Running head: THE INVISIBLE THREAT
IA 2 THE INVISIBLE THREAT: CYBERSECURITY
Pamela Beaty
National Cybersecurity Policy and Law CSEC 9021
University of Maryland University College
Saundra McDavid
June 09, 2014
1
THE INVISIBLE THREAT: CYBERSECUITY
THE INVISIBLE THREAT: CYBERSECURITY
Table of Contents
Page #
1. Abstract 3
2. Introduction 4
3. Post 9-11 6
4. Revising Bush Initiative 8
5. Obama’s 60 Day Review of Bush’s Directives 9
6. The Making of a Cyber Weapon: Stuxnet. 10
7. Pass the Bill 14
2
ABSTRACT
Over the past ten years the federal government has struggled with protecting its own IT
system. During former President George H.W. Bush and William Clinton’s reign, both parties
periodically sought to address cybersecurity threats by enacting legislative laws and policies;
however technology along with the sophistication of attacks has changed since the Bush and
Clinton era. After 1990, cybersecurity changed from an ‘annoying problem’ to a national
security issue. President Barak Obama has coined the Internet as a digital infrastructure. The
current advancement of technology and the revelations of state actors conducting attacks against
US companies call for the Obama’s administration to make substantial improvements in updating
previous predecessors’ guidance regarding cybersecurity. The Stuxnet worm that attack Iran’s
industrial Programmable Logic Controllers (PLC) in Iran was created during the Bush era and
accelerated during Obama’s. Although neither administration has claimed responsibility for
shutting down Iran’s nuclear facility, this drone-like computer virus was far sophisticated than
any virus is an example of the new face of cyber war in the 21st century: sophisticated, invisible
and deadly. Despite the administration taking the initiative to advance cybersecurity technology
and embracing the public’s demands by declassifying previous directives policies, the Obama
administration is still unprepared to protect US communications and critical infrastructure. As
cybercrime and the risk of digital infrastructure increases, it is imperative for the government to
form a ‘brain thrust’ that consists of computer scientists, the private sector and the international
community to improve communications within the private sector, the international community
and the federal government. Beginning with a history of analysis from previous policies and past 3
cyber conflicts it is time for the government to proscribe a course of action in order to protect
communications network and our nation’s critical infrastructure.
The Invisible Threat: Cybersecurity
There have been a significant number of breaches in cybersecurity in the past few years
that could affect not only the private and public sector but also our nation’s critical
infrastructures. The efforts of protecting critical infrastructures took a positive step in the 1990’s
when President William Clinton issued Presidential Directive 39 (PDD 39) in response to a
domestic terrorist attack at the Oklahoma City bombing in 1995. PDD 39 outlined
counterterrorism and made protection of critical infrastructures a national priority. At a speech
before the U.S. Naval Academy in 1998, President Clinton provided a more detailed description
of foreign and domestic terrorism and how PDD 39 would help to counter the threat. President
Clinton stated to a group of U.S. Navy academy graduates that “If the U.S. fails to take strong
action, then terrorists, criminals and hostile regimes could invade and paralyze these vital
systems, disrupt commerce, threatening health, or weakening our capacity to function in a crisis
(Clinton, 1998).” The directive also discussed promoting partnerships between government and
owners of the infrastructures. Today cyber threats come from foreign and domestic groups and
individuals whose motives for attacking networks vary. Financial institutions have had their
websites come under direct denial of service (DDoS) attacks from individuals and groups. More
than eighty to ninety percent of cyber related critical infrastructures are owned by the private
sector (Eckert, 2005, p.179). Private sector companies who own critical infrastructures firewalls,
malware protection tools are constantly being tested for vulnerabilities by hackers whom they
believe are working for or with state actors such as Iran and China. Reports from security firms,
the private sector and from the federal government indicates China, Iran and Russia may have 4
the capability to shut down financial services, gas and electric systems, and possibly nuclear
plants. Critical infrastructures are prime targets for criminal elements due to lack of upgrades on
these types of servers. The fact that almost every significant activity (social media, US
government, military) depend on the security of the Internet is an overall threat to our nation’s
social and economic well-being. The use of the Internet is in the mist of unprecedented
technological changes. Building a safer network will require cooperation from the international
community, the private sectors and government agencies. As the threat to cyberspace grows, the
urgency in investing wisely in protecting, detecting, mitigating, and recovering from cyber
threats is imminent. The changing nature of technology and the aggressiveness of criminal
elements call for a periodic review and update on laws and policies that will promote information
sharing on cybersecurity.
