This is not going to be a very jolly page. I would really rather not put it up, but I figure you need an opportunity to start thinking about what you would do if this happened. Please be careful who you talk to about this. The average American and European thinks that the elite and governors of the world are so very clever and alert that they will catch this before it happens. My experience with bureaucrats leads me to believe that we are in great peril. Most of our civil servants are only marginally intelligent, and there are thousands of computer savvy characters out there who could slip by our police and Feds. Thus...
all manner of heinous attacks that if successful could "destabilize and eventually destroy targeted states and societies," according to a gloomy new report from the Center for Strategic and International Studies.
The report, which offers recommendations for averting cyberwarfare, has in its introduction alone enough dire news to make the year 2000 computer glitch seem like a minute blip on the worry scale.
Consider this: "Information warfare specialists at the Pentagon estimate that a properly prepared and well-coordinated attack by fewer than 30 computer virtuosos strategically located around the world, with a budget of less than $10 million, could bring the United States to its knees."
"Such a strategic attack, mounted by a cyberterrorist group ... would shut down everything from electric power grids to air traffic control centers. A combination of cyberweapons, poison gas, and even nuclear devices could produce a global Waterloo for the United States."
For those who believe U.S. intelligence and law enforcement agencies have a handle on the threat of cyberterrorism, consider this: "In fact, law enforcement's electronic capabilities are from 5 to 10 years behind the transnational crime curve."
With that comforting thought in mind, the report notes, "Cyberterrorists, acting for rogue states or groups that have declared holy war against the United States, are known to be plotting America's demise as a superpower."
At the top of the list of rogue cyberterrorists is Osama bin Laden, who allegedly is plotting terrorist attacks on either New York or Washington, D.C. Computers are key in his arsenal, said the CSIS report.
"In today's electronic environment, many haters can become a Saddam Hussein and take on the world's most technologically vulnerable nation," notes the report, which tells of satellite uplinks among terrorist liaisons around the globe. The authors make it clear that they are indeed trying to scare the complacency out of us.
While enemies of the U.S. realize they can't take on the nation with conventional weapons, their alternative is cyberweapons launched by keyboards. "Information warfare tools" like logic bombs, viruses, worms, and Trojan horses are proliferating.
"They are no longer the stuff of science fiction. America's adversaries know that the country's real assets are in electronic storage, not in Fort Knox," the report said. CSIS counts eight countries with cyberwarfare capabilities as advanced as ours.
The U.S. has no laws or regulations regarding when to launch a cyberattack or counterattack in this new postnuclear age.
"Most political leaders are reluctant to face the fact that not only are the traditional prerogatives of national sovereignty being challenged by the Information Revolution but they are disappearing rapidly in cyberspace," the report said. "The nineteenth-century model of an independent state has become one of trappings rather than substance."
Explain the threat. U.S. officials should tell those in charge of critical infrastructures and its major users just what is the threat from strategic information warfare, and how to prepare.
Develop national security policies that consider the Information Revolution. CSIS recommends setting policy and objectives, determining who has authority for "offensive IW" (information warfare), and setting guidelines for targets.
Make strategic information dominance a national security objective.
Adopt policies to ensure critical government services will continue.
Work with the private sector.
Prepare the U.S. military and U.S. intelligence agencies for cyberwarfare.
This "back door" is the single most vulnerable aspect in cyberspace. Why? Answer: If a hacker ever finds the "back door" to our Federal agencies and Banks, we are dead as a nation. So read this article with that in mind. I know two Federal employees who are "back door" people by vocation FOR the Feds. This is for real.
CNN- July 27, 1998
FORT MEADE, Maryland (IDG) -- Back in the days of the cold war, Washington insiders used to joke that NSA stood for "No Such Agency." The government denied the very existence of this group, which is dedicated to intercepting and decoding foreign communications.
That was then. Today the National Security Agency is well known, and spends a lot of time leaning on software, switch and router vendors, pushing them to re-tool their products. The agency's goal: to ensure that the government has access to encrypted data.
The industry is facing a year-end deadline to add a government-approved back door into network gear. Vendors that don't provide this access risk losing export privileges.
Cruising up and down Silicon Valley, NSA spooks from the agency's Fort Meade headquarters have been making pit stops at companies ranging from industry leaders Netscape Communications Corp. and Sun Microsystems, Inc. to start-ups such as VPNet Technologies, Inc. in order to get a peek at products still on the drawing board. The NSA wants software vendors to make sure that any product with strong encryption have some way for the government to tap into the data. And because practically every commercial network application, router or switch these days includes encryption or an option for it, almost every vendor now has to answer to the NSA if it wants to export.
Hot line to the NSA
It's gotten to the point where no vendor hip to the NSA's power will even start building products without checking in with Fort Meade first. This includes even that supposed ruler of the software universe, Microsoft Corp. "It's inevitable that you design products with specific [encryption] algorithms and key lengths in mind," said Ira Rubenstein, Microsoft attorney and a top lieutenant to Bill Gates. By his own account, Rubenstein acts as a "filter" between the NSA and Microsoft's design teams in Redmond, Wash. "Any time that you're developing a new product, you will be working closely with the NSA," he noted.
When it comes to encryption, it's widely known that a 40-bit encryption key is easily breakable and hence rather useless. Until not long ago, this is what the U.S. government allowed for the export of software.
But the Clinton administration a year and a half ago said it would allow the export of products with stronger encryption keys by any vendor that agreed to add a "key-recovery" feature to its products by year-end - giving the government access to encrypted data without the end user's knowledge.
According to Bill Reinsch, Department of Commerce undersecretary for the Bureau of Export Controls, about 50 vendors have submitted plans for government-approved key-recovery, also called data-recovery. These companies, which include IBM, were rewarded with Key Management Infrastructure (KMI) licenses to export products with 56-bit or stronger encryption until year-end.
But some companies are discovering that dealing with the Commerce Department for a KMI license means more involvement with the NSA.
The Bureau of Export Control is actually just a front for the NSA, said Alison Giacomelli, director of export compliance at VPNet Technologies, Inc., a San Jose, Calif.-based vendor of IP-based encryption gateways. "The NSA has sign-off authority on these KMI licenses," Giacomelli said. In return for the KMI license, VPNet opened itself up for an NSA audit.
"They've already come out once, and they'll be coming out again," Giacomelli said. VPNet remains committed to meeting the deadline for adding key-recovery to its product but has one major problem: uncertainty about what the NSA really wants. The confusion means "there's a lot of risk . . . in terms of engineering and resources," Giacomelli said.
Clearly wary of granting the government supervision over its products, Microsoft has stubbornly refused to submit a data-recovery plan, even though the Redmond giant already includes a data-recovery feature in its Exchange Server.
"The Exchange Server can only be used when this feature is present," Rubenstein said. "Because we haven't filed a product plan, it's harder for us to export this than for companies that have filed plans."
But in an odd-couple sort of joint-partner arrangement, Microsoft and the NSA did work together to build what's called Server Gated Cryptography. Primarily intended to help banks use Web servers to do business internationally, the technology lets a server with a special digital certificate provide 128-bit encryption support to a Web browser outside the U.S.
Sybase, Inc., which also submitted a plan to add key-recovery to its products, found it hard to satisfy the government's demands. "They approved our technological approach but disapproved each of our applications with it," said Sybase President and CEO Mitchell Kertzman. "It's been frustrating."
Documents recently obtained under the Freedom of Information Act (FOIA) by the Washington, D.C.-based Electronic Privacy Information Center contain the data-recovery plan Netscape filed at the Commerce Department last year.
Netscape's plan explains that the "escrow of private encryption keys" could be achieved by developing client and server products that can only issue an X.509 digital certificate after the private key has been escrowed. The key can only be held by an entity chosen by the intranet administrator who handles security policy.
The Netscape plan called for introducing a certificate server with recovery capabilities in the first quarter of this year, with the introduction of S/MIME clients with basic recovery features in the second quarter.
Netscape hasn't actually carried out this plan, and the company declined to discuss it. Netscape attorney Peter Harter would only say officially, "We had no choice but to submit the plan, no matter how much we opposed key-escrow, in order to be part of the ongoing dialog."
Other FOIA documents show that Netscape was regularly briefing the NSA on its product plans since 1996 and that then NSA Deputy Director William Crowell took a special interest in trying to dissuade Netscape from using strong encryption.
Crowell, now vice president for product marketing and strategy at Cylink Corp., said he had frequent discussions with Netscape, especially concerning changes to Netscape Navigator. "Their product didn't have a separate signature key, so if the government used the product for key-escrow later, you'd have to store the signature key with a third party, which we thought was a bad idea," Crowell said. He added that Netscape Navigator 3.0 adopted the changes the NSA wanted.
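The two design points in the Netscape plan and in Crowell's remark, a certificate server that issues a certificate only after the encryption private key has been escrowed, and a signature key kept separate from the escrowed encryption key, can be modelled in a few lines. The following is an added illustration, not Netscape's code or any part of the plan it filed: it uses textbook RSA on constructed toy primes (no padding, not for real use), a hypothetical `EscrowAgent` standing in for the entity chosen by the intranet administrator, and an `issue_certificate` gate that refuses to issue without an escrow receipt. It shows why the separate signature key matters: when one key both decrypts and signs, whoever holds the escrowed copy can also produce valid signatures in the subject's name; with separate keys, escrow exposes confidentiality only.

```python
"""Toy model of key escrow with an escrow-gated certificate server and
separate encryption/signature keys.  Textbook RSA on constructed small
primes, for illustration only (no padding, not for real use)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p, q, e=65537):
    """Textbook RSA keypair from two (toy-sized) primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return PublicKey(n, e), PrivateKey(n, pow(e, -1, phi))  # Python 3.8+


def encrypt(pub, m):
    return pow(m, pub.e, pub.n)


def decrypt(priv, c):
    return pow(c, priv.d, priv.n)


def _digest(msg, n):
    # Message representative: SHA-256 reduced mod n (toy; no padding scheme).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    return pow(_digest(msg, priv.n), priv.d, priv.n)


def verify(pub, msg, sig):
    return pow(sig, pub.e, pub.n) == _digest(msg, pub.n)


class EscrowAgent:
    """Hypothetical third party chosen by the intranet administrator: holds
    escrowed decryption keys and returns a receipt the certificate server checks."""

    def __init__(self):
        self._vault = {}

    def deposit(self, subject, priv):
        self._vault[subject] = priv
        return hashlib.sha256(f"{subject}:{priv.n}".encode()).hexdigest()

    def valid_receipt(self, subject, enc_pub, receipt):
        held = self._vault.get(subject)
        expected = hashlib.sha256(f"{subject}:{enc_pub.n}".encode()).hexdigest()
        return held is not None and held.n == enc_pub.n and receipt == expected

    def recover(self, subject):
        return self._vault[subject]


def issue_certificate(agent, subject, enc_pub, sig_pub, receipt):
    """Certificate server gate: no valid escrow receipt, no certificate.
    Returns a toy certificate dict, or None when the receipt does not check out."""
    if not agent.valid_receipt(subject, enc_pub, receipt):
        return None
    return {"subject": subject, "enc_pub": enc_pub, "sig_pub": sig_pub}


def enrol(agent, subject, separate_keys):
    """Escrow the encryption key, then request a certificate."""
    enc_pub, enc_priv = make_keypair(10007, 10009)  # constructed toy primes
    if separate_keys:
        sig_pub, sig_priv = make_keypair(10037, 10039)
    else:
        sig_pub, sig_priv = enc_pub, enc_priv  # one key does both jobs
    receipt = agent.deposit(subject, enc_priv)
    return issue_certificate(agent, subject, enc_pub, sig_pub, receipt), sig_priv


def escrow_exposure(separate_keys):
    """What the holder of the escrowed key can do in each design."""
    agent = EscrowAgent()
    cert, sig_priv = enrol(agent, "alice@example.test", separate_keys)
    recovered = agent.recover("alice@example.test")
    session_key, msg = 0xC0FFEE, b"approve wire transfer"
    return {
        "cert_issued": cert is not None,
        # Confidentiality is exposed by design: escrow can recover encrypted data.
        "can_decrypt": decrypt(recovered, encrypt(cert["enc_pub"], session_key)) == session_key,
        # Authenticity is exposed only when the escrowed key is also the signing key.
        "can_forge_signature": verify(cert["sig_pub"], msg, sign(recovered, msg)),
        "owner_signature_valid": verify(cert["sig_pub"], msg, sign(sig_priv, msg)),
    }


if __name__ == "__main__":
    for separate in (False, True):
        print("separate keys:" if separate else "single key:  ", escrow_exposure(separate))
```

Run it directly to print both scenarios: `can_decrypt` is True in both, because recovering encrypted data is what escrow is for, while `can_forge_signature` flips from True to False once the signing key is no longer the escrowed one. The receipt check in `issue_certificate` is what makes "certificate only after escrow" enforceable by the server rather than left to the client.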
According to Crowell, the NSA has a great deal of expertise in securing communications, and it wants to ensure that products bought by the Defense Department meet NSA standards. "In addition, as part of the NSA's intelligence mission, [the agency needs] to have a thorough understanding of where commercial products are headed."
Taher Elgamal, author of the Netscape data-recovery plan, who recently left Netscape to start his own venture, said Netscape had no choice but to maintain constant contact with the NSA. "They're costing the industry a lot of money," Elgamal said.
Others agree. "Everyone in Silicon Valley, including us, has to have specific staff - highly paid experts - to deal with them," said Chris Tolles, security group product manager at Sun. "Their job is to wrangle this from a policy standpoint."
Sun has had run-ins with the NSA in the past. Two years ago, the NSA objected to Sun including encryption in the exportable version of Java 1.1. The end result was that Sun stripped encryption out of Java 1.1 and the software was delayed by about six months.
Excerpt-- CNN article-- Sept. 25, 1998
And the private sector may not have much choice. U.S. policy-makers in the White House, on Capitol Hill and in national security roles say the threat of information weapons coming not only from terrorist operatives but also from foreign governments is a very real potential danger. The targeting of infrastructure facilities through the use of widely available cracking techniques could disable such network-connected services as electric power, banking and telephone. The vulnerability of both government systems and those in private industry has been underscored by the slew of attacks this year on everything from Pentagon computers to The New York Times' Web site.
As the telecommunications structure is changing rapidly, Irving acknowledges that his agency's study will be a snapshot in time. But it will alert both government and private industry to the need for building protections into information and telecommunications systems. "We built an entire system of sidewalks with no curb carve-outs," he said. "If you're building the protections in as you go along, it's much easier."
Foreword & Summary of Recommendations
The United States is now exposed to a host of new threats to the economy, indeed to the whole of society. It has erected immensely complex information systems on insecure foundations. The ability to network has far outpaced the ability to protect networks. The economy is totally dependent on these systems. America's adversaries and enemies recognize this dependency and are developing weapons of mass disruption and destruction.
In today's electronic environment, many haters can become a Saddam Hussein and take on the world's most technologically vulnerable nation. America's most wanted transnational terrorist Osama bin Laden uses laptops with satellite uplinks and heavily encrypted messages to liaise across national borders with his global underground network. There is no shortage of terrorist recipes on the Internet, step-by-step cookbooks for hackers and crackers (criminal hackers) and cyberterrorists.
Testifying before a congressional committee in June 1996, Director of Central Intelligence John Deutch said criminal hackers were offering their services to so-called rogue states with "various schemes to undo vital U.S. interests through computer intrusions" and warned that an "electronic Pearl Harbor" was now a real threat. In his commencement address to the U.S. Naval Academy in May 1998, President Clinton outlined the magnitude of the new electronic perils:
Our security is challenged increasingly by nontraditional threats from adversaries, both old and new, not only hostile regimes, but also international criminals and terrorists who cannot defeat us in traditional theaters of battle, but search instead for new ways to attack by exploiting new technologies and the world's increasing openness.
The president was not referring to the future when he added, "Intentional attacks against our critical systems are already under way." Even traditionally friendly nations have used their electronic capabilities to penetrate triple firewalls protecting the systems of high-tech corporations and have stolen billions in proprietary secrets. Tomorrow's frontline commanders will be drawn from the ranks of computer wizards. The sandal culture is challenging the wingtips. The National Security Agency's (NSA) new electronic sheriff, responsible for protecting NSA's ground stations, is a 23-year-old GS-14. In the civilian sector, "techies" have moved into senior management positions.
Computers Are the Weapons and the Front Line Is Everywhere is the subtitle of the recently published (Simon & Schuster) book, The Next World War, by James Adams. What is at stake is a redefinition of U.S. security interests. And that is the challenge that this report has confronted. Keyboard attacks do not draw blood or emotion but they can paralyze the nation's critical nerve centers. A smoking keyboard does not convey the same drama as a smoking gun, but it has already proved just as destructive. Armed with the tools of cyberwarfare, substate or nonstate or even individual actors are now powerful enough to destabilize and eventually destroy targeted states and societies.
Security is no longer defined by armed forces standing between the aggressor and the homeland. The weapons of information warfare can outflank and circumvent military establishments and compromise the common underpinnings of both U.S. military and civilian infrastructure, which is now one and the same. Almost all of the Fortune 500 corporations have been penetrated electronically by cybercriminals. The FBI estimates that electronic crimes are running at about $10 billion a year. But only 17 percent of the companies victimized report these intrusions to law enforcement agencies. Their main concern is protecting consumer confidence and shareholder value. They say that reporting cyberrobberies exposes them to leaks and that there is no substitute for constantly enhancing their own defensive electronic security.
Internet scams are also proliferating. Almost 100,000 investors were lured to a Web site touting a high-tech start-up with revolutionary Internet devices, a partnership with Microsoft, and an initial public offering (IPO) with the Securities and Exchange Commission (SEC), all phony. But the imaginative perpetrator pulled in $190,000, including $10,000 wired from Hong Kong. Soon 14 million will have on-line trading accounts and millions more are surfing the 'Net for stock tips. Slick-looking ghost sites, perfect replicas of legitimate logos, are clever Ponzi schemes. The SEC's Internet cyberforce scans the Web for scams and investigates 100-odd complaints each day.
Probing attacks against the Pentagon (there are tens of thousands a year) are routed and looped through half a dozen other countries to camouflage where the attack originated. Information warfare specialists at the Pentagon estimate that a properly prepared and well-coordinated attack by fewer than 30 computer virtuosos strategically located around the world, with a budget of less than $10 million, could bring the United States to its knees. Such a strategic attack, mounted by a cyberterrorist group, either substate or nonstate actors, would shut down everything from electric power grids to air traffic control centers. A combination of cyberweapons, poison gas, and even nuclear devices could produce a global Waterloo for the United States.
A red team put together by the intelligence community in 1997 pretended to be North Korea. Some 35 men and women specialists, using hacking tools freely available on 1,900 Web sites, managed to shut down large segments of America's power grid and silenced the command and control system of the Pacific Command in Honolulu. The Defense Information Systems Agency (DISA) launched some 38,000 attacks against its own systems to test their vulnerabilities. Only 4 percent of the people in charge of targeted systems realized they were under attack, and of these only 1 in 150 reported the intrusion to superior authority. Ninety-five percent of DISA's traffic (the equivalent of one entire Library of Congress every four hours) moves along highly vulnerable public lines.
Hacker attacks on federal agencies have grown exponentially, as have the 'Netizens on the World Wide Web. Internet users now number 120 million, 70 million of them in the United States. An estimated 1 billion people (one-sixth of humanity) will be on-line by 2005, two-thirds of them abroad. There is a new Web site every four seconds. The challenges to intelligence and law enforcement agencies grow at the same dizzying pace. At the beginning of the 1990s, a computer hard drive seized in a criminal investigation would contain some 50,000 pages of text. Now law enforcement agents have to deal with 5 million to 50 million pages of data. But the ability of these agencies to retain computer talent is seriously jeopardized by the compensation packages offered by the private sector.
Logic bombs, Trojan horses, worms, viruses, denial of service, and other information warfare tools are now the arsenal in a new geopolitical calculus whereby foes can take on a superpower that can no longer be challenged with conventional weapons. No enemy can match the U.S. military, as demonstrated in the Gulf War. Cyberterrorism and cyberwarfare thus become a plausible alternative.
They are no longer the stuff of science fiction. America's adversaries know that the country's real assets are in electronic storage, not in Fort Knox. Virtual corporations, cashless electronic transactions, and economies without inventories based on just-in-time deliveries will make attacks on data just as destructive as attacks on actual physical inventories. Bytes, not bullets, are the new ammo. Or, most dramatically, a combination of bytes, bullets, and bombs.
The forces of global integration also lubricate the counterforces of disintegration and corruption. The criminal economy has gone global and is branching out as fast as the legal economy. But these transnational criminals are not interested in bringing down the system. They know that technology and the Internet have changed the landscape for financial services. A new breed of transnational criminals with high-tech methodologies has made its debut. They are recruiting top-drawer computer skills for their global operations that know no borders. Law enforcement, on the other hand, is stymied by frontiers that are not even lines on the map in cyberspace. In fact, law enforcement's electronic capabilities are from 5 to 10 years behind the transnational crime curve. Budget-constrained government agencies average about 49 months to order, acquire, and install new computer systems vs. about 9 months in the private sector. Crime syndicates purchase state-of-the-art as soon as it becomes available. Ten thousand high-powered scanners are being smuggled in from Asia every month. They can intercept and record law enforcement agencies' mobile phones, faxes, and even landline communications. They are also used by organized crime groups to steal proprietary secrets from high-tech companies. As law enforcement's computer crimes detectives follow cybertrails, they often find themselves being followed by the same criminals they are tracking. Imagine a serial killer shadowing the homicide detectives to find out how much they knew, which would provide the killer the opportunity to perfect the technique of killing, explained one cybersleuth.
The National Computer Security Center has reported a sharp rise in cybercrimes and other information security breaches. Of the 520 large U.S. corporations, government agencies, and universities that responded, 64 percent reported intrusions, up 16 percent in a year. The Internet was the main point of attack.
The Internet is already its own global state, with its own economy and its own digicash, and is starting to change the way the world economy functions. Direct sales over the 'Net are expected to reach $5 trillion in the United States and Europe by 2005.
Cyberterrorists, acting for rogue states or groups that have declared holy war against the United States, are known to be plotting America's demise as a superpower. Director of Central Intelligence George Tenet says, "an adversary capable of implanting the right virus or accessing the right terminal can cause massive damage." And hackers from around the world have proved they can do just that. They have crashed systems from abroad (a 16-year-old English boy took down some 100 U.S. defense systems in 1994); rerouted calls from 911 emergency numbers in Florida to Yellow Pages sex-service numbers from Sweden; disrupted troop deployments to the Gulf in February 1998 from California where two youngsters, directed by a hacker in Israel (codenamed The Analyzer), launched attacks against the Pentagon's systems, NSA, and a nuclear weapons research lab. The deployment disruptions were described by Deputy Secretary of Defense John Hamre as "the most organized and systematic attack" on U.S. defense systems ever detected. In fact, they were so expertly conducted that President Clinton was warned in the early phases that Iraq was most probably the electronic attacker.
The new pervasive tools of information technology blend truth and fiction in ways not easily discernible to decisionmakers. The Internet is also a global superhighway for disinformation. Thus, potentially damaging decisions can be taken as shortened time lines mandate immediate action. Cyberterrorists clearly perceive a new global reach for their activities as they train themselves with tools of information warfare. People are trained to become Rangers and SEALs, supersonic fighter pilots and astronauts, and daredevil mercenaries. Hackers and crackers similarly can be turned into a network of global terrorists whose mission might be, as it was for the Supreme Truth cult in Japan when it launched a sarin gas attack against the Tokyo subway system in 1995, the collapse of capitalism in the United States.
Using the tools of information warfare, cyberterrorists can overload telephone lines with special software; disrupt the operations of air traffic control as well as shipping and railroad computers; scramble the software used by major financial institutions, hospitals and other emergency services; alter by remote control the formulas for medication at pharmaceutical plants; change the pressure in gas pipelines to cause a valve failure; sabotage the New York Stock Exchange.
More and more, 'Net watchers see groups of activists and extremists, even terrorist groups, with their own Web sites, from the unreconstructed Marxist left to the neo-Nazi far right, interfacing with like-minded individuals in a process that bypasses national governments, unbeknownst even to their intelligence services. Civil protests in cyberspace are also becoming more common. A hacker group that supports the Mexican Zapatista rebels recently attempted to deny service of the Pentagon's primary information Internet site, DefenseLink. The attacks protested U.S. counternarcotics technology transfers to Mexican authorities. Monitoring the 'Net now entails 500 million pages, soon to be several billion.
Mr. Hamre believes "the new tools of terror," which can be used against civilian as well as military targets, have posed "a very real and increasing danger to national security." And these information warfare tools are acquiring doomsday potential with the electronic equivalent of the deadly human Ebola virus.
In 1986, a book entitled SOFTWAR documented how the Warsaw Pact countries could soon cripple the West by launching attacks against U.S. and NATO military and financial computer systems. The geometric growth in the power and speed of personal computers had barely begun. Bill Gates was not on anyone's radar screen. Then, three years later, the Cold War ended. Now the threat is real and constant. Eight nations have developed cyberwarfare capabilities comparable to America's. More than 100 countries are trying to develop them. Twenty-three nations have cybertargeted U.S. systems, according to knowledgeable intelligence sources. The head of the French equivalent of NSA was quoted in a French magazine as saying, "information warfare is a permanent warfare."
China's army newspaper, Jiefangjun Bao, in a March 24, 1998, article emphasized the need "to learn to launch an electronic attack on an enemy" and ensure electromagnetic control in an area and at a time favorable to us. To this end, we should cultivate partial information superiority by combining active interference with passive interference, electronic interference with repressive interference. In a system confrontation, we should learn to conduct a structural analysis and study ways of structural sabotage.
Not since the advent of the atomic age in 1945 has the United States confronted weapons that have the potential for altering the way wars are waged. The United States has readied a powerful arsenal of cyberweapons (e.g., planting logic bombs in foreign computer networks to paralyze a would-be opponent's air defense system and shut down power and phone service, and project video onto his TV stations), but at the same time the United States keeps testing its own vulnerabilities. They are enormous. There is still no technology for pinpointing the source of a cyberattack. Nor are there laws or regulations for deciding when to launch a cyberattack or counterattack. There has been no debate in Congress about the use and nonuse of cyberweapons. Under what circumstances would the United States resort to taking down the computer-dependent infrastructure of a foreign country? U.S. regional commanders have been ordered to review war plans in the context of cyberweapons with the aim of conducting deadly but bloodless operations.
Most political leaders are reluctant to face the fact that not only are the traditional prerogatives of national sovereignty being challenged by the Information Revolution but they are disappearing rapidly in cyberspace. The nineteenth-century model of an independent state has become one of trappings rather than substance. Information technology is also eroding hierarchies that have long served as information filters for the people they rule or govern, thus constraining the actions of officials within government structures.
The ever increasing speed of the technological revolution makes today's snapshot irrelevant tomorrow. In the past four years, the computer chip has gone from 1.1 million transistors to 120 million (Intel engineers believe they can reach 400 million and, beyond that, 1 billion before they run out of silicon gas), and supercomputers from 256 billion moves per second to a mind-numbing 1 trillion. By coupling supercomputers, scientists and engineers have achieved 10 trillion operations per second. The latest desktop personal computers have now acquired the speed of yesterday's supercomputer.
Intelligence augmentation is displacing artificial intelligence. Already a man has been able to control a computer by thought alone after receiving an electronic implant that fused with his brain cells. Emory University's Roy Bakay got a volunteer's brain cells to grow into his implant, thus linking up with its electronics. Quantum computing and neural connectivity computing, based on the 73 trillion cells in the human body, will be the next technological breakthroughs.
The mainstream media have been inexplicably silent in reporting life and death developments in cyberspace. Ignored was the November 1996 report by the Defense Science Board Task Force on Information Warfare. It called for "extraordinary action" because, it said, "current practices and assumptions are the ingredients in a recipe for a national security disaster." It also predicted that shortly after the turn of the century attacks on U.S. information systems by terrorists, transnational crime syndicates, and foreign espionage agencies would be "widespread."
A year later, in November 1997, the Presidential Commission on Critical Infrastructure Vulnerabilities said its fundamental conclusion was that "[w]aiting for disaster is a dangerous strategy. Now is the time to act to protect our future." The commission said that skilled computer operators have demonstrated their ability to gain access to networks without authorization. Whatever the motivation, their success in entering networks to alter data, extract financial or proprietary information, or introduce viruses demonstrates that in the future, some party wishing to do serious damage to the United States will do so by the same means.
Computerized interaction within and among infrastructures has become so complex, the report warned, that we may be faced with harm "in ways we cannot yet conceive."
This commission's report spawned two presidential decision directives that are designed to protect the nation's critical computer infrastructure. Now overseeing America's defense against cyberattack are two NSC staff members: Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism; and Jeffrey Hunker, director of the critical infrastructure assurance office. They have been empowered to craft a national protection plan. The CSIS Task Force concluded that these presidential decision directives were good as far as they went but that they did not go far enough. The battleground of the future will encompass the very foundations of America's knowledge-based high-tech economy. There are now info-guerrillas intent on doing major damage to the citadel of capitalism, and cybergeniuses in their late teens and early 20s are the new frontline fighters, arguably more important to the nation's defense than the men and women who fought the country's wars in the past.
A national protection plan cannot be accomplished without private and public partnerships because many of the key targets for cyberattack (power and telecom grids, financial flows, transportation systems) are in private hands. Such a partnership is a prerequisite of designing and developing a defense system to protect both the private and the public sectors against critical infrastructure attack. These partnerships extend beyond humans to the technology itself. The National Research Council recently completed its report, Trust in Cyberspace, which advocated the need to build trustworthy systems from untrustworthy components.
The president's commission has identified only the tip of a very large iceberg. The national security threat is strategic information warfare. This CSIS report explores the hidden part of the iceberg and makes recommendations for a strategy designed to avert an electronic Waterloo.
Judge William H. Webster, Project Chair
Arnaud de Borchgrave, Project Director
The most important step U.S. officials can take is to articulate and explain to the leaderships of critical infrastructure providers and major, dependent users the nature of the strategic information warfare (SIW) threat, the threat's significance, and the need to prepare for it. The public develops its perceptions of threats from many sources, but the public is more likely to take these threats seriously if leaders demonstrate their seriousness by implementing effective organizational reforms and resource allocation priorities.
A policy to protect the United States against an information warfare (IW) attack should be part of a broader strategy that addresses the total impact of the Information Revolution on U.S. national security. To date, no U.S. policy review has considered how the Information Revolution has affected the country's beliefs about security or proper preparations for dealing with such threats.
The president should issue an executive order (EO) establishing U.S. policy and explaining U.S. national security objectives vis-à-vis the SIW threat.
The EO should go beyond recent directives and should address the threat of a concerted IW attack by a sophisticated, determined opponent.
The EO should require a top-down review of existing organizations assigned responsibilities related to IW, information security, security policy, and cybercrime. The review should result in recommendations ensuring that organizations' roles are consistent, do not overlap, and do not leave gaps and specifying how and under what conditions they will interface with each other.
The EO should establish U.S. policy and guidance for the use of offensive IW; this policy should address U.S. strategic doctrine and several objectives in the use of offensive IW:
--Identify the officials who will have the authority to approve the use of offensive IW under various specified conditions;
--Draft guidelines for acceptable and prohibited targets under specified conditions;
--Define roles and responsibilities of the White House, the national security agencies, and the intelligence community under various specified forms of offensive IW;
--Determine procedures for approval and oversight of the use of offensive IW (including congressional oversight); and
--Identify high-priority functions for maintaining national defense, rule of law, emergency preparedness, and continuity of government, and ensure that these functions can be sustained in the face of SIW.
Currently the United States is a leader in the development and application of information technology, and it is important that the United States maintain this strategic information dominance (SID).
To retain leadership in the development and application of information technology and the dominance of U.S. firms in the computer, communications, and media industries, the United States must maintain a friendly environment for businesses in the information industries. The United States should undertake a review of policies and statutes that affect the ability of the United States to maintain its SID; areas to be reviewed should include antitrust policies, trade policies, technology export controls, and other regulations that affect the business environment and U.S. competitiveness.
Federal, state, and local governments have unique roles in ensuring vital government services (national defense, rule of law, and emergency services readiness) even under the stressful conditions of IW attack. Maintaining continuity in these areas can prove challenging and expensive. Government officials need to identify those functions that only government can perform and ensure that government has secure information systems and processes to maintain these functions. This requires updating and expanding government plans for the Information Age and securing the essential infrastructures upon which all levels of government depend.
Most experts agree that commercial telecommunications and information systems supporting critical infrastructures will likely be the primary targets in preparation for an IW strike against the United States. Cooperation by industry will be critical to the ability of the United States to defend against, detect, and contain such attacks. Reports by industry leaders suggest that the federal government mind-set still is "government leads, industry follows."
Indeed, government and business have different objectives and operating modes and often have good reasons to limit their cooperation. The cultures of government and the U.S. telecommunications and information industries are very different. The private sector will need to assume much of the responsibility for protecting itself. Government can help in specific, but limited, areas:
Provide information on the nature and extent of the IW threat. The government still has some sources of intelligence about the threat that private companies cannot obtain on their own, but analysts and law enforcement officials may not be able to recognize the evidence of IW aimed at the telecommunications and information systems of the critical infrastructures. Recent policy directives, including the establishment of the National Infrastructure Protection Center under the Federal Bureau of Investigation, aim to improve information sharing, but some legal barriers still need to be overcome and officials in the law enforcement and intelligence communities need to cooperate for these measures to be effective.
Raise the visibility of the threat to the leadership of critical infrastructure providers and major, dependent users.
Support private sector efforts (for example, the Information Systems Security Board [ISSB] proposed by the National Security Telecommunications Advisory Committee) to improve information security.
Review the adequacy and effectiveness of privacy laws, property laws, antitrust laws, and liability issues that are the legal foundation of the private sector's ability to maintain its integrity and protect itself from intrusion.
Provide incentives to the private sector so that it takes measures that not only improve its own security against SIW threats but also benefit the country as a whole.
U.S. officials should review the role of IW in U.S. military policy to ensure that U.S. military forces are prepared:
Assess the overall role of IW in U.S. defense policy. The major-regional-conflict standard on which the U.S. military currently bases its planning is increasingly irrelevant as information systems become the more likely target of attack. Traditional weapons systems and force structure that dominate debates on defense spending may become less relevant as IW capabilities develop.
Clarify U.S. policy on deterrence with respect to IW. Policy should articulate the linkage between IW and other forms of power projection.
Ensure effective oversight with respect to offensive IW. Because much offensive IW could be covert, U.S. leaders need to ensure that effective oversight procedures exist.
Overcome legal obstacles with respect to red-team exercises.
Information warfare threats, which can be generated quickly and from many sources, will require the United States to rethink many of its most entrenched concepts about how intelligence is supposed to work. U.S. officials should develop new intelligence methods necessary to monitor SIW threats:
Revamp the U.S. intelligence organization and process to adapt to a less hierarchical, less rigidly knowledge-based approach. More effective methods for working cooperatively with the law enforcement community and the industry supporting and building the critical infrastructures' platforms and technologies also are needed. Provide indications and warning of possible attack by working more closely with the private sector as a source of expertise and information.
Mandate high-priority intelligence collection requirements concerning IW. The intelligence community must re-examine and coordinate its collection methods and requirements.
Develop plans for recruiting and outsourcing for the special talent needed to analyze the SIW threat.
Designate a national intelligence officer (NIO) whose portfolio is dedicated to offensive and defensive IW.
The Internet makes an appealing target to terrorists, thieves, and malicious pranksters: all that information, all that electronic vulnerability, all that money...and most important, all that access.
Add to that the relative lack of expense involved in mounting a cyberattack. Bombs cost money and have to be physically transported to hard targets. Creating electronic weapons often costs no more than some programming time. Delivering the blow can be as simple as clicking on an email package's Send button.
Think about how much damage cyberterror can do. The Net is not the only thing that's vulnerable. Suppose some evil bit of code takes down the air traffic control system. Or scrambles the computers in a large hospital. Or introduces a destructive program into the computers of a stock exchange or a bank. Or knocks out power to a whole region of the United States. (Indeed, some media commentators invoked this very possibility earlier this year when much of the West went dark.) The possibilities are endless--and endlessly terrifying.
Finally, tack on the relative ease with which a terrorist can maintain anonymity. No airport checkpoints to pass through. No fingerprints left on steering wheels or bomb fragments. No human presence at Ground Zero. It's no wonder, then, that so many cyberterrorists are out there with so many different types of weapons at their disposal.
The oldest and best-known software weapons, computer viruses come in all shapes and flavors, from "harmless" prank messages to electronic forms of Ebola that chew up your data and spit it out as garbage. The very openness of the Internet--and the number of relatively inexperienced newcomers using it--makes it likely we'll be hearing about a lot of virus-ridden computers in the next few years.
According to experts at McAfee Associates, a maker of virus detection and protection software, as many as 10,000 viruses may be currently in circulation. And the company estimates that 300 to 400 new viruses are being created and circulated per month. That's a dozen or so new ones every day.
Some viruses infect your PC's boot sector--the first data area your computer seeks when you start it up--and rewrite the sector, crippling your system. Others infect the files that launch or run most of your software, rendering your programs unusable. (According to McAfee, macro viruses, which take effect when you execute a macro command from an application such as a word processor or spreadsheet, are now the most common type of virus being developed.)
Other deadly viruses erase your computer's CMOS setup tables (the records that tell your machine what sort of system it is), making it impossible for your computer to work.
Or consider a virus that makes only the smallest and most subtle of changes to your computer's data, the sort of thing you wouldn't notice until the moment when you really need something--and it's been corrupted.
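The last point is the hardest one for a user to notice, so here is how a defender catches it in practice. The following is an added example, not code from the original article: a small file-integrity check that records SHA-256 digests of every file under a directory as a baseline and later reports any file whose contents changed, even by a single character, along with files that went missing or appeared. The demo directory, file names and contents are constructed for the illustration; a real deployment keeps the baseline manifest on read-only or offline media so an intruder cannot rewrite it together with the files.

```python
"""Detect subtle file tampering by comparing SHA-256 digests against a baseline.

Added example (not from the original article). The demo tree below is
constructed; in production the baseline would be stored somewhere the
monitored host cannot modify.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record the digest of every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Compare the current tree with the baseline.

    Returns sorted lists under 'modified' (digest changed), 'missing'
    (in baseline, gone from disk) and 'added' (on disk, not in baseline).
    A one-bit change anywhere in a file lands it in 'modified'.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline two files, then alter one digit in a ledger."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    ledger = os.path.join(root, "ledger.csv")
    with open(ledger, "w") as f:
        f.write("account,balance\nacme,1000\n")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("untouched\n")
    baseline = build_baseline(root)
    # The "smallest and most subtle" change: one digit in one balance.
    with open(ledger, "w") as f:
        f.write("account,balance\nacme,1900\n")
    os.remove(os.path.join(root, "readme.txt"))
    return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

This is the idea behind host integrity monitors such as Tripwire: the baseline is the only reliable memory of what the data looked like before a quiet corruption, so it is taken while the system is known good and re-checked on a schedule.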
But the nature of viruses and the fear they engender has led to another weapon of cyberterrorism, even subtler and more insidious than an actual virus: the false virus warning. The most infamous of these is the Good Times virus announced in December 1994, with warnings appearing on computers around the world. In fact, there was no Good Times virus, but the warning and the paranoia it created live on.
Worms are breeder programs, reproducing themselves endlessly to fill up memory and hard disks. Worms are often designed to send themselves throughout a network, making their spread active and deliberate, rather than taking the hitchhiker approach used by most viruses.
Logic bombs are embedded pieces of destructive code that detonate on preset dates or when a specified set of instructions is executed, unleashing destructive actions within a computer or throughout a network. Often left by disgruntled employees to wreak their havoc years later, logic bombs can be very hard to find.
Bots (from robot) are pieces of code designed to rove the Internet and perform specific actions. A newsbot, for example, might fetch only the news you want. In the wrong hands, though, bots can be destructive--cancelbots that erase newsgroup messages, censorbots that delete postings that their creators find offensive, and so on. On September 22, 1996, Usenet groups lost about 25,000 messages to a cancelbot.
SYN attacks involve sending a torrent of connection requests--the same sort you make every time you click on a Web site--to targeted sites. In effect, a SYN flood creates a major traffic jam at the site, cutting it off. SYN floods are spreading, and any site can be a target. In September, a popular chess site was checkmated as a result of such an attack. SYN floods are attractive to wanna-be hackers because they require only simple programming--in some cases just a few lines of code. And sample SYN code is readily available both online and in print.
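From the defender's side, a SYN flood looks like a burst of connection attempts that never complete the handshake, and that is the signal to alert on. The following is an added example, not code from the original article: it runs that check over simplified, constructed connection records. The record format, the addresses, the window size and the thresholds are all assumptions made for the illustration; a real sensor would read NetFlow or packet captures instead.

```python
"""Flag SYN-flood behaviour in simplified TCP connection records.

Added example, not from the original article. Record format (assumed for the
illustration): "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <flags>", where
flags is "S" for a client SYN and "A" for the client's handshake-completing ACK.
"""
import collections
import random


def build_sample_log(seed=7):
    """Construct sample records: ten normal clients, then a 300-SYN burst."""
    rng = random.Random(seed)
    lines = []
    # Legitimate clients: each SYN is followed 50 ms later by the client's ACK.
    for i in range(10):
        t = 100.0 + i * 0.5
        src = f"10.0.0.{i + 2}"
        lines.append(f"{t:.3f} {src} 192.0.2.10 80 S")
        lines.append(f"{t + 0.05:.3f} {src} 192.0.2.10 80 A")
    # Flood: many SYNs from scattered (likely spoofed) sources within 2 s,
    # none of which ever completes the handshake.
    for _ in range(300):
        t = 110.0 + rng.random() * 2.0
        src = f"198.51.100.{rng.randrange(1, 255)}"
        lines.append(f"{t:.3f} {src} 192.0.2.10 80 S")
    lines.sort(key=lambda line: float(line.split()[0]))
    return lines


def parse(line):
    """Split one record into (timestamp, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return float(ts), src, dst, int(dport), flags


def detect_syn_floods(lines, window=5.0, syn_threshold=100, max_completion=0.2):
    """Return one alert per (destination, port, time window) that looks flooded.

    A window is suspicious when it holds at least syn_threshold SYNs and the
    share of SYN sources that went on to complete the handshake is at most
    max_completion. A legitimate peak completes most handshakes; a flood
    completes almost none.
    """
    syns = collections.defaultdict(list)      # (dst, port, window) -> [src, ...]
    completed = collections.defaultdict(set)  # (dst, port, window) -> {src, ...}
    for line in lines:
        ts, src, dst, dport, flags = parse(line)
        key = (dst, dport, int(ts // window) * window)
        if flags == "S":
            syns[key].append(src)
        elif flags == "A":
            completed[key].add(src)

    alerts = []
    for (dst, dport, start), sources in sorted(syns.items()):
        if len(sources) < syn_threshold:
            continue
        distinct = set(sources)
        finished = sum(1 for s in distinct if s in completed[(dst, dport, start)])
        ratio = finished / len(distinct)
        if ratio <= max_completion:
            alerts.append({
                "dst": dst,
                "port": dport,
                "window_start": start,
                "syn_count": len(sources),
                "distinct_sources": len(distinct),
                "completion_ratio": ratio,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_floods(build_sample_log()):
        print(alert)
```

Detection like this is for alerting; the standard server-side mitigation is SYN cookies (RFC 4987), which let the host answer SYNs without reserving connection state until the handshake actually completes, so a flood of half-open requests has nothing to exhaust.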
A mere threat can be as effective as an actual attack. Within the past year, according to unnamed sources, several U.S. banks have paid six-figure fees to buy off hackers who cracked the banks' security codes.
As more money moves on the Internet, the more appealing the Net will become to crooks. A survey by Science Applications Corporation reported that computer break-ins at 40 corporations resulted in losses exceeding $800 million last year alone. It's a battlefield out there--and it may already be expanding into your machine.
Electronic terrors are very real and are being met by very real activity on a number of fronts. Government and military groups are mounting aggressive research programs and other forms of defense aimed at stymieing the likeliest data-doomsday scenarios. According to McAfee Associates, virus detection software is already a multibillion-dollar industry. Investment in corporate information security dwarfs that, with tens of billions being spent on firewalls, encryption technologies, and secure-communications protocols. Already we are seeing many corporations and institutions cutting themselves off from the Internet, sealing their information transfers into intranets to keep outsiders--and their schemes--out.
Firewalls themselves are spawning corporations devoted to protecting the firewalls against vulnerability. (For more information, consult the National Computer Security Association's firewall certification program.) One risk is that as more and more firewalls are erected, we may find ourselves cut off from previously public Internet sites.
Computer security has always been a thriving business; now it's explosively expanding. The federal government's National Security Agency plans to assign as many as 1,000 people to an information warfare department. Its shape, goals, and ultimate budget are not yet known, but its establishment sends a clear signal that federal security officials are watching cyberterrorism with growing concern.
The Internet itself may be relatively safe from full-scale attack, but the aftermath of the Morris worm continues to be felt. All it takes is a single vulnerable spot and a smart antagonist, and we could experience a Net-wide apocalypse.
But what about us, the individual users? In our case, the very openness of the Internet--what makes it so vulnerable--also works to our advantage: word about new viruses and other forms of sabotage spreads quickly. Software to deal with the problem can be distributed with equal speed.
--Get a good, frequently updated virus detection program. (You can download McAfee's VirusScan from the Web; or invest in a commercial package such as Trend's PC-cillin, Symantec's Norton AntiVirus, or Dr. Solomon's Anti-Virus Toolkit.) Use it every time you use your computer, and be obsessed with keeping it current. Change your passwords frequently, never give them out, and make sure they're random and unrelated to any of your personal information that may be on the Net.
--Be careful what you download and where it comes from.
--Use encryption software such as PGP to protect your electronic communications from the prying eyes of interceptors.
--Stay informed of the latest cyberterrorist goings-on; you need to know what you're up against before you can protect yourself from it.
--Make sure everyone who uses your computer follows the same precautions you do.
This is one potential apocalypse that will not go away as a result of software fixes or hardware upgrades. Money alone will not keep determined crooks at bay. Whether or not cyberterrorism brings down the Net depends on staying a step ahead of the best and brightest of the cyberwarriors.
[ Please don't read this one just before going to bed. ]
Where the Physical and Virtual Worlds Converge
Barry C. Collin
Institute for Security and Intelligence
P.O. Box 9877
Stanford, CA 94309-9877 USA
The definition of "terrorism" has been well studied, defined, and documented. There is also a degree of understanding of the meanings of CyberTerrorism, either from the popular media, other secondary sources, or personal experience. This paper examines the future of CyberTerrorism - a term the author coined a decade ago, as the indicia of technological dependence and frailty were forming in our New World disOrder. Indeed, that future has come to fruition, today.
The face of terrorism is changing. While the motivations remain the same, we are now facing new and unfamiliar weapons. The intelligence systems, tactics, security procedures and equipment that were once expected to protect people, systems, and nations are powerless against this new and very devastating weapon. Moreover, the methods of counter-terrorism that our world's specialists have honed over the years are ineffectual against this enemy. This enemy does not attack us with truckloads of explosives, nor with briefcases of Sarin gas, nor with dynamite strapped to the bodies of fanatics. It attacks us with ones and zeros, at the place where we are most vulnerable: the point at which the physical and virtual worlds converge. Let us first define these two domains.
The physical world is matter and energy - light, dark, hot and cold, all physical matter - that place in which we live and function.
The virtual world is symbolic - true, false, binary, metaphoric representations of information - that place in which computer programs function and data moves.
The physical and virtual worlds are inherently disparate worlds. It is now the intersection, the convergence, of these two worlds that forms the vehicle of CyberTerrorism, the new weapon that we face.
This convergence of the physical and virtual worlds, this lattice, is growing larger and more complex as we venture further into technological dependence. Each day, we move ahead with blinding speed into the computerization of every task and process that we face. We are becoming ever more inextricably reliant and dependent on the convergence of these two worlds.
What are some of the more obvious points of convergence?
A garage door opener.
A heart pacemaker.
The computer chip in a late model car.
A microwave oven.
These are all things taken for granted. Yet, as we progress into a far more technological world, what other points of convergence are taken for granted?
Food processing plants
Pharmaceutical processing plants
Electric and natural gas utilities
Train crossings and traffic control systems
Next generation air traffic control systems
Virtually all modern military equipment
Military and public safety communications
What is driving the convergence of these two worlds? There are three goals:
1. Access: the goal of universal, ubiquitous interface;
2. Control: the goal of remote administration; and
3. Mining: the goal of knowledge acquisition.
To achieve these goals, there are four vehicles:
Transmission: longer lines across land and through space;
Connections: more links to more points;
Aggregation: more information centralized, and disconnected information linked; and
Retrieval: more ways of retrieving information, and more importantly, knowledge.
So how does a CyberTerrorist achieve his mission? Like any terrorist, a CyberTerrorist actively exploits the goals of the target population in areas that they take for granted.
There are three potential acts in CyberTerrorism at the point of convergence:
3. Acquisition and retransmission (these are a unit).
As we will see, these three types of acts are most heinous at the point where the physical and virtual worlds converge.
To achieve a true terrorist goal, as we know, we must have scale and publicity. So how does the CyberTerrorist approach a new age - an age of convergence of the physical and virtual worlds? An age where, thanks to our goals, he can perform his CyberTerrorist acts from his living room, undetected, from 8,000 kilometers away?
A great deal of "cracks" are committed for the purposes of anarchy, humor, or as often stated by the perpetrators, "to be annoying." However, is this the mindset of a CyberTerrorist? Does the CyberTerrorist make a garage door go up and down? Does he change an Internet web site to say a country's government is evil? Does he hack into a major corporation's voice mail system to make long distance calls? No - that is not the domain of the CyberTerrorist - that is the domain of the amateur cracker community that exists worldwide.
A CyberTerrorist's mindset is quite different. A CyberTerrorist would not alter a voice mail, or even abuse credit cards.
Let us examine some example CyberTerrorist acts. Based on the definitions of terrorism, a determination can be made if they in fact constitute terrorism:
A CyberTerrorist will remotely access the processing control systems of a cereal manufacturer, change the levels of iron supplement, and sicken and kill the children of a nation enjoying their food. That CyberTerrorist will then perform similar remote alterations at a processor of infant formula. The key: the CyberTerrorist does not have to be at the factory to execute these acts.
A CyberTerrorist will place a number of computerized bombs around a city, all simultaneously transmitting unique numeric patterns, each bomb receiving each other's pattern. If bomb one stops transmitting, all the bombs detonate simultaneously. The keys: 1) the CyberTerrorist does not have to be strapped to any of these bombs; 2) no large truck is required; 3) the number of bombs and urban dispersion are extensive; 4) the encrypted patterns cannot be predicted and matched through alternate transmission; and 5) the number of bombs prevents disarming them all simultaneously. The bombs will detonate.
A CyberTerrorist will disrupt the banks, the international financial transactions, the stock exchanges. The key: the people of a country will lose all confidence in the economic system. Would a CyberTerrorist attempt to gain entry to the Federal Reserve building or equivalent? Unlikely, since arrest would be immediate. Furthermore, a large truck pulling along side the building would be noticed. However, in the case of the CyberTerrorist, the perpetrator is sitting on another continent while a nation's economic systems grind to a halt. Destabilization will be achieved.
A CyberTerrorist will attack the next generation of air traffic control systems, and collide two large civilian aircraft. This is a realistic scenario, since the CyberTerrorist will also crack the aircraft's in-cockpit sensors. Much of the same can be done to the rail lines.
A CyberTerrorist will remotely alter the formulas of medication at pharmaceutical manufacturers. The potential loss of life is unfathomable. The CyberTerrorist may then decide to remotely change the pressure in the gas lines, causing a valve failure, and a block of a sleepy suburb detonates and burns. Likewise, the electrical grid is becoming steadily more vulnerable.
In effect, the CyberTerrorist will make certain that the population of a nation will not be able to eat, to drink, to move, or to live. In addition, the people charged with the protection of their nation will not have warning, and will not be able to shut down the terrorist, since that CyberTerrorist is most likely on the other side of the world.
Sadly, these examples are not science fiction. All of these scenarios can be executed today. As you may know, some of these incidents already have occurred in various nations. More of such acts will take place tomorrow. Are you prepared?
The purpose of this paper is to help you understand the threats that exist, and hopefully, to help you prevent these types of atrocities. But know this - there are people out there with very different goals, who are our real threats, and who are, or will be, attacking us. Make no mistake, the threats are real, today.
Who are the CyberTerrorists? There are a great many poor movies and too many works of fiction about the hacker and cracker communities. In the popular media, there recently was the Kevin Mitnick incident, where one cracker broke into another cracker's systems. This spawned endless press and at least two best selling books. While this incident received much attention, the events amounted to meaningless children's games.
By and large, the cracker community, based primarily in the United States, Europe, the Middle East, Asia, and in the nations of the former Soviet Union, is composed of individuals who see the cracking process merely as a challenge, a brain teaser, a puzzle. They view themselves as not only being innocent of any crime, but perhaps even doing something righteous, something to counter the dark monoliths of the corporate and government worlds. They believe they are being persecuted. These individuals believe that what they are doing is not doing any true damage. At its least harmful, these crackers just look at information. However, privacy issues and military secrecy can render such infiltrations acts of terror.
Sometimes crackers make minor changes, just for fun, to be annoying, or to make a statement. The potential for damage here is enormous.
Individuals with a background in intelligence are aware that a frequent element of case execution is enlisting the indigenous, sometimes called "facilitators," to assist in a campaign. At the convergence of the physical and virtual worlds, the indigenous are the crackers.
There is the incorrect assumption in the cracking community that they, the crackers, are so sophisticated or so knowledgeable as to know when they are being approached for a truly illicit reason (e.g., to be enlisted as a facilitator to commit an act of terrorism). However, despite cracker arrogance, these individuals are easy targets for enlistment.
What about those crackers who actively wish to cross the line, or more basically, need money? To a teenager, a $1,000 U.S. can purchase a good many compact disks, a new modem, and a great deal of libation. Beyond youths, there are professionals in this arena as well.
Historically, individuals engaged in the practice of terror tended not to be people working upon a computer 20 hours per day. Terrorists have not been in the business of tracking the latest holes found in UNIX or an obscure government telnet opportunity. There are people, however, who are in that business - for illicit as well as good cause. As stated, just as indigenous people may be turned into soldiers, so can crackers be turned into CyberTerrorists. Sometimes such a transition may be motivated by money or prestige. Usually, this transition will occur without the cracker's cognizance. The potential threat from such transitions is mind boggling, considering the damage even one mis-directed cracker can cause.
Further, as young, educated people are brought into the folds of terrorist groups, this new generation will have the talent to execute the acts of CyberTerrorism of which we have spoken.
We are going to see increasing levels of in-house expertise, and concomitant exponential increases in CyberTerrorism. Unlike other methods of terrorism, CyberTerrorism is safe and profitable, and difficult to counter without the right expertise and understanding of the CyberTerrorist's mind. Combine our increasing vulnerability with the explosive increases in the level of violence, and the increasing expertise available inside terrorist organizations through new blood and outside through facilitators, and we can see that at the point where the physical and virtual worlds converge, the old models of managing terrorism are obsolete.
We must consider the following elements when building a counter-CyberTerrorist program:
We must accept that while the theories of terrorism stand true, the way in which we approach counter-terrorism, in this case, counter-CyberTerrorism, must change.
We must cooperate and share intelligence in ways we never have before.
We must enlist the assistance of those individuals who understand the weapons we are facing and have experienced fighting these wars.
We must learn the new rules, the new technologies, and the new players.
Unfortunately, one cannot learn how to fight this very unconventional warfare from someone who hasn't been there, nor from someone whose experience is in the old ways and old technologies. The old data processing, auditing, and computer security models in use today are obsolete. On this battlefield, against this weapon, the terrorist is already far ahead. The building of a counter-CyberTerrorist team must be real-time and dynamic, as the weapons will continually change, to morph, in an attempt to beat you, your systems, and your people. There is no re-machining, and unlike other terrorists, if the CyberTerrorist loses today, he does not die - he learns what did not work, and will use that information against you tomorrow.
If a computer security advisor states that you, your organization, and your country are safe behind firewalls, behind a system put into place by people who have never fought cyberbattles, behind audit trails, passwords, and encryption, then a great and dangerous fallacy (or fantasy) is being perpetrated upon you. The only solution is the quick deployment of a counter-CyberTerrorist - someone who knows what you are up against today, someone who lives in the world of the people who are, and will be, attacking - someone who can train the people who must fight the battles.
An effective auditing system will only inform the target manager that they have taken a hit; perhaps a fatal hit. By that point, it is too late. Now is the time to take action. Unfortunately, due to the open nature of this document, specific counter-CyberTerrorism measures cannot be discussed. Those discussions must be reserved for secured facilities.
Counter-terrorists of all backgrounds are duty-bound to save property, and more importantly, save lives. However, we are not isolated. We are all increasingly connected, dependent, and vulnerable. The very basic things we take for granted (e.g., food, medicine, energy, air, freedom of movement, communications, freedom from violence) are being threatened by the new weapon of CyberTerrorism.
If we do not work together, we will be responsible for the outcome. If we fail to be ready when and where the virtual and physical worlds converge, then all that will be left is terror - in ones and zeros.
The above material was not a bedtime story, was it? I felt that I needed to let my readers know that the world of the Internet is getting very dangerous, while it is also a place of great open freedom. I am really concerned that One Worlders may decide to set us up with a false crisis on the Web in order to establish the alleged "need" for controls. In any case, we must all be doing whatever we can understand and afford to defend ourselves.
Editor: Balaams Ass Speaks