Cyber Security DA - Millennial Speech & Debate

About MSDI & Missouri State U..
For twenty years, the Missouri State Debate Institute has offered an excellent educational experience in
the middle of the high school topic. MSDI is distinct from other camps in six ways. First, our skills focus
assures that a typical 2-week debater gets nearly 80 speeches, including over 20 debates. Second, we
emphasize the largest cases on topic, with students getting both aff and neg rounds on each. Third, our
senior faculty are comparable with top lab leaders in any camp. Fourth, MSDI students can earn highly
transferable college credit in public speaking for a minimal cost. Fifth, we respect variance in home
debate circuits – our goal is to improve line by line debating in ways that will help students no matter
who judges in their home circuit. Finally, our price is below any comparable camp and far below most
camps. Our 2016 information will be available shortly at: http://debate.missouristate.edu/camp.htm.
Missouri State University is a large comprehensive university (enrollment over 24k), with nearly any
major you might want. The university has excellent academic scholarship support – most debaters
combine academic “entitlement” scholarships (guaranteed based on GPA/test scores) with debate
scholarships. The Spicer Debate Forum competes in two year-long policy debate formats: NDT and NFA-LD. We’ve national semis or finals in both in the last decade. Our debaters have an average GPA over
3.5, a 97% graduation rate, and 70% complete law/grad school afterward. Our program is a high-impact
academic experience with an exceptional alumni network. Please contact Dr. Eric Morris for more
information (EricMorris@MissouriState.edu).
http://debate.missouristate.edu/
http://www.missouristate.edu/FinancialAid/scholarships/
**Cyber Security DA**
1NC Shell
Cyber security is a top priority now – new programs ensure safety from attack
Shavit Matias, 3-5-2015, research fellow at the Hoover Institution and a member of the Jean Perkins
Task Force on National Security and Law, "Combating Cyberattacks In The Age Of Globalization,"
Hoover Institution, http://www.hoover.org/research/combating-cyberattacks-age-globalization
Over the past decade, facing the alarming growth of cyberattacks on industry, media, banks,
infrastructure and state institutions, there has been an increasing focus of industry and states on
building tools to enhance capabilities to combat cybercrime, cyber espionage, cyberterrorism and
cyberwarfare, and there is a major shift of funds, efforts, and focus to these areas. Many countries are
creating cyber defense institutions within their national security establishments and enhancing their
cyber capabilities, including through the creation of dedicated cyberwarfare units within their defense
forces. Others are beginning to be aware of the necessity. According to Director of National Intelligence
James R. Clapper in a January 29, 2014 Statement for the Record before the Senate Select Committee on
Intelligence, the United States estimates that several of the cyber defense institutions created by states
will likely be responsible for offensive cyber operations as well. The cyber arena is complex and
continuously evolving. Recognizing the critical interlink between the various actors and the need for
cooperation and innovation, states are increasingly trying to build cooperation between domestic state
cyber institutions and industry and academia, and devise mechanisms for internal cooperation between
different state units and agencies. While in the past states kept many of these efforts — including
information on the formation of military cyber units — relatively secret, today they increasingly
publicize their efforts both nationally and internationally. “Be an Army hacker: This top secret cyber unit
wants you” shouts the headline of an April 6, 2013 article in the Military Times, explaining that the US
Army is looking for computer-savvy American troops to “turn into crack cyberwarriors” for both
offensive and defensive purposes. The United States Cyber Command has already announced that over
the next few years it intends to recruit 6,000 cyber experts and create teams of soldiers and civilians to
assist the Pentagon in defending US national infrastructure.
Strong NSA Surveillance necessary to stop cyberattacks
Jack Goldsmith, 2013 “We Need an Invasive NSA”, October 10, 2013,
http://www.newrepublic.com/article/115002/invasive-nsa-will-protect-us-cyber-attacks,
Ever since stories about the National Security Agency’s (NSA) electronic intelligence-gathering
capabilities began tumbling out last June, The New York Times has published more than a dozen
editorials excoriating the “national surveillance state.” It wants the NSA to end the “mass warehousing
of everyone’s data” and the use of “back doors” to break encrypted communications. A major element
of the Times’ critique is that the NSA’s domestic sweeps are not justified by the terrorist threat they aim
to prevent.¶ At the end of August, in the midst of the Times’ assault on the NSA, the newspaper
suffered what it described as a “malicious external attack” on its domain name registrar at the hands of
the Syrian Electronic Army, a group of hackers who support Syrian President Bashar Al Assad. The
paper’s website was down for several hours and, for some people, much longer. “In terms of the
sophistication of the attack, this is a big deal,” said Marc Frons, the Times’ chief information officer. Ten
months earlier, hackers stole the corporate passwords for every employee at the Times, accessed the
computers of 53 employees, and breached the e-mail accounts of two reporters who cover China. “We
brought in the FBI, and the FBI said this had all the hallmarks of hacking by the Chinese military,” Frons
said at the time. He also acknowledged that the hackers were in the Times system on election night in
2012 and could have “wreaked havoc” on its coverage if they wanted.¶
Such cyber-intrusions threaten corporate America and the U.S. government every day. “Relentless
assaults on America’s computer networks by China and other foreign governments, hackers and
criminals have created an urgent need for safeguards to protect these vital systems,” the Times editorial
page noted last year while supporting legislation encouraging the private sector to share cybersecurity
information with the government. It cited General Keith Alexander, the director of the NSA, who had
noted a 17-fold increase in cyber-intrusions on critical infrastructure from 2009 to 2011 and who
described the losses in the United States from cyber-theft as “the greatest transfer of wealth in history.”
If a “catastrophic cyber-attack occurs,” the Times concluded, “Americans will be justified in asking why
their lawmakers ... failed to protect them.”¶ When catastrophe strikes, the public will adjust its
tolerance for intrusive government measures.¶ The Times editorial board is quite right about the
seriousness of the cyber-threat and the federal government’s responsibility to redress it. What it does
not appear to realize is the connection between the domestic NSA surveillance it detests and the
governmental assistance with cybersecurity it cherishes. To keep our computer and telecommunication
networks secure, the government will eventually need to monitor and collect intelligence on those
networks using techniques similar to ones the Times and many others find reprehensible when done for
counterterrorism ends.¶ The fate of domestic surveillance is today being fought around the topic of
whether it is needed to stop Al Qaeda from blowing things up. But the fight tomorrow, and the more
important fight, will be about whether it is necessary to protect our ways of life embedded in computer
networks.¶ Anyone anywhere with a connection to the Internet can engage in cyber-operations within
the United States. Most truly harmful cyber-operations, however, require group effort and significant
skill. The attacking group or nation must have clever hackers, significant computing power, and the
sophisticated software—known as “malware”—that enables the monitoring, exfiltration, or destruction
of information inside a computer. The supply of all of these resources has been growing fast for many
years—in governmental labs devoted to developing these tools and on sprawling black markets on the
Internet.¶ Telecommunication networks are the channels through which malware typically travels, often
anonymized or encrypted, and buried in the billions of communications that traverse the globe each
day. The targets are the communications networks themselves as well as the computers they connect—
things like the Times’ servers, the computer systems that monitor nuclear plants, classified documents
on computers in the Pentagon, the nasdaq exchange, your local bank, and your social-network
providers.¶ To keep these computers and networks secure, the government needs powerful intelligence
capabilities abroad so that it can learn about planned cyber-intrusions. It also needs to raise defenses at
home. An important first step is to correct the market failures that plague cybersecurity. Through law or
regulation, the government must improve incentives for individuals to use security software, for private
firms to harden their defenses and share information with one another, and for Internet service
providers to crack down on the botnets—networks of compromised zombie computers—that underlie
many cyber-attacks. More, too, must be done to prevent insider threats like Edward Snowden’s, and to
control the stealth introduction of vulnerabilities during the manufacture of computer components—
vulnerabilities that can later be used as windows for cyber-attacks.¶ And yet that’s still not enough. The
U.S. government can fully monitor air, space, and sea for potential attacks from abroad. But it has
limited access to the channels of cyber-attack and cyber-theft, because they are owned by private
telecommunication firms, and because Congress strictly limits government access to private
communications. “I can’t defend the country until I’m into all the networks,” General Alexander
reportedly told senior government officials a few months ago.¶ For Alexander, being in the network
means having government computers scan the content and metadata of Internet communications in the
United States and store some of these communications for extended periods. Such access, he thinks, will
give the government a fighting chance to find the needle of known malware in the haystack of
communications so that it can block or degrade the attack or exploitation. It will also allow it to discern
patterns of malicious activity in the swarm of communications, even when it doesn’t possess the
malware’s signature. And it will better enable the government to trace back an attack’s trajectory so
that it can discover the identity and geographical origin of the threat.¶ Alexander’s domestic
cybersecurity plans look like pumped-up versions of the NSA’s counterterrorism-related homeland
surveillance that has sparked so much controversy in recent months. That is why so many people in
Washington think that Alexander’s vision has “virtually no chance of moving forward,” as the Times
recently reported. “Whatever trust was there is now gone,” a senior intelligence official told Times.¶
There are two reasons to think that these predictions are wrong and that the government, with
extensive assistance from the NSA, will one day intimately monitor private networks.¶ The first is that
the cybersecurity threat is more pervasive and severe than the terrorism threat and is somewhat easier
to see. If the Times’ website goes down a few more times and for longer periods, and if the next
penetration of its computer systems causes large intellectual property losses or a compromise in its
reporting, even the editorial page would rethink the proper balance of privacy and security. The point
generalizes: As cyber-theft and cyber-attacks continue to spread (and they will), and especially when
they result in a catastrophic disaster (like a banking compromise that destroys market confidence, or a
successful attack on an electrical grid), the public will demand government action to remedy the
problem and will adjust its tolerance for intrusive government measures.¶ At that point, the nation’s
willingness to adopt some version of Alexander’s vision will depend on the possibility of credible
restraints on the NSA’s activities and credible ways for the public to monitor, debate, and approve what
the NSA is doing over time.¶ Which leads to the second reason why skeptics about enhanced
government involvement in the network might be wrong. The public mistrusts the NSA not just because
of what it does, but also because of its extraordinary secrecy. To obtain the credibility it needs to secure
permission from the American people to protect our networks, the NSA and the intelligence community
must fundamentally recalibrate their attitude toward disclosure and scrutiny. There are signs that this is
happening—and that, despite the undoubted damage he inflicted on our national security in other
respects, we have Edward Snowden to thank.¶ “Before the unauthorized disclosures, we were always
conservative about discussing specifics of our collection programs, based on the truism that the more
adversaries know about what we’re doing, the more they can avoid our surveillance,” testified Director
of National Intelligence James Clapper last month. “But the disclosures, for better or worse, have
lowered the threshold for discussing these matters in public.”¶ In the last few weeks, the NSA has done
the unthinkable in releasing dozens of documents that implicitly confirm general elements of its
collection capabilities. These revelations are bewildering to most people in the intelligence community
and no doubt hurt some elements of collection. But they are justified by the countervailing need for
public debate about, and public confidence in, NSA activities that had run ahead of what the public
expected. And they suggest that secrecy about collection capacities is one value, but not the only or
even the most important one. They also show that not all revelations of NSA capabilities are equally
harmful. Disclosure that it sweeps up metadata is less damaging to its mission than disclosure of the
fine-grained details about how it collects and analyzes that metadata.¶ It is unclear whether the
government’s new attitude toward secrecy is merely a somewhat panicked reaction to Snowden, or if
it’s also part of a larger rethinking about the need for greater tactical openness to secure strategic
political legitimacy. Let us hope, for the sake of our cybersecurity, that it is the latter.
Cyber-attacks will cause extinction – outweighs all other concerns
Visha Thamboo, 2014, citing Richard Clarke, a former White House staffer in charge of counterterrorism and cyber-security, “Cyber Security: The world’s greatest threat,” 11-25,
https://blogs.ubc.ca/vishathamboo/2014/11/25/cyber-security-the-worlds-greatest-threat/
After land, sea, air and space, warfare had entered the fifth domain: cyberspace. Cyberspace is arguably
the most dangerous of all warfares because of the amount of damage that can be done, whilst
remaining completely immobile and anonymous. In a new book Richard Clarke, a former White House
staffer in charge of counter-terrorism and cyber-security, envisages a catastrophic breakdown within 15
minutes. Computer bugs bring down military e-mail systems; oil refineries and pipelines explode; air-traffic-control systems collapse; freight and metro trains derail; financial data are scrambled; the
electrical grid goes down in the eastern United States; orbiting satellites spin out of control. Society soon
breaks down as food becomes scarce and money runs out. Worst of all, the identity of the attacker may
remain a mystery. Other dangers are coming: weakly governed swathes of Africa are being connected
up to fibre-optic cables, potentially creating new havens for cyber-criminals and the spread of mobile
internet will bring new means of attack. The internet was designed for convenience and reliability, not
security. Yet in wiring together the globe, it has merged the garden and the wilderness. No passport is
required in cyberspace. And although police are constrained by national borders, criminals roam freely.
Enemy states are no longer on the other side of the ocean, but just behind the firewall. The ill-intentioned can mask their identity and location, impersonate others and con their way into the
buildings that hold the digitised wealth of the electronic age: money, personal data and intellectual
property. Deterrence in cyber-warfare is more uncertain than, say, in nuclear strategy: there is no
mutually assured destruction, the dividing line between criminality and war is blurred and identifying
attacking computers, let alone the fingers on the keyboards, is difficult. Retaliation need not be confined
to cyberspace; the one system that is certainly not linked to the public internet is America’s nuclear
firing chain. Although for now, cyber warfare has not spiralled out of control, it is only a matter of time,
before cyber warfare becomes the most prominent type of attack, and the most deadly because of its
scope and anonymity.
Uniqueness ext
Preventing cyber terror is a top priority now – by 2018 there will be total security
Institute for Critical Infrastructure Technology, April 18, 2015, Critical infrastructure Alliance – public
private partnership for the advancement of digital security in the United States, "Pentagon drafting
civilians into Cyber Mission Force to combat cyber terrorism national emergency,"
http://criticalinfrastructurealliance.com/pentagon-drafting-civilians-into-cyber-mission-force-tocombat-cyber-terrorism-national-emergency/
By 2018, there will be 133 teams consisting of almost 6,200 military and civilian personnel who have
been trained and equipped with the tools and infrastructure to defend US cyber space. The DoD wants
its civilian personnel to come from “the most talented experts in both the uniformed and civilian
workforce, as well as a close partnership with the private sector”. The US government has been
struggling to find enough cyber security experts to join its ranks over the past 12 months. In May 2014,
the FBI even went so far as to admit it was considering relaxing its No Weed policy in order to attract
more hackers, as it had 2,000 jobs it needed to fill for its cybercrime unit. By asking IT and cybersecurity
professionals to serve as reserve forces and let them keep their day jobs, the DoD is hoping to harness
the power of the US cybersecurity industry in case cyberterrorism incidents escalate even further.
Rosenbach concluded in his testimony to the Senate: “Cyber threats are real, serious and urgent, and we
can only overcome them with a cohesive, whole-of-government approach. We have made significant
strides but there is still more work to be done. “I look forward to working with this Committee and the
Congress to ensure that DoD has the necessary capabilities to keep our country safe and our forces
strong.”
Current intel gathering is key to continued security from cyber attack
Jude Abeler, 2-10-2015, Independent Researcher, Journalist The Daily Caller, Thoughtree Previous
Young Americans for Liberty, Abeler for U.S. Senate Education Washington Journalism Center, "White
House Announces Urgent Cyber Terror Agency," Daily Caller, http://dailycaller.com/2015/02/10/whitehouse-announces-urgent-cyber-terror-agency/
The Obama administration announced the creation of a new executive agency on Tuesday that will
cooperate with the private sector along with other agencies and countries to try and disrupt cyber
criminals. “Those who do harm should know that they can be found, and held to account,” said Lisa
Monaco, chief counterterrorism advisor to the president. The announcement is largely a response to the
rise in cyber-terrorism activity, such as North Korea’s recent attacks on Sony. Monaco also cited last
week’s data breach at Anthem insurance, which contains sensitive information for up to 80 million
identities. The new Cyber Threat Intelligence Integration Center will employ what Monaco said are
lessons we have learned in combating other forms of terrorism that need to be applied to the realm of
cyber threats – namely coordinating all of the government’s tools to respond at the highest level.
“Currently no single government entity is responsible for producing coordinated cyber-threat
assessments ensuring that information is shared rapidly among existing cyber centers and other
elements within our government,” she explained. “We need to build up the muscle memory for our
cyber-response capabilities, as we have on the terrorism side.” Monaco said the new entity will not
collect new intelligence, but analyze data already collected by other relevant agencies, such as the
Department for Homeland Security, to enable it to do its job more effectively. According to Monaco, 85
percent of the country’s critical infrastructure such as hospitals, banks and water grids are in private
sector (.com) hands. “You are vulnerable if you are hooked up to the internet,” she said. Therefore the
system is designed to work in lockstep with the private sector, and encourages companies that are
victims to do the patriotic thing and report the details to DHS, where it can then be passed on to CTIIC —
which will use all of the government’s tools and unique capacity to integrate information about threats,
and make the best possible assessment. She claimed that the government will not bottle up intelligence,
but will do its utmost to share it, and used the Sony attack as an example. “Within 24 hours of learning
about the Sony Pictures Entertainment attack, the U.S. government pushed out information and
malware signatures to the private sector to update their cyber defenses so they could take action,”
Monaco said. Officials said the new agency will begin with a staff of about 50 people and a budget of
$35 million. Monaco made a gentle pitch to Congress, pointing out that cyber security should not be a
partisan issue, and asked Congress to pass a budget with funding for it. Some, however, question the
need for a new agency when there are already several that have cyber-operations centers. “We should
not be creating more organizations and bureaucracy,” argued Melissa Hathaway, president of Hathaway
Global Strategies and former White House cybersecurity coordinator. “We need to be forcing the
existing organizations to become more effective – hold them accountable,” she said.
Cyber security is a top national security priority – successful now
Robert S. Mueller, Director Federal Bureau of Investigation, 3-1-2012, "Combating Threats in the
Cyber World: Outsmarting Terrorists, Hackers, and Spies," FBI,
https://www.fbi.gov/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terroristshackers-and-spies
Terrorists are increasingly cyber savvy. Much like every other multi-national organization, they are using the Internet to grow their business and to connect
with like-minded individuals. And they are not hiding in the shadows of cyber space. Al Qaeda in the Arabian Peninsula has produced a full-color, English-language online magazine. They are
not only sharing ideas, they are soliciting information and inviting recruits to join al Qaeda. Al Shabaab—the al Qaeda affiliate in Somalia—has its own Twitter account. Al Shabaab uses it to
taunt its enemies—in English—and to encourage terrorist activity. Extremists are not merely making use of the Internet for propaganda and recruitment. They are also using cyber space to
conduct operations. The individuals who planned the attempted Times Square bombing in May 2010 used public web cameras for reconnaissance. They used file-sharing sites to share
sensitive operational details. They deployed remote conferencing software to communicate. They used a proxy server to avoid being tracked by an IP address. And they claimed responsibility
for the attempted attack—on YouTube. To date, terrorists have not used the Internet to launch a full-scale cyber attack. But we cannot underestimate their intent. In one hacker recruiting
video, a terrorist proclaims that cyber warfare will be the warfare of the future. Terrorist use of the Internet is not our only national security concern. As we know, state-sponsored computer
hacking and economic espionage pose significant challenges. Just as traditional crime has migrated online, so, too, has espionage. Hostile foreign nations seek our intellectual property and our
trade secrets for military and competitive advantage. State-sponsored hackers are patient and calculating. They have the time, the money, and the resources to burrow in, and to wait. They
may come and go, conducting reconnaissance and exfiltrating bits of seemingly innocuous information—information that in the aggregate may be of high value. You may discover one breach,
only to find that the real damage has been done at a much higher level. Unlike state-sponsored intruders, hackers for profit do not seek information for political power—they seek information
for sale to the highest bidder. These once-isolated hackers have joined forces to create criminal syndicates. Organized crime in cyber space offers a higher profit with a lower probability of
being identified and prosecuted. Unlike traditional crime families, these hackers may never meet, but they possess specialized skills in high demand. They exploit routine vulnerabilities. They
move in quickly, make their money, and disappear. No company is immune, from the Fortune 500 corporation to the neighborhood “mom and pop” business. We are also worried about
trusted insiders who may be lured into selling secrets for monetary gain. Perimeter defense may not matter if the enemy is inside the gates. The end result of these developments is that we
are losing data. We are losing money. We are losing ideas and we are losing innovation. And as citizens, we are increasingly vulnerable to losing
our information. Together we must find a way to stop the bleeding. We in the FBI have built up a
substantial expertise to address these threats, both here at home and abroad. We have cyber squads in
each of our 56 field offices, with more than 1,000 specially trained agents, analysts, and forensic
specialists. Given the FBI’s dual role in law enforcement and national security, we are uniquely
positioned to collect the intelligence we need to take down criminal networks, prosecute those
responsible, and protect our national security. But we cannot confront cyber crime on our own. Borders
and boundaries pose no obstacles for hackers. But they continue to pose obstacles for global law
enforcement, with conflicting laws, different priorities, and diverse criminal justice systems. With each
passing day, the need for a collective approach—for true collaboration and timely information sharing—
becomes more pressing. The FBI has 63 legal attaché offices that cover the globe. Together with our
international counterparts, we are sharing information and coordinating investigations. We have special
agents embedded with police departments in Romania, Estonia, Ukraine, and the Netherlands, working
to identify emerging trends and key players. Here at home, the National Cyber Investigative Joint Task
Force brings together 18 law enforcement, military, and intelligence agencies to stop current and
predict future attacks. With our partners at DHS, CIA, NSA, and the Secret Service, we are targeting
cyber threats facing our nation. The task force operates through Threat Focus Cells—specialized groups
of agents, officers, and analysts that are focused on particular threats, such as botnets. Together we are
making progress. Last April, with our private sector and law enforcement partners, the FBI dismantled
the Coreflood botnet. This botnet infected an estimated two million computers with malware that
enabled hackers to seize control of zombie computers to steal personal and financial information. With
court approval, the FBI seized domain names and re-routed the botnet to FBI-controlled servers. The
servers directed the zombie computers to stop the Coreflood software, preventing potential harm to
hundreds of thousands of users. In another case, just a few months ago, we worked with NASA’s
Inspector General and our partners in Estonia, Denmark, Germany, and the Netherlands to shut down a
criminal network operated by an Estonian company by the name of Rove Digital. The investigation,
called Operation Ghost Click, targeted a ring of criminals who manipulated Internet “click” advertising.
They re-directed users to their own advertisements and generated more than $14 million in illegal fees.
This “click” scheme impacted more than 100 countries and infected four million computers, half-a-million of which were here in the United States. We seized and disabled computers, froze the
defendants’ bank accounts, and replaced rogue servers with legitimate ones to minimize service
disruptions. With our Estonian partners, we arrested and charged six Estonian nationals for their
participation in the scheme. And again, we must continue to push forward together. Terrorism remains
the FBI’s top priority. But in the not too distant future, we anticipate that the cyber threat will pose the
number one threat to our country. We need to take lessons learned from fighting terrorism and apply
them to cyber crime. We will ensure that all of our special agents have the fundamental skills to operate
in this cyber environment. Those agents specializing in cyber matters will have the greatest possible skill
set. We are creating a structure whereby a cyber agent in San Francisco can work in a virtual
environment with an agent in Texas, an analyst in Virginia, and a forensic specialist in New York to solve
a computer intrusion that emanated from Eastern Europe. At the same time, we must rely on the
traditional capabilities of the Bureau: sources and wires. We must cultivate the sources necessary to
infiltrate criminal online networks, to collect the intelligence to prevent the next attack, and to topple
the network from the inside. We must ensure that our ability to intercept communications—pursuant to
court order—is not eroded by advances in technology. These include wireless technology and peer-to-peer networks, as well as social media.
L – Surveillance key to stop cyberattacks
Intelligence gathering provisions are critical to halting catastrophic cyberattacks
Lev-Ram, 1-21—citing DeWalt, CEO of FireEye, a leader in cyber security, protecting organizations
from advanced malware, zero-day exploits, APTs, and other cyberattacks. “Does President Obama's bid
to bolster cyber security go far enough?” Forbes, http://fortune.com/2015/01/21/obama-state-unioncybersecurity/?icid=maing-grid7|ie8-unsupported-browser|dl31|sec3_lnk3%26pLid%3D602263
Sharing real-time threat intelligence and indicators of compromise–both between the private sector and
the government and among the private sector–is a critical component of a pro-active security strategy.
The timely sharing of threat intelligence improves detection and prevention capabilities and provides
organizations with the ability to mitigate and minimize the adverse consequences of a breach. Sharing
also provides enhanced situational awareness for the community at large. FireEye research
demonstrates that over 70% of malware is highly targeted and used only once. To better manage risk
stemming from this continuously evolving threat environment, FireEye recommends that organizations
conduct robust compromise risk assessments, adopt behavioral based tools and techniques such as
detonation chambers, actively monitor their networks for advanced cyber threats, stand ready to rapidly
respond in the event of a breach and share threat intelligence and lessons learned through active
engagement in information sharing organizations. As a final preventative measure, organizations should
obtain a cyber insurance policy to help with catastrophic repercussions of a breach.
Surveillance is helping us predict and prevent cyber-attacks now
James B. Comey Director Federal Bureau of Investigation Statement Before the Senate Judiciary
Committee Washington, D.C. May 21, 2014 https://www.fbi.gov/news/testimony/oversight-of-thefederal-bureau-of-investigation-5
We face sophisticated cyber threats from state-sponsored hackers, hackers for hire, organized cyber
syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our
ideas—things of incredible value to all of us. They may seek to strike our critical infrastructure and our
economy. The threat is so dire that cyber security has topped the Director of National Intelligence list of
global threats for the second consecutive year. Given the scope of the cyber threat, agencies across the
federal government are making cyber security a top priority. Within the FBI, we are targeting high-level
intrusions—the biggest and most dangerous botnets, state-sponsored hackers, and global cyber
syndicates. We want to predict and prevent attacks, rather than reacting after the fact. FBI agents,
analysts, and computer scientists are using technical capabilities and traditional investigative
techniques—such as sources and wires, surveillance, and forensics—to fight cyber crime. We are
working side by side with our federal, state, and local partners on Cyber Task Forces in each of our 56
field offices and through the National Cyber Investigative Joint Task Force (NCIJTF). Through our 24-hour
cyber command center, CyWatch, we combine the resources of the FBI and NCIJTF, allowing us to
provide connectivity to federal cyber centers, government agencies, FBI field offices and legal attachés,
and the private sector in the event of a cyber intrusion. We also work with the private sector through
partnerships such as the Domestic Security Alliance Council, InfraGard, and the National Cyber Forensics
and Training Alliance. And we are training our state and local counterparts to triage local cyber matters,
so that we can focus on national security issues. Our legal attaché offices overseas work to coordinate
cyber investigations and address jurisdictional hurdles and differences in the law from country to
country. We are supporting partners at Interpol and The Hague as they work to establish international
cyber crime centers. We continue to assess other locations to ensure that our cyber personnel are in the
most appropriate locations across the globe. Cyber threats to critical infrastructure require a layered
approach to cyber security, including partnerships with private sector owners and operators, and with
Federal partners including the Department of Homeland Security (DHS). We have been successful in a
joint campaign to combat a campaign of cyber intrusions targeting natural gas pipeline sector
companies, in which the FBI and DHS’s Industrial Control Systems-CERT (Cyber Emergency Response
Team) deployed onsite assistance to some of the organizations targeted, and provided 14 briefings in
major cities throughout the United States to over 750 personnel involved in the protection of energy
assets and critical infrastructure. We have also successfully worked with DHS to empower the U.S.
banking system to better defend against cyber attacks. As powerful distributed denial of service (DDoS)
incidents impacting leading U.S. banking institutions in 2012 have persisted through 2014, the FBI has
worked with DHS’s US-CERT (United States Computer Emergency Readiness Team) to identify 600,000
DDoS-related IP addresses and contextual information, to better equip banks to defend themselves. We
know that to be successful in the fight against cyber crime, we must continue to recruit, develop, and
retain a highly skilled workforce. To that end, we have developed a number of creative staffing
programs and collaborative private industry partnerships to ensure that over the long term we remain
focused on our most vital resource—our people.
Expanded NSA domestic surveillance protects against cyber-attack.
Jonathan Mayer, a computer scientist + lawyer at Stanford Web Policy June 4, 2015 The NSA’s
Domestic Cybersecurity Surveillance http://webpolicy.org/2015/06/04/nsa-cybersecurity/
Earlier today, the New York Times reported that the National Security Agency has secretly expanded its
role in domestic cybersecurity. In short, the NSA believes it has authority to operate a warrantless,
signature-based intrusion detection system—on the Internet backbone.1 Owing to the program’s
technical and legal intricacies, the Times-ProPublica team sought my explanation of related primary
documents.2 I have high confidence in the report’s factual accuracy.3 Since this morning’s coverage is
calibrated for a general audience, I’d like to provide some additional detail. I’d also like to explain why,
in my view, the news is a game-changer for information sharing legislation. The Facts Despite nearly two
years of disclosures, the NSA’s domestic Internet surveillance remains shrouded in secrecy. To borrow
Donald Rumsfeld’s infamous turn of phrase, it remains one of the greatest known unknowns
surrounding the agency. The following facts are already public. The NSA maintains “upstream”
interception equipment at many points on the global telecommunications backbone. One of the primary
legal authorities for domestic upstream surveillance is Section 702 of the FISA Amendments Act (FAA).
The Foreign Intelligence Surveillance Court (FISC) has authorized warrantless FAA surveillance in
connection with foreign governments, counterterrorism, and counterproliferation. Each of these topics
has an associated “certification,” establishing procedures for targeting and minimization. The NSA can
use FAA upstream Internet surveillance to collect4 traffic that is “to,” “from,” or “about”5 a “selector.”
