June 03, 2011

Cyber Attacks May Be 'Acts Of War'

IRA FLATOW, host:

You're listening to SCIENCE FRIDAY. I'm Ira Flatow. Up next, cyber-warfare. Computer sabotage can now be considered an act of war, the Pentagon says, as part of an upcoming report on the Pentagon's official cyber-strategy.
In talking about that report, which is due out in a few weeks, Pentagon spokesman Colonel David Lapan told reporters: A response to cyber-incident or attack on the U.S. will not necessarily be a cyber-response. All appropriate options would be on the table.

FLATOW: Well, what constitutes a cyber-attack? If the computers that control the stock market are attacked, is that an attack on the U.S.? What if the hackers were acting alone, without the knowledge of the government? Against whom would we retaliate?
Can the origin of an attack ever be known for sure? What if someone in our own country attacks us via cyberspace? What are the rules of engagement? Who makes the decision to counterattack? Is it the military, or does it have to go up to the president or someone in between?
That's what we'll be talking about, and if you'd like to get in on the conversation, give us a call. Our number is 1-800-989-8255. And Tweet us, @scifri, @-S-C-I-F-R-I, or you can go to our Facebook page, /scifri, or our website at sciencefriday.com.
Bruce Schneier is a writer and security technologist. His most recent book is called "Schneier on Security." He's also chief security technology officer for British Telecom. Welcome back to SCIENCE FRIDAY, Bruce.

Mr. BRUCE SCHNEIER (Writer and Security Technologist; Author, "Schneier on Security"; Chief Security Technology Officer, British Telecom): Hey, hi.

FLATOW: Kristin Lord is vice president and director of studies at the Center for a New American Security in Washington. She is also co-author of a new report, "America's Cyber Future: Security and Prosperity in the Information Age." Welcome to SCIENCE FRIDAY, Dr. Lord.

Dr. KRISTIN LORD (Vice President, Director of Studies, Center for a New American Security): Thank you very much.

FLATOW: Let me ask you first; The cyber-security plan the Obama administration released earlier this year, in May, is that what the Pentagon is saying? Anything different from what is in that report?

Ms. KRISTIN LORD (Vice President and Director of Studies, Center for a New American Security): You know, there's really not. It's interesting. This week, there has been a lot of media attention around a report in the Wall Street Journal about the Defense Department has rolled out a new strategy.
The reporting implies that there's something very new about what's in this, but actually the White House laid this out very clearly in a public document with lots of press in attendance and a whole bunch of Cabinet secretaries just a couple of weeks ago.
And what they say is that if there were ever a cyber-attack that was sufficiently damaging that it would be equivalent to what we'd expect from a kinetic attack, a violent attack, that we would at least retain the option as a country of responding with force.
And I think that's not a terribly surprising thing to expect our government to say, but it was treated as being something I think much more severe than it actually was.

FLATOW: Bruce Schneier, what's your take on this?

Mr. SCHNEIER: I agree exactly. There's nothing new in this report, and there's nothing surprising. Attacks are attacks, and whether they come via planes or ships or cyberspace, it's who does it and the damage. And the fact that we would not limit ourselves or not necessarily or use all appropriate options, this seems perfectly reasonable. I actually don't know what all the press surprise is.

FLATOW: Well, you know, let me give you a scenario or think of something that - for example, a few months ago, the stock market plunged 1,000 points in a matter of minutes, and some stocks lost 100 percent of their value, and it was all attributed to someone on Wall Street who mistakenly typed a B for billion instead of M for million in a stock trade.
And if that's easy to send a stock market, which is all controlled by computers, crashing for so short a time, it looked to me that Wall Street, where all the countries' wealth is located, could be a really simple and easy place to attack.
How vulnerable is that? I mean, when we talk about retaliation, and we talk about the Pentagon being there, there could be a lot other ways of attacking this country and bringing it down to its knees, like Wall Street.

Mr. SCHNEIER: But we are not protected technically. I mean, you can shoot people. You can drop bombs on people. It - our defense against war is political.
I mean, the reason China doesn't drop our stock market or blow up New York City is not because of some magic technology. It's because politically, militarily, they know it's a dumb idea.
So you can paint all of these scenarios, and they make great movie plots, but back in the real world, Wall Street is safe against nation-states bringing it down because that's not the way nation-states work. And if they did, we'd be vulnerable in many, many ways.

FLATOW: Well, Osama bin Laden was not a nation-state.

Mr. SCHNEIER: No, Osama bin Laden was a person. Right, a nation-state, you look on a map, and you see a geography. And remember, people can't declare war. Some guy on Wall Street, even some guy in another country, cannot declare war on the United States.
And this is an important point. Response in cyberspace, response anywhere, depends on who's attacking you and why. And so whether you call the FBI or Homeland Security or the military or your corporate lawyers depends not on what happens but who does it and why.
So when you look at response, that's where you have to look, not on the effects but on where it comes from.

