Special report: The Pentagon's new cyber warriors
WASHINGTON (Reuters) - Guarding water wells and granaries from enemy raids is as old as war itself. In the Middle Ages, vital resources were hoarded behind castle walls, protected by moats, drawbridges and knights with double-edged swords.
Today, U.S. national security planners are proposing that the 21st century's critical infrastructure -- power grids, communications, water utilities, financial networks -- be similarly shielded from cyber marauders and other foes.
The ramparts would be virtual, their perimeters policed by the Pentagon and backed by digital weapons capable of circling the globe in milliseconds to knock out targets.
An examination by Reuters, including dozens of interviews with military officers, government officials and outside experts, shows that the U.S. military is preparing for digital combat even more extensively than has been made public. And how to keep the nation's lifeblood industries safe is a big, if controversial, aspect of it.
"The best-laid defenses on military networks will matter little unless our civilian critical infrastructure is also able to withstand attacks," says Deputy U.S. Defense Secretary William Lynn, who has been reshaping military capabilities for an emerging digital battlefield.
Any major future conflict, he says, inevitably will involve cyber warfare that could knock out power, transport and banks, causing "massive" economic disruption.
But not everyone agrees that the military should or even can take on the job of shielding such networks. In fact, some in the private sector fear that shifting responsibility to the Pentagon is technologically difficult -- and could prove counterproductive.
For the moment, however, proponents of the change seem to have the upper hand. Their case has been helped by the recent emergence of Stuxnet, a malicious computer worm of unknown origin that attacks the programmable logic controllers used to run industrial equipment.
Experts describe the code as a first-of-its-kind guided cyber missile. Stuxnet has hit Iran especially hard, possibly slowing progress on Tehran's nuclear program, as well as causing problems elsewhere.
Stuxnet was a cyber shot heard around the world. Russia, China, Israel and other nations are racing to plug network gaps. They also are building digital arsenals of bits, bytes and logic bombs -- code designed to interfere with a computer's operation if a specific condition is met, according to experts inside and outside the U.S. government.
THE WORMS ARE COMING!
In some ways, the U.S. military-industrial complex -- as President Dwight Eisenhower called ties among policymakers, the armed forces and arms makers -- is turning into more of a military-cyber-intelligence mash-up.
The Pentagon's biggest suppliers -- including Lockheed Martin Corp, Boeing Co, Northrop Grumman Corp, BAE Systems Plc and Raytheon Co -- each have big and growing cyber-related product and service lines for a market that has been estimated at $80 billion to $140 billion a year worldwide, depending on how broadly it is defined.
U.S. officials have shown increasing concern about alleged Chinese and Russian penetrations of the electricity grid, whose control and business systems are increasingly connected to the Internet. Beijing, at odds with the United States over Taiwan arms sales and other thorny issues, has "laced U.S. infrastructure with logic bombs," former National Security Council official Richard Clarke writes in his 2010 book "Cyber War," a charge China denies.
Such concerns explain the Pentagon's push to put civilian infrastructure under its wing by creating a cyber realm walled off from the rest of the Internet. It would feature "active" perimeter defenses, including intrusion monitoring and scanning technology, at its interface with the public Internet, much like the Pentagon's "dot.mil" domain with its more than 15,000 Defense Department networks.
The head of the military's new Cyber Command, Army General Keith Alexander, says setting it up would be straightforward technically. He calls it a "secure zone, a protected zone." Others have dubbed the idea "dot.secure."
"The hard part is now working through and ensuring everybody's satisfied with what we're going to do," Alexander, 58, told reporters gathered recently near his headquarters at Fort Meade, Maryland.
Alexander also heads the National Security Agency, or NSA, the super-secretive Defense Department arm that shields national security information and networks, and intercepts foreign communications.
The Pentagon is already putting in place a pilot program to boost its suppliers' network defenses after break-ins that have compromised weapons blueprints, among other things. Lynn told Alexander to submit plans, in his NSA role, for guarding the so-called defense industrial base, or DIB, that sells the Pentagon $400 billion in goods and services a year.
"The DIB represents a growing repository of government information and intellectual property on unclassified networks," Lynn said in a June 4 memo obtained by Reuters.
He gave the general 60 days to develop the plan, with the Homeland Security Department, to provide "active perimeter" defenses to an undisclosed number of Pentagon contractors.
"We must develop additional initiatives that will rapidly increase the level of cybersecurity protection for the DIB to a level equivalent to the (Department of Defense's) unclassified network," Lynn wrote.
