DAVID GREENE, HOST:
On MORNING EDITION this week, we're looking at preparations in the United States for a possible cyberattack against key computer networks. Security experts say if an all-out cyberwar broke out today, the U.S. would be vulnerable, and here's one problem: The government knows the most about what weapons might be used, but it is the private sector that's most likely to be targeted. As NPR's Tom Gjelten reports, the two sides need to talk.
TOM GJELTEN, BYLINE: Cybersecurity has become an urgent priority, partly because there's a cyberarms race going on right now. The United States, its allies and its adversaries are all developing evermore sophisticated computer weapons. The U.S. military has its own cyber command, headed by Army General Keith Alexander. He knows as much as anyone about the computer weapons being developed on the U.S. side. And at a Senate hearing in March, he guessed other countries are not far behind.
GENERAL KEITH ALEXANDER: When we see what our folks are capable of doing, we need to look back and say: There are other smart people out there that can do things to this country. We need to look at that and say: How are we going to defend?
GJELTEN: After all, if the U.S. military develops an especially lethal computer weapon, someone else could, too. Here's Mike McConnell, a former U.S. director of national intelligence.
MIKE MCCONNELL: There are nation-states, to include the United States, who are building cybertools to prevail on a disagreement. The worry is what happens when some of those tools - and there are thousands of them - get released inadvertently. Or it's - somebody steals it to sell to a terrorist group, somebody who has a different view of the world order and wants to change things.
GJELTEN: So, if the people defending U.S. computer networks are to be well-prepared for cyberattacks, it would help if they knew what cyberweapons the U.S. is itself developing, just in case those weapons end up on the enemy side. But cyberwar tools are not something the government generally wants to say much about. Mike McConnell, speaking recently at a cybersecurity conference, pointed out that most of what the U.S. cyber command does in this area is classified top secret. It can't be revealed.
MCCONNELL: How do we establish a regime where that information can be shared with corporate America at the unclassified level?
GJELTEN: Information first about what cyberweapons U.S. adversaries are developing, but also what might be in the United States' own cyberarsenal, information that could be critical if corporate America is to defend its own computer networks. There is at least one important initiative in this area. It's about four years old, but until now, little has been said about it. It's part of what's called the enduring security framework. Chief executives of top U.S. corporations are brought to Washington two or three times a year for a one-day, classified briefing by General Alexander and other officials.
For each session, the CEOs get special, top-secret clearances so they can be told about the latest in cyberweaponry. They can then go back to their companies and take steps to deal with the threats they hear about, threats they may not previously have taken seriously. In the words of one government participant: We scare the bejeezus out of them. Richard Bejtlich, chief security officer at the Mandiant Company, says for one CEO he knows, the Alexander briefing was a life-changing experience.
RICHARD BEJTLICH: He got a one-day secret clearance. General Alexander sat him down, told him what was going on. This particular CEO, in my opinion, should have known, but did not, and now it's colored everything about the way he thinks about this problem.
GJELTEN: At one session in the spring of 2010, tech company CEOs were told, quote, "We can turn your computer into a brick," unquote. U.S. cyber experts told the execs that they'd learned how an adversary could rewrite computer firmware - the low-level software that dictates how the hardware works - rewrite the firmware so that it would disable the computer.
Manufacturers had known in theory about that design flaw, but they had not previously realized an enemy could exploit that flaw in such a way as to actually get into a machine and destroy it. The computer manufacturers subsequently redesigned their machines and fixed the flaw. No damage was done. Still, it was a close call, according to two participants with knowledge of the incident. And there was a lesson. It showed how important it is for the government and industry to work together in addressing cyberthreats. And that principle is now at the heart of cybersecurity legislative proposals under consideration in Congress. Tom Gjelten, NPR News.