Cyber War: The Next Threat to National Security and What to Do About It
Authors: Richard A. Clarke, Robert K. Knake
Tags: #General, #Computers, #Technology & Engineering, #Political Science, #Security, #United States, #Political Freedom & Security, #Cyberterrorism, #Political Process, #Law Enforcement, #International Security, #Information warfare, #Military Science, #Terrorism, #Prevention
Early in 2000, when we were still glowing from our success in avoiding a Y2K problem, a number of the new Internet commerce sites (AOL, Yahoo, Amazon, E-Trade) crashed from what I was told was a DDOS, a term new to most people in 2000. This was the first “big one,” hitting numerous companies simultaneously and knocking them down. The motive was hard to discern. There were no monetary demands, nor was there a real political message. Somebody seemed to be trying out the concept of covertly taking over lots of people’s computers and secretly using them to attack. (That somebody later turned out to be a busboy from Montreal.) I saw the DDOS as an opportunity to have the government remind the private sector that they needed to take cyber attacks seriously.
President Clinton agreed to host the leaders of the companies that had been attacked as well as other CEOs from important infrastructures and from the IT industry. It was the first presidential White House meeting with private-sector leadership concerning a cyber attack. It was also the last, thus far. Although it was a remarkably detailed and frank meeting, eye-opening for many, it essentially resulted in everyone agreeing to work harder on the problem.
In 2001, the new Bush Administration got a taste of the problem when the Code Red worm infected over 300,000 computers in a few hours and then turned them all into zombies programmed to launch a DDOS attack on the White House webpage. I was able to distribute the White House website onto 20,000 servers using a company called Akamai and thereby avoided the effects of the attack (we also persuaded some of the major ISPs to divert the attack traffic). Cleaning up the infected computers turned out to be a harder job. Many companies and individuals could not be bothered to remove the worm software, despite its repeated disruptive effects on the Internet. Nor did we have any ability to deny those machines access to the Internet, even though they were pumping out malware on a regular basis. In the days after the 9/11 terrorist attack, another, more serious worm spread quickly. The NIMDA (Admin spelled backward) worm was targeted at computers running in the most well secured private-sector industry vertical, the financial industry. Despite their sophisticated security, many banks and Wall Street firms were knocked offline.
CYBER SECURITY GETS BUSHED
The Bush Administration took some convincing that cyber security was an important problem, but agreed by the summer of 2001 to set up a separate office in the White House to handle its coordination (Executive Order 13231). I ran that office as Special Advisor to the President for Cybersecurity from the autumn of 2001 to early 2003. Most of the rest of the Bush White House (the Science Advisor, the Economic Advisor, the Budget Director) sought to limit the authority of the new cyber security position.
Unfazed by that, my team took the Clinton National Plan and modified it based on input from twelve industry teams we established and from citizen input at ten town halls held around the country. (The kind of crowd that shows up for a cyber security town hall is, thankfully, more civilized than the nut jobs who showed up in 2009 at health-care town halls.) The result was the National Strategy to Secure Cyberspace, which Bush signed in February 2003. Substantively, there was little difference between the Clinton and Bush approaches, except that the Republican administration not only continued to eschew regulation, they downright hated the idea of the federal government issuing any new regulations on anything at all. Bush left jobs vacant for long periods at several regulatory commissions and then appointed commissioners who did not enforce the regulations that did exist.
Bush’s personal understanding and interest in cyber security early in his administration were best summed up by a question he asked me in 2002. I had gone to him in the Oval Office with news of a discovery of a pervasive flaw in software, a flaw that would allow hackers to run amok unless we could quietly persuade most major networks and corporations to fix the flaw. Bush’s only reaction was: “What does John think?” John was the CEO of a large information-technology company and a major donor to the Bush election committee.
With the creation of the Department of Homeland Security, I had thought there would be an opportunity to take many of the scattered entities working on cyber security and merge them into one center of excellence. As a result, some cyber security offices from the Commerce Department, FBI, and DoD were brought together in Homeland. The sum turned out to be much less than the parts, as many of the best people in the merged offices took the opportunity to leave government. When I also took my exit from the Bush Administration shortly before it began the disastrous Iraq War, the White House chose not to replace me as Special Advisor. The most senior official in government charged with coordinating cyber security was then in an office buried several layers down in what was turning into the most dysfunctional department in government, DHS. Several very good people tried to make that job work, but each one quit in frustration. The media began talking about the “cyber czar of the week.” The high-level private-sector focus on the issue we had achieved faded.
