Cyber War! (2003)
CYBER WAR! (2003)
In the aftermath of Sept. 11, 2001, as most U.S. intelligence shifted to finding Al Qaeda cells around the world, one group at the White House decided to investigate a new threat -- attacks from cyberspace.
"In the past, you would count the number of bombers and the number of tanks your enemy had. In the case of cyber war, you really can't tell whether the enemy has good weapons until the enemy uses them," says Richard Clarke, former chairman of the White House Critical Infrastructure Protection Board.
In "Cyber War!" Clarke and other insiders talk about a new set of warriors fighting on the new battlefield of cyberspace, and they evaluate just how vulnerable the Internet may be to both virtual and physical attack.
"The thing that keeps me awake at night is [the thought of] a physical attack on a U.S. infrastructure combined with a cyber attack which disrupts the ability of first responders to access 911 systems," says Ron Dick, former head of the FBI's National Infrastructure Protection Center.
The issue of cyber war first began to command urgent White House attention after a distinguished group of scientists wrote an open letter to President Bush in February 2002.
"The critical infrastructure of the United States, including electrical power, finance, telecommunications, health care, transportation, water, defense and the Internet, is highly vulnerable to cyber attack. Fast and resolute mitigating action is needed to avoid national disaster," wrote the authors of the letter, who included J. M. McConnell, a former head of the National Security Agency, Stephen J. Lukasik of the Defense Advanced Research Projects Agency, and Sami Saydjari of the Cyber Defense Agency.
"Ultimately, it turned into about fifty-four scientists and leaders -- former national leaders, intelligence community people as well -- sending this letter that makes the case that says, 'We have a problem here,'" Saydjari tells FRONTLINE.
In "Cyber War!" FRONTLINE investigates a number of cyber attacks that have already occurred in recent years, including "Slammer," which last January took down the Internet in South Korea and affected 911 systems and the banking system in the United States, and the "Nimda" virus that quietly attacked Wall Street in 2001.
FRONTLINE talks to cyber security experts about what these defining wake-up calls reveal about the vulnerabilities of cyberspace. This report also follows efforts by the United States to go on the offensive.
"You cannot defend yourself unless you understand how the offense works. And in so doing, you learn to wage offensives," says John Arquilla, associate professor of defense analysis at the Naval Postgraduate School in Monterey, Calif. Arquilla has helped the Department of Defense develop information warfare strategies utilized in the first Gulf War, Kosovo, Afghanistan, and in the most recent war with Iraq.
But many cyber war experts believe the Internet could be used to launch a major attack on the nation's infrastructure.
"What we found on Al Qaeda computers was that members of Al Qaeda were from outside the United States doing reconnaissance in the United States on our critical infrastructure," says Clarke.
One target, experts say, could be the country's electric power grid. By exploiting vulnerabilities in the supervisory-control and data-acquisition (SCADA) systems that utility companies use to remotely monitor and control their operations, American cities could be left in the dark.
"You could take down significant pieces of it for let's say operationally useful periods of time. Penetrating a SCADA system that's running a Microsoft operating system takes less than two minutes," says a hacker who spoke on the condition of anonymity.
Joe Weiss, a control system engineer and executive consultant for KEMA Inc. reluctantly agrees that the power grid is vulnerable. "A very worst case could be loss of power for six months or more," says Weiss.
This FRONTLINE report also looks at how Clarke, scientists, and some inside the military have tried to convince Washington that cyber security needs to be a priority. They have had limited success.
A few days before FRONTLINE's broadcast, the recently appointed White House cyber security adviser Howard Schmidt announced his resignation, noting that much of his responsibilities have been transferred to the new Homeland Security Department and warning that "cyber security cannot now be reduced to a 'second tier' issue. It is not sufficient to just respond to attacks, but rather proactive measures must also be implemented to reduce vulnerabilities and prevent future attacks."
"I think cyber terrorism is a theoretical possibility," says John Hamre, director of the Center for Strategic and International Studies, a prestigious military think tank. "[But] terrorists are after the shock effect of their actions," Hamre adds. "And it's very hard to see the shock effect when you can't get your ATM machines to give you twenty dollars."
But Clarke -- who as head of counterterrorism for the Clinton and Bush administrations was an early voice warning about Al Qaeda in the middle 1990s -- says cyber attacks are imminent.
"When we have the experts telling us we have a big risk," says Clarke, "wouldn't it be nice, for once, to get ahead of the power curve, solve the problem, so there never is the big disaster?"
1 When was cyber security recognized as a national issue?
Ronald Reagan was the first U.S. president to address the problem, signing the Computer Security Act of 1987 to protect federal agencies' computer data.
Given the growing dependence in the 1990s of U.S. infrastructures on the cyber world, President Clinton in 1996 set up the President's Commission on Critical Infrastructure Protection, led by former Air Force General Robert Marsh and known as the Marsh Commission, to safeguard vital systems such as gas, oil, transportation, water, telecommunications, etc. Two years later, Clinton ordered the government to work with the private sector to secure vital information networks, 90 percent of which are privately owned and operated. Clinton also appointed Richard Clarke as national coordinator for security, infrastructure protection and counter-terrorism.
In 2000, the Clinton administration released its cyber security strategy, which was criticized by civil liberties and privacy groups for advocating a government intrusion detection network. The plan was later dropped.
In October 2001, George W. Bush set up the President's Critical Infrastructure Advisory Board, responsible for developing a national cyber security strategy. Richard Clarke became White House adviser on cyber security.
In February 2003, the Bush administration released its National Strategy to Secure Cyberspace.
2 To date, what events have fueled fears about the security of cyberspace?
According to Richard Clarke, the 1995 Oklahoma City bombing was a precipitating event leading the Clinton administration to rethink the vulnerabilities of the nation's infrastructure: "[It] made us all step back and say, 'My God, very large scale attacks can occur in the heartland of the U.S. and one or two people can wreak havoc in our heartland.' And when the smoke cleared and we started thinking about the implications, Janet Reno said, 'We really ought to look at how vulnerable is our infrastructure.'"
In the years that followed there have been several isolated events that have sounded alarms for the cyber security community:
In 1997, the Defense Department launched an internal exercise, code-named "Eligible Receiver," in which a "red team" of hackers from the National Security Agency (NSA) was organized to infiltrate the Pentagon systems. The red team was only allowed to use publicly available computer equipment and hacking software. Although many details about Eligible Receiver are still classified, it is known that the red team was able to infiltrate and take control of the Pacific command center computers, as well as power grids and 911 systems in nine major U.S. cities.
Not long after Eligible Receiver, the U.S. accidentally uncovered Moonlight Maze, a two-year long pattern of probing of computer systems in the Pentagon, NASA, Energy Department and university and research labs. Although the attacks, which were believed to have started in March 1998, were traced to a mainframe computer in Russia, the perpetrators are still unknown.
As the 21st century began, several cyber attacks involving worms and viruses caused hundreds of millions of dollars in damages. (See "The Warnings?") In the midst of these events, more than 50 distinguished scientists and national leaders wrote an open letter to President Bush in February 2002 calling for a "Cyber-Warfare Defense Project modeled in the style of the Manhattan Project." The signatories to this letter warned that the clock was ticking and that the U.S. was at grave risk of a cyber attack "that could devastate the national psyche and economy more broadly than did the Sept. 11 attack."
3 What are the cyber vulnerabilities most often cited?
As FRONTLINE reports in "Cyber War!" a weak link in America's vital infrastructures are digital control systems, such as SCADA systems. These digital Supervisory Control and Data Acquisition systems manage critical infrastructures such as gas and propane lines, water, chemical manufacturing systems, power grids, etc. They can be remotely accessed and, because of software vulnerabilities in older systems, an attacker could penetrate the systems and manipulate them without being discovered, potentially inflicting physical damage on the critical infrastructure.
FRONTLINE focused on one particular part of this threat, the electric power grid, because the grid is tied into so many other critical infrastructures and because, if the power grid were taken down, it would have a serious pyschological impact on the population.
