OFFENSIVE RUINOUS INFORMATION WARFARE TOOLS AND TACTICS

The U.S. military has a new mission: Be ready to launch an offensive ruinous cyberattack against potential adversaries, some of whom are stockpiling cyberweapons. Such an attack would likely involve launching massive distributed denial-of-service assaults, unleashing crippling computer viruses or Trojans, and jamming the enemy’s computer systems through electronic radio-frequency interference.

An order from the National Command Authority (backed by President Bush and Secretary of Defense Colin Powell) recently instructed the military to gear up to wage cyberwar. The ability of the United States to conduct such warfare doesn’t exist today.

The military sees three emerging threats: ballistic missiles, cyberwarfare, and space control. The U.S. Space Command, the agency in charge of satellite communications, has begun to craft a computer network attack strategy. This strategy would detail actions to be followed by the Unified Commanders in Chief (CINC) if the President and the Secretary of Defense order a cyberstrike. The CINCs are senior commanders in the Army, Navy, Air Force, and Marines deploying U.S. forces around the world.

The information-warfare strategy will be detailed in a defense plan called “OPLAN 3600,” which will require unprecedented cooperation with commercial enterprises and other organizations. There’s no set deadline for completing OPLAN 3600.

The U.S. may end up with a new type of weaponry for launching massive distributed denial-of-service attacks and computer viruses. The Chinese recently indicated they are already moving along with this.

In addition to the possibility of cybercombat between nations, the military acknowledges that terrorists without the backing of any country can potentially use cyberweapons to disrupt U.S. telecommunications or banking systems that are largely electronic. That’s one reason the U.S. Space Command is joining with the FBI to build an information-warfare strategy.

This requires a close relationship between military and law enforcement. The FBI will have to help determine if any cyberattack (see sidebar, “Cyberoffense Mired in Cold War”) suffered by U.S. military or business entities calls for a military or law enforcement response.

The absence of a catastrophic cyberattack against the United States has created a false sense of cybersecurity and has allowed costly Cold War-era Pentagon programs to siphon money from critically needed information technology and security programs. The United States is still mired in a Cold War-era defense-spending mentality.

The rapid advance of IT has created real and potentially catastrophic vulnerabilities. The consequences of a cyberterrorist attack “could be devastating.”

Eye of the Beholder

However, senior security officials are battling a perception problem, according to IW experts. Without a clear-cut example of an “electronic Pearl Harbor,” where a surprise cyberattack cripples financial markets and other critical systems, it’s difficult to convince top military and political leaders that IT research and development should be a bigger priority in the budget process.

Cyberterrorism is not an abstract concept. Although attacks historically have been labeled as “nuisances,” that may not be the correct way to look at the problem. The government is dealing with an “enormous educational deficit” when it comes to IT security.

Part of the problem is the fact that the Defense Department remains committed to lobbying Congress for money to pay for programs such as the F-22 Joint Strike Fighter instead of increasing funding for IT programs. That is not affordable even in this age of surpluses. DOD’s assumptions about future budget gains are “wrong.”

More money should be spent on advanced sensors, precision-guided weapons, and other IT programs. That type of investment would preclude the need to buy costly systems such as the F-22.

But even events such as the outbreak of the “love bug,” which reportedly cost the U.S. economy billions of dollars, have not convinced people in and out of government that the problem is real. Usually, when a major crisis costs people a lot of money, it leads to many visits to Capitol Hill and requests for help. But, that never happened after the love bug outbreak.

Some experts have questioned the government’s liberal use of the term terrorism to describe acts of mass disruption on the Internet. However, when asked about the seeming lack of interest in cyberattacks by well-known terrorists such as Osama bin Laden, a senior White House official said the focus should not be on what bin Laden does or does not do, but on being proactive and understanding that a major attack may be coming.

The U.S. is attempting to be proactive. But, many believe that the U.S. is going to get seriously nailed.

The National Security Agency is one of the federal entities that has taken a proactive approach toward security cooperation between government and industry. But one of the biggest challenges facing the nation, highlighted during the love bug incident, remains to be convincing industry that security is as important as making money.

Vendors and users have to treat information assurance as a fundamental precept of doing business. It has to become part of the business case.

The Internet is ubiquitous. It allows attacks from anywhere in the world. Attackers can loop in from many different Internet providers.

It could start across the street but appear to be coming from China. And something that might look like a hacker attack could be the beginning of cyberwarfare.

The growing bullets-and-guns conflict in the Middle East between Israel and the Palestinians, with Islamic supporters elsewhere, is being accompanied by cyberattacks from each side against the other. It’s serious enough that the FBI issued an alert about it to the U.S. Space Command, giving U.S. forces warning that the action on the cyber front could affect them as well.