13 June 2016

War Games: Tracing the History of Cyber Security

http://knowledge.wharton.upenn.edu/article/the-secret-history-of-cyber-war/?utm_source=kw_newsletter&utm_medium=email&utm_campaign=2016-06-09
Jun 09, 2016
The concept of “cyber war” goes back to the beginning of the internet, almost 50 years ago. Pulitzer-Prize-winning journalist Fred Kaplan traces the history of this topic in his new book, Dark Territory: The Secret History of Cyber War.
Kaplan recently appeared on the Knowledge@Wharton show on Wharton Business Radio on SiriusXM channel 111 to talk about his new book.

An edited transcript of the conversation follows.
Knowledge@Wharton: Ever since we’ve had the concept of the internet, the thought of cyber war has been in play.

Fred Kaplan: Right. In 1967, the ARPANET was about to roll out. The ARPANET was the precursor to the internet. This was a great boon to scientific research. All the contractors of the Defense Department and labs and universities could communicate with each other on one network, instead of having to go through a zillion consoles. But there was a computer scientist named Willis Ware. He had been a computer pioneer. He was the head of the Computer Science Department at the RAND Corporation and a member of the Scientific Advisory Board at the National Security Agency (NSA). He wrote a paper. It was classified at the time. It’s been declassified since. It’s fascinating to read. He basically said, look, once you put information on a computer network — once you have online access from multiple, unsecured locations — you’re creating inherent vulnerabilities. You’re not going to be able to keep secrets anymore.
When I was doing the research for my book, I talked to the man who was in charge of ARPA [Advanced Research Projects Agency; now known as DARPA, Defense Advanced Research Projects Agency]. I said, “Were you familiar with Willis Ware’s paper?” He said, “Sure, I knew Willis.” I said, “What did you think?” He said, “Well, I took it to the team working on the ARPANET, and they said, ‘Don’t saddle us with a security requirement. Look how hard it is to do what we’ve done. It’s like telling the Wright Brothers that the first plane has to carry 20 passengers for 50 miles. Let’s do this one step at a time. Meanwhile, it’s going to be decades before the Russians can do anything like this.’” Well, it was about two and a half or three decades. In the meantime, whole networks and systems had sprouted up with no provision for security whatsoever. I look at this as the bitten apple in the digital Garden of Eden. It was something that was foreseeable, and by a small number of people, actually foreseen from the beginning; something inherent in the technology.

Knowledge@Wharton: You start the book with a transitional moment. It involves President Reagan. It involves an actual Hollywood movie, War Games, starring Matthew Broderick.

Kaplan: It’s a crazy story. It’s one of the big surprises that I came up with in the research. It’s 15 years after Willis Ware’s paper. Ronald Reagan is up at Camp David the first weekend of June in 1983. He watches a lot of movies up there. On that Saturday night, he watches War Games. This is the Matthew Broderick movie where he plays a teenage whiz kid who unwittingly hacks into the main computer at the North American Air Defense Command. Thinking that he’s playing a new, online game called Global Thermonuclear War, he almost sets off World War III. So, Reagan comes back to the White House. There’s a big meeting on Wednesday with his national security staff about something else completely. But at some point, he puts down his index cards, and he says, “Has anybody seen this movie War Games?” And nobody has. It had just come out.

He launches into this very detailed plot description. People are looking around the room like, where is this going? He turns to General John Vessey, who is the Chairman of the Joint Chiefs of Staff. He said, “General, could something like this really happen?” The general says, “I’ll look into that, Mr. President,” like generals do. He comes back a week later and says, “Mr. President, the problem is much worse than you think.” This leads, 10 months later, to the presidential signing of the first national security directive on communications and computer security. It reads very much like government papers you read today: “Our computer systems,” which were then just going up, “are vulnerable to electronic interference and interception by foreign powers, by criminals.” But then it takes an interesting step.

This directive was essentially written by people at the NSA because they are the only ones who know anything about this. They write it so that the power to regulate and set the standards for all computers in the United States is controlled by the NSA. Some people on Capitol Hill don’t much like this.

Knowledge@Wharton: That’s a little bit of Big Brother right there, isn’t it?

Kaplan: Exactly. So, they rewrite this. But in the meantime, this is where it all begins. This is the moment that the scenarios of what makes this kind of system so vulnerable — the tensions between civil liberties and privacy, the political rivalries between the NSA and other branches of government, the things that now we’re all very familiar with — all have their birth moments in this bizarre episode where Ronald Reagan watches a movie and then asks a question that makes everybody in the room roll his eyeballs. Like, you know, what’s the old man up to now?

Knowledge@Wharton: The other interesting part is Willis Ware was a consultant on the movie War Games?

