Flashmag Digizine Edition Issue 96 August 2019 - Page 119

..............119............

Flashmag August 2019 www.flashmag.net

or three decades, by which time whole systems and networks had been sprung up with no provision for security whatsoever.

And so, I see this as kind of the—you know, the bitten apple in the digital Garden of Eden. From the very beginning—the P.S. on “War Games” is that when the guys who were writing “War Games,” who also, by the way, later wrote “Sneakers,” when they were researching the script, and they heard about—they learned from some hackers about something called demon dialing or war dialing where, back in the days before the Internet, you had a computer program that would just dial every phone number in an area code, wait two rings, and if it’s hooked up to a modem it would squawk and it would record what that number was. That’s how he gets in. So, they’re thinking but, you know, is this really plausible? I mean, certainly NORAD’s computers, it’s got to be a closed system. We better talk to somebody who might—so they—one of them lived in Santa Monica. And he called RAND. And he said, who can we talk to? And they hooked up him up with Willis Ware. And Willis was a very nice guy. And he called them in. And he goes, yeah, you know, actually, it’s funny. I designed the software for that computer. (Laughter.) And you know, you’re right, it is a closed system. But, you know, there are some officers who like to work on weekends from home, and so they always leave a port open. And yeah, I guess, if somebody knew what that number was, they could get it. And then he said, you know, there’s something that most people don’t realize, and that is that the only computer that’s completely secure is a computer that no one can use. And that was back in 1982 or ‘(8)3. And just a couple years ago, the Defense Science Board put out a paper on cybersecurity. And one of its line, they talked about the inherent fragility of our architectures—inherent. In other words, you know, you could do lots of things. You know, things are much better now than they were before. You know, there are warning systems in place and so forth. But you know, every war game where they’ve had a red team trying to hack into the military networks, they always get in. They always get in.

LINDSAY: And your book recounts a number of occasions in which people got in.

KAPLAN: Yeah.

LINDSAY: Sometimes the good guys getting in doing red team testing, other times bad guys getting in, sometimes good guys watching bad guys so they can track the bad guys.

KAPLAN: That’s right.

LINDSAY: I guess, but I want to come back to this issue of the subtitle of the book, cyberwar. Now, you’ve also mentioned the term cybersecurity. What do you mean by each and how do they differ, if they differ at all?

KAPLAN: Well, there is a fine line—I mean, one thing—very early on in my research I was talking to someone quite high up in intelligence circles. And I was going over some report where it lists the vulnerabilities of our systems, and different scenarios about how people can come in. And he said, listen, there’s one thing that you need to realize, all of these reports, all of these scenarios, they’re based on what we were actually doing to other countries. And then at some point, somebody says, oh, Jesus, somebody could do this to us at some point too. And that’s where it all began. So we have not been, you know, innocent flower children in this arrangement.Another thing about the fine line between—sometime in the ‘90s they came up with some terminology. There was CND, computer network defense. There was CNA, computer network attack. And then there was something called CNE, computer network exploitation. And that was where you just get inside the other guy’s networks and see what’s going on. And you could call this a form of active defense—in other words, we can’t protect every single intersection between a network and the Internet. So the best way to do defense is to get inside the other guy’s network so we can see them planning an attack, if they’re doing an attack. It could be that.

Or, it’s also just one step away from computer network attack. And so the difference between cybersecurity and cyberwar is largely academic

Interview by James M. Lindsay

Senior Vice President, Director of Studies, and Maurice R. Greenberg Chair, Council on Foreign Relations