attacks.

October 2007

An e-mail sent to 1,000 staff members at the

Mikkel William/iStockphoto.com Department of Energy's Oak Ridge National
U.S. government and private computer networks find
themselves facing much more frequent and much more
Labs contains an attachment that accesses the
sophisticated cyberintrusions. lab's nonclassified databases.

August 2008

Hackers insert pictures of Adolf Hitler into the country of Georgia's Foreign Ministry Web site, while
other government Web sites are disabled by DDoS attacks. The cyberattacks come as Russian
forces engage in combat with Georgian troops. U.S. intelligence officials conclude that the Russian
government was behind the attacks, perhaps acting through organized crime channels.

August-October 2008

Hackers gain access to e-mails and computer files at the presidential campaign headquarters for
John McCain and Barack Obama. Investigators reportedly trace the penetrations to computers in
China.

November-December 2008

Several thousand military computers at the Tampa, Fla.-based U.S. Central Command, the
headquarters for military operations between east Africa and central Asia, are infected with
malicious software. Investigators conclude that the malware was introduced via thumb drives that
had been scattered in a parking lot.

March 2009

Researchers at the University of Toronto announce that they have discovered an extensive
cyberespionage network, which they call "GhostNet." The GhostNet operators are said to have
infected 1,295 host computers in 103 countries around the world. The researchers cannot
conclusively identify the GhostNet operators but suspect Chinese involvement.

July 2009

Cyberattacks are launched against government, financial and media Web sites in South Korea and
the U.S. Among those targeted is washingtonpost.com, the newspaper site. South Korea blames
North Korea for the attacks, but the origin of the attacks is not determined.

December 2009

Google and more than 30 other U.S. companies in China are subject to significant computer
attacks, resulting in the loss of technological secrets.

Source: Center for Strategic and International Studies (Technology and Public Policy Program);
news reports

Related NPR Stories

Timeline: Major Cybersecurity Incidents Since 2007 April 5, 2010
Assessing The Threat Of Cyberterrorism Feb. 10, 2010
Al-Qaida, Cyberattacks Top U.S. Threat List Feb. 2, 2010
Fighting Cybercrime, One Digital Thug At A Time Jan. 26, 2010
Cybersecurity On Display In D.C. Oct. 7, 2009
A Tech Fix For Illegal Government Snooping? July 13, 2009