Prior disclosures have emphasized email addresses as FAA upstream Internet selectors. In order for a
selector to be eligible for FAA surveillance, it must be used by a foreign person or entity outside the
United States. Intelligence communitya NSA analysts can search FAA surveillance data for information
involving Americans. Senator Wyden has been a particularly persistent critic of these queries, dubbing
them “backdoor searches.” The primary documents associated with today’s report confirm the following
additional facts.6 The NSA can use FAA upstream Internet surveillance for cybersecurity purposes, so
long as there is a nexus with one of the three prior certifications. The most common scenario is where
the NSA can attribute a cybersecurity threat to another nation, enabling it to rely on the foreign
government certification. Internet protocol (IP) addresses and ranges are eligible as FAA upstream
surveillance selectors. The Department of Justice approved this practice in July 2012.7 Cybersecurity
threat signatures are also eligible as FAA upstream surveillance selectors. This adds a de facto fourth
category of FAA interceptions, since a threat signature cannot reasonably be categorized as “to,”
“from,” or “about” a particular address.8 DOJ appears to have approved the practice in May 2012. The
NSA has acted upon the above legal interpretations. The primary documents make reference to
particular FAA cybersecurity operations. Those operations relied on the foreign government
certification, and they used IP addresses as selectors. Since 2012, if not earlier, the NSA has prioritized
obtaining an FAA “cyber threat” certification. From the agency’s perspective, a cyber certification has
two desirable properties. First, it would eliminate the nexus requirement. The NSA would be able to
intercept traffic associated with a cybersecurity threat, regardless of whether the threat originates with
a foreign government. Second, a cyber certification would codify procedures for IP address and
signature targeting. The present status of the cyber certification is not apparent; it may have been
approved, have been bundled into another certification, still be in progress, or have been set aside.9 It is
also not apparent how FAA’s foreignness requirement would be implemented under the certification.10
When data is exfiltrated in the course of an attack, it often includes sensitive information about
Americans. The NSA believes that this exfiltrated data should be considered “incidental” collection,
rendering it eligible for backdoor searches. Put differently: when a data breach occurs on American soil,
and the NSA intercepts stolen data about Americans, it believes it can use that data for intelligence
purposes. The NSA collaborates with the Department of Homeland Security and the Federal Bureau of
Investigation on cybersecurity matters. It receives and shares cybersecurity threat signatures with both
agencies. When the NSA wishes to disclose a threat signature to the private sector, it usually routes that
information through DHS or the FBI. The NSA is not attributed as the source of the threat signature. The
FBI does not have its own national security surveillance equipment installed on the domestic Internet
backbone. It can borrow the NSA’s equipment, though, by having the NSA execute surveillance on its
behalf. In my view, the key takeaway is this: for over a decade, there has been a public policy debate
about what role the NSA should play in domestic cybersecurity. The debate has largely presupposed that
the NSA’s domestic authority is narrowly circumscribed, and that DHS and DOJ play a far greater role.
Today, we learn that assumption is incorrect. The NSA already asserts broad domestic cybersecurity
powers. Recognizing the scope of the NSA’s authority is particularly critical for pending legislation.
NSA surveillance is critical to help deter against successful cyber attacks
Jack Goldsmith, Henry L. Shattuck Professor at Harvard Law School, 2012
http://www.brookings.edu/~/media/research/files/papers/2010/12/08-4th-amendmentgoldsmith/1208_4th_amendment_goldsmith.pdf
The National Security Agency (“NSA”) plays an important role in the EINSTEIN projects. NSA is America’s
signals-intelligence and government information assurance agency. It is technically a component of the
Department of Defense (“DoD”), and it is typically headed by a lieutenant general or vice admiral. While
the NSA’s collection capabilities are mostly directed outside the United
States, NSA also has domestic responsibilities. It was the operator of the Terrorist Surveillance Program
(TSP) that involved warrantless wiretapping of certain terrorist communications with one end in the
United States. And it has been heavily involved in the development of the EINSTEIN systems. The
Department of Homeland Security (“DHS”) has stated that EINSTEIN 3 capabilities are “based on
technologies developed by the NSA.”8 According to the government, the “threat signatures determined
by NSA in the course of its foreign intelligence and DoD information assurance missions” will be used in
the EINSTEIN system.9 And based on threats identified by EINSTEIN 3, “alerts that do not contain the
content of communications” will be sent to NSA, which will use the information to check cyber attacks in
unknown ways that the government assures us are consistent with NSA’s “lawfully authorized
missions.”10 NSA also has the lead in the recently established Cyber Command, which is headed by NSA
Director General Keith Alexander. Cyber Command is charged with coordinating US offensive cyber
activities and U.S. defensive efforts in protecting the .mil network. Consistent with the above analysis,
Cyber Command is also tasked with the responsibility of providing “support to civil authorities” in
their cybersecurity efforts. 11 In addition, Deputy Secretary of Defense William Lynn recently stated that
Cyber Command “works closely with private industry to share information about [cybersecurity] threats
and to address shared vulnerabilities.”12 NSA is involved with domestic cybersecurity in these and
doubtlessly other ways because it possesses extraordinary technical expertise and experience,
unmatched in the government, in exploring and exploiting computer and telecommunication systems.
NSA also has close relationships with private telecommunications firms and other firms central to
national cybersecurity.13 These relationships are important because cybersecurity requires the
government to work closely with the telecommunication firms whose hardware and software constitute
the Internet’s backbone and Internet connection points. These firms already have enormous experience
and expertise identifying and eliminating certain types of bad actors and agents on their systems that
the government leverages in stopping threats that concern it.
Broad NSA surveillance power ensures ability to prevent cyber attacks.
Russell Brandom, June 4, 2015, 01:17 pm, “The NSA is still conducting mass
surveillance of the US internet to find cyberattacks”
http://www.theverge.com/2015/6/4/8729155/snowden-nsa-internet-cyber-surveillance-cyberattack
The NSA is scanning US web traffic for specific malware signatures, according to new Snowden
documents published by The New York Times and ProPublica. Previous documents have shown the NSA
and GCHQ collecting data from undersea data cables, but this is the most comprehensive look at how
the NSA uses that data to zero in on specific activities or actors on the web. According to the new
documents, the scanning is enabled by broad legal powers, granted by the Department of Justice and
FISA court in 2012. An initial Justice Department order (interpreting Section 702 of the FISA
Amendments Act) authorized the NSA to target data based on specific IP addresses or threat signatures
that were linked to foreign nations. In addition to its surveillance operations, the NSA is tasked with
defending official US networks from digital intrusions, a task that's grown increasingly difficult as states
like China have grown more sophisticated. But according to the documents, limiting the scans to foreign
states was too restrictive for the NSA. Over the course of 2012, NSA director Keith Alexander lobbied the
Justice Department to extend the signature-based scans to malware that hadn't been linked to state
actors, but his efforts were unsuccessful. Still, the agency Specific malware programs are often reused,
even between criminals and governments, so it's notoriously difficult for researchers to connect a tactic
to a specific actor. Experts are comparing the resulting system to the network intrusion detection
systems (or NIDS) that are deployed on many private networks. Given a top-down view of the network,
NIDS systems monitor for malware traveling between points on the network, rather than catching the
bad actors as they infect individual machines. Those systems have also been proposed at a national
level, although they've rarely been deployed publicly due to the privacy issues involved.
Current surveillance techniques are effective and disrupt/deter terrorist attacks
David Rothkopf 2014 a visiting scholar at the Carnegie Endowment as well as CEO and editor of
Foreign Policy. “National Insecurity: American Leadership in an Age of Fear,” PublicAffairs, p. 337-8
For all of the questions raised by some of the sweeping programs revealed by Snowden, the
surveillance programs of the US
government include some targeted efforts that are widely regarded within the intelligence and policy
communities as extremely helpful. And new capabilities are emerging daily. Although these will require
vigilance to avoid future violations of civil liberties, there is also a sense that on the cyber side, as with drones
and the development of light-footprint approaches for combating terror, important steps have been
taken that actually enhance the security of the American people and reduce the likelihood of future attacks
like those that ushered in this era.¶ Those tools have made such a marked difference in US counterterrorism efforts
that intelligence community leaders are becoming comfortable with the idea of relaxing other controversial
practices. Mike Hayden noted that one reason he was willing to “empty the prisons” and “scale back on
the authorized interrogation techniques” is that he was not “nearly as desperate as [Director of Central Intelligence]
George [Tenet] was back in 2002, 2003. I’ve got agent networks. I’ve got penetrations. I’ve built up a strong
human intelligence collection efforts. [sic] I’m less dependent on capturing and questioning than I was in 2002. More sources.
Better electronic intelligence. You’re hitting on all cylinders now. And with the requisite intelligence, it enables your orthoscopic
stuff” (meaning “surgical” or “light-footprint activities”).¶ Lisa Monaco asserts, “I think the US government has done a good
job of creating a counterterrorism structure and apparatus-operationally and policy-wise – to learn the
lessons of 9/11 and have an ability to meet the threats that we face, share information, apply the right
kind of military, intelligence, diplomatic, and law enforcement tools today…. As an example, say we know a
terrorist is transiting Germany. We have an apparatus to reach out: The FBI will talk to its German
counterparts, share information, get their assistance within the bounds of the rule of law to try and
detain that person. So, we have a process. We share intelligence. We try and disrupt that threat.” Although she
acknowledges the systems are not quite as evolved on the cybersecurity side, the point is that – despite metastasizing terror threats
worldwide, and confusion and ill-conceived programs of the US government is in a number of important
ways fulfilling its core mission of helping to make America and Americans safer.
NSA surveillance is critical to protecting us against cyber attacks
Michelle Van Cleave What It Takes: In Defense of the NSA NOVEMBER/DECEMBER 2013
http://www.worldaffairsjournal.org/article/what-it-takes-defense-nsa
For my old business of US counterintelligence, the Snowden case is something of an unraveling
nightmare. At this stage, there is no telling whether or not he acted alone, or what he compromised.
Four months isn’t much time on-site, yet he used his access to identify and download highly classified
information that would be of particular use to him. How did he decide what was of value to snatch?
Where did he find it? How did he take it without getting caught? He admitted that he took the NSA
contractor job in March of this year in order to gain access to this material, so his preparations had been
under way for quite a while. The deeper question is at what point along the way he started to get
outside help and direction, and from whom. At a minimum, the press leaks were very well scripted to
provide cover for the rest of the operation, which has received far less attention. Snowden passed
documents allegedly showing US and UK surveillance of Russian and Turkish representatives at a Group
of 20 meeting. He passed ostensible records of US signals intelligence operations in Hong Kong and
elsewhere, as well as Britain’s signals intelligence arm, GCHQ. He passed information about top-secret
plans to counter Chinese cyber-attack capabilities, and about joint intelligence undertakings among
Western allies, including US and German cooperation. That’s just what has been reported publicly. Then
of course there is whatever else he stole. Whether or not there are audit trails for IT administrators like
Snowden we can only guess. If not, there may be no way of bounding the potential damage. And since
we don’t know what secrets may have been lost, we won’t know what or who may now be at risk. That
uncertainty alone is an intelligence bonanza for our adversaries. Whatever else Snowden may be, he has
been a voice of disinformation. For example, here’s an excerpt from his Guardian interview: “Any
analyst at any time can target anyone, any selector, anywhere. . . I sitting at my desk certainly had the
authorities to wiretap anyone from you or your accountant to a federal judge to even the president if I
had a personal e-mail.” If that were true, it would be an outrageous abuse of authority. But it is not true,
not a whit. Now maybe Snowden is just delusional. Or maybe someone is coaching him a little, the
better to inflame public opinion. But who would know, when there is an immediate rush to judgment to
pronounce the man a “hero” or a “conscientious objector” or “deeply idealistic” or whatever other
bouquets of virtue were thrown his way. By such means, some of the West’s best and brightest (looking
less bright all the time) become part of the disinformation campaign directed against America’s moral
standing in the world. That campaign has a long history. Two inherent qualities make US intelligence
unique among the world’s intelligence services. The first is its accountability and unparalleled openness
to public scrutiny and the rigorous oversight of the political process. The fact that we measure these
things against civil liberties, and bring them under the careful checks and balances of our Constitution, is
the bedrock of their strength. Even more fundamentally, US intelligence is part of the great experiment
in governance that is our democratic republic. Beginning with George Washington’s first State of the
Union Address, in which he requested a secret fund for clandestine activities, intelligence has been an
instrument to achieve the broad goals of the American people and the policies advanced by their duly
elected representatives. That is why any rupture between public confidence and the US intelligence
enterprise is so destructive. It is also why America’s adversaries have long sought to provoke one. During
the Cold War, the KGB expended a great deal of energy and treasure in undermining the credibility and
effectiveness of US intelligence in general and the CIA in particular. Soviet disinformation campaigns
included some breathtaking lies, deceptions, and fantastic tales (e.g., forged documents, planted news
reports, and grotesque accusations that the CIA was responsible for trafficking in baby parts,
assassinating President Kennedy, and inventing AIDS). It took decades for the CIA to recover from the
Church Committee investigations of the 1970s—years that the Soviets used to advantage in
undermining pro-Western governments, supporting insurgencies, and implanting spies. And here we go
again. Whatever Snowden may have had in mind when he decided to break his oath, the secrets he
disclosed have been used to discredit US intelligence among the very democratic populations that
depend most on the American defense umbrella. Across Europe, there have been lawsuits to stop NSA
operations. Round two of Snowden’s leaks included purported US collection activities directed against
members of the European Union, so the EU, the French, the Germans, and others lodged diplomatic
complaints and suspended trade and other talks and loudly proclaimed their indignation. (This is more
than a little hypocritical, given their own intelligence activities against one another—not to mention the
value they derive from ours.) To make matters worse, a whole series of damaging leaks in recent years,
ranging from WikiLeaks to include some from the highest levels of the US government, have called into
question America’s reliability as an intelligence partner. For friendly intelligence services, trusting the
Americans to keep secrets secret has become a far riskier proposition. In fact, our stock as an
intelligence partner has never been lower, which is exceedingly worrisome in an era when we rely so
heavily on liaison services for essential intelligence about terrorist targets. For American intelligence
personnel, doing their jobs has become that much more difficult and that much more thankless. You can
be sure that the Russians, the Chinese, and others, knowing about the demoralizing effects of the
Snowden leaks, are working overtime pursuing new recruitment prospects within US intelligence ranks.
They know from long experience that low morale is a key factor in persuading Americans to spy on their
own country. Today, there are more Russian intelligence personnel operating in the United States than
there were at the height of the Cold War, and they are far from alone. By some counts, China is here in
even greater numbers, and even more active against us through cyber means. Add to that the Cubans,
the Iranians, and most of the rest of the world’s governments—plus some thirty-five suspected terrorist
organizations—all here, taking advantage of the freedom of movement, access, and anonymity afforded
by American society. And then there is the phenomenon of the hacker culture and virtual anarchists like
“Anonymous,” which is hard at work to set the conditions for what it calls a “global secrets meltdown.”
Their ostensible plan is to recruit individuals to infiltrate governments to steal classified information or
enable Anonymous hackers to steal it. Then, when the message “do it now” goes out, they will
simultaneously reveal all of the world’s secrets (but of course mostly concentrated in the West because
that’s where the access is). It may sound ridiculous until you realize just how many disaffected, cynical
youth like Snowden are drawn to these circles to find some sense of belonging and self-importance. The
United States has built a global intelligence apparatus because it has global interests and global
responsibilities. We have taken seriously the duties of leader of the free world, as two world wars,
Korea, Vietnam, Afghanistan, Iraq, and freedom fighters in many parts of the world can attest. None of
these duties in the last sixty years could have been met without the exceptional resources of NSA.
Successive presidents and Congresses, entrusted with preserving and defending our freedom, have
judged these investments to be vital to our nation’s security. They have protected the core secrets that
enable collection programs to succeed, as have those in US business and industry who have been
integral to their success. The unquestioned qualitative edge of US intelligence has been as essential to
defending this country and preserving our freedom as have the forces we have built to arm and equip
our military. But time has not stood still. China is attacking computer systems throughout the world,
stealing information and implanting features to enable future control. China’s prominence in IT
commercial markets means that they are in the supply chain, and their market share is growing as part
of a purposeful, state-run program for strategic position. A long roll call of spies from Russia, China,
Cuba, and other nations have targeted the essential secrets of US intelligence capabilities in order to be
able to defeat them. And now they have the Snowdens and the WikiLeakers of the world helping them
out. Interconnected global networks of digital data have become the single most important source of
intelligence warning of threats, enabling our defense at home and the advancement of freedom abroad.
To say “hands off,” as some shortsighted privacy advocates have been doing, will not preserve our
liberties, it will endanger them. It should be possible for an enlightened citizenry to empower
government action in that sphere without forfeiting the very rights that our government exists to
secure. That challenge is, at the very least, a part of the continuing experiment that is our democracy.
Surveillance efforts are expanding and deterring cyber attacks
Frank Konkel 9/10/2014 (writer for NextGov, IS THERE ANY PART OF GOVERNMENT THAT HASN’T
BEEN HACKED YET?, http://www.nextgov.com/cybersecurity/2014/09/there-any-part-governmenthasnt-been-hacked-yet/93704/)
Feds Cite ‘Unprecedented’ Collaboration with Industry The only way to stay ahead of the evolving
threats is to collaborate and share information with the private sector, officials testified. “We’re
engaging in an unprecedented level of collaboration” with industry, international law organizations and
other bodies, Anderson said, and those partnerships will continue to expand. For example, the FBI
released 40 near real-time alerts on “current and emerging threat trends and technical indicators,” to
the private sector – with 21 of those alerts sent to the financial industry. The agency is now engaging in
a more back-and-forth dialogue as opposed to the FBI listening and rarely sharing – which used to be the
case. Anderson also vowed harsher deterrents for malicious actors, referencing the recent indictments
of Chinese citizens who were caught hacking the networks of American companies. Sen. Tom Coburn, R-Okla., said he was pleased with FBI’s get-tough approach. “I’m happy to see the FBI being aggressive on
deterrence,” said Coburn, the committee’s ranking Republican. “For so long, we thought building a
higher wall was [the way to protect], but people are going to climb over any wall we have. We need
prosecutorial deterrence. I’m thankful of that attitude from FBI both domestically and internationally.”
NSA surveillance prevents cyber attack
Jonathan Mayer, a computer scientist + lawyer at Stanford Web Policy June 4, 2015 The NSA’s
Domestic Cybersecurity Surveillance http://webpolicy.org/2015/06/04/nsa-cybersecurity/
This much is certain about FAA cybersecurity surveillance: If the NSA snoops on hackers as they move
stolen data over the Internet backbone, agency analysts can sift through that information—other than
with explicit U.S. person queries. If the NSA, FBI, or CIA snoops on hackers as they move stolen data
through a cloud service, such as Dropbox or Gmail, analysts can sift through that information—including
with explicit U.S. person queries.
I - Cyber threat is high
Cyber-threat risk is high – prefer consensus
Jordain Carney 14, Staff @ National Journal, “Defense Leaders Say Cyber is Top Terror Threat,” 1-6-14,
http://www.nationaljournal.com/defense/defense-leaders-say-cyber-is-top-terror-threat-20140106,
DOA: 8-13-14,
Defense officials see cyberattacks as the greatest threat to U.S. national security, according
to a survey released Monday. Forty-five percent of respondents to the Defense News Leadership Poll
named a cyberattack as the single greatest threat—nearly 20 percentage points above terrorism,
which ranked second. The Defense News Leadership Poll, underwritten by United Technologies,
surveyed 352 Defense News subscribers, based on job seniority, between Nov. 14 and Nov. 28, 2013.
The poll targeted senior employees within the White House, Pentagon, Congress, and the defense
industry. "The magnitude of the cyber problem, combined with declining budgets, will challenge the
nation for years to come," said Vago Muradian, the editor of Defense News. It's not the first time
cyber has ranked at or near the top of a list of security concerns. Seventy percent of Americans
called a cyberattack from another country a major threat in a Pew Research Center survey released
last month. Defense Department officials, for their part, have warned about the increasing threat.
FBI Director James Comey, Rand Beers, the then-acting secretary for the Homeland Security
Department, and Gen. Keith Alexander, director of the National Security Agency, each voiced their
concerns before Congress last year. And House Intelligence Committee Chairman Mike Rogers, R-Mich.,
called it the "largest national security threat to the face the U.S. that we are not even close to
being prepared to handle as a country."
Threat of cyber-attack real and growing; most serious economic and national security
challenge in 2015.
DUSTIN VOLZ, April 1 2015 http://www.nationaljournal.com/tech/obama-declares-cyber-attacks-anational-emergency-20150401
April 1, 2015 President Obama on Wednesday signed an executive order expanding his administration's
ability to respond to malicious cyberattacks by allowing financial penalties to be inflicted on foreign
actors who engage in destructive hacking campaigns. "Cyberthreats pose one of the most serious
economic and national security challenges to the United States, and my administration is pursuing a
comprehensive strategy to confront them," Obama said in a statement. "As we have seen in recent
months, these threats can emanate from a range of sources and target our critical infrastructure, our
companies, and our citizens. This executive order offers a targeted tool for countering the most
significant cyberthreats that we face." The order allows the Treasury secretary, in consultation with the
attorney general and the secretary of State, to impose financial sanctions—such as freezing of assets or
prohibition of commercial trade—on individuals or groups responsible for malicious cyberattacks that
"create a significant threat to U.S. national security, foreign policy, or economic health or financial
stability of the United States," Obama said. Administration officials have long indicated a desire to
strengthen the government's ability to respond to and penalize those engaging in cyberattacks. The
massive hit on Sony Pictures last Thanksgiving—which the White House publicly blamed on North
Korea—increased the urgency to bolster the nation's cyberdefenses. In January, Obama signed a
separate executive order allowing for further sanctions against designated North Korean targets, but
that action was limited solely to government officials in that country and not tethered directly to the
Sony cyberattack. Wednesday's order will broaden the government's authority to permit the levying of
sanctions against those directly responsible for hacking activities—and officials will not need to acquire
a discrete order to respond to each attack. Data breaches in recent years at places like Target, Home
Depot, and Anthem Insurance have resulted in the heist of the personal data of millions of consumers,
ranging from credit-card information to Social Security numbers and health information. But hundreds,
if not thousands, of cyberattacks are waged daily against the United States, officials have said, and many
of them originate overseas. China and Russia have been identified as particularly aggressive and adept
at cyberintrusion and cyberespionage.
Cyberattacks are currently the biggest threat to US national security
Council on Foreign Relations 3/15, “Cyberattacks on US Infrastructure”,
http://www.cfr.org/global/global-conflict-tracker/p32137#!/?marker=2
In March 2013, Director of National Intelligence James Clapper identified cyberattacks as the greatest
threat to U.S. national security. Critical infrastructure—the physical and virtual assets, systems, and
networks vital to national and economic security, health, and safety—is vulnerable to cyberattacks by
foreign governments, criminal entities, and lone actors. Due to the increasingly sophisticated, frequent,
and disruptive nature of cyberattacks, such an attack on critical infrastructure could be significantly
disruptive or potentially devastating. Policymakers and cybersecurity experts contend that energy is the
most vulnerable industry; a large-scale attack could temporarily halt the supply of water, electricity, and
gas, hinder transportation and communication, and cripple financial institutions. The rising prevalence
of cyberattacks was detailed in a 2013 report by the U.S. security firm Mandiant that linked the Chinese
military to 140 cyberattacks against U.S. and foreign corporations. The same year, major U.S. banks
called on policymakers for assistance after experiencing cyberattacks emanating from Iran. The Obama
administration has emphasized the importance of cybersecurity—its fiscal year 2014 budget requested a
20 percent increase in funding, and in February the White House announced the establishment of a new
Cyber Threat Initiative Integration Center (CTIIC) to provide analysis and support to U.S. government
agencies in response to cyber threats. The United States has strengthened its offensive strategies by
developing rules of engagement for cyber warfare and cyber weapons capabilities. However, cyberspace
policymaking remains decentralized with authority shared among the White House and five executive
departments, resulting in gaps in U.S. cyber policy that leave vulnerabilities unaddressed.
Cyber threat is high---tech advancement
Josephine Wolff 13 is a Ph.D. candidate at MIT and a fellow at Harvard’s Berkman Center for Internet
and Society, "Great, Now Malware Can Jump the “Air Gap” Between Computers," 12-3-2013, Slate
Magazine, http://www.slate.com/blogs/future_tense/2013/12/03/researchers_michael_hanspach_michael_goetz_prove_malware_can_jump_air_gap.html, DOA: 3-15-2015, y2k
The gold standard for protecting computer systems—as everyone from the U.S. military to Osama Bin
Laden’s ghost well knows—is disconnecting them from the Internet. Called an “air gap,” because prior
to wireless networking it literally meant making sure there was no cable physically connecting a
computer to the public Internet, this is one of the most drastic, inconvenient, and difficult-to-maintain
computer security measures out there. It’s usually reserved for systems that require the very highest
levels of security, because it leaves you with a computer system that may be limited in what it can do,
but at least it’s absolutely safe. But according to a recent paper by researchers at the Fraunhofer
Institute for Communication, Information Processing, and Ergonomics, that [air] gap can be bridged by
high-frequency audio signals.
The researchers, Michael Hanspach and Michael Goetz, were able to transmit data between air-gapped laptops up to 19.7 meters (more than 60 feet) apart at a rate of approximately 20 bits per
second by using acoustic methods originally developed for underwater communications. In other words,
the computers communicated via their built-in speakers and microphones by transmitting inaudible
acoustic waves. The paper announcing this prototype comes just weeks after security consultant Dragos
Ruiu hypothesized that the “badBIOS” malware he was studying was able to penetrate air-gapped
machines in the same manner. Even without Hanspach and Goetz’s confirmation of its feasibility, Ruiu’s
claim was enough to unsettle some. At the Defense One conference last month, United States Naval
Academy cyber security professor and retired Navy captain Mark Hagerott said the discovery of air-gap
jumping technology would “disrupt the world balance of power.”
The basic idea underlying an air gap is that we want to cut off all access to a computer system to the
outside world but, as it turns out, there are lots of ways to access computers even through the air. The
name itself is deeply misleading, and it reflects a certain kind of misguided thinking about computer
security that comes from carelessly applying the language of physical security to the virtual world. It’s
not just that the things we can’t see—the electromagnetic and acoustic waves—can serve as access
points for attackers. It’s that we don’t yet have any thorough understanding of what all the possible
access points to computer systems are, or what their complete “attack surface” looks like.
Hanspach and Goetz’s research, and Ruiu’s warning, will likely mean that the definition of “air-gapped”
is extended yet again—this time so that its implementation includes shutting off audio input and output
devices. In the long tradition of mixing archaic physical security metaphors with modern cybersecurity
efforts, you can think of it as a sort of modern-day version of Odysseus telling his sailors to plug their
ears as they sail past the sirens. Hanspach and Goetz also suggest as possible defenses against acoustic
malware high-frequency audio filtering and audio intrusion detection systems, but these solutions are
more complicated to implement and may be less effective.
This isn’t the first time we’ve discovered that the machines we thought were protected by an
impermeable air gap were, in fact, vulnerable. Stuxnet made headlines in 2010 when it was spread to
the air-gapped machines in the Iranian Natanz nuclear facilities using infected USB drives. The
realization (or reminder, really) that USB drives could carry malware meant that the notion of air-gapping computer systems was extended to include banning removable media, or filling USB ports with
superglue.
Of course, with each such addition to the protocol for thorough air gapping, the practice becomes
more and more difficult to maintain. This summer, for instance, it was revealed that Edward Snowden
used a flash drive to copy the classified materials he later leaked to the press. Turns out the Department
of Defense may have granted thousands of exceptions to its nominal ban on removable media devices. A
mandate to shut off all computer audio input and output devices could meet a similar fate, with
organizations finding that these tools are necessary for certain important tasks—or employees finding
safety measures to be a hassle. More stringent requirements for air-gapping almost inevitably lead to
less rigorous implementation and, as the new acoustic malware prototype suggests, we don’t even
know yet all of the possible attack vectors for computer systems, or what other basic functions they
will mean shutting off and deactivating in the name of greater security.
Trends in social engineering and phishing attacks show that the human users of computer systems
are often crucial (and very vulnerable) attack vectors, while research in side-channel attacks on
cryptosystems has shown that the power used by computers, as well as the sounds they make, can be
used to target encrypted information. In short, audio input and output devices are only the latest in a
long list of computer features that turn out to be vulnerable to attack—that doesn’t make the
researchers’ discovery any less important or significant, but it does mean that it’s probably far from the
final word in air-gap-jumping technology. New attacks will continue to emerge alongside technological
improvements—dark reflections of our ingenuity. The security vulnerabilities of computers extend
across every dimension, including several we likely haven’t thought of yet, and it would be unwise to
rely too heavily on the wax in your ears, or the glue in your computer ports—or the protective cushion
of the air.
Prefer qualified evidence---9/11 commission concludes aff
Melissa Clyne 2014, Staff Writer @ News Max, “9/11 Commission: Cyberattack on US Is Imminent
Threat,” 7-22-14, http://www.newsmax.com/Newsfront/911-terrorism-cyberattack-powergrid/2014/07/22/id/584093/#ixzz3AIa4AZSB, DOA: 8-13-14, y2k
Terrorists are plotting a cyberattack against the United States that is tantamount to 9/11, and the
American public is acutely uninformed about the grave danger, according to The Wall Street Journal. Members of the former
9/11 Commission, formed to investigate and analyze the terrorist attacks, will release a report today stating
a growing complacency has set in since 2001, despite heightened threats facing the country. For the 10th anniversary of the release
of the 9/11 report, the National Commission on Terrorist Attacks met to assess the current national security climate and how the
government is handling it. As part of their undertaking, the panel interviewed current and former intelligence
officials, the Journal reports. In the report, most top spy officials pointed to cyberattacks as a "growing danger
that the government has yet to adequately address," according to the Journal. The Washington Post reports that the
panel’s most recent findings indicate that cyberspace is the "battlefield of the future" and
advocate for cybersecurity legislation allowing private companies to work with the government to counter the threat. National security is
tantamount to privacy protection. Additionally, the public should be made aware of the seriousness of the looming threat, according to the
panel. "Platitudes will not persuade the public," the authors wrote. In 2012, then Defense Secretary Leon Panetta warned that terrorists
were targeting computer control systems that operate chemical, electricity, and water plants, and those that guide transportation
throughout the country, Bloomberg reported at the time. "We know of specific instances where intruders have
successfully gained access to these control systems," Panetta said. "We also know they are seeking to
create advanced tools to attack these systems and cause panic, destruction, and even the loss of life." He
explained that an attacker could derail trains, contaminate the water supply, or shut down power grids
across the country by gaining access to control switches. It’s important, according to the report’s authors, that Americans learn
of the threats before it’s too late. "History may be repeating itself in the cyber realm," the report states. "Complacency is
setting in. There is a danger that this waning sense of urgency will divert attention and needed resources from counterterrorism efforts."
Cyber attacks are possible, likely, and will escalate
Bucci 9, Dr. Steven P. Bucci is IBM's Issue Lead for Cyber Security Programs and a part of the Global
Leadership Initiative, the in-house think tank for IBM's public-sector practice. He most recently served as
Deputy Assistant Secretary of Defense, Homeland Defense and Defense Support to Civil Authorities. Dr.
Bucci delivered these remarks at a meeting of The Heritage Foundation's Cyber Security Working Group,
The Confluence of Cyber Crime and Terrorism, http://www.heritage.org/research/lecture/theconfluence-of-cyber-crime-and-terrorism
If a cash-rich terrorist group would use its wealth to hire cyber criminal botnets for their own use, we
would have a major problem. A terrorist group so enabled could begin to overwhelm the cyber
defenses of a specific corporation, government organization, or infrastructure sector and do much
damage. They could destroy or corrupt vital data in the financial sector, cripple communications over a wide
area to spread panic and uncertainty.
Similar to the nation-state attack scenarios discussed earlier, terrorists could use botnet-driven DDoS
attacks to blind security forces at a border crossing point as a means of facilitating an infiltration
operation, or a cyber attack in one area of a country to act as a diversion so a "conventional" kinetic
terrorist attack can occur elsewhere. They could even conduct SCADA attacks on specific sites and use
the system to create kinetic-like effects without the kinetic component. A good example would be to
open the valves at a chemical plant near a population center, creating a Bhopal-like event.
The permutations are as endless as one's imagination. The cyber capabilities that the criminals could
provide would in short order make any terrorist organization infinitely more dangerous and effective.
Some have opined that cyber attacks are not suitable as terror tactics because they lack the drama
and spectacular effect of, say, a suicide bomber. This does not take into account the ability of the
terrorists to adapt. As our intelligence and law enforcement agencies continue to effectively combat
the terrorists, they will continue to evolve. The terrorists' old methods will be augmented and improved.
They will need to develop more imagination and versatility if they are to conduct successful operations.
This evolutionary capability has not been in short supply among the terrorist leadership. They will not
define "spectacular" so narrowly. Imagine the operational elegance of simply hitting the return key
and seeing thousands of enemies die a continent away, or watching a bank go under due to the
destruction of all its data by an unknown force. This will be enormously attractive to terrorist groups.
Additionally, the combination of cyber methods and kinetic strikes could be spectacular regardless of
one's definition.
Criminals, for their part, are motivated by greed and power. Few of the leaders of the enormous cyber
organized crime world would hesitate at selling their capabilities to a terrorist loaded with cash. That
fact, combined with the ever-growing terrorist awareness of cyber vulnerabilities, makes this set of
scenarios not just likely, but nearly inevitable.
I – War/Escalation
Cyber attacks escalate to nuclear war
Jason Fritz 2009, Former Captain of the U.S. Army, Jason, July, Hacking Nuclear Command and
Control, www.icnnd.org/Documents/Jason_Fritz_Hacking_NC2.doc
The US uses the two-man rule to achieve a higher level of security in nuclear affairs. Under this rule two authorized personnel must be present and in agreement during critical stages of nuclear command and control. The
President must jointly issue a launch order with the Secretary of Defense; Minuteman missile operators must agree that the launch order is valid; and on a submarine, both the commanding officer and executive officer must
agree that the order to launch is valid. In the US, in order to execute a nuclear launch, an Emergency Action Message (EAM) is needed. This is a preformatted message that directs nuclear forces to execute a specific attack.
The contents of an EAM change daily and consist of a complex code read by a human voice. Regular monitoring by shortwave listeners and videos posted to YouTube provide insight into how these work. These are issued
from the NMCC, or in the event of destruction, from the designated hierarchy of command and control centres. Once a command centre has confirmed the EAM, using the two-man rule, the Permissive Action Link (PAL)
codes are entered to arm the weapons and the message is sent out. These messages are sent in digital format via the secure Automatic Digital Network and then relayed to aircraft via single-sideband radio transmitters of
the High Frequency Global Communications System, and, at least in the past, sent to nuclear capable submarines via Very Low Frequency (Greenemeier 2008, Hardisty 1985). The technical details of VLF submarine
communication methods can be found online, including PC-based VLF reception. Some reports have noted a Pentagon review, which showed a potential “electronic back door into the US Navy’s system for broadcasting nuclear launch orders to Trident submarines” (Peterson 2004).
The investigation showed that cyber terrorists could potentially infiltrate this network and insert false orders for launch. The investigation led to “elaborate new instructions for validating launch orders” (Blair 2003). Adding further to the concern of cyber terrorists seizing control over submarine launched nuclear missiles; The
Royal Navy announced in 2008 that it would be installing a Microsoft Windows operating system on its nuclear submarines (Page 2008). The choice of operating system, apparently based on Windows XP, is not as alarming as the advertising of such a system is.
This may attract hackers and narrow the necessary reconnaissance to learning its details and potential exploits. It is unlikely that the operating system would play a direct role in the signal to launch, although this is far from certain. Knowledge of
the operating system may lead to the insertion of malicious code, which could be used to gain accelerating privileges, tracking, valuable information, and deception that could subsequently be
used to initiate a launch. Remember from Chapter 2 that the UK’s nuclear submarines have the authority to launch if they believe the central command has been destroyed.¶
Attempts by cyber terrorists to create the illusion of a decapitating strike could also be used to engage fail-deadly systems. Open source knowledge is scarce as to whether Russia continues to
operate such a system. However evidence suggests that they have in the past. Perimetr, also known as Dead Hand, was an automated system
set to launch a mass scale nuclear attack in the event of a decapitation strike against Soviet
leadership and military.¶ In a crisis, military officials would send a coded message to the bunkers, switching on the dead hand. If nearby ground-level sensors detected a nuclear attack on Moscow, and if a
break was detected in communications links with top military commanders, the system would send low-frequency signals over underground antennas to special rockets. Flying high over missile fields and other military sites,
these rockets in turn would broadcast attack orders to missiles, bombers and, via radio relays, submarines at sea. Contrary to some Western beliefs, Dr. Blair says, many of Russia's nuclear-armed missiles in underground
silos and on mobile launchers can be fired automatically. (Broad 1993) ¶ Assuming such a system is still active, cyber terrorists would need to create a crisis
situation in order to activate Perimetr, and then fool it into believing a decapitating strike had
taken place. While this is not an easy task, the information age makes it easier. Cyber reconnaissance could help locate the machine and
learn its inner workings. This could be done by targeting the computers of high level officials—anyone
who has reportedly worked on such a project, or individuals involved in military operations at underground facilities, such as those reported to be located at Yamantau and Kosvinksy mountains in the central southern Urals
(Rosenbaum 2007, Blair 2008)¶ Indirect Control of Launch¶ Cyber terrorists could cause incorrect information to be transmitted,
received, or displayed at nuclear command and control centres, or shut down these centres’
computer networks completely. In 1995, a Norwegian scientific sounding rocket was mistaken by Russian early warning systems as a nuclear missile launched from a US submarine. A
radar operator used Krokus to notify a general on duty who decided to alert the highest levels. Kavkaz was implemented, all three chegets activated, and the countdown for a nuclear decision began. It took eight minutes
before the missile was properly identified—a considerable amount of time considering the speed with which a nuclear response must be decided upon (Aftergood 2000). ¶ Creating a false signal
in these early warning systems would be relatively easy using computer network operations. The real
difficulty would be gaining access to these systems as they are most likely on a closed network. However, if they are transmitting wirelessly, that may provide
an entry point, and information gained through the internet may reveal the details, such as
passwords and software, for gaining entrance to the closed network. If access was obtained, a false alarm could
be followed by something like a DDoS attack, so the operators believe an attack may be imminent, yet they can no longer verify it. This could add
pressure to the decision making process, and if coordinated precisely, could appear as a first
round EMP burst. Terrorist groups could also attempt to launch a non-nuclear missile, such as the one used by
Norway, in an attempt to fool the system. The number of states who possess such technology is far greater than the number of states who possess nuclear weapons. Obtaining them
would be considerably easier, especially when enhancing operations through computer network operations. Combining traditional terrorist methods with
cyber techniques opens opportunities neither could accomplish on their own. For example, radar stations
might be more vulnerable to a computer attack, while satellites are more vulnerable to jamming
from a laser beam, thus together they deny dual phenomenology. Mapping communications
networks through cyber reconnaissance may expose weaknesses, and automated scanning devices
created by more experienced hackers can be readily found on the internet.¶ Intercepting or spoofing communications is a highly
complex science. These systems are designed to protect against the world’s most powerful and well funded militaries. Yet, there are recurring gaffes, and the very nature of asymmetric warfare is to bypass complexities by
finding simple loopholes. For example, commercially available software for voice-morphing could be used to capture voice commands within the command and control structure, cut these sound bytes into phonemes, and
splice it back together in order to issue false voice commands (Andersen 2001, Chapter 16). Spoofing could also be used to escalate a volatile situation in the hopes of starting a nuclear war. “ [they cut off the paragraph] “In
June 1998, a group of international hackers calling themselves Milw0rm hacked the web site of India’s Bhabha Atomic Research Center (BARC) and put up a spoofed web page showing a mushroom cloud and the text “If a
nuclear war does start, you will be the first to scream” (Denning 1999). Hacker web-page defacements like these are often derided by critics of cyber terrorism as simply being a nuisance which
causes no significant harm. However, web-page defacements are becoming more common, and they point towards alarming possibilities in subversion. During the 2007 cyber attacks against Estonia, a counterfeit letter of
apology from Prime Minister Andrus Ansip was planted on his political party website (Grant 2007). This took place amid the confusion of mass DDoS attacks, real world protests, and accusations between governments.
Cyberattacks cause great power wars
Habiger 2010 [Eugene – Retired Air Force General, Cyberwarfare and Cyberterrorism, The Cyber
Security Institute, Feb 2010. p. 11-19]
However, there are reasons to believe that what is going on now amounts to a fundamental shift as
opposed to business as usual. Today’s network exploitation or information operation trespasses possess
a number of characteristics that suggest that the line between espionage and conflict has been, or is
close to being, crossed. (What that suggests for the proper response is a different matter.) First, the
number of cyberattacks we are facing is growing significantly. Andrew Palowitch, a former CIA official
now consulting with the US Strategic Command (STRATCOM), which oversees the Defense Department’s
Joint Task Force‐Global Network Operations, recently told a meeting of experts that the Defense
Department has experienced almost 80,000 computer attacks, and some number of these assaults have
actually “reduced” the military’s “operational capabilities.”20 Second, the nature of these attacks is
starting to shift from penetration attempts aimed at gathering intelligence (cyber spying) to offensive
efforts aimed at taking down systems (cyberattacks). Palowitch put this in stark terms last November,
“We are currently in a cyberwar and war is going on today.”21 Third, these recent attacks need to be
taken in a broader strategic context. Both Russia and China have stepped up their offensive efforts and
taken a much more aggressive cyberwarfare posture. The Chinese have developed an openly discussed
cyberwar strategy aimed at achieving electronic dominance over the U.S. and its allies by 2050. In 2007
the Department of Defense reported that for the first time China has developed first strike viruses,
marking a major shift from prior investments in defensive measures.22 And in the intervening period
China has launched a series of offensive cyber operations against U.S. government and private sector
networks and infrastructure. In 2007, Gen. James Cartwright, the former head of STRATCOM and now
the Vice Chairman of the Joint Chiefs of Staff, told the US‐China Economic and Security Review
Commission that China’s ability to launch “denial of service” attacks to overwhelm an IT system is of
particular concern. 23 Russia also has already begun to wage offensive cyberwar. At the outset of the
recent hostilities with Georgia, Russian assets launched a series of cyberattacks against the Georgian
government and its critical infrastructure systems, including media, banking and transportation sites.24
In 2007, cyberattacks that many experts attribute, directly or indirectly, to Russia shut down the Estonia
government’s IT systems. Fourth, the current geopolitical context must also be factored into any effort
to gauge the degree of threat of cyberwar. The start of the new Obama Administration has begun to
help reduce tensions between the United States and other nations. And, the new administration has
taken initial steps to improve bilateral relations specifically with both China and Russia. However, it must
be said that over the last few years the posture of both the Chinese and Russian governments toward
America has clearly become more assertive, and at times even aggressive. Some commentators have
talked about the prospects of a cyber Pearl Harbor, and the pattern of Chinese and Russian behavior to
date gives reason for concern along these lines: both nations have offensive cyberwarfare strategies in
place; both nations have taken the cyber equivalent of building up their forces; both nations now
regularly probe our cyber defenses looking for gaps to be exploited; both nations have begun taking
actions that cross the line from cyberespionage to cyberaggression; and, our bilateral relations with
both nations are increasingly fractious and complicated by areas of marked, direct competition. Clearly,
there are sharp differences between current U.S. relations with these two nations and relations between
the US and Japan just prior to World War II. However, from a strategic defense perspective, there are
enough warning signs to warrant preparation. In addition to the threat of cyberwar, the limited
resources required to carry out even a large scale cyberattack also makes likely the potential for a
significant cyberterror attack against the United States. However, the lack of a long list of specific
incidences of cyberterrorism should provide no comfort. There is strong evidence to suggest that al
Qaeda has the ability to conduct cyberterror attacks against the United States and its allies. Al Qaeda
and other terrorist organizations are extremely active in cyberspace, using these technologies to
communicate among themselves and others, carry out logistics, recruit members, and wage information
warfare. For example, al Qaeda leaders used email to communicate with the 9‐11 terrorists and the 9‐11
terrorists used the Internet to make travel plans and book flights. Osama bin Laden and other al Qaeda
members routinely post videos and other messages to online sites to communicate. Moreover, there is
evidence of efforts that al Qaeda and other terrorist organizations are actively developing
cyberterrorism capabilities and seeking to carry out cyberterrorist attacks. For example, the Washington
Post has reported that “U.S. investigators have found evidence in the logs that mark a browser's path
through the Internet that al Qaeda operators spent time on sites that offer software and programming
instructions for the digital switches that run power, water, transport and communications grids. In some
interrogations . . . al Qaeda prisoners have described intentions, in general terms, to use those tools.”25
Similarly, a 2002 CIA report on the cyberterror threat to a member of the Senate stated that al Qaeda
and Hezbollah have become "more adept at using the internet and computer technologies.”26 The FBI
has issued bulletins stating that, “U. S. law enforcement and intelligence agencies have received
indications that Al Qaeda members have sought information on Supervisory Control And Data
Acquisition (SCADA) systems available on multiple SCADA‐related web sites.”27 In addition a number of
jihadist websites, such as 7hj.7hj.com, teach computer attack and hacking skills in the service of Islam.28
While al Qaeda may lack the cyber‐attack capability of nations like Russia and China, there is every
reason to believe its operatives, and those of its ilk, are as capable as the cyber criminals and hackers
who routinely effect great harm on the world’s digital infrastructure generally and American assets
specifically. In fact, perhaps, the most troubling indication of the level of the cyberterrorist threat is the
countless, serious non‐terrorist cyberattacks routinely carried out by criminals, hackers, disgruntled
insiders, crime syndicates and the like. If run‐of‐the‐mill criminals and hackers can threaten powergrids,
hack vital military networks, steal vast sums of money, take down a city’s traffic lights, compromise
the Federal Aviation Administration’s air traffic control systems, among other attacks, it is
overwhelmingly likely that terrorists can carry out similar, if not more malicious attacks. Moreover, even
if the world’s terrorists are unable to breed these skills, they can certainly buy them. There are untold
numbers of cybermercenaries around the world—sophisticated hackers with advanced training who
would be willing to offer their services for the right price. Finally, given the nature of our understanding
of cyber threats, there is always the possibility that we have already been the victim of a cyberterrorist
attack, or such an attack has already been set but not yet effectuated, and we don’t know it yet. Instead,
a well‐designed cyberattack has the capacity to cause widespread chaos, sow societal unrest, undermine
national governments, spread paralyzing fear and anxiety, and create a state of utter turmoil, all without
taking a single life. A sophisticated cyberattack could throw a nation’s banking and finance system into
chaos causing markets to crash, prompting runs on banks, degrading confidence in markets, perhaps
even putting the nation’s currency in play and making the government look helpless and hapless. In
today’s difficult economy, imagine how Americans would react if vast sums of money were taken from
their accounts and their supporting financial records were destroyed. A truly nefarious cyberattacker
could carry out an attack in such a way (akin to Robin Hood) as to engender populist support and
deepen rifts within our society, thereby making efforts to restore the system all the more difficult. A
modestly advanced enemy could use a cyberattack to shut down (if not physically damage) one or more
regional power grids. An entire region could be cast into total darkness, power‐dependent systems
could be shut down. An attack on one or more regional power grids could also cause cascading effects
that could jeopardize our entire national grid. When word leaks that the blackout was caused by a
cyberattack, the specter of a foreign enemy capable of sending the entire nation into darkness would
only increase the fear, turmoil and unrest. While the finance and energy sectors are considered prime
targets for a cyberattack, an attack on any of the 17 delineated critical infrastructure sectors could have
a major impact on the United States. For example, our healthcare system is already technologically
driven and the Obama Administration’s e‐health efforts will only increase that dependency. A
cyberattack on the U.S. e‐health infrastructure could send our healthcare system into chaos and put
countless lives at risk. Imagine if emergency room physicians and surgeons were suddenly no longer
able to access vital patient information. A cyberattack on our nation’s water systems could likewise
cause widespread disruption. An attack on the control systems for one or more dams could put entire
communities at risk of being inundated, and could create ripple effects across the water, agriculture,
and energy sectors. Similar water control system attacks could be used to at least temporarily deny
water to otherwise arid regions, impacting everything from the quality of life in these areas to
agriculture. In 2007, the U.S. Cyber Consequences Unit determined that the destruction from a single
wave of cyberattacks on critical infrastructures could exceed $700 billion, which would be the rough
equivalent of 50 Katrina‐esque hurricanes hitting the United States all at the same time.29 Similarly, one
IT security source has estimated that the impact of a single day cyberwar attack that focused on and
disrupted U.S. credit and debit card transactions would be approximately $35 billion.30 Another way to
gauge the potential for harm is in comparison to other similar noncyberattack infrastructure failures. For
example, the August 2003 regional power grid blackout is estimated to have cost the U.S. economy up
to $10 billion, or roughly .1 percent of the nation’s GDP. 31 That said, a cyberattack of the exact same
magnitude would most certainly have a much larger impact. The origin of the 2003 blackout was almost
immediately disclosed as an atypical system failure having nothing to do with terrorism. This made the
event both less threatening and likely a single time occurrence. Had it been disclosed that the event was
the result of an attack that could readily be repeated the impacts would likely have grown substantially,
if not exponentially. Additionally, a cyberattack could also be used to disrupt our nation’s defenses or
distract our national leaders in advance of a more traditional conventional or strategic attack. Many
military leaders actually believe that such a disruptive cyber pre‐offensive is the most effective use of
offensive cyber capabilities. This is, in fact, the way Russia utilized cyberattackers—whether government
assets, government-directed/coordinated assets, or allied cyber irregulars—in advance of the invasion of
Georgia. Widespread distributed denial of service (DDOS) attacks were launched on the Georgian
government’s IT systems. Roughly a day later Russian armor rolled into Georgian territory. The
cyberattacks were used to prepare the battlefield; they denied the Georgian government a critical
communications tool isolating it from its citizens and degrading its command and control capabilities
precisely at the time of attack. In this way, these attacks were the functional equivalent of conventional
air and/or missile strikes on a nation’s communications infrastructure.32 One interesting element of the
Georgian cyberattacks has been generally overlooked: On July 20th, weeks before the August
cyberattack, the website of Georgian President Mikheil Saakashvili was overwhelmed by a more
narrowly focused, but technologically similar DDOS attack.33 This should be particularly chilling to
American national security experts as our systems undergo the same sorts of focused, probing attacks
on a constant basis. The ability of an enemy to use a cyberattack to counter our offensive capabilities or
soften our defenses for a wider offensive against the United States is much more than mere speculation.
In fact, in Iraq it is already happening. Iraq insurgents are now using off‐the‐shelf software (costing just
$26) to hack U.S. drones (costing $4.5 million each), allowing them to intercept the video feed from
these drones.34 By hacking these drones the insurgents have succeeded in greatly reducing one of our
most valuable sources of real‐time intelligence and situational awareness. If our enemies in Iraq are
capable of such an effective cyberattack against one of our more sophisticated systems, consider what a
more technologically advanced enemy could do. At the strategic level, in 2008, as the United States
Central Command was leading wars in both Iraq and Afghanistan, a cyber intruder compromised the
security of the Command and sat within its IT systems, monitoring everything the Command was doing.
35 This time the attacker simply gathered vast amounts of intelligence. However, it is clear that the
attacker could have used this access to wage cyberwar—altering information, disrupting the flow of
information, destroying information, taking down systems—against the United States forces already at
war. Similarly, during 2003 as the United States prepared for and began the War in Iraq, the IT networks
of the Department of Defense were hacked 294 times.36 By August of 2004, with America at war, these
ongoing attacks compelled then‐Deputy Secretary of Defense Paul Wolfowitz to write in a memo that,
"Recent exploits have reduced operational capabilities on our networks."37 This wasn’t the first time
that our national security IT infrastructure was penetrated immediately in advance of a U.S. military
option.38 In February of 1998 the Solar Sunrise attacks systematically compromised a series of
Department of Defense networks. What is often overlooked is that these attacks occurred during the
ramp up period ahead of potential military action against Iraq. The attackers were able to obtain vast
amounts of sensitive information—information that would have certainly been of value to an enemy’s
military leaders. There is no way to prove that these actions were purposefully launched with the
specific intent to distract American military assets or degrade our capabilities. However, such
ambiguities—the inability to specifically attribute actions and motives to actors—are the very nature of
cyberspace. Perhaps, these repeated patterns of behavior were mere coincidence, or perhaps they
weren’t. The potential that an enemy might use a cyberattack to soften physical defenses, increase the
gravity of harms from kinetic attacks, or both, significantly increases the potential harms from a
cyberattack. Consider the gravity of the threat and risk if an enemy, rightly or wrongly, believed that it
could use a cyberattack to degrade our strategic weapons capabilities. Such an enemy might be
convinced that it could win a war—conventional or even nuclear—against the United States. The effect
of this would be to undermine our deterrence‐based defenses, making us significantly more at risk of a
major war.
The cyber arms race is accelerating — the best data proves; involves countries like Iran
and at least 12 of the world’s 15 largest nuclear powers.
Goldman 2013, CNN Writer, Nations Prepare for Cyberwar,
http://money.cnn.com/2013/01/07/technology/security/cyber-war/index.html
In 2012, large-scale cyberattacks targeted at the Iranian government were uncovered, and in return,
Iran is believed to have launched massive attacks aimed at U.S. banks and Saudi oil companies. At least
12 of the world's 15 largest military powers are currently building cyberwarfare programs, according
to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.
So a cyber Cold War is already in progress. But some security companies believe that battle will
become even more heated this year.
"Nation states and armies will be more frequent actors and victims of cyberthreats," a team of
researchers at McAfee Labs, an Intel (INTC, Fortune 500) subsidiary, wrote in a recent report.
Michael Sutton, head of security research at cloud security company Zscaler, said he expects
governments to spend furiously on building up their cyber arsenals. Some may even outsource attacks
to online hackers.
The Obama administration and many in Congress have been more vocal about how an enemy nation or
a terrorist cell could target the country's critical infrastructure in a cyberattack. Banks, stock exchanges,
nuclear power plants and water purification systems are particularly vulnerable, according to
numerous assessments delivered to Congress last year.
Escalation likely – comparative to nuclear weapons
Stephen Dycus, 2010, Professor of national security law at Vermont Law School, former
member of the National Academies committee on cyber warfare, LLM, Harvard University, LLB,
BA, Southern Methodist University, “Congress’ Role in Cyber Warfare,” Journal of National
Security Law & Policy, 4(1), 2010, p.161164, http://www.jnslp.com/read/vol4no1/11_Dycus.pdf
In other ways, cyber weapons are critically different from their nuclear counterparts. For one
thing, the time frame for response to a cyber attack might be much narrower. A nuclear
weapon delivered by a land-based ICBM could take 30 minutes to reach its target. An
electronic attack would arrive instantaneously, and leave no time to consult with or even
inform anyone outside the executive branch before launching a counterstrike, if that were
U.S. policy.
Cyber attacks escalate
Sean Lawson 2009 assistant professor in the Department of Communication at the University of
Utah, Cross-Domain Response to Cyber Attacks and the Threat of Conflict,
http://www.seanlawson.net/?p=47
At a time when it seems impossible to avoid the seemingly growing hysteria over the threat of cyber
war,[1] network security expert Marcus Ranum delivered a refreshing talk recently, “The Problem with
Cyber War,” that took a critical look at a number of the assumptions underlying contemporary
cybersecurity discourse in the United States. He addressed one issue in particular that I would like to riff
on here, the issue of conflict escalation–i.e. the possibility that offensive use of cyber attacks could
escalate to the use of physical force. As I will show, his concerns are entirely legitimate as current U.S.
military cyber doctrine assumes the possibility of what I call “cross-domain responses” to cyberattacks.
Backing Your Adversary (Mentally) into a Corner Based on the premise that completely blinding a
potential adversary is a good indicator to that adversary that an attack is imminent, Ranum has argued
that “The best thing that you could possibly do if you want to start World War III is launch a cyber
attack. [...] When people talk about cyber war like it’s a practical thing, what they’re really doing is
messing with the OK button for starting World War III. We need to get them to sit the f-k down and shut
the f-k up.” [2] He is making a point similar to one that I have made in the past: Taking away an
adversary’s ability to make rational decisions could backfire. [3] For example, Gregory Witol cautions
that “attacking the decision maker’s ability to perform rational calculations may cause more problems
than it hopes to resolve… Removing the capacity for rational action may result in completely
unforeseen consequences, including longer and bloodier battles than may otherwise have been.” [4]
Cross-Domain Response So, from a theoretical standpoint, I think his concerns are well
founded. But the current state of U.S. policy may be cause for even greater concern. It’s not just
worrisome that a hypothetical blinding attack via cyberspace could send a signal of imminent attack and
therefore trigger an irrational response from the adversary. What is also cause for concern is that
current U.S. policy indicates that “kinetic attacks” (i.e. physical use of force) are seen as potentially
legitimate responses to cyber attacks. Most worrisome is that current U.S. policy implies that a nuclear response is possible, something that policy makers
have not denied in recent press reports. The reason, in part, is that the U.S. defense community has increasingly come to see cyberspace as a “domain of warfare” equivalent to air, land, sea,
and space. The definition of cyberspace as its own domain of warfare helps in its own right to blur the online/offline, physical-space/cyberspace boundary. But thinking logically about the
potential consequences of this framing leads to some disconcerting conclusions. If cyberspace is a domain of warfare, then it becomes possible to define “cyber attacks” (whatever those may
be said to entail) as acts of war. But what happens if the U.S. is attacked in any of the other domains? It retaliates. But it usually does not respond only within the domain in which it was
attacked. Rather, responses are typically “cross-domain responses”–i.e. a massive bombing on U.S. soil or vital U.S. interests abroad (e.g. think 9/11 or Pearl Harbor) might lead to air strikes
against the attacker. Even more likely given a U.S. military “way of warfare” that emphasizes multidimensional, “joint” operations is a massive conventional (i.e. non-nuclear) response against
the attacker in all domains (air, land, sea, space), simultaneously. The possibility of “kinetic action” in response to cyber attack, or as part of offensive U.S. cyber operations, is part of the
current (2006) National Military Strategy for Cyberspace Operations [5]: (U) Kinetic Actions. DOD will conduct kinetic missions to preserve freedom of action and strategic advantage in
cyberspace. Kinetic actions can be either offensive or defensive and used in conjunction with other mission areas to achieve optimal military effects. Of course, the possibility that a cyber
attack on the U.S. could lead to a U.S. nuclear reply constitutes possibly the ultimate in “cross-domain response.” And while this may seem far fetched, it has not been ruled out by U.S.
defense policy makers and is, in fact, implied in current U.S. defense policy documents. From the National Military Strategy of the United States (2004): “The term WMD/E relates to a broad
range of adversary capabilities that pose potentially devastating impacts. WMD/E includes chemical, biological, radiological, nuclear, and enhanced high explosive weapons as well as other,
more asymmetrical ‘weapons’. They may rely more on disruptive impact than destructive kinetic effects. For example, cyber attacks on US commercial information systems or attacks against
transportation networks may have a greater economic or psychological effect than a relatively small release of a lethal agent.” [6] The authors of a 2009 National Academies of Science report
on cyberwarfare respond to this by saying,
“Coupled with the declaratory policy on nuclear weapons described earlier, this
statement implies that the United States will regard certain kinds of cyberattacks against the United
States as being in the same category as nuclear, biological, and chemical weapons, and thus that a
nuclear response to certain kinds of cyberattacks (namely, cyberattacks with devastating impacts) may
be possible. It also sets a relevant scale–a cyberattack that has an impact larger than that associated
with a relatively small release of a lethal agent is regarded with the same or greater seriousness.” [7]
I - Cyber attacks on the grid
Grid is vulnerable now and an attack on the grid by terrorists would cripple society
Stuart Poole-Robb, 7-4-2015, "National power grids hit by cyber terrorist onslaught," ITProPortal,
http://www.itproportal.com/2015/04/07/cyber-terrorists-target-national-power-grids/
An analysis of federal energy records has revealed that parts of the US power grid are attacked online or in person every
few days. This threat is now also looming over major cities outside the US such as London. After analysing
federal data and surveying more than 50 electric utilities, USA Today described the power grid as vulnerable to a major
outage that could affect millions. Although a cyberattack has not yet caused a major loss of power, the mechanisms guarding the
grid undergo small hacks multiple times a week. The Department of Homeland Security was alerted to 151 energy-related “cyber incidents” in
2013, up from 111 in 2012. But, since 2013, the attacks have escalated hugely with probes now continuously taking
place, according to the Edison Electric Institute. The massive power outage that occurred across the US NorthEast in 2003 is evidence that
national power grids in even the most developed countries are vulnerable to cyber attacks. While no one at
the time thought of attributing the widespread outage to a cyber attack, investigations revealed that the outage was originally caused by a
software bug in the alarm system at a control room of the FirstEnergy Corporation, located in Ohio. The failed alarm left operators unaware of
the need to re-distribute power after overloaded transmission lines hit some trees. This triggered a race condition in the control software and
the local blackout cascaded into a widespread power outage. There are now growing fears on both sides of the Atlantic that terrorist groups or
hostile governments might be behind the repeated attempts to hack into the power grids’ control systems. Other possibilities include that of an
organised criminal gang (OCG) using the threat of repeated power outages to hold a city such as New York or London to ransom.
A group of terrorist hackers located in Iran called Parastoo is already known to be actively recruiting software
engineers with precisely those skills needed to bring down the power supply in a major city such as New
York or London. Parastoo has already been linked to a military-style attack on an electric power station, the PG&E Metcalf substation in
California on 16 April 2013. Parastoo now claims it has been testing national critical infrastructure using cyber vectors. Although cities in
the US and Europe appear equally vulnerable to a determined cyber attack, the US national grid is
particularly at risk. Jon Wellinghoff, former chairman of the Federal Energy Regulatory Commission warns that the power grid is
currently “too susceptible to a cascading outage” because of its reliance on a small number of critical substations and other physical
equipment. Such an attack could leave areas populated by millions of Americans without power. The US national
grid operates as an interdependent network and, if one element fails, energy must be drawn from other geographical areas. It is an essentially
old-fashioned system which predates the era of cyber terrorism. A determined cyber attack by a group such as Parastoo would involve ensuring
that multiple parts of the US Grid failed at the same time. If successful, this type of attack would result in what has been called “a cascading
effect” that could rob millions of people of power for weeks, perhaps even longer. According to Wellinghoff, “Those critical nodes can, in fact,
be attacked in one way or another. You have a very vulnerable system that will continue to be vulnerable until we figure out a way to break it
out into more distributed systems.” It is easy to underestimate the potentially devastating effect that a major
power outage lasting weeks might have on a city such as London or New York. It would not merely be a question
of lost production and a rush in the shops for torches as happened in the UK during the energy workers’ strikes in the early 1970s. Today’s
economy and society is far more electronic and computerised than that of four decades ago. Our financial
systems are powered by highly-sophisticated real time computer systems, as are all the cash dispensers. A major power outage could
also cripple shop tills and retail security systems, meaning that most shops and stores would be forced to close until the
power was restored.
Cyber attack on the grid would cause death and collapse the economy; all
infrastructure at risk.
Kevin Mandi, 2-19-2013, "Successful hacker attack could cripple U.S. infrastructure, experts say," NBC
News, http://usnews.nbcnews.com/_news/2013/02/19/17019005-successful-hacker-attack-couldcripple-us-infrastructure-experts-say?lite
A report tying the Chinese military to computer attacks against American interests has sent a chill through
cyber-security experts, who worry that the very lifelines of the United States — its energy pipelines, its
water supply, its banks — are increasingly at risk. The experts say that a successful hacker attack taking out
just a part of the nation’s electrical grid, or crippling financial institutions for several days, could sow
panic or even lead to loss of life. “I call it cyberterrorism that makes 9/11 pale in comparison,” Rep. Mike Rogers, a
Michigan Republican and chair of the House Intelligence Committee, told NBC News on Tuesday. An American computer security company,
Mandiant, reported with near certainty that members of a sophisticated Chinese hacking group work out of the headquarters of a unit of the
Chinese army outside Shanghai. The report was first detailed in The New York Times, which said that
the hacking group’s focus was increasingly on companies that work with American infrastructure, including the power grid, gas lines
and waterworks. The Chinese embassy in Washington told The Times that its government does not
engage in computer hacking. As reported, the Chinese attacks constitute a sort of asymmetrical
cyberwarfare, analysts said, because they bring the force of the Chinese government and military against private companies. “To us that’s
crossing a line into a class of victim that’s not prepared to withstand that type of attack,” Grady Summers, a Mandiant vice president, said on
the MSNBC program “Andrea Mitchell Reports.” The report comes as government officials and outside security
experts alike are sounding ever-louder alarms about the vulnerability of the systems that make everyday
life in the United States possible.
Power grid super vulnerable – empirics prove risk
Pierluigi Paganini, 7-4-2015, Works as a director at European Union Agency for Network and
Information Security and is a fellow at the EUROPEAN CENTRE FOR INFORMATION POLICY & SECURITY,
"US power grid vulnerable to cyber-attacks," Security Affairs,
http://securityaffairs.co/wordpress/38296/security/us-power-grid-vulnerable.html
Security experts and US politicians are aware that the power grid is vulnerable to a terrorist attack.
Nation’s power grid is a privileged target for terrorists as explained by the former Secretary of Defense
William Cohen: “It’s possible and whether it’s likely to happen soon remains to be seen,” said Cohen on
Monday on “The Steve Malzberg Show.” A major attack on the power grid would cause chaos in the
country by interrupting vital services for the population, the former government official said. Not only
cyber attacks are threatening the vulnerable power grid, natural disasters, such as the solar storm
known as the Carrington Event, could also interfere or disrupt the power delivery system nationwide.
Terrorists have several options to hit a power grid, from a cyber attack on SCADA systems to an EMP
attack, according to Cohen. “You can do it through cyber attacks, and that’s the real threat coming up as
well. We have to look at cyber attacks being able to shut down our power grid, which you have to
remember is in the private sector’s hands, not the government’s. And we’re vulnerable,” Cohen added.
“It’s possible and whether it’s likely to happen soon remains to be seen.” “That’s because the
technology continues to expand and terrorism has become democratized. Many, many people across
the globe now have access to information which allows them to be able to put together a very
destructive means of carrying out their terrorist plans. We’re better at detecting than we were in the
past. We’re much more focused in integrating and sharing the information that we have, but we’re still
vulnerable and we’ll continue to be vulnerable as long as groups can operate either on the margins or
covertly to build these kind of campaigns of terror.” said Cohen. Former Department of Homeland
Security Secretary Janet Napolitano shared the same Cohen’s concerns, a major cyber attack on the power
grid was a matter of “when,” not “if.” State-sponsored hackers, cyber terrorists are the main threat
actors, but as confirmed by a recent research conducted by TrendMicro, also the cybercrime represents
a serious menace. Former senior CIA analyst and EMP Task Force On National Homeland Security
Director, Dr. Peter Vincent Pry, told Newsmax TV that a cyber attack against the power grid could
cause serious destruction and losses of lives. Not only US power grid are under attack, In January 2015
the British Parliament revealed that UK Power Grid is under cyber attack from foreign hackers, but the
emergency is for critical infrastructure worldwide.
Attacks on the grid would be devastating
Tara Dodrill, 06-30-2015, "Power Grid Vulnerable To Cyber Attack, Former Defense Secretary
Says," Inquisitr News, http://www.inquisitr.com/2213678/power-grid-vulnerable-to-cyber-attackformer-defense-secretary-says/
The power grid is vulnerable to a terrorist attack, former Secretary of Defense William Cohen said. A direct assault on the
electrical system would cause chaos and civil unrest throughout the country, the former government official said. Natural
disasters, such as Carrington Event-level solar flares, could also take down the power delivery system nationwide. William
Cohen was a Republican Senator from Maine and is currently serving as the CEO and chairman of The Cohen Group. Cohen
recently released a new thriller, Collision, which is published by Forge Books. Cohen served as Secretary of Defense under
President Bill Clinton from 1997-2001. The destruction of the power grid by terrorists would not necessarily have to involve an
EMP attack, according to Cohen. “You can do it through cyber attacks, and that’s the real threat coming up as well.
We have to look at cyber attacks being able to shut down our power grid, which you have to remember
is in the private sector’s hands, not the government’s. And we’re vulnerable,” the former Secretary of Defense added. “It’s
possible and whether it’s likely to happen soon remains to be seen.” As previously reported by the Inquisitr, former Department of
Homeland Security Secretary Janet Napolitano said that a cyber attack on the power grid was a matter of “when,” not “if.”
Former senior CIA analyst and EMP Task Force On National Homeland Security Director, Dr. Peter Vincent Pry, told Newsmax
TV that America is a “sitting duck” for a terror attack that could completely destroy the power grid and take the lives of
every nine out of ten Americans in the process. William Cohen detailed the power grid threats and what role modern
technology could play in a terror attack that would leave all of America sitting in the dark. “That’s because the technology
continues to expand and terrorism has become democratized. Many, many people across the globe now have access to
information which allows them to be able to put together a very destructive means of carrying out their terrorist plans.
We’re better at detecting than we were in the past. We’re much more focused in integrating and sharing the information that we
have, but we’re still vulnerable and we’ll continue to be vulnerable as long as groups can operate either
on the margins or covertly to build these kind of campaigns of terror.” The American Society of Civil Engineers (ASCE)
reviewed the soundness and functionality of the power grid, and gave the vital piece of infrastructure a barely passing grade
of “D+.” The rating means the power grid is in “poor to fair condition and mostly below standard, with many elements
approaching the end of their service life.” The ASCE review also revealed that a “large portion of the system exhibits
significant deterioration” with a “strong risk of failure.”
I - Grid attacks escalate
Grid attacks cause nuclear war
Robert Tilford 12, Graduate US Army Airborne School, Ft. Benning, Georgia, “Cyber attackers could
shut down the electric grid for the entire east coast” 2012, http://www.examiner.com/article/cyberattackers-could-easily-shut-down-the-electric-grid-for-the-entire-east-coa ***we don’t agree with the
ableist language
To make matters worse a cyber attack that can take out a civilian power grid, for example could also cripple destroy
the U.S. military.¶ The senator notes that is that the same power grids that supply cities and towns, stores and gas
stations, cell towers and heart monitors also power “every military base in our country.”¶ “Although bases would be
prepared to weather a short power outage with backup diesel generators, within hours, not days, fuel supplies would run
out”, he said.¶ Which means military command and control centers could go dark.¶ Radar systems that
detect air threats to our country would shut down completely.¶ “Communication between commanders and their
troops would also go silent. And many weapons systems would be left without either fuel or electric power”, said
Senator Grassley.¶ “So in a few short hours or days, the mightiest military in the world would be left
scrambling to maintain base functions”, he said.¶ We contacted the Pentagon and officials confirmed the
threat of a cyber attack is something very real.¶ Top national security officials—including the Chairman of the Joint
Chiefs, the Director of the National Security Agency, the Secretary of Defense, and the CIA Director—have
said, “preventing a cyber attack and improving the nation’s electric grids is among the
most urgent priorities of our country” (source: Congressional Record).¶ So how serious is the
Pentagon taking all this?¶ Enough to start, or end a war over it, for sure.¶ A
cyber attack today against the US could very well be seen
as an “Act of War” and could be met with a “full scale” US military response.¶ That could include the
use of “nuclear weapons”, if authorized by the President.
Blackouts escalate to nuke war
Andres and Breetz 11 Richard B, Professor of National Security Strategy at the National War College
and a Senior Fellow and Energy and Environmental Security and Policy Chair in the Center for Strategic
Research, Institute for National Strategic Studies, at the National Defense University and Hanna L,
doctoral candidate in the Department of Political Science at The Massachusetts Institute of Technology,
February, "Small Nuclear Reactors for Military Installations: Capabilities, Costs, and Technological
Implications", www.ndu.edu/press/lib/pdf/StrForum/SF-262.pdf
Government and private organizations are currently working to secure the grid against attacks;
however, it is not clear that they will be successful. Most military bases currently have backup power
that allows them to function for a period of hours or, at most, a few days on their own. If power were not restored after this
amount of time, the results could be disastrous. First, military assets taken offline by the crisis would not be
available to help with disaster relief. Second, during an extended blackout, global military operations could be seriously
compromised; this disruption would be particularly serious if the blackout was induced during major
combat operations. During the Cold War, this type of event was far less likely because the United States and Soviet Union shared the common understanding that blinding an opponent with a grid
blackout could escalate to nuclear war. America’s current opponents, however, may not share this fear or be deterred by this
possibility.¶ In 2008, the Defense Science Board stressed that DOD should mitigate the electrical grid’s vulnerabilities by turning military installations into “islands” of energy self-sufficiency. The department has
made efforts to do so by promoting efficiency programs that lower power consumption on bases and by constructing renewable power generation facilities on selected bases. Unfortunately, these programs will
not come close to reaching the goal of islanding the vast majority of bases. Even with massive
investment in efficiency and renewables, most bases would not be able to function for more than a
few days after the civilian grid went offline.
Cyber attack hurts economy
Cyber-attacks are the biggest threat to our economy
Ed Moy, 7-6-2015, "Cyber Attacks Pose Biggest Unrecognized Threat to Economy," Newsmax,
http://www.newsmax.com/Finance/Ed-Moy/cyber-attack-terrorism-economy/2015/05/07/id/643241/
There is no shortage of threats to the U.S. economy: fragile growth, increasing regulation, the timing of
the Fed’s raising interest rates, White House and congressional inaction, out-of-control entitlements,
and a punitive and complicated tax system. Yet the biggest threat may be one that is least mentioned:
cyber attacks. Cyber attacks have been expanding quickly from criminal gain to corporate espionage to ideological warfare.
And these attacks have been increasing in frequency, scale, sophistication and severity. The primary reason for cyber
attacks has been financial gain. Criminals go where the money is and there is easy money using personal data to commit
fraud. Credit card data are sold to other criminals who use them to make purchases. Medical data are used to create new
personal identities for credit card and bank fraud. Health insurance information is used to make false claims, access addictive
prescription drugs and get free medical treatment. As a result, stealing personal data has reached epidemic proportions. The
numbers from recent data breaches are staggering: credit card information from 56 million Home Depot and 70
million Target customers, 145 million login credentials from eBay, contact information for 76 million J.P.
Morgan Chase customers and 80 million Anthem customers. Even small companies are not immune to
these cyber attacks. From card skimmers to point-of-sale intrusions, data theft rings have targeted relatively unprotected
small businesses as a new and vast profit center. The economic costs are monumental. It costs the breached
organization an average of $200 per compromised record, mostly from business disruption and revenue
loss. That does not include intangible costs like losing customer loyalty or hurting a company’s brand. To
add insult to injury, corporate espionage attacks are increasing. Stealing intellectual property and spying
on competitors comprises a growing number of attacks and come at huge costs to the company that has
been hacked. And the big difference with corporate spying is that the attacker usually does not give up
until they are successful. Finally, and most dangerous, are ideologically and politically motivated attacks. Cyber attacks
have proven that computers are very vulnerable. But like any profit-driven enterprise, criminals and
corporations are adverse to killing the goose that lays their golden eggs. Even nation states like China and Russia may
be too co-dependent on the U.S. But the growth of ideologically driven movements is changing the risk.
It is not a huge leap of imagination to envision a radical environmental group hacking into our energy infrastructure. Or
terrorist groups like ISIS, Boko Haram and al Qaeda wanting to bring down our banking system.
Ideological or political enemies can exploit the same vulnerabilities but have no remorse about maiming
or killing the goose. In the recent annual threat assessment delivered to Congress, the National Director
of Intelligence said that cyber attacks by politically and criminally motivated actors are the biggest threat
to U.S. national security. In this brave new world, the good guys are playing catch up to the bad guys, who
seem to always be one step ahead.
Cyberterrorism turns both the economy and surveillance
Patrick Tucker 2014 [Patrick - technology editor for Defense One. He’s also the author of The Naked
Future: What Happens in a World That Anticipates Your Every Move? “Major Cyber Attack Will Cause
Significant Loss of Life By 2025, Experts Predict”, Defense One, 10/29/14,
http://www.defenseone.com/threats/2014/10/cyber-attack-will-cause-significant-loss-life-2025experts-predict/97688/]
Signals Intelligence, CyberWar and You You may believe that a major cyber attack is likely to occur
between now and 2025, or you may view the entire cyber menace as a scheme by security software
companies. (The truth may be a mixture of both.) However, one thing that the threat of cyberwar will
certainly do is increase the amount of computer, and particularly network government, surveillance to
detect “anomalous behaviors,” possibly related to cyber attacks. The same recently released Pentagon
paper on offensive cyber operations made a pointed mention of networks and the cloud as a potential
source of signals intelligence of relevance to cyber-operators. Networks were “a primary target for
signals intelligence (SIGINT), including computer network exploitation (CNE), measurement and
signature intelligence, open source intelligence, and human intelligence.” Make no mistake, signals
intelligence collection means watching how individuals behave online. As for the Pew’s 2025 date, Jason
Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, told Defense One that he
considered it to be arbitrary. “We just don’t have a clue when it’s going to happen,” he said, adding that
a single cyber attack on the scale of Pearl Harbor frightened him less than the prospect of a massive
cyber failure, absent of malice but with real-time market implications. “I’m less concerned about attacks
and more about a shock” of the size of a major market collapse, he said and argued that pre-occupation
with a “cyber Pearl Harbor” ignores the “larger complexity” of the issue. “What do we do if one of these
IT companies that’s too big to fail has a Lehman Brother’s moment? The data was there on Monday and
is gone on Friday? If a major cloud provider fails, how do we get our data back?” While Healey was
incredulous that a country like Russia would launch a cyber attack resulting in loss of life, he
acknowledged that much has changed between today and 1991 when the electronic Pearl Harbor
concept first emerged. And the changes are coming only more rapidly, as are potential vulnerabilities.
“The more that we plug things to the Internet, things of concrete and steel and connect them to the
Internet, the more likely we are to get ourselves into the state where this will happen in 2025. The
dynamic that will make that more and more true is the Internet of Things,” he said.
Cyber attacks could potentially cause millions in damage. Next 3 years are critical.
Patricia Burke 7/1/15 Burke is a writer for CEO Insight “CIOs Need to Address Growing Cyber-Crime
Threats” http://www.cioinsight.com/security/cios-need-to-address-growing-cyber-crime-threats.html /
EM
Aside from a communications gap, increased cyber-attacks will cost enterprises millions, and not just because of
down time and lost productivity. Within three years, due to the increase in cyber-attacks and cyber-terrorism, organizations
will be facing the need to invest more in compliance with mandates on critical infrastructure protection
and national cyber-defense strategies, according to the report. The study, titled “The Global Megatrends in Cybersecurity 2015,”
questioned 1,006 cyber security CIOs, CISOs and senior IT leaders. It revealed that within the current state of cyber-security across surveyed
organizations: * Less than one-half of respondents (47 percent) believe their organizations take appropriate steps to comply with the leading
cyber-security standards. * Only one-third of those surveyed believe their organizations are prepared to deal with the cyber-security risks
associated with the Internet of things (IoT) and the proliferation of IoT devices. * Fewer than half of all respondents (47 percent) said their
organizations have sufficient resources to meet cyber-security requirements. * Two-thirds (66 percent) of those surveyed indicated their
organizations need more knowledgeable and experienced cyber-security practitioners. “You don’t have to wait until you’re
attacked to take cyber-security seriously,” said Jack Harrington, vice president of cyber-security and special missions at Raytheon
Intelligence, Information and Services. “Rallying around the cyber-security issue is critical to address the real
threats we face as a global society.” Many security leaders believe the next three years will determine if
organizations can win the cyber-war, according to the study. Understanding the trends that will impact organizations will help IT
leaders make more informed decisions about investments in people, processes and technologies.
Cyber-attacks will destroy the economy
Carter Dougherty, 8-30-2014, "Next Big Bailout for U.S. Banks Could Be Forced by Cyber-Attack,"
Bloomberg,
http://www.bloomberg.com/news/articles/2014-08-29/next-u-s-bank-bailout-could-come-after-acyber-terror-attack
Bankers and U.S. officials have warned that cyber-terrorists will try to wreck the financial system’s
computer networks. What they aren’t saying publicly is that taxpayers will probably have to cover much
of the damage. Even if customers don’t lose money from a hacking assault on JPMorgan Chase & Co., the episode is a
reminder that banks with the most sophisticated defenses are vulnerable. Treasury Department officials have quietly told bank
insurers that in the event of a cataclysmic attack, they would activate a government backstop that doesn’t explicitly cover
electronic intrusions, two people briefed on the talks said. “I can’t foresee a situation where the president wouldn’t do
something via executive order,” said Edward DeMarco, general counsel of the Risk Management Association, a professional
group of the banking industry. “All we’re talking about is the difference between the destruction of tangible property and
intangible property.” The attack on New York-based JPMorgan, though limited in scope, underscored how
cyber assaults are evolving in ferocity and sophistication, and turning more political, possibly as a prelude to the
sort of event DeMarco describes. Not simply an effort to steal money, the attack looted the bank of gigabytes
of data from deep within JPMorgan’s network. And bank security officials believe the hackers may have been aided
by the Russian government, possibly as retribution for U.S. sanctions over the Ukraine war.
Cyber-crime will collapse the economy
Matt Egan, 7-22-2013, "Report: Cyber Crime Costs Global Economy Up to $500B a Year," Fox Business,
http://www.foxbusiness.com/technology/2013/07/22/report-cyber-crime-costs-global-economy-up-to1-trillion-year/
Cyber evildoers are inflicting serious damage to the world’s already-sluggish economy. According to a
newly-released report sponsored by McAfee, global cyber activity is costing up to $500 billion each year,
which is almost as much as the estimated cost of drug trafficking. In the U.S. alone, the report estimates
that cyber crime is the catalyst behind the loss of as many as 500,000 jobs as companies grapple with
the loss of coveted intellectual property, confidential strategies that are snooped on, and suffer
reputational harm. “Extracting value from the computers of unsuspecting companies and government
agencies is a big business,” the 20-page report from McAfee and the Center for Strategic and
International Studies says. “These losses could just be the cost of doing business or they could be a
major new risk for companies and nations as these illicit acquisitions damage global economic
competitiveness and undermine technological advantage," the report said.
Biggest threat
Cyberwarfare is a bigger threat than terrorism- Experts agree
Michael Pizzi, 1-7-2014, "Cyberwarfare greater threat to US than terrorism, say security
experts," No Publication, http://america.aljazeera.com/articles/2014/1/7/defense-leaderssaycyberwarfaregreatestthreattous.html
Cyberwarfare is the greatest threat facing the United States – outstripping even terrorism – according to
defense, military, and national security leaders in a Defense News poll, a sign that hawkish warnings about an imminent
“cyber Pearl Harbor” have been absorbed in defense circles. That warning, issued by then Secretary of Defense Leon Panetta in Oct. 2012,
struck many as a fear-mongering plug for defense and intelligence funding at a moment when many in the United States, including 32
percent of those polled by the same Defense News Leadership Poll, believe the government spends too much on
defense. But 45 percent of the 352 industry leaders polled said cyberwarfare is the gravest danger to the U.S., underlining
the government’s shift in priority – and resources – towards the burgeoning digital arena of warfare. In
2010, the Pentagon created the U.S. Cyber Command, under the helm of NSA director Gen. Keith Alexander, to better prepare the U.S. for a
potential attack on digital infrastructure. Later that year, U.S. Deputy Secretary of Defense William Lynn said cyberspace had become “just as
critical to military operations as land, sea, air, and space.” The
nebulous term "cyberwarfare" refers to full-on conflict
between countries or terror groups featuring digital attacks on computer systems. But its more
devastating, violent impacts are considered by many analysts to be largely theoretical at this point.
Looming fears of cyber attacks on pacemakers of world leaders, for instance, have inspired movie plots and
television shows but are not known to have occurred, noted Morgan Marquis-Boire, a security researcher at the University
of Toronto's Citizen Lab. “At the moment, this is all set in the realm of science fiction." Marquis-Boire said the most kinetic cyberattack to date
was probably the Stuxnet worm that attacked Iran’s Natanz nuclear enrichment facility in 2010, stoking fears of a cyber-triggered nuclear terror
attack. In the U.S., the most prominent cyber attacks have targeted websites, including the Syrian Electronic Army's infamous White House
bomb hoax that briefly caused a 140-point drop in the Dow Jones Industrial Average. But the classic fear is that enemy hackers – from countries
like Iran, China, or Russia – could infiltrate the U.S. power grid, shutting down government agencies, crashing planes into buildings, and grinding
the economy to a halt. And though it has yet to happen, security
experts say a large-scale attack on the U.S. power grid
that could inflict mass casualties is within the realm of possibility. The North American Electric Reliability Corporation
reported in 2009 that the U.S. grid remains susceptible to infiltration despite substantial government investment in securing it. “We do have a
security problem whereby life is rushing towards the Internet faster than we’re developing Internet security,” said Marquis-Boire. “Many of
these systems weren’t built in a cyberwarfare age. We weren’t worried about cyberwarfare when we built the national power grid, and it’s
difficult to retrofit security.” The
impact of such an attack could be devastating. Massive power outages could
not only unleash chaos, they could also distract from a simultaneous military – or terrorist – attack. That
latter concern – that cyber war tactics might blur with traditional terrorism – were underlined in June 2012,
when information security expert Eugene Kaspersky announced his lab’s discovery of the Flame virus
that targeted computers in Iran. “It’s not cyber war, its cyber terrorism and I’m afraid it’s just the
beginning of the game,” Kaspersky said at a conference in Tel Aviv. “I’m afraid it will be the end of the world as we know it.” A few
months later, Panetta compounded fears when he warned of a “new, profound sense of vulnerability” in the U.S. due to the prospect of
cyberwarfare. But with the exception of several high-profile hacking incidents of websites, the
American public has yet to
experience any sort of large-scale attack on U.S. infrastructure, let alone American lives. Despite the
improbability of a full-on cyber conflict, analysts say they are not surprised the nebulous threat posed by
cyberwarfare has struck fear in American hearts. "The capability is out there to launch a large-scale
cyberattack resulting in loss of life or property damage, and potential targets are in some sense infinite,
because everything is connected to computers in one way or the other,” said Tara Maller, a research fellow with the
National Security Studies program at the New America Foundation and a former military analyst for the CIA. "But do I think it is very
likely another country would launch a cyber attack of this type on the U.S. right now? No, because I think there
is some level of cyber deterrence that exists between states," she said. The prospect of cyberwarfare between world
powers might be compared to a nuclear standoff: Unless geopolitical dynamics shift, it's difficult to
envision a viable scenario whereby any state's capacity to wreak havoc and mass casualties is actually
deployed. A "cyber" Pearl Harbor – like the real one – could spark a world war. "I don’t think there’s any country right now
where tensions are high enough for the state to essentially carry out an act of war against the U.S.,"
added Maller. "It could make more sense for a terrorist group, but they have more limited capabilities."
Affirmative Answers
Not protected now
The U.S. is very vulnerable – new digital controls, weak cyber security and a lack of
professionals prove
Michael Assante, Mr. Assante is director of Industrial Control Systems as well as Supervisory Control
and Data Acquisition Networks for the SANS Institute., 11-11-2014, "America's Critical Infrastructure Is
Vulnerable To Cyber Attacks," Forbes, http://www.forbes.com/sites/realspin/2014/11/11/americascritical-infrastructure-is-vulnerable-to-cyber-attacks/2/
America’s critical infrastructure—the utilities, refineries, military defense systems, water treatment
plants and other facilities on which we depend every day—has become its soft underbelly, the place
where we are now most vulnerable to attack. Over the past 25 years, hundreds of thousands of analog
controls in these facilities have been replaced with digital systems. Digital controls provide facility
operators and managers with remote visibility and control over every aspect of their operations,
including the flows and pressures in refineries, the generation and transmission of power in the
electrical grid, and the temperatures in nuclear cooling towers. In doing so, they have made industrial
facilities more efficient and more productive. But the same connectivity that managers use to collect
data and control devices allows cyber attackers to get into control system networks to steal sensitive
information, disrupt processes, and cause damage to equipment. Hackers, including those in China,
Russia and the Middle East, have taken notice. While early control system breaches were random,
accidental infections, industrial control systems today have become the object of targeted attacks by
skilled and persistent adversaries. Industrial control systems are being targeted The recently discovered
Industrial Control System modules of the HAVEX trojan are one example. The malware infiltrated an
indeterminate number of critical facilities by attaching itself to software updates distributed by control
system manufacturers. When facilities downloaded the updates to their network, HAVEX used open
communication standards to collect information from control devices and send that information to the
attackers for analysis. This type of attack represents a significant threat to confidential production data
and corporate intellectual property and may also be an early indicator of an advanced targeted attack
on an organization’s production control systems. Other hacks represent a direct threat to the safety of
U.S. citizens. Earlier this year, the FBI released information on Ugly Gorilla, a Chinese attacker who
invaded the control systems of utilities in the United States. While the FBI suspects this was a scouting
mission, Ugly Gorilla gained the cyber keys necessary for access to systems that regulate the flow of
natural gas. Considering that cyber attackers are numerous and persistent—for every one you see there
are a hundred you don’t—those developments should sound alarms among executives at companies
using industrial controls and with the people responsible for protecting American citizens from attacks.
To their credit, both businesses and the U.S. government have begun to take action; however, neither is
adequately addressing the core of the issue. The threat isn’t static Businesses continue to believe that
cybersecurity issues can be addressed solely through technology. The problem was created by
technology so the solution must be more technology, they reason, ignoring the spirit of Einstein’s
observation that “no problem can be solved from the same level of consciousness that created it.”
