Tuesday, April 14, 2009

OPINION: GLOBAL VIEW

"Gentlemen," Henry Stimson once said, "don't read each other's mail." Neither do gentlemen hack into each other's computers, electric grids, military networks and other critical infrastructure.

'War Games,' 1983. Next time there won't be a happy ending.

Ours is not a world of gentlemen.

Stimson was referring to cryptanalysis, or code-breaking, which he forbade as Herbert Hoover's Secretary of State. (He would revisit that opinion as Franklin Roosevelt's Secretary of War.) I am referring to Siobhan Gorman's front-page story in last Wednesday's Journal, in which she reported widespread cyberspying of the U.S. electricity grid, much of it apparently originating in China and Russia.

"Authorities investigating the intrusions," Ms. Gorman reported, "have found software tools left behind that could be used to destroy infrastructure components." A senior intelligence official told the Journal that, "If we go to war with them, they will try to turn them on."

To get a better sense of what all this is about, type the words "Cyber attack" and "generator" into YouTube. The first result should be a short clip from the Department of Homeland Security, leaked to CNN a couple of years ago, showing an electric generator under a simulated cyberattack at the Idaho National Laboratory. Within seconds the generator begins to shake violently. Within a minute, it's up in smoke.

Now imagine the attack being conducted against 60 large generators, simultaneously. Imagine, too, similar attacks against chemical plants, causing Bhopal-style toxic leaks. Imagine malicious software codes planted in U.S. weapons systems, which could lie undetected until triggered by a set of conditions similar to mobilization.

"It's as though we've entered something like the nuclear era without a Hiroshima," says Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, a nonprofit, nongovernmental organization that consults with government and industry about potential cyberattacks. "People aren't aware that everything has changed."

Today, the general perception of cyberattacks is that they amount to so much mischief-making by bored and spiteful 20-year-old computer geeks. Think of the 1998 Melissa computer virus. There's also some awareness of the uses of cyberpenetration for industrial espionage, though here cases are harder to name since victimized companies are often reluctant to go public. In April 2007, following a political row between Russia and Estonia over the latter's removal of a Soviet-era war memorial, a cyberattack paralyzed many of Estonia's key Web sites. The same happened in Georgia after Russia's invasion last August.

Still, none of this seems to amount to a strategic threat. Think again. In the early 1990s, the Chinese military resurrected the concept of Shashoujian, which loosely means any weapon or military strategy that can get the better of a seemingly invincible opponent. More often it's translated as "assassin's mace," or -- even better -- "killer app."

The Chinese began investigating Shashoujian after noting how a highly networked, information-centric U.S. military easily bested Iraq in the 1991 Gulf War. The result was heavy investment in asymmetric weapons like an antisatellite missile, which China successfully tested in January 2007 and which could knock America's eyes out of the sky, as well as ultra-quiet, relatively inexpensive, diesel-electric submarines that could take out an aircraft carrier.

As for the penetrations into the U.S. electricity grid, the Chinese and Russians adamantly deny involvement. But the advantages to any potential enemy of shutting down large parts of the grid are huge, beginning with the fact that the nature of the Internet makes it virtually impossible confidently to pinpoint the author of the attack. As for consequences, Mr. Borg outlines a grim scenario.

"If you shut down power for about three days," he says, "it causes very little damage. We can handle a long weekend. But if you shut down power for longer, all kinds of other things begin to happen. After about 10 days the curve levels off with about 72% of all economic activity shut down. You don't have air conditioning in the summer; you don't have heating in the winter. Thousands of people die."

Among Mr. Borg's conceptual recommendations is for the U.S. to begin thinking about its critical infrastructure as the center of gravity in any future conflict. "This is no longer about perimeter defense," he stresses. As for who could pull off that kind of cyberattack, he names (besides the U.S. and other leading high-tech nations) China, Russia and Israel. And Iran? Probably not, he suspects, nor yet groups like al Qaeda. Then again, he adds, "the worry is that over the next six or seven years they will assemble this kind of expertise."

Under President George W. Bush, Congress secretly approved $17 billion in cyber-security spending. President Barack Obama's 2010 budget calls for an additional $355 million, and that's on the public side. Maybe it's helping. Then again, personal data involving 49,000 people was recently stolen from a Federal Aviation Administration data server, while the Los Alamos National Laboratory reports 13 computers lost or stolen and another 67 missing in the past year. Yes, it's that Los Alamos.

Plainly, we have a problem. And as we consider ever-more elaborate defenses for our vulnerable networks, here's a modest suggestion: Gently alert our non-NATO "partners" that we might be in their electricity grids, too.
