November 1996

INFORMATION SECURITY:

The Implications of Cyberwar for National Security and Business

by Zachary Selden


In the summer of 2003, Iran’s armed forces are closing in on Saudi Arabia in a bid to control Middle Eastern oil production. The U.S. gathers its allies and prepares to repel Iran, but finds itself virtually paralyzed as invisible and untraceable computer assailants shut down power grids, cause trains to collide, disrupt financial transactions and close down telephone systems. The Second Gulf War has become the First Cyberwar.

This is not the opening chapter of Tom Clancy’s latest novel; it is the basis of a recent Pentagon exercise. U.S. government officials are increasingly concerned about the national security implications of cyberwar and cyber-terrorism. In earlier forms of warfare, railroad junctions and communication systems were bombed to confound the enemy’s ability to transport equipment and transmit commands. Today, they can be rendered just as inoperable by a modem-equipped PC.

The terms information warfare, cyberwar and information security have become media buzzwords. But what is information warfare and what are the realistic threats to U.S. national security? Information warfare (IW) can encompass everything from electronic jamming to psychological operations. The focus here, however, is defense against the deliberate exploitation of information systems’ inherent vulnerabilities in a manner that affects national security. The reality of information warfare is that all systems are vulnerable. As states grow more dependent on information systems, vulnerabilities will increase.

These weaknesses are compounded by the fact that U.S. military and civilian information systems are intimately linked. Railroads, for example, are controlled by relatively penetrable civilian systems, and much of the military’s unclassified message traffic travels on the internet. In cyberwar, civilian information systems can be as critical as military systems, and any effort to build a truly secure national information system will require close cooperation between American business and government.

As war becomes more information intensive, the need for such cooperation grows. The Gulf War taught us that strong information management skills can translate into battlefield success. But information technology shares one characteristic with older military technology: defensive countermeasures are both simpler and cheaper.

Cyberwar requires a small capital investment to achieve tremendous results. The necessary computer equipment is easily obtained and is becoming less expensive every day. A team of computer mercenaries could be hired for less than the cost of one fighter aircraft. Information warfare can also be carried out remotely. A state or terrorist organization could easily disperse its operatives around the world, making it difficult to pinpoint any attack and retaliate. The bottom line is that information warfare is cheap, effective and well within the reach of almost any state or well-endowed terrorist organization. The potential for the Davids of the world to fling a well-placed rock against the Goliaths may actually be greater in the information age than in the industrial age.

Information system vulnerabilities can also be exploited to fund terrorist activities. In the 1970s and 1980s, terrorists turned to hijackings and kidnappings to raise funds. With billions of dollars in electronic transit every day, cyberspace may provide a funding source that is both less risky and more profitable than conventional means of raising funds.

The vulnerabilities of military information systems are obviously an area of paramount concern. Most of the more than 250,000 attacks on military information systems each year fail, but a few successes can cause widespread damage. For example, in 1994, Air Force computer security experts discovered that their classified network at the Rome (New York) Laboratories had been breached. A subsequent investigation revealed that the hackers had gained complete access to all Rome Labs networks, and had breached other classified sites, like the South Korean Atomic Research Institute, through access to the Rome Labs system. This latter problem illustrates one of the most serious problems of network security: once a hacker has found a valid ID and logon, he can transfer to other sites that might be better defended. The security of an information system is only as good as its weakest link.

Identifying the intruders was virtually impossible because they skillfully manipulated the phone system and ran their connection through multiple locations from New York to Latvia. While the intruders’ computer codenames, Datastream and Kuji, were discovered, their identities remained secret until an informant revealed an e-mail conversation with a British hacker who bragged about his exploits in Rome Labs and left his phone number with the informant. A tap was put on the line and he was subsequently arrested. Datastream turned out to be a sixteen-year-old armed with nothing more than a 486sx PC. Had he been a bit more mature, like his colleague Kuji who remains at large, he most likely would still be breaking into military sites at will.

National security planners face difficult questions: How many other Datastreams are out there, who will employ them and to what ends? If one teenager with fairly unsophisticated equipment can penetrate supposedly secure systems, consider the damage that ten or twenty equally skilled individuals could do in the employ of a rogue state or terrorist organization. The PC may soon be one of the most dangerous components in the terrorist’s arsenal.

If military sites can be compromised, civilian networks are even easier to crack. Financial institutions are reluctant to reveal information systems intrusions for fear of sparking a panic, but such incidents appear to be relatively common. In 1994, for example, Citibank lost $400,000 to a group of Russian hackers, who were attempting to steal millions. A survey of computer security companies by the Senate Subcommittee on Investigations revealed that their corporate clients in the United States had lost $400 million last year alone.1 It is impossible to estimate the additional losses in comparative advantage due to computer industrial espionage.

Without a serious effort to strengthen and coordinate security measures, American business stands to lose hundreds of millions every year, and U.S. military effectiveness could be compromised. Incidents like the Rome Labs penetration have created a consensus in favor of action. While support for coordinating information security programs is strong, this consensus breaks down when one moves to the level of specific recommendations.

To date, no clear government strategy for information security exists. A host of government agencies and informal public-private groups have been convened to discuss this problem, but actual results are minimal. One senior intelligence official compares the state of coordination to "a toddler soccer game where everyone just runs around trying to kick the ball somewhere."2

Efforts to comprehensively protect the entire information infrastructure will face strong opposition from private industry actors who are reluctant to encourage government intrusion. As Richard Wilhelm, Vice President Gore’s security advisor, puts it, private companies "are not begging for more government meddling."3 The present battle over encryption—which pits civil liberties advocates against law enforcement officials who hope to "tap" information networks—is simply the tip of the iceberg. In today’s rapidly changing technological environment, the prospects for extensive government-industry cooperation remain limited. The lack of cooperation between industry and government on this issue is reflected in the President’s Commission on National Infrastructure Protection. While the Commission is ostensibly a forum to bring together industry and government to coordinate the security of the nation’s information networks, some industry representatives claim that they have been relegated to minor positions in what has become a high-level bureaucrats’ club. The Commission is expected to release its report next year, but if industry is as isolated as some of its representatives believe, it will not be a comprehensive plan.

Clearly, there is some movement toward a plan to protect the national information infrastructure, but it has yet to move past the theoretical stages. As the global leader in technology and information systems, the United States is particularly vulnerable to cyberwar or cyber-terrorism. The requisite skill and technology to wreak havoc via computer already exist: it is only a question of time before a state or terrorist organization decides to wage cyberwar against the United States. Coping with this emerging threat will require cooperation between the American business community and government to devise means of protecting both civilian and military information systems.

The information technology revolution spawned both tremendous promise and new threats. At the moment, however, the means of coping with the potential threat is barely in formation. While the recent attempts to secure the national information infrastructure appear to be a good start, they may ultimately prove to be a case of too little, too late.


1 U.S. Senate Permanent Subcommittee on Investigations, Staff Statement for Hearing on Security in Cyberspace, June 5, 1996, p. 41.
2 Ibid., p. 26.
3 "IW Study May Guide U.S. Policy," Defense News, March 10, 1996: 3.


