Chapter 13: The Information Warfare Arsenal and Tactics of the Military




OVERVIEW

The growing reliance on computer networks makes the networks themselves likely sites for attack. What is more, civilian and military networks are becoming increasingly intertwined, and so the U.S. military’s focus has shifted from protecting every network to securing mission-critical systems. Current efforts include software agent-based systems (for real-time detection of, and recovery from, a cyberattack) and network-level early-warning systems (for monitoring suspicious on-line activity).

As tensions continue to mount in the Middle East, a different sort of pitched battle is being waged behind the scenes. With all the fervor of their comrades in arms, computer-savvy patriots on both sides have managed to infiltrate or disable enemy Web servers. And so the Hezbollah site was reprogrammed to play the Israeli national anthem, while Israeli government sites were slowed to a crawl by wave upon wave of hostile e-mail.

As displays of warlike aggression go, the bombs, bullets, and mortar fire that recently claimed the lives of some 600 Palestinians and Israelis were far more troubling. That said, the prospect of cyberwarfare, or information warfare, is a deadly serious matter in military circles. The electron is the ultimate precision-guided weapon. Indeed, the more heavily we come to rely on computer networks, the greater the fear that adversaries will attack the networks themselves. In the very worst case (what some have termed an electronic Pearl Harbor) a sudden, all-out network assault would knock out communications as well as financial, power, transportation, military, and other critical infrastructures, resulting in total societal collapse.

Civilian and military networks are increasingly intertwined. The advent of the Internet means there really isn’t an “outside” anymore. Even when Air Force information warfare (IW) personnel are planning a mission, that planning runs on infrastructure shared with the public World Wide Web.

Another concern is that the military’s push toward commercial off-the-shelf technology is exposing vital networks to attack. A lot of important decisions are being made that will affect the future of information war, but they’re being made in Washington State (home of Microsoft Corporation), not in Washington, D.C.

Military networks tend to be favored targets for hackers. The Pentagon figures it fends off something like a half-million attacks a year. Annoying and costly as that may be, the odd idiot or random rogue trying to break in is not the chief worry; that happens all the time. The Pentagon’s primary concern is the government that is prepared to invest heavily in coordinated strategic attacks on the U.S.’s military and civilian networks. So, although the line between cyber crime and information warfare often blurs, what separates the two is that the latter is state-sponsored.

For the information warrior, the basic issues are protecting oneself from attack, identifying the attacker, and then responding. By far the most effort has gone into the first area, network security. Here, commercial firms have led the way, producing a host of off-the-shelf hardware, software, and services, from firewalls to intrusion sensors to encryption schemes. For the civilian world’s take on information warfare, see Chapter 18, “Civilian Casualties: The Victims and Refugees of Information Warfare.”

The U.S. military is generally regarded as being farthest along in its information warfare preparedness. A fairly recent recognition has been that it is not possible to simultaneously defend the myriad military, civilian, and commercial networks.

A further recognition has been that simply trying to “keep the bad guys out” is futile. No system is perfect—somebody’s always going to get in.

Nowadays the focus is on keeping so-called mission-critical networks up and running, and detecting intruders early on, before any real harm gets done. Work is now going into developing early-warning systems for information networks, akin to the radar and satellites that watch for long-range missile attacks. A system administrator typically only has local knowledge of the health of his own system.

A bird’s-eye view, by contrast, would allow analysts to correlate attacks from the same IP addresses, or from those having the same mode of operation, or from those occurring in a certain time frame. Achieving such a network-wide perspective is the aim of Cyberpanel, a new Darpa (Defense Advanced Research Projects Agency) program, as discussed in sidebar, “Renegotiating the Human–Machine Interface.”

start sidebar
Renegotiating The Human–Machine Interface

Creating inherently secure and robust information technologies for the U.S. military is one of the chief aims of the information technology systems (ITS) office at the Defense Advanced Research Projects Agency (Darpa), in Arlington, Virginia. The work at the Darpa ITS office is defensive, rather than offensive, in nature. They’re like the people who worry about seatbelts in cars, rather than the designers of large, fast engines.

Historically, Darpa not only was significant in generating technologies such as the Internet, but also in developing methods for protecting these systems. Fundamental protocols such as TCP/IP (transmission control protocol/Internet protocol) were meant for a very benign environment: they were designed with no built-in authentication, integrity protection, or confidentiality, so they are very leaky against spoofing and eavesdropping. Darpa spent the early to mid-’90s sort of patching the holes in these initial systems. They now need to start investing in the next-generation architecture.

One problem is that Darpa is making plans on moving ground. The sort of network attacks of two years ago were not nearly as sophisticated, serious, or numerous as what they are seeing now. In looking at the next-generation networks, they have to work iteratively so that functionality and security are negotiated in tandem.

Up until now Darpa didn’t have any experience in designing for large-scale systems, in an operational environment. Their attitude was: They fund this work, which leads to commercial products, which the Department of Defense (DOD) then buys, and that’s how they fulfill their defense mission. But DOD has problems that aren’t addressed by the commercial world, such as having to deploy large, heterogeneous systems.

So Darpa plans to start working with the Pacific Command, which covers about 53% of the earth’s surface. They’re going to move out from the laboratory and develop their tools in that operational environment. Nothing will test what they do more than that.

Which Technologies Look Promising for Information Warfare?

Darpa sees great potential in optical networking. Eventually, an all-optical network might look like a telecommunications network, with a single switch from one person to you, and with a central hub. On this view, things like distributed denial-of-service attacks would be ruled out, and the connection would be almost impossible to detect, because the signal is highly multiplexed over several wavelengths. It’s clear they can do that for local-area networks (LANs). If Darpa can field these advanced systems for a DOD environment, which would involve maybe a hundred thousand nodes, they could be the precursors of what will enter the commercial market.

Right now, a typical defense analyst who wants to gain an understanding of the enemy will spend most of his or her time scouring databases, rather than doing what humans do best, which is using deep cognitive abilities. The defense analyst is not only looking for needles in a haystack but also pieces of needles. And as the world moves much faster, humans really can’t keep up.

So Darpa has to start assigning to machines more of the job of searching data, looking for associations, and then presenting to the analyst something he or she can understand. It’s like prosthesis, except it doesn’t just assist the analyst, it lets the analyst do a 40-foot pole vault. It amplifies what the human is good at.

In the future, Darpa will be operating with increasingly heterogeneous forces—human soldiers alongside robotic forces. So how does a machine understand a commander’s intent? To allow them to communicate, Darpa needs machine prosthesis to do the translation.

end sidebar

WetStone Technologies Inc., in Freeville, New York, a developer of information security products, is at work on a similar tool known as Synthesizing Information from Forensic Investigations (SIFI). Any given network will generate forensic data, and that data can come from any of a number of intrusion detection programs. Once that data is posted on SIFI’s Web site, it is automatically synthesized so that analysts can examine, search, correlate, and graph information on attacks that have happened across many locations.
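The “bird’s-eye view” described above for Cyberpanel, and the cross-site synthesis that SIFI is meant to provide, come down to correlating intrusion-detection records from several sites by source address, by mode of operation, and by time frame. The following is an added example of that correlation, not code from Darpa, WetStone, or this book; the alert record format (site, time, source IP, signature) and the sample alert lines are constructed for illustration.

```python
"""Correlate intrusion-detection alerts from several sites by source IP
and time window, and by signature ("mode of operation") across sites.
Added example; the record format and alert lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: "site | UTC time | source IP | signature".
SAMPLE_ALERTS = """\
base-east | 2000-07-12T03:14:02 | 198.51.100.7 | PORTSCAN
base-west | 2000-07-12T03:16:40 | 198.51.100.7 | PORTSCAN
depot-pac | 2000-07-12T03:19:11 | 198.51.100.7 | FTP-BRUTE
base-east | 2000-07-12T09:02:55 | 203.0.113.25 | WEB-CGI-PROBE
base-west | 2000-07-13T11:47:03 | 203.0.113.25 | WEB-CGI-PROBE
depot-pac | 2000-07-12T03:30:00 | 192.0.2.44 | PORTSCAN
"""


def parse_alerts(text):
    """Turn the pipe-separated records into dicts with a real datetime."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        site, ts, src, sig = [f.strip() for f in line.split("|")]
        alerts.append({"site": site, "time": datetime.fromisoformat(ts),
                       "src": src, "sig": sig})
    return alerts


def correlate_by_source(alerts, window=timedelta(hours=1), min_sites=2):
    """Sources that hit at least `min_sites` distinct sites within `window`.

    A single administrator sees only his own site's hits; this view joins
    them so a source probing several installations in quick succession
    stands out as one campaign."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    campaigns = {}
    for src, hits in by_src.items():
        hits.sort(key=lambda a: a["time"])
        # Slide a window forward from each hit; report the first cluster
        # that spans enough sites.
        for i, first in enumerate(hits):
            cluster = [h for h in hits[i:] if h["time"] - first["time"] <= window]
            sites = {h["site"] for h in cluster}
            if len(sites) >= min_sites:
                campaigns[src] = {
                    "sites": sorted(sites),
                    "signatures": sorted({h["sig"] for h in cluster}),
                    "start": cluster[0]["time"],
                    "end": cluster[-1]["time"],
                }
                break
    return campaigns


def correlate_by_mode(alerts, min_sites=2):
    """Same signature seen at several sites, regardless of source or time."""
    by_sig = defaultdict(set)
    for a in alerts:
        by_sig[a["sig"]].add(a["site"])
    return {sig: sorted(sites) for sig, sites in by_sig.items()
            if len(sites) >= min_sites}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for src, info in correlate_by_source(alerts).items():
        print(f"{src}: {info['sites']} {info['signatures']} "
              f"{info['start']} .. {info['end']}")
    print(correlate_by_mode(alerts))
```

In the constructed data, 198.51.100.7 touches three sites within five minutes and is reported as one campaign, whereas 203.0.113.25 probes two sites more than a day apart and is not clustered by time, though its signature still shows up in the mode-of-operation view. Real deployments would also normalize clock skew between sites before comparing timestamps.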

In regards to rapid recovery: In the summer of 2000, the computer network in one of the Department of Defense’s (DOD’s) battle management systems came under attack. Erroneous times and locations began showing up on screen; planes needing refueling were sent to rendezvous with tankers that never materialized, and one tanker was dispatched to two sites simultaneously. Within minutes, though, a recovery program installed on the network sniffed out the problem and fixed it.

The DOD itself staged the attack as a simulation, so as to demonstrate the first-ever “real-time information recovery and response” during an information warfare attack. In the demo, staged by Logicon, software agents were used to catch data conflicts in real time, allowing the system to remain on-line (see sidebar, “Agent-Based Systems”).

start sidebar
Agent-Based Systems

Software agents are defined very broadly—enabling real machine-to-machine communications, allowing machines to understand content, send messages, do negotiations, and so on.

Darpa Agent Markup Language (DAML) is a fairly large project to create a next-generation Web language, a successor to extensible markup language (XML). It’s aimed at semantic interoperability—to make more of what’s on-line machine-readable. Right now, when a machine gets to a Web page, it sees natural language, photos, and things like that, none of which are easy for machines to process. You can’t ask it to do a content-based search for you, because it can’t understand the content.

Making more readable content would involve anything from describing what’s on the page (“this is a homepage,” “this is an advertisement”) all the way up to “this page is about such-and-such and it relates to the following facts.” The more that machines can recognize content, the more they can share content, and the more agent-based systems can be built.

Military Applications of DAML

One of the military applications of DAML is in intelligence, which is used for collecting facts and, more important, for linking facts. Different communities have different terms for the same thing, or the same term for different things. One community may refer to a Russian fighter plane as a MiG-29A, and another group may call it by its NATO reporting name, Fulcrum. On the current Web, you can’t search on one term and find the other.

The other domain for DAML is command and control, where Darpa is trying to recognize what information relates to which entities. A famous failure of that kind is the U.S. bombing of the Chinese embassy in Belgrade during the 1999 Kosovo campaign. An agent that could have said “this map is old” might have allowed the U.S. to recognize what was really going on.

But all that only works if Darpa’s systems, which were built by different people talking different languages and using different approaches, can be integrated. In one of Darpa’s other projects (control of agent-based systems [CoABS]), they’re trying to set up middleware that makes it easy for systems, including legacy systems, to communicate. The ability to quickly throw together systems in a command center or on the battlefield is crucial. Both CoABS and DAML are aimed at creating that kind of infrastructure, for much richer machine-to-machine communication and understanding.

Broad Academic–Industry–Government Collaborations

In DAML, for example, Darpa is working very closely with the World Wide Web Consortium. They’re also funding a group at the Massachusetts Institute of Technology (MIT) that is helping refine the language. That group includes Tim Berners-Lee, one of the developers of hypertext markup language (HTML), and Ralph Swick, one of the developers of XML. They’re making sure Darpa learns from their experiences.

end sidebar

Keeping the system on-line is the key step. One has to ensure the flow of information to the war-fighter. Network recovery also means preserving the so-called minimum essential data, the basic set of information one would need to regenerate a system should it be disabled.
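The Logicon demonstration described above (an agent catching a tanker dispatched to two sites at once, and fixing it within minutes) and the “minimum essential data” idea in the preceding paragraph both reduce to a consistency check plus a known-good state to fall back on. Here is an added example of that pattern in miniature; it is not the demonstration’s code, and the schedule records, the invariant chosen (one tanker, two different tracks, overlapping times) and the agent design are assumptions made for illustration.

```python
"""Detect conflicting refueling assignments and roll back to the last
consistent schedule. Added example; the records and the invariant are
constructed, not the DOD/Logicon demonstration."""
from copy import deepcopy
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations


@dataclass(frozen=True)
class Rendezvous:
    tanker: str
    receiver: str
    track: str        # refueling track (location)
    start: datetime
    end: datetime


def find_conflicts(schedule):
    """Pairs of legs that send one tanker to two different tracks at
    overlapping times: the 'one tanker dispatched to two sites' error."""
    conflicts = []
    for a, b in combinations(schedule, 2):
        if a.tanker != b.tanker or a.track == b.track:
            continue
        if a.start < b.end and b.start < a.end:   # time windows overlap
            conflicts.append((a, b))
    return conflicts


class ScheduleAgent:
    """Holds the live schedule and a copy of the last consistent one
    (the 'minimum essential data' needed to regenerate the picture)."""

    def __init__(self, schedule):
        if find_conflicts(schedule):
            raise ValueError("initial schedule is inconsistent")
        self._known_good = deepcopy(schedule)
        self.live = deepcopy(schedule)

    def apply_update(self, new_schedule):
        """Publish an update only if it is consistent; otherwise restore the
        last known-good schedule and report what was wrong."""
        conflicts = find_conflicts(new_schedule)
        if conflicts:
            self.live = deepcopy(self._known_good)   # real-time recovery
            return False, conflicts
        self.live = deepcopy(new_schedule)
        self._known_good = deepcopy(new_schedule)
        return True, []


# Constructed sample schedule.
T0 = datetime(2000, 7, 12, 14, 0)
H = timedelta(hours=1)
GOOD_SCHEDULE = [
    Rendezvous("KC-135-01", "F-16-A", "Track Alpha", T0, T0 + H),
    Rendezvous("KC-135-02", "F-16-B", "Track Bravo", T0, T0 + H),
]
# Injected record: KC-135-01 is also sent to Track Charlie while still on Alpha.
TAMPERED_SCHEDULE = GOOD_SCHEDULE + [
    Rendezvous("KC-135-01", "F-15-C", "Track Charlie", T0 + H / 2, T0 + H + H / 2),
]


def run_demo():
    """Apply the tampered update; return (accepted?, conflicts found,
    live schedule restored to the known-good one?)."""
    agent = ScheduleAgent(GOOD_SCHEDULE)
    ok, conflicts = agent.apply_update(TAMPERED_SCHEDULE)
    return ok, len(conflicts), agent.live == GOOD_SCHEDULE


if __name__ == "__main__":
    print(run_demo())
```

The invariant is deliberately narrow; a production agent would carry a whole set of them (a receiver assigned to a tanker that is not in the roster, a rendezvous time in the past, a location outside the tanker’s range) and would log the rejected update for forensic review rather than silently discarding it.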

New information technology will undoubtedly open up new attack routes, alongside whatever desirable features it may offer. Take wireless technology.[i] Jamming remains the tried-and-true mode of attack. But what if, instead of blocking signals, the enemy was to infiltrate communications links and send out false data? Just detecting such an RF attack is tricky.

Unlike the Internet protocol (IP) world, there are no virus checkers or intrusion detectors, and there are a lot of different types of radios and tactical data links. For example, the Joint Tactical Radio System (JTRS) will support, in a single downstream box, all the legacy waveforms and provide interoperability among all existing and envisioned tactical radios. It also features software-defined cryptographic capabilities. Being computer-based, however, it introduces a whole new class of threats to radios that didn’t exist before: the radio’s software itself becomes a target.
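The false-data problem raised above is the one a practitioner would answer with message authentication rather than detection after the fact: if every frame on the link carries a keyed MAC and a monotonic counter, injected, modified, and replayed frames are rejected at the receiver, whatever the waveform. The following is an added example of that check, not JTRS code or any real tactical data-link format; the frame layout, the shared key, and the messages are constructed assumptions.

```python
"""Reject injected or replayed frames on a data link using HMAC-SHA256
and a per-link counter. Added example; the frame layout, key and
messages are constructed, not a real tactical data-link format."""
import hashlib
import hmac
import struct

# Constructed demo key shared by both ends of the link (an assumption).
LINK_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAG_LEN = 16   # truncated HMAC-SHA256 tag


def build_frame(key, counter, payload):
    """Frame = 4-byte big-endian counter || payload || truncated HMAC."""
    header = struct.pack(">I", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class LinkReceiver:
    """Accepts a frame only if its MAC verifies under the shared key and
    its counter is strictly greater than the last accepted counter."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def accept(self, frame):
        if len(frame) < 4 + TAG_LEN:
            return False, "truncated"
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload,
                            hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare; covers forged, modified, and wrong-key frames.
        if not hmac.compare_digest(tag, expected):
            return False, "bad-mac"
        counter = struct.unpack(">I", header)[0]
        if counter <= self.last_counter:
            return False, "replay"          # old frame re-sent by the adversary
        self.last_counter = counter
        return True, payload


if __name__ == "__main__":
    rx = LinkReceiver(LINK_KEY)
    genuine = build_frame(LINK_KEY, 1, b"POS 34.05N 118.25W")
    print("genuine:", rx.accept(genuine))
    print("replayed:", rx.accept(genuine))
    tampered = bytearray(genuine)
    tampered[8] ^= 0x01                      # flip one bit of the position
    print("tampered:", rx.accept(bytes(tampered)))
    forged = build_frame(b"attacker-guess-key", 2, b"POS 35.00N 119.00W")
    print("forged:", rx.accept(forged))
```

Two caveats the passage itself implies: this catches falsification, not jamming, which no amount of authentication prevents; and it is only as good as the key management behind it, so a compromised radio (the new threat that software-defined radios introduce) can still originate perfectly valid frames.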

Of course, an offensive side of information warfare also exists: striking back. Given that you’re able to determine the culprit, what is the appropriate response? Obviously, you’d have one response for a teenage hacker at a university in the United States, and quite a different one for somebody abroad who is working for a government.

Not surprisingly, the military is rather tight-lipped about its offensive IW capabilities. It’s safe to assume, though, that the arsenal includes all the tactics deployed by ordinary hackers (worms, viruses, trapdoors, logic bombs), as well as surveillance technology for intelligence purposes.

Here it may be helpful to distinguish between weapons of mass destruction (which in the case of information warfare, would be a widescale assault on assorted military and civilian networks) and “weapons of precision disruption.” The latter comprise lower-level strikes on specific targets, carried out over months or years by, say, an insider whose cooperation has been volunteered, bought, or coerced by a foreign state. That slow-drip mode of attack can be both harder to detect and more damaging over time. Pulling off an electronic Pearl Harbor, on the other hand, would mean not only bringing down vast and disparate networks, but also keeping them down long enough to inflict real harm.

Information warfare may also be waged as a social engineering campaign. Attacks on important, highly visible sites (the Nasdaq, say) might shake public confidence. If you could plant a lot of bogus earnings reports out there, so that you see a 50% sell-off in a single day, that would be enough to spook even long-term investors. Because it targets trust rather than systems, this type of attack is arguably what the military is most vulnerable to, and it should be among its greatest concerns.

So how vulnerable is vulnerable? Not all agree with the dire claims made about information warfare. As one skeptic has put it: “Anyone still caught uttering ‘electronic Pearl Harbor’... is either an ex-Cold Warrior trying to drum up antiterrorism funding through the clever use of propaganda, or a used-car salesman/white-collar crook of some type.”

It’s a problem, but not a crisis. Look, any time you institute a new technology, there are going to be downsides. You buy boilers, you get heat, but they may blow up. Thus, the way to have the positives and not the negatives is to attend to the safety and security issues. Computer networks are no different. If the national security of the United States were really on the line, there’s a lot people could do that they haven’t done yet. Diligent use of encryption and authentication, better policing of network activity, and air-gapping (keeping critical networks separate from noncritical ones) are all possible right now.

This is not to say that you shouldn’t have a few cops on the beat to keep an eye out for anomalous on-line activity. But life is not risk-free.

Now, let’s get down to specifics and look at the military tactics themselves.

[i ]John R. Vacca, Wireless Broadband Networks Handbook, McGraw-Hill, 2001.






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca