Today's date:
Summer 2009

Cyberwar Is the New Atomic Age

Mike McConnell is one of America's top spymasters. He was Director of National Intelligence, the supreme authority over all US intelligence agencies, from Feb. 2007 to Jan. 2009, and director of the NSA (National Security Agency) from 1992 to 1996. He spoke with NPQ editor Nathan Gardels in Washington in June.

NPQ | As America designs a new defense posture for the 21st century—small wars and counterinsurgency instead of large deployments for land wars—where does cyberwar fit in?

Mike McConnell | These three will be critical in the future. We have to specialize for these new types of war, but we never want to give up the capability for a general purpose war. There has to be a balance. Let me focus, though, on cyber war.

Broadly, there are only two types of communication—wireless and wire. Most of the world has communicated through wireless means via high frequency signals, microwave and satellite lines or site signals for many years (except for undersea cables). Today, about 90 percent of all global communications goes through glass pipes —that is, optic fiber cables.

A wireless road is like a cowpath compared to the 6,000-lane highway of optic fiber wire. Different frequency light passes through glass strands the size of human hair to transmit information. We now have operational capacity for 100 gigabits—the equivalent of transmitting the entire contents of the Library of Congress every few hours through a single strand. When I was a young sailor at sea a few decades ago our transmission capacity was 75 baud—100 words a minute. Now it is measured in millions and billions of words a minute.

Scientists, technologists and entrepreneurs have now figured out how to interconnect all these stands—the Internet—for instantaneous contact around the globe.

With this system, one can transmit $100 million from a bank in Tokyo to New York City in a few seconds. That is the magnitude of change. Through this system, companies such as WalMart can manage their inventory on a just-in-time basis, ordering a new shipment of goods from a factory in rural China the moment supplies at a store in Indiana depletes beyond an established threshold. This drove costs down so far they could beat their competition to become the world's largest retailer through increased efficiency and reduced cost in their supply chain.

On the benefit side of all this, therefore, the cost of living has gone down, the standard of living has gone up and productivity has increased significantly, creating new goods, services and wealth.

But there is a negative side. A level of vulnerability has been introduced into our way of life that is unprecedented.

We now have a smaller connected globe where information can be moved in seconds, where information managed by computer networks—which run our utilities, our transportation, our banking and our communications—can be exploited or attacked in seconds from a remote location overseas. No flotilla of ships or intercontinental missiles or standing armies can defend against such remote attacks located well beyond our borders, indeed beyond physical space—in the digital ether of cyberspace.

NPQ | To what kind of threats are we vulnerable?

McConnell | There are different kinds of cyber-exploitation. Mostly what goes on is stealing information from others so that those who steal it have an information advantage. The vast majority of countries in the world today have cyber attack capabilities. Most of them are trying to understand what their neighbors, competitors or adversaries are doing.

Another type of attack is denial-of-service. If Russia wants to block the ability of Estonia or Georgia to communicate, they fill up the information space so nothing else can get through.

Neither of these is a real long-term threat to a country. The real threat is when someone is not deterred from getting access to information in order to destroy the data, the information. If information or data are destroyed, computer systems can cease to function.

Global banking illustrates the immense vulnerability to this kind of attack. There is no gold standard today. When money is transferred, there are no printed dollar bills changing hands. It is all an accounting system run by computers based on confidence and trust that the transactions will be completed, validated and reconciled in the global financial system. "Hello, New York, this is Tokyo. Transmitting $100 million. Transmitted. Received. Accounts reconciled." A few seconds' transaction.

What happens if someone who is not deterred attacks a large bank in New York and contaminates or destroys the data? Suddenly there is a level of uncertainty and loss of confidence. Without confidence that transactions are safe and will reconcile, financial transactions stop.

If cyberhackers can destroy online and backup data in this way, we would have a banking crisis of global proportions not unlike what we've just been through, in slow motion, with the toxic assets of the subprime mortgage crisis. What we would see is not unlike the level of uncertainty that has spread through the banking system. Who knows what accounts would really be worth? Was that $100 million transmitted only $90 million or $10 million? The trust has been compromised. Lack of trust would cascade through the system because of the widely interconnected contamination of data.

If the 19 terrorists who attacked the World Trade Center in 2001 had cyber-attacked one large New York bank and been successful in destroying its data and back-up data, it would have had a greater order-of-magnitude economic impact than 9/11 had on the world. So, we are vulnerable. A small number of people could create the significant damage from a remote, even overseas location.

If attackers want to interrupt communication or contaminate information, they need to only find one way in. But if we want to defend against an attack, we have to defend the whole system from penetration. Therefore, every system linked to computer networks and the Internet—from utilities to transportation to banking to ATM machines—must be defended.

This is the warfare of the future. In my view, it is one of the highest priorities for the United States. Because we are the most developed technologically, we have the most bandwith running through our society, and we are more dependent on that bandwidth, we are the most vulnerable.

This mass vulnerability means we have entered a new age of threat, defense, deterrence and attack equivalent in some ways, to the atomic age. Cyberattacks have the potential to damage our way of life as devastatingly as a nuclear weapon.