The Pentagon, along with the Homeland Security department, is now consulting volunteer "industry partners" on the challenges private sector companies envision, said Air Force Lieutenant Colonel Rene White, a Pentagon spokeswoman, in a status report.
Some see the Pentagon's proposed new ring around certain critical services as a throwback almost to the dark ages.
"Dot.secure becomes new Target One," says Richard Bejtlich, General Electric Co's director of incident response. "I can't think of an easier way to help an adversary target the most critical information on industry computers."
Bejtlich and others say such an arrangement would only be as strong as its weakest link, vulnerable to compromise in many ways. "I guarantee users will want to and need to transfer information between their normal company Internet-connected computers and 'dot.secure'," he says. "Separation is a fool's goal."
Utilities already use encrypted, password-controlled systems to handle communication between power plants and large-scale distribution systems.
Trying to move that traffic off the existing Internet onto an independent computer network would be expensive, and would not necessarily guarantee security.
"Even a private network is only so secure," said Dan Sheflin, a vice president at Honeywell International Inc who works on grid-control technology. "A big threat is employees walk in, unknowingly or knowingly, with (an infected) thumb drive, plug it in, put their kids' pictures on their PC and, oh boy, something's on the network. Those are things that even a private network could be subject to."
Rather than building a new network, a more practical solution could be improving the security of existing systems.
"The real issue is not letting people in and having layers of defense if they do get in to isolate them and eradicate them," said Sheflin, of Honeywell, which makes grid components ranging from home thermostats to automation systems to run power plants. "This is a very difficult problem. We are up against well-funded groups who can employ many people who spend their time trying to do this."
Greg Neichin of San Francisco-based Cleantech Group LLC, a research firm, says utility companies already are well aware of the need to guard their infrastructure, which can represent billions of dollars of investment. "Private industry is throwing huge sums at this already," he says. "What is the gain from government involvement?"
Companies ranging from Honeywell to General Electric Co -- whose chief executive, Jeff Immelt, called the U.S. energy grid a relic last month -- are pushing the drive toward a "smart grid."
That model would permit two-way communication between power producers and consumers, so a utility could avoid a blackout during a peak demand time by sending a signal to users' thermostats to turn down air conditioning, for instance. Such a system could also allow variable pricing -- lowering prices during off-peak demand times, which would encourage homeowners to run major appliances like dishwashers and washing machines in the evenings, when industrial demand declines.
Neichin is worried that efforts to wall off grid-related communication could stifle that kind of innovation.
But even Sheflin of Honeywell argues that private companies are not likely to solve a problem of this magnitude on their own. "The government needs to be involved in this," he said. "There is going to have to be someone that says, 'Wait a minute, this is of paramount importance.' I don't think it's going to be private industry that will raise the red flag."
A Pentagon spokesman said he could not address industry concerns right now, but the Defense Department would do so before long. Still, the military's proposal faces other complications.
WHO'S IN CHARGE?
The U.S. Department of Homeland Security now leads efforts to secure federal non-military systems, often described as the Internet's "dot.gov" domain. It also has the lead in protecting critical infrastructure. NSA and Cyber Command lend a hand when asked to do so, including by U.S. companies seeking to button up their networks.
The idea of letting the Defense Department wall off certain private-sector networks is highly tricky for policymakers, industry and Pentagon planners. Among the issues: what to protect, who should be in charge, how to respond to any attack and whether the advent of a military gateway could hurt U.S. business's dealings overseas, for instance for fear of Pentagon snooping.
In addition, the 1878 Posse Comitatus Act generally bars federal military personnel from acting in a law-enforcement capacity within the United States, except where expressly authorized by the Congress.
Alexander says the White House is considering whether to ask Congress for new authorities as part of a revised team approach to cyber threats that would also involve the FBI, the Department of Homeland Security and the Defense Department.
There are persistent signs of strains between Cyber Command and the Homeland Security Department over how to enhance the U.S. cybersecurity posture.
"To achieve this, we have to depart from the romantic notion of cyberspace as the Wild Wild West," Homeland Deputy Secretary Jane Lute told the annual Black Hat computer hackers' conference in Las Vegas in July. "Or the scary notion of cyberspace as a combat zone. The goal here is not control, it's confidence."
Alexander alluded to those tensions when describing planning meetings for Cyber Storm III, a three-day exercise mounted by U.S. Homeland Security last week with 12 other countries plus thousands of participants across government and industry. It simulated a major cyber attack on critical infrastructure.
