U.S. Scurries to Erect Cyber-Defenses

TIMES STAFF WRITER

Distant forests dominate the view from the eighth-floor director’s suite at the National Security Agency, America’s largest intelligence gathering operation. But the talk inside is of a more troubling horizon: cyberspace.

“Think of it as a physical domain, like land, sea and air,” said Air Force Lt. Gen. Michael V. Hayden in his first interview since taking the NSA’s helm in May. “Now think of America conducting operations in that new domain.”

These days, many in the U.S. intelligence, law enforcement and national security community are thinking of little else.

The Pentagon has stepped up cyber-defense and is planning cyber-combat. The FBI is still struggling to unravel Moonlight Maze, a massive assault on U.S. government computers that has been traced to Russia. Prodded by the White House, other agencies are also scrambling to protect America’s electronic infrastructure from a daily digital barrage from around the world.

The stakes could not be higher. Put simply, how can an increasingly wired America best defend itself from hostile nations, foreign spies, terrorists or anyone else armed with a computer, an e-mail virus and the Internet? And how can America fight back in the strange new world of warp-speed warfare?

The answers so far are not encouraging.

“The pace of technological change is rapidly outstripping our existing technical edge in intelligence that has long been one of the pillars of our national security,” said CIA Director George J. Tenet.

The United States faces “a growing cyber-threat” from “weapons of mass disruption,” Tenet said. “Potential targets are not only government computers but the lifelines that we all take for granted: our power grids and our water and transportation systems.”

That threat is why 50 experts from the NSA, CIA, FBI, Defense Department and other agencies gathered in early October in a drab office building in Falls Church, Va., for a classified war game that was code named Zenith Star.

For two days, they huddled behind closed doors to test America’s response to a simulated surprise attack by electronic evildoers--the first such effort since a 1997 exercise found the U.S. government almost defenseless in cyber-war.

This time, enemy hackers supposedly had triggered blackouts around major military facilities near Chicago, Honolulu and Tampa, Fla. They paralyzed 911 emergency response systems with a flood of computer-generated calls. Then they started disrupting crucial Pentagon computer networks.

The mock scenario was “based on actual vulnerabilities,” explained Air Force Maj. Gen. John H. Campbell, who ran Zenith Star as head of the Pentagon’s new Joint Task Force-Computer Network Defense in Arlington, Va.

Although results are not in, Campbell said, he believes coordination and cooperation have improved since Eligible Receiver, the classified 1997 war game that found America unprepared for cyber-attack. In that exercise, a team of NSA hackers proved that they could easily disable power, telephones and oil pipelines across the country, as well as Pentagon war-fighting capabilities.

The joint task force was one result. Operational since June, it aims to organize defense of the Pentagon’s 2.1 million computers, 10,000 local networks and more than 100 long-distance networks. The unit formally became part of the Pentagon’s combat mission on Oct. 1, when it was attached to U.S. Space Command, based in Colorado Springs, Colo. A separate task force will be established next October to safeguard against computer network attack, Campbell said.

Now the computer defense force runs a 24-hour operations room that looks like the set of a Hollywood thriller. Inside the Secure Compartmented Information Facility, a dozen experts tend banks of classified and unclassified computers. Red digital clocks on the ceiling show time zones around the world. Three huge screens on one wall monitor major military computer nodes in the United States, Europe and the Pacific. Three other large screens are tuned to TV networks.

Campbell, a veteran fighter pilot, sees cyberspace as the wild new yonder. Donning his worn leather flight jacket for an interview in a drafty task force office, he warned that terrorists rely increasingly on computers for planning and communication.

“We see more and more terrorist organizations . . . are recruiting computer-smart people and even providing the training for them,” Campbell said.

Most attacks on U.S. government computers have involved politically motivated vandalism, not terrorism. During the Kosovo conflict last spring, for example, the White House and numerous other government departments and agencies were forced to take down Web sites after hackers defaced them with electronic graffiti.

But the hackers are more malicious and more powerful than ever. Despite the increased protection, two unknown groups used multiple simultaneous attacks last week to penetrate and deface 13 government and military sites, including the U.S. Army Reserve Command, the White Sands Missile Range, the National Aeronautics and Space Administration’s Jet Propulsion Laboratory, the National Defense University and the Naval Coastal Systems Center.