4 What is known about Al Qaeda's cyber capability?
Following the war in Afghanistan against the Taliban and Al Qaeda, the U.S. captured many Al Qaeda computers, interrogated many Al Qaeda prisoners, and learned that Al Qaeda was farther along in their cyber skills and interest than previously thought. The U.S. found sophisticated engineering software that allows for the modeling of what would happen in the event of a catastrophic failure of a dam, and how to bring that failure about. Investigators also found Internet training manuals and learned that people linked to Al Qaeda were taking classes in Pakistan and elsewhere. The assumption is that their aim was not just learning computer skills for communicating with each other but to learn about hacking tools and other tactics for computer network attacks.
There was one specific Al Qaeda computer in which investigators found software and connections to a programming site where the users had been pulling specific information about digital switches on power and water company system infrastructures. It showed how Al Qaeda was doing research through open, available resources to learn more about U.S. critical infrastructure and how to exploit it. With the growing sophistication of hacking tools -- available on the Internet, easy to download, and easy for people to change and adapt to produce more sophisticated hacking methods -- many experts are concerned about terrorists adopting cyber tactics.
For more about Al Qaeda's cyber interest and prowess, explore this section of this Web site.
5 What are the key government organizations working on this issue?
The February 2003 National Strategy to Secure Cyberspace gives the new Department of Homeland Security the lead in implementing the required measures to protect America's cyber security. Of the 22 organizations that were merged into Homeland Security, four are cyber security offices and programs: the Critical Infrastructure Assurance Office (formerly in the Department of Commerce), the National Infrastructure Protection Center (formerly in the FBI), the response functions of the Federal Computer Incident Response Center (formerly in the General Services Administration), and the National Communications System (formerly in the Department of Defense). In addition, many responsibilities of the White House cyber security adviser have been transferred to the Department of Homeland Security.
In his interview with FRONTLINE, Richard Clarke, former White House cyber security adviser, expresses some nervousness about the new system: "We have asked the Department [of Homeland Security] to carry a huge burden on security of cyberspace. And if it doesn't look like it's doing a good job, we need to blow the whistle. It's too early to tell right now whether they'll be able to do it or not."
6 What is the key recommendation of the National Strategy to Secure Cyberspace?
The cornerstone of U.S. strategy is the implementation of a public-private partnership to secure cyberspace. "In general, the private sector is best equipped and structured to respond to an evolving cyber threat," the report reads. "A federal role ... is only justified when the benefits of intervention outweigh the associated costs. This standard is especially important in cases where there are viable private sector solutions for addressing any potential threat or vulnerability."
Cyberspace security is a unique issue because while its vulnerabilities are a national security problem, 85 to 95 percent of cyberspace is owned and managed by the private sector. It is not surprising that the Bush administration -- generally opposed to solving problems by implementing more government regulations -- would downplay the federal government's intervention in this issue.
However, some experts forecast that when a major destructive cyber attack hits the U.S., all bets will be off. As President Bush's former cyber security adviser Richard Clarke notes, "It's in the industry's best interest to get the job done right before something happens."
7 What are the most contentious issues emerging over how to implement an effective U.S. cyber security strategy?
• To start with, there is debate about just how big an issue cyber security is compared to other threats.
Experts like former Deputy Defense Secretary John Hamre and technology expert James Lewis say that cyber terrorism is certainly a possibility, but it would not have the devastating impact of the Sept. 11 terrorist attacks. "Terrorists seek the shock effect," Hamre notes. "It's hard to see the shock effect when you can't get your ATM machine to give you 20 dollars." Those taking a more skeptical view of the threat of a cyber attack also say that it's very difficult to knock out infrastructure -- industries have been preparing for this and have back-up plans to get their programs back online. In addition, they say the U.S. is far better prepared for attacks on physical infrastructures compared to five or six years ago before several wake-up events brought real attention to cyber security.
But others, such as security experts Joe Weiss and Sami Saydjari, maintain that the day has arrived where a cyber attack could potentially inflict real world physical damage through a terrorist takeover of the digital control systems that run structures like gas pipelines, dams, emergency telephone systems, and electrical systems. There are millions of these digital black boxes. Once they were designed as stand alone systems, unconnected to each other or the outside world and not built with security in mind. But over the past decade these digital control boxes have been connected to the Internet and are increasingly vulnerable.
• Where is the problem? Where does one focus first?
We are only now beginning to focus on the problems posed by our growing dependence on cyberspace, experts say. The debate continues to rage over the nature and degree of the threat and the significance of our vulnerabilities. It seems clear that security must be a major concern for all software and hardware manufacturers, critical infrastructure managers, and individual computer owners, as well.
Experts such as Joe Weiss say that in the short term, to "close the doors and windows" of our critical infrastructure vulnerabilities, security policies have to be strengthened, vulnerability assessments run, and software vulnerabilities assessed and patched. Some experts, such as defense analyst John Arquilla, call for the immediate widespread use of sophisticated encryption programs that are already available. Amit Yoran of Symantec says the country needs to create a culture where security is a requirement to do business, and that message has to start from the top down.
Others complain that known vulnerabilities could be patched if software manufacturers made the process easier. "We have to improve the patching process," acknowledges Scott Charney, Microsoft's chief security strategist. However, he says, "I think now that there's all this attention paid to security, you will increasingly see tools designed to help manage the security of the products."
• In a world of limited financial resources, who will -- and should -- pay for closing the security holes in cyberspace?
Some have estimated an expenditure of tens of billions of dollars will be required over many years. But even then, there's no guarantee all the holes will be fixed. Private industry is reluctant because beyond national security interests it has to worry about liability. Admitting it has a problem in its software or hardware can hurt stock prices and make a company vulnerable to lawsuits. Microsoft's Scott Charney says that his company is putting a lot of its own resources into security, but he warns that ultimately consumers will have to show that they are "willing to pay for security features."
• Do we have the hardware and software to fix this?
Many believe our vulnerability problems will only be dealt with successfully over the long term. Some, including SCADA expert Michael Skroch, say that a new generation of more secure technology is called for. They look to programs such as the Energy Department's National SCADA test bed, a program involving Sandia National Laboratories and the Idaho National Engineering and Environmental Lab, to develop these new systems.
Others, including Sami Saydjari, push for more secure software and better precautions put in place to find malicious code and other vulnerabilities before products make it to the marketplace. Software manufacturers, including Microsoft, promise more secure products, but Richard Clarke and others warn that these problems must be met if we are to expect a more secure infrastructure in the future.
8 FRONTLINE's report focuses on America's vulnerabilities to a cyber attack. What is the extent of the U.S.'s offensive cyber capabilities?
This is a very sensitive area and it is hard to get national security and military officials to talk about it. According to John Arquilla, cyber tactics were employed in NATO's war in Kosovo against the Serbs. Such tactics, for example, were used to distort images generated by Serbian integrated air defense systems. This kind of capability, says Arquilla, was "essential to the high performance of the air campaign." He also says that cyberspace means of attack "were used substantially by our adversaries, both during and after the conflict."
In February 2003, The New York Times reported that the U.S. was ready to use similar, but more technically advanced, tactics in the war to oust Saddam Hussein.
However, there is a big debate and a reluctance to talk about America's cyber offense strategy and tactics because this is an area in which it is especially vulnerable: The U.S. fears that if it introduces such tactics, adversaries will feel free to do the same.
Eligible Receiver is the code name of a 1997 internal exercise initiated by the Department of Defense. A "red team" of hackers from the National Security Agency (NSA) was organized to infiltrate the Pentagon systems. The red team was only allowed to use publicly available computer equipment and hacking software. Although many details about Eligible Receiver are still classified, it is known that the red team was able to infiltrate and take control of the Pacific command center computers, as well as power grids and 911 systems in nine major U.S. cities.
