NY Time Document



http://www.nytimes.com/2014/03/23/world/asia/nsa-breached-chinese-servers-seen-as-spy-peril.html?_r=0


WASHINGTON — American officials have long considered Huawei, the Chinese telecommunications giant, a security threat, blocking it from business deals in the United States for fear that the company would create "back doors" in its equipment that could allow the Chinese military or Beijing-backed hackers to steal corporate and government secrets.

But even as the United States made a public case about the dangers of buying from Huawei, classified documents show that the National Security Agency was creating its own back doors — directly into Huawei’s networks.

The agency pried its way into the servers in Huawei’s sealed headquarters in Shenzhen, China’s industrial heart, according to N.S.A. documents provided by the former contractor Edward J. Snowden. It obtained information about the workings of the giant routers and complex digital switches that Huawei boasts connect a third of the world’s population, and monitored communications of the company’s top executives.

One of the goals of the operation, code-named "Shotgiant," was to find any links between Huawei and the People’s Liberation Army, one 2010 document made clear. But the plans went further: to exploit Huawei’s technology so that when the company sold equipment to other countries — including both allies and nations that avoid buying American products — the N.S.A. could roam through their computer and telephone networks to conduct surveillance and, if ordered by the president, offensive cyberoperations.

Photo: Ren Zhengfei, founder of Huawei, is seen as a Chinese version of Steve Jobs. Credit: Dmitry Lovetsky/Associated Press

"Many of our targets communicate over Huawei-produced products," the N.S.A. document said. "We want to make sure that we know how to exploit these products," it added, to "gain access to networks of interest" around the world.

The documents were disclosed by The New York Times and Der Spiegel, and are also part of a book by Der Spiegel, "The N.S.A. Complex." The documents, as well as interviews with intelligence officials, offer new insights into the United States’ escalating digital cold war with Beijing. While President Obama and China’s president, Xi Jinping, have begun talks about limiting the cyber conflict, it appears to be intensifying.

The N.S.A., for example, is tracking more than 20 Chinese hacking groups — more than half of them Chinese Army and Navy units — as they break into the networks of the United States government, companies including Google, and drone and nuclear-weapon part makers, according to a half-dozen current and former American officials.

If anything, they said, the pace has increased since the revelation last year that some of the most aggressive Chinese hacking originated at a People’s Liberation Army facility, Unit 61398, in Shanghai.

The Obama administration distinguishes between the hacking and corporate theft that the Chinese conduct against American companies to buttress their own state-run businesses, and the intelligence operations that the United States conducts against Chinese and other targets.

American officials have repeatedly said that the N.S.A. breaks into foreign networks only for legitimate national security purposes.

A White House spokeswoman, Caitlin M. Hayden, said: "We do not give intelligence we collect to U.S. companies to enhance their international competitiveness or increase their bottom line. Many countries cannot say the same."

But that does not mean the American government does not conduct its own form of corporate espionage with a different set of goals. Those concerning Huawei were described in the 2010 document.


"If we can determine the company’s plans and intentions," an analyst wrote, "we hope that this will lead us back to the plans and intentions of the PRC," referring to the People’s Republic of China. The N.S.A. saw an additional opportunity: As Huawei invested in new technology and laid undersea cables to connect its $40 billion-a-year networking empire, the agency was interested in tunneling into key Chinese customers, including "high priority targets — Iran, Afghanistan, Pakistan, Kenya, Cuba."
Acting to Block a Chinese Telecom Giant


Over the past seven years, the United States government has taken steps to block the Chinese telecommunications and internet giant Huawei from gaining a foothold here, fearing that the company could act on behalf of the Chinese military to gain access to government and corporate secrets. The company was founded in 1987 and by the mid-90s had begun making inroads into the U.S. telecom equipment market.

U.S. RELATIONS WITH HUAWEI


2003–4 Cisco sues Huawei for stealing source code; the suit is settled with neither side revealing terms.

2005 The Air Force hires the RAND corporation to examine threats from Chinese networking firms; it concludes there is a "digital triangle" of Chinese military, state research groups, and companies like Huawei.

2007 The National Security Administration begins its "Shotgiant" effort to pierce Huawei’s networks and exploit its systems.

2008 The U.S. blocks Huawei from buying 3Com on national security grounds.

2010 The U.S. persuades Australia to kill a plan to let Huawei build a national broadband network.

2011 In an open letter to the U.S., Huawei denies that it is a front for the Chinese government, and invites investigation.

2012 The House Intelligence Committee produces a long report urging the U.S. to "block acquisitions, takeovers or mergers" with Huawei, and to exclude its equipment from U.S. systems.

2013 The U.S. approves purchase of Sprint Nextel by Softbank Corporation, but under conditions that probably exclude Huawei equipment.



Vice President Joseph R. Biden Jr., on a trip to Seoul, urges South Korea to kill a contract for Huawei to build an advanced telecom network for Seoul.



They have blocked his company at every turn: pressing Sprint to kill a $3 billion deal to buy Huawei’s fourth generation, or 4G, network technology; scuttling a planned purchase of 3Com for fear that Huawei would alter computer code sold to the United States military; and pushing allies, like Australia, to back off from major projects.

As long ago as 2007, the N.S.A. began a covert program against Huawei, the documents show. By 2010, the agency’s Tailored Access Operations unit — which breaks into hard-to-access networks — found a way into Huawei’s headquarters. The agency collected Mr. Ren’s communications, one document noted, though analysts feared they might be missing many of them.

N.S.A. analysts made clear that they were looking for more than just "signals intelligence" about the company and its connections to Chinese leaders; they wanted to learn how to pierce its systems so that when adversaries and allies bought Huawei equipment, the United States would be plugged into those networks. (The Times withheld technical details of the operation at the request of the Obama administration, which cited national security concerns.)

The N.S.A.’s operations against China do not stop at Huawei. Last year, the agency cracked two of China’s biggest cellphone networks, allowing it to track strategically important Chinese military units, according to an April 2013 document leaked by Mr. Snowden. Other major targets, the document said, are the locations where the Chinese leadership works. The country’s leaders, like everyone else, are constantly upgrading to better, faster Wi-Fi — and the N.S.A. is constantly finding new ways in.
Hack Attacks Accelerate


Chinese state attacks have only accelerated in recent years, according to the current and former intelligence officials, who spoke on condition of anonymity about classified information.

A dozen P.L.A. military units — aside from Unit 61398 — do their hacking from eavesdropping posts around China, and though their targets were initially government agencies and foreign ministries around the world, they have since expanded into the private sector. For example, officials point to the First Bureau of the army’s Third Department, which the N.S.A. began tracking in 2004 after it hacked into the Pentagon’s networks. The unit’s targets have grown to include telecom and technology companies that specialize in networking and encryption equipment — including some Huawei competitors.

For some of its most audacious attacks, China relies on hackers at state-funded universities and privately owned Chinese technology companies, apparently as much for their skills as for the plausible deniability it offers the state if it gets caught. The N.S.A. is tracking more than half a dozen such groups suspected of operating at the behest of the Chinese Ministry of State Security, China’s civilian spy agency, the officials said.

Their targets, they noted, closely align with China’s stated economic and strategic directives. As China strove to develop drones and next-generation ballistic and submarine-launched missiles in recent years, the N.S.A. and its partners watched as one group of privately employed engineers based in Guangzhou in southern China pilfered the blueprints to missile, satellite, space, and nuclear propulsion technology from businesses in the United States, Canada, Europe, Russia and Africa.


And as China strove to make its own inroads on the web, officials said another group of private hackers infiltrated Google, Adobe and dozens of other global technology companies in 2010. Lately, the officials said, that group and its counterparts are also going after security firms, banks, chemical companies, automakers and even nongovernment organizations.

"China does more in terms of cyberespionage than all other countries put together," said James A. Lewis, a computer security expert at the Center for Strategic and International Studies in Washington.

"The question is no longer which industries China is hacking into," he added. "It’s which industries they aren’t hacking into."
Correction: March 26, 2014


An article on Sunday about the National Security Agency’s infiltration of the servers of a Chinese telecommunications company considered by the United States to be a security threat misspelled, in two instances, the name of the company. It is Huawei, not Huawai.
In Digital Combat, U.S. Finds No Easy Deterrent

By JOHN MARKOFF, DAVID E. SANGER and THOM SHANKER

This article was reported by John Markoff, David E. Sanger and Thom Shanker, and written by Mr. Sanger. WASHINGTON -- On a Monday morning earlier this month, top Pentagon leaders gathered to simulate how they would respond to a sophisticated cyberattack aimed at paralyzing the nation's power...

January 26, 2010, Tuesday

CYBERWAR; In Digital Combat, U.S. Finds No Easy Deterrent

By JOHN MARKOFF, DAVID E. SANGER and THOM SHANKER

Published: January 26, 2010




This article was reported by John Markoff, David E. Sanger and Thom Shanker, and written by Mr. Sanger.

WASHINGTON -- On a Monday morning earlier this month, top Pentagon leaders gathered to simulate how they would respond to a sophisticated cyberattack aimed at paralyzing the nation's power grids, its communications systems or its financial networks.

The results were dispiriting. The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What's more, the military commanders noted that they even lacked the legal authority to respond -- especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.

What some participants in the simulation knew -- and others did not -- was that a version of their nightmare had just played out in real life, not at the Pentagon where they were meeting, but in the far less formal war rooms at Google Inc. Computers at Google and more than 30 other companies had been penetrated, and Google's software engineers quickly tracked the source of the attack to seven servers in Taiwan, with footprints back to the Chinese mainland.

After that, the trail disappeared into a cloud of angry Chinese government denials, and then an ugly exchange of accusations between Washington and Beijing. That continued Monday, with Chinese assertions that critics were trying to ''denigrate China'' and that the United States was pursuing ''hegemonic domination'' in cyberspace.

