PARTICIPATING IN DEFENSIVE PREVENTIVE INFORMATION WARFARE PLANNING




A congressionally appointed panel of national security experts recently recommended the creation of a National Homeland Security Agency (NHSA) to oversee government and private sector IW planning efforts to protect the nation's critical infrastructure from cyber- and physical attacks. The U.S. Commission on National Security, headed by former senators Gary Hart and Warren B. Rudman, urged the Bush administration to form the new agency and to include a National Crisis Action Center as a focal point for monitoring emergencies and for coordinating federal support in a crisis to state and local governments, as well as to the private sector.

It is doubtful, however, whether a proposal for a new security agency would fly, given the large number of agencies and organizations seeking the same funds and authority. Central to the new agency would be a directorate of critical infrastructure protection (CIP) that would manage cyberdefenses for the various sectors of the economy, including banking and finance, telecommunications, transportation, and utilities. Most of the nation's critical infrastructure is owned and operated by private sector companies.

An attack on any one of several highly interdependent networks can cause collateral damage to other networks and the systems they connect. Some forms of disruption will lead merely to nuisance and economic loss, but other forms will jeopardize lives. One need only note the dependence of hospitals, air-traffic-control systems, and the food-processing industry on computer controls to appreciate the point.

According to the U.S. Commission on National Security's recommendations, the CIP directorate would have two primary responsibilities. The first would be to oversee the physical assets and information networks that make up the U.S. critical infrastructure. The second would be to coordinate government and private sector efforts to address the nation's vulnerability to electronic or physical attacks.

In partnership with the private sector, where most cyberassets are developed and owned, the Critical Infrastructure Protection Directorate would be responsible for enhancing information sharing on cyber- and physical security, tracking vulnerabilities, proposing improved risk-management policies, and delineating the roles of various government agencies in preventing, defending, and recovering from attacks.

That effort is now done through a maze of different agencies and private sector partnerships, such as the National Infrastructure Protection Center, the Critical Infrastructure Assurance Office, and the various information-sharing centers formed in the private sector. As a result, the commission recommended that the Bush administration consolidate these efforts. To do this, the government needs to better institutionalize its private sector liaison across the board with the owners and operators of critical infrastructures; hardware and software developers; server and service providers; manufacturers and producers; and applied technology developers.

Stopping DoS Attacks Together

The most recent round of denial-of-service (DoS) attacks shows that cyberterrorism is alive and well, and that ebusinesses and their service providers aren't doing enough to stop it. Unfortunately, all corporate America and ISPs seem to be focused on is who to blame. After the recent attack on Microsoft shut off access to everything from Expedia to Hotmail, the company attributed the problem to one employee's misconfiguration of a router. Yet experts noted a failure to distribute DNS servers made the company vulnerable to begin with.

If a private company is going to minimize the number and effect of DoS attacks, what's required is a spirit of cooperation between companies and their ISPs, as well as among the ISPs themselves. ISPs are starting to tackle the subject of networkwide security, but they're doing it by laying out requirements for their corporate customers. In many cases, customers either follow the ISP's security guidelines or find themselves a new ISP; there's no room for negotiation. It's high time ISPs and their clients start sharing information about what works (and doesn't work) in terms of network architecture, data access, and security systems.

ISPs must ask themselves whether they're doing everything possible from a network monitoring and warning perspective. They should be giving serious thought to the latest security tools that can stop DoS attacks at their routers. After all, once an attack gets through the ISP, it's a lot tougher for an individual site to fend it off.

Everyone along the ebusiness food chain has something to lose when a DoS attack succeeds. The site that's been hit loses traffic, revenue, and customer loyalty. The ISP loses customer confidence and significant resources in combating the attack. Ultimately, every site that relies on the ISP must spend time and resources rethinking its security levels.

ISPs must communicate the types of attacks they're experiencing. They also must be prepared to notify one another of attacks, and even coordinate their responses when they do get hit. With so much at risk, it's hard to imagine why these conversations haven't been taking place all along.

Approaching IW Planning with IW Games

It's Independence Day, 2003. Glitches in air-traffic-controller screens cause a deadly mid-air collision above Chicago's O'Hare Airport, killing over 345 people in both planes and over 1,200 people on the ground when the planes plunge into a nearby crowded shopping center. Four weeks later, California Independent System Operator Corp., which controls California's power grid, somehow misplaces an electrical energy order to Northern California Edison, leaving three-fourths of Sacramento in the dark. Then in October, a high-power microwave burst fries the electronics at an Ebola virus research lab building at Fort Detrick (Frederick, Maryland).

Hypothetical 'information warfare' (IW) planning exercises like these are being played out around the country in preparation for what politicians, the military, and law enforcement officials fear will be an orchestrated cyberattack on critical U.S. private infrastructure companies (see sidebar, 'Five Easy Steps to Planning and Launching a Cyberattack'). The theory goes that if a well-funded, organized series of cyberattacks were to strike at a target's economic and structural nerve centers, it would send the target society into chaos and make it difficult for the military to communicate and move troops.

start sidebar
Five Easy Steps To Planning And Launching A Cyberattack

Here's how a computer invader plans and launches an attack on information systems:

  1. Recon: Invader uses information-gathering programs and techniques to sniff traffic at the network gateway, then scans ports or vulnerable services.

  2. Profile target: Invader gets passwords, then identifies machines and software running on the network.

  3. Attack: Invader gains root or administrative privilege of unclassified systems, then seeks and modifies information.

  4. Cover tracks: Invader hides the evidence trail and slips away.

  5. Wait for results: Invader watches CNN to see what damage he or she wrought.

The weak areas in defending against the preceding scenario are in predicting when someone is gathering information for a later attack. And, once a company has been attacked, the problem is in recovery.

Researchers are working on ways to tie an algorithm into other technologies also in research, including advanced forensics and a tracking system to follow a live evidence trail. Don't be surprised if algorithms eventually wind up in the private sector.

end sidebar
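The sidebar singles out the reconnaissance step as the hardest to predict. One concrete defensive measure is to look for its footprint in perimeter logs: a single source touching many distinct ports on one host inside a short window. The following is an added example, not code from the book or from any of the agencies it mentions; the log format, the sample lines and the window/threshold values are all constructed assumptions chosen for illustration.

```python
"""Reconnaissance (port-scan) detection over constructed firewall log lines.

Added example: flags a source that probes many distinct destination ports on
one host within a short time window, the footprint of the "Recon" step in the
sidebar. The log format below is an assumption, not a real product's format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not captured from any real system).
# Format assumed here: "<ISO timestamp> <ALLOW|DENY> <src> -> <dst>:<port>"
SAMPLE_LOG = """\
2003-07-04T10:00:01 DENY 203.0.113.7 -> 192.0.2.10:21
2003-07-04T10:00:01 DENY 203.0.113.7 -> 192.0.2.10:22
2003-07-04T10:00:02 DENY 203.0.113.7 -> 192.0.2.10:23
2003-07-04T10:00:02 DENY 203.0.113.7 -> 192.0.2.10:25
2003-07-04T10:00:03 DENY 203.0.113.7 -> 192.0.2.10:53
2003-07-04T10:00:03 DENY 203.0.113.7 -> 192.0.2.10:80
2003-07-04T10:00:04 DENY 203.0.113.7 -> 192.0.2.10:110
2003-07-04T10:00:04 DENY 203.0.113.7 -> 192.0.2.10:143
2003-07-04T10:00:05 DENY 203.0.113.7 -> 192.0.2.10:443
2003-07-04T10:00:05 DENY 203.0.113.7 -> 192.0.2.10:445
2003-07-04T10:00:06 DENY 203.0.113.7 -> 192.0.2.10:3389
2003-07-04T10:00:07 ALLOW 198.51.100.5 -> 192.0.2.10:443
2003-07-04T10:00:08 ALLOW 198.51.100.5 -> 192.0.2.10:443
2003-07-04T10:00:09 ALLOW 198.51.100.9 -> 192.0.2.10:80
2003-07-04T10:30:00 DENY 198.51.100.9 -> 192.0.2.10:22
"""

LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) -> (\S+):(\d+)$")


def parse_log(text):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown line shape: ignore rather than crash the monitor
        ts, action, src, dst, port = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "action": action,
            "src": src,
            "dst": dst,
            "port": int(port),
        })
    return events


def detect_port_scans(events, window_seconds=60, threshold=10):
    """Return one alert per (src, dst) pair that hits >= threshold distinct
    ports within any window_seconds-long span. Both parameters are tuning
    assumptions; lower them to catch slower scans at the cost of more noise."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ports = set()
            last_seen = start["ts"]
            # Walk forward from each event and collect distinct ports inside the window.
            for e in evs[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                ports.add(e["port"])
                last_seen = e["ts"]
            if len(ports) >= threshold:
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(ports),
                    "first_seen": start["ts"].isoformat(),
                    "last_seen": last_seen.isoformat(),
                })
                break  # one alert per pair is enough for an analyst queue
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(parse_log(SAMPLE_LOG)):
        print(f"possible recon: {alert['src']} probed {alert['distinct_ports']} "
              f"ports on {alert['dst']} between {alert['first_seen']} "
              f"and {alert['last_seen']}")
```

On the constructed sample, 203.0.113.7 is flagged for 11 distinct ports in a few seconds, while 198.51.100.9, which touches only two ports half an hour apart, is not. That second case is also the heuristic's known blind spot: a scan spread thinly over hours stays under the threshold, which is why such a detector is a starting point for the predictive analysis the text calls for rather than a complete answer.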

This particular information war game was played out among 86 IT executives attending an IW workshop at NSA Headquarters in Fort Meade, Maryland. In the worst-case scenario, every major industry sector would be affected.

Note 

Most of the targets in the NSA IW games are private-sector companies.

When you're talking about information warfare, you're talking about information technology systems used to cripple the government and economy. Close to 92% of those critical infrastructure companies are privately owned and operated.

Since 1999, IW preparedness has moved forward the fastest in the highly regulated and well-organized financial, energy, and telecommunications sectors. But IT leaders in the private sector say they're hesitant to report incidents to agencies such as the NSA and the FBI. Still, the agencies need this information for intelligence and predictive analysis.

Although the impact of IW bears the same uncertainty as Y2K did, many IW experts say cyberterrorism and cyberwarfare are inevitable. In 2000, hacking hobbyists showed how easy it is to propagate viruses throughout Internet-connected mail systems. They also showed they can hijack armies of unwitting computers and make those computers do their bidding. Now, the U.S. government is thinking about what terrorists with more resources could accomplish. And so are countries such as China and Russia, which are developing their own IW capabilities.

Yet, in spite of these indicators, IW thinkers say a cyberwar is years away. Clearly, the possibility of such an attack exists. That's what motivated the Bush administration to move forward with a national plan. But it's doubtful that anyone has the cybercapability today to launch an attack that would cripple the nation's infrastructure. The presidential directive predicts such a scenario is still years away.






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca