WikiLeaks has woken Americans up to the concept of “cyberwar.”
“Cyberanarchists” are attacking the websites of multinational companies that cut off services to WikiLeaks after it published classified State Department cables.
But these cyberattacks in the name of Internet freedom are mere pinpricks in comparison with the havoc a real cyberwar could wreak. Yet Americans have developed no credible defenses, according to former White House counterterrorism czar Richard A. Clarke, author of a chilling book called “Cyber War: The Next Threat to National Security and What to Do About It.”
“The United States is currently far more vulnerable to cyberwar than Russia or China,” said Clarke, speaking to Philadelphia’s Foreign Policy Research Institute last week. “We may even be at risk some day from nonstate actors … who can hire teams of highly capable hackers.”
Our risk is high because we are more dependent on computer networks than any other nation. “All our critical infrastructure depends on computer networks working,” Clarke said, including trains, planes, truck dispatchers, the electricity grid, hospitals, pipelines, supply chains, banks, and the stock exchange.
“A sophisticated cyberwar attack by one of several nation-states,” Clarke said, could bring all that to a halt in 15 minutes. The effect “would be just the same as if you dropped a bomb.” Things would break, crash, burn, explode or go dark.
High-tech weaponry and communications satellites also depend on computer networks. Yet the former director of national intelligence, Mike McConnell, told a Senate committee in February: “If we were in a cyberwar today, the United States would lose.”
Our vulnerability lies in the characteristic that has made the Internet so attractive — its openness. A would-be attacker can plant “trapdoors” or “logic bombs” — code that can be triggered in the future to cause damage. The attacker can take advantage of flaws in software to propagate so-called malware — computer viruses and worms.
The Pentagon is developing the capacity to wage offensive cyberwar — on Oct. 1, 2009, a general took charge of the new U.S. Cyber Command — yet there is no coordinated civilian-military strategy to defend against attackers. Concerns about Internet openness, along with the private sector’s resistance to regulation, have stood in the way.
But we fail to listen to Clarke at our peril. Recall that he was the White House Cassandra who fruitlessly warned in the Clinton and George W. Bush administrations about the danger posed by al-Qaida.
As he points out now, we have already seen trial runs for a future cyberwar against the United States. Russia tolerates sophisticated criminal cartels that make billions by hacking into bank and credit card accounts. “In 1997, when Russia got mad at Estonia, Russian criminal cartels knocked out that country’s computer networks, but Russia denied responsibility,” Clarke said. When Russia attacked Georgia in 2008, that country’s entire communications system went down.
China, he said, is “regularly breaking into (the networks of) American companies and stealing anything of value. We know of 3,000 U.S. companies that have been hacked, including Google and Cisco, whose source codes were stolen. It is a serious threat to our economy.”
The Chinese, he said, have “established cyberwar military units,” created private hacker groups, and “laced U.S. infrastructure with logic bombs.” In stark contrast to the United States, China has developed “the ability to disconnect all Chinese networks from the rest of the global Internet” — which would give them a huge advantage in a cyberwar.
The most dramatic trial run was the recent highly sophisticated attack by a computer worm known as Stuxnet on Iranian centrifuges used to enrich uranium. The “good news,” Clarke said, is that whoever managed to do this — and some think it was Israel — set Iran’s nuclear program back for months “by a precision-guided cyberattack,” without having to send bombers. The bad news: “This could happen to us.”
This is why, Clarke said, “it’s time we get over our partisanship and tell Congress to defend our cyberspace.” We need a comprehensive strategy to defend critical civilian infrastructure, including electricity grids and major Internet service providers that are privately owned. A balance must be found between privacy protection and requiring the installation of scanning systems that detect malware.
Clarke also recommended a bigger government commitment to cyberresearch and an effort to craft an international accord banning cyberattacks on civilian institutions such as banks. Countries could then be held responsible for hacker attacks traced back to their territory.
And there should be a stronger Pentagon effort to secure its own networks. The theft of the documents WikiLeaks published was easily avoidable with available software; Clarke is worried about far bigger dangers — the large-scale cyberattacks against which we have no defense.