Brian C. Lewis
Executive Summary
Purpose
This report aims to expand upon the work done by the Brown Commission and other recent
commissions on the role of the U.S. Intelligence Community (IC) in advancing our foreign
policy interests with and protecting our national security against information warfare.
The Brown Commission dedicates only three paragraphs to affirming a role for the IC in
information warfare policy but calls for better definition of the role of the
Intelligence Community in collecting information about information warfare threats posed
by other countries and non-governmental groups. This report provides a more in-depth
context in which to understand "information warfare," discusses offensive and
defensive information warfare and the role of the IC in them, and assesses the adjustment
to this Post-Cold War era national security threat.
What is Information Warfare?
Information Warfare in its broadest sense is a struggle over the information and
communications process, a struggle that began with the advent of human communication and
conflict. Over the past few decades, the rapid rise in information and communication
technologies and their increasing prevalence in our society has revolutionized the
communications process and with it the significance and implications of information
warfare. Information warfare is the application of destructive force on a large scale
against information assets and systems, against the computers and networks that support
the four critical infrastructures (the power grid, communications, financial, and
transportation). However, protecting against computer intrusion even on a smaller scale is
in the national security interests of the country and is important in the current
discussion about information warfare.
Offensive Information Warfare
Information warfare is a veritable option for the U.S. to employ to advance its foreign
policy interests. As the pre-eminent information society, the United States possesses the
technological knowledge to wage an effective information war. Though information warfare
falls under the auspices of the DoD, some information warfare techniques could be employed
by the IC in executing covert action operations.
Defensive Information Warfare
The DoD and the IC have done a commendable job in identifying and adjusting to the new
national security threat posed by information warfare. However, there is still work to be
done. Thus the following is recommended: (1) the National Institute of Standards and Technology
(NIST), with the assistance of the National Security Agency (NSA) and Defense Information
Systems Agency (DISA), should set computer security standards and objectives for the
private sector; (2) a joint and powerful commission with representatives from law
enforcement, industry, and the scientific community, as well as ranking members of
Congress, should review the current policy on encryption and the political impasse that
surrounds it; (3) the DoD must lessen its dependence on the National Information
Infrastructure (NII) or develop a secure, emergency form of communication in the event of
an information warfare attack; (4) the NII threat assessment should be prepared in a
declassified format to be released to the public; and (5) there should be continued
coordination, namely Dual Use Technology, between the government and industry.
Information Warfare
ANECDOTAL EVIDENCE
It is estimated that the Department of Defense (DoD) computers, numbering over 2.1
million, were the victim of as many as 250,000 cyber-attacks in 1995. The Defense
Information Systems Agency (DISA) estimates that 65% of all electronic attacks on DoD
computers and networks are successful. That calculates to DoD networks and computers
having been infiltrated an astonishing 162,500 times in 1995 (about 445 times a day).
While it has been suggested that the 250,000 cyber-attacks are inflated with harmless
incorrect login attempts by legitimate users, the number is still alarming.
One of those numerous cyber-attacks occurred on March 28, 1994, when computer systems
administrators at Rome Air Development Center, Griffiss Air Force Base in New York
discovered a "sniffer" program covertly installed on one of their systems. Rome
Laboratory is one of four Air Force "super" laboratories and a national center
for the development of new technologies for command, control, communications, computers
and intelligence (C4I). Areas of Rome Laboratory technology development include sensors
for surveillance, computer science and software engineering, artificial intelligence, and
battle management among other things.
The initial investigation showed that two unknown individuals electronically penetrated
several systems, gained access to all the information residing on those systems, copied
sensitive, but unclassified, battlefield simulation program data, and read, copied, and
deleted users' email messages. Further investigation showed that all of the 30 systems at
Rome Labs had been infiltrated and were then used as a springboard to access and gather
information from other military, government, academic, commercial systems, and even some
foreign military systems. Investigators were able to identify the attackers by their
nicknames: Datastream and Kuji.
