Terrorists target homeland, civilian-owned infrastructures that are key to most military functions.
The Bush administration’s declaration of war on terrorism allows federal organizations such as the National Security Agency to expand their electronic intelligence-gathering practices. With initial deployment of U.S. forces to the Middle East, demand to locate hostile terrorist cells and their support mechanisms immediately is rising, both in the United States and overseas. In addition, what had been a gradually growing requirement for U.S. forces to conduct information operations, including computer network offense and defense, is now switching to fast forward.
The National Security Agency (NSA) is a U.S. Defense Department combat support organization, and its operations may now exceed peacetime limits that otherwise would have necessitated covert action and possibly required a presidential finding to proceed, according to Dr. Mark M. Lowenthal. He is the director of SRA International’s Open Source Intelligence Program, Fairfax, Virginia, and serves as the chairman of AFCEA’s Intelligence Committee. Warfighting commands such as the U.S. Space Command with its computer network operations (offense and defense) mission as well as NSA’s electronic eavesdropping have an expanded license to operate against terrorist organizations, he assures.
“However, the electronic infrastructure of the nation is built to be connected to the entire world through the Internet. This automatically runs counter to the nature of protection,” Lowenthal adds. “Unless you have closed systems, so that part of the infrastructure is connected and part isolated, vulnerability is always a possibility. Like a lot of other technologies such as armor versus anti-armor weapons and submarines versus antisubmarine warfare, computer network offense and defense domination is cyclical. This means that firewalls can be breached,” he relates.
“But the very basis of the electronic systems we use rests on interconnectivity and on electronic-mail traffic. These functions run totally counter to the protection concept. Unless you want separate and parallel systems, there is not a lot you can do about it,” Lowenthal maintains. “If you are going to be connected to the outside world, you must accept as a fact that someone will try to penetrate your system.” Closed systems can be created, as is done with intelligence agencies that operate classified networks. These networks have no outside links to the World Wide Web.
Examples are the NSA and the Central Intelligence Agency (CIA). They have systems that use very different software and do not exchange e-mail. But creating very large closed systems is expensive, and none of the terminals can have access to the Internet. Once a hacker gains access, he is inside the entire network, Lowenthal continues. He believes the attacks in New York City and at the Pentagon are heightening industry’s awareness of network vulnerability, but that the depth of the cyberthreat is still unknown.
Technology traditionally outpaces doctrine, and there is still no U.S. information operations doctrine. “One of the things that may fall out of the U.S. response to the terrorist attacks is whether we are subjected to cyberwarfare,” Lowenthal says. “Cyberattacks do not take a tremendous capability; you just need a terminal located somewhere. As the U.S. prosecutes its war on terrorists and possibly associated states, it will be interesting to see whether their response will be cyberattacks and what we will do about it.”
The reverse strategy is to use technology to track small terrorist cells in places like Afghanistan, where there is almost no infrastructure. Lowenthal notes, “This is like aiming at an organization’s tentacles in more advanced countries, but not the octopus’ brain. It is difficult to trace the center of the activity, and these organizations are adept at hiding in difficult locations.”
Lowenthal believes that clear, unambiguous authority is necessary to deal with cyberterrorism, especially for responses to computer network attacks. “The new wrinkle is the appointment of former Pennsylvania Governor Tom Ridge to head the Homeland Security Office with cabinet-level rank,” Lowenthal asserts. “The authority and funding provided will be the keys to success, along with the decision on which agencies will report to that new office. An especially important question is whether the U.S. Space Command and NSA must respond to this new office during cyberattacks on the critical infrastructure.” He adds that this new appointment “makes a lot of sense and everyone understands, but it also raises a lot of questions.”
SRA is involved in critical-infrastructure protection programs for the government and industry, Lowenthal relates. The company also is involved in data- and text-mining technologies that pull together fragmented and often undiscovered information into coherent formats. Called knowledge management, the technology enables enterprises to exploit the full capability from internal data repositories, while avoiding the problem of “infoglut” from electronic information available online, he reports.
A consortium of nine companies led by SRA is working to protect against assaults on the critical-information infrastructure through cyber-based attacks. Each of the companies has extensive experience working with government and commercial clients in response to Presidential Decision Directive (PDD)-63 requirements to help federal agencies recover in the event of an attack. This activity also encompasses assistance to state-level disaster and emergency preparedness and recovery agencies, national energy industries and other essential services organizations.
