Cyber security: The new arms race for a new front line
The Pentagon – and a growing cyber industrial complex – gears up for the new front line: cyberspace. Cyber defense is necessary. But it could cost us.
Illustration by Nancy Stahl
Wall Township, N.J.
In the eastern New Jersey suburbs, a train carrying radiological material is barreling toward a small town, and it is up to Pentagon cyber-operators to derail it. The town is the kind of idyllic whistle-stop hamlet where residents socialize at a cafe with complimentary Wi-Fi while surfing FaceSpace, a social networking site.
But danger lurks all around. Terrorists are using the open Wi-Fi connection to hack into the laptop of a patron who works at the hospital down the street. They plan to find the hospital codes stored in his computer to access the mayor's medical records, in which they will change the dosage of a prescription the mayor refills regularly in an effort to poison him.
They have other nefarious future schemes, too: They will cut the power grid with a nasty cybervirus and destroy the local water supply by engineering a program to make it appear as though the reservoir is polluted. When employees dump chemicals into the water to fix the problem, they will inadvertently be doing just what the terrorists want: contaminating the water supply.
This model town – CyberCity – is one of the US military's premier cyberwar simulators. Situated in a surprisingly unassuming suburban enclave, it is built with hobby shop-supplied model trains, miniature cellphone towers, and streetlights – all attached to a miniature power grid.
CyberCity is just a small town compressed onto an 8-by-10-foot plywood table. But its intricate electronic detail highlights the Pentagon's growing effort to expand its offensive cyberwarfare skills in a bid to bolster the nation's cybersecurity, through increasingly sophisticated and aggressive forays that have the potential to revolutionize the way America's military fights wars.
While the military has long fought on land, sea, and air, the emerging cyber-realm is forcing top defense officials to navigate the far less tangible – ever more murky – battlefield of computer attacks.
CyberCity offers some insight into one of the attack scenarios that senior military officials fear most: Bad guys plotting to take down the US power grid or financial networks.
Former Secretary of Defense Leon Panetta characterized this sort of strike as a "cyber Pearl Harbor," a doomsday sobriquet that has quickly become part of the cyber lexicon. And Secretary of Defense Chuck Hagel has picked up the banner, warning that a cybersiege could "paralyze an electric grid, a banking system, knock out computers on ships or weapons systems – and you never fire a shot."
So the Pentagon is rapidly ramping up to expand its cyberwarfare capacity, bidding to be the go-to authority for the nation's cyberdefense. Cyber-operations is one of its few areas that will see a considerable budget increase – from $3.9 billion this year to $4.7 billion in 2014. And its cadre of cyberwarriors manning computers will expand fivefold over the next two years.
A cyber-industrial complex blooms
Yet with this explosion in US military cyber-operations – and with the corresponding boom in the number of defense contractors to support cyber-activity – comes concern that a rapidly expanding "cyber-industrial complex" could jeopardize the openness and democratic ideals of the Internet.
It's a threat that seems more pressing in light of National Security Agency surveillance exposed by former Booz Allen Hamilton contractor Edward Snowden. The operations of the NSA, a US military organization, indicate that some officials want nothing more "than to identify anyone who connects to the Internet – to get rid of anonymity – so that we can always know who says what to whom," argues Jerry Brito, an attorney and senior research fellow at the Mercatus Center at George Mason University in Fairfax, Va.
"Sure, that would probably make our networks very secure," Mr. Brito adds. "But that's also called a police state."
To bolster their case, analysts point to recent revelations that the NSA is secretly paying US companies hundreds of millions of dollars a year for clandestine access to their communications networks.
"It turns surveillance into a revenue stream," Marc Rotenberg, executive director of the Electronic Privacy Information Center, told The Washington Post. "And that's not the way it's supposed to work."
While the NSA surveillance is ostensibly to detect foreign agents who might harm the United States in a terrorist plot, there is growing concern that the Pentagon may be laying the groundwork for expanded data collection from US companies under the guise of protecting them from cyberattacks, too.
At a conference in August on the security of the electric grid, for example, former NSA Director Michael Hayden lamented that the Internet "wasn't built to be protected ... and that remains in the architecture in today's World Wide Web, and that's why we're in the position we're in."
Mr. Hayden then issued a warning to private companies at risk for hacks and data theft, which some analysts interpreted as a veiled threat: "So those of you in private industry, I guess the point I really want to make to you is the next sound you hear will not be pounding hoofs as the federal cavalry comes over the nearest ridgeline to your cyber-rescue. You're responsible for your safety."
Some companies have taken up the challenge and turned it into a lucrative – legally fraught – venture, hiring hackers to probe private networks, then sell the vulnerabilities back to corporate customers.