With the aid of an informant, Air Force agents were able to discover that Datastream
was a 16-year-old boy from the UK "who liked to attack '.mil' sites because they were
so insecure." On May 12, with the assistance of the New Scotland Yard, Datastream was
located and his home searched. It was discovered that a 25 MHz, 486 SX desktop computer
with a 170 MB hard drive, about ¬ the power of today's personal computer, was used to
execute the attack. Datastream was arrested and interrogated about his actions and the
identity of his partner, Kuji. As it turns out, Datastream only knew Kuji
"electronically," having chatted on-line with him on several occasions.
Apparently, Kuji assisted and trained Datastream. In return, Datastream gave all the
information he obtained to Kuji. Datastream had no knowledge of the identity, the
residence, the appearance, or any useful information about Kuji. The identity and motives
of Kuji are still unknown and what was done with the stolen data is also a mystery. What
is known is that Kuji was able to hack into DoD computers, steal information, and evade
the search of Air Force computer experts.
Far from merely a helpless victim, the United States has also exploited the
insecurities of the networked world. American intelligence agents infiltrated the computer
systems of the European Parliament and European Commission, allegedly, as part of an
international espionage campaign aimed at stealing economic and political secrets.
American intelligence agents used Internet routers to access the parliament's internal
network, exploiting the fact that components of the European computer system were
manufactured by American firms. European officials also claim that the American government
used information obtained from the electronic raid to assist them in the General Agreement
on Tariffs and Trade (GATT) last year. Despite a vow by Lord Plumb, leader of the British
Tories in the European Parliament, to take "this [incident] up directly with the American
ambassador," no confession or even acknowledgment has been issued by any United
States intelligence agency.
INTRODUCTION
This report aims to expand upon the work done by the Brown Commission and other recent
commissions on the role of the U.S. Intelligence Community (IC) in advancing our foreign
policy interests with and protecting our national security against information warfare.
The Brown Commission dedicates only three paragraphs to affirming a role for the IC in
information warfare policy but calls for better definition of the role of the
Intelligence Community in collecting information about information warfare threats posed
by other countries and non-governmental groups. This report provides a more in-depth
context in which to understand "information warfare," discusses offensive and
defensive information warfare and the possible role of the IC in them, and assesses the
adjustment to this Post-Cold War era national security threat.
WHAT IS INFORMATION WARFARE?
Information warfare has become the new post-Cold War era national security catch
phrase. The Senate Permanent Subcommittee on Investigation held Security in Cyberspace
hearings in June of 1996. President Clinton issued Executive Order #13010 on July 15,
1996, forming a commission to conduct a risk assessment of our national information
infrastructure to protect against information warfare. On October 25, 1996, The New York
Times ran the story "A New Battlefield: Rethinking Warfare in the Computer Age,"
outlining possible threats to national security and tranquillity posed by information
warfare.
Despite its rise in prominence among the concerns of our national leaders and increased
public discussion, information warfare remains an ambiguous and vague concept that has
been used in a variety of contexts. Much of the discussion surrounding information warfare
has focused primarily on the means of information warfare (organization and resource
issues), while the scope and meaning of information warfare have remained largely
undefined. Therefore, a clear and lucid definition of information warfare is needed.
Information warfare in its broadest sense is a struggle that involves the
communications process, a struggle that began with the advent of human communication and
conflict. Over the past few decades, the rapid rise in information and communication
technologies and their increasing prevalence in our society has revolutionized the
communications process and with it the significance and implications of information
warfare. A modern society's communication and information processes are now composed of
four critical, extremely interrelated infrastructures: (1) the power grid, (2) the
communications infrastructure, (3) the financial infrastructure, and (4) the transportation
infrastructure. Electricity and thus the power grid are the foundations of the entire
system. Without electricity nothing works and we are back to using smoke signals. The
communications infrastructure requires power and provides the ability to exchange
information for news, business transactions, research, etc. The financial infrastructure
requires power and communications and allows for the electronic flow of money. Of
America's $7 trillion GNP only about 3% of it is actual hard currency within our borders.