FLATOW: Kristin Lord, the summary of your report, "America's Cyber Future: Security and Prosperity in the Information Age," begins with this line: Cyber-threats imperil America now and for the foreseeable future.

Dr. LORD: That's right.

FLATOW: How vulnerable are we?

Dr. LORD: I think the key is to say what - vulnerable to what? What is the most likely threat, and then what is the most dangerous threat? And there's a really big difference between the two.
Cybercrime is a tremendous problem in this country. It's something that needs to be dealt with by corporations, by individuals, by law enforcement, by the federal government. But it is not a national security threat if granny gets her credit card number stolen. It would become a national security threat if these attacks escalated to such a degree that people lost confidence in the Internet.
We're such a way long way from that I dont see that point coming, but that's how far we would have to go for that kind of threat to become a national security threat.
There's also cyber-espionage. This is a real threat. Companies are losing their intellectual property, in some cases to foreign governments, in many cases to organizations we don't know much about and for reasons we don't know much about.
But over time, if there is a slow sapping of American, or a rapid sapping of American intellectual property, this will hurt us in the long term.
A real threat is also in battle. It's almost impossible to imagine a future conflict that doesn't have a cyber dimension, and so we just have to be prepared that others will try and interrupt our command and control and that there are offensive tools that we would expect our military to use, as well.
I hope that doesn't happen anytime soon, but looking over the broad swath of history, conflicts occur, and in the future, cyber will be part of that.

FLATOW: If one guy mistyping a B can bring down all the stock market in a matter of minutes, why is that not considered a threat if you might have an organized attach that can do that with many people?

Dr. LORD: Well, it is a threat, period, full stop. It is a threat. But it's also not something that is imminent, I think for some of the reasons Bruce laid out.
First of all, who has the motivation to do that? It's not nation-states. The Chinese, for instance, have so much money invested in the American financial system that they would perhaps be the most hurt. So there are a lot of reasons why nation-states would be deterred from engaging in that kind of attack.
Now, I think something to be at least concerned about looking forward into the future is that criminals and terrorists or whomever can increasingly purchase advanced cyber-capabilities on an open black market, and to the extent that malicious actors who have an ideological intent, like the group around Anonymous that was going to go after the base in Quantico, to the extent that those actors can gain access to sophisticated capabilities, that's something to at least watch over the long term.
But for the most part, I agree with Bruce: The most sophisticated actors don't have an interest in that kind of an attack. It doesn't mean not to protect against it. I still lock my doors and windows when I leave my house. But I don't think it's something we ought to get up every day and worry about.

FLATOW: Wasn't one of the 9/11 commissions' statements following this was a failure of the imagination?

Dr. LORD: Indeed, and you know we quote that in the report. And I think the reason we raised that is because everyone is grasping for examples, trying to understand cyber-conflicts, cyber-war and in fact have grasped on to some very poor examples of what to be worried about.
But we have to be preparing now for the threats we might face in the future, and the way we need to do that is by building better software, more secure systems. We need to educate people, and as a country we need to not overspend.
I think there's a real risk of spending a tremendous amount of money on cyber-security for a low return. You can't possibly secure every potential target. So we're going to have to find some much more cost-effective solutions in order to build our defenses and to educate those of us who use all of these systems every day.

FLATOW: Bruce, do you agree?

Mr. SCHNEIER: I - there's actually nothing said that I disagree with. You know, cyberwar is the sexy threat. Cybercrime is the real threat, and that's what we have to worry about. Of course, it has to do with national security, but it's not military security. The FBI has a role. State Department has a role. A lot of these crimes are international. They're organized.
You asked about organized groups. Well, you know, organized crime isn't new so organized cybercrime. It's the same thing just with the words cyber in front of it. I definitely agree that we've prepared for these new threats. I mean, interesting thing about a lot of these threats is it's the same tactics. Whether it's, you know, two guys from China or the Chinese government, they're doing the same stuff. So defending our infrastructure whether it'd be better software or better investigative techniques are going to pay dividends regardless of what we do.
Also agree that we should worry about spending too much money. We're right now in the early years of a cyberwar arms race. There's a lot of money being thrown around in D.C. and a lot of people trying to grab it. And the worry is this is just going to be a huge expenditure at very little return, and we're just going to beat each other up, just like we did in the Cold War.

FLATOW: Would Congress have to declare a cyberwar, like it does a shooting war?

Mr. SCHNEIER: Remember, there's nothing magical about the word cyber that makes the rules different. I do not know the rules of war, but whatever they are, they exist for cyberwar or noncyberwar. There's no difference. I mean, Congress has to declare war, although, you know, in Libya, it seems like they don't anymore. So I don't know what the rules are, but they're no different with cyberspace.

FLATOW: Mm-hmm. 1-800-989-8255. Let's go to Jake(ph) in Houston. Hi, Jake.

JAKE (Caller): Hi. How is it going?

FLATOW: Hi there. Go ahead.

