Here are a few examples of some of our events:
February, 2014: “The Impact of Purposeful Interference on U.S. Cyber Interests”
September, 2013: Cyber/Space, EMP Insecurity- Current and Future threats
July, 2013: The Existential EMP Threat
April, 2013: New Strategies to Secure U.S. Economy from Cyber Attacks
July, 2012: Economic Warfare Subversions
September, 2010: SPEECH Act Celebration
“Maintaining Nuclear Stability Through Times of Transition”
Still Thinking About the Unthinkable
“As you become more efficient, you become more vulnerable.” — H. T. Hawkins
WHITE PAPER
The Impact of Purposeful Interference on U.S. Cyber Interests
By Rachel Ehrenfeld, Ph.D.
Co-Sponsored and Hosted by the
Homeland Security Policy Institute,
George Washington University
Washington, D.C.
Wednesday, February 19, 2014
About the Conference:
“Thank you for inviting me to participate in one of the most interesting discussions ever.” — Houston T. Hawkins, Senior Fellow, Principal Associate Directorate for Global Security, Los Alamos National Laboratory
“There’s been obviously a recent deepened concern with cybersecurity. But this is something the ACD has been thinking about for a long time. It has been ahead of its time and done a terrific job identifying emerging threats and issues which we need to be thinking about sooner, rather than later, so we have a better chance of finding solutions.” — Richard Perle, former Assistant Secretary of Defense for International Security Policy, and member of the ACD Board of Directors.
“The conference was both eye-opening and sobering. The presentations were most riveting.” — Jeremy Rabkin, Professor of Law, George Mason University
“In addition to underscoring the serious impacts of intentional interference with America’s critical Earth- and space-based cyber infrastructure, conference participants identified pragmatic, innovative solutions. The American Center for Democracy handed policymakers valuable, out-of-the-box approaches for protecting the nation’s citizens from paralyzing attacks.” — William B. Scott, author of bestsellers “Space Wars,” “Counterspace,” and “The Permit”; former bureau chief, Aviation Week & Space Technology; and current ACD Fellow
“I found tremendous benefit from the opinions of so many experts from so many different fields. The conference’s ability to bring together such a diverse and talented group made the discussions more interesting and enlightening. It was like attending several conferences in one day!” — Maj. Gen. Robert Newman (USAF, Ret.)
“This is a timely and important discussion in the evolution of the cyber-physical domain.” — Robert Crane, Senior Homeland Security Advisor, National Coordination Office for the U.S. Space-Based Positioning, Navigation and Timing Policy
Table of Contents
General Observations and Insights
The Internet of Things (IoT)
Inadequate Government Responses
Private Sector Failings and the Need for Cooperation with Government
Need for Coordinated Strategy
Approaches to Data Aggregation
Roles of the Public and Private Sector
Recommendation for the ACD’s Continuing Role
Appendix A: Name withheld by request
Appendix B: Mary Fisk-Bieker, CIC, SVP Chief Underwriting Officer, OneBeacon Technology Insurance
Purpose and Scope
On February 19, 2014, the American Center for Democracy assembled a group of cyber and space, communication, defense and policy experts to discuss the United States’ vulnerabilities to purposeful interference with cyber systems and technologies essential to the functioning of our economy and society. The roundtable discussion, held at George Washington University, and hosted by Homeland Security Policy Institute director, Frank Cilluffo, was conducted under Chatham House Rules. Consequently, attributions herein are limited to those contributors who gave their permission to be named.
The focus of the meeting was not only to discuss the problems and the impact of purposeful interference in cyber and the U.S. Global Positioning System (GPS), but mostly to encourage a public and private sector partnership that will look for new solutions to bridge the significant gaps in cybersecurity, with cost-effective opportunities to enhance the security and integrity of our critical infrastructure. This includes the electric grid, communications and financial systems.
The growing dependency on wireless services and the resulting escalation of cyberattacks have resulted in innumerable ideas about how best to enhance cybersecurity and protect against purposeful interference. Many call for enhanced government-private sector cooperation.
President Obama’s Executive Order 13636 is intended to “Improve Critical Infrastructure Cybersecurity,” and establish “a voluntary set of security standards for critical infrastructure industries…. The Order directs the Executive Branch to increase the volume, timeliness and quality of cyber threat information sharing, which should result in further developing a public-private partnership.”
To date, different data breach notification laws have been adopted by 46 states, creating a jigsaw puzzle with different notification triggers, timing and notice content requirements. While the government calls for passing a national law to standardize data breach notifications, the private sector is reluctant. This is not surprising considering the ease with which the security of the supposedly best-protected government agencies was breached. A lone bad actor was able to steal millions of documents detailing the country’s most critical national security and business secrets.
On top of this comes a report confirming that Iran successfully penetrated the Navy Marine Corps Intranet, which presumably has the best cybersecurity systems, raising grave concerns regarding the vulnerability of our civilian infrastructure to similar attacks and calling into question the government’s ability to protect it. For many years now, many vulnerabilities have been discussed in congressional hearings. But hearings are usually held after something happens, or are about the next budget cycle. Thus, the government’s ability to coordinate a response to a significant interference event remains unclear.
We are well aware of the vulnerability of the electric grid and communication systems. Yet, instead of considering systems organization and putting in place individual systems, we continue to think about a central system. We experience everyday interference with our communication systems and devices dependent upon GPS. A survey of the web reveals a large number of radio frequency jamming devices are advertised and sold in the U.S., despite the 1934 Communications Act that strictly forbids the manufacturing, marketing and importation of jamming devices into the U.S. Apparently, the Federal Communications Commission’s enforcement efforts are not enough to curtail this problem.
We have to combine our knowledge to figure out what needs to be done to prevent attacks that even if not catastrophic could damage our economy and endanger our lives. The U.S. still leads the world in technological innovation. But for how long?
Meaningful improvements in our security, reliability, and resilience require that our government officials, elected representatives, and senior business executives come together with greater clarity and strategic vision to identify and tackle current and emerging problems. We cannot afford to consider purposeful attacks as force majeure, which are unforeseeable, unpreventable, and unmanageable. We also cannot expect meaningful progress without considerable thought leadership, bringing together multidisciplinary approaches and solutions to issues that transcend any one industry, span the globe, and increasingly impact our economic and national security.
Houston T. Hawkins, Senior Fellow, Principal Associate Directorate for Global Security, Los Alamos National Laboratory, observed that without a change of attitude we may win on the tactical level, but not on the strategic level. “An example is the Tet Offensive, which the US won by all conventional military criteria. But the Viet Cong won on the strategic level, by convincing us that we lost, that victory was impossible, and that we needed to get out of Vietnam.”
Our goal is to drive a major change in attitude from reactive to proactive, so that new policies, architectures, and technologies are developed to enhance our resiliency and protection, through coordination between the government and private sector partners. To succeed, we must, as in chess, take little comfort in temporary tactical gains. Instead, we must better anticipate and restrict the future moves of our adversaries over the long term. Too often we leap vigorously — and at great expense — into tackling that which we can do successfully in the moment, with an unrealistic hope that temporary tactical successes will somehow lead to strategic success.
Please keep these concerns and considerations in mind as you join our dialogue, and hopefully become part of the thought leadership on how best to counter purposeful interference against our strategic infrastructure.
General Observations and Insights
The roundtable discussion was extraordinarily rich, addressing complicated, intricate issues, such as:
· The rapid pace at which cyber-related architectures and wireless technologies are evolving must not be allowed to present an insurmountable barrier to policymakers’ understanding and therefore affect the nation’s preparedness. Significant gains can be accomplished by breaking down complex problems into coordinated actions that reduce vulnerabilities, threats, and/or consequences.
· Purposeful interference is an emerging homeland security, national security, and economic security problem, having the ability to disrupt a broad range of wireless connections and dependencies that include the delivery of critical infrastructure services, first responder communications, air travel, and the timing signals needed to synchronize most of our nation’s computing systems and telecommunications networks.
· While the Federal Communications Commission oversees protecting the radio spectrum and minimizing intentional or unintentional sources of interference, there is no public/private partnership to coordinate purposeful interference prevention, detection, and response efforts. Immediate security gains could be made by establishing a central repository for tracking and analyzing interference events and trends. Providing law enforcement with enhanced tools to geo-locate an interference event and identify the perpetrator in real time would help to determine the nature of the attack.
· Cybersecurity needs to be thought of holistically, to include interference events that can impact the confidentiality, integrity, and availability of networks. The problems of each sector affected by cyber intrusion should be considered as it relates to others, not as discrete vulnerabilities that need to be fixed (or even can be fixed) in isolation.
· Cyber expertise remains confined to individual parts of cyber-concerned communities. This is understandable, because the requirements and duties assigned by employers to cyber professionals tend to focus on discrete, tactical, company-specific problems rather than strategic, long-term national goals.
· Cyber-smart individuals not involved in corporate or government service typically have few knowledgeable colleagues with whom to share interests and concerns.
· Despite government and private sector attempts to bring cyber experts together, these efforts usually focus on an individual sector and not on the problems that affect others, and they do not lead to pragmatic action plans that can be executed.
· The rapid progression of the Internet of Things, and the use of wireless connections to access vital data, increases the vulnerability of all American citizens to cyber-related threats. Citizens’ lives are threatened, both physically and economically, in ways that were unthinkable a few years ago. While the federal government should lead the efforts to increase the nation’s security, it appears indifferent and undependable. Citizens should demand that governors and state legislatures, infrastructure custodians, and local public interest groups take responsibility for their constituents’ and customers’ wellbeing. This makes prudent political and business sense.
Vulnerabilities
Network and Spectrum Interdependence:
· The definitions and policies governing “Cyber” must include the electromagnetic spectrum (EMS) and civil GPS services, not only those involving computer networks. Every device containing a microcircuit or chip—from massive computer servers and glass-cockpit airliners to cars and “smart” refrigerators and handheld receivers—is vulnerable to cyber attack. This distinction is not widely known and appreciated. A simple example of GPS vulnerability is a sea vessel that was successfully brought off course by a GPS spoofing device in 2013.
· With efficiencies come vulnerabilities. Cyberspace and electromagnetic activities are becoming increasingly vulnerable to disruption activities (access denial, service interruption and disruptions, communications intercept and monitoring, infiltration, and data compromise) by adversaries as well as natural events. Capabilities and intent exist, e.g. jamming and spoofing, to disrupt networks and to directly affect all critical infrastructure and government operations and information-related activities.
· Cyber systems are interdependent and can be hacked, even if “offline” or in the “cloud.” The most dramatic example of this was the success of Stuxnet in allegedly bridging the “air gap” to infect hardened Iranian computer networks, disrupting/slowing their nuclear program. An obvious example would be a cyber attack that takes down the electrical grid via cascading failures. But the attack could be also physical. A case in point is last year’s attack by unknown but clearly highly skilled agents on an electric-power substation near San Jose, California, which nearly shut off power in Silicon Valley. The attack was not initially reported to the public but was disclosed months after the fact. Cell towers are similarly vulnerable to physical interference.
· Substantial segments of the U.S. economy would be severely harmed by interference with the U.S. Global Positioning System (GPS) for vital navigation and timing information. Satellites in the GPS constellation are vulnerable to attack, and China, in particular, has already demonstrated (2007) its capability to wage “space war” by shooting down one of its own defunct weather spacecraft with a ground-launched missile. If GPS satellites or the constellation’s ground control stations were disabled, military operations, financial transactions, cell phone communications, and hundreds of other areas of the economy would be disrupted or halted entirely. In particular, this would affect computer networks, cell phones, and other devices dependent upon the GPS timing signal. This timing signal distributed by GPS is absolutely essential for modern communications, secure financial transactions, transportation and position/location determination.
Financial Markets:
· U.S. financial markets, where transactions occur in milliseconds, remain vulnerable to cyber attack and cyber manipulation, as well as interference with GPS, which affects the timing and reconciliation of trades. However, the monitoring systems, where they exist, are without sufficient automation or isolation to withstand future concerted attacks. The financial industry is also vulnerable to other cyber interference, such as denial of service attacks and traditional theft of money and identities.
The Internet of Things (IoT):
· “Technical” vulnerabilities are exacerbated by the inexorable rise of the IoT, particularly power and computer networks’ centralized switching nodes. An alarming vulnerability is that of medical devices. Pacemakers, for example, are routinely implanted with wireless capability for diagnostic purposes. In fact, Dick Cheney’s pacemaker was installed without remote access ability for this reason.
· Another example is that of first responders after an attack or disaster – regardless of progress made since 9/11 on interoperability, this would be worthless if communications are deliberately interfered with, which would cause chaos.
Inadequate Government Responses:
· Despite awareness of devastating cyber strikes, and efforts to defend against them, the pace and number of such attacks are growing. Because none has caused a truly crippling catastrophe, policymakers and average citizens mistakenly assume such threats fall below the threshold of political and financial liability. For example, the U.S. government has yet to aggregate information about the quantity and level of damage caused by the continuing wave of successful computer intrusions against civilian and military government systems, which persist despite a scheme that includes mandatory National Institute of Standards and Technology standards.
Private Sector Failings and the Need for Cooperation with Government:
· Non-technical issues also cause vulnerabilities, such as rogue “insiders,” dormant malware, and reluctance by both the private and public sectors to aggressively defend the physical infrastructure of remote and oftentimes unmanned facilities.
· The private sector remains largely unprotected from cyber attack. In addition there are deliberate, bottom-line-driven decisions by company executives to accept risks, despite obvious, increasing threats. Many corporate leaders have begun to question the return on investment of taking never-ending defense measures that appear to be easily countered by persistent adversaries. Meanwhile, the government has been unable to deter threat actors in cyberspace and as a result is failing in its primary role to protect (rather than simply warn) its citizenry.
