How to Meet the Cyber-Threat against America in the 21st Century

Security through strength is no longer a completely reliable mission statement.  The cyber-threat is a great equalizer.  There can be an adversary from anywhere in the world.

Though people tend to discount the cyber-threat since it occurs slowly and there is no tangible evidence regarding potential attacks, the risk of cyber-warfare damaging American national security is nonetheless real.  American Thinker interviewed former Homeland Security Director Michael Chertoff, former CIA Director Michael Hayden, former FBI Executive Assistant Director Shawn Henry, and Congressman Mike Rogers (R-MI), chairman of the House Intelligence Committee, to get their thoughts on this new and dangerous threat.

Henry feels that America is currently not winning the battle.  Part of the problem is that people are complacent and are not taking the cyber-threat seriously enough.  "A company loses billions of dollars of R&D, but no one is jumping up and down.  When you tell someone a foreign organization is in a computer network, it does not resonate.  An adversary has access to computer networks and can steal all the data.  The integrity of the data can be changed and manipulated.  For example, moving a decimal point to the left or right.  Think about it: everything is now done on computers, and most people do not keep paper backups."  Chertoff agrees but sees an additional problem: that people regard the cyber-threat as a complicated technical issue with too much jargon and too many acronyms. 

Everyone interviewed agree with Chertoff's threat analysis.  And cyber-threats can take many forms: online fraud threat, which has a huge impact on individuals and businesses; a denial of service threat, where people try to intimidate by threatening an attack on a network; and a more serious threat, the theft of intellectual property by groups, sometimes enabled by governments, which steals American technology and uses it to gain a global economic advantage.  Henry told American Thinker that there has been over $100 billion dollars lost to cyber-crime.  "In China, Ford trucks were being produced to the exact color.  They copied and manufactured it at a lesser cost.  They get the technology without the investment."  It boggles Henry's mind that people are not angrily jumping up and down, yet would be furious if a person was caught in an office rifling through someone's private files.

Although the above threats are significant, the most dangerous threat would be an attack on America's infrastructure.  Chertoff cites the example of what recently happened in North Korea, where they attempted to use the jamming of South Korean airplanes' GPS systems.  He also warns that since automobiles may soon have wireless capabilities, someone may soon be able to control your ability to drive.  Everyone interviewed cautions that terrorist organizations are actively looking to buy tools that can create a serious attack.  There are also at least a half-dozen foreign governments -- China, Russia, Iran, and North Korea, to name a few -- that are attempting to target America's infrastructure.  Henry noted, "They have done it to '.mil, .gov, and .com.'  Cyber allows the possible attack where people could die."

Two bills are being considered to deal with the cyber-threat: the Lieberman-Collins Cyber Security Act and the Cyber Intelligence Sharing and Protection Act (CISPA), authored by Congressman Rogers and passed this past April.  The Cyber Security Act involves the security of systems that control the essential services: power, water, and transportation.  Among the requirements: the Department of Homeland Security will assess the risks and vulnerabilities of critical infrastructure systems, working with the owners/operators to develop risk-based performance requirements and to verify that the requirements are being met.  There would also be information-sharing between the private sector and the federal government regarding threats, incidents, best practices, and fixes.

Michael Hayden does not view these bills as necessarily mutually exclusive and sees positive elements in both.  He feels that something must be done and that although America as a country can be threatened militarily, it is "the cyber-threat that affects the individual personally.  It's your data, and your computer.  This threat is the one that has the most immediate personal effect on folks.  The fear is that the highest-level threats, the advanced persistent threats, are now becoming so commonplace that they will be available to the 'hacktavists.'  The great fear going forward is really high-end threats falling into the hands of very irresponsible and dangerous individuals."

Congressman Rogers explained that his bill allows intelligence information to be passed on to protect the consumer so it will be harder for countries like China and Russia to steal intellectual property. Rogers initiated it to try to deal with a huge problem that he feels America is unprepared to handle, a catastrophic event.  He explained that he does not believe in government regulation and intentionally allowed for voluntary participation.  In fact, those supporting the Rogers bill include Democrats, Republicans, and companies such as Facebook and Microsoft.  Hayden is very supportive of this bill because "it moves the ball forward.  It facilitates sharing to protect private firms.  It nudges the government to be more generous when it comes to sharing cyber information."

