Special Report: The Pentagon's New Cyber Warriors
WASHINGTON - Guarding water wells and granaries from enemy
raids is as old as war itself. In the Middle Ages, vital resources were
hoarded behind castle walls, protected by moats, drawbridges and knights
with double-edged swords.
Today, U.S. national security planners are proposing that the 21st
century's critical infrastructure -- power grids, communications, water
utilities, financial networks -- be similarly shielded from cyber
marauders and other foes.
The ramparts would be virtual, their perimeters policed by the
Pentagon and backed by digital weapons capable of circling the globe in
milliseconds to knock out targets.
An examination by Reuters, including dozens of interviews with
military officers, government officials and outside experts, shows that
the U.S. military is preparing for digital combat even more extensively
than has been made public. And how to keep the nation's lifeblood
industries safe is a big, if controversial, aspect of it.
"The best-laid defenses on military networks will matter little
unless our civilian critical infrastructure is also able to withstand
attacks," says Deputy U.S. Defense Secretary William Lynn, who has been
reshaping military capabilities for an emerging digital battlefield.
Any major future conflict, he says, inevitably will involve cyber
warfare that could knock out power, transport and banks, causing
"massive" economic disruption.
But not everyone agrees that the military should or even can take on
the job of shielding such networks. In fact, some in the private sector
fear that shifting responsibility to the Pentagon is technologically
difficult -- and could prove counterproductive.
For the moment, however, proponents of the change seem to have the
upper hand. Their case has been helped by the recent emergence of
Stuxnet, a malicious computer worm of unknown origin that attacks
command modules for industrial equipment.
Experts describe the code as a first-of-its-kind guided cyber
missile. Stuxnet has hit Iran especially hard, possibly slowing progress
on Tehran's nuclear program, as well as causing problems elsewhere.
Stuxnet was a cyber shot heard around the world. Russia, China,
Israel and other nations are racing to plug network gaps. They also are
building digital arsenals of bits, bytes and logic bombs -- code
designed to interfere with a computer's operation if a specific
condition is met, according to experts inside and outside the U.S.
THE WORMS ARE COMING!
In some ways, the U.S. military-industrial complex -- as President
Dwight Eisenhower called ties among policymakers, the armed forces and
arms makers -- is turning into more of a military-cyber-intelligence
The Pentagon's biggest suppliers -- including Lockheed Martin Corp,
Boeing Co, Northrop Grumman Corp, BAE Systems Plc and Raytheon Co --
each have big and growing cyber-related product and service lines for a
market that has been estimated at $80 billion to $140 billion a year
worldwide, depending on how broadly it is defined.
U.S. officials have shown increasing concern about alleged Chinese
and Russian penetrations of the electricity grid, which depends on the
Internet to function. Beijing, at odds with the United States over
Taiwan arms sales and other thorny issues, has "laced U.S.
infrastructure with logic bombs," former National Security Council
official Richard Clarke writes in his 2010 book "Cyber War," a charge
Such concerns explain the Pentagon's push to put civilian
infrastructure under its wing by creating a cyber realm walled off from
the rest of the Internet. It would feature "active" perimeter defenses,
including intrusion monitoring and scanning technology, at its interface
with the public Internet, much like the Pentagon's "dot.mil" domain
with its more than 15,000 Defense Department networks.
The head of the military's new Cyber Command, Army General Keith
Alexander, says setting it up would be straightforward technically. He
calls it a "secure zone, a protected zone." Others have dubbed the idea
"The hard part is now working through and ensuring everybody's
satisfied with what we're going to do," Alexander, 58, told reporters
gathered recently near his headquarters at Fort Meade, Maryland.
Alexander also heads the National Security Agency, or NSA, the
super-secretive Defense Department arm that shields national security
information and networks, and intercepts foreign communications.
The Pentagon is already putting in place a pilot program to boost its
suppliers' network defenses after break-ins that have compromised
weapons blueprints, among other things. Lynn told Alexander to submit
plans, in his NSA role, for guarding the so-called defense industrial
base, or DIB, that sells the Pentagon $400 billion in goods and services
"The DIB represents a growing repository of government information
and intellectual property on unclassified networks," Lynn said in a June
4 memo obtained by Reuters.
He gave the general 60 days to develop the plan, with the Homeland
Security Department, to provide "active perimeter" defenses to an
undisclosed number of Pentagon contractors.
"We must develop additional initiatives that will rapidly increase
the level of cybersecurity protection for the DIB to a level equivalent
to the (Department of Defense's) unclassified network," Lynn wrote.