· Currently, there is little correlation between government regulations that address cyber protection and insurance industry risk criteria, nor is such an interface being explored. There is still no congressionally- or executive branch-mandated cooperation between government and the private sector.
· Government agencies, in general, are inexcusably far behind the cyber-vulnerability curve, despite isolated, commendable efforts by some agencies.
· Regardless of the theoretical ability to harden our networks perfectly (many believe it is not possible), protecting everything would cost in the hundreds of billions of dollars and even if attainable would not be feasible. This means that public and private groups will need to determine an acceptable level of risk in light of the costs and benefits of preventive measures. There also is an increasing call for shifting our strategic focus away from hardening targets and, as we do in the physical world, applying greater emphasis on deterring and punishing threat actors. These decisions need to be made soon, given the time (five years or more) necessary for designing and deploying fundamental cyber infrastructure to accomplish our strategic goals.
Remedies
Need for Coordinated Strategy:
· Cyber defense should be addressed as a national problem, with coordinated strategies, rather than being tackled by separate sectors. The problems are synergistic, and solutions must be developed in concert with myriad sectors of the economy. Nevertheless, the primary responsibility for cyber defense must ultimately reside with the federal and state governments. Steven Chabinsky, former cyber advisor to the DNI and FBI Deputy Assistant Director, suggested the following:
1) Detection of events: DHS should define the measurements for, be the central repository for, and analyze information associated with interference events. This will help determine trends, etc.;
2) Locating the source of events: the FBI should lead the federal, state, and local law enforcement communities in identifying the technologies, methods, and reports relating to identifying the source, motivation, and resolution of interference events;
3) Recovering from events — either by detection/attribution (as mentioned in 1 & 2), or through greater Research & Development efforts focused on resilience of all of the various services that are critically vulnerable to interference events;
4) Identifying the increasing vulnerabilities of our critical infrastructure and IoT reliance upon cyber, and potential harm relating to, interference—including, but not limited to sophisticated GPS interference and unsophisticated terrestrial jamming of infrastructure processes, emergency communications, and transportation;
5) Fundamentally, we need to ensure that our cybersecurity strategies, technologies, market incentives, and international dialogue focus greater attention on the challenges of more quickly detecting and mitigating harm, while in parallel locating and penalizing bad actors.
Approaches to Data Aggregation:
· There is an urgent need to aggregate all interference data from entities using cyber technologies in one place, analyze the data, identify patterns and then disseminate the results to the participating entities. This will allow the participating agencies to develop appropriate defenses and countermeasures. The absence of a dedicated data center that identifies the risk and analyzes the data facilitates successful interference with the nation’s strategic and civil infrastructure, and has made it all but impossible to determine whether terrorist organizations, nation states, and criminals are developing, testing, and intending to deploy these capabilities against us.
· Regarding technical “fixes”: collecting cyber attack data in one location does not suggest that the monitoring of cyber attacks throughout America’s digital infrastructure should be centralized. Nor should there necessarily be uniform cyber defense protocols for all government and private sector systems.
Redundancy and Resilience:
· We should be able to bend without breaking. There is a lack of basic redundancy in critical systems as a straightforward means of preventing catastrophic cyber attacks from causing complete breakdowns. For example, the national electric grid would be far more robust if “islands” of power generation were created. Developing and fielding small nuclear reactors at the community level was mentioned as one possible solution, capitalizing on technology developed by the U.S. Army decades ago. Similarly, high energy density, long-life batteries and other advanced means of electrical power generation and storage would greatly reduce the potential of nationwide blackouts.
· Because today’s GPS system is vulnerable to space- or ground-based attack, there is a pressing need for alternative sources of timing and positioning information. LORAN, a legacy navigation system used for decades by ships and aircraft, has been abandoned. If the system had not been shut down, LORAN might be a reliable backup for GPS. Currently, a major communications company is testing the feasibility of sending timing signals generated by national atomic clocks to cell phone networks via fiber-optic cable.
· GPS is vital to the world as a whole and is not confined to the borders of the US. This means we need to address GPS vulnerability and possible loss of the system through an international forum. This would be especially true given that an attack could in fact result from a preemptive or offensive cyber attack on our part.
Application of resilience principles could be achieved by:
1) Engaging CEOs in the private sector. CEOs usually don’t seek or receive advance notices of looming risks and crises that could affect their supply chains, interconnected links and interdependencies from end to end.
2) Anticipating that “unknown, unknowns” will happen. Adapt, recover, restore, and move on. The ability to bend in the winds of a disruption or disaster, rather than break, should assume that mission-essential functions of government and core business functions are liable to fail.
3) Pursuing uninterrupted availability of critical government and business functions and services, e.g. U.S. provisioning and distribution of timing and navigation services for critical infrastructure. Build resiliency, defined by robustness, reliability and flexibility, into user functions, systems architecture, and end-user equipment designs.
Role of Civil Defense:
· There is a need to reassess the capabilities of our current civil defense system. Well-planned technological redundancy, backed by good preparation and training, would ensure national resilience, defined as an ability to ride out major disruptions and then quickly restore communications, supply lines, electrical power and computer systems to a basic level of functionality.
· Directly approaching the states should facilitate rapid improvement of cyber-security awareness. Recently, Maine and Oklahoma have taken action to protect their electrical grids, and active discussions are underway in North and South Carolina.
George Mason University Law Professor Jeremy Rabkin offered the following observations:
1) The most original and promising proposals voiced at the event were to mobilize state governments and state National Guard units to prepare responses.
2) We should try to interest Pentagon planners in getting the National Guard involved in preparing for massive power outages—prepositioning vital supplies, including water and gasoline and oil, or gas-powered electric generators for emergency use.
Roles of the Public and Private Sector:
· Private industry plays a significant role in the day-to-day network-based operations and functions of the economy, e.g. communications, energy, medical services, accounting and finance services, equipment maintenance, and logistics functions (shipping companies, transportation grid providers, and suppliers as a part of the global transportation system). Therefore, the private sector also plays a significant role in addressing known vulnerabilities with the security and the reliability of networks and equipment.
· Government and the private sector can work together to mitigate risk and perhaps design more resilient architectures and end-user equipment less susceptible to interference. Where it makes sense, disaggregated (non-interdependent) architectures of small independent systems could be pursued and could be less susceptible to cascading effect.
· A potential next step is for the private sector to develop a risk-mitigation and an “Options for Consideration” document of best practices and techniques.
· Conversations among businesses and technology-insurance firms are in their infancy, and DHS and the Commerce Department have done commendable work in starting a dialogue on cybersecurity. Business and insurance leaders should be required to be better informed of both vulnerabilities and the availability of advanced solutions to weigh the costs of cyber defense against those of insurance premiums. Insurers must establish premium costs by assessing the level of cyber defense a client has implemented, and the potential impacts of various types of intrusions. While conducting these assessments and risk determinations is a complex process, companies must show compliance with a certain set of rules in order to receive cyber insurance. (See Appendix B for further remarks)
· Well-defined standards governing cyber-defense methodologies, whether mandated or voluntary, would greatly simplify today’s confusing muddle.
Policy:
Richard Perle, Former Assistant Secretary of Defense, and member of the ACD Board of Directors, observed:
1) The way in which government officials describe the problem, far from increasing public apprehension, leads to a cavalier attitude. Why? Because they describe seemingly endless cyber attacks but no one is aware of any damage so the attacks are dismissed as meaningless.
2) We have to better understand the uses of force in cyberspace. What actions are being taken against US government entities and industry, and what are the rules of engagement for US government and industry to respond either in kind or through other punitive measures (including, for example, via trade sanctions, civil penalties, etc.)?
3) We need a serious report on the estimated cost of several hypothetical attacks. It is hard to get a feel for attacks that fall short of Armageddon. Given that hackers have imposed costs in the billions (look at the cost to Target of having been hacked and identities stolen), shouldn’t we look at the costs of disrupting, say, a single power plant or a refinery or an inland waterway lock, etc.?
Education:
There is an urgent need to educate public and private sector policy-makers.
Richard Perle noted:
1) There is insufficient expertise in Congress to enable meaningful dialogue among representatives and their staffs and competent, outside technical experts. Consequently, elected representatives and their support personnel do not understand the full range of options for resolving critical cyber issues.
2) Technical experts would like to know there’s someone you could go to, who would understand. And how often have we seen policy makers outside of the legislative branch — or even the executive branch — frustrated by the inability of elected officials to understand the problems. This highlights the need to have some people who are sufficiently trained. A subcommittee on cyber and related issues should be established in both houses of Congress, supported by cyber-knowledgeable people.
· Bill Scott, ACD Fellow and former Aviation Week bureau chief, discussed measures for increasing public awareness of cyber vulnerabilities and how catastrophic, cascading attacks would affect citizens’ lives. He noted that employing entertainment—fictional books, television and film—is a powerful tool to shape our perception and raise our awareness, and could be leveraged to educate citizens and public officials about current and future cyber-related vulnerabilities.
List of Participants
Speakers:
• Frank Cilluffo, Director, Homeland Security Policy Institute, GWU.
• Richard Perle, Former Assistant Secretary of Defense, member of ACD Board of Directors.
• Dr. Rachel Ehrenfeld, Director of the ACD.
• Steven Chabinsky, Former cyber advisor to the DNI and FBI Deputy Assistant Director
• Houston (Terry) Hawkins, Senior Fellow, Principal Associate Directorate for Global Security, Los Alamos National Laboratory
• William B. Scott, Author of bestsellers “Space Wars,” “Counterspace,” “The Permit”; Former bureau chief, Aviation Week; and ACD Fellow.
• Robert Crane, Senior Advisor DHS, National Coordination Office for the U.S. Space-Based Positioning, Navigation and Timing Policy.
Commentators:
• Maj. Gen. Robert Wheeler, DoD Dep CIO (Command, Control, Communications and Computers (C4)) and Information Infrastructure Capabilities (DCIO for C4IIC).
• David Simpson, Chief, Public Safety Homeland Security Bureau, FCC.
• David A. Wollman, Deputy Director, Smart Grid and Cyber-Physical Systems Program Office, Engineering Laboratory, National Institute of Standards and Technology.
• Thomas Sporkin, Former SEC Chief of the Office of Market Intelligence, currently with BuckleySandler LLP.
Other Participants:
• Dr. Roger Breeze, Former Associate Administrator for Special Research Programs at the U.S. Department of Agriculture’s Agricultural Research Service, on biological warfare.
• Dr. Peter Pry, Executive Director of the Task Force on National and Homeland Security, a Congressional Advisory Board.
• Amb. Henry F. Cooper, Chairman of High Frontier
• Prof. Jeremy Rabkin, George Mason University School of Law.
• Jon Baselice, Legislative Assistant, office of Sen. Marco Rubio.
• Maj. Gen. Robert Newman (USAF, Ret.), Senior Vice President and Director of Strategic Partnerships, Sera Brynn Cyber Security Specialists. Former Adjutant General of Virginia, Deputy Assistant Homeland Security Advisor to Virginia Governor Mark Warner, and Vice Director for Operations, Plans, Logistics and Engineering (J3/4V) at United States Joint Forces Command.
• Mary Fisk-Bieker, OneBeacon Technology Insurance.
• Joe Budzyn, OneBeacon Technology Insurance.
• Dan Mahaffee, Director of Policy and Board Relations, Center for the Study of the Presidency and Congress (CSPC).
• Jonathan Murphy, Director of External Affairs, The Center for the Study of the Presidency and Congress.
• Ilan Weinglass, Executive Director of ACD.
• Dr. Kenneth D.M. Jensen, Associate Director of ACD.
• Brett Heimov, Government Relations Liaison at ACD, Partner at Winning Strategies.
Appendix A: Name withheld by request
I found the meeting to be extremely informative and quite eye-opening. I left the meeting knowing a lot more about the issue than when I came in that day.
Given how dependent our society has become on technological advances, I think the best and most productive way to move forward at this time is the education process for people in important positions in the government, in particular in Congress, the White House, and the legislative and executive branches at the state level. There are so many ways that cybersecurity issues directly affect other issue areas, like energy, trade, agriculture, among others, that the more members of Congress (and their staff) know not just the underlying issues with regard to cybersecurity, but the consequences of not addressing these security risks effectively.
There should be more cooperation between the government and the private sector in order to effectively address these issues. To that end, I think the optimal way to move forward would be if both Congress and the Executive Branch could join together and reach out to the interested stakeholders to ensure that the proper balance is struck between our security and other interests at play.
Appendix B: Mary Fisk-Bieker, CIC, SVP Chief Underwriting Officer, OneBeacon Technology Insurance
The meeting was very informative and worthwhile.
Suggestions:
Clearly we need to think more holistically about attack scenarios. We tend to build threat scenarios around one vulnerability, then are surprised when an attack exploits several vulnerabilities. Actual attackers are going to blend threats together, not try one attack, then another. A strategic risk management approach is needed. While we have identified the 16 critical infrastructure industry groups, the approach should also consider:
• Developing vulnerability case scenarios for each group
• Define what “major impacts” would be in terms of severity and frequency (i.e. would society collapse if we lost power for two weeks? GPS obviously was discussed quite a bit as a single point of failure which may have a much more significant impact should it be disrupted.)
• Prioritize the major impacts from cyber-related events
• Repeat above: utilizing multiple threat scenarios/multiple critical infrastructure companies/multiple vulnerabilities–aka: thinking like the bad guys.
