More than two dozen professional hackers have set up operations in exurban Virginia beside a mock military headquarters made of plywood. Huddled over laptops, they are preparing to launch a vicious barrage of cyberattacks. Once they break into their targets' computer networks, the nefarious possibilities are myriad: shutting off phone lines, overloading citywide emergency response systems, or simply slinking around to pilfer passwords.

Not far away, the defenders prepare for the onslaught they know is coming during the two-day "Cyberdawn" exercise, one of the country's premier electronic war games. It is run with the help of volunteers by the private firm White Wolf Security, which also arranges closed war games for some federal agencies. The chance to test their cyberskills has attracted groups from private companies as well as the U.S. military. Ten teams, including those from West Point and the Air Force Academy, have traveled across the country to take part in the game in the hopes of protecting a simulated digital network linking phone systems, Social Security numbers, and power grids on which 10,000 fictitious citizens rely.

The exercise pits teams from the U.S. military, the military's service academies, corporations, and even teenage computer savants against live hackers who look surprisingly innocuous. Most could easily be mistaken for middle-aged accountants, in neat khaki slacks and button-up shirts. Others are sporting Puma training jackets and baseball caps. The de facto leader of the group has donned a stylish black bowling shirt with a name patch that reads, simply, "Hacker." They have been instructed to use any means short of causing physical damage to exploit the vulnerabilities of their prey, placing them on the front line of what is an increasingly vital area of national security--the art and practice of offensive cyberwar.

Public debate about cyberspace revolves almost exclusively around questions of defense. Are retailers adequately protecting their customers' credit card information? How can home computers be immunized against nettlesome viruses? When will the Pentagon more effectively be able to stop hackers in Russia and China from stealing military secrets?

Offensive cyberwar itself can encompass espionage, intercepting communications, and disabling computers and other infrastructure. The United States has those capacities, but the scope of the arsenal receives far less ink than the status of the country's defense. The Obama administration issued a report on that aspect in May and announced the creation of a cybersecurity czar to organize defense. But the sections of the report that address the country's offense remain highly classified, according to officials familiar with its contents. That's frustrating to many people in the national security field. "The only way that deterrence works is if the other side knows that you have weapons and the willingness to use them," says Charles Dodd, an expert in cyberwar at the security firm Nicor Global, who advises the House Armed Services Committee on cyberthreats sponsored by foreign nations.

The technical details behind these operations are very hush-hush, as disclosing them inevitably exposes the sources and methods of intelligence collection or military exploitation. The Pentagon, for instance, is keen to protect what hackers call "zero-day exploits," an industry term for vulnerabilities that enemies do not yet know exist. "There's a never-ending race for them," says Tim Rosenberg, who founded White Wolf Security. "You find it; now how long can you use it before the rest of the world finds out about it and you've got to move on to the next vulnerability? It's a never-ending game of leapfrog."

Despite the secrecy, brief glimpses of several cyberwar incursions have surfaced recently. The New York Times reported this year, for example, that some of the best information the intelligence community has collected on the Iranian nuclear program came from a hack into that country's computer networks. Remotely hacking into al Qaeda laptops, meanwhile, is within the purview of the nation's spy agencies, says researcher and former intelligence officer Mathew Aide, who recently wrote The Secret Sentry, a book about the National Security Agency. He says that the NSA's Tailored Access Operation Group employs a cadre of Navy computer technicians who spend their days in rooms protected by James Bond-esque retinal scanners deep inside NSA headquarters at Fort Meade in Maryland. But their activities are more often focused on monitoring communications than on remotely erasing hard drives or crashing power grids.

In 2004, Thomas Reed, a retired senior national security official, revealed the extraordinary story of how the CIA tricked the Soviet Union into stealing doctored software that later destabilized the trans-Siberian gas pipeline. That fancy bit of hacking caused a massive explosion in a wilderness section of the pipeline in 1982 that was visible from space and equivalent in size to that of a 3-kiloton nuclear weapon, according to Reed, who at the time sat on the National Security Council. Russian government officials have denied that the explosion was the result of a CIA hack. But in 2001 a special committee of the European Union's Parliament accused the United States of using its Echelon global spy network to steal secrets that enabled U.S. companies to beat the European consortium, Airbus, to aircraft contracts in the mid 1990s.

Three former senior military officials involved in electronic warfare, speaking on the condition of anonymity for this article, say that the United States contemplated a cyberattack against the Iraqi financial system around the time of the 2003 invasion. The plan was abandoned after analysts predicted it could shatter confidence in the global banking system. "Seizing or freezing those funds during the war could cause havoc afterwards, even beyond the Middle East, if people felt that they couldn't trust the banks to protect their money," says one official.

Communications and computer networks are the most obvious targets for cyberwar. But as technology spreads into more areas of the human experience, the possibilities for hacking grow exponentially. One potential application could be hacking into an enemy dictator's digital pacemaker, for instance, and making it go haywire. It is technologically feasible and would be the geek equivalent of a well-placed marksman's bullet, hackers say. They call it "digital sniping." Or hackers could break into an enemy country's banking system and scramble or delete accounts to cause havoc in the streets and a collapse of confidence in the government. "Accessing networks or disabling physical infrastructure remotely is, frankly, cheaper and safer. People do not have to risk their lives stealing documents, and pilots don't have to take antiaircraft fire bombing power stations," says one former senior intelligence official familiar with aspects of offensive cyberwar.

