New Tricks for Old Threats

January 2001
By Henry S. Kenyon

Cyberwarfare blurs rules of engagement.

Rapid technological change is a double-edged sword. The latest developments that allow faster computing and increased data flow also put critical national infrastructures within reach of any potential adversary with a modem.

As increasingly sophisticated information sharing systems are adopted, software flaws or a lack of built-in security measures and procedures in commercial networks create new avenues for attack. This specter of a digital Pearl Harbor is driving multilateral information assurance initiatives between the United States and its allies.

According to a U.S. Defense Department official speaking on condition of anonymity, the dangers presented by information-based warfare attacks are not fundamentally new. Most of the security threats the United States faces have been known for many years. What is different today is how governments, terrorist organizations and individuals are applying traditional methods, such as disinformation, viruses and hacking, he says.

The official defines information operations as actions taken against an enemy’s data and information systems while at the same time defending one’s own national assets. Such activities go beyond disabling computer networks and into the realm of psychological warfare, military deception and the physical destruction of an adversary’s command and control capability.

Foreign disinformation via the Internet is an example of this blend of traditional and new information operations. False information can be spread around the world in seconds. By setting up their own World Wide Web pages, rogue states and terrorist organizations can reach a wider audience with their messages. The damage is pernicious because it often enters the world of conspiracy theorists and urban myths. “You never quite put it to bed,” he says.

Recent hacker attacks on commercial Web sites and the Melissa and I Love You virus outbreaks have received much media coverage. These types of network intrusions raise multiple concerns. Officials find it difficult to distinguish national security threats from law enforcement problems in cyberspace. “There are no missiles over the poles, [and] no landing craft on the beaches. It’s an intrusion into a network, and we have to go through normal, legally defined processes. Hackers use so many different hops to get where they’re going, you are never quite sure where the attack originated,” he says. The possibility that a future cyberstrike may initially target civilian instead of military infrastructure makes the issue a serious concern in government policy circles.

The United States has addressed these potential threats with a defense-in-depth approach that comprises layered security systems and procedures laced with protective measures aimed at preventing unauthorized access. The official notes that this serves to shield critical assets and create a deterrent posture. However, much work still needs to be done to enhance network security software such as firewalls, guards and virus protections. Leveraging new technologies, especially commercial information assurance solutions, is an important part of this strategy, he says.

Commercial products also have weaknesses and entry points that can be exploited by intruders. Additionally, the commercial sector has no unified defensive strategy because there is no incentive to develop one. Most business plans call for fending off the occasional hacker, not a major information warfare attack, he offers. The expert notes that, in the next few years, the potential for lawsuits and insurance liabilities in the civilian sector as a result of lost or stolen data will drive many companies to enhance their security posture (SIGNAL, August 2000, page 25).

Because of weaknesses inherent in the civilian market, the government supplements its commercial inventories with special-purpose products and support from organizations such as the Joint Task Force on Computer Network Defense and the Defense Department Computer Emergency Response Team. While such efforts are important to mitigate risks and ensure the continuity of operations and missions, he cautions that it is impossible to avoid all risks in a network environment.

Globally, the United States and its allies have been exchanging information and forming working groups around issues such as critical infrastructure protection, information assurance and computer network defense. These discussions have taken place under the auspices of the North Atlantic Treaty Organization (NATO) and in separate bilateral and quadrilateral meetings. The U.S. State and Justice departments also have been involved in this process along with other closely related efforts such as the Group of Eight industrialized countries’ working group on cybercrime.

Within NATO, much of the momentum and increased activity has been driven by the efforts of Dr. John J. Hamre, former U.S. Deputy Secretary of Defense. Since his initial 1998 visit to NATO headquarters in Brussels, Belgium, Hamre has stressed the importance of information assurance and encryption policy to the alliance, the official explains. “The basis of an alliance is interoperable command and control, which relies on trust. The root of that trust is security. Without it, and the assurance that vital information is safe and secure, the very foundation of the alliance is threatened,” he notes.

