Concurrent Breakout Sessions 9 Breakout Sessions 12




Undergraduate Category – Michael Cohen

The Threat From Cyberspace

In a tragically ironic turn of history, a remnant of perhaps the greatest struggle of the 20th century helped spark what threatens to be the defining challenge of the 21st. On April 27, 2007, the Estonian government relocated the Bronze Soldier of Tallinn, a memorial to the millions of Red Army soldiers who died fighting Nazi Germany. The move stirred simmering ethnic rivalry and, in response, a group of rogue actors moved to exact revenge upon the Estonian government. Ten years ago, such a response would have likely involved bombs and bullets and burning buildings. However, this attack came through a very 21st century medium: the Internet.

A carefully orchestrated denial-of-service campaign employed a massive network of hijacked computers to flood websites critical to Estonian infrastructure. An Estonian government spokesman confirmed that websites normally receiving 1,000 visits each day were being inundated with 2,000 visits every second.9 Sites belonging to Estonia’s government, political parties, media outlets, and leading businesses were all forced to shut down. The infrastructure of an entire society ground to a halt; a sovereign nation was, albeit temporarily, toppled without a single shot fired.

Intelligence agencies the world over must treat the Estonian cyberattack as a wakeup call; as a grave signal that the age of cyberwarfare and cyberterrorism is here and, perhaps, has just begun. The increasingly interconnected world of the 21st century has ushered in an era of new personal luxuries and technological innovations that have truly transformed human society. Yet, this era’s greatest strength – the proliferation of information technology that has connected and empowered so many – may also be its greatest weakness. Threats from cyberspace – from warfare to espionage, from organized crime to terrorism – will constitute the intelligence community’s greatest challenge as it confronts the difficult and dangerous decade to come.

The Estonian cyberattack stands out as a particularly ominous example of how a nation can fall prey to an online offensive, but it is neither the first nor even the greatest strike of its kind. For years, hackers on the Indian subcontinent have been engaged in a cyberconflict, with scores of denial-of-service attacks exchanged over the Pakistan-India border. After the disqualification of South Korean speed skater Kim Dong-sung effectively awarded a gold medal to American rival Apolo Ohno at the 2002 Winter Olympics in Salt Lake City, outrage in South Korea manifested itself in a massive denial-of-service attack that brought down several large American servers. Perhaps the largest and most damaging cyberattack to date was a series of China-based hacks on United States government computers that the FBI has codenamed Titan Rain, though Titan Rain stands out from this list because it was not a denial-of-service attack.

Denial-of-service attacks are often launched using bot networks, or botnets. Responsible for both the Estonian and Olympic cyberattacks, botnets are constellations of computers that have been compromised and infected with malicious code. The code allows them to be remotely controlled by a hacker (known as the botmaster) over the Internet. Remotely controlling thousands (sometimes hundreds of thousands) of computers enables the botmaster to flood and disable websites, potentially wreaking havoc on any electronic system. How can a threat to computer systems, in the age of seemingly greater threats including nuclear proliferation and Islamic extremism, comprise the most important challenge to the intelligence community? The problem is that computer systems now control nearly every facet of military and civilian life. Joel Brenner, the National Counterintelligence Executive, put it this way:

Our water and sewer systems, electricity grids, financial markets, payroll systems, air and ground traffic control systems ... are all electronically controlled, electronically dependent, and subject to sophisticated attacks by both state-sponsored and freelance terrorists.10

Clearly, the threat of a botnet attack transcends the inconvenience and monetary toll of mere website failure. The fact that a botnet attack on the United States civilian or military infrastructure has not yet inflicted significant and lasting damage, experts agree, does not mean that America is safe. In fact, the threat appears to be growing as cybercriminals in general and botmasters in particular have grown dramatically more adept and powerful in recent years. One reason to identify the threat from cyberspace as the most important challenge facing the intelligence community over the next 10 years becomes clear from examining what has happened on this front over the past 10 years. A decade ago, cybercrime was a blip on the radar of intelligence agencies. Today, according to the FBI, it costs American industry alone almost half a trillion dollars per year.11 Dr. James Lewis, Director of the Technology and Public Policy Program at the Center for Strategic and International Studies in Washington, D.C., explains:

Ten years ago, they were amateurs; now they are professionals who stay on top of their game. Cyber crime is a risk… and we’re having a hard time getting a handle on it.12

Botnets in particular seem to be evolving in two major ways. First, the mechanism of infection is changing. Botnets used to be transmitted by hiding in software and programs that people open from their email or download from the Internet. A well-informed individual could largely avoid botnets by not downloading pirated software, not following malicious links, and not opening spam email. Unfortunately, those days are long gone. Avoiding such risky online practices is no longer sufficient because bots are increasingly transmitted through “drive-by downloads” from legitimate websites.13 This means that bots can spread simply through the viewing of innocent websites (no conscious download is required), and such transmission can occur without the knowledge of either website owner or viewer. Since bots are often very good at hiding their presence, the owners of infected computers generally do not know they are carriers of the botnet… and one does not need to be a practicing physician to know that it is very hard to cure an illness when the patient has no symptoms at all.

The second major aspect of the deeply troubling botnet evolution involves the flattening of the botnet organizational hierarchy. Until 2004, all botnets operated in basically the same fashion: As the network grew, the botmaster communicated with its herd using an Internet Relay Chat (IRC) server.14 Under this system, every bot has a direct link to the botmaster. If the authorities could successfully locate a bot and track the IRC address of the computer on the other end of the botnet communication, then the authorities had successfully found the botmaster. From there, arresting the botmaster and disabling the botnet was relatively easy work.

Then, in 2004, the first P2P botnets began to terrorize the web. P2P botnets, or peer-to-peer bot networks, operate much as they sound: The bots communicate as peers, so a direct IRC connection no longer links each bot to its master. Since trapping a bot does not easily lead authorities to the ringleader, the proliferation of these advanced botnets is even harder to stop.

The case of Jeanson Ancheta is a rare example of a major botmaster who was tracked down and convicted in federal court. Ancheta alone, a 21-year-old California hacker and member of a group known as “Botmaster Underground,” had taken over more than 400,000 computers.15 These advanced botnets are staggeringly – almost incomprehensibly – vast and potent threats. In 2006, the prominent Internet security firm Symantec announced that it had detected over 6 million bot-infested computers.16

It is critical that intelligence agents understand the way in which this new type of cybercrime fits into the existing criminal and terrorist framework. Ancheta reportedly earned over $100,000 from Internet advertising companies for permission to access the botnet, and may have rented out the botnet as well.17 The Estonia attack was also carried out via a rented botnet, or more likely, several rented botnets. The attack finally subsided on May 10th, not because Estonian authorities had defeated the hackers and cracked their malicious code, but because the time for which the botnets were rented simply ran out.

Thus, organized crime is an integral component of the cyber threat. Botnets are commonly owned and operated by online gangs like “Botmaster Underground,” and turf wars and bot-based extortion are all too common. Intelligence professionals are well aware of the fact that, wherever organized crime runs rampant, the terrorist link is not far away. That many nations, largely in the Middle East and Southeast Asia, are quickly becoming world leaders in both information technology and anti-American ideology presents a pressing concern. One fear is that cyberweapons might fall into the hands of terrorists. This scenario should not sound like science fiction. In fact, terrorists have long used cybercrime to plan and fund their objectives. It is clear that advanced technology is playing an increasingly critical role in Al-Qaeda operations:

Ramzi Yousef, who was sentenced to life imprisonment for the previous bombing of the World Trade Center, had trained as an electrical engineer, and had planned to use sophisticated electronics to detonate bombs on 12 U.S. airliners departing from Asia for the United States. He also used sophisticated encryption to protect his data and to prevent law enforcement from reading his plans should he be captured.18

It seems only a matter of time before those who harbor extreme anti-American sentiment and computer mastery find a way to combine those two passions on an unprecedented scale… especially given the vulnerabilities that exist in American military and civilian infrastructure. For example, federal authorities were forced to deal with gaping holes in the Supervisory Control And Data Acquisition (SCADA) system and the Simple Network Management Protocol (SNMP) in recent years, both of which control critical components of American infrastructure. The Congressional Research Service report on Botnets, Cybercrime, and Cyberterrorism explains:

Some experts believe that the importance of SCADA systems for controlling the critical infrastructure may make them an attractive target for terrorists. Many SCADA systems also now operate using Commercial-Off-The-Shelf (COTS) software, which some observers believe are inadequately protected against a cyberattack… In August 2003, the “Slammer” Internet computer worm was able to corrupt for five hours the computer control systems at the Davis-Besse nuclear power plant located in Ohio (fortunately, the power plant was closed and off-line when the cyberattack occurred).19

In 2002, a major vulnerability was discovered in switching equipment software that threatened the infrastructure for major portions of the Internet. A flaw in the Simple Network Management Protocol (SNMP) would have enabled attackers to take over Internet routers and cripple network telecommunications equipment globally… the security flaw could have been exploited to cause many serious problems, such as bringing down widespread telephone networks and also halting control information exchanged between ground and aircraft flight control systems.20

The terrorist fascination with aircraft is clearly nothing new. In this day and age, though, the intelligence community must focus as much on securing the information technology that controls air travel as on securing aircraft themselves. America and the world can ill afford a vulnerability in SCADA or SNMP to be discovered and exploited by terrorists before it is found and fixed by federal intelligence authorities. This Congressional Research Service report captures another critical part of the cyber threat, the interconnection between military and civilian infrastructure and software. The presence of commercial-off-the-shelf (COTS) software in government infrastructure is troubling because cybercriminals and terrorists have access to very similar if not identical programs. The fact that about 85% of American infrastructure is privately owned also presents grave security challenges, as private firms often prefer to spend shareholder funds on profit-maximizing innovations instead of costly security measures that may only seem important when it is too late.21

Another worry is that cybercriminals might sell botnets and other cyberweapons to terrorist organizations. This is perhaps a more likely scenario, as most cybercriminals are more interested in making a buck than making jihad against America and its allies. The anonymity that characterizes the black markets in which these sorts of cyber secrets are exchanged could easily place botnets or cyberweapons in hostile hands.

Perhaps the greatest threat of all, however, is that of a coordinated attack. Some experts have expressed the opinion that a massive cyberattack does not fit the Al-Qaeda modus operandi because Al-Qaeda tends to prefer more spectacular attacks that cause real-life bloodshed, thus sending a clearer message to the world. However, a cyberattack would be an ideal way to supplement a conventional attack – perhaps a nuclear, biological, or chemical strike – and amplify its effects by hindering the response effort. Ronald Dick, director of the FBI’s National Infrastructure Protection Center, elaborated on this threat:

The event I fear most is a physical attack in conjunction with a successful cyber-attack on the responders' 911 system or on the power grid… [One in which] the first responders couldn't get there . . . and water didn't flow, hospitals didn't have power. Is that an unreasonable scenario? Not in this world. And that keeps me awake at night.22

Espionage, as experienced during Titan Rain, represents another serious danger in cyberspace. The threat of nations or corporations hacking into government computer systems and retrieving classified data is certainly a leading challenge for the intelligence community, as is the growing possibility of an insider stealing vast amounts of data on a flash-drive or other tiny media device that can easily be hidden and smuggled past security checkpoints.

However, in this era of globalization, cyberattacks designed to cripple major transportation or financial infrastructure are more likely to come not from a nation state (China, for example, is almost as dependent on the American financial system as is the United States) but from a rogue group that rejects the world economy altogether.23 The global network of extremists that the United States is currently confronting in the War on Terror fits that description to a downright chilling extent. Testifying before the House Committee on Homeland Security, former NSA Director’s Fellow O. Sami Saydjari described what the aftermath of a massive cyberattack might look like. His poignant description is as frightening as it is critical to 21st century intelligence:

As another day turns to night, looting starts, and the traffic jams get worse. Word begins to spread that the US has been attacked—not by a conventional weapon, but by a cyber weapon. As a result, our national power grid, telecommunications, and financial systems have been disrupted—worse yet, they won’t be back in a few hours or days, but in months. The airports and train stations have closed. Food production has ceased. The water supply is rapidly deteriorating. Banks are closed so people’s life savings are out of reach and worthless. The only things of value now are gasoline, food and water, and firewood traded on the black market. We’ve gone from being a superpower to a third-world nation practically overnight… We are a nation unprepared to properly defend ourselves and recover from a strategic cyber attack.24

Working to ensure that that day never materializes is truly the greatest challenge facing the intelligence community in the coming decade and beyond.

