Current and future actions by governments around the world in response to attacks
on their computer systems are being watched closely by experts and policy makers.
In the United States, particularly, these developments will become part of what
could be a national policy for fighting the so-called cyber wars.
Recent cyber skirmishes between enemy nations offer stark examples of what
could happen in the murky, undefined confines of information warfare.
One instance involves a reported attack by Indonesia on an East Timor web site
based in Ireland. These attacks forced East Timor's web site host in Ireland
to shut down and relocate to another server.
Analysis
China and Taiwan, meanwhile, already may have taken cyber warfare to the next
level. After Taiwan's president Lee Teng-hui voiced support for the island's
independence in the summer of 1999, China began to launch cyber attacks aimed
at altering official Taiwanese government websites. What followed could be considered
state-to-state cyber war, in which complete infrastructures were assaulted.
"In late July, about a month after Lee's statement, Taiwan experienced
a nationwide blackout. One week later, many of the nation's banking teller machines
crashed," said John Pike, a military intelligence expert at the Washington,
D.C.-based Federation of American Scientists. "Taiwan denied at the time
that it was anything out of the ordinary ... but this seems much more than mere
coincidence," he said in an interview.
In the United States, meanwhile, many of the casualties of cyber wars are found
in the private sector. Computer Economics Inc., located in Carlsbad, Calif.,
estimated damages from computer virus attacks in 1999 at $7.6 billion (a figure
the U.S. government often cites). According to Computer Economics vice president
of research, Michael Erbschloe, "The attacks are a form of economic terrorism,
and the economic impact of each new attack will increasingly be damaging to
productivity."
One industry observer indicated, "The billions of dollars lost as a result
of cyber war should make it abundantly clear that this is a matter of national
security. We've been fortunate thus far in that we've lost only money and not
lives in a cyber attack ... yet."
Michael Vatis, director of the FBI's National Infrastructure Protection Center
(NIPC), pointed out in congressional testimony that the FBI has more than 800
pending investigations dealing with criminal cyber-attacks, and that doesn't
include hostile nation threats. Vatis believes the government desperately needs
the private sector's help in dealing with these problems. "Clearly, we
cannot rely on government personnel alone. Much of the technical expertise needed
for our mission resides in the private sector ... We rely on contractors to
provide technical and other assistance."
U.S. intelligence officials, speaking on background, explained that they have
routinely penetrated potential enemies' computer networks. These officials claim
that thousands of attacks have taken place, and sensitive information was stolen.
But critics warn that the legitimacy of these claims is questionable because
they come from organizations that specialize in secrecy, eavesdropping and perception
management operations. According to Bruce Schneier, of Counterpane Internet
Security in San Jose, Calif., there is an ongoing and "active disinformation
campaign by government" when it relates to cyber war.
These developments seem to validate recent comments by Rep. Porter Goss, R-Fla.,
chairman of the House Intelligence Committee: "The only certainty in this
uncertain world, as far as I'm concerned, is that threats are out there, and
they are getting more dangerous."
Protect and Defend
During the past two years, the Clinton administration has issued new policy
directives aimed at dealing with current and emerging threats to U.S. information
systems. Vatis pointed out that these policies have "set in motion an unprecedented
effort to protect our nation's critical infrastructure."
Vatis' NIPC is proving its mettle as the most visible U.S. government early
cyber warning and response interagency organization. Located at the FBI, it
employs 108 individuals representing the FBI, the Central Intelligence Agency,
the Defense Department, the Secret Service, NASA and the U.S. Postal Service.
It makes available to the public so-called Cybernotes, along with an array of
other documents, which assess weaknesses in commonly used software and provide
troubleshooting solutions.
The FBI also runs the Awareness of National Security Issues and Response Program
(ANSIR) which, according to FBI documentation, is "the public voice of
the FBI for espionage, counterintelligence, counter-terrorism, economic espionage,
cyber and physical infrastructure protection, and all national security issues."
ANSIR provides information to corporations, law enforcement and government
agencies. It puts together a "national security threat list" designed
by the FBI, intelligence agencies and the military. The program includes an
ANSIR fax/email reporting system, and offers up to a $500,000 reward for "stopping
espionage."
Congress also has stepped in to fund increased cyber-warfare activity and numerous
hearings have been held on the subject. Late last year, lawmakers approved nearly
$500 million of the president's early 1999 request for information operations.
A Senate staffer indicated: "The Congress is in the mood to fund programs
related to information operations."
On the House side, there have been talks about a future Homeland Defense Committee
that would be formed to deal with cyber defense issues, along with chemical
and biological defense concerns. However, a congressional staffer told National
Defense that no new committee would be created, but there would be a "member
level meeting" to discuss cyber-related issues.
"The members are clearly interested in looking at this [cyber war] issue
... particularly since the government is years and years behind technologically,"
said the staffer. "The government is not there anymore ... the commercial
sector has the lead."
"Put me in a room with 12 hand-picked computer technicians, and I will
do more damage to an adversary's infrastructure than a B-1 bomber or the 7th
Fleet," said Frank Jones, president of Codex Systems in New York, and a
former New York City police officer. His company produces surveillance and tracking
software for military and intelligence agencies.
"The private sector is so far ahead in this field," said Jones. During
recent product demonstrations to government representatives, "the look
on their faces was one of awe, like they had never seen the technology."
One of Codex's technologies allows agencies to remotely monitor any Internet-linked
PC in the world and does not require physical access to the target PC. "Think
of it as a fly-on-the-wall inside your computer," said Jones. "Investigators
electronically place hidden software via the Internet from any listening post
in the world capturing data, video, audio, keystrokes."