Post 9-11
In 1939, a group of physicists wrote a letter to President Franklin Delano Roosevelt
(FDR) with Albert Einstein’s signature (PBS, 2012). The letter urged Roosevelt to consider
research development in building a nuclear weapon. During the 1940’s, Americans feared
Adolph Hitler’s power and German’s advancement in uranium enrichment research. Several
physicists including some who fled Germany feared German scientists were developing a
uranium enriched weapon. FDR consulted with his military advisors which resulted in what was
then a classified plan called the Manhattan Project. The Bush’s administration planning for
cyber war has been linked to the invention to the Manhattan Project. After the post-terrorism
events, President Bush’s second term in office provided him with the opportunity to implement
policies that included high-tech advancement and policies to protect the networks against
cybersecurity threats. In 2003, President Bush signed National Presidential Security Directive 16 5
(NPSD) without the public’s knowledge. Similar to the Manhattan project, this doctrine ordered
the government to develop guidelines for determining when and how the government would
launch cyberattacks against networks. Speculations of Iraq developing biological and nuclear
weapons led to the development of NPSD 16. In 2003, the United States planned a cyberattack
that would have frozen Iraq’s financial system which would have shut down Iraq’s President
Saddam Hussein’s cash flow. The plan was cancelled due to the Iraq’s bank system’s connection
to networks in France and the United States. In January 2003, the Bush administration consulted
with cyber experts, government officials and the academia at a meeting held at the Massachusetts
Institute of Technology (MIT). Harvey M. Sapolsky, MIT professor stated, “A lot of institutions
and people are worried about becoming subject to the same kinds of attack in reverse (Graham,
2003, p.2).” Fear of retaliatory attacks and collateral damage are one of many reasons why the
U.S. government did not use cyber warfare during the Iraq war.
By early 2007, senior government and military officials experienced in cyber warfare began to
implement strategies to launch cyberattacks against Iraq. In 2007, President Bush authorized
information warfare to use against Iraq. Information warfare encompassed using a computerized
system to attack Iraq’s network. Bush ordered the National Security Agency (NSA) to attack
Iraq’s cellular phones and computers Iraqi insurgents were using to emplace bombs. Iraq’s
electronic devices also allowed insurgents to post videos of the attack of Coalition Forces (CF)
on the Internet. Mike McConnell, former director of NSA and U.S. Army General Petraeus who
led the surge in Iraq, were two senior officials who believed cyber war was the future. The use
of cyber war enabled military planners to capture/kill some of the most influential insurgents in
Iraq by cutting off or jamming their electronic devices. A spike in the number of attacks in
government agencies networks and intelligence reports from the National Security Agency 6
(NSA) led the Bush administration to sign the National Security Presidential Directive
54/Homeland Security Presidential Directive 23 (NSPD54/HSPD 23) . This document was
designed to protect federal government systems intrusions, and to anticipate future attacks
(Sharp, 2003, p.3). The Comprehensive National Cyber security Initiative (CNCI) was
established under NSPD 54HSPD 23. This initiative outlined defense mechanisms to protect US
networks against cyberattacks. The directive also included expanding cyber education and
developing strategies to protect the nation against malicious activities in cyber space. The
overall goal of CNCI was to secure the U.S. in cyberspace.
Revising Bush’s Initiative
In 2010, President Obama’s administration declassified a portion of CNCI’s project.
President Obama cited the administration’s reason for declassifying the project was to foster a
transparent relationship between the private sector, the American public, and the government.
The pattern of secrecy defined the characteristics of Bush’s legacy. President Bush was criticized
during his tenure for expanding secrecy as part of the war on terrorism. President Obama
however wanted a more open dialogue with the public, After the September11 attacks, the seed
of distrust between America and the government began when Congress rushed to pass the Patriot
Act which expanded the government’s ability to track and detain suspected enemies in secret
including Americans. Civil libertarians and some conservative groups criticized the Bush
administration for failing to disclose some of their projects in cybersecurity and directives. Steve
Aftergood, who is in charge of the of the project on government secrecy for the Federation of
American scientists concurred some degree of secrecy is justifiable however during the Bush
administration he stated, “we are seeing far more secrecy than is warranted by national security
requirements(Graham, 2003).” The declassified project included new information on CNCI. The 7
Einstein project, part of the CNCI initiative, is a program that was designed to look for indicators
of cyberattacks by ‘sifting’ in Internet connections, including contents of emails. Einstein was
recently upgraded to Einstein 3 by the Obama administration. The goal of Einstein 3 is to
develop a next generation intrusion prevention system (Vijayan, 2010). President Obama stated
he planned to ensure the public that the plan would not violate privacy rights. Under CNCI, the
overall goal is to enhance advance warning capabilities and to develop an effective response to
deter attacks against federal and critical infrastructures.
