STEVE INSKEEP, host:
Over the next few days on MORNING EDITION we're going to be looking at America's cyber-security. It's about safeguarding everything that happens over computer networks, from online banking to the power grid to cell phones. Even the security of military operations is at stake here. When you count all of that, no country on this planet depends so much on computer networks, and that means no country is as vulnerable to disruptions.
NPR's Tom Gjelten will be our guide through these challenges. Hi, Tom.
TOM GJELTEN: Hi, Steve.
INSKEEP: I assume you're here to tell us that we're not all that secure.
GJELTEN: Afraid not, Steve. You know, we have had cyber-criminals, cyber mischief-makers, cyber-spies, as long as there's been an Internet, and we have built up defenses against them. But what's new is the sophistication of cyber-attacks is now out pacing the sophistication of cyber-defense. It's a sophistication gap. That's what's jeopardizing our cyber-security.
INSKEEP: This is the same kind of thing you have in any kind of warfare. The offense is ahead and then the defense catches up. Should we be concerned about our own securities as individuals, or about the security of the nation here?
GJELTEN: Well, as individuals we have to be on guard against cyber-crime of all kinds, but I'm going to focus on the national security issues. Remember, each year the director of national intelligence delivers an official threat assessment. It used to be terrorism always topped the list; then last year the new director, Dennis Blair, surprised everyone by saying the global financial meltdown was the biggest security threat. This year he started with cyber.
Mr. DENNIS BLAIR (Director of National Intelligence): Malicious cyber-activity is growing at an unprecedented rate.
GJELTEN: Malicious cyber-activity. He's talking about the whole range of things cyber-attackers do in saying we're actually losing ground in our efforts to deal with them.
Mr. BLAIR: Just the facts of the matter are that cyber-defenders have to spend more, have to work harder than cyber-attackers, and American efforts are not strong enough in this regard right now.
GJELTEN: Thousands of cyber-attacks every single day. A big one in 2007 targeted the Pentagon, NASA, and other government agencies. U.S. officials suspect China was behind it. Jim Lewis, the Center for Strategic and International Studies, says it was like the hackers went in with a vacuum cleaner sucking up all the stuff within reach, some of it important, some of it worthless.
Mr. JAMES LEWIS (Center for Strategic and International Studies): In fact, I felt sorry, because some guy over probably in Beijing is having to sit there and translate state dinner menus from, you know, 1994. And he's probably going nuts.
GJELTEN: Lewis directed the Commission on Cyber-security for the 44th presidency. He's someone we'll hear a lot from in this series. There was also a big cyber-attack in 2003, big enough the FBI actually gave it a code name: Titan Rain. Richard Clarke knows about that one. He was a White House advisor on various security issues, including cyber, for Presidents Clinton and Bush. Clarke says the Titan Rain hackers penetrated several military networks without being detected.
Mr. RICHARD CLARKE (Former White House Security Advisor): There's still some debate about who did it and why they did it. But what it proved was that it is possible to get into even well-defended networks and exfiltrate terabytes of information and nothing can be done about it.
GJELTEN: Terabytes is a lot. If all the words in all the books in the Library of Congress were converted to data, that would be about 10 terabytes, and that's about how much was taken in Titan Rain and also in 2007. And there will be more. Hackers in other countries can take control of a bunch of people's personal computers in the U.S. and command them all remotely to send out bogus emails or viruses - thousands of robot computers networked and at a hackers disposal, you call it a botnet.
Harry Raduege, a retired Air Force lieutenant general, who's worked on cyber issues much of his career, says it starts with individual users who don't have anti-virus software on their home computers.
Lieutenant General HARRY RADUEGE (U.S. Air Force, Retired): People who have computers and they have no protection are susceptible to being captured, unknown to them. And then being part of a botnet army that is used to attack an organization, a nation, or an industry.
GJELTEN: Botnets have been around for a while, but hackers and foreign governments are using them in more damaging ways. We're seeing a move from cyber-crime to cyber-espionage, as in the case of the hackers who stole secrets from Google in China last December. And Richard Clarke says the stage is now set for a full-scale cyber-attack.
Mr. CLAKE: The difference between cyber-crime, cyber-espionage, and cyber-war is a couple of keystrokes. The same technique that gets you in to steal money, the same technique that gets you in to steal patented blueprint information or chemical formulas - that's the same technique that a nation-state would use to get in and destroy things.
GJELTEN: The big U.S. fear is that in a cyber-war an adversary could take down our power grid, our telephone network, or our transportation system. Jim Lewis takes the threat seriously.
Mr. LEWIS: My guess is that right now it's only a few advanced militaries that could damage the electrical grid or damage some other networks. But they have that capability. They've probably done the reconnaissance necessary to use it, and if we got into a fight, we could expect some kind of cyber-attack.
GJELTEN: I then asked Lewis if the U.S. is capable of defending itself. He smiled.
Mr. LEWIS: I didn't realize we had defensive capabilities. No, that's not fair. How can I say that?
GJELTEN: Retired General Harry Raduege now works at the consulting firm Deloitte, but he still follows cyber issues closely and he says it's not fair to say we have no cyber defenses. He cites the 2007 attack on the Pentagon, when Defense Secretary Robert Gates and others had their Pentagon email accounts hacked.
Lt. Gen. RADUEGE: When the secretary was attacked, of course someone got in, but somebody also noticed it right away, was able to isolate those attackers, clean up the system, and then put the users back online immediately. It's a real battle space.
GJELTEN: In fact, cyber experts say U.S. military and intelligence networks are now moderately well-defended. But that still leaves the non-military government networks, and Jim Lewis says they have a mixed record at best when it comes to cyber-security efforts.
Mr. LEWIS: Some places Treasury - a relatively good job. Other places - the other agencies - relatively dreadful job. Alright. They may as well just change their passwords to Welcome Chinese Friends.
GJELTEN: And those are just the government networks. The power, telecommunication, and transportation grids are largely in private hands, meaning the U.S. military can't really protect them. A new military cyber command has been organized and the Obama administration has designated a cyber czar to coordinate cyber-security policy. But Richard Clarke says we have a ways to go.
Mr. CLARKE: Right now the government is saying Cyber Command will defend the military and the intelligence community. Homeland Security Department will defend the rest of the federal government. And the rest of us are on our own.
GJELTEN: And Steve, those power and telecom companies - essentially they're on their own.
INSKEEP: That's NPR's Tom Gjelten reporting on cyber-security or the lack of it. And Tom, I want to ask, because other kinds of war, like nuclear war, seem to have been prevented through deterrence, the threat of a counter-attack. Does deterrence work with cyber-war?
GJELTEN: Steve, U.S. officials are still trying to come up with a deterrence strategy for cyber-war. It's a problem. We're going to be getting to that scenario tomorrow.
INSKEEP: NPR's Tom Gjelten, thanks very much. Now, if you want a list of some of the most serious cyber-attacks we have already faced in recent years, go to npr.org.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.