White Wolf's Rosenberg foresees a new generation of hybrid warriors. A former soldier and cyberwarfare go-to guy for the defense industry, he imagines one day deploying U.S. military cyberforces who might work in conjunction with special-operations units to remotely shut down power to a building prior to a military strike or hack into a security camera and kill the video feed. "There are all kinds of ways you can conduct cyber-physical operations," says Rosenberg, who adds that the field should also be considered a career track, which would enable the military to rank skill levels.

However, launching cyberattacks is illegal, which makes it tricky to train what Rosenberg calls "cybersamurai." The Defense Advanced Research Projects Agency, the research arm of the Pentagon, plans to build a national cyber-range to test offensive cyberweapons. The project is years from completion, but in the meantime the Obama administration allocated some $50 million in the defense authorization bill signed last month. Meanwhile, members of the military use exercises like Cyberdawn to improve their proficiency. In the course of defending themselves against professional hackers, soldiers and cadets learn skills that they hope will translate to the battlefield, where in the future they might be launching attacks of their own against enemy computer systems. "One of the questions we were constantly being asked is why don't we teach offensive attacks," says Col. Joe Adams, a former West Point professor who coached the academy's cyberdefense team and is attending Cyberdawn. "They learn offensive skills, but they don't get a chance to practice them. But they need to--it's a perishable skill."

Over time, specialists guarding the barricades begin to feel like Sisyphus, the mythical Greek condemned to an eternity of pushing a boulder up a hill only to have it roll back down again. And on a number of occasions, the only defense is isolation. In 2007, amid a larger political dispute, hackers apparently based in Russia mounted cyberattacks against Estonia, shutting down ATMs and newspaper and government websites. To halt the onslaught, the Estonian government cut international Internet connections, isolating the country from the rest of the cyberworld.

At Cyberdawn, the military's best-case scenario often involves sacrificing security in some realms in the hopes of defending others, says Col. Barry Hensley, director of the Army Global Network Operations and Security Center since May 2008. "In many cases, you cannot secure the entire network," he says, noting that at least half of all computer systems in the Army have "had a security situation" within their networks at one time or another. "Am I concerned? I am," he adds. "Few people know the predicament we're in."

The predicament is also a costly one. A malicious worm attack in the Pentagon's computer networks this year has cost millions of dollars to mitigate. Last month, Deputy Defense Secretary William Lynn noted that though the Internet has shifted national defense paradigms, the technology itself is still young. "In terms of cybersecurity, we're still in the era of biplanes and dirigibles."

America's technological dependence and vulnerability to attacks explain why officials are reluctant to discuss the U.S. cyberarsenal. "Right now we have the brain capacity to launch attacks, but we have neither the technology nor the personnel to fight off a counterattack, nor the means to know exactly where an attack comes from," says James Lewis, a cybersecurity researcher at the Center for Strategic and International Studies.

An attack launched from Russia against Washington, for example, could be routed through North Korea or the United Kingdom, making it difficult if not impossible to ascertain the culprit. "So we have a capacity to hit back, but how do you know who to hit? And how do you know that the target you are hitting was actually responsible?" says Fred Rica, a cybersecurity expert with PricewaterhouseCoopers. Computer security officials from around the globe are still trying to piece together the origins of cyberattacks against Georgia that coincided with Russian military operations against the country in August 2008.

In other cases, the perpetrators are more obvious. The Chinese government, while publicly denying offensive cyberoperations, makes little effort to hide its activities, according to the U.S. intelligence community. Congressional leaders have been told for years that China is one of the most aggressive players in state-sponsored hacking. "The U.S. doesn't define what constitutes an act of cyberwar, so countries like China--while publicly denying it--are going full speed ahead to take advantage of us," says Nicor Global's Dodd. "It would be good to see the government putting some money behind offensive capabilities to fight back."

Back at Cyberdawn, the vulnerabilities are becoming apparent. Hacker Paul Asadoorian is deploying "agents" into his victims' operating systems and begins running a customized attack program. "Now I can do all sorts of fun things," he says as he pulls up the start menu of his opponent's computer. "I can jump into the system--here's a screen shot," he says, pointing at the monitor as he takes note of what's running on the network. This includes a screen shot of everything his victims are typing and reading. "And they have no idea I am here," he says.

There's no doubt the cyberwar learning curve is steep. An hour after the cyberattacks begin, the Air Force Academy team is desperately trying to shield its ersatz phone system. "I'm sure it's just a matter of time before we start yelling at each other," says Rob Cilla, a 19-year-old sophomore at the academy. Minutes later, the system has been hacked.

 

 

Securing the Information Highway
Wesley K. Clark and Peter L. Levin

The Obama administration recognizes that the United States is utterly dependent on Internet-based systems and that its information assets are precariously exposed. Accordingly, it has made electronic network security a crucial defense priority. But that is only the tip of the iceberg.

(c) 2009 U.S. News & World Report