Spyware, Botnets, and the Future of American Warfare

December, 2008

Introduction

In February 2008, Director of National Intelligence Michael McConnell delivered his annual threat assessment to Congress, and in doing so, opened a new chapter in American cyber warfare. "Our information infrastructure ...is being targeted for exploitation and potentially for disruption or destruction by a growing array of state and non-state adversaries," McConnell said that day, discussing "cyber threats" before uttering a word on the war in Afghanistan. "We assess that nations, including Russia and China, have the technical capabilities to target and disrupt" America's information infrastructure.
It would be an exaggeration, of course, to suggest the Bush administration has turned its back on the Taliban to battle botnets inside the Beltway. Pentagon planners talk of adding thousands of troops in Afghanistan, not an army of computer geeks in Washington. But as McConnell's ordering of threats that day illustrates, American policymakers are preparing for wars in which nerds with keyboards are as menacing as, and possibly even more destructive than, extremists with roadside bombs. "In this business, there are lots of peers because the price of admission is relatively low," Maj. Gen. William T. Lord, head of the U.S. Air Force Cyberspace Command, told me recently. "With some technologically-smart kids, you can do a lot of damage."

A Threat Emerges

In 2007, the Department of Homeland Security logged an estimated 37,000 attempted breaches of private and government computer systems, and over 80,000 attacks on Pentagon systems. Some hacks "reduced the U.S. military's operational capabilities," according to the Heritage Foundation, a conservative think-tank in Washington. Civilian government agencies are faring no better. According to a 2007 assessment by the White House Office of Management and Budget, the number of successful hacking incidents reported to Homeland Security more than doubled between 2006 and 2007. James Lewis, a cyber security expert at the Center for Strategic and International Studies, says the actual number of successful hacks is probably higher, because most attacks go unreported. Still, Lewis says the scenario of a rogue hacker shutting down the Eastern Seaboard of the United States with a few keystrokes is unrealistic. "The U.S. is a very big set of targets, and some of our important networks are very secure," he says. "I've seen people who say a cyber attack could turn the United States into a third-world nation in a matter of minutes. That's silly. We have to be realistic about this."

Tactics and Consequences

But what if Lewis is wrong? Scott Borg, director of the U.S. Cyber Consequences Unit, a nonprofit research institute that studies cyber threats, says the biggest threat from cyber espionage may be economic upheaval in the attack's aftermath. Consider a successful cyber strike on a city's power grid, Borg says. If a cyber criminal were able to turn the lights off in a major metropolitan area for 10 days, Borg calculates that 70 percent of the region's economy would be brought to its knees. "If you can do that with a pure cyber attack on only one critical infrastructure, why would you bother with any traditional military attack?" Borg says.
Maybe that's the rationale hackers took to their fight against the small Baltic nation of Estonia in the spring of 2007.
Following the relocation of a monument to the Red Army in the capital city of Tallinn, a diplomatic row erupted with neighboring Russia. Ethnic Russians, who make up about a quarter of Estonia's 1.3 million people, were furious at the treatment of the statue and took to the streets in protest. Order was restored only after U.S. and European diplomatic interventions. But the story of the "Bronze Statue" did not end there. In the days and weeks that followed, small cracks began to emerge in the computerized infrastructure of Estonia's high-tech government. Cyber security experts later determined the strike was a coordinated "denial of service" attack, which crippled Estonian banks, media outlets, and government ministries with bogus requests for information. The approach harnessed "botnets" (massive networks of interconnected, compromised computers) to bombard targeted networks with information requests while masking the location of the primary attacker.

