Get in touch with technology with TechStuff from HowStuffWorks.com. Hello there, everybody, and welcome to TechStuff. My name is Chris Pollette, and I'm an editor here at HowStuffWorks.com. Sitting next to me, as usual, with a sunny disposition, is senior writer Jonathan Strickland. Hey there, and today, unfortunately, we have some serious things to talk about. Actually, we
have some pretty scary stuff to talk about. This this I think is even scarier than our zombie computers and Halloween shows combined. Really, yeah, I think so. Okay, so we're gonna talk today about cyber war. Arr. It's not pirate war, cyber war cyber war, so we're all we're not talking about Tron here um, nor are we talking about WarGames, both of which are awesome movies, so put them to the top of your Netflix queue um. No, we're talking about using computers to either spy upon, or
sabotage or otherwise inflict some sort of harm upon a nation. Um. And this can be done by one of a dozen different entities. That's the that's one of the scary things about cyber war? Is that all? Right? So in classic warfare, you know, usually you you would talk about two different nations or perhaps two different factions within a nation fighting
one another. Pretty easy to identify who the parties involved are, right, normally, Yeah, because guys shooting at you, right, and normally they have, you know, uniforms of some kind on you know, not to shoot your own guy. Yeah, yeah, there's some there's some general little rules that make it easier to know which guys are the ones you're supposed to be shooting. Um. Cyber war is not quite that clean cut. But the problem with cyber war is that the attacks can come
from anywhere. They can come from another country. They can come from patriots within another country that are acting on their own. That could come from essentially a mercenary, a hacker that's hired to do this sort of thing. Um. That could come from someone who's just trying to cause mischief and they don't have any other motives. Uh. So it's an attack that can come from another country, or that they can come from within the country that is
being attacked. I mean, you know, you're talking about uh sort of a cyber terrorism in a way. Yeah. And as a matter of fact, um, it could be somebody sitting in his jammies in his living room on the computer. You know, it doesn't need to be somebody out, you know, skulking around the streets or you know, somewhere in a foxhole. Heck, it could be someone parked in your driveway hacking into your WiFi. Good point. I mean, it's that's why we're talking about how scary this is.
It's um and and on another level, it's also scary because it takes so little, relatively speaking to uh, to perform an effective cyber attack. Now, when you're talking about a traditional attack on from one nation on to another, you're talking about billions of dollars worth of of equipment, of of personnel. Uh, you know, the things that have to go behind a war machine. I mean, we're that's a huge investment. When you're talking about cyber attacks, you're
talking about a computer and a computer connection. And you know, you might have a couple of other little bells and whistles to help you along, but you really you don't necessarily need it if you know what you're doing and you have the right software. So it's one of those things where, for a very low, small entrance fee, I guess you could say, you could have a huge, huge impact. As a matter of fact, your computer could be used to
carry out a cyber attack. Yes, if you've if you've installed some kind of malware like a virus or a worm that UH can turn your machine into a zombie. Someone else can direct your computer to UH to send email and a denial of service attack which basically floods UM floods computers with spam and other and other requests
if you will for information. The thing is that doesn't require any cost on the part of on the part of the attack at all, because all the machines are essentially donated, you know, from somebody else, right and the And to make matters worse, UH, when when anyone in authority tries to trace the source of the attack, they might come to your computer and never find the person
who actually infected your computer in the first place. So then you become the person of interest, the person who's under suspicion for committing an attack, and the whole time you were completely unaware. UM. Actually, that's another big, big
issue with the cyber warfare problem. Even when you can detect an attack and trace it back, you can never be sure that the last place you you trace it back to is in fact the original spot of the attack, because there are these you know, there's there are things like proxy sites, there are these zombie computers where there's always the possibility that there's one more link you haven't found yet that will take you back even further.
So that's uh, you know, if you if you uh, if you were to detect, say an attack, and you say, well, we've traced it back to China, you can never be sure that that the Chinese government was behind it. It could have been patriots in China who had the same sort of goals as the government of China, but were acting on their own. Or it could have even been people in a totally different country that just managed to use proxy sites in China to fool you into
thinking that's where the attack came from. So it's really insidious, um, And you might wonder, well, how how vulnerable are we to these sort of attacks? And I guess it really depends on which system you're talking about, because you know, the Internet is a network of networks, right right, So any given network or any given computer could be the weak spot, you know, and and there are just tons
of computers as part of the Internet. You know, every time your computer is hooked up for Internet access, you become part of this giant cloud. Um So. And then the really sophisticated crackers, those are the really nasty hackers. Those are the ones who can find ways to manipulate a network in ways that you know, most people don't think of, right And and to give you an idea
of how vulnerable certain systems can be. Back in seven, there was a secret experiment the Department of Defense commissioned and it was called Eligible Receiver. I remember that. Yeah, this isn't This was a kind of an eye opener um Now, a lot of Eligible Receiver. A lot of that mission remains classified, so we don't know all the details.
