WHAT THEY WILL DO NEXT—THE INFORMATION WARFARE GAMES

Finally, the number of cyberattacks and intrusions into Pentagon computer networks in 2001 is expected to top off at 35,000, an increase of 6% compared to the number of intrusions that occurred in 2000, according to the Department of Defense. However, the overwhelming majority of those intrusions are due to known vulnerabilities and poor security practices. Ninety-nine percent of the successful attacks and intrusions can be attributed to known vulnerabilities and security gaps that have gone unfixed, and to poor security practices by defense agencies.

Malicious hackers and other criminals penetrated Pentagon network security at least 25,160 times during the first seven months of 2000. Hackers stung the Pentagon at least 22,144 times in 1999 and 5,844 times in 1998.

These incidents will have served a constructive purpose if the Pentagon is willing and able to learn from them. By exposing and highlighting vulnerabilities, the attacks can actually help to inoculate the system during times of crisis—but only if the appropriate lessons are learned now.

The number of successful attacks raises questions about the Pentagon’s preparedness to withstand more skilled adversaries. The Pentagon is currently operating in a relatively benign international environment, yet they were hard pressed to deal with the detected hacks. The Pentagon has a raging case of technological hubris and is ready to be taken to the cleaners by a savvy adversary.

In addition to weak security practices by Department of Defense (DoD) network administrators, the increase in the number of attacks can be attributed to the greater availability of sophisticated hacker tools on the Internet. Someone with a very limited amount of computer skills can do a lot of damage. The increase in the number and the sophistication of the attacks poses a significant threat to DoD plans to use computer networks as part of its overall strategy to fight future conflicts, a concept known throughout the Pentagon as “network-centric warfare.”

Despite claims by senior officials that DoD’s classified systems are immune from attack, there are several connections between the Pentagon’s top secret and secret networks and the unclassified network that connects to the global Internet that make them vulnerable. However, sophisticated encryption devices designed by the National Security Agency protect the classified networks. All of the Pentagon’s various layers of networks are connected. Regardless of classification, there are connections and you are dependent on that infrastructure.

However, legal restrictions have hampered the DoD’s ability to respond to attacks and track down hackers. Due to legal and privacy[iii] restrictions, the department is prohibited from pursuing hackers beyond its networks. The agency can take defensive measures to stop a hacker, but to actively catch and prosecute a hacker, it must go through the FBI. The agency doesn’t go outside of their firewalls, but they’d like to.

One solution that the department is working on is a concept called “legal hot pursuit.” Pentagon criminal investigators are searching for a legal framework that would enable them to use one search warrant to track hackers back through the multitude of Web sites they often use as launching pads for their attacks. Today, these investigations require separate search warrants for every system used as part of a distributed denial-of-service attack.

How Other Countries Are Getting into the IW Games

According to the CIA, other countries are developing cyberattack capability. The United States could become a target of cyberattacks from a growing list of terrorists and foreign countries, including Russia, China, and even Cuba (see sidebar, “Has Cuba Joined the IW Games?”).

start sidebar
Has Cuba Joined the IW Games?

These must be jittery times for anyone in the military who uses the Internet. Not only do they have to guard against Love Bug worms and security holes in Microsoft Outlook, but they’ve also got to worry about Fidel Castro hacking into their computers.

According to the Defense Intelligence Agency, the 75-year-old communist dictator may be preparing a cyberattack against the United States. Castro’s armed forces could initiate an “information warfare or computer network attack” that could disrupt the military.

One can say there is a real threat that Cuba might go that route. There’s certainly the potential for Cuba to employ those kinds of tactics against the U.S.’s modern and superior military. Cuba’s conventional military might is lacking, but its intelligence operations are substantial.

In addition to Cuba, terrorists such as Osama bin Laden are now using the Internet and encryption to cloak communications within their organizations. So, you know, you recruit people on Internet sites, and you use encryption. You move your operational planning and judgments over Internet sites’ use of encryption. You raise money.

Bin Laden allegedly uses encryption (and a variant of the technology, called steganography) to evade U.S. efforts to monitor his organization. Also, bin Laden and his global network of lieutenants and associates remain the most immediate and serious threat to America.

And what about Castro? It might seem odd to view a country best known for starving livestock, Elian Gonzalez, and acute toilet paper shortages as a looming threat, but the Pentagon seems entirely serious. Cuba is not a strong conventional military threat. But their ability to employ asymmetric tactics against the U.S.’s military superiority would be significant. They have a strong intelligence apparatus, good security, and the potential to disrupt the U.S.’s military through asymmetric tactics. Asymmetric tactics is military-ese for terrorist tactics when your opponent has a huge advantage in physical power.

end sidebar

The CIA is detecting, with increasing frequency, the appearance of doctrine and dedicated offensive cyberwarfare programs in other countries. They have identified several (countries), based on all-source intelligence information, that are pursuing government-sponsored offensive cyberprograms.

Information warfare is becoming a possible strategic alternative for countries that realize that, in conventional military confrontation with the United States, they will not prevail. For instance, a cyberattack against a national target such as a transportation center or electrical power distribution center would, by virtue of its catastrophic consequences, completely overlap with the use of weapons of mass destruction.

The U.S. can make the enemy’s command centers ineffective by changing their data system. The enemy’s headquarters can then be used to make incorrect judgment(s) by sending mis- or disinformation. The enemy’s banking system and even its entire social order can also be dominated.

Cyber-warfare represents a viable strategy for countries that are outmanned in conventional warfare. These countries perceive that cyberattacks, launched from within or outside the U.S., represent the kind of asymmetric option they will need to level the playing field during an armed crisis against the U.S. With the advent of the cyber threat, the U.S. is faced with the need to function in the medium of ‘cyberspace’ where it will conduct its business in new and challenging ways.

The technology to launch cyberattacks is already well-known. The very same means that the cyber vandals used recently (in a much-publicized denial of service cyberattack that temporarily shut down several large Web sites) could also be used on a much more massive scale at the nation-state level to generate truly damaging interruptions to the national economy and infrastructure.

Interestingly, both the Chinese and Russians have expressed interest in some form of international effort to place curbs on such attacks. The Russians have gone so far as to formally propose, via the Secretary General of the United Nations, the development of “an international legal regime” to combat information crime and terrorism. Organizations such as Interpol have the structure in place to facilitate sharing information warfare data between countries, but a common basis of legislation, policy, and procedures is still needed.

[iii] John R. Vacca, Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill, 2001.



Computer Forensics. Computer Crime Scene Investigation
Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
EAN: 2147483647
Year: 2002
Pages: 263
Authors: John R. Vacca