Obama’s 60-Day Review of Bush’s Directives
No threat has grown faster and more complicated than cybersecurity. Before the end of
President Bush’s second term in office, his administration took bold steps to improve the overall
security of the nation’s networks. President Obama followed suit by hiring former Bush
appointees and revising some of Bush’s directives/initiatives on cybersecurity. After taking
office in 2009, Obama made protecting the nation’s digital networks and infrastructures a
priority and ordered a sixty day review of documents that entailed the government’s efforts to
protect vial information systems. The 60-Day Review led by a former Bush appointee (Melissa
Hathaway) offered an assessment and insights of what the United States must accomplish in
order to secure its digital future. The review was viewed as a critical step towards addressing the
challenges the government faced in securing information systems and outlined the importance of
partnerships. The report also recommended promoting education, more training, and
technological advancement in cyber security, but the report was not fundamentally different from
previous cybersecurity initiatives outlined from President Obama predecessors.
Let the Games Begin. During the last months of Bush’s presidential term, The New York Times
writer and author of the book Confront and Conceal, David Sanger reported that President Bush 8
authorized ‘Olympic Games,’ a covert program that was aimed to stop Iran’s electrical and
computer system (Sanger, 2012b ). Sanger’s intelligence information was based on interviews
with former American European and Israeli officials who were participants of the program.
Names were not provided due to the sensitive nature of the program. Olympic Games was
formulated in 2006 when President’s Bush’s options were limited. President Bush had
previously accused Iraq of staging nuclear weapons which proved false and Iran knew the
president had little credibility within the international community to publicly accuse another
country of reconstituting its nuclear program. Iran took advantage of this vulnerability and
increased its efforts in enriching its underground site in Nantz, Iran. Iran’s president even
invited the international community to visit the facility. The Bush administration began to fear
Iran was storing bomb grade material when Iran requested fuel for its civilian led nuclear
program when Iran was already receiving fuel from Russia. The program was so secret and
important to the Bush administration that before President Bush left office, President Elect
Obama was briefed on the covert program before taking oath. Bush then urged President Obama
to continue to focus on cybersecurity in particular conducting cyberattacks against Iran and to
continue strikes against Pakistan using unmanned aircrafts called drones. Obama agreed and
increased its efforts to attack against Iran using cyber warfare. After President Obama took the
presidential oath, Olympic Games under the Obama’s administration name was changed to
Stuxnet (Sanger, 2012). Despite Bush’s policies on cyber security, some security experts believe
the Obama Administration is considered the era of cyber war.
9
The Making of a Cyber weapon: Stuxnet
The Art of Cyber War. During his first months in office, President Obama secretly ordered
sophisticated attacks on Iran’s uranium enrichment facility. Some computer experts signify the
attack against Iran’s facility as America’s first sustained use of cyber weapons against an
adversary. Using human intelligence (HUMINT), imagery intelligence (IMINT), and foreign
allies (Israel, Germany) and a Universal Serial Bus (USB) also known as a flash drive, the U.S.
was able to gain access to Iran’s industrial computer controls. The National Security Agency
along with Israel’s cyber unit collaborated with the German company Siemens develop a code
which was tested at the Energy Departing using a replica of Iran’s facility. The test was deemed
successful. Thumb drives proved critical in spreading the attack as Israel using unwitting
employees at the facility in Iran to insert the thumb drive in a computer. In 2010, Iran reported
approximately 1,000 of its centrifuges at Iran’s Nuclear facility which is used for enriching
weapons-grade uranium was destroyed. Iran claimed the virus set back the program for at least
Israel the US intelligence agencies were blamed for the cyberattack and have yet to claim
responsibility. Some computer experts who have dissected Stuxnet stated that the program was
so complex that only government agencies were capable of designing it. Noted one intelligence
expert on cyber warfare, “To check out the worms, you have to know the machines; the reason
the worm has been effective is that the Israelis tried it out (Broad, Markoff, and Sanger, 2011).”
