WHAT THE CYBER MASSES HAVE TO LOSE




As explained in the preceding chapters, information warfare (IW) is the latest development in a long list of revolutions in military affairs based on new technology (other examples include the introduction of airplanes, the atom bomb, and long-range missiles). IW is defined as an attack on information systems for military advantage using tactics of destruction, denial, exploitation, and/or deception. The information cycle is vulnerable to these tactics at each step, from information gathering to data entry to data transmission to information processing to information dissemination. Current research is searching for robust solutions at each step in the information cycle, but the problem is systemic in that for every new solution, a new threat is developed in response to what the cyber masses have to lose.

The rise of IW is linked to widespread diffusion of information technology. The most important enabling feature of the diffusion of information technology is declining cost. Since the 1950s, costs have declined 94% every five years and most experts expect this trend to continue.

The IW threat will continue to grow at the expense of the cyber masses because entry costs are low and decreasing; a large number of foreign governments have already organized strategic IW organizations within their militaries. A second feature that affects IW is that as the technology becomes less expensive, it becomes more efficient to decentralize away from the hierarchical command structure that is traditional in the military.

Information systems are so critical to military operations that it is often more effective to attack an opponent’s information systems than to concentrate on destroying its military forces directly. There is a perception within military circles that control of information may become more important than air superiority was in previous wars. This has led to a reevaluation of military doctrine referred to as a revolution in military affairs (RMA).

A revolution in military affairs is a major change in the nature of warfare brought about by the innovative new application of new technologies which, when combined with dramatic changes in military doctrine and operational and organizational concepts, fundamentally alters the character and conduct of military operations.

The United States is potentially vulnerable to IW attack because it is more dependent on information systems than any other country in the world. For example, in the United States, 99% of all military communications is carried over civilian infrastructure, thus intermingling military/civilian targets. In a civilian context, the quality of life of our most basic needs is dependent on automated information-management systems.

The U.S. Department of Defense (DoD) has budgeted billions of dollars for IW, and all the military services have formed distinct IW organizations, which are drafting IW military strategies. In January 1997, the Defense Science Board within the Pentagon released a task force report warning of U.S. vulnerability to an “Electronic Pearl Harbor,” which puts the cyber masses at great risk with a lot to lose.

The Defense Advanced Research Projects Agency (DARPA) is funding millions of dollars in research to develop an “electronic immune system” that will provide some level of protection to the cyber masses against IW attacks. The Pentagon already spends $5 billion to protect its military information systems.

A Presidential Commission was recently formed by Executive Order 13010 to issue recommendations on how to best protect the cyber masses from IW. Eight critical national infrastructures were considered so vital that their incapacity or destruction would have a debilitating effect on the defense and economic security of the United States. These eight critical national infrastructures as listed by the executive order are:

  1. Electric power system (see sidebar, “Electric Power System Vulnerabilities”)

  2. Gas and oil storage and transportation

  3. Telecommunications

  4. Banking and finance

  5. Transportation

  6. Water-supply systems

  7. Emergency services (including medical, police, fire, and rescue)

  8. Continuity of government services (including federal, state, and local government services)

start sidebar
Electric Power System Vulnerabilities

Nationwide rolling blackouts could have a devastating impact on the economy, but experts also fear that the stress being placed on the nation’s power grid could make it more susceptible to disruptions from hackers. In California’s Silicon Valley, large Internet data centers have been blamed for stressing the region’s power grid beyond what its Korean War-era design can handle. Now, other states, including Oregon, Utah, and Washington, are preparing for possible rolling blackouts.

From a cybersecurity perspective, the electric power grids in the West are now more fragile, and margins for error are significantly less. With diminishing margins and power reserves, the probability for cascading catastrophic effects is higher.

The recent power shortages come as the Critical Infrastructure Assurance Office (CIAO) of the U.S. Department of Commerce delivered to Congress the first status report on private-sector efforts to bolster cyberdefenses for systems that run critical sectors of the economy. Although progress has been made in improving information sharing, officials acknowledged that they still know very little about how failures in one sector could affect other sectors.

In the context of broader infrastructure assurance, the scale and complexities of the energy infrastructure and their impact on infrastructure security and reliability are not fully understood. The energy industry continues to be the target of Internet-based probes and hacker attacks that seek to exploit known vulnerabilities in off-the-shelf software and systems that are increasingly being used to control and manage the power grid.

