Information Warfare: Time to Prepare
Cooperation between the government and industry is essential to protecting the nation’s information infrastructure.
IW presents special problems for U.S. defense planners. Many, if not most, targets of an IW attack against the United States would probably be commercial computer and communications systems. These systems are more vulnerable than those operated by the military. Commercial operators are seemingly unaware that they are potential IW targets, and few have taken any precautionary measures. Commercial software developers and hardware designers are also not attuned to the IW threat. Thanks to “Melissa,” the “Love Bug,” and other computer viruses, the public has become more aware of the importance of computer security. Several recent cases of cyber crime and denial-of-service (DoS) attacks have also made computer users more alert. Yet the IW threat is very different from vandalism and criminal activities.
Foreign military organizations and terrorist groups are likely to have more people and deeper pockets. They can work harder and longer on an assignment, which means that they can crack systems that might withstand an assault by a more casual opponent. They are likely to be more experienced and will use more sophisticated tactics. Most important, serious IW attackers would not reveal their activities until it is absolutely necessary. Unlike the typical hacker prankster who wants to attract as much attention as possible, sophisticated IW threats have an incentive to remain discreet and are likely to have the skills to evade detection. They would take weeks or months to lay the groundwork for an attack in secret and would then create diversions to confuse their targets so that the initial phases of an attack would be as effective as possible.
The dilemma for U.S. officials is that although commercial information systems are prime targets for IW attack, the government has limited influence over how these systems are designed, manufactured, and operated. The public is generally unaware of serious IW threats. It is hard to prove that a specific IW threat exists, let alone that it is planning to strike a specific target. Companies are always under pressure to reduce costs and maximize profit. All these factors make preparing for IW difficult.
But one factor makes preparing for IW harder than it needs to be. The relationship between the government and information industries has often been rocky in recent years. The two communities are often unfamiliar with each other and view their counterparts with suspicion. There is, in effect, a cultural divide between the government and the commercial sector that prevents the two communities from cooperating. Unless government officials and the information industries improve their relationship, the United States will become increasingly vulnerable as it becomes more dependent than ever on computers and the networks that interconnect them.
Virtually every aspect of life has become more dependent on computers, embedded electronics, and communications systems. All these information systems–and especially those connected to a network–are potential targets for IW attack. When defense experts talk about the IW threat to commercial information systems, they do not mean hackers or even criminals. They are referring to well-funded, sophisticated, foreign military powers, intelligence organizations, and terrorist groups. Professional military journals in several countries, including Russia and China, have discussed computer network attacks as a military option. Usually these writers refer to foreign IW capabilities and plans, but it is reasonable to assume that any military organization that has discussed foreign plans for IW has considered the option for itself.
One difficulty in preparing to defend against IW is that the capabilities for such attacks are often easy to conceal, and the best IW powers are also probably best at concealing their capabilities. Even so, one can postulate what an IW team might look like. It might consist of a force of professional computer network operators, not just a few technically savvy malcontents. These technicians will know the holes that exist in popular software packages and the slip-ups network operators commonly make in maintaining firewalls and other security measures. They will also know from their own experience the shortcuts taken by sloppy or lazy operators.
Given enough time, such an IW force could penetrate most systems connected to a public network, in part because they would have ample support. An IW team would likely have an intelligence service helping it identify the vulnerable points of an adversary’s infrastructure and the computer systems they depend on. The intelligence service would also support the IW team through traditional espionage, such as stealing codebooks and passwords or planting agents who could assist an attack from inside the targeted network. IW and intelligence organizations could also work with each other to penetrate companies that produced or maintained commercial software. This would enable them to insert “trapdoors” and “Trojan horses” that they could trigger later.