The well-regarded Mandiant Corporation – which uncovered a series of cyberattacks on US networks by a branch of China's People's Liberation Army – was hired by The New York Times and The Wall Street Journal when they were hacked. And Mandiant's professional hackers consult with a number of Fortune 500 companies at a reported rate of $450 an hour.
Other companies are taking matters into their own hands, raising questions about the legality of private firms striking back against cyberattackers.
Former FBI cyber lawyer Steven Chabinsky argued at a recent cyber symposium that a company attacked should be able to counterattack in order to retrieve data: "It is universally accepted that in the physical world, you have the right to protect your property without first going to law enforcement."
This gets messy, of course, and may argue for a more clear role for the US military. Sen. James Inhofe (R) of Oklahoma noted during a recent congressional hearing that financial firms have spent millions of dollars responding to cyberattacks and "can't be expected to fend off attacks from a foreign government."
Indeed, responded Gen. Keith Alexander, head of the US Cyber Command: "I think this gets to the heart of 'how do we defend the country, and when does the Defense Department step in to defend the country?' "
At the same time, there is reason to question an expanded military role in domestic cybersecurity, says Steven Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists. "These are secret US military agencies that have a tendency to expand their scope of activities," Mr. Aftergood adds, "but never to retreat."
There is a concern, however, among some companies about being compelled to share data with the government – coupled with a less altruistic disinclination to let it be known when they have been hacked, since it might jeopardize customer confidence.
As a result, there is a push in some corners for establishing cybersecurity-insurance programs to mitigate the cost of fortifying networks in the event of a breach, as well as proposals to establish legislation that treats various sorts of companies and incursions differently.
"If you're an auto parts manufacturer and your data is stolen, that's sort of like if your home got burgled – it's up to you whether you want to tell your friends or not," says Brito. "But if you're a company and you are breached in a way that might put your customers' data at risk, then you should be required to tell someone."
Pentagon stakes out turf
In the meantime, the US military is forging ahead with its own cyberdefense plans. While the Posse Comitatus Act largely bars the US military from getting involved in law enforcement endeavors, a new Department of Defense publication argues that the Pentagon can provide "law enforcement actions that are performed primarily for a military purpose, even when incidentally assisting civil authorities," notes Aftergood.
That includes cyberattacks, under the category of "complex catastrophe" – a "new addition to the DOD lexicon" introduced in the DOD report, he adds. "There is some turf-marking that seems to be going on on the part of the Pentagon."
It's a lexicon that has been embraced, too, by defense contractors eyeing the end of the war in Afghanistan and vying for their next business opportunity. Half of Booz Allen's $5.8 billion annual revenue comes from US military and intelligence agency contracts. Former NSA Director Mike McConnell now heads the company's "rapidly expanding" cyber division (earning $2.3 million a year to do so) and has likened cyberattacks to weapons of mass destruction. His division has a $5.6 billion, five-year intelligence analysis contract to protect networks in the Pentagon's Defense Intelligence Agency.
Some analysts worry that the big money involved could encourage fearmongering.
"If you're in the business of selling safeguards against cyberthreats, as many large firms are, you have an incentive to hype the threat," Aftergood says. "I don't want to be overly cynical about this and say that just because there is financial incentive, the threat is bogus, but it is a challenge to sort through the various claims and chart a way forward."
Industry specialists point out, however, that the business is lucrative because the cost of cybertheft is high and growing. A recent report by the Ponemon Institute, an independent security policy research group, surveyed 56 multinational companies and found the average annual cybertheft losses were $8.9 million per company, up from $8.4 million in 2011. Companies in the study reported a total of 102 successful attacks per week. (By way of comparison, there are more than 15,000 DOD computers in 100 countries, which are probed "thousands of times a day," according to a top Pentagon official who briefed reporters in February. "And we have not always been successful in stopping intrusions.")
Against this backdrop, plans leaked earlier this year that the US military is quickly working to increase the size of its cyber forces in its premier computer defense arm, US Cyber Command, from 900 to 4,900 during the next two years.
One-third of these will be designated "national mission forces," with special training in protecting critical infrastructure like power plants at national "cyber ranges" where they can practice and hone their skills. The group is slated to be ready to be up and working by the end of the month.
One-third more will be "cyber-protection forces" to defend the Pentagon's networks, and the final third are designated "combat mission forces" responsible for counterattacks and other offensive operations by September 2015.
The unprecedented growth in these forces is "also a recognition that the problem has become so great that they need to act quickly," says Alan Paller, founder of the SANS Institute, a private firm that is one of the premier training organizations for the US Air Force. "And it's a recognition that in this arena, the skills are the weapon."