"Defense Department issues versus Homeland Security issues," he told the House of Representatives Armed Services Committee on September 23. "And that's probably where you'll see more friction. So how much of each do you play? How radical do you make the exercise?"
President Barack Obama's cybersecurity coordinator, Howard Schmidt, is working with Congress and within the administration to develop policies and programs to improve U.S. cybersecurity, says a White House spokesman, Nicholas Shapiro.
Obama, proclaiming October National Cybersecurity Awareness Month, said protecting digital infrastructure is a "national security priority."
"We must continue to work closely with a broad array of partners -- from federal, state, local and tribal governments to foreign governments, academia, law enforcement and the private sector -- to reduce risk and build resilience in our shared critical information and communications infrastructure," he said.
VIRTUAL CASTLE WALLS
Active defenses of the type the military would use to shield a "dot.secure" zone represent a fundamental shift in the U.S. approach to network defense, Lynn says. They depend on warnings from communications intercepts gathered by U.S. intelligence.
Establishing this link was a key reason for the creation of Cyber Command, ordered in June 2009 by Defense Secretary Robert Gates after he concluded that the cyber threat had outgrown the military's existing structures.
"Policymakers need to consider, among other things, applying the National Security Agency's defense capabilities beyond the ".gov" domain, such as to domains that undergird the commercial defense industry," Lynn wrote in the September/October issue of Foreign Affairs.
"The Pentagon is therefore working with the Department of Homeland Security and the private sector to look for innovative ways to use the military's cyber defense capabilities to protect the defense industry," he said.
U.S. Senator Sheldon Whitehouse, who led a Senate Intelligence Committee cyber task force that submitted a classified report to the panel in July, has floated a similar idea, drawing an analogy to medieval fortresses.
"Can certain critical private infrastructure networks be protected now within virtual castle walls in secure domains where those pre-positioned offenses could be both lawful and effective?" he asked in a July 27 floor speech.
"This would obviously have to be done in a transparent manner, subject to very strict oversight. But with the risks as grave as they are, this question cannot be overlooked," said the Rhode Island Democrat. "There is a concerted and systematic effort under way by national states to steal our cutting-edge technologies."
The "dot.secure" idea may be slow in getting a full congressional airing. More than 40 bills on cyber security are currently pending. The chairman of the House Armed Services Committee, Missouri Democrat Ike Skelton, told Reuters he was not ready to pass judgment on possible new powers for Cyber Command.
Cyber Command leads day-to-day protection for the more than 15,000 U.S. defense networks and is designed to mount offensive strikes if ordered to do so.
The command has already lined up more than 40,000 military personnel, civilians and contractors under Alexander's control, nearly half the total involved in operating the Defense Department's sprawling information technology base.
It is still putting capabilities in place from across the military as it rushes to reach full operational capability by the end of this month. Reuters has pinned down the numbers involved for each service.
The Air Force component, the 24th Air Force, will align about 5,300 personnel to conduct or support round-the-clock operations, including roughly 3,500 military, 900 civilian and 900 contractors, said spokeswoman Captain Christine Millette. The unit was declared fully operational on October 1, including its 561st Network Operations Squadron based at Peterson Air Force Base, Colorado, where it operates, maintains and defends Air Force networks.
The Navy adds about 14,000 active duty military and civilian employees serving at information operations, network defense, space and telecommunication facilities around the world. They are now aligned operationally under the U.S. Fleet Cyber Command, said spokesman Commander Steve Mavica.
The Army contributes more than 21,000 soldiers and civilians, including the Army Intelligence and Security Command, for cyber-related actions, said Lieutenant Colonel David Patterson, an Army spokesman.
The Marine Corps will assign roughly 800 of its forces to "pure" cyber work, according to Lieutenant General George Flynn, deputy commandant for combat development.
Cyber Command's headquarters staff will total about 1,100, mostly military, under a budget request of about $150 million for the fiscal year that started October 1, up from about $120 million the year before.
Beside guarding Defense Department computers, the nation's cyber warriors could carry out computer-network attacks overseas with weapons never known to have been used before.
"You can turn a computer or a power plant into a useless lump of metal," says a former U.S. national security official familiar with the development of U.S. cyber warfare capabilities. "We could do all kind of things that would be useful adjuncts to a balanced military campaign."
Such weapons could blow up, say, a chemical plant by instructing computers to raise the temperature in a combustion chamber, or shut a hydro-electric power plant for months by sabotaging its turbines.
Scant official information is available on the development of U.S. cyber weapons, which are typically "black" programs classified secret. They are software, and they may be aimed at blinding, jamming, deceiving, overloading and intruding into a foe's information and communications circuits.
