IS THE UNITED STATES GOVERNMENT PREPARED FOR INFORMATION WARFARE?




The answer to the preceding question is a resounding “no.” A reasonable question that should be asked is “Why are we vulnerable?” In a recent report by the Defense Science Board Task Force on Information Warfare, the task force unequivocally lays the blame at the U.S. government’s own doorstep.

The reality is that the vulnerability of the Department of Defense (and of the nation) to offensive information warfare attack is largely a self-created problem. Program by program, economic sector by economic sector, the U.S. government has based critical functions on inadequately protected telecomputing services. In aggregate, the U.S. government created a target-rich environment and the U.S. industry has sold globally much of the generic technology that can be used to strike these targets. From the standpoint of psychological operations, it’s not so much exploited technology as it is that the U.S. government has created a global information system it does not control and does not understand, and this in turn creates additional targets for exploitation. Most recently, this problem is being exacerbated by the growing emergence of “always-on” connections being made to individual homes and small businesses.

Recently, for example, a private security company alerted the FBI that it had found a malicious program on some 3,000 computers that could be remotely activated to launch an attack on a site of the controller's choosing: a Trojan horse, lying dormant until commanded. Many of these computers are privately owned and sit on cable-modem or digital subscriber line (DSL) always-on connections. In addition to the technological risk posed by the fact that many of these computers have very limited or no security, their users are attractive targets for social engineering for a simple reason: the very thought that they would be targeted for an attack is foreign to the owners.

From an information warfare perspective, there are three primary target audiences for an attacker using psychological operations (PSYOPS): the enemy, those friendly to his or her cause, and the neutrals, each chosen for a specific purpose. If the attacker is simply a hacker, cracker, or script kiddie, the purpose might be nothing more than grabbing a credit card number or proving to friends that he or she could do it. Unfortunately, the dangers the U.S. government faces are not limited to those groups. It also faces multinational efforts to subvert its defenses and gain an economic, diplomatic, or military advantage. These efforts might be aimed not only at the U.S. defense structure but also at the utility infrastructure, transportation, communications, finance, and much more. Nor can the government discount the entrance of organized crime into the equation, not to mention political activists and disgruntled employees.

So, as more individuals (the neutrals) turn to the Internet for tasks that have traditionally been handled in person or by other conventional means, such as banking, tax filing, shopping, and personal communications, the Internet as a locus of commerce and communication becomes increasingly critical both to the individual and to the businesses and industries that serve the individual. And although the commercial sector is beginning to realize the importance of security, the information on virtually unprotected personal machines may very well hold the key to a crippling attack on any sector, simply because those sectors exist to let the personal machines connect and do business.

From a PSYOPS point of view, however, how is it done? In any attack, finding and exploiting a trust relationship can be a key to success for the attacker. Let's look at how a trust relationship can be exploited. One of the most often cited examples of a network trust relationship that was exploited successfully is the Mitnick attack of 1994. Here Kevin Mitnick discovered a trust relationship between host A and host B: A accepted remote shell (rsh) commands from B without a password because B was listed in A's .rhosts file. He was able to determine the probable initial sequence number that host A would use in its reply after receiving the initiating packet of a three-way handshake, because A's TCP implementation raised that number by a fixed amount for each new connection. He silenced host B with a denial-of-service attack (a SYN flood), so that B could not respond to packets it had not asked for, and sent a SYN packet to A crafted to look as if it came from B. A's SYN-ACK went to the silenced B and Mitnick never saw it, but he sent the ACK he had predicted A would expect, completing the handshake blind, and followed it with a small payload that appended a wildcard entry to host A's .rhosts file, causing host A at that point to trust any host, including Mitnick's computer. He dropped the attack on host B and simply accessed A as a trusted root user.
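As an added example (not code from the book), the handshake described above, modelled end to end in Python: host A hands out initial sequence numbers the way 4.4BSD did (128000 higher for each new connection), host B is either SYN-flooded into silence or left responsive, and the attacker samples A's ISN from its own address, then completes a handshake blind using B's address. The host names, the starting ISN, the sequence numbers and the .rhosts payload text are constructed; the random-ISN variant is seeded only so the run is repeatable. Three runs show the three conditions the attack needs: the ISN must be predictable, B must be unable to answer A's SYN-ACK, and A must already trust B.

```python
"""Blind TCP spoofing against a host with predictable ISNs (closed model).
Host A trusts host B via .rhosts. The attacker forges B's address but never sees
A's replies to B, so everything rests on guessing A's initial sequence number.
All names and numbers are constructed for this example."""
import random
from dataclasses import dataclass
A, B, ATTACKER = "A", "B", "attacker"

@dataclass
class Segment:
    src: str
    dst: str
    flags: str              # "SYN", "SYN-ACK", "ACK", "PSH-ACK" or "RST"
    seq: int
    ack: int = 0
    payload: bytes = b""

def predictable_isn(start=0x6A7B0000):
    """4.4BSD-style: each new connection gets the previous ISN + 128000."""
    while True:
        start = (start + 128_000) & 0xFFFFFFFF
        yield start

def random_isn(seed=1):
    """Unpredictable per-connection ISNs (seeded only so the demo is repeatable)."""
    rng = random.Random(seed)
    while True:
        yield rng.getrandbits(32)

class TrustingServer:
    """Host A: completes handshakes; runs rsh commands from hosts listed in .rhosts."""
    def __init__(self, isn_gen):
        self.isn = isn_gen
        self.half_open = {}         # peer -> ACK number that completes its handshake
        self.established = set()
        self.rhosts = {B}

    def receive(self, seg):
        if seg.flags == "SYN":
            isn = next(self.isn)
            self.half_open[seg.src] = isn + 1
            return Segment(A, seg.src, "SYN-ACK", isn, seg.seq + 1)
        if seg.flags == "RST":                      # peer aborts: forget the state
            self.half_open.pop(seg.src, None)
            self.established.discard(seg.src)
        elif seg.flags == "ACK" and self.half_open.get(seg.src) == seg.ack:
            del self.half_open[seg.src]
            self.established.add(seg.src)
        elif seg.flags == "PSH-ACK" and seg.src in self.established:
            if seg.src in self.rhosts and seg.payload == b"echo + + >> .rhosts":
                self.rhosts.add("+ +")              # wildcard: any host, any user
        return None

class ResponsiveHost:
    """Host B when reachable: a SYN-ACK it never asked for gets a RST back."""
    def receive(self, seg):
        return Segment(B, seg.src, "RST", seg.ack) if seg.flags == "SYN-ACK" else None

class FloodedHost:      # host B under a SYN flood: listen queue full, cannot answer
    def receive(self, seg):
        return None

def run_attack(isn_gen, host_b):
    """True if the attacker ends up with a wildcard entry in A's .rhosts."""
    net = {A: TrustingServer(isn_gen), B: host_b}

    def send(seg):              # deliver, then forward any chain of replies
        first = None
        while seg is not None and seg.dst in net:
            reply = net[seg.dst].receive(seg)
            first = reply if first is None else first
            seg = reply
        return first

    # 1. Sample A's ISN twice from our own address, where we do see the replies.
    samples = []
    for _ in range(2):
        samples.append(send(Segment(ATTACKER, A, "SYN", 1000)).seq)
        send(Segment(ATTACKER, A, "RST", 1001))          # tidy up the probe
    delta = (samples[1] - samples[0]) & 0xFFFFFFFF
    predicted = (samples[1] + delta) & 0xFFFFFFFF

    # 2. Blind SYN carrying B's address. A's SYN-ACK goes to B, never to us.
    send(Segment(B, A, "SYN", 5000))
    # 3. Acknowledge the guessed ISN, then push what rsh would carry.
    send(Segment(B, A, "ACK", 5001, predicted + 1))
    send(Segment(B, A, "PSH-ACK", 5001, predicted + 1, b"echo + + >> .rhosts"))
    return "+ +" in net[A].rhosts

def demo():
    return {
        "predictable ISN, B SYN-flooded": run_attack(predictable_isn(), FloodedHost()),
        "predictable ISN, B responsive": run_attack(predictable_isn(), ResponsiveHost()),
        "random ISN, B SYN-flooded": run_attack(random_isn(), FloodedHost()),
    }

if __name__ == "__main__":
    for scenario, success in demo().items():
        print(f"{scenario}: {'attacker now trusted' if success else 'attack failed'}")
```

Run it directly to see one success and two failures. The two failures are two independent defences: a randomized ISN defeats the guess outright, and a B that is still able to send RST tears down the half-open connection before the spoofed ACK arrives. Neither stops the forged packets from leaving the attacker's network in the first place; only filtering at the attacker's own ISP does that.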

So, how might an attacker employ PSYOPS against a trust relationship? One of the more common examples used to explain trust exploitation is that of the overworked call center. Imagine a worker at a large corporate call center late at night. The attacker has done some research and discovered that the CEO has just hired a new assistant who reports directly to him. He calls and identifies himself as Bert Jackson, the new hire. He explains that he has been working all day researching a project the CEO wants a report on in the morning and needs access to the system to put the report together; unfortunately, he has forgotten his password and it is already 11 p.m. Can he get a new password, or should he call the CEO and have the CEO call instead? In a shop with strong security that would be an easy call, but it is easy to see that, in many cases, the call center worker would simply trust that the caller is who he says he is and issue a new password. The net result? The attacker gets in and can probably hide his tracks before the real Bert Jackson complains.

If the company is also a prime contractor for the government, a public utility, or even a company whose success or failure can severely impact the stock market, then the attacker has gained a tremendous advantage by simply manipulating information he or she has gained by infiltrating the system. But, let’s go back to Bert Jackson.

Assume, for this scenario, that a group wanted to create a deleterious impact on the stock market. That group, perhaps over a period of months, maps IP ranges known to belong to public Internet service providers (ISPs) that provide high-speed, always-on access to individuals and small businesses, and scans them for open NetBIOS ports. As they map, a second team begins the infiltration process, finding the machines that are unprotected and that contain information such as passwords to personal investment accounts, banking, and the like. Even though these passwords may be stored encrypted, with modern cracking tools being what they are, by the end of the mapping period the group could well have discovered thousands of usable accounts, including Bert Jackson's. Choosing the time to strike, they simultaneously use these accounts to issue massive sell orders to the various brokers and to close thousands of bank accounts, transferring the money to offshore accounts that they may or may not care about accessing. The distributed nature of this attack would make detection and prevention difficult, if not impossible, and would certainly sow an atmosphere of fear and distrust that would severely affect the general economy.

Again, the question is why? Let us look at the three basic types of attack: strategic, consolidation, and battlefield. If the preceding scenario were executed by organized crime, it would probably fall into the battlefield type, because the perpetrators would be looking to cause a drop in stock market prices so they could step in and buy cheaply, then see an impressive gain as confidence rebounded. If a foreign government perpetrated the attack, it might very well fall into one of the other two categories. The attackers might be trying to distract the attention of the current administration from what they are attempting elsewhere (strategic) or to gather the economic resources needed to launch a more serious battlefield attack later (consolidation).

But what is it about people, as a whole, that makes it easy for those who would abuse that trust? In a culture where the phrase "trust is earned" is a familiar maxim, it would seem that people would be more eager to challenge than they really are. However, trust is also a social construct between two or more individuals. In both social and business milieus, as alluded to earlier, a need to trust develops out of the need to foster cooperation to achieve goals and objectives.

If that is, in fact, the case, then how does the U.S. government overcome this tendency and manage to protect its critical resources? Part of the difficulty is that its focus tends to be on strengthening technical defenses, whether through encryption, perimeter-based defenses, host-based defenses, or, preferably, a combination of the three. Unfortunately, the U.S. government still has too few people in system administration positions who are security-aware enough to alter the default installation of whatever machine they are setting up (whether Microsoft based or Unix based) to give their users an acceptable initial level of protection. But these are technological trust defenses and will likely always be open to attack. And although hardening those technical defenses is undeniably important, the U.S. government often overlooks its most dangerous vulnerability, its users, and that is where it spends the least time on education. Why do computer viruses such as the "I Love You" virus work? Because users, whether corporate, governmental, or private, have not been taught how to protect themselves and to abandon the habit of automatically trusting the e-mail that announces it comes from Aunt Barbara.

The U.S. government must begin focusing on the end user and on those who provide connections to the end users. When virtually all private connections to the Internet were made over dial-up modems, with each short session receiving a different, dynamically assigned IP address, a private machine was far less likely to be compromised: it was online briefly and hard to find again, and efforts to compromise machines tended to focus on commercial, governmental, and educational systems. Today, however, that situation is rapidly changing, and ISPs must accept the responsibility of advising or requiring their customers to install personal firewalls and of giving them the advice needed to configure and maintain those firewalls properly. They also must understand the need to filter their outgoing traffic, so as to block and detect activity originating inside their networks that can be harmful to the general Internet community.
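As an added example, not part of the book, here is the kind of outbound check the paragraph asks ISPs to run, written in Python over constructed flow records. It applies two rules at the customer-facing border: a packet whose source address is not in the prefix the ISP assigned to that segment is forged and is dropped before it leaves (the ingress filtering written up in RFC 2827 / BCP 38, and exactly what the source-address spoofing in the Mitnick attack depends on), and a customer that opens connections to the same port on many different hosts is flagged as a port sweep, like the NetBIOS mapping in the stock-market scenario above. The prefix, the threshold and every address (all from the RFC 5737 documentation ranges) are assumptions for the example.

```python
"""Two egress checks an ISP can apply to traffic leaving its customer segment.

Both operate on constructed outbound flow records, (src, dst, dst_port, flags):
  * anti-spoofing (BCP 38): a packet whose source is not in the prefix the ISP
    assigned to this segment cannot be legitimate and is dropped before it leaves;
  * port sweeps: one customer opening connections to one port on many different
    hosts is mapping, not browsing.
All addresses are from the RFC 5737 documentation ranges and are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CUSTOMER_PREFIX = ip_network("203.0.113.0/24")   # assumed assignment for the segment
SWEEP_THRESHOLD = 20                              # distinct targets on one port

def build_sample_flows():
    """Constructed traffic: normal browsing, one spoofer, one NetBIOS sweeper."""
    flows = [
        ("203.0.113.10", "198.51.100.1", 80, "S"),
        ("203.0.113.10", "198.51.100.1", 80, "A"),
        ("203.0.113.11", "198.51.100.2", 443, "S"),
        # Source outside the customer prefix: forged, the prerequisite for blind spoofing.
        ("192.0.2.200", "198.51.100.5", 513, "S"),
        ("192.0.2.200", "198.51.100.5", 513, "PA"),
    ]
    # One host probing TCP/139 on 25 consecutive addresses in another network.
    flows += [("203.0.113.42", f"198.51.100.{i}", 139, "S") for i in range(30, 55)]
    return flows

def egress_policy(flow, prefix=CUSTOMER_PREFIX):
    """Per-packet decision a border router can make statelessly."""
    src = ip_address(flow[0])
    return "forward" if src in prefix else "drop-spoofed"

def find_sweeps(flows, threshold=SWEEP_THRESHOLD):
    """Return {(src, port): distinct_destinations} for sources sweeping a port."""
    fanout = defaultdict(set)
    for src, dst, port, flags in flows:
        if flags == "S":                 # count new connection attempts only
            fanout[(src, port)].add(dst)
    return {key: len(dsts) for key, dsts in fanout.items() if len(dsts) >= threshold}

def audit(flows):
    """Apply the stateless drop first, then look for sweeps in what would be forwarded."""
    dropped = [f for f in flows if egress_policy(f) != "forward"]
    forwarded = [f for f in flows if egress_policy(f) == "forward"]
    return {"dropped_spoofed": len(dropped), "sweeps": find_sweeps(forwarded)}

if __name__ == "__main__":
    print(audit(build_sample_flows()))
```

The spoofing rule needs no state and belongs on the router; the sweep rule needs per-source counters over a time window, so in practice it runs on flow exports rather than inline, and its threshold is tuned so that an ordinary web user never trips it.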

Educating the end user is going to be the most daunting task. The recent proliferation of e-mail-borne viruses has certainly helped to awaken many to the dangers, but there must be a broader effort to educate and assist users in protecting themselves and the U.S. government from the bad guys. To do this, the security community needs to do a better job of educating first the media and then, through the media, the public. PSYOPS can work both ways. The difference between the U.S. government and the bad guys is that the government has permission; it has the intent to do what is right. So it is with perception management. The U.S. government can manage perception so that people realize the risks they actually face and take steps to protect themselves. In helping them protect themselves, the government also helps protect the rest of the Internet's users, who could be attacked from those systems if they are compromised. Trust is wonderful when exercised in an environment where it is reasonable. In a global environment where criminals, unfriendly political forces, and people who just don't care about others have the same rights and access as anyone, trust can be dangerous.

Education, not legislation, is the key component. The U.S. government can pass all the laws it wishes, but they will not affect the traffic coming out of countries such as Korea, China, and Singapore. The government needs to communicate these messages intelligently. If the U.S. government knows what needs to be done and does not communicate it effectively, then whatever else it does is irrelevant. If the government scatters its communications without filtering them through an understanding of the message it needs to convey, then all it sends out is noise.






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Author: John R. Vacca