The transportation infrastructure (including the air traffic control system and the train
routing systems) also requires the power and communications infrastructures and allows for
rapid and massive transportation of people and goods throughout the nation. A modern
battle over the communications process involves all of these infrastructures. Information
warfare now includes the electricity that powers our homes and hospitals, the phones,
faxes, and computers that we and our government at large use to communicate and share
information, the trillions of dollars that drive our economy, and the trains and planes
that we use to get from one place to another. The new attention given to information
warfare does not mark the birth of a new form of conflict, which some have implied.
Rather, it marks a significant change in the implications of an old one.
The Brown Commission defines information warfare as "activities undertaken by
government, groups, or individuals to gain electronic access to information systems in
other countries ... as well as activities undertaken to protect against it." This
definition is problematic. It is overly broad and runs the risk of confusing mischief and
crime with warfare. With no distinction between crime and mischief on the one hand and war
on the other, the DoD might find itself launching a counter-offensive against a
13-year-old boy. The definition also does not account for a physical assault (i.e. a good
old-fashioned bombing) of the nation's information infrastructure. Information warfare
must be considered what it is called, warfare. It is the application of destructive force
on a large scale against information assets and systems, against the computers and
networks that support the four critical infrastructures (the power grid, communications,
financial, and transportation). However, the definition given by the Brown Commission
highlights the important fact that protecting against computer intrusion, even on a
smaller scale, is currently in the national security interests of the country and is
important in the current discussion about information warfare.
OFFENSIVE INFORMATION WARFARE
Should the U.S. engage in offensive information warfare? What might be the role of
the Intelligence Community in engaging in such activities?
First, it is important to state that the United States has one of the most developed
information infrastructures in the world. This information dominance, as it has been
called, produces an ironic asymmetry. The information age produces more vulnerabilities to
U.S. national security than it provides new means in which to wage war with other nations.
Thus, information warfare is more of a defensive concern than an offensive one. This will
change in time as information technologies spread and the national information
infrastructure becomes more globalized.
With that said, are there special ethical concerns that should prevent the United
States from developing information warfare as a veritable avenue to pursue U.S. foreign
policy? This author can muster no moral or ethical reasons as to why the U.S. should
categorically exclude information warfare as opposed to other vehicles (e.g. diplomacy,
conventional warfare, etc.) for advancing U.S. policy. Information warfare is a decidedly
remote form of confrontation and if executed correctly may very well permit the United
States to avoid the conventional deployment of troops and munitions. It may be more
morally acceptable (especially in the age of CNN televised war) to disrupt the enemy's
information infrastructure, rather than bomb them into submission with weapons of
destruction that lead directly to the loss of human lives, often civilians. However, while
an information attack may avoid direct human casualties there may be considerable indirect
death and damages. Disrupting the information infrastructure of another nation will shut
down hospitals, cause planes and trains to crash, cause starvation in isolated regions,
etc. Though there are no direct casualties when logic bombs destroy the information
infrastructure of another nation, they may cause significant collateral death, most likely
civilian. In addition, information warfare can be used for immoral or unethical purposes.
The use of information warfare to cause unjustified harm on civilian populations of
another nation in order to pressure its leaders is unethical. All of this taken into
consideration, an offensive information warfare capability, with its nuances and
implications being carefully considered, should be developed.
The DoD has recognized the need to establish superiority in information warfare.
Because information warfare is warfare, the DoD is the appropriate agency to make plans
for it. DISA has extensive knowledge of information warfare techniques and its
Vulnerability Analysis and Assessment Program red-teams the DoD in order to test their
security. In their own words "DISA personnel have long worked behind the scenes to
identify and stop unauthorized intrusions into DoD's military networks." They provide
an excellent resource for the Pentagon to employ in assessing offensive information
warfare capabilities. The DoD could use offensive software (viruses, Trojan horses, etc.),
sniffing technologies to monitor networks, chipping (malicious alterations of computer
hardware), and even directed energy weapons which disable or destroy electronic systems
(e.g. High Energy Radio Frequency (HERF) guns and EMP (Electromagnetic Pulse) bombs) to
accomplish their ends.
Relevant to the IC, the nature of information warfare techniques makes them excellent
candidates for tools to be used by intelligence agencies. Cyber-attacks are rarely
detected. Of those detected, fewer are reported. Once detected and reported it is still
extremely difficult to identify and apprehend the offending party. In DISA's testing of
DoD systems it found that only 4% of attacks were detected and of those only 27% were
reported. If used by intelligence agencies, these electronic clandestine covert operations
require a Presidential finding and timely notification of Congress. They are the equivalent of
a traditional covert operation launched against another nation.
In addition, if other nations adopt a definition of information warfare similar to the one
proposed by the Brown Commission, then allowing intelligence agents to merely break into
other nations' computers will be viewed as an act of war. If intelligence agents are
allowed to engage in these activities as intelligence collection then they could get us
involved in a full information warfare (or conventional warfare depending how the other
nation chooses to retaliate) without presidential or congressional knowledge. This is a
risk that we may not want to take. Such clandestine collection activities should be
assessed to see if they need to be considered covert operations, thus requiring a
presidential finding and timely congressional notification.
Some, including information warfare expert Winn Schwartau, have called for the creation
of a "Fourth Force," a force of information warriors, to conduct information
warfare. Perhaps in the future, as our society is transformed by new technologies, there
will arise a need for a fourth force. But at present there simply is not a need for one.
In a time of down-sizing government the creation of a fourth force would be nearly
impossible to fund.
DEFENSIVE INFORMATION WARFARE
In 1990, President Bush issued National Security Directive 42, portions of which were
declassified on April 1, 1992. This directive recognized the vulnerability to national
telecommunications and information processing systems. The directive calls them
"highly susceptible to interception, unauthorized access, and related forms of
technical exploitation as well as other dimensions of the foreign intelligence
threat." The directive also notes that "the technology to exploit these
electronic systems is widespread and is used extensively by foreign nations and can be
employed, as well, by terrorist groups and criminal elements." On June 5, 1996, the
U.S. Senate Government Affairs Committee Permanent Committee on Investigations released
the Minority Staff Report, Security in Cyberspace, that called for swift attention to the
defense of our National Information Infrastructure (NII). On June 25, 1996, former
Director of Central Intelligence (DCI) John Deutch testified before this committee warning
that the country will face some "very large and uncomfortable" incidents at the
hands of foreign computer terrorists. Deutch testified that these information attacks
could not only "disrupt our daily lives, but also seriously jeopardize our national
or economic security." Deutch also noted that "virtually any 'bad actor' can
acquire the hardware and software needed to attack some of our critical information-based
infrastructures."
The government has clearly recognized the national security threat involved with
information warfare and the NII. Articles and papers abound laced with the fear of a
"digital Pearl Harbor," a phrase coined by Winn Schwartau in his 1991 testimony
before Congress. But what has been proposed to protect us against a digital Pearl Harbor,
and what has the government done in attempting to accomplish this task? And, perhaps most
importantly, what remains to be done?
The Day After in Cyberspace, RAND Corporation
RAND Corporation calls for cooperation between the U.S. government and the computer
industry to develop security standards that would make networked civilian computers more
secure. They also call for the creation of a national clearinghouse, similar to the Center
for Disease Control (CDC), that would collect and assess information on disparate
cyberspace security incidents. RAND would like to see an institution created for the
testing and evaluation of security provisions of infrastructure software and systems.
Finally, they call for a study of the ability to sterilize data passing through the NII,
in such a manner that the NSA could assist in the monitoring and tracking of perpetrators
without collecting intelligence on U.S. citizens.