Moonlight Maze refers to a highly classified incident in which U.S. officials accidentally discovered a pattern of probing of computer systems at the Pentagon, NASA, Energy Department, private universities, and research labs that had begun in March 1998 and had been going on for nearly two years. Highly placed sources told FRONTLINE that the invaders were systematically marauding through tens of thousands of files -- including maps of military installations, troop configurations and military hardware designs. The Defense Department traced the trail back to a mainframe computer in the former Soviet Union but the sponsor of the attacks is unknown and Russia denies any involvement. Moonlight Maze is still being actively investigated by U.S. intelligence
Code Red was a worm with multiple variants that first appeared in July 2001 and ultimately affected nearly 300,000 computers in the U.S. Exploiting a hole in Microsoft's IIS Web servers, it was time sensitive based on the date: From days 1-19 of the month the worm would propagate; from days 20-27 it would launch a denial of service attack against a particular site, and from day 27 through the end of the month the worm would "sleep," dormant in the computer. In Code Red's first variation, the affected computers were programmed to launch a denial of service attack against the White House Web site at a certain date and time. If the assault worked, the hundreds of thousands of pings would have overwhelmed the Internet in nanoseconds. Richard Clarke, the president's adviser for cyberspace security, worked with the nation's Internet providers to thwart the attack by blocking traffic to the White House site. Other Web sites were shut down, however, and replaced by a message that read "Hacked by Chinese."
In the summer of 2001, the coordinator for the city of Mountain View, Calif.'s Web site noticed a suspicious pattern of intrusions. The FBI investigated and found similar "multiple casings of sites" in other cities throughout the U.S. The probes were seemingly emanating from the Middle East and South Asia, and the visitors were looking up information about the cities' utilities, government offices, and emergency systems. This information took on a new significance when U.S. intelligence officials examined computers seized from Al Qaeda operatives after the Sept. 11 attacks and discovered what appeared to be a broad pattern of surveillance of U.S. infrastructure.
The Nimda worm ripped through the U.S. financial sector one week after the Sept. 11, 2001 terrorist attacks. Nimda, which is "admin" spelled backwards, was a mass-mailing worm that exploited vulnerabilities in Microsoft software. It was notable because of its sophistication. It could replicate itself several ways -- by infecting e-mail programs, copying itself onto computer servers, or afflicting users who downloaded infected Web pages. Nimda was also significant for its speed and potency -- it affected millions of computers and slowed the Internet. Officials do not believe it was related to the Sept. 11 attacks.
The Slammer worm, also known as the Sapphire worm, hit at 5:30 a.m. GMT on Jan. 25, 2003 -- Superbowl weekend. Exploiting a vulnerability in servers running Microsoft SQL Server 2000 software, Slammer was the fastest cyber attack in history. According to a team of researchers from the University of California at San Diego, Lawrence Berkeley National Labs, and Silicon Defense, the number of infections doubled every 8.5 seconds and Slammer did 90 percent of its damage in the first 10 minutes of its release. Among other things, the worm took down parts of the Internet in South Korea and Japan, disrupted phone service in Finland, and slowed airline reservation systems, credit card networks, and automatic teller machines in the U.S.
How Vulnerable are We?
Cyber security experts and military and government authorities discuss why a cyber attack is an increasingly attractive and effective weapon to use against the United States -- and how imminent the threat may be.
A Letter from Concerned Scientists
Following the Sept. 11 attacks, a group of concerned scientists sent President Bush this letter, in which they warn, "The critical infrastructure of the United States, including electrical power, finance, telecommunications, health care, transportation, water, defense and the Internet, is highly vulnerable to cyber attack. Fast and resolute mitigating action is needed to avoid national disaster." The scientists advocate that the president respond to the cyber threat by setting up a Cyber Warfare Defense Project modeled on the Manhattan Project.
How Real is the Threat?
Many authorities on national defense and the Internet are warning that the critical infrastructure of the U.S. -- including electrical power, finance, telecommunications, health care, transportation, water, defense, and the Internet -- is highly vulnerable to cyber attack. How imminent is such a threat? And how prepared are we? Here are excerpts from interviews with Richard Clarke, former White House adviser on cyberspace security; Amit Yoran of Symantec; O. Sami Saydjari of Cyber Defense Agency; former FBI security expert Ron Dick; James Lewis of the Center for Strategic and International Studies; John Arquilla of the Naval Postgraduate School; former Deputy Secretary of Defense John Hamre; and Scott Charney of Microsoft.
What's Needed to Secure Cyberspace?
Does the U.S. need a regulatory mechanism to get people to pay attention to cyber security? Would liability laws help? More encryption technology? Or a more robust government/private-sector partnership? Here are views on the measures needed and the challenges involved in improving cybersecurity, drawn from FRONTLINE's interviews with Amit Yoran of Symantec; James Lewis of the Center for Strategic and International Studies; John Arquilla of the Naval Postgraduate School; John Hamre, former deputy secretary of defense; Michael Skroch of Sandia National Laboratories; O. Sami Saydjari of Cyber Defense Agency; Scott Charney, chief security strategist at Microsoft; and Richard Clarke, former White House adviser on cyberspace security.
What are Al Qaeda's Capabilities?
Over the past year, investigators have accumulated intelligence about Al Qaeda's interests and skills in using cyberspace to launch an attack. Many experts believe terrorists could likely combine such a cyber-based disruption with a real-world physical attack to amplify the impact. Here are excerpts from interviews with Richard Clarke, former White House adviser on cyberspace security; John Arquilla of the Naval Postgraduate School; James Lewis of the Center for Strategic and International Studies; John Hamre, former deputy secretary of defense; Michael Skroch of Sandia National Laboratories; Ron Dick, former FBI security expert; and a hacker who spoke on condition of anonymity.
Vulnerabilities: The Power Grid?
In a potential cyber attack on the U.S., there are experts who believe one of the targets could be the country's electric power grid. By exploiting vulnerabilities in the control systems utility companies use to remotely monitor and manage their operations, U.S. cities could be blacked out for extended periods of time. Here are excerpts from interviews with Richard Clarke, former White House adviser on cyberspace security; O. Sami Saydjari of Cyber Defense Agency; Ron Dick, former FBI security expert; James Lewis of the Center for Strategic and International Studies; Michael Skroch of Sandia National Laboratories; John Arquilla of the Naval Postgraduate School; and John Hamre, former deputy secretary of defense.
Vulnerabilities: SCADA Systems?
Digital control systems, such as SCADA systems, supervise and control real-world structures like gas pipelines, oil refineries, and power grids -- and they can be manipulated remotely. That, says experts, makes them a potential prime target for terrorist groups who could get inside these systems and inflict physical damage on the nation's infrastructure. Is the clock ticking on this kind of cyber-based threat? Here are excerpts from interviews with Tom Longstaff of the CERT Research Center; James Lewis of the Center for Strategic and International Studies; Joe Weiss of KEMA Consulting; Amit Yoran of Symantec; Michael Skroch of Sandia National Laboratories; and a hacker.
Some of the most recent worms that have affected computers worldwide took advantage of software vulnerabilities that were previously known to manufacturers. There's also the problem of known vulnerabilities in the software used in SCADA systems. Although many companies maintain that they are doing their best to prevent and self-correct for inadvertent vulnerabilities, critics say the manufacturers should be held more accountable for software security. Here are excerpts from interviews with Amit Yoran of Symantec; John Hamre, former deputy secretary of defense; Richard Clarke, former White House adviser on cyberspace security; Joe Weiss, a security consultant for KEMA Consulting; O. Sami Saydjari of Cyber Defense Agency; Scott Charney, chief security strategist at Microsoft; and a hacker.
Produced by Michael Kirk
Co-Produced and Reported by Jim Gilmore
Written and Directed by Michael Kirk
NARRATOR: Super Bowl Sunday, 2003, and Washington had a bad case of pre-game jitters. The headlines and talk shows were about war with Iraq. The president was practicing his state of the union address. There was trouble with North Korea. And on Washington's outskirts that weekend, inside this secure facility they were tracking another crisis.
AMIT YORAN: We started noticing a tremendous number of increases of a particular type of attack.
NARRATOR: The Internet was down in parts of Asia.
AMIT YORAN: It was coming from a tremendous number of source addresses from different locations.
NARRATOR: And the virus was advancing.
AMIT YORAN: About three quarters of our customers were experiencing attacks from this particular worm. It was trying to infect thousands of systems very rapidly. And what that did was, it ate up the bandwidth, the communications channel between the various computers of the Internet.
NARRATOR: They named it "Slammer." By dawn, it had the full attention of the White House.
RICHARD CLARKE, Director, Cyber Security, White House: In 15 minutes, before anybody could even be notified the attack was going on, 300,000 servers were taken over. But it wasn't just servers that were affected-- 911 systems were affected, bank ATM machines were affected, reservation systems for major airlines.