In addition, the IW team would coordinate its plans with the commanders of conventional military forces. The IW team could support a conventional strike by jamming or confusing the enemy’s air defense computer network, or it could magnify the effects of a military strike by hacking the databases civilian authorities need for fire and rescue operations. An IW team might spend weeks or months “footprinting” targeted computer networks; in effect, creating a mirror image of the system’s design to identify its weak points. Once it had a footprint, the IW team would update its analysis regularly, as is done with any military contingency plan. With these plans in place, an IW team would be ready to go into action when needed. The potential civilian targets of an IW strike could be any communications system or computer network, or any part of a country’s infrastructure that depends on such networks. For example:
- U.S. military forces depend on commercial transportation systems for logistics and, in many cases, for moving units to the scene of battle. These transportation systems depend on computer networks to control machinery, keep track of inventories, and coordinate their operations. A foreign adversary could significantly hinder U.S. forces in reaching, say, the Persian Gulf or the Taiwan Strait by attacking the computers at commercial harbor facilities used to ship ammunition or the air traffic control system that would be needed to support an airlift of personnel and supplies.
- The commercial broadcast systems and commercial Internet would be critical during a national emergency to coordinate public safety efforts and keep the country informed. Some of the recent virus and DoS attacks were targeted against companies such as CNN and AOL; it does not require much effort to imagine how these companies might be forced to curtail operations by a more concerted, professionally orchestrated strike.
- A serious opponent would probably target specific suppliers and companies that are especially important to either U.S. weapons production or mobilization. Attacks on small, seemingly unimportant companies might be lost in the heat of a national crisis and might be hard for such companies to detect in any case.
- Most military and government personnel use the same banks and financial institutions as the general public. If these are insecure, it would be possible for an adversary to target the data records of key individuals, either to collect compromising information or to plant disinformation.
Some writers have described how an IW attack could lead to catastrophic results: the proverbial “electronic Pearl Harbor.” Such a strike might be theoretically possible, but it misses the point. IW is an inevitable byproduct of the Information Revolution. Our foreign adversaries, both regular military forces and terrorist organizations, will target U.S. information systems simply because it is possible and because it offers them another channel for effective action. As information systems become more capable, we become more dependent on them and, as we become more dependent, they will become irresistible targets. That is why we need to prepare defenses, and this requires cooperation between government and industry.
Deal with it
U.S. officials were reluctant even to discuss IW threats until the mid-1990s, when they began to understand that it was impossible to prepare for such attacks without greater public awareness of the problem. One of the first studies to discuss the threat openly was a report published by the Defense Science Board in 1996. This study, Information Warfare–Defense (IW-D), triggered more action. President Clinton appointed a commission under retired Air Force General Robert T. Marsh to study foreign threats to information systems and other infrastructure, such as transportation and power generation. Several of the Marsh Commission’s recommendations were later enacted through Presidential Decision Directives 62 and 63, which President Clinton signed in May 1998. These directives officially acknowledged threats to the U.S. infrastructure (including cyber attacks) and proposed measures to protect it. At the same time, the president appointed a national coordinator for security, infrastructure protection, and counterterrorism to oversee the implementation of the new policies.
Several obstacles undercut these efforts, especially in their effectiveness against serious, well-supported IW threats. One problem was a result of bureaucratic politics. Agencies competed for roles in dealing with the newly acknowledged threat. The Department of Justice won the right in February 1998 to put the National Infrastructure Protection Center (NIPC) in the FBI. The NIPC was, in effect, supposed to be the federal government’s command post for monitoring attacks on information systems.
Unfortunately, the FBI is a law enforcement organization. Although law enforcement organizations may be effective against hackers, criminals, and the odd troublemaker, they are ill-equipped to deal with foreign military threats and large international terrorist networks. Law enforcement organizations are designed to respond to crimes, apprehend suspects, bring them to trial, and put them in jail. Military organizations, in contrast, are designed to win wars. Both functions are important, but each type of organization operates under different rules and at a different tempo. Law enforcement is reactive and emphasizes dogged detective work. Defense is preventive, and military operations aim at ending conflicts as expeditiously as possible on terms favorable to the United States. Law enforcement requires respecting and protecting the civil rights of defendants, who are presumed innocent until proven guilty. Military operations frequently require violence and ruthlessness to defeat (and if necessary, destroy) an adversary. It is hard to design an organization to do both, which is, in effect, what the NIPC is expected to do.
