The ordeal of your friend, mugged in a foreign capital and without the means to get home, has become something of a joke. Untold thousands, maybe millions, of nice people were conned this way before the world got wise to the fact that the friend who has popped up in your email is actually someone who has hacked into your account and found your address. Your real friends, too, are likely to get a similar email, and maybe, not having heard the joke before, are sending off dollars to help out.
In early cybermayhem, primitive hacking attacks like this were ostensibly pleas from fake Nigerian princes whose fortunes were in danger in some civil commotion; you'd be paid a percentage if you'd kindly store the fortune in your own bank account (details, please) for a few weeks. And then, there are the fake "Microsoft" technicians proliferating today who want to fix your machine.
The explosive evolution of cyberspace, reflected in the rapid growth of email, the web, Twitter and e-commerce, is of a magnitude never anticipated. The growth has been an immense boon to human progress, one of the greatest technological revolutions in recorded history. So what's a little hacking to worry about? Well, the menace of hacking is now of such a scale and of such stealth that it could threaten entire civilizations. The identity and location of cybergangsters – individuals, groups and states – are easy to hide because of the physical architecture and software protocols, which permit the relatively easy use of aliases and proxies. Further, the barriers to entry to cyberspace melt away with the spread of low-cost Internet-enabled devices that combine voice communications, web access, and still and video photographic capabilities. These multiply the wealth of opportunities for commercial enterprise, for the delivery of public goods and services, and for citizens to participate – but also for theft on a global scale, complex to defend against and to deter.
The critical question now is how to safeguard information stored inside computers and prevent hackers from creating confusion, panic and irrationality among the civilian target population through information warfare. Hackers who infiltrate a computer system and gain administrator-level access have enormous power within that system. Indeed, in hacker-slang, they "own it." Many sophisticated and well-organized groups operating out of safe-harbor countries target specific institutions for purposes of industrial espionage and the theft of intellectual property of great value. Cyberwarriors can create and operate malware such as the Stuxnet worm. We are said to have used a worm to delay Iran's progress to the nuclear bomb, and bravo to that.
Last year, a number of financial institutions in the U.S. came under attack, including sites belonging to our major banks, as well as Middle East oil and gas companies. Now Iran is in the process of building defensive and offensive cyberspace capabilities, both to attack various targets in retaliation for sanctions that have been imposed against it and to repel cyberattacks directed at it. Beyond these attacks, we are faced with the theft of scientific innovation and other intellectual property – acts that have already cost billions of dollars and damaged our economy.
Currently, there are thousands upon thousands of cyberattacks every day, with many of those attacks taking place on critical infrastructure networks. Our Department of Defense has been hacked. Israel experiences about 1,000 cyberattacks per minute, every day, all day, and not just from hacker groups but also from states, organized crime and terrorists, according to leading authorities. Last year, a computer virus wiped out crucial business data from more than 30,000 computers at the Saudi Arabian oil company (Aramco) and equally damaged the systems of RasGas in Qatar, because the standard defensive systems proved insufficient against these anonymous but focused attacks. Just think: A successful attack not only defeats our defense systems but also could disrupt power generation and literally put the lights out across America. The failure of communications would paralyze not only banks but also hospitals, making it impossible for first-responders to save lives.
No wonder former secretary of defense Leon Panetta warned publicly that the U.S. could soon face a mass disruption, an event of catastrophic proportion, what he named a "cyber-Pearl Harbor," that could wreak havoc on the elaborate computer networks daily life in America depends on – one that could be created in the blink of an eye from remote locations overseas.
A concerted assault on U.S. networks of information, power generation, water, air traffic control and GPS systems could produce panic and chaos. The U.S. intelligence community's annual review puts cyberattacks by foreigners on our critical infrastructure at the forefront of a list of threats that includes terrorism, global crime networks, and the proliferation of weapons of mass destruction.
Why, then, is the Senate holding up the Cyber Intelligence Sharing and Protection Act (CISPA)? It creates a database for known threats from cyberspace so that industry and government would be able to identify and record the viruses, malware and dirty tricks evolving all the time. Promoted by House Intelligence Committee Chairman Mike Rogers, R-Mich., and the ranking member C.A. Dutch Ruppersberger, D-Md., it was passed by the House with a huge majority. But it is still being held up by the Senate.
The blocking seems to lie in the fear that the government might use CISPA to pry into your personal affairs. As attorney Brian Finch wrote this week in Roll Call, "depriving the government of the ability to share that information is tantamount to telling the FBI that it can publish a '10 Most Wanted' list, but only if no names or descriptors are used." We all want our personal secrets held inviolate, but CISPA is not a real threat. Cyberwarfare is.
President Obama summed it up in the State of the Union address: "Our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems; we cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
China claims it is a victim, too. The Chinese Foreign Ministry has declared itself "firmly against any forms of cyberattacks." But this week, in justifiably strong language, the Pentagon directly accused China's government and military of carrying out numerous attempts to infiltrate our defense industrial base. The report underlines that the private sector is targeted through means that are less questionable but nonetheless indicate the level of intrusion: "China continues to leverage foreign investments, commercial joint ventures, academic exchanges, the experience of repatriated Chinese students and researchers, and state sponsored industrial and technical espionage to increase the level of technologies and expertise available to support military research, development and acquisition."
To date we have yet to establish security standards to prevent large-scale cyberattacks on the nation's critical infrastructure. This, despite the awareness of the extent to which our most critical cybersystems have been infiltrated. Our cyberdefenses are "woefully lacking," according to our national intelligence directors. "We are no nearer to dealing comprehensively with the issues presented by the danger of unauthorized entry into, and use of, our computer systems than we were a decade ago," former attorney general Michael Mukasey has said.
What we need is an intense, comprehensive and continuing effort to keep us safe from cyberattacks. Technology companies and individuals should be encouraged to bid for software to destroy, deny, degrade, disrupt, correct or usurp an adversary's attempt to use cyberspace for an advantage and to launch superfast computer counterattacks. The National Security Agency must take the lead in such a process.
We have a White House cyber-tsar to develop a national strategy. But too little of substance has been done to date. We are going to have to consider what students are accepted at the world's top five computer science schools, all of which are in America, for we must educate and retain our talent. We will also have to review the kinds of investment made in U.S. companies where technology will be shared including through joint venture and minority investment, as well as outright purchases of U.S. businesses. We are going to have to find a way to share threat information, to make it easier for critical infrastructure companies to share information with the government when they are attacked, and also to help them recover from attack. When it comes to intellectual property, we are not just dealing with state actors having a specific agenda. Somebody described it as a group of 18-wheelers backing up on K Street, accumulating all that confidential information, and sending it to China.
Solving the critical threat of mass attacks by nation states and foreign criminal efforts requires nothing less than a souped-up Manhattan Project, if we are to succeed at strengthening our growing vulnerabilities.