Four years later, Bush made a decision much more quickly than his staff had assumed he would. There was a covert action that the President had to approve personally. The President’s scheduler had booked an hour for the decision briefing. It took five minutes. Bush never saw a covert-action proposal he didn’t like. Now, with fifty-five minutes left in the meeting, the Director of National Intelligence, Mike McConnell, saw an opening. All the right people were in the room, senior national security cabinet members. McConnell asked if he could discuss a threat to the financial industry and the U.S. economy. Given the floor, he talked about cyber war and how vulnerable we were to it. Particularly vulnerable was the financial sector, which would not know how to recover from a data-shredding attack, an attack that could do unimaginable damage to the economy. Stunned, Bush turned to Treasury Secretary Hank Paulson, who agreed with the assessment.
At this point, Bush, who had been sitting behind the large desk in the Oval Office, almost jumped in the air. He moved quickly to the front of the desk and began gesturing for emphasis as he spoke. “Information technology is supposed to be our advantage, not our weakness. I want this fixed. I want a plan, soon, real soon.” The result was the Comprehensive National Cybersecurity Initiative (CNCI) and National Security Presidential Decision 54. Neither has ever become public. Both documents call, appropriately enough, for a twelve-step plan. They focus, however, on securing the government’s networks. Oddly, the plan did not address the problem that had started the discussion in the Oval Office, the vulnerability of the financial sector to cyber war.
Nonetheless, Bush requested $50 billion over five years for the Comprehensive National Cybersecurity Initiative, which is neither comprehensive nor national. The initiative is an effort to, in the words of one knowledgeable insider, “stop the bleeding” out of DoD and intelligence-community systems, with a secondary focus on the rest of the government. Also described as a multibillion-dollar “patch and pray program,” the initiative does not address vulnerabilities in the private sector, including in our critical infrastructures. That tougher problem was left to the next administration.
The initiative was also supposed to develop an “information warfare deterrence strategy and declaratory doctrine.” That part has almost totally been put on hold. In May 2008, the Senate Armed Services Committee criticized the initiative’s secrecy in a public report, with the comment that “it is difficult to conceive how the United States could promulgate a meaningful deterrence doctrine if every aspect of our capabilities and operational concepts is classified.” Reading that, I could not help but think of Dr. Strangelove when, in the movie of the same name, he berates the Soviet Ambassador for Moscow’s keeping the existence of its nuclear-deterrent Doomsday Machine a secret: “Of course, the whole point of a Doomsday Machine is lost if you keep it a secret! Why didn’t you tell the world?” The reason we are keeping our cyber deterrence strategy secret is probably that we do not have a good one.
OBAMA’S OVERFLOWING PLATE
It was another vulnerability of the financial sector, brought on as a result of industry successfully lobbying against government regulation, that Barack Obama was forced to focus on when he became President in 2009. The subprime-mortgage meltdown and the complex dealings in the derivatives markets had created the worst financial crisis since 1929. With that, in addition to the war in Iraq, the war in Afghanistan, threatening flu pandemics, health-care reform, and global warming all requiring his attention, Obama did not focus on cyber security. He had, however, addressed the issue during the 2008 campaign. Although I had signed on to the campaign as a terrorism advisor, I used that access to pester the candidate and his advisors about cyber war. It was not surprising to me that Obama “got” the issue, since he was running the most technologically advanced, cyber-dependent presidential campaign in history.
