hide captionDirector of National Intelligence Dennis Blair testifies before the House Intelligence Committee in February on the annual threats assessment of the U.S. intelligence community.
Manuel Balce Ceneta/AP
Director of National Intelligence Dennis Blair testifies before the House Intelligence Committee in February on the annual threats assessment of the U.S. intelligence community.
Manuel Balce Ceneta/AP
Americans do not often hear that someone has found a way to overcome U.S. defenses, but military and intelligence officials have been sounding downright alarmist lately with their warnings that the country is ill-prepared to deal with a cyberattack.
Director of National Intelligence Dennis Blair opened his annual survey of security threats in February by advising Congress that "malicious cyberactivity is growing at an unprecedented rate," and that the country's efforts to defend against cyberattacks "are not strong enough."
"The United States is fighting a cyberwar today," McConnell wrote, "and we are losing."
No country in the world is more dependent on its computers than the United States. Data networks now underlie the U.S. power grid, its military operations and the telecommunications, banking and transportation systems. That means the U.S. is uniquely vulnerable to sophisticated computer hackers.
The Pentagon's Quadrennial Defense Review, released in February, reported that the department's computer networks "are infiltrated daily by myriad of sources, ranging from small groups of individuals to some of the largest countries in the world." A senior defense official who follows the cyberthreat closely tells NPR that in the past two years, the Pentagon has experienced an "explosion" of computer attacks, currently averaging about 5,000 each day.
One of the biggest was in 2007, when hackers targeted the Pentagon, NASA and the departments of Energy, Commerce and State. The origin of the attack was unknown, but U.S. officials suspect it came from China. Among the victims was Defense Secretary Robert Gates, whose unclassified e-mail account was penetrated.
James Lewis, a cyber-expert at the Center for Strategic and International Studies, says the 2007 hackers gained access to massive amounts of U.S. government data — some of it important, some of it worthless.
"In fact, I felt sorry [for them]," Lewis says. "Some guy, probably in Beijing, is having to sit there and translate state dinner menus from 1994. He's probably going nuts."
A 2003 computer attack so impressed the FBI that agents gave it a code name: Titan Rain. The hackers managed to penetrate a variety of military networks without being detected.
"There's still some debate about who did it and why they did it," says Richard Clarke, who was a top cybersecurity adviser to Presidents Bill Clinton and George W. Bush. "But it proved that it is possible to get into even well-defended networks and exfiltrate terabytes of information — and nothing can be done about it."
U.S. officials estimate that the 2007 attacks and Titan Rain each resulted in the loss of as much as 10 terabytes of data, an amount roughly comparable to the contents of the entire Library of Congress. There have been other large, and possibly related, attacks as well.
"Some people say there's really been only one event, ongoing for years, and it's just that we occasionally stumble on it," says Lewis, who served as the project director of the center's Commission on Cybersecurity for the 44th Presidency.
A New Crime Category Emerging?
The cyberattacks are also becoming more sophisticated and harder to trace. Hackers in China, for example, are now able to take control of thousands of personal computers in the United States simultaneously, and remotely command them to send out bogus e-mails or viruses. Such robot computer networks, called Bot Nets, can do great damage when directed by malicious hackers.
"People who have computers and no [anti-virus] protection are susceptible to being captured, unknown to them," says Harry Raduege, a retired Air Force lieutenant general and former commander of the Pentagon's Joint Task Force for Global Network Operations. "They could then become part of a Bot Net army that could be used to attack an organization, a nation or an industry."
Up to now, most computer attacks have fallen under the category "cybercrime." There have not yet been any significant acts of cyberterrorism, though U.S. intelligence officials say al-Qaida and other terrorist groups are committed to developing a cyber capability.
Goals Change, Threat Stays The Same
Attacks traceable to foreign governments and corporations, according to cyber-experts, have largely been for espionage purposes — at least until now. The December 2009 attack on Google and other companies operating in China was apparently an effort to steal industrial secrets, according to U.S. and company officials.
Still, the danger of an all-out cyberwar remains pressing.
"The difference between cybercrime, cyber-espionage, and cyberwar is a couple of keystrokes," says Clarke, who authored a forthcoming book on cyberthreats. "The same technique that gets you in to steal money, patented blueprint information or chemical formulas is the same technique that a nation-state would use to get in and destroy things."
The big fear is that an adversary, in the heat of a cyberwar, might try to take down the U.S. power grid, telephone network or transportation system.