Likewise, the sector continues to fall victim to poor personnel security practices; ports and services that are open to the Internet; outdated software without current security patches; and improperly configured systems. With the system itself teetering on the brink of collapse, it becomes easier for a smaller incident to have a wider impact. For instance, if someone were to find a way to force the shutdown of a single power plant or a section of the power grid, the results would be much more devastating, because there is not enough reserve capacity to take up the slack.

In addition to the technical risks, the publicity generated by the recent crisis in California, and the possibility that hackers may try to exploit known vulnerabilities, there exists the possibility of making a bad situation worse. One risk with a situation like this is that it exposes the flaws of the system to public scrutiny. It shows everyone how vulnerable the cyber masses’ economy is to a power disruption. Like it or not, there are people in the world who pay attention to such revelations.

Anytime the visibility of a system is raised, it acts as an attack magnet. It is recommended that companies, particularly utility companies, treat the power crisis as a signal to begin stepping up network monitoring and security operations. The link between the stress level on the power grid and its vulnerabilities acts “like blood in water to a shark.” Hackers smell weakness and a chance for their 15 minutes of fame.

But electric companies have made significant progress in stepping up their security preparedness and have also set up information sharing and analysis centers to enable system administrators to share information with the FBI’s National Infrastructure Protection Center. When a transmission system is stressed, the system operators and security coordinators are operating at a heightened level of alert so they can quickly address and return the transmission system to normal from any situation that may occur. The electric system can withstand sudden disturbances such as electric short circuits or unanticipated loss of system elements. This was the case decades ago, and it is still true today.

end sidebar

The U.S. government should face the ethical consequences of the new global battleground now before a crisis arises by having a declarative policy concerning IW attacks. During the Cold War, the United States used a policy of strategic nuclear deterrence, warning that any attack on the United States could expect total destruction in return. It is commonly believed that this policy of deterrence was successful but is impossible to prove. By analogy, analysts have wondered if a similar strategy might deter IW attacks on the U.S. National Information Infrastructure (NII). For a strategy of deterrence to work the following must hold:

  • The incident must be well defined.

  • The identity of the perpetrator must be unambiguous.

  • The will and ability to carry out a deterrence strike must be believed.

  • The perpetrator must have something of value at stake.

  • The deterrence strike must be controllable.

This strategy of deterrence must be measured in the context of the inherent vulnerability of large technologically based systems. In what has been called the “complex-system issue,” there are axioms:

  1. Complex systems fail in unpredictable ways from causes that seem to be minor and, often, obvious flaws in retrospect.

  2. The failure of a complex system may be exceptionally difficult to discover and repair.

  3. Complex systems fail at inopportune moments—usually during demanding system use when the consequences of failure are highest.

It must be possible to determine if an “event” involving one of the United States’ vital infrastructures is the result of an accident, criminal attack, isolated terrorist incident, or an act of war. The damage to the cyber masses from an event may be the same regardless of the cause, but the cause of the event will determine the jurisdiction and nature of the response from the U.S. Government. Possible jurisdictions include private industry, the FBI/Department of Justice, CIA/NSA, or DoD; possible responses range from doing nothing to a nuclear retaliatory strike.

Ethical Challenges of IW to Prevent Cyber Masses Losses

This part of the chapter analyzes the most significant ethical questions of IW as a new form of warfare. Many of the questions have been raised before in previous contexts, but the unique characteristics of IW bring urgency to the search for new relevant answers.

It should be noted that this analysis is also pertinent to other military situations generally referred to as operations other than war (OOTW), such as peacekeeping missions, preludes to conflict, alternatives to conflict, sanctions, and blockades. For example, in an IW analogy to the U.S. blockade of Cuba during the Cuban missile crisis, there are IW techniques (jamming and denial of service attacks) that could be used to block and, thus, isolate rogue nations from international communications without circumventing physical sovereignty—much in the same way the British decided to sever all transatlantic telegraph cables that linked Germany to international communications at the outset of World War I.

What Constitutes an Act of War in the Information Age?

The nation-state combines the intangible idea of a people (nation) with the tangible construct of a political and economic entity (state). A state under international law possesses sovereignty, which means that the state is the final arbiter of order within its physical geographical borders. Implicit in this construct is that a state is able to define and defend its physical geography. Internally, a state uses dominant force to compel obedience to laws, and externally, a state interacts with other states in friendly cooperation, in competition, or to deter and defeat threats.

At the core of any nation-state’s view of war should be a national information policy that clearly delineates national security thresholds that another nation-state must not cross. This national information policy must also include options that consider individuals or other non-state actors who might try to provoke international conflicts.