Unlike other types of malware, Stuxnet was designed to target Industrial control facilities such as
factories, refineries or plants. Technical analysis of Stuxnet revealed the virus was a complex
piece of malware with multiple features that took cybersecurity to a new level. When President 10
Obama was breached during every phase of the attack it was during this stage President Obama
was learning the arts of cyber war. Sanger noted that President Obama was aware that every
attack he approved was pushing the United States into unfound territory which was similar to his
predecessor FDR who authorized the Manhattan Project. According to Sanger President Obama
acknowledged any word of US and its allies involved in the use of cyber weapons could possibly
“enable other countries, terrorists, hackers, to justify their own attacks (Sanger, 2012a).”
Michael V Hayden, former chief of the Central Intelligence Agency (CIA) was interviewed by
the news show 60 Minutes did not admit to U.S. involvement but commented that Stuxnet was “a
good idea and it was the first attack of a major nature in which a cyberattack was used to effect
physical destruction, rather than just slow another computer, or hack into it to steal data (The
Chertoff Group, 2012).” President Obama repeatedly advised his aides the risk in using cyber
warfare and the overuse of the weapon during his meetings with prominent computer experts in
the White House’s Situation Room. President Obama understood the repercussions behind using
a physical weapon; President Obama’s prognostication regarding the over usage came to fruition.
In the summer of 2010, it was revealed a new variant of the virus that was programmed for the
Natanz facility had entered ‘cyberspace.’ Reports from computer experts revealed an error in the
code enabled the virus to spread to computer. When the virus left the Natanz facility in Iran, the
virus failed to recognize the environment had changed and the bug began to replicate itself.
Engineers working on the project ‘allegedly with the US believed the Israelis modified the code
but not without leaving a trace or digital forensics of the virus. Although President Obama was
hesitant to use the Stuxnet virus against other adversaries such as China and Syria, one
intelligence official noted the techniques in Iran could one day be used to “disrupt Chinese
military plans, forces in Syria, and Al-Qaeda operations around the world (Sangerb, 2012).” 11
However if the U.S. uses this type of cyber weapon on its adversaries the U.S. must take into
account the political blowback that adversaries may attempt to use cyber weapons against the
U.S.
Future of Cyberwar. Michael Hayden acknowledged the U.S. has entered a new phase of
conflict in which we use cyber weapons to create physical destruction in someone else’s critical
infrastructure. Speculation about what Stuxnet means for cybersecurity will continue to be
dissected in both the technical and political environment. Stuxnet has raised the bar and has set a
precedent for future attacks and has shown that industrial systems are vulnerable. Cyber weapons
offer great potential for striking at enemies with less risk than using traditional military means. It
is unclear how much the Stuxnet program cost, but it was almost certainly less than the cost of
12
Figure 1: How Stuxnet Spreads (2012). Note: From The New York Times. Copyright 2012 by Guilbert Gates. Reprinted with permission (Educational purposes only).
single fighter-bomber. Yet if damage from cyberattacks can be quickly repaired, careful strategic
thought is required in comparing the cost and benefits of cyber versus traditional military attack.
One important benefit of cyberattack may be its greater opportunity to achieve goals such as
retarding the Iranian nuclear program without causing the loss of life or injury to innocent
civilians that air strikes would seem more likely to inflict. Nevertheless, cyberattacks do carry a
risk of collateral damage, with a risk of political blowback if the attacking parties are identified.
Difficulty in identifying a cyber attacker presents multiple headaches for responding. A key
strategic risk in cyberattack finally, lies in potential escalatory responses. Strategies for using
cyber weapons like Stuxnet need to take into account that adversaries may attempt to turn them
back against the U.S.
