Virtual Defense U.S.

8/8/2019 Virtual Defense U.S.

1/16

Virtual DefenseJ a me s A d a m s

TH E W EAKNESS OF A S UP ERP OW ERJ U S T AS W orld W ar I introduced new weaponry and m odern combatto the twe ntieth century, the inform ation age is now revolutionizingwarfare for the twenty-first. Aroun d the wo rld, information technologyincreasingly pervades weapons systems, defense infrastructures,and national economies. As a result, cyberspace has become a newinternational battlefield. Whereas military victories used to be wonthrough physical confrontations of weapons and soldiers, the infor-mation warfare being waged today involves computer sabotage byhackers acting on behalf of private interests or governments. Therecent escalation of tension between Israel and the Palestinians, forexample, has had a prom inent virtual dimension. From O ctober 2000to January 2001, attacks by bo th sides too k down mo re than 250 W ebsites, and the aggressions spread well beyond the boundaries of theMiddle East to the computer networks of foreign companies andgroups seen as partisan to the confiict.

A decade after the end of the Cold War, the U.S. military standsas an unco ntested superpower in both conven tional and nuclear force.Ironically, its overwhelming military superiority and its leading edgein information technology have also made the United States thecountry most vulnerable to cyber-attack. Other nations know thatthey have fallen behind in military muscle, so they have begun tolook to other methods for bolstering their war-fighting and defense

J A M E S A D A M S is Co-founder and Ch airman of iDefense, a cyb er-in-telligence and risk-management firm, and serves on the National Secu-rity Agency Advisory Board. He is the author of The Next World War:


2/16

Virtual Defensecapacitiesnamely, "asymmetrical warfare," which the Pentagoncharacterizes as "countering an adversary's strengths by focusing onits weaknesses."Furtherm ore, the U.S. military is radically changing. T h e "revolutionin military affairs" seeks to apply new technology, particularly digitalinformation technology, to operational and strategic concepts. W it hplans ranging from computer-based weapons research programs tosoftware th at encrypts classified m ilitary data, from com pu ter-g uid ed"smart" bom bs to a space-based missile defense, Am ericas m ilitary forcesare coming to depend more and more on computers and informationnetworks. These two factorsthe dominance of U . S . conventionalforces and the military's already extensive and growing use of infor-mation technologymake cyber-attack an increasingly attractiveand effective weapon to use against the United States.

But U.S. defense plans and policymakers ' concept of nationalsecurity have not caug ht up to the new threats of com puter warfare.Indeed, recent warnings indicate that the United States remainshighly vulnerable. To address this challenge, Washington urgentlyneeds to modernize its th inking and transcend its strategies ofdeterrence and national security, which remain fixed in the ColdW ar, pre- Inte rn e t w or ld .

MOONLIGHT MAYHEMI N M A R C H 1998, the D e pa r tm e n t of Defense detected the mostpersistent and serious computer attack against the United States todate . In a st i l l ongoing operat ion that American invest igatorshave code -named Moonl igh t Maze , a group of hackers has usedsophisticated tools to break into hundreds of computer networks atNASA, the Pentag on, and other governm ent agencies, as well as privateuniversities and research laboratories. These cyber-intruders havestolen thousands of files containing technical research, contracts,encryption techniques, and unclassified but essential data relating tothe Pentagon's war-planning systems.

Since Moonlight Maze was first discovered, the U.S. intelligencecom mu nity has been engaged in the largest cyber-intelligence inves-


3/16

James Adamsdistu rbin gly few clues. T h e attacks appear to be comin g from sevenRussian Internet addresses, but it is unclear whether the initiative isstate-sponsored. Last year, Washington issued a demarche to theRussian government and provided Russian officials with the tele-phone numbers from which the attacks appeared to be originating.Moscow said thenumbers were inoperative and denied any priorknow ledge of the attacks.

M eanw hile, the assault has continue d una bated . T h e hackers havebuilt "back doors" through which they can re-enter the infiltratedsystems at will and steal further data; they have also left b eh ind toolsthat reroute specific network traffic through Russia. Despite all theinvestigative effort, the United States still does not know who isbe hin d the attacks, w ha t additional information has been taken andwhy, to wh at extent th e public and private sectors have been penetrated,and w ha t else has been left behin d tha t could still dam age th e vu lner-able netw orks.

