Even before the terrorist attacks of September 11, 2001,
security experts were becoming increasingly concerned about the
vulnerability of U.S. computer systems and associated
infrastructure. The 9/11 attacks amplified these concerns.
Less attention, however, has been paid to state sponsors of
illicit computer activity, which are increasingly using the
Internet to conduct espionage, deny services to domestic and
foreign audiences, and influence global opinion. In addition,
insufficient focus has been given to how terrorists exploit the
Internet as a tool for recruiting, fund raising, propaganda,
and intelligence collection and use it to plan, coordinate, and
control terrorist operations. Combating these malicious
activities on the Internet will require the cooperation of federal
entities, as well as friendly and allied countries and the private
sector.
Recent cyber initiatives show promise, but a more concerted
national effort is required, particularly in acquiring commercial
capabilities and services, managing military intelligence and
information technology programs, and developing a corps of
professional national security practitioners.
Dangers Lurking
In recent years, government and private information networks
have increasingly come under attack from a variety of
state-sponsored and non-state actors.
State-Sponsored Threats. A widely publicized cyber
assault against Estonia in 2007 increased suspicions that
adversarial states are using online malicious activity as a tool of
national policy. The assault disrupted public and private Estonian
information networks with massive denial-of-service attacks. Recent
revelations of Chinese cyber-espionage activities against sensitive
information networks in the United States, Germany, and other
countries have further heightened concerns that the World Wide Web
is becoming just another battlefield.[1]
The Estonia attacks targeted the Web sites of banks,
telecommunication companies, media outlets, and government
agencies, eventually forcing the country to block all foreign
Internet traffic.[2] Many Web sites were shut down by
denial-of-service attacks, in which the attacker uses thousands of
hijacked computers to bombard a Web site with useless
information until it is overloaded. For one bank, disruptions in
cyberspace resulted in material losses of over $1 million after it
was forced to shut down online services.[3] At one point, telephone
service for fire and rescue units was suspended for over an hour.[4]
Estonia's defense minister described the attacks as "a national
security situation.... It can effectively be compared to when your
ports are shut to the sea."[5] The Estonia attacks vividly testify to the
disruptive power of a coordinated cyber offensive.
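The denial-of-service pattern described above (many hijacked machines each sending a modest stream of requests until the target is overloaded) leaves a recognizable trace in ordinary web-server logs: a sudden jump in request volume spread across an unusually large number of distinct source addresses. The following is an added example, not code from the article or from any of the organizations it names; it runs a simple window-based detector over a constructed sample of Common Log Format lines. The window length, the request threshold, and the distinct-source threshold are illustrative assumptions, and the IP addresses and timestamps are constructed for the demonstration.

```python
"""Flag a distributed flood in web-server access logs (added example).

Assumptions (not from the article): Common Log Format lines, a 1-second
analysis window, and thresholds of 50 requests and 20 distinct sources
per window. The sample log is constructed, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def detect_flood(lines, window_seconds=1, max_requests=50, min_distinct_sources=20):
    """Return the time windows whose traffic looks like a distributed flood.

    A window is flagged only when BOTH the request count and the number of
    distinct source addresses exceed their thresholds: a single misbehaving
    client can generate volume, but a botnet generates volume from many
    sources at once.
    """
    buckets = defaultdict(list)  # window start (epoch seconds) -> source IPs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the parser cannot read rather than crash
        epoch = int(rec["ts"].timestamp())
        buckets[epoch - (epoch % window_seconds)].append(rec["ip"])

    alerts = []
    for start in sorted(buckets):
        ips = buckets[start]
        distinct = len(set(ips))
        if len(ips) >= max_requests and distinct >= min_distinct_sources:
            alerts.append(
                {"window_start": start, "requests": len(ips), "distinct_sources": distinct}
            )
    return alerts


def make_sample_log():
    """Constructed sample: 5 s of normal traffic, then 2 s of flood traffic."""
    template = '%s - - [01/Jan/2007:10:00:%02d +0200] "GET /index.html HTTP/1.1" 200 512'
    lines = []
    # Normal: three requests per second from three regular clients (TEST-NET-1).
    for sec in range(5):
        for i in range(3):
            lines.append(template % ("192.0.2.%d" % (i + 1), sec))
    # Flood: sixty requests per second, each from a different source (TEST-NET-2).
    for sec in range(5, 7):
        for i in range(60):
            lines.append(template % ("198.51.100.%d" % (i + 1), sec))
    return lines


if __name__ == "__main__":
    for alert in detect_flood(make_sample_log()):
        print(alert)
```

The two thresholds are deliberately separate: raising only the request threshold would still fire on a single broken client retrying in a loop, while requiring many distinct sources captures the "thousands of hijacked computers" signature the article describes. In practice the thresholds are tuned against a baseline of the site's own normal traffic, and the alert is the starting point for upstream filtering by the ISP, which is the kind of coordination the Estonian CERT organized.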
Chinese intentions also give cause for concern. Senior defense
analysts believe that China has undertaken a sustained effort to
develop information warfare capabilities to achieve
"electromagnetic dominance" over the United States and other
potential competitors.[6] Security experts believe that the Chinese
government orchestrated a sophisticated cyber-espionage effort
known as Titan Rain, which downloaded information from hundreds of
unclassified defense and civilian networks.[7]
U.S. government information systems are attacked every day from
sources within the country and around the world. Some of these
intrusions have been extremely serious, compromising security and
costing millions of dollars. Penetration of computer networks at
the National Defense University proved so pervasive that the
university was forced to take the entire computer network offline
and install new information system defenses.
In 2007, Der Spiegel alleged that Chinese
programmers had placed spy software on computers at the
Foreign, Economics, and Research and Development Ministries as
well as on computers used by the Chancellery office.[8] Such
Trojan horse programs can capture data from host computers and
transmit the information to external users. The immense scale of
the Internet espionage operations suggests that they could not have
occurred without the knowledge and at least the tacit support of an
official Chinese entity.
Shortly after the Spiegel article was published,
officials in Britain, France, the United States, and other
countries indicated that they had found similar evidence of
Chinese cyber-espionage campaigns.[9] This evidence includes media
reports of cyber penetration of the U.S. Department of
Homeland Security (DHS) and U.S. Department of Defense from
Chinese-language Web sites.[10]
Another concern is the surety of original software and computer
components. In two recent reports, the Defense Science Board has
warned about the potential vulnerability to intrusion, malicious
activity, and exploitation via malicious software and
semiconductor components.[11]
Non-State Threats. Analysts have also documented a
steady increase in terrorists' use of the Internet.[12] In
addition, transnational criminal organizations routinely
conduct cyber operations, including identity theft and fraud.
Internet Exploitation. One comprehensive survey has
identified specific ways that terrorists employ the Internet.[13]
They use the Internet to:
- Wage psychological warfare by spreading
disinformation, delivering threats to instill fear and
helplessness, and disseminating horrific images. For example,
the grisly murder of Daniel Pearl was videotaped by his captors and
posted on several terrorist Web sites.
- Create publicity and spread propaganda.
- Gather intelligence. Details about potential targets--such as
transportation facilities, nuclear power plants, public buildings,
ports, and airports--and even counterterrorism measures are
available online. For example, the DHS maintains a
password-protected online site called Tripwire, which provides
information on how to counter improvised explosive devices
(IEDs).
- Fundraise. Many Islamic charitable organizations allow
users to make a zakat contribution online. Some terrorist
organizations use front companies and charitable organizations
under their control to receive such donations.
- Recruit and mobilize supporters through chat rooms,
cybercafés, and bulletin boards.
- Communicate and coordinate with operatives and
supporters. Two terrorist cells in Florida and Canada,
which were recently disrupted, passed messages via the
Internet.
- Share information, such as how to manufacture and use
weapons, including bomb-making techniques.
- Plan attacks. To preserve their anonymity, the 9/11
attackers used public Internet services and sent messages via
free Web-based e-mail accounts.
Al-Qaeda and other transnational terrorist networks rely
heavily on the Internet to communicate with dispersed operatives.
The organization's messages appear on approximately 6,000 Web
sites.[14] As-Sahab Institute, al-Qaeda's media
component, has released a slew of videos--about one every three
days since the beginning of 2007--featuring Osama bin Laden and
other terrorist leaders. Observers have been impressed by both the
quantity of these releases and the institute's use of the
latest commercial computer software and hardware in producing
and distributing them.[15]
The Internet offers terrorists certain advantages over more
traditional means of communication and operation:
- Easy access,
- Little government control,
- Potentially enormous domestic and foreign audiences,
- Anonymous communications,
- Rapid information exchanges,
- Low cost,
- Multimedia platforms, and
- The ability to influence other mass media that rely on the
Internet for stories.[16]
The Internet also gives terrorists tremendous operational
flexibility. When extremist Web sites have been identified, hacked,
or shut down by Internet service providers (ISPs), the
terrorists have turned to chat rooms and message boards for
communication. Their Web sites commonly disappear from and
return to the Web. Al-Qaeda operatives post their messages and
videos on Islamist forums.[17]
Non-State Cyber Attacks. Islamist hackers have promoted
the tactic of "electronic jihad," attacking "enemy" Web sites to
harm the enemy's morale and economic and military infrastructure.
Many Islamist Web sites host forums that discuss how to conduct
such Web-based offensives.[18] The Web is a target-rich environment. The
Department of Defense alone has 3.5 million computers and 35
internal networks located in 65 countries, many of which depend on
commercial systems.[19]
Propaganda and Fundraising. One of the most troubling
developments has been the use of the Internet by Sunni
insurgent groups in Iraq. These groups use the Web to conduct media
campaigns by distributing videos, online magazines, blogs,
video clips, full-length films, and online television programs.
According to an authoritative study by Radio Free Europe/Radio
Liberty's Arabic Language Service:
[These products are] undermining the authority of the Iraqi
government, demonizing coalition forces, fomenting sectarian
strife, glorifying terrorism, and perpetrating falsehoods that
obscure accounts of responsible journalists. Insurgent media
seek to create an alternate reality to win hearts and minds, and
they are having a considerable degree of success.[20]
These products are designed primarily for political
activists who are native Arabic speakers and have high-speed
Internet connections. The majority of downloads are in the Middle
East but outside of Iraq. Insurgent media appear to be most
effective in fundraising and influencing "opinion makers," and
secondarily as a source of recruiting.[21]
The Response
Among the more than 1 billion Internet users are actors who
threaten American security. Efforts to combat them have increased as
the danger has grown.
Federal Programs. The U.S. government took some measures
before 9/11 to enhance cybersecurity and its capacity to combat
malicious activity on the Web, including a 1987 requirement that
government personnel protect their computer data and
formulation of the first national cybersecurity strategy in
2000. However, strong resistance from civil liberties and privacy
groups as well as anemic funding from Congress prevented the
establishment of a planned government network to detect
intrusions.
After the 9/11 attacks, Washington took additional steps to
improve the safety and security of its online information. In 2002,
Congress enacted the Federal Information Security Management Act
of 2002, which requires agencies to develop policies and standards to
protect the integrity, confidentiality, and availability of
Internet-based information. In February 2003, the Administration
released the National Strategy to Secure Cyberspace.[22]
Homeland Security. In 2003, DHS, in cooperation with
Carnegie Mellon University, created a computer emergency
response team (CERT) to coordinate emergency efforts and
established an alert system for cyber threats. The US-CERT has also
sought to facilitate public-private cybersecurity
partnerships, notably by sponsoring the National Cyber
Security Summit in December 2003. Today, most responsibility
falls under the National Cyber Security Division.
Intelligence Operations. The intelligence community
maintains a clandestine technical collection program. Although few
operational details are publicly available, intelligence
agencies are widely believed to have some capability to penetrate
computer systems used by transnational terrorist
networks. These efforts include passively intercepting
communications to identify cells and determine their activities.
Presumably, the intelligence community also has the capacity
to disrupt terrorist operations by, for example, denying
services, hacking computer programs, and altering terrorist
messages.
More is publicly known about the intelligence community's
defensive capabilities. Strengthening cybersecurity has been a key
objective of the Information Sharing Environment (ISE), a
collection of policies, procedures, and technologies that
permit the exchange of terrorism information, including
intelligence and law enforcement data. The ISE aims to
promote a culture of data sharing among its participants to
ensure that information is readily available to support their
missions. The ISE connects federal, state, local, and tribal
governments. It also envisions a critical role for
private-sector and foreign actors in sharing information to counter
terrorist threats.[23]
Military Responses. The military increasingly envisions
cyberspace as a theater of operations. Defense operations range
from field activities to strategic campaigns. For example, U.S.
forces in Iraq have undertaken operations to suppress
insurgent propaganda networks that use the Internet against
coalition forces.[24]
At the national level, the U.S. Strategic Command (STRATCOM) has
played a role in global cyber operations since its creation in
1992. STRATCOM's Joint Functional Component Command for Network
Warfare was established in 2005 and is responsible for working with
federal agencies on computer network defense and for planning
offensive information warfare. The Director of the Defense
Information Systems Agency also heads a Joint Task Force for Global
Network Operations.
The military services, particularly the Air Force, have
demonstrated an increased interest in cyber operations. The Air
Force recently announced the creation of a Cyberspace Command on
par with other Air Force major commands to develop information
warfare capabilities and doctrine.[25] Lieutenant General
Robert Elder, Commander of the 8th Air Force, is helping to set up
the new command. He has emphasized the need to "ratchet up our
capability" in cyberspace to challenge China's emphasis on
information warfare.[26]
This military emphasis on cyberspace does not necessarily
translate into protection against the kinds of disruptions
experienced in Estonia. The Defense Department's policy on
cyberwarfare specifically emphasizes protecting the military
information network and developing offensive cyberwar
capabilities against potential adversaries.[27]
International Cooperation. The attacks against Estonia, a
NATO member, have reenergized multinational cyber defense
efforts. NATO information specialists have traditionally
concentrated on protecting the alliance's own networks, especially
those that might support collective military operations. The
Estonia incident led NATO to deploy some of its information
specialists to provide immediate assistance.[28]
The Estonian CERT was effective in reducing the level of
disruption caused by the attacks. By coordinating the work of
foreign Internet service providers, local law enforcement, and
network managers across the country, the CERT ensured that
Estonia's information infrastructure responded in a
coordinated manner. Without an empowered and properly funded CERT,
the cyber attacks could have lasted much longer and been more
disruptive.[29]
However, Estonia's cyber disruption highlighted the need to
clarify both international and domestic responses to malicious
cyber activities. Member governments are currently studying the
question of precisely which conditions would cause such attacks to
fall within the alliance's definition of self-defense, requiring a
collective NATO response under Article 5 of the North Atlantic
Treaty.[30]
NATO is not the only organization demonstrating renewed interest
in combating cyber threats. The United Nations, the Council of
Europe, the Shanghai Cooperation Organization, and other
international bodies have initiated programs aimed at countering
information attacks through the Internet, including attacks by
terrorist groups.
Public-Private Partnerships. In 2003, the White House
issued Homeland Security Presidential Directive 7, which
emphasized that "critical infrastructure and key resources provide
the essential services that underpin American society."[31]
The directive resulted in development of the National
Infrastructure Protection Plan (NIPP), which was released in 2006.
The NIPP details cooperative strategies for public-sector and
private-sector information sharing and network protection.[32]
The NIPP relies on several institutions, particularly
Information Sharing and Analysis Centers (ISACs), to facilitate the
exchange of information with critical business sectors, such as
financial institutions and energy companies. ISACs are established
and funded by the private sector, and the data handled by ISACs are
provided largely by private-sector participants. ISACs also receive
information from other entities, including law enforcement agencies
and security associations.[33] In addition to the ISACs, critical
business sectors have Sector Coordinating Councils that develop
policy recommendations in coordination with government agencies.[34]
The NIPP and its associated centers provide the backbone of
the DHS cyber effort.
In addition to the strategies outlined by the NIPP, information
sharing between government and the private sector receives
considerable support from InfraGard, a program established by the
FBI in 1996.[35] Originally developed to assist cybercrime
investigations, InfraGard facilitates collaboration with law
enforcement, business, and academia on a range of security-related
issues. InfraGard chapters facilitate information collection,
analysis, and training and provide discussion forums to share
best practices. InfraGard also provides a secure Web-based
communications platform.[36]
Nongovernmental Efforts. Private-sector companies,
universities, research centers, and nongovernmental groups
have developed capabilities to combat malicious cyber activities
and to investigate or disrupt terrorist operations on the Internet.
Perhaps the best-known of these groups is the Internet
Security Alliance, a collaboration between the Electronic
Industries Alliance, a federation of trade associations, and
Carnegie Mellon University's CyLab. It was established to provide a
forum for information sharing and to generate suggestions for
strengthening information security.
Many other organizations and private-sector companies support
America's cyber defenses. The University of Arizona has conducted a
multi-year project called Dark Web, which attempts to monitor how
terrorists use the Internet. The university's Artificial
Intelligence Lab has accumulated the world's most extensive
database of terrorist-related Web sites--over 500 million pages of
messages, images, and videos--and has made it available to the U.S.
military and intelligence communities. Some of its sophisticated
software exposes social linkages among radical groups and seeks to
identify and track individual authors by analyzing their
writing styles. This knowledge enables researchers to assess which
people are most susceptible to radicalization and which
terrorist recruitment messages are most effective. The university
recently received a $1.5 million federal grant to concentrate
on how extremists use the Internet to teach terrorists how to
construct IEDs.[37]
The Middle East Media Research Institute (MEMRI) publicizes
extremist messages on the Internet, including terrorist Web
sites, discussion forums, and blogs. After MEMRI published a
comprehensive survey of Islamist Web sites in 2004, many of them were
closed down by their hosting ISPs.[38]
After 9/11, the U.S. Military Academy at West Point established
a Combating Terrorism Center. Among the center's studies, The
Islamic Imagery Project: Visual Motifs in Jihadi Internet
Propaganda[39] provides a ready guide to
commonly used terrorist graphics, symbols, icons, and
photographs.
In addition to these efforts, nongovernmental organizations and
private companies provide a variety of analytical and
investigative tools for penetrating terrorist operations on
the Internet. For example, the Washington-based SITE Intelligence
Group routinely monitors, translates, and posts information
from terrorist Web sites and often shares that information
with U.S. intelligence agencies.
Finally, software and hardware providers continue to
respond to the needs of the marketplace with new services and
products to counter illicit online activity, from combating
unauthorized intrusions and countering denial-of-service
attacks to preventing the disruption or exploitation of systems or
data. Providing security services and products is a
multibillion-dollar-a-year industry.
Reinforcing the Cyber Arsenal
A war is raging on the Internet--a contest of action and
counteraction between legitimate users and malicious actors that
range from state-sponsored hackers to terrorists and
transnational criminals. However, the perception that the
United States is defenseless in the face of illicit exploitation of
computer networks is far from accurate. Both the government and the
private sector possess significant capabilities.
Nevertheless, there is little room for complacency. New
computer advances create new vulnerabilities. The surety of
information systems and the capacity to deter, disrupt, or exploit
malicious Internet activity will require developing
capabilities proactively and responding in a timely manner to
emerging threats.
Washington is struggling "with understanding and harnessing
information technologies and the prospects for cyber-warfare, but
these challenges may represent merely the dawn of an age in which
military competition is defined by commercial research and
development and consumer choice."[40] The federal government is
a fairly minor customer in the multitrillion-dollar transnational
information industry.
The initiatives that will likely best serve the United States
and its friends and allies in the cyber conflicts of the 21st
century will be those derived from the private-sector experience,
coupled with emerging military and intelligence capabilities to
conduct information warfare and law enforcement measures to combat
cybercrime. What is required is a national framework that builds on
these capabilities, encouraging them to collaborate and
reinforce one another. They should form the cornerstone of smart
strategies for fighting and winning against the cyber threats of
the future.
Several principles for cybersecurity and competition
should guide U.S. efforts. Specifically, the U.S. should:
- Adopt best practices. Both government agencies,
such as the National Institute for Standards and Technology, and
the private sector should continue to develop best practices and
lessons learned.[41] These can be effective tools. Ensuring
that these practices are continuously updated and applied should be
government's first priority. Only programs that establish clear
tasks, conditions, and standards and that ensure rigorous
application will keep up with determined and willful efforts to
overcome surety efforts.
- Employ risk-based approaches.[42] All information
programs should include assessments of criticality, threat,
and vulnerability as well as measures to reduce risks efficiently
and effectively.
- Foster teamwork. Cybersecurity is a national
responsibility that requires global cooperation. The United States
must maintain effective bilateral and multinational
partnerships to combat cyber threats.[43] These efforts should
include rigorous measures to prevent the export of sensitive
technologies to malicious actors, as well as persistent
vigilance to ensure that adversarial states and transnational
terrorist and criminal groups do not penetrate U.S. companies that
provide essential national capabilities and sensitive national
security services.
- Exploit emergent private-sector capabilities. Critical
capabilities could come from many sources, including small
companies and foreign countries.[44] The U.S. government needs
to become a more agile consumer of cutting-edge commercial
capabilities.
- Focus on professional development. Most government
information programs underperform because they lack clear
requirements, have unrealistic projections of the resources
required to implement them, and lack attentive senior
leadership. All of these problems can be addressed by
maintaining a corps of experienced, dedicated service
professionals. National security professionals must have
"familiarity with a number of diverse security-related
disciplines...and practice in interagency operations, working with
different government agencies, the private sector, and
international partners."[45] These skills and
attributes must include expertise in cyber operations, as well as
in developing and managing new systems.
Washington can do better in preparing to respond to current and
future cyber threats. Long-term commitment and sound initiatives
are needed, not massive reorganization and massive infusions of
government cash. These initiatives should push for better and
faster acquisition of commercial services; better and smarter
management of military, intelligence, and information
technology programs; and better and sustained professional
development of federal, state, local, and private-sector
leaders.
Next Steps
Washington needs to accept that cyberwar will be an enduring
feature of the long war on terrorism--perhaps continuing even
after the "long war" is won. Thus, Washington should:
- Fund cyber initiatives for the long term. In the past,
funding and attention from Congress and the Administration have
come in "fits and starts." This practice is counterproductive and
should be ended. For example, DHS programs should be funded
consistently at about $1 billion annually in constant dollars. In
particular, Einstein, a system that monitors network gateways
for computer viruses and other malicious computer activity,
should be fully funded. Additionally, the budgets of the
Departments of Defense, Justice, and State and the intelligence
community should adequately reflect their cyber missions, including
protecting U.S. infrastructure, fighting cybercrime and
network intrusions, and combating international espionage,
sabotage, and disinformation activities.
- Implement the Defense Science Board's recommendations
for improving the surety of critical software and microchip
components. These recommendations include enhancing
education and training for the acquisition community on
cyber issues, ensuring robust resources for conducting risk
assessments and assurance programs for mission-critical systems,
improving the quality and surety of Defense Department software,
and conducting advanced research on vulnerability detection and
mitigation for software and hardware.
- Continue to emphasize the information-sharing
environment, as well as various programs under the National
Infrastructure Protection Plan that promote effective
public-private cooperation on cyber issues.
The Way Forward
There are no silver bullets to ensure that Americans can
roam the information superhighway freely and safely in the 21st
century. Nor are there any guarantees that malicious actors can be
kept on the sidelines. On the other hand, consistent, adequately
funded programs should give Americans the confidence that they
can outcompete any adversary in the 21st century.
James Jay Carafano,
Ph.D., is Assistant Director of the Kathryn and Shelby Cullom
Davis Institute for International Studies and Senior Research
Fellow for National Security and Homeland Security in the
Douglas and Sarah Allison Center for Foreign Policy Studies at
The Heritage Foundation. Richard Weitz, Ph.D., is Senior
Fellow and Director of Program Management at the Hudson
Institute.