WASHINGTON — What could be one of the most dangerous and least understood post-cold-war threats facing the United States today has nothing to do with nuclear weapons or smart bombs. It may involve the clicking of computer mouses and the sending of unseen commands through cyberspace.
American officials and business leaders are becoming increasingly concerned about US vulnerability to "information warfare" (IW) - attacks on the nation's complex web of computers and electronic-data networks by enemies, terrorists, or even weekend hackers.
While computer security has long been a concern, apprehension is mounting about the threat of "cyberwar" and other electronic mischief as the nation's military, financial, government, and business sectors become more interlinked and dependent on proliferating communications networks worldwide.
Consider this scenario, which senior US officials and business leaders recently grappled with as part of an unprecedented Pentagon exercise:
The year is 2000 and Iranian forces are advancing on Saudi Arabia in a bid to seize control of the oil-rich Gulf. As US-led allies gear up a Desert Storm-style response, computer systems in America and elsewhere are hit by invisible assaults from the ether of cyberspace.
Telephone and power networks are taken out by "logic bombs" planted via the Internet. Viruses and other digital weaponry send banking and financial systems haywire and cause planes and trains to crash. As US leaders grope to trace the source of the chaos, history's mightiest military is paralyzed.
"Information warfare has no front line. Potential battlefields are anywhere networked systems allow access," concludes the study by the Rand Corp., the think tank that plotted US nuclear strategy. "In sum, the US homeland may no longer provide a sanctuary from outside attack."
Says an administration official: "There is a recognition that we are vulnerable. There is a feeling that maybe it's time for a focused national policy."
In their public statements, senior officials list terrorism, chemical and biological weapons, and the theft of nuclear bomb materials as the gravest dangers facing the US. Few ever mention IW. What work the the US has done on IW has concentrated almost exclusively on "offensive" tactics for use against enemies.
Developing a strategy to defend against IW faces massive hurdles, including finding a balance between privacy and the government's responsibility to safeguard national security.
Extent of threat unclear
An even more fundamental problem is that no one knows the true extent of the threat. A congressional report released this week quotes US intelligence officials as saying there has been no systematic effort to collect data for use in assessing how much of a threat IW poses.
Furthermore, the extent of US vulnerabilities is unknown. Though government agencies are believed to suffer numerous daily computer attacks, few are ever detected and reported.
Meanwhile, the corporate world has been unwilling to cooperate with the government on the issue. Companies refuse to reveal their own vulnerabilities, damages, and losses caused by computer attacks. Doing so could drive off customers, shake the confidence of their stockholders, and help competitors. The private sector also shuns government involvement in their business, especially communications.
"We do not want the federal government telling private companies how to run their information systems. But clearly there is a federal interest involved in protecting nationally linked systems," asserts Sen. Jon Kyl (R) of Arizona. "The United States currently has no ability to protect itself from cyberspace attacks."
Senator Kyl won passage in February of legislation requiring the Clinton administration to formulate by this month an IW defense policy. Administration officials say they will fail to meet the deadline but add that considerable work on the issue is under way, including a study being supervised by Attorney General Janet Reno. Several congressional committees are also examining US vulnerability to IW, as is the Pentagon.
The ability to attack computers is not a skill confined to cyberspace's best and brightest. Programs to penetrate and sabotage computer systems are widely available from hacker "sites" on the Internet and can be harnessed by anyone with a $2,000 desktop computer.
Such programs have been employed with devastating effect. "Cyber-thieves" have jumped between phone switches and computers in different countries to steal untold millions from banks and private companies. Others take circuitous cyberspace routes to break, undetected, into sensitive government computers and heist, alter, or sabotage data. The few who are caught are amateurs, experts say.
The implication of all of this, experts say, is that for a tiny investment a determined foe could develop the capability of dealing severe blows to the US without ever firing a shot or dropping a bomb. Because global communications networks are borderless and so vast, the identity of the attacker might never be determined.
"Today, our information infrastructure is increasingly vulnerable to computer attack from a variety of bad actors, including foreign states, subnational groups, criminals, and vandals. Anecdotal evidence documents that these adversaries are organized and already regularly exploiting these vulnerabilities," warns a study released Wednesday by Democratic staffers of the Senate Permanent Subcommittee on Investigations.
"Our nation is in need of a comprehensive strategy that addresses the vulnerability of our information infrastructure," it says.
Jack Brook Jr. of the Government Accounting Office (GAO), the investigative arm of Congress, says more than 120 nations are reportedly developing IW techniques.
A measure of US vulnerability was provided by a GAO study published last month on the susceptibility of the Defense Department to computer attacks.
The Defense Department has 2.1 million computers, most of which are used for unclassified but vital functions such as weapons research, logistics, salaries, bill payments, electronic mail, combat training, and tracking personnel. Many of these functions rely on the Internet, itself originally a Pentagon creation.
'Attacks' on Pentagon computers
The GAO study says that, according to Pentagon estimates, there may have been as many as 250,000 attacks last year on defense computer systems, of which 65 percent succeeded in penetrating their targets. There is no way of knowing the full extent of the damage because few of the attacks were noticed and because those that are do not have to be reported.
The study details a number of known cases in which Defense Department computers were attacked. One case concerns two hackers who cooperated in stealing secret targeting data from computers at an Air Force laboratory in Rome, N.Y., in 1994 via telephone links through South America. The pair also used the Rome computers to attack other defense computers and NASA, the study said. One hacker, a British teenager, was eventually arrested, while his partner remains untraced.
Concludes the GAO study: "There is mounting evidence that attacks on Defense [Department] computer systems pose a serious threat to national security."