Destructive as it is, M oo nligh t M aze is just a taste of dangers tocome. U.S. military leaders increasingly recognize that losing infor-mation batt les wil l undermine the country's ability to fight anybattles at all. Missile defense, for exam ple, will no t be wo rth the billionsit will cost if digital attacks un de rm ine its software or infrastructure.And opponents of missile defense could handicap the system at thedevelopm ent stage by attacking the technology at its source breakinginto the co mp uter networks of the corporations t ha t design the systemand m aking slight modifications tha t ensure huge costs and long delays.

The U.S. military's vulnerability to cyber-attack became clear inJune 1997, when the Joint Chiefs of Staff launched an exercise code-nam ed Eligible Receiver to test the nation's comp uter defenses. T he irscenario imagined a military crisis on the Korean Peninsula thatforced Washington to rapidly bolster South Korean forces With.troops and aircraft. Thirty-five men and women from the NationalSecurity Agen cy (NSA) were split into four teams, three in the U nite dStates and one on a ship in the Pacific, to simulate hackers hiredby North Korea to subvert the American operation. These hackersreceived no advance intelligence about U.S. information networksand could use only publicly available equipment and information.


4/16

Virtual Defenseany computer hacking programs they could find freely available onthe Internet. (Some 30,000 Web sites po st hack er codes, which canbe downloaded to break passwords, crash systems, and steal data.)

Over the course of the next two weeks, the teams used thecomm ercial computers and hacking programs they down loaded fromthe Internet to simultaneously break into the power grids of nineA me rican cities andcrack their 911 em ergency systems. T h is exerciseproved tha t gen uine hackers -with malicious inte nt could, w ith a coupleof keystrokes, have turned off these cities'power and prevented the local emergency T J C taXDavers areservices from responding to the crisis.

Having ensured civilian chaos and dis- Paying billions of dollarstracted Washington, the NSA agents then for a eyber-defenseattacked 41,000 of the Pentagon's 100,000 , , ,computer networks and got in to 36. Only PrOgram that leaves thetwo of the attackswere detected and reported, eountry largelyThe agents were thus able to roam freely unprotectedacross the networks, sowing destructionand distrust wherever they went. They could, for example, have senttruck headlights to an F-16 fighter squadron requesting missiles orrerouted aircraft fuel to a port rather than an air base. The hackersalso managed to infect the human command-and-control systemwith a paralyzing level of mistrust. Orders that appeared to comefrom a commanding general were fake, as were bogus news reportson the crisis and instructions from the civilian command authorities.As a result, nobod y in the chain of command, from the president ondown, could believe anything. This group ofhackers using publiclyavailable resources was able to prevent the U nited States from wagingwar effectively.

In October 1999, a second exercise, code-named Zenith Star,tested the lessons learned from Eligible Receiver. On this occasion,the "hackers" attacked the power systems feeding several U.S. militarybases and th en overwhelm ed local 911 emergency systems w ith a fioodof computer-generated calls. T h e test showed that some im provementhad occurred since Eligible Receiver, but coordination betweengovernment agencies was still poor and the national infrastructure


5/16

James AdamsT h e poten tial nightmares of Eligible Receiver and Ze ni th Star, as

well as the real and ongoing Moonlight Maze sabotage, are visiblesigns of a new war already being waged in cyberspace. This war islargely hidden from public view but the infrastructure protection itrequires is costing the private sector and t he U .S . taxpayer billions ofdollars. A nd thus far, the war is ope rating in an en vironm ent of nearchaos. Un like during the C old W ar, w hen the nuclear standoff producedits own unde rstanda ble rules of the gam e tha t included a sophisticateddeterrence mech anism , no legal or de facto bo und aries inhib it cyb er-aggressions. Instead, information warfare is a free-for-all, with moreand m ore players hurrying to join the scrimmag e.

