Canadian Security Intelligence Service Canada



Information Operations (the cyber threat)

“The cyberbattlefield is real. It’s a place where computers are used instead of guns, data packets instead of bullets, and firewalls are used instead of barbed wire.” - Richard Tracy [1], Cybercrime... Cyberterrorism... Cyberwarfare... : Averting an Electronic Waterloo, November 1998, Center For Strategic and International Studies.

Canada, like other developed countries, is experiencing profound changes. These changes are being propelled by the arrival of the “Information Age.” The wide proliferation of computers, linked together by modern telecommunication networks (such as the Internet) is the basis for this “Information Age.” It is redefining how nations communicate, conduct business and ensure national security. Although this information revolution brings with it great benefits, it also creates new and unexpected vulnerabilities.

All aspects of Canadian society are becoming increasingly dependent on electronic information and its supporting technology. The key sectors dependent on this new technology include telecommunications, banking and finance, transportation, electrical power, oil and gas, water supplies, emergency services and vital government operations. As this dependence increases, so too does our vulnerability to any disruption or compromise of our national information infrastructure. This infrastructure is comprised of: the national network within, and over which, Canadian information is stored, processed and transported; the people who manage the network; and the information itself.

(For more information on the protection of critical infrastructures, please see the attached excerpt from the 1999 Report of the Special Senate Committee on Security and Intelligence chaired by the Honourable William M. Kelly.)

Computer users bent on causing harm have an array of techniques to destroy, steal or interfere with electronically stored or transmitted information. This malicious activity is referred to as Information Operations (IO).

A perpetrator of an IO attack could be anyone with a computer, a modem connected to a telephone line, and a motive to cause harm. However, the Service’s concern focuses on those who would use this new technology to engage in espionage, sabotage, foreign influence or terrorism as defined by the CSIS Act. Within this context, we are concerned with foreign governments, terrorist groups and politically motivated extremists who may engage in IO as a new way to pursue their traditional activities.

Individuals wishing to launch an IO attack could easily find many of its techniques on hacker sites posted on the World Wide Web or they could employ a hacker-for-hire to conduct the attack. The resources necessary to conduct an IO attack are now commonplace and it is becoming increasingly possible for even computer amateurs to cause serious harm to computer-dependent systems anywhere in the world. Moreover, as there exist inherent difficulties in tracing the perpetrators of IO attacks through cyber space, anonymity is a key advantage of using this technique.

Targets of IO could include governments of all levels, the armed forces, police forces, commercial entities, private institutions, political groups and prominent individuals—in short, virtually any organization or person with a computer hooked up to a modem.

Media reporting suggests that foreign intelligence services are using the Internet to conduct espionage operations. The rationale proffered for intelligence service activity in this area is that it is a simple, low-cost, non-threatening and relatively risk-free way to collect classified, proprietary or sensitive information.

In addition to IO being used for espionage purposes, analysts predict that terrorists will add IO to their arsenal of weapons. The rationale for terrorist activity in this area is that attacking computer systems rather than physical targets allows these groups to cause economic damage and serious disruptions to society without bloodshed, and in a fashion that reduces the chance of detection or capture.

(For more information on cyber-terrorism, please see the attached excerpt from the 1999 Report of the Special Senate Committee on Security and Intelligence chaired by the Honourable William M. Kelly.)

Canada’s geographic location has, to some extent, been conducive to limiting terrorist acts. However, because of our seamless connectivity to global cyber-space, a perpetrator of an IO attack could stage his action from a foreign country and hit a Canadian target site in seconds. Canada’s geographic location provides no natural protection against IO attacks—we are as vulnerable as any other country.

Given the potential that individuals or groups may use IO to harm Canada’s national security, the Service has the responsibility to advise government on this emerging threat. Specifically, the threat posed by IO falls within Sections 2 (a), (b) and (c) of the Act in that IO can be used to conduct acts of espionage, sabotage, foreign influence or terrorism.


Excerpt from the 1999 Report of the Special Senate Committee on Security and Intelligence chaired by the Honourable William M. Kelly (page 41).

