Participants and Biographies:
Fallin: Bryan, what were you going to say?
Cunningham: I'd like to divert the discussion for about two minutes from the purely commercial side because in addition to passing the Patriot Act, we spent a lot of time in the White House, thinking about, "What's the worst that can happen?"
Mullen: And when you say "we," who do you mean?
Harrison: He can't tell you that. He'll have to shoot you.
Cunningham: The Congress of the United States, and the Executive Branch. So, rarely would you ever get a group with your kind of expertise and perspective together to address the following question. There's a huge debate as to whether or not there is a legitimate, significant, national security threat to the United States or to other countries from information security-type attacks. I would love to hear a discussion of whether there's any realistic capability that's either in existence now or in the next five or ten years, where you could do serious damage -- data system attacks, screwing up the FAA airline transportation system. Do you think this threat is over-hyped or not?
Kaminsky: Let's break down the problem that you provide.
Mullen: I'm going to get in trouble on this one.
Kaminsky: The national security threat is that the country might become unable to implement its will due to a certain kind of information-style attack. In other words, there is a command and the command cannot be implemented because the mechanisms are not in place to implement the command.
Cunningham: Or there's catastrophic damage to the economy or public services.
Kaminsky: That is arguably a different problem. On the one hand, there's the problem of: we want to do a short term thing and we can't. On the other hand is: we had a complex chaotic system -- the economy -- in operation, and that chaotic system has been disrupted in a manner that is short-term extremely harmful. These are two different problems. They are two different national security threats. Would you agree with that?
Cunningham: They are.
Kaminsky: It would be very hard to argue that neither is technically possible.
Nachreiner: How about probable? Let's get out of this "what is technically possible" and get into what is really happening. Who cares if they're theoretically possible. Are they probable?
Mullen: That's novel. You actually want to discuss real life scenarios. [laughter]
Nachreiner: Exactly. Will we really get attacked by something that will hurt our government?
Long: Look at what the US is scared about right now: it's the asymmetric threat. The threat does not come from a super power. It's not about getting attacked by some big country with lots of money. It's asymmetric threats. One person causing damage to a big group. Well, in that sense, that's the same threat any government faces online, you know? The war in cyberspace is asymmetric. The threat is, one smart person with a little bit of funding, on any kind of connection, could potentially inflict a large amount of damage. That's it. Plain and simple.
Cunningham: All right, does anyone disagree with that?
Mullen: That they could do it?
Mullen: Well, I could flap my arms and fly to the moon if I do it hard enough. [To actually hurt American infrastructure by using the Internet] would require a sustained attack that includes the physical.
Cunningham: It's not just that. You could disrupt surgery schedules in hospitals around the country. You could disrupt the air transportation system, I mean there are a lot of theoretical ways that you could do a lot of economic and terror damage. Remember, terrorism is just striking fear in people. It's not really based on the amount of actual damage you can do. And so what I'm asking this group is, What is the realistic probability of such a threat?
Mullen: A terrorist is not gonna interrupt the communications network. Without the communications network, the fact that they've induced whatever pain and suffering on the target won't be communicated. The way that a terrorist is going to get their point across is to bring two big buildings down so everybody can watch it on television.
Harrison: That much has been made very clear.
Mullen: So, the threat of an asymmetric terrorist group actually attacking an infrastructure that would interrupt communications I think is minimal.
Cunningham: How about public utilities? How about air transportation? How about data systems?
Mullen: You're talking about a qualified attack over an infrastructure that would have to remain intact in order for the full value of the attack to be realized across the States.
Temmingh: So, basically what you're saying is that a Denial of Service attack and a viral attack don't go hand-in-hand.
Cunningham: Look, it's a very sincere question. If the experts in this room honestly believe that the possibility, given today's technology, of a catastrophic national security-damaging attack are vanishing …
Mullen: I'm not going to say that.
