NATIONAL SECURITY REPORT:
Information Warfare and International Security

By Vernon J. Ehlers

SEPTEMBER 1999

This article is from a report by the Science and Technology Committee of the North Atlantic Assembly, presented by Congressman Vernon J. Ehlers (R-MI), former Professor of Nuclear Physics at Berkeley, where he received his Ph.D.

The importance of Information Technology (IT) to the functioning of our societies is evident in everything from government operations to transportation, from energy to finance, from telecommunications to water management. Every day, an enormous amount of information is exchanged or stored by electronic means and trillions of dollars travel throughout the world electronically. Information technology has become even more pervasive with the widespread dispersion of personal computers, 120 million of which are connected to the Internet--70 million in the United States alone.

The pace of technological change and our increasing reliance on technology are even more impressive. Microsoft experts assert that Internet traffic doubles every 100 days and, according to other estimates, one billion people (one-sixth of humanity) will be online by 2005.

The reliance of our societies on computers and the fact that many critical infrastructures are electronically interconnected pose evident security problems. Although computer experts have been working on these problems for years, only in the mid-1990s did Western defense analysts begin to pay serious attention to them. In a variety of studies and reports, a strategic catchphrase emerged to define a new concept: Information Warfare. In a 1997 Report, the NAA (North Atlantic Assembly) Science and Technology Committee provided a first assessment of Information Warfare, analyzing most of the available sources on the subject. The threat of possible attacks on information systems and the potential risks for our military and civilian infrastructures were first documented in that report. In the last two years, information warfare and information security have been extensively discussed and analyzed, both within and outside the information technology and defense communities.

This paper analyses these new developments, starting with some new definitions of information warfare, assesses the effective strategic threats, and reports about the U.S. and other governments' initiatives to counter them.

What Is Information Warfare?

One definition proposed by the Institute for the Advanced Study of Information Warfare is as follows: "Information warfare is the offensive and defensive use of information and information systems to exploit, corrupt or destroy an adversary's information and information systems, while protecting one's own. Such actions are designed to achieve advantages over military or business adversaries."

The Washington-based Center for Strategic and International Studies (CSIS) recently published a comprehensive study on these issues and admitted that so many different activities have been classified under the label "information warfare," that it is now difficult to understand exactly what it is. Nonetheless, this study classifies information warfare activities according to the source, the form and the tactical objectives of the attack. Thus, information warfare can be viewed as a combination of these three dimensions.

First, an attack could originate either from outside or from within the targeted organization or system. Second, four categories of attack can be identified:

-- Data attacks are conducted by inserting data into a system to make it malfunction.

-- Software attacks, similar to data attacks, are conducted by penetrating systems with software, causing failure or making them perform functions different from those intended.

-- Hacking or cracking is seizing or attempting to seize control of an information system (or a vital part of it) to disrupt, deny use, steal resources or data, or cause any other kind of harm.

-- Physical attacks are the traditional form of attack (bombing, assaulting, and destroying) directed against information systems. An electromagnetic pulse (EMP) produced by nuclear explosion can also be included in this kind of attack.

All these different forms of information warfare attack can be categorized by their goals or tactical objectives--they could be aimed at exploitation, deception, disruption or destruction of information systems.

Assessing the Threat

In general terms, a threat can be defined as the combination of capability and a hostile intent. According to many analysts, the reason for concern about attacks upon information systems, or information warfare, is that the means of offense are widely available, inexpensive and easy to use. In a world where even governments and the military tend to rely on computer hardware and software available commercially off-the-shelf (COTS), virtually anybody with a computer and the technical skills could become a cracker or a cyberterrorist. Moreover, the progress in information technology makes the electronic tools needed to conduct such attacks more sophisticated every day and, through the Internet and the interlinked computer world, easier to acquire. But the most potentially dangerous feature of information warfare is that it can be conducted from anywhere in the world and that discovering the attack's origin, or even its presence, is extremely difficult.

The potential enemies of the West, and of the United States in particular, are now no longer limited to so-called "rogue" states capable of developing weapons of mass destruction and the terrorist groups that these states often support, but can also include crackers, criminal organizations, industrial spies and independent terrorists. However, some experts doubt the effectiveness, capability or willingness of these non-state actors to conduct attacks that can seriously threaten national security. But considering the importance of information technology in our societies, it is clear that the possible existence of a "cyberthreat" or the risk of "cyberattack" has to be taken seriously.

In the last 15 years, both the private and public sectors' information systems have been subjected to attacks that have substantially increased with the growth of the Internet. Computer viruses have been a primary concern of information security experts.

