With Michael Kirk
Friday, April 25, 2003; 11 a.m. ET
The Slammer hit on Super Bowl Sunday. Nimda struck one week after 9/11. Code Red had ripped through the system that summer. Moonlight Maze moved from the Russian Academy of Science and into the U.S. Department of Defense. A new form of warfare has broken out and the battleground is cyberspace. With weapons like embedded malicious code, probes and pings, there are surgical strikes, reverse neutron bombs, and the potential for massive assaults aimed directly at America’s infrastructure -- the power grid, the water supply, the complex air traffic control system, and the nation’s railroads.
FRONTLINE's "Cyber War!," which aired on Thursday, April 24, at 9 p.m. ET on PBS (check local listings), investigates the threat of cyber war and what the White House knows that the rest of us don’t. Award-winning producer and documentary filmmaker Michael Kirk was online Friday, April 25, at 11 a.m. ET, to talk about the film and war by technology.
Kirk, a former Nieman Fellow in Journalism at Harvard, was Frontline’s senior producer from 1983 to 1987, and has produced more than 100 national television programs. He was online earlier this season to talk about "The Long Road to War," "The War Behind Closed Doors" and "The Man Who Knew," and during the 2001-2002 season to discuss "Did Daddy Do It?"; "American Porn"; "Gunning for Saddam"; and "Target America." Other films include "The Clinton Years," a week-long co-production with ABC News on the presidency of Bill Clinton that aired in January 2001; "The Choice 2000," comparing the lives, beliefs and experiences of Vice President Gore and then-Gov. George W. Bush; "The Killer at Thurston High," the first comprehensive TV profile of high school shooter Kip Kinkel; and "The Navy Blues," a 1996 Emmy Award-winning look at the post-Tailhook Navy.
The transcript follows.
Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.
Pine Hill, N.J.: This isn't a question, it's a comment.
I am shocked that "Frontline," a program for which I normally have the highest respect, would air a subject with such an inflammatory demeanor.
The show was nothing but a carefully arranged collection of hubris and buzzwords designed to strike fear into the hearts of people who know almost nothing about computers or networks, which is probably 90 percent of the population.
For instance at one point (discussing the ping attack on the White House), the commentator said that someone contacted the "people who run the Internet." Ever since ARPA escaped into the wild, NOBODY runs the Internet anymore, it's just "there."
Also, this Clarke guy said that as the collective pings approached the "edge of the Internet," they just died away. The Internet doesn't have any more of an "edge" than the earth does.
Finally, the knuckledragging culminated in trying to blame Microsoft for many of the problems. This argument in itself is problematic. First off, Microsoft deals in PC operating systems and software, that is the old "IBM PC compatible" designation of yesteryear. While a cyberattack COULD be launched using say Windows 98, the serious hacker's weapon of choice is Linux, the Intel compatible version of UNIX which is the native language of the Internet.
So just because someone exploits a hole they find in say Internet Explorer to crash someone "out there," this Clarke clown figures it's Microsoft's job to fix it under threat of possible regulation.
That's scapegoatism at its worst. If hundreds of thousands of people are trying to figure out how to get inside of your house, are you going to sue the builder just because some of them manage to get inside every once in a while? It is the homeowner's responsibility to make his house as secure as he deems necessary, and if the homeowner doesn't know how to do locks then he should hire a locksmith.
As you can guess, I could go on and on, but I'll stop here. The point is that tonight's show was cheap sensationalism that irritates the knowledgeable and scares the living hell out of the ignorant.
Michael Kirk: For the program we interviewed dozens of the nation's most prominent cyber-experts. In government, in industry and in the scientific community. The answers they gave to our questions are their opinions and based on their vocabulary and their experiences. We sought a range of opinions and experiences and believe our program reflects that endeavor.
The response after the fact from many in the expert community has been that rather than inflammatory the program was actually sober and considered (much to their surprise given the usual treatment the subject receives in the mass media).
San Diego, Calif.: Why are all of these critical systems available to the Internet? Wouldn't it make sense to place these systems on isolated networks? It's almost like we're encouraging the hackers to try and bust in so we can learn their hacks and cracks. In fact, the impression I got from the show was that you were challenging hackers to attack the power grid.
