When Melissa Meets Up With Hal
Last Friday, the virus Melissa landed like a ton of bricks on North American businesses and then proceeded to get worse. It doesn’t damage files on your PC; rather, it clogs the e-mail system. Its effect is to crash e-mail servers and, as a result, deny e-mail service. The speed with which Melissa proliferated left even the most seasoned computer experts breathless.
Melissa might not be a clever hacker’s stunt. She might not be a terrorist attack. She might be an effective tactical move in a new style of warfare: infrastructure warfare.
The point of infrastructure warfare is to use any and all means, whether a cyber attack or the destruction of bricks and mortar facilities, to crash critical systems in the United States’ infrastructure. Those systems can be things like e-mail, but they can also be things like natural gas pipelines, transportation systems and power grids. Are we prepared for such attacks? Hardly.
In the coming century, war-making will undergo a fundamental change that the military planners in Washington call “asymmetric.” The change comes when the bad guys represent an entity far smaller than the U.S., with far more limited resources. It could be a nation-state, but it could just as easily be a fundamentalist religious group or a drug cartel. It doesn’t take much money, nor does it require sophisticated weapons systems. The requirements are know-how and the ability to move quickly.
Two years ago, the Department of Defense discovered just how vulnerable the United States was to this form of attack with an exercise called Eligible Receiver. A team of sophisticated information warfare specialists from the Air Force, National Security Agency and other government agencies undertook a 20-day exercise with the goal of crashing the military command, control and communications systems in the Pacific. Within the first four days, they had made so much progress that the exercise was halted. During the course of the exercise the “Red Team”--the government’s hackers--discovered an effective way to attack the U.S. electric power grid as well.
The disconcerting reality of Eligible Receiver is this: The Red Team used information and techniques drawn from open, easily accessible sources. It could have been done by a team in Belgrade or Baghdad or Beijing.
The fundamental idea is ageless: Remove an adversary from the contest with the least risk of loss to your own side. In the 21st century, the technique for accomplishing that will be attacks on infrastructure. Fifty years ago, infrastructure-based war, or I-War, wasn’t really possible. Infrastructure was not tightly integrated by communications and computation technology as it is today.
Today, with almost every detail of modern life controlled or influenced by computers and communications-driven systems, our infrastructure has an exposed underbelly: software. Try to imagine something important that doesn’t run on a software system of some kind. The threat doesn’t end there. Water systems, power grids, and oil and gas pipelines can be physically attacked with great ease, and would take months or even years to repair.
Choose the right systems, damage them in the right way and at the right time, and the ripple effect can be massive.
Several years ago, President Clinton established the President’s Commission on Critical Infrastructure Protection, and this year the White House announced that a healthy part of the multibillion-dollar counterterrorism budget would be devoted to that end. In a perfect example of big talk and lousy execution, the elements of the budget earmarked for infrastructure protection were red-penciled last week by the Office of Management and Budget. Because no government agency is legally chartered to address this transborder threat, the funds cannot be allocated.
Today, the U.S. has tiny digital fire departments like the Computer Emergency Response Team at Carnegie Mellon University that tracked Melissa. There is no grand strategy for defense or offense. We are not prepared.
Most of the men and women who create policy in government are not of the computer generation. They don’t understand software or the fundamental value of data. No one is planning for the grand-scale attack. No one is planning for the grand-scale defense. No one is planning for the “soft kill”--military jargon for successful infrastructure attack.
That attack will come. That defense will be necessary.
*
Peter Black is owner of Xiphias, a publisher of DVD-ROM titles and author of “Infomatica,” to be published in July by Random House. E-mail: petermblack@-att.net.