Another product by Codex was developed in response to the alleged theft of
nuclear weapons secrets from a U.S. government facility. This technology tags
electronic documents, which are then stored on a server, hard drive, floppy
disk or "Honeypot." If the intruder is connected to the Internet and
opens a tagged document, a message is automatically sent back to a command center
somewhere in the world. According to Jones, that tagged document can be tracked
through multiple chains of custody anywhere in the world.
Jones pointed out that cyber attacks are less likely to occur against secure
facilities, such as Fort Knox, than against more vulnerable targets. "Who
in the government or in the corporate world doesn't take work home and put it
on the computer? You can attack the home PC."
At the Air Force Research Laboratory in Rome, N.Y., Joe Giordano and Dennis
McCallum are developing techniques and technologies to maintain data stability
in the event of a cyber attack, as well as to monitor and trace attacks. Giordano
and McCallum are part of the vanguard in emerging fields known as information
resiliency, cyberpathology, computer forensics and TransAttack analysis, all
of which aim to assess damage, track, recover data and produce evidence for
a counter attack or criminal prosecution.
Their techniques follow similar patterns to those used in medical pathology,
viral tracking models used by the Centers for Disease Control and even genetic
mapping techniques for data tracking. They speak about data as proficiently
as a physicist or biologist would speak of particles and cilia.
"I'm a big believer in looking at the more well established disciplines
to see what I can learn," said Giordano.
McCallum agreed. "For example, we're looking into helping the U.S. Army
frame its policy for continuity of operations and we're looking into what other
industries have done ... If they've already done something successful in this
area, and it applies, we'll use it."
His employer, Logicon-Northrop Grumman, based in Herndon, Va., has implemented
an internal incentive program, offering $10,000 and $5,000 prizes to employees
who come up with useful innovations that can be applied to information security
projects.
The Air Force Research Lab now has in place a number of cyber-defense mechanisms
such as false databases made from deception software (available on the Internet)
that create a bogus trail for potential hackers. When the attack is detected,
a TransAttack, or forensic analysis, begins. As Giordano describes it, "While
the attack is happening we gather the evidence: Who is doing this? Where are
they?"
Those efforts have found their way into programs such as the Automated Intrusion
Detection Environment (AIDE). AIDE is being developed for the Defense Department
and the private sector and will, ultimately, allow security personnel to "be
aware of global cyber-threats, to access locally relevant information from a
single computer platform, and to quickly choose a course of action," he
explained. An upcoming demonstration will focus on an "integrated tactical
warning-attack assessment capability for intrusion" and will involve 27
sites worldwide.
Giordano predicted the next key development in the defensive information warfare
field will be the ability to compile and correlate information from a variety
of attacks. "The software applications have to know about data; what to
throw away and what to keep," he said. AIDE is an ambitious attempt in
that direction.
Rules of War
The National Security Agency (NSA) last year was awarded patent number 5,937,422.
Experts said this could be significant because that patent is for a machine-based
voice-pattern recognition technology. Put simply, the NSA may have a revolutionary
tool to monitor international voice and data traffic by tagging speech. According
to the patent documentation, "possible applications of the present invention
include ... a search engine for Internet ... an interface for legal/financial
information retrieval, keyword indexing for document retrieval for locating
portions of interest within documents, automated data sorting, natural language
processing."
According to Schneier, of Counterpane, this technology may allow the NSA to
"harvest millions of telephone calls." It also raised concerns among
privacy groups and the international community about the potential access by
the U.S. government to private and corporate data.
Many questions remain unanswered about the rules of engagement in cyber warfare.
If the U.S. government declared martial law or a state of national emergency,
what could it do legally to control cyber space? According to Stuart Biegel,
professor of cyber space law at the University of California, Los Angeles, the
field is wide open.
"The reality is that in a time of war, the government ... will generally
ignore the law or use the available laws to justify actions taken against another
nation. It's really a problem of enforcement," he said in an interview.
"Remember, during the Cuban missile crisis, we did not use the word 'blockade'
because by international law, that was an act of war. We used 'quarantine' to
avoid war. I don't anticipate it being any different with cyber war."
And why wouldn't the basic rules of martial law apply to the Internet? Assume
the United States decided to shut it down, speculated Biegel. "The problem
now is that you have to figure out where U.S. cyberspace ends and international
cyberspace begins. How would that affect the international community? What are
the implications? Truly, it is an unexplored region, and no one knows how a
nation would respond to a full scale, attributable cyber attack."
Responses to attacks against the United States could be drastic, according
to the Pentagon's office of general counsel. In a document released early last
year, titled "An Assessment of International Legal Issues in Information
Operations," the consequences of a large-scale campaign of computer network
attacks "might well justify a large-military scale response."
The report, additionally, said that "there are no show stoppers in international
law for information operations as now contemplated by the Defense Department
... The growth of international law in these areas will be greatly influenced
by what decision makers say and do at critical moments."
According to Maj. Gen. Wang Pufeng of the Chinese Army, "In the final analysis,
information warfare is conducted by people at all levels of decision making
and operations."
That's a point often overlooked by technocrats, noted Dorothy Denning, professor
of computer science at Georgetown University in Washington, D.C. "In this
field, you've got an interesting mix of people: Chicken Littles, who believe
the sky is falling and everyone's out to get us, and Big Brother-types who fear
government is everywhere. It's hard to find balance sometimes."
Denning, the author of Information Warfare and Security, believes that the most
effective defense against cyber threats, real or imagined, is an educated body
of citizens, "an educated public that understands the issues and the threats
involved."
John J. Stanton is a member of the professional staff of the National Defense
Industrial Association. His e-mail address is jstanton@ndia.org