The federal government and the private sector have not done enough to protect America’s vulnerable electronic infrastructure from terrorist attacks.
December 23, 2003
by Eli Lehrer, William Webb
About four hours before sunset on August 14, 2003, the lights went off across a broad swath of North America: New York City, Toronto, Detroit, and Ottawa all lost power. The great 2003 blackout caused fewer problems than many had initially speculated: looters stayed away, and more than a million people trapped on elevators, subways, and light rail lines evacuated without incident. Businesspeople slept uncomfortably, although unmolested, on the steps of Manhattan’s main post office. Nonetheless, even though stock markets, governments, and most businesses resumed operation the next day, disruptions in transportation networks, retail sales, and tourism cost the American and Canadian economies billions of dollars. Although it appears certain that a combination of human and mechanical failures in Ohio set off the blackout, the chaos that ensued gave America a sampling of what computer-savvy terrorists could achieve.
During the blackout, pundits raised many disturbing questions: Could terrorists hack computer systems to take control of a nuclear reactor, an air-traffic control tower, or America’s nuclear arsenal? When it comes to the security of America’s electronic infrastructure, we can offer a mix of good and bad news. On one hand, the doomsday scenarios are hugely improbable. On the other hand, attacks causing mass inconvenience on the scale of last August’s blackout appear certain if America’s electronic security doesn’t improve. Although the Department of Homeland Security’s (DHS) February 2003 National Cybersecurity Strategy represents a well-thought-out first step in protecting the Internet (particularly the government’s facilities), it says very little about how the nation can protect the Internet’s physical infrastructure, and it offers few specifics about what the private sector should do.
As former Central Intelligence Agency (CIA) director James Woolsey has often remarked, modern society relies on a series of networks—such as the power grid, Internet, and air transportation system—which “are constructed to be responsive to the public, to be open, easily accessed, easily maintained, fully utilized to spread overheads.” In practice, however, as Woolsey notes, the security measures around these networks are “the equivalent of [the] flimsy cockpit doors” that failed to keep out the hijackers on September 11, 2001. Nearly all of these networks rely on computers, and most use some part of the Internet to transfer data. As the August blackout shows, these networks can fail as a result of even minor glitches, which is why protecting them should be near the top of our list of national priorities.
Fortunately, the systems that concern most Americans will prove the hardest to attack. The National Cybersecurity Strategy document observes that the technological sophistication required to carry out a successful attack on critical cyber infrastructure is high. No amount of remote computer hacking could ever launch nuclear missiles, cause a nuclear power plant to melt down, compromise troop positions, or crash a jet airliner. Systems engineers keep high-security networks that manage such obvious targets completely detached from the public Internet—operators can only access them from secure terminals in secure locations, and automatic safety features make it very difficult for individual operators to do serious damage. That does not mean that a terrorist could never cause a massive disaster using computers—no system is perfectly secure—but doing so would require enormous technical sophistication. After all, every public library contains the information needed to build a nuclear weapon, but no more than a handful of people understand the workings of America’s nuclear weapons launch system. Compromising even a single nuclear power plant or air-traffic control center would likely require the cooperation of its manager and most of its staff.
The relative safety of the biggest and most tempting targets, however, may lull Americans into a false sense of complacency. Three cyberterrorism threats stand out as the most likely and, not coincidentally, the most difficult to stop: physical attacks on the Internet’s physical infrastructure; coordinated electronic or physical attacks on commercial targets; and forgery of electronic credentials.
The Internet’s physical infrastructure remains terribly unprotected. Key fiber-optic backbones trace their way through public sewers, tunnels, and railroad right-of-ways. Cutting the right fiber-optic cables could stop or significantly slow Internet traffic in large sections of the world. Likewise, many key servers sit in unprotected locations. “Root” servers (thirteen clusters of machines held in twenty-nine locations around the world) serve as giant phonebooks for all of the Internet’s traffic by converting domain names (such as aol.com) into internet protocol (IP) addresses that computers can understand (such as 126.96.36.199). Shortly after the September 11 terrorist attacks, the Internet Corporation for Assigned Names and Numbers (ICANN) issued a panicked press release pointing at the vulnerability of these root servers. Efforts to beef up electronic security around them and create additional backup measures quickly followed. These were not wholly successful: one attack on root servers in 2002 effectively disabled nine of them but, luckily, failed to slow the Internet significantly. Still, it remains possible that incapacitating enough domain-name servers could disable the Internet. DHS’s Homeland Security Strategy suggests setting up alternatives and backups for key infrastructure, but there’s little obvious progress to report. So far, security around the root servers seems rather poor: one of the authors of this article managed to find out the exact physical locations of two root servers simply by placing a few phone calls. A careful searcher can find the exact location of at least one other on the World Wide Web.
As important as defending the Internet’s nerve centers is, protecting the private sector’s key systems may prove even more important. Here, DHS has done everything it can under current law: it has formed public-private task forces and done yeoman’s work in encouraging private companies to upgrade their security. The National Cybersecurity Strategy points out the problems with systems that industries use to transmit data. Many of these—including those used by companies providing vital parts of America’s energy and food supply—use the public Internet rather than much more secure private networks. Smart hackers could easily disrupt these networks and cause nationwide chaos.
And things could get worse: A coordinated attack on enough companies might leave a large portion of corporate America unable to access its data. For years, major private companies have contracted for backup centers and developed elaborate continuity plans. Contractors (IBM is the largest single player) provide disaster recovery centers full of mainframe computers ready to run corporate America’s software. The capacity for these companies’ systems to compensate for disabled computers during a massive disaster, however, has proven to be much more limited than their planning suggested. When forty-seven of its clients simultaneously declared ninety disasters on September 11, Comdisco, then one of the largest players in the disaster recovery business (and already financially ailing), spent so much money keeping its systems running that it went into a final tailspin and eventually had to liquidate its assets in 2002. Despite elaborate continuity planning, companies ranging from American Express to the Wall Street Journal experienced significant business interruptions on September 11. Moreover, few firms ran large data-server “farms” near the World Trade Center. In fact, many September 11 business “disasters” resulted from precautionary evacuations of facilities outside of lower Manhattan. The rest involved the loss of desktop computers and small, in-office servers.
Given the limited number of sophisticated full-service backup centers in the United States—there are about fifty—one shudders to think what might happen if terrorists made successful physical or electronic attacks simultaneously on several large corporate data centers. If their backup providers failed mid-course, as Comdisco almost did, millions of people could find themselves out of work. Even the U.S. military relies very heavily on private businesses: dozens of contractors such as Reston, Virginia-based DynCorp (a unit of Computer Sciences Corporation) provide the military with everything from field sanitation to satellite uplinks. Many of these companies, in turn, rely on other private-sector firms for backup, and any logistics chain is no stronger than its weakest link.
Catastrophic intrusions into key military computer systems are unlikely to happen, but another, equally dangerous threat may emerge: terrorists using computer systems to forge credentials electronically. Credentials ranging from passports to credit cards have an electronic alter ego: it is reasonably easy to obtain the equipment needed to create a plausible-looking phony passport or drivers’ license but, without a database entry to back it up, such a document wouldn’t pass any examination beyond a bar bouncer’s cursory inspection. By creating false database entries for everything from passport records to cargo manifests, however, terrorists could infiltrate America as tourists or, worse, bring a bomb into the country by identifying it as a box of blue jeans. And they might not have a hard time doing so: any moderately large database has to grant access to thousands of people, and as different databases share user profiles and information, they become less secure. Solving this problem (a field in which Microsoft, Unisys, and other corporations have made progress) will prove critical. In any case, no computer system will ever prove itself more honest than the most dishonest person who fully understands its inner workings.
