Over the past few weeks things cyber have blown up in our faces once again. While some of the media noticed, the gist of the reporting was on who was doing what to us now, not the growing scandal of our essentially supine reaction to it.
Back on March 12, DNI James Clapper gave the Senate Select Committee on Intelligence a worldwide threat assessment, in which cyber led the list. Despite the fact that the Obama administration had gone public on the threat of Chinese cyberattacks at about the same time, Clapper certainly didn’t seem all that concerned. As with the Obama White House, his emphasis was on potential threats to U.S. public infrastructure (electrical grids, transportation systems, water works). However, these he judged to be minimal for the next two years, first, because of the sophistication involved and, second, because those with the ability now—Russia and China—“are unlikely to launch such a devastating attack against the United States outside of a military conflict or crisis that they believe threatens their vital interests.” Incidentally, Clapper expressed the opinion that infrastructure attacks, when they do come, are more likely to come from nonstate actors, i.e., those who won’t be sophisticated enough for at least a couple of years.
This assessment left out any mention of Iran as a state cyberthreat, and this despite its denial-of-service attacks on U.S. banks last fall. It did, however, mention the attack on Saudi Aramco in August 2012 that destroyed 30,000 computers, but failed to mention Iran as the source.
Now, just two months after it was issued, Clapper’s assessment regarding state-sponsored cyber has already been overtaken by events.
On May 23, the Wall Street Journal revealed that Iran-backed hackers have been increasing cyber infiltration and surveillance missions against (guess what?) infrastructure in the form of computer networks running U.S. energy companies: “In the latest operations, the Iranian hackers were able to gain access to control-system software that could allow them to manipulate oil or gas pipelines. They proceeded ‘far enough to worry people,’ one former official said.” The Journal indicated that Iranian hackers had also got into the control systems of power companies. U.S. officials were also cited as saying that the infiltrations were of the same sort that the Iranians used against Saudi Aramco.
The foregoing is serious enough for one to ask what in the world this administration is doing about cyber threats if the DNI chooses to linger so far behind the curve of events. But there’s more bad news—bad news that suggests that things in the cyber realm move far faster than the administration is prepared to acknowledge and respond to.
Although the non-classified version of the worrying Defense Science Board report on cyber came out in March, it took until this week for the Washington Post to lay its hands on some of the classified parts. The initial reporting simply had it that the DSB report noted continuous cyber attacks on the Pentagon but without indication of effect. The classified sections revealed that the Chinese have had access to data from 37 Pentagon weapons programs and 29 other U.S. defense technologies, and that this has happened over the past two years: “A chart included in the science board’s report laid out what it called a partial list of 37 breached programs, which included the Terminal High Altitude Area Defense weapon — a land-based missile defense system that was recently deployed to Guam to help counter the North Korean threat. Other programs include the F-35 Joint Strike Fighter, the F-22 Raptor fighter jet, and the hybrid MV-22 Osprey, which can take off and land like a helicopter and fly like an airplane.” The Post published separately the list of weapons very likely compromised on May 27.
Since early April, the administration has been talking noisily—but not doing anything—regarding all the fronts of cyber defense. White House opposition effectively killed Rep. Mike Rogers’s Cyber and Intelligence Protection and Security Act (CIPSA), drafted to facilitate government-private sector information sharing on commercial cyber attacks. That’s three times since last year that this has happened. The House of Representatives passes a cyber bill and it’s dead on arrival in the Senate at the direction of the White House.
The special pathos here is that the bill is only a first baby step in meeting the cyber challenge and amounts to the authorization of nothing more than basic information sharing regarding attacks made. This is nothing more than achieving the ability to close the barn door after the horse has bolted—that is, provided that it’s the same horse and the same barn. And with cyberattacks nothing is ever the same: its practitioners aren’t that stupid.
The mainstream media has made a big deal out of the purported fact that administration toughness has gotten the Chinese to agree to talk about cyber intrusion. Gen. Martin Dempsey, chairman of the Joint Chiefs, mentioned U.S. cyber concerns to Chinese President Xi Jinping and the military leader Gen. Fan Changlong during his three-day-long tour earlier in May, and now Obama is proposing to talk cyber when he meets with Xi Jinping next month in Southern California.
There isn’t the slightest indication that we will actually do more than talk or, rather, complain. How do we know? Consider the administration’s past record with regard to Chinese cyberattacks (a scandal in itself):
Writing in the Washington Free Beacon, Bill Gertz reported on March 11 that two years ago President Obama rejected a series of tough actions against China. The options were presented to the president over a three-month period beginning in August 2011. The agent was the White House Interagency Policy Committee, a working group directly supporting the National Security Council. According to Gertz,
“The options that eventually were presented included using bilateral and multilateral diplomacy, conducting covert computer network attack operations, levying economic sanctions, and taking legal action against the Chinese government and military.”
In response to the recommendations, the Obama administration in late 2011 decided against approving a comprehensive strategy regarding Chinese cyberthreats. Officials told Gertz that the administration preferred to limit its response to diplomacy and law enforcement efforts: “The officials said the strategy deliberately played down China’s role in the theft of trade secrets and ducked effective action to avoid upsetting relations with China.” So, as with terrorism, the U.S. government is treating cyber attacks as mainly a criminal matter best addressed through law enforcement—as if U.S. courts and lawsuits mean anything to the Chinese.
While the administration currently is so busy not worrying enough about foreign perpetrators, the Department of Homeland Security is really gung-ho on domestic cyber stuff. DHS, by the way, now has more law enforcement agents than any other federal department or agency.
Secretary Janet Napolitano said recently that since its creation in 2009, her National Cybersecurity and Communications Integration Center “has responded to nearly half a million incident reports and released more than 26,000 ‘actionable cybersecurity alerts’ to state and local governments and private sector companies.” She added that the department had “prevented $10 billion in potential losses through cybercrime investigations and arrested more than 5,000” suspected cyber criminals.
Five thousand cybersecurity-related arrests? In the United States? Why might one doubt such large numbers given the paucity of news about them? Of course, what we don’t know is how many convictions there have been or the profiles of those who’ve been arrested. Adolescent hackers? Members of Anonymous? Agents of major foreign governments? Surely not agents of major foreign governments: James Clapper says “not under current circumstances.”
So: We’ve arrested 5,000 Americans while the Chinese and Iranians continue to run amok. They get digitally tough with us, and we get digitally tough with . . . ourselves. Except, of course, when we don’t do anything at all.
Other threats have surfaced lately. No word from Secretary Napolitano on these. For example, distributed denial-of-service (DDoS) attacks on banks and Internet businesses have gone from the temporary annoyance they originally were to something far more serious. Now, apparently, anyone can go to a web-based provider and have the provider carry one out on their behalf. All it takes is digital money (although some services take Visa and MasterCard). Barry Shteiman of Imperva can give you a list of sites that seem to offer DDoS for hire: I won’t list them here. According to the Credit Union Times, “Almost all such sites claim to offer, not rogue DDoS for hire, but ‘stress testing’ so that an organization—a credit union for instance—can check its DDoS defenses. Just one problem: Sources insisted that the majority of stress-testing sites they are familiar with do no verification that the person buying the ‘stress test’ has any affiliation whatsoever with the target.”
But don’t worry: James Clapper tells us not to be afraid of nonstate actors in the cyber realm for another couple of years.
And on it goes. There’s plenty of government scandal to go around at the moment; but what we’re not doing on cyber has long since put us into real danger.
Ken Jensen is associate director of the American Center for Democracy for its Economic Warfare Institute.