These recent events demonstrate how quickly the nation's escalating cyberbattles have outpaced the rush to find a deterrent, something equivalent to the cold-war-era strategy of threatening nuclear retaliation.

So far, despite millions of dollars spent on studies, that quest has failed. Last week, Secretary of State Hillary Rodham Clinton made the most comprehensive effort yet to warn potential adversaries that cyberattacks would not be ignored, drawing on the language of nuclear deterrence.

''States, terrorists and those who would act as their proxies must know that the United States will protect our networks,'' she declared in a speech on Thursday that drew an angry response from Beijing. ''Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government and our civil society.''

But Mrs. Clinton did not say how the United States would respond, beyond suggesting that countries that knowingly permit cyberattacks to be launched from their territories would suffer damage to their reputations, and could be frozen out of the global economy.

There is, in fact, an intense debate inside and outside the government about what the United States can credibly threaten. One alternative could be a diplomatic démarche, or formal protest, like the one the State Department said was forthcoming, but was still not delivered, in the Google case. Economic retaliation and criminal prosecution are also possibilities.

Inside the National Security Agency, which secretly scours overseas computer networks, officials have debated whether evidence of an imminent cyberattack on the United States would justify a pre-emptive American cyberattack -- something the president would have to authorize. In an extreme case, like evidence that an adversary was about to launch an attack intended to shut down power stations across America, some officials argue that the right response might be a military strike.

''We are now in the phase that we found ourselves in during the early 1950s, after the Soviets got the bomb,'' said Joseph Nye, a professor at the Kennedy School at Harvard. ''It won't have the same shape as nuclear deterrence, but what you heard Secretary Clinton doing was beginning to explain that we can create some high costs for attackers.''

Fighting Shadows

When the Pentagon summoned its top regional commanders from around the globe for meetings and a dinner with President Obama on Jan. 11, the war game prepared for them had nothing to do with Afghanistan, Iraq or Yemen. Instead, it was the simulated cyberattack -- a battle unlike any they had engaged in.

Participants in the war game emerged with a worrisome realization. Because the Internet has blurred the line between military and civilian targets, an adversary can cripple a country -- say, freeze its credit markets -- without ever taking aim at a government installation or a military network, meaning that the Defense Department's advanced capabilities may not be brought to bear short of a presidential order.

''The fact of the matter,'' said one senior intelligence official, ''is that unless Google had told us about the attack on it and other companies, we probably never would have seen it. When you think about that, it's really scary.''

William J. Lynn III, the deputy defense secretary, who oversaw the simulation, said in an interview after the exercise that America's concepts for protecting computer networks reminded him of one of defensive warfare's great failures, the Maginot Line of pre-World War II France.




 

Mr. Lynn, one of the Pentagon's top strategists for computer network operations, argues that the billions spent on defensive shields surrounding America's banks, businesses and military installations provide a similarly illusory sense of security.

''A fortress mentality will not work in cyber,'' he said. ''We cannot retreat behind a Maginot Line of firewalls. We must also keep maneuvering. If we stand still for a minute, our adversaries will overtake us.''

The Pentagon simulation and the nearly simultaneous real-world attacks on Google and more than 30 other companies show that those firewalls are falling fast. But if it is obvious that the government cannot afford to do nothing about such breaches, it is also clear that the old principles of retaliation -- you bomb Los Angeles, we'll destroy Moscow -- just do not translate.

''We are looking beyond just the pure military might as the solution to every deterrence problem,'' said Gen. Kevin P. Chilton, in charge of the military's Strategic Command, which defends military computer networks. ''There are other elements of national power that can be brought to bear. You could deter a country with some economic moves, for example.''

But first you would have to figure out who was behind the attack.

Even Google's engineers could not track, with absolute certainty, the attackers who appeared to be trying to steal their source code and, perhaps, insert a ''Trojan horse'' -- a backdoor entryway to attack -- in Google's search engines. Chinese officials have denied their government was involved, and said nothing about American demands that it investigate. China's denials, American officials say, are one reason that President Obama has said nothing in public about the attacks -- a notable silence, given that he has made cybersecurity a central part of national security strategy.

''You have to be quite careful about attributions and accusations,'' said a senior administration official deeply involved in dealing with the Chinese incident with Google. The official was authorized by the Obama administration to talk about its strategy, with the condition that he would not be named.

''It's the nature of these attacks that the forensics are difficult,'' the official added. ''The perpetrator can mask their involvement, or disguise it as another country's.'' Those are known as ''false flag'' attacks, and American officials worry about being fooled by a dissident group, or a criminal gang, into retaliating against the wrong country.

Nonetheless, the White House said in a statement that ''deterrence has been a fundamental part of the administration's cybersecurity efforts from the start,'' citing work in the past year to protect networks and ''international engagement to influence the behavior of potential adversaries.''

Left unsaid is whether the Obama administration has decided whether it would ever threaten retaliatory cyberattacks or military attacks after a major cyberattack on American targets. The senior administration official provided by the White House, asked about Mr. Obama's thinking on the issue, said: ''Like most operational things like this, the less said, the better.'' But he added, ''there are authorities to deal with these attacks residing in many places, and ultimately, of course, with the president.''

Others are less convinced. ''The U.S. is widely recognized to have pre-eminent offensive cybercapabilities, but it obtains little or no deterrent effect from this,'' said James A. Lewis, director of the Center for Strategic and International Studies program on technology and public policy.

In its final years, the Bush administration started a highly classified effort, led by Melissa Hathaway, to build the foundations of a national cyberdeterrence strategy. ''We didn't even come close,'' she said in a recent interview. Her hope had been to recreate Project Solarium, which President Dwight D. Eisenhower began in the sunroom of the White House in 1953, to come up with new ways of thinking about the nuclear threats then facing the country. ''There was a lot of good work done, but it lacked the rigor of the original Solarium Project. They didn't produce what you need to do decision making.''

Ms. Hathaway was asked to stay on to run Mr. Obama's early review. Yet when the unclassified version of its report was published in the spring, there was little mention of deterrence. She left the administration when she was not chosen as the White House cybersecurity coordinator. After a delay of seven months, that post is now filled: Howard A. Schmidt, a veteran computer specialist, reported for work last week, just as the government was sorting through the lessons of the Google attack and calculating its chances of halting a more serious one in the future.

Government-Corporate Divide



 

In nuclear deterrence, both the Americans and the Soviets knew it was all or nothing: the Cuban missile crisis was resolved out of fear of catastrophic escalation. But in cyberattacks, the damage can range from the minor to the catastrophic, from slowing computer searches to bringing down a country's cellphone networks, neutralizing its spy satellites, or crashing its electrical grid or its air traffic control systems. It is difficult to know if small attacks could escalate into bigger ones.

So part of the problem is to calibrate a response to the severity of the attack.




The government has responded to the escalating cyberattacks by ordering up new strategies and a new United States Cyber Command. The office of Defense Secretary Robert M. Gates -- whose unclassified e-mail system was hacked in 2007 -- is developing a ''framework document'' that would describe the threat and potential responses, and perhaps the beginnings of a deterrence strategy to parallel the one used in the nuclear world.

The new Cyber Command, if approved by Congress, would be run by Lt. Gen. Keith B. Alexander, head of the National Security Agency. Since the agency spies on the computer systems of foreign governments and terrorist groups, General Alexander would, in effect, be in charge of both finding and, if so ordered, neutralizing cyberattacks in the making.

But many in the military, led by General Chilton of the Strategic Command and Gen. James E. Cartwright, the vice chairman of the Joint Chiefs of Staff, have been urging the United States to think more broadly about ways to deter attacks by threatening a country's economic well-being or its reputation.

Mrs. Clinton went down that road in her speech on Thursday, describing how a country that cracked down on Internet freedom or harbored groups that conduct cyberattacks could be ostracized. But though sanctions might work against a small country, few companies are likely to shun a market the size of China, or Russia, because they disapprove of how those governments control cyberspace or use cyberweapons.

That is what makes the Google-China standoff so fascinating. Google broke the silence that usually surrounds cyberattacks; most American banks or companies do not want to admit their computer systems were pierced. Google has said it will stop censoring searches conducted by Chinese, even if that means being thrown out of China. The threat alone is an attempt at deterrence: Google's executives are essentially betting that Beijing will back down, lift censorship of searches and crack down on the torrent of cyberattacks that pour out of China every day. If not, millions of young Chinese will be deprived of the Google search engine, and be left to the ones controlled by the Chinese government.

An Obama administration official who has been dealing with the Chinese mused recently, ''You could argue that Google came up with a potential deterrent for the Chinese before we did.''

Cyberwar: Computers, indispensable in peace, are becoming ever more important in political conflicts and open warfare. This article is part of a series examining the growing use of computer power as a weapon. Previous articles: nytimes.com/cyberwar.

PHOTOS (PHOTOGRAPHS BY AP PHOTO/NG HAN GUAN; ANDREW HARRER/BLOOMBERG NEWS); President Obama with Howard A. Schmidt, the White House cybersecurity coordinator. (PHOTOGRAPH BY LAWRENCE JACKSON/THE WHITE HOUSE); Melissa Hathaway began work on cybersecurity under President George W. Bush and continued it into the Obama administration. (PHOTOGRAPH BY OZIER MUHAMMAD/THE NEW YORK TIMES) (A6)

CHARTS: Mutually Assured Destruction 2.0: Many of the cyberattacks of the past 10 years seem to have originated from China, though it is difficult to pinpoint their sources conclusively. Counterattacks and cyberoffensives by the United States remain highly classified. Below, a recent history of cyberattacks on the United States and some strategic countermeasures. Chart columns: ATTACKS; COUNTERMEASURES (A6)





William J. Lynn III, the deputy defense secretary, who oversaw the simulation, said in an interview after the exercise that America’s concepts for protecting computer networks reminded him of one of defensive warfare’s great failures, the Maginot Line of pre-World War II France.