AMIT YORAN: Almost each and every network that we monitor is attacked, probed, prodded every single day. The Internet is a hostile environment.
NARRATOR: On this weekend, the Slammer's creators eluded detection.
RICHARD CLARKE: In the past, you would count the number of bombers and the number of tanks your enemy had. In the case of cyber war, you really can't tell whether the enemy has good weapons until the enemy uses them.
NARRATOR: Tonight: a new set of American warriors. Journey into a new American battlefield. Tonight on FRONTLINE, Cyber War!
THE WASHINGTON POST: "Detective Chris Hsiung of the Mountain View, California, Police Department began investigating a suspicious pattern of surveillance against Silicon Valley computers."
BARTON GELLMAN, The Washington Post: Silicon Valley, as you could expect, has an unusual department within its police force, and that is protection against cyber crime. They had a guy in charge of that section called Detective Chris Hsiung.
Det. CHRIS HSIUNG, Mountain View Police Dept: I was notified by my division captain that the city Web site coordinator had discovered some suspicious activity, visitors to the city Web site. This was only less than a month after 9/11.
NARRATOR: Detective Hsiung's investigation started with Laura Wigod.
LAURA WIGOD, Mountain View Web Site Coordinator: I'm the Web site coordinator for the city of Mountain View. So basically, I run the Web site, put all the content on.
BARTON GELLMAN: Detective Hsiung begins to notice a strange pattern of computer intrusions, something that has to do with dams and emergency telephone systems and electrical systems.
LAURA WIGOD: I've always been interested in other countries, but I'm specifically a big fan of Middle Eastern culture. But we didn't have any visitors from any of those countries until the summer of 2001. And when they first showed up on my report, I was really excited. I just thought it was really neat that people from these countries were visiting our site. And I couldn't imagine what they wanted to see there, but I was thrilled.
NARRATOR: The elation wouldn't last. After September 11th, seemingly benign visits from Middle Eastern cyber tourists took on new meaning.
BARTON GELLMAN: He's seeing probes that seem to originate in Saudi Arabia, Pakistan, Indonesia, and that are looking into the junction of pipelines, for example, and the digital control systems that run those places.
Det. CHRIS HSIUNG: After 9/11, obviously, the state of the country at that time, especially among law enforcement, was, you know, don't rule anything out.
RICHARD CLARKE, Director, Cyber Security, White House: It does look like part of a pattern of potential long-range surveillance, remote surveillance by Al Qaeda or terrorist groups.
THE WASHINGTON POST: "Some of the probes suggested planning for a conventional attack, U.S. officials said."
BARTON GELLMAN: The FBI did a broader investigation. And it found, according to a classified assessment, that there was a broad pattern of intrusions that were described to me as "casing" these digital controls, trying to learn how the networks worked and what kind of security protected them and, if you had to reach out and touch a small number of them, which ones would be the most damaging. And this is a scary thought.
NARRATOR: Detective Hsiung's evidence was sent to the FBI, where the head of the bureau's infrastructure protection unit says it fit an emerging and familiar pattern.
RON DICK, FBI Infrastructure Protection '01-'02: The thing that keeps me awake at night is a physical attack on U.S. infrastructure which is combined with a cyber attack which disrupts the ability of first responders to access 911 systems, disrupts our power grids such that, again, first responders can't respond to an incident. Those are the things that keep me awake, and those are very real possibilities.
NARRATOR: At just this time on the World Wide Web, an e-mail was making the rounds. From universities to think tanks to deep inside hush-hush government projects, a growing number of concerned scientists were writing a letter to the president of the United States.
LETTER TO PRESIDENT: "Mr. President: Our nation is at grave risk of a cyber attack that could devastate the national psyche and economy more broadly than did the September 11th attack. We, as concerned scientists and leaders, seek your help and offer ours."
O. SAMI SAYDJARI, CEO Cyber Defense Agency: September 11th told us our adversary was very willing to use our infrastructure against us. A group of us got together and decided that it was important to let our leadership know, to give them the benefit of the best scientific thinking in this area, to say, "Hey, this is a really serious problem."
LETTER TO PRESIDENT: "The critical infrastructure of the United States -- including electrical power, finance, telecommunications, health care, transportation, water, defense and the Internet -- is highly vulnerable to cyber attack. Fast and resolute mitigating action is needed to avoid national disaster."
[www.pbs.org: Read the letter]
O. SAMI SAYDJARI: Ultimately, it turned into about 54 scientists and leaders -- former national leaders, intelligence community people, as well -- sending this letter that makes the case that says we have a problem here.
NARRATOR: The letter was sent February 27th, 2002, to the White House. It made its way to the White House Office of Cyberspace Security, into the hands of one of the government's most experienced troubleshooters.
RICHARD CLARKE: Well, I think the letter from the scientists and engineers was a bit more stark than other things that the government has seen. It sent the message that we depend upon the Internet for our national security and our national economy. And we know -- we know -- it's not secure, and therefore the government has to act.
NARRATOR: Richard Clarke knows how to kick-start the government. For 30 years, he's been operating in and out of the shadows of six administrations.
BARTON GELLMAN: What's unique about Clarke is his effectiveness in the bureaucratic process. He's just a guy who rolls over opposition. And it's just unusual in the U.S. government, and it's especially unusual to last a long time and win a lot of battles.
NARRATOR: But in the mid-'90s, Clarke lost an important battle. As head of counterterrorism for the National Security Council, he was unable to persuade higher-ups of the danger the country faced from a then obscure Saudi citizen named Usama bin Laden. After 9/11, when most intelligence gathering shifted to finding Al Qaeda cells, Clarke decided to investigate a new threat, attacks from cyberspace.
RICHARD CLARKE: The first thing I said to my staff was, "I want to go see the Internet." And that got a lot of chuckles, because, you know, after, Dick, it's virtual. It's in cyberspace. You can't see it. I said, "No, I think you can, and I want to go find it."
So we went on a series of trips in search of the Internet, and we found it. And we found it on Wall Street, six feet below the sidewalk, running into the stock market. We found it coming up out of the water on the New Jersey shore, where it comes from Europe. We found its heart beating in various network operation centers owned by the so-called backbone companies that own and operate the backbone of the Internet. It exists. There are key points to it.
NARRATOR: Clarke began to test the security at regional Internet hubs, talking his way past guards, breaching security.
RICHARD CLARKE: What I was able to do a lot in those early days is get fairly far into the building and fairly far onto the control floor of these regional hubs without any problem. And then I knew we had a problem.
HACKER: In the United States, there are two network nodes that you can hit electronically and one that you would be more effective to hit physically using a truck bomb. But if you hit those three nodes, then you would be able to destroy American communications for a significant length of time.
NARRATOR: This is a soldier of fortune in the cyber war, a high-end hacker. He's well known in the secret world of computer spies, at the National Security Agency, the Defense Department and the CIA. He's on their side. He works in secret and wants to keep it that way. We have hidden his identity and altered his voice.
HACKER: If you were to talk to anybody who works at any one of those NOCs -- Network Operating Centers-- or anyone who works in security for the telecommunications industry, they already know where their targets are. They already know the problems that they have.
NARRATOR: But as vulnerable as they are to physical attack, it's inside the Web's nervous system, hidden in coded packets of data, that the hacker and others wage their invisible war.
HACKER: In a terrorist sense, the U.S. is an open target. You can hit just about anything that you want to hit, one way or another. This is not bragging, this is a measure of fear.
JOHN ARQUILLA, Information Warfare Analyst, DoD: Cyber war is like Carl Sandburg's fog. It comes in on little cat feet, and it's hardly noticed. That's its greatest potential.
NARRATOR: Everyone who wants to know about cyber war eventually finds their way to John Arquilla.
JOHN ARQUILLA: In the realm of cyberspace-based disruptive threats, we haven't yet had what they call the "electronic Pearl Harbor." I think part of that is a function of our skillful defense of our systems. It's not that we're bereft of attacks. Tens of thousands of attacks occur every week against Department of Defense systems alone.
NARRATOR: He's been at the Rand Corporation, one of the first cyber warriors in desert storm, and in Kosovo worked for the Defense Department. Like Clarke, Arquilla is a bit of a handful inside bureaucracies.
