THE ROLE OF INTERNATIONAL ORGANIZATIONS


Information on countries with offensive IW initiatives is less authoritatively documented, but studies and foreign press reporting help point to international organizations that probably have such an initiative underway. A 1996 U.S. General Accounting Office (GAO) report on the threat to Defense Department systems stated that the Department of Energy and the National Security Agency estimated that 120 countries had established computer attack capabilities. At the low end, in June 1998 the Director of Central Intelligence stated that several countries are sponsoring information warfare programs, and that nations developing these programs recognize the value of attacking a country’s computer systems—both on the battlefield and in the civilian arena. A March 1999 report by the Center for Strategic and International Studies (CSIS) identified Russia, China, the United Kingdom, France, Australia, and Canada as countries that have dedicated considerable resources toward developing IW capabilities. The March 1999 National Communications System (NCS) report on the threat to U.S. telecommunications states that, among these, the National Intelligence Council reports that Russia, China, and France have acknowledged their IW programs. According to the NCS report, other countries, such as Bulgaria and Cuba, reportedly have initiatives focused on developing computer viruses (Table 12.1).

Table 12.1: Publicly identified foreign countries involved in economic espionage, information warfare: Initiatives and U.S. remediation.

Columns: Country; Economic Espionage; Information Warfare Initiative; Major Remediation Provider. Entries recorded for each country, in column order:

  • Bulgaria: Yes*

  • Canada: Yes, Yes

  • Cuba: Yes*, Yes

  • France: Yes*, Yes

  • Germany: Yes*, Yes

  • India: Yes, Yes, Yes

  • Iran: Yes, Yes

  • Iraq: Yes*, Yes

  • Ireland: Yes

  • Israel: Yes*, Yes, Yes

  • Japan: Yes*

  • Pakistan: Yes

  • Philippines: Yes

  • Russia: Yes*, Yes

  • South Korea: Yes

  • Taiwan: Yes*

*Countries identified by NCS as using electronic intrusions usually for economic espionage purposes.

An independent review of international press reporting and military press articles on international organizations’ initiatives points to three other countries among those engaged in economic espionage (Iran, Iraq, and Taiwan) that are involved in the development of IW technologies, programs, or military capabilities. All of these countries publicly acknowledge pursuing defensive IW initiatives with the goal of protecting their military information capabilities or national information infrastructure:

  • India established a National Information Infrastructure-Defensive group several years ago, apparently in response to China’s growing interest in IW.

  • As recently as January 2001, the Israel Defense Forces (IDF) acknowledged the existence of an information warfare defense unit whose mission is to protect military systems, but noted that the electric utility had organized its own defense.

  • Taiwan also recently announced creation of a task force to study ways to protect their information infrastructure from the growing IW threat from China.

Creation of a national defensive information infrastructure program is a good (and probably necessary) indicator of an international offensive IW initiative. Defensive measures (deterrence, protection, and restoration) are difficult to implement without also developing an understanding of potential adversaries, investing in computer and software development, and creating a major operational capability—all steps directly applicable to creating an offensive IW capability. From a military strategic perspective, in an era when offensive IW has many technical advances over the complexities of cyber defense, a strong offensive IW capability provides both a defense and a virtually assured counter-strike capability against potential adversaries that is generally cost-effective.

The presence of a defensive IW initiative, however, is inadequate alone to assess that a foreign country is also developing its offensive counterpart. To judge that a country probably has an offensive IW initiative (including military theory, technology development, operational unit or individual training, or deployed forces) requires positive responses to at least one of the following questions:

  • Has a country been reliably identified as participating in offensive IW activities, especially in “preparation of the battlefield” activities (such as implanting and using trap doors) that would facilitate computer network attacks in a future conflict?

  • Have authoritative, but unofficial, host country sources suggested that a country has an offensive IW program?

  • Do specific activities of the national security or domestic information technology mind point to the development of capabilities usually (and preferably uniquely) associated with offensive IW?

Among the major foreign providers of software remediation services, Israel and, to a lesser extent, India have acknowledged a defensive IW or national information infrastructure protection program, and also meet at least one of the supplemental criteria. For instance, Israel was involved in the 1991 penetration of U.S. defense computers and copying information on the Patriot missile defense system, according to the NCS report. Reliable reporting corroborates that Israel (see sidebar, “Israel’s Cyberwar Seminar”) is among the leading sources of intrusion attempts (protected defense information systems and networks). See sidebar, “Sampling Of Foreign Official Comments On National IW Initiatives,” for further information.

start sidebar
Israel’s Cyberwar Seminar

Cyberterrorism has evolved into more than just kiddie hackers and the odd denial-of-service attack. It’s a phenomenon that can affect the course of a conflict and the minds of the public—and it must be addressed.

The aim of the recently held symposium is to illuminate a relatively unexplored and unresearched dimension of the new media and cybermedia, how they are applied in the context of real war, how they compare with virtual war games, what really happens in virtual wars, are they really that important, and other implications. It’s not only the Israelis and the Palestinians who have taken their battles into cyberspace. Cyberterrorism is playing a part in conflicts around the world, from the former Yugoslavia and Kosovo to enmity between China and Taiwan, India, and Pakistan. The symposium will address the phenomenon in general, as well as the Middle Eastern angle.

Other implications may be cultural or religious, such as the repercussions when Jewish hackers add links to pornographic material to the Palestinian Hamas site. Are the attackers aware of the insult inflicted on religious (although certainly not necessarily pious) Hamasniks?

Speakers included members of the Israeli Parliament (the Knesset), and representatives from the Ministry of Foreign Affairs, Israeli ISP Netvision, and the Israeli Defense Forces, all of which have suffered cyberterrorist attacks that have brought down sites—in some cases for several days when content was not simply altered but, rather, deleted. The Israeli-Palestinian cyberwar, although not as old as the non-virtual enmity between the two sides, only adds to the difficulties of those attempting to broker a peace deal when hostilities don’t appear to be decreasing. With the current situation, the Internet may be the only place where collaboration from both sides could take place.

Sampling of Foreign Official Comments on National IW Initiatives

Russia:

In response to a question posed in a June 1998 interview about Russia’s new military doctrine, Col-Gen Valeriy Manilov, first deputy chief of the General Staff of the Armed Forces, stated that the doctrine under development acknowledges the world trend toward development and introduction of weapons of information warfare. On the other hand, it will define the forms and means of their use, and adequate protection against them.

France:

Air Marshal Francois Vallat, Commander of French Air Defense, stated in 1993, “We must master the domain of information in order to acquire military supremacy.” This is difficult to do, especially if one must simultaneously deny the adversary the capacity to do the same. In crises and conflicts, tomorrow even more than yesterday, supremacy will belong to those who can best and most rapidly collect and exploit the most information.

India:

Although New Delhi has not officially acknowledged an offensive IW initiative, India’s Chief of Naval Staff Admiral Vishnu Bhagwat stated in an interview with the Indian press that the Navy had recently commissioned an IW air squadron that will equip them to secure information dominance of the new millennium.

Israel:

A May 24th 1999 article in the Jerusalem Post states that Israel has never made any official mention of its offensive capabilities, and the IDF spokesperson refused to allow questions on the topic in an interview with the head of the cyberwarfare defense unit. Nonetheless, Lt. Col. Evtan, head of the IW unit, noted that in the future, this (cyberwar) would be a central part of the battlefield. It doesn’t mean there won’t be divisions and fighters, but the fighting capability in the digital battlefield and the cyberwarfare will certainly be very significant. It does not necessarily have to be damage in the battlefield casualties, but in damage that could lead to total chaos. The article goes on to note that cyberattacks can come from allies sitting across the world.

The case that India also has an offensive IW is more problematic. The 2000 ASIS survey report identifies Indian nationals as among the top five sources of economic espionage against the United States, but does not indicate whether these nationals use cyber techniques nor whether they targeted more commercial information.

end sidebar

Ranking the Risks

The results of this analysis point to a tiered set of foreign national risks to U.S. computing and network systems remediation involving the insertion of malicious code. For example, at the top, the United States, India, and Israel are the most likely countries to use the broad opportunity remediation in light of their historic involvement in economic espionage, and the likelihood that they have ongoing offensive IW initiatives.

On the other hand, France, Germany, Russia, and Taiwan comprise a second tier of countries that have been identified as participants in economic espionage against the United States and that have developed initiatives, but are not believed to be major foreign sources of U.S. remediation services. Although their efforts may have less impact on the national-level integrity of networks, companies and government agencies utilizing services provided by these countries are still at significant risk. Also, the governments and companies in the other countries that have engaged in economic espionage against the United States may also utilize this unique opportunity to take advantage of these espionage objectives.

Protecting and Responding

The ability to protect corporate or government systems and networks against these foreign (domestic) risks hinges on comprehensive testing and validation of the integrity of the remediation software by a trusted independent source before it is implemented. Analysis of the software and testing for trap doors and other accesses are key elements in this risk reduction.

Besides testing for intended performance, analysis of the content of the program is most important. Evaluators should ensure that all the program code has a legitimate business purpose; any user code should be extracted. Often evaluators will have access to the object code (the applications-level information used to operate the software) rather than the program-language source code, which undermines the effectiveness of content analysis. Customers may wish that the source code be shared with the evaluator so its integrity can be examined. The evaluator needs to match the object code against what is actually used in the corporate application to validate the testing.
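
One way to carry out the matching step described above, as an added example that is not part of the original text: hash every file in the tree the evaluator tested and in the tree running in production, then report where they differ. The directory layout, file names, and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix():
            hashlib.sha256(path.read_bytes()).hexdigest()
        for path in sorted(root.rglob("*")) if path.is_file()
    }


def compare(evaluated_dir, deployed_dir):
    """Report where the deployed tree departs from the evaluated one."""
    evaluated, deployed = manifest(evaluated_dir), manifest(deployed_dir)
    return {
        # Same name, different bytes: the tested binary is not the one running.
        "modified": sorted(n for n in evaluated.keys() & deployed.keys()
                           if evaluated[n] != deployed[n]),
        # Evaluated, but absent from production.
        "missing": sorted(evaluated.keys() - deployed.keys()),
        # Running in production, but never seen by the evaluator.
        "unevaluated": sorted(deployed.keys() - evaluated.keys()),
    }


def demo():
    """Build two constructed sample trees standing in for real object code."""
    with tempfile.TemporaryDirectory() as tmp:
        ev, dep = Path(tmp, "evaluated"), Path(tmp, "deployed")
        for d in (ev, dep):
            (d / "lib").mkdir(parents=True)
        (ev / "billing.o").write_bytes(b"\x7fELF-billing-v1")
        (dep / "billing.o").write_bytes(b"\x7fELF-billing-v1")
        (ev / "lib" / "dates.o").write_bytes(b"\x7fELF-dates-v1")
        (dep / "lib" / "dates.o").write_bytes(b"\x7fELF-dates-v1+patch")
        (ev / "report.o").write_bytes(b"\x7fELF-report-v1")
        (dep / "lib" / "remote_admin.o").write_bytes(b"\x7fELF-extra")
        return compare(ev, dep)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Any entry under "modified" or "unevaluated" means the test results do not cover what is actually deployed, so those files need to go back to the evaluator before the testing can be treated as valid.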

Preventing unauthorized access in the future is a second essential step in ensuring the integrity of the system or network. Evaluators can begin by using standard hacker tools to see if the software displays any access vulnerabilities. At a second level, a red team approach (actually trying the software) can be taken to explore more deeply whether trap doors exist. Special attention needs to be paid to all authorized software accesses, such as those for remote system administration, which could result in future introduction of malicious code. These software accesses should be protected and they should be able to identify and halt delivery of malicious code.

In the event malicious code is identified in testing or operation of the remediated software, specially trained FBI agents and computer specialists can preserve critical evidence that can be used in identifying and prosecuting the perpetrator. They can also use such evidence to compare similar events and facilitate the restoration of protected service to the system. Early FBI involvement in addressing criminal computer intrusions has helped smooth the national computing transition to the next millennium.

Proposed Cybercrime Laws Stir Debate within International Organizations

Lots of countries still haven’t updated their laws to cover Internet-based crimes, leaving companies in many parts of the world without legal protections from malicious hackers and other attackers who are looking to steal their data. But corporate executives and IT managers may not necessarily like the laws that are starting to emerge in some regions. Of special concern is a proposed cybercrime treaty being developed by the 41-nation Council of Europe, which some business groups fear could affect corporate data-retention policies. For example, the Global Internet Project, an Arlington, Virginia-based organization that’s trying to head off government regulation of the Internet, in November 2000, claimed that the proposed treaty could actually hamper efforts to stop cybercrime and to track down people who launch computer-related attacks. Those concerns were echoed by attendees at a forum on international cyberlaw sponsored by McConnell International LLC, the consulting firm that issued the new report on cybercrime laws.

Privacy advocates are also raising an alarm, arguing that the proposed European treaty may tread on privacy rights. They fear that they are going into an area where the problem is not too little law but too much law.

What’s clear, however, is that many countries are beginning to wake up to the issue. There is competition among countries for leadership and excellence in the digital economy. There is a kind of a race to see which countries are going to be the leaders in this new way of doing business.

The European cybercrime treaty could be ready for approval by the middle of 2002, and is then expected to be adopted by the United States and other countries outside of Europe. Its intent is to help law enforcement officials track down malicious attackers and child pornographers by easing cooperation among police. The treaty also seeks to prevent data havens—areas in which laws governing cybercrimes are weak.

However, the treaty has left companies such as WorldCom Inc. uncertain about what its legal requirements or liability risks will ultimately be. There is so much gray area.

A key area of concern is data retention. Internet service providers are worried that they may face new obligations to hold onto data in response to requests from law enforcers. For example, the treaty as it now stands could enable countries to demand that companies keep data sought for use in investigations for as long as government officials deem necessary. Clarification on the data-retention issue is going to be needed.

France appeared on a list of legal laggards. But a recent court ruling in that country required Santa Clara, California-based Yahoo Inc. to prevent French citizens from trafficking in Nazi paraphernalia. The court action illustrates the point that there are too many laws on the books already.






Computer Forensics. Computer Crime Scene Investigation
Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
EAN: 2147483647
Year: 2002
Pages: 263
Authors: John R. Vacca
