09 December 1998
(Potential damage would be "much worse" than Pearl Harbor) (2710)
Washington -- "If an attack comes today with information warfare," it would be "much, much worse than Pearl Harbor," warns Richard Clarke, national coordinator for security, infrastructure protection, and counter-terrorism.
In remarks to the "Defense Week" conference on "Defending National Critical Infrastructure," Clarke outlined key differences between the surprise Japanese attack in 1941 on Pearl Harbor in Hawaii and the threat of "an electronic Pearl Harbor." Addressing the participants on December 7 -- the 57th anniversary of Pearl Harbor -- Clarke explained that an information warfare attack would be nationwide and target the U.S. civilian infrastructure and industrial might. The Pearl Harbor attack was "fairly localized" and "was not an attack on our industrial strength," he explained.
Outlining ways to enhance protection of information networks, Clarke cited the need for intrusion detection monitoring systems, a netted and adaptive intrusion monitoring system in the private sector, artificial intelligence research and development, and an education initiative to encourage more individuals to become highly qualified information science experts.
Following are excerpts from an unofficial transcript of Clarke's address:
(begin excerpts)
I did talk to my mother in Arizona yesterday and told her what I would be doing today and told her I was going to be talking about an "electronic Pearl Harbor." She recalled that day 57 years ago today when she and my father were off on a picnic, literally, as much of the country was, figuratively, and came back home to find out that we were at war. And within weeks my father was on his way to the Pacific where he spent the next four years.
It was 57 years ago today, and there's a lot of talk about an "electronic Pearl Harbor" now. I think there are some important differences between Pearl Harbor and the threat that we face.
While it is useful to use the phrase "electronic Pearl Harbor" to get people's attention, it's important also that we recognize the differences between Pearl Harbor and the threat we face today. Then, even though we did not know specifically with tactical intelligence that the attack was coming, we knew who the enemy was and we knew the enemy's strengths. We knew how many battleships Japan had, and we knew how many aircraft carriers it had.
The attack when it came was fairly localized. The attack on the United States at least was largely at Pearl Harbor. And while it did take out the battleships of the Pacific fleet, it was not an attack on our industrial strength. Our industrial might was untouched and allowed us to bounce back.
If we were to have an electronic Pearl Harbor, it would be somewhat different. For example, we cannot count the enemy's battleships in an electronic war. We cannot estimate the strength of the opposing force. That's something very important to the nature of structuring our activity. If I could go to the Congress and say that our satellites have flown overhead and counted the enemy's strength and it was growing, then it would be easier for me to gain the resources I need to defend this nation's infrastructure. But we can't do that in an electronic threat, in a computer information war. Therefore we have to find another approach convincing the Congress and convincing the American people that the threat is worth the resources it requires.
A second difference is that if an attack does occur today, it will not be localized. It will not just be in Aiea or Honolulu. It will be nationwide. Very seldom in our nation's history have we faced a nationwide catastrophe. We have disastrous hurricanes and earthquakes, and we respond to them fairly well. We've never had two of them at the same time -- at least not in my memory.
To think of an attack that causes the same effect as an earthquake or a hurricane, but causes it throughout the country, will severely test our reconstitution capability.
And a third difference: If an attack comes today with information warfare, it will not be after our fleet. It will be after our civilian infrastructure and our industrial might. So it would be much, much worse than Pearl Harbor.
How did we get so vulnerable? How did we allow this to happen? How is it that we wake up today on the 57th anniversary of Pearl Harbor and find ourselves again vulnerable -- even more vulnerable than we were then? The answer is that we have spent the last 20 years totally restructuring America. We have taken our electric power industry, our telephone industry, our aviation, transportation, railroads, banking -- you name it -- every major sector of our economy, and we have changed the way we do business.
No one made that decision on any one day. The Congress never voted on a bill to make us reliant upon computers and computer-controlled systems. The American people never decided to do that. But, gradually, over the course of the last 20 years, we have made all of our systems -- our key infrastructure systems -- reliant upon computers or reliant upon computer-controlled systems.