Mr. Lynn, one of the Pentagon’s top strategists for computer network operations, argues that the billions spent on defensive shields surrounding America’s banks, businesses and military installations provide a similarly illusory sense of security.

"A fortress mentality will not work in cyber," he said. "We cannot retreat behind a Maginot Line of firewalls. We must also keep maneuvering. If we stand still for a minute, our adversaries will overtake us."

The Pentagon simulation and the nearly simultaneous real-world attacks on Google and more than 30 other companies show that those firewalls are falling fast. But if it is obvious that the government cannot afford to do nothing about such breaches, it is also clear that the old principles of retaliation — you bomb Los Angeles, we’ll destroy Moscow — just do not translate.

"We are looking beyond just the pure military might as the solution to every deterrence problem," said Gen. Kevin P. Chilton, in charge of the military’s Strategic Command, which defends military computer networks. "There are other elements of national power that can be brought to bear. You could deter a country with some economic moves, for example."

But first you would have to figure out who was behind the attack.

Even Google’s engineers could not track, with absolute certainty, the attackers who appeared to be trying to steal their source code and, perhaps, insert a "Trojan horse" — a backdoor entryway to attack — in Google’s search engines. Chinese officials have denied their government was involved, and said nothing about American demands that it investigate. China’s denials, American officials say, are one reason that President Obama has said nothing in public about the attacks — a notable silence, given that he has made cybersecurity a central part of national security strategy.

"You have to be quite careful about attributions and accusations," said a senior administration official deeply involved in dealing with the Chinese incident with Google. The official was authorized by the Obama administration to talk about its strategy, with the condition that he would not be named.

"It’s the nature of these attacks that the forensics are difficult," the official added. "The perpetrator can mask their involvement, or disguise it as another country’s." Those are known as "false flag" attacks, and American officials worry about being fooled by a dissident group, or a criminal gang, into retaliating against the wrong country.

Nonetheless, the White House said in a statement that "deterrence has been a fundamental part of the administration’s cybersecurity efforts from the start," citing work in the past year to protect networks and "international engagement to influence the behavior of potential adversaries."

Left unsaid is whether the Obama administration has decided whether it would ever threaten retaliatory cyberattacks or military attacks after a major cyberattack on American targets. The senior administration official provided by the White House, asked about Mr. Obama’s thinking on the issue, said: "Like most operational things like this, the less said, the better." But he added, "there are authorities to deal with these attacks residing in many places, and ultimately, of course, with the president."

Others are less convinced. "The U.S. is widely recognized to have pre-eminent offensive cybercapabilities, but it obtains little or no deterrent effect from this," said James A. Lewis, director of the Center for Strategic and International Studies program on technology and public policy.

In its final years, the Bush administration started a highly classified effort, led by Melissa Hathaway, to build the foundations of a national cyberdeterrence strategy. "We didn’t even come close," she said in a recent interview. Her hope had been to recreate Project Solarium, which President Dwight D. Eisenhower began in the sunroom of the White House in 1953, to come up with new ways of thinking about the nuclear threats then facing the country. "There was a lot of good work done, but it lacked the rigor of the original Solarium Project. They didn’t produce what you need to do decision making."

Ms. Hathaway was asked to stay on to run Mr. Obama’s early review. Yet when the unclassified version of its report was published in the spring, there was little mention of deterrence. She left the administration when she was not chosen as the White House cybersecurity coordinator. After a delay of seven months, that post is now filled: Howard A. Schmidt, a veteran computer specialist, reported for work last week, just as the government was sorting through the lessons of the Google attack and calculating its chances of halting a more serious one in the future.

Government-Corporate Divide



In nuclear deterrence, both the Americans and the Soviets knew it was all or nothing: the Cuban missile crisis was resolved out of fear of catastrophic escalation. But in cyberattacks, the damage can range from the minor to the catastrophic, from slowing computer searches to bringing down a country’s cellphone networks, neutralizing its spy satellites, or crashing its electrical grid or its air traffic control systems. It is difficult to know if small attacks could escalate into bigger ones.


So part of the problem is to calibrate a response to the severity of the attack.

The government has responded to the escalating cyberattacks by ordering up new strategies and a new United States Cyber Command. The office of Defense Secretary Robert M. Gates — whose unclassified e-mail system was hacked in 2007 — is developing a "framework document" that would describe the threat and potential responses, and perhaps the beginnings of a deterrence strategy to parallel the one used in the nuclear world.

The new Cyber Command, if approved by Congress, would be run by Lt. Gen. Keith B. Alexander, head of the National Security Agency. Since the agency spies on the computer systems of foreign governments and terrorist groups, General Alexander would, in effect, be in charge of both finding and, if so ordered, neutralizing cyberattacks in the making.

But many in the military, led by General Chilton of the Strategic Command and Gen. James E. Cartwright, the vice chairman of the Joint Chiefs of Staff, have been urging the United States to think more broadly about ways to deter attacks by threatening a country’s economic well-being or its reputation.

Mrs. Clinton went down that road in her speech on Thursday, describing how a country that cracked down on Internet freedom or harbored groups that conduct cyberattacks could be ostracized. But though sanctions might work against a small country, few companies are likely to shun a market the size of China, or Russia, because they disapprove of how those governments control cyberspace or use cyberweapons.

That is what makes the Google-China standoff so fascinating. Google broke the silence that usually surrounds cyberattacks; most American banks or companies do not want to admit their computer systems were pierced. Google has said it will stop censoring searches conducted by Chinese, even if that means being thrown out of China. The threat alone is an attempt at deterrence: Google’s executives are essentially betting that Beijing will back down, lift censorship of searches and crack down on the torrent of cyberattacks that pour out of China every day. If not, millions of young Chinese will be deprived of the Google search engine, and be left to the ones controlled by the Chinese government.

An Obama administration official who has been dealing with the Chinese mused recently, "You could argue that Google came up with a potential deterrent for the Chinese before we did."

Old Trick Threatens the Newest Weapons

By JOHN MARKOFF

Trojan horses hidden in equipment circuitry could pose severe threats in a war in which communications and weaponry rely on computer technology.

Despite a six-year effort to build trusted computer chips for military systems, the Pentagon now manufactures in secure facilities run by American companies only about 2 percent of the more than $3.5 billion of integrated circuits bought annually for use in military gear.


Cyberwar


Computers, indispensable in peace, are becoming ever more important in political conflicts and open warfare. This article is part of a series examining the growing use of computer power as a weapon.


Jordon R. Beesley/U.S. Navy, via Associated Press

CONCERNS Malicious software could disable missiles and other weapons.





That shortfall is viewed with concern by current and former United States military and intelligence agency executives who argue that the menace of so-called Trojan horses hidden in equipment circuitry is among the most severe threats the nation faces in the event of a war in which communications and weaponry rely on computer technology.

As advanced systems like aircraft, missiles and radars have become dependent on their computing capabilities, the specter of subversion causing weapons to fail in times of crisis, or secretly corrupting crucial data, has come to haunt military planners. The problem has grown more severe as most American semiconductor manufacturing plants have moved offshore.

Only one-fifth of all computer chips are now made in the United States, and just one-quarter of the chips based on the most advanced technologies are built here, I.B.M. executives say. That has led the Pentagon and the National Security Agency to expand significantly the number of American plants authorized to manufacture chips for the Pentagon’s Trusted Foundry program.

Despite the increases, semiconductor industry executives and Pentagon officials say, the United States lacks the ability to fulfill the capacity requirements needed to manufacture computer chips for classified systems.

"The department is aware that there are risks to using commercial technology in general and that there are greater risks to using globally sourced technology," said Robert Lentz, who before his retirement last month was in charge of the Trusted Foundry program as the deputy assistant defense secretary for cyber, identity and information assurance.

Counterfeit computer hardware, largely manufactured in Asian factories, is viewed as a significant problem by private corporations and military planners. A recent White House review noted that there had been several "unambiguous, deliberate subversions" of computer hardware.

"These are not hypothetical threats," the report’s author, Melissa Hathaway, said in an e-mail message. "We have witnessed countless intrusions that have allowed criminals to steal hundreds of millions of dollars and allowed nation-states and others to steal intellectual property and sensitive military information."

Ms. Hathaway declined to offer specifics.

Cyberwarfare analysts argue that while most computer security efforts have until now been focused on software, tampering with hardware circuitry may ultimately be an equally dangerous threat. That is because modern computer chips routinely comprise hundreds of millions, or even billions, of transistors. The increasing complexity means that subtle modifications in manufacturing or in the design of chips will be virtually impossible to detect.

"Compromised hardware is, almost literally, a time bomb, because the corruption occurs well before the attack," Wesley K. Clark, a retired Army general, wrote in an article in Foreign Affairs magazine that warns of the risks the nation faces from insecure computer hardware.

"Maliciously tampered integrated circuits cannot be patched," General Clark wrote. "They are the ultimate sleeper cell."

Indeed, in cyberwarfare, the most ancient strategy is also the most modern.

Internet software programs known as Trojan horses have become a tool of choice for computer criminals who sneak malicious software into computers by putting it in seemingly innocuous programs. They then pilfer information and transform Internet-connected PCs into slave machines. With hardware, the strategy is an even more subtle form of sabotage, building a chip with a hidden flaw or a means for adversaries to make it crash when wanted.

