Cyber warfare…the new reality
Delivered at the World Affairs Council of the Desert, Indian Wells, Calif., Feb. 12, 2012
Once two years ago, I was being introduced before some remarks by someone who knew me very well–too well in fact–with the words, “What can I possibly say about tonight’s speaker that he hasn’t already said about himself?” Thank you, Ward, for not knowing me that well.
I greatly appreciate being asked to speak to the World Affairs Council of the Desert…the quality of the speakers preceding me, and the important issues they’ve addressed say a lot about this audience.
It’s always great to be back in California…
With no risk of hyperbole … There’s nothing quite like it … And it’s better still if you don’t fly into LA-X or get caught on the Santa Monica Freeway at rush hour. Every day you witness a beauty that few people in the world can even imagine. So, after this evening I’ll check one more item off my bucket list.
Let’s begin tonight with a story that Ronald Reagan liked to tell at gatherings such as this: An older couple had been married a very long time, some 50 years. They were watching television one night and the wife said to her husband that she would really like some ice cream but they didn’t have any.
The husband–being smart–said that he would be happy to go to the deli down the street and get some. The wife protested but he insisted. In that case, she said, she would like some vanilla, but as long as he was there, could he get some chocolate sauce as well. But write it down, she said, because you’ll forget.
The husband said he wouldn’t forget and asked if there were anything else. And back and forth it went. More requests, more admonitions to write it down, and more assurances that, don’t worry, he would remember.
So off the husband went to the deli. He came back 30 minutes later, his wife had fallen asleep in her chair. He woke her up and handed her a brown paper bag. She looked in it and pulled out a ham sandwich. She gave him that look of irritation that he knew so well and said, “I told you that you should have written it down, you forgot the mustard.”
I tell you that story, not because I am speaking to a certain demographic that might find this story familiar territory, but because, in the murky world I’m about to describe, an adversary can make it difficult to tell the difference between an ice cream sundae and a ham sandwich.
What if I were to tell you … European hackers compromised 13 million computers … which–unbeknownst to their owners–are then used to steal bank account information and more.
Not to be outdone, American cyber criminals break into the databases of four retail giants and gain access to 180 million payment card accounts, and then walk off with 400 million dollars.
Or, employees at several Fortune 100 companies receive e-vites supposedly from colleagues…with Trojans attached. Infection spreads across systems, compromising computers between the United States and Bangladesh as these intruders access and copy intellectual property.
And then … A hijacked computer in Washington D.C. sends messages to every name in its directory, asking them to dispatch money to the well-travelled owner who’s supposedly, but not really, at an address in Spain, robbed of her credit cards and money, and awaiting their aid …
Ladies and Gentlemen … All of this has happened … Just not on the same day.
By the way, that last criminal act is the center-piece of an excellent Atlantic Monthly article “Hacked” by former Jimmy Carter speechwriter and friend Jim Fallows …
This evening, I’ll speak of hackers of all varieties who undermine the nation’s economic potential and security, as I offer some potential solutions on how we may fix these problems …
For a few minutes, let’s talk not about ham sandwiches and ice cream sundaes but rather about wolves, termites and other not so nice critters.
In a Post-9/11 world, as we focus energy and money on stopping criminals, spies, terrorists and other fellow travelers at our borders, it’s important to remember that in the Cyber world there are no relevant geographical boundaries.
We rightly fear the wolves we’ve seen at our doors. Yet, the out-of-sight and too often out-of-mind cyber termites buried deep in America’s government, corporate and personal computers are even more dangerous. Because right now, the biggest single threat to America’s security, according to the Director of National Intelligence, comes in the cyber world …
So-called Black Hat hackers from around the globe outnumber the terrorists we so often read and hear about. One day they’re designing security systems and the next, they create malicious software, also known as malware, to take over computers. They work solo, or with criminal allies, and freelance for groups and governments hostile to the United States.
Nigeria and Romania produce plenty of Black Hats. In addition to breaking into data bases, they create scams, faux websites, malware and botnets that extract identities and money from unsuspecting visitors.
How many of you have received emails from some Nigerian prince who is going to transfer a million dollars into your bank account? All you have to do is give him your account number, right?
May I see the hands of all those who have provided their account information to these kind fellows? That’s good. Ward said, I’d be in a room full of smart people …
Then there are the white hats and hacktivists. Self-proclaimed Robin Hoods, they steal and damage data, pilfer bank accounts of the rich and not-so-rich, shut down websites and, as has been the case with Wiki-leaks, divulge classified information.