JOHN ARQUILLA: In my checkered career, I've had, I think, the good fortune to always be thinking a few years ahead of events. And that has been useful in terms of anticipating threats. It has also created a fair amount of social friction.
NARRATOR: He's been stashed -- sidelined, really -- out in California at the naval postgraduate school in Monterey. But he knows about the power grid, the water supply, air traffic control systems. Talk about malicious code, probes and pings Arquilla understands.
Zombie computers, he's an expert.
JOHN ARQUILLA: We're looking at hackers and others who are developing very profoundly different kinds of code-breaking techniques. Some of this has to do with linking together many computers around the world. Some hackers have hundreds or thousands of zombies that they control. The zombie has come back to life in the information age now as something that's controlled by a hacker, that can be used to hot-wire them all together to create computing power beyond our imagination.
HACKER: I could take down scores, thousands of systems, for example, in Taiwan and then turn those systems, through its high-speed pipe, against any other nation in the world. Does it mean the attack is originating in Taiwan? No, not at all.
So the problem that the U.S. has with terrorist attacks, where we still don't know where the anthrax came from, is the same problem you have with information operations. If you do the job correctly, there are no fingerprints and nobody can trail you back.
NARRATOR: At the White House, Dick Clarke learned about zombies the hard way.
RICHARD CLARKE, Director, Cyber Security, White House: Code Red was the name of a computer attack that occurred in July of 2001, where during the course of the day, we became aware that, ultimately, 300,000 computers around the country had been violated. Someone had gotten into them and planted software.
NARRATOR: The White House urgently contacted the companies that run the Internet.
RICHARD CLARKE: And by about 4:00 o'clock in the afternoon, they came to me in a teleconference and said, "There's good news and bad news. The good news is we know what's going to happen. At 8:00 o'clock tonight, hundreds of thousands of computers are all going to simultaneously start sending pings toward one site on the Internet. The bad news is, you are the site, the White House."
NARRATOR: If the assault worked, in nanoseconds the pings -- hundreds of thousands of simultaneous computer pulses -- would overwhelm the Internet.
RICHARD CLARKE: Hundreds of thousands of computers are going to be firing off pings every second from all over the Internet, and all of that message traffic is going to flow through all of the different channels toward one server.
NARRATOR: Clarke and the nation's Internet providers worked out a plan to block any traffic directed at the white house. And then they held their breath.
RICHARD CLARKE: The clock hit 8:00 o'clock. Hundreds of thousands of computers around the world started firing probes to the White House, and they all died as they hit the edge of the Internet.
ROGER CRESSEY, Cyber Security, White House, '01-'02: The size of the attack, I think, caught a lot of people by surprise. And what Code Red demonstrated was that a sophisticated denial-of-service attack could significantly slow the Internet. And if you then go to the next step, it's not inconceivable that an attack could bring down the Internet for a period of time.
NARRATOR: Then, as the nation was reeling from the tragic events of September 11th, the zombies struck again.
SAN FRANCISCO CHRONICLE: "A new computer worm struck the Internet today, sending network security workers scrambling to protect their systems from being attacked."
NARRATOR: One target was Wall Street.
SAN FRANCISCO CHRONICLE: "The worm, known as W32.Nimda, knocked Web sites off line and overloaded"--
RON DICK, FBI Infrastructure Protection '01-'02: I was up to my neck in responding to the events of September the 11th through the command post there at FBI headquarters, and then right on top of that the NIMDA virus struck.
RICHARD CLARKE: The Nimda virus ripped through the American financial sector just a week after the terrorist attacks of September 11. It cost probably $3 billion, one virus, the Nimda virus. Had it not been for the fact that September 11th was the week before, it would have been a big news story.
RON DICK: It proliferated across the world at a far greater rate than Code Red did. It rattled the Internet, and it caused billions of dollars of damage. And we still don't know who perpetrated that worm.
[www.pbs.org: A closer look at these events]
NARRATOR: Catching the hackers in Code Red or Nimda -- indeed, in any of these cases -- proved impossible.
JOHN ARQUILLA: The time to back-hack a perpetrator is within seconds, minutes or hours of the action, not months and years after it happened. The trail is far too cold by then.
NARRATOR: The Web by now is nearly everywhere. The world is full of hideouts. Dick Clarke and many experts have come to believe events like Slammer and Code Red and Nimda were really not ends in themselves. They're certain they were experiments by an enemy or enemies seeking vulnerabilities in the system.
O. SAMI SAYDJARI, CEO Cyber Defense Agency: The number of probes that we're detecting is going up significantly. There's clearly a lot of people out there doing reconnaissance, and they don't want to be seen. So these aren't your average, everyday hackers.
INTERVIEWER: Who might they be?
O. SAMI SAYDJARI: I think they would be adversaries who are interested in doing reconnaissance without tipping their hand that they're doing their reconnaissance in our networks.
INTERVIEWER: Why are they doing it?
O. SAMI SAYDJARI: To prepare for attack or to prepare for getting information out of our systems, to understand our vulnerabilities. That's why you probe and scan networks.
NARRATOR: Inside this building are the top-secret military computers every enemy cyber warrior wants to invade. John Hamre was second in command at the Pentagon in the Clinton administration.
JOHN HAMRE, Deputy Secretary of Defense '97-'99: What startled me at the time was how we had brought around us this powerful new technology, with virtually no security awareness. We didn't have disciplined protocols and procedures in place for how people could connect to the wider Internet. It was just absolutely-- we let a thousand flowers bloom. And as you would expect in that environment, there were just countless opportunities for mischief.
NARRATOR: Hamre wanted to find out just how vulnerable DOD computers were. In 1997, the DOD initiated a red team exercise code-named "Eligible Receiver."
RICHARD CLARKE: We got the permission of the Pentagon. We put together a small team of hackers and only used hacking techniques and tools that we could download from the Internet and attacked the Pentagon systems.
JOHN HAMRE: Eligible Receiver really demonstrated how-- the real lack of consciousness about cyber warfare. I mean, really, the first three days of Eligible Receiver, nobody believed we were under cyber attack.
RICHARD CLARKE: They took control of the Pentagon systems, took control of the National Military Command Center computers.
JOHN HAMRE: If you get super-user control of one node, you basically can get into a network. Pristine protection, I mean, absolute sanitary protection, is what's required, and you'll never get it.
NARRATOR: There are details about "Eligible Receiver" that even today have not been revealed. But one thing is certain: It scared the hell out of the Pentagon.
JOHN ARQUILLA, Information Warfare Analyst, DoD: Eligible Receiver is a classified event about which I can't speak. What I can say is that when people say there is no existence proof of the seriousness of the cyber threat, to my mind, Eligible Receiver provides a convincing existence proof of the nature of the threat that we face.
NARRATOR: The Pentagon ordered new detection systems installed on its computers. But it wouldn't take long for the defense department to be hit again, and this time it wasn't an exercise. They gave it the code name "Moonlight Maze."
RICHARD CLARKE: All that I can say about Moonlight Maze is that the phrase Moonlight Maze refers to an investigation conducted by the FBI.
INTERVIEWER: How involved was the FBI?
RON DICK, FBI Infrastructure Protection '01-'02: I can't comment on that.
NARRATOR: But they could divulge general details. The Pentagon accidentally discovered a pattern of probing and cyber espionage that had been going on for nearly two years. A game of cat-and-mouse ensued.
RICHARD CLARKE: As we raised defenses on those computer networks, they raised the attacking capabilities on those computer networks.
JOHN HAMRE: We found that the opponent was learning as he or she went along, that they were getting better as we were getting better at cracking it. That worried you because that meant that they had some type of a monitoring system to observe us while we were observing them. And so we're obviously dealing with a very sophisticated opponent.
NARRATOR: Highly placed sources FRONTLINE cannot name told us more: The invaders were systematically marauding through tens of thousands of files, maps of military installations, troop configurations, military hardware designs.
JOHN HAMRE: They took huge amounts of information. Huge amounts of information. And there was not a clear pattern to the information that they took.
NARRATOR: The DOD began tracing the invasion. The trail led to a huge mainframe computer in the former Soviet Union.