It is possible for a military organization or a terrorist group to assemble a team of experts capable of creating malicious viruses and using them to conduct information warfare attacks. But computer viruses are extremely unpredictable and far from precise in their behavior, and they might eventually damage the attacker as much as the victim. In addition, the international anti-virus industry is mature and is well positioned to create necessary antidotes to almost any new virus.

Other, more dangerous attacks on information systems have been conducted by hacking intruders. Private corporations, particularly in the financial sector, are regularly penetrated by cybercriminals. The FBI estimates that these electronic intrusions cause yearly losses of about $10 billion in the United States alone. This is probably only the tip of the iceberg. In fact, concerns about protecting shareholder value and customer confidence may keep many firms from reporting all the attacks to law enforcement agencies.

Electronic intrusions into the military information infrastructure cause deep concern in the United States. According to the CSIS, probe attacks against the Pentagon number in the tens of thousands every year. John J. Hamre, Deputy Secretary of Defense, recently stated that from January to mid-November 1998, the National Security Agency (NSA) recorded more than 3,800 incidents of intrusion attempts against the Defense Department's unclassified computer systems and networks. Over 100 of these attacks reached root-level access and many were even able to break down some kinds of service. This reflects only what has been reported to NSA, but "the actual number of intrusions probably is considerably higher."

The literature and the chronicles are full of examples of successful network intrusions at the U.S. Department of Defense (DoD) and other Western defense institutions. While most of the attacks in the last few years were generally conducted by individuals or by small groups of intruders, with little or no political purpose, recently some cases suggested the possibility of state-sponsored hacking or cracking. Additionally, some anti-state, politically motivated activity has occurred. In October 1998, China launched a new website to publicize its efforts in human rights. A few days later, hackers replaced the home page of that site with a message condemning Beijing for its poor record in human rights.

The NATO information system was indirectly threatened in November 1998, when hackers penetrated a web server in Albania and put up a web message announcing the intention to attack the Alliance's information system. The organization temporarily closed all foreign access to its web server and its website was down for two days. Realizing that the electronic defenses of the NATO web server were extremely weak, experts took the necessary countermeasures. More recently, during the first days of the NATO strikes against Yugoslavia, hackers attacked the Alliance website, causing a line saturation of the server by using a "bombardment strategy." NATO also had to defend itself from macro viruses from Yugoslavia trying to corrupt its email system, which was also being saturated by one individual sending 2,000 messages a day.

Such cases might not prove the existence of state-sponsored information warfare or cyberterrorism, but they offer good examples of what could happen if the capability is coupled with a hostile intent. The subsequent question is: could a group of state-sponsored terrorists or individual crackers damage the information infrastructure of another nation so as to cause a major strategic disruption? The U.S. Department of Defense seems to think so.

In the summer of 1997, a simulation exercise called "Eligible Receiver" was conducted at the Pentagon, ordered by the Joint Chiefs of Staff, to test the ability of the nation's military and civilian infrastructure to resist a concerted information warfare attack. A team of fictional hackers, the Red Team, was allowed to use only COTS materiel and information available on the web and had to act within the U.S. law. So far, the results of this exercise remain strictly "top secret." Nonetheless, many officials have referred to it in public declarations and some have partially revealed the outcome. James Adams, a journalist based in Washington, D.C., claimed in a book to have interviewed senior officials about "Eligible Receiver":

"The [simulated] attacks focused on three main areas: the national information infrastructure, the military leadership and the political leadership. In each of these three areas, the hackers found it exceptionally easy to penetrate apparently well-defended systems. Air traffic control systems were taken down, power grids made to fail, and oil refineries stopped pumping--all initially apparent incidents. At the same time, in response to a hypothetical international crisis, the Defense Department was moving to deploy forces overseas and the logistics network was swinging into action. It proved remarkably easy to disrupt that network by changing orders...and interrupt[ing] the logistics flow.... The hackers began to feed false news reports into the decision-making process so that the politicians faced a lack of public will about prosecuting a potential conflict and lacked detailed and accurate information."

In conclusion, according to Adams' sources, a team of skilled hackers, using standard equipment and publicly available information and playing by the rules, was able to cause a "serious degradation of the Pentagon's ability to deploy and to fight." In other words, they demonstrated that an "electronic Pearl Harbor" was possible.