Michael Kirk: I don't think challenge is the right word. In fact, I think many industries that rely on the Internet because of its ease and utility are actually holding their breath and hoping against hope that they are not hacked.
washingtonpost.com: Since your segment was taped, the White House’s acting cybersecurity czar - Howard Schmidt – has resigned, further fueling speculation that the administration is seeking to put the issue of cyberwar on the back burner. Did you get the sense from those that you interviewed that Dick Clarke's latest effort - raising awareness about the vulnerabilities of US critical systems - was being relegated to a less important position? I imagine there were probably significant views on this subject that were shared with you off-tape that you could share with us, at least in summary. Thank you.
Michael Kirk: Some that we interviewed believed that Dick Clarke was leaving his post at the White House because he sensed that the issue was in fact being relegated to the back burner. In his last interview with us (we did one while he was at the White House and one afterwards) he indicated that he was watching both the Bush administration and the Dept. of Homeland Security very closely to see whether they actually would pay appropriate attention to this vital issue. Others we talked to said they believed that Clarke was indeed skeptical of actions the White House and Homeland Security would take in this area.
Glen Rock, N.J.: I'm in the IT business and am quite baffled by the assertion that one of the guests on the show made that any Microsoft system could be hacked in 2 minutes.
It seems that this was meant to sensationalize the vulnerabilities or there are hacks that are not in the public domain that we are not protecting ourselves against.
Which would lead to the question why this information is not available (at least the patches) so we can protect ourselves as we are implored to do.
Or was this a radical oversimplification for the intended audience?
Michael Kirk: Our interview with Scott Charney, Dir. of Cybersecurity for Microsoft, indicated that that company is aware of vulnerabilities in their software and is doing a great deal to attempt to fix the problems, send out warnings and patches and build better products. They did admit that the patch process has been extremely complicated and not always as readily available as they would like.
As to the comment by our soldier of fortune hacker, he was referring to specific Microsoft software that related to SCADA systems. It is not our intention to sensationalize this issue at all. His comments speak for themselves.
St. Louis, Mo.: I agree with the person in San Diego. Why don't we dismantle the Internet for national security reasons?
Michael Kirk: A tremendous amount of our lives -- the way we live our lives -- is obviously dependent upon the Internet. We have, like Cortez, burned our boats on the shore. There is no going back to manual systems. So the public policy problem is how to make the Internet safer without stifling its vitality.
Gaylord, Mich.: After viewing Cyber War on FRONTLINE, I am concerned about online banking and direct deposit.
In your opinion is this a valid concern, or are financial institutions leading the way in encryption protection for consumers? How safe is Ebay, Amazon, and other internet merchant sites?
Michael Kirk: Without wanting to cause a run on the bank in any way, suffice it to say that the people we interviewed believe the problem of cyberterror and cyberwar is probably larger than specific enterprises and businesses. They're concerned about what are known as "critical infrastructures" being vulnerable and needing the attention of the government and industry.
Richmond, Va.: The segment on cyberterrorism highlighted problems with SCADA. If those who have access to the White House bureaucracy could explain how crucial the exposure of the SCADA systems to compromise is to our national security would cyberterror then be treated with the respect it deserves? Thank you
William M. Davis
Michael Kirk: The hope of people like Dick Clarke and the 54 scientists who wrote the letter to President Bush is that he and his closest advisers will get the message about how vulnerable the critical infrastructure, including systems run by SCADA, is, and that in the midst of all the other issues demanding money and attention the White House will focus on this issue.
Smyrna, Ga.: What can the White House do to prevent Cyberwar? How can they protect America's infrastructure? WMD is like cancer because it destroys you, but Cyber war is like a bad headache that is irritating, but you can live with it -- would that be a good analogy of WMD and Cyberwar?
Michael Kirk: The people we talked to who favor more attention to our cyber vulnerabilities call them Weapons of Mass Disruption. So they would prefer to call the headache something more like a brain tumor. That's how important and devastating they believe this issue can be.
Redlands, Calif.: Did any of the experts you talked to give a time line for when they thought the cyber attacks against the U.S. would begin?
Michael Kirk: They have begun. Thousands a day at the DOD alone are detected. It's the ones they don't detect they fear the most and they say they're happening all the time.
