The U.S. faces a cybersecurity threat of such magnitude that the next President should move quickly to create a Center for Cybersecurity Operations and appoint a special White House advisor to oversee it. Those are among the recommendations in a 44-page report by the U.S. Commission on Cybersecurity, a version of which will be made public today. The bipartisan panel includes executives, high-ranking military officers and intelligence officials, leading specialists in computer security, and two members of Congress.
To compile the report, which is entitled "Securing Cyberspace in the 44th Presidency," commission members say they reviewed tens of thousands of pages of undisclosed documentation, visited forensics labs and the National Security Agency, and were briefed in closed-door sessions by top officials from Pentagon, CIA, and British spy agency MI5. From their research, they concluded that the U.S. badly needs a comprehensive cybersecurity policy to replace an outdated checklist of security requirements for government agencies under the existing Federal Information Security Management Act.
The report calls for the creation of a Center for Cybersecurity Operations that would act as a new regulator of computer security in both the public and private sector. Active policing of government and corporate networks would include new rules and a "red team" to test computers for vulnerabilities now being exploited with increasing sophistication and frequency by identity and credit card thieves, bank fraudsters, crime rings, and electronic spies. "We're playing a giant game of chess now and we're losing badly," says commission member Tom Kellermann, a former World Bank security official who now is vice-president of Security Awareness at Core Security.
Obama seems on board
Kellermann should know: He had a hand in crafting the nation's cybersecurity strategy in 2003. But as he tells it, government efforts led by the Homeland Security Dept. have been stymied by bureaucratic confusion and an unwillingness by agencies and corporations to share information about cyber break-ins. The commission's report catalogues incidents afflicting financial institutions, large corporations, and government agencies, including some first detailed publicly over the last year in various BusinessWeek articles. In an ominous note for the private sector, the commission notes that "senior representatives from the intelligence community told us they had conclusive evidence covertly obtained from foreign sources that U.S. companies have lost billions in intellectual property." For more on the spread of malicious software, read Saturday's New York Times article, "Thieves Winning Online War, Maybe Even in Your Computer."
Kellermann describes a behind-the-scenes effort by several members of the commission, five of whom are advisers on President-elect Barack Obama's transition team, to convince him of the need for action "to stop the hemorrhaging of national secrets, proprietary information, and personal data. We need to begin to deal with this cancer." Informal briefings by members of the commission, starting last July, seem to have affected Obama's thinking, sources say. Those who worry about the problem are heartened by his July 16 vow to "declare our cyber-infrastructure a strategic asset" and to "bring together government, industry, and academia to determine the best ways to guard the infrastructure that supports our power." At the time, the candidate also pledged that, if elected, he would appoint a "national cyber advisor" who would report directly to the President.
The threat from China
Over the past 11 months, BusinessWeek has examined high-tech security threats to U.S. weapons systems and to government and defense industry computer networks. The three main installments in the BusinessWeek series were based on previously undisclosed documents and interviews with more than 100 current and former government employees, defense industry executives, and people with ties to U.S. military, space, and intelligence agencies. They are: E-spionage (BusinessWeek, 4/10/08), Dangerous Fakes (BusinessWeek, 10/2/08), and The Taking of NASA's Secrets (BusinessWeek, 11/20/08).
As the world's corporations, governments, military forces, and computer users have gravitated to the Web, so have competitors, adversaries, criminals, and spies, including government-backed electronic operatives establishing footholds for potential attacks, according to groups such as the congressionally created U.S.-China Economic & Security Review Commission, which warned on Nov. 21 of the threat from China (BusinessWeek.com, 11/21/08).
"The damage from cyber attack is real," states the cybersecurity group's report, referring to intrusions last year at the departments of Defense, State, Homeland Security, and Commerce, and at NASA and the National Defense University.
Hacking for 'friendly fire'
The report continues: "The Secretary of Defense's unclassified e-mail was hacked and DOD officials told us that the department's computers are probed hundreds of thousands of times each day; a senior official at State told us the department has lost 'terabytes' of information; Homeland Security suffered 'break-ins' in several of its divisions, including the Transportation Security Agency; Commerce was forced to take the Bureau of Industry and Security offline for several months; NASA had to impose e-mail restrictions before shuttle launches and allegedly has seen designs for new launchers compromised. Recently, the White House itself had to deal with unidentifiable intrusions in its networks."
The report mentions some of the most severe threats, such as those being faced by U.S. war fighters in Iraq and Afghanistan, only hypothetically. It notes, for instance, that "the U.S. has a 'blue-force tracking' that tells commanders where friendly forces are located," and then goes on to posit a scenario under which an opponent could turn some of the blue signals to red, a color used to flag adversaries' forces. The implication is that an intruder might, for instance, provoke a so-called friendly-fire incident in which U.S. fighters mistakenly target U.S. personnel.
At least six members of the commission approached by BusinessWeek declined to share specifics of the most recent intrusions into the computers of companies, the Pentagon, the U.S. Central Command, and important centers of military operations such as Bagram Air Base in Afghanistan. Defense and intelligence officials also declined to describe the operational impacts of that massive penetration of corporate and military networks, but they did confirm that it culminated Nov. 22 in the raising of U.S. Strategic Command's threat level—known as INFOCON—which entailed banning plug-in devices such as thumb drives throughout the U.S. military and in some allied forces. Emergency briefings were also given to Obama and President Bush.
U.S. military fights agent.btz
As first reported Nov. 28 by Los Angeles Times in "Cyber-Attack on Defense Department Computers Raises Concerns,", the intrusion and compromise of the U.S. military networks began with a piece of malicious software—or malware—known as agent.btz, which has also afflicted corporate networks in recent months, U.S. military officials and private cybersecurity specialists confirmed. Such intrusions have grown increasingly sophisticated and difficult to trace to their origins. The latest generation of malware, developed by gangs and governments with large sums of money at their disposal, can easily cloak its activities and capabilities.
Complicating the cleanup is not only the nature of the malicious software, but the sheer scale of the task: The U.S. military has around 7 million vulnerable electronic devices. U.S. military officials tell BusinessWeek that assuring themselves that they have cleansed their computers of the intruders that gained a foothold via agent.btz has grown increasingly uncertain and expensive. Forensics examinations and the reprogramming of each computer—which continues in the Pentagon, in Central Command headquarters in Tampa, and in military installations in Afghanistan—costs around $5,000 to $7,000 per machine, sources said.
Kellermann and other computer security consultants declined to discuss the threat to the U.S. military, though several said they were intimately familiar with it. But Kellermann said it was yet another example of how "the cyber security threat has really gotten out of control. But it's not only a national security threat. It's an economic security threat."