WAR BY OTHER MEANST H E U . S . G O V E R N M E N T now believes that more than 30 nationshave developed aggressive computer-warfare programs. The listincludes Russia and China, volatile governments such as Iran andIraq, and U.S. allies such as Israel and France . A m bitio us new com ers,including Ind ia and Brazil, are also seeking to become pow ers in thewo rld of virtual com bat.Am ericans celebrated th e Persian G ulf W ar as a major victory forU.S . military forces and as a vindication of the nation's defensestructu re. But outside the Un ited States, the conflict taug ht an add i-tional lesson: a direct military confrontation with the United Stateswould inevitably result in defeat. So while theUnited States hascontinued to develop its conventional forces (the Pentagon's defensebudget is now larger than those of the 12 next largest nations com bined),other countries have looked elsewhere for an asymmetric advantage."T h e rest of the world realizes tha t you don't take the U nited Stateson in a military frontal sense, but you can probably bring it downor cause severe damage in a more oblique way," asserts Art Money,assistant secretary of defense for com m and, co ntrol, and intelligence."And that's where the vulnerability in the U nited States resides."

O ne cou ntry that Am erican intelligence has been closely monitoringis China, which is actively exploring the possibilities raised by thisnew American vulnerability. Because Beijing sees the United States


6/16

Virtual Defenseleaders and policymakers have made an intensive effort to applythe lessons learned from the Persian GulfWar's show of American mil-itary might. The heated Chinese debate about how to seize a militaryadvantage over the United States produced a partial answer inUnrestricted Warfare, written by two People's Liberation Army(PLA) colonels, Qiao Liang and W ang Xiangsui. The book clearlysets out why China considers the Gulf War to have been the lasthurrah for the old-style warrior.

[T ]h e age of technological integration and globalization ... hasrealigned the relationship of weapons to war.... Does a single "hacker"attack cou nt as a hostile act or not? C an u sing financial instru m ents todestroy a country's economy be seen as a battle? D id CN N 's broadcastof an exposed corpse of a U.S. soldier in the streets of M ogadishu shakethe determination of the Americans to act as the world's policeman,thereby altering the world's strategic situation? ... W h e n we suddenlyrealize that all these non -w ar actions may be the new factors con stitut-ing future warfare, we have to come up with a new name for this newform of war: Warfare which transcends all boundaries and limitsinshort, unrestricted warfare.The authors believe that China wHl never be able to match Americantechnological superiority. Moreover, having watched Moscow spenditself into oblivion trying to win the Cold W ar arms race, Beijing willseek to avoid the same mistake. Instead, the authors write, a digitalattack will give C hina a significant asymmetric advantage and evenbring about the defeat of the U nited States. China has therefore beenmaking large investments in new technology for the PLA and has

established a special information-warfare group to coordinate nationaloffense and defense. China-watchers in the Pentagon refer to theseefforts as the creation of "the G reat Firewall of China."Part of the reason for such aggressive action is that China suspectsthat it is already under cyber-attack from the United States. Everypiece of computer hardware or software imported from the UnitedStates or its allies is subject to detailed inspection when it arrives atthe border. China's own technicians then take control of the goodsand either resist or closely monitor W estern experts' efforts to install


7/16

James AdamsT h e sam e restrictions apply in Russia, wh ere political and militaryleaders are convinced that they are losing the cyberspace war to theUnited States. For the past two years, M osco w has qu ietly circulatedam ong the m embers of the U .N . S ecurity Coun cil drafts of a possible

arms-control treaty for cyberspace. The United States and its allieshave dismissed the proposals as the desperate posturing of a nationwith a weak information economy that is losing the cyber-war.Ind eed, from the perspective of inform ation-tech nolo gy powers suchas the Un ited States, an arms co ntrol treaty that will primarily benefitthose n ations falling behin d in the information war makes no sense.