Many people had not realized before this year how reliant we have become. But this year CEOs (chief executive officers) throughout the country woke up when their CIO (chief information officer) came in to them -- their information tech officer vice president came in to them -- and said, "Boss, you know, you've bet the company on computer assistance, because if you don't fix the Y2K (year 2000 conversion) problem, if you don't do Y2K remediation, our company won't work in the year 2000."
And gradually CEOs, boards of directors, stockholders throughout the country realized that something had happened to their companies, that they now required some new piece of software to solve a problem that they didn't even know existed two years ago -- a problem called Y2K -- because without fixing Y2K they don't have a company. That means that company -- every company -- is reliant upon computers and computer-controlled systems. If that is true, it is also true that they are vulnerable to information warfare of one kind or another.
How large is the vulnerability? As I said, you can't fly overhead and take pictures of the enemy's strength. But we can scope the threat, even if we can't estimate it precisely. We can do it in two ways: one, by self-analysis -- we can look at our own vulnerabilities; and two, what graduate students at MIT (Massachusetts Institute of Technology) used to call "the cockroach test." We can go into the kitchen at night and turn on the light and see what's there when you're not looking. Let me talk about those.
First, self-analysis and vulnerabilities. Most of you by now have heard the phrases "Solar Sunrise" and "Eligible Receiver." Solar Sunrise was an attack on computer systems throughout the Defense Department last February as we were preparing to send forces to the Persian Gulf. Someone, or some group of people -- at the time we didn't know who -- gained root access, systems administrator status, on over 20 important logistical computers throughout the Air Force and, subsequently, we learned throughout the Navy and the Army. They could have therefore crashed the systems. They downloaded thousands of passwords and they installed sniffers and trap doors. And for days, critical days, as we were trying to get forces to the Gulf, we didn't know who it was who was doing it. We assumed therefore it was Iraq. We found out it was two 14-year-olds from San Francisco. Was that good news or bad?
If two 14-year-olds could do that, think about what a determined foe could do.
Eligible Receiver was an intentional attack launched by the Defense Department on the Defense Department. And for days there, too, we did not detect the attack. And the attackers, using only unclassified techniques available on the Internet, were able to get significant access and significant control of critical Defense Department computers. I would argue that those two exercises show that we have significant vulnerabilities.
What about the cockroach test? Every time we put a detection monitoring system on a...critical computer in the Defense Department or in the private sector, over the course of a week, there are scores of attempted intrusions. Over the course of a month, there are thousands of attempted intrusions, every time we look. So because we have created and operated critical computer systems for years without intrusion monitoring devices, without systems to look for people attempting to get in, because we know that every time we do put intrusion monitoring systems on, we find people trying to get in and oftentimes succeeding, we must assume today that every critical computer system in the United States is already vulnerable to information warfare attack.
What are we going to do about it? Well, there are many things that need to be done. It's going to take a lot of work over a number of years. But I do want this morning to talk about four things that are high on my agenda for making our country defensible from information warfare attack.
First, I think we need intrusion detection monitoring systems. If we go back to the Solar Sunrise experience of February, the Air Force noticed the attack and for the better of the day, we assumed it was only the Air Force that was being attacked.
And then as usual a bright Air Force captain said, "Why don't we ask the Navy and the Army to look into their computer systems at that point of vulnerability that was being attacked in the Air Force system -- rather than just asking the Army and Navy, are you being attacked and being told no, let's ask them to look at that point where the Air Force is coming under attack." And at the end of the day, all of the Army bases and Navy bases called back and said, "Whoops, you're right, we were attacked. People have gained root access. People have downloaded passwords."
Why did the Air Force know and not the other services? Because at the time the Air Force was the only service that had intrusion detection monitoring systems on critical computers. That is no longer the case. But it was at the time. But even with those systems in place on that weekend in February, we had to call up individual Air Force bases and ask them what their intrusion monitoring systems were doing. We had to get systems administrators in over the weekend and ask them to check the logs that were created by monitoring systems and to block the kind of attack that was occurring.
