< Assessing the True Threat of Cyberwar

Transcript

Friday, February 15, 2013

  [MUSIC UP AND UNDER]

BROOKE GLADSTONE:  Aasif Mandvi is "The Daily Show's" Senior Muslim Correspondent, among other titles. He is also a stage actor, playwright and, of course, since he’s Indian, has played many, many doctors in the movies. Join me on February 26th at New York Public Radio’s Jerome L. Greene Space for a chat with Aasif Mandvi about comedy, Broadway, making fake news and the challenge of being “the brown guy.” For tickets, go to onthemedia.org.

  [MUSIC/MUSIC OUT]

ANNOUNCER:  WNYC needs your feedback. If you connect to WNYC online or to our mobile app, if you listen to our podcasts or follow us on Facebook or Twitter, please take our online audience survey. Sign up today at wnyc.org/input.

 [MUSIC UP AND UNDER]    

BOB GARFIELD:  From WNYC in New York, this is On the Media. I’m Bob Garfield.

BROOKE GLADSTONE:  And I’m Brooke Gladstone.

HOUSE SPEAKER JOHN BOEHNER:  Members of Congress, I have the high privilege and distinct honor of presenting to you the President of the United States.

  [AUDIENCE APPLAUSE]

PRESIDENT BARACK OBAMA:  Thank you.

  [APPLAUSE]

BROOKE GLADSTONE:  During Tuesday night’s State of the Union speech, along with the President’s call to lift the middle class, raise the minimum wage and invest in new technologies, he highlighted a critical security concern.

PRESIDENT OBAMA:  Earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing and developing standards to protect our national security, our jobs and our privacy.

  [APPLAUSE]

But now, now Congress must act as well by passing legislation to give our government a greater capacity to secure our networks and deter attacks. This is something we should be able to get done on a bipartisan basis.

  [APPLAUSE]

BOB GARFIELD:  The President’s executive order wants the government to share information about potential cyber threats with public and private owners of critical infrastructure. The day after the State of the Union, the Cyber Intelligence Sharing and Protection Act, or CISPA, was reintroduced in the House, after having died last year in the Senate. CISPA shares the same goal as the executive order, but it also wants private entities to share threat information with the government. That makes privacy advocates a little queasy.

BROOKE GLADSTONE:  They may be queasy, but this week the Washington Post reported on a secret document that described Chinese hackers penetrating, quote, “a wide range of sectors, including energy, finance, information technology, aerospace and automotives.” Bloomberg News described Chinese hacker attacks as, quote, “a continuous invasion.”

In the midst of the legislative fight over cyber security last year, OTM’s Alex Goldman decided to look into just how worried we should be about the threat of all-out cyber warfare.

ALEX GOLDMAN:  The alarms have been sounding about attacks like these for years, coming from people like Secretary of Defense and former CIA Director Leon Panetta.

DEFENSE SECRETARY LEON PANETTA:  There’s a strong likelihood that the next Pearl Harbor that we confront could very well be a cyber attack.

ALEX GOLDMAN:  Michigan Congressman Mike Rogers.

CONGRESSMAN MIKE ROGERS:  A cyber attack that could shut down critical infrastructure and potentially cause physical damage to the United States.

ALEX GOLDMAN:  Senate Majority Leader Harry Reid.

SENATE MAJORITY LEADER HARRY REID:  The nation’s top security experts have said a cyber 9/11 is imminent.

ALEX GOLDMAN:  And the screenwriters for the fourth movie in the Die Hard franchise.

  [CLIP]

WOMAN AGENT:  FAA just issued a critical alert.  The entire network went down.

  [SIREN]

MAN:  The transportation system’s crashing and they just hit the entire financial sector.

  [END CLIP]

ALEX GOLDMAN:  These kinds of attacks are not only hard to protect against, they’re hard to identify. In fact, to date there’s only been one verified incident of destroying critical infrastructure via computers. That would be Stuxnet, a complex computer worm believed to be a joint effort of Israel and the United States, that was used against an Iranian nuclear facility. Reportedly, Stuxnet fooled facility workers by making it look as though the plant was functioning normally, while it turned centrifuges at the plant on and off until they broke apart. But Stuxnet was not a classic cyber attack.

JERRY BRITO:  It’s not as if some American soldier was simply at a terminal somewhere and sent commands across the Internet thousands of miles to Iran and caused something to blow up.

ALEX GOLDMAN:  Jerry Brito, director of the Technology Policy Program at George Mason University’s Mercatus Center.

JERRY BRITO:  In order for Stuxnet to take place, you had to have an amazing investment in traditional intelligence, in espionage. You had to have people infiltrate the Natanz facility in Iran to really understand the system that they had in place at that facility. And once they had the weapon, once they had Stuxnet built, they had to get somebody to put it on the computer system.

The problem with folks in Congress being hysterical about cyber war is that they’re sort of giving short shrift to the fact that Stuxnet was incredibly difficult, and the nations that could have the capability that the US would have with Stuxnet are very few.

ALEX GOLDMAN:  In fact, evidence of attacks on American infrastructure are so scant, I assumed cyber war was just a convenient fiction exploited by lawmakers to push unpopular restrictive Internet regulation. But the more I learn about the online vulnerability of US infrastructure, the more serious the threat seems to be. So how scared should you be?