There are other problems, too. Although the military services and intelligence community have representatives at the NIPC, most of its staff comes from law enforcement organizations. Even if defense and intelligence organizations had greater representation at the NIPC, it would probably still be hard to attract up-and-coming officers to serve there. Spending a few years at a law enforcement organization monitoring hacker reports is hardly the ticket punch that gets a rising officer promoted. Also, the NIPC is not well connected into the military command system. For example, there do not appear to be clear guidelines that would define how and when a hacking incident would be determined to be a military problem rather than a criminal investigation, or how the organization would change its operation to deal with such a situation.
Meanwhile, military commanders have not concentrated on protecting commercial systems from foreign attack. They have focused mainly on ensuring that military computer systems and communications networks work. IW attacks against targets within the United States fall, like state-sponsored biological and chemical weapon attacks, into the new mission of “homeland defense.” The military services are still not certain how to address this mission, as it is very different from the kinds of operations U.S. forces prepared for throughout the 20th century. Homeland defense requires new kinds of forces and new kinds of plans, many of which do not fit into the traditional concepts of how a military force should operate. It also raises legal issues; just as law enforcement organizations are unsuited to dealing with military threats, U.S. military forces are prohibited by statute from serving in a law enforcement function.
In addition to creating the NIPC, the federal government has undertaken several other initiatives to reduce the threat of cyber crime and cyber terrorism. Some of these involve partnerships with industry, but there are also problems that leave the government and the private sector ill-prepared to respond jointly against serious IW threats. For example, several reporting organizations have been established to share information and issue warnings about hacker attacks and computer viruses. One of the first of these was the Computer Emergency Response Team/Coordination Center (CERT/CC) at Carnegie Mellon University. CERT/CC was set up as a federally funded R&D center by the Defense Advanced Research Projects Agency in late 1988, after a self-replicating program (the Morris worm, often loosely called a virus) disabled roughly 10 percent of the computers then connected to the Internet. Since then, CERT/CC has effectively become the 911 number that civilian computer operators call to report such incidents. Other organizations in the United States and abroad have since established local CERTs and reporting operations. The FBI also has its Awareness of National Security Issues and Response (ANSIR) Program, which alerts industry and infrastructure operators to espionage and sabotage threats.
During its last year in office, the Clinton administration stepped up its efforts to deal with cybersecurity issues. One of its most visible initiatives was unveiled in February 2000, when the president announced he would provide $9 million in accelerated funding for computer security education programs and a new Institute for Information Infrastructure Protection. (This was to supplement $2 billion the administration had already proposed for cybersecurity initiatives in FY 2001.) The administration also planned to encourage industry to create new Information Sharing and Analysis Centers (ISACs). These centers, two of which have already been established for the financial and communications industries, are designed to allow companies targeted by hackers or cybercriminals to share information in a secure semi-anonymous environment. ISACs protect companies from having to disclose proprietary information when reporting such incidents and also control the flow of publicity, so customers are informed but not unnecessarily alarmed.
The problem with CERT/CC, ANSIR, ISACs, and similar programs is that they are geared to peacetime operations, not to providing wartime “indications and warning.” Also, they do not routinely deal with military commands. In other words, the most likely targets for an IW strike against the United States are commercial computers and networks, and the first signs of an IW strike would likely appear in the private sector. But the reporting network that commercial operators are coming to rely on is focused mainly on pranks, crime, and natural disasters, not well-prepared terrorist or military threats. In effect, the commercial sector–our canary in the coal mine–is ill-prepared and disconnected from the organizations that would have to respond to an attack on the United States.