Pentagon executives defend the manufacturing strategy, which is largely based on a 10-year contract with a secure I.B.M. chipmaking plant in Burlington, Vt., reported to be valued as high as $600 million, and a certification process that has been extended to 28 American chipmakers and related technology firms.

"The department has a comprehensive risk-management strategy that addresses a variety of risks in different ways," said Mitchell Komaroff, the director of a Pentagon program intended to develop a strategy to minimize national security risks in the face of the computer industry’s globalization.

Mr. Komaroff pointed to advanced chip technologies that made it possible to buy standard hardware components that could be securely programmed after they were acquired.

But as military planners have come to view cyberspace as an impending battlefield, American intelligence agency experts said, all sides are arming themselves with the ability to create hardware Trojan horses and to hide them deep inside the circuitry of computer hardware and electronic devices to facilitate military attacks.


In the future, and possibly already hidden in existing weapons, clandestine additions to electronic circuitry could open secret back doors that would let the makers in when the users were depending on the technology to function. Hidden kill switches could be included to make it possible to disable computer-controlled military equipment from a distance. Such switches could be used by an adversary or as a safeguard if the technology fell into enemy hands.

A Trojan horse kill switch may already have been used. A 2007 Israeli Air Force attack on a suspected partly constructed Syrian nuclear reactor led to speculation about why the Syrian air defense system did not respond to the Israeli aircraft. Accounts of the event initially indicated that sophisticated jamming technology was used to blind the radars. Last December, however, a report in an American technical publication, IEEE Spectrum, cited a European industry source in raising the possibility that the Israelis might have used a built-in kill switch to shut down the radars.

Separately, an American semiconductor industry executive said in an interview that he had direct knowledge of the operation and that the technology for disabling the radars was supplied by Americans to the Israeli electronic intelligence agency, Unit 8200.

The disabling technology was given informally but with the knowledge of the American government, said the executive, who spoke on the condition of anonymity. His claim could not be independently verified, and American military, intelligence and contractors with classified clearance declined to discuss the attack.

The United States has used a variety of Trojan horses, according to various sources.

In 2004, Thomas C. Reed, an Air Force secretary in the Reagan administration, wrote that the United States had successfully inserted a software Trojan horse into computing equipment that the Soviet Union had bought from Canadian suppliers. Used to control a Trans-Siberian gas pipeline, the doctored software failed, leading to a spectacular explosion in 1982.

Crypto AG, a Swiss maker of cryptographic equipment, was the subject of intense international speculation during the 1980s when, after the Reagan administration took diplomatic actions in Iran and Libya, it was widely reported in the European press that the National Security Agency had access to a hardware back door in the company’s encryption machines that made it possible to read electronic messages transmitted by many governments.

According to a former federal prosecutor, who declined to be identified because of his involvement in the operation, during the early ’80s the Justice Department, with the assistance of an American intelligence agency, also modified the hardware of a Digital Equipment Corporation computer to ensure that the machine — being shipped through Canada to Russia — would work erratically and could be disabled remotely.

The American government began making a concerted effort to protect against hardware tampering in 2003, when Deputy Defense Secretary Paul D. Wolfowitz circulated a memorandum calling on the military to ensure the economic viability of domestic chipmakers.

In 2005, the Defense Science Advisory Board issued a report warning of the risks of foreign-made computer chips and calling on the Defense Department to create a policy intended to stem the erosion of American semiconductor manufacturing capacity.

Former Pentagon officials said the United States had not yet adequately addressed the problem.

"The more we looked at this problem the more concerned we were," said Linton Wells II, formerly the principal deputy assistant defense secretary for networks and information integration. "Frankly, we have no systematic process for addressing these problems."

October 27, 2009, Tuesday

Defying Experts, Rogue Computer Code Still Lurks

By JOHN MARKOFF

A rogue program, known as Conficker, has confounded the efforts of security experts to trace its origins and purpose.

August 27, 2009, Thursday

Cyberwar


Zombie Networks


Computers, indispensable in peace, are becoming ever more important in political conflicts and open warfare. This article is the seventh in a series examining the growing use of computer power as a weapon.



Like a ghost ship, a rogue software program that glided onto the Internet last November has confounded the efforts of top security experts to eradicate the program and trace its origins and purpose, exposing serious weaknesses in the world’s digital infrastructure.

The program, known as Conficker, uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. With more than five million of these zombies now under its control — government, business and home computers in more than 200 countries — this shadowy computer has power that dwarfs that of the world’s largest data centers.

Alarmed by the program’s quick spread after its debut in November, computer security experts from industry, academia and government joined forces in a highly unusual collaboration. They decoded the program and developed antivirus software that erased it from millions of the computers. But Conficker’s persistence and sophistication has squelched the belief of many experts that such global computer infections are a thing of the past.

"It’s using the best current practices and state of the art to communicate and to protect itself," Rodney Joffe, director of the Conficker Working Group, said of the malicious program. "We have not found the trick to take control back from the malware in any way."

Researchers speculate that the computer could be employed to generate vast amounts of spam; it could steal information like passwords and logins by capturing keystrokes on infected computers; it could deliver fake antivirus warnings to trick naïve users into believing their computers are infected and persuading them to pay by credit card to have the infection removed.

There is also a different possibility that concerns the researchers: That the program was not designed by a criminal gang, but instead by an intelligence agency or the military of some country to monitor or disable an enemy’s computers. Networks of infected computers, or botnets, were used widely as weapons in conflicts in Estonia in 2007 and in Georgia last year, and in more recent attacks against South Korean and United States government agencies. Recent attacks that temporarily crippled Twitter and Facebook were believed to have had political overtones.

Yet for the most part Conficker has done little more than to extend its reach to more and more computers. Though there had been speculation that the computer might be activated to do something malicious on April 1, the date passed without incident, and some security experts wonder if the program has been abandoned.

The experts have only tiny clues about the location of the program’s authors. The first version included software that stopped the program if it infected a machine with a Ukrainian language keyboard. There may have been two initial infections — in Buenos Aires and in Kiev.

Wherever the authors are, the experts say, they are clearly professionals using the most advanced technology available. The program is protected by internal defense mechanisms that make it hard to erase, and even kills or hides from programs designed to look for botnets.

A member of the security team said that the Federal Bureau of Investigation had suspects, but was moving slowly because it needed to build a relationship with "noncorrupt" law enforcement agencies in the countries where the suspects are located.

An F.B.I. spokesman in Washington declined to comment, saying that the Conficker investigation was an open case.

The first infections, last Nov. 20, set off an intense battle between the hidden authors and the volunteer group that formed to counter them. The group, which first called itself the "Conficker Cabal," changed its name when Microsoft, Symantec and several other companies objected to the unprofessional connotation.

Eventually, university researchers and law enforcement officials joined forces with computer experts at more than two dozen Internet, software and computer security firms.

The group won some battles, but lost others. The Conficker authors kept distributing new, more intricate versions of the program, at one point using code that had been devised in academia only months before. At another point, a single technical slip by the working group allowed the program’s authors to convert a huge number of the infected machines to an advanced peer-to-peer communications scheme that the industry group has not been able to defeat. Where before all the infected computers would have to phone home to a single source for instructions, the authors could now use any infected computer to instruct all the others.

In early April, Patrick Peterson, a research fellow at Cisco Systems in San Jose, Calif., gained some intelligence about the authors’ interests. He studies nasty computer programs by keeping a set of quarantined computers that capture and observe them — his "digital zoo."

He discovered that the Conficker authors had begun distributing software that tricks Internet users into buying fake antivirus software with their credit cards. "We turned off the lights in the zoo one day and came back the next day," Mr. Peterson said, noting that in the "cage" reserved for Conficker, the infection had been joined by a program distributing an antivirus software scam.

It was the most recent sign of life from the program, and its silence has set off a debate among computer security experts. Some researchers think Conficker is an empty shell, or that the authors of the program were scared away in the spring. Others argue that they are simply biding their time.

If the misbegotten computer were reactivated, it would not have the problem-solving ability of supercomputers used to design nuclear weapons or simulate climate change. But because it has commandeered so many machines, it could draw on an amount of computing power greater than that from any single computing facility run by governments or Google. It is a dark reflection of the "cloud computing" sweeping the commercial Internet, in which data is stored on the Internet rather than on a personal computer.

The industry group continues to try to find ways to kill Conficker, meeting as recently as Tuesday. Mr. Joffe said he, for one, was not prepared to declare victory. But he said that the group’s work proved that government and private industry could cooperate to counter cyberthreats.

"Even if we lose against Conficker," he said, "there are things we’ve learned that will benefit us in the future."

Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk

By JOHN MARKOFF and THOM SHANKER

Fears of collateral damage are shaping an effort to develop rules and tactics for carrying out attacks on computer networks.

August 02, 2009, Sunday

Privacy May Be a Victim in Cyberdefense Plan

By THOM SHANKER and DAVID E. SANGER

A plan to create a new Pentagon cybercommand is raising privacy and diplomatic concerns.

June 13, 2009, Saturday

Contractors Vie for Plum Work, Hacking for U.S.

By CHRISTOPHER DREW and JOHN MARKOFF

The government’s push into cyberwarfare has set off a rush among big military companies to secure billions of dollars in contracts and attract top young talent.

It would have been the most far-reaching case of computer sabotage in history. In 2003, the Pentagon and American intelligence agencies made plans for a cyberattack to freeze billions of dollars in the bank accounts of Saddam Hussein and cripple his government’s financial system before the United States invaded Iraq. He would have no money for war supplies. No money to pay troops.


Darrell Miho for The New York Times

John Arquilla, a military strategy expert, said, "Cyberwarriors are held back by extremely restrictive rules of engagement."

Cyberwar


Collateral Damage


Computers, indispensable in peace, are becoming ever more important in political conflicts and open warfare. This article is the fifth in a series examining the growing use of computer power as a weapon.