NATIONAL INSECURITYALTHOUGH MOSCOW'S idea of an international treaty to limit infor-mation warfare may seem far-fetched, the concept of an effectivedeterrence regime for cyberspace is gaining currency in Washington.A s the information revolution gathers pace, so do the frequency andsophistication of the attacks on U .S. computer and communicationsnetworks. And these attacks have made glaringly clear two danger-ous changes in U .S. m ilitary and national security structures.First, during the C old War, W ashing ton controlled the pace of U.S.technology developm ent by directly funding approximately 70 percentof technology research. Today, tha t figure is less tha n 5 percent. Tech-nological innovation is now driven by private interests that refuse todepe nd on Wash ington's archaic acquisition systems. Instead, tech no l-ogy entrep reneurs strive incessantly to increase the speed of change.

That shift from public to private funding has been matched bythe development of a new weapons platform know n as the personalcomputer. The ammunit ion for this weaponthe hacking toolscome free on the W eb and are constantly being upd ated. One needsonly access to a computer, Internet capabilities, and a little bit of technicalsavvy to become an information warrior. And unlike twentie th-centu ry weapo ns innovations th at too k an average of 15 years to entermilitary service, today's newest versions of computers and softwareare available everyw here and accessible to everyone at the same tim e.

Second, the front line in this new war has changed. In the last


8/16

Virtual Defensesoldiers, sailors, andaviators met in combat. For the United States,w ith n o aggressive neighbo rs on its bord ers, defense of the hom elandm ean t projecting power overseas w hen U.S. interests were endangered.This strategy has worked well since the nation was founded; unlikem ost m od ern great pow ers, the Un ited States has rarely been invadedby foreign forces.

The cyber-world has changed that paradigm. Seeking to avoid adirect military confrontation with U.S. forces, potential foreignaggressors now look instead to attack th e softAmer ican underbel lythe private sec to i C o m p u t e r h ac ke rS canand to do so in such a way as to make mili-tary retaliation very difficult, either because ^ttaC K U . S . C o m p u t e rthe a ttack's origin is unknown or because the n e t w o r k s w i t h im p u n i t y .perpetrators have sabotaged civilian ormilitary command networks. The privateand public sectors together now form the front line of twenty-first-cen tury warfare, and private citizens are the likely first target.

D espite th e warning signs, the U nited States still does not p rioritizethreats to the private sector or sufficiently emphasize cooperationbetween citizens and government in defense. In many cases, W ash -ington remains legally constrained from passing on informationabout pote ntia l threats to the private sector. For exam ple, intelligenceofficials now believe that certain hardware and software importedfrom Russia , China, Israel , India , and France are infected withdevices that can read data or destroy systems. Th e names of the suspectedcompanies and products are not available to the private sector, how-ever, and because that inform ation and th e intelligence tha t supportsit are so highly classified, the suspicions are impossible to verify.In addition, the U .S. defense posture, wh ich is designed aroundpower projection and not homeland defense, leaves the country'sinformation and communications networks vulnerable. Currently nomechanism exists for effective defense of the computer networks ofbusinesses, the power grids of Am erican cities, or even th e informationnetworks of the federal government. Indeed, cyber-defense is left tothe FBI, a law-enforcement agency meant to pursue criminals, notdefend the nation. Th us far, the FBI'S efforts to coo rdinate cyber-defense


9/16

James AdamsThe bureau has supposedly been coordinating the sharing of infor-mation across public and private sectors but has in fact focused on itstraditional role of law^ enforcement.

The Clinton administration's response to these challenges wasfragmented and disorganized. Leadership in cyber-warfare was sup-posed to come from the National Security Council (N SC) , but notenough materialized. Relations between the F B I and the NSC weretense, and those between th e NSC and the Pen tagon even wo rse, w ithofficials refusing even to speak with one another. And cooperationamong the military services remains weak, despite efforts to put allcomputer warfare under a single entity, the U.S. Space Command.Every service has developed its own information-warfare capabilityat huge cost and with significant dup lication of effort. Similarly, theCIA, the Defense Intelligence Agency, and the NSA have each u nd er-taken inde pen den t information-warfare efforts, with little cooperationbetween them.