Protection of Critical Infrastructures

Critical infrastructures are both physical and cyber-based systems essential to the day-to-day operations of the economy and government. Critical infrastructures include, but are certainly not limited to, telecommunications, energy, banking and finance, transportation, water, sewage and emergency systems. Historically, critical infrastructures were physically segregated. Because of advances in technology, however, critical infrastructures have progressively converged and have become linked, sometimes interdependent. Advances in technology have also resulted in a high and growing level of automation in the operation of critical infrastructures. The growth of and our increased reliance on critical infrastructures, combined with their complexity, have made them potential targets for physical or cyber-attacks.

Not surprisingly, the rapid advances in interconnections and information technology create a huge challenge in protecting the systems from intrusions and perhaps even sabotage. This is particularly true where various generations of systems are connected, making the older and less sophisticated a potential entry point through which to attack the entire system.

Witnesses before the Committee, from various government agencies, used the example of the recent ice storm to illustrate their concern with the devastating impact a serious disruption in our critical infrastructures could have on Canadian lives and indeed on the security of the country. The Committee heard repeated evidence from witnesses, including the Solicitor General, of efforts under way to protect our critical infrastructures. The Committee was informed that this effort is being coordinated at a senior level in the Privy Council Office and that international efforts are also underway to address these very serious risks.

With the explosion in new technologies, government departments and agencies responsible for the security of Canada's critical infrastructures have a major challenge to address. The results of vulnerability tests performed in certain departments to replicate a cyber-attack have not been comforting. The Committee was assured that federal departments and agencies are well aware of the challenges and that they have much to do to meet them; but they are confident that they can do it. Canada's close cooperation and mutual interest with the United States in this regard should be very helpful.

The United States has taken concerted measures to address the vulnerability of their government and private sector critical infrastructures beginning with Presidential Directive 39 in 1995. That Directive created a small interdepartmental task force (the Critical Infrastructure Working Group or "CIWG"). In its 1996 report, the Critical Infrastructure Working Group recommended development of a national strategy to protect critical infrastructures and an interim group to coordinate the federal government's existing assets should an infrastructure attack occur (the Infrastructure Protection Task Force or "IPTF"). The United States government also conducted exercises to assess the vulnerability of critical infrastructures in various departments, including the Department of Defense and Federal Bureau of Investigation. On May 22, 1998 the President issued Presidential Directive 63. That directive, among other things, organizes the United States economy and government into four horizontal sectors, each headed by a lead agency. Each sector is supposed to assess the level of vulnerabilities of its critical infrastructures and devise a plan to reduce those vulnerabilities, develop a system to identify and prevent major attacks and also develop a system to respond to an attack in conjunction with the Federal Emergency Management Agency ("FEMA"). The goal is to be able to protect United States' critical infrastructures from deliberate sabotage by 2003. Should sabotage occur after that date, the subsidiary objective is to ensure the effects would be "brief, infrequent, manageable, geographically isolated and minimally detrimental to the welfare of the United States."

At the heart of the United States' structure is the National Infrastructure Protection Centre (NIPC). The National Infrastructure Protection Centre is part of the Federal Bureau of Investigation and utilizes the resources of the Federal Bureau of Investigation's Computer Investigations and Infrastructure Centre ("CITAC"). The National Infrastructure Protection Centre's mandate is to conduct vulnerability analyses and to detect, deter, respond to and investigate unlawful intrusions into public or private networks. A sub-division of the National Infrastructure Protection Centre is FedCERT (Federal Computer Emergency Response Team), in effect a SWAT team for major cyber-terrorist attacks or network sabotage. In 1997, FedCERT identified 2,300 "hits" (illegal penetrations or intrusions) on the networks under their supervision. In addition, many departments of the United States government have their own CERTS to counter an attack on their critical infrastructures.

Canada has no government organization equivalent to the National Infrastructure Protection Centre or FedCERT. In fact, Canada is one of the few information-intensive nations that is not part of FIRST, the Forum for Incident Response Teams. The Forum for Incident Response Teams is an international coalition of vulnerability analysts and computer incident response teams from governments as well as the private sector. There is in Canada, however, a private sector organization, CANCERT (the "Canadian Computer Emergency Response Team") that performs a role analogous to that of FedCERT. CANCERT was evidently established in an attempt to fill a vacuum left by government.

