Surveillance Slips Into Cyberspace

February 2005
By David E. Peterson

U.S. warfighters in the Coalition Operations and Intelligence Center in Camp Doha, Kuwait, monitor the ground war in Iraq. Computer-to-computer signals intelligence gathering could be used as another means to conduct intelligence-gathering and psychological operations.

Computer forensics offers new intelligence-gathering options.

Allied intelligence agencies engaged in computer-to-computer signals intelligence exploration are closely examining Internet protocol network intercepts and forensics analysis as a new weapon in the war against terrorism. Traditional signals intelligence professionals, who have shied away from this type of intelligence gathering for more than a decade, are realizing that the computer-to-computer intelligence gap can be filled. The fact that computer-to-computer signals intelligence is a weakness in current allied intelligence-gathering efforts is no secret. But after decades of denial, the intelligence community and emerging technologies are changing the old ways of looking at network surveillance.

Several new technologies capture, analyze and exploit computer-to-computer (C2C) data in hostile environments. It is possible to target a section of the Internet—even the sections that originate in small countries—to find targets of interest online. The benefits of using network intercept and forensics in intelligence gathering, as well as the mission-tasking opportunities available to forces charged with enemy communications collection, are enormous. This technology will enable U.S. Department of Homeland Security officials to track a terrorist suspect inside the United States and allow military commanders to listen in on enemy computer communications. With proper network targeting and sensor placement, intelligence professionals can use network forensics to protect their own networks while exploiting the same capability to create intelligence at every stage of warfare—from pre-conflict negotiations to hostilities to post-conflict rebuilding.

Marcus J. Ranum, developer, author, consultant and lecturer in the network security field, defines network forensics as the capture, recording and analysis of network events. In the signals intelligence (SIGINT) world, the ability to capture foreign computer network traffic and provide timely analysis has been the unspoken Achilles’ heel for years. The physical access required to place an intercept device is sometimes hard to manage, and a general lack of computer networking knowledge in a field staffed predominantly by radio frequency experts makes procurement of such technologies difficult. In fact, the term “network forensics” has only recently been heard in SIGINT circles, primarily as a description of a post-intrusion detection system information assurance capability.

Network monitoring is most often understood as a set of software tools used to spy on trusted insiders. The most notorious example of this definition is the Federal Bureau of Investigation’s Carnivore tool (SIGNAL, November 2001, page 17), later named DCS1000, which is used to collect targeted—and sometimes innocuous—network traffic on federal suspects. Loved by federal agencies and hated by public-privacy advocates, Carnivore is the best-known example of a true network forensics system.

More recently, network forensics technology has meant new exploitation opportunities for allied intelligence. At the tactical level especially, military and law enforcement units now have the ability to collect C2C SIGINT data and combine it with network forensics analysis. This means that only a few pieces of equipment are needed to tap into, for example, an Iraqi Internet service provider and collect all network traffic from that provider’s subscriber list. Theoretically, an entire nation’s Internet traffic could be monitored if the ingress and egress of that data were controlled at a single choke point.

The capability to conduct tactical C2C SIGINT is gathering interest in units that provide commanders with battlefield intelligence. New companies are forming that specifically cater to this need, including Narus Incorporated and TopLayer Networks Incorporated. As the military depends on computer communications for passing its own intelligence, it also demands the ability to exploit enemy C2C communications. This power to “sniff” enemy network traffic is almost nonexistent in current military force structure, but a shift in thinking is underway. While current U.S. SIGINT efforts focus on the old reliable radio frequency monitoring services such as cellular telephones and radios, future missions will require C2C SIGINT as well.

New commercial technologies, such as Computer Associates’ SilentRunner and Forensics Explorers’ NetWitness, are enabling forces to close the C2C intelligence gap. This mission is being accomplished within the community through the acquisition of network capture-and-analysis tools coupled with a zealous commitment to computer network training. When U.S. forces are provided with accurate C2C SIGINT, the enemy is denied the anonymity that computer network communications have provided them.

Gathered C2C SIGINT can be used in a myriad of intelligence roles. Psychological operations can use network forensics for sowing dissent within organizations hostile to Western allies. Mark Longworth, a national security professional and cyberforensics expert, makes the case. “The ideas espoused by terrorists are finding audiences in nontraditional communications. In order to contradict those ideas, defense must be aware of their cyberexistence and be able to deny, distort, delay and destroy them at will,” he explains.

Units charged with providing SIGINT to battlefield commanders must have definitive collection goals with which to target network users. Just as radio frequency communications must be quickly passed up the chain, C2C data needs to be defined for mission tasking and organized into an actionable product.

Network forensics allows SIGINT units to capture network traffic for several requirements. Traditional data collection, alerting and analysis enable the military to capture targeted enemy e-mail, chat sessions, Web pages, file transfer protocol downloads, logs and voice over Internet protocol communications from network bottlenecks such as Internet service providers and other choke points. It also provides near-real-time analysis and reporting to create actionable intelligence from enemy network traffic. Additionally, it allows the SIGINT units to conduct relational surveys by monitoring contacts of known terrorist suspects, building orders of battle around enemy organizations.

Psychological operations via the Internet enable the military to manipulate enemy e-mail before delivering it to the intended recipient or to issue false reports while posing as the enemy. In addition, C2C interruption, denial and targeting allow the armed forces to conduct site surveys for targeting national network communications nodes. When bottlenecks to national infrastructure are uncovered, this tactic also enables the military to limit enemy communications while preserving national infrastructure by destroying only international nodes.

In all stages of conflict, network interception operations require dedicated resources to monitor a nation’s Internet traffic. Large amounts of hardware are not needed to set up at an Internet service provider for network collection. Equipment can be flown or driven into an area of operations, and collection can begin the same day access to the site is obtained.

Depending on the number of international gateway nodes and national nodes, the ability of a unit to monitor 100 percent of a nation’s Internet traffic varies. A nation with few Internet service providers, for example, would be easier to tap than would the United States with its thousands of nodes and access points. When a more targeted approach is used, however, it is possible to monitor a region within a country fairly well. Properly trained personnel can set up temporary Internet monitoring activities covering wide geographical areas with little preparation time. All that is needed is the right equipment, a linguist to translate Web sites or e-mail, and a team of trained network administrators to act as analysts.

This setup could be used in several ways. For example, a known terrorist using a public Internet café depends on the anonymity of his Web-mail account to issue orders to his lieutenants. Because he fears allied radio frequency monitoring, he contacts cell members through Web-based e-mail instead of issuing his orders via telephone or radio. The terrorist’s intent is to use the anonymity of the Internet to issue attack orders. To further reduce his communications profile, he logs into his Web-mail account and drafts a message without sending it to other e-mail addresses. The terrorist checks his Web-mail account days later to find his draft box has been edited by his lieutenants, who have used the draft message box to read communications, issue orders and report battle damage assessments. Superstition and a poor understanding of how computers communicate lead members of the organization to believe that their messages were never sent. They are wrong. The drafted messages are sent to a Web host servicing multiple accounts, and the messages are collected and analyzed by investigating agents who build an order of battle and disrupt the organization’s activities. In real life, this scenario could be played out over and over in future operations.

Another tactical scenario involves exploiting the recent surge of wireless hot spots in the developing world. The hot-spot phenomenon has led developing nations to seek wireless networking technology as an alternative to more expensive wired networks. Precedents lie in the cellular telephone market boom of the 1990s, where Third World nations skipped generations of telecommunications technology. U.N. Secretary General Kofi Annan has gone so far as to issue a decree to member nations “to think of ways to bring wireless fidelity applications to the developing world so as to make use of unlicensed radio spectrum to deliver cheap and fast Internet access.”

This trend presents an unprecedented exploitation opportunity for allied forces with the means to collect packets moving through the airwaves. Western intelligence assets have the capability to monitor these services by setting up rogue access points and conducting targeted war-driving collections and site survey analyses. Wireless collections provide the unique opportunity of conducting operations without host nation cooperation.

In the three stages of warfare, perhaps the most beneficial time for network monitoring occurs pre-conflict. Politicians are trying to avert war, and information gathered on known adversaries through joint efforts with friendly contacts that provide network access can help prevent conflict by supplying confidential information to U.S. decision makers. International media outlets have created a global democracy where even sovereign leaders are influenced by the will of the global majority. The future will hold—and the current situation in Iraq demonstrates—that when political processes break down, conflicts will be wars of ideas, information control and propaganda for consumption by the masses before kinetic warfare ever becomes a reality. During the buildup to a conflict, C2C SIGINT can be a great intelligence multiplier for politicians seeking peaceful alternatives to war.

In the hostilities phase of warfare, network intercept and analysis can occur at the Internet service provider level, where U.S. forces exercise geographic and political control, as well as through a dedicated war-driving patrol capability as long as hot spots exist. During this period, network intercepts provide valuable tools for psychological operations. Commanders in the field gain the capability to monitor the enemy’s online communications. As Web-mail, e-mail and other protocols and events are collected, U.S. forces will have the ability to log in with intercepted passwords and send misleading messages to enemy cohorts, confusing the enemy command structure and destroying morale. Psychological operations need not be limited to expensive airdrops when the same effect can be gained by sending spam—albeit well-disguised spam—to enemy combatants.

C2C SIGINT also could support post-conflict activities. It can allow allied intelligence agencies to show resolve and support for newly established governments—assuming conflicts end favorably for allies—by offering to quell insurrection before it starts via Internet monitoring services. When used to target known enemies of newly established governments, C2C SIGINT in an information assurance role can be offered as the proverbial carrot for establishing new intelligence rapport. The ability to monitor people using the Internet does not exist in most nations, and the controlled capability to do so may be used as a temporary political tool to further U.S. interests in a region during the build-up to peace.

U.S. and allied intelligence services are at a technological crossroads in their ability to conduct tactical C2C SIGINT. As more of the United States’ enemies gain access to the World Wide Web, allied forces must adapt to gain control of the enemy’s ability to use the Internet for command and control and information operations. These networks must be harnessed to work toward allied advantage in lieu of destroying foreign infrastructure. Intelligence goals of the future mean waging war with bits and bytes rather than with blood and steel. With the right tools working to control enemy information, wars of the future may be over before they begin.

David E. Peterson is a senior network forensics engineer for business and government, ManTech IS&T, Vienna, Virginia, and a consultant to the U.S. intelligence community. He served in the U.S. Marine Corps from 1997 to 2002.
