In an earlier post, I suggested that the Stuxnet worm (some experts are pointedly calling it a trojan – I think both terms apply) could be considered the opening salvo in an as-yet undeclared cyber-war. Go ahead, accuse me of being melodramatic. Although no one is unambiguously taking credit for Stuxnet, the current consensus is that the malware was indeed an attack upon one nation by another.
In subsequent posts I have detailed the escalating vulnerability of civilian populations worldwide as intelligence and connectivity are added to elements of the critical infrastructure, including manufacturing, transportation, utilities, communications, and municipal services. The computerish components that automate services and coordinate communication are not well protected, to put it mildly. Many of the embedded systems used in industrial automation employ manufacturers' default passwords that are listed in documentation available for download over the Internet. Some default passwords are burned into ROM chips.
In the face of all this vulnerability, an unsettling idea has emerged. Since we probably can't make our intelligent networks invulnerable, maybe we should proactively launch the first attacks ourselves.
That, at least, is the suggestion of Herbert Lin, chief scientist at the Computer Science and Telecommunications Board at the U.S. National Research Council. In a presentation at a recent MIT/Harvard conference co-sponsored by the Council on Foreign Relations, Lin noted that experts are unable to build effective defenses against cyber-attack. The MIT Technology Review quotes Lin as saying, “Since you don't know how to do good defense, you can't prevent offensive dominance. And you can't do good deterrence because effective retaliation is hard. So if you want to take advantage of cyberspace, you will do offensive operations for nondefensive purposes.”
“We can't just defend,” agreed General Keith B. Alexander, head of the National Security Agency and the U.S. Cyber Command. Speaking at the U.S. Strategic Command's Cyber and Space Symposium last month, he said the U.S. must have the ability to attack other countries electronically. Such attacks might be launched in retaliation for state-sponsored cyber-espionage (it is widely believed that such spying has been conducted by Russia, China, and other governments) or for other reasons.
According to a November 2011 report to Congress, the Department of Defense “maintains, and is further developing, the ability to respond militarily in cyberspace.”
Earlier in 2011, Congress debated a bill that would give the President the power to shut off the Internet in the face of war and other national emergencies. The “kill switch” provision was removed from the bill after the Obama administration assured legislators that the War Powers Resolution already authorized such steps. Air Force General Robert Kehler, who heads the U.S. Strategic Command, told reporters, “I do not believe we need new explicit authorities to conduct offensive [cyber-war] operations of any kind.”
The authority to launch offensive cyber-war strikes is explicitly given to the President and the Pentagon in the fine print of the Defense Department's 2012 funding bill, which says, “Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace.” The bill continues, “[I]n certain instances, the most effective way to deal with threats and protect U.S. and coalition forces is to undertake offensive military cyber activities, including where the role of the United States Government is not apparent or to be acknowledged.”
Is it just me, or does all of this seem more than a little scary?
Web recommendation: I read a lot of government documents while preparing today's report, which was not much fun. The good parts are often buried deep in the fine print. That's the case with today's Web pick too. The page – it's here – is a National Transportation Safety Board analysis of a 2010 schoolbus crash in Gray Summit, Missouri. Investigators examined all the evidence and tried to identify the factors contributing to the crash. At the very end, the NTSB makes recommendations, including this one: “To the 50 states and the District of Columbia: (1) Ban the nonemergency use of portable electronic devices (other than those designed to support the driving task) for all drivers.” That's right, the NTSB is urging the states to outlaw the use of cell-phones, including hands-free devices, at all times. I actually think it's a pretty good suggestion, but I find it odd how the proposal is buried at the bottom of the page. It's a crazy world. J.D. says check it out.
J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He thinks this is shaping up to be a pretty good weekend.