Cyberwarfare Looms Large in Information Systems

Then-Secretary of Homeland Security Michael Chertoff gives a keynote address at the AFCEA Solutions Cyberspace conference, held in Washington, D.C., in December.

The digital realm may host key battles in coming conflicts.

Cyberspace, the virtual domain existing within the chips and wires of computer networks, may be the front line of the next big battle. A clash there may not be decisive, but it could be over in less than a second. As to whether the United States is as prepared as it ought to be, the answer appears to be no. According to government and industry experts, U.S. forces are just beginning their learning curve. The message is that it is time to beef up defenses, partner with the private sector, train the work force and educate the public about the dangers the country faces.

This was the prevailing consensus at AFCEA’s Solutions conference on cyberspace, held at the RonaldReaganInternationalTradeCenter in Washington, D.C., in December. Military, civilian government and industry officials offered two days of assessments on the prevailing threat—and whether defenses are up to task.

The U.S. military recognizes cyberspace as a warfighting domain. But cyberspace is unlike the physical domains of land, air, sea and space. It is totally artificial, ever-expanding, not dominated by U.S. forces and almost entirely commercially-owned, pointed out David Hollis, director of cyberspace programs in the Office of the Assistant Secretary of Defense for Information and Identity Assurance. “It’s almost like, if you’re going to invade a foreign country, you’ve got to transgress AT&T first,” he said. Cyberspace also is a domain where it is “oftentimes virtually impossible to achieve attribution,” he added.

Another notable characteristic of cyberspace, Hollis said, is the dominance of the offense over the defense. “In cyber, offense is cheap and easy, and defense is tough and expensive,” he shared. Attackers do not even need to write their own code—downloadable freeware and shareware is there for the taking. Defense is not enough, he concluded. “You’ve got to integrate exploitation and offense into the package, and you may have to incorporate kinetic, i.e., real-world attacks,” he said.

Cyberspace also is the only warfighting domain susceptible to weapons designed at home by talented teenagers, Hollis warned. But the attacker’s profile is changing. In the last five years, the offense has moved from ego-driven attacks to assaults motivated by politics and profit as well as by prestige, said Josh Corman, a principal security strategist with IBM.

“Control of cyberspace may well be as decisive in the early- and mid-21st century as control of the air was for most of the 20th century,” asserted Daniel Kuehl, a professor at the NationalDefenseUniversity. Military motives include the potential to disrupt enemy communications, supply lines, and command and control (C2); impair the enemy’s mobility of forces; and create opportunities to attack the enemy’s strategic infrastructure.

Gordon England, deputy secretary of defense, warns of the ubiquity of cyberspace weapons during his keynote address.

It is as important for future leaders and operators to understand the capabilities, limitations and vulnerabilities of computers and networks as it is to understand traditional weapons such as radars, missiles and tanks, said Gordon England, deputy defense secretary. He compared the advent of cyberthreats to the introduction of gunpowder in the impact on military thinking. Vice Adm. Nancy Brown, USN, director of command, control, communications and computer (C4) systems, J-6, the Joint Staff, also compared the network to a weapon system and stressed the need to understand how it is put together, its linkages and the consequences that actions there are going to have—down to second- and third-order effects. “If you don’t understand that, then you really can’t defend, attack and exploit” in that arena, Adm. Brown shared.

Modern militaries and societies rely on enormous databases to conduct their daily operations, Kuehl said. If that data becomes unreliable, the result is chaos. Cyberattackers need weapons of “precision disruption,” not mass destruction. “We cannot afford to lose this battle,” even though it may last only a matter of microseconds, hours or days, he noted.

Despite the aura of the fantastic that surrounds this subject, cyberwarfare is not science fiction. Estonia and Georgia both suffered assaults on their networks, assaults that in Georgia’s case were followed by kinetic attacks. Citizens of the United States may think they have it bad in the current economic meltdown, but just think if the banks were having to deal not with the evaluation of assets but with data corruption, a thought that raised questions about whether people’s money is safe, said Michael Chertoff, secretary of the Department of Homeland Security (DHS). “How long do you think it would be before people started to pull their money out of financial institutions?” he posited.

Cyberattacks can occur on many levels—ranging from the individual to the group to the nation-state. Chertoff cited a criminal ring apparently responsible for stealing 140 million credit card numbers. They captured the numbers as they were transmitted over a wireless network between major retailers.

Panelists in a Solutions town hall session are (l-r) John Grimes, assistant secretary of defense for networks and information integration (ASD NII); Bob Lentz, deputy assistant secretary of defense for information and identity assurance; Vice Adm. Nancy Brown, USN, J-6, the Joint Staff; and David M. Wennergren, deputy assistant secretary of defense for information management and technology.

In some developing states, government and private-sector networks are used to perform military reconnaissance and industrial espionage, according to Melissa Hathaway, senior adviser and cyber coordination executive in the Office of the Director of National Intelligence. “They are targeting you,” she warned the audience, “looking for your information and … handing it to their corporations.” Terrorist groups, including al-Qaida and Hamas, “have all expressed the desire to utilize cyber to target the United States,” she said. In the same vein, England cited McAfee’s estimate that more than 120 countries and other transnational organizations have developed Internet-based “weapons” to use against financial, political and military systems.

The U.S. government’s security strategy is not keeping up with the threat, Hathaway said. One reason is that for years the offense was not allowed to inform the defense. That has changed, but the problem still is that the enemies that the U.S. government and its allies are fighting operate mostly in private sector networks, and the .mil, .gov and .com domains all are actually linked, she pointed out. “A vulnerability of one is a vulnerability to all,” she argued. Information today is a strategic asset, she asserted—the business of the United States and of the world is conducted on the network.