Many things have changed in the last two years due to the fast pace of progress in information technology. Moreover, the policies and actions taken by the U.S. government may have reduced the vulnerability of the nation's infrastructure. Nonetheless, if technology is helping Western governments establish better defenses, it also helps potential enemies improve their capabilities to attack. The recently announced new breed of hacker software, that can learn and adapt to the network environment it attacks, may represent a new threat. According to information technology experts, the new programs can change their mode of operation, or their targets, based on external stimulants. Pre-programmed to search for specific types of files common to most networks, such software, once in the system, can target data or files of interest to the intruders, even those marked secure or for internal use only.

In addition, many nations are trying to acquire the capabilities needed to conduct information warfare operations, and new terrorist groups like Osama bin Laden's are known to use computers and satellite telecommunications. China has recently intensified its information warfare programs, both to protect its own military infrastructures and to enable the People's Liberation Army to conduct electronic attacks. According to James Mulvenon, a defense specialist at Rand Corporation, Beijing "is seeking the ability both to interfere with Taiwan's command system, and ultimately to hack into U.S. military networks which control deployment in the Asian region."

The effects of the electromagnetic pulse (EMP), produced by nuclear explosions, can pose a serious physical threat to information systems. The immediate energy release from a detonated nuclear device produces intense, rapidly varying electric and magnetic fields that can extend for considerable distances and severely affect all electronic equipment and electrical or radar transmissions even to the point of destroying equipment circuits, microprocessors, and other components. Therefore, a single, very high-altitude nuclear blast above Europe or the United States, which may cause no physical damage to structures or people, could disable or disrupt all information systems. While few nations currently have both nuclear weapons and the missiles capable of delivering them in space, the increasing number of "rogue" nations with nuclear weapons that are also developing or acquiring long-range missiles may present an extremely serious EMP threat in the near future.

EMP effects from nuclear explosions and non-nuclear weapons, such as High-Energy Radio Frequency (HERF) guns or Electro Magnetic Pulses Transformer (EMP/T) bombs, may be much more dangerous for civilian information systems than for military ones, most of which are now EMP hardened. Shielding of iron or other materials such as copper mesh or non-magnetic metals is generally available only for the protection of sensitive military technology.

Responses to the Threat

Efforts to respond to the threat of attacks to information systems, or information warfare, have been made by many nations. Generally, the military and the defense "think tanks" have been the first to address the issue, but now most Western governments have taken steps toward more coordinated and structured responses.

In the United States, different panels, commissions and study groups have been examining these issues since the early 1990s and the government has taken several important measures. Congressional Committees have held hearings to investigate the nature of the information warfare threat. The National Defense University has extensively worked on the issue since the early 1990s. However, the most comprehensive appraisal of the nation's vulnerabilities in the field of information technology has been provided by the Presidential Commission on Critical Infrastructure Protection, created in 1996, involving officials from the energy, defense, commerce and law enforcement areas, as well as representatives of the private sector. After 15 months of study, the Commission published an extensive report highlighting the vulnerabilities of the U.S. infrastructure and the weakness of the information systems, which proved to be a potentially easy target for any concerted attack. The report also indicated that government and industry do not efficiently share information that might give warning of an electronic attack and that the federal R&D budget does not include the analysis of the threats to the information systems in the infrastructure.

The work of the Presidential Commission resulted in the issuing, in May 1998, of Presidential Decision Directives 62 and 63, on Critical Infrastructure Protection. The provisions of these Directives included:

-- interagency co-ordination for critical infrastructure protection;

-- definition of the roles and responsibilities of U.S. agencies in fighting terrorism;

-- improvements in capabilities for protecting the national information structure, the most important of which is the creation of a National Infrastructure Protection Center (NIPC) in the FBI;

-- promotion of partnerships with industry and other private players to enhance computer security; and

-- study of plans for minimizing damage and recovering rapidly from attacks to its vital infrastructures.

Some experts criticized the U.S. administration decisions, claiming that the above provisions underestimated the realities of the information warfare threat. Nonetheless, this is the most comprehensive and complete initiative taken so far by any Western government to respond to the risks of attacks on information systems.

Moreover, DoD, actively participating in the government initiatives, has recently created a Joint Task Force for Computer Network Defense (JTF-CND) to coordinate all the activities in this field and direct the Pentagon's response to computer network attacks. The JTF will plan defensive measures, leverage existing capabilities and develop procedures for the military commanders-in-chief, services and agencies, as well as provide strategic focus at all levels. Fully operational in the summer of 1999, the JTF will also develop relationships with intelligence and law enforcement agencies, the NIPC and the private sector.