Fine lines between offense and defense
CyberCity, one of a number of Air Force cybertraining ranges, grew out of a request from senior defense officials who wanted to hone the offensive cyberskills of US troops.
"They came to us and said, 'We need you to figure out some way to teach cyberwarriors that cyberattacks have a kinetic effect – that they make stuff move, blow up – and that people can get killed,' " says Ed Skoudis, founder of Counter Hack, the company that designed CyberCity, and a trainer at the SANS Institute.
US military officials asked that the city include a reservoir, as well as a lighted landing strip.
Mr. Skoudis estimates CyberCity missions break down equally into defensive and offensive training.
To illustrate the effect of cyberattack skills, for example, Skoudis has installed a miniature Nerf rocket launcher on the outskirts of CyberCity. When the US military begins to use the cyber-range regularly later this year, the mission for trainees will be to reverse-engineer the controls to the rocket launcher to make sure it fires away from the hospital rather than – as terrorists would have it – toward innocent patients.
"If you can hack a computer and use it to launch a Nerf rocket launcher, you have some interesting skills, no?" Skoudis says. "The skills that we're building can be used for offense or defense."
Cyberwarriors of the future, he points out, will often need to make use of offensive skills to defend US interests – a branch of cyber that the US military has only more recently begun to discuss, and even then in highly general terms, in the hope that mention of it might serve as some deterrent to would-be attackers.
"All the offensive stuff we describe is to take control of things to keep bad things from happening," Skoudis notes. "Of course, you can always use those skills to make bad things happen."
These are complex talents, and the plan to expand the cyber cadre has quickly raised concerns about how the services will find enough cyberwarriors to do the job – and keep them from decamping for the high-paying private sector firms eager to recruit well-trained specialists with top-secret security clearances.
Maj. Gen. Suzanne "Zan" Vautrinot, commander of Air Forces Cyber and of Air Force Network Operations at Lackland Air Force Base, Texas, offers a glimpse of the wide scope of Pentagon designs for cybersecurity. She cites congressional figures that indicate the military has 1,000 cyberwarriors who can operate at the highest level. But, she adds, "what we need is on the order of 20,000 or 30,000.... Cyber is foundational to everything we do, because everything you do in your mission is dependent on it."
For this reason, the US military's cyber effort is heavily reliant on civilian contractors like Mr. Snowden, along with the National Guard.
"There is a talent search within the existing military forces," says Mr. Paller. This involves reaching out to increasingly young prospective cyber prodigies, including high school students, and giving them secret security clearances in order to test the extent of their skills.
At the military's largest cyberwarfare school, the Air Force's 39th Information Operations Squadron at Hurlburt Field, Fla., students conduct real-time operations against cyberattacks on simulators like CyberCity.
The training is increasingly sophisticated, notes Col. John "Kiley" Weigle, commander of the squadron, who adds that he would like to see the number of trainers grow: "I could easily see this all doubling, given the correct instructors, to be much more close to what the nation needs."
Phishing for generals
As the US military's top flag officers sit down at their office computers each morning to sift through e-mail, their in-boxes routinely hold lures from hackers across the globe in search of an easy mark.
If these would-be infiltrators succeed in getting a general to click on a link embedded in an otherwise innocuous-looking e-mail, it may offer them entry to the DOD's top-secret networks and allow them to troll undetected, potentially exporting valuable data about US defense systems.
One of the more popular – and successful – recent phishing expeditions was an attachment labeled "I love you."
"It's the biggest threat right now that the Air Force and others are seeing," says Col. David Gibson, head of the computer science department at the Air Force Academy. "It's 'whale-phishing' – targeting a specific bigwig. In the Air Force, all of the general officers are constantly getting these," Gibson says.
Instead of simply remaining on the defense, the Air Force Academy is now teaching its young cadets how to wage offensive cyberwarfare by showing them how to harness some of the most insidious cybertactics used against the military. This starts with learning how to target high-profile people.
"This is a great tool to get to know the leadership in an adversary's country – where are they going to be at a certain time, trying to influence adversarial leadership. There's absolutely a lot of fruit in that sort of endeavor," Gibson says.
The incoming cadets get advanced instruction in "social engineering," which involves, among other things, "learning how to build e-mails to try to fool the recipient into doing something, like clicking on a link." Such e-mails are "incredibly sophisticated," because of the variety of information now available on social networking sites.
During their social engineering lessons, cadets draw on Facebook, newspapers, and other open sources of information to try to create an e-mail that might convince their targets to open an attachment or link that they shouldn't.
"It's 'how do I trick my classmates, and make this look as legitimate as possible?' " Gibson says.
Increasingly offensive in nature, this curriculum has sparked concern among some faculty about teaching such skills to cadets.
