Rockefeller pledges to work with tech leaders to avert "cyber 9/11, cyber Katrina"
Sen. Jay Rockefeller (D-W.Va.) is imploring the tech community to work with congressional lawmakers to address cybersecurity reform before the nation experiences "a cyber-Katrina, or a cyber-9/11."
During a speech Thursday at the Business Software Alliance's 2010 Cybersecurity Forum, the chairman of the Senate Commerce Committee predicted anything less that full cooperation would threaten national security and increase the likelihood that an attack would trigger a public response in support of "tough, unbending solutions" that do not favor private industry.
Rockefeller, however, cautioned tech leaders not to balk prematurely at federal attempts to secure government and private networks. Touting his own cybersecurity bill, drafted last year with the help of Ranking Member Olympia Snowe (R-Maine), he stressed "shared responsibility" would be the only way to deter and respond to cyber threats before they wreaked serious havoc.
"So let me be very clear: The regulation-versus-leave it to the markets debate dominates all hearings, but it's a very damaging and false choice," Rockefeller said during the BSA luncheon. "The government cannot do this on its own, and neither can the private sector. We can only succeed if we work together, but to do so we must develop a new way of thinking."
Both Rockefeller and Snowe have long articulated the need for cybersecurity reform, stressing their own legislation as the most viable option. The two lawmakers have already gone through four drafts of their bill, making changes in response industry criticisms that it was too overreaching and broad.
The most prominent, early complaint was that the bill granted the president exceptional, unprecedented power to shut down entire networks in the event of a cyber-emergency. While both lawmakers insisted their bill did no such thing, they nonetheless clarified their language to quiet tech leaders', who have since grown more supportive of the legislation.
The Senate Commerce Committee ultimately cleared the bill last month with ease, leaving it up to the full Senate to decide its fate. But Rockefeller said Thursday he was not entirely sure when the bill would come to the floor, though he did note he had met repeatedly with Senate Democratic leaders to discuss scheduling.
When that bill does reach the full chamber, the West Virginia Democrat predicted his legislation would not encounter much political push back, even though partisan rancor in the Senate has been especially prevalent as of late.
"As you know in the Senate, we like to fight," Rockefeller said, adding that floor time for a bill has become so valuable that politicos ought to trade it like "futures." Still, he added, "I don't think this is going to be a partisan issue."
He also expressed hope that the private tech industry, too, would warm up to the legislation, which he promised to adapt and revise as more businesses and experts raised new ideas and concerns.
"I am proud of how far we've come," Rockefeller said. "But we need to get it done."
The Attack Coming From Bytes, Not Bombs
Blackouts hit New York, Los Angeles, Washington and more than 100 other American cities. Subways crash. Trains derail. Airplanes fall from the sky.
Gas pipelines explode. Chemical plants release clouds of toxic chlorine. Banks lose all their data. Weather and communication satellites spin out of their orbits. And the Pentagon’s classified networks grind to a halt, blinding the greatest military power in the world.
This might sound like a takeoff on the 2007 Bruce Willis “Die Hard” movie, in which a group of cyberterrorists attempts to stage what it calls a “fire sale”: a systematic shutdown of the nation’s vital communication and utilities infrastructure. According to the former counterterrorism czar Richard A. Clarke, however, it’s a scenario that could happen in real life — and it could all go down in 15 minutes. While the United States has a first-rate cyberoffense capacity, he says, its lack of a credible defense system, combined with the country’s heavy reliance on technology, makes it highly susceptible to a devastating cyberattack.
“The United States is currently far more vulnerable to cyberwar than Russia or China,” he writes. “The U.S. is more at risk from cyberwar than are minor states like North Korea. We may even be at risk some day from nations or nonstate actors lacking cyberwar capabilities, but who can hire teams of highly capable hackers.”
Lest this sound like the augury of an alarmist, the reader might recall that Mr. Clarke, counterterrorism chief in both the Bill Clinton and George W. Bush administrations, repeatedly warned his superiors about the need for an aggressive plan to combat al Qaeda — with only a pallid response before 9/11. He recounted this campaign in his controversial 2004 book, “Against All Enemies.”
Once again, there is a lack of coordination between the various arms of the military and various committees in Congress over how to handle a potential attack. Once again, government agencies and private companies in charge of civilian infrastructure are ill prepared to handle a possible disaster.
In these pages Mr. Clarke uses his insider’s knowledge of national security policy to create a harrowing — and persuasive — picture of the cyberthreat the United States faces today. Mr. Clarke is hardly a lone wolf on the subject: Mike McConnell, the former director of national intelligence, told a Senate committee in February that “if we were in a cyberwar today, the United States would lose.”