Pass the Bill
Summary. No threat has ever grown as fast as cybersecurity. Before the end of President
Clinton’s term in 2001, he warned the nation and advised his predecessor President Bush
regarding the imminent threat of cybersecurity. President Bush took bold steps to improve
security U.S. networks and President Obama followed suit by appointing some of Bush’s
appointees to tackle cybersecurity issues. Threats to government networks have increased in
recent years. Cyber -attacks are no longer imposed by teenage hackers but sophisticated criminal
elements targeting U.S. financial banking systems, and criminal infrastructures. President Bill
Clinton, George W. Bush and Barak Obama administrations have each recognized the
importance of protecting the cyber space and each administration experienced cyberattacks
during their presidential terms. During the Bush administration counterterrorism was the focal
point. During President Bush’s tenure many Americans were outraged that terrorist activities in
13
the US occurred on US soil. This outrage enabled President Bush to pass laws relating to
terrorism. It was during his last term in office the administration began to concentrate its efforts
on passing directives in order to protect the nation’s networks and critical infrastructures. These
directives along with some of Bush’s initiatives were passed without the public’s knowledge and
the seed of distrust between Americans and the Bush administration became the focal point at the
end of Bush second term. President Obama is near the end of his second term. During his 2008,
presidential campaign, Obama promised the Americans that his administration would a
cybersecurity strategy due to breaches of data and cybersecurity attacks on U.S. companies by
state actors. The recession, the war in Afghanistan, deadlocks with Congress on passage of
cyber bills and a possible uprising of Al-Qaeda insurgents in Iraq are one of many issues that
have diverted the administration to refocus its efforts. The recent cyberattacks in the last two
years and well publicized security breaches has cause the administration to devote once again its
attention on cybersecurity. The Obama administration has made great strides in creating a
cybersecurity strategy but will suffer a resistance from Congress and once again skepticism from
the public.
Conclusion: The late Mohandas Ghandi, the political leader of India who was inspirational in
freeing the people of India from British oppression believed that policy was temporary and
subject to be changed. He believed that if there was a policy in place than one should pursue it
with expedience. Troubled with ending the war in Afghanistan, the Eric Snowden event in
which classified documents were leaked to state actors, and the uprising of Al Qaeda in Iraq has
once again caused the administration to place cybersecurity on the backburner. To date, few
cyber bills have yet to be passed from the Obama administration, despite the fact that cyber
14
threats are growing at a fast pace. Disagreements between party lines have also caused
legislative acts to be deadlocked in the senate. Bickering between political parties must end as
the government will need to address implementing a mandate to secure its own network. One
way to address this issue is to implement security policies with accurate definitions that the
public and private sector can follow. Second, the U.S. should address the need to implement an
international security policy. The public and private sector must start to consider other vital
cyber supply chain assets that are subject to attacks such as smartphones and tablets. Most of
these types of components are made in China who poses a serious threat to our country. These
recommendations can only be accomplished with the cooperation of both political parties and the
international community.
15
References
Broad, W. J., Markoff, J., & Sanger, D. E. (2011, January 15). Israeli test on worm called crucial
in Iran nuclear delay. New York Times, 15, 2011.
Clinton, B. (1998, May). “President Bill Clinton Speaks To The Naval Academy At Annapolis.”
Present at the Naval Academy, Annapolis Maryland.
Eckert, S. (2005). Protecting Critical Infrastructure: The Role of the Private Sector. Guns
& Butter: The Political Economy of International Security, 179-201.
Gates, G. (2012). How stuxnet spreads [Image]. Retrieved from
http://search.proquest.com.ezproxy.umuc.edu/docview/1017924484?accountid=14580
Graham, G. (February 7, 2003). Bush orders guidelines for cyber-warfare. Washington Post
Retrieved from http://www.stanford.edu/class/msande91si/www-spr04/readings/week5/
bush_guidelines.html
Public Broadcasting Service. (2012). American Experience: The Presidents. [Review of the
DVD American Experience, The Presidents, produced by American Experience, 2012]
Sanger, D. E. (2012, Jun 1, 2012). Obama order sped up wave of cyberattack16
against iran. New York Times Retrieved from
http://search.proquest.com.ezproxy.umuc.edu/docview/1017924484?accountid=14580
Sanger, D. E. (2012b.). Confront and conceal: Obama's secret wars and surprising use of
American power. Random House LLC.
Sharp Sr., W. G. (2010). Past, Present, and Future of Cybersecurity, The. J. Nat'l Sec. L. &
Pol'y, 4, 13.
The Chertoff Group. (2012, March 2012). General Michael Hayden discusses the stuxnet virus
on 60 minutes. [video file]. Retrieved from http://www.youtube.com/watch?
v=8HK3XPXBbNk
Vijayan, J. (2010, March). Obama administration partially lifts secrecy on classified
cybersecurity project. Computerworld. Retrieved from
http://www.computerworld.com/s/article/9164818/Obama_administration_partially_lifts_
secrecy_on_classified_cybersecurity_project
17