• Determine “fixes” to vulnerabilities with sensitivity given to a phased approach to private industry to include low cost but big impact solutions. One such example given in the session was electric transformers, which are vulnerable to damage by falling trees, and EMP blasts. Putting them in a steel shelter that doubles as a Faraday cage makes the system much more resilient as it addresses several vulnerabilities at minimal increase in cost.
• Insurance potentially can play a role as industry adopts the basic and essential risk management approach to the risks.
Surviving Cyberia: Exploring Solutions to Cyber-Threats
The “Surviving Cyberia: Exploring Solutions to Cyber-Threats” presentation was given at the meeting by Houston T. Hawkins, Senior Fellow, Los Alamos National Laboratory.
“Cyber/Space, EMP Insecurity – Current and Future Threats”
A Roundtable
September 30th, 2013
Key Elements of Energy Security
by Ambassador R. James Woolsey
ACD Board Member – Former Director of Central Intelligence, and Chairman, Foundation for Defense of Democracies
First of all, I just want to welcome everybody. After I look around here, I feel like I’m a junior participant in the flood trying to chair a discussion among a group of Noahs. You folks really have an extraordinary range of backgrounds in the issues that are facing us. I got to know Rachel a few years ago when the Saudis, in an effort to exploit the extremely plaintiff-friendly libel laws of Great Britain, decided to use a few trillion of their dollars and to expand their power and authority to harass American writers, not having been satisfied with having had a burning at Cambridge University of a book that was critical of them.
This massive machine was on one side, and on the other were, for a time, several major U.S. publications, famous leading newspapers and magazines. They all caved. One person didn’t cave. She’s sitting on my left. She took on the Saudis and their trillions and she basically won. Rachel’s law is now law in New York, some twelve other states and more importantly the federal SPEECH Act of 2010.
She changed a lot with her incredible stubbornness and intelligence and ability. But I’ve got to say, I think stubbornness, for me, is an extremely positive virtue. And Rachel certainly demonstrated it in this. The American Center for Democracy, which I am on the board of and which she chairs, has done a great deal to bring issues such as economic warfare to the front of policy makers’ discussions here in Washington. We had several sessions, the first session chaired by Senator Jon Kyl in July 2012, more recently we discussed these issues at George Mason University with Rep. Mike Rogers, chair of House Intelligence Committee and others—on EMP and cyber issues.
ACD published over 500 articles on these and related issues in their daily blog. And they are also focused heavily on terrorist financing, on the financial picture of what’s happening with the radical Islamist movement such as the Brotherhood and Al Qaeda, Lebanon’s Hezbollah, not only in the Middle East but well beyond. Rep. Randy Weber of the 14th District of Texas, was supposed to join us today, but apparently is held up in Congress. He is the Vice Chairman of the Energy Subcommittee, is also on the House Committee on Science, Space, and Technology, and is Vice Chairman of the Subcommittee on Africa and Global Human Rights, as well as on the International Organization’s Subcommittee of the Committee of Foreign Affairs. He has a lot of positions to which what we’re doing here today is relevant. If we should miss him today, we’ll find an opportunity to get together with him separately.
In the meantime, let me just say a very quick word about the scope of what we hope to talk about and swap some ideas with you. First of all, as Peter Pry keeps saying — and hopefully is succeeding in restructuring the terminology to some extent — when we talk about cyber, we should include electromagnetic pulse. It is so included by the Chinese, the Russians, the North Koreans, and the Iranians, and not because cyber and EMP are exactly the same thing, but because their functions have sort of total information warfare overlap.
And some of the technologies that are relevant to one are relevant to the other. And some of the protective technologies that are relevant to one are relevant to the other. So although one important focus is to ensure that when people don’t spend much time on security and focus their attention on “smart grids” and kind of blink like deer in the headlights when you tell them that the way they’re doing their smart grids looks like it’s not only going to be possible for you to turn down the thermostat in your house via your cell phone, but a teenager in Shanghai could do the same thing to your house, and perhaps other far more mischievous undertakings.
Most of the people who work on cyber security, and particularly who are interested in smart grid, are very difficult to yaw around to focusing on some of the security aspects rather than just the technological “whee, isn’t it fun, look what we can do with the internet smart grid.” So we plan to look at traditional cyber, but also of course at EMP, both solar-caused and malevolently caused, and that is a huge subject, one that is just beginning to break into the public discussion. It’s been helped immeasurably, Bill [Forstchen], by your writings, by your novel and others. There are just a lot of people that are – Peter Pry – who have started in one way or another bringing this issue to the fore.
It is insidious because if you look at the vulnerability from intentionally-caused EMP, it’s a much simpler task than designing and developing and testing and targeting an ICBM or an SLBM that can hit a target on the ground. If all you have to do is get 30 clicks or more up into space and get in some rough orbit and get over some portion of the United States and detonate — either salvage-fused if somebody shoots something at you, or just detonate — you could have a massive effect without being accurate at all, and even try a shot around the South Pole, and if that doesn’t work, don’t say anything and go try another one later. There are just a number of vulnerabilities that stem from the nature of electromagnetic pulse that people really are so appalled by they often don’t want to deal with the matter at all.
And in some ways, this is our biggest problem. That some of the difficulties that we face, here, in particular the takedown — the comparatively easy takedown — of major portions of (or even, in some circumstances, all of) the North America electrical grid creates a situation where people just say: “This is just too hard, this is just too massive, it’s too scary, I’m going to go do something else.” Part of what we need to do is make sure people understand that in a lot of circumstances, we’re talking about the massive expenditure of roughly 20 cents per electricity consumer per year on some of the important types of steps that can usefully be taken. So part of what we need to do is understand the way one can utilize technology in a very affordable way to make a real difference in our vulnerabilities to cyber and related threats.
I want to close by just saying a word about the issue of physical survivability of the grid. I got a call from Emery Levens a few months ago — he’s an old friend of my wife’s and mine and has his finger in lots of pots. He said: Jim, do you realize there was an attack just north of San Jose cutting out the 911 emergency call capacity and taking out 17 of the 20 transformers that supply the electricity to the valley? And I said: “Duh, no. Didn’t know.” Turned out it was covered in the San Jose Press a little bit, kinda sorta, as vandalism at the electrical facility. But if you look back at the films that were taken, this and that and the other thing, it turns out there were three or four extremely disciplined guys with AK47s.
The timing was perfect, deployment was perfect, destruction of the 911 system was perfect except they couldn’t get at the 911 calls that went from cell phones. One person did hear the rifle fire that was going after the transformers, and did channel some people from the electrical company to see what was going on. Actually, the highway patrol came by first, and they didn’t see anything wrong. They didn’t know what a transformer was or why it wouldn’t have holes in it or should not have holes in it. So they kind of went on. And finally, PEPCO, I guess it was, showed up several hours later and realized how close they had come — this group had come — to taking out 17 of the 20 of the transformers for Silicon Valley.
A piece on the web within the last few days indicates that something rather similar, a month or so ago, happened in Arkansas. The San Jose attack, by the way, happened the day after the Boston Marathon bomb explosion, so it might have been timed very carefully to go along with that. So although it’s not quite at the level of ability to destroy and take down systems that one would see from an electromagnetic pulse shot or a very clever cyber attack, physical attacks are possible. Again, like cyber and EMP, some of the fixes are really pretty simple and pretty cheap.
A lot of these fixes are not necessarily perfect fixes, but they’re things like taking a transformer that has fulfilled most of its useful life but still has some utility left and putting it in, say, a little stone house somewhere near where it’s needed instead of throwing it away or disposing of it. There are a number of steps that one can take in this overall area of vulnerability of the grid.
Welcome to the Age of Space and Cyber Warfare
By M. V. “Coyote” Smith
Colonel, USAF, Professor of Strategic Space and Cyber Studies, School of Advanced Air and Space Studies, Air University, Maxwell Air Force Base
I’m Colonel-Doctor ‘Coyote’ Smith, a professor of strategic space and cyber studies at the School of Advanced Air and Space Studies at Air University on Maxwell Air Force Base in beautiful Montgomery, Alabama. Our school, ‘SAASS’ as we call it, is where our Air Force educates a small, hand-picked student body of majors and lieutenant colonels at the masters- and PhD-levels to serve as strategists within our services.
I must thank Rachel Ehrenfeld and the American Center for Democracy for hosting this Washington Roundtable on this critical set of issues that challenge American, allied, and global security. It is an honour for me to speak to this gathering of accomplished and distinguished people, especially appearing alongside William Scott and William Forstchen, authors of two of the most popular books in our courses on space and cyber, respectively. The lessons I learn here from all of you will immediately inform our curriculum at SAASS and Air University as we endeavour to sharpen the minds of our warfighters to meet the challenges of our uncertain future.
I must point out that due to the magic of sequestration that I am here on leave today and am enjoying my personal time greatly. As such, I am not representing the Air Force or any part of the US government in any way. The observations and opinions that I provide here are my own and do not represent necessarily the official positions or policies of the US government – although the speaker asserts that they ought to be!
All of the information I will provide here is unclassified. My sources are discoverable on the open Internet and in public forums. I encourage all of you to fact check me. Any misrepresentations I might make are my fault entirely.
Please, feel free to point out any such mistakes.
My presentation is titled, “Welcome to the Age of Space and Cyber Warfare.” It is a long overdue welcome, as we have been living in the age of space and cyber warfare for over 30 years. It has not received much attention, because it takes place out-of-sight and therefore out-of-mind. Real space warfare and the fact that it has been underway for decades is almost beyond the public’s imagination.
In fact the common conception of space warfare is grossly misrepresented in science fantasy novels, movies, TV shows, and propelled even further by outlandish claims by the arms control community that space warfare necessarily involves blowing-up satellites in orbit and creating cascading fields of debris. They point to the so-called Chinese anti-satellite test of 2007 as an example of a space weapon, but such a weapon is more likely a missile defense system than an anti-satellite weapon. Why do we think this? Because soldiers are smart enough not to plant a mine field inside their own camp. Sailors know enough not to randomly mine their own harbors. Likewise space professionals, in all countries who rely on space even a little bit, know enough not to create space debris that could ruin for decades their access to space and that of everyone else. Those countries that do not rely on space to any extent are unlikely to master the technology or be able to afford destructive CounterSpace weapons. The process of developing rockets, satellite interceptors, and fielding and sustaining such systems costs billions of dollars. There are exponentially cheaper options, such as jammers, that are far more reliable and can be employed with a high degree of deniability in many circumstances. Such is the nature of space warfare.
When I say warfare, I am speaking in the classical Western Clausewitzian sense of warfare, which is the use of martial engagement for political purpose. Satellites have been engaged for years for political purpose to deny or disrupt adversaries’ space-based sensors from collecting certain information and routing that and other data to their users. Satellites are little more than computers placed in orbit with very long and very vulnerable wifi-like data links to ground stations and users.
Instead of blowing-up satellites and creating unwanted space debris with rockets and interceptors, we are witnessing a proliferation of ground-based jammers, lasers, data insertion and data corruption devices and techniques, as well as other directed energy weapons that are exceedingly cheap and able to be executed covertly. In fact, our satellites – American and allied – experience interference on a regular basis, but we often find it difficult to attribute the interference to the precise actor. In part this is because nations routinely probe the capabilities of potential adversaries – think of Soviet and now Russian bombers testing our air defenses – but the entry cost for jamming a satellite is so low and the intelligence for doing so is available on the Internet, that we are witnessing non-government organizations and even individuals interfering with satellite operations. However, the US and other nations who experience disruptions from interference with our space systems seldom speak out about it even when confirmed and attributed because the tendency is to deny attackers intelligence about the effect of their attacks. An exception to this came a few years ago when the director of the National Reconnaissance Office complained publicly about Chinese lasers engaging our imagery satellites. Enough was enough.
At a 2011 conference in Luxembourg hosted by the Eisenhower Center for Space and Defense Studies, a representative from the United Nations International Telegraphic Union reported that his organization receives over 200 satellite frequency interference complaints daily. In their estimation perhaps only 7 percent of such complaints are the result of intentional jamming or other interference. That means there are over 14 cases of space warfare or criminal interference occurring daily – that get reported.
Consider the following examples that have been reported in the news within the last decade. The Chinese dissident group Falun Gong actually overpowered a state-owned satellite and broadcast their messages over the top of the authorized signal. The former Libyan government jammed British satellite broadcasting of offensive programming into their country. Iran has become a powerhouse in this area, not only jamming satellite broadcasts of Western news into their region regularly, but they have also engaged American and other satellites to jam satellite data links used to command remotely piloted vehicles in the Middle East. The Iranians even went so far as to send a small team of people to Cuba secretly to jam American satellite data links. It took a concerted effort between the US and Cuba to figure out the situation and for Cuba to eject the perpetrators diplomatically. This is the face of space warfare. Not the grandiose visions of blowing things up in space.
Space warfare is not executed for its own purpose. It is done because a contest of wills exists on Earth between two or more polities or non-state actors. It is done to prevent flows of information, in a non-lethal, and non-damaging manner, which is the criteria required in the Law of Armed Conflict. The Law of Armed Conflict places a moral burden on nation-states to achieve their objectives in a manner that prevents loss of life, undue human suffering, or damage to property. To date, space warfare and cyber warfare are machine-on-machine engagements that meet or exceed the international community’s requirements for morality in warfare. The alternative is blowing up ground stations and the users of information-people and property. In short, negating satellites saves lives.
What we think of today as cyber warfare has really evolved out of space warfare. As personal computers, the Internet, and the various means of connecting them became prolific on Earth in recent years, the various warfare techniques used in space – and other terrestrial forms of electronic warfare – migrated to cyber. We are all very familiar with examples of cyber warfare. Examples include the Russian use of cyber warfare against Georgia in their recent conflict to essentially put down Georgian information networks, their command and control systems, along with the Internet and most everything connected to it. What makes this example particularly interesting was how the Russians went about it. They simply encouraged private hacktivists to engage Georgian cyber systems. It was a free-for-all. This resulted in a very effective removal of Georgia from the grid, with very little Russian investment in this success.
