FEATURE ARTICLE  

Network Vulnerabilities Worry Pentagon  

2,006 

 By Stew Magnuson  

U.S. military leaders will say the nation’s ground forces are the best in the world. The Air Force will tout its air superiority, and the Navy, its ability to rule the seas.

But ask Pentagon officials about the Defense Department’s global communications network, and they’ll call it its weakest link.

While the conflicts in Iraq and Afghanistan can be seen on the nightly news, there are unseen battles being waged in cyberspace. It’s a war being fought by hackers, worms, net bots and cyber-terrorists. It’s a fight taking place in nanoseconds, 24 hours a day, and the attacks can be launched from anywhere in the world.

The U.S. military is comfortable facing enemies on traditional battlefields, but facing them in the virtual world is a new challenge, said Army Brig. Gen. Susan Lawrence, Joint Staff chief information officer and director of command, control, communications and computers. Until the military figures out how to defeat its adversaries in this battle space, “we’re not going to win the global war on terrorism,” she said at a military communications conference.

Marine Corps Lt. Gen. Robert Shea, director of command, control, communications and computer systems on the Joint Staff, said at the conference that “the network is our center of gravity, and our ability to defend it is our Achilles’ heel.”

Army Col. Carl Hunt, director of technology for the joint task force for global network operations, said those who attack the Pentagon’s network are often “a half step ahead of us.”

“We’ve gone to great lengths to build complementary capabilities in the kinetic battlefield,” but not in the virtual battlefield, he told military writers at a briefing. “We have a very thin, fragile communications capability basically in the global information grid and the Internet.”

Tom Kellerman, chief knowledge officer with the consulting firm, Cybrinth LLC, said the Internet threats come from different sources. Some are cyber-terrorists, others are criminal syndicates, and there are nation-states involved, as well.

North Korea supports a “hacker university,” where students learn to penetrate networks. In 2003, South Korean networks suffered a 450 percent jump in attacks that were believed to be originating from the north, Kellerman said.

The Defense Department’s 2005 annual congressional report, “The Military Power of the People’s Republic of China,” said the People’s Liberation Army sees computer network operations as a critical means of seizing the initiative in a future conflict. “The PLA has likely established information warfare units to develop viruses to attack enemy computer systems and networks,” the report said.

Meanwhile, the threat is not a full-scale cyber-attack designed to bring an entire network down, Kellerman said. Instead, it’s a war of attrition. It’s the “sniper attacks,” not a “blitzkrieg,” that should concern the Pentagon, he said.

Hackers don’t want to shut networks down, he said. They want to control them and be omniscient as to what the military is thinking and planning. “And a worst-case scenario is that they want to pollute the integrity of our data so they can provide misinformation,” Kellerman added.

Chinese Web sites were used extensively last year as a conduit to breach networks operated by the Defense Department, defense contractors and other U.S. agencies, according to the Washington Post. The attacks were described by one unnamed Pentagon source as an “ongoing, organized attempt to siphon off information from our classified system.”

Hunt declined to say if foreign governments were directly behind cyber-attacks on the Pentagon’s network. The nature of computer attacks, which can be launched through so-called “bot programs” embedded inside unwitting computer systems, makes it difficult to establish where an attack originates.

“There’s no question there are nations looking toward offensive [Internet] capabilities to direct against economies or infrastructures,” Hunt added.

Kellerman said most nations do not have cyber-crime laws, or the ability to forensically investigate such complexities. And if they do, they often find the attack is launched through a “zombie computer” in a third country. Operators of such computers don’t realize that their system has been hijacked by a hacker.

The Internet is not only used as a means to attack networks, but is used by enemies to pursue their goals, the experts said.

The Web aids cyber-terrorists because they can work collaboratively and globally. For example, a Romanian, a Chinese and a Pakistani hacker can meet in a chat room without ever seeing each other face-to-face and conspire to launch a worm, Hunt said.

Criminals are also seeking data to sell. “Identity theft has become more lucrative than cocaine trafficking,” Kellerman said. “Organized criminal syndicates are working in collusion with various nation states to pilfer intellectual property, financial data, you name it.”

Worms have come through the back doors of older systems, and companies are not doing a good job of protecting their networks, he added. They see it as an added expense. “There is an illusion, that if you encrypt something, you are totally secure,” he said.

Terrorists see cyber-crime as a way to fund their causes. Imam Samudra, the Indonesian bomber responsible for the Bali bombing in 2002, exhorted followers to finance their missions through Internet fraud and identity theft. Money can also easily be laundered online, Kellerman added.

“The danger we are facing is not that we will be turned off,” he added, “but that our enemies are feeding off of us in order to attack us or becoming omnipotent because they are already inside us.”

The integrity of software code written offshore is the major concern, both Kellerman and Pentagon officials said. The fear is that malicious code has been embedded in software used by the Pentagon, contractors or businesses.

The Defense Department has done “a fairly decent job” of keeping hackers out of its system compared to other organizations, Kellerman said, but warned there may be threats from the inside. “There are so many zombies, it’s a matter of kicking the enemies out of the castle rather than keeping them out.”

“The train has left the station in this regard,” Shea said. “This is the world we’re living in.”

The question is how to manage the risk, and create a balance between security and the necessity of working with international partners and the private sector. “I’ve got a lot of questions on this, but I don’t have a lot of answers,” Shea said.

Malicious code embedded in software should be a concern to everybody, not just the military, Hunt said. The National Security Agency is among the organizations looking into improving the certification processes. Looking at programming code line by line or module by module is a daunting task, so efforts are underway to develop an automated system to ensure a program doesn’t “phone home and tell some other country our business,” he said.

Meanwhile, development of automated programs designed to ferret out such programs should be kept in-house or with a trusted vendor, he added.

While networks must be protected in the cyber-battlefields, the old-school electromagnetic warfare weapons are still very much around and a threat to networks, said Rick Moran, counter-radio-frequency program manager at the directed energy technology office of the Naval Surface Warfare Center in Dahlgren, Va.

Electromagnetic weapons can be used to temporarily or permanently damage computer hardware. Chechen rebels, for example, have used radio frequencies to defeat Russian security systems.

“There are people who think about doing things like that,” Moran said at a conference sponsored by the Institute for Defense and Government Advancement.

Such weapons can be constructed from off-the-shelf technology. The Navy has tested homemade radio frequency weapons built from commercially available parts.

The effects of such weapons can range from temporary blips on a computer screen to permanently frying electronic equipment. They can be hidden in containers as small as a briefcase or as large as a truck. Operators may not even realize they’ve come under an electromagnetic attack. They may believe that their computer simply has some kind of glitch, Moran said.

“In many places we have single points of failure that are developed into our systems,” Shea said. Critical network infrastructure often passes through soft facilities, sometimes commercial enterprises that cannot thwart an electronic warfare attack. Proprietary designs have also caused vulnerabilities. The vulnerabilities may not always be the network pipelines, but could exist in power sources. The Pentagon is looking closely at where these key points of failure exist, Shea said.

Both Shea and Lawrence believe the Pentagon must develop a new class of warrior, the information assurance specialist. Too many personnel in such roles are “part-timers,” Lawrence said. Anytime the military launches an operation, an IA specialist should be deployed, they said.

The problem with developing personnel, checking code for malicious software and creating a more robust network, as usual, comes down to budget constraints.

Funding has been steady during the past three years, “but I don’t see us getting more money to do network defense,” Hunt said.