The Pentagon, along with the Homeland Security department, is now
consulting volunteer "industry partners" on the challenges private
sector companies envision, said Air Force Lieutenant Colonel Rene White,
a Pentagon spokeswoman, in a status report.
Some see the Pentagon's proposed new ring around certain critical services as a throwback almost to the dark ages.
"Dot.secure becomes new Target One," says Richard Bejtlich, General
Electric Co's director of incident response. "I can't think of an easier
way to help an adversary target the most critical information on
Bejtlich and others say such an arrangement would only be as strong
as its weakest link, vulnerable to compromise in many ways. "I guarantee
users will want to and need to transfer information between their
normal company Internet-connected computers and 'dot.secure'," he says.
"Separation is a fool's goal."
Utilities already use encrypted, password-controlled systems to
handle communication between power plants and large-scale distribution
Trying to move that traffic off the existing Internet onto an
independent computer network would be expensive, and would not
necessarily guarantee security.
"Even a private network is only so secure," said Dan Sheflin, a vice
president at Honeywell International Inc who works on grid-control
technology. "A big threat is employees walk in, unknowingly or
knowingly, with (an infected) thumb drive, plug it in, put their kids'
pictures on their PC and, oh boy, something's on the network. Those are
things that even a private network could be subject to."
Rather than building a new network, a more practical solution could be improving the security of existing systems.
"The real issue is not letting people in and having layers of defense
if they do get in to isolate them and eradicate them," said Sheflin, of
Honeywell, which makes grid components ranging from home thermostats to
automation systems to run power plants. "This is a very difficult
problem. We are up against well-funded groups who can employ many people
who spend their time trying to do this."
Greg Neichin of San Francisco-based Cleantech Group LLC, a research
firm, says utility companies already are well aware of the need to guard
their infrastructure, which can represent billions of dollars of
investment. "Private industry is throwing huge sums at this already," he
says. "What is the gain from government involvement?"
Companies ranging from Honeywell to General Electric Co -- whose
chief executive, Jeff Immelt, called the U.S. energy grid a relic last
month -- are pushing the drive toward a "smart grid."
That model would permit two-way communication between power producers
and consumers, so a utility could avoid a blackout during a peak demand
time by sending a signal to users' thermostats to turn down air
conditioning, for instance. Such a system could also allow variable
pricing -- lowering prices during off-peak demand times, which would
encourage homeowners to run major appliances like dishwashers and
washing machines in the evenings, when industrial demand declines.
Neichin is worried that efforts to wall off grid-related communication could stifle that kind of innovation.
But even Sheflin of Honeywell argues that private companies are not
likely to solve a problem of this magnitude on their own. "The
government needs to be involved in this," he said. "There is going to
have to be someone that says, 'Wait a minute, this is of paramount
importance.' I don't think it's going to be private industry that will
raise the red flag."
A Pentagon spokesman said he could not address industry concerns
right now, but the Defense Department would do so before long. Still,
the military's proposal faces other complications.
WHO'S IN CHARGE?
The U.S. Department of Homeland Security now leads efforts to secure
federal non-military systems, often described as the Internet's
"dot.gov" domain. It also has the lead in protecting critical
infrastructure. NSA and Cyber Command lend a hand when asked to do so,
including by U.S. companies seeking to button up their networks.
The idea of letting the Defense Department wall off certain
private-sector networks is highly tricky for policymakers, industry and
Pentagon planners. Among the issues: what to protect, who should be in
charge, how to respond to any attack and whether the advent of a
military gateway could hurt U.S. business's dealings overseas, for
instance for fear of Pentagon snooping.
In addition, the 1878 Posse Comitatus Act generally bars federal
military personnel from acting in a law-enforcement capacity within the
United States, except where expressly authorized by the Congress.
Alexander says the White House is considering whether to ask Congress
for new authorities as part of a revised team approach to cyber threats
that would also involve the FBI, the Department of Homeland Security
and the Defense Department.
There are persistent signs of strains between Cyber Command and the
Homeland Security Department over how to enhance the U.S. cybersecurity
"To achieve this, we have to depart from the romantic notion of
cyberspace as the Wild Wild West," Homeland Deputy Secretary Jane Lute
told the annual Black Hat computer hackers' conference in Las Vegas in
July. "Or the scary notion of cyberspace as a combat zone. The goal here
is not control, it's confidence."
Alexander made a reference to tensions during certain meetings ahead
of Cyber Storm III, a three-day exercise mounted by U.S. Homeland
Security last week with 12 other countries plus thousands of
participants across government and industry. It simulated a major cyber
attack on critical infrastructure.