Technology is static and the threat is not. Hackers will always find a way to beat technology-based
solutions. That’s why we have to do more than create barriers to keep out intruders. We have to man
our digital borders with people who have the same skill and determination as the attackers. Similar to
the use of technology, the ability to regulate a solution is inherently limited. Regulation creates a
compliance mentality in which policies and investments are based on achieving and maintaining
compliance. Compliance is predictable, which makes it the hacker’s best friend. Lack in security
professionals who understand both digital security and control system technology Legislation (HR 3696)
has been introduced in the U.S. Congress that would increase the sharing of information related to
control system breaches to better arm security professionals to prevent future breaches. That is a
worthwhile goal; unfortunately, there is a dire lack of security professionals with an understanding of
both digital security and control system technology to benefit from this information sharing. Filling this
gap is where the lion’s share of the cybersecurity effort must go. It is estimated in the latest Project
SHINE report that the United States has more than half a billion control system devices connected to the
Internet. The SANS Institute, the largest cybersecurity training organization in the world, estimates that
in the U.S. power industry alone thousands of new or existing control systems security professionals
must be deployed or further developed in the next five years to adequately address the challenge of
control system security within the electric sector.
Cyber-terrorists have the upper hand – major attack is a question of when, not if
Aasha Bodhani, 1-19-2015, Award-winning journalist / Industry Features Editor at The IET, "Cybersecurity: organisations vulnerable to new swathe of attacks in 2015," No Publication,
http://eandt.theiet.org/magazine/2015/01/special-report-cyber-security.cfm
2014 was a bad year for cyber security, and experts warn that 2015 could be even worse. The scale of
attacks indicates that cyber crime is not only a considerable challenge but that the bad guys are winning.
Rather than implement effective security, many organisations are simply gambling that they do not
represent an attractive enough target compared with their peers. The cyber world has become an
increasingly attractive playground for criminals, activists and terrorists motivated to become noticed,
make money, cause havoc or bring down corporations and governments through online attacks. In 2013
alone, IBM reported, 1.5 million monitored cyber attacks took place in the US, so it is not a surprise that
cyber-security specialist and senior vice president of products at Clearswift Guy Bunker warns: "threats
are an everyday event and breaches are 'when' not 'if'." To make matters worse, cyber criminals are not
only hacking the obvious such as smartphones, e-health devices and credit card theft; they are
beginning to see driverless vehicles, e-cigarettes and smart kitchen appliances as potential targets.
Before 2014 got under way, security consultancy Websense predicted a number of attack types would
blossom. Its recent '2014 Predictions Accuracy' report shows that the experts had identified some key
problems correctly. The report states that as the cloud became the preferred location for storing data,
cyber criminals focused their attention on attacking the cloud. Other predictions that appear to have
come true include a shift from simple data theft at corporation level to nation-state level, a decrease in
the quantity of new malware resulting in more targeted attacks and cyber criminals targeting the
weakest links in the information chain, such as third-party vendors, contractors, point-of-sale devices
and out-of-date software.
Cyber Risk High – The US fails to implement security.
Tony Kovaleski, Liz Wagner and Mark Villarreal, 2-1-2015, "Critical Infrastructure Vulnerable to
Cyber Attack," NBC Bay Area, http://www.nbcbayarea.com/news/local/Critical-InfrastructureVulnerable-to-Cyber-Attacks-Experts-Warn-290370921.html
Recent security breaches at Sony Pictures, Target and Home Depot have put a spotlight on the
vulnerabilities of the nation’s cyber systems. But an NBC Bay Area investigation reveals concerns from
some of the country’s leading cyber security experts that threats have moved beyond movies, credit
cards and bank accounts, to the ability to hack into computer systems that control vital infrastructure.
For nearly two decades, the United States government has known and warned about potential threats
to critical infrastructure, including nuclear plants, electric substations, gas pipelines, transit systems,
chemical facilities and drinking water supplies. “It’s those systems, that if we lose them, it’s going to
have a serious impact on our way of life,” said Perry Pederson, a Washington, D.C.-based expert on
cyber security. In 2007, when Pederson worked for the Department of Homeland Security (DHS), he
helped design a government test now known as Project Aurora. The experiment involved hacking into a
replica of an Idaho power plant’s control system and causing it to smoke, shake and self-destruct. “It
ultimately proved and demonstrated on video that you can destroy physical equipment with a cyberattack,” Pederson said. “It’s a type of vulnerability we should be concerned about.” But Pederson said
the United States isn’t employing the lessons learned from the experiment. “Aurora should have been a
wakeup call, and we just hit the snooze button and go back to sleep,” Pederson said.
Lack necessary protections against cyber attacks now
Katherine Brocklehurst, 1-27-2015, Working with network security technologies ranging from
protocols to core encryption to intrusion detection/prevention to web application firewalls, she’s
touched every layer in the ISO model. Katherine is a subject matter expert on security and compliance
policies, and works on this every day in the field of security configuration management as senior
solutions manager at Tripwire. "Cyberterrorists Attack on Critical Infrastructure Could Be Imminent,"
State of Security, http://www.tripwire.com/state-of-security/security-data-protection/securitycontrols/cyberterrorists-attack-on-critical-infrastructure-could-be-imminent/
In a November 20, 2014, hearing for the House Intelligence Committee, NSA Director Admiral Michael
Rogers said several foreign governments had already hacked into U.S. energy, water and fuel
distribution systems, potentially damaging essential services, according to Bloomberg. “This is not
theoretical,” Rogers said. “This is something real that is impacting our nation and those of our allies and
friends every day.” DHS Warns U.S. Utility Was Hacked In May 2014, the Department of Homeland
Security and its Industrial Control Systems Cyber Emergency Response Team issued an ICS-CERT report
warning of several known attacks against U.S. utilities in the first quarter of 2014. They cited details of
one unnamed utility that had been breached and warned U.S. utilities to be on guard for intrusion
activity. The complete article on this information is available here. CYBER THREATS CAN BE PHYSICAL
Increasing cyber threat concerns are having an impact on critical infrastructure organizations because
the physical implications have the potential to be catastrophic—cybersecurity rated as the fourth
highest issue for energy executives in 2014, up from sixth place in 2013. This shows dramatic progress; it
was not even in the top ten concerns for utilities two years ago. According to the 2014 annual report
from industry consultants Black & Veatch conducted in May of 2014: “We are seeing an industry that is
actively moving forward with the deployment of comprehensive asset protection plans following several
high-profile cyber and physical threat events.” 48% OF ELECTRIC UTILITIES SURVEYED NEED CYBER
THREAT PROTECTION Still – a survey of electric utility representatives showed that 48% of respondents
indicated they did not have integrated security systems with the “proper segmentation, monitoring and
redundancies” needed for cyber threat protection. Only 32% said they had these protections in place.
Surveillance hurts ability to fight cyber attacks
NSA surveillance actually decreases ability to fight cyber-attacks by decreasing the
overall security of the internet.
Eduard Kovacs on July 30, 2014 NSA Surveillance Programs Directly Damage Internet Security: Report
http://www.securityweek.com/nsa-surveillance-programs-directly-damage-internet-security-report
“The NSA has both weakened overall trust in the network and directly harmed the security of the
Internet.” A report published by the New America Foundation’s Open Technology Institute on Tuesday
details the impact of NSA surveillance activities on the United States economy, foreign policy and
Internet security. There have been numerous discussions on the intelligence agency's controversial
spying programs over the past year, ever since former NSA contractor Edward Snowden started leaking
classified information obtained from the organization's systems. However, the Open Technology
Institute argues that most discussions have revolved around the impact of surveillance programs on
privacy and civil liberties, and not so much on how they affect the interests of the United States and the
global Internet community. The 64-page paper focuses on the costs to cybersecurity, the direct
economic costs to U.S businesses, the economic and technological costs of data localization and data
protection proposals, and political costs to American foreign policy. Internet Security Weakened by NSA.
Internet security has been greatly impacted by NSA spying because in addition to monitoring online
communications, the agency has been involved in various activities that, according to the authors of the
report, "fundamentally threaten the basic security of the Internet." For example, the report points to
the NSA's attempts to intentionally weaken critical cryptographic standards. One of these algorithms
was until recently included in cryptographic libraries used by default by RSA and other companies. The
agency is also said to be spending hundreds of millions of dollars on getting companies to intentionally
create backdoors in their products, including communication devices, commercial encryption systems
and IT networks. In addition to getting companies to insert security holes into their products, the NSA
keeps information about zero-day vulnerabilities to itself, instead of notifying the companies whose
solutions are affected. This leaves organizations and regular users exposed to attacks from the NSA, and
also from other entities that might have knowledge of the flaws, the report said. The Open Technology
Institute believes costs to cybersecurity also stem from the activities of the NSA's Tailored Access
Operations (TAO) unit, whose employees rely on an aggressive set of tools to hack into computers,
phones, routers and even SCADA systems. One of the tactics used by this unit involves targeting
networks and network providers, including the undersea cables that carry Internet traffic between
continents. The TAO unit is also said to have impersonated several major US companies, including
Facebook and LinkedIn, in an effort to insert malware and steal sensitive information.
NSA surveillance undermines our ability to prevent cyber attacks
DAVID HAMILTON NOV 18, 2014 The Real Lesson From Recent Cyberattacks: Let's Break Up The NSA
It's supposed to guard against cyberintrusion. Remember? http://readwrite.com/2014/11/18/hackingcyber-attack-break-up-the-nsa
Over the weekend, the U.S. State Department shut down its unclassified email network after finding
evidence that hackers might have been prowling around. It's in good company: In the past several
weeks, hackers have poked around in computers at the White House, the Postal Service and the
National Weather Service—not to mention JPMorgan and nine other big banks. If only there was a
federal agency dedicated to protecting federal information systems and critical U.S. infrastructure from
criminals and foreign attackers. Oh, wait—there is. It's the National Security Agency. And to all
appearances, it's botched the job so badly you'd think it wasn't really trying in the first place. Maybe it
wasn't. The NSA has historically been a house divided against itself. On one side, it ostensibly works to
"ensure appropriate security solutions are in place to protect and defend information systems, as well as
our nation’s critical infrastructure." This mission, the NSA says, aims to ensure "confidence in
cyberspace." Then there's the other side of the NSA, which listens in on the communications of U.S.
adversaries, conducts mass surveillance of Americans and foreigners and undertakes military-style cyber
attacks against other nations and alleged terrorists. Oh, and that also deliberately tries to undermine
security tools used to guard both civilian and government systems against intrusion. For instance,
the NSA's secret 2013 budget request—provided by Edward Snowden and published by the New York
Times, ProPublica and other outlets a year ago—revealed that the agency seeks to "introduce
vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communication
devices used by targets." In other words, the NSA routinely undermines the security tools that
government agencies, businesses and consumer services use to protect messages and data from
attackers. It's a little as if car makers were surreptitiously making it easier for repo men to unlock and
drive away your vehicle—right in the midst of an auto-theft epidemic. The NSA apparently does this in
the misguided belief that its own spooks will be the only ones to notice and exploit these vulnerabilities.
But criminals and foreign governments are smart, too, and just as eager to exploit security holes created
by accident or design. In 2010, for instance, Chinese hackers were able to break into individual Gmail
accounts by using "secret" backdoors that Google had installed specifically to comply with U.S.
government search-warrant requests.
NSA surveillance undermines protection from cyber-attacks.
LeakSource, 2015 What Goes Around Comes Around: NSA Cyberattacks Helping Other Countries
(Iran) Learn to Hack Better http://leaksource.info/2015/02/16/what-goes-around-comes-around-nsacyberattacks-helping-other-countries-iran-learn-to-hack-better/
The NSA’s concern of inadvertently aiding Iran’s cyberattack capabilities is striking given the
government’s recent warning about the ability of adversaries to develop more advanced viruses. A top
official at the Pentagon’s Defense Advanced Research Projects Agency (DARPA) appeared on 60
Minutes this Sunday and claimed that cyberattacks against the U.S. military are becoming more potent.
“The sophistication of the attacks is increasing,” warned Dan Kaufman, director of DARPA’s Information
Innovation Office. The NSA document suggests that offensive cyberattacks on other states do not
merely provoke counterattacks—those attacks can teach adversaries how to launch their own. “Iran
continues to conduct distributed denial-of-service (DDOS) attacks against numerous U.S. financial
institutions, and is currently in the third phase of a series of such attacks that began in August 2012,” the
document says. “SIGINT indicates that these attacks are in retaliation to Western activities against Iran’s
nuclear sector and that senior officials in the Iranian government are aware of these attacks.” This
would not be the first time the U.S. has inadvertently assisted Iran’s attack capabilities. Last month,
former CIA officer Jeffrey Sterling was convicted of multiple felony counts for telling New York Times
reporter James Risen about an agency program designed to feed Iran false data about nuclear
engineering in order to create setbacks, but which instead may have provided useful information the
Iranians were able to exploit to advance their nuclear research. As of 2013, the NSA said that while it
had no indications “that Iran plans to conduct such an attack against a U.S. or UK target, we cannot rule
out the possibility of such an attack, especially in the face of increased international pressure on the
regime.” The NSA “can’t comment or speculate on the motivations of those who aim to harm the United
States or our allies,” a spokesperson for the agency said. “The National Security Agency works with
foreign partners to protect our interests and citizens in cyberspace.”
NSA surveillance efforts compromise our ability to improve cybersecurity
Danielle Kehl How the NSA Hurts Our Economy, Cybersecurity, and Foreign Policy 2014
http://www.slate.com/blogs/future_tense/2014/07/31/usa_freedom_act_update_how_the_nsa_hurts_our_economy_cybersecurity_and_foreign.html
Lastly, there’s growing evidence that certain NSA surveillance techniques are actually bad for
cybersecurity. As the Institute of Electrical and Electronics Engineers recently explained: “The United
States might have compromised both security and privacy in a failed attempt to improve security.”
We’ve learned in the past year that the NSA has been deliberately weakening the security of the
Internet, including commercial products that we rely on every day, in order to improve its own spying
capabilities. The agency has apparently tried everything from secretly undermining essential encryption
tools and standards to inserting backdoors into widely used computer hardware and software products,
stockpiling vulnerabilities in commercial software, and building a vast network of spyware inserted onto
computers and routers around the world. A former U.S. ambassador to the U.N. Human Rights Council,
Eileen Donahoe, wrote a forceful article back in March about how the NSA’s actions threaten our
national security.
The NSA weakens encryption and increases risk of cyber attack
Matt Buchanan, 9-6-2013, "How the N.S.A. Cracked the Web," New Yorker,
http://www.newyorker.com/tech/elements/how-the-n-s-a-cracked-the-web
It’s been nearly three months since Edward Snowden started telling the world about the National Security Agency’s mass surveillance of global
communications. But the latest disclosures, by the Guardian, New York Times, and ProPublica are perhaps the most profound yet: the
N.S.A. and its partner agency in the United Kingdom, the Government Communications Headquarters, possess significant
capabilities to circumvent widely used encryption software in order to access private data. Encryption
poses a problem for intelligence agencies by scrambling data with a secret code so that even if they, or any other third-party, manages to
capture it, they cannot read it—unless they possess the key to decrypt it or have the ability to crack the encryption scheme. Encryption has
become only more pervasive in the decade since the N.S.A.’s “aggressive, multipronged effort to break widely used Internet encryption
technologies” began in 2000. When you log into Gmail or Facebook, chat over iMessage, or check your bank account, the data is typically
encrypted. This is because encryption is vital for everyday Web transactions; if for instance, you were to log in to your Gmail account using a
park’s open wireless network and your username and password were transmitted in plain form, without being encrypted, your credentials
could potentially be captured by anyone using that same network. Both the Times and the Guardian write that the N.S.A. and the G.C.H.Q. have
“cracked much of the encryption” on the Web. But we don’t know precisely how much: the Times writes that the “full extent of the N.S.A.’s
decoding capabilities is known only to a limited group of top analysts from the so-called Five Eyes: the N.S.A. and its counterparts in Britain,
Canada, Australia and New Zealand.” But it deploys “custom-built, superfast computers to break codes,” and it works with “technology
companies in the United States and abroad to build entry points into their products.” While the Times and the Guardian do not make clear
precisely which encryption schemes the N.S.A. and its partners have rendered effectively useless—and which companies the agency has
partnered with—there are some hints about what the N.S.A. has accomplished with Bullrun, its project to defeat network encryption.
The N.S.A. has apparently possessed “groundbreaking capabilities” against encrypted voice and text communication since 2010, which the
Guardian says made “‘vast amounts’ of data collected through internet cable taps newly ‘exploitable.’”
The N.S.A. appears to have found a way around some Internet-level encryption protocols that use outdated standards, but are nonetheless
ubiquitous: the Guardian writes, “The agency has capabilities against widely used online protocols, such as HTTPS,
voice-over-IP and Secure Sockets Layer.” And the Times notes that the “most intensive efforts have focused on the
encryption in universal use in the United States, including Secure Sockets Layer, or SSL; virtual private networks, or V.P.N.s;
and the protection used on fourth-generation, or 4G, smartphones.” The hypertext transfer protocol (H.T.T.P.) is
the basis for Web communication—it’s the “http” in your browser’s address bar. S.S.L. is one of the most common cryptographic protocols on
the Web and is supported by nearly all Web sites. (It’s also used by instant-messaging and other programs to secure transmissions over the
Internet.) H.T.T.P.S. is essentially the application of the S.S.L. protocol to H.T.T.P., making online services like e-mail and banking secure. A
virtual private network enables a user to have a private connection on a public network in which their transmissions are protected. Under
normal circumstances, the use of these protocols would shield data from the N.S.A.’s dragnet surveillance of communications. Cryptographic
and security experts have been able to piece together some ideas about the extent of the agency’s capabilities. Mike Janke, the C.E.O. of the
encrypted-communications company Silent Circle—which shut down its encrypted e-mail service a few weeks ago—said over the phone that,
based on information and literature he has seen, he believes the N.S.A. developed “a massive push-button scale” ability to defeat or circumvent
S.S.L. encryption in virtually real time. He added, “the reality of it is that most of the security world has known that lower level encryption—
S.S.L., H.T.T.P.S., V.P.N.s—are highly susceptible to being defeated because of their architecture.” Bruce Schneier, who has seen the Snowden
documents, wrote that the N.S.A. has circumvented common Web encryption “primarily by cheating, not
by mathematics.” Instead of busting the algorithms that power encryption schemes, Schneier is suggesting that the N.S.A. has
found a way around it. Matthew Green, a prominent crypto researcher, suggests that the N.S.A. may have
compromised the encryption software that implements the algorithms that determine how data is
scrambled—in particular, software made by Microsoft and used by many Web servers for encryption. The Times writes that “the
agency maintains an internal database of encryption keys for specific commercial products, called a Key Provisioning Service, which can
automatically decode many messages.” Intriguingly, it adds, “independent cryptographers say many are probably collected by hacking into
companies’ computer servers, where they are stored.” If the agency possesses the keys, there is no need to crack the encryption algorithm.
Thomas Drake, an N.S.A. whistleblower who was profiled by Jane Mayer in the magazine, said over the phone that he believes the 2010
breakthrough was possibly more dramatic and may refer to the defeat of “some of the main-line encryption” algorithms in wide use, like the
R.S.A. algorithm or the Advanced Encryption Standard at 256-bit level. (The length of the key used to encrypt and decrypt information,
measured in bits, is one of many aspects of what determines how hard an encryption scheme is to crack: 128-bit encryption is now relatively
easy; 2048-bit is much harder.) This kind of capability was hinted at in James Bamford’s piece a year ago about the N.S.A.’s massive new data
center in Utah.
The most damning aspect of the new disclosures is that the N.S.A. has worked to make
widely used technology less secure. The Times reports that in 2006, the N.S.A. intentionally introduced a
vulnerability into an encryption standard adopted by both the National Institute of Standards and
Technology and the International Organization for Standardization. This is deeply problematic, Green writes, because the
cryptographic industry is “highly dependent on NIST standards.” The N.S.A. also uses its Commercial Solutions Center, which invites companies,
including start-ups, to show their technology to the agency under the guise of improving security, in order to “leverage sensitive, cooperative
relationships with specific industry partners” and covertly make those products more susceptible to N.S.A.’s surveillance. Schneier, who has
reviewed the documents, describes the process thusly: “Basically, the NSA asks companies to subtly change their
products in undetectable ways: making the random number generator less random, leaking the key
somehow, adding a common exponent to a public-key exchange protocol, and so on.” This is why the
N.S.A. specifically asked the Times and Guardian to not publish their articles and the documents detailing the program warn explicitly and
repeatedly of the need for secrecy: “Do not ask about or speculate on sources or methods.” The Times notes that the
N.S.A. expects to “gain full unencrypted access to an unnamed major Internet phone call and text service” sometime this
year. The Guardian further specifies that it is a “major internet peer-to-peer voice and text communications,” which sounds like it might be
Skype—owned by Microsoft and previously named as an N.S.A. partner. Drake said that he was certain that Skype has been “compromised.”
And, in one instance, the Times notes that “after the government learned that a foreign intelligence target had ordered new computer
hardware, the American manufacturer agreed to insert a back door into the product before it was shipped.” This is worse than the legal
mandate the N.S.A. and the F.B.I. pushed for in the nineties to force technology companies to build backdoors into their products, because, as
Chris Soghoian, the principal technologist for the American Civil Liberties Union said, “with a secret backdoor you’ll think it’s secure,” rather
than simply avoiding the technology. Schneier writes, “My guess is that most encryption products from large U.S. companies have NSA-friendly
back doors, and many foreign ones probably do as well.” The pervasive effort to engineer backdoors into commercial technology strikes upon a
broader question, raised by Soghoian: “Can we rely on technology provided by corporations with extensive relations with the U.S.
government?” Despite the scope of the N.S.A.’s program, and its apparent success against Internet-level encryption, strong encryption schemes
do remain uncracked by the N.S.A, and they are “your best bet” for privacy, said Janke. Pretty Good Privacy, a common encryption program, if
used with the latest algorithms, remains safe, he added, as does the encryption used in Z.R.T.P., which is used by Silent Circle’s voice and text
products to encrypt communications. Janke believes in their security in large part because “it’s good enough for the government to approve it
for their use.” Soghoian says that “the kind of stuff we need is already available, it’s just not in our browsers and not with Google and
Facebook.” (However, in response to the N.S.A. revelations, Google has fast-tracked its plan to encrypt data as it zips between its own data
centers to prevent it from being subject to intelligence-agency prying.) Janke notes that on a local level, TrueCrypt, a hard-drive encryption
program, along with Apple’s native hard-disk encryption tool both remain unbroken. Though Drake said he would only trust 2048-bit level
encryption schemes and that he relies largely on open-source software, he would not reveal how he protects his own communications. “I just
don’t want others to know how I protect myself,” he said. “I literally do not trust anything commercial.” In response to the latest revelations,
Representative Rush Holt of New Jersey has introduced a bill, the Surveillance State Repeal Act, which would, among other things, bar the
N.S.A. from installing such backdoors into encryption software. While a statement from the Director of National Intelligence, James Clapper—
published after the reports by the Times and the Guardian—said that the fact that the N.S.A. works to crack encrypted data was “not news,”
Holt said, correctly, that “if in the process they degrade the security of the encryption we all use, it’s a net
national disservice.” The upshot is that it is now known that “the N.S.A. cannot be trusted on the issue of cyber security,” said
Soghoian. He continued, “My sincere hope is that the N.S.A. loses its shine. They’re the bad guy; they’re breaking into
systems; they’re exploiting vulnerabilities.” It’s conceivable that they have good intentions. And yet, Soghoian continued,
“they act like any other hacker. They steal data. They read private communications.” With that methodology, how easy can it be, though, to
give the agency the benefit of the doubt? As many have, Thomas Drake compared the worldview of what he calls the “rogue agency” to the
total surveillance of George Orwell’s “1984,” in which the only way to escape was “to cower in a corner. I don’t want to live like that. I’ve
already lived that and it’s not pleasant.”
NSA has made the US more vulnerable to hackers for many reasons
Brendan Sasso, 4-30-2014, "How the NSA Undermines Cybersecurity to Protect You," Nextgov,
http://www.nextgov.com/cybersecurity/2014/04/how-nsa-undermines-cybersecurity-protectyou/83482/
But critics argue that the National Security Agency has actually undermined cybersecurity and made the
United States more vulnerable to hackers. At its core, the problem is the NSA’s dual mission. On one
hand, the agency is tasked with securing U.S. networks and information. On the other hand, the agency
must gather intelligence on foreign threats to national security. Collecting intelligence often means
hacking encrypted communications. That’s nothing new for the NSA; the agency traces its roots back to
code-breakers deciphering Nazi messages during World War II. So in many ways, strong Internet security
actually makes the NSA’s job harder. “This is an administration that is a vigorous defender of
surveillance,” said Christopher Soghoian, the head technologist for the American Civil Liberties Union.
“Surveillance at the scale they want requires insecurity.” The leaks from Edward Snowden have revealed
a variety of efforts by the NSA to weaken cybersecurity and hack into networks. Critics say those
programs, while helping NSA spying, have made U.S. networks less secure. According to the leaked
documents, the NSA inserted a so-called back door into at least one encryption standard that was
developed by the National Institute of Standards and Technology. The NSA could use that back door to
spy on suspected terrorists, but the vulnerability was also available to any other hacker who discovered
it. NIST, a Commerce Department agency, sets scientific and technical standards that are widely used by
both the government and the private sector. The agency has said it would never “deliberately weaken a
cryptographic standard,” but it remains unclear whether the agency was aware of the back door or
whether the NSA tricked NIST into adopting the compromised standard. NIST is required by law to
consult with the NSA for its technical expertise on cybersecurity. The revelation that NSA somehow got
NIST to build a back door into an encryption standard has seriously damaged NIST’s reputation with
security experts. “NIST is operating with a trust deficit right now,” Soghoian said. “Anything that NIST
has touched is now tainted.” It’s a particularly bad time for NIST to have lost the support of the
cybersecurity community.
NSA has hindered, not helped, cybersecurity
Brendan Sasso, 4-30-2014, "How the NSA Undermines Cybersecurity to Protect You," Nextgov,
http://www.nextgov.com/cybersecurity/2014/04/how-nsa-undermines-cybersecurity-protectyou/83482/
The U.S. government “is as concerned as the public is with the security of these products.” “The United
States pursues its intelligence mission with care to ensure that innocent users of those same
technologies are not affected,” she said. According to Vines, the NSA relies on the same encryption
standards it recommends to the public to protect its own classified networks. “We do not make
recommendations that we cannot stand behind for protecting national security systems and data,” she
said. But due to concern over the NSA damaging Internet security, the president’s review group on
surveillance issues recommended that the U.S. government promise not to “in any way subvert,
undermine, weaken, or make vulnerable generally available commercial encryption.” “Encryption is an
essential basis for trust on the Internet; without such trust, valuable communications would not be
possible,” the group wrote in its report, which was released in December. “For the entire system to
work, encryption software itself must be trustworthy.” In response to the report, the administration
adopted a new policy on whether the NSA can exploit “zero-days”—vulnerabilities that haven’t been
discovered by anyone else yet. According to the White House, there is a “bias” toward publicly disclosing
flaws in security unless “there is a clear national security or law enforcement need.” In a blog post
Monday, Michael Daniel, the White House’s cybersecurity coordinator, said that disclosing security flaws
“usually makes sense.” “Building up a huge stockpile of undisclosed vulnerabilities while leaving the
Internet vulnerable and the American people unprotected would not be in our national security
interest,” he said. But Daniel added that, in some cases, disclosing a vulnerability means that the U.S.
would “forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the
theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities.” He said that
the government weighs a variety of factors, such as the risk of leaving the vulnerability un-patched, the
likelihood that anyone else would discover it, and how important the potential intelligence is. But
privacy advocates and many business groups are still uncomfortable with the U.S. keeping security flaws
secret. And many don’t trust that the NSA will only exploit the vulnerabilities with the most potential for
intelligence and least opportunity for other hackers. “The surveillance bureaucracy really doesn’t have a
lot of self-imposed limits. “Now I think people dealing with that bureaucracy have to understand they
can’t take anything for granted.” Most computer networks are run by private companies, and the
government must work closely with the private sector to improve cybersecurity. But companies have
become reluctant to share security information with the U.S. government, fearing the NSA could use any
information to hack into their systems. “When you want to go into partnership with somebody and work
on serious issues—such as cybersecurity—you want to know you’re being told the truth,” Black said.
NSA hurts cybersecurity by requiring backdoors, which increases the risk of
compromise
Trevor Timm, 3-4-2015, "Building backdoors into encryption isn't only bad for China, Mr President,"
Guardian, http://www.theguardian.com/commentisfree/2015/mar/04/backdoors-encryption-chinaapple-google-nsa
In a stunningly short-sighted move, the FBI - and more recently the NSA - have been pushing for a new
US law that would force tech companies like Apple and Google to hand over the encryption keys or build
backdoors into their products and tools so the government would always have access to our
communications. It was only a matter of time before other governments jumped on the bandwagon,
and China wasted no time in demanding the same from tech companies a few weeks ago. As President
Obama himself described to Reuters, China has proposed an expansive new “anti-terrorism” bill that
“would essentially force all foreign companies, including US companies, to turn over to the Chinese
government mechanisms where they can snoop and keep track of all the users of those services.”
Obama continued: “Those kinds of restrictive practices I think would ironically hurt the Chinese
economy over the long term because I don’t think there is any US or European firm, any international
firm, that could credibly get away with that wholesale turning over of data, personal data, over to a
government.” Bravo! Of course these are the exact arguments for why it would be a disaster for US
government to force tech companies to do the same. (Somehow Obama left that part out.) As Yahoo’s
top security executive Alex Stamos told NSA director Mike Rogers in a public confrontation last week,
building backdoors into encryption is like “drilling a hole into a windshield.” Even if it’s technically
possible to produce the flaw - and we, for some reason, trust the US government never to abuse it - other countries will inevitably demand access for themselves. Companies will no longer be in a position
to say no, and even if they did, intelligence services would find the backdoor unilaterally - or just steal
the keys outright.