Among European nations, France appears to have developed a coherent strategy to deal with attacks on information systems. In the absence of a general program for infrastructure protection, such as that in the United States, the Ministry of Defense has concentrated technical activities in the field of information warfare at the Centre d'électronique de l'armement (CELAR). This center gathers some 900 experts in many scientific and technological areas, and has resources and capabilities with probably no equal on the continent. All CELAR activities are related to information warfare (guerre de l'information), defensive and offensive, and are divided into five tasks: weapon systems for electronic warfare, information security, information systems, telecommunications, and electronic components. CELAR analyses the threats, establishes the needs, and tests the proficiency and the limits of the systems and equipment. In particular, within the information security field of CELAR, the Centre de l'armement pour la sécurité des systèmes d'information (CASSI) is responsible for the development of all security programs and strategies in the Ministry of Defense and acts as a consultant for other ministries and governmental agencies.

In Germany, the efforts of the Government and the Bundestag to address the problem of security in information technology led to the creation, in 1991, of a Federal Agency for Security in Information Technology (Bundesamt für Sicherheit in der Informationstechnik, or BSI). The BSI is responsible for assessing the risks and developing the criteria, tools and procedures to assure the security of vital information systems. However, according to German officials, the BSI has concentrated its work on the non-military aspects of information warfare. In other words, it has considered the possibility of attacks to information systems only in the civilian field. At the same time, the German military has conducted some studies on information warfare and has recently initiated a new one, called "2020," which will consider the future evolution of the topic. Recently, a working group has been created at a federal level to draft a policy paper on "Information Warfare and IT Security," aimed at reaching a better coordination within the civilian and military fields.

The UK Ministry of Defense (MoD) has addressed, in various areas, the problems related to information warfare, recognizing that "the potential vulnerabilities and risks arising from information warfare go much wider than the Armed Forces and the defense infrastructure." The MoD is, therefore, known to be working with other areas of Government, allies and suppliers of key services to coordinate security policies and find technical solutions to protect the nation's infrastructure.

Other countries have taken similar initiatives and NATO has analyzed the threats of information warfare attacks and given indications to member states. For the moment, the most relevant studies conducted by the Alliance on the subject are classified.

Conclusion

It is clear, even from the words of the most skeptical analysts, that the security of information systems must be a high priority for any nation.

The first priority should be to seek objectivity in the assessment of the real threats. An independent group should be set up to provide such assessment, maybe at the international level. A serious evaluation of the claims of computer security software and hardware producers could be the first task of such a group.

Programs to raise public awareness and encourage education in the field of computer security and infrastructure protection would be extremely useful, and they should cover all possible audiences. They should include conferences, university studies, presentations at industry associations and professional societies, and sponsorship of graduate studies and programs. In addition, research efforts are needed to both substantially improve and deploy more widely the existing technology. In particular, new capabilities for detection and identification of intrusion and improved simulation and modeling capability to understand the effects upon interconnected and interdependent infrastructures would be beneficial.

Since most experts agree that commercial information systems are now more vulnerable to external attacks, it is essential to foster public-private cooperation. Much of the information that private companies need to protect their information systems may be available from the defense, intelligence and law enforcement communities. Often the private sector can better identify, understand and evaluate the threats. In many countries, cooperation between industries and their governments could be extremely helpful to share information and techniques related to risk management assessment, including incident reports, identification of weak spots, plans and technology to prevent attacks and disruptions, and plans for how to recover from them. Of course, public-private collaboration also has its limits, such as classified and secret materials or proprietary and competitively sensitive information.

Finally, in most Western countries, but particularly in the United States, the military should address many questions concerning the effective role of the information warfare programs in their general policy. Programs like those going under the definition of "Revolution in Military Affairs" (RMA) have already tried to assess the future impact that the use of information technology could have on weapon systems and on military organization and strategy. However, the U.S. military still needs to clarify its policy about the options for deterring an attack on vital information systems and the possible use of offensive information warfare. The link between information warfare and other military strategies should be better articulated. For instance, would it be possible to respond to an information warfare attack with conventional forces? Moreover, the possibility that the United States, or any other Western country, would develop and deploy offensive information warfare techniques has not been adequately discussed in public forums. This can be essential in order to build a national and possibly international consensus about the role of offensive information warfare and to clearly define its policies of use. --NSR

ROA website approved by Mr. Jayson Spiegel, Executive Director, ROA. Web Master: Mr. Kelly Matthews.
Please email kmatthews@roa.org or call 202-479-2200 for comments or information. Copyright: ROA 1999