IW-D Table of Contents

INFORMATION WARFARE - DEFENSE

APPENDIX A

THREAT ASSESSMENT

A.1 THE REALITY OF THE PROBLEM

Advances in the information infrastructure and the growing dependence of the economy and government itself on that infrastructure raise questions about its security. These questions are not new. In 1990 National Academy of Sciences, Computer Science and Telecommunications Board's (CSTB) report, Computers at Risk: Safe Computing in the Information Age, began by observing: "We are at risk. Increasingly, America depends on computers. They control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerable to the effects of poor design and insufficient quality control, to accident, and perhaps most alarmingly, to deliberate attack. The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb."

In 1989, another CSTB report, Growing Vulnerability of the Public Switched Network, sponsored by the National Communications System, cautioned that: "Virtually every segment of the nation depends on reliable communications .... The committee, after careful study, has concluded that a serious threat to communications infrastructure is developing. Public communications networks are becoming increasingly vulnerable to widespread damage from natural, accidental, capricious, or hostile agents."

Since those reports were written, use of networks and network-related systems has grown in the economy at large and in the government in particular. Within the government, Department of Defense (DoD) dependence on information systems and infrastructure has grown. This growing dependence is giving rise to heightened concern about the vulnerability to electronic threats of the Defense Information Infrastructure (DII) as well as the national and global information infrastructures (NII & GII) to which it is inextricably linked (notwithstanding intentionally separate components). Additional government computer and communications network vulnerability may come from the growing use of commercial off-the-shelf (COTS) systems. For example, COTS constitutes over 90 percent of the information systems procured by DoD. Additionally, government procures over 95 percent of its domestic telecommunications network services from U.S. commercial carriers. These numbers are at levels that underscore the inherent linkage between defense, commercial, and civilian security concerns. Consider the following examples as additional input:

US Dependence on Information Systems Industry increasingly reliant on communications infrastructures -- Internet presence as of May 1994 (internet info as quoted in the Computer Security Journal, Fall 1995)    As a sample: Exxon had 261 registered networks; GTE had 228 registered networks; Boeing had 139 registered networks; Motorola had 137 registered networks; Martin Marietta had 62 registered networks, Lockheed had 62 registered networks -- "The number of users who have access to the Internet within companies is growing at a rate of 10% every six months." EDP Weekly, by Computer Age, 6 Nov 95, p. 4 Governmental Structure of the US dependent on a tenuously secured communications infrastructure -- One switch handles all federal funds transfers and transactions DoD information infrastructure is enmeshed -- with other Governmental structures and industry and private citizens through shared resources of the electrical grid, telecommunications, and the Internet

Trends

• On line services are a $9.6B industry growing at 100% CGR
     - Address by Michael A.Braun, President and CEO of Kaleida Labs, Multimedia 94, 30 July 1994

• US Financial Institutions

- transfer more than $1 trillion every day via computer

- Federal Reserve System handles more than 24,000 wire transfers per day
     - Pittsburg City Paper,Vol 4, No.34, August 24-30, 1994, pp 8-9

• Intel Chairman Andy Grove predicts that by the end of this decade, PC sales will surpass 100 million units worldwide - more than sales of cars or TVs.
     - Egii Juliusen, "Small Computers:' IEEE Spectrum, January 1995, p. 44

• By 1993, 32.7% of US households had a personal computer
     - Marvin Sirbu, CMU

• 12 million copies of Microsoft Office have been distributed worldwide as of December 1995
     - Microsoft Corporation Annual Report 1995

A.2 ASSESSMENT OF THE THREAT

In today's information intensive environment, the information warfare threat can come in many forms. The challenge in evaluating that threat, and the appropriate level of protection or response, has been in sorting out the actual from the perceived, and determining the potential for future developments. In order to adequately assess this threat, the Task Force divided the subject into three categories:

• What is known -- the validated threat.

• What is suspected -- trends, indications, and the assessment process.

• What is unknown -- potential events based on existing capabilities.

These threats to the National and Defense Information Infrastructures vary greatly in terms of intent, sophistication, technical means, and potential impact. The threats can be categorized into the following groups:

• Incompetent, inquisitive or unintentional blunderer; mischief makers and pranksters. 9 Hackers driven by technical challenge.

• Disgruntled employee, unhappy customer intent on seeking revenge for some perceived wrong.

• A crook interested in personal financial gain or stealing services.

• Major organized crime operation interested in financial gain or in covering their crimes.

• Individual political dissident attempting to draw attention to a cause.

• Organized terrorist group or nation state trying to influence U.S. policy by isolated attacks.

• Foreign espionage agents seeking to exploit information for economic, political, or military intelligence purposes.

• Tactical countermeasure intended to disrupt specific U.S. military weapon or command system.

• Multi-faceted tactical IW capability applied in a broad orchestrated manner to disrupt a major U.S. military mission.

• Large organized group or major nation-state intent on overthrowing the U.S. by crippling the National Information Infrastructure.

Based on validated incidents, some of these threats clearly exist today. Others are less certain, but can be estimated based on available technology and analysis of continuing trends in development. An estimate of the likelihood for each of these threat categories is shown below.