Cyber warfare is clear in our minds, but the Russian example points to another interesting phenomenon that we are seeing in space and cyber warfare. We find ourselves living in the age of the super-empowered individual. Space and cyber capabilities that only nation-states possessed even as late as a few years ago now reside within the grasp of anyone with access to the internet – for intelligence, operational command-and-control, and execution of various cyber techniques that can destroy, degrade, deny, disrupt, or deceive targeted equipment and the services they provide.
The relationships between space and cyber warfare are relatively clear, and this explains, partly, why the Air Force has vested its space and cyber assets in a single major command. Both space and cyber warfare present us with similar problems. First, attacks can be exceptionally difficult to detect. Systems can fail or have glitches for any number of reasons. Detecting an intentional attack is made even more difficult if the attack occurred months or even years earlier when some line of malicious code was inserted into software waiting to time-out or for some signal to be given. This brings us to the second big problem once an attack has been detected; attributing it correctly to the actual aggressor – knowing full well that the aggressor might do everything in its power to implicate an innocent party. Iran’s covert use of Cuban soil is just one example of what is seen commonly.
We in the business of space and cyber strategy speak about the Probability of Detection and the Probability of Attribution…and the Probability of Retribution as well. The Probability of Retribution is characterization of likelihood, ways, and means of an adversary’s response for being attacked. This is critical and tricky because the culture and context of each adversary we face will be different, just as America responds differently at different times to different threats and attacks. These are points upon which we are concentrating a great deal of energy.
This is of increasing importance as we “pivot” our national security attention more towards the East. Asian Strategy is deeply informed by the writings of the ancient theorist, Sun Tzu, who twenty-six centuries ago wrote that “all warfare is based on deception,” in his treatise, The Art of War. Things will not be so clear in Asia as they have been in Europe.
While many speak of developing a deterrence strategy to prevent Chinese and others from attacking our space systems, we risk being misled by false assumptions promulgated by the members of the arms control community. Many of them assert vociferously at every opportunity that space has always been a peaceful sanctuary and that any interference with our satellites will instantly put the US or other world powers on the path to nuclear warfare. We know that both of their premises are false. Space has never been a sanctuary, and interference with satellites is commonplace. As demonstrated daily, such interference does not trigger nuclear wars. Nevertheless, they insist the remedy to their imaginary scenario is to sign-up for all forms of codes of conduct or other arms control agreements. Behind their altruistic shroud seems to lie an agenda aimed at undermining nation-states’ abilities to defend themselves from hostile or unlawful use of space or the systems that operate there. To what end? To whose benefit?
So, where is all of this technology taking us? Anticipating the future is something I’ve been privileged to do as the Director of Dream Works in the Pentagon’s National Security Space Office and later as the Director of the Center for Strategy and Technology where I led the Chief of Staff’s Blue Horizons project. It was my job to meet with ‘mad scientists’ not necessarily to find out how they were progressing with their government or commercial research, but to find out about their passions – what they were working on in their spare time and where they think the technology will lead. One such discovery I made that is starting to make the news is a helmet that can read your thoughts. Yes, I said, ‘read your thoughts.’ I visited a laboratory that was working on improving the brain-mechanical interface to improve the performance of prosthetic limbs. They had taken a bicycle helmet and hollowed out its ribs and inserted electroencephalograph sensors that were connected by wires to a computer.
They are now able to map the firing of neurons and synapses throughout the brain whenever the brain is stimulated. Whenever you see, hear, smell, feel, or taste anything there is a distinct brain pattern that you create in response to that stimulation. What they discovered is that by watching a very simple movie and reading a story, they are now able to use this helmet to map where those specific thoughts and memories generated by the movie are stored in a subject’s brain. After watching the movie, they invite their subjects to have an internal dialog with themselves. While this is going on, the scientists are able to read the stream of conscious thoughts of each subject on a computer screen. It is not perfect, but they can identify what the person is thinking about with roughly 50% accuracy. This is brand new technology that has only existed for months. Where will this technology lead? This offers great hope not only for prosthetic users, but for brain trauma victims, coma patients, and the like. The gaming industry is highly interested in this, as you might imagine!
Combine this with other technology being developed to make truly handless devices – a wifi system that does not work on machine-to-machine interface, but rather from machines directly to the human neural system. Think of wifi between peoples’ nervous systems! What society in general and policy makers in specific need to be thinking about now are the implications of ‘hacking’ peoples’ central nervous systems without their awareness. Stealing their thoughts. Robbing them of mental privacy. Think also about the implications of inserting thoughts directly into their brains, not just as a matter of learning, but programming their thoughts and opinions! This goes on today in the commercial marketplace of advertisement and marketing, but we have a gap between the marketers and ourselves. What if they can manipulate our belief systems without our awareness? Marketing, education, religion, and political campaigning will embrace these technologies.
Will we be ready? I answer this question with a strong ‘maybe.’ I believe we are witnessing the evolution of the sixth medium of warfare. In addition to air, land, sea, space, and cyber, we will soon be fighting in – what shall we call it? Mental space? Psychic space? Neurospace? It is most likely that our authors here with us today will name this new medium for us.
This seems quite scary, far-off in the future, and highly imaginative. However, the devices to make this possible are being developed in garages, on workbenches, and in laboratories today. William Gibson, the author of Neuromancer, the book wherein he coined the term ‘cyberspace,’ tells us, ‘The future is already here. It’s just unevenly distributed.’ This technology is out there and I have given you a glimpse of where I anticipate it heading. It is clear that we will improve our engagement with the future if we study it intently today.
I want to emphasize the importance and credibility of proper future science. I will finish with a little story. The famous physicist, Michio Kaku, passed it along in his book Visions. He tells us that back during the War a Frenchman writing about Paris in the Twentieth Century took note of the developing rocket technology of the day and the mechanical prowess of the Americans. He concluded that America would likely be the first to the Moon, doing so with a multi-stage rocket, blasting three astronauts on their way from Florida, and returning to splash down in the ocean. The Frenchman’s clairvoyance is made even more remarkable by the fact that the year was 1863 and the War was the American Civil War! The Frenchman was Jules Verne, who filled his time interviewing scientists and inventors, pressing them to explain how far the technology they were working on could go. As the late Paul Harvey used to say, ‘And now you know…the rest…of the story.’
In summary, we have been living in the age of space and cyber warfare for a number of decades now. There is no negotiating our way out, and no treaties that can be made to stop it. In fact, in most cases space and cyber warfare is employed in lieu of using lethal and destructive force against people and property.
In an age where super-empowered individuals and groups cannot be deterred, the only way forward is to invest in space and cyber defenses and plan to operate through whatever interference they cause. Eliminating critical dependencies on space and cyber is essential, as well as creating robust terrestrial back-ups for both mediums. We can already glimpse with some discomfort where technology is taking us, but we can begin now to prepare for the emerging realities.
I look forward to learning from the rest of today’s distinguished speakers, and once again, I thank Rachel Ehrenfeld and the American Center for Democracy for having me here today.
“To Live or Not to Live” — Protecting Against EMP Attack
by Dr. William Forstchen
Author of the best-selling “One Second After”
My background was in the history of technology. And I want to spend just one minute on how I wound up in the field of EMP threat. By a coincidence, on the day that the Congressional report on the threat of electromagnetic pulse came out, which was chaired by Congressman Roscoe Bartlett, and it is an honor to share this forum with Dr. Pry, who was a very key moving force in that report, I happened to be in DC on the same day the report on the threat of EMP was released in 2004. And in a discussion that evening with Newt Gingrich, the comment came up that there was zero response to this report.
Newt asked me to go over to talk to Congressman Bartlett, who inspired me with a very simple observation: that the problem truly is that there’s no constituency. Mention EMP to any group of citizens, and you’re nowhere. Mention any number of other issues: The one I like to point out is (we might recall) that horrific incident about four years back of a woman who was attacked by a chimpanzee and her face was destroyed. Congress passed a law outlawing the ownership of chimpanzees. So you’re safe when you come to my house now. But the point is, what’s the probability threat there of any of us being attacked in such a manner versus the threat of EMP? When writing my novel about EMP, “One Second After,” I was inspired by the classics of my youth, particularly Alas, Babylon and On the Beach.
Thus, I wrote the book with the intent of trying to get a popular novel out there that took a complex issue and put it into a small community, and what happens to each one of us individually. What happens to us, our parents, our children, our town? And the book was 12 weeks on the New York Times bestseller list.
I want to shift into some of the things that, as my background in military history and the history of technology now applies to warfare, and that is the issue of EMP.
EMP is a first-strike weapon. And it’s a technological game changer. Throughout the history of warfare, we have always seen that the losing side in a war often trumps the victor in the next conflict by rethinking the paradigm. A very simple example is Crecy and Agincourt, battles fought during the 100 Years War of the 14th & 15th century where the M-1 tanks of their time, the French armored nobility, suddenly encountered English longbow men.
Thus we see all the way to the present a technology that’s been dismissed (or recently realized) that trumps what’s considered to be the existing, dominant force on the battlefield. What is the primary issue that Sun Tzu talks about – and almost every military writer after him – regarding the opening moves of warfare? The destruction of command and control. If you can shut down the command and control of your opponent, you have pretty well won the day before battle is even joined. What is the best way, currently, to take out command and control? It would be cyber attack or EMP.
I was thinking last night about something of the issue of morale. I recently read that what really broke the morale of the average German soldier – starting around 1943 – was not necessarily their being pushed back in North Africa or the debacle on the Eastern front. It was men going home on furlough or wounded or getting letters and seeing that city after city after city was getting leveled. While they fought on the front lines, their wives, their children, their families, their homeland was being flattened. That was a crucial factor in breaking the morale of the German troops. I remember talking with a German soldier, a veteran of the Russian front, who said the most terrifying experience of his life was that he happened to be in Hamburg when it was hit. He said it shook him for the rest of the war.
He realized they were going to lose, as he put it. We see regarding command and control, a first strike via EMP or cyber attack as a decapitation of information. But it also strikes morale. And then you have societal breakdown. We need not go through an exercise here of what happens if the electricity turns off in the next minute and what happens to this city within the hour.
But, as an old hero of mine, Rod Serling, once said: “Presented for your consideration.” I present for your consideration what if on 9/11, we all saw the first minute of the impact on the second World Trade Center tower and the Pentagon. And then the entire news grid went down. Think of the panic that would have struck across the country within the hour. We have been used to ever since the age of technology – excuse me, actually since the advent of telegraphy – to having instant access to information. Particularly within the last 15 years. I’m a college teacher. If my kids walk out of the classroom (or even in the classroom) and they can’t immediately text their boyfriend or their parents, they’re throwing a panic attack. Think of the shutdown of command and control but also the communication grid of a civilian society. What happens next? It’s a grim proposition.
One of the things that I found difficult in communicating the threat of EMP and cyber attack is that the mere discussion of it often brings on a certain level of shock and resulting non-responses. A good analogy to that is what the film On the Beach created. How many of you have actually seen the film On the Beach? I read an article a while back pointing out that On the Beach was a contributing factor in the shutting down of the American Civil Defense system that had been developed in the ’40s and the ’50s. The reason being that when On the Beach came out, it presented such an overwhelming, catastrophic view of thermonuclear war as a planet-destroying event, that the attitude then became: “Why in hell are we even bothering to try and prepare our infrastructure, build command and control centers, dig bunkers in back yards? It’s all meaningless.”
The infamous line: “The living will envy the dead.” That is the problem that we here face today. How do we convince the general populace, voters, the people up on the Hill, that the cyber threats that you’re talking about – which sound sci-fi to some, how do we convince them that these are real and that in preparing for such an event we might actually prevent an enemy from attempting it? It seems so overwhelming that most people react with: “Oh, hell, somebody else will figure it out.” Or: “I’ll go back to my Xbox.”
I do see glimmers of hope. There are constituencies that are starting to react. How many of you are familiar with the fact that the state of Maine has actually passed a bill to start infrastructure hardening? The state representative who wrote the bill read my book and decided to respond protectively rather than give in to passive inaction. The same is about to happen in my home state of North Carolina. I’d like to introduce my friend Sid Morris, from Charlotte, North Carolina, who is with us today. Sid’s NOAH Foundation is working aggressively with the State of North Carolina, and also with Duke Energy. I think we’re going to be on the edge of agreements both with Duke and with the governor of North Carolina and in turn our state legislators. North Carolina will thus start to prepare as well. So even if we’re not seeing success at the federal level, we are starting to see success at the state level.
[Moderator Rachel Ehrenfeld asks what NOAH is doing. Forstchen responds.]
They are working on developing survivable infrastructure. Developing command and control nodes that are survivable, addressing issues of cyber security, and hardening infrastructure against EMP. That’s the goal that the NOAH Foundation – they’re just down the road from me and they operate politically and within the community.
We’re having a remarkable experience here, today. But we’re all preaching to the choir. How do we build a broader constituency to react to make sure devastation via EMP doesn’t happen? Or better yet, to create such a sound infrastructure that an opponent dare not risk such an attack as a first strike, knowing the impact will be minimal and the response overwhelming. Thank you for the honor of being here.