Congressman Rogers told American Thinker, "This is about the government sharing what it knows with the private sector so they can defend their own network.  There is a 1947 law that allows us to collect intelligence information but not share it.  Our intelligence services go overseas to find out what the Chinese, Russians, North Koreans, and Iranians are doing to us.  They use malicious source codes that steal information or develop a capability to shut down or possibly physically break your computer.  My bill basically allows this information to be passed on to protect the consumer, just like Norton tries to protect your system from a virus.  A malicious source code can hack into your computer, steal your information, or steal a company's information, circumventing your computer's security.  It's only a twenty-page bill that does not include monitoring and reading e-mails."

Does Congressman Rogers see a "wall" being put up by the privacy advocates?  He does indeed -- just as, before 9/11, there was a "wall" placed by civil liberty advocates to prevent sharing between intelligence agencies and law enforcement.  This very practice contributed to 9/11.  Rogers understands that there is a need to balance protection and privacy, but he wants Americans not to be confused between surveillance and sharing.  Henry agrees and goes farther by pointing out that these privacy walls only help the "[a]dversaries that just leap over them.  I believe in privacy, but we need to break down the wall and understand this threat.  Data can be stolen, such as plans to the next generation weapons system, biomedical technology, or they can shut down our water and electrical systems."

Recently, the Department of Homeland Security released details of an unidentified hacker group's cyber-attack on gas pipeline delivery systems in the U.S.  They sent targeted e-mails to gas company employees, trying to gather passwords and personal information that would give them unauthorized access to the networks. 

Chertoff argues, "You can't have privacy without security.  You can have every institution promise on a stack of Bibles that they are going to keep your information safe.  However, if they are vulnerable and criminals take that information, the promise becomes useless.  What puzzles me is that Americans seem to worry about the U.S. government looking at their information, but not foreign governments.  Is it a victory for privacy to keep the U.S. government out of the business to defend, yet allow the Chinese government to come in and steal your stuff for their own purposes?"

Part of the problem is that before the internet and a computerized world, all documents were kept privately.  Personal papers were kept in a safe, a deposit box, or a locked desk drawer.  It was easy to conceptualize between private and public.  Chertoff is hoping that there will not be a "cyber Pearl Harbor, loss of life, [before] we really get serious about this.  We cannot eliminate the risk, but we can greatly reduce it, manage it, and mitigate it.  We have to be constantly changing and evolving.  The internet can no longer be thought of as a kind of Wild West, an open and free area where anyone can do what they want.  There must be rules that protect us."  Otherwise, America's adversaries will gain the upper hand that will affect jobs, the economy, the infrastructure, and personal information.

Security through strength is no longer a completely reliable mission statement.  The cyber-threat is a great equalizer.  There can be an adversary from anywhere in the world.

Though people tend to discount the cyber-threat since it occurs slowly and there is no tangible evidence regarding potential attacks, the risk of cyber-warfare damaging American national security is nonetheless real.  American Thinker interviewed former Homeland Security Director Michael Chertoff, former CIA Director Michael Hayden, former FBI Executive Assistant Director Shawn Henry, and Congressman Mike Rogers (R-MI), chairman of the House Intelligence Committee, to get their thoughts on this new and dangerous threat.

Henry feels that America is currently not winning the battle.  Part of the problem is that people are complacent and are not taking the cyber-threat seriously enough.  "A company loses billions of dollars of R&D, but no one is jumping up and down.  When you tell someone a foreign organization is in a computer network, it does not resonate.  An adversary has access to computer networks and can steal all the data.  The integrity of the data can be changed and manipulated.  For example, moving a decimal point to the left or right.  Think about it: everything is now done on computers, and most people do not keep paper backups."  Chertoff agrees but sees an additional problem: that people regard the cyber-threat as a complicated technical issue with too much jargon and too many acronyms. 

Everyone interviewed agree with Chertoff's threat analysis.  And cyber-threats can take many forms: online fraud threat, which has a huge impact on individuals and businesses; a denial of service threat, where people try to intimidate by threatening an attack on a network; and a more serious threat, the theft of intellectual property by groups, sometimes enabled by governments, which steals American technology and uses it to gain a global economic advantage.  Henry told American Thinker that there has been over $100 billion dollars lost to cyber-crime.  "In China, Ford trucks were being produced to the exact color.  They copied and manufactured it at a lesser cost.  They get the technology without the investment."  It boggles Henry's mind that people are not angrily jumping up and down, yet would be furious if a person was caught in an office rifling through someone's private files.

Although the above threats are significant, the most dangerous threat would be an attack on America's infrastructure.  Chertoff cites the example of what recently happened in North Korea, where they attempted to use the jamming of South Korean airplanes' GPS systems.  He also warns that since automobiles may soon have wireless capabilities, someone may soon be able to control your ability to drive.  Everyone interviewed cautions that terrorist organizations are actively looking to buy tools that can create a serious attack.  There are also at least a half-dozen foreign governments -- China, Russia, Iran, and North Korea, to name a few -- that are attempting to target America's infrastructure.  Henry noted, "They have done it to '.mil, .gov, and .com.'  Cyber allows the possible attack where people could die."

Two bills are being considered to deal with the cyber-threat: the Lieberman-Collins Cyber Security Act and the Cyber Intelligence Sharing and Protection Act (CISPA), authored by Congressman Rogers and passed this past April.  The Cyber Security Act involves the security of systems that control the essential services: power, water, and transportation.  Among the requirements: the Department of Homeland Security will assess the risks and vulnerabilities of critical infrastructure systems, working with the owners/operators to develop risk-based performance requirements and to verify that the requirements are being met.  There would also be information-sharing between the private sector and the federal government regarding threats, incidents, best practices, and fixes.

Michael Hayden does not view these bills as necessarily mutually exclusive and sees positive elements in both.  He feels that something must be done and that although America as a country can be threatened militarily, it is "the cyber-threat that affects the individual personally.  It's your data, and your computer.  This threat is the one that has the most immediate personal effect on folks.  The fear is that the highest-level threats, the advanced persistent threats, are now becoming so commonplace that they will be available to the 'hacktavists.'  The great fear going forward is really high-end threats falling into the hands of very irresponsible and dangerous individuals."

Congressman Rogers explained that his bill allows intelligence information to be passed on to protect the consumer so it will be harder for countries like China and Russia to steal intellectual property. Rogers initiated it to try to deal with a huge problem that he feels America is unprepared to handle, a catastrophic event.  He explained that he does not believe in government regulation and intentionally allowed for voluntary participation.  In fact, those supporting the Rogers bill include Democrats, Republicans, and companies such as Facebook and Microsoft.  Hayden is very supportive of this bill because "it moves the ball forward.  It facilitates sharing to protect private firms.  It nudges the government to be more generous when it comes to sharing cyber information."

Congressman Rogers told American Thinker, "This is about the government sharing what it knows with the private sector so they can defend their own network.  There is a 1947 law that allows us to collect intelligence information but not share it.  Our intelligence services go overseas to find out what the Chinese, Russians, North Koreans, and Iranians are doing to us.  They use malicious source codes that steal information or develop a capability to shut down or possibly physically break your computer.  My bill basically allows this information to be passed on to protect the consumer, just like Norton tries to protect your system from a virus.  A malicious source code can hack into your computer, steal your information, or steal a company's information, circumventing your computer's security.  It's only a twenty-page bill that does not include monitoring and reading e-mails."

Does Congressman Rogers see a "wall" being put up by the privacy advocates?  He does indeed -- just as, before 9/11, there was a "wall" placed by civil liberty advocates to prevent sharing between intelligence agencies and law enforcement.  This very practice contributed to 9/11.  Rogers understands that there is a need to balance protection and privacy, but he wants Americans not to be confused between surveillance and sharing.  Henry agrees and goes farther by pointing out that these privacy walls only help the "[a]dversaries that just leap over them.  I believe in privacy, but we need to break down the wall and understand this threat.  Data can be stolen, such as plans to the next generation weapons system, biomedical technology, or they can shut down our water and electrical systems."

Recently, the Department of Homeland Security released details of an unidentified hacker group's cyber-attack on gas pipeline delivery systems in the U.S.  They sent targeted e-mails to gas company employees, trying to gather passwords and personal information that would give them unauthorized access to the networks. 

Chertoff argues, "You can't have privacy without security.  You can have every institution promise on a stack of Bibles that they are going to keep your information safe.  However, if they are vulnerable and criminals take that information, the promise becomes useless.  What puzzles me is that Americans seem to worry about the U.S. government looking at their information, but not foreign governments.  Is it a victory for privacy to keep the U.S. government out of the business to defend, yet allow the Chinese government to come in and steal your stuff for their own purposes?"

Part of the problem is that before the internet and a computerized world, all documents were kept privately.  Personal papers were kept in a safe, a deposit box, or a locked desk drawer.  It was easy to conceptualize between private and public.  Chertoff is hoping that there will not be a "cyber Pearl Harbor, loss of life, [before] we really get serious about this.  We cannot eliminate the risk, but we can greatly reduce it, manage it, and mitigate it.  We have to be constantly changing and evolving.  The internet can no longer be thought of as a kind of Wild West, an open and free area where anyone can do what they want.  There must be rules that protect us."  Otherwise, America's adversaries will gain the upper hand that will affect jobs, the economy, the infrastructure, and personal information.