The cultural divide
It would be easier to defend against IW threats if government and industry could cooperate more effectively. Unfortunately, the two have collided on several issues recently. These clashes have undermined the more highly publicized efforts of the Clinton administration to promote public-private partnerships. Some specific points of contention have included:
- Antitrust. Microsoft, Intel, and America Online have all been the targets of antitrust suits or investigation by the Department of Justice. True, computer and communications companies have long been targets of antitrust suits; indeed, the IBM and AT&T cases were landmarks. But it is hard for government to try to develop a close relationship with the new information companies with one hand, while trying to break them up with the other.
- Encryption. The federal government tried throughout the 1980s and most of the 1990s to regulate encryption technology. Law enforcement and intelligence agencies feared losing their ability to intercept communications. The information industry, however, believed that developing electronic commerce was impossible without strong encryption.
- Criminal investigations. In July 2000, the FBI became ensnared in a controversy when the press reported its use of “Carnivore,” a portable computer system for implementing court-ordered intercepts of e-mail at Internet service providers (ISPs). Civil liberties groups criticized the system as an invasion of privacy. The Clinton administration, which had moved slowly on Internet privacy issues, was unprepared to explain either how the system worked or how it intended to protect the rights of e-mail users and address the concerns of ISPs.
- Immigration. Immigration laws have prevented IT companies from hiring the foreign talent they believe they need. This has increased their labor costs and threatened their competitiveness with foreign companies. Such restrictions also conflicted with the New Economy zeitgeist of borderless markets.
Paradoxically, from the perspective of preparing defenses against an IW strike, the government’s position on all of these issues was counterproductive. Americans would probably be safer from an IW attack if U.S. companies dominated commercial markets for software and hardware, and such domination often requires a monopoly. Antitrust litigation opens opportunities for foreign competitors. (How would national security be affected if a foreign company designed the software used in U.S. banks or in popular Internet browsers?) Similarly, although encryption cannot guarantee that a commercial computer network is secure against an IW attack, it is probably impossible to make a system secure without strong encryption. Finally, immigration restrictions have encouraged U.S. companies to outsource software development to foreign countries, where there is a greater chance that it will be compromised by foreign military organizations and intelligence services.
Yet these disagreements run deeper than just quibbles over policy details. The recent disputes reflect a clash of cultures. How did this clash occur?
Part of the problem may simply be geography and history. The first-generation computer companies such as IBM, Burroughs, Sperry, NCR, Control Data, and Digital were mainly based in the east and the midwest. So was AT&T, which operated as a heavily regulated government-sanctioned monopoly until its breakup in 1984. Most of these companies had long histories as contractors to the Department of Defense or other government agencies. As a result, they were accustomed to cooperating with the government, even when “cooperation” really meant following instructions. They also shared similar cultures. Many company officials had served in the military or had at least worked closely with government agencies. There were also cultural parallels: hierarchical organizations, formal rules, and even a uniform dress code at IBM.
The new companies that led the personal computer and Internet revolutions–Intel, Apple, Netscape, Oracle, and, of course, Microsoft–were different. Most took root on the west coast. Many corporate leaders had little experience with government and had never served in the military, having been born too late to be eligible for the Vietnam era draft (Bill Gates and Steve Jobs were born in 1955; Steve Case in 1958; Marc Andreessen in 1971). The new leaders often learned computers on their own and often rejected the usual course of formal education and earning professional credentials. Gates and Jobs both left college early to concentrate on business; Andreessen completed a normal stay at the University of Illinois, but once claimed he was not sure whether he received a degree or not. Their model for success was the startup and the IPO, not climbing the corporate ladder; and they believed that the consumer market was more important than government sales. Generalizations are always risky: Andreessen, for example, worked on Mosaic under government-funded research, and Larry Ellison created Oracle partly with Air Force funding. But it seems fair to say that the new corporate leaders lacked many of the government ties their predecessors had. Many see government, along with high interest rates and tight-fisted investment bankers, as just another threat that could put them out of business.
