A book review by Alice Friedemann of “CYBER WAR. The Next Threat to National Security and What to Do About It” by Richard A. Clarke and Robert K. Knake.
The New York Times describes author Richard Clarke as a former counter-terrorism czar. This well-written book describes how many nations are secretly preparing for cyberwar. America, Russia, and China have the largest number of expert cyber warriors, but other countries also have a high level of ability, such as Taiwan, Iran, Australia, South Korea, India, Pakistan, and the rest of the industrialized countries.
The outsourcing of information systems jobs that Thomas Friedman and other experts think so highly of led to hardware and software companies unwittingly hiring foreign cyberwar agents who planted logic bombs and trapdoors at the companies they worked for. They also stole billions of dollars of intellectual property. Of course, this is also going on from abroad, but the existence of foreign agents within our borders means that even if we could shut our network off from the global internet if cyberwar broke out, this hidden army of cyberwarriors could launch attacks from within the United States.
We’re far more vulnerable than any other nation to a cyberattack, since all of our 18 civilian infrastructure sectors rely 100% on the internet. They shouldn’t be connected to the internet or intranet AT ALL. But since our infrastructure is privately owned, and private companies hire lobbyists to prevent any government regulation because they don’t want to spend the money to take themselves off the network or make their networks more secure, all of these infrastructures within the United States are vulnerable: Agriculture, Banking and Finance, Chemical and Hazardous materials, Dams, Defense, Emergency services, Energy, Information technology, National monuments and icons, Nuclear power, Postal and shipping, Public Health, Telecommunications, Transportation, and Water and water treatment systems.
The Chinese and Russian governments own their infrastructure and have gone to great lengths to protect their systems from attack. This has led to what the Defense Department and Homeland Security call “asymmetric vulnerability”.
Here’s how a cyberwar might go down (pp. 65-68). It would take just 15 minutes:
- Large-scale routers fail and reboot throughout the network
- Department of Defense networks collapse
- All the electric grids fail. Several generators self-destruct. These can take up to 2 years to replace, and the grid can’t come back up without them
- Satellites for weather, navigation, and communications spin out of orbit
- The U.S. Military can’t communicate without the internet, because it uses the same Internet networks and software as the rest of us
- Refinery fires and explosions destroy large oil refineries
- Chemical plants explode and release lethal clouds of chlorine gas
- Air traffic control systems collapse, some airplanes collide
- Freight trains derail at key locations: major junctions and marshaling yards
- Cities run out of food within 3 days because the trains aren’t running, and the trucking and distribution centers’ data systems are down
- All of the data and the backups kept by the Fed have been lost – this will cause the financial system to crash
- Gas pipelines explode in the Northeast, leaving millions of people without heat in freezing cold weather
- High-tension transmission lines catch on fire and melt
- With the grid down, traffic lights are out, making it hard for military and emergency workers to get to their posts
- BART trains crash in Oakland, and so do other metro trains in big cities
- Power can’t be brought back up because you need nuclear power plants to reboot the system, but they’re in lockdown
- ATM machines are down, and people who can’t get money out have started looting stores
On page 70 Clarke writes “If they take over a network, cyber warriors could steal all of its information or send out instructions that move money, spill oil, vent gas, blow up generators, derail trains, crash airplanes, send a platoon into an ambush, or cause a missile to detonate in the wrong place. If cyber warriors crash networks, wipe out data, and turn computers into doorstops, then the financial system could collapse, a supply chain could halt, an airline could be grounded. These are not hypotheticals. Things like this have already happened, sometimes experimentally, sometimes by mistake, and sometimes as a result of cyber crime or war”.
Worse yet, in a cyber war, we may never know who did it. We wouldn’t know who to retaliate against. Clarke discusses the difficulty of attribution on pages 213-215.
And we probably couldn’t kinetically (physically) retaliate with bombs even if we knew who did it, because our military is utterly dependent on the internet, and can’t communicate or launch missiles without it.
If China was the attacker, we couldn’t retaliate against their systems, because unlike the United States, the Chinese government has gone to great lengths to protect their civilians by making their network secure, and can sever their network from the world-wide internet. Their internet is really more like an intranet due to the government being the service provider.
And we can’t hack them as easily as they can us, because Bill Gates sold them Microsoft’s internal code (Cisco did the same thing), which the Chinese modified to be far more secure and encrypted. Plus now the Chinese know what the weaknesses and vulnerabilities in the code are and the best ways to break into Microsoft computers (or Cisco routers). The Chinese government doesn’t have privacy issues like the USA, so they scan incoming traffic for malware to prevent other nations from planting logic bombs and trapdoors on their systems.