More Sophisticated Than Ever

Disruptive as it was, the Estonia strike was technological child's play. Today hackers employ a steady barrage of "malware," "spyware," and other malicious programs that embed themselves in computer systems to steal information without the user's knowledge. This stealth software is designed to remain undetected and siphon information from its host: everything from secrets stored on personal computers to Pentagon military mainframes. Spyware attacks have even been aimed at the highest levels of the U.S. government. A December 2007 analysis of U.S. Air Force cyber vulnerabilities, for instance, notes that because many of the Pentagon's operating systems are off-the-shelf components manufactured overseas, U.S. military networks are open to intrusion. "Foreign countries could place hidden components inside the computers, making the computers vulnerable for attack and/or spying," the analysis concludes.
Less common but far more worrisome for cyber security experts are attacks aimed at critical infrastructure, such as nuclear power plant control systems, banks, or subways. In March 2007 the Department of Energy's Idaho Lab conducted an experiment to determine whether a power plant could be compromised by hacking alone. The result, a smoking, self-combusting diesel generator incapacitated by nothing more than keystrokes, sent shivers through the private sector. The worries were apparently well-founded. In January 2008 a CIA analyst told U.S. utilities that hackers had succeeded in infiltrating electric companies in undisclosed locations outside the United States and, in at least one instance, shut off power to multiple cities. The hackers then demanded money. "The [U.S.] government is scrambling to try and protect its own systems, to try and check the Chinese from reading government email," says Borg. "But the focus probably needs to be critical infrastructure. That's what we need to defend."

Accusations and Denials

Over 140 different foreign organizations regularly attempt to hack American computer systems, and Israel, India, Pakistan, and the United States have all been accused of launching attacks on adversaries. But when Western governments look to lay blame, fingers typically point in China's direction.
The Bush administration has accused the Chinese of hacking into government computer networks at the U.S. Departments of State, Commerce, and Defense, in some instances making off with data. In May, U.S. intelligence officials said they were investigating whether the contents of a Commerce Department laptop were secretly copied during trade talks in Beijing in late 2007. (A Commerce official told me the laptop belonged to the Commerce secretary himself.) American authorities said the stolen data may have been used during an attempted hack of department networks, allegations the Chinese have denied.
Verbal sparring picked up in June 2007, when, according to the Financial Times, hackers broke into a Pentagon network that serves the Office of the Secretary of Defense, briefly shutting it down. U.S. officials have also quietly accused Chinese hackers of swiping proprietary information from American executives, penetrating deeply into U.S. government systems, and even gaining access to the networks of electric power plants. Chinese electronic espionage has also been suspected against British companies (Rolls Royce is one example), as well as government agencies in France, Germany, South Korea, and Taiwan. China has never admitted direct involvement in international cyber attacks.
Yet China's suspected cyber snooping has left Washington on tough diplomatic footing. As the Beijing summer Olympics approached, American intelligence agencies were reportedly debating whether to publicly warn visitors of the risks posed by Chinese hackers, long suspected of wirelessly stealing data from visitors' BlackBerry devices, cell phones, and other electronics. According to the Wall Street Journal, some U.S. intelligence officials and security analysts favored warning the public of the risks. Others sought to tamp the issue down out of deference to the Chinese.

U.S. Cyber Warfare on the Offensive

The United States, of course, is no innocent bystander in the race to control cyberspace. In 1995, France expelled five American diplomats and officials over suspected cyber spying, and in 2001, a special European Parliament committee concluded the U.S. used its Echelon spy network to steal trade secrets from international firms. Even the Department of Defense has hinted at its abilities. In March 2004, for example, the Pentagon announced the formation of an Information Operations team, the Network Attack Support Staff, to streamline the military's cyber attack capabilities. The aim, senior military officials said at the time, was to create an "interface between the combatant commanders and the intelligence community."
William M. Arkin, a defense analyst, says the United States' cyber weapons cache includes technologies capable of penetrating and jamming enemy networks, including the classified "Suter" system of airborne technology. According to Aviation Week, Suter has been integrated into unmanned aircraft and "allows users to invade communications networks, see what enemy sensors see, and even take over as systems administrator so sensors can be manipulated into positions so that approaching aircraft can't be seen." Some speculate the Israeli military used the capability during its air raid on a Syrian construction site in September 2007. The United States made use of nascent capabilities in the 1999 Kosovo War, and built on those lessons in Iraq.

