excerpt from my book on technology, terrorism, and
DHS, tentatively titled "Skating on Stilts." (If you want to
read the excerpts in a more coherent fashion, try the categories on the
right labeled "Excerpts from the book." I'm afraid I can't fix the bug
in TypePad that prevents me from putting them in the category in
reverse-chronological order, but I have started putting chapters up in
pdf form from time to time.) Comments and factual quibbles
are welcome, either in the comments section or by email:
firstname.lastname@example.org. If you're dying to order the book, send
mail to the same address. I'm still looking for an agent and a
publisher, so feel free to make recommendations on that score too.
You might think that’s the worst of it.
But it’s not, quite. It’s not just that you could lose your life savings. Your country could lose its next war. And not just the way we’re used to losing – where we get tired of being unpopular in some third-world country and go home. I mean losing losing: Attacked at home and forced to give up cherished principles or loyal allies to save ourselves.
Plenty of countries are enthusiastic about using hackers’ tools as weapons of war. At the start of a 2008 shooting war between Georgia and Russia over South Ossetia, for example, numerous Georgian websites were swamped by denial of service attacks. Security researchers found evidence that the attacks were coordinated and organized by Russian intelligence agencies. The year before, Estonian government agencies and banks were also crippled by denial of service attacks after the Estonian government moved a World War II memorial that had become a symbol of Soviet colonial rule. Estonia’s foreign minister charged that the Russian government was behind the attacks; Russia denied the allegation, and NATO and European investigators could not refute the denial.
China has also been accused publicly of audacious computer attacks. The German Chancellor, Angela Merkel, discovered that her office computers had been compromised in an attack blamed on the People’s Liberation Army. India, France, and Taiwan have also suffered intrusions and attacks attributed to China. The compromise of the Dalai Lama’s network was also widely blamed on China. Like Russia, China has consistently denied all charges.
As I said before, in a strategic sense, the denials don’t really matter. If the attacks weren’t carried out by Russian and Chinese government agencies, that just means that there are more organizations and countries with effective cyberintelligence and cyberwarfare capabilities than we thought. And, in fact, five or ten years from now, there will be. That’s because cyberattacks don’t require heavy capital investments, the way nuclear weapons or stealth fighter jets do. Any nation willing to put ten of its best computer experts to work on a cyberintelligence program could probably have one in a year or two. (The Conficker worm that brought down British and French military systems could easily have been written by a single well-trained person.) Many cyberattacks are simply a matter of individual effort. Put enough smart people on enough targets, and some of them will get through.
And that’s why attacks on computer networks pose such a strategic threat to the United States in particular. We are an important intelligence target for practically every nation on earth. And attacking our networks is nearly risk free; the list of suspects is about as long as the UN membership roster. In fact, there are incentives for them to help each other break into our networks. (“I've seized control of an email server at USDA, but what I really want is USTR’s. Want to trade? I could throw in the Commerce Secretary’s password to balance the deal.”)
If you’re a foreign government, breaking into US networks is a twofer. You can start by stealing secrets. But if push comes to shove, you can use your access to destroy the same systems you’ve been exploiting. Corrupt the backup files, then bring the whole system down. Or start randomly changing data and emails until no one can trust anything in the system.
It won’t take much to create chaos. The financial crisis of 2008 became a panic when bankers began to disbelieve each other. No one trusted the other guy’s books, so they stopped lending, and the world crashed. Could that same mistrust be created by modifying or destroying a few firms' computer accounting and trading records? We probably don’t want to find out.
It’s no secret how to fight a war against the United States. Slow us down, then cause us pain at home and wait for antiwar sentiment to grow. Cyberattacks are ideal for that strategy. Everything in the country, from flight plans and phone calls to pipelines and traffic lights, is controlled by networks susceptible to attack. A determined, state-sponsored attacker could bring them all down – and blame it on some hacker liberation front so we wouldn’t even know who to bomb.
The Pentagon has heard fifty years of warnings about not fighting land wars in Asia, where hand to hand fighting and sheer numbers can overwhelm an American army’s technological edge. But now it turns out we’ve opened an electronic bridge, not just to Asia but to the rest of the world, and now we’re trying to defend ourselves hand to hand against all comers. It’s hard to see how that ends well.
So that’s the nub of the problem. No law of nature says that the good guys will win in the end, or even that the benefits of a new technology will always outweigh the harm it causes.
The exponential growth of information technology has made the
Pentagon far more efficient at fighting wars; it has made our economy far more
So far, it’s been very good to us as a nation.
But it was good to Howard Crank, too, for a while.