But what we do know is that part of the the experiment involved getting a group of hackers together, giving them some very basic computing hardware and software, and telling them to try and break their way into the Pentagon's computer system. And it took them three days using basic computers and basic software. Uh, three days. Just for regular hackers, these aren't necessarily the people who are who have a you know, an actual motive to break into the Pentagon,
and the fact that they're part of an experiment. Right, it's not like they have a government breathing down their necks saying we need access to this information. Uh. So that's that's pretty sobering to think that within three days one of the nation's most important computing systems was compromised, even though it was an inside job and an experiment. Right. Well, they there have been attempts to shore that up since then, and in fact, they conduct regular exercises in order to
do that. In fact, there was one not that long ago. Every year they there are students from Army, Navy, Air Force, and the Coast Guard and Merchant Marine, as well as the Naval Postgraduate Academy and the Air Force Institute of Technology. And uh, basically it's it's uh undergrads were given the opportunity to defend themselves from an attack by the NSA, um, and uh every year they undergo this experiment. And uh, the West Point held out the longest and
they the Army got to defend their title. But they were using Linux computers. But this is apparently a normal thing. Um. The Defense Department is only graduating eighties students a year from schools of cyber war in the United States. According to the New York Times article that I read about it, um and if you're wondering, this is the fifty seven Information Aggressor Squadron. They're based in Nellis Air Force Base,
and they are they they are, they are. They make a point of doing this test every year, and um, you know they it's one of those things where they are making a conscious effort to attack and defend uh computer networks. And apparently the uh you know, the nerds are nerds everywhere, even at West Point um according to the way, according to the way the article was written, they get a little ribbing for being the geeks of
the group. But even the you know, the the future officers that graduate from there know the importance of the computer network because that's one of the very first things they do. They're about to deploy these guys to Afghanistan, as a matter of fact, and the first thing they're gonna do is set up a secure internet connection, and they have to be ready to defend themselves against denial
of service attacks and, uh, other attacks. So I mean, they're they're coming right out of the service academies with knowledge of how to attack and to protect UM computer networks military computer networks. Sure. UM. Usually we call those sort of exercises red team attacks UM, where a group is is designated to play the part of an UM adversary and that's the red team. And the Red team's job is to is to achieve their goals by whatever
means necessary. So in other words, you know, you're not supposed to necessarily follow a certain protocol or rules. You're supposed to be inventive and creative and try and find new ways to to really compromise or defeat the other team and UM, because that's exactly what the enemy is going to do. You know, the enemy is not going to play by rules necessarily, especially if you're talking about
enemies that you can't predict. I mean, they may not even be directly involved with any other government or or official agency. So UM. And and you know, we government websites and our government web servers and and systems aren't
the only targets. One of the big targets in the United States, and it's been in the news quite a bit over the spring of two thousand nine is the electric grid and UH part of the problem with that is that systems like the electric grid and and some water and fuel systems are using UM using the software that that directly ties into hardware, and if you just change a few settings, you can cause catastrophic damage to
the the equipment. UM. There was a video that was on CNN for a while where some uh, some electric utility experts showed that with just a couple of tweaks, you could completely destroy a generator by changing some settings through the computer system, and they essentially turned a generator into a pile of scrap metal. UM. Yeah, it was very sobering to me to see that, because not that long ago the news broke out that the United States
electric grid, certain parts of it anyway, uh, has been under attack by some cyber spies over the last several years, and I don't really know who it is, right right right. They've traced them back mostly to China and Russia. But again, um, both China and Russia deny that they had anything to
do with it. But I mean, of course, the thing is it, you know, those countries are are gradually becoming more and more uh, computer centric, and it you know, it could be anybody, It could be you know, it could it could be that they are directly involved um or it could be that it's groups of of individuals within those countries, or like we said, it could even be that the attacks are ultimately originating somewhere else, but we're only able to trace them back as far as