Each federal government department and agency has information technology security ("ITS") policy and procedures. The organizations within the security and intelligence community have particularly aggressive information technology security programs. The Communications Security Establishment and the Royal Canadian Mounted Police also co-chair the Interdepartmental Information Operations Working Group ("IIOWG") that shares information relating to threats to networks and discusses issues of mutual concern. The Communications Security Establishment, in its mandate to advise the federal government on the security aspects of its automated information systems, also has work underway that includes: developing a threat and vulnerability database; evaluating the threat posed by hacker tools and technologies; seeking partnerships with industry; developing and evaluating new security devices to thwart a cyber-attack; and discussing cooperation between Canada and existing CERT organizations. The Royal Canadian Mounted Police's Security Evaluation and Inspection Team ("SEIT") conducts security vulnerability services for government departments that include vulnerability analyses of computer systems. The Canadian Security Intelligence Service has designed its networks to be stand-alone and maintains its own ITS to respond to a major incident.


Excerpt from the 1999 Report of the Special Senate Committee on Security and Intelligence chaired by the Honourable William M. Kelly (page 16).

Cyber-Terrorism

In 1989, the Internet was not nearly as ubiquitous as it is today and the security threat it presents was not as widespread. Today, any nation that relies on computer systems is vulnerable to cyber-terrorism. In Canada, this includes our defence, telecommunications, energy, air traffic and banking systems; indeed most of the governmental and private systems we rely on daily. Marshall McLuhan wrote that "World War III would be a guerilla information war with no division between the civilian and military populations." Louis J. Freeh, Director of the United States Federal Bureau of Investigation, has characterized Canada as a "hacker haven" because of our sophisticated information technology system and our open society. According to evidence given to the Committee, a Sudbury man was recently charged with 27 counts of hacking into government and university computers in the United States and Canada.

No evidence of a major cyber-attack against Canadian critical infrastructures in Canada was given to the Committee. However, there have been a number of minor incidents in Canada and a number of incidents (or alleged incidents) elsewhere. These include incidents involving the Federal Bureau of Investigation and NASA web sites in the United States, downloading top secret information from the computer systems at India's Bhabha Atomic Research Centre and shutting down a communications satellite operated by the People's Republic of China. A few of the groups involved, including the group that claims to have shut down the Chinese satellite, are based in Canada, making use of our highly sophisticated and international information technology systems to mount actions abroad.

Cyber terrorism is extremely difficult to guard against. Cyber terrorists are often well educated, with the expertise and equipment to stay ahead of advances in protective security. Yet, the havoc wreaked by a major cyber-attack could be enormous. An illustration is to imagine that the power outages that affected Eastern Ontario and Quebec in January 1998 were brought about by a major cyber-attack, rather than by an ice storm. The Committee was advised by government witnesses of the steps being taken by the Government of Canada to protect against cyber-terrorism.

Taking Credit: The established norm of behaviour used to be that terrorist groups would announce their threats and rush to take credit for their actions. In this way, their existence and their objectives would be as widely-known as possible.

A new trend is for terrorists not to take responsibility for their actions. The destruction, killing or maiming of targets is sufficient to the cause. Eschewing responsibility also avoids the prospect of retaliation, as occurred with the United States' bombing of Libya in 1986 in retaliation for a bombing attack on a German pub frequented by United States soldiers. Not taking credit does not necessarily avoid retaliation, however. No group or individual took responsibility for the August, 1998 bombings of the United States Embassies in Nairobi and Kenya. Notwithstanding, the United States retaliated against the suspected perpetrators by bombing a terrorist training facility in Afghanistan and a chemical plant in The Sudan.

The trend to avoid responsibility makes it more difficult to track terrorist organizations, to trace responsibility for terrorist acts and to bring those responsible to justice.


[1] Richard Tracy, Telos Corporation, is a member of the Global Organized Crime Project task force, Information Warfare/Information Assurance for the Center For Strategic and International Studies.

Updated: 2000-11-01