Brendan Smialowski for The New York Times

James Lewis, a cyberwarfare specialist, urges caution in the use of computer attacks because of the potential harm to civilians.



"We knew we could pull it off — we had the tools," said one senior official who worked at the Pentagon when the highly classified plan was developed.

But the attack never got the green light. Bush administration officials worried that the effects would not be limited to Iraq but would instead create worldwide financial havoc, spreading across the Middle East to Europe and perhaps to the United States.

Fears of such collateral damage are at the heart of the debate as the Obama administration and its Pentagon leadership struggle to develop rules and tactics for carrying out attacks in cyberspace.

While the Bush administration seriously studied computer-network attacks, the Obama administration is the first to elevate cybersecurity — both defending American computer networks and attacking those of adversaries — to the level of a White House director, whose appointment is expected in coming weeks.

But senior White House officials remain so concerned about the risks of unintended harm to civilians and damage to civilian infrastructure in an attack on computer networks that they decline any official comment on the topic. And senior Defense Department officials and military officers directly involved in planning for the Pentagon’s new "cybercommand" acknowledge that the risk of collateral damage is one of their chief concerns.

"We are deeply concerned about the second- and third-order effects of certain types of computer network operations, as well as about laws of war that require attacks be proportional to the threat," said one senior officer.

This officer, who like others spoke on the condition of anonymity because of the classified nature of the work, also acknowledged that these concerns had restrained the military from carrying out a number of proposed missions. "In some ways, we are self-deterred today because we really haven’t answered that yet in the world of cyber," the officer said.

In interviews over recent weeks, a number of current and retired White House officials, Pentagon civilians and military officers disclosed details of classified missions — some only considered and some put into action — that illustrate why this issue is so difficult.

Although the digital attack on Iraq’s financial system was not carried out, the American military and its partners in the intelligence agencies did receive approval to cripple Iraq’s military and government communications systems in the early hours of the war in 2003. And that attack did produce collateral damage.

Besides blowing up cellphone towers and communications grids, the offensive included electronic jamming and digital attacks against Iraq’s telephone networks. American officials also contacted international communications companies that provided satellite phone and cellphone coverage to Iraq to alert them to possible jamming and to ask their assistance in turning off certain channels.

Officials now acknowledge that the communications offensive temporarily disrupted telephone service in countries around Iraq that shared its cellphone and satellite telephone systems. That limited damage was deemed acceptable by the Bush administration.

Another such event took place in the late 1990s, according to a former military researcher. The American military attacked a Serbian telecommunications network and accidentally affected the Intelsat satellite communications system, whose service was hampered for several days.

These missions, which remain highly classified, are being scrutinized today as the Obama administration and the Pentagon move into new arenas of cyberoperations. Few details have been reported previously; mention of the proposal for a digital offensive against Iraq’s financial and banking systems appeared with little notice on Newsmax.com, a news Web site, in 2003.

The government concerns evoke those at the dawn of the nuclear era, when questions of military effectiveness, legality and morality were raised about radiation spreading to civilians far beyond any zone of combat.

"If you don’t know the consequences of a counterstrike against innocent third parties, it makes it very difficult to authorize one," said James Lewis, a cyberwarfare specialist at the Center for Strategic and International Studies in Washington.

But some military strategists argue that these uncertainties have led to excess caution on the part of Pentagon planners.

"Policy makers are tremendously sensitive to collateral damage by virtual weapons, but not nearly sensitive enough to damage by kinetic" — conventional — "weapons," said John Arquilla, an expert in military strategy at the Naval Postgraduate School in Monterey, Calif. "The cyberwarriors are held back by extremely restrictive rules of engagement."

Despite analogies that have been drawn between biological weapons and cyberweapons, Mr. Arquilla argues that "cyberweapons are disruptive and not destructive."

That view is challenged by some legal and technical experts.

"It’s virtually certain that there will be unintended consequences," said Herbert Lin, a senior scientist at the National Research Council and author of a recent report on offensive cyberwarfare. "If you don’t know what a computer you attack is doing, you could do something bad."

Mark Seiden, a Silicon Valley computer security specialist who was a co-author of the National Research Council report, said, "The chances are very high that you will inevitably hit civilian targets — the worst-case scenario is taking out a hospital which is sharing a network with some other agency."

And while such attacks are unlikely to leave smoking craters, electronic attacks on communications networks and data centers could have broader, life-threatening consequences where power grids and critical infrastructure like water treatment plants are increasingly controlled by computer networks.

Over the centuries, rules governing combat have been drawn together in customary practice as well as official legal documents, like the Geneva Conventions and the United Nations Charter. These laws govern when it is legitimate to go to war, and set rules for how any conflict may be waged.

Two traditional military limits now are being applied to cyberwar: proportionality, which is a rule that, in layman’s terms, argues that if you slap me, I cannot blow up your house; and collateral damage, which requires militaries to limit civilian deaths and injuries.

"Cyberwar is problematic from the point of view of the laws of war," said Jack L. Goldsmith, a professor at Harvard Law School. "The U.N. Charter basically says that a nation cannot use force against the territorial integrity or political independence of any other nation. But what kinds of cyberattacks count as force is a hard question, because force is not clearly defined."

May 31, 2009, Sunday

Cadets Trade the Trenches for Firewalls

By COREY KILGANNON and NOAM COHEN

WEST POINT, N.Y. — The Army forces were under attack. Communications were down, and the chain of command was broken.

Cyberwar


Basic Training


Computers, indispensable in peace, are becoming ever more important in political conflicts and open warfare. This is the third article in a series on the growing use of computer power as a weapon.


Michael Falco for The New York Times

In war games at West Point last month, teams had to establish a secure computer network and protect it from cyberattacks.




Pacing a makeshift bunker whose entrance was camouflaged with netting, the young man in battle fatigues barked at his comrades: "They are flooding the e-mail server. Block it. I’ll take the heat for it."

These are the war games at West Point, at least last month, when a team of cadets spent four days struggling around the clock to establish a computer network and keep it operating while hackers from the National Security Agency in Maryland tried to infiltrate it with methods that an enemy might use. The N.S.A. made the cadets’ task more difficult by planting viruses on some of the equipment, just as real-world hackers have done on millions of computers around the world.

The competition was a final exam of sorts for a senior elective class. The cadets, who were computer science and information technology majors, competed against teams from the Navy, Air Force, Coast Guard and Merchant Marine as well as the Naval Postgraduate School and the Air Force Institute of Technology. Each team was judged on how well it subdued the threats from the N.S.A.

The cyberwar games at West Point are just one example of a heightened awareness across the military that it must treat the threat of a computer attack as seriously as it does an attack carried out by a bomber or combat brigade. There is hardly an American military unit or headquarters that has not been ordered to analyze the risk of cyberattacks to its mission — and to train to counter them. If the hackers were to succeed, they could change information on the network and cripple Internet communications.

In the desert outside Las Vegas, in a series of inconspicuous trailers, some of the most highly motivated hackers in the United States spend their days and nights probing the military’s vast computer networks for weaknesses to exploit.

These hackers — many of whom got their start as teenagers devoted to computer screens in their basements — have access to the latest in attack software. Some of it was developed by cryptologists at the N.S.A., the nation’s largest intelligence agency, where most of the government’s talent for breaking and making computer codes resides.

The hackers have an official name — the 57th Information Aggressor Squadron — and a real home, Nellis Air Force Base.

The Army last year created its own destination for computer experts, the Network Warfare Battalion, where many of the cadets in the cyberwar games hope to be assigned. But even so, the ranks are still small.

The Defense Department today graduates only 80 students a year from its cyberwar schools, causing Defense Secretary Robert M. Gates to complain that the Pentagon is "desperately short of people who have capabilities in this area in all the services, and we have to address it." Under current Pentagon budget proposals, the number of students cycled through the schools will be quadrupled in the next two years.

Part of the Pentagon’s effort to increase the military’s capabilities are the annual cyberwar games played at the nation’s military academies, including West Point, where young cadets in combat boots and buzz cuts talk megabytes instead of megatons on a campus dotted with statues of generals, historic armaments and old stone buildings.

While the Pentagon has embraced the need for offensive cyberwarfare, there were no offensive maneuvers in the games last month, said Col. Joe Adams, who teaches Information Assurance and stood at the head of the classroom during the April exercise.

Cadet Joshua Ewing said he and his fellow Blue Team members "learn all the techniques that a hacker would do, and we try to beat a hacker."

These strategies are not just theoretical. Most of these cadets will soon be sent to Afghanistan to carry out such work, Cadet Ewing said.

When the military deploys in a combat zone or during a domestic emergency, establishing a secure Internet connection is an early priority. To keep things humming, the military’s experts must fend off the ordinary chaos of the Internet as well as attacks devised to disable the communications system, like flooding e-mail servers with so many junk messages that they collapse.




Underscoring how seriously the cadets were taking the April games, the sign above the darkened entranceway in Thayer Hall read "Information Warfare Live Fire Range" and the area was draped with camouflage netting.




One group had to retrieve crucial information from a partly erased hard drive. One common method of hiding text, said Cadet Sean Storey, is to embed it in digital photographs; he had managed to find secret documents hidden this way. He was seeking a password needed to read encrypted e-mail he had located on the hard drive.

Other cadets worked in tandem, as if plugging a leaky dam, to keep the entire system working as the N.S.A. hackers attacked the engine that runs a crucial database as well as the e-mail server.

They shouted out various Internet addresses to inspect — and usually block — after getting clearance from referees. And there was that awkward moment when the cadet in charge, Salvatore Messina, had to act without clearance because the attack was so severe he couldn’t even send an e-mail message.

