You may have missed it.
As fireworks were exploding over our nation’s capital this Independence Day weekend, U.S. government websites were being attacked by hackers.
South Korean intelligence sources have since implicated North Korea.
The denial-of-service attacks, in which hackers overwhelm a website by flooding its server with as many as a million requests per second, “suggest the involvement of between 30,000 to 60,000 computers,” according to Dale Meyerrose, former chief information officer for the U.S. intelligence community.
While the cyber assault had “absolutely no effect on the White House’s day-to-day operations,” the Treasury Department, Secret Service, Federal Trade Commission and Transportation Department’s public websites were affected for days. Ben Rushlo, director of Internet technologies at Keynote Systems, called it a “massive outage”.
The fact that the White House and Defense Department websites were sufficiently protected while other agencies’ were not “points to the need for coordinated government network defenses,” said James Lewis, a senior fellow at the Center for Strategic and International Studies. “We are disorganized. In the event of an attack, some places aren’t going to be able to defend themselves.”
Of course, such vulnerabilities have been on the government’s radar for years. In an almost comic moment of foreshadowing, General Victor Renuart, Commander of the North American Aerospace Defense Command, warned about the plausibility of such an assault just two days beforehand:
While the orchestrated offense managed to knock several websites offline, it was notable to penetrate government security networks. Therefore, no sensitive information was compromised. Indeed, such denial of service attacks can be seen as nothing more than pesky, temporary inconveniences.
Or rather, as political provocation, notes John Bumgarner, director of research at the U.S. Cyber Consequences Unit:
“There’s been a lot of chatter recently about cyber-war. The North Koreans may have felt they were not getting enough attention launching missiles so they moved into another potential warfare – cyber. It’s a form of sabre rattling. But the big question is, did the North Koreans launch it themselves or [hire] someone [to] do it for them?”
And what should be the appropriate U.S. response?
Kristin Lord at the Center for a New American Security thinks the recent offense “[doesn’t] merit the use of force” as the act was simply “annoying, a little embarrassing, but not a big deal.” Michael O’Hanlon, a defense analyst at the Brookings Institution, seems to agree but rightly warns that if the attacks had harmed Americans, one would “get more serious, and start thinking and talking about it as an act of war, or at least state-sponsored violence.”
Meanwhile, government bureaucracies worldwide are continuing to shore up their defense capabilities against similar acts of cyber warfare. And rightly so: Department of Homeland Security (DHS) statistics show that such attacks have been on the rise, with “5,499 known security breaches of U.S. government computers in 2008, up from 3,928 the previous year, and just 2,172 in 2006.”
Of course, the pressing need for coordinated government action unfortunately does not make political and institutional infighting disappear. In March 2008, the Bush administration created the National Cyber Security Center (NCSC) within the DHS. Its first Director, Rob Beckström, announced his resignation less than a year after being appointed, complaining that the National Security Agency “effectively controls DHS cyber efforts.”
Since then, President Obama has outlined his own vision of cyber security, acknowledging that “we’re not as prepared as we should be as a government… [we have] failed to invest in the security of our digital infrastructure.” He has yet, however, to sort out the turf wars between the various defense institutions:
Other countries are similarly worried. France recently announced the creation of a new cyber security agency, the French Network and Information Security Agency, charged with monitoring government networks to detect and quickly respond to cyber attacks. Given the increasing prevalence of such attacks, used for instance by Russia during its war with Georgia and Iran during its election protests, cyber security agencies have good reason to demand the appropriate funding and independence needed to fulfill their mandate.
Last weekend’s surprise disruption should be warning enough.
Andrew Kessinger is an intern with the New Atlanticist. He is a graduate student pursuing a double degree in International Security at the Institut des Etudes Politiques in Paris (Sciences Po) and Columbia University (SIPA).