27 February 2002
George W. Bush
President of the United States
The White House
1600 Pennsylvania Avenue, NW
Washington, DC 20500

Mr. President,

Our nation is at grave risk of a cyber attack that could devastate the national psyche and economy more broadly than did the September 11th attack. We, as concerned scientists and leaders, seek your help and offer ours. The critical infrastructure of the United States, including electrical power, finance, telecommunications, health care, transportation, water, defense and the Internet, is highly vulnerable to cyber attack. Fast and resolute mitigating action is needed to avoid national disaster. We urge you to act immediately by former a Cyber-Warfare Defense Project modeled in the style of the Manhattan Project.

Consider the following scenario. A terrorist organization announces one morning that they will shut down the Pacific Northwest electrical power grid for six hours starting at 4:00 PM; they then do so. The same group then announces that they will disable the primary telecommunication trunk circuits between the U.S. East and West Coasts for a half day; they then do so, despite our best efforts to defend against them. Then, they threaten to bring down the air traffic control system supporting New York City, grounding all traffic and diverting inbound traffic; they then do so. Other threats follow, and are successfully executed, demonstrating the adversary's capability to attack our critical infrastructure. Finally, they threaten to cripple e-commerce and credit card service for a week by using several hundred thousand stolen identities in millions of fraudulent transactions. Their list of demands is then posted in the New York Times, threatening further actions if their demands are not met. Imagine the ensuing public panic and chaos. If this scenario were to unfold, Americans everywhere would feel that our national sovereignty had been compromised; we would wonder how, as a nation, we could have let this happen.

Mr. President, what makes this scenario both interesting and alarming is that all of the aforementioned events have already happened, albeit not concurrently nor all by malicious intent. They occurred as isolated events, spread out over time; some during various technical failures, some during simple (government-sponsored) exercises, and some during real-world cyber attacks. All of them, however, could be effected through remote cyber attack by any adversary who so chooses, whether individual or state-sponsored. The resources required are modest -- far less than the cost of one army tank. All that is required is a small group of competent computer scientists, a few inexpensive PCs, and Internet access. Even the smallest nation-states and terrorist organizations can easily muster such capabilities, let alone better-organized groups such as Al Qaeda.

Many nations, including Iran and China, for example, have already developed cyber-offense capabilities that threaten our economy and the economies of our allies.

There is no doubt that such a serious national vulnerability is a real and present danger. This has been affirmed by a number of distinguished bodies, including the President's Commission on Critical Infrastructure Protection (1997), the National Academy of Sciences (Computers at Risk, 1990; Trust in Cyberspace, 1999), and the U.S. Defense Science Board on Information Warfare Defense (1996, 2000).

The consequence of successfully exploiting these vulnerabilities would be significant damage to the U.S. economy, degraded public trust with concomitant long-term retardation of economic growth, degradation in quality of life, and a severe erosion of the public's confidence that the government can adequately protect their security. We have seen the amplification effects, on our economy and on public apprehension, from a single event such as the World Trade Center and Pentagon attacks. Aggregate damages resulting from amateur cyber attacks (e.g., 1998 Internet Worm, Melissa Virus, I-LOVE-YOU virus, Code Red Virus and the Nimda virus) are estimated to have been $12 billion for the year 2001 alone. Extrapolating from this, a professionally-executed, coordinated cyber attack on our national critical infrastructure could easily result in a 100-fold amplification -- 10-fold from being professionally-executed and another 10-fold from indirect e-commerce suppression effects. In terms of a dollar value, this could amount to several hundred billion dollars in damage to the U.S. economy. Moreover, some community experts and reports (such as those cited above) estimate a high probability of a serious attack on U.S. critical infrastructure within the next few years.

The goal of our proposed Manhattan-style undertaking would be to create a national-scale cyber-defense policy and capability to prevent, detect, and respond to cyber threats to our critical infrastructure. We mean Manhattan-style in several senses: national priority, inclusion of top scientists, focus, scope, investment, and urgency with which a national capability must be developed. To prevent attacks, we need a coordinated effort to work with our critical-infrastructure providers in defending their most critical information systems. To detect attacks, we need to permeate our critical networks with a broad sensor grid imbued with the capability to detect large-scale attacks by correlating and fusing seemingly unrelated events that are, in fact, part of a coordinated attack. To respond to attacks, we need to devise strategies and tactics to pre-plan effective actions in the face of major cyber-attack scenarios; we need to augment our national infrastructure with mechanisms that support the defined strategies and tactics when attacks are detected and verified. We believe that all this can be done with a close partnership between the public and private sectors while maintaining sensitivity to public concerns about privacy and fairness, consistent with American values and laws. The result should be a resilient critical infrastructure that is resistant to cyber attack, plus next-generation technology which enables our critical infrastructure to be more easily secured. Given private-sector economic realities, our nation's economy and well-being will continue to rely on the existing vulnerable infrastructure for the indefinite future, unless strong government investment leads the way.

The proposed Manhattan-style cyber-defense project will cost a fraction of the expense we will incur from a single major cyber attack. We estimate the project would require an investment of $500 million per year initially, and could reach the billion dollar level in the out-years. The project would run over the course of five years to create a national-scale initial operating capability no later than year three, and more advanced defensive and offensive capabilities by year five. We recommend that you appoint a small board of top computer scientists and engineers to work out the details of a plan, and set the plan in motion within ninety days. The plan should include an appropriate balance between engineering and focused research to support the national capability and the policy, laws, and procedures that would be needed to deploy and support the cyber-defense technology.

The clock is ticking. We look to you, as America's leader, to act on behalf of the nation. Your conscientious and effective defense of our physical homeland should extend into the increasingly vital frontier of U.S. cyberspace. We anticipate that the nation will fully endorse and even expect this forward-thinking and courageous action in the face of such a major threat to national security. We stand ready to help in any way we can in taking this very important next step to defend our country.

Very respectfully,

[signed]

Signed copies of this presidential letter for all individual signers are on file and available for inspection.