Cunningham: …That we shouldn't--
Harrison: I think you've overgeneralized the issue.
Mullen: I once had grid resources through a Web application anonymously for a power company. Grid resource control, OK? SQL injection, hit that through an anonymous connection and I had grid resources for the State. I understand what the threat is. I understand what the risk is. Is it possible that a terrorist group is going to use the Internet to inflict damage? Absolutely. So, if you're gonna ask us is the possibility there, we're technology people. We have to say, Of course, the possibility is there.
Cunningham: But understand there are technology people who say the possibility isn't there.
Mullen: Fine. They can say that. But the possibility is there. It'd be hard to argue. Anybody who tells me the possibility is not there is going to have to erase my memory.
Cunningham: Don't think that's not do-able. [laughter]
Pinzon: Somehow that's more scary coming from a government guy. [laughter]
Cunningham: Ex-government guy!
Mullen: Well, I was waiting on Will Smith to walk in here with his memory flashlight -- [laughter]
Kaminsky: What was it, a couple years back we had an Eastern power outage?
Kaminsky: The entire Northeast lost all electricity. It's never been conclusively, publicly said that this was because of Blaster, but pretty much everyone that I know in that scene was saying, Yeah, Blaster took out all the management machines. Now, I've not seen the evidence first hand, and in fact I've since heard other well-placed people contradict this early reaction, but the point is that nobody considered it at all impossible or even unlikely that this very large scale power outage was the result of Blaster.
Harrison: That's the first thing that everybody thought of.
Fallin: …No, but if the virus was targeted -- [room breaks into comments; Fallin prevails] No, no, stop stop. If the virus was targeted, and somebody stands up like al-Qaeda and says, "We did that," then that Northeast power outage becomes a completely different event.
Cunningham: What it becomes, under international law, is an act of war.
Kaminsky: Yes it does.
Fallin: How are you going to retaliate and wage war on a group of people that we've been chasing for four years?
[several voices talking at once]
Mullen: Are we not in agreement?
Temmingh: I guess the problem here is, who's got the most machines connected to the Net?
Mullen: Oh, I do. [laughter]
Temmingh: No, I mean what country has the most machines hooked to the Internet?
Harrison: Although China's coming up fast.
Temmingh: Who's got the most to lose, if there's an information war?
Harrison: If you had to pick one right now, this very time and place, I'd say, America would be the biggest target because we have the biggest interconnected infrastructure.
Temmingh: Sure, and that's my point. How much does America have to lose in this whole thing? A lot. Probably even the most of any country in the world.
Long: That's the nature of an asymmetric threat.
Mullen: The question, though, the original question was, Does the threat of infrastructure attacks exist? It does.
Cunningham: But just understand. That is a controversial answer. I mean, there are lawyers, there are policy makers, there are technical specialists who will tell ya this cannot happen.
Mullen: OK, then they weren't sittin' on the Web, attacking grid resources.
Cunningham: I understand. And I'm looking forward to this transcript being published. [big laughter]
Mullen: But I think this is important -- is the United States communication infrastructure a critical part of a terrorist attack? Not because of taking it out, but because of keeping it up. Right? You know what happened to the CNN Web site on 9/11?
Harrison: It was like Slashdot hooked to it.
Mullen: Well yeah, people couldn't access it.
Harrison: That could just as easily be people beating it to death with requests.
Fallin: But there was still radio and television.
[descends into chaos of voices.]
Mullen: Wait wait! What do you think caused the terror?
Temmingh: The fact that you couldn't route to CNN.
Mullen: No, that wasn't the terror. The terror was the fact that these people were killed. The way that everybody found out that the people were killed was over the communications network.
Harrison: I got to watch the second plane hit. I was not watching the Internet.
Cunningham: So your point is that a terrorist that was wanting to launch a catastrophic attack would want the communication system to stay up.
Mullen: Because the reason that it's terror --
Cunningham: Fine! But why are you limiting your analysis to the communications system?
