Physical Disaster Propels Cybersecurity Initiatives
Data correlation technology enables tracking seemingly unrelated movements of terrorist cell members.
While U.S. military forces retaliate against terrorists for the horrific World Trade Center and Pentagon attacks, the Bush administration also is organizing to help shield the nation’s critical information infrastructure. The White House is establishing U.S. cybersecurity functions under a single individual. That person will function as the president’s special adviser for cybersecurity, reporting directly to both the new cabinet-level Office of Homeland Security and the National Security Adviser Condoleezza Rice.
The Bush administration has named Richard A. Clarke, former National Security Council (NSC) national coordinator for security, infrastructure protection and counterterrorism (SIGNAL, August 1999, page 17), as head of the new Office of Cyberspace Security. The move to coordinate and intensify U.S. cybersecurity activities corresponds to a rapidly changing electronics industry attitude about the urgency of information protection and to the emergence of new related technologies. After the September 11 catastrophe, with the loss of more than 5,000 lives, there is growing evidence that Islamic terrorists also are embracing opportunities offered by recent leaps in information technology.
“To cyberterrorists, distance is meaningless,” a computer security official observes. Speaking on condition of anonymity, the official adds, “The Internet provides them with the ability to be instantly halfway around the world, in many places at once and have an army of compromised machines to do their bidding.” The next attack may not be physical in nature but could come through cyberspace to disrupt government functions such as the national monetary system or our telecommunications and power grids, a Bush administration official points out.
“Certainly terrorist organization cells crossed the threshold in the September 11 attack, and all key U.S. assets are now in play against them. We must assume that people who mean us harm will exploit whatever they can to gain an advantage, and this is not limited to physical damage and murder. In response, we must approach the protection of critical goods and services in a holistic manner to minimize vulnerability,” the official, who is directly involved in government cyberdefense, adds.
The U.S. information industry has often been distant about the national security aspects of its products “since business in the marketplace is conducted in a very different atmosphere. There was no clear profit incentive to develop products with more costly and stringent security functions. But that is no longer the case, just as the threat of terror is no longer remote; it is clear and compelling. Therefore, we must develop coherent policy to handle disruptions from cyberspace aimed at undermining the way we run the government and handle the economy,” the administration official insists.
In parallel, the United States also is harnessing information technology’s capability to search databases in its massive effort to locate other members of terrorist cells operating in this country and abroad. Databases are being examined to correlate entry visas, financial transaction links, driver licensing, car rentals, airline and train travel and other everyday facets of modern life.
“There is no longer a need to persuade suppliers or customers of the trenchant importance of implementing Presidential Decision Directive (PDD)-63 (SIGNAL, March 2000, page 17). This directive addresses fundamental methods for necessary cooperation between federal agencies and related industry segments to ensure that the national information infrastructure continues to function in the face of attacks,” the official notes. “Information warfare activity by terrorist groups will grow, targeting our way of life. We cannot ignore critical-infrastructure protection. Opposition to intelligence-gathering systems such as Carnivore and Echelon is receding against vivid and powerful memories of the recent terrorist attacks [see page 61]. Law enforcement is the focal point for homeland defense, and it requires solid intelligence information,” the official maintains.
The Central Intelligence Agency (CIA) continues to warn Congress and the public that terrorist groups, including Osama bin Laden’s al Qaida, Hizballah, Hamas and Abu Nidal organizations, are using computerized files, e-mail and encryption to support their operations. The United States also is closely monitoring what Bush administration officials term an Israeli-Palestinian cyberconflict underway for the past 18 months. Cyberattacks against Web sites and critical-infrastructure domain servers increase in parallel with hostilities on the ground. Hundreds of attacks have been launched by pro-Palestinian hackers, with responses by pro-Israeli hackers. However, damage is spilling over, going beyond planned targets and resulting in attacks against governments in perhaps a dozen countries.
CIA Director George J. Tenet emphasizes concerns over the nation’s vulnerability to attacks on the critical information infrastructure. “Indeed, computer-based information operations could provide our adversaries with an asymmetric response to U.S. military superiority by giving them the potential to degrade or circumvent our advantage in conventional military power,” he says in his recent statement to Congress.
“Attacks on our military, economic and telecommunications infrastructure can be launched from anywhere in the world, and they can be used to transport the problems of a distant conflict directly to America’s heartland,” according to Tenet. He adds that the agency is in a race with technology itself. “We are creating relations with the private sector and academia to help us keep pace with ever-changing technology.” This is one reason the CIA established the Information Operations Center “to bring together the best and brightest to ensure we had a strategy for dealing with the cyberthreat.”