EMP & Nuclear Proliferation Threats
by Dr. Peter Pry
President of EMPACT America and former Director of U.S. Nuclear Strategy Forum
I am the Executive Director of the Task Force on National and Homeland Security, which is a congressional advisory board. And before that, I worked on the House Armed Services Committee, and before that the CIA. I’ve spent all of my professional life working on weapons of mass destruction, including EMP. EMP is the threat that’s always concerned me the most because it was the least understood and it can do the most damage with the smallest investment. But I think all of us here seem to be experts on EMP now.
On EMP, China and Russia are light years ahead of us. On the Congressional EMP Commission, we found that Russia has developed what they call a Super-EMP weapon, a new generation of nuclear weapon specifically designed to create EMP. The Super is basically a gamma ray producer. Very low yield; on the order of a couple kilotons, or even less. And it generates a tremendous EMP pulse, an E-1 pulse of 200 kilovolts per meter, according to Russian military writings. That is for every meter of dimension in the object being attacked, you get 200,000 volts. So if it’s 2 meters long, that’s 400,000. Multiply by 200,000 volts the dimension in meters of the target – that’s the amount of energy. Imagine the energy transferred to power lines or communications lines that can run for kilometers.
The EMP phenomenon begins above an altitude of 30 kilometers. But the ideal attack would be to place one about 400 kilometers within the center of the country. That puts the EMP field down over all 48 contiguous United States. And it would be 100 kilovolts per meter at the horizon with the 200 kilovolt peak field. Russia and China are the only countries in the world that have hardened their infrastructures against EMP. They did it back in the Cold War because they believed you could fight and win a nuclear war. At least the Soviets did. And we now know – fairly recently because it’s only a recent discovery – about the so-called Underground Great Wall in China. The Chinese have built thousands of kilometers of underground facilities very similar to what the Russians and the Soviets before them did. And they have hardened their critical infrastructure.
The Russians told us – we were actually visited by a delegation from Moscow, two Russian generals, their top experts on EMP – to warn the Commission that there had been a technology leak from Russia to North Korea on the secret of the Super-EMP weapon. They predicted – this was in 2004 – that, within a few years, North Korea would be capable of developing a Super-EMP weapon. And a couple of years later in 2006, they did their first [nuclear] test. And all of the tests have been the same. These low-yield weapons, one to three kilotons, the Western press has tended to declare to be failures because the yields were so low. I mean, a nominal atomic bomb should have a yield of about 10 kilotons.
These are on the order of one to two kilotons. And no leakage of radionuclides from the tests, which almost always happens. This indicates something like a pure fusion weapon, which is consistent with the Super-EMP weapon. South Korean military intelligence independently came to the conclusion that Russians were in North Korea helping them develop Super-EMP weapons. Then in 2012, a military commentator for People’s Republic of China said the North Koreans have Super-EMP weapons.
To make matters worse, you don’t actually need a Super-EMP weapon. Any nuclear weapon would do: our electrical grid is not hardened, at all.
Any nuclear weapon detonated anywhere above 30 kilometers over the Eastern U.S. would cause a national catastrophe. You could use a meteorological balloon to get up that high. Last year an acrobat had himself lofted up into the stratosphere by balloon above 30 kilometers with a heavy sky-diving suit demonstrating that you can get heavy objects up to that altitude by balloon. We knew it before he did that. One of our concerns was that you could use a meteorological balloon to lift any kind of warhead up to that altitude, 30 kilometers or higher, and detonate the warhead anywhere over the United States – preferably someplace over the Eastern seaboard, because the Eastern Grid generates 70 percent of our electricity. And the country can’t survive without the Eastern Grid. If you take down the Eastern Grid, all the critical infrastructures are going to collapse.
One of the things that makes this so tragic is there’s really no excuse for the country to be vulnerable to EMP. We have known for decades how to protect military systems against EMP. And it’s far easier to protect the civilian grid. There are things like Faraday cages and surge arresters they could use. At the heart of the grid are EHV transformers, Extremely High Voltage transformers. They are to our civilization what the aqueducts were to the Romans. You can’t have a grid – you can’t have a modern society – without these EHV transformers.
They aren’t built in this country anymore. They were invented here by Nikola Tesla. They were originally built here. We exported the electric grid to the world. But unfortunately, like so many things, we don’t make EHV transformers here anymore. There’s only two countries in the world that make EHV transformers for export: South Korea and Germany. And the worldwide production of EHV transformers is 180 per year – because the windings have to be done by hand, the old fashioned way, just the way Nikola Tesla did it. And we have about 3,000 EHV transformers in this country. So it doesn’t take a genius to do the arithmetic that if you lose 1,000 EHV transformers, how many years will it take to replace them? And it doesn’t take a year for people to starve to death massively. This is why the Commission estimated that within a year, given our current state of unpreparedness, millions would starve.
There is also natural EMP – because the sun can do this, too, by means of a Carrington class coronal mass ejection. [Holds up a photograph.] That is an actual photograph of a Carrington class coronal mass ejection taken from a satellite. In December 2012 we entered the solar maximum, which means greater risk of the occurrence of a Carrington class coronal mass ejection. You may not be able to see it, but this little blue dot – that’s the relative size of the Earth compared to one of these coronal mass ejections. So you don’t need to be an astrophysicist to understand that if this hits, it’s going to ruin your whole day. A Carrington event would be even worse than a Super-EMP weapon because it would cause an EMP worldwide and collapse electric grids everywhere.
But yet again, the technology is understood, and it’s relatively inexpensive. We think – the Congressional EMP Commission estimated – that for about $2 billion we could protect the whole country, the entire national electric grid. And as we’ve looked at different plans, we’ve been able to bring the price down so that it’s down now around $500 million. There are many ways of doing it. There are three plans described in my book Apocalypse Unknown about how to protect the country, but we haven’t been able to get Congress to do it.
I’m extremely alarmed at what is not being reported in our newsrooms. And while it’s fascinating to talk about the future, I frankly am increasingly concerned that we may not have any future, given how blind we are about what’s going on and what isn’t being talked about. It’s appalling to me to hear the whole focus on the media reporting and what we’re focused on in this town today is over sequestration, over the budget, whether the government is going to shut down.
Going back I guess four weeks ago, over the past four weeks, things that have happened that I find extremely disturbing but that weren’t reported, or were barely reported in the press. I think it was the 2nd of September, on a Monday, when Israel did an unannounced anti-missile test. It was all over the Russian press, but to my knowledge, not mentioned at all except in an article I wrote for LIGNET. The Russian general staff command post went on alert in response to that Israeli anti-missile test and notified Vladimir Putin that unknown missiles were coming out of the Med, headed towards Syria where they have a fleet.
Now, they likened this – their deputy defense minister – likened this to the January 1995 incident (they did, not me), which was the closest we ever came to a nuclear war. And they reminded the international press that on the 25th of January, 1995, when they had detected an unannounced Norwegian meteorological missile, they had nearly pushed the button because they had not been notified. And they likened this thing that happened back in September to the January, 1995 incident. It was the closest we ever came – it was the only time that all three “Chegets,” which is their equivalent to the U.S. nuclear football, the presidential football, were activated.
The Chief of the General Staff, the Defense Minister, and the President – all three of those Chegets were activated, and basically [Mikhail] Kolesnikov, then the Chief of the General Staff, was yelling at Yeltsin, who was President at the time, “Push the button!” And it was only Boris Yeltsin, an alcoholic, who couldn’t believe the United States was going to launch a surprise nuclear attack. He waited and paused for ten minutes. And that’s what spared us. That’s how close we came. And they claim, on the 2nd of September because of what the Israelis did, that this was another incident, a nuclear war scare. Totally unreported.
The Israelis had launched two target missiles. They were testing their anti-missile system. So it was scheduled in advance and the bureaucracy, I guess, just decided – despite the fact that there was a crisis going on in Syria – to launch these two target missiles from the central Mediterranean toward the eastern Med to be intercepted. And the Israelis – only after the Russians came out and made a warning about: hey, who’s launching missiles in the Mediterranean – did they say, well, we did it. And then they declared it was a success.
There’s another event that I’m just sort of amazed at: That is the Russian fleet that nobody seems to think much of. The Russians are closely aligned with Syria, made it clear that their national interests are tied up there. There are probably tactical nuclear weapons on that Russian fleet. Where do our people think these 8,000 tactical nuclear weapons the Russians have are? In storage? We know from their exercises, the military writings, that these things play a very important role in their defense plans. The Moskva, which is now the flagship of the Russian fleet off Syria, during the Cold War, we understood that that thing carried tactical nuclear weapons that had yields of 300 kilotons on anti-ship missiles. So that Russian fleet’s probably got tactical nuclear weapons on it. The whole thing strikes me as being like 1914 all over again.
In Syria the President passed the buck to Congress. And Congress and the President, now that we’re engaged in negotiations, our fleet is still there, we passed the buck to the U.S. Navy and to the Russian fleet as well, who are going to be watching each other because they have no alternative. Both sides, the U.S. and Russian fleets and their military establishments, are watching each other like hawks with their national tactical means, just in case something should happen. What if there’s some kind of a glitch with a satellite? What if Hezbollah or Iran or somebody who would love to see the United States and Russia get into a nuclear war with each other decides to use cyber warfare to try to provoke something? The Iranians have got Silkworm anti-ship missiles from China. They’ve got Sunburn [anti-ship] missiles from the Russians to attack our guys and start a war, like 1914. We’ve got all these actors, many of whom have an interest in seeing us go to war with each other, and nobody’s talking about that.
Let me just step through a couple of other headlines that should have been – things that happened over the past few weeks that have really bothered me that our own Western media has largely ignored. Syria had crossed the chemical redline, but now they’re going to go into negotiation.
North Korea restarted the Yongbyon reactor, and that has gone virtually unreported, which is crossing another redline. That was supposed to be a redline with North Korea: They were not going to restart that reactor, but they did. And not even Fox News has mentioned it. You know, that reactor produces enough plutonium for two atomic bombs a year.
On Friday, Maariv, an Israeli newspaper, reported that interviews with Israeli government experts – Israeli experts who have elected to remain anonymous – show they believe that the redline in Iran has already been crossed and that it’s too late to stop Iran from getting a nuclear weapon.
They concluded that Iran has probably already developed at least one nuclear weapon. And you know, I think that that is so. Congressman Bartlett and I two years ago wrote an article in the Washington Times warning that Iran may already have the bomb. It just astonishes me that we have this – you know, that we truly are a culture of strategic optimists. I mean here’s a country [Iran] that’s had a nuclear weapons program for 30 years – 30 years! And, supposedly, in 30 years they haven’t been able to build an atomic bomb when the United States in World War II, in the Manhattan Project, working with 1930s-1940s era technology, built two atomic bombs of completely different design in just three years.
And the Iranians had help from North Korea, the Russians and Chinese, and, yet, we say that it’s still a year before they’re going to get the bomb! Why do we think that? Because the Iranians told the UN International Atomic Energy Agency inspectors, supposedly, exactly how many centrifuges they really have. The Administration’s calculations are all based on information provided by Iran to the IAEA.
You know, the last thing – building on what Jim Woolsey said – if you pull all of this together, you know, the EMP, the cyber warfare, with the doctrine – the adversary doctrine of the Russians, the Chinese, North Koreans. To them cyber warfare, information warfare, is not just computer viruses. They may use kinetic attacks like those AK-47s that were used in San Jose – all the way up to nuclear EMP attack. And it’s almost like, over the past several years, we’ve seen a dry run happening.
They’ve been attacking us, maybe not doing everything that they could. I think that these things are more like exploratory scouting expeditions to see how vulnerable our critical infrastructures really are to their viruses and those kinds of attacks. Now, we’ve had a couple of instances where we had kinetic attacks on transformers. The San Jose one was clearly professional. They haven’t found those so-called vandals. We don’t know who they were, and they were using AK-47s when they did it.
That North Korean freighter that was stopped for smuggling drugs to Panama had SA-2 missiles on it. Now, that is a nuclear-capable surface-to-air missile. The Russians designed it so that it could carry a nuclear warhead. Now, they didn’t have nuclear warheads on them. But it’s just fascinating that it just happened to be discovered by accident – because they were investigating the freighter for smuggling drugs – that we found that here’s a North Korean vessel that brought a nuclear-capable missile into the Caribbean, which was the EMP Commission’s nightmare scenario.
Our worst-case scenario was that Iran or North Korea or somebody would put a short-range missile, or some kind of missile, on a freighter and do an EMP attack from a freighter, launch it up over the East Coast of the United States. And here we’ve actually found a freighter that had a nuclear-capable missile in it, discovered just by accident when it was trying to go through the Panama Canal. How many other things have been going on like that? So you’ve got all the building blocks here, and I wonder how much time we have. I wonder how much time.
The last thing I will mention is the complexity of our world now and all the different pathways in which things could lead to apocalypse. I mean 99 years ago, this August just past, World War I started because the political and military leadership of the time were overwhelmed by the technology of the time. The technology involved in the act of mobilizing armies was something they didn’t anticipate, the complexity of it, the risk of trying to de-escalate once mobilization had started.
So all it took was one bullet from a Serbian terrorist to send us down a path that our great minds of the time, the political and military leaders and the crowned heads of Europe, could not control. They could not control it. How much more complex is the technology and the difference between war and peace today? Then, the decision between war and peace was based on days and weeks. Now it’s minutes and seconds, and extremely potentially fallible and cyber-vulnerable satellite systems – and all kinds of bad guys out there who would love to see an apocalypse that would take out the United States and Russia both.
There’s just one last thing I want to mention. Thursday, the Russians finished Zapad 13, which is a big military exercise that they held. Again, another thing that hasn’t been mentioned in the press, while they’re negotiating with us on behalf of the Syrians. And this exercise, by the way, was witnessed by President Putin and Aleksandr Lukashenka, President of Belarus. It was a joint exercise between Russia and Belarus that in a matter of a couple of days delivered 22,000 troops from central Russia to the gates of Poland and the Baltic states – 22,000 troops. That is almost exactly the same number of the active duty personnel in the combined armed forces of Lithuania, Latvia, and Estonia – 22,000.
And there were enormous protests. Poles, I think accurately, objected that the exercise featured a simulated nuclear strike on Warsaw. So here’s just another thing that the Western press seems to have no interest in whatsoever that might perhaps raise some questions about the sincerity of our Russian negotiating partners in Syria and the like. Anyway, thank you for letting me get all those events off my chest. What their collective significance is yet, I hope, will come to no significance.
Next-Generation Space & Cyber War
By William B. Scott
Former Editor, Aviation Week/ Author of the best selling “SpaceWars” and “CounterSpace” and “The Permit”, Senior Fellow, American Center for Democracy
John Kenneth Galbraith once said, “Only a fool tries to predict the future.” If that’s so, there’s an abundance of well-paid jokers in prestigious think tanks and on cable TV talk shows. However, a much larger – and less-well-paid – group of hopelessly afflicted prognosticators can be found in the ranks of fiction writers. Science fiction and techno-thriller authors, in particular, can’t resist future-gazing; it’s in our DNA to dream up an engaging story by starting with a simple question: “What if…?”
History suggests that writers have a better track record of foreseeing world events and technological advancements than think-tankers and TV talking heads do. Or maybe not. One school of thought says fiction writers don’t really predict the future; their stories merely prompt policymakers or scientists and engineers to think differently about a problem, and events unfold along the same lines sketched by authors.
Having worked as both an engineer and aerospace journalist, I can testify that writing techno-thriller novels is more fun than solving real-world technical problems and reporting hard news. Authors can dream up wild stories and high-tech weapons, yet never worry about annoying constraints like facts and physics. We rarely have to be concerned how a futuristic system would actually be designed, built and employed.
That said, authors are pleasantly surprised when future-gazing scenarios and systems they wrote about years earlier actually come to pass. Rather than predicting the future, though, I think we merely look at a geopolitical situation or technology and extrapolate forward several years.
I’d like to share some of the futuristic space-related capabilities that started as “What ifs,” and ultimately were incorporated into our “Space Wars” and “Counterspace” novels. Please consider the potential impacts, if America’s smart scientists and engineers actually developed and fielded the following:
* A MASER beam weapon that disables an adversary’s satellite, by creating mini-electromagnetic pulses in electronic systems. It’s feasible, and sources claim it’s been done in the Navy’s China Lake labs, by initially firing a laser to create a momentary “waveguide” or “filament” through the atmosphere, then firing a MASER’s microwave pulse down that channel.
* Hypervelocity weapons delivered from a piloted spaceplane in low-Earth orbit. Basically a titanium bar boosted by a rocket, these “Rods from God” can take out an underground nuclear facility without an explosive. A dense-material “warhead” propelled at hypersonic speed delivers a tremendous amount of kinetic energy in a brief time span. Basically, a Rod from God has the impact of a tactical nuclear weapon – but is covert and leaves nothing behind that can be traced to the U.S.
* Space-based “Angels and Demons.” “Angels” are small, stealthy spacecraft deployed in-orbit to protect our own high-value satellites. “Demons” hover near an adversary’s satellite, quietly waiting. In an emergency, “Demons” can be activated and ram the bad guy’s satellite to disable it. If a “soft kill” is warranted, a Demon might just squirt “slime” onto a target’s optics to temporarily blind a reconnaissance bird.
* A “Hoover” anti-satellite system. This is a stealthy spacecraft that could vacuum-up debris left in orbit by China’s 2007 hit-to-kill test, for example, then park behind an active Chinese military satellite. During a conflict, “Hoover” could silence its neighbor by firing orbital debris at the satellite. People’s Liberation Army forensics experts would have to conclude that they’d “shot themselves down” with their own space junk.
In the cyberwar realm, here are some futuristic weapons and information warfare scenarios my coauthors and I dreamed up, starting with a “What if…?” question:
* Employing modern American fighter aircraft fitted with advanced electronically scanned array or AESA radar systems to launch a covert attack against an adversary’s oil refinery and shipping port. In our Counterspace novel, AESA radar beams fired by stealthy F-22 Raptor and F-35 Lightning II fighters are combined to create mini-EMPs that destroy microprocessors and electronics circuitry in a Venezuelan oil refinery’s control system. Valves randomly open and close, creating havoc and extensive damage throughout the oil-handling and shipping complex. Bottom line: Hugo Chavez[’s successor] couldn’t ship a drop of oil for months, causing massive economic problems – and he had no idea what hit him.
* An electromagnetic or electrostatic system that remotely disrupts the electrical activity of a human heart. Fired from a drone or aircraft, these tailored signals trigger heart attacks and strokes, covertly killing a rogue nation’s dictator or terrorist cartel’s leaders.
* “Smart Dust” to locate and neutralize terrorists. Tiny, nano-scale systems that can be programmed to operate cooperatively would be scattered from the air over a target community. Microscopic “Hunter-Bots” could be programmed to search for the DNA of a particular suicide bomber. When they get a match, they’d clear in companion “Killer-Bots,” which would be ingested by a terrorist’s wife, children or siblings. Bio agents coating the Killer-Bot nanoparticles would radically alter the target’s behavior, ultimately causing considerable shame to be heaped on the suicide bomber’s memory. Soon, nobody volunteers to strap on the suicide belt.
* The ultimate cyber attack might be a biostatic signal that affects a person’s brain, by altering his thoughts. Maybe a wannabe suicide bomber’s thinking could be reprogrammed, inspiring him to leave his explosive vest in the attic and just keep driving the cab.
* Along the same line, what if biostatic signals could be tailored to a person’s DNA, enabling the insertion of false images into a specific target’s brain? He THINKS he sees an object with his eyes, but the object isn’t really there. It only exists as an image in his brain, created by engineered biostatic signals beamed from a stealthy drone. The target could no longer tell the difference between what’s real and what his brain falsely registers as if it were seen through his eyes.
What might be the effect of “brain-spoofing” – inserting false imagery? Maybe a political or military leader would conclude that he’s hallucinating and going crazy. Could that leader rapidly lose the confidence and trust of subordinates, rendering him ineffective?
Bottom line: Brain-spoofing and cyberwar weapons designed to interact with human biological systems would be invaluable for instilling fear, doubt and division in an enemy force.
Such wild-eyed concepts and scenarios may be confined to the realm of fiction, never to be realized in the real world. But perhaps the mere possibility that they could be developed and fielded is enough to neutralize threats. That’s why authors and screenwriters are a form of cyberwarrior. Historically, fiction/entertainment has been employed as one of mankind’s most powerful vehicles for shaping perceptions. Stories are no-harm, no-foul vehicles, allowing one to suspend skepticism and barriers to belief. After all, we’re just being entertained, right?
Hollywood’s been using subliminal programming quite effectively for decades. For example, movies in the 1950s and ’60s, such as “On The Beach” and “Dr. Strangelove,” portrayed the horror of nuclear war in vivid, personal terms. Did stark movies and literature of the time help shape policies and decisions that prevented nuclear war? It’s hard to tell, but maybe they inspired us to collectively decide, “Let’s not go there.”
A second example: “The China Syndrome,” a gripping movie about a nuclear reactor meltdown, was released in 1979. About three weeks later, the real-world Three Mile Island reactor accident occurred. The combination of movie and real-world accident virtually killed the nuclear power industry for more than thirty years.
Perhaps it’s a stretch to classify fiction and entertainment as “soft cyberwar,” but what if…? What if fiction authors and Hollywood screenwriters were engaged to create entertainment featuring advanced, horrific weapons and tactics that instilled fear and dissension among terrorist bands and deadly criminal cartels? What if these stories rapidly spread throughout a culture via books, TV shows, the Internet and movies, capitalizing on the power of entertainment to shape perceptions?
What if such a campaign were already underway? Maybe it is.
Cyber Survival: Why We’re Losing and What’s Needed to Win
By Steven Chabinsky
Former Deputy Assistant Director, FBI Cyber Division, Senior Vice President of Legal Affairs and Chief Risk Officer, CrowdStrike
Cyber security is not just about the computer on your desk, or even the remote computer sitting somewhere in what we now call the cloud. A different way of looking at it is to consider cyber security an issue that concerns any technology that has a computer chip in it. Cyber security issues extend to information and information systems, and increasingly they extend to products and services we use in our day-to-day lives. We are facing a technology issue in which similar vulnerabilities exist to your information as they do, for example, to the new generation of biomedical implant devices that allow for remote diagnostics.
When we think about the harms that can befall our information, information systems, products and services, we typically categorize them into categories involving risk to their confidentiality, integrity, and availability. Every day in the newspapers we read about harms to confidentiality. Every day someone’s online data is compromised and corporate trade secrets stolen. But, that’s not what keeps most people up at night.
Rather, the possibility of having integrity problems, where you cannot trust the data that you’re seeing, is a far greater problem. The idea that you could alter perceptions through technology is the digital equivalent of the Mission Impossible movie where a security camera is in the corner of a room, but the night watchman is deceived by the spy who created a picture of the room empty, put it at the right focal length in front of the camera, and then went on to do anything in the room he wanted.
The cyber equivalent is happening now. Indeed, it happened ten years ago to the electric power grid, when software failures in an Ohio operations center resulted in computer screens that never updated to reflect the developing, and increasingly bleak, situation. As far as the control room was concerned, everything was great. Meanwhile, there was a rolling blackout and the Midwest witnessed the shutdown of over 250 power plants that included 10 nuclear power stations. So, you might be inclined to say, “but that wasn’t from a hacker, I remember it was merely a computer glitch.” You would be right. Still, I’m reminded of the saying that anything that can happen by accident can happen on purpose. In other words, just because this particular example was accidental, don’t feel a false sense of hope that the next time it won’t be intentional and calculated to result in maximum harm.
In addition to crimes against confidentiality and integrity, we are concerned with issues of availability. Talks about availability tend to focus on Distributed Denial of Service, or DDoS, attacks, the idea that somebody is sending so much traffic to a website or server that nobody can access it. Worse yet, though, you might have seen what happened last year to Saudi Aramco, the most valuable company in the world, which reportedly fell victim to a malware infection that purposefully destroyed 30,000 of their computers. Yes, thirty thousand.
As you can see, cyber security concerns extend beyond someone viewing your personal information. The big-ticket items involve information and technology that is rendered unreliable, untrusted, and left irreplaceably in ruins. As to these issues, Bill Forstchen’s novel, One Second After, must be considered one of the most significant works of our time. In it, we are exposed to the nightmares of what happens when technology is no longer available to us. One of the most remarkable aspects of the novel in my view, the core of its brilliance, is that it is set in a small town, an area that is rural and not densely populated, where you would consider it most likely that people can survive without technology. Yet, even there we find utter chaos, confusion, and death. You can only extrapolate from that small town to imagine what is happening in the major cities.
And so, when I hear people talk about a cyber 9/11, or a cyber Pearl Harbor, I’m quite dismissive of those as being appropriate analogies. Instead, what I believe is that we very much might face the equivalent of a cyber Katrina. Where we don’t have resources, we don’t have potable water, we don’t have electricity. What we have are all of the cascading harms that are reflected in Bill Forstchen’s writings, which are every bit or more as devastating as planes with bombs or planes as bombs. These effects are real possibilities, and nations recognize it. Only a couple of years ago, the China Youth Daily featured an article expressing, “Just as nuclear warfare was the strategic war of the industrial era, cyber-warfare has become the strategic war of the information era, and this has become a form of battle that is massively destructive and concerns the life and death of nations.”
Non-nuclear electromagnetic pulse is certainly an emerging threat against availability and, as a result, an emerging risk to our very way of life. I greatly appreciate the efforts of the American Center for Democracy in bringing thought leadership and emphasis to this important topic. Of more immediate concern, however, may be EMP’s baby brother, “purposeful interference,” more commonly known as jamming. We already are seeing people with $25 illegal jammers interfere with the electromagnetic spectrum, most commonly focused on impeding mobile communications. Think about a situation that requires emergency responders to talk with each other, perhaps an active shooter scenario, hindered through purposeful interference.
We are only now beginning to understand how reliant we have become on wireless devices. But, it’s not just about your phone calls, although it certainly includes those. It’s not just about being able to check your email, although it includes that as well. In addition, it may be about critical infrastructure and the ability, for example, to change train tracks through wireless communications. And then we have GPS. When people think about GPS they immediately think about positioning and navigation. But an additional feature of GPS that we’ve grown increasingly reliant upon is its timing signal. And so, if you could interfere with GPS, the timing elements that we’ve relied upon for interoperability and synchronization of networked systems could be rendered inadequate, if not entirely useless.
Stepping back for a moment, we are forced to take in the entire picture of how vulnerable all of our data and systems are, how they can impact our critical infrastructure, our privacy, and even our personal health. On top of that, we must consider the world economy. Everybody knows that our economy no longer runs on a gold standard. There’s no precious metal that reflects every dollar we have. However, what most people don’t stop to consider is that there is no physical dollar that represents every dollar we have. At the end of the day, these are mostly accounting entries that get rationalized in the trillions of dollars, and the integrity of that data is what makes up the world’s economy.
Yet, despite our increasing reliance upon data integrity and security, our culture has created a demand for products and services that are quick to market without resilience, or reliability, or secondary systems in place should our new, untested ways fail. This is quite serious, and I appreciate the opportunity to discuss this with everyone here in order to focus our mutual efforts on improved security.