So, intrusion detection monitoring systems themselves are not sufficient. We need netted and adaptive intrusion detection monitoring systems. What do I mean by netted and adaptive? We need to take the hundreds or thousands of intrusion detection monitors we put on individual servers and LANs (local area networks) and net them all together so that an attack on one is an attack on all, so that we know when an attack occurs on one system, that that methodology of attack is automatically communicated to every other system on the network, so that we don't have to wake up the systems administrator in the middle of the night and ask her to come in and see if there's an attack going on, that we don't have to ask her to change her software in the middle of the night to prevent the attack.
As soon as the attack occurs on one system, all of the systems know about it and are adaptive. They can fix the vulnerability so that it cannot succeed elsewhere.
We need now to install intrusion detection monitoring systems that are netted and adaptive throughout the federal government. That is my first of my four suggestions this morning. It is already being done in the Defense Department, but the Defense Department alone does not possess our critical information systems in the federal government. How critical is NASA (National Aeronautics and Space Administration), the FBI (Federal Bureau of Investigation), the Secret Service? How critical are the checks that come out of the IRS (Internal Revenue Service), the Veterans Administration, the Social Security Administration? There are lots of non-defense systems that are critical and need to be protected, if they are not protected today.
Secondly, we need to take that kind of netted and adaptive intrusion monitoring system and cause it to come about in the private sector, because it is the private sector where our infrastructure lies. Systems owned and operated by private companies provide 90 plus percent of the telecommunications and electrical power required by the Defense Department and other agencies of government. If you take down the privately owned and operated telecoms and electricity and banking and transportation networks, you have destroyed this country. So we need not only to protect the government but more importantly we need to protect the private sector systems.
We are not talking about here creating a government system to protect private infrastructures. What we are talking about is creating a government system to protect the government's critical computers and then saying to the key sectors of our economy, "You ought to do the same thing. You the banking industry, you the electric power industry ought to create netted, adaptive intrusion monitoring systems just like we have.
And to the extent that you can learn from our mistakes, to the extent that you can learn from our successes, we want to work with you."
The third thing on my list this morning is artificial intelligence research and development. Why? I've already said that...experts can look at a dozen lines of code and, if a trap door is artfully done, cannot find it. In millions of lines of code, you are never going to find it. How then do we deal with the fact that, I believe, trap doors are already installed throughout the country? How do we defend against that if you can't find it? Well, one thing we can do is get all the computer science graduate students of the world and chain them to their desks and make them go through millions of lines of code. But we are talking about computers and we are talking about computer science, shouldn't there be a way that we can develop an artificial intelligence program that can scan in real time the operating system running on your computers to look for trap doors, to look for logic bombs, to look for Trojan horses? It's not going to be easy. It's stretching what artificial intelligence has done. But, given the time and the effort and the money necessary, it ought to be something that we can do.
Fourth, we need an education initiative. We need, frankly, more computer science majors, more information science master's degree candidates in this country. The U.S. government in particular needs more highly qualified information science majors working as its systems administrators and systems security officers. Frankly today our assessment is that we don't have anywhere near enough working in the U.S. government, in part because the government is not competitive in what is now a highly competitive market because the number of positions far outruns the number of qualified applicants.
Now all of these four things that I have talked about are an appropriate kind of activity for the U.S. government.
If we do those four things, and more about which you will hear a lot more over the next two days, then I think if the electronic Pearl Harbor does occur, and if it does come with surprise, and if we do take the hit, then I think we will be able to pick ourselves up off the floor and reconstitute our strength and go about our tasks the way our parents' generation did. But if we do not act now to put the systems in place to deal with the threat that is out there, then we will fail to do the necessary protection of our country that our parents' generation did so well 57 years ago.
(end excerpts)