IW Threat Estimate

	Validated Existence	Existence Likely but not Validated	Likely by 2005	Beyond 2005
Incompetent	W	////////////////////	////////////////////	////////////////////
Hacker	W	////////////////////	////////////////////	////////////////////
Disgruntled Employee	W	////////////////////	////////////////////	////////////////////
Crook	W	////////////////////	////////////////////	////////////////////
Organized Crime	L		W	////////////////////
Political Dissident		W////////	////////////////////	////////////////////
Terrorist Group		L	W	////////////////////
Foreign Espionage	L			////////////////////
Tactical Countermeasures		W////////	////////////////////	////////////////////
Orchestrated Tactical IW			L	W  ///////
Major Strategic Disruption of U.S.				L

W = Widespread; L = Limited

The information throughout this Appendix was compiled from unclassified sources and briefings received by the DSB from subject matter experts within the Department of Defense, and throughout the civilian sector.

A.3 THE VALIDATED THREAT

IW-related incidents date back to the mid 1980s with the growth of personal computers on a worldwide scale.

IW-Related Incidents Hanover Hackers.                                                            late 1980s Software time bombs in Public Network switches in Denver, Atlanta, and New Jersey.                                      mid-1989 Dutch teenagers intrusion into Pentagon computers during the Gulf War.                                                        Nov 1991 Rome Labs INTERNET intrusions.                                   Apr 1994 Organized crime attack on Citibank.                                  Aug 1994 INTERNET Liberation Front: 22-man group; 4 currently indicted.                                                         Dec 1994 Numerous other hackers apprehended and awaiting prosecution (e.g. Mitnick, Poulsen).                                    Ongoing   Sniffer programs found on all major INTERNET providers. MCI Communications switch penetrations. USAF Captain hacks into U.S. Atlantic Fleet ship computers as a test of system vulnerability.                         Sep 1995 There Really Is A Smoking Gun

The well known case involving the Hanover Hackers is one of the first recorded incidents and is considered to be an example of hacker activity performed for the challenge of gaining entry into someone else's system -- without malicious intent.

Although most Public Network (PN) attacks are aimed at accessing other systems, or avoiding toll charges, the software time bomb attacks indicate that denial of service was the objective.¹ (Note: References are at Attachment 1to this Appendix). In the case involving Dutch teenagers, sensitive information related to U.S. war operations during Desert Storm was modified or copied. Access techniques used in this case included INTERNET and other networks.² The Rome Labs incident is another highly publicized case which eventually revealed that over 150 INTERNET intrusions had occurred between 23 March and 16 April 1994. The intrusions were accomplished by a 16-year old British hacker and an unknown accomplice. Several research programs and systems were compromised through the use of Trojan Horses and Network Sniffers. The individual was eventually apprehended by Scotland Yard, and is awaiting prosecution.³

In the 1994 attack on Citibank, an international crime group used the electronic transfer system and the international phone network to gain access and transfer approximately $12M to their own accounts. Prosecution of individuals apprehended in Russia and several European countries is pending at this time.⁴ In December 1994, a group known as the INTERNET Liberation Front was charged with stealing phone net data, performing INTERNET attacks for money, and development of highly sophisticated attack tools. Numerous phone, information service, and INTERNET providers were attacked, including some government systems. There was also a substantial international component to their activity based on membership involving at least eight countries.⁵ The MCI incident involved an engineer who electronically collected 60,000 calling card numbers and sold them to an international crime ring. To accomplish this task, the individual penetrated several barriers which could have shut down the switch for a prolonged period.⁶

A final example is a case involving a programmed test of electronic systems vulnerabilities. An Air Force hacker remotely entered the command and control system of a ship at sea, through use of a standard computer, INTERNET connection, and the E-mail system onboard the ship. Access included ship navigational control systems which could have effected ship performance or response to guidance commands.⁷

The cases listed here are certainly not an all-inclusive list. They do support an alarming trend toward widespread vulnerability on a case by case basis. The major concern involves what the potential outcome would be if these types of attacks were coordinated to occur simultaneously, or if the tools and techniques used were applied with a more subversive intent.

A.4 THE SUSPECTED THREAT -- AND THE ASSESSMENT PROCESS

In order to more clearly identify the suspected threat, the Task Force considered a variety of sources for analytical support, and paid particular attention to some of the more detailed threat and vulnerability assessments accomplished within the last year.

The Defense Information Systems Agency (DISA) conducted an extensive vulnerability assessment of government network systems in 1994 and 1995. A summary of the DISA focus, and findings is shown below⁸:

IW Assessments - DISA Report (Developing the Information Warfare Defense: A DISA Perspective, Dec 1995) Focus: DISA ability to support defensive information warfare (DIW) initiatives. Assessment of vulnerabilities. Findings: DISA is organized to effectively support DIW initiatives, but lacks personnel and funding in many key areas. It is estimated that DoD is attacked about 250,000 times per year, but only 1 in 500 attacks are detected and reported. - DISA assessment verified that less than 5% of all attacks are ever detected, and of those, less than 3% are reported. -Most damaging attacks come from insiders, but hacker tools commonly available on the Internet are capable of intruding on a majority of DoD systems.

