WHAT INDUSTRY GROUPS HAVE DONE TO PREPARE FOR INFORMATION WARFARE?

On December 18, 2000, the National Security Council held the first meeting of the recently formed Cyberincident Steering Group, aimed at fostering cooperation between the private industry group sector and government to secure systems from domestic and international cyberattack. This meeting was an important first step in building computer security programs for the nation. Among topics discussed were the creation of a rapid response system and communications between industry and government.

The U.S. intelligence community voiced its concerns with the release of “Global Trends 2015,” a wide-ranging analysis by the CIA, its sister U.S. spy shops, and outside experts. According to the report, foes of a militarily dominant United States, rather than challenging it head-on, would seek to target an Achilles’ heel in cyberspace or threaten the use of the deadliest chemical, nuclear, or biological weapons (see sidebar, “Doomsday Software”).

After years of surveillance, Tokyo police thought they’d seen everything about Aum Shinrikyo, the high-tech doomsday sect behind the 1995 nerve-gas attack on that city’s subway system. But even the cops were surprised after raiding cult facilities in February 2000, and finding evidence that Aum had developed software programs for at least 10 government agencies, including the Defense Ministry, as well as some 90 Japanese firms. With their identity hidden behind a web of front companies and subcontractors, Aum engineers sold as many as 200 systems ranging from databases for clients to an Internet messaging service.

Although no evidence has yet emerged that Aum installed so-called trapdoors to secretly gain access to its clients’ data, authorities have reason to worry. In the mid-1990s, sect members burglarized and stole secrets from Japan’s top defense contractor and its top semiconductor maker—part of an extraordinary campaign to develop biological agents, laser guns, and other high-tech weapons. Until now, Japan has shown an almost unbelievably low sense of its need for cybersecurity. That may soon change.

Such asymmetric approaches (whether undertaken by states or nonstate actors) will become the dominant characteristic of most threats to the U.S. homeland. Over time, attacks are increasingly likely to be fired off through computer networks rather than conventional arms, as the skill of U.S. adversaries in employing them evolve.

FBI Fingers China

Many unnamed countries are developing technologies (previously discussed) to complicate what the U.S. military refers to as “power projection” and to undermine morale at home. The interagency, FBI-led National Infrastructure Protection Center, uses a slide depicting China’s Great Wall in its standard presentation on cyberthreats, along with a quote from Sun Tzu, author of a treatise on war in about 350 B.C.

“Subjugating the enemy’s army without fighting is the true pinnacle of excellence,” the FBI’s slide quotes the ancient Chinese strategist as saying. In a telltale update, the slide includes a 1999 quote from a Chinese newspaper referring to information warfare as a means of achieving strategic victory over a militarily superior enemy.

Industry Groups Prepare to Fight Cyberattacks

Another group of technology heavyweights including Microsoft and Intel have recently unveiled a new resource in their efforts to strengthen cybersecurity. The group is establishing a new initiative through which high-tech companies can share information about the vulnerabilities in their software and hardware products. Participants in the undertaking, dubbed IT-ISAC (Information Technology Information Sharing and Analysis Center), also plan to exchange information about their security practices.

Board members of IT-ISAC have outlined the goals, mission, and operations of the new center. In attendance during the outline of the goals were representatives from Microsoft, AT&T, Oracle, IBM, Hewlett-Packard, Computer Associates, EDS, Entrust Technologies, KPMG Consulting, Cisco Systems,^{[iii ]}Nortel Networks, and other companies. Other organizations involved in the new center include the Information Technology Association of America, Veridian, Symantec, RSA Security, Titan Systems, and Verisign Global Registry Services. Members have created the center in hopes of improving responses to cyberattacks and hacking against corporate computer networks.

A number of giant companies, including Microsoft, have recently seen their corporate networks hacked. In such attacks, aimed at organizations large and small, some hackers may deface a Web site with graffiti or more pointed messages. Others toy with private information such as customer data and personal profiles. Many companies have increased security measures to safeguard valuable intellectual property, but a number of reports indicate that most continue to be vulnerable to such incidents.

According to a study by the American Society for Industrial Security (ASIS) and consulting firm Pricewaterhouse Coopers, Fortune 1000 companies sustained losses of more than $56 billion in 2000 from the theft of proprietary information—up from mid-1990s’ estimates by the FBI that pegged the cost at roughly $24 billion a year. Tech companies reported the majority of those hacking incidents. The average tech company reported nearly 78 individual attacks, with the average theft resulting in about $26 million in lost business.

Following a string of attacks on federal systems, President Clinton in 2000 launched a $2 billion plan for combating cyberterrorism that included an educational initiative to recruit and train IT workers. The plan also included conducting federal agency vulnerability analyzes and developing agency-critical infrastructure protection plans. With the aftermath of the 9-11 terrorist attacks, the Bush administration is upgrading the preceding plan twenty-fold.

^{[iii ]}John R. Vacca, High-Speed Cisco Networks: Planning, Design, and Implementation, CRC Press, 2002.