No American Defense possible
1) Right Wing & Left Wing Opposition. Because the right wing wants no government regulation, the government can’t write legislation requiring a minimum amount of network protection from the private sector (i.e. electric utilities, railroads, nuclear power plants, refineries, etc). The defense department and Homeland Security can’t do anything because the left wing is afraid of government scanning of network traffic in search of malware lest someone’s privacy be violated. Clarke discusses this on pages 133-135.
2) Even if the left and right could agree that some regulation and loss of privacy was better than going back to the stone age after a cyber attack, Congress is too gridlocked to do anything (this isn’t an entirely bad thing, since most of the legislation redistributes wealth from the middle class to the filthy rich).
3) There are so many other problems to be fixed, such as the recession and health care, that cyber security is not a high priority.
4) The software industry opposes regulation of security, and Microsoft especially wants the Pentagon, banking, finance, and other businesses to use its systems despite their many security flaws. Microsoft has gone to great lengths to discourage the Pentagon and businesses from using Linux, which is far more secure, and free. Microsoft is one of the 30 largest donors to political campaigns and has been very successful at preventing security requirements for its systems (pages 138-143).
5) On page 71 Clarke writes that there are thousands of ways to hack into computer systems because of bad code, the architecture itself, and more.
6) The most complex microchips are only made in Asia – United States fabrication plants have fallen behind in technology and can’t make the chips needed by modern systems (page 95). Chips can be made with spyware, logic bombs, Trojan horses, or designed to break down on a certain date. An innocent-looking component or even a bit of soldering can be a disguised antenna.
7) For even more understanding of why we’ve failed to defend ourselves, and what could be done if we had competent leaders, read Chapter 4 “The Defense Fails”.
What could trigger a cyber war? (page 157)
It could be tempting for a country to attack the U.S.A. to change the balance of power by demonstrating what harm they could do to us (i.e. taking down part of our electric grid) in the hopes that we’d be too scared to retaliate against them.
But if an attack is launched, America might attack back, and the conflict could escalate and grow out of control in microseconds.
The purpose of a military is to defend a nation, not build weapons to attack, but our country has focused almost exclusively on cyber-attacking, not defending Americans.
Because we have no defense, and are the most vulnerable nation in the world, we’re in a very dangerous situation. This could drive us into mistakenly launching a “first strike” cyberattack, even though the retaliation against our systems is likely to be far more severe than the damage we can inflict on a foreign nation.
Because there aren’t any rules yet, and the harm that can be done is so great, there is an advantage to going first in a cyberwar. This is the opposite of nuclear war, where deterrence and mutually assured destruction, and lots of luck, has prevented nuclear war so far.
What’s even scarier is that if a cyberwar occurs, it’ll happen at the speed of light, and go global, affecting nations that weren’t under attack as servers and computers within the borders of other nations are hacked and used as weapons.
The strategies for cyber war are quite different from nuclear war because a cyberattack could be deflected by a country that had secret back-up systems and other surprise capabilities. But a bomb can’t be deflected – no one ever thought Star Wars could work, and it still doesn’t protect us despite the trillions spent.
Mutually assured destruction (MAD) has kept us from annihilating one another with nuclear bombs, but in a cyber war, both the power of the offense and the defenses of a nation are secret – there’s no deterrence holding nations in check.
If our offensive capabilities were made public, adversaries might think we were bluffing. If we demonstrated our ability with a small attack, that method would no longer be available – many cyberweapons can only be used once, because after that the enemy will fix their systems to deter a similar attack. All cyberweapons have a limited shelf life as new operating systems replace old ones, logic bombs and trapdoors are discovered and removed, security holes are patched, etc.
Nor is it likely the United States could be deterred by threats of a cyberattack. For example, both this book and Brenner’s “America the Vulnerable” describe a hypothetical military situation where China takes over the South China Seas to get at the oil deposits, and we in turn send our navy in to try to get China to back down. At that point someone in the room should say something like, “Mr President, if we do that, the Chinese will cyberattack us and destroy our electric grid, crash the stock market, derail our trains, blow up our refineries and chemical plants”.
But there isn’t anyone to speak up – no one wants to be Obama’s cyber czar, for reasons explained in the book. The military can only see the positives of technology; they see it as our greatest strength, and can’t comprehend that it’s also our greatest weakness.
Because we haven’t thought this through yet, and because we’re so vulnerable, we’re even more likely to strike first: we know that if we’re attacked first, the other side will have cut off its cyberspace so we can’t retaliate.