Kaplan: This is the funny irony, where things come full circle. The two guys writing this movie – who also later wrote a movie called Sneakers, which also had some impact – had heard from some friends who were hackers, about this technique called war dialing, or demon dialing. This is before the internet, where you program a phone to dial every number in an area code, and it rings twice. If a modem picks up, it squawks. The program records what that number is so you can come back to it later. That’s how Matthew Broderick breaks into the NORAD computer in the game. But they are wondering, is this plausible? I mean, wouldn’t it be a closed network? They lived in Santa Monica, which is where the RAND Corporation was. They called up the Public Affairs Department, laid out their problems. They said, “Oh, you want to talk to Willis Ware.” They go meet with Willis Ware, who is a very nice, genial guy. He listens to their problem, and he says, “You know, it’s funny, I designed the software for that computer in real life.” And he says, “You know, you’re right. It’s a closed system. But there’s always some officer who wants to work at home on the weekends, so they leave a port open. And yeah, if somebody dialed into that number, it could happen.” Then he said something that in retrospect, is very profound. He said, “You know what people don’t realize is the only completely secure computer is a computer that no one can use.”



Knowledge@Wharton: After that a-ha moment with President Reagan, you talk about how it was still a period of time until the government really started to put a lot of resources forward on this, correct?

Kaplan: Right. It lapsed again. People periodically tried to get other people interested. But again, remember, think back. This is the 1970s, the 1980s. Computers were still very new. The military, the air force was controlled by people who had been fighter pilots or bomber pilots; the army by tank commanders, the navy by submarine skippers. Computers as a weapon or as something to be concerned about – nobody really thought it through. Then three things happened around 1997. One, there was an exercise where some NSA Red Team using commercially available equipment – not even the stuff that they had at their own disposal – hacked into the Defense Department’s networks. They just shut them down or distorted them, went in, wrote phony emails, intercepted emails, shut down fax lines, just obliterated it. That’s when people started to think, “Maybe there’s something to this.” Then a few months later, somebody was hacking into a lot of military networks. It was thought maybe this is Iran. Maybe it’s the Russians. It turned out to be two kids in California. Some people said, “Whew, it was just two kids in California,” whereas others said, “Wait a minute. If two kids in California can do this, what can a nation state do?”

Then just a few months after that, another hacking started to appear, much more sophisticated, much more persistent, looking for specific things, and this was eventually traced back to Russia. It was the Russian government.

Knowledge@Wharton: The involvement of the Russians was obviously something that drew the attention of the U.S. government. In fact, you share that representatives from the American government went to Russia to confront the Russians about this hack.

Kaplan: This is 1997, 1998, so the Cold War is over. These are halcyon days. Yeltsin and Clinton. You know, we’re all friends now…. People were saying, “Maybe this isn’t the government. Maybe this is some recalcitrant faction within the intelligence community or something.” So they decided to send over a team. It was headed by the FBI. This was a criminal investigation, where we’re calling upon the Russian Federation for assistance. So it was a five-day trip. The first day — welcome, champagne, caviar, Bellinis — was great. The next day, the first day of serious work, this Russian general, very cooperative, opening up logs, comparing notes, says, “Oh, this is these bastards in the intelligence business. This is scandalous. This is awful. We’re going to put an end to this.” Then the next day, it’s like, “You’re all going on a sightseeing tour today.” The next day, nothing. The next day, well, the general is very busy. We’ll get back to you. And then nothing else happens.



They realize that what happened was that this general was just kind of out of the loop. He probably got into serious trouble for sharing things like logs with the Americans. Now, the hacking did stop for a little while. But then it resumed. Then the Chinese started getting involved and a lot of other countries. In fact, when the NSA Red Team was poking around inside the Defense Department networks, they came across some French IPs. In other words, the French really were hacking into the Defense Department networks. That was something that was kept quite secret, even in the debriefings of this game. But this was not theoretical. This was something that was really happening.

Knowledge@Wharton: In the last few years, there are so many other entities out there that want to check on other companies out there. For example, we’ve had the Sony hack. In addition to governments, every company needs to be worried about it.

Kaplan: Right. The concerns about [national security] first arose … about critical infrastructure. For the last 20-25 years, we’ve developed these systems. By critical infrastructure, I mean banks, transportation, power grids, dams. You know, the kinds of infrastructure without which our modern society collapses. They have all been tied into networks. These, what are called, SCADA systems, where it’s controlled by computers with remote monitors and sensors.


You don’t have to blow up a dam. You can hack into the computer that’s controlling the flow of water in and out of the dam. You can do the same damage, at least for a while. That’s the kind of thing that has the most serious vulnerabilities now. Again, it’s one of these things people have known about for decades. The banks have worked on it quite a bit. The other parts of the infrastructure, not so much, in part, because these are private companies. They don’t have an incentive to do this. People have proposed mandatory security requirements here and there. But it’s always been resisted by lobbyists, by the companies themselves, and even by Treasury and Commerce Department officials who will say, “This is going to be a severe impediment to their innovation. It’s going to slow them down and make them less competitive in foreign markets.”

Every few years, a new government paper comes out warning about the vulnerability of all these things. It’s been known for 35 years, and many vulnerabilities in the military networks have been addressed, but not so much in the civilian world.

Knowledge@Wharton: Is the government doing enough these days?

Kaplan: They are doing quite a bit. But every time there’s a war game where they test whether someone could hack into, say, military command networks, they always get in. They always get in. Now the Pentagon, for example, is focusing more on what they call detection and resilience. In other words, the trick is to make sure that if somebody gets into your networks, you see this very quickly, and that you can repel them very quickly and repair the damage very quickly. It’s come to that. They have given up on the idea that they can somehow make a black box that nobody can get into.
