By James A. Lyons Jr.
November 13, 2007
One asymmetric threat to our military forces and the nation is "cyber
terrorism." Our advanced technologically based military forces
dependent on our satellites, critical infrastructure computers, the
Internet, secure software programming, computer-driven
telecommunications, air traffic control centers and other sophisticated
sensor systems are tempting targets for cyber terrorism.
Not only do we use our satellite and communication technology to support
our military forces, but it has also become a key link in all aspects of
our complex economic society. Banking, control of electrical grids,
stock markets, telecommunications and a vast array of computer networks
are part of our everyday life. Microprocessors and soon nanoprocessors
have been built into our social fabric.
The control mechanisms at our nuclear power plants rely on performance
analysis not by operators but by micro-processors. The flow of oil
through thousands of miles of pipelines is adjusted by computers at
valve sites remotely managed with communication systems vulnerable to
interference and disruption. Railroad switches often are controlled the
Experts have said 80 percent of successful intrusion into our government
computer systems can be attributed to software errors or poor software
quality. Many software products have poorly written or have poorly
configured security features. Computers and networks without operating
firewalls, up-to-date virus and password protection are invitations for
disasters. DHS computers were subjected to penetration by Chinese
hackers because we failed to install and monitor the necessary
Compounding the problem, offshore outsourcing provides a programmer
overseas the chance to secretly insert a "Trojan Horse" or other
trapdoor into a new software product. Oracle, a major database software
vendor and a supplier to U.S. intelligence agencies, has contracted for
software development in India and China. It is to be noted that U.S.
agencies are not permitted to use unsupervised development of software
from untrusted sources.
Using untrusted software in critical commercial infrastructure is the
major problem. Other countries that have received outsourced software
work are Malaysia and Indonesia as well as possibly Pakistan, Russia,
China and Israel.
Software outsourcing is only part of the problem. The Chinese mega
corporation Lenovo bought IBM PC's production unit. There was great
concern that they would have access to IBM's sensitive technology.
Nonetheless, the U.S. State Department has placed an order for 15,000
Lenovo PCs. How will State ensure the Chinese have not placed bugs and
other devices in these PCs? This is too tempting a target for the
Chinese to pass up.
We have been conditioned mentally to accept the ubiquitous "civilian
hacker." Internet security companies such as Akamai in Boston track
thousands of attacks against the U.S. government and corporate computer
systems every day. The single biggest source of those attacks is China.
According to Richard Clarke, former National Security Council member, a
Chinese general has said they would reach out through cyberspace and
turn off our electric power grids before any conflict with the United
States. I would thank that Chinese general for the "strategic warning."
It has also been reported that Chinese "military hackers" have prepared
a detailed plan to disable our aircraft carrier battle groups with what
they hope would be a devastating cyber attack, according to one Pentagon
report. That will not happen because of the redundancy built into our
carrier battle groups.
In a previous briefing before Congress, the former CIA director said at
least a dozen countries including China, Libya, Russia and Iran are
developing programs to attack other nations' information computer
Cyber attacks on our military forces, computer networks and critical
infrastructure would be more than isolated acts of terrorism. The Carter
administration considered nation-state-sponsored terrorism a "police
problem." We cannot fall into that trap. The National Infrastructure
Protection Center (NTPC) in the Department of Homeland Security defines
cyber terrorism as "a criminal act perpetrated through computers,
resulting in violence, death and/or destruction, and creating terror for
the purpose of coercing a government to change its policies." But when a
nation-state launches or sponsors such attacks either directly or
through proxies, it is more than a criminal act, it is an "act of war."
For those potential nation-state enemies, we need to fire a "shot across
the bow" to make the consequences perfectly clear to them before they
start down that path.
As part of our national policy, we need to declare now that a cyber
attack by a nation-state or its proxies against our military forces or
our critical infrastructure will be considered "an act of war" against
the United States.
James A. Lyons Jr., U.S. Navy retired admiral, was commander in chief of
the U.S. Pacific Fleet, senior U.S. military representative to the
United Nations, and deputy chief of naval operations, where he was
principal adviser on all Joint Chiefs of Staff matters.
Visit InfoSec News