GETTING TOUGHA F T E R W O R L D WAR II, the detonation of two nuclear bombs overJapan frightened the world enough to provoke a ferment of activityinside the world's governments and the academic communityleading in tim e to the developmen t of a nuclear deterrent strategy. Th eworld knew tha t a nuclear attack against the Un ited States or one of itsallies, or against the Soviet Union or a Soviet ally, would provokeinstant nuclear retaliation. Defense planners later applied this strategyof deterrence through the threat of mutually assured destruction tochemical and biological weapon s as well . D urin g the Gu lf W ar, forexample, Saddam Hu ssein recognized tha t if he used chemical or bi o-logical weapons, he could expect a devastating, if unspecified, response.

But with no U.S. strategy for deterrence in the virtual world andno clear thinking about a legal regime for retaliation against cyber-attack, poten tial hackers can battle the Un ited States w ith impu nity.Consider wh at happened in M ay 2000, when a hacker in the Philippineslaunched the "Love Letter" vims around the world. In the UnitedStates, the Veterans Health Administration received 7 million "I


10/16

Virtual Defensefrom the attack at the D ep art m en t of Lab or required more tha n 1,600employee hours and 1,200 contractor hours. Estimates oft he cost ofthe attack to the United States range from $4 billion to $15 billionor the equivalent, in conventional war terms, of the carpet-bom bingof a small Am erican city. Yet W ash ingto n did nothing to prosecutethe hacker or to recover damages. A ltho ugh the hacker was arrested,he was later released because Philippine law is not designed toprosecute such crimes.

MEDICINE FOR THE VIRUST H E P R O B L E M S in the current U.S. defense system and nationalsecurity para digm are easy to identify. B ut rem edyin g those problem sby creating an effective defense and deterrent will be much moredifficult. Bringing order to the new frontier of information warfarewill require a robust strategy and sound tactics.Firs t and foremost, p rim ary responsibility for the cyber-defense ofthe nation must be given to the Depar tmen t of Defense. The N SChas failed to lead the b attle in com puter warfare, in par t because it haslacked the financial and military muscle to do so. In Washington'sbureaucratic m aze, where departm ents and agencies vie for money,the cyber-threat has often been seen as just another excuse to winadditional funding to take on the task of netw ork defense. Because itlacks bureaucratic pu nch , the NSC 'S warnings about cyber-threats tonational security have gone largely unh eede d.

T h e FBI, w hich has the training and resources to investigate andapprehen d hackers, can play a crucial role in fighting cyber-c rime , bu tit should not coordinate the battle. The bureau has a reputation fornot sharing information with other government departments, and itsinitiative to promote communication between government and theprivate sector has produced disappo inting results. The F B I officials incharge of that project argue that the bureau itself remains uncom-mitted to the cyber-defense role and has not allocated the necessarypeople, money, and technology to cyber-defense.C ertainly, there are some doubts about the wisdom of giving thePentagon the information-defense mandate. Foreign enemies of


11/16

James Adamsprotect and defend the nation, whereas American citizens enjoy civilrights that domestic law-enforcement agencies such as the F B I mustobserve. So lawmakers and civil libertarians are understandablynervous about extending the military's powers to the homeland. Butthe U nited States has two underused assets at its disposal that will allowit to avoid this contentious move: the m ilitary reserves and the N ationa lG ua rd. Th ese groups already have the technology skills needed to ru nan effective inform ation defense, because their personne l are also in te-grated into the technology-driven private sector. Homeland defense,coordinated by the Pentagon and using the National G uard and the re-serves, is the way to pro tect Am erica's information netw orks.

T h e Pentagon has the resources to lead information defense but hasbeen reluctant to take on this mission. To assume this additional rolenow would require realigning Defense Department priorities and re-allocating resources from traditional power projection abroad tohom eland defense. Bu t national defense is the Pentagon's business. A ndin the information age, national defense must include cyber-defense.

In order for defense planners to coord inate a strategy for cyberspace,the definitions of national security and the appropriate methods ofmanaging it need to be redefined. "National security" has alwaysmeant protecting the nation's borders from foreign attack, and theperceived national interest has often led to the projection of U.S.military power overseas to protect the hom eland . B ut as the Ch ineseclearly understand, fliture war is no longer going to focus on bordersand territorial disputes. In addition, previously it was defeat on thebattlefield that decided the outcome of a conflict, and any wartimeattacks on a country's private sector primarily targeted its industrialcomplex. In cyberspace, however, the asymmetric advantage goes towhoever und erstands th at a successfiil com puter attack against privatelyowned information networks is just as effective a weapon as militaryforce. Th is is an uncomfortable concept for bo th military and politicalleaders to grasp, because it requires, first, acknowledging that thebarriers between the public and private sectors have eroded and , second,embracing innovative strategies that take the private sector's newtechnological skills and vulnerability into account.

