Director of National Intelligence Dennis Blair opened his annual survey of security threats in February by advising Congress that "malicious cyberactivity is growing at an unprecedented rate," and that the country's efforts to defend against cyberattacks "are not strong enough."
Blair's predecessor as intelligence chief, Mike McConnell, was even more candid in a Washington Post commentary later that month.
"The United States is fighting a cyberwar today," McConnell wrote, "and we are losing."
No country in the world is more dependent on its computers than the United States. Data networks now underlie the U.S. power grid, its military operations and the telecommunications, banking and transportation systems. That means the U.S. is uniquely vulnerable to sophisticated computer hackers.
'Explosion' Of Computer Attacks
The Pentagon's Quadrennial Defense Review, released in February, reported that the department's computer networks "are infiltrated daily by myriad of sources, ranging from small groups of individuals to some of the largest countries in the world." A senior defense official who follows the cyberthreat closely tells NPR that in the past two years, the Pentagon has experienced an "explosion" of computer attacks, currently averaging about 5,000 each day.
One of the biggest was in 2007, when hackers targeted the Pentagon, NASA and the departments of Energy, Commerce and State. The origin of the attack was unknown, but U.S. officials suspect it came from China. Among the victims was Defense Secretary Robert Gates, whose unclassified e-mail account was penetrated.
James Lewis, a cyber-expert at the Center for Strategic and International Studies, says the 2007 hackers gained access to massive amounts of U.S. government data — some of it important, some of it worthless.
"In fact, I felt sorry [for them]," Lewis says. "Some guy, probably in Beijing, is having to sit there and translate state dinner menus from 1994. He's probably going nuts."
A 2003 computer attack so impressed the FBI that agents gave it a code name: Titan Rain. The hackers managed to penetrate a variety of military networks without being detected.
"There's still some debate about who did it and why they did it," says Richard Clarke, who was a top cybersecurity adviser to Presidents Bill Clinton and George W. Bush. "But it proved that it is possible to get into even well-defended networks and exfiltrate terabytes of information — and nothing can be done about it."
U.S. officials estimate that the 2007 attacks and Titan Rain each resulted in the loss of as much as 10 terabytes of data, an amount roughly comparable to the contents of the entire Library of Congress. There have been other large, and possibly related, attacks as well.
"Some people say there's really been only one event, ongoing for years, and it's just that we occasionally stumble on it," says Lewis, who served as the project director of the center's Commission on Cybersecurity for the 44th Presidency.
A New Crime Category Emerging?
The cyberattacks are also becoming more sophisticated and harder to trace. Hackers in China, for example, are now able to take control of thousands of personal computers in the United States simultaneously, and remotely command them to send out bogus e-mails or viruses. Such robot computer networks, called Bot Nets, can do great damage when directed by malicious hackers.
"People who have computers and no [anti-virus] protection are susceptible to being captured, unknown to them," says Harry Raduege, a retired Air Force lieutenant general and former commander of the Pentagon's Joint Task Force for Global Network Operations. "They could then become part of a Bot Net army that could be used to attack an organization, a nation or an industry."
Up to now, most computer attacks have fallen under the category "cybercrime." There have not yet been any significant acts of cyberterrorism, though U.S. intelligence officials say al-Qaida and other terrorist groups are committed to developing a cyber capability.
Goals Change, Threat Stays The Same
Attacks traceable to foreign governments and corporations, according to cyber-experts, have largely been for espionage purposes — at least until now. The December 2009 attack on Google and other companies operating in China was apparently an effort to steal industrial secrets, according to U.S. and company officials.
Still, the danger of an all-out cyberwar remains pressing.
"The difference between cybercrime, cyber-espionage, and cyberwar is a couple of keystrokes," says Clarke, who authored a forthcoming book on cyberthreats. "The same technique that gets you in to steal money, patented blueprint information or chemical formulas is the same technique that a nation-state would use to get in and destroy things."
The big fear is that an adversary, in the heat of a cyberwar, might try to take down the U.S. power grid, telephone network or transportation system.
"My guess is that it's only a few advanced militaries that could damage the electrical grid or damage some other networks," Lewis says. "But they have that capability. They have probably done the reconnaissance necessary to use it, and if we got into a fight, we could expect some kind of cyberattack."
Covering A Vast Space
Asked about the U.S. capability to defend itself from such an attack, Lewis, the cyber-expert with CSIS, feigns a shocked look.
"I didn't realize we had defensive capabilities," he says.
He adds, laughing, "No, that's not fair. How can I say that?"
Raduege, who is now directing the Deloitte Center for Cyber Innovation, argues that some attacks on the Pentagon have been countered relatively well, such as the 2007 incident that resulted in the penetration of Gates' personal e-mail account.
"When the secretary was attacked, of course someone got in. But somebody also noticed it right away, was able to isolate those attackers, clean up the system, and then put the users back online immediately," Raduege says. "So I think that's a real tribute to the people who are really fighting the network, as we say. It's a real battle space."
The problem for U.S. cyberwarriors is that the "battle space" is so vast.
"The government has its hands full defending the Defense Department and the intelligence community," says Clarke. "And, really, about the only parts of the U.S. government that are moderately well-defended [are] the Pentagon and the CIA."
Improving Overall Quality
Cyberdefense efforts at other government departments are spotty at best. The Treasury Department is doing "a relatively good job," Lewis says. But he adds that other agencies are doing "a relatively dreadful job."
"They may as well just change their passwords to 'Welcome, Chinese Friends,' " he says.
As for the critical civilian infrastructure, including the power, telecommunication and transportation grids, it is largely in private hands, meaning the U.S. military is not authorized to protect it.
In recognition of the country's vulnerability to computer attacks, the Pentagon has established a new U.S. Cyber Command, due to be directed by a four-star general, and the Obama administration has designated a cybersecurity coordinator, with responsibilities that extend across all U.S. government agencies. Still, critics say more must be done.
"Right now, the government is saying that Cyber Command will defend the military and the intelligence community. Homeland Security Department will defend the rest of the federal government," says Clarke. "The rest of us are on our own."