Increasingly, the traditional attributes of the nation-state are blurring as a result of information technology. With IW, the state does not have a monopoly on dominant force, nor can even the most powerful state reliably deter and defeat IW attacks. Non-state actors are attacking across geographic boundaries, eroding the concept of sovereignty based on physical geography. With the advent of the information age, the United States has lost the sanctuary that it has enjoyed for over 200 years. In the past, U.S. citizens and businesses could be protected by government control of our air, land, and sea geographical borders, but now, an IW attack may be launched directly through (or around) these traditional geographical physical defenses.

War contemplates armed conflict between nation-states. Historically, war has been a legal status that could be specified by declaration and/or occur by way of an attack accompanied by an intention to make war. The modern view of war provides a new look at just war tradition, “jus ad bellum,” (when it is right to resort to armed force) and “jus in bello,” (what is right to do when using force). The six requirements of “jus ad bellum” were developed by Thomas Aquinas in the 13th century:

  1. The resort to force must have a just cause.

  2. It must be authorized by a competent authority.

  3. It is expected to produce a preponderance of good over evil.

  4. It must have a reasonable chance of success.

  5. It must be a last resort.

  6. The expected outcome must be peace.

There are two requirements for “jus in bello”: The use of force must be discriminate (it must distinguish the guilty from the innocent), and the use of force must be proportional (it must distinguish necessary force from gratuitous force). The application of just war reasoning to future IW conflicts is problematic, but there is a growing voice that there is a place for the use of force under national authority in response to broader national security threats to the values and structures that define the international order.

One aspect of the application of just war reasoning to IW is the problem of proportionality. It is impossible to respond to every IW action, because there are too many. At what threshold, in the lives of the cyber masses and their money, should the United States consider an IW attack an act of war? How many lives of the cyber masses must a given IW attack cost, or what is the threshold in monetary terms or physical destruction?

Article 51 in the United Nations Charter encourages settlement of international disputes by peaceful means. However, nothing in the Charter impairs the inherent right of individual or collective self-defense if an armed attack occurs.

Note 

Infringement of sovereign geographical boundaries by itself is not considered an “armed attack.” Experts do not equate “use of force” with an “armed attack.” Thus, certain kinds of data manipulation as a result of IW that are consistent with “use of force” would not constitute an “armed attack” under Article 51.

On the other hand, Article 41 of the United Nations Charter specifically states measures that are not considered to be an “armed attack”: complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio, and other means of communications. IW might still be considered an act of war, however, if fatalities are involved.

If data manipulation is such that the primary effects are indistinguishable from conventional kinetic weapons, then IW may be considered an “armed attack.” The paradigm shift is that weapons are devices designed to kill, injure, or disable people or to damage and destroy property, and have not traditionally included electronic warfare devices.

So, what are the ethical implications of the blurring distinction between acts of war from acts of espionage from acts of terrorism? Let’s take a look.

Ethical Implications

It is important to be precise in what the cyber masses identify as a crime and what they identify as an act of war. An “armed attack” as stated in Article 51 contemplates a traditional military attack using conventional weapons and does not include propaganda, information gathering, or economic sanctions. Espionage is a violation of domestic and not international law.

The threat analysis section of the 1997 Defense Science Board Report indicates that a significant threat includes activities engaged on behalf of competitor states. This introduces the new concept of low-intensity conflict in the form of economic espionage between corporations. In the age of multinational corporations that view geographical boundaries and political nation-states as historical inconveniences, should economic warfare between multinational corporations involve the military?

The new IW technologies make it difficult to distinguish between espionage and war. If espionage is conducted by computer to probe a nation’s databanks and military control systems, when is it an act of war versus an act of espionage? Does it depend on whether the intelligence was passively read versus information actively destroyed in battle and/or manipulated? Does it depend on whether the intelligence was used for military advantage or for political or criminal advantage? Does the answer depend on whether a state of war exists?

A different scenario is modifying internal computer software (via viruses, Trojan horses, or logic bombs) or hardware (chipping) before shipment to cause an enemy’s computer to behave in a manner other than they would expect. During peacetime, gaining entry to a computer’s internal operating system could be considered a criminal offense or act of espionage, despite the fact that the action in question took place before the enemy had acquired ownership of the computer. Is this prudent preparation for IW, or is this a hostile action that could precipitate a war? If the computer hardware “chip” is commercially manufactured and altered, what are the legal and ethical implications for a company inserting internal hardware hooks as specified in cooperation with national security at the “request” of the government, especially if the company has international sales? Finally, is IW a potential step that might lead to an escalated conventional military conflict that could have been avoided by other means?

Can IW Be Considered Nonlethal?