Security in Cyberspace, Senate Permanent Subcommittee on Investigation (Minority
Staff Report)
This Senate report calls for the creation of a national policy that clarifies the roles
and missions of agencies concerned with the NII. The report also claims that robust
encryption must become part of the NII security process, thus the debate concerning
cryptography must be addressed and settled. The report also calls for the creation of a
National Information Infrastructure Threat Center with representatives from law
enforcement, the intelligence community, the defense community, and a liaison from the
private sector. This center would also serve as a clearinghouse for intrusion reports.
According to the subcommittee, the DCI should complete an NII threat estimate, with an
unclassified version to be disseminated among private industry. Finally the government
should create an agency to perform regular vulnerability assessments of the NII.
Martin Libicki, Information Warfare Expert (Author of What is Information Warfare?
Currently at the National Defense University)
Libicki wants the government to determine how vulnerable the NII actually is. He wants
the funding of research and development on enhanced security practices and their timely
dissemination. He believes the U.S. government should work toward an international
consensus on what constitutes bad behavior on the part of a state and what appropriate
reprisals might be. He stresses that the government should not waste much more effort on
traditional intelligence for information warfare. It takes very little to be a hacker,
mostly intelligence and motive, two things that are not visible. A skilled hacker can use
a home computer system to infiltrate many systems.
Government Action
In 1990, President Bush issued National Security Directive 42, recognizing the
vulnerabilities of telecommunications and information processing systems. In 1993,
President Clinton issued Executive Order #12864. This established the Information
Infrastructure Task Force (IITF), a body that was to address "national security,
emergency preparedness, system security, and network protection implications"
concerning the NII among other things. In 1995, a secret report was drafted by the
Security Policy Board, an interagency body established by President Clinton with former
DCI John Deutch as its chairman. The report concluded that at least 30 countries are
actively working on information warfare programs. In 1996, the NSA formed the Information
Warfare Technology Center with a charter to serve domestic and military security.
President Clinton also issued Executive Order #13010 which established a commission to
conduct a risk assessment of and recommend ways to mitigate unacceptable risks to eight
critical infrastructure elements. While the Commission conducts its study, the FBI will
manage an interagency task force to coordinate, as needed, existing Federal agency
responsibilities to respond to an incident involving the infrastructure elements. Congress
passed the National Information Infrastructure Protection Act of 1996 which revises
Federal criminal code provisions regarding fraud and related activity in connection with
computers.
The federal government has responded well to this Post-Cold War era national security
threat, including the IC (namely, the CIA, which assisted in collecting intelligence that
documented 30 foreign information warfare programs, and the NSA, which is operating the new
Information Warfare Technology Center). But there are still serious improvements that can
and must be made in order to keep this Post-Cold War threat at bay.
Recommendations and Discussion
Due to our nation's dependence on the NII and its demonstrated vulnerability, we must
implement a five-part strategy, in addition to what's already been done, to prepare
properly for an information warfare attack.
- Make Private Sector Adequately Responsible. The private sector must bear the majority of
the burden for its own protection. Remember, information warfare is the application of a
destructive force on a large scale against the nation's critical infrastructures. The
private sector must protect itself against targeted hacker attacks. Consider it in this
manner. If a family left its doors and windows open and found all of their valuables
stolen, they would not contact the DoD. They would start locking their doors and windows.
However, if the country was invaded and the invading forces looted their home, they would
be justified in contacting the DoD. The same applies for networked computers. The private
sector cannot leave their systems vulnerable to targeted crime and expect the DoD to
protect them. The private sector needs to begin locking their windows and doors. However,
in the information and economic age knowledge is precious. Economic espionage, theft of
information, etc. can pose serious economic security risks for the nation. This provides
proper incentive for the government to assist the private sector in protecting themselves.
Therefore, I recommend that the National Institute of Standards and Technology (NIST) set
security standards (or objectives) for the private sector to follow. NIST's primary
mission is to promote U.S. economic growth by working with industry to develop and apply
technology, measurements, and standards. Its location in the Commerce Department will
remove a stigma from the standards that would exist if they were handed down from the DoD.