No impact to cyberterrorism
Zero impact to cyber-attacks --- overwhelming consensus of qualified authors goes neg
- No motivation---can’t be used for coercive leverage
- Defenses solve---benefits of offense are overstated
- Too difficult to execute/mistakes in code are inevitable
- AT: Infrastructure attacks
- Military networks are air-gapped/difficult to access
- Overwhelming consensus goes neg
Colin S. Gray 13, Prof. of International Politics and Strategic Studies @ the University of Reading and
External Researcher @ the Strategic Studies Institute @ the U.S. Army War College, April, “Making
Strategic Sense of Cyber Power: Why the Sky Is Not Falling,” U.S. Army War College Press,
http://www.strategicstudiesinstitute.army.mil/pdffiles/PUB1147.pdf
CONCLUSIONS AND RECOMMENDATIONS: THE SKY IS NOT FALLING¶ This analysis has sought to explore, identify, and explain the strategic meaning of
cyber power. The organizing and thematic question that has shaped and driven the inquiry has been “So what?” Today we all do cyber, but this behavior usually has
not been much informed by an understanding that reaches beyond the tactical and technical. I have endeavored to analyze in strategic terms what is on offer from
the largely technical and tactical literature on cyber. What can or might be done and how to go about doing it are vitally important bodies of knowledge. But at least
as important is understanding what cyber, as a fifth domain of warfare, brings to national security when it is considered strategically. Military history is stocked
abundantly with examples of tactical behavior un - guided by any credible semblance of strategy. This inquiry has not been a campaign to reveal what cy ber can
and might do; a large literature already exists that claims fairly convincingly to explain “how to . . .” But what does cyber power mean, and how does it fit
strategically, if it does? These Conclusions and Rec ommendations offer some understanding of this fifth geography of war in terms that make sense to this
strategist, at least. ¶ 1. Cyber can only be an enabler of physical effort. Stand-alone (popularly misnamed as “strategic”) cyber
action is
inherently grossly limited by its immateriality. The physicality of conflict with cyber’s human participants and mechanical artifacts has
not been a passing phase in our species’ strategic history. Cyber action, quite independent of action on land, at sea, in the air, and in orbital space, certainly is
possible. But the
strategic logic of such behavior, keyed to anticipated success in tactical achievement, is not promising. To date,
“What if . . .” speculation about strategic cyber attack usually is either contextually too light, or, more often, contextually
unpersuasive. 49 However, this is not a great strategic truth, though it is a judgment advanced with
considerable confidence. Although societies could, of course, be hurt by cyber action, it is important not to lose touch
with the fact, in Libicki’s apposite words, that “[i]n the absence of physical combat, cyber war cannot lead to the
occupation of territory. It is almost inconceivable that a sufficiently vigorous cyber war can overthrow
the adversary’s government and replace it with a more pliable one.” 50 In the same way that the concepts of sea war, air
war, and space war are fundamentally unsound, so also the idea of cyber war is unpersuasive. ¶ It is not impossible, but then, neither is war conducted only at sea,
or in the air, or in space. On the one hand, cyber war may seem more probable than like environmentally independent action at sea or in the air. After all, cyber
warfare would be very unlikely to harm human beings directly, let alone damage physically the
machines on which they depend. These near-facts (cyber attack might cause socially critical machines to behave in a rogue manner with
damaging physical consequences) might seem to render cyber a safer zone of belligerent engagement than would physically violent action in other domains. But
most likely there
would be serious uncertainties pertaining to the consequences of cyber action, which must
include the possibility of escalation into other domains of conflict. Despite popular assertions to the contrary, cyber is
not likely to prove a precision weapon anytime soon. 51 In addition, assuming that the political and strategic contexts for cyber war
were as serious as surely they would need to be to trigger events warranting plausible labeling as cyber war, the distinctly limited harm likely to
follow from cyber assault would hardly appeal as prospectively effective coercive moves. On balance, it is most
probable that cyber’s strategic future in war will be as a contributing enabler of effectiveness of physical efforts in the other four geographies of conflict.
Speculation about cyber war, defined strictly as hostile action by networked computers against networked computers, is hugely unconvincing. ¶ 2. Cyber
defense is difficult, but should be sufficiently effective.
The structural
advantages of the offense in cyber
conflict are as obvious as they are easy to overstate. Penetration and exploitation, or even attack, would need to be
by surprise. It can be swift almost beyond the imagination of those encultured by the traditional demands of physical combat. Cyber attack may be so
stealthy that it escapes notice for a long while, or it might wreak digital havoc by complete surprise. And need one emphasize, that at least for a while, hostile
cyber action is likely to be hard (though not quite impossible) to attribute with a cyberized equivalent to a “smoking gun.” Once one is in the realm of the
catastrophic “What if . . . ,” the world is indeed a frightening place. On a personal note, this defense analyst was for some years exposed to highly speculative
briefings that hypothesized how unquestionably cunning plans for nuclear attack could so promptly disable the United States as a functioning state that our
nuclear retaliation would likely be stillborn. I should hardly need to add that the briefers of these Scary Scenarios were obliged to make a series of Heroic
Assumptions. ¶ The
literature of cyber scare is more than mildly reminiscent of the nuclear attack stories with
which I was assailed in the 1970s and 1980s. As one may observe regarding what Winston Churchill wrote of the disaster that was the
Gallipoli campaign of 1915, “[t]he terrible ‘Ifs’ accumulate.” 52 Of course, there are dangers in the cyber domain. Not only are there cyber-competent competitors
and enemies abroad; there are also Americans who make mistakes in cyber operation. Furthermore, there are the manufacturers and constructors of the physical
artifacts behind (or in, depending upon the preferred definition) cyberspace who assuredly err in this and that detail. The
more sophisticated—
usually meaning complex—the code for cyber, the more certain must it be that mistakes both lurk in
the program and will be made in digital communication.¶ What I have just outlined minimally is not a
reluctant admission of the fallibility of cyber, but rather a statement of what is obvious and should be
anticipated about people and material in a domain of war. All human activities are more or less
harassed by friction and carry with them some risk of failure, great or small. A strategist who has read
Clausewitz, especially Book One of On War, 53 will know this. Alternatively, anyone who skims my
summary version of the general theory of strategy will note that Dictum 14 states explicitly that
“Strategy is more difficult to devise and execute than are policy, operations, and tactics: friction of all
kinds comprise phenomena inseparable from the making and execution of strategies.” 54 Because of
its often widely distributed character, the physical infrastructure of an enemy’s cyber power is
typically, though not invariably, an impracticable target set for physical assault. Happily, this probable
fact should have only annoying consequences. The discretionary nature and therefore the variable
possible characters feasible for friendly cyberspace(s), mean that the more dangerous potential
vulnerabilities that in theory could be the condition of our cyber-dependency ought to be avoidable at
best, or bearable and survivable at worst. Libicki offers forthright advice on this aspect of the subject
that deserves to be taken at face value: ¶ [T]here is no inherent reason that improving information
technologies should lead to a rise in the amount of critical information in existence (for example, the
names of every secret agent). Really critical information should never see a computer; if it sees a
computer, it should not be one that is networked; and if the computer is networked, it should be air-gapped.¶ Cyber defense admittedly is difficult to do, but so is cyber offense. To quote Libicki yet again,
“[i]n this medium [cyberspace] the best defense is not necessarily a good offense; it is usually a good
defense.” 56 Unlike the geostrategic context for nuclear-framed competition in U.S.–Soviet/Russian
rivalry, the geographical domain of cyberspace definitely is defensible. Even when the enemy is both
clever and lucky, it will be our own design and operating fault if he is able to do more than disrupt and
irritate us temporarily.¶ When cyber is contextually regarded properly— which means first, in particular,
when it is viewed as but the latest military domain for defense planning—it should be plain to see that
cyber performance needs to be good enough rather than perfect. 57 Our Landpower, sea power, air
power, and prospectively our space systems also will have to be capable of accepting combat damage
and loss, then recovering and carrying on. There is no fundamental reason that less should be
demanded of our cyber power. Second, given that cyber is not of a nature or potential character at all
likely to parallel nuclear dangers in the menace it could contain, we should anticipate international
cyber rivalry to follow the competitive dynamic path already followed in the other domains in the
past. Because the digital age is so young, the pace of technical change and tactical invention can be
startling. However, the mechanization RMA of the 1920s and 1930s recorded reaction to the new
science and technology of the time that is reminiscent of the cyber alarmism that has flourished of
recent years. 58 We can be confident that cyber defense should be able to function well enough, given
the strength of political, military, and commercial motivation for it to do so. The technical context here is
a medium that is a constructed one, which provides air-gapping options for choice regarding the extent
of networking. Naturally, a price is paid in convenience for some closing off of possible cyberspace(s),
but all important defense decisions involve choice, so what is novel about that? There is nothing new
about accepting some limitations on utility as a price worth paying for security.¶ 3. Intelligence is
critically important, but information should not be overvalued. The strategic history of cyber over the
past decade confirms what we could know already from the science and technology of this new domain
for conflict. Specifically, cyber power is not technically forgiving of user error. Cyber warriors seeking
criminal or military benefit require precise information if their intended exploits are to succeed. Lucky
guesses should not stumble upon passwords, while efforts to disrupt electronic Supervisory Control and Data Acquisition
(SCADA) systems ought to be unable to achieve widespread harmful effects. But obviously there are
practical limits to the air-gap option, given that control (and command) systems need to be networks
for communication. However, Internet connection needs to be treated as a potential source of serious
danger.¶ It is one thing to be able to be an electronic nuisance, to annoy, disrupt, and perhaps delay.
But it is quite another to be capable of inflicting real persisting harm on the fighting power of an enemy.
Critically important military computer networks are, of course, accessible neither to the inspired
amateur outsider, nor to the malignant political enemy. Easy passing reference to a hypothetical “cyber
Pearl Harbor” reflects both poor history and ignorance of contemporary military common sense.
Critical potential military (and other) targets for cyber attack are extremely hard to access and influence (I believe and certainly hope), and the technical knowledge, skills, and effort required to do serious harm to national security is forbiddingly high. This is not to claim, foolishly, that cyber means absolutely could not secure near-catastrophic results. However, it is to say that such a scenario is extremely improbable. Cyber defense is advancing all the time, as is cyber offense, of course.
But so discretionary in vital detail can one be in the making of cyberspace, that confidence—real confidence—in cyber attack could not plausibly be high. It should
be noted that I am confining this particular discussion to what rather idly tends to be called cyber war. In political and strategic practice, it is unlikely that war would
or, more importantly, ever could be restricted to the EMS. Somewhat rhetorically, one should pose the question: Is it likely (almost anything, strictly, is possible)
that cyber war with the potential to inflict catastrophic damage would be allowed to stand unsupported in and by action in the other four geographical domains of
war? I believe not.¶ Because we have told ourselves that ours uniquely is the Information Age, we have become unduly respectful of the potency of this rather
slippery catch-all term. As usual, it is helpful to contextualize the allegedly magical ingredient, information, by locating it properly in strategic history as just one
important element contributing to net strategic effectiveness. This mild caveat is supported usefully by recognizing the general contemporary rule that information
per se harms nothing and nobody. The electrons in cyberized conflict have to be interpreted and acted upon by physical forces (including agency by physical
human beings). As one might say, intelligence (alone) sinks no ship; only men and machines can sink ships! That said, there is no doubt that if friendly cyber action
can infiltrate and misinform the electronic information on which advisory weaponry and other machines depend, considerable warfighting advantage could be
gained. I do not intend to join Clausewitz in his disdain for intelligence, but I will argue that in strategic affairs, intelligence usually is somewhat uncertain. 59
Detailed up-to-date intelligence literally is essential for successful cyber offense, but it can be healthily sobering to appreciate that the strategic rewards of
intelligence often are considerably exaggerated. The basic reason is not hard to recognize. Strategic success is a complex endeavor that requires adequate performances by many necessary contributors at every level of conflict (from the political to the tactical). ¶ When thoroughly reliable intelligence on the enemy is in
short supply, which usually is the case, the strategist finds ways to compensate as best he or she can. The IT-led RMA of the past 2 decades was fueled in part by the
prospect of a quality of military effectiveness that was believed to flow from “dominant battle space knowledge,” to deploy a familiar concept. 60 While there is
much to be said in praise of this idea, it is not unreasonable to ask why it has been that our ever-improving battle space knowledge has been compatible with so
troubled a course of events in the 2000s in Iraq and Afghanistan. What we might have misunderstood is not the value of knowledge, or of the information from
which knowledge is quarried, or even the merit in the IT that passed information and knowledge around. Instead, we may well have failed to grasp and grip
understanding of the whole context of war and strategy for which battle space knowledge unquestionably is vital. One must say “vital” rather than strictly essential,
because relatively ignorant armies can and have fought and won despite their ignorance. History requires only that one’s net strategic performance is superior to
that of the enemy. One is not required to be deeply well informed about the enemy. It is historically quite commonplace for armies to fight in a condition of more-than-marginal reciprocal and strategic cultural ignorance. Intelligence is king in electronic warfare, but such warfare is unlikely to be solely, or even close to solely,
sovereign in war and its warfare, considered overall as they should be. ¶ 4. Why the sky will not fall. More accurately, one should say that the sky will not fall because of hostile action against us in cyberspace unless we are improbably careless and foolish. David J. Betz and Tim Stevens
strike the right note when they conclude that “[i]f cyberspace is not quite the hoped-for Garden of Eden, it is also not quite the pestilential swamp of the
imagination of the cyber-alarmists.” 61 Our understanding of cyber is high at the technical and tactical level, but remains distinctly rudimentary as one ascends
through operations to the more rarified altitudes of strategy and policy. Nonetheless,
our scientific, technological, and tactical
knowledge and understanding clearly indicates that the sky is not falling and is unlikely to fall in
the future as a result of hostile cyber action. This analysis has weighed the more technical and tactical
literature on cyber and concludes, not simply on balance, that cyber alarmism has little basis save in the
imagination of the alarmists. There is military and civil peril in the hostile use of cyber, which is why we must take cyber security seriously, even to the point of
buying redundant capabilities for a range of command and control systems. 62 So seriously should we regard cyber danger that it is only prudent to assume that
we will be the target for hostile cyber action in future conflicts, and that some of that action will promote disruption and uncertainty in the damage it will cause.¶
That granted, this analysis recommends strongly that the U.S. Army, and indeed the whole of the U.S. Government, should strive to comprehend cyber in context.
Approached in isolation as a new technology, it is not unduly hard to be over impressed with its potential both for good and harm. But if we see networked
computing as just the latest RMA in an episodic succession of revolutionary changes in the way information is packaged and communicated, the computer-led IT
revolution is set where it belongs, in historical context. In modern strategic history, there has been only one truly game-changing basket of technologies, those
pertaining to the creation and delivery of nuclear weapons. Everything else has altered the tools with which conflict has been supported and waged, but has not
changed the game. The nuclear revolution alone raised still-unanswered questions about the viability of interstate armed conflict. However, it would be accurate
to claim that since 1945, methods have been found to pursue fairly traditional political ends in ways that accommodate nonuse of nuclear means, notwithstanding
the permanent presence of those means.¶ The light cast by general strategic theory reveals what requires revealing strategically about networked computers.
Once one sheds some of the sheer wonder at the seeming miracle of cyber’s ubiquity, instantaneity, and (near) anonymity, one realizes that cyber is just another
operational domain, though certainly one very different from the others in its nonphysicality in direct agency. Having placed cyber where it belongs, as a domain
of war, next it is essential to recognize that its nonphysicality compels that cyber should be treated as an enabler of joint action, rather than as an agent of military
action capable of behaving independently for useful coercive strategic effect. There
are stand-alone possibilities for cyber action,
but they are not convincing as attractive options either for or in opposition to a great power, let alone a
superpower. No matter how intriguing the scenario design for cyber war strictly or for cyber warfare,
the logic of grand and military strategy and a common sense fueled by understanding of the course of
strategic history, require one so to contextualize cyber war that its independence is seen as too close to
absurd to merit much concern.
No risk or impact related to cyberterror
Bicchierai 2015 [ LORENZO FRANCESCHI - staff writer at VICE Motherboard in Brooklyn, New York,
where he covers hacking, information security, and digital rights. “The 'ISIS Cyberwar' Hype Machine Is
Doing More Harm Than Good”, MotherBoard,]
Yet, that didn’t stop a new round of breathless hype. On Sunday, The Hill wrote that ISIS was preparing
for “cyberwar” and an “all-out cyber crusade.” Looks like ISIS wannabes successfully hacked the media
once again. “Toss out a shitty video that claims that you do things that you’re not—doesn’t matter, we’ll
still overreact,” Peter W. Singer, an author and well-known expert in cybersecurity, told Motherboard.
Instead of responding with a “keep calm and carry on” attitude “we lose our shit.” That being said, it’s
worth pointing out that ISIS could do real damage by doing espionage online, monitoring and tracking
down dissidents who live in ISIS-controlled territories. That might have already happened. Last
November someone targeted a Syrian citizen media group known as Raqqa Is Being Slaughtered Silently
(RSS), which documents human rights crimes in Raqqa, the self-proclaimed capital of the ISIS caliphate.
To date, however, there hasn’t been a case of actual cyberterrorism—an act targeting computers
systems that result in physical violence, as the FBI defines it. In fact, squirrels have been way more
damaging to US critical infrastructure than cyberterrorists. Singer criticized the article, which he said
is good for a “cyber laugh.” But jokes apart, Singer warned that hyping ISIS hacking abilities rewards the
group with useful attention that it can turn into recruiting power. Instead of responding with a “keep
calm and carry on” attitude, Singer added, “we lose our shit.” This encourages and incentivizes ISIS to
keep attacking, or at least claim attacks—something that doesn’t help anyone. Robert M. Lee, an active
duty Air Force cyber warfare operations officer, agreed with Singer, and dismissed the hype on Twitter.
“Terrorist groups will continue to use the internet to spread their message and perform hacktivist-type
acts but nothing of significant damage,” he wrote. “Performing significant damage requires more than
just internet connected devices. It requires advanced logistical support and expertise.” “Describing
savvy use of social media as cyberwar is akin to describing Miley Cyrus as the Clausewitz of
cyberwar.” In other words, being good at social media, as ISIS is, doesn’t mean you’ll be a good hacker.
The truth, as we reported before, is that all the cyberattacks attributed to ISIS in the recent past have
been unsophisticated attacks carried out by what looks like online fanboys not at all affiliated with the
group. As Singer put it, “it’s either sympathizers or people doing it for shits and giggles.” As Singer
explained in 2012, “cyberterrorism” is overhyped, just like our obsessive fear of sharks. As he put it, we
are “15,000 times more likely to be hurt or killed by an accident involving a toilet,” yet Discovery
Channel has Shark Week and not Toilet Week.
No cyber impact
Jason Healey 2013, Director of the Cyber Statecraft Initiative at the Atlantic Council, "No,
Cyberwarfare Isn't as Dangerous as Nuclear War", 3/20, www.usnews.com/opinion/blogs/worldreport/2013/03/20/cyber-attacks-not-yet-an-existential-threat-to-the-us
America does not face an existential cyberthreat today, despite recent warnings. Our cybervulnerabilities are undoubtedly grave and the threats we face are severe but far from comparable to nuclear war. ¶
The most recent alarms come in a Defense Science Board report on how to make military cybersystems more resilient against advanced threats (in short, Russia or
China). It warned that the "cyber threat is serious, with potential consequences similar in some ways to the nuclear threat of the Cold War." Such fears were also
expressed by Adm. Mike Mullen, then chairman of the Joint Chiefs of Staff, in 2011. He called cyber "The single biggest existential threat that's out there" because
"cyber actually more than theoretically, can attack our infrastructure, our financial systems." ¶
While it is true that cyber attacks might do these things, it is also true they have not only never happened but are far more difficult to accomplish than mainstream thinking believes. The consequences from cyber threats may be similar in some ways
to nuclear, as the Science Board concluded, but mostly, they are incredibly dissimilar. ¶ Eighty years ago, the generals of the U.S. Army Air Corps were sure that their
bombers would easily topple other countries and cause their populations to panic, claims which did not stand up to reality.
A study of the 25-
year history of cyber conflict, by the Atlantic Council and Cyber Conflict Studies Association, has shown a similar dynamic
where the impact of disruptive cyberattacks has been consistently overestimated. ¶ Rather than
theorizing about future cyberwars or extrapolating from today's concerns, the history of cyberconflict that have actually been fought, shows that cyber incidents have so far tended to have effects that are either widespread but fleeting or persistent but narrowly focused. No attacks, so far, have been both widespread and persistent. There have been no authenticated cases of anyone dying from a cyber attack. Any widespread disruptions, even the 2007 disruption against Estonia, have been short-lived causing no significant GDP loss. ¶ Moreover, as with conflict in other domains, cyberattacks can take down
many targets but keeping them down over time in the face of determined defenses has so far been out of the range of all but the most dangerous adversaries such
as Russia and China. Of course, if the United States is in a conflict with those nations, cyber will be the least important of the existential threats policymakers should
be worrying about.
Plutonium trumps bytes in a shooting war.¶ This is not all good news. Policymakers have recognized
the problems since at least 1998 with little significant progress. Worse, the threats and vulnerabilities are getting steadily more worrying.
Still, experts have been warning of a cyber Pearl Harbor for 20 of the 70 years since the actual Pearl Harbor. ¶ The transfer of U.S. trade secrets through Chinese cyber espionage could someday accumulate into an
existential threat. But it doesn't seem so just yet, with only handwaving estimates of annual losses of
0.1 to 0.5 percent to the total U.S. GDP of around $15 trillion. That's bad, but it doesn't add up to an existential crisis or "economic cyberwar."
Cyber threats are exaggerated hype – alarmist rhetoric and won’t escalate
Thomas Rid, 2012 reader in war studies at King's College London, is author of "Cyber War Will Not
Take Place" and co-author of "Cyber-Weapons.", March/April 2012, “Think Again: Cyberwar”,
http://www.foreignpolicy.com/articles/2012/02/27/cyberwar?page=full
"Cyberwar Is Already Upon Us." No way. "Cyberwar is coming!" John Arquilla and David Ronfeldt
predicted in a celebrated Rand paper back in 1993. Since then, it seems to have arrived -- at least by the
account of the U.S. military establishment, which is busy competing over who should get what share of
the fight. Cyberspace is "a domain in which the Air Force flies and fights," Air Force Secretary Michael
Wynne claimed in 2006. By 2012, William J. Lynn III, the deputy defense secretary at the time, was
writing that cyberwar is "just as critical to military operations as land, sea, air, and space." In January,
the Defense Department vowed to equip the U.S. armed forces for "conducting a combined arms
campaign across all domains -- land, air, maritime, space, and cyberspace." Meanwhile, growing piles of
books and articles explore the threats of cyberwarfare, cyberterrorism, and how to survive them. Time
for a reality check: Cyberwar is still more hype than hazard. Consider the definition of an act of war: It
has to be potentially violent, it has to be purposeful, and it has to be political. The cyberattacks we've
seen so far, from Estonia to the Stuxnet virus, simply don't meet these criteria. Take the dubious story of
a Soviet pipeline explosion back in 1982, much cited by cyberwar's true believers as the most destructive
cyberattack ever. The account goes like this: In June 1982, a Siberian pipeline that the CIA had virtually
booby-trapped with a so-called "logic bomb" exploded in a monumental fireball that could be seen from
space. The U.S. Air Force estimated the explosion at 3 kilotons, equivalent to a small nuclear device.
Targeting a Soviet pipeline linking gas fields in Siberia to European markets, the operation sabotaged the
pipeline's control systems with software from a Canadian firm that the CIA had doctored with malicious
code. No one died, according to Thomas Reed, a U.S. National Security Council aide at the time who
revealed the incident in his 2004 book, At the Abyss; the only harm came to the Soviet economy. But did
it really happen? After Reed's account came out, Vasily Pchelintsev, a former KGB head of the Tyumen
region, where the alleged explosion supposedly took place, denied the story. There are also no media
reports from 1982 that confirm such an explosion, though accidents and pipeline explosions in the
Soviet Union were regularly reported in the early 1980s. Something likely did happen, but Reed's book is
the only public mention of the incident and his account relied on a single document. Even after the CIA
declassified a redacted version of Reed's source, a note on the so-called Farewell Dossier that describes
the effort to provide the Soviet Union with defective technology, the agency did not confirm that such
an explosion occurred. The available evidence on the Siberian pipeline blast is so thin that it shouldn't be
counted as a proven case of a successful cyberattack. Most other commonly cited cases of cyberwar are
even less remarkable. Take the attacks on Estonia in April 2007, which came in response to the
controversial relocation of a Soviet war memorial, the Bronze Soldier. The well-wired country found
itself at the receiving end of a massive distributed denial-of-service attack that emanated from up to
85,000 hijacked computers and lasted three weeks. The attacks reached a peak on May 9, when 58
Estonian websites were attacked at once and the online services of Estonia's largest bank were taken
down. "What's the difference between a blockade of harbors or airports of sovereign states and the
blockade of government institutions and newspaper websites?" asked Estonian Prime Minister Andrus
Ansip. Despite his analogies, the attack was no act of war. It was certainly a nuisance and an emotional
strike on the country, but the bank's actual network was not even penetrated; it went down for 90
minutes one day and two hours the next. The attack was not violent, it wasn't purposefully aimed at
changing Estonia's behavior, and no political entity took credit for it. The same is true for the vast
majority of cyberattacks on record. Indeed, there is no known cyberattack that has caused the loss of
human life. No cyberoffense has ever injured a person or damaged a building. And if an act is not at least
potentially violent, it's not an act of war. Separating war from physical violence makes it a metaphorical
notion; it would mean that there is no way to distinguish between World War II, say, and the "wars" on
obesity and cancer. Yet those ailments, unlike past examples of cyber "war," actually do kill people. "A
Digital Pearl Harbor Is Only a Matter of Time." Keep waiting. U.S. Defense Secretary Leon Panetta
delivered a stark warning last summer: "We could face a cyberattack that could be the equivalent of
Pearl Harbor." Such alarmist predictions have been ricocheting inside the Beltway for the past two
decades, and some scaremongers have even upped the ante by raising the alarm about a cyber 9/11. In
his 2010 book, Cyber War, former White House counterterrorism czar Richard Clarke invokes the specter
of nationwide power blackouts, planes falling out of the sky, trains derailing, refineries burning,
pipelines exploding, poisonous gas clouds wafting, and satellites spinning out of orbit -- events that
would make the 2001 attacks pale in comparison. But the empirical record is less hair-raising, even by
the standards of the most drastic example available. Gen. Keith Alexander, head of U.S. Cyber Command
(established in 2010 and now boasting a budget of more than $3 billion), shared his worst fears in an
April 2011 speech at the University of Rhode Island: "What I'm concerned about are destructive
attacks," Alexander said, "those that are coming." He then invoked a remarkable accident at Russia's
Sayano-Shushenskaya hydroelectric plant to highlight the kind of damage a cyberattack might be able to
cause. Shortly after midnight on Aug. 17, 2009, a 900-ton turbine was ripped out of its seat by a so-called "water hammer," a sudden surge in water pressure that then caused a transformer explosion. The
turbine's unusually high vibrations had worn down the bolts that kept its cover in place, and an offline
sensor failed to detect the malfunction. Seventy-five people died in the accident, energy prices in Russia
rose, and rebuilding the plant is slated to cost $1.3 billion. Tough luck for the Russians, but here's what
the head of Cyber Command didn't say: The ill-fated turbine had been malfunctioning for some time,
and the plant's management was notoriously poor. On top of that, the key event that ultimately
triggered the catastrophe seems to have been a fire at Bratsk power station, about 500 miles away.
Because the energy supply from Bratsk dropped, authorities remotely increased the burden on the
Sayano-Shushenskaya plant. The sudden spike overwhelmed the turbine, which was two months shy of
reaching the end of its 30-year life cycle, sparking the catastrophe. If anything, the Sayano-Shushenskaya
incident highlights how difficult a devastating attack would be to mount. The plant's washout was an
accident at the end of a complicated and unique chain of events. Anticipating such vulnerabilities in
advance is extraordinarily difficult even for insiders; creating comparable coincidences from cyberspace
would be a daunting challenge at best for outsiders. If this is the most drastic incident Cyber Command
can conjure up, perhaps it's time for everyone to take a deep breath. "Cyberattacks Are Becoming
Easier." Just the opposite. U.S. Director of National Intelligence James R. Clapper warned last year that
the volume of malicious software on American networks had more than tripled since 2009 and that
more than 60,000 pieces of malware are now discovered every day. The United States, he said, is
undergoing "a phenomenon known as 'convergence,' which amplifies the opportunity for disruptive
cyberattacks, including against physical infrastructures." ("Digital convergence" is a snazzy term for a
simple thing: more and more devices able to talk to each other, and formerly separate industries and
activities able to work together.) Just because there's more malware, however, doesn't mean that
attacks are becoming easier. In fact, potentially damaging or life-threatening cyberattacks should be
more difficult to pull off. Why? Sensitive systems generally have built-in redundancy and safety systems,
meaning an attacker's likely objective will not be to shut down a system, since merely forcing the
shutdown of one control system, say a power plant, could trigger a backup and cause operators to start
looking for the bug. To work as an effective weapon, malware would have to influence an active process
-- but not bring it to a screeching halt. If the malicious activity extends over a lengthy period, it has to
remain stealthy. That's a more difficult trick than hitting the virtual off-button. Take Stuxnet, the worm
that sabotaged Iran's nuclear program in 2010. It didn't just crudely shut down the centrifuges at the
Natanz nuclear facility; rather, the worm subtly manipulated the system. Stuxnet stealthily infiltrated
the plant's networks, then hopped onto the protected control systems, intercepted input values from
sensors, recorded these data, and then provided the legitimate controller code with pre-recorded fake
input signals, according to researchers who have studied the worm. Its objective was not just to fool
operators in a control room, but also to circumvent digital safety and monitoring systems so it could
secretly manipulate the actual processes. Building and deploying Stuxnet required extremely detailed
intelligence about the systems it was supposed to compromise, and the same will be true for other
dangerous cyberweapons. Yes, "convergence," standardization, and sloppy defense of control-systems
software could increase the risk of generic attacks, but the same trend has also caused defenses against
the most coveted targets to improve steadily and has made reprogramming highly specific installations
on legacy systems more complex, not less.
Many barriers to a cyber-attack
Martin Libicki, October 2014, A Dangerous World? Threat Perceptions and US National Security, ed.