The result of this report was an increased awareness of a growing problem, but the initial actions were primarily focused on security awareness training, and increased training for Local Area Network (LAN) managers. Indications from DISA are that numbers of reported attacks remain at single digit percentage levels, and the problem continues to grow.

At the request of Congress, the General Accounting Office (GAO) conducted an assessment, with the report published in June, 1996. A summary of the GAO focus, findings, and recommendations is shown below ⁹:

IW Assessments - GAO Report (Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, 22 June'96) Focus: Potential for further damage to DoD computer systems. Challenges DoD faces in securing sensitive information on its computer systems. Findings: DoD relies on a complex information infrastructure to design weapons, identity and track enemy targets, pay soldiers, mobilize reservists, and manage supplies. Use of the Internet to enhance communication and information sharing has increased DoD exposure to attack. DoD information is unclassified, but it is sensitive, and should be protected. DISA estimates that DoD is attacked about 250,000 times per year, but only 1 in 500 attacks are detected and reported. Attackers have stolen, modified, and destroyed data and software, disabled protection systems, and shut down entire systems and networks. Security breaches cost DoD hundreds of millions of dollars annually, and pose a risk to national security, yet CERT teams are inadequately staffed, limiting response capability. Policy and training regarding computer security and network management are greatly outdated. There is no uniform policy for assessing risks, protecting systems, responding to incidents, or assessing damage. Recommendations: Develop departmentwide policies for preventing, detecting, and responding to attacks, mandating the following: - Report all security incidents within the Department. - Perform risk assessments routinely. - Correct vulnerabilities and deficiencies expeditiously. - Expeditiously assess damage from intrusions to insure integrity of data and systems compromised. Require military services and Defense agencies to use training and other mechanisms to increase awareness and accountability. Require trained information system security officers at all installations. Continue developing and cost-effectively using departmentwide network monitoring and protection technologies. Evaluate the incident response capabilities within DISA, the military services, and the Defense agencies to ensure that they are sufficient to handle the projected threat. The Secretary should assign clear responsibility and accountability within OSD, the military services, and Defense agencies for ensuring the successful implementation of this computer security program.

Results of this report have been forwarded to the Senate Armed Services Committee and House Committee on National Security; the Senate Committee on Appropriations, Subcommittee on Defense, and the House Committee on Appropriations, Subcommittee on National Security; the Senate Select Committee on Intelligence and the Permanent Select Committee on Intelligence; the Secretary of Defense; the secretaries of the military services; and the Director, Defense Information Systems Agency.

The report concludes that there are significant risks based on these findings:

• Defense cannot locate or deliver supplies promptly without properly functioning inventory and logistics systems.

• Defense relies heavily on computer technology --especially a network of simulators that emulate complex battle situation -- to train staff.

• It is impossible to pay, assign, move, or track people without globally networked information systems.

• Defense cannot control costs, pay vendors, let or track contracts, allocate or release funds, or report on activities without automation.

• Defense systems handle billions of dollars in financial transactions for pay, contract reimbursement, and economic commerce.

According to the FBI and Defense Investigative Service (DIS), high technology and defense- related industries remain the primary targets of foreign economic intelligence collection operations. This finding continues a trend reported in the 1995 Annual Report. The most likely industry targets of economic espionage and other collection activities during the past year include the following areas, most of which are included on the 1996 Military Critical Technology List (MCTL):¹⁰

• Advanced materials and coatings

• Advanced transportation and engine technology

• Aeronautics systems

• Aerospace

• Armaments and energetic materials

• Biotechnology

• Chemical and biological systems

• Computer software and hardware

• Defense and armaments technology

• Directed and kinetic energy systems

• Electronics

• Energy research

• Guidance, navigation, and vehicle control

• Information systems

• Information warfare

• Manufacturing processes

• Marine systems

• Materials

• Nuclear systems

• Semiconductors

• Sensors and lasers

• Signature control

• Space systems

• Telecommunications

• Weapons effects and countermeasures.

According to a DIS summary of suspicious contacts reported in FY95, entities associated with 26 foreign countries displayed an interest in 16 of 18 technology categories listed in the new MCTL. The U.S. considers all of the above industries to be strategically important because they produce classified products for the government, produce dual-use technology used in both the public and private sectors, or are responsible for the leading-edge technologies required to maintain U.S. economic security.¹⁰

FBI Director Freeh provided the following five examples of foreign targeting activities in his 28 February 1996 statement before the Senate Judiciary and Intelligence Committees:

• One foreign government controlled corporation targeted U.S. proprietary business documents and information from U.S. telecommunications competitors.

• Another foreign competitor acquired the technical specifications from a U.S. automotive manufacturer.

• In violation of U.S. export laws, a foreign company attempted to acquire a U.S. company's restricted radar technology.

• Several U.S. companies reported the targeting and acquisition of proprietary biotechnology information.

• One U.S. company reported the foreign theft of its manufacturing technology regarding its microprocessors