The cadets in this room do get their share of ribbing. But one cadet, Derek Taylor, said today’s soldiers recognize that technological expertise can be as vital as brute force in saving lives. West Point takes the competition seriously. The cadets who helped install and secure the operating system spent a week setting it up. The dean gives a pep talk; professors bring food.

Brian McCord, part of the team that installed the operating system, said he was chosen because his senior project was deeply reliant on Linux. The West Point team used this open-source operating system, freely available on the Internet, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems.

"It seems weird for the Army with its large contracts to be using Linux, but it’s very cheap and very customizable," Cadet McCord said. It is also much easier to secure because "you can tweak it for everything you need" and there are not as many known ways to attack it, he said.

West Point emerged victorious in the games last month. That means the academy, which has won five of the last nine competitions, can keep the Director’s Cup trophy, which is displayed near a German Enigma encoding machine from World War II. Cracking the Enigma code helped the Allies win the war, and the machine is a stark reminder of the pivotal role of technology in warfare.

In cyberwar games conducted by military schools with the National Security Agency, hackers replace snipers.

May 11, 2009, Monday

MELBOURNE, Fla. — The government’s urgent push into cyberwarfare has set off a rush among the biggest military companies for billions of dollars in new defense contracts.


Gregg Matthews for The New York Times

Terry Gillette, left, and Scott Chase run a Raytheon unit that finds flaws in Pentagon computers.

Cyberwar


The Digital Arms Race


Computers, indispensable in peace, are becoming ever more important in political conflicts and open warfare. This series examines the growing use of computer power as a weapon.




The exotic nature of the work, coupled with the deep recession, is enabling the companies to attract top young talent that once would have gone to Silicon Valley. And the race to develop weapons that defend against, or initiate, computer attacks has given rise to thousands of "hacker soldiers" within the Pentagon who can blend the new capabilities into the nation’s war planning.

Nearly all of the largest military companies — including Northrop Grumman, General Dynamics, Lockheed Martin and Raytheon — have major cyber contracts with the military and intelligence agencies.

The companies have been moving quickly to lock up the relatively small number of experts with the training and creativity to block the attacks and design countermeasures. They have been buying smaller firms, financing academic research and running advertisements for "cyberninjas" at a time when other industries are shedding workers.

The changes are manifesting themselves in highly classified laboratories, where computer geeks in their 20s like to joke that they are hackers with security clearances.

At a Raytheon facility here south of the Kennedy Space Center, a hub of innovation in an earlier era, rock music blares and empty cans of Mountain Dew pile up as engineers create tools to protect the Pentagon’s computers and crack into the networks of countries that could become adversaries. Prizes like cappuccino machines and stacks of cash spur them on, and a gong heralds each major breakthrough.

The young engineers represent the new face of a war that President Obama described Friday as "one of the most serious economic and national security challenges we face as a nation." The president said he would appoint a senior White House official to oversee the nation’s cybersecurity strategies.

Computer experts say the government is behind the curve in sealing off its networks from threats that are growing more persistent and sophisticated, with thousands of intrusions each day from organized criminals and legions of hackers for nations including Russia and China.

"Everybody’s attacking everybody," said Scott Chase, a 30-year-old computer engineer who helps run the Raytheon unit here.

Mr. Chase, who wears his hair in a ponytail, and Terry Gillette, a 53-year-old former rocket engineer, ran SI Government Solutions before selling the company to Raytheon last year as the boom in the military’s cyberoperations accelerated.

The operation — tucked into several unmarked buildings behind an insurance office and a dentist’s office — is doing some of the most cutting-edge work, both in identifying weaknesses in Pentagon networks and in creating weapons for potential attacks.

Daniel D. Allen, who oversees work on intelligence systems for Northrop Grumman, estimated that federal spending on computer security now totals $10 billion each year, including classified programs. That is just a fraction of the government’s spending on weapons systems. But industry officials expect it to rise rapidly.

The military contractors are now in the enviable position of turning what they learned out of necessity — protecting the sensitive Pentagon data that sits on their own computers — into a lucrative business that could replace some of the revenue lost from cancellations of conventional weapons systems.

Executives at Lockheed Martin, which has long been the government’s largest information-technology contractor, also see the demand for greater computer security spreading to energy and health care agencies and the rest of the nation’s critical infrastructure. But for now, most companies remain focused on the national-security arena, where the hottest efforts involve anticipating how an enemy might attack and developing the resources to strike back.

Though even the existence of research on cyberweapons was once highly classified, the Air Force plans this year to award the first publicly announced contract for developing tools to break into enemy computers. The companies are also teaming up to build a National Cyber Range, a model of the Internet for testing advanced techniques.


Military experts said Northrop Grumman and General Dynamics, which have long been major players in the Pentagon’s security efforts, are leading the push into offensive cyberwarfare, along with the Raytheon unit. This involves finding vulnerabilities in other countries’ computer systems and developing software tools to exploit them, either to steal sensitive information or disable the networks.




Mr. Chase and Mr. Gillette said the Raytheon unit, which has about 100 employees, grew out of a company they started with friends at Florida Institute of Technology that concentrated on helping software makers find flaws in their own products. Over the last several years, their focus shifted to the military and intelligence agencies, which wanted to use their analytic tools to detect vulnerabilities and intrusions previously unnoticed.

Like other contractors, the Raytheon teams set up "honey pots," the equivalent of sting operations, to lure hackers into digital cul-de-sacs that mimic Pentagon Web sites. They then capture the attackers’ codes and create defenses for them.

And since most of the world’s computers run on the Windows or the Linux systems, their work has also provided a growing window into how to attack foreign networks in any cyberwar.

"It takes a nonconformist to excel at what we do," said Mr. Gillette, a tanned surfing aficionado who looks like a 1950s hipster in his T-shirts with rolled-up sleeves.

The company, which would allow interviews with other employees only on the condition that their last names not be used because of security concerns, hired one of its top young workers, Dustin, after he won two major hacking contests and dropped out of college. "I always approach it like a game, and it’s been fun," said Dustin, now 22.

Another engineer, known as Jolly, joined Raytheon in April after earning a master’s degree in computer security at DePaul University in Chicago. "You think defense contractors, and you think bureaucracy, and not necessarily a lot of interesting and challenging projects," he said.

The Pentagon’s interest in cyberwarfare has reached "religious intensity," said Daniel T. Kuehl, a military historian at the National Defense University. And the changes carry through to soldiers being trained to defend and attack computer and wireless networks out on the battlefield.

That shift can be seen in the remaking of organizations like the Association of Old Crows, a professional group that includes contractors and military personnel.

The Old Crows have deep roots in what has long been known as electronic warfare — the use of radar and radio technologies for jamming and deception.

But the financing for electronic warfare had slowed recently, prompting the Old Crows to set up a broader information-operations branch last year and establish a new trade journal to focus on cyberwarfare.

The career of Joel Harding, the director of the group’s Information Operations Institute, exemplifies the increasing role that computing and the Internet are playing in the military.

A 20-year veteran of military intelligence, Mr. Harding shifted in 1996 into one of the earliest commands that studied government-sponsored computer hacker programs. After leaving the military, he took a job as an analyst at SAIC, a large contractor developing computer applications for military and intelligence agencies.

Mr. Harding estimates that there are now 3,000 to 5,000 information operations specialists in the military and 50,000 to 70,000 soldiers involved in general computer operations. Adding specialists in electronic warfare, deception and other areas could bring the total number of information operations personnel to as many as 88,700, he said.

Iranians and Others Outwit Net Censors

By JOHN MARKOFF

Computers are becoming more crucial in global conflicts, not only in spying and military action, but also in determining what information reaches people.

May 01, 2009, Friday


Published: April 30, 2009


The Iranian government, more than almost any other, censors what citizens can read online, using elaborate technology to block millions of Web sites offering news, commentary, videos, music and, until recently, Facebook and YouTube. Search for "women" in Persian and you’re told, "Dear Subscriber, access to this site is not possible."


James Estrin/The New York Times

Shiyu Zhou is a founder of the Falun Gong consortium that maintains a series of computers in data centers around the world to route Web users’ requests around censors’ firewalls.

Cyberwar


Through the Firewall


Computers, indispensable in peace, are becoming ever more important in political conflicts and open warfare. This is the second article in a series on the growing use of computer power as a weapon.




Last July, on popular sites that offer free downloads of various software, an escape hatch appeared. The computer program allowed Iranian Internet users to evade government censorship.

College students discovered the key first, then spread it through e-mail messages and file-sharing. By late autumn more than 400,000 Iranians were surfing the uncensored Web.

The software was created not by Iranians, but by Chinese computer experts volunteering for the Falun Gong, a spiritual movement that has been suppressed by the Chinese government since 1999. They maintain a series of computers in data centers around the world to route Web users’ requests around censors’ firewalls.

The Internet is no longer just an essential channel for commerce, entertainment and information. It has also become a stage for state control — and rebellion against it. Computers are becoming more crucial in global conflicts, not only in spying and military action, but also in determining what information reaches people around the globe.

More than 20 countries now use increasingly sophisticated blocking and filtering systems for Internet content, according to Reporters Without Borders, a Paris-based group that encourages freedom of the press.

Although the most aggressive filtering systems have been erected by authoritarian governments like those in Iran, China, Pakistan, Saudi Arabia and Syria, some Western democracies are also beginning to filter some content, including child pornography and other sexually oriented material.

In response, a disparate alliance of political and religious activists, civil libertarians, Internet entrepreneurs, diplomats and even military officers and intelligence agents are now challenging growing Internet censorship.