Christopher Peeble & John Mueller, Martin Libicki is a senior management scientist at the RAND
Corporation, where his research focuses on the effects of information technology on domestic and
national security. He is the author of several books, including Conquest in Cyberspace: National Security
and Information Warfare and Information Technology Standards: Quest for the Common Byte. He has
also written two cyberwar monographs: Cyberwar and Cyberdeterrence and Crisis and Escalation in
Cyberspace. Prior to joining RAND, Libicki was a senior fellow at the National Defense University, page #
at end of card
An attack as large as posited would be unprecedented. No comparable major cyberattack has occurred
since the Internet became accessible to the world’s public 20 years ago. Although prior absence is no
proof that it will never happen, it may be premature to declare a major attack inevitable. All the trend
lines— good and bad— are rising at the same time: (a) the sophistication of attackers and defenders; (b)
the salience of cyberattack as a weapon, but also the rising sensitivity to the prospect that such attacks
are possible and must be countered; (c) the bandwidth available for organizing a flooding attack, but
also to ward it off; and (d) the complexity of operational software (which increases the number of places
where vulnerabilities can be found), but also the complexity of security software and systems (which
deepens the number of levels an attack must overcome to succeed). (2014-10-14). A Dangerous
World? Threat Perception and U.S. National Security (Kindle Locations 2518-2524). Cato Institute. Kindle
Edition.
No impact to a cyber-attack
Brandon Valeriano and Ryan Maness 11/21/12, Lecturer in Social and Political Sciences at the
University of Glasgow AND Ph.D. candidate at the University of Illinois at Chicago, "The Fog of
Cyberwar," Foreign Affairs, www.foreignaffairs.com/articles/138443/brandon-valeriano-and-ryanmaness/the-fog-of-cyberwar?page=show
Some cyberattacks over the past decade have briefly affected state strategic plans, but none has resulted
in death or lasting damage. For example, the 2007 cyberattacks on Estonia by Russia shut down networks and government websites
and disrupted commerce for a few days, but things swiftly went back to normal. The majority of cyberattacks worldwide have
been minor: easily corrected annoyances such as website defacements or basic data theft -- basically the
least a state can do when challenged diplomatically.¶ Our research shows that although warnings about
cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match
popular perception. Only 20 of 124 active rivals -- defined as the most conflict-prone pairs of states in the system -- engaged in cyberconflict between 2001 and 2011. And there were only 95 total cyberattacks among
these 20 rivals. The number of observed attacks pales in comparison to other ongoing threats: a state is
600 times more likely to be the target of a terrorist attack than a cyberattack. We used a severity score
ranging from five, which is minimal damage, to one, where death occurs as a direct result from
cyberwarfare. Of all 95 cyberattacks in our analysis, the highest score -- that of Stuxnet and Flame -- was only a three.
It's just alarmist rhetoric
Jerry Brito (senior research fellow at the Mercatus Center and directs the Technology Policy Program at
George Mason University) and Tate Watkins (research associate for the Technology Policy Program
and the State and Local Policy Project at George Mason University) April 26, 2011 “Loving the Cyber
Bomb? The Dangers of Threat Inflation in Cybersecurity Policy”
http://mercatus.org/sites/default/files/publication/WP1124_Loving_cyber_bomb.pdf
Cybersecurity is an important policy issue, but the alarmist rhetoric coming out of Washington that
focuses on worst-case scenarios is unhelpful and dangerous. Aspects of current cyber policy
discourse parallel the run-up to the Iraq War and pose the same dangers. Pre-war threat inflation and
conflation of threats led us into war on shaky evidence. By focusing on doomsday scenarios and
conflating cyber threats, government officials threaten to legislate, regulate, or spend in the name of
cybersecurity based largely on fear, misplaced rhetoric, conflated threats, and credulous reporting. The
public should have access to classified evidence of cyber threats, and further examination of the risks
posed by those threats, before sound policies can be proposed, let alone enacted. Furthermore, we
cannot ignore parallels between the military-industrial complex and the burgeoning
cybersecurity industry. As President Eisenhower noted, we must have checks and balances on the
close relationships between parties in government, defense, and industry. Relationships between these
parties and their potential conflicts of interest must be considered when weighing cybersecurity policy
recommendations and proposals. Before enacting policy in response to cyber threats,
policymakers should consider a few things. First, they should end the cyber rhetoric. The
alarmist rhetoric currently dominating the policy discourse is unhelpful and potentially
dangerous. Next, they should declassify evidence relating to cyber threats. Overclassification is a widely
acknowledged problem, and declassification would allow the public to verify before trusting blindly.
They must also disentangle the disparate cyber threats so that they can determine who is best suited to
address which threats. In cases of cyber crime and cyber espionage, for instance, private network
owners may be best suited and may have the best incentive to protect their own valuable data,
information, and reputations. After disentangling threats, policymakers can then assess whether a
market failure or systemic problem exists when it comes to addressing each threat. Finally, they can
estimate the costs and benefits of regulation and its alternatives and determine the most effective and
efficient way to address disparate cyber threats.
No impact – effects of cyber-attacks are just temporary pinpricks to the system
Erik Gartzke is Professor of Government at the University of Essex and Associate Professor of Political
Science at the University of California San Diego (“The Foreign Policy Essay: Erik Gartzke on “Fear and
War in Cyberspace”” 12/1, http://www.lawfareblog.com/2013/12/foreign-policy-essay-erik-gartzke-onfear-and-war-in-cyberspace/)
Should we fear cyberspace? The internet is said to be a revolutionary leveler, reducing the hard won
military advantages of western powers, even as the dependence of developed nations on computer
networks leaves them vulnerable to attack. Incidents like the Stuxnet worm and cyber attacks against
U.S. government computers, apparently launched from servers in China, seem to testify to the need for
concern. Yet, even if these details are correct—and some are not—there is no reason to believe that
the internet constitutes an Achilles heel for the existing world order. To the contrary, cyberwar
promises major advantages for status quo powers like the United States.
Contrasting a Logic of Possibilities with a Logic of Consequences
The ability to harm is ubiquitous. Anyone passing on the street could just punch you in the face. Still,
violence is relatively rare in large part because little is typically gained from most potential uses of force.
Perpetrators must ask not just “what harm can I inflict?” but “how can I benefit by inflicting harm?” In
short, cyberwar requires a logic of consequences. Just as a morbid fear of being sucker punched at
random may be misplaced, concern about cyberwar can be exaggerated if there is little to suggest how
internet aggression can be of benefit to potential perpetrators.
Efficacy separates the widespread potential for harm from actual aggression. Nations, groups and
persons threaten force to influence, compelling others to cooperate or deterring aggression. Violence is
also exercised to alter the balance of power. If the damage inflicted is temporary, however, then
aggression must be followed up with other actions, or an attack serves no purpose. Creating “a window
of opportunity” cannot matter unless one intends to exercise the opportunity.
Fighting on the Internet
In isolation, the internet is an inferior venue for achieving objectives traditionally associated with
military violence, particularly coercion. Traditional military capabilities are observable. Armies can be
seen standing near city gates. Missiles can be observed in firing positions ready to launch. Capability
coerces precisely because the effects of a contest can be anticipated. A city does not need to be
stormed for inhabitants to imagine the consequences of an attack. Cyber coercion is problematic
because capabilities are difficult to communicate without harming military potency. Targets cannot
assess credibility unless they are given access to details of a planned cyber attack, but attackers cannot
share this information with defenders without undermining their own attack. If instead a defender
accedes to unverified threats, then it will invite a multitude of false claims.
Harm threatened can compel if it is credible and does not weaken the exercise of force. Harm inflicted
can be used to threaten future harm, but only if the act of harming is a good indicator of future
effectiveness. This works pretty well with war elephants, infantry brigades or high speed penetrating
bombers, where capability is not determined by whether the enemy knows they exist. But again the
success of cyber aggression is unusually reliant on conditions of surprise and even an internet attacker
that has succeeded before can be tempted to bluff if bluffing will be believed.
The bigger issue, however, is that the effects of internet attacks are temporary. Unlike a rocket strike
on an oil refinery or demolition of critical elements of the transportation grid, cyber attacks generally
achieve “soft kills,” temporary incapacitation that can be reversed relatively quickly at moderate cost.
Unless it has a lasting effect on the balance of power, internet aggression serves either as an irritant, or
as an adjunct to other, more traditional, forms of coercion or force.
Imagine that some unspecified cyber attack disables communication or transportation nodes in a target
country. What then? While inconvenienced, the target will eventually get the lights back on and
vehicles running. The target will then attempt to retaliate. Permanent harm inflicted over the internet
can weaken an opponent and serve as a motive for aggression. Yet, harm inflicted over the internet, or
at Pearl Harbor for that matter, only benefits the attacker if it can extract concessions from the target,
or if the attack can be made to permanently weaken an opponent.
Considerable damage was done to the U.S. Pacific Fleet in the Pearl Harbor attack, but it failed to force
the United States to the bargaining table, a critical component of Japan’s grand strategy. Though Japan’s
leadership knew that total war with the United States would result in their defeat, they hoped for a
limited contest. Cyberwar with no follow-on strategy is much more foolish than the Japanese plan in
1941 to the degree that the effects of an attack can be repaired more quickly. Any attack over the
internet must either convert short-term advantages into long-term effects, or wager that the enemy will
accept defeat in cyberspace lying down. A cyber Pearl Harbor has no purpose unless it is accompanied
by a terrestrial attack precisely because the target is capable and is destined to respond to any serious
attack with a vigorous reprisal. If the target is unlikely to succumb to traditional forms of aggression,
then cyber attack makes very little sense, either.
Cyberwar Benefits the Strong
While many can imagine a cyber attack on the United States, few find it practical to speculate about
physical invasion of U.S. territory. Yet, short of invasion, all that can be achieved by cyber attack are the
kinds of pin pricks that anger and mobilize an enemy, rather than leading to concessions or defeat. It
is far less difficult to imagine powerful nations invading weaker states. It is thus as an adjunct to existing
capabilities that cyberwar is destined to prove most useful.
Cyberterror threats are exaggerated – too many vested interests for accurate
predictions
Jerry Brito (senior research fellow at the Mercatus Center and directs the Technology Policy Program at
George Mason University) and Tate Watkins (research associate for the Technology Policy Program
and the State and Local Policy Project at George Mason University) April 26, 2011 “Loving the Cyber
Bomb? The Dangers of Threat Inflation in Cybersecurity Policy”
http://mercatus.org/sites/default/files/publication/WP1124_Loving_cyber_bomb.pdf
An industrial complex reminiscent of the Cold War’s may be emerging in cybersecurity today.
Some serious threats may exist, but we have also seen evidence of threat inflation. Alarm raised
over potential cyber threats has led to a cyber industry build-up and political competition over
cyber pork. 1. Build-up In many cases, those now inflating the scope and probability of cyber threats
might well benefit from increased regulation and more government spending on information security.
Cybersecurity is a big and booming industry.163 The U.S. government is expected to spend $10.5
billion per year on information security by 2015, and analysts have estimated the worldwide market to
be as much as $140 billion per year.164 The Department of Defense has also said it is seeking more than
$3.2 billion in cybersecurity funding for 2012.16 In recent years, in addition to traditional information
security providers like McAfee, Symantec, and Checkpoint, defense contractors and consulting firms
have recognized lucrative opportunities in cybersecurity.166 To weather probable cuts on
traditional defense spending, and to take advantage of the growing market, these firms have positioned
themselves to compete with information security firms for government contracts.167 Lockheed
Martin, Boeing, L-3 Communications, SAIC, and BAE Systems have all launched cybersecurity business
divisions in recent years.168 Other traditional defense contractors, like Northrop Grumman, Raytheon,
and ManTech International, have also invested in information security products and services.169 Such
investments appear to have positioned defense firms well. In 2009, the top 10 information technology
federal contractors included Lockheed Martin, Boeing, Northrop Grumman, General Dynamics,
Raytheon, SAIC, L-3 Communications, and Booz Allen Hamilton.170 Traditional IT firms also see more
opportunities to profit from cybersecurity business in both the public and private sectors.171 Earlier this
year, a software security company executive noted “a very large rise in interest in spending on
computer security by the government.”172 And as one IT market analyst put it: “It’s a cyber war and
we’re fighting it. In order to fight it, you need to spend more money, and some of the core beneficiaries
of that trend will be the security software companies.”173 Some companies from diverse industries
have also combined forces in the cybersecurity buildup. In 2009, a combination of defense, security, and
tech companies, including Lockheed, McAfee, Symantec, Cisco, Dell, Hewlett-Packard, Intel, Juniper
Networks, and Microsoft, formed a cybersecurity technology alliance to study threats and innovate
solutions.174 IT lobbyists, too, have looked forward to cybersecurity budget increases, to the dismay
of at least one executive at a small tech firm, who claimed, “Money gets spent on the vendors who
spend millions lobbying Congress.”175 There are serious real online threats, and security firms,
government agencies, the military, and private companies clearly must invest to protect against such
threats. But as with the Cold War bomber and missile gap frenzies, we must be wary of parties
with vested interests exaggerating threats, leading to unjustified and superfluous defense spending in
the name of national security.
Don’t believe their impacts – the cyber-industrial complex ensures wild exaggeration
Jerry Brito (senior research fellow at the Mercatus Center and directs the Technology Policy Program at
George Mason University) and Tate Watkins (research associate for the Technology Policy Program
and the State and Local Policy Project at George Mason University) April 26, 2011 “Loving the Cyber
Bomb? The Dangers of Threat Inflation in Cybersecurity Policy”
http://mercatus.org/sites/default/files/publication/WP1124_Loving_cyber_bomb.pdf
The rhetoric of “cyber doom”2 employed by proponents of increased federal intervention,
however, lacks clear evidence of a serious threat that can be verified by the public. As a result,
the United States may be witnessing a bout of threat inflation similar to that seen in the
run-up to the Iraq War. Additionally, a cyber-industrial complex is emerging, much like the
military-industrial complex of the Cold War. This complex may serve to not only supply
cybersecurity solutions to the federal government, but to drum up demand for them as
well.
Even new cyberterror threats are exaggerated
Tom Espiner (writer for ZDnet) January 2011 “Cyber-war risk is exaggerated, says OECD study”
http://www.zdnet.co.uk/news/security/2011/01/17/cyber-war-risk-is-exaggerated-says-oecd-study40091451/
In a cyber-warfare report released on Monday, the OECD said that the risk of a catastrophic attack on
critical national systems has been exaggerated. The majority of cyberattacks are low level and cause
inconvenience rather than serious or long-term disruption, according to report co-author professor
Peter Sommer of the London School of Economics. "There are many scare stories, which, when you
test, don't actually pan out," Sommer said. "When you analyse malware, a lot is likely to be short
term, or fail." Sophisticated malware such as Stuxnet, which targets industrial control processes, is the
exception, not the norm, according to Sommer. Stuxnet used a number of zero-day vulnerabilities to
target programmable logic controllers in frequency converter drives used mainly to control motors in
uranium-enrichment facilities. Policy makers should be aware that a number of different cyber-events,
disasters or physical attacks could come together to create a "perfect storm", says the report. However,
a pure cyber-war would be unlikely to occur, with attacks on computer systems more likely to
be used in conjunction with other, physical types of attacks.
No motivation – terrorists perceive other methods as more worthwhile
Sandeep Bhardwaj (Research Officer, Institute of Peace and Conflict Studies) August 2008
“Cyberterrorism: Threat Exaggerated?”
http://www.ipcs.org/Terrorism_kashmirLevel2.jsp?action=showView&kValue=2675&subCatID=1014&status=article&mod=g
In conclusion, while the threat of cyber terrorism in terms of hacking, viruses and cyber attacks remains
real, it is less serious than it is perceived to be. For a terrorist, a simple cost-benefit analysis would
make clear that an IED, built with much less technical know-how, has a much larger impact than
bringing down government networks. However, a much more pertinent and significant threat which is
often ignored, is the help terrorists get from internet to make their operations easier, global and hence
more effective. The internet is a tool that can be used to increase productivity and this could well refer
to how much destruction can be caused in the world.
Cyberterror risk is exaggerated – but the really catastrophic attacks are impossible to
pull off
Peter Singer 2012 Director, 21st Century Defense Initiative, Senior Fellow, Foreign Policy, November
2012, “The Cyber Terror Bogeyman”, Brookings,
http://www.brookings.edu/research/articles/2012/11/cyber-terror-singer
About 31,300. That is roughly the number of magazine and journal articles written so far that discuss the
phenomenon of cyber terrorism. Zero. That is the number of people who have been hurt or killed by
cyber terrorism at the time this went to press. In many ways, cyber terrorism is like the Discovery Channel’s “Shark
Week,” when we obsess about shark attacks despite the fact that you are roughly 15,000 times more likely to be
hurt or killed in an accident involving a toilet. But by looking at how terror groups actually use the Internet, rather than fixating on nightmare scenarios, we can properly
prioritize and focus our efforts. Part of the problem is the way we talk about the issue. The FBI defines cyber terrorism as
a “premeditated, politically motivated attack against information, computer systems, computer
programs and data which results in violence against non-combatant targets by subnational groups or clandestine agents.” A key word there is
“violence,” yet many discussions sweep all sorts of nonviolent online mischief into the “terror” bin. Various
reports lump together everything from Defense Secretary Leon Panetta’s recent statements that a terror group might launch a “digital Pearl Harbor” to Stuxnet-like sabotage (ahem, committed by state forces) to hacktivism,
WikiLeaks and credit card fraud. As one congressional staffer put it,
the way we use a term like cyber terrorism “has as much clarity as
cybersecurity — that is, none at all.” Another part of the problem is that we often mix up our fears with
the actual state of affairs. Last year, Deputy Defense Secretary William Lynn, the Pentagon’s lead official
for cybersecurity, spoke to the top experts in the field at the RSA Conference in San Francisco. “It is possible for a
terrorist group to develop cyber-attack tools on their own or to buy them on the black market,” Lynn warned. “A couple dozen talented programmers wearing flip-flops and drinking Red Bull can do a lot of damage.” The
deputy defense secretary was conflating fear and reality, not just about what stimulant-drinking
programmers are actually hired to do, but also what is needed to pull off an attack that causes meaningful violence. The requirements go well
beyond finding top cyber experts. Taking down hydroelectric generators, or designing malware like
Stuxnet that causes nuclear centrifuges to spin out of sequence doesn’t just require the skills and means to get into a computer system. It’s also knowing what to do once you
are in. To cause true damage requires an understanding of the devices themselves and how they run,
the engineering and physics behind the target. The Stuxnet case, for example, involved not just cyber
experts well beyond a few wearing flip-flops, but also experts in areas that ranged from intelligence and
surveillance to nuclear physics to the engineering of a specific kind of Siemens-brand industrial
equipment. It also required expensive tests, not only of the software, but on working versions of the
target hardware as well. As George R. Lucas Jr., a professor at the U.S. Naval Academy, put it, conducting a truly mass-scale action using cyber
means “simply outstrips the intellectual, organizational and personnel capacities of even the most well-funded and well-organized terrorist organization, as well as those of even the most sophisticated international criminal enterprises.” Lucas said the threat of cyber
terrorism has been vastly overblown. “To be blunt, neither the 14-year-old hacker in your next-door neighbor’s upstairs
bedroom, nor the two- or three-person al-Qaida cell holed up in some apartment in Hamburg are going
to bring down the Glen Canyon and Hoover dams,” he said.
No cyber war
A Cyber war will never happen
Anna Leach 10/20/11, Author for The Journal of Strategic Studies, “killer cyberattacks won't happen”,
http://www.theregister.co.uk/2011/10/20/cyber_war_wont_be_real/
People worried about a cyber-war should calm down and stop worrying because it will never
happen, a war studies academic has said. In the paper Cyber War Will Not Take Place Dr Thomas Rid
confidently argues that hacking and computer viruses never actually kill people. An act of war must
have the potential to be lethal, says Dr Rid, of King's College London, writing in The Journal of Strategic
Studies, but hacking and cyber-attacks have much more in common with spying than, say, nuclear
bombs. He believes that although a "cyber war" conforms to the traditional definition of a two-sided
conflict, a lethal one will never take place. "The threat intuitively makes sense," Dr Rid says. "Almost
everybody has an iPhone, an email address and a Facebook account. We feel vulnerable to cyber-attack
every day. Cyber-war seems the logical next step." But worriers are misguided: Dr Rid states that to
constitute cyber-warfare an action must be a "potentially lethal, instrumental and political act of force,
conducted through the use of software". Yet, he says, no single cyber attack has ever been classed as
such and no single digital onslaught has ever constituted an act of war. He concludes: "Politically
motivated cyber-attacks are simply a more sophisticated version of activities that have always
occurred within warfare: sabotage, espionage and subversion." Wait for those deadly country-wide
digital infrastructure attacks, Dr Rid, just you wait.
No impact to cyber war/ won’t escalate
Fox 11—Assistant Editor, InnovationNewsDaily (Stuart, 2 July 2011, “Why Cyberwar Is Unlikely,”
http://www.securitynewsdaily.com/cyberwar-unlikely-deterrence-cyber-war-0931
In the two decades since cyberwar first became possible, there hasn't been a single event that politicians,
generals and security experts agree on as having passed the threshold for strategic cyberwar. In fact, the attacks
that have occurred have fallen so far short of a proper cyberwar that many have begun to doubt that
cyberwarfare is even possible. The reluctance to engage in strategic cyberwarfare stems mostly from the
uncertain results such a conflict would bring, the lack of motivation on the part of the possible
combatants and their shared inability to defend against counterattacks. Many of the systems that an aggressive
cyberattack would damage are actually as valuable to any potential attacker as they would be to the victim. The five countries
capable of large-scale cyberwar (Israel, the U.S., the U.K., Russia and China) have more to lose if a cyberwar were to
escalate into a shooting war than they would gain from a successful cyberattack. "The half-dozen countries that have cyber capability are
deterred from cyberwar because of the fear of the American response. Nobody wants this to spiral out of control," said
James Lewis, senior fellow and director of technology and public policy at the Center for Strategic and International
Studies in Washington, D.C. "The countries that are capable of doing this don't have a reason to," Lewis added.
"Chinese officials have said to me, 'Why would we bring down Wall Street when we own so much of it?'
They like money almost as much as we do." Big deterrent: retaliation Deterrence plays a major factor in
preventing cyberwar. Attacks across the Internet would favor the aggressor so heavily that no country has developed an effective
defense. Should one country initiate a cyberattack, the victim could quickly counter-attack, leaving both
countries equally degraded, Lewis told InnovationNewsDaily. Even if an attacker were to overcome his fear of
retaliation, the low rate of success would naturally give him pause. Any cyberattack would target the
types of complex systems that could collapse on their own, such as electrical systems or banking
networks. But experience gained in fixing day-to-day problems on those systems would allow the
engineers who maintain them to quickly undo damage caused by even the most complex cyberattack,
said George Smith, a senior fellow at Globalsecurity.org in Alexandria, Va. "You mean to tell me that the people who work
the electrical system 24 hours a day don't respond to problems? What prevents people from turning the
lights right back on?" Smith told SecurityNewsDaily. "And attacks on the financial system have always been a non-starter for me. I
mean, [in 2008] the financial system attacked the U.S.!"
Cyber war infeasible
Paul Clark, 2012 MA candidate – Intelligence Studies @ American Military University, senior analyst –
Chenega Federal Systems, 4/28/’12 (Paul, “The Risk of Disruption or Destruction of Critical U.S.
Infrastructure by an Offensive Cyber Attack,” American Military University)
The Department of Homeland Security worries that our critical infrastructure and key resources (CIKR)
may be exposed, both directly and indirectly, to multiple threats because of CIKR reliance on the global
cyber infrastructure, an infrastructure that is under routine cyberattack by a “spectrum of malicious
actors” (National Infrastructure Protection Plan 2009). CIKR in the extremely large and complex U.S.
economy spans multiple sectors including agricultural, finance and banking, dams and water resources,
public health and emergency services, military and defense, transportation and shipping, and energy
(National Infrastructure Protection Plan 2009). The disruption and destruction of public and private
infrastructure is part of warfare, without this infrastructure conflict cannot be sustained (Geers 2011).
Cyber-attacks are desirable because they are considered to be a relatively “low cost and long range”
weapon (Lewis 2010), but prior to the creation of Stuxnet, the first cyber-weapon, the ability to disrupt
and destroy critical infrastructure through cyber-attack was theoretical. The movement of an offensive
cyber-weapon from conceptual to actual has forced the United States to question whether offensive
cyber-attacks are a significant threat that are able to disrupt or destroy CIKR to the level that national
security is seriously degraded. It is important to understand the risk posed to national security by cyberattacks to ensure that government responses are appropriate to the threat and balance security with
privacy and civil liberty concerns. The risk posed to CIKR from cyber-attack can be evaluated by
measuring the threat from cyber-attack against the vulnerability of a CIKR target and the consequences
of CIKR disruption. As the only known cyber-weapon, Stuxnet has been thoroughly analyzed and used as
a model for predicting future cyber-weapons. The U.S. electrical grid, a key component in the CIKR
energy sector, is a target that has been analyzed for vulnerabilities and the consequences of disruption
predicted – the electrical grid has been used in multiple attack scenarios including a classified scenario
provided to the U.S. Congress in 2012 (Rohde 2012). Stuxnet will serve as the weapon and the U.S.
electrical grid will serve as the target in this risk analysis that concludes that there is a low risk of
disruption or destruction of critical infrastructure from an offensive cyber-weapon because of the
complexity of the attack path, the limited capability of non-state adversaries to develop cyber-weapons,
and the existence of multiple methods of mitigating the cyber-attacks. To evaluate the threat posed by a
Stuxnet-like cyber-weapon, the complexity of the weapon, the available attack vectors for the weapon,
and the resilience of the weapon must be understood. The complexity – how difficult and expensive it
was to create the weapon – identifies the relative cost and availability of the weapon; inexpensive and
simple to build will be more prevalent than expensive and difficult to build. Attack vectors are the
available methods of attack; the larger the number, the more severe the threat. For example, attack
vectors for a cyberweapon may be email attachments, peer-to-peer applications, websites, and infected
USB devices or compact discs. Finally, the resilience of the weapon determines its availability and affects
its usefulness. A useful weapon is one that is resistant to disruption (resilient) and is therefore available
and reliable. These concepts are seen in the AK-47 assault rifle – a simple, inexpensive, reliable and
effective weapon – and carry over to information technology structures (Weitz 2012). The evaluation of
Stuxnet identified malware that is “unusually complex and large” and required code written in
multiple languages (Chen 2010) in order to complete a variety of specific functions contained in a “vast
array” of components – it is one of the most complex threats ever analyzed by Symantec (Falliere,
Murchu and Chien 2011). To be successful, Stuxnet required a high level of technical knowledge across
multiple disciplines, a laboratory with the target equipment configured for testing, and a foreign
intelligence capability to collect information on the target network and attack vectors (Kerr, Rollins and
Theohary 2010). The malware also needed careful monitoring and maintenance because it could be
easily disrupted; as a result Stuxnet was developed with a high degree of configurability and was
upgraded multiple times in less than one year (Falliere, Murchu and Chien 2011). Once introduced into
the network, the cyber-weapon then had to utilize four known vulnerabilities and four unknown
vulnerabilities, known as zero-day exploits, in order to install itself and propagate across the target
network (Falliere, Murchu and Chien 2011). Zero-day exploits are incredibly difficult to find and fewer
than twelve out of the 12,000,000 pieces of malware discovered each year utilize zero-day exploits
and this rarity makes them valuable, zero-days can fetch $50,000 to $500,000 each on the black market
(Zetter 2011). The use of four rare exploits in a single piece of malware is “unprecedented” (Chen
2010). Along with the use of four unpublished exploits, Stuxnet also used the “first ever” programmable
logic controller rootkit, a Windows rootkit, antivirus evasion techniques, intricate process injection
routines, and other complex interfaces (Falliere, Murchu and Chien 2011) all wrapped up in “layers of
encryption like Russian nesting dolls” (Zetter 2011) – including custom encryption algorithms
(Karnouskos 2011). As the malware spread across the now-infected network it had to utilize additional
vulnerabilities in proprietary Siemens industrial control software (ICS) and hardware used to control the
equipment it was designed to sabotage. Some of these ICS vulnerabilities were published but some were
unknown and required such a high degree of inside knowledge that there was speculation that a
Siemens employee had been involved in the malware design (Kerr, Rollins and Theohary 2010). The
unprecedented technical complexity of the Stuxnet cyber-weapon, along with the extensive
technical and financial resources and foreign intelligence capabilities required for its development and
deployment, indicates that the malware was likely developed by a nation-state (Kerr, Rollins and
Theohary 2010). Stuxnet had very limited attack vectors. When a computer system is connected to the
public Internet a host of attack vectors are available to the cyber-attacker (Institute for Security
Technology Studies 2002). Web browser and browser plug-in vulnerabilities, cross-site scripting attacks,
compromised email attachments, peer-to-peer applications, operating system and other application
vulnerabilities are all vectors for the introduction of malware into an Internet-connected computer
system. Networks that are not connected to the public internet are “air gapped,” a technical
colloquialism to identify a physical separation between networks. Physical separation from the public
Internet is a common safeguard for sensitive networks including classified U.S. government networks. If
the target network is air gapped, infection can only occur through physical means – an infected disk or
USB device that must be physically introduced into a possibly access controlled environment and
connected to the air gapped network. The first step of the Stuxnet cyber-attack was to initially infect the
target networks, a difficult task given the probable disconnected and well secured nature of the Iranian
nuclear facilities. Stuxnet was introduced via a USB device to the target network, a method that suggests
that the attackers were familiar with the configuration of the network and knew it was not connected to
the public Internet (Chen 2010). This assessment is supported by two rare features in Stuxnet – having
all necessary functionality for industrial sabotage fully embedded in the malware executable along with
the ability to self-propagate and upgrade through a peer-to-peer method (Falliere, Murchu and Chien
2011). Developing an understanding of the target network configuration was a significant and
daunting task based on Symantec’s assessment that Stuxnet repeatedly targeted a total of five
different organizations over nearly one year (Falliere, Murchu and Chien 2011) with physical
introduction via USB drive being the only available attack vector. The final factor in assessing the threat
of a cyber-weapon is the resilience of the weapon. There are two primary factors that make Stuxnet
non-resilient: the complexity of the weapon and the complexity of the target. Stuxnet was highly
customized for sabotaging specific industrial systems (Karnouskos 2011) and needed a large number of
very complex components and routines in order to increase its chance of success (Falliere, Murchu and
Chien 2011). The malware required eight vulnerabilities in the Windows operating system to succeed
and therefore would have failed if those vulnerabilities had been properly patched; four of the eight
vulnerabilities were known to Microsoft and subject to elimination (Falliere, Murchu and Chien 2011).