There are also those fun-loving pranksters. Primarily young folks, Ken Keseyan derivatives, getting kicks from joy rides into data bases and disrupting commerce, while thumbing noses at the authorities. Some eventually land legitimate cyber jobs, while others become repeat offenders, and go to jail.
Consumers, of course, are targets of all these cyber villains. A Google employee told Jim Fallows that on average a half dozen subscriber accounts are hit by some variety of cyber culprits every 2 to 3 minutes. That translates into about 3,000 per day, or right at 1,000,000 compromised accounts a year.
The computer security firm Symantec estimates the annual cost of cybercrime to be at about 388 billion dollars, or 100 billion dollars more than the total combined trade in cocaine, heroin and marijuana.
But back to those troublesome termites. The organizations they target rarely divulge their losses. Shareholders, clients and employees can get very nervous when they learn of these invasions. And government agencies also don’t publicize these losses. What agency wants to be seen as an easy target by other potential intruders?
When entering a computer system, these termites don’t always make a full exit. No, they leave Trojan horses behind for future work, waiting deep down in the computer for the right moment … the right key to be tapped.
Some Cyber intruders are homegrown, but many come from dozens of other countries, in particular China and Russia. Intruders search, steal, destroy and unbeknownst to their hosts, alter data. At this point we can’t always confirm the national origins of these cyber-crashers. But these bad electrons, on the Internet, hide in plain sight.
They slip undetected into our systems via circuitous routes, passing unannounced across servers in the Netherlands, Singapore, Nigeria and dozens of other nations, and frequently touching down in one or tens of thousands of American computers, perhaps even in your own homes, before invading their primary targets.
The Russians still seek a military advantage. But, perhaps in an attempt to diversify a natural resource-dependent economy, they focus on securing financial data and viewing proprietary information. Mikhail Fradkov, Director of the Russian Foreign Intelligence Service, said publicly:
“Intelligence … aims at supporting the process of modernization of our country and creating the optimal conditions for the development of its science and technology.”
The Chinese come for these reasons and more. They’re sophisticated and very good. They use at least 100,000 full-time cyber-warriors, plus thousands of hackers-for-hire.
To make it plain and simple, I’m talking here about state sponsored economic espionage. The French, North Koreans, Estonians and our Israeli friends, are deep into this game. As Iran has discovered in its nuclear program, much to its chagrin, someone is doing it quite well.
It would be an overstatement to say that all nations are getting involved, but not that far off. In all, 124 nations are at least planning some sort of cyber offense or defense. It’s a long list. It will get longer.
So, how did I get mixed up in this cyber warfare business? Well, I started out in engineering at Syracuse University. However, I had a hard time imagining making a career out of it. Having lived overseas–my Dad was an Air Force officer–in my youth, I gravitated toward international relations, and switched to Russian studies. Seemed like a good idea at the time.
While briefly joining Vietnam War protestors, I had no illusions about the Soviets or their allies. I’d lived in Germany, while in high school, and watched the Berlin Wall go up. And in ’67, Russia invaded Czechoslovakia, as Fidel Castro suppressed Cubans. Not exactly the stuff that dreams are made of.
I was a rare character … I applied to both the Peace Corps and the Central Intelligence Agency … and got accepted by both. I’m not sure who was more confused: the CIA, the Peace Corps or me? It was decision time…and I needed to get a job. But guess what?
With the draft still on, neither of these offers could bring me a draft deferment. So, with no plans for a military career, I joined the Navy. They sent me up for officer training in Newport, Rhode Island, and I thought, “I’ll end up on the Mekong, in a Swift boat.”
So, three weeks prior to becoming a freshly-minted officer, the people came up from Washington, and said, “Russian area studies? You must be an INTELLIGENCE officer.” And I muttered to myself, “Cool.” and left for a ship home-ported in Naples to chase the Russian fleet around the Mediterranean. Wasn’t the Cold War just grand?
Several overseas commands and sea tours later, the Cold War faded and a global computer-driven economy became a reality. Cyber-intrusions emerged as a real, consistent threat. Much later, now a senior intelligence official, I learned as much as I could about what my Booz/Allen colleague and former Director of National Intelligence Mike McConnell calls the 5th Dimension of War.
During Operation Desert Storm I led a team that identified targets in Saddam Hussein’s command and control communications between Baghdad and Kuwait. Cyber played a role, but some of that’s still classified.
But I can tell you this. The primary Iraqi command link between Baghdad and the Kuwait theater of operations was a series of fiber cables, with relay stations and a micro-wave link back-up. With precise attacks, we destroyed the relay stations, severing the cable link between Saddam and his forces in Kuwait.