Reducing the risks of cyberterrorism requires swift and certain action on several fronts. Specifically, securing the country against terrorists who strike by electronic means requires significantly improved physical security of the nation’s electronic infrastructure, efforts to track enemy hackers through cyberspace, and national-level policy changes designed to make it easier for the private sector to protect itself.
First, the nation should beef up the physical security of its electronic infrastructure. Because a physical attack on the Internet’s infrastructure might also kill a great number of the men and women who keep its most important servers humming, the government should ensure that a sufficient number of network engineers (probably those already working for the military) will be easily available in an emergency. Likewise, if only for the safety of the individuals who run them, DHS should do more to protect the Internet’s key physical infrastructure components. This should include making it more difficult to find out the physical locations of root servers and key fiber-optic cables. Given the Internet’s paramount importance to interstate commerce, the federal government might do well to consider assigning the FBI, Transportation Security Administration, or United States Marshals Service to provide round-the-clock security near key pieces of Internet infrastructure.
Second, federal officials should work harder to apprehend and hinder computer hackers working for the country’s enemies. The best way to do this is by building tools that search the Internet for the telltale signs of hacker activity and, just as importantly, track the hackers to where they live and work. Information that foreign enemy agents move on the public Internet is, by definition, not private. Protecting the nation from cyberterrorism requires that its perpetrators be tracked down, and monitoring their activities on the Internet should raise no more civil liberties concerns than police patrols on highways. When hackers seek to destroy America, Americans should strike back. Hence, developing the capacity to strike actively against hackers operating for foreign powers is well worth exploring: disabling the websites, chat rooms, and email servers used by terrorists should raise no more moral questions than the bombing of government propaganda outlets, as the United States did in Iraq and Bosnia.
Finally, private businesses must do a better job of preparing themselves for the worst. Unfortunately, doing so may not always make the best business sense: just as airlines found it perfectly acceptable to shirk their security responsibilities before September 11, many private firms, including at least three Fortune 500 firms the authors know about, have let cyber-security fall by the wayside. Prices for secure backup data services have risen, often astronomically, since September 11, and many profit-seeking companies have actually cut back on their data backup efforts. They conclude, not improbably, that massive private and government outpourings of aid—like those that followed September 11—may make up for their financial losses. Despite whatever help such firms would get from the government, a coordinated attack on corporate America’s nerve centers might be more than the nation could handle.
To encourage more investment in backup infrastructure, the federal government could offer a limited tax credit for certain kinds of offsite backups and redundant systems. With these tax benefits in place, firms that now expect to rely mostly on some other company’s data center to support them in a catastrophe would probably find it worthwhile to build their own backup data centers in secure and secret locations. Also, although most defense contracts already require that private contractors provide a degree of redundancy, Congress would do well to write this requirement into federal law. Many private contractors—though better at providing services to troops than the armed forces ever were—may not pay as much attention to security as the armed forces would. They simply have different motivations; whereas the armed forces have a security and defense mindset that puts costs and, perhaps, service quality behind security, private contractors emphasize profitability and service quality. They ought to think a little more about security.
To a large extent, the problems of securing cyberspace are the same ones America faces in every other phase of the War on Terrorism. The enemies hide well, strike silently, and prove difficult to capture. Winning a total victory over the terrorists will require great cunning, skill, and success on the battlefield. Making targets more secure can make a tremendous difference, but it will not win the war. Many of the threats to cyberspace, in fact, are essentially the same threats we face in the rest of the world. Although the nation should prepare itself to face both types of threats, it should also realize that infecting computers with viruses will probably require more specialized training than simply blowing them up. In the dimly lit reaches of the electronic frontier, terrorists will have a very easy time building hiding places from which to launch their attacks. Total victory will come only when terrorists and those who support them no longer have any place to hide.
Eli Lehrer is associate editor of The American Enterprise.
William Webb is a director of Homeland Security for a Fortune 500 company.
© Copyright 2013 Hudson Institute, Inc.