Fu rther m ore, effective defense m eans deterrin g attacks before they


12/16

Virtual Defensenation already understands the consequences of using weapons ofmass destruction against the Un ited States. W ash ing ton must similarlypu t the wo rld on notice tha t it will consider a cyber-attack against anyU.S. entity an act of war tha t will generate anappropriate response.It must also make clear that the United States does not distinguishbetween m ethods of attack; w hethe r struck by a bom b or a com putervirus, it cares only about the effect.

But acts of aggression against U.S. information networks will occur,and guidelines for responding need to be developed. As Washingtonhas learned from Moonlight Maze, pinning the blame on a specificgrou p or nation is tou gh . M an y nation s faced similar challenges fromterro rism in the late 1960s and early 1970s, w he n the y suffered from acritical shortage of intelligence, little cooperation between govern-m en ts, and no defensive capability, either civilian or military, to p rotec tagainst the new ph enom enon of transnational terrorism. By the m id-1980s, however, intelligence ha d im proved dramatically, nations w erecoop erating m ore, and defensive measures had been pu t in place. Th eresult was the co ntain m ent of the terrorism prob lem , althoug h it willnever be fully eliminated. The same parallels apply in cyberspace.

If the United States is to respond effectively to cyber-attack, itmust first know who is responsible for the aggression. Findingcrim inals w ho act thro ug h co m puter netw orks is a tou gh challenge,since attacks in cyberspace can come from m ultiple po ints simu lta-neously, w ith th eir origins disguised. For exam ple, in Febru ary 1998,while tensions were mounting once again with Iraq, the Pentagondiscovered a soph isticated set of intrusion s into a nu m ber o f D efenseD ep artm en t information systems. Th ese attacks, code-nam edSolar Sunrise, seemed designed to gather intelligence on U . S . plansfor actions in Iraq and disrupt command-and-control and logis t icssystems. The hacks were assumed to have been organized by Iraq,and their origin was traced to Abu Dha b i . A strike force was sentto that Gulf state and, after receiving permission from its govern-ment, entered what was thought to be the building where the Iraqicomputer team was hiding. In fact, the building housed not Iraqisbut computer servers; the attacks were not ordered by Baghdad ,and Ab u D ha b i was simp ly a false trail laid by th e hack ers. Sh ortly


13/16

James Adamsthat they and an Israeli hacker had launched Solar Sunrise, andtheir motivation had noth ing to do with Iraq.

U.S . policymakers m ust also resolve the legal and m oral question ssurroun ding retaliation in information warfare. T h e legal principle ofpro po rtionality applies to issues of national sovereignty a na tion hasevery righ t to use force to defend itself against territorial incursion.Bu t there is no clear understanding of how or whethe r proportionality

should apply to information warfare, whichIn form ation attacks are involves civilian populations to a greater, . r 1 extent than does traditional war. If Chinat h e n e w t e r r o r i s m o f t h e lau nch ed a network attack to turn off thetw e n ty -f ir s t CentXiry. power in Chicago in midwinter, kill ing large

numbers of the city's residents, would theUnited States be justified in using remotesystems to raise the gates of a dam in C hina and kill the Chineseliving in the valley below? Is responding to a cyber-attack with con-ventional force legally, morally, or politically acceptable? Thes e difficultquestions have so far frustrated com puter warriors and lawyers alike.

In such a confiised environment, the intelligence agencies mustimprove their sources and methods. They will have to develop newmeans of infiltrating private or government-sponsored groups thatwage war in cyberspace. T h e CIA targets parties hostile to the UnitedStates and develops covert operations to counter themand thesame m ethod s must be employed against those w ho choose c om puternetw orks as their battlefield.