An unclassified May 2009 U.S. Air Force budget-justification document for Congress lifted the veil on one U.S. cyber weapon program. It described "Project Suter" software, apparently designed to invade enemy communication networks and computer systems, including those used to track and help shoot down enemy warplanes.
"Exercises provide an opportunity to train personnel in combined, distributed operations focused on the 'Find, Fix and Finish' process for high-value targets," says the request for research, development, test and evaluation funds.
The U.S. Air Force Space Command has proposed the creation of a graduate-level course for "network warfare operations." The proposed five-and-a-half-month class would produce officers to lead weapons and tactics development "and provide in-depth expertise throughout the air, space and cyberspace domains focused on the application of network defense, exploitation and attack," Lieutenant Colonel Chad Riden, the space command's Weapons and Tactics branch chief, said in an emailed reply to Reuters.
GEORGIA ON THEIR MIND
The world got a glimpse of what lower-level cyber warfare might look like in Estonia in 2007 and in Georgia in 2008 when cyber attacks disrupted networks amid conflicts with Russia.
Now, the Stuxnet worm is taking worries about cyber warfare to new heights as the first publicly reported case of malicious software designed to sabotage industrial control systems.
"Stuxnet is a working and fearsome prototype of a cyber-weapon that will lead to a new arms race in the world," said Kaspersky Lab, a Moscow-based security software vendor. "This time it will be a cyber arms race."
The program specifically targets programmable logic controllers, and the engineering software used to program them, built by Siemens AG, a German equipment maker. Iran, the target of U.N. sanctions over its nuclear program, has been hit hardest of any country by the worm, according to security vendors such as the U.S. company Symantec.
Asked about Stuxnet, U.S. Navy Vice Admiral Bernard McCullough, head of Cyber Command's Navy component, told Reuters: "It has some capabilities we haven't seen before."
Discovered in June, Stuxnet -- named for parts of its embedded code -- is capable of reprogramming software that controls such things as robot arms, elevator doors and HVAC climate control systems, said Sean McGurk, who has studied it for the U.S. Department of Homeland Security at an Idaho lab that grabs live viruses from the Internet and serves as a kind of digital Petri dish.
"We're not looking right now to try to attribute where it came from," McGurk told reporters at the National Cybersecurity and Communications Integration Center that he runs in Arlington, Virginia. "What we're focusing on now is how to mitigate and prevent the spread," he said on September 24.
And then there is China. Its cyber clout has been a growing concern to U.S. officials amid bilateral strains over U.S. arms sales to Taiwan, Beijing's currency policies, its territorial claims in the South China Sea and other irritants.
Beijing appears to have thoroughly pierced unclassified U.S. government networks, said Dmitri Alperovitch, who heads Internet-threat intelligence analysis and correlation for McAfee, a software and security vendor that counts the Pentagon among its clients.
"In the U.S. when you're sending an email over an unclassified system you might as well copy the Chinese on that email because they'll probably read it anyway because of their pretty thorough penetration of our network," he says.
Still, Chinese cyber capabilities lag those of the United States, Russia, Israel and France in that order, adds Alperovitch. He headed McAfee's investigation into Aurora, a codename for a cyber espionage blitz on high-tech Western companies that led Google to recast its relationship with China earlier this year.
Cyber arms entail "high reward, low risk" says Jeffrey Carr, a consultant to the United States and allied governments on Russian and Chinese cyber warfare strategy and tactics.
Lynn, the deputy defense secretary steering the military's cyber overhaul, went to Brussels on September 14 to brief NATO allies on U.S. cyber defense initiatives. He encouraged them to take action to secure NATO networks, said Bryan Whitman, a Pentagon spokesman.
Some U.S. computer defenses are already linked with those of its allies, notably through existing intelligence-sharing partnerships with Britain, Canada, Australia and NATO. But "far greater levels of cooperation" are needed to stay ahead of the threat, Lynn says.
NATO's secretary-general, Anders Fogh Rasmussen, "believes that this is a growing problem and that it can reach levels that can threaten the fundamental security interests of the alliance," NATO spokesman James Appathurai said.
A Rasmussen-compiled draft of a new NATO vision statement is due to be approved by NATO states at a November 19-20 summit in Lisbon and will endorse a more prominent cyber defense role for the alliance.
They all agree that castle walls alone are no longer an option. (Additional reporting by Jim Finkle and Scott Malone in Boston; David Brunnstrom in Brussels; editing by Jim Impoco and Claudia Parsons)