"I still have some in my department who are really nervous about teaching teenagers that there are tools freely available out there that you can download easily and use to break into other people's computers," Gibson acknowledges. "And they're right to be concerned about this. But I and most of my faculty have become convinced that this is the world we live in: that to be a good defender – which is what we need – you have to know what's coming at you and how."
To this end, the first classified data that young cadets at the Air Force Academy receive is a briefing about the cyberthreat.
Recruiting hackers from middle school
The military is also reaching out to even younger students through high school talent searches in the form of cybergames like CyberPatriot, a hacking tournament pitting young high school students against industry mentors who play the aggressors in a contest to see who can destroy the other's network first.
"If you compete well," Vautrinot says, "that highlights to the industry, 'Hey, this guy's got game.' "
Students who have caught the eye of commanders are recruited into an internship program to do temporary stints with the military.
"We gave them clearances and they are actually doing forensics on intrusions into our network," says Vautrinot, who likens the process to a coach replaying a game tape for a team after the big game. Sometimes they go on "hunt missions" looking for enemy hackers lurking in the systems.
"They can learn, 'How did that work, so I can thwart it the next time?' " Vautrinot says, extending the sports analogy. "What does it look like when they move back their arm to throw? So that even before the play sets up, it can be identified and automatically responded to on the network."
The Air Force is now even reaching down into middle schools to identify prodigies.
Even in such a prioritized field in the US military, however, there are limitations, Weigle says. "It all costs money, and my needs smack into the fiscal reality. I can sit here as the training commander and say, 'Yes, I need my staff to double.' But at what expense, right? I do have to weigh that."
Cybertraining will be a "cradle to grave" endeavor for the military for the foreseeable future, Vautrinot says.
That said, the vast resources being poured into cyber have some questioning whether it is the best use of increasingly scarce defense dollars.
Senior military officials insist that the cost of cyberattacks to the nation is great. "We've seen the attacks on Wall Street over the last six months grow significantly – over 140...," Alexander told the Senate Armed Services Committee last March.
"You don't see a person on the street walking around without a cellphone or a device. It's become part of our American way of life. And it's also incorporated into our weapons systems to make them more accurate," says Col. Jodine Tooke, chief of the Air Force's Cyberspace Force Development Division.
These realms alone "certainly bear protection from a military perspective," she argues. "There may be industry trying to take advantage of our uncertainty about how best to protect networks, but that's why we're building astute people in the force."
Yet Alexander acknowledges, too, that the attacks hitting Wall Street, for example, are mainly "distributed denial-of-service attacks," which tend to be "at the nuisance level."
The vast majority of cyberthreats to US networks today are intellectual property theft and other forms of corporate espionage, rather than the dire sorts of attacks decried by top US officials.
"Any teenager can do a distributed denial-of-service attack. It's finite; when it's done, there's no permanent damage," says George Mason University's Brito. In other words, "it's very easy, and not very harmful."
On the other hand, a "kinetic" attack, in which a hacker is able to, say, open a dam and flood a community, "is incredibly difficult – we've never seen it happen."
Such an attack would be "incredibly harmful, but if you look at the realm of possibility, really unlikely," Brito adds.
"When you hear all the rhetoric from politicians and defense contractors, it's a cyber Pearl Harbor where planes fall out of the sky, trains derail, and thousands are killed – but they provide no evidence to back up serious threats, and a lot of it is easily debunked.
"The lesson," he argues, "is to be more critical."
A whiff of August 1945
It is, of course, the US military's job to plan for unlikely but highly catastrophic attacks.
That said, even top defense officials acknowledge that a cyber Pearl Harbor is unlikely, and would portend more problems for America than simply cybersecurity.
China is "without question ... the country that's out there stealing our stuff," says retired NSA Director Hayden.
But, he says, "I find it hard to imagine circumstances where China would do something incredibly destructive to any American network – the grid – absent a far more problematic international environment in which the cyberattack is itself part of a larger package of really, really bad things."
Still, the US military continues to refine and deploy its own increasingly sophisticated cyberweaponry – including Stuxnet, a cybervirus created to damage Iran's nuclear reactors, a fact that gives some top US officials pause.
Without commenting on the origin of Stuxnet, Hayden says that while "blowing a thousand centrifuges in Natanz [in Iran], I think, is absolutely, unalloyed good," the use of cyberweaponry should not be taken lightly.
"Someone, almost certainly a nation-state – during a time of peace – just used a cyberweapon to destroy another nation's critical infrastructure," Hayden said. "That's a big deal."
"This has the whiff of August 1945. Somebody just used a new weapon," he adds. "And this weapon will not be put back into the box."