RICHARD CLARKE: It continues to be an active investigation, so I can't talk about who it may or may not have been.
JOHN HAMRE: We do not know who did it. We do know back a certain direction where the attack came from, but we don't know that that was the ultimate source of the attack. It could have been a front operation.
JOHN ARQUILLA: I think the case highlights the problem of identifying the ultimate user. Some tracking was done back to systems in Moscow, for example, but that by no means suggests that these were Russians doing this. It could easily have been someone operating in an entirely other part of the world who bounced off of a computer in Russia. Or it could have been the Russians.
RICHARD CLARKE: Thousands of attempts a day to get into the Defense Department networks are detected. It's the ones that aren't detected that are the sophisticated ones. And the question therefore arises, in some future war, in some future tension, in some future crisis, could we wake up one morning and find that great damage had been done to our railroad system, our electric power system, our banking system, our military logistics system by Trojan horses, logic bombs that were planted in our infrastructure in advance without our knowing it.
NARRATOR: Many in the cyber war are convinced the days of merely using the Web to probe and map America's infrastructure are near an end. They worry the enemy -- especially one enemy, in particular -- is preparing for action.
HACKER: I've been watching them for quite a while, and they are very, very good at everything from money laundering to secure communications. And to underestimate them at any point in time is suicidal.
NARRATOR: He's talking about Al Qaeda. In the rubble created by the war in Afghanistan, Clarke and other cyber experts looked at Al Qaeda computers.
ROGER CRESSEY, Cyber Security, White House, '01-'02: I think the breadth of their interest in areas such as computer attack caught us by surprise. And by that I just mean the documents that were found, information we've learned from people that we have in custody.
RICHARD CLARKE: What we found on Al Qaeda computers were that members of Al Qaeda were from outside the United States doing reconnaissance in the United States on our critical infrastructure.
BARTON GELLMAN, The Washington Post: The government has changed its view. The CIA said 18 months ago that Al Qaeda is nowhere near having the capability to inflict serious damage in cyber war. It put out a new memorandum of intelligence some months ago saying, "Well, it looks like they have more capability than we thought, and it looks like they have more intention than we thought."
ROGER CRESSEY: They were putting people in computer classes whose purpose simply was to develop a competency and a skill set that they could then turn into a capability to develop attacks.
NARRATOR: And there are those who fear that if Al Qaeda has acquired those skills, they will mount a devastating attack on one of the nation's most vulnerable infrastructures. They may be able to use the Internet to bring down portions of the electrical power grid.
RICHARD CLARKE: It turns out that there are only five or six software systems that are used around the world to run electric power grids, other utilities, pipelines, dams, those sorts of things. They're called digital control systems, or they're called SCADA systems, supervisory control data acquisition systems.
NARRATOR: Almost no one flips a switch at the power company anymore. Now it's done by a little black box, a SCADA system, that talks to other little black boxes, often through the Internet.
MICHAEL SKROCH, Sandia National Laboratories: SCADA systems are really the cyber world's portal into our 3-D world. They allow cyberspace to sense what we're doing, sense temperature, sense movement, sense position. And they allow cyberspace to control things in our 3-D world-- move a motor, close a switch, turn on a heater.
WASHINGTON POST: "Al Qaeda prisoners have described intentions, in general terms, to use those tools. Specialized digital devices are used by the millions as the brains of American critical infrastructure."
BARTON GELLMAN: All of a sudden, someone coming in from Pakistan through the Internet, through a hole in your intranet security, is in a place where they can control these black boxes. That is the threat.
NARRATOR: Once SCADA systems stood alone in factories or power plants. Not anymore. Now they're connected on the Web. Whole industries are linked. That's good for business and even better for cyber warriors.
TOM LONGSTAFF, CERT Research Center: I liken it very much to my own thermostat at home. My thermostat at home is protected because I keep my front door locked, so no one can come in and change my heat around. If I add a wireless element to my thermostat, now, suddenly, I can control it from my computer. I can turn the heat up when I'm at work, so that the house is warm when I get home. I can understand every month exactly what my fluctuations are in temperature.
Unfortunately, because it's wireless, someone could sit outside my house, now, in the car, with a laptop, and at 4:00 o'clock in the morning turn off my heat in the dead of winter.
NARRATOR: At Sandia National Laboratories in New Mexico, they worry about just how vulnerable the nation's power grid is. Recently, they initiated a series of red team assaults on SCADA systems that control power companies, including their own solar power-generating station.
MICHAEL SKROCH: When we go after an electrical power system, electrical power provider for the critical infrastructures, we always penetrate that system. During an attack on a SCADA system, an operator will see what the adversary wants them to see and-- of course, dependent upon the scenario and the security of that system. So an operator may see a false indication of the condition of their infrastructure. They may be fooled into taking actions that are unwarranted, so that they themselves damage the infrastructure, not the attacker.
What the attacker did was implement an attack script that befuddled the display of the controller, so that when they move one control on a generator, it affects a second. This will confuse the operator and perhaps cause an effect on the infrastructure that's damaging.
At the solar facility, when we attacked the IT infrastructure, what we did was, we hacked into the system using a common technique. Once we were into the system, we were able to access any of the command and control functions that the operator would be able to use. In this case, we simply executed a script that moved four of the mirrors and danced them around on the solar facility.
The Red Team could have gained access to the system, written a more specific script to have a specific effect on the mirrors, such as moving them to the wrong location or causing damage to the solar facility.
INTERVIEWER: Could you and a group of friends take down the electrical grid of the United States or North America?
HACKER: I don't know if you'd be able to take down the whole grid, but I know that you could take down significant pieces of it for, let's say, operationally useful periods of time. Penetrating a SCADA system that's running a Microsoft operating system takes less than two minutes.
INTERVIEWER: Could your team take down the entire grid in the United States?
MICHAEL SKROCH: The IDART Red Team could demonstrate numerous vulnerabilities and system effects against U.S. critical infrastructure that are scenario-dependent and adversary-dependent. And we do this so that we can help improve the systems, so that they can't be taken down in the future and a cyber Pearl Harbor won't affect the U.S. infrastructures.
INTERVIEWER: But could you, if you wanted to?
MICHAEL SKROCH: I won't answer that question.
NARRATOR: And even though the power companies don't like to talk about it, this threat really scares them, especially industry experts on cyber security. FRONTLINE reporter Jim Gilmore talked to one of them, Joe Weiss.
INTERVIEWER: What's the worst-case scenario? Power, we're talking here, power lines, power grid.
JOE WEISS: Absolute worst? I won't even say absolute, but a very worst case could be loss of power for six months or more.
INTERVIEWER: Over how big an area?
JOE WEISS: Big as you want.
INTERVIEWER: Is that a possibility?
JOE WEISS: Yes.
JOE WEISS: I'd just as soon not go into it.
INTERVIEWER: But you believe, as an expert and a man who understands these systems, that that, indeed, is a possibility.
JOE WEISS: It's possible.
INTERVIEWER: Why isn't Washington quaking in its shoes?
JOE WEISS: I can't tell you. I don't know. I don't know.
[www.pbs.org: Read the full interview]
NARRATOR: Each time he returned to Washington, Clarke found it more difficult to make cyber security a federal priority. And now, with money and power at stake, doubts and questions would be raised. Washington is a war capital, and Clarke's battlespace is virtual, and according to some, not even real.
JAMES LEWIS, Center for Strategic and Int'l Studies: One easy test for cyber security is to ask yourself the following question: Could Godzilla do it? And if the answer's yes, it's probably not a very realistic scenario. And so when you get into these things, where, you know, a big green monster is going to shut down the whole electrical system or the water system, it's not very likely.
NARRATOR: There is at the Pentagon and military think tanks an anti-Clarke, anti-cyber chorus, high-ranking retired military officials publicly comparing the impact of cyber war against what some of them call "flesh and blood war."
JAMES LEWIS: Cyber attacks as a replacement for WMD would have to qualify as a gross inflation. Nobody argues, or at least no sane person argues, that a cyber attack could lead to mass casualties. And so it's not in any way comparable to weapons of mass destruction. And in fact, what a lot of people call them is "weapons of mass annoyance." If your power goes out for a couple hours, if somebody draws a mustache on Attorney General Ashcroft's face on his Web site, it's annoying. It's irritating. But it's not a weapon of mass destruction.