A Cyber Revolution

Most of the United States' offensive capabilities in cyberspace remain classified. But plans to defend American networks from adversaries have been discussed publicly for over a decade. In 1996 the Pentagon published a report on "Information Warfare-Defense," when public use of the Internet was still in its infancy. Numerous assessments have been published since, all reaching a similar conclusion: the holes in American cyber security are growing.
Yet only recently has concern been matched by action. In January 2008 Bush signed a presidential directive calling for an expansion of the nation's cyber security efforts. Among other changes the move directed the National Security Agency to coordinate with the Department of Homeland Security to protect government and civilian communication networks. The $144 million plan, unveiled quietly in White House Budget documents, aimed to enhance "civilian agency cybersecurity and strengthen defenses to combat terrorism." According to the Wall Street Journal, the White House's 2009 budget request takes the program exponentially further, with an estimated $6 billion request to build a secretive system to protect U.S. communications networks.
The Pentagon, too, has moved to close the gap. Defense Department officials have considered banning nonofficial traffic from its servers, and the U.S. Air Force has created a dedicated Cyber Command to defend Pentagon networks, communications, and weaponry. Eager for a fix, Air Force officials are even considering recruiting non-traditional geeks and gamers to enlist in the cyber service of their nation. "Perhaps we need a different kind of warrior in this domain," says Maj. Gen. Lord, head of the Air Force's cyber command. The United States needs these people's smarts, though "they're not the same kind of folks that perhaps you want to march to breakfast in the morning."
Despite recent progress on both the civilian and military sides of the ledger, however, security analysts and some politicians say more is needed. Senator Barack Obama of Illinois, the presumptive Democratic candidate for president, waded into the fray on July 16, accusing the Bush administration of failing to protect the nation from cyber-terrorism while China pushes ahead unchallenged. This challenge to the status quo, Lewis of CSIS says, "reflects the increase in the threat we are facing."

Tactics Questioned

Analysts say it's not entirely fair to discount the recent progress of the current White House. "If you're going to be critical, you'd say it started kind of late; it would have been better to do it before rather than after," Lewis of CSIS says. "That said, the Bush administration has made significant progress in the last couple of months." President Bush's Comprehensive National Cyber Security Initiative, unveiled in January 2008, calls for reducing the number of Internet connections across government agencies, improving network monitoring, and securing existing configurations. "Those are all good things," Lewis says.
But critics of the Bush administration accuse the effort of being shrouded in unnecessary secrecy. "It's wildly overclassified," Lewis says. "Why they decided to do that I don't know." This has angered civil libertarians who fear monitoring of civilian networks could infringe on privacy rights. Members of Congress, too, have voiced concern. In October 2007, Rep. Bennie G. Thompson (D-MS), chairman of the House Homeland Security Committee, called for the program to be put on hold until Congress could adequately review it. Then in May 2008, the Senate Armed Services Committee said that for a cyber security strategy to be an effective deterrent, American cyber policy must be made public. "It is difficult to conceive how the United States could promulgate a meaningful deterrence doctrine if every aspect of our capabilities and operational concepts is classified," the committee concluded.

Vulnerabilities Remain

Maybe intelligence chief McConnell was right in putting cyber threats before the Afghan war. According to a June 2008 U.S. Government Accountability Office report, not even the Department of Homeland Security, the U.S. agency in charge of coordinating cyber security policy, has adequately protected its own networks. Bruce McConnell, who served as chief of information and technology policy at the Office of Management and Budget in the 1980s and 90s, says the U.S. federal government still has a lot of work to do to protect the nation's network-dependent economy. For years, securing computer networks "has just been viewed as another headache," he says. "I think we are playing catch."