Cybersecurity Threats: An Update
By Richard Weitz
In its review of the “World Wide Threats Facing the United States” earlier this year, the Intelligence Community described attacks on the United States through the Internet as potentially the most serious threat facing Americans.
Many members of Congress receiving the three sets of hearings in these global threats concurred in this assessment.
In opening the February 2, 2012 hearing of the House Select Committee on Intelligence, the Committee chairman, Representative Mike Rogers, warned that, “I argue, given classified briefings that we’ve had, discussions with all of you and your counterparts in the working part of those agencies, that a cyberattack is on its way. We will suffer a catastrophic cyberattack. The clock is ticking and winding down.”
Offering bipartisan support, Representative Jim Langevin chimed in: ”I’ve spent a lot of time on this issue and, like the chairman, I believe that a catastrophic cyberattack is coming to this country and we had better get prepared. Time is running out.”
President Barack Obama has also called the cyber threat one of the most serious economic and national security challenges we face as a nation.
Nonetheless, the president, the Congress, and outside observers agree that the United States, including the federal government and state and local authorities, are woefully unprepared to meet this threat.
The U.S. government took some measures before 9/11 to enhance cybersecurity and its capacity to combat malicious activity on the Web, included a 1987 requirement that government personnel protect their computer data and the first national cybersecurity strategy in 2000.
However, strong resistance from civil liberties and privacy groups as well as anemic funding from Congress prevented the establishment of a planned government network to detect intrusions.
After the 9/11 attacks, Washington took additional steps to improve the safety and security of its online information. In 2002, the Congress enacted the Federal Information Security Management Act, which requires agencies to develop policies and standards to protect the integrity, confidentiality, and availability of Internet-based information.
In February 2003, the Bush Administration released the National Strategy to Secure Cyberspace. It also bowed to Congressional pressure and created a new Department of Homeland Security (DHS) to address threats within the United States, including those in the cyber domain.
This year, the U.S. Intelligence Community elevated the threat in the cyber domain to the same top level as that of terrorism and the proliferation of weapons of mass destruction.
Explaining this decision, the Director of National Intelligence, James Clapper, told a hearing on global threats of the Senate Select Intelligence Committee on January 31, 2012, that,
“The cyberthreat is one of the most challenging ones we face… We foresee a cyberenvironment in which emerging technologies are developed and implemented before security responses can be put in place.”
In his written statement to the committee, in which he described an increase in the range of cyber actors and their targets, Clapper elaborated that, “Owing to market incentives, innovation in functionality is outpacing innovation in security, and neither the public nor private sector has been successful at fully implementing existing best practices.”
Clapper warned of the potential of a massive cyberattack that would paralyze the country. In the interim, the immediate threat is primarily economic -–the widespread theft of intellectual property and the money and time wasted to receiver from cyber breaches. Some of security breaches steal military-related information and technologies.
Clapper identified the main responsibility if the U.S. Intelligence Community as detecting and attributing an attack regardless of whether it came from within or outside the United States.
The intelligence community maintains a clandestine technical collection program.
Although few operational details are publicly available, intelligence agencies are widely believed to have some capability to penetrate computer systems used by transnational terrorist networks. These efforts include passively intercepting communications to identify cells and determine their activities.
Presumably, the intelligence community also has the capacity to disrupt terrorist operations, such as by denying services, hacking computer programs, and altering terrorist messages.
More is publicly known about the intelligence community’s defensive capabilities.
Strengthening cybersecurity has been a key objective of the Information Sharing Environment (ISE), a collection of policies, procedures, and technologies that permit the exchange of terrorism information, including intelligence and law enforcement data. The ISE aims to promote a culture of data sharing among its participants to ensure that information is readily available to support its participants’ missions. The ISE connects federal, state, local, and tribal governments. It also envisions a critical role for private sector and foreign actors in sharing information to counter terrorist threats.
U.S. government information systems are also attacked every day from sources within the country and around the world. Some of these intrusions have been extremely serious, compromising security and costing millions of dollars. In a June 2009 speech, Deputy Secretary of Defense William J. Lynn warned that a diverse range of public and private actors—from the “more than 100 foreign intelligence organizations [that] are trying to hack into U.S. networks” to terrorist groups and criminal organizations—use capabilities to threaten U.S. security in cyberspace.
Lynn noted that the targets of the attacks range from military and other U.S. Government web sites to the privately owned critical infrastructure that encompasses most of the transportation, telecommunications, power and financial networks in the United States. He warned that “the cyberthreat to the Department of Defense (DoD) represents an unprecedented challenge to our national security by virtue of its source, its speed and its scope.”
Clapper said that the main threat still came from nation states, but that “the growing role that nonstate actors are playing in cyberspace is a great example of the easy access to potentially disruptive and even lethal technology and know-how by such groups.”