And last November, Steven Chabinsky, deputy assistant director for the Federal Bureau of Investigation’s cyber division, noted that the F.B.I. was looking into Qaeda sympathizers who want to develop their hacking skills and appear to want to target the United States’ infrastructure.
Mr. Clarke — who wrote this book with Robert K. Knake, an international affairs fellow at the Council on Foreign Relations — argues that because the United States military relies so heavily upon databases and new technology, it is “highly vulnerable to cyberattack.” And while the newly established Cyber Command, along with the Department of Homeland Security, is supposed to defend the federal government, he writes, “the rest of us are on our own”:
“There is no federal agency that has the mission to defend the banking system, the transportation networks or the power grid from cyberattack.” In fact, The Wall Street Journal reported in April 2009 that the United States’ electrical grid had been penetrated by cyberspies (reportedly from China, Russia and other countries), who left behind software that could be used to sabotage the system in the future.
For more than a decade now, Mr. Clarke has been warning about “an electronic Pearl Harbor,” and he is familiar with the frustrations of a political bureaucracy. He notes that pressure from both the right and left over the hot-button issues of regulation and privacy have made it difficult for the government to get individual corporations (which control vital services like electricity, Internet access and transportation) to improve their ability to defend themselves against cyberattack.
Meanwhile, Mr. Clarke says, China has developed “the ability to disconnect all Chinese networks from the rest of the global Internet, something that would be handy to have if you thought the U.S. was about to launch a cyberwar attack on you.” After the first gulf war, he explains, the Chinese “began to downsize their military” — which reportedly has about one-eighth of the Pentagon’s budget (before adding in the costs of the wars in Afghanistan and Iraq) — and invest in new technologies, which they believed could give them an asymmetric advantage over the United States, despite America’s overwhelming conventional arsenal.
As for North Korea, Mr. Clarke says, it employs an Olympics-like approach to creating cyberwarriors, selecting “elite students at the elementary-school level to be groomed as future hackers.” North Korea is suspected of being behind the cyberattacks of July 2009 that took down the Web servers of the Treasury, Secret Service, Federal Trade Commission and Transportation Department and is thought to have placed “trapdoors” — code that allows hackers future access to a network — on computer networks on at least two continents.
Trapdoors are just one device that rival nation states and cyberterrorists can use. There are also “logic bombs” (code that can set off malicious functions when triggered), Distributed Denial of Service (D.D.O.S.) attacks (in which a site or server is flooded with more requests for data than it can process), and foreign-manufactured software and hardware that might have been tampered with before being shipped to the States.
The Defense Department, Mr. Clarke says, began to embrace the cost-saving idea of using commercial off-the-shelf software (instead of applications custom-made in-house) in the ’90s, and it “brought to the Pentagon all the same bugs and vulnerabilities that exist on your own computer.” He says, for instance, that in 1997, when the Windows system on a retrofitted “smart ship” called the U.S.S. Yorktown crashed, “the cruiser became a floating i-brick, dead in the water.”
The United States’ lack of an effective cyberdefense system, Mr. Clarke ominously warns, “will tempt opponents to attack in a period of tensions,” and it could also tempt America to take pre-emptive action or escalate a cyberconflict very rapidly if attacked. Were such a war to start, it could easily jump international boundaries, causing cascades of collateral damage to unspool around the world.
How best to address this alarming situation? Mr. Clarke reports that a 2009 meeting of some 30 cyberspace “old hands” — former government officials, current bureaucrats, chief security officers of major corporations, academics and senior information technology company officials — came to the conclusion that critical infrastructure should be separated from “the open-to-anyone” Internet. They also came out in favor of more government involvement in cyber research and development and a heightened emphasis on building “resilience” into systems so as to enable recovery, post-attack.
In addition to these suggestions, Mr. Clarke adds some fairly common-sense — but not so easily achieved — recommendations of his own. He argues that America needs to “harden the important networks that a nation-state attacker would target” by putting automated scanning systems in place to look for malware. Also, it needs to make sure that the Pentagon enhances the security of its own networks; and to work toward cyberarms-control agreements with other nations.
“The reality is that a major cyberattack from another nation is likely to originate in the U.S.,” Mr. Clarke says, noting that logic bombs and trapdoors are quite likely already in place, “so we will not be able to see it coming and block it with the systems we have now or those that are planned. Yes, we may be able to respond in kind, but our nation will still be devastated by a massive cyberattack on civilian infrastructure that smacks down power grids for weeks, halts trains, grounds aircraft, explodes pipelines and sets fire to refineries.”
And should America then decide to cross the line from cyberwarfare to conventional warfare, he says near the end of this chilling book, the highly advanced technology in our military arsenal “may suddenly not work.
Cybersecurity bill to give president new emergency powers