Thus, as part of the campaign’s effort to stake out some ground on national security issues, then-Senator Obama gave a speech and met with national experts on technology and emerging threats at Purdue University in the summer of 2008. In the speech, he took the bold step of declaring U.S. cyber infrastructure “a strategic asset,” an important phrase in government-speak that means it is something worth defending. He also pledged to appoint a senior White House advisor who would report directly to him and gave a general commitment to make cyber security “a top federal priority.” In the accompanying fact sheet, which my coauthor Rob Knake drafted along with two MIT computer scientists, John Mallery and Roger Hurwitz, he went a step further, criticizing the Bush Administration for moving too slowly in the face of the risks associated with cyberspace, and pledging to initiate a “Safe Computing R&D effort” to “develop next-generation secure computers and networking for national security applications,” to invest more in science and math education, and to create plans to address private-sector vulnerabilities, identity theft, and corporate espionage.
A few weeks later, the cyber threat was hammered home to Obama in a very serious way. The FBI quietly informed the campaign that it had reason to believe Chinese hackers had infiltrated the campaign’s computer systems. I asked one of my business partners, Paul Kurtz (who had worked on cyber security on both the Clinton and Bush White House staffs), to take a team of cyber security experts out to the Chicago headquarters to assess the extent of the damage and see what could be done to secure the systems. The Chinese hackers had focused on draft policy documents. They had used some sophisticated techniques, hidden beneath more obvious activity.
When the campaign quietly put together an unofficial transition team weeks before election day, I asked everyone working on national security planning to stop using their home computers for that purpose. Even though what they were writing was unclassified, it was of interest to China and others (including, presumably, John McCain, not that his campaign had shown much understanding of cyber technology). With the campaign’s blessing, we distributed “clean” Apple laptops and locked them down so they could only connect to one thing, a virtual private network we created using a server with a completely innocuous name. I knew we were going to be in trouble when I started getting calls complaining about the security features. “Dick, I’m at a Starbucks and this damn machine won’t let me connect to the wi-fi.” “Dick, I want to pull some files off of my Gmail account, but I can’t access the Internet.” I tried to point out that if you are a senior member of the informal national security transition team, you probably should not be planning the takeover of the White House from a Starbucks, but not everyone seemed to care.
Shortly before the inauguration, Paul Kurtz and I provided the new White House team with a draft decision document to formalize the proposals Obama had advocated in the Purdue speech. We argued that if Obama waited, people would come out of the woodwork to try to stop it. Although the most senior White House staff understood that problem and wanted a quick decision, it was, understandably, not a high priority for them. Instead, the new Obama White House announced a Sixty Day Review and asked one of the drafters of Bush’s CNCI to run it. This was despite the fact that Jim Lewis and the Commission on Cyber Security for the forty-fourth Presidency had already spent over a year working to achieve a consensus view on what the next President needed to do, releasing their report on December 8, 2008. When, 110 days later, the President announced the results, guess what? It was CNCI redux. It also had a military Cyber Command, but not a cyber war strategy, not a major policy or program to defend the private sector, nothing to initiate international dialogue on cyber war. And, déjà vu all over again, the new Democratic President went out of his way to take regulation off the table: “So let me be very clear: my administration will not dictate security standards for private companies.”
What Obama did not announce in his public remarks after the Sixty Day Review was who would be the new White House cyber security czar. Few qualified people wanted the job, largely because it had no apparent authority and had been altered to report directly to both the Economic Advisor and the National Security Advisor. The Economic Advisor was the ousted former Harvard president Larry Summers, who had made it clear that he thought the private sector and market forces would do enough to deal with the cyber war threat without any additional government regulation or role in their affairs. Months went by during which the best efforts of the White House personnel office failed to convince candidate after candidate that this was a job worth taking.
Thus, for the first year of his administration, Obama had no one in the White House trying to orchestrate a government-wide, integrated cyber security or cyber war program. Departments and agencies did their own thing, or did nothing. The two lead agencies in defending America from cyber war were U.S. Cyber Command (to defend the military) and the Department of Homeland Security (to defend, well, something else). The head of U.S. Cyber Command kept a low profile for most of 2009 because the Senate had not yet agreed to give him his fourth star. To get the promotion from three stars, General Keith Alexander would have to answer questions before a Senate committee, and that committee wasn’t too sure it understood what U.S. Cyber Command was actually supposed to do. Senator Carl Levin of Michigan asked the Pentagon to send over an explanation of the command’s mission and strategy before he would agree to schedule a confirmation hearing.