To make matters worse, the government has been losing clout. It is no longer the most important customer for computers and often does not have a lead in technology. For example, government officials could once boast that the most capable supercomputers in the world resided at the government’s nuclear labs and the National Security Agency (NSA), where they were used to design hydrogen bombs and break foreign codes. Today, however, the most powerful computers available are as often in the private sector, being used, for example, by Boeing to generate three-dimensional designs for airliners or by Pixar to create animated cartoons.
The government’s diminishing influence has been clear in its efforts to promote security standards for commercial information systems: a key component of any defense against the IW threat. At one time, the National Institute of Standards and Technology (NIST, then the National Bureau of Standards) could issue a standard such as the Data Encryption Standard and assume that industry would adopt it because there was nothing better. By the mid-1980s, though, some companies began offering encryption technology that approached or surpassed that offered by the government and that would have been difficult or impossible for government agencies to defeat. In 1994 the government tried and failed to convince industry to adopt Clipper, an NSA-developed encryption system built around key escrow: copies of each device’s keys would be held by the government so that law enforcement and intelligence organizations could decrypt traffic under certain legally authorized conditions. Because it was no longer dependent on the government for the best encryption and because its commercial interests seemed to diverge from the government’s efforts to restrict the technology, industry refused to go along.
Government authorities have had difficulty adapting to the new situation. Even as the controversy over encryption and Clipper ensued, NSA and NIST created the National Information Assurance Partnership (NIAP) in August 1997. NIAP, a joint program to test and evaluate commercial security technology, works with industry and with standard-setting agencies in other countries. Alas, figuring out how to negotiate and facilitate, rather than impose, industry standards has put government officials on new and unfamiliar ground. Officials are still trying to make the process work, and representatives from industry have been slow to forget that their new partners were only recently opposed to any process in which industry had a significant say about this key component of information security.
To be sure, the information industry was not blameless. Even as companies complained about government restrictions on encryption, most software packages designed for consumers have been designed to be easy to use, not secure. The automatic features that make popular programs easy to use (for example, content that executes on its own when a document or message is opened) also often make them easy to hack. Similarly, although companies warned that government agencies threatened the privacy of their customers for the sake of national security or law enforcement, industry often had an even more cavalier attitude toward privacy. Witness the use of “cookies” to monitor surfing habits on the World Wide Web, the selling of customer databases, and often ambiguous self-policing privacy standards. And there is the immortal quotation of Scott McNealy, chief executive officer of Sun Microsystems, who said when asked about security features in a new network software product, “You have zero privacy anyway. Get over it.”
The Clinton administration’s efforts during its final year to smooth relations between government and industry will help prepare the country against IW threats. Possibly the most important step was the administration’s January 2000 reversal on encryption restrictions that, for all practical purposes, deregulated a key technology necessary for security against IW attack. Administration officials also began to meet more often with representatives from industry. Even so, there are several measures that the next administration should undertake that would further close the gap between the commercial sector and the government and better prepare the country for the IW threat.
The new administration must appoint officials who are willing and able to establish a better relationship with the private sector. (Lt. Gen. Michael Hayden, the current director of NSA, is an example.) Officials must appreciate that global markets will usually defeat any efforts to limit technology. Intelligence and law enforcement are always challenging tasks, and figuring out how to gain access to an opponent’s communications is simply part of the job. Government agencies will probably lose any fight in which they try to maintain access to sources simply through regulation. Besides, allowing industry to develop better information security technology is not only essential to privacy and electronic commerce, it is essential to protecting the country against IW attacks.