Capabilities of this consortium include critical-infrastructure asset identification; physical-infrastructure protection; information systems security and assurance; emergency preparedness training, exercises and simulation; remedial action planning; crisis management; and vulnerability assessments.
However, U.S. protection against cyberspace terrorism could require a totally new information architecture for federal agencies and the military. Such an operating system developed by NSA would be reserved for use by related federal organizations. The use of dumb terminals and distributed but extremely secure smart servers would be a key element of this architecture along with positive identification of server users through biometrics, Col. Alan D. Campen, USAF (Ret.), discloses. He is an adjunct faculty member, School of Information Warfare and Strategy, National Defense University, Fort McNair, Washington, D.C., and a guest lecturer at the U.S. Defense Department’s Joint Military Intelligence Training Center at Bolling Air Force Base, also in Washington, D.C.
Col. Campen has long warned that it has been difficult to generate concern over dependency on and the vulnerability of information and that it may take an “electronic Pearl Harbor” before the value of information as a national asset is recognized. Once the insurance industry establishes the monetary value of information losses resulting from the terrorist attacks in New York and Washington, the nation will come to realize that information is an element of national power.
When the true value of information is widely understood and accountability for its protection is established, a new architecture would be based on operational procedures, providing control of the infosphere. “As part of this new architecture, an operating system would evolve with standard, reusable software modules and would allocate applications by an operations order from replicated software depots,” Col. Campen imparts.
In addition, the realization that information security is a deadly serious undertaking could spur a thorough examination of this nation’s dependence on and vulnerability of commercial products and services. “There is an unappreciated dependence on commercial products and services, while strategic information operations and perception management remain theories,” the colonel warrants. “Warfighting support is emphasized, as it must be, since the military responds first. Weapons, platforms and doctrine are dependent on information; however, information warfare is more than computer network defense and computer network attack.”
War is no longer defined by geography, sovereignty or laws. Other than an attack on the United States resulting in destruction and death of citizens, such as happened on September 11, “there is no clear way to know if a state of war exists or how to react,” he offers. “This new way of waging war can involve nation-state aggression, terrorism, crime and espionage. And a proportionate response may not involve the military,” he emphasizes.
In redefining warfare, the target is homeland and civilian-owned infrastructures, which are key to most military functions. Certainly in the United States, computer intrusions are initially treated as law enforcement and intelligence matters. Col. Campen believes there is no national policy or process to deal with a continuing state of conflict during which there would have to be continuous interaction between the departments of Defense and State as well as federal government and private-sector partnerships involving the critical-information infrastructure. The creation of the new Homeland Security Office and the involvement of the Reserve and National Guard are examples of dealing with terrorism both in the physical world and in cyberspace.
Information is now regarded as a weapon; however, information operations are difficult, requiring a wartime posture in peacetime. “The conflict includes many phases, only one of which is a clash between uniformed armies operating under the ‘law of war,’” the colonel insists. He adds that the military culture is still driven by kinetic weaponry. However, in this new era, “the peacetime and crisis management phases are the most critical. Every event, however small, is strategic since there is no theater of war. The American public is the center of gravity and now is the prime target in a conflict that will be waged on global television and over the Internet. Planning is the key to survival, not post-attack reaction and recovery,” he warns.
Col. Campen contends that assumptions are shaky on U.S. information warfare and operations, especially the presumption that “we can ruggedize the global commercial information infrastructure against malicious and skilled attack, or else better insulate military functions.” Another assumption that could be in doubt is that the United States will have adequate radio frequencies, adequate bandwidth and space systems. Doubt also exists about reliance on commercial software and services, particularly when outsourced.
As part of homeland defense, the federal government seeks a partnership in defending infrastructures. The active military is not structured or empowered for homeland defense and has a supporting role other than for computer network defense. But there is a new role opening for reserve components to support state and local responses. There were partnership problems with industry before the September 11 attacks. The private sector owns, but has been unmotivated to protect, these infrastructures mainly because it has been difficult to establish the value of information. Now, somehow it will have to be quantified.
Industry fears competition more than the national security threat and is extremely reluctant, as it should be, to share vulnerability data. The likely solution is sector cooperatives, which are forming. These cybercitizen partnerships with trade associations and other trends seem to favor self-defense in the private sector, Col. Campen details. For example, the FBI’s InfraGard program invites information sharing and cooperation at local levels. Other “motivation may come through high insurance costs and lawsuits,” he maintains.