Complicating the intelligence agencies' task of finding computerattackers is the fact th at hackers can use man y different rou tes, so th atan attack that seems to come from L on do n h as actually originated inBrazil and traveled to the U nited States via M oscow and A ntwerp.Trac ing an e-mail virus back to its source, for example, requiresindividu al authorization from every jurisdiction th rou gh wh ich it hastraveled. This time-consuming job restricts the ability of law en-forcement to arrest an attacker and of the Pentagon to retaliate. Congressshould pass new legislation tha t will allow the track ing of intrusion sthrough the Internet . Further legis la t ion is needed to allow law-enforcement agents to infiltrate computer networks when tracking a


14/16

Virtual Defensesecurity priority can be shown, such taps could be allowed by law.Congress already has the authority to pass some such legislationindeed , the intelligence com m unity is authorized to gather informationfrom foreign computer networks. But for Congress to acquire thenecessary legal license and political leeway to pass com prehensive andeffective m easures, the co operation of oth er governm ents is required.

D urin g the Cold War, U.S . and foreign policymakers approp riatelyrecognized that an armed conflict could threaten access to vital oilsupplies. Washington managed the problem by positioning suppliesin areas of risk, developing a rapid deployment force, and forminginte rna tion al alliances. In the ev ent of a conflict, Am erica n and alliedforces could be rapidly deployed to protec t the oil supplies, as happenedbefore the Gulf War. The same solutions are relevant in a worldwh ere com pu ter attacks could cut A m erica n access to an equally vitaleconomic fiiel: com puter n etworks. Alth ou gh the Un ited States hasdeveloped some effective cyber-weapons that can destroy an enemy'scomputer network or interrupt a nation's fuel and water supplies,there is disagreement about when and how they can be used.

These questions must be sorted out inside theUnited States toavoid the kind of confusion that emerged in B osnia. The re, the militarywanted to unleash some information attacks against the BosnianSerbs, but officials in the Justice De pa rtm en t expressed real concernabou t w heth er such attacks were legal. Co ord inatio n w ith U .S . alliesis also necessary to share inform ation on the threat and wha t can bedone to overcome it . D uri ng the C old War, the United States and itsallies developed an effective early w arn ing system to d etect an d trackthe laun ch of nuclear m issiles, wh ich could reach their targets w ithinm inute s. Similarly, a hack ing techn ique or e-mail virus developed inEurope can hit the United States a few minutes later. But as of yet,there is no effective warning against cyber-attacks.

Anothe r gap in U.S. information defense concerns the severalcountries with offensive information-warfare programs that useprivate com panies as a cover for pla ntin g m alicious code in seeminglybenign computer software. For example, India or Israel may sell asoftware solution to a U.S. government agency tha t has a virusembedded within it. Currently, there is no way of comparing a


15/16

James Adamscheck for any discrepancy in the source code. Developing the tech-nological means to vet software codes should be a priority for boththe pub lic and th e private sectors. The pres iden t could assign this taskto the National Science Fou ndation. At the same tim e, foreign com-panies need to understand that if malicious code is found in theirproducts, there will be an economic price to pay, such as an impor tban. Such a threat would swiftly persuade foreign companies thatcooperating with their governments in waging computer warfare isnot in their best econom ic interests.

BRAVING THE NEW WORLDE V E N IF Washington takes steps to create, guide , anddirect a coherentstrategy to combat the cyber-threats to national security, effectivedefense w ill w ork o nly in cooperation with the private sector. A newpartne rship m ust be forged betw een policymakers and the high-techcomm unity, wh ich generally has better intelligence abo ut inform ation-network threats than does the government. U.S. network vulnerabilityis a shared problem, and there must be a shared solution.

The Bush adminis t ra t ion has an oppor tun i ty to redefine thenational security enviro nm ent. The threat of cyber-at tack dem andsleadership and creative think ing th at will prod uce new solutions. Ifthe adm inistration remains stuck in the outda ted. Co ld W ar paradigmof confiict, U .S . status as a military superpow er will be jeopard izedby the new players of the cyber-world. The United States mustneutralize the asymm etric advantage of waging virtual war.


16/16

Virtual Defense U.S.

Documents