Not all cyberattacks start from outside a computer network. Computer hardware can contain viruses or stealth commands that can activate and compromise security, experts say.
Not all cyberattacks start from outside a computer network. Computer hardware can contain viruses or stealth commands that can activate and compromise security, experts say. iStockphoto.com
Cyber-espionage — or an all-out attack on the nation's computer infrastructure — could help even the odds between a technology-reliant U.S. military and a savvy adversary with little more than a hacker's basic tools, computer security experts say.
China and Russia are among nations that have active programs to target U.S.-based networks — not only government systems, but also those of private contractors serving the military, says Alan Paller, the director of research for the SANS Institute, which specializes in information security and training.
"China's getting a lot of attention right now because their technique is to get in and steal everything and then have lots of people sort through it to see what's important," Paller says.
"Russia has a much more selective approach," he says. "They figure out what they want and make a surgical strike. China's method makes a lot more noise, whereas Russia's is stealthier."
The motivations for these attacks are as old as espionage itself, says Paller: getting information on a potential enemy and feeding him disinformation.
Threats From Inside, Outside
Paller says the threats come in the form of malicious software, such as computer viruses, and spy capabilities embedded directly in computer hardware during manufacture. Both threats are real, he insists.
A Trojan virus, for example, can lurk unknown on a computer for months or years, stealing classified or sensitive information or altering critical data.
Another potential mode of attack is computer chips that contain imbedded components to communicate with an outside controller via the Internet.
"What we're talking about is a chip that actually phones home every so many weeks and asks if there are any new instructions," Paller says. "Computer security systems typically stop you from getting inside, but they don't stop requests from the inside for outside information. That's what these chips do."
The global nature of IT manufacturing makes policing the security of those chips a particularly thorny problem.
"You can't find a chip that hasn't run through a number of countries on its way to the CPU," says Tim Bennett, a former president of the Cyber Security Industry Alliance who now heads his own consulting firm.
Meanwhile, the treat to the military is compounded by its heavy reliance on outside contractors to supply it. While the big defense contractors are protected by some of the same systems used by the U.S. military itself, there are thousands of small and medium contractors that are vital to military operations that don't rate classified security software, according to Howard A. Schmidt, a former IT security adviser to then-President George W. Bush and current head of the nonprofit Informational Security Forum Ltd.
To illustrate the problem, Schmidt outlines what appears to be a routine order for fuel from the U.S. Air Force.
"The military could order 50,000 gallons of jet fuel but if the supplier's computer system is hacked, he could get an order for 50,000 gallons of diesel instead," Schmidt says. "That would be a major disruption that could compromise a military operation."
Others point out that attacks against basic infrastructure and financial institutions could have strategic or tactical value for a military adversary.
"What could be more destructive — a missile attack on one U.S. city or taking out the entire power grid in the Northeast for six months in the middle of the winter?" asks Bennett.
"In that kind of an attack, there would be mass panic and disruption of everyday life. New York would be finished as a financial hub," he says.
While it's probably not in China's or Russia's interest to launch such a scorched-Earth cyberattack, the mere threat of such a scenario is analogous to the "mutual deterrence" subscribed to by nuclear powers in the Cold War, he says.
Bennett and others question the ability of al-Qaida or a rogue state to launch a big cyberattack.
Schmidt calls North Korea "an interesting case."
"It doesn't seem to pop up on anyone's radar right now" concerning cyberattacks, he says. "It seems that closed societies don't generally want the connectivity that allows them to launch these kinds of attacks."
But the nature of cyberattacks against Estonia during a dispute with Russia in 2007 and those that accompanied Moscow's 2008 invasion of Georgia (an event that President Obama mentioned Friday) show that it doesn't necessarily require official state efforts to effectively hack another country's information technology infrastructure.
"A lot of that is believed to have been carried out by groups outside the government — with or without the government's knowledge or support," Schmidt says.
Bennett foresees a movement toward government-to-government discussions to limit cyberattacks because of their potential to be mutually destructive. Such discussions might eventually take the form of the Cold-War era arms reduction and confidence-building agreements between the U.S. and the Soviet Union.
"There's a growing recognition that this isn't in any nation's interest," he says. "I can see a treaty of some sort on this issue evolving over the next decade."