"My guess is that it's only a few advanced militaries that could damage the electrical grid or damage some other networks," Lewis says. "But they have that capability. They have probably done the reconnaissance necessary to use it, and if we got into a fight, we could expect some kind of cyberattack."
Covering A Vast Space
Asked about the U.S. capability to defend itself from such an attack, Lewis, the cyber-expert with CSIS, feigns a shocked look.
"I didn't realize we had defensive capabilities," he says.
He adds, laughing, "No, that's not fair. How can I say that?"
Raduege, who is now directing the Deloitte Center for Cyber Innovation, argues that some attacks on the Pentagon have been countered relatively well, such as the 2007 incident that resulted in the penetration of Gates' personal e-mail account.
"When the secretary was attacked, of course someone got in. But somebody also noticed it right away, was able to isolate those attackers, clean up the system, and then put the users back online immediately," Raduege says. "So I think that's a real tribute to the people who are really fighting the network, as we say. It's a real battle space."
The problem for U.S. cyberwarriors is that the "battle space" is so vast.
"The government has its hands full defending the Defense Department and the intelligence community," says Clarke. "And, really, about the only parts of the U.S. government that are moderately well-defended [are] the Pentagon and the CIA."
Improving Overall Quality
Cyberdefense efforts at other government departments are spotty at best. The Treasury Department is doing "a relatively good job," Lewis says. But he adds that other agencies are doing "a relatively dreadful job."
"They may as well just change their passwords to 'Welcome, Chinese Friends,' " he says.
As for the critical civilian infrastructure, including the power, telecommunication and transportation grids, it is largely in private hands, meaning the U.S. military is not authorized to protect it.
In recognition of the country's vulnerability to computer attacks, the Pentagon has established a new U.S. Cyber Command, due to be directed by a four-star general, and the Obama administration has designated a cybersecurity coordinator, with responsibilities that extend across all U.S. government agencies. Still, critics say more must be done.
"Right now, the government is saying that Cyber Command will defend the military and the intelligence community. Homeland Security Department will defend the rest of the federal government," says Clarke. "The rest of us are on our own."
Timeline: Major Cybersecurity Incidents Since 2007
hide captionU.S. government and private computer networks find themselves facing much more frequent and much more sophisticated cyberintrusions.
A series of cyberattacks on U.S. government agencies and departments results in the loss of 10 terabytes to 20 terabytes of data. That's more data than what's stored in the Library of Congress. Defense Secretary Robert Gates' unclassified e-mail account is hacked.
Estonia's Parliament, banks, ministries and news media face "distributed denial of service," or DDoS, attacks. In DDoS attacks, Web sites are inundated with traffic, causing them to collapse. The attacks come as Estonia is in a heated dispute with Russia over the relocation of a Soviet-era war memorial. Estonian officials blame the Kremlin for the attacks.
An e-mail sent to 1,000 staff members at the Department of Energy's Oak Ridge National Labs contains an attachment that accesses the lab's nonclassified databases.
Hackers insert pictures of Adolf Hitler into the country of Georgia's Foreign Ministry Web site, while other government Web sites are disabled by DDoS attacks. The cyberattacks come as Russian forces engage in combat with Georgian troops. U.S. intelligence officials conclude that the Russian government was behind the attacks, perhaps acting through organized crime channels.
Hackers gain access to e-mails and computer files at the presidential campaign headquarters for John McCain and Barack Obama. Investigators reportedly trace the penetrations to computers in China.
Several thousand military computers at the Tampa, Fla.-based U.S. Central Command, the headquarters for military operations between east Africa and central Asia, are infected with malicious software. Investigators conclude that the malware was introduced via thumb drives that had been scattered in a parking lot.
Researchers at the University of Toronto announce that they have discovered an extensive cyberespionage network, which they call "GhostNet." The GhostNet operators are said to have infected 1,295 host computers in 103 countries around the world. The researchers cannot conclusively identify the GhostNet operators but suspect Chinese involvement.
Cyberattacks are launched against government, financial and media Web sites in South Korea and the U.S. Among those targeted is washingtonpost.com, the newspaper site. South Korea blames North Korea for the attacks, but the origin of the attacks is not determined.
Google and more than 30 other U.S. companies in China are subject to significant computer attacks, resulting in the loss of technological secrets.
Source: Center for Strategic and International Studies (Technology and Public Policy Program); news reports