Abdicating on a ‘cyber czar’?
In May, President Obama completed his long-awaited “cyberspace policy review,” concluding that cyberspace is a strategic asset that must be safeguarded from attack as a national security priority. He recalled how hackers had gotten into his own campaign servers, and he worried that crucial infrastructure, public and private, was vulnerable to hackers, cyber terrorists and even other governments.
The president promised to appoint a permanent “cyber czar” who would coordinate the work of federal agencies charged with protecting us. But since “acting cyber-security czar” Melissa Hathaway resigned in August, the post has been unfilled.
Why? Part of the reason may be the nature of the job. The cyber czar would have to coordinate with agencies that engage in constant turf wars, including the CIA, the FBI, the Department of Defense, the National Security Agency and others. That is a daunting task for an outsider -- even a “czar” appointed by the president.
But the need is great. Last August, Twitter was the victim of an attack emanating from Eastern Europe that took down the social network for most of a day. Facebook and LiveJournal were also affected. In 2007, Chinese hackers penetrated American electricity grids. About the same time, unidentified hackers broke into a Pentagon network and briefly brought it down. Defense Secretary Robert M. Gates has said government computers are “under attack all the time -- every day.”
The weapons in the hackers’ arsenal are easily obtained. International cyber arms dealers regularly sell “malware” and “botnet” programs through online auctions similar to priceline.com or EBay. Malware, in case you aren’t a geek, is short for “malicious software,” designed to do damage to a computer system. According to a Hoover Institution Policy Review released earlier this year, a botnet is a network of thousands of software robots that run autonomously on compromised, or “zombie,” computers. These computers spawn malware under the command of a “bot herder,” who can control the group remotely. Because effective cyber attacks involve not just one malicious computer but thousands of computers at a time, with new ones constantly joining the fray, cyber sallies are all the more difficult to deflect.
In the spring of 2007, after the government of Estonia moved a monument to the Red Army from the center of its capital to the outskirts of town, it became the victim of a monthlong cyber attack that the New York Times said “came close to shutting down the country’s digital infrastructure.” Through the use of botnets, your computer may have been used against Estonia without you even knowing it.
A significant issue is that the government uses the same networking, the same Internet protocols and the same operating systems as the private sector, making cyber security a universal problem as opposed to a governmental problem. Hackers may find a greater payload in targeting critical infrastructure such as power grids, financial or communication networks or air traffic control systems than in attacking the CIA or the Pentagon.
An attack by an adversary nation, much less a cyber extortionist or terrorist, is not so far-fetched. In March 2007, the Department of Energy’s Idaho National Laboratory conducted an experiment to determine whether a power plant could be compromised by hacking alone. The researchers were able to cause a generator to shake, smoke and shut down with a few keystrokes. The same year, then-Deputy Undersecretary of Defense Richard P. Lawless told a House committee that “Chinese capabilities in this area have evolved from defending networks from attack to offensive operations against adversary networks.
Strengthening our software systems will require a deft hand. Security technologist and author Bruce Schneier points out a problem he calls the “equities issue.” The good guys and the bad guys all use Windows, Oracle, e-mail and Skype. If we alert the manufacturer and patch vulnerability in the system, are we making it tougher on ourselves when our own government wants to go after the bad guys?
So why hasn’t the president appointed a new cyber czar to monitor and, if indicated, secure the electronic highway from attack? His staff said he is looking for just the right person, and that takes time. The problem is that we don’t have much time.