Nonlethal weapons are defined as weapons whose intent is to nonlethally overwhelm an enemy’s lethal force by destroying the aggressive capability of his or her weapons and temporarily neutralizing their soldiers. Nonlethal most often refers to immediate casualty counts, not to downstream collateral effects.

In response to the power of cyber masses opinion and instant global media coverage, the U.S. military has begun to develop a new kind of weaponry designed to minimize bloodshed by accomplishing objectives with the minimum use of lethality. This weaponry includes sticky foam cannons, sonic cannons, and electromagnetic weapons—which effectively temporarily paralyze the enemy without killing them.

Is it more ethical to use a sophisticated smart bomb precisely targeted to kill 30–40 soldiers immediately, or is it more ethical to choose a nonlethal weapon that has the same tactical effect with no immediate casualty count, but an indirect collateral effect of 300–400 cyber mass deaths? Ethically, the function of the target against which the weapon is used and the existence or lack of a state of war determine one ethical framework for analysis. For instance, disabling the electronics of a fighter plane or air defense radar during wartime is the goal of a large investment in electronic warfare equipment by the United States, and is considered fair and ethical. However, disabling the electronics of a civilian airliner or air traffic control, during either peacetime or wartime, violates the principles of discrimination of combatants and proportionality of response, and is considered unethical and an act against the cyber masses.

Is It Ethical to Set Expectations for a “Bloodless War” Based on IW?

As nonlethal weaponry of all types (especially IW weapons) advance from novelty to norm, however, many potential pitfalls will need to be faced. The most important of these is the expectation that such weapons will ultimately allow wars to be fought without casualties.

Nonlethal military capabilities are not new, although IW weapons are the newest weapons in the nonlethal arsenal. Military forces have used riot-control chemical agents, defoliants, rubber bullets, and electric stun weapons for decades. As U.S. military forces are involved in missions that require extended direct contact with civilians (Somalia, Bosnia), force can no longer be viewed as either on or off, but rather as a continuum with nonlethal weapons on one end and nuclear devices on the other end. In more traditional conventional warfare, IW attacks to disrupt, deny, and destroy C4I capabilities (command, control, communication, and computer intelligence) are a core part of military tactics and strategy. If IW weapons can be used to remotely blind an opponent to incoming aircraft, disrupt logistics support, and destroy or exploit an adversary’s communications, then many of the problems associated with the use of ground forces for these missions can be avoided.

It is important to point out that although nonlethal weapons are not meant to be fatal, they can still kill if used improperly or against people particularly susceptible to their effects. Because these technologies are potentially lethal in these circumstances, the term “nonlethal” has not been universally accepted within the U.S. military. For example, the U.S. Marine Corps uses the term “less lethal” to imply that there is no guarantee of nonlethality.

Asserting that IW will ultimately allow future wars to be fought without a casualty is a widespread misconception likely to prove counterproductive and even potentially dangerous to the cyber masses. First, all nonlethal weapons are not equally applicable to all military missions. Second, overselling of nonlethal capabilities without providing a context can lead to operational failures, deaths, and policy failure. Third, unrealistic expectations about nonlethal weapon capabilities inhibit their adoption by military forces that need to build confidence in these weapons.

There is a large asymmetry in global military power when comparing the United States to other nation-states. In 1994, the U.S. DoD budget exceeded that of Russia, China, Japan, France, and Great Britain combined. This asymmetry makes it unlikely another nation-state would challenge the United States in a direct high-technology conventional war, except in circumstances that the cyber masses should not depend on (incredible miscalculations and/or ignorant dictators, which were both present in the Gulf War).

Despite the luxury of a bumbling opponent, the success of the Gulf War has led the U.S. citizenry to expectations of low casualties in all future conflicts. These expectations go against two cardinal rules of military strategy: (1) you do not plan to refight the last war and (2) the future battlefields cannot be dictated by the United States. The next battlefield for which the U.S. DoD is preparing is a global battlefield with weapons of information warfare targeting the civilian infrastructure. Even in this scenario, military and civilian casualties will be likely from either primary or secondary effects from IW attacks.

Is It Ethically Correct to Respond to IW Tactics with IW Tactics?