In response to the perceived threat, the Bush administration launched the Comprehensive National Cyber Initiative (CNCI) in 2008. This initiative envisions “integrating all the tools and capabilities of national power,” Chertoff said, to make them available to the government domains and potentially to share them “in a somewhat refined form” with the private sector.

Chertoff and other speakers emphasized the importance of partnership between government and the private sector. The DHS chief, however, stressed the government’s sensitivity to privacy and civil liberty issues. The government is not looking to form a “massive federal presence sitting on the Internet,” he said.

The mechanism for cooperation with the private sector already exists, he shared, citing the sector coordinating councils that have been created under the National Infrastructure Protection Plan. He predicted “strong acceptance” of a partnership by the private sector but described the relationship as one to be handled with a “great deal of delicacy.” He suggested that government could play the role of the “enabler,” helping the private sector choose “performance standards.”

But Chertoff stated that the first priority is getting the government’s own house in order. The federal government’s civilian domains, for example, have had “literally thousands of points of access to the Internet,” a number that needs to be reduced in order to get a handle on the traffic coming in and out. According to Hathaway, the number of trusted public Internet connections in the federal .gov space at one point was more than 8,000. After a house cleaning effort, that number is now down to 2,700, she said, with an eventual target of fewer than 100. In the last decade, the .mil domain was similarly rationalized, reducing Internet access points from thousands to dozens.

Where attribution is difficult to determine, automatic massive cyberretaliation similar to Cold War nuclear deterrence may not be advisable. An instantaneous attack-back methodology built into computers could set up fratricides that could take everybody down, Hollis warned.

One improvement would be more realistic training, Kuehl suggested. “A lot of exercises include the cyber aspect up to the point where it starts to be painful,” he said. So it may be important to let a network exercise collapse in order to make the point.

Another area touched on by many speakers is the need for a well-trained work force to defend U.S. networks. The U.S. Defense Department has to defend itself against thousands of network attacks, intrusions and other incidents each day, England shared. In this sort of environment, work force challenges—particularly the declining number of college-level science and engineering students—poses one of the greatest long-term threats to the country, he noted. According to some experts, there are more honor-level students in computer science and other technical programs in China than the total number of students in the United States who are enrolled in these types of programs, he asserted.

Cyberoperations and adversary motivations are discussed in a panel featuring (l-r) Professor Daniel Kuehl, National Defense University; Doug Chabot, vice president, principal solutions architect, Qinetiq North America; Josh Corman, principal security strategist, IBM; and David Hollis, senior cyberspace and information assurance program manager, ASD NII.

“It’s not enough to think about how to stop the current problem—the Band-Aid approach,” Hathaway echoed. “We need to change the way we think about education” and drive changes similar to the U.S. push after the Sputnik launch in 1957.

Although it often does not grab headlines, the insider threat still is a major issue. Insider attacks are up more than 52 percent, according to Hathaway. Intrusion detection systems, intrusion prevention systems and firewalls are designed to look at the threat from the outside coming in rather than from the inside going out.

On the technology front, there has been insufficient emphasis on detecting anomalous behavior, she said. Signature- and behavior-based technology has not kept pace because “we have never looked at information as a strategic asset.”

Hathaway also underscored the necessity to understand and deal with the risks that may be introduced through the supply chain. She argued that the way to do this is through a public-private partnership. The government needs to understand “when somebody is starting to manipulate [the supply chain],” she said, and make decisions that are right from a security standpoint but that are not a “point defense” or harmful to industrial competitiveness.

Photography by Michael Carpenter

A New Cyberthreat Is Underestimated One area that does not seem to be in the crosshairs of cyberwarriors involves botnets, the million-strong networks of “zombie” computers hijacked from their unwitting owners through malware spread by e-mail spam. Run by faceless criminals, these mechanical attackers also rake in revenues in the millions of dollars a year from e-mail “product” sales, fraud and identity theft. Although the infamous Storm botnet attack peaked in 2007, the security industry still lacks adequate defense mechanisms against botnets, claimed Josh Corman, a principal security strategist with IBM. The root cause of this inertia is that the security community is “looking at technology, not motives,” he argued. Storm cleverly avoided retaliation by attacking consumers, not corporations, Corman said. The innocent, PC-buying public is not an interest group; it cannot make waves. Thus cyberpredators continue to make a killing by “targeting the part of the market we just don’t care about,” Corman explained. He described botnets as a “sleeping giant—a potential weapon of mass destruction.” Corman said he often is asked what the biggest security threats are. “It’s the leper colony,” as he termed the hijacked consumer population, “that has the most computational power [and that represents] the most risk to our infrastructure.” Although botnets today are used primarily to generate revenue, he said that the political aspects of these threats should not be ignored. Today’s signature antivirus software is not the answer, Corman warned. It is “antiquated defense technology” predicated on the idea that someone is “going to write a single executable to infect millions of PCs.” But the threat has shifted from the old, ego-driven style of attack, he argued. For one thing, it does not work. “Once a few victims have fallen, you can gather a sample [of the code] and inoculate the masses,” he said, whereas the smart, “for-profit” attacker will “write one virus for one target—one shot, one kill.” This enemy will infect a pharmaceutical company, for example, and extract ransom. The security community needs to realize these trends and take appropriate action, he asserted.