We forced them into microwave messaging. We picked that up, learned their plans and then shut it down, further confusing the Iraqi field commanders. Today, our capabilities are considerably more advanced. We can do with electrons what we did with bombs in Desert Storm. That would bring still more havoc to an enemy army.
In 1994, I was privileged to join Vice President Gore’s White House national security team–and somehow stumbled into being the Administration’s point man for developing strategies to reduce our cyber vulnerabilities.
Eighteen years ago, many mobile telephones were then the size of a banana. We couldn’t Google. Facebook’s founder-to-be Mark Zuckerberg was all of ten-years-old, and the creation of E-bay was a dozen years away.
Back then, people went to local pawn and second-hand shops, in a not so great part of town, searching for the junk that’s now auctioned off on-line as “chic” treasure. Today over 2 billion people routinely access the Internet. In 1994, less than 16 million people were on-line…and dial-up was king.
Yet, even then most governments and all major corporations tapped into its power. Soon, consumers prodded by Microsoft, Apple, Dell and private service providers took the Internet plunge. Enough for Jeff Bezos to open Amazon’s site in 1995.
Probably a little too full of myself, I came home on the day I got the White House job and said to my wife, “Did you ever … in your wildest dreams … believe that I’d work in the White House.”
With her best smile she said, “Sweetie, I think this is wonderful. But honestly, you don’t even appear in my wildest dreams.” Out here in California, I bet Angelina says that to Brad, too … all the time. But it was a great job.
During the Balkans War, we met often in the White House Situation room, discussing tactics and steps to undermine Serbia’s genocidal regime.
We considered using the Internet to empty the bank accounts of key Serbian leaders.
We had a long, very open conversation about that …
Yes, we could probably inflict great damage. But it was also a wake-up call. In taking this step, we’d open Pandora’s Box.
While hurting the Serbs, it opened the door for similar attacks on us, the most technologically vulnerable nation on earth.
We wouldn’t be able to defend our assets against a significant cyber-attack. So, we took that option off the table.
Today, we still depend on cyber space more than any other nation for transportation … finance … power-grids, government services, manufacturing, telecommunications and increasingly health care research and delivery systems.
We’ve come a long way in the last 15-20 years around defending ourselves. However, the Cyber world is not static, and threats have become more sophisticated.
A defense goes up, and a loose conglomeration of hackers, foreign intelligence services and militaries aggressively bump up against it, testing for weaknesses. Every day, they refine tactics and create new viruses, botnets and malicious software to overwhelm our defenses, as we develop stronger defenses to counter them.
Estimates vary on the economic importance of the Internet, but no one says it’s anything less than huge. Over the last five years the Internet accounted for 21 percent of the GDP growth in mature economies.
In the world of logistics, finance, healthcare research and delivery, the Internet is king.
And it’s hard to imagine how we could have possibly gained, without the Net, the productivity and overall efficiencies of the past ten years.
By 2001, the Internet played a major role in transferring economic related information between financial institutions. After the carnage of 9/11, my Booz Allen colleague Mike McConnell, when he was the Director of National Intelligence, counseled President Bush that while the nation mourned, it could have been even worse.
If Osama Bin Laden had mounted a successful cyber-attack on the global financial infrastructure, the economic impact would have been dramatically more damaging. In carrying out his bloody Jihad, Bin Laden united much of the World against him. In using a cyber-onslaught, he could easily have crippled not only New York, but Paris, Berlin, Tokyo and, contrary to what the Chinese might think, Beijing. That crashing economy would make the current Great Recession feel like a summer holiday.
So, how are we doing today?
These days as cyber threats become more covert than overt, the conflict has expanded beyond the damaging and embarrassing…denial of service attacks… such as we saw against Google and E-bay and other targets.
Denial of service attacks slow economic activity and certainly have financial consequences. And no doubt about it, crimes against consumers continue. However, available security is also immensely improved.
With the exception of willingness to take risks, in order to gain real strategic value, as is the possibility of Israel’s attack on Iran, most attacks on larger targets are now more covert than overt. The threat has evolved into an all-encompassing use of invisible termites requiring us to constantly search the environment, because these electronic bugs are now almost always there.
Accessing and stealing classified data; changing protocols and leaving instructions behind on our computers that say, “When handling interesting information, call home and let us know.”
China, Russia and other countries, in an effort to reduce time and capital investments in research and development, at the expense of the United States, continue to use traditional human and technical methods of espionage. But the People’s Republic is especially active in waging the 5th Dimension of War.