If the United States is attacked by IW weapons, how should the U.S. government respond? By changing perspectives from defense to offense, what is in the U.S. arsenal to wage IW against an adversary:

  • Offensive software (viruses, worms, trojan horses)

  • Sniffing or “wiretapping” software (enabling the capture of an adversary’s communications)

  • Chipping (malicious software embedded in systems by manufacturer)

  • Directed energy weapons (designed to destroy electronics & not humans/buildings)

  • Psychological operations (sophisticated and covert propaganda techniques)

A strategy that uses these weapons in various combinations has the potential to replace conventional military forces. The question remains: Is it ethically correct for the United States to defend its security interests by resorting to the same IW tactics that are being used against it? Should information attacks be punished by information counterattacks? The options include maintaining the United States’ superpower status at all costs; covertly listening to its adversaries, but not actively disrupting operations; or contracting mercenaries, who are not officially affiliated with the U.S. government, to do its dirty work.

Cracking computers to deter and punish computer cracking erodes any moral basis the United States has for declaring the evils of IW warfare. It is also harder to predict secondary effects due to the globalization of systems. Retaliation may produce effects ranging from nothing to being counterproductive through destruction of U.S. interests. A nation-state or nonstate actor that sponsors an attack on the U.S. NII might lack an NII of its own for the United States to attack in punishment, and, thus, not be intimidated by a U.S. IW deterrence strategy.

Short of an official declaration of war, nation-states may seek UN Security Council action authorizing “all necessary means” even in the absence of an “armed attack” in cases of any threat to peace, breach of peace, or act of aggression. Every breach of international law creates a duty to pay for loss or damages; nation-states may seek recompense under “state responsibility doctrine.” In addition to recompense, retribution in the form of proportional countermeasures is authorized when an IW attack that does not involve the use of force violates international law. IW may violate multiple international laws depending on the scenario, including the following:

  • UN Convention on Law of the Sea (prohibits unauthorized broadcasts from the high seas)

  • International Telecommunications Convention of 1982 (requires nations to avoid “harmful interference”)

  • INTELSAT Convention (satellite communications for nonmilitary purposes)[i]

  • INMARSAT (maritime satellite communications for “only peaceful purposes”)

  • Chicago Convention (refrain from endangering safety of flight)

According to DoD policy Directive 5100.77, U.S. military forces are bound by law to follow the rules of engagement of the specific conflict as follows: “The Armed Forces of the United States shall comply with the law of war in the conduct of military operations and related activities, however such conflicts are characterized.” The problem is that there are no characterized rules of engagement for IW conflicts, which can take the form of isolated operations, acts of retribution, or undeclared wars.

The most serious problem for using IW retaliation to counter IW attacks is that adversaries could counter and/or copy IW capabilities. Every breakthrough in offensive technology eventually inspires a matching advance in defensive technology, thus escalating an IW weapons race.

A last issue related to retaliation is the ethical dilemma posed by the intermingling of the military and civilian sides of society. Given the uncertainty of deterrence and of identifying the enemy, which strategy is the most ethical for retaliation: a strategy that attempts to separate the military from civilians and, in so doing, has a diminished impact that potentially prolongs the duration of the conflict; or a strategy that attempts to minimize lethality and duration, but deliberately targets civilian systems?

Can Protection from IW Take Place in the United States Given Our Democratic Rights?

How much government control of the U.S. NII is permissible in a free society? Most of the IW technology is software, which is easy to replicate, hard to restrict, and dual-use by nature (with both civilian and military uses). The 1997 Defense Science Board report states that the DoD is “confused” about when a court order is required to monitor domestic communications. This raises basic questions about the constitutional and ethical balance between privacy[ii] and national security in a new IW context.

A “Big Brother” approach that places all of a nation’s telecommunications under a single government jurisdiction is improbable given the diffusion and complexity of technology and the shrinking size of government. Most systems were built to serve commercial users who will vehemently object to unfunded mandates (taxes) and new requirements not driven by business demand (CLIPPER chip encryption and key escrow accounts). Regardless, it is critical to the future security of the United States that the cyber masses find a way to protect their infrastructure from IW attack and have contingency plans for potential IW crises. If the IW attack is detected and the enemy identified, but the United States is unable to react promptly due to bureaucratic inefficiency or indifference from private industry, it may be too late to react at all.

Current political discussion has floated tax incentives and direct subsidies to promote industry cooperation. In a related matter that may provide a precedent, the government has pledged to provide telephone companies with at least $900 million to ensure that FBI officials can access telephone conversations over digital circuits (as opposed to accessing telephone conversations over analog circuits, which is technically much easier).

Now, let’s take a look at how much damage and/or destruction cyberattacks actually cause.

[i]John R. Vacca, Satellite Encryption, Academic Press, 1999.

[ii]John R. Vacca, Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill, 2001.






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
EAN: 2147483647
Year: 2002
Pages: 263
Authors: John R. Vacca