[Rachel Ehrenfeld: What do you think can be done?]
I think that there are solution sets. One thing, I believe, is that we have failed in a meaningful way to exercise common enterprise risk management principles in this area. We tend to treat the entire Internet and our technologies as needing to share a common environment. It is almost as though we think everyone needs the same levels of privacy and security, and as a result that everyone should use the same Internet protocols and standards for interoperability. This is quite preposterous. When I go to the gas station, I can’t use a diesel pump to put gas in my regular car. The nozzle simply won’t fit. But when I was working at the FBI, I had an unclassified computer, a secret computer, and a top-secret computer, and I could use the same thumb drive to move data back and forth between all of them (although I didn’t). The computers were differentiated only by the stickers we put on them, indicating their classification levels. The computers themselves were the same computers that are available to you in any common consumer store. So that’s the first thing. That has to change. We’ve got to figure out that there are different priorities and that our security posture needs to be different depending on those priorities.
The second thing is, you cannot have meaningful security without meaningful threat deterrence unless we all decide to live in a bunker. It’s just not a possibility. When you think through the risk model, you only have three levers to work from. You could lower the threat, you can lower the vulnerability, or you can lower the consequences. That’s what you get to play with; those are your opportunities. We have seen the almost tunnel-like focus on vulnerability mitigation over the past 15 years. It is impossible to create software and hardware that is interoperable, impenetrable, and iterative. That is as absurd, or actually more absurd, than thinking of creating physical environments where communities are impervious to intentional attack. It is not in any way, shape, or form a possibility. It is even worse, I would postulate, in the technology area because it’s less static than a building. Technology is dynamic; it is constantly evolving with new software, new hardware, and new applications, with each one being quicker to market than the earlier version.
What you see as a result of this is that vulnerability mitigation has worked best in the area of reducing cyber crimes of opportunity, and even then it has serious limitations. We patch our systems, we update our software, and as a result the common criminal doesn’t break into those better-protected systems. They break into the systems that haven’t done that. That’s the same as in the real world. If someone just wants a TV, and your house has the door locked, they don’t go to your house; they go to the one that doesn’t have the door locked. Now, query for a second if everybody locked their doors what would happen? You would see a shift. Burglars would start going through windows, and vulnerability mitigation practices would repeat themselves in that context. In essence, best practices would be raised to protect doors and windows.
Obviously there’s a point where vulnerability mitigation efforts need to stop. We don’t start first with locks on doors, then with locks on doors and windows, then with bars on doors and windows, and then with underground bunkers. That’s not how it works. Instead, we immediately shift to threat deterrence once standard vulnerability mitigation opportunities are no longer cost effective. We put up alarms, we put up video cameras, and those basically say to the adversary: we concede the ground, but now it’s no longer about us. It’s about you. You can get in, but now we’re going to detect you, we’re going to find you, and you will suffer a penalty. It won’t be worth it for you.
Could you imagine if in your place of business the alarm went off at 3:00 in the morning, and the monitoring company calls you. And they say: someone just broke through the front door of your place of business, but don’t be concerned we have the locksmith on the way. How absurd, right? We don’t do that. We call the police. And that is the only reason why burglars don’t like to rob places that have alarm systems. It’s not the noise that bothers them.
Yet, every day, tens of thousands of times a day, across this country we have enemies who are trying to break into our critical infrastructure, into our military institutions, and the response has been to tell the chief information security officer: Make sure you’re continuously monitoring to patch your systems. It doesn’t work, it won’t work, it will never work. So the next strategic opportunity is after we figure out what’s important, to make sure that we build the software, hardware, and protocols necessary for detection, attribution, and penalty-based deterrence.
There are opportunities here that, I think, actually are a happy coincidence. I would suggest that in a lot of areas where security is the most needed, privacy rights are actually not the most necessary. Take the electric power grid, for example. The electric power grid is a high security system in which the owners and operators do not want or need anonymity. No one who isn’t authorized should be touching those systems. The owners, operators, and employees of an electric power company want perfect attribution. So that’s an area that’s ripe for new software, new hardware, new security policies, and less interoperability, all of which should add up to say to would-be attackers: if you are found in our infrastructure (and you will be, because we have designed this system for detection and attribution), there will be penalties.
So, I think there are opportunities, but the first step is to distinguish what we need to protect most, to build in proper threat deterrent models that promote detection and attribution consistent with privacy demands, and then to ensure that policies and resources are in place that will make the possibility of our adversaries being brought to justice a reality.
EMP, Cyber/Space Warfare Question & Answer
EMP, Cyber/Space Warfare Roundtable – Complete Discussion
The Existential EMP Threat
The meeting was supported by Artemis Strategies, and sponsored by the newly established EMP Coalition – of which Mr. Woolsey is the Honorary Co-Chair along with former House Speaker Newt Gingrich. To view briefing charts of Amb. Cooper, click here. A YouTube video of the 2-hour conference is included below.
* An EMP catastrophe also can be created by rogue states armed with nuclear weapons. North Korea already has nuclear missiles and nuclear weapons; Iran nearly so – and these two rogue states actively collaborate on both nuclear and ballistic missile development. It is also plausible that Jihadi terrorists might get their hands on a nuclear weapon – especially if Iran gets such a capability, mate it to a short range ballistic missile they can easily buy and launch it from a vessel off our coasts and detonate it over the U.S. to create a lethal EMP.
* A single nuclear weapon detonated at high-altitude over the center of this country could collapse the electric grid, leading to the collapse of other critical infrastructure and within a year lead to the death of several hundred million Americans. Based on extensive Department of Defense efforts during the Cold War, we (specifically, the Defense Nuclear Agency and the Services) understand EMP effects and how to protect against them, and we have applied these protective measures to harden our strategic systems – but not to harden our critical civil infrastructure. A high altitude nuclear explosion creates an EMP with three wavelength components, a mid-range one that is essentially the same as lightning, a short wavelength one that can cause severe damage to solid state electronics, and a long wavelength one that is essentially the same as that from a solar storm which would couple into the electric power grid that would transmit a massive energy pulse through the grid to focus on a few thousand large transformers, which when severely damaged would require many months to repair – if ever.
* Effective ballistic missile defense (BMD) systems are needed to defend against these threats. But no defense is perfect, so an attacking missile could get through and detonate its weapon above the U.S. (Note that a high altitude nuclear explosion will not immediately kill lots of people – it primarily will turn out the lights and everything dependent on electric power, possibly for an indefinite period.) And since BMD systems provide no protection against a massive solar storm, it is very important to harden the electric power grid to assure that damage from either an EMP attack or a massive solar emission can be repaired and our critical infrastructure reconstructed before major fatalities result from the failure of our just-in-time economy. More on this point, below.
* North Korea probably already can launch a catastrophic EMP attack – and not only with ICBMs that approach the U.S. over the North Pole, for which we have deployed a limited BMD system. North Korea has also launched its so-called Space Launch Vehicle to their south, over the South Polar region, to approach the U.S. from the south. Like the Soviet Fractional Orbital Bombardment System (FOBS) – invented by the Soviets in the 1960s to bypass U.S. Ballistic Missile Early Warning radars (BMEWs) and missile defenses to attack the United States. The U.S. has no BMEWs or BMD interceptors facing south. Iran has also launched satellites to their south – but they are thought not yet to have nuclear weapons. Ending this complete vulnerability can be helped by at-sea Aegis radars and interceptors – and by deploying Aegis Ashore and a BMEWs radar near Panama City, Florida.
* The North Korean freighter Chong Chon Gang was intercepted a couple of weeks ago in the Panama Canal and is still being inspected in Panama. The Panamanians stopped the vessel (which earlier this year made stops in China and Russia), suspecting it of drug smuggling, and discovered in its hold two nuclear-capable SA-2 missiles. Although these missiles were without nuclear warheads, the incident is disturbingly suggestive of the EMP Commission’s nightmare scenario of a nuclear EMP attack launched from a vessel off the U.S. coast, to conceal the identity of the attacker and escape retaliation. We are still vulnerable to this attack scenario, especially from the Gulf of Mexico. We know how to defend against these ballistic missile attacks, for relatively small funding requirements. Indeed, we are already building, in the next two to four years, Aegis Ashore sites in Romania and Poland to protect our NATO allies from Iranian missiles – we can surely afford to build the same defenses for the American people on the same timeframe, probably for less money. Such sites could also help defend folks along the Eastern Seaboard – and our existing Aegis ships operating or in port along our eastern seaboard can defend Americans who live there if they are prepared and trained to do so.
* Hundreds if not thousands of electric utilities in the United States thus far have not acted to protect themselves (and their subscribers) from EMP, and might not be expected to do so voluntarily because national defense and homeland security is a U.S. federal government responsibility. Indeed, our federal government is dysfunctional and doing little if anything to lead a serious response to harden the electric power grid. If you watch nothing else in the YouTube video of our conference, I urge you to watch Jim Woolsey’s eloquent explanation at the beginning of the video to better understand why this problem exists. This discussion leads directly to the reason the House EMP Caucus is supporting the proposed Secure High-voltage Infrastructure for Electricity from Lethal Damage (SHIELD) Act to protect the national electric power grid. In addition, the Department of Homeland Security should develop a new National Planning Scenario focused on EMP to guide all government efforts in countering EMP.
* This condition should be considered in the context of thousands of cyber attacks daily, via computer viruses and hacking to probe U.S. critical infrastructures, searching for weaknesses. These attacks, justifiably receiving increased attention, should account for the known foreign military doctrines of potential adversaries such as Iran, North Korea, China and Russia. They all include acts of sabotage and kinetic attacks – including nuclear EMP attack – as part of their planning for an all-out Information Warfare or Cyber Warfare Operation. Notably, a sabotage attempt last April against electric grid transformers near San Jose, CA, damaged five transformers with fire from AK-47 assault rifles.
* “Connecting the dots” between ongoing cyber attacks, sabotage by AK-47s, a North Korean freighter carrying nuclear capable missiles in the Caribbean should warrant a serious effort to protect the nation’s electric grid. But, for my part, I remain skeptical that Washington will anytime soon overcome its dysfunctional lethargy and urge instead that state and local authorities undertake locally generated initiatives to harden the grid in their respective states. Then maybe powers that be in Washington will eventually live up to their oaths to provide for the common defense.
* With this bottom line in mind, I again applaud Maine Representative Andrea Boland (D-Sanford) for her initiative in getting almost unanimous approval for her Act to harden the electric power grid in Maine against natural and manmade EMP. Notably, she is leading a session at the August 12-15 Summit of the Council of State Legislators in Atlanta to discuss the EMP issues and what they can do to protect their citizens. She will be joined by several others of our EMP Coalition in informing these key representatives from all over America about the problem and what they can do to deal with it. Hopefully, other states will not wait for Washington, but follow Maine’s example and undertake state initiatives to protect their electric grids from EMP now.
For several media reports published following our meeting, see:
WorldNetDaily – July 21, 2013: U.S. Faces Brand-New Cuban Missile Crises
CyberThreats & The Economy
New Strategies to Secure Our Economy from Cyber Depredation
ACD/EWI Briefing, Tuesday, April 9, 2013
George Mason University Law School
Featured Speakers:
Dr. Rachel Ehrenfeld
Director ACD/EWI
Hon. Mike Rogers
Chairman, House Permanent Select Committee on Intelligence; Keynote Address
Michael Mukasey
former Attorney General – “Cyber-Where Time Marches On and Progress Doesn’t”
R. James Woolsey
former Director of Central Intelligence – “Key Elements of Energy Security”
Stewart Baker
former Assistant Secretary for Policy, DHS – “How the Attribution Revolution is Changing Cyberthreats”
Prof. Jeremy Rabkin
George Mason University School of Law – “Retaliating in Cyberspace: Lessons from the History of War at Sea.”
Steven Chabinsky
former Deputy Assistant Director, FBI Cyber Division – “Passive Cyber Defense and the Laws of Diminishing and Negative Returns”
Mark Weatherford
Deputy Under Secretary for Cybersecurity, DHS – “Cybersecurity: Engine for Growth or Economic Anchor?”
Executive Summary
PRINCIPAL INSIGHTS
Cyberattacks on government, public and private industries in the U.S. have caused enormous financial losses and untold damage to our national security. Untold, because hacking victims in both the private and government sectors often are unaware of the attacks or are reluctant to report them (or underreport them), which makes hacking the perfect tool for economic warfare. Indeed, the Defense Science Board public report noted that China has “compromised the United States’ most advanced weapons systems.” While the report understandably didn’t list the weapons, it failed to mention the companies whose systems were hacked. The report warned that the U.S. military is unprepared to win a cyber-conflict. The wrong policies, lack of foresight, budgetary constraints and bureaucracy that shackle the Pentagon do not apply to the private sector, which is able and eager to counter cyber attacks. Its hands are tied, however, because U.S. law forbids such actions.
* Rep. Mike Rogers, chairman of the House Permanent Select Committee on Intelligence, our keynote speaker, noted that the Internet accounts for one-sixth of the U.S. economy today and that 80 percent of U.S. cyber networks are in private-sector hands.
* Rogers believed (at that time) that there was a good chance that his proposed Cyber Intelligence Sharing and Protection Act (CISPA) would be passed by Congress and signed by the president despite the failures of 2012. The event was on the eve of the House mark-up and passage of its version of the bill, which turned out to be dead-on-arrival in the Senate and was also objected to by the White House. Accordingly, the United States has yet to take the first step in cyberdefense: government and private sector information sharing on cyberattacks.
* Cybersecurity – On the question of who’s responsible for protecting from and remedying the effects of cyberattacks on the economy, Mark Weatherford of DHS referred to our status as that of “Constant Remediation.” When the private sector is attacked, it’s each and everybody’s responsibility to take the necessary measures to prevent further attacks. When the government is being attacked, it is supposed to take care of the problem. They seldom work together.
* More than one panelist, but most especially former Director of Central Intelligence R. James Woolsey, noted that state sponsors of cyberattacks are of two sorts: rational actors (such as China) and not-so-rational actors (such as North Korea and Iran). The presence of the latter means that U.S. cyberdefense has to be ready to protect us against all cyberattacks.
* R. James Woolsey presented a complete (and horrifying) picture of the U.S. electric grid’s vulnerability to cyberattacks. Identifying 18 critical infrastructures in the country, Woolsey noted that all of the others depend on the status of the electrical grid. If a substantial portion of the grid were knocked out by cyberattack, or an electromagnetic pulse (EMP) attack, remediation could take years. Such a circumstance would return the United States, not to the pre-Internet 1980s, but to the pre-electricity 1880s. By his estimate, the prolonged absence of electricity would likely mean that two-thirds of our population could die.
* Woolsey also pointed out that, apart from state public utility commissions and the Department of Energy, no one is in charge of America’s 3,500 public utilities and no one is responsible for protecting the grid. The Department of Energy only regulates transmission (but not distribution) and the state commissions do essentially nothing to protect the grid. America’s public utilities in toto commit less to research and development per year than the U.S. dog food industry. Unlike the U.S., Russia, China, Israel and Britain, for example, are “hardening” their grids against attack. The U.S. does not because, in Woolsey’s opinion, “No one is in charge.”
* Christina Ray cited PLA officers Colonel Qiao Liang and Colonel Wang Xiangsui, from their book Unrestricted Warfare:
“So, which [of many unconventional means], which seem totally unrelated to war, will ultimately become the favored minions of this new type of war – ‘the non-military war operation’ which is being waged with greater and greater frequency throughout the world? … Financial War is a form of non-military warfare which is just as terribly destructive as a bloody war, but in which no blood is actually shed. Financial warfare has now officially come to war’s center stage.”
This quote goes a long way to answering those critics who regard “cyberwarfare” and “economic warfare” as exaggerations.
* Former attorney general Michael Mukasey noted that we “have laws against crimes, and at least a comprehensible if not a comprehensive way of applying them. We really don’t have either in the cyber sector;” and, in his estimation, we’ve made no progress over the past decade. Mukasey also noted that, in May 2011, the White House issued a document entitled “International Strategy for Cyberspace,” subtitled “Prosperity, Security and Openness in a Networked World.” He remarked, “I think perhaps a further subtitle for that document, after prosperity, security and openness, might be ‘pick two out of three, so long as the two aren’t security and openness.’” And then there’s the way the document ends, with the pledge that when we do act, it will be in a way “that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible.”
* The U.S. government is interested in the dot-mil and dot-gov segments of the Internet. Mukasey cites Cyber Command head General Alexander as saying “that when he saw a threat to the dot-com portion he thought he had little authority to do more than say – to himself and others in the room – ouch, this is going to be a bad one.”
* In the U.S., the situation regarding cyberdefense is not unlike that besetting our war on terror. Just as we can’t decide where and how to try terrorists, we cannot decide on where responsibility lies, with the government or the private sector: witness the Senate and White House rejections of CISPA.
* Former assistant secretary for policy at DHS Stewart Baker pointed out that there’s been a revolution in cyber attribution, that is, in our ability to find out exactly who’s hacking. It is “not possible to operate in cyberspace these days without leaving little digital bits of your DNA all over cyberspace. It’s just like Pigpen. We’ve got this cloud of data falling off us whenever we move around in cyberspace.” Meaning, hackers are traceable.
* Baker encouraged taking the attribution opportunity: “I’ve been trying to popularize Baker’s Law, which sums up the attribution opportunity this way: ‘Our security sucks, but so does theirs.’ That’s what we need to remember. The hackers are no better at securing their communications and their data than we are, and we know we’re bad at it, right?”
* Baker again: The attribution revolution “creates an enormous set of options for policy makers. Many people know what attribution 101 is. You’ve got all the people who’ve been compromised up on that top line. Then the command and control server which tells them all what to do and receives all their reports about the information. Then headquarters takes that information from the command and control and ultimately passes on to some final customer who actually is going to use the information that has been stolen.
“If we can break down that set of information, we can start penetrating each of those steps along the espionage trail. We can go from attribution to, not deterrence, but retribution.” Baker’s basic position was that deterrence is impossible without retribution first.
* One way to look at where we are now, as Baker noted, is according to the following analogy: “You know how much help you’re going to get from the police if somebody steals your bike: They will tell you how sorry they feel about it, and they will tell you what kind of lock you should buy next time for the next bike you own. That is the treatment we’re getting now from the FBI and the CIA when they don’t have the ability and don’t have the resources to do the help.” According to Baker, the ability and resources exist in the private sector.
* It is instructive to call our current response to cyberattacks “passive defense.” As CrowdStrike’s Steven Chabinsky notes, the entire emphasis is on the vulnerability of the victims and not the actions of the perpetrators:
“It’s absolutely incredible how much cost today is borne by individuals and the private sector in trying to defend their security with little to no return on investment. It’s incredible the amount of time, effort, opportunity cost that’s going into a failed strategy, and how our response to that continues to be information sharing efforts to do more of it. We keep blaming the victim.” Chabinsky likens this to the police sending a locksmith if someone breaks into your front door.
* The current passive approach to cyberdefense actually makes the problem worse. According to Chabinsky, “That’s what we’re doing here, because every time we have our businesses spend more money on security against targeted attacks and raise the bar to this level, guess where the well-resourced, very capable organized crime groups and nation-states bring the threat? To a higher level.” It’s like building a 20-foot wall around a house when thieves can easily buy 30-foot ladders at a hardware store.
* Retaliation and retribution in cyberspace – in other words, cyberoffense as the only conceivable approach to cyberdefense – was generally approved by conference panelists, but none more than George Mason University Law Professor Jeremy Rabkin. He noted that the 2012 Defense Authorization Act said, “Congress affirms that the Department of Defense has the capability and upon direction by the President, may conduct offensive operations in cyberspace to defend our nation, allies and interests.” And then the Senate said, “Wait. No, we can’t just say that. We’ve got to add, ‘Subject to the legal regimes the Defense Department follows for kinetic capabilities, including the law of armed conflict.’ This meant that consideration of cyber retaliation and retribution should be reconciled with the law of armed conflict and, therefore, effectively neutralized the approval of cyberoffense.”
* Considerable attention is being given, when dealing with conflict in cyberspace, to such things as the Geneva Conventions and what the Red Cross has said about the laws of war. According to Rabkin, “Pretty much the Red Cross view of the law of armed conflict is this: it’s how Switzerland would have fought the Second World War–if it had actually been fighting.” Post-Vietnam, Additional Protocol I of the Geneva Convention became something of an international norm. That protocol has it that in armed conflict only military objectives must be involved; nothing must harm civilians or “civilian objects.” This, Rabkin called “utopian” and wholly at odds with how the First and Second World Wars were fought by the Allies. In those instances, we instituted blockades that sought to punish our enemies economically. These certainly harmed civilians and “civilian objects.”
* Non-military retaliation for aggression is hardly new. It dates from the Middle Ages at least and is enshrined in Article 1, section 8 of the U.S. Constitution, which deals with war at sea. There, the Constitution authorizes the granting of letters of marque and reprisal. According to Rabkin, we don’t need to be at war. Our government can grant letters of marque and reprisal separate from a declaration of war. In the early American Republic, when it was impossible to fight the enemy’s army or navy, such a letter allowed private ship owners to attack the commercial navy of the enemy. Were letters of marque and reprisal used to take the offensive in cyberspace, their message, like that of those concerning the sea, would be clear: “You’re aggressing, we’re retaliating. Maybe something less than kinetic battle would convince you to end the aggression.”
* According to Rabkin, “there’s no good reason why we shouldn’t use cyber attack to damage a lot of property, especially in retaliation for enemies who have already done that to us. It is insane to allow the Swiss to tell us how we fight our wars, and it’s doubly insane to have the Swiss tell us how to fight cyber conflict, which mostly won’t rise to the level of war and is something Switzerland knows even less about than actual armed conflict.”
Further, he says, “Is cyber more like naval war–where we disrupt the enemy’s trade and communication, without exempting commerce just because it’s owned by civilians? Or is cyber conflict more like a land war, where we send tanks into enemy territory and then say to enemy civilians, ‘Stay out of our way and we’ll stay out of yours’? I say it’s more like naval war, so what is permissible in naval war should be applicable to cyber conflict.”
* While Rabkin was the only panelist advocating a modern, “cyber” version of letters of marque and reprisal, all generally agreed that the U.S. government should at least authorize private sector counter-hacking which would otherwise be illegal. Moreover, the general conclusion was that the private sector has the will, fiscal means and technical ability that the government may never have.
Concluding this briefing are notes by former Assistant Secretary of Defense and ACD/EWI Board Member Richard Perle (who was unable to attend):
* “Would it make sense for us to approach the Chinese with the following proposition: We know what you are doing and we insist that it stop. If it doesn’t, you should understand that we can do to you what you are doing to us. We don’t think there is much to be gained by stealing your intellectual property (it’s mostly ours to begin with) but how would you feel about the publication of your intergovernmental communications made available to your own citizens? In any society governed as the Chinese govern theirs, the threat of disclosure could be a very powerful deterrent.”
* “I suspect that at some point we will begin to hear proposals for a treaty or treaties, or an international convention aimed at creating norms with respect to cross-border intrusions of all sorts. I hope we will resist the temptation to hope that such an approach offers any substantial protection. What it is more likely to do is compromise sensitive information that we are sometimes able to keep secure, and invite the foxes into the chicken coop. The worst prospect of all would be a cyber version of the Non-Proliferation Treaty–a universal convention based on the premise that any country willing to sign up should have full access to advanced computer science from anywhere in the world. We’ve been down that path before.”
Additional Videos:
CyberThreat & the Economy, ACD/EWI – Part 1 – Introduction – Dr. Rachel Ehrenfeld, Director; Dean Daniel Polsby, GMU School of Law; Michael B. Mukasey, Former Attorney General; Rep. Mike Rogers, House Permanent Select Committee on Intelligence; Keynote Address
Economic Warfare Subversions:
Anticipating the Threats
A Capitol Hill Briefing, July 9, 2012
POST-EVENT REACTIONS FROM PARTICIPANTS
“Challenging thoughts for challenging times.”
— General Michael Hayden
“The Economic Warfare Institute recognizes that the key to meeting economic
threats is knowing who can afford to—and who will gain by—acting on them.”
— R. James Woolsey
“This was a high-level discussion of a high-risk subject. EWI is to be
commended for drawing together panelists with experience in intelligence, law
and commerce to at least begin the process of informing public discussion of the
dangerous prospect of economic warfare.”
— Michael Mukasey
“Thoughtful people must thank the Economic Warfare Institute for gathering
authoritative, creative panelists in a wide range of areas who offer the alarming
insights and unsettling questions that can renew our vigilance and protect our
freedoms.”
— Daniel Heath
“You presented a remarkably informed panel—with a remarkably troubling
message. We will only be safe if we take seriously and prepare for the risks your
speakers identified so ably.”
— Stewart Baker
“Economic Warfare is the current generation’s Weapon of Mass Destruction . . .
and the Western system of finance and trade is the target.”
— David Hamon
“The Economic Warfare Institute is today’s Paul Revere, sounding an urgent
alarm, before attacks on key sectors of the American economy bring modern
society to its knees. Just as 19 jihadists armed with box cutters murdered about
3,000 of our fellow citizens, equally determined enemies could cripple the U.S.
with dirty money, a few computers and a box of matches.”
— William B. Scott
Videos from the Event
Dr. Rachel Ehrenfeld, Director ACD/EWI
David Hamon, Distinguished Analyst, Analytic Services (ANSER),
former Director for Strategic Research and Dialogues, Defense Threat Reduction Agency (DTRA)
General Michael Hayden, principal, Chertoff Group, and former director, CIA and NSA
R. James Woolsey, Chairman, Foundation for the Defense of Democracies, former
director, CIA, and member, ACD/EWI Board of Directors.
Daniel Heath, Managing Director for North America, Maxwell
Stamp PLC, and former U.S. Executive Director Alternate, IMF
Stewart Baker, partner, Steptoe & Johnson LLP, former assistant secretary
for policy, Department of Homeland Security, and author of Skating
on Stilts: Why Aren’t We Stopping Tomorrow’s Terrorism
William B. Scott, former editor, Aviation Week,
former official, National Security Agency, and author of Space Wars
David Aufhauser, partner, Williams & Connolly LLP, and former
general counsel and chief legal officer, U.S. Department of the Treasury
Michael Mukasey, partner, Debevoise & Plimpton,
ACD/EWI board member, former attorney general of the United States
2010 SPEECH Act Celebration
These videos were filmed at the celebration of the enactment of the 2010 SPEECH Act, a federal anti-libel law initiated by the American Center for Democracy (ACD). Congressmen, ACD board members, free speech activists and others gathered in the Senate Judiciary Committee hearing room on Capitol Hill on September 20, 2010.
Senator Jeff Sessions (R-AL)
Representative Steve Cohen (D-TN)
Former Director of CIA R. James Woolsey
Former Assistant Secretary of Defense, Richard Perle
First Amendment Attorney, Floyd Abrams
Professor Ruth Wedgwood
Judy Platt, Association of American Publishers
Dr. Rachel Ehrenfeld
Josh London, ZOA