"Defense Department issues versus Homeland Security issues," he told
the House of Representatives Armed Services Committee on September 23.
"And that's probably where you'll see more friction. So how much of each
do you play? How radical do you make the exercise?"
President Barack Obama's cybersecurity coordinator, Howard Schmidt,
is working with Congress and within the administration to develop
policies and programs to improve U.S. cybersecurity, says a White House
spokesman, Nicholas Shapiro.
Obama, proclaiming October National Cybersecurity Awareness Month,
said protecting digital infrastructure is a "national security
"We must continue to work closely with a broad array of partners --
from federal, state, local and tribal governments to foreign
governments, academia, law enforcement and the private sector -- to
reduce risk and build resilience in our shared critical information and
communications infrastructure," he said.
VIRTUAL CASTLE WALLS
Active defenses of the type the military would use to shield a
"dot.secure" zone represent a fundamental shift in the U.S. approach to
network defense, Lynn says. They depend on warnings from communications
intercepts gathered by U.S. intelligence.
Establishing this link was a key reason for the creation of Cyber
Command, ordered in June 2009 by Defense Secretary Robert Gates after he
concluded that the cyber threat had outgrown the military's existing
"Policymakers need to consider, among other things, applying the
National Security Agency's defense capabilities beyond the '.gov'
domain, such as to domains that undergird the commercial defense
industry," Lynn wrote in the September/October issue of Foreign Affairs.
"The Pentagon is therefore working with the Department of Homeland
Security and the private sector to look for innovative ways to use the
military's cyber defense capabilities to protect the defense industry,"
U.S. Senator Sheldon Whitehouse, who led a Senate Intelligence
Committee cyber task force that submitted a classified report to the
panel in July, has floated a similar idea, drawing an analogy to
"Can certain critical private infrastructure networks be protected
now within virtual castle walls in secure domains where those
pre-positioned offenses could be both lawful and effective?" he asked in
a July 27 floor speech.
"This would obviously have to be done in a transparent manner,
subject to very strict oversight. But with the risks as grave as they
are, this question cannot be overlooked," said the Rhode Island
Democrat. "There is a concerted and systematic effort under way by
national states to steal our cutting-edge technologies."
The "dot.secure" idea may be slow in getting a full congressional
airing. More than 40 bills on cyber security are currently pending. The
chairman of the House Armed Services Committee, Missouri Democrat Ike
Skelton, told Reuters he was not ready to pass judgment on possible new
powers for Cyber Command.
Cyber Command leads day-to-day protection for the more than 15,000
U.S. defense networks and is designed to mount offensive strikes if
ordered to do so.
The command has already lined up more than 40,000 military personnel,
civilians and contractors under Alexander's control, nearly half the
total involved in operating the Defense Department's sprawling
information technology base.
It is still putting capabilities in place from across the military as
it rushes to reach full operational capability by the end of this
month. Reuters has pinned down the numbers involved for each service.
The Air Force component, the 24th Air Force, will align about 5,300
personnel to conduct or support round-the-clock operations, including
roughly 3,500 military, 900 civilian and 900 contractors, said
spokeswoman Captain Christine Millette. The unit was declared fully
operational on October 1, including its 561st Network Operations
Squadron based at Peterson Air Force Base, Colorado, where it operates,
maintains and defends Air Force networks.
The Navy adds about 14,000 active duty military and civilian
employees serving at information operations, network defense, space and
telecommunication facilities around the world. They are now aligned
operationally under the U.S. Fleet Cyber Command, said spokesman
Commander Steve Mavica.
The Army contributes more than 21,000 soldiers and civilians,
including the Army Intelligence and Security Command, for cyber-related
actions, said Lieutenant Colonel David Patterson, an Army spokesman.
The Marine Corps will assign roughly 800 of its forces to "pure"
cyber work, according to Lieutenant General George Flynn, deputy
commandant for combat development.
Cyber Command's headquarters staff will total about 1,100, mostly
military, under a budget request of about $150 million for the fiscal
year that started October 1, up from about $120 million the year before.
Besides guarding Defense Department computers, the nation's cyber
warriors could carry out computer-network attacks overseas with weapons
never known to have been used before.
"You can turn a computer or a power plant into a useless lump of
metal," says a former U.S. national security official familiar with the
development of U.S. cyber warfare capabilities. "We could do all kinds of
things that would be useful adjuncts to a balanced military campaign."
Such weapons could blow up, say, a chemical plant by instructing
computers to raise the temperature in a combustion chamber, or shut a
hydro-electric power plant for months by sabotaging its turbines.
Scant official information is available on the development of U.S.
cyber weapons, which are typically "black" programs classified secret.
They are built from binary 1s and 0s -- bits and bytes. They may be
aimed at blinding, jamming, deceiving, overloading and intruding into a
foe's information and communications circuits.
An unclassified May 2009 U.S. Air Force budget-justification document
for Congress lifted the veil on one U.S. cyber weapon program. It
described "Project Suter" software, apparently designed to invade enemy
communication networks and computer systems, including those used to
track and help shoot down enemy warplanes.
"Exercises provide an opportunity to train personnel in combined,
distributed operations focused on the 'Find, Fix and Finish' process for
high-value targets," says the request for research, development, test
and evaluation funds.
The U.S. Air Force Space Command has proposed the creation of a
graduate-level course for "network warfare operations." The proposed
five-and-a-half-month class would produce officers to lead weapons and
tactics development "and provide in-depth expertise throughout the air,
space and cyberspace domains focused on the application of network
defense, exploitation and attack," Lieutenant Colonel Chad Riden, the
space command's Weapons and Tactics branch chief, said in an emailed
reply to Reuters.
GEORGIA ON THEIR MIND
The world got a glimpse of what lower-level cyber warfare might look
like in Estonia in 2007 and in Georgia in 2008 when cyber attacks
disrupted networks amid conflicts with Russia.
Now, the Stuxnet computer virus is taking worries about cyber warfare
to new heights as the first reported case of malicious software
designed to sabotage industrial controls.
"Stuxnet is a working and fearsome prototype of a cyber-weapon that
will lead to a new arms race in the world," said Kaspersky Lab, a
Moscow-based security software vendor. "This time it will be a cyber
The program specifically targets control systems built by Siemens AG,
a German equipment maker. Iran, the target of U.N. sanctions over its
nuclear program, has been hit hardest of any country by the worm,
according to experts such as the U.S. technology company Symantec.
Asked about Stuxnet, U.S. Navy Vice Admiral Bernard McCullough, head
of Cyber Command's Navy component, told Reuters: "It has some
capabilities we haven't seen before."
Discovered in June, Stuxnet -- named for parts of its embedded code
-- is capable of reprogramming software that controls such things as
robot arms, elevator doors and HVAC climate control systems, said Sean
McGurk, who has studied it for the U.S. Department of Homeland Security
at an Idaho lab that grabs live viruses from the Internet and serves as a
kind of digital Petri dish.
"We're not looking right now to try to attribute where it came from,"
McGurk told reporters at the National Cybersecurity and Communications
Integration Center that he runs in Arlington, Virginia. "What we're
focusing on now is how to mitigate and prevent the spread," he said on
And then there is China. Its cyber clout has been a growing concern
to U.S. officials amid bilateral strains over U.S. arms sales to Taiwan,
Beijing's currency policies, its territorial claims in the South China
Sea and other irritants.
Beijing appears to have thoroughly pierced unclassified U.S.
government networks, said Dmitri Alperovitch, who heads Internet-threat
intelligence analysis and correlation for McAfee, a software and
security vendor that counts the Pentagon among its clients.
"In the U.S. when you're sending an email over an unclassified system
you might as well copy the Chinese on that email because they'll
probably read it anyway because of their pretty thorough penetration of
our network," he says.
Still, Chinese cyber capabilities lag those of the United States,
Russia, Israel and France in that order, adds Alperovitch. He headed
McAfee's investigation into Aurora, a codename for a cyber espionage
blitz on high-tech Western companies that led Google to recast its
relationship with China earlier this year.
Cyber arms entail "high reward, low risk," says Jeffrey Carr, a
consultant to the United States and allied governments on Russian and
Chinese cyber warfare strategy and tactics.
Lynn, the deputy defense secretary steering the military's cyber
overhaul, went to Brussels on September 14 to brief NATO allies on U.S.
cyber defense initiatives. He encouraged them to take action to secure
NATO networks, said Bryan Whitman, a Pentagon spokesman.
Some U.S. computer defenses are already linked with those of its
allies, notably through existing intelligence-sharing partnerships with
Britain, Canada, Australia and NATO. But "far greater levels of
cooperation" are needed to stay ahead of the threat, Lynn says.
NATO's secretary-general, Anders Fogh Rasmussen, "believes that this
is a growing problem and that it can reach levels that can threaten the
fundamental security interests of the alliance," NATO spokesman James
A Rasmussen-compiled draft of a new NATO vision statement is due to
be approved by NATO states at a November 19-20 summit in Lisbon and will
endorse a more prominent cyber defense role for the alliance.
They all agree that castle walls alone are no longer an option.