Mullen: It's not just the communications system. Because, if an attack -- for a coordinated attack to go off against all these systems simultaneously, it's gonna have to continue. I wouldn't launch a singular attack, expecting that it's gonna work the first time. You're gonna have to saturate the network.
Harrison: Or look for a cascade effect.
Mullen: Otherwise, if you don't saturate the network … If you don't continue the attack, it ends. You have to make a continued, sustained attack, to make sure that all available assets continue to be exploited. That's gonna have to be true on all networks. If that's going to happen, the terrorists risk taking out the entire infrastructure.
Cunningham: Well you guys tell me; you're the experts. But I would think the capabilities are more subtle and targetable than that. I would think you could leave CNN's Web site up while --
Mullen: CNN can't leave CNN's Web site up.
Cunningham: -- and you could leave communications alone, yet touch air traffic control, and hospitals, and water resources, and just stay away from the communications. And that's probably what they'd want to do.
Mullen: It's not gonna play like that.
Pinzon: I don't buy it.
Mullen: You don't? You think I'm wrong about that. Okay.
Pinzon: I don't think that terrorists necessarily care if our communications stay up. I think they understand that it would also be scary if suddenly no one could reach Las Vegas by phone or Web or --
Harrison: Uncertainty more scary than fact? There were more people talking about what they saw on the news than what they couldn't see. I guarantee you.
Mullen: You're agreeing with me.
Harrison: Yes. I think we're ignoring one of the basic precepts behind terror and terrorist acts: they're anything but subtle. The idea is, "We're going to literally make you wish you had a clean pair of underwear." That's the biggest point behind any terrorist attack you ever saw. Why do they like bombs? Because it makes a big noise, a big flash, and people die. They like running into stores, and mosques, and what not, shooting people left and right. Why? Because it's a lot of noise, it's a lot of flash, and people die. You could take out our entire Internet, and with few exceptions, people won't die.
Nachreiner: But I think what Cunningham's saying is, What if they didn't take out the whole Internet and they just shut off all the power in New York ?
Harrison: Here's my point. While it is possible and certainly easy to mount, for at least a short period of time, the probability that they're going to use this medium to attack us in the context of a terrorist act is very small in my opinion.
Cunningham: Because why?
Harrison: There's very little return on the effort.
Mullen: Let's ask an attacker how hard that would be. [Turning to Jaco van Graan] Now--
[laughter; asides: "I didn't see his bomb!"]
Mullen: You attack my infrastructure. Internet Web has to stay up, Exchange communications between all my clients has to stay up, and access to the Web has to stay up. You have to take out my SQL server, you have to take out my authentication server, and you have to take out my, um, internal alarm system. While leaving everything else up. How hard is that gonna be for you to do?
Van Graan: I think if you have enough time, then you will be able to do it.
Mullen: Enough time on my one network. And how much time is that for you to go in, and on this one network, do reconnaissance that will allow you to create a sustained attack that keeps all these services off line, while allowing all these other services to stay on line indefinitely?
Temmingh: I think that depends on what kind of attack you're doing, but, I think what you're referring to is, if you wanna take those machines down -- if you're talking a Denial of Service attack, it's gonna be really difficult to be a Denial of Service attack.
Mullen: I agree with you.
Temmingh: I think it's all or nothing.
Mullen: That, sir, is my point. Now multiply that times 150 million, okay? Different infrastructures. Different services. Different attack points. Different attack platforms and sources. In order to sustain an attack like this -- this is my opinion -- the infrastructure's all or nothing.
Kaminsky: Why do you have to sustain an attack? Why not just cause enough damage such that --
Mullen: Because then the attack's no longer an attack.
Kaminsky: Well I mean --
[people jumping in; Temmingh prevails]
Temmingh: If you start deleting all the data on the server, it's not a sustained attack. But it's unrecoverable.