Well, to target a piece of infrastructure, cyber warriors would look for what are called SCADA systems, which control industrial processes, everything from milking machines on dairy farms, to banks of elevators, to water treatment plants. One of the simplest ways to safeguard our infrastructure is to simply keep SCADA systems off of the global Internet, a technique that’s called air gapping. The reason Stuxnet could not be remotely installed on computers at the Iranian nuclear plant is because the system was air gapped. But even though air gapping SCADA systems is ostensibly the industry standard, that doesn’t mean it’s always happening.

ÉIREANN LEVERETT:  I worked in quality assurance for GE Energy for five and a half years.

ALEX GOLDMAN:  Éireann Leverett is a security researcher with IOActive

ÉIREANN LEVERETT:  I heard from my superiors that we didn’t need to do a lot of security testing because these devices were never connected to the Internet. And that’s false on two counts, one that they are connected to some degree and, secondly, that being disconnected they would be entirely secure. There are still issues, even if you’re not connected, for example employees who work for you who mean you harm. So I wanted to combat that.

ALEX GOLDMAN:  Leverett found a way to identify over 12,000 SCADA systems connected to the Internet, including things like:

ÉIREANN LEVERETT:  Water treatment facilities, geothermal heat plans, power plants, dams, bridges, train stations, these sorts of things.

ALEX GOLDMAN:  So should you be scared that according to General Keith Alexander, head of the National Security Agency, there’s been a quote, “17-fold increase in computer attacks on American infrastructure between 2009 and 2011?” Not that scared. None of those attacks have had any impact. There’s a vast difference between accessing a poorly secured piece of infrastructure and causing pipelines to explode. More likely, our enemies would combine some form of cyber attack with traditional warfare.

John Arquilla is a professor of defense analysis at the US Naval Postgraduate School.

JOHN ARQUILLA:  When I introduced the concept of cyber war 20 years ago, in an article called “Cyber War is Coming,” the thing I envisioned most was the use of cyber attacks by militaries in the field to cripple their opponents’ responses, in a way similar to the use of air attacks in the initial Blitzkriegs of 1939 and 1940; they’d knock out communications. Cyber attacks in Georgia in 2008 did just that and greatly enhanced the ability of the Russians to move forward with few casualties and, and quite effectively. This is something that I think is a prototype for what can be done on a larger scale in the future.

ALEX GOLDMAN:  So should you be scared that Arquilla wholeheartedly believes that we’re already in the midst of an escalating cyber war? Not that scared, because he also believes that it may be preferable to traditional warfare.

JOHN ARQUILLA:  Throughout all of history, war was just a matter of hurling mass and energy at your opponents. Now we hurl mass, energy and information. The actual wars that are fought can be waged with far less casualties. I think the possibility of using cyber attack to cripple the military command and control of two countries getting ready to go at it with each other, were it done under some kind of international control, such as the Blue Helmets of the UN clicking for the cause, that also is pretty cool to, to think about.

The not-so-cool part is do we, because of the ease of having cyber warfare, do we intervene more often? As Robert E. Lee once said, “It is well that war is so terrible. Otherwise, we should grow too fond of it.” Well, cyber war may not be so terrible, and we may grow over-fond of it.

ALEX GOLDMAN:  In his book, Confront and Conceal, the New York Times’ David Sanger shows that the US might already be applying Arquilla’s vision of cyber war.

DAVID SANGER:  You know, if you look back at what has been different about the Obama approach to national security, it’s been the embrace of something called the “light footprint strategy.” The idea here is to find a way for the United States to be able to deal with its adversaries without sending 100,000 troops, without occupying a nation for five years, without spending several hundred billion or a trillion dollars. So, light footprint strategies involve usually high tech weaponry that’s a lot less expensive and doesn’t put personnel at risk. The difficulty, of course, is that in the case of a cyber campaign not just states hold the monopoly on the weapons here.

ALEX GOLDMAN:  Many interviewed for this story shared Sanger’s fear that the democratization of technology enables not just nation states but common criminals, curious hackers and activist groups like Anonymous to wage war. John Arquilla warns us to beware the boomerang effect.

JOHN ARGUILLA:  The first time around with Stuxnet, there may have been some investment required. There are hackers already who have reverse engineered it. And guess what, the next weapons are a lot easier. There’s no question that a new arms race is underway, and the problem, of course, is that every time you use one of these techniques, you have signaled how to develop these weapons. So yeah, the race is on and, unfortunately, it’s not going to be limited to a few great powers. Everybody’s in this race.

ALEX GOLDMAN:  The Armed Forces’ Cyber Command Unit, now about 900 strong, has announced that it will expand to nearly 5,000 employees, but civilian businesses have yet to settle on a regulatory standard for security that they can live with. The challenge is meeting potential threats without sacrificing individual privacy. In fact, every debate over the Internet seems to be about protecting privacy, whether in personal relationships, commerce or now even in war. For On the Media, I’m Alex Goldman.

BOB GARFIELD:  And in related news, there’s thisThe Pentagon this week announced that it’s created a new medal for troops who have a direct impact on combat operations but do it off the battlefield. That means the Distinguished Warfare Medal will be open to drone pilots and those engaged in cyber warfare.

 [MUSIC UP AND UNDER]

One caveat, since the Department of Defense doesn’t publicly acknowledge offensive cyber operations, the medals too might be secret.

Guests:

John Arquilla, Jerry Brito, Eireann Leverett and David Sanger

Produced by:

Alex Goldman