JAKE: I just have a bit of a question because I remember two distinct attacks on Google from Chinese hackers. And I believe, on one of those, it was believed that they were government sponsored. What is the situation on that?

Mr. SCHNEIER: I could take that.

FLATOW: Go ahead, Bruce.

Mr. SCHNEIER: We don't actually know. There's certainly - there's a lot of attacks from China, not just the two that Google has announced. They're broad. They've been happening for years. They seemed to be some combination of state sponsored and state tolerated. There was a WikiLeaks cable that talked about some of the state-sponsored attacks.
We also know that there are independent groups in China that operate with relative impunity, and they just know if they find something cool, they pass it off to the government. And in return, the government leaves them alone. So there's a large combination of stuff that goes on in China. It's hard to know which particular attack is what.
But you look at what's being targeted, and it's kind of who's who of who China wants to spy on. So there certainly is some government direction at least in some levels, but there's also a lot of autonomy.

FLATOW: Talking about cyberwar on SCIENCE FRIDAY from NPR. I'm Ira Flatow talking with Bruce Schneier and Kristin Lord.
You know, when we talk about defending ourselves against conventional weapons, we talk about, you know, building up our arsenal and our ships and things and planes. What do we do to build up - what do we need to build up in a cyber attack? Kristin?
Ms. LORD: Well, it's interesting. The Pentagon has been very reluctant to talk about building up offensive cyber capabilities, and I actually think that's a mistake. I'd like to see the Pentagon talking about, obviously not revealing classified information, but just talking about the need to develop some offensive capabilities because there will be a cyber dimension to any future conflict the United States is engaged in. And in fact, I'd argue that our armed forces would be negligent if they weren't prepared for that eventuality.
The thing I think we should be a little bit concerned about is there is going to be pressure for cyber arms races, as you or the caller noted. And one of the reasons for that is there's a lack of transparency in cyberspace.
During the Cold War, the United States and the Soviet Union could count the - or could measure the capabilities of the other side. We can count the number of tanks. We can count the number of missiles. We have a rough idea about how much damage a single tank or a single missile can inflict. And it actually induces a bit of stability into the relationship.
The same is not true with cyberspace. You don't know what tools the other guy has. You don't know exactly what they can do. Once they're used, they're sort of out in the general population. They can be reengineered. There's a risk of diffusion. And so there are some things about cyber weapons that are escalatory.

FLATOW: Well...

Ms. LORD: There's some things the government can do to counter that, but that's a concern.

FLATOW: So we might even be in a cyberwar now that no one knows about?

Mr. SCHNEIER: It seems unlikely. I mean, if you're at war, you know it. I mean, there's no (unintelligible).

FLATOW: Well, there are covert operations going on over the world. Why not covert cyberwar?

Mr. SCHNEIER: Well, because that's not war. There have been covert operations going on forever, right since the beginning of civilization, but war involves tanks and troops and people dying. When you're at war, I think you're going to know it. It's not going to something you're going to miss because you weren't paying attention. It's war.

FLATOW: Well, if the stock market crashes one day and we don't know why, there are no people dying immediately, there are no buildings, there's no collateral damage until everybody's life savings are wiped out.

Mr. SCHNEIER: And that might be - we might decide that is an act of war, just like, you know, I'm going to make this up, Pearl Harbor. Everything was fine until the Japanese bombed the naval base. So everything is fine until whoever attacks the stock market. It's not different.
Something happens, and then in retaliation, the U.S. declares war on whoever attacked us and then we go to war. It's regular war. I mean, there could be lots of attacks. But when a nation-state does something like that, that's an act of war, and we respond accordingly. Cyber doesn't make it different.

FLATOW: Kristin, last word.

Ms. LORD: Ira, one of the reasons any group over the course of history uses force is to communicate a message and to inflict harm and have others know that they inflicted that harm. So one of the things about -one of the things protecting us from attack against Wall Street that we don't - and we don't know who has done it is that often force is used to send a message.
I'll give an example. It made a tremendous difference that Osama bin Laden died not through some sort of fictional cyber attack where he went to plug in his lamp and was administered a cyber-administered shock through the electrical socket and, you know, keeled over. That would not have sent the same message, even though the effect would have been the same, it would not have sent the same message as navy SEALs landing in his yard, kicking down his door and shooting him. That was an extremely important message to be sent. And we have to remember the reasons why force is used in war to start with.

FLATOW: Mm-hmm. All right. We've run out of time, but it's certainly an interesting question that we will pick up.
And I want to thank both of you for taking time to be with us. Bruce Schneier, a writer and security technologist. His most recent book is called "Schneier on Security." He's also chief security technology officer for British Telecom. Kristin Lord is vice president, director of studies at the Center for a New American Security in Washington D.C. and co-author of a new report, "America's Cyber Future: Security and Prosperity in the Information Age." Thank you again for taking time to be with us.

Ms. LORD: Thank you so much.

Mr. SCHNEIER: Thanks a lot.

FLATOW: You're welcome.

Click here to listen to the interview.