As examples of how emerging threat technologies are evolving faster than the government or private sector can adapt to cyberthreats and implement security responses, Clapper identified the difficulty of making “real-time attribution of cyberattacks — that is, knowing who carried out such attacks and where these perpetrators are located” as well as reducing “the enormous vulnerabilities within the IC supply chain for U.S. networks.”
The security of the U.S. supply chain from implanted malicious software has been a major object of concern, especially the surety of original software and computer components.
The Defense Science Board has warned about the potential vulnerability to intrusion, malicious activity, and exploitation via malicious software and semiconductor components of larger systems.
The 2007 cyberattack against Estonia, a NATO member, reenergized multinational cyberdefense efforts.
These were further stimulated by the cyberattacks that accompanies the 2008 Russian War against Georgia. NATO information specialists have traditionally concentrated on protecting the alliance’s own networks, especially those that might support collective military operations.
The Estonia incident led NATO to deploy some of its information specialists to provide immediate assistance. The Estonian CERT was effective in reducing the level of disruption caused by the attacks. By coordinating the work of foreign Internet service providers, local law enforcement, and network managers across the country, the CERT ensured that Estonia’s information infrastructure responded in a coordinated manner.
Without an empowered and properly funded CERT, the cyberattacks could have lasted much longer and been more disruptive.
However, Estonia’s cyber disruption highlighted the need to clarify both international and domestic responses to malicious cyber activities.
Member governments are currently studying under what conditions such attacks would fall within the alliance’s definition of self-defense, requiring a collective NATO response under Article 5 of the North Atlantic Treaty.
NATO is not the only organization demonstrating renewed interest in combating cyber threats. The United Nations, the Council of Europe, the Shanghai Cooperation Organization, and other international bodies have initiated programs aimed at countering information attacks through the Internet, including by terrorist groups. The Department of State plays the lead role in U.S. negotiations with these international institutions.
News reports indicate that the United States and Russia are close to reaching an agreement to expand a secure communications channel established to avert misunderstandings that might lead to nuclear war to the domain of cyber conflicts.
The Nuclear Risk Reduction Center, created in 1988, has already been extended to exchange information in support of more than a dozen bilateral and multilateral treaties as well as other confidence-building measures that limit the nature and scope of military activities. Participating countries can transmit data about a missile test, military exercise, troops movement or other potentially destabilizing activity deemed threatening to a country’s national security. With the new agreement, Russia and the United States could send messages to one another about seemingly threatening cyber activity they plan to undertake or they believe the other is engaged in. The Russian-US alert agreement is that first such confidence-building measure in the cyber domain between the United States and another country, and will include ancillary communication and transparency measures. The United States is engaged in similar negotiations on cyber confidence-building measures with other countries, including China.
A frequent presumption among those writing about cyberwarfare is that the advent of the Internet and other transformations resulting from the Information Revolution mean that future wars are likely to include novel types of military operations extending into the cyber domain.
They posit a world in which a growing number of actors will employ information operations and tactics that will include disrupting enemy networks, communications and supply lines; distracting and confusing enemy command and control; and employing innovative efforts to weaken adversaries’ social unity and political resolve, perhaps even before the conventional onset of a conflict.
In addition, the post-modern battlefield of cyberspace is thought likely to become an arena for conflict involving the targeting of critical infrastructures, since such assaults are widely seen as offering fast, relatively inexpensive and effective ways to assail and degrade these critical—and vulnerable—interlinking networks.
The literature sees critical infrastructure assets, including power, water, oil, telecommunications, finance and transportation, as targets for attack by adversaries as they become more technologically advanced and the cost of cyberwarfare becomes increasingly inexpensive. Whereas past attacks on cyber infrastructure have taken the form mainly of probes, industry experts believe this will change in favor of strategic attacks.
Confirming the potential gravity of a major successful national cyberattack on the United States, former Director of National Intelligence Michael McConnell testified to Congress in February 2010 that “If we went to war today, in a cyberwar, we would lose.”
But the popular literature exaggerates probable cyberthreats by underestimating the defensive capabilities of countries.
The common metaphor of an “electronic Pearl Harbor” implies untraceable electronic attacks; cyberoffensives that induce nationwide blackouts, electronic looting or manipulation of invaluable digitally stored information; and the disabling of telephones, emergency services and other critical infrastructure. Critical infrastructures are considerably less vulnerable than their constituent computer networks given the redundancy of information services and equipment as well as the ability to repair and restore essential networks fairly rapidly.
This relative invulnerability of critical infrastructures partly explains why terrorists typically assault non-cyber targets. Government defenders should focus on fortifying those small numbers though changing list of key networks and infrastructures most vulnerable to attack.
(For a look at cyber as subsumed under a Tron Warfare concept see
And see the late Jack Wheeler’s look at cyber operations