The NSA and DISA should lend NIST any guidance or assistance it may need. Both
organizations have extensive experience in computer and network security. Furthermore,
NIST and NSA have worked together in the past, working to develop the Clipper Chip. There
should be no need for additional funding or manpower for this addition to the mission of
NIST. They boast 3,300 scientists, engineers, technicians, and support personnel, plus an
additional 1,250 visiting researchers each year. With the wealth of knowledge that the NSA
and DISA should be able to provide from the work they are already tasked to do, NIST
should assume this responsibility fairly smoothly.
- Resist IW funding becoming the next Manhattan Project. Adequate, but not excessive,
resources should be devoted to the collection of intelligence on possible foreign
information warfare threats. Despite abundant literature referring to a digital Pearl
Harbor, information warfare, though a legitimate national security concern, is not
threatening to destroy us all and no Manhattan Project size effort is required to provide
adequate defense. The RAND Corporation did recently publish "The Day After in
Cyberspace" report, exploring current U.S. ability to respond to an information
warfare attack. RAND used the same "Day After" methodology to develop policy in
the event of a full scale nuclear holocaust. Martin Libicki at the National Defense
University, however, sees information warfare attacks more as a national nuisance and
inconvenience, rather than the next paramount national security threat. Libicki says that
paranoia about the threat of an information warfare attack is unwarranted. He does not,
however, dismiss completely the threat of a Digital Pearl Harbor. But he notes that in
RAND's "Day After in Cyberspace" over twenty incidents befall the United States
and their allied information infrastructures, many that stretch the limits of
plausibility.
- Resolve the Encryption Debate. Encryption provides a reasonably reliable method of
protection for the private sector to use for their own computer networks and systems,
which they certainly have a vested interest and responsibility to do. However, robust
encryption may remove from the government its long held ability to tap into communication
channels of criminals. Therefore, a joint and powerful commission, with representatives
from law enforcement, industry, and the scientific community, as well as ranking members
of Congress who carry political weight, should review the current policy on encryption and
the political impasse that surrounds it. This commission's focus should be on ironing out
the politics of the matter and producing a viable solution that can be passed into law
immediately.
- Provide alternative for Government Communication. The most dangerous and
frightening aspect of our vulnerabilities is the way that they could affect our military.
The military's dependence on the NII has reached a critical level, with over 95%
of the military's communications now traveling through the NII. During the Persian Gulf War,
for example, commercial communication satellites carried 24% of Central Command's
long-haul communications. Logistics planning for Operation Desert Shield made extensive
use of the Saudi and international civil telephone networks. In the event of an
information warfare attack, the military's ability to communicate, and thus mobilize
efficiently would be jeopardized. Adversaries may be able to appreciably undermine U.S.
military power by attacking the information systems upon which it depends for deployment
and sustenance. A well executed information warfare strike might very well be the leveling
force for a less equipped army. Or it might lower the national defenses and allow for the
occurrence of another physical Pearl Harbor. If the military is going to maintain such a
heavy dependence on the NII, then it must develop a secure, emergency form of
communication. If not, then the military must decrease its dependence on the NII and
develop a more extensive Defense Information Infrastructure (DII) that will remain
functional in the event of an information warfare attack.
- Declassify the NII Threat Assessment. The NII threat assessment required of the DCI by
the Intelligence Authorization Act for Fiscal Year 1997 should be prepared in a
declassified format to be released to the public. As the public assumes the responsibility
of protecting itself, it must know the scope of its vulnerabilities. This declassification
can be done in accordance with Director of Central Intelligence Directive (DCID) 1/7,
which encourages producing reports in an easy to declassify format.
- Continue Coordination. Continued close coordination, namely Dual Use Technology, between
DoD, especially the NSA, and industry can only benefit both parties and ensure the maximum
possible security.