What’s really strange is that we have already been attacked (and have “attacked” other nations as well). The battlefield is prepared for a future war. Since it wasn’t actual foreign military forces strapping bombs on our infrastructure or foreign workers returning home with briefcases of stolen intellectual property, we do nothing and feel nothing. Yet the logic bombs and trapdoors within our electric grid and financial systems can do just as much damage as foreign secret agents with nuclear suitcase bombs. Such bombs do exist, though we don’t believe that another nation has brought a nuclear suitcase bomb into America (yet), nor have we planted any of the several hundred we own in another nation (pp. 198-199).
Yet both we and foreign nations are planting bombs in each other’s computers, microchips, networks, and internet systems.
In the future, a cyberwarrior might be caught laying a trapdoor or logic bomb, and that might be interpreted as meaning an attack was on the way. The risk of an accidental cyber war is huge, and that in turn could lead to a (nuclear) war. Or a hacker or a network operator might accidentally trigger a logic bomb that’s already in place and start a cyberwar. The odds are good we’d retaliate against the wrong nation (i.e. the attack is launched from Viet Nam and made to look like it’s from China, because Viet Nam is angry that the Chinese are drilling for oil within its territorial waters and wants the United States to intervene).
China’s Cyberwarfare strategy
The most likely conflict we’ll have with China is over the South China Seas. China has been claiming sovereignty despite objections from Vietnam, Taiwan, Malaysia, and the Philippines for many years. This area has some of the last large stocks of fish, it’s an essential trade route, and above all, there’s oil and gas.
At the end of the 1990s China realized that they could use cyber warfare to make up for their lack of a physical military as strong as ours.
They’re especially keen on the idea of “asymmetric warfare” as expressed in the book “Unrestricted warfare”, which shows how a weak country can outmaneuver a much larger enemy using unexpected weapons and tactics such as:
- Control natural resources
- Join international legal bodies to influence them
- Target civilians
- Overwhelm the enemy nation with drugs
- Steal an enemy’s technology, find the flaws you can exploit, and make your own version.
China’s cyberwar abilities are advanced enough that they don’t need to have equal physical armies to challenge the United States, as you can see in the Orbis article “How the United States Lost the Naval War of 2015”.
As mentioned earlier, Cisco not only gave away their secret internal code to China, but China also makes Cisco routers, and with this combined knowledge made counterfeit routers sold all over the world at a discount – even the Pentagon bought some.
The FBI believes these routers could take down networks in a cyberwar and read encrypted data.
Knowing the internal code of both Microsoft and Cisco hardware, China could take down any network in the world. But they won’t harm themselves, because they changed the code to make it secure, and also developed their own microprocessors, and built their own operating system. China is also putting software on all computers that can scan for any malware already placed by the United States or other countries and remove it.
China even found a way to put software on thousands of computers at many embassies all over the world that turned on the computer camera and microphone and exported the information back to servers in China. It was nearly 2 years before this was discovered.
Nothing in history comes close to the extent to which the Chinese government has hacked into industrial, university, and government computers all over the world and stolen intellectual property such as military secrets, pharmaceutical drugs, and nanotechnology.
Our taxes and stock market investments have provided billions of dollars for research, which China has stolen through cybertheft for pennies, driving our businesses into bankruptcy. We’ve lost tens of millions of jobs because of this cyberespionage, and it has swung the balance of power away from America both economically and militarily, since they’ve been able to get the designs for our most sophisticated fighter jets, submarines, destroyers, and other military weapons and systems.
A few years after China got Microsoft and Cisco source code, they stole Google’s source code by “spear-phishing”. Chinese hackers used social networks like Facebook or LinkedIn to figure out who the friends or colleagues of Google executives were, and sent emails that appeared to be from them. All it took was one executive clicking the embedded link, and the malware loaded on their computer spread throughout the network.
This isn’t cybercrime, but it is intellectual “theft by China”. Recently the Chinese were caught trying to steal seeds that can take up to 8 years and $40 million to develop (not GMO, see the New York Times article “Designer Seed Thought to Be Latest Target by Chinese. Agricultural espionage is a trend, F.B.I. says” for details).
Clarke thinks that Russia is a bigger danger, perhaps even better at cyberwar than the United States is. They’re also far more covert than the Chinese, who’ve operated more openly and thereby gotten more attention in the news as well.
In September 2014 JPMorgan announced that 76 million of their accounts were compromised as the result of an intrusion. Despite billions spent on detection software, we still have no idea who did it. Because of recent tensions with Russia, they’re the #1 suspect. When Obama was notified about the breach, his reaction was “Is this plain old theft, or is Putin retaliating?” (Corkery)
The New York Times (Corkery) also stated: “The F.B.I. has begun a criminal inquiry into the attacks, and the Secret Service has been involved as well. But the scale and breadth of the attacks — and the lack of clarity about the hackers’ identity or motive — show not only the vulnerability of the most heavily fortified American financial institutions but also the difficulty, despite billions of dollars spent in detection technology, in finding the sources of attack. And because it is so difficult to trace an attack to its source, it is next to impossible to deter one, security industry experts said.”
An invisible army of criminal hackers is constantly generating malware – new varieties enter cyberspace every 2.2 seconds. Do you think that Norton or McAfee can really keep up with that? At best they can fix 10% of the malware, but by then it’s probably already gotten onto computers.
Websites of legitimate companies and universities can be hacked so that when you go to their site, it downloads malware onto your computer.
Malware can also get in through trapdoors left by programmers to make it easier to update their code later on. Hackers and cyberwarriors alter even the code that’s being developed to put in a trapdoor so they can get into networks later. And programmers write bad code that hackers can take advantage of.
If a hacker can get root access (administration privileges) then he can do anything, including erasing any evidence he was ever there.
Logic Bombs and Trapdoors
A logic bomb can do many things. A basic one would erase all the software on a computer, rendering it totally useless. Or the bomb could somehow cause the hardware to harm itself. Logic bombs have been found all over our electric grid.
Trapdoors are holes in the system either deliberately set or the result of flaws and vulnerabilities that allow a hacker to come in anytime and snoop around, mainly to steal intellectual property or commit cybercrime. But in a war, new logic bombs or software to trigger a piece of physical equipment to destroy itself could be put into the system through a trapdoor.
Might our own weapons systems have logic bombs planted in them, such as in the millions of lines of code for the F-35 fighter jet, or in its computer hardware (the plans were stolen by hackers in China)?
Why is the electric grid so vulnerable?
This will be a prime target, since taking down the grid takes down a lot of other infrastructure.
Basically, the software that runs most of the equipment, SCADA, is connected to the outside world via the internet, the intranet (which can be hacked into from the internet easily), radio, wireless, etc. This is convenient for the power company, but these systems can be hacked into from anywhere in the world. The “Smart Grid” will only make these systems even more vulnerable (pages 98-101).
Above all, it’s because power companies don’t want to spend the money to make their systems more secure and have vigorously fought off regulatory legislation from the Federal Energy Regulatory Commission (pages 167-168).
We’re lucky it hasn’t happened yet, because it’s cheap compared to all the other options. No need to build a nuclear bomb. You can launch the attack from a local café while you sip coffee. You don’t even need to understand how to write software – with enough money there is a hacker out there who will do the dirty work for you.
Nation states like China & Russia might avoid attacking the financial system since they’d be affected too, but terrorists might have a goal of bringing the financial system down by altering or wiping out financial sector data.
Thomas Friedman in “The world is flat” wrote that “the total supply chain for my computer, including suppliers of suppliers, involved about 400 companies in North America, Europe, and primarily Asia”.
Friedman draws the conclusion that this makes war less likely because everyone loses.
Clarke thinks it may make cyber warfare more likely. And that China would win, since many of the components were made in China and could have been engineered to have hidden logic bombs that could be triggered in a cyberwar, or known vulnerabilities, intentional or not, that can be taken advantage of.
Also, cyber criminals have penetrated supply chains for computer software and hardware and injected malicious code to defeat security systems, which would also make them capable of teaming up with terrorists and attacking nations.
Consider cyberattacks as a way of replacing the pamphlets dropped by airplanes. One example of how this tactic was used was the first Gulf War, where Americans managed to infiltrate the Iraqi network and send emails just before the war that said something like “we don’t want to harm you, just Saddam. We won’t attack you if you park your trucks and armored vehicles out in the open and abandon them.” Many Iraqi officers did just this, enabling American fighter jets to easily blow them up.
Cuba and North Korea have been the first “peak oil” experiments, the first nations to have to cope with their oil supplies diminished drastically. North Korea’s strategy has been to build nuclear bombs to blackmail what Clarke describes as “concessionary loans, free food, and gifts of oil.”
They’re also trying to figure out how to launch cyberattacks. In 2009 they started a distributed denial of service against dhs.gov and state.gov, both of which were temporarily knocked out, as well as the Treasury, Secret Service, Federal Trade Commission, and Department of Transportation (the attack on the White House failed). The Washington Post, NASDAQ, New York Mercantile, and NYSE were also attacked.
North Korea also attacked South Korea to find out how large an attack was needed to flood the fiber-optic cable connection, which would prevent the United States from coming to their aid (the U.S. Military also uses these connections).
We know that North Korea has four cyber warfare units, with hundreds of hackers. Many are in China, since there’s almost no internet in North Korea. This is a big problem: our systems are wide open and vulnerable, but we can’t attack them.
Corkery, M. et al. (Oct 9, 2014). Obama Got Early Briefing on JPMorgan Breach. New York Times.