NARRATOR: And so in a city fresh from a war fought over weapons of mass destruction, the cyber warriors are barely a blip on the screen. And this is the case even for a man who was once a true believer.
JOHN HAMRE, Deputy Secretary of Defense '97-'99: I think cyber terrorism is a theoretical possibility. But will cyber terrorism be like September 11th? No, I don't think so. Not right now.
NARRATOR: Former deputy secretary of defense John Hamre now believes the early problems of cyber intrusion were merely wake-up calls that actually have made the system better.
JOHN HAMRE: I think there's an awareness in the IT community now about security that wasn't there five years ago. So I don't discount it. It is certainly theoretically possible. But the knowledge of-- the cyber security awareness today is thousands of times stronger than it was five years ago, when we first conducted Eligible Receiver.
NARRATOR: Hamre's argument is just one in an increasingly bitter war of words.
RICHARD CLARKE, Director, Cyber Security, White House: I hope I'm wrong. I hope it is the case that not only me but the thousands of experts who say we have a problem -- the people in companies, people in universities who say that we have a major cyber security problem -- I hope we're all wrong. But every day, we're being proved right.
JAMES LEWIS: A lot of the people who think about the seriousness of cyber warfare tend to be computer people. And what you need to do is, you need to get more national security people, more military people thinking about it, people whose job is to win wars or to defend the nation, not whose job is to administer computer networks.
JOHN ARQUILLA, Information Warfare Analyst, DoD: I think the skillful hackers are like the Vietcong. They know that they have a short period in which they will hold the advantage, and then they must disengage. And so we have to watch out for those kinds of tactics. I think we also need to be worried in the future that we won't have a few isolated incidents that occur over months or years, but we have to worry about the possibility of a campaign approach being taken by the cyber attackers in which they mount several attacks over a period of hours or perhaps over days. Think about, for example, a Nimda virus, something like that, that would be deployed once a week for three months. Think about the economic impact of something like that.
JOHN HAMRE: Terrorists are after the shock effect of their actions, and it's very hard to see the shock effect when you can't get your ATM machine to give you $20 dollars. I mean, it's distributed all around-- when we had this last worm, or whatever it was, I went down to the bank, tried to get money out of the ATM machine. I couldn't get any money out. Well, it was frustrating to me personally, but it doesn't translate in the same way that flying an airplane into a building does.
JOHN ARQUILLA: If I were establishing a terror organization today, I would be more interested in doing costly disruption by cyberspace-based means. If I did physical destruction, I would know that I would have to deal with a bunch of angry Americans who would track me to the ends of the earth. On the other hand, if I could engage in acts that would cause hundreds of billions of dollars worth of costly economic damage, and I could do it relatively secretly, why wouldn't I pursue that aim? And why wouldn't that make me a great hero to the constituency I was serving, my people, those who believe as I would? So if I were a terrorist, I would be thinking these days about mass disruption rather than mass destruction.
[www.pbs.org: Read the interview]
NARRATOR: And so out in California, Arquilla is thinking about how to defend against weapons of mass disruption. But he's also helping the navy to create an offensive cyber capability.
JOHN ARQUILLA: Americans need to realize that even as we learn to defend our country against cyber warfare, we naturally are developing offensive capabilities, as well. You cannot defend yourself unless you understand how the offense works. And in so doing, you learn to wage offensives.
NARRATOR: FRONTLINE was allowed to see some of the war gaming.
RED TEAM LEADER: OK, game start-- 5, 4, 3, 2, 1. Game on.
1st RED TEAM MEMBER: Orange has 5, 5, 5-8-4 launch.
2nd RED TEAM MEMBER: Roger.
3rd RED TEAM MEMBER: Purple clear. Shows possible intrusion, network alpha.
STEVEN IATROU, Naval Postgraduate School: What they're learning to do is operate in a hostile cyber environment. The military mission must go on.
4th RED TEAM MEMBER: Black, this is brown.
5th RED TEAM MEMBER: Roger.
4th RED TEAM MEMBER: Showing a stealth scan, an IDS, on network Charlie.
STEVEN IATROU: An adversary trying to get an operational advantage through the computer network. And that's all warfare is, is gaining the upper hand, no matter how you can do it.
6th RED TEAM MEMBER: White, this is green. We have some unusual activity on the Brother network.
7th RED TEAM MEMBER: Roger.
6th RED TEAM MEMBER: There seems to be a clown head inserted into the network.
STEVEN IATROU: The clown appeared to be an icon put in by an intruder to try to mask some of the information appearing on our screens.
8th RED TEAM MEMBER: Red, I have an indication of an F-14 down. There is a clown head appearing at that location. Request assistance.
9th RED TEAM MEMBER: Roger. Initiating trace-route program.
8th RED TEAM MEMBER: Roger.
STEVEN IATROU: What we assumed we were seeing from an enemy was that they had access to our computers, that they knew what we were looking at on our computers-- i.e., icons of our troop movements. And they were trying to cover those so that we could not see what either our forces or their forces were doing.
4th RED TEAM MEMBER: Black, this is brown. Request permission initiate hack-back attack.
5th RED TEAM MEMBER: Affirmative. Initiate hack-back.
NARRATOR: The red team decided to attack a critical SCADA system.
5th RED TEAM MEMBER: Cyan, this is black. Could you give me the analysis on the SCADA bravo attack?
1st RED TEAM MEMBER: Cyan, analysis is put up on the main screen. You may want to take a look at that.
STEVEN IATROU: SCADA is everything. It's the heart and soul of the systems. If you can get into that, then you have control or you disrupt their control. Or if you can even get them to think you're in there, then you can lower their confidence in their ability to manage their systems.
NARRATOR: The gaming is good practice because America has launched cyber attacks for realãin the first gulf war.
JOHN ARQUILLA: We did some things to the systems of the Iraqis at that time. And the things that can be acknowledged would be the bombs dropped on particular systems of communications and the foil strips that disrupted power flows. But beyond that, I think we can't really talk too much.
NARRATOR: Arquilla watched the United States get better at offense in Kosovo.
JOHN ARQUILLA: I think Kosovo was, in some ways, a proving ground of certain cyber capabilities. We get into a very sensitive area here, but what can be said is that some means may have been used to distort the images that the Serbian integrated air defense systems were generating. And this, of course, was crucially important to waging a successful air campaign.
NARRATOR: And then there was Afghanistan.
JOHN ARQUILLA: Operation Enduring Freedom in Afghanistan featured a small, nimble, networked force that was extremely information-savvy and which achieved our national aims with a minimum of bloodshed in a very short time.
NARRATOR: And recently, the war in Iraq.
JOHN ARQUILLA, Information Warfare Analyst, DoD: I'm not allowed to talk about a campaign in Iraq. But when I was working for the Central Command in the last Gulf War, it became very apparent to me that our biggest advantages came from what we knew and what our opponent didn't. On the spot, we cobbled together something called a Joint Surveillance and Target Acquisition Radar System. This allowed us to know exactly where the opponent was and how to strike him.
NARRATOR: But what works in cyber wars against states may not work against terrorist groups. Now they believe Al Qaeda can get inside critical parts of the nation's infrastructure. But do the terrorists have the kind of engineering expertise it would take to manipulate the systems?
Some in law enforcement believe they can. They offer as evidence the resume of one of Usama bin Laden's top deputies, the man recently arrested in Pakistan, Khalid Shaikh Mohammed.
RICHARD CLARKE: I'm troubled by the fact that a number of people related to Al Qaeda, including Khalid Shaikh Mohammed, the chief operating officer, if you will, in Al Qaeda-- a number of these people have technical backgrounds. Khalid Shaikh Mohammed studied engineering at the University of North Carolina. He was employed for a while at a water-- department water ministry in the nation of Qatar in the Persian Gulf.
RON DICK, FBI Infrastructure Protection '01-'02: It goes back to the old axiom, "with knowledge comes power." And because of his knowledge of those systems, or apparent knowledge of those systems, use of those systems, he would be familiar with what the vulnerabilities are and how to exploit those vulnerabilities in a fashion that would be advantageous to his organization.