Another official asserts that intelligence data are available on terrorism, “but there has been no one to connect the dots, to provide a comprehensive picture through rapid analyses of where the next moves may take place. This is not a law enforcement function of chasing criminals but an intelligence matter. The intelligence failure is not from information collection but from information overload, analyses and language barriers, which are often funding issues with the Congress.” Industry is focusing on consequence management and is forming private alliances to assist the government with technologies. Since a hacker is always one step ahead, “we need to focus on computer network defense,” he insists.
One system, designed for Federal Bureau of Investigation (FBI) use and now emerging from technology development, could help track terrorist cells by identifying patterns in their movements. The Terror Network Mining System uses pattern recognition and neural network technology functions coupled to data mining techniques. “The term ‘network’ refers to a terrorist organization, not a computer network,” an expert in cyberprotection explains. Technologies from two separate systems developed for the military by Northrop Grumman’s Logicon Incorporated subsidiaries, based in Long Island, New York, and in San Diego, enable tracking terrorist movements, “even low and slow progress, from various existing databases,” an expert claims.
Technology is being harnessed to look for terrorist cell patterns in what an official calls seemingly innocuous features, collecting data on individuals who may appear to be unconnected, yet have parallel movements. Computer-based correlation technology is used with whatever information may be available from a wide variety of databases of companies, airlines, and city and state agencies involved in licensing. As the data are collected about seemingly unrelated activities, a pattern emerges through correlation software. These techniques address today’s problem in tracking movements of individuals within terrorist cells.
A similar approach uses pattern recognition and packet sniffing technologies coupled to other intrusion detection sensors to predict network cyberattacks. These techniques also help provide ways to gather evidence that will hold up in court to prosecute hackers, a difficult challenge for law enforcement agencies.
An existing approach that can be applied to the terror network mining system is from the Cyber Attack Tool Precursor Awareness and Warning System (CATPAWS), initially developed under the aegis of an interagency working group for the U.S. Navy. This system, which some officials believe advances state-of-the-art artificial intelligence functions, is designed to detect cyberattacks in real time and forecast future attacks. A U.S. Air Force program called the Network Early Warning System (NEWS) also is capable of providing an advanced warning of impending Internet-based coordinated attacks on computer networks.
Using a combination of neural network reasoning, algorithms and artificial intelligence plus visualization and graphic interfaces, CATPAWS displays intrusion patterns from various network sensors for both internal and external intrusions. The software detects intrusion patterns using mathematical modeling. As the system’s artificial intelligence learns to recognize these patterns, and in combination with a skilled operator, it can detect an attack in progress in real or near-real time. This capability allows the user to predict rather than react after an attack is underway. Information operations officials anticipate that the cutting-edge capability of CATPAWS will cause this system to spread to both federal civil agency and private use.
CATPAWS could have immediate applications for the FBI, especially in providing prosecutable criminal evidence. U.S. Defense Department sites are already under escalating Chinese hacker attacks. The Defense Information Systems Agency’s Global Network Operations Security Center and the U.S. Space Command’s Joint Task Force–Computer Network Operations have been dealing with an onslaught of attacks from China for several months. This escalation came in the aftermath of a Chinese pilot crashing his fighter into a U.S. reconnaissance aircraft off the coast of China and since U.S. support for weapons sales to Taiwan became known publicly. What is still unclear, however, is whether these network attacks are from disgruntled individuals or are state sponsored.
A multiagency technical support working group sponsored CATPAWS development in cooperation with Logicon. The FBI is represented in that multiagency group. The system was subsequently selected by the Naval Surface Warfare Center, Dahlgren, Virginia, for a 16-month, $320,000 contract. However, at the last minute, the Navy demanded that the company provide all of the system’s source code. On that basis, Logicon, which has 10 years invested in source code development, declined the award.
Meanwhile, the FBI is running its Awareness of National Security Issues and Response program to support the National Infrastructure Protection Center (NIPC) and counterterrorism. This program provides e-mail notices of topics that are relevant to cyberterrorism. The FBI/NIPC communication is intended for corporate security professionals and others who receive unclassified national security advisories.
NEWS, developed by Logicon under a $1.2 million two-year contract through the Air Force Research Laboratory, Rome, New York, also enables active instead of reactive network defense. NEWS also may have direct application to help thwart numerous attacks on the Defense Department and its computer systems and networks. The system employs artificial intelligence to automate the indications and warning discipline, which has been rules-based and manpower intensive. Designed to help protect military computers from organized information warfare assaults that may disrupt their use, NEWS replaces the manual review of intrusion detection reports and event logs with real-time automated processes.
So-called soft computing technologies such as neural networks and fuzzy logic are integrated in NEWS along with advances in intrusion detection tools for robust network defense. These technologies enable automatic warning of threats while reducing the analysts’ workload. Logicon also recently won an award from the United Kingdom’s former Defence Research and Evaluation Agency for intrusion detection methodologies.