The age when America's threat came from "over there," across the great saltwater moats of the Atlantic and Pacific that have protected the continent, can no longer be the cornerstone of our defense. Today there is no distinction between "over there" and "here" because we are all connected by strands of optic fiber that run our computer and communications systems that could determine our survival. As shocking as 9/11 was to the nation, it was a small breach compared to the systemic threats we face today. Terrorists won't even need to come to our shores to create the kind of havoc and turmoil they did by flying planes into the Twin Towers. They will be able to do it from their laptops from overseas.

NPQ | Defense analysts say that 90 percent of the probes and scans of American defense systems as well as commercial computer networks come from China. What is that about?

McConnell |  I don't know if it is 90 percent.

Probably the best in the world in the cyber realm are the Americans, the Russians, the British, the Israelis and the French. The next tier is the Chinese, but they are determined to be the best.

We are an open society, a virtual sieve for cyber penetration. Most information can be readily downloaded from the Web. It takes seconds to scan a network to determine which two or three of the thousands of computers are not protected by blocking technology. You infect the unprotected computers, which in turn infect the remaining computers inside the network.

The Chinese are exploiting our systems for information advantage—looking for the characteristics of a weapons system being designed by a defense contractor or academic research on plasma physics, for example—not to destroy data or do damage. But, for now, I believe they are deterred from destroying data both by the need to export to the US and by the need to keep currency and global markets stable.

But what happens if we have a war? The capability to exploit information could quickly be used to attack information and to destroy systems on which the US depends. Every nation with advanced technology is exploring options on how to use this new capability to wage war.

NPQ | So everyone is probing everyone else?

McConnell |  Everyone. All the time. US probings are limited to foreigners. We cannot probe American systems. We would need a warrant for that, and the purpose would have to be foreign intelligence value, approved by a court. Foreign attackers, of course, do not have such restrictions.

The US intelligence community obtains information on foreign resources that will assist our understanding of those who might in some way threaten our security.

Terrorist groups today rank near the bottom of cyber war capability. Criminal organizations are more sophisticated. There is a hierarchy. You go from nation states which can destroy things, to criminals, who can steal things, to aggravating but skillful hackers.

At some point, however, terrorists will use a couple of graduates from the best universities with skills in cyber capabilities. It is a mistake to think terrorists are simply poor peasants or angry preachers.

Sooner or later, terror groups will achieve cyber sophistication. It's easier than nuclear proliferation. Once you have the knowledge, you don't have to spend years enriching uranium and testing long-range missiles. It doesn't take long to obtain a sophisticated attack capability.

The US should take proactive measures to plan ahead for this type of disaster. I understand the art of the possible in cyber warfare capabilities, and I know what our capabilities are today. Others will be able to do the same thing in time, so let's do what is necessary to defend ourselves now, before a catastrophic event.

NPQ | When we talk about the Chinese, are we talking about the government or the People's Liberation Army?

McConnell |  Let me put it this way. In World War II the US had codebreaking units in the Army, Navy and State Department that contributed significantly to winning the war in Europe and in the Pacific. In order to manage codebreaking going into the Cold War, President Truman created the National Security Agency (NSA), which reports to the Secretary of Defense, a Cabinet position, because the function was considered so important.  The Secretary of Defense remains today responsible for NSA's mission of Signals Intelligence.

China has a similar structure and authority associated with it. So, its intelligence collection is coordinated, but, just as in the US, there are competing bureaucracies carrying out the cyber exploitation mission.

In China today, thousands of people work in a sustained effort to collect intelligence, many of them on an entrepreneurial basis, as it were, within a competing bureaucratic structure. China understands that the strategic vulnerability of the US is its soft cyber underbelly. I believe it seeks to " own" that space.

My view is that the Chinese had a big shock when they watched the action of Desert Storm. They saw the power of the US linking computer technology with weaponry to attain precision. We dropped 1,000 bombs in World War II to destroy a target effectively. In Vietnam, it took hundreds bombs. Today, it takes one.

One target. One bomb. We dominated the warfare sphere. We owned the ability to locate and see targets through navigation and satellite imagery others did not have. We had air superiority. We could take a valuable target out with one bomb at the time of our choosing.

The Chinese concluded from the Desert Storm experience that their counter approach had to be to challenge America's control of the battle space by building capabilities to knock out our satellites and to invade our cyber networks. In the name of the defense of China in this new world, the Chinese want to remove that US advantage in the event of a war.

So, to this end, the Chinese have developed the capacity to shoot down satellites. Over-the-horizon radar and missiles that can be retargeted in flight. In short, they seek ways to keep the US at bay in the event of a conflict. In time, as their power, influence and wealth grows, the Chinese likely will develop "power projection" weapons systems.

They see the Middle Kingdom as the center of the world. They will have gone from what they describe as "the century of shame" to "our century" going forward. And they want to protect that from the US or anybody else. Because the Chinese want to dominate this information space, they will develop the capability to attack our "information advantage" and deny the US this capability.