Chinese attackers have extracted sensitive data from Google, Adobe, Yahoo, Dow Chemical, Symantec and the US Chamber of Commerce. The PRC, of course, denies its involvement. But with improvements in detection, tracking and occasional slip ups on their end, we’ll know where they’ve been, or better yet, when they are in the act. Yet, even with these improvements we’ve found that many organizations are compromised for 6–12 months and even longer without detecting it.
So in the national policy arena what can or should we do? First, we need to make more Americans aware of cyber threats. And responsible journalists are doing a great job in getting that message out.
Succeeding requires us to take two important steps. I believe that all of us would agree that most companies understandably don’t want the government prescribing mandatory standards and processes. After all, they, not the folks in Washington, own most of those systems.
Yet, if we ignore the fact that a privately-owned portion of an infrastructure, or firms with extensive access to infrastructures, are not adequately protected, consumers, shareholders, employees and the general public may suffer.
I’m neither an advocate nor an opponent of increased Internet regulation per se. I see both sides. But I believe it’s coming. And ultimately we’ll need international protocols in order to corral hackers before they send bad electrons our way.
Succeeding requires business-government partnerships and international cooperation to maintain a safe, expanding cyber-driven economy. So there’s a need for making the Internet, a friendlier, more predictable place.
It will take much discussion within the US and around the globe, but increased cooperation will add value to the Net and save all legal participants a great deal of money. Secondly, cyber security is improving. But we need to invest in its constant improvement.
And for us in the United States, it’s important to establish early warning systems beyond our borders, similar in function to the approach used during the nuclear arms race. We probably have the technology now that can do this. We need the legislation, and the will to get it done.
But perhaps most important is for us to work with the rest of the world to achieve a more stable and predictable cyber environment. And frankly, not even all of our friends … want to do this.
The effort to protect a global Internet is not too different from when people debated how to decrease the number of airline hijackings.
The first recorded hijacking took place in 1931, when armed revolutionaries took over a plane in Lima, Peru. For the next 25 years, few passengers forced planes to fly to alternative exotic destinations. But in the 1960’s there were literally hundreds of hijackings.
The advent of Cuba as a preferred destination sure didn’t help. And the friendly hijacking skies of North Africa also probably spurred on these airborne bandits. By the 1970’s, almost every nation, including Cuba, which by then was seeing hijackers fly both ways, felt it was time to end this largely criminal conduct.
So Nation states came together and hammered out agreements. That was way before 9/11. We’re on a path to reaching similar agreements on the Internet. China and Russia have both experienced intrusions. But not many. Yet, if the Net remains the same, they, like the Cubans before them, will probably see the advantage of bringing genuine law and order to the cyber world.
And by the way … the Chinese may just want to come to the bargaining table sooner, rather than later. Over Christmas holiday, Saint Nick hackers visited the Middle Kingdom spreading not-so-good-cheer across China’s piece of the Internet. They picked up over 100 million Internet usernames, passwords and email addresses from some of China’s most popular on-line sites …
Back in the USA, we need to move ahead with building awareness, tapping into our resources, as we develop better defenses in this war of the Fifth Dimension.
Beyond Dragons, Wolves & Termites
In Manhattan, 40 blocks north of Ground Zero, the New York Public Library displays the 16th Century Lenox Globe.
This medieval icon shows a portion marked as “Terra Incognita”– the unexplored territories, beyond the edge of the then-known world. A famous Latin phrase warns, “Here be Dragons.” And yet there were brave and resourceful men, then as now, who ventured into the unknown, discovered a new world, and unleashed one of the most expansive economic periods in history.
In 21st Century America, some worry about the dangers that may emerge from the cyber world, as well they should. But most Americans do not quake before an uncertain future, passively waiting for horrors that may be unleashed upon us. It’s our tradition to actively meet the future with hope, optimism, and energy, as we step forward prepared to meet the unexpected.
If we move on with the full knowledge that for almost three centuries we’ve progressed regardless of our vulnerabilities, I believe we will contain and even exploit the risks that exist in today’s cyber world.
In America, there have always been brave and courageous people willing to explore unknown territories, to move beyond the dragons of fear and ignorance to defeat these enemies of progress.
Fortunately for us, there are many bright, talented and dedicated people working on these cyber concerns … So yes, we’re making progress. But achieving and maintaining cyber security is a journey without a destination. There will be no ending … We’ll need to remain vigilant … as we reap the bountiful benefits of this new amazing cyber-linked world.
Thank you for listening … and now let’s have some dialogue.
Address by RICHARD WILHELM, Executive Vice President, Booz Allen Hamilton