Russia and China. So that's that's the other issue with the Internet is that it is a global entity, and so law enforcement officials only have so much authority to pursue cyber attacks. You know, they can cross over borders easily on the Internet, but law enforcement can't. They don't necessarily have the authority to pursue an investigation beyond the borders of you know, whatever their jurisdiction is. So that also makes life much more complicated when you're talking about
fending off cyber warfare attacks. Yeah, you know, uh, it wasn't even that long ago that some countries were complaining of real cyber attacks launched on their inner infrastructure, like Estonia not too long ago, and uh they were blaming the Russians for that attack. But that was back in in two thousand seven, all those years ago. Yeah, all those both years ago. Yeah, well, you know they say
that Internet time is sort of like dog years. It's about that would make it about fourteen years ago in internet, so I guess so, um yeah. And then of course there's the example of the Dalai Lama's office that the Tibetan office that was UH. They knew they were being watched. They were absolutely certain that their systems had been compromised UM,
and they hired a Canadian firm to investigate. And the Canadian firm found that indeed, there there were programs installed upon the Dalai Lama's, uh, computer systems, and that it appeared to be coming from an offshore island off the
coast of China. And the software even included UM controls that would allow people on the other end to activate audio and video software UM and hardware so that they could turn on if the computer had a webcam or a microphone, they could turn it on and turn it into a remote listening station, so they could actually spy on the goings on of these offices remotely. UM. So,
I mean, this is a very real problem worldwide. It's not just something that we have to worry about in the United States or or you know, any other specific nation. It's it's pretty much if if you have computers, there's a good chance there's another party somewhere that's really interested in finding out what you know and what you don't know and what you're up to. Yea, And um there's there's even another component to it that I know we were gonna stick, uh mainly to talking about how you
could use computers to launch computer attacks. But um, another facet of this that I think is interesting was sort of relates to a blog post I wrote in early April UM on the tech Stuff blog that that talked about the Moldovan pro democracy protesters and they weren't launching computer attacks, but what they were doing was using uh social networking sites like Twitter and Facebook to coordinate their
efforts sort of like flash mobs. They could go ahead and use computer networks like those and uh text messaging to discuss where and when they were going to organize and meet and hold a demonstration. So that's um, I mean, that's you know, relying on the network staying up and
rather than taking them down. But UM, I just it's just kind of funny because you know, you don't think of you think of Facebook and Twitter or something we use for fun or to to keep up with people and just another way that you can use them to Actually, I mean those could those could just as well have been used to hold a violent, you know attack on someone. Say, you know, meet at this corner at one forty in the afternoon. Uh, you know, and have everybody show up
and start fighting. Well, if the law enforcement is unaware of it or the military forces are unaware of it, you know, that could be a devastating attack, and it could be used by virtually anybody. Sure, and uh, you know, the dangers of these attacks go beyond just damaging a network or shutting down a system. UM. One of the big fears that that a lot of security folks have is that what if you were to coordinate a physical
attack with a cyber attack. So what if you were to target a major city and first you bring down the city's power grid through a cyber attack, and then you couple that with an actual physical attack like bombs or or whatever, and that UM together, that would cause a real panic because suddenly you have an entire population that that doesn't have access to UM information the way they normally would, and yet there is obviously chaos going on.
And uh that that really is the true definition of terrorism. There, you're you're inspiring terror in the victim. UM. Now would this be nationwide? Probably not. For one thing, the electric grid is really much a pretty much a regional kind of thing. UM. But it's something that every region could theoretically be vulnerable to without the right security measures in place. Um. I. Now, that sort of attack obviously would have to come from
a much more organized group. UM. It would have to come from a country or organization that had a strong financial backing to be able to fund the physical side of the attack. UM. So that that narrows down the list of possible suspects who could do that. But it's still within the realm of possibility. And it's one of those things that you know, keep security people up at night.
Sure sure UM. And you know, I'm really not certain what we're going to be able to do short of pulling all the plugs um to make it an impost complete and utter impossibility that they could carry out those kinds of attacks, because UM, it's just going to require constant monitoring and searching for vulnerabilities. That's why the the efforts of those who are participating in those um those
computer security uh war games. If you will. Um, they're they're so important because they're searching, they're actively searching for those vulnerabilities in the system and try, you know, to try to find ways to patch them up before they can be hacked into. But um, you know, I think that any time that you update those systems, you're going
to open up new vulnerabilities and new problems. And you know, it's just one of those things where the people who whose job it is to pay attention to it are just going to have to stay constantly vigilant to prevent
something like that from happening. And it is even more complicated when you think that, you know, not every system runs on the same software or operating system or whatever, so some of them are proprietary and uh and and so you might find something that works as a great security measure for one system, but it's not at all applicable to any other. So it is a huge challenge. I mean, well, what's the response to that. Do you go ahead and try and standardize everything so that hopefully
the same measures will work across the board. Because if you do that and someone does find a vulnerability, suddenly they've got a vulnerability that works across all systems. Right, So, I mean it's a yeah, it's a double edged sword, and it's it's there are no easy answers. We've got people who are way smarter than I am working on this, UM and I wish them the best because this is this is scary stuff. Now. Are we all in danger of something like this happening anytime soon? I don't know.
I don't know. I don't think so. I mean, I'm not I'm not staying up at night worrying the next day about that's going to be the day when the cyber war attack is going to happen. But it's I mean, it is possible. It's just not necessarily something that you know that I'm gonna have to worry about on a
day to day basis. Well, the more systems come online UM in more places around the world, I think it's going to be it becomes sort of like you know, aerial assaults were after you know, that became a real possibility in the twentieth century. It's it's going to be something that a well planned military strategy is going to include. You've got your ground troops, you know, air, sea, and internet.
Anything that can take down the computer network, the computer the communications network, the power grid all at one time. If you can do that, then you know you'll panic the citizenry, and that just gives you a better chance. I can pretty much guarantee that just about every modern nation in the world has some sort of plan like that in place. Um, and I can also guarantee that they're not going to share that because that kind of
defeats the purpose of the plan. Yeah, but you know, my internet connection goes down plenty without anybody attacking it. So and I occasionally lose power if I sneeze too hard, so or maybe I blackout. It's one of the two either way. Alright, then I'm done. I'm yeah, that's all I have that divulge to the public. Now that we've scared the pants off of you, it's time for listener
me fitness knows that scares the pants off me. And you know what, in retrospect, the alarm noise is probably not the most appropriate one to play on the podcast. Probably not. I apologize, folks, I should have picked something like Kittens Purring Kittens. Well, today's listener mail comes from Tom from Kansas. When I call a radio station to try and win a contest, would I have an advantage if I were closer to the radio station, or closer to a tower
that's closest to the station. Sometimes when I call, I never get through. Who's getting through? And why? Um? Tom, I was getting through? No, Seriously, I used to have like the bat phone into the local radio station. I won so many tickets from that station that they actually had to say, Hey, how long has it been since the last time you won. I'd be like sixty two days, and your your policies is sixty hands them over? Um. Does it help if I could just see you doing that?
Does it help if you're closer now? Does it help if the tower is closer. No, these signals are moving really really fast. Um. Otherwise you couldn't have a conversation normal time. Exactly. These signals are moving essentially at the
speed of light, um, or close enough to it. Because if you if they weren't moving that fast, if when you spoke into the phone, the person on the other end would experience a really long delay and then they would hear you, and then they would speak, and you would hear a really long pause, and then you would hear them and then you'd speak. That's not how it happens. Conversations have happened in near real time, so we're talking
about really really fast signals. Now, what is happening, Tom, is that the radio station has only so many incoming lines available. After that, you're going to get a busy signal and those lines are going to fill up pretty quickly,
especially if the radio station has a large audience. Yeah, if you have a switchboard with with ten lines and switchboard two people are calling in, that means two sixty five people are getting a busy signal or an all circuits are busy recording, which is probably what you're hearing. And that's what I always heard when I called in, you know, until I worked for a very specific company that had a particular phone system. That's why I used to get to I don't know what it was about
that phone system. I think it was nothing at all. I think it was just luck and coincidence. So I don't think it was I don't think there was any causation. There might have been correlation, but no causation um at any rate. Um. All I can say is keep trying. Lines are open, um. But yeah, if as soon as the line does go open, someone else is trying to call. It's going to fill up really quickly. It's really just, you know, kind of a crapshoot. All right then, all right, Tom,
thanks for writing in. If any of you have any questions you'd like answered, write in at techstuff@howstuffworks.com. Remember, you can find out all about fun activities like cyber war at HowStuffWorks.com. Well, I was trying to, you know, lighten up the mood after that podcast, and we will talk to you again really soon. For more on this
and thousands of other topics, visit HowStuffWorks.com. And be sure to check out the new TechStuff blog, now on the HowStuffWorks homepage.