The creators of the software seized upon by Iranians are members of the Global Internet Freedom Consortium, based largely in the United States and closely affiliated with Falun Gong. The consortium is one of many small groups developing systems to make it possible for anyone to reach the open Internet. It is the modern equivalent of efforts by organizations like the Voice of America to reach the citizens of closed countries.

Separately, the Tor Project, a nonprofit group of anticensorship activists, freely offers software that can be used to send messages secretly or to reach blocked Web sites. Its software, first developed at the United States Naval Research Laboratories, is now used by more than 300,000 people globally, from the police to criminals, as well as diplomats and spies.

Political scientists at the University of Toronto have built yet another system, called Psiphon, that allows anyone to evade national Internet firewalls using only a Web browser. Sensing a business opportunity, they have created a company to profit by making it possible for media companies to deliver digital content to Web users behind national firewalls.

The danger in this quiet electronic war is driven home by a stark warning on the group’s Web site: "Bypassing censorship may violate law. Serious thought should be given to the risks involved and potential consequences."

In this cat-and-mouse game, the cat is fighting back. The Chinese system, which opponents call the Great Firewall of China, is built in part with Western technologies. A study published in February by Rebecca MacKinnon, who teaches journalism at the University of Hong Kong, determined that much blog censorship is performed not by the government but by private Internet service providers, including companies like Yahoo China, Microsoft and MySpace. One-third to more than half of all postings made to three Chinese Internet service providers were not published or were censored, she reported.

When the Falun Gong tried to support its service with advertising several years ago, American companies backed out under pressure from the Chinese government, members said.

In addition, the Chinese government now employs more than 40,000 people as censors at dozens of regional centers, and hundreds of thousands of students are paid to flood the Internet with government messages and crowd out dissenters.

This is not to say that China blocks access to most Internet sites; most of the material on the global Internet is available to Chinese without censorship. The government’s censors mostly censor groups deemed to be state enemies, like the Falun Gong, making it harder for them to reach potential members.

Blocking such groups has become more insidious as Internet filtering technology has grown more sophisticated. As with George Orwell’s "Newspeak," the language in "1984" that got smaller each year, governments can block particular words or phrases without users realizing their Internet searches are being censored.

Those who back the ragtag opponents of censorship criticize the government-run systems as the digital equivalent of the Berlin Wall.


They also see the anticensorship efforts as a powerful political lever. "What is our leverage toward a country like Iran? Very little," said Michael Horowitz, a fellow at the Hudson Institute who advises the Global Internet Freedom Consortium. "Suppose we have the capacity to make it possible for the president of the United States at will to communicate with hundreds of thousands of Iranians at no risk or limited risk? It just changes the world."




The United States government and the Voice of America have financed some circumvention technology efforts. But until now the Falun Gong has devoted the most resources, experts said, erecting a system that allows the largest number of Internet users open, uncensored access.

Each week, Chinese Internet users receive 10 million e-mail messages and 70 million instant messages from the consortium. But unlike spam that takes you to Nigerian banking scams or offers deals on drugs like Viagra, these messages offer software to bypass the elaborate government system that blocks access to the Web sites of opposition groups like the Falun Gong.

Shiyu Zhou, a computer scientist, is a founder of the Falun Gong’s consortium. His cyber-war with China began in Tiananmen Square in 1989. A college student and the son of a former general in the intelligence section of the People’s Liberation Army, he said he first understood the power of government-controlled media when overnight the nation’s student protesters were transformed from heroes to killers.

"I was so disappointed," he said. "People believed the government, they didn’t believe us."

He decided to leave China and study computer science in graduate school in the United States. In the late 1990s he turned to the study of Falun Gong and then joined with a small group of technically sophisticated members of the spiritual group intent on transmitting millions of e-mail messages to Chinese.

Both he and Peter Yuan Li, another early consortium volunteer, had attended Tsinghua University — China’s Massachusetts Institute of Technology. Mr. Li, the son of farmers, also came to the United States to study computer science, then joined Bell Laboratories before becoming a full-time volunteer.

The risks of building circumvention tools became clear in April 2006 when, Mr. Li later told law enforcement officials, four men invaded his home in suburban Atlanta, covered his head, beat him, searched his files and stole two laptop computers. The F.B.I. has made no arrests in the case and declined to comment. But Mr. Li thinks China sent the invaders.

Early on, the group of dissidents here had some financial backing from the International Broadcasting Bureau of the Voice of America for sending e-mail messages, but the group insists that most of its effort has been based on volunteer labor and contributions.

The consortium’s circumvention system works this way: Government censorship systems like the Great Firewall can block access to certain Internet Protocol addresses. The equivalent of phone numbers, these addresses are quartets of numbers like 209.85.171.100 that identify a Web site, in this case, google.com. By clicking on a link provided in the consortium’s e-mail message, someone in China or Iran trying to reach a forbidden Web site can download software that connects to a computer abroad that then redirects the request to the site’s forbidden address.

The technique works like a basketball bank shot — with the remote computer as the backboard and the desired Web site as the basket. But government systems hunt for and then shut off such alternative routes using a variety of increasingly sophisticated techniques. So the software keeps changing the Internet address of the remote computer — more than once a second. By the time the censors identify an address, the system has already changed it.

China acknowledges that it monitors content on the Internet, but claims to have an agenda much like that of any other country: policing for harmful material, pornography, treasonous propaganda, criminal activity, fraud. The government says Falun Gong is a dangerous cult that has ruined the lives of thousands of people.

Hoping to step up its circumvention efforts, the Falun Gong last year organized extensive lobbying in Congress, which approved $15 million for circumvention services.

But the money was awarded not to the Falun Gong consortium but to Internews, an international organization that supports local media groups.

This year, a broader coalition is organizing to push for more Congressional financing of anti-filtering efforts. Negotiations are under way to bring together dissidents of Vietnam, Iran, the Uighur minority of China, Tibet, Myanmar, Cuba, Cambodia, Laos, as well as the Falun Gong, to lobby Congress for the financing.

Mr. Horowitz argues that $25 million could expand peak usage to as many as 45 million daily Internet users, allowing the systems to reach as many as 10 percent of the Web users in both China and Iran.

Mr. Zhou says his group’s financing is money well spent. "The entire battle over the Internet has boiled down to a battle over resources," he said. "For every dollar we spend, China has to spend a hundred, maybe hundreds of dollars."

As for the Falun Gong software, it proved a little too popular among Iranians. By the end of last year the consortium’s computers were overwhelmed. On Jan. 1, the consortium had to do some blocking of its own: It shut down the service for all countries except China.

U.S. Steps Up Effort on Digital Defenses

By DAVID E. SANGER, JOHN MARKOFF and THOM SHANKER

A new international race has begun to develop cyberweapons and systems to protect against them.

April 28, 2009, Tuesday

This article was reported by David E. Sanger, John Markoff and Thom Shanker and written by Mr. Sanger.

Mario Jose Sanchez/Associated Press


Melissa Hathaway, the White House cybersecurity coordinator, speaking last week in San Francisco.

Cyberwar


The Digital Arms Race


Computers, indispensable in peace, are becoming ever more important in political conflicts and open warfare. This is the first article in a series on the growing use of computing power as a weapon.

The Washington control room for Cyber Storm I, a simulated online attack run by the government in 2006.

When American forces in Iraq wanted to lure members of Al Qaeda into a trap, they hacked into one of the group’s computers and altered information that drove them into American gun sights.

When President George W. Bush ordered new ways to slow Iran’s progress toward a nuclear bomb last year, he approved a plan for an experimental covert program — its results still unclear — to bore into their computers and undermine the project.

And the Pentagon has commissioned military contractors to develop a highly classified replica of the Internet of the future. The goal is to simulate what it would take for adversaries to shut down the country’s power stations, telecommunications and aviation systems, or freeze the financial markets — in an effort to build better defenses against such attacks, as well as a new generation of online weapons.

Just as the invention of the atomic bomb changed warfare and deterrence 64 years ago, a new international race has begun to develop cyberweapons and systems to protect against them.

Thousands of daily attacks on federal and private computer systems in the United States — many from China and Russia, some malicious and some testing chinks in the patchwork of American firewalls — have prompted the Obama administration to review American strategy.

President Obama is expected to propose a far larger defensive effort in coming days, including an expansion of the $17 billion, five-year program that Congress approved last year, the appointment of a White House official to coordinate the effort, and an end to a running bureaucratic battle over who is responsible for defending against cyberattacks.

But Mr. Obama is expected to say little or nothing about the nation’s offensive capabilities, on which the military and the nation’s intelligence agencies have been spending billions. In interviews over the past several months, a range of military and intelligence officials, as well as outside experts, have described a huge increase in the sophistication of American cyberwarfare capabilities.

Because so many aspects of the American effort to develop cyberweapons and define their proper use remain classified, many of those officials declined to speak on the record. The White House declined several requests for interviews or to say whether Mr. Obama as a matter of policy supports or opposes the use of American cyberweapons.

The most exotic innovations under consideration would enable a Pentagon programmer to surreptitiously enter a computer server in Russia or China, for example, and destroy a "botnet" — a potentially destructive program that commandeers infected machines into a vast network that can be clandestinely controlled — before it could be unleashed in the United States.

Or American intelligence agencies could activate malicious code that is secretly embedded on computer chips when they are manufactured, enabling the United States to take command of an enemy’s computers by remote control over the Internet. That, of course, is exactly the kind of attack officials fear could be launched on American targets, often through Chinese-made chips or computer servers.

So far, however, there are no broad authorizations for American forces to engage in cyberwar. The invasion of the Qaeda computer in Iraq several years ago and the covert activity in Iran were each individually authorized by Mr. Bush. When he issued a set of classified presidential orders in January 2008 to organize and improve America’s online defenses, the administration could not agree on how to write the authorization.

