(Bernd Debusmann is a Reuters columnist. The opinions expressed are his own)
By Bernd Debusmann
WASHINGTON - At the height of the Cold War, a Soviet oil pipeline blew up in an explosion so huge that the American military suspected a nuclear blast. A quarter of a century later, the incident serves as an object lesson in successful cyber warfare.
The pipeline blew up, with disastrous consequences for the Soviet economy, because its pumps, valves and turbines were run by software deliberately designed to malfunction. Made in the U.S. and doctored by the CIA, it passed into Soviet hands in an elaborate game of deception that left them unaware they had acquired "bugged" software.
"The pipeline software...was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds. The result was the most monumental non-nuclear explosion ever seen from space," Thomas C. Reed, a former air force secretary, wrote in his 2004 memoir.
The pipeline explosion was probably the first major salvo in what has since become known as cyber warfare. The incident has been cropping up in increasingly urgent discussions in the U.S. on how to cope with attacks on military and civilian computer networks and control systems - and how and when to strike back.
Air traffic control, power plants, Wall Street trading systems, banks, traffic lights and emergency responder communications could all be targets of attacks that could bring the U.S. to its knees. As Michael McConnell, the Director of National Intelligence, put it in recent testimony to a Senate committee:
"Our information infrastructure - including the Internet, telecommunications networks, computer systems and embedded processors and controllers in critical industries - increasingly is being targeted...by a growing array of state and non-state adversaries." Cyber attacks, he said, had grown more sophisticated and more serious.
The Pentagon says it detects three million attempts to infiltrate its computer networks every day. There are no estimates of how many probes are successful but last year the Pentagon had to take 1,500 computers off line because of a concerted attack from unknown hackers.
POOR SECURITY, DEVASTATING CONSEQUENCES
How tight are the U.S. government's defenses? Not very, according to the Government Accountability Office, the audit and investigative arm of the U.S. Congress. In a report last week, it said an audit of 24 government agencies - including Defense and Homeland Security - had shown that "poor information security is a widespread problem with potentially devastating consequences."
Striking back at cyber attackers poses a raft of tricky questions, chiefly because cyber war cannot be waged without involving civilians. Private companies own more than 80 percent of the infrastructure McConnell talked about and without close public-private coordination, effective counter-strikes are next to impossible.
"Unlike traditional defense categories (i.e. land, sea and air), the military capabilities required to respond to an attack on U.S. infrastructure will necessarily involve infrastructure owned and operated by the private sector," according to Jody R. Westby, CEO of the Washington consulting firm Global Cyber Risk and a champion of better public-private coordination to cope with cyber attacks.
Coordination between the military and civilians has yet to be tested. The military stayed away from an exercise this month that brought together experts from the U.S., Canada, Britain, New Zealand and Australia, 18 U.S. federal agencies and around 40 companies, including Microsoft and Cisco Systems. The game featured mock attacks against computer networks, pipelines and railroads.
(The exercise was described as the biggest of its kind. But "big" is relative. To get the scale into perspective: There are 233 countries connected to the Internet today, with an estimated 1.2 billion users. More than 120 countries are estimated to be developing cyber warfare capabilities).
As things stand, could the U.S. or its allies become victims of an attack similar to the Soviet pipeline blast? Probably yes. The threat comes from China, which has been placing heavy emphasis on what it calls "informationized war," and a motley array of hackers and terrorists.
Among the most potent weapons in their arsenal: "bots," malicious software robots that are the digital equivalent of terrorist sleeper cells that lie dormant for months or years before springing into destructive action. In testimony to Congress, Homeland Security's top scientist on cyber security, W. Douglas Maughan, has said that there is currently no effective antidote to bots.
How much damage could they do? Here is a scenario drawn from an interview with Westby, who is a member of the World Federation of Scientists' Permanent Monitoring Panel on Information Security. Her outline is based on the assumption that China has already implanted bots in millions of public and private computer systems.
"Bot herders" around the world unleash their malicious software bots to attack U.S. government, financial, oil and gas systems. One early victim: the U.S. Department of Commerce, which loses all communications because its internet and telephone communications use Voice over Internet Protocol networks. That means if the Internet goes down, all communications go down.
As Commerce is cut off, the U.S. collection point for inter-bank financial transactions discovers that bogus data are being inserted from both the sending and confirming side of the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system. Chaos ensues in financial markets.
The New York Stock Exchange shuts down after massive "denial of service" attacks similar to those that last year forced Estonia to close down websites run by government ministries, banks and telecommunications companies.
At the same time, systems controlling the valves of oil and gas pipelines come under attack as bogus instructions override system controls and false data is sent to control room screens. The pipelines are shut. Some explode. There are casualties.
The government decides it must block the malicious traffic and come to the assistance of the financial, gas and oil companies under cyber attack. This involves deploying classified solutions and counter attacks through the networks of various U.S. communication providers.
The problem: There is no agreement between the Pentagon and the private sector on transferring private networks to military control. Owners are reluctant to turn over their systems to the military for fear their networks and their reputation might be damaged as a result of cyber war actions not under their control. The problem could be solved by the government declaring martial law, a step it is hesitant to take.
And what about the foreign-owned networks that would have to be used to launch an effective counter attack? Does the U.S. have to ask permission before sending cyber war actions across foreign networks? Would NATO have to be involved? (The 50-year-old treaty does not cover cyber warfare). Should the U.N. charter be amended to apply to cyber war rather than only "armed attacks?"
These are all questions that require urgent answers if the U.S., more dependent on computers and the Internet than most countries, wants to protect what a writer in the latest issue of the Armed Forces Journal aptly describes as "America's digital Achilles' heel."
(You can contact the author at Debusmann@Reuters.com)
(Editing by Sean Maguire)