Philadelphia, Pa.: Has there ever been any documented information that relates to the Air Controller System being intruded or causing flight delay/diversions?
If so could you comment on the case.
Michael Kirk: We were told that the people who know the answers to the very question you're asking would not and could not, indeed should not, answer with any specificity. So I can't either.
Piscataway, NJ: Excellent program, Mr Kirk! However, I am curious regarding something that was not brought up during last night's documentary - the prospect of a terrorist attacking from 'within'. It seems as though security products exist to monitor 'insider' use, but these (mainly) secure against general users like you and me. Couldn't a potential attacker pose as a systems administrator with (supposedly) legitimate access to SCADA systems and cause chaos from within? Many multi-national companies also outsource - often to offshore companies.
Is there a way to protect against these sorts of attacks?
Michael Kirk: There are many in the Internet security world who worry that the most vulnerable element of the process is a person inside the organization who could either become disgruntled, be bribed or coerced into helping an attack on a critical infrastructure.
washingtonpost.com: I thoroughly enjoyed the segment, thank you: You covered a surprisingly large amount of ground in a relatively short period of time. That said, I would have liked to have seen some discussion about the ethical questions surrounding the issue of offensive cyberwar. There is an ongoing debate within the Pentagon and the information warfare community over whether the U.S. should actively engage in offensive cyberwarfare, in part because the U.S. – being the most reliant on information technology – has the most to lose from a counter-cyberattack. Military planners are also wary of tipping their hand to their capabilities, and are worried about starting what could amount to a cyber arms race.
Did you consider this facet of cyberwar in producing the show? If not, why not, given that President Bush recently signed an executive order directing the government to develop national-level guidance for determining when and how the US might launch cyberattacks against enemy computer networks? Thanks.
Michael Kirk: We did and believed that it would be a very important program or perhaps washingtonpost.com article in the future. Many of those we talked about this with in the offensive military community not surprisingly believe that the best defense in this battle space is a strong offense, and they believe we have one.
Wellman, Iowa: In March 2001, the Wall Street Journal exposed the fact Symantec and Network Associates supplied China for years with cyber-war technology, under the noses of U.S. officials including Richard Clarke. My question is, do U.S. antivirus firms continue to arm China for a cyber-war against the U.S.?
Michael Kirk: The Wall Street Journal story you're referring to was on March 30, 2001 on page B3. Symantec issued a four question and answer response:
"Virus Samples and China
China’s Ministry of Security requires anti-virus vendors to submit virus samples in order to certify products to be sold in China. It is common practice within Symantec and within the anti-virus community to share virus samples from the “in the wild” collection for certification testing.
In the process of certifying Symantec’s anti-virus products to be sold in China, the Symantec AntiVirus Research Center provided the Chinese Ministry of Security with virus samples from the “in the wild” collection. Symantec’s Norton AntiVirus is certified to be sold in China.
Q1. Has the Ministry of Security asked Symantec to provide additional samples? Did Symantec
A1. The Ministry of Security has asked for virus samples in addition to the wild collection provided by Symantec. In accordance with Symantec’s common practice, we did not provide additional samples.
Q2. Does Symantec provide virus samples to other companies or countries?
A2. Symantec only provides virus samples for certification testing and to bona fide anti-virus research organizations that have known researchers and the infrastructure to manage the samples to ensure none of them
Q3. When did Symantec share virus samples with China?
A3. Symantec provided the Chinese Ministry of Security with virus samples from the “in the wild” collection in June of 2000."
As to other firms and what they do, the interesting thing about this entire issue is how unregulated and unobserved a lot of the activity is. Therefore it's almost impossible to answer the questions who gave what to whom and when. That is the great challenge for the government, the industry and the rest of us.
washingtonpost.com: In answer to the question from Philadelphia re: incidences of attacks on the air traffic control system, there was at least one publicized incident in 1997, in which a Worcester, Mass. teenager hacked into and disabled a local telephone computer servicing center. The teen's stunt severed communications for a nearby air traffic control tower and emergency response unit for six hours. The attack also disabled radio transmitters that allow approaching aircraft to activate the runway lights on approach.
Michael Kirk: Thank you.