A principal architect of that order said the issue had been passed on to the next president, in part because of the complexities of cyberwar operations that, by necessity, would most likely be conducted on both domestic and foreign Internet sites. After the controversy surrounding domestic spying, Mr. Bush’s aides concluded, the Bush White House did not have the credibility or the political capital to deal with the subject.

Electronic Vulnerabilities


Cyberwar would not be as lethal as atomic war, of course, nor as visibly dramatic. But when Mike McConnell, the former director of national intelligence, briefed Mr. Bush on the threat in May 2007, he argued that if a single large American bank were successfully attacked "it would have an order-of-magnitude greater impact on the global economy" than the Sept. 11, 2001, attacks. Mr. McConnell, who left office three months ago, warned last year that "the ability to threaten the U.S. money supply is the equivalent of today’s nuclear weapon."

The scenarios developed last year for the incoming president by Mr. McConnell and his coordinator for cybersecurity, Melissa Hathaway, went further. They described vulnerabilities including an attack on Wall Street and one intended to bring down the nation’s electric power grid. Most were extrapolations of attacks already tried.

Today, Ms. Hathaway is the primary author of White House cyberstrategy and has been traveling the country talking in vague terms about recent, increasingly bold attacks on the computer networks that keep the country running. Government officials will not discuss the details of a recent attack on the air transportation network, other than to say the attack never directly affected air traffic control systems.

Still, the specter of an attack that could blind air traffic controllers and, perhaps, the military’s aerospace defense networks haunts military and intelligence officials. (The saving grace of the air traffic control system, officials say, is that it is so old that it is not directly connected to the Internet.)

Studies, with code names like Dark Angel, have focused on whether cellphone towers, emergency-service communications and hospital systems could be brought down, to sow chaos.

But the theoretical has, at times, become real.

"We have seen Chinese network operations inside certain of our electricity grids," said Joel F. Brenner, who oversees counterintelligence operations for Dennis Blair, Mr. McConnell’s successor as national intelligence director, speaking at the University of Texas at Austin this month. "Do I worry about those grids, and about air traffic control systems, water supply systems, and so on? You bet I do."

But the broader question — one the administration so far declines to discuss — is whether the best defense against cyberattack is the development of a robust capability to wage cyberwar.

As Mr. Obama’s team quickly discovered, the Pentagon and the intelligence agencies both concluded in Mr. Bush’s last years in office that it would not be enough to simply build higher firewalls and better virus detectors or to restrict access to the federal government’s own computers.

"The fortress model simply will not work for cyber," said one senior military officer who has been deeply engaged in the debate for several years. "Someone will always get in."

That thinking has led to a debate over whether lessons learned in the nuclear age — from the days of "mutually assured destruction" — apply to cyberwar.

But in cyberwar, it is hard to know where to strike back, or even who the attacker might be. Others have argued for borrowing a page from Mr. Bush’s pre-emption doctrine by going into foreign computers to destroy malicious software before it is unleashed into the world’s digital bloodstream. But that could amount to an act of war, and many argue it is a losing game, because the United States is more dependent on a constantly running Internet system than many of its potential adversaries, and therefore could suffer more damage in a counterattack.

In a report scheduled to be released Wednesday, the National Research Council will argue that although an offensive cybercapability is an important asset for the United States, the nation is lacking a clear strategy, and secrecy surrounding preparations has hindered national debate, according to several people familiar with the report.

The advent of Internet attacks — especially those suspected of being directed by nations, not hackers — has given rise to a new term inside the Pentagon and the National Security Agency: "hybrid warfare."

It describes a conflict in which attacks through the Internet can be launched as a warning shot — or to pave the way for a traditional attack.

Early hints of this new kind of warfare emerged in the confrontation between Russia and Estonia in April 2007. Clandestine groups — it was never determined if they had links to the Russian government — commandeered computers around the globe and directed a fire hose of data at Estonia’s banking system and its government Web sites.

The computer screens of Estonians trying to do business with the government online were frozen, if they got anything at all. It was annoying, but by the standards of cyberwar, it was child’s play.

In August 2008, when Russia invaded Georgia, the cyberattacks grew more widespread. Georgians were denied online access to news, cash and air tickets. The Georgian government had to move its Internet activity to servers in Ukraine when its own servers locked up, but the attacks did no permanent damage.

Every few months, it seems, some agency, research group or military contractor runs a war game to assess the United States’ vulnerability. Senior intelligence officials were shocked to discover how easy it was to permanently disable a large power generator. That prompted further studies to determine if attackers could take down a series of generators, bringing whole parts of the country to a halt.

Another war game that the Department of Homeland Security sponsored in March 2008, called Cyber Storm II, envisioned a far larger, coordinated attack against the United States, Britain, Canada, Australia and New Zealand. It studied a disruption of chemical plants, rail lines, oil and gas pipelines and private computer networks. That study and others like it concluded that when attacks go global, the potential economic repercussions increase exponentially.

To prove the point, Mr. McConnell, then the director of national intelligence, spent much of last summer urging senior government officials to examine the Treasury Department’s scramble to contain the effects of the collapse of Bear Stearns. Markets froze, he said, because "what backs up that money is confidence — an accounting system that is reconcilable." He began studies of what would happen if the system that clears market trades froze.

"We were halfway through the study," one senior intelligence official said last month, "and the markets froze of their own accord. And we looked at each other and said, ‘Our market collapse has just given every cyberwarrior out there a playbook.’ "

Just before Mr. Obama was elected, the Center for Strategic and International Studies, a policy research group in Washington, warned in a report that "America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration."

What alarmed the panel was not the capabilities of individual hackers but of nations — China and Russia among them — that experts believe are putting huge resources into the development of cyberweapons. A research company called Team Cymru recently examined "scans" that came across the Internet seeking ways to get inside industrial control systems, and discovered more than 90 percent of them came from computers in China.

Scanning alone does no damage, but it could be the prelude to an attack that scrambles databases or seeks to control computers. But Team Cymru ran into a brick wall as soon as it tried to trace who, exactly, was probing these industrial systems. It could not determine whether military organizations, intelligence agencies, terrorist groups, criminals or inventive teenagers were behind the efforts.

The good news, some government officials argue, is that the Chinese are deterred from doing real damage: Because they hold more than a trillion dollars in United States government debt, they have little interest in freezing up a system they depend on for their own investments.

Then again, some of the scans seemed to originate from 14 other countries, including Taiwan, Russia and, of course, the United States.

Bikini Atoll for an Online Age


Because "cyberwar" contains the word "war," the Pentagon has argued that it should be the locus of American defensive and offensive strategy — and it is creating the kind of infrastructure that was built around nuclear weapons in the 1940s and ’50s.

Defense Secretary Robert M. Gates is considering proposals to create a Cyber Command — initially as a new headquarters within the Strategic Command, which controls the American nuclear arsenal and assets in space. Right now, the responsibility for computer network security is part of Strategic Command, and military officials there estimate that over the past six months, the government has spent $100 million responding to probes and attacks on military systems. Air Force officials confirm that a large network of computers at Maxwell Air Force Base in Alabama was temporarily taken off-line within the past eight months when it was put at risk of widespread infection from computer viruses.

But Mr. Gates has concluded that the military’s cyberwarfare effort requires a sharper focus — and thus a specific command. It would build the defenses for military computers and communications systems and — the part the Pentagon is reluctant to discuss — develop and deploy cyberweapons.

In fact, that effort is already under way — it is part of what the National Cyber Range is all about. The range is a replica of the Internet of the future, and it is being built to be attacked. Competing teams of contractors — including BAE Systems, the Applied Physics Laboratory at Johns Hopkins University and Sparta Inc. — are vying to build the Pentagon a system it can use to simulate attacks. The National Security Agency already has a smaller version of a similar system, in Millersville, Md.

In short, the Cyber Range is to the digital age what the Bikini Atoll — the islands the Army vaporized in the 1950s to measure the power of the hydrogen bomb — was to the nuclear age. But once the tests at Bikini Atoll demonstrated to the world the awesome destructive power of the bomb, it became evident to the United States and the Soviet Union — and other nuclear powers — that the risks of a nuclear exchange were simply too high. In the case of cyberattacks, where the results can vary from the annoying to the devastating, there are no such rules.

The Deterrence Conundrum


During the cold war, if a strategic missile had been fired at the United States, screens deep in a mountain in Colorado would have lighted up and American commanders would have some time to decide whether to launch a counterattack. Today, when Pentagon computers are subjected to a barrage, the origin is often a mystery. Absent certainty about the source, it is almost impossible to mount a counterattack.

In the rare case where the preparations for an attack are detected in a foreign computer system, there is continuing debate about whether to embrace the concept of pre-emption, with all of its Bush-era connotations. The questions range from whether an online attack should be mounted on that system to, in an extreme case, blowing those computers up.

Some officials argue that if the United States engaged in such pre-emption — and demonstrated that it was watching the development of hostile cyberweapons — it could begin to deter some attacks. Others believe it will only justify pre-emptive attacks on the United States. "Russia and China have lots of nationalistic hackers," one senior military officer said. "They seem very, very willing to take action on their own."

Senior Pentagon and military officials also express deep concern that the laws and understanding of armed conflict have not kept current with the challenges of offensive cyberwarfare.

Over the decades, a number of limits on action have been accepted — if not always practiced. One is the prohibition against assassinating government leaders. Another is avoiding attacks aimed at civilians. Yet in the cyberworld, where the most vulnerable targets are civilian, there are no such rules or understandings. If a military base is attacked, would it be a proportional, legitimate response to bring down the attacker’s power grid if that would also shut down its hospital systems, its air traffic control system or its banking system?

"We don’t have that for cyber yet," one senior Defense Department official said, "and that’s a little bit dangerous."