Another step would be to concentrate on improving the private sector’s understanding of the IW threat. It is impossible for any government organization to identify and fix all the vulnerabilities that may exist in the private sector’s information systems. The infrastructure is too large, and there are too many restrictions on proprietary data, intellectual property, and consumer privacy that will limit the government’s ability to act. Commercial software developers and network operators need to build defenses into their own systems. They need to be aware that they are the likely targets of attack, and they should have incentives to take precautions. Education is key. Colleges should be encouraged to include IW as a topic in computer science departments’ curricula on information system security. Dorothy Denning, a Georgetown University computer science professor, currently offers such a course, which is a possible model. Some of the additional funding the Clinton administration proposed for cybersecurity education could be used to develop such courses. Law enforcement, military, and intelligence organizations might also make some of their personnel available to support these courses.
Industry should expand its current efforts to develop institutions that allow companies to share information about cyber attacks without compromising their customers’ privacy. But an additional step is required. Industry and the Defense Department should establish operational links that will ensure that companies can work with military commanders if they are targeted by an IW strike. These links would be parallel to the existing reporting links to the NIPC, but would have a military, rather than a law enforcement, approach. There should be a clearly defined cooperative procedure that would allow military, defense, and industry representatives to reach a consensus on which mode of operations is most appropriate in a given situation.
One practical difficulty in establishing these links is that military commanders need precise, specific information that they can act on, but almost all companies would have difficulty justifying the cost of the additional people and facilities required to provide this information. There is also the always-present problem of how a company can provide information to government authorities without compromising its business interests or legal responsibilities. One approach might be for military commands to assign active or reserve officers to CERTs and the ISACs now being established. The officers would be responsible for generating the information the military commands require and would be paid by the government, but they would operate under the supervision of the civilian heads of these organizations. The relationship might also be facilitated if the military personnel provided assistance to commercial organizations in preparing their own security plans.
These links would be critical if the United States found itself under a serious IW attack. Industry would need assistance in taking defensive measures. During the summer of 2000, the U.S. Space Command was assigned responsibility for coordinating information operations by U.S. military forces, so this is where the most important connection between government and industry is required. It is especially important to develop personal relationships at the working level between people who will need to share information to respond to an attack. Exercises simulating an IW attack would give military and industry personnel a better understanding of potential threats and give them an opportunity to test and practice their response. Such exercises would also give military personnel a better appreciation of industry’s concerns, and commercial operators a better appreciation of the military’s concerns. Again, this is one specific activity that the proposed funding for cybersecurity education could usefully support.
The government should provide a combination of carrots (such as subsidies) and sticks (such as liability statutes defining standard accepted industry practices) to encourage commercial operators to take reasonable security and privacy measures that would also protect against IW attack. For example, the level of redundancy required to ensure that a commercial computer network, communications link, or database is available during wartime may exceed the level of protection a company can justify. The government could offer programs in which it would pay for this redundancy for companies willing to participate.
Certain legislation could also help. For example, some companies are reluctant to cooperate with government on cybersecurity issues because they fear that even if officials protect their proprietary data in good faith, they may be required to release the information to comply with disclosure statutes and regulations. Some experts believe that once such information is in the possession of the government, it might be subject to a Freedom of Information Act (FOIA) request. There is some disagreement on this point, and there are already many exemptions protecting information from FOIA requests. For example, technical information that companies create under cooperative development projects with the government is exempt from FOIA, as is most information that would compromise national security if released. But legislation would make the exemptions required for cooperation on cybersecurity clear, and it is doubtful that industry will participate without such ironclad guarantees. The Cyber Security Information Act of 2000, introduced by Reps. Tom Davis (R-Va.) and Jim Moran (D-Va.) last year, would provide these. Other legislation that would facilitate preparation against IW threats would stipulate disclosure requirements. For example, financial institutions could be required to report whether they meet industry standards for protecting their networks and data. And most legislation aimed at protecting the privacy of consumers and other users of the Internet would have the added benefit of improving security against IW.
Finally, all these institutions need to have effective oversight mechanisms to ensure the privacy of consumers. Despite recent controversies, government officials, civil liberties advocates, the information industry, and the public all need to understand that they have common interests. A system that ensures privacy is also more resistant to IW strikes and criminal attack. With a little cooperation and foresight, everyone wins.