Encryption policy is another issue that has been smoothed out by the United States and its allies. In July, the Clinton administration updated its policy for encryption exports to the European Union and other key trading partners. This resolved problems about conflicting data formats and national regulations between the United States and the European Union. The new rules add three important elements to U.S. export policies regarding encryption technologies: a meaningful one-time technical review of products prior to export, post-export reporting to ensure compliance with the regulation, and the right to review and deny exports to certain foreign governments and militaries.

In connection with the new export policies, civilian computer and encryption technologies have been moved from the State Department’s munitions list to the Commerce Department’s commodity control list. The administration hopes the shift indicates a desire to treat these items less as military goods and more as dual-use commercial commodities, the official says.

The armed forces are also reassessing their approach toward network security. While information assurance has been a part of military doctrine for many years, commanders at all levels are now more aware of their operations’ dependence on critical infrastructures and information assurance, the official shares. The global information grid (GIG), an interconnected network of computers and communications equipment, is an example of this data framework. It represents more than just hardware. The GIG exemplifies that proper policy implementation is as important as the correct choice of bandwidth, datalinks and applications.

This global military network is built around the idea that evolution is not restricted to technology but also includes all of the related doctrine, organizations, training, material, logistics, personnel and facilities. When new systems are brought into service, the way they fit into the entire framework must be assessed. “It’s not enough to give somebody a new networked radio. You have to make sure there are system administrators ready to operate it and that the doctrine calls for sharing that much information,” he points out.

Networks like the GIG can be susceptible to information operations such as denial-of-service attacks or viruses. The latest Defense Department initiative, the Navy/Marine Corps intranet (NMCI), relies on a defense-in-depth strategy based on multiple layers and types of systems. According to the official, the NMCI represents an important step for information assurance because it has an integrated security architecture. The design’s strength is that it reduces the number of entry points into the system, limiting potential avenues of attack.

As the world becomes more interconnected, the speed at which cyberattacks can be carried out and viruses can spread increases. The official notes that viruses have been in existence since the earliest days of computing. However, because a virus had to be loaded from a disk onto a computer, the infection rate was roughly comparable to that of communicable diseases in the medical world. They took some time to spread, he allows.

This situation changed with the advent of the Internet. For example, the I Love You virus spread around the world in 72 hours. “As the world gets more connected, the potential rapidity and extent of the damage only increases,” the official claims. However, a growing awareness of computer security features and the use of more robust defensive architectures is keeping pace with new viruses, he adds.

Communications technologies such as wireless networking, Ethernet and digital subscriber lines also pose a variety of security challenges.

Variants of popular commercial handheld computers such as the Palm 7 are now being used in military service. These devices have little or no protection against a virus propagated via a wireless connection. Unlike standard modems that must be dialed up or accessed, wireless connections are always on, making them more vulnerable to attack, he explains.

Another concern is the development and widespread availability of easy-to-use intrusion software. The official notes that while hackers previously had to know several computer languages to carry out an attack, new automated software allows cyberterrorists to launch one with the click of a mouse.

Hacking and viruses form a facet of a broader international picture. Many nations that are unable to challenge the United States in a conventional conflict are now embracing doctrines such as asymmetric warfare, which calls for using any available means such as cyberattacks and terrorism to disrupt U.S. military operations and civilian infrastructure targets. If properly executed, these types of remote strikes are hard to trace, he admits.

With the global availability of sophisticated hardware and software, this offensive capability is no longer the sole realm of nation-states. Groups such as drug cartels and international terrorist organizations are potential players in the messy world of future asymmetric warfare, the official says.

Because of these threats, the Clinton administration has been very active in promoting information assurance. The Defense Department also is prepared to defend against and wage information warfare. He notes that the commanders in chief of the military’s various global regions run sophisticated command and control centers geared toward dealing with these types of threats.

The official says his greatest concern is the constant game of catch-up that government and private sector security groups play against hackers and other cyberthreats. The threat level posed by a lone hacker is substantially different from a planned, systematic, multimonth or multiyear attack carried out by a foreign power or a transnational terrorist group. “The possibility of working against a really determined and sophisticated adversary is a source of continuing concern,” he stresses.