Stuxnet also required that two drivers be installed and required two stolen security certificates for
installation (Falliere, Murchu and Chien 2011); driver installation would have failed if the stolen
certificates had been revoked and marked as invalid. Finally, the configuration of systems is ever-changing as components are upgraded or replaced. There is no guarantee that the network that was
mapped for vulnerabilities had not changed in the months, or years, it took to craft Stuxnet and
successfully infect the target network. Had specific components of the target hardware changed – the
targeted Siemens software or programmable logic controller – the attack would have failed. Threats are
less of a threat when identified; this is why zero-day exploits are so valuable. Stuxnet went to great
lengths to hide its existence from the target and utilized multiple rootkits, data manipulation routines,
and virus avoidance techniques to stay undetected. The malware’s actions occurred only in memory to
avoid leaving traces on disk, it masked its activities by running under legal programs, employed layers of
encryption and code obfuscation, and uninstalled itself after a set period of time, all efforts to avoid
detection because its authors knew that detection meant failure. As a result of the complexity of the
malware, the changeable nature of the target network, and the chance of discovery, Stuxnet is not a
resilient system. It is a fragile weapon that required an investment of time and money to constantly
monitor, reconfigure, test and deploy over the course of a year. There is concern, with Stuxnet
developed and available publicly, that the world is on the brink of a storm of highly sophisticated
Stuxnet-derived cyber-weapons which can be used by hackers, organized criminals and terrorists (Chen
2010). As former counterterrorism advisor Richard Clarke describes it, there is concern that the
technical brilliance of the United States “has created millions of potential monsters all over the world”
(Rosenbaum 2012). Hyperbole aside, technical knowledge spreads. The techniques behind cyber-attacks
are “constantly evolving and making use of lessons learned over time” (Institute for Security Technology
Studies 2002) and the publication of the Stuxnet code may make it easier to copy the weapon (Kerr,
Rollins and Theohary 2010). However, this is something of a zero-sum game because knowledge works
both ways and cyber-security techniques are also evolving, and “understanding attack techniques
more clearly is the first step toward increasing security” (Institute for Security Technology Studies 2002).
Vulnerabilities are discovered and patched, intrusion detection and malware signatures are expanded
and updated, and monitoring and analysis processes and methodologies are expanded and honed.
Once the element of surprise is lost, weapons and tactics are less useful, this is the core of the
argument that “uniquely surprising” stratagems like Stuxnet are single-use, like Pearl Harbor and the
Trojan Horse, the “very success [of these attacks] precludes their repetition” (Mueller 2012). This
paradigm has already been seen in the “son of Stuxnet” malware – named Duqu by its discoverers – that
is based on the same modular code platform that created Stuxnet (Ragan 2011). With the techniques
used by Stuxnet now known, other variants such as Duqu are being discovered and countered by
security researchers (Laboratory of Cryptography and System Security 2011). It is obvious that the effort
required to create, deploy, and maintain Stuxnet and its variants is massive and it is not clear that the
rewards are worth the risk and effort. Given the location of initial infection and the number of
infected systems in Iran (Falliere, Murchu and Chien 2011) it is believed that Iranian nuclear facilities
were the target of the Stuxnet weapon. A significant amount of money and effort was invested in
creating Stuxnet but yet the expected result – assuming that this was an attack that expected to damage
production – was minimal at best. Iran claimed that Stuxnet caused only minor damage, probably at the
Natanz enrichment facility, the Russian contractor Atomstroyeksport reported that no damage had
occurred at the Bushehr facility, and an unidentified “senior diplomat” suggested that Iran was forced to
shut down its centrifuge facility “for a few days” (Kerr, Rollins and Theohary 2010). Even the most
optimistic estimates believe that Iran’s nuclear enrichment program was only delayed by months, or
perhaps years (Rosenbaum 2012). The actual damage done by Stuxnet is not clear (Kerr, Rollins and
Theohary 2010) and the primary damage appears to be to a higher number than average replacement of
centrifuges at the Iran enrichment facility (Zetter 2011). Different targets may produce different results.
The Iranian nuclear facility was a difficult target with limited attack vectors because of its isolation from
the public Internet and restricted access to its facilities. What is the probability of a successful attack
against the U.S. electrical grid and what are the potential consequences should this critical infrastructure
be disrupted or destroyed? An attack against the electrical grid is a reasonable threat scenario since
power systems are “a high priority target for military and insurgents” and there has been a trend
towards utilizing commercial software and integrating utilities into the public Internet that has
“increased vulnerability across the board” (Lewis 2010). Yet the increased vulnerabilities are
mitigated by an increased detection and deterrent capability that has been “honed over many years
of practical application” now that power systems are using standard, rather than proprietary and
specialized, applications and components (Leita and Dacier 2012). The security of the electrical grid is
also enhanced by increased awareness after a smart-grid hacking demonstration in 2009 and the
identification of the Stuxnet malware in 2010; as a result the public and private sector are working
together in an “unprecedented effort” to establish robust security guidelines and cyber security
measures (Gohn and Wheelock 2010).
Their authors conflate threats
Paul Clark, MA candidate – Intelligence Studies @ American Military University, senior analyst –
Chenega Federal Systems, 2012
(Paul, “The Risk of Disruption or Destruction of Critical U.S. Infrastructure by an Offensive Cyber Attack,”
American Military University)
This increased focus on cyber-security has led to concern that the perceived risk is greater than the actual risk, a situation
that has resulted in an imbalance between security and privacy and civil liberties (American Civil Liberties Union 2012). In 1993 a Rand
Corporation paper predicted that “cyberwar is coming” and twenty years later the prediction is the same and
critics argue that cyber-war is “more hype than hazard” (Rid 2012). A review of high profile cyberattacks shows that,
with the exception of Stuxnet and the limited Israeli disruption of Syrian air defense networks, most cyberattacks are categorized as information theft, network compromise, or website defacement (Lewis 2012). Even the high
profile threat of an “Electronic Pearl Harbor” (Bronk 2009), despite being repeated by senior government
officials like U.S. Defense Secretary Leon Panetta (Rid 2012), has been found to be only a slight possibility
(Wilson 2005).
There is no doubt that cyber-security is important. Businesses recognize this importance and spent more than $80 billion on
computer network security in 2011 (Johnson 2012) and the federal government is expected to be spending $10.5 billion per year
by 2015 (Brito and Watkins 2012). This response is appropriate when data shows that the vast majority of cyber-attacks are
focused on espionage and the theft of intellectual property. It is not clear why senior government officials and corporate executives
focus on high-impact low-probability events and engage in “alarmist rhetoric” (Brito and Watkins 2011) that
skews the public perception of risk and creates an atmosphere of fear. The danger of an
inappropriate response in reaction to an inflated threat and prevalence of misinformation is exemplified by the
politicized intelligence that led to the invasion of Iraq in 2003 (Brito and Watkins 2011). Understanding how information on the
risk posed by cyber-attacks is poorly communicated and the public reaction to an increased perception of risk – fear – is important in identifying
when the perceived risk is greater than the actual risk; when risk is more hype than threat. Critics of current cyber-security policy believe that
threats are being conflated; this results in a threat appearing larger than it is (Brito and Watkins 2012). In essence, a
wide variety of cyber-activity – political and social activity, criminal activity for profit, espionage, and offensive cyber-attack – are treated as
presenting the same level of threat. There is a wide divide between easily mounted and easily defended denial of service
attacks on public websites and high-potential cyber-weapons capable of severely disrupting or destroying critical
infrastructure (Rid and McBurney 2012). The rise of automated tools that allow for low-level cyber-attacks to be
easily mounted has caused a significant increase in the number of cyber-attacks, a statistic often cited as
proof of increased risk, but qualified cyber-security organizations have discarded the number of cyberattacks as a metric and consider it to be meaningless
as a method of assessing the scope and effects of cyber-attacks (Wilson 2005). Without
differentiating between generic malicious software and highly specialized and targeted offensive cyberattacks, the risk of cyber-attacks on critical infrastructure systems like the electrical grid cannot be properly assessed.
The threshold for this impact is incredibly high – no chance of serious cyber war
Dr. James A. Lewis, senior fellow at CSIS where he writes on technology, national security and the
international economy, October 2009 “The “Korean” Cyber Attacks and Their Implications for Cyber
Conflict”
http://csis.org/files/publication/091023_Korean_Cyber_Attacks_and_Their_Implications_for_Cyber_Conflict.pdf
Only a few nations – Russia, China, Israel, France, the United States, and the United Kingdom, and
perhaps a small number of the most sophisticated cyber criminals – have the advanced capabilities
needed to launch a cyber attack that could do serious and long-term damage equivalent to sabotage
or bombing and thus rise to the level of an act of war. A sophisticated attack against infrastructure
requires planning, reconnaissance, resources and skills that are currently available only to these
advanced cyber attackers. As part of their larger military planning, these nations have likely planned to
launch such attacks in the event of a crisis.8 Such attacks are not yet within the scope of capabilities
possessed by most non-state hackers. Serious cyber attack independent of some larger conflict
is unlikely. To transpose cyber to the physical world, there are remarkably few instances of a
nation engaging in covert sabotage attacks against another nation (particularly larger powers)
unless they were seeking to provoke or if conflict was imminent. The political threshold for serious
cyber attack (as opposed to espionage) by a nation-state is very high, likely as high as the
threshold for conventional military action. At a minimum, this suggests that a serious cyber attack
is a precursor, a warning, that some more serious conflict is about to begin. Absent such larger
conflict, however, a nation-state is no more likely to launch a serious cyber attack than they are to
shoot a random missile at an opponent.9 The risk is too great and the benefits of a cyber attack by
itself too small for political leaders to authorize the use of this capability in anything short of a
situation where they had already decided on military action. Cyber weapons are not decisive; cyber
attack by itself will not win a conflict, particularly against a large and powerful opponent. It is
striking that to date, no cyber "attack" that rises above the level of espionage or crime has been
launched outside of a military conflict.
It’s literally impossible for terrorists to hack into and fire U.S. nuclear weapons
because they have no connection to any outside networks
Newman, Slate Reporter, 4-28-14
(Lily Hay, “Why U.S. Nuclear Missile Silos Rely on Decades-Old Technology,” accessed 3-14-15,
http://www.slate.com/blogs/future_tense/2014/04/28/huge_floppy_disks_and_other_old_tech_is_common_at_air_force_nuclear_missile.html)
You'd probably expect to encounter all sorts of crazy technology in a U.S. Air Force nuclear silo. One you might not expect: floppy disks.
Leslie Stahl of CBS's 60 Minutes reported from a Wyoming nuclear control center for a segment that aired on Sunday, and the Cold War-era
tech she found is pretty amazing. But it also makes sense. The government built facilities for the Minuteman missiles in the 1960s and
1970s, and though the missiles have been upgraded numerous times to make them safer and more reliable, the bases themselves haven't
changed much. And there isn't a lot of incentive to upgrade them. ICBM forces commander Maj. Gen. Jack Weinstein told Stahl that the
bases have extremely tight IT and cyber security, because they're not Internet-connected and they use
such old hardware and software. While on the base, missileers showed Stahl the 8-inch floppy disks they use as part of launch
commands for the missiles. Later, in an interview with Weinstein, Stahl described the disk she was shown as "gigantic," and said she had never
seen one that big. Weinstein explained, "Those older systems provide us some, I will say, huge safety, when it comes
to some cyber issues that we currently have in the world."
A2 Cyber-attack collapses economy
At most $1 billion in economic damage
Martin Libicki, October 2014, A Dangerous World? Threat Perceptions and US National Security, ed.
Christopher Peeble & John Mueller, Martin Libicki is a senior management scientist at the RAND
Corporation, where his research focuses on the effects of information technology on domestic and
national security. He is the author of several books, including Conquest in Cyberspace: National Security
and Information Warfare and Information Technology Standards: Quest for the Common Byte. He has
also written two cyberwar monographs: Cyberwar and Cyberdeterrence and Crisis and Escalation in
Cyberspace. Prior to joining RAND, Libicki was a senior fellow at the National Defense University, page #
at end of card
The immediate and direct damage from a major cyberattack can range from zero to tens of billions of
dollars (e.g., from a broad outage of electric power). Direct casualties would likely be few, and indirect
casualties may have to be inferred from guessing what would have happened if, say, emergency 911
service had not been taken down. In this essay’s scenario, total damage would likely be less than $1
billion. Indirect effects may be larger if a cyberattack causes a great loss of confidence—in the banking
system, for example, which could trigger a recession. But it is a stretch to argue that even a cyberattack
that stopped the banking system completely (much less the sort that merely prevented 24–7 access to a
bank’s website) would damage customers’ confidence that their bank accounts would maintain their
integrity. NASDAQ’s three-hour shutdown on August 22, 2013, for example, did not spark a wave of
selling. It would require data corruption (e.g., depositors’ accounts being zeroed out) rather than
temporary disruption, before an attack would likely cause depositors to question whether their deposits
are safe.
A2 Grid attacks
No long-term shut-down of the power grid
Martin Libicki, October 2014, A Dangerous World? Threat Perceptions and US National Security, ed.
Christopher Peeble & John Mueller, Martin Libicki is a senior management scientist at the RAND
Corporation, where his research focuses on the effects of information technology on domestic and
national security. He is the author of several books, including Conquest in Cyberspace: National Security
and Information Warfare and Information Technology Standards: Quest for the Common Byte. He has
also written two cyberwar monographs: Cyberwar and Cyberdeterrence and Crisis and Escalation in
Cyberspace. Prior to joining RAND, Libicki was a senior fellow at the National Defense University, page #
at end of card
Compared with terrorism involving conventional explosives, the ratio of death and destruction from
cyberattacks is likely to be several orders of magnitude lower; in that respect, 9/11 was an outlier
among terrorist attacks, with the March 11, 2004, Madrid attacks or the July 7, 2005, London attacks
being more typical. It is by no means clear what the worst plausible disaster emanating from cyberspace
might be (it is far clearer that it would not come from Iran, whose skills at cyberwarfare likely pale in
comparison with China’s, much less Russia’s). Doomsayers argue that a coordinated attack on the
national power grid that resulted in the loss of electric power for years would lead to widespread death
from disease (absent refrigeration of medications) and starvation (the preelectrified farm sector was far
less productive than today’s). But even if their characterization of the importance of electricity were not
exaggerated (it is), killing electric power for that long requires that equipment with lengthy repair times
(e.g., transformers, few of which are made here) be broken. (2014-10-14). A Dangerous World? Threat
Perception and U.S. National Security (Kindle Locations 2599-2604). Cato Institute. Kindle Edition.
Grid resilience means no impact and no attempt
Kaplan 07 (Eben–Associated Editor at the Council of Foreign Relations, “America’s Vulnerable Energy
Grid,” 4-27-2007, http://www.cfr.org/publication/13153/americas_vulnerable_energy_grid.html)
Attacks on infrastructure are an almost daily fact of life in Iraq. Experts caution the war in that country
will produce a whole generation of terrorists who have honed their skills sabotaging infrastructure. In
his recent book, The Edge of Disaster, CFR security expert Stephen E. Flynn cautions, “The terrorist skills
acquired are being catalogued and shared in Internet chat rooms.” But when it comes to Iraq’s electrical
grid, RAND economist Keith W. Crane says terrorists are not the main cause of disruptions: “Most of the
destruction of the control equipment was looting,” he says. Either way, Clark W. Gellings, vice president
of the Electric Power Research Institute, an industry research organization, thinks the U.S. grid is an
unlikely target. “It’s not terribly sensational,” he explains, “The system could overcome an attack in
hours, or at worst, days.” That said, attacks on electricity infrastructure could become common in future
warfare: The U.S. military has designed an entire class of weapons designed to disable power grids.
Terrorism DA Updates
Surveillance solves terrorism
Intelligence is the best way we have to prevent new terrorist attacks
Jason Howerton Jun. 10, 2013 7:00pm Here Is the Pro-NSA Surveillance Argument
http://www.theblaze.com/stories/2013/06/10/here-is-the-pro-nsa-surveillance-argument/
In his weekly column for the Washington Post, Marc A. Thiessen calls out critics who believe the NSA’s
surveillance is overreaching and reminiscent of George Orwell’s “1984.” “If the critics don’t think the
NSA should be collecting this information, perhaps they would like to explain just how they would have
us stop new terrorist attacks,” he writes. Thiessen goes on to point out the various ways that President
Barack Obama has stifled the federal government’s ability to gather intelligence. By his estimation,
without the ability to monitor the “enemy’s phone calls and Internet communications,” there would be
no effective way to protect the country. “Terrorists don’t have armies or navies we can track with
satellites. There are only three ways we can get information to prevent terrorist attacks: The first is
interrogation — getting the terrorists to tell us their plans. But thanks to Barack Obama, we don’t do
that anymore. The second is penetration, either by infiltrating agents into al-Qaeda or by recruiting
operatives from within the enemy’s ranks. This is incredibly hard — and it got much harder, thanks to
the leak exposing a double agent, recruited in London by British intelligence, who had penetrated al-Qaeda in the Arabian Peninsula and helped us break up a new underwear bomb plot in Yemen — forcing
the extraction of the agent. That leaves signals intelligence — monitoring the enemy’s phone calls and
Internet communications — as our principal source of intelligence to stop terrorist plots. Now the same
critics who demanded Obama end CIA interrogations are outraged that he is using signals intelligence to
track the terrorists. Well, without interrogations or signals intelligence, how exactly is he supposed to
protect the country?
Status quo internet surveillance prevents terrorism
Williams Janbek, Ph.D, and Valerie Williams 2014 Williams and Valerie, Spring/Summer Ed. The
Brown Journal of World Affairs, 20.2, “The Role of the Internet in post-9/11 Terrorism and
Counterterrorism,”
The way in which terrorists utilize the Internet has continuously evolved since 9/11. U.S. intelligence,
law enforcement, and security agencies have responded by significantly expanding their
counterterrorism workforce, conducting undercover operations, and increasing surveillance of
communications and online activity. Collaboration between these agencies has been vital to the nation's
counterterrorism efforts; information gathered by the National Security Agency (NSA)'s surveillance
technology is shared with the FBI for use in investigations.20 Though these strategies have arguably
stopped potential attacks on U.S. soil, media outlets have questioned the ethics behind undercover
operations and advanced surveillance technologies.¶ Due to varying motivations, levels of expertise, and
tactics of extremist groups and individuals, the FBI acknowledges terrorism as a complex threat. As a
response, the agency has increased its number of agents by 40 percent and now allocates approximately
half of its resources to counterterrorism and the remaining half to all other criminal activity.21 Between
2001 and 2011, the agency has almost tripled its intelligence analyst workforce.22 It has also increased
the number of Joint Terrorism Task Force (JTTF) partnerships from 35 to over 100.23 JTTF partnerships
exist between law enforcement agencies across the country that share essential information with each
other. These partnerships contribute resources, enhance operational capability, and significantly expand
the FBI's intelligence base. According to the FBI, "JTTFs have been instrumental in breaking up
cells...[and] they've foiled attacks on the Fort Dix Army base in New Jersey, on the JFK International
Airport in New York, and on various military and civilian targets in Los Angeles."24¶ In addition to
expanding its labor force, the FBI has adapted its investigative approach to more proactive, intelligence-led strategies to combat terrorist attacks. These strategies are specifically tailored to the targeted
suspect, requiring agents to utilize unique skill sets and language abilities for undercover operations. The
FBI implements a variety of undercover tactics on the Internet, at times creating terrorist-network
recruiting websites convincing enough to attract potential terrorists. When 18-year-old would-be
terrorist Abdella Ahmad Tounisi was searching the Internet for Jabhat al-Nusra, an al-Qaeda branch in
Syria, he found one of these sites. Created and maintained by the FBI, the page featured pictures and
videos of armed fighters in masks and fatigues intended to depict terrorist training.25 A section of the
site, titled "A Call for Jihad in Syria," urged visitors to "come and join your lion brothers of Jabhat Al-Nusra who are fighting under the true banner of Islam, come and join your brothers, the heroes of
Jabhat Al-Nusra."26 When Tounisi contacted the website's recruiter, who in reality was an FBI agent,
they exchanged email messages in which the teen divulged his detailed plan to engage in jihad in Syria.
As a result of this communication, the agency was able to arrest Tounisi in 2013 at Chicago's O'Hare
International Airport before his flight across seas. Tounisi was ultimately charged with attempting to
provide material support to a foreign terrorist organization and lying to federal authorities.¶ The FBI
utilizes specially trained undercover agents to befriend and earn the trust of domestic terror suspects
similar to Tounisi. This strategy allows agents to monitor terrorism plots in their beginning stages and
intercept forum posts and emails from individual suspects before they catch the attention of authentic
extremist organizations. For example, after posting violent messages on an online extremist forum,
teenaged Texas resident Hosam Maher Husein Smadi was befriended by an Arabic-speaking FBI agent
posing as a member of an al-Qaeda sleeper cell.27 Within months, Smadi and three undercover agents
devised a plot to bomb a 60-story corporate building in Dallas, Texas. On the last day of the sting
operation in 2009, Smadi attempted to detonate the fake bomb provided by the FBI and was
immediately arrested.¶ Once an agent befriends a targeted suspect, plans are developed and if
necessary, resources are provided at the target's request. Throughout this process, FBI agents attempt
to dissuade the suspect, offering him or her a chance to abandon the plan.28 If the individual is adamant
in completing the mission-at times seen in attempts to purchase weapons, to leave the country, or to
detonate an FBI-provided bomb-he or she is arrested and tried for the crime. This scenario is not
uncommon; there have been several cases of homegrown violent extremism fueled by extremist
websites, even in individuals as young as 14.29 In cases like these, the FBI asserts that if an individual is
susceptible to an undercover agent, he or she would be just as susceptible to an extremist group.30
Although sting operations have been used by law enforcement for decades, this process of befriending
and working with potential terrorists online has sparked an ethical debate. Furthermore, some have
questioned whether sting operations are the best use of counterterrorism resources. Some consider
these operations to be entrapment since the FBI partially devises the plan and provides money, fake
bombs, and even vehicles to suspects. In a recent New York Times article, author David Shipler
questioned the legitimacy of cultivating potential terrorists instead of finding real ones.31 Shipler
dismisses some terror suspects as "incompetent wannabes looking for a cause that the informer or
undercover agent skillfully helps them find."32¶ Cases like that of Hosam Smadi exemplify these
arguments; Smadi's defense team described him as a troubled youth who suffered from depression and
schizophrenia.33 According to the defense, Smadi was motivated by the undercover agents' praise and
companionship.34 Despite their efforts to portray him as a misguided victim of entrapment, Smadi was
charged in 2010 with one count of attempting to use a weapon of mass destruction and one count of
bombing a public place. He was sentenced to 24 years in prison and deportation upon release.
According to investigative journalist Trevor Aaronson, no terrorism defendant since 9/11 has won an
acquittal using entrapment as a defense.35 Collaborating with prosecutors, undercover operatives
determine strategies to prove the suspect's predisposition to committing the crime. Working together,
prosecutors and FBI employees document proof to use in court later.36 Though its ethical standards are
in question by the public, the FBI's strategies have been successful under legal standards.¶ Undercover
operations represent just one investigative technique for identifying terrorists and their networks. FBI
operatives also investigate activities of known terrorist organizations, interview locals, and monitor
foreign press for intelligence. These traditional, preventative policing techniques are employed in
collaboration with online data to compile evidence necessary to prosecute terrorists.37 Although
controversy surrounds the agency's sting operations, the FBI reports that it has removed more than 20
of al-Qaeda's top 30 leaders due to the FBI's improvements since 9/11.38 These changes hinder al-Qaeda's efforts in fundraising, recruiting, training, and planning attacks outside their local region. The
FBI also says that every major al-Qaeda affiliate has lost its key leader.39 Although these leaders can be
replaced, al-Qaeda is forced to use less experienced leaders, degrading their overall efficiency. The FBI
credits their achievements to their expansion in intelligence and access to digital records, due in part to
post-9/11 legislation.¶ Post-9/11 legislation, including the PATRIOT Act and the FISA (Foreign Intelligence
Surveillance Act of 1978) Amendments Act, enables the NSA to gain access to individuals' online activity,
employ advanced surveillance technology, and increase the use of National Security Letters. National
Security Letters, commonly used in counterterrorism investigations, enable agents to collect noncontent
consumer information including Internet records, telephone records, and credit reports from third party
service providers. Additionally, section 215 of the PATRIOT Act permits the FBI to seize anything tangible
from a person for investigations against international terrorism.40 Intelligence officials admit that "the
National Security Agency is searching the contents of vast amounts of Americans' email and text
communications into and out of the country" for mentions of foreign terrorist suspects under
surveillance.41 Relevant data collected by this surveillance is shared with the FBI and their JTTFs to aid
investigations.42
NSA surveillance programs disrupt cyber attacks.
Jim Michaels, USA TODAY 1:21 a.m. EDT June 13, 2013 NSA chief: Surveillance programs protect
Americans http://www.usatoday.com/story/news/politics/2013/06/12/alexander-nsa-cyber-snowden/2415217/
WASHINGTON — Gen. Keith Alexander, director of the National Security Agency, defended his agency
and surveillance programs, saying they help protect Americans. "I think what we're doing to protect
American citizens here is the right thing," Alexander told members of the Senate Appropriations
Committee. "We aren't trying to hide it." Alexander said he favors providing more transparency so the
public can learn more about the programs. "This is not us doing something under the covers," Alexander
said. Alexander also said NSA programs have led to the disruption of "dozens" of terrorist plots.
Alexander said he was pushing for declassifying as much as possible about the programs to improve
transparency, but he said those disclosures had to be weighed against potential damage to national
security.
Surveillance doesn’t prevent terrorism (general)
Surveillance does not prevent terrorism – claims to the contrary have been completely
discredited with evidence.
CINDY COHN AND NADIA KAYYALI JUNE 2, 2014 The Top 5 Claims That Defenders of the NSA Have
to Stop Making to Remain Credible https://www.eff.org/deeplinks/2014/06/top-5-claims-defenders-nsa-have-stop-making-remain-credible
The NSA has Stopped 54 Terrorist Attacks with Mass Spying The discredited claim NSA defenders have
thrown out many claims about how NSA surveillance has protected us from terrorists, including
repeatedly declaring that it has thwarted 54 plots. Rep. Mike Rogers says it often. Only weeks after the
first Snowden leak, US President Barack Obama claimed: “We know of at least 50 threats that have been
averted” because of the NSA’s spy powers. Former NSA Director Gen. Keith Alexander also repeatedly
claimed that those programs thwarted 54 different attacks. Others, including former Vice President Dick
Cheney have claimed that had the bulk spying programs in place, the government could have stopped
the 9/11 bombings, specifically noting that the government needed the program to locate Khalid al
Mihdhar, a hijacker who was living in San Diego. Why it’s not credible: These claims have been
thoroughly debunked. First, the claim that the information stopped 54 terrorist plots fell completely
apart. In dramatic Congressional testimony, Sen. Leahy forced a formal retraction from NSA Director
Alexander in October, 2013: "Would you agree that the 54 cases that keep getting cited by the
administration were not all plots, and of the 54, only 13 had some nexus to the U.S.?" Leahy said at the
hearing. "Would you agree with that, yes or no?" "Yes," Alexander replied, without elaborating. But that
didn’t stop the apologists. We keep hearing the “54 plots” line to this day. As for 9/11, sadly, the same is
true. The government did not need additional mass collection capabilities, like the mass phone records
programs, to find al Mihdhar in San Diego. As ProPublica noted, quoting Bob Graham, the former chair
of the Senate Intelligence Committee: U.S. intelligence agencies knew the identity of the hijacker in
question, Saudi national Khalid al Mihdhar, long before 9/11 and had the ability to find him, but they failed
to do so. "There were plenty of opportunities without having to rely on this metadata system for the FBI
and intelligence agencies to have located Mihdhar," says former Senator Bob Graham, the Florida
Democrat who extensively investigated 9/11 as chairman of the Senate’s intelligence committee.
Moreover, Peter Bergen and a team at the New America Foundation dug into the government’s claims
about plots in America, including studying over 225 individuals recruited by al Qaeda and similar groups
in the United States and charged with terrorism, and concluded: Our review of the government’s claims
about the role that NSA "bulk" surveillance of phone and email communications records has had in
keeping the United States safe from terrorism shows that these claims are overblown and even
misleading... When backed into a corner, the government’s apologists cite the capture of Zazi, the so-called New York subway bomber. However, in that case, the Associated Press reported that the
government could have easily stopped the plot without the NSA program, under authorities that comply
with the Constitution. Sens. Ron Wyden and Mark Udall have been saying this for a long time. Both of
the President’s hand-picked advisors on mass surveillance concur about the telephone records
collection. The President’s Review Board issued a report in which it stated “the information contributed
to terrorist investigations by the use of section 215 telephony meta-data was not essential to preventing
attacks,” The Privacy and Civil Liberties Oversight Board (PCLOB) also issued a report in which it stated,
“we have not identified a single instance involving a threat to the United States in which [bulk collection
under Section 215 of the Patriot Act] made a concrete difference in the outcome of a counterterrorism
investigation.” And in an amicus brief in EFF’s case First Unitarian Church of Los Angeles v. the NSA case,
Sens. Ron Wyden, Mark Udall, and Martin Heinrich stated that, while the administration has claimed
that bulk collection is necessary to prevent terrorism, they “have reviewed the bulk-collection program
extensively, and none of the claims appears to hold up to scrutiny.” Even former top NSA official John
Inglis admitted that the phone records program has not stopped any terrorist attacks aimed at the US
and at most, helped catch one guy who shipped about $8,000 to a Somalian group that the US has
designated as a terrorist group but that has never even remotely been involved in any attacks aimed at
the US.