To be sure, U.S. officials insisted that no one has stolen military or other national security secrets by penetrating a classified computer system from outside. But it clearly is not for want of trying.

Consider the Navy’s Space and Naval Warfare Systems Command Center in San Diego, which helps safeguard naval intelligence codes. Its unclassified computer systems, a senior official said, are “under constant attack, more than one a day from outside the country.”

Spawar, as it is commonly called, has traced hackers this year alone to Argentina, Australia, Brazil, Britain, China, France, Italy, Israel, Japan and Russia. Most use programs to electronically “sweep” the Spawar systems, looking for unguarded access points.

“For every protection we put up, they find a way around it,” he said. “Many get in, rummage around, package files and send them off. A few gain root access,” or complete access to the compromised system. “It’s steadily increasing, steadily getting worse.”

In February, someone even used the Internet to secretly program a new password for a Hewlett-Packard printer at Spawar so that copies would print out in Russia. The intrusion was detected before sensitive files were lost, the official said. In that case, as in most, officials never determined whether a curious teenager, a foreign intelligence agency or someone else was responsible for the intrusion.

“Often you don’t know what you’re dealing with until you’re pretty far along in an investigation,” said Michael A. Vatis, America’s top cyber-cop. “You don’t know if you have a single intrusion or a concerted attack.”

Vatis heads the FBI’s National Infrastructure Protection Center, the focal point of the federal government’s effort to prevent, detect and prosecute cyber-crimes. The center has 800 pending hacker, virus and intrusion cases, up from 200 two years ago. Most involve disgruntled employees who sabotage computer systems for revenge or crooks who use the Internet for scams and fraud.

But Vatis said that he worries most about what he calls “America’s Achilles’ heel,” the growing reliance on computer-controlled systems built for efficiency, not security.

“We know other countries are building information warfare technology,” he said at the headquarters of the infrastructure protection center, a warren of computer cubicles on the 11th floor of the FBI building in Washington. “We know countries are engaged in espionage and economic espionage.”

The FBI, for example, has tried to determine if cyber-spies at Moscow’s prestigious Russian Academy of Sciences are responsible for Moonlight Maze, the most pervasive assault yet on sensitive U.S. Defense Department and other computer networks.

The first Moonlight Maze attack was detected in March 1998. Three months later, U.S. security sleuths were able to monitor a series of intrusions as they occurred and traced them back to seven dial-up Internet connections near Moscow.

But the intense attacks continued until at least last May, and the FBI investigation remains open. One reason: U.S. officials are unable to determine if the trail really stops in Moscow or simply appears to.

Either way, the Moonlight Maze attack was enormous. U.S. officials said that the intruders systematically ransacked hundreds of essential but unclassified computer networks used by the Pentagon, the Energy Department, NASA, defense contractors and several universities. Vast amounts of technical defense research were illegally downloaded and transferred to Russia.

Investigators found that the hackers used workstations running Sun operating systems and routed high-speed calls through U.S. university network servers to hide their tracks. They usually logged into government computer systems with stolen passwords. Attacking from within, they gained root access to numerous systems.

The intruders also sometimes created illegal “back doors” to secretly reenter the compromised systems, the evidence showed. They also installed “sniffers,” which let them monitor sensitive communication along U.S. government networks, and then sent e-mail as well as other sensitive information, stored in compressed data files, to Russia.

One private-sector target was Meganet Corp., which is based in Tarzana and sells 21 versions of commercial encryption software that it bills as “unbreakable.” U.S. export controls prohibit sale of the software overseas, the company says.

In two overnight attacks in July 1998, Meganet’s Web servers were swamped with “tens of thousands” of hits from “Lab 1313,” an unknown group that used an Internet connection from the Russian Academy of Sciences, according to Michael Vaknin, the company’s general manager. He said that the attackers sought source code for the encryption software but failed because it is kept on a separate system.

Not long ago, few Americans outside the secretive National Security Agency were concerned with the esoteric field of encryption or the theft of digital data.

The high-tech NSA, which does the government’s code making and code breaking, is responsible for the covert collection of signals intelligence, or “Sigint,” from around the world. The explosion of new computer and communications technology has given the intelligence agency powerful new tools--but it has also made the agency’s job much more difficult.

Hayden, the NSA director, conceded, “It was easier to be top dog before.”