Mullen: We're not talking about that. We're talking about the Denial of Service; we're talking about --
Nachreiner: No we're not! We're talking about a critical strike to one resource.
Mullen: You mean, take it out and it never comes back up? How do you know it never comes back up?
Cunningham: It doesn't matter! It doesn't matter if it ever comes back up, because terrorism is about spreading fear.
Mullen: Mm-hmm. And how you gonna spread it?
Cunningham: And once a sector of this economy understands that they're vulnerable, that is severe economic and national security damage.
Fallin: Case in point. I happen to know that the systems which control the inflow of water to a major west coast city are all computer-controlled, and many of them are accessible from the Internet. It is possible through the abuse of those controls, or similar controls on natural gas pipelines, and those sorts of things, to permanently rupture a --
Mullen: Not permanent.
Fallin: Well, for a period of weeks, damage the vessels through which the water and the gas flow into the city.
Mullen: That's what I mean by sustained.
Temmingh: No no no! That's not what he's saying. He's saying it's permanent damage.
Mullen: It's not permanent.
Temmingh: If it's physical, there goes the pipe and water.
Fallin: I can rupture a gas pipeline by abusing the controls, I can rupture a water pipeline by abusing the controls. Suddenly the city has no water and no gas. No sustained attack: sustained effect.
Mullen: The difference between turning the valve and shutting off the line, and abusing that valve to the degree that it causes permanent damage. Now … you've done this?
Fallin. No. It is theoretically possible according to somebody who has intimate knowledge of the system.
Mullen: Okay, well then they're using the wrong controls.
Fallin: But those are the controls they have.
Kaminsky: Large-scale physical infrastructure can always be configured in a way that causes things to blow up.
Mullen: Can you walk over to your tub and overpressure the pipe in such a way --
Kaminsky: That's your tub! That's not something that serves water to a city!
Mullen: Okay, theoretically possible. Wait wait!
Temmingh: Come on, we don't know! Let's just say, we don't know.
Fallin: It's something along the lines of a failure in one power control system in Ohio, taking out the entire Northeast through a cascading affect.
Kaminsky: Which happened.
Cunningham: Does anyone disagree with this proposition? I have not heard anyone say, that it's not technically possible for people with bad intent against the United States to do catastrophic damage to our infrastructure. Even if that damage is short-term. I've not heard anybody object to that.
Mullen: Of course we're not going to, because we don't know. No one's going to say that, even if they think it.
Cunningham: Okay, so you concede it's possible --
Mullen: You know what? The little red light on there [gesturing to the iPod recording this session], nobody's going to sit here and say, "It's not possible." Even if they believe it.
Cunningham: All right. So possible is not the same as likely, and it's not the same as saying, we ought to devote significant resources to this. So. Getting back to the original overhyped/underhyped question, is there consensus that critical infrastructure threats are either of significant magnitude and probability that we should worry about them, or they are of vanishing probability? Or do we just disagree about that?
Kaminsky: I don't think they're a vanishing probability. Basically, I think they're appropriately worried about.
Mullen: Without enough data to support a conclusion.
Harrison: That's a fair statement. So then, you have real possibility bordering on real probability. The question we have to examine is, do we deal with this in a blanket manner where all things must be dealt with in a Patriot Act kind of mentality?
Cunningham: Oh, I'd have that discussion, but you don't have enough time! [laughter]
Harrison: I don't think we're going to come away from this meeting tonight with an answer to that question.
Cunningham: But I think we've made a lot of progress. Because we've got a dozen experts here who say it's something that's so possible, we ought to worry about it. And that opinion is not universally shared.
Fallin: Okay then, new question. "There is no longer any privacy; get over it." Is this statement accurate, or overstated?
[Editor's note: Loved it? Hated it? Interested in hearing the group's response? Let us know at firstname.lastname@example.org. If we receive enough responses, we'll publish a subsequent article. -- Scott]