Stamford, Conn.: During the program, it was repeatedly stated that Code Red and Nimda attacks cost the US economy "...hundreds of billions of dollars." Given the open nature of the Internet, how was this ballpark number reached?
Michael Kirk: The program does not assert and never said "hundreds of billions of dollars."
In one case, the case of NIMDA, Dick Clarke used the figure "about $3 billion." Estimates of damages from viruses that spread around the world with increasing rapidity are hard to be very specific about. In fact, coming to exact numbers, for even the experts is very problematic. One thing is certain, a lot of money gets lost when one of these things happens.
Thanks for your excellent program and all the supporting material on the pbs.org Web site. I have found the full interview with Joe Weiss on the vulnerability of PLCs, digital control systems, and SCADA systems particularly significant.
I also appreciate the opportunity to ask questions of the experts and to post comments on the discussion board set up for the program at the pbs Web site. How long will the postings and the "full interviews" continue to be posted on the Web site?
I also wonder if you would comment on the interview that was done with Howard Schmidt, but was not used.
Thanks again for your outstanding efforts to shed light on this topic.
Homeland security Web site: www.gwu.edu/~rpsol/homeland
Michael Kirk: As long as there's an Internet and viewers continue to fund and support public television, that Web site will exist. The reason Howard Schmidt's interview was not used was because we didn't interview him.
Washington, D.C.: Don't you think that the war and terrorism talk goes a little far in describing a much more mundane problem? If the lock on my front door was broken, would you say that my house was vulnerable to criminals or vulnerable to terrorists bent on destroying America?
Michael Kirk: I don't agree with the terms of the analogy. Obviously I believe that the words "cyberterror" and "cyberwar" are appropriate because we interviewed thoroughly credible people in the scientific, government and military and in critical infrastructure industries who worry about, use and deal with those terms every day.
Livermore, Calif.: Do you approve or disapprove of "security" conferences such as Defcon, Bay Con and 2600 Meetings?
Michael Kirk: I know there is a very real position taken by some in the Department of Defense who believe America must embrace, use and nurture the skills of the more sophisticated hackers in our society to protect the rest of us. There is, not surprisingly, another side that believes we should arrest and prosecute these people and that debate is very real and ongoing.
Denver, Colo.: Does there exist, or is there the potential for, a totally secure system -- or is it a scientific impossibility?
Michael Kirk: As I understand it, pristine protection is virtually impossible.
Raleigh, N.C.: Are there certain areas of the nation whose systems are more vulnerable to the point that they could be used as launch points for a cyber attack? Your report documented the slow pace of the federal government in addressing the issue, but I'm wondering to what extent state and local governments are moving to secure their systems since they seem to be the front lines for fighting the war on terror.
Michael Kirk: There are regional and industry differences, the variance is apparently quite broad. But the people who know would just as soon deal with those problems in private, apparently for obvious reasons they don't want to alert people who don't know, but would like to, where we're more vulnerable. So, they didn't tell me.
washingtonpost.com: One of the key sources in the Frontline segment – Naval Postgraduate School Professor John Arquilla – has spoken and written about the need for military planners to move from the reliance on so-called “shock-and-awe”-type military strategies to plans that involve greater use of - and expenditures on - a broader range of information technologies that can bring about the enemy’s defeat at a much lower cost. Now that the nations of the world have seen the newest conventional US weapons in action – there will likely be a group of countries lining up to buy the latest toys from US defense contractors. Do you see any signs that US military planners are moving toward a more integrated approach to waging war?
Michael Kirk: There is a fear that an enemy or enemies, having seen the unrivalled power of the American military in Iraq, may wish for a more level playing field. They believe cyber warfare from one computer to another is that level playing field. And therefore, more resources need to be invested in that aspect of our military preparedness.
Washington, D.C.: Your film seemed to imply many times that people who refused to comment were actually saying "yes" to the questions being asked. So maybe you will go on the record where your interview subjects failed to do so: Can a hacker bring down the "entire nation's power grid?" If so, for how long?
Michael Kirk: I don't know, and I'm not sure if anybody really does. But the people who know a lot about it acknowledge that portions could be brought down and fear what they call a cascading effect that could result in a significant power outage over a large part of the country.
© Copyright 2003 The Washington Post Company