NARRATOR: The FBI believes Khalid Shaikh Mohammed was the chief architect of the 9/11 attacks. He has reportedly told police that the next major attack will be led by Adnan El'Shukrijumah, who is wanted for questioning. Shukrijumah fled the country in May of 2001 after attending college in Florida, majoring in computer engineering.
MICHAEL SKROCH, Sandia National Laboratories: I think that we shouldn't underestimate any adversary, especially one as sophisticated as Al Qaeda. This kind of group, if they don't have the innate knowledge to achieve a cyber attack, if they should choose to do so, can obtain that knowledge from other individuals.
WASHINGTON POST: "A computer seized at an Al Qaeda office contained models of a dam. The FBI reported that the computer had been running Microstran, an advanced tool for analyzing steel and concrete structures"--
BARTON GELLMAN, The Washington Post: We have reached the threshold of the day when computer attacks can cause real-world bloodshed, can damage actual physical structures in this world.
WASHINGTON POST: "To destroy a dam physically would require 'tons of explosives,' Assistant Attorney General Michael Chertoff said a year ago. To breach it from cyberspace is not out of the question."
BARTON GELLMAN: You're talking about the nexus between digital control systems here and physical things, like dam floodgates, like electrical transformer stations. And the day has arrived when a cyber attack could potentially inflict physical damage.
[www.pbs.org: More about key vulnerabilities]
NARRATOR: But Clarke and others who worry about cyber security understand that government cannot attack the problem alone.
BARTON GELLMAN: There are always lots of reasons not to do something new. For example, protecting the critical infrastructure of the United States from cyber attack means you have to focus preeminently in the private sector. Eighty-five or ninety percent of all the pipelines and transmission towers and computer switching stations and the Internet base are not in the government's hands, they're in the private sector.
NARRATOR: The Bush White House made it clear to Clarke that a public-private partnership was the way they were going handle this problem. But in the beginning, American industry didn't believe cyber war was a problem. Then they didn't believe it was their problem. And they didn't much like the idea of the government telling them to spend their own money to plug cyber holes.
ROGER CRESSEY, Cyber Security, White House, '01-'02: Dick's objective in educating industry on the importance of this issue was to get their attention, to shock them-- in some respects, to shame them because they needed to understand that the return on investment here is not something that's tangible, that you can put your finger on. It's a return on investment that plays out over an extended period of time. So if you're spending so little money on cyber security, then you really deserve to be hacked. And if your systems are brought down and if your systems are compromised, you have no one to blame but yourself.
NARRATOR: When it comes to blame, the favorite targets of the cyber security forces are the companies that design and make software. They say enemies identify its vulnerabilities and exploit them in SCADA in home and industry computers. Clarke says this is the chink in America's armor.
RICHARD CLARKE: It's absolutely unforgivable that major software companies in this country and around the world continue to produce sloppy products.
NARRATOR: When it comes to fixing the software problems, all roads lead to Microsoft, and it says it's now committed to improving its products. Cyber security chief Scott Charney speaks for Microsoft.
SCOTT CHARNEY, Microsoft Corporation: What would you have us do as a company that we're not doing today? We're doing a security push on every product. We're building things that are secure by design, secure by default. And we're fixing patch management to keep you secure in deployment.
RICHARD CLARKE: Major software companies have in the last year said that they're cleaning up their act-- notably, Microsoft, which says it has introduced new qualify assurance procedures. Frankly, it needs to, because it's had a record of very sloppy products rushed to market without concern for security.
NARRATOR: There are a variety of tough measures being talked about. They're designed to force Microsoft and others to clean up, including imposing civil liability.
SCOTT CHARNEY: When companies start paying liability claims and legal fees and everything that comes with it, where does that money come from? Well, you can raise the cost of the product, but that might be counterproductive because one of the great things about software is how the price has been driven down so it can be available to everyone.
The second thing you can do is take it out of profit, which means it comes out of the investor's pocket. Or you can take it out of cost, perhaps by paying people less, and driving your best security people right out of the company.
NARRATOR: More and more, Clarke found himself having arguments like these with leading high-tech industries, arguments that led to the ultimate threat: regulation.
RICHARD CLARKE: If there's a major devastating cyberspace security attack, the Congress will slam regulation on the industry faster than anything we can imagine. So it's in the industry's best interest to get the job done right before something happens because after something happens and our economy has been really badly hurt, there will be regulation.
SCOTT CHARNEY: Is regulation really an effective way to get where we need to go? And to what extent will regulation stifle innovation? Because if you tie down industry and say, "This is what you must do," then you also tie down the technology. So I think there are a lot of reasons not to go in a regulatory fashion.
O. SAMI SAYDJARI, CEO Cyber Defense Agency: Regulation is not part of the policy of the current administration. They are very reluctant to use that, and it's understandable. Regulation and its effects can be-- can have different effects than you really intend them to have. And so one has to think about it carefully. At the same time, this is very much on the order of fire codes. If we don't do these things, it not only affects the people who are going to be attacked but the entire society fabric.
NARRATOR: But elements of the Bush administration simply aren't in the mood to back Clarke up in these battles.
BARTON GELLMAN: He runs very quickly into ideological opposition in the Office of Management and Budget and the Council of Economic Advisers and elsewhere in government to the very idea of telling private industry what to do. It looks too much like "big nanny" government to them, and so they are putting very sharp limits, or were putting very sharp limits, on what Clarke could do there.
NARRATOR: And in February 2003, a bureaucratic shuffle removed Clarke's operation from the White House. It was folded into the gigantic Department of Homeland Security. But Clarke wasn't. He decided to leave government. But he would not go quietly.
NARRATOR: The man who was right about the danger of Al Qaeda -- and who has come to believe that the cyber war is real and that America is unprepared -- will now do all he can to sound the alarm.
RICHARD CLARKE: After Pearl Harbor, we did a tremendous job of defeating the Nazis and the Japanese. After Sputnik showed that the Russians were winning the space race, we did a pretty good job of national mobilization and we beat the Russians to the moon. After September 11th, Al Qaeda's little sanctuary in Afghanistan was gone in a couple of months, and we're now doing a very good job of rounding terrorists up around the world. After the fact.
Wouldn't it be nice, for once, when we have the experts telling us we have a big risk-- wouldn't it be nice, for once, to get ahead of the power curve, solve the problem so there never is the big disaster?
CO-PRODUCED & REPORTED BY
WRITTEN & DIRECTED BY
CREDITS AT END OF PROGRAM
WRITTEN, PRODUCED AND DIRECTED BY
CO-PRODUCER AND REPORTER
DIRECTOR OF PHOTOGRAPHY
Michael H. Amundson
MUSIC COMPOSED BY
Michael H. Amundson
Erin Martin Kane
FOUNDATION GRANT MANAGER
WEBSITE MANAGING EDITOR
Louis Wiley Jr.
A FRONTLINE Co-Production with Kirk Documentary Group, Ltd.
WGBH EDUCATIONAL FOUNDATION
ALL RIGHTS RESERVED
FRONTLINE is a production of WGBH Boston, which is solely responsible for its content.
ANNOUNCER: This report continues on our Web site, where you'll be able to join in a forum with cyber security experts who will field your question, get an information warfare expert's analysis of the vulnerabilities of our infrastructure, explore some of the most significant cyber attacks to date, watch the full program again on line or find out on the Web site if your PBS station will be airing it again. Then join the conversation PBS on line, pbs.org, or write an e-mail to [email protected]
Next time on FRONTLINE: After spending years in prison--
FORMER PRISONER: I was on death row for the murder of someone I didn't murder.
ANNOUNCER: --they were set free.
FORMER PRISONER: I know that I'm not going to be hired by anybody because of the rape that I didn't commit.
ANNOUNCER: But the system that finally exonerated them deserted them.
FORMER PRISONER: When the cameras went away, everybody went away.
FORMER PRISONER: Sometimes I'd rather be in jail.
ANNOUNCER: Burden of Innocence next time on FRONTLINE.
To obtain a VHS copy of FRONTLINE's Cyber War!, call PBS HOME VIDEO at 1-800-PLAY-PBS. [$29.95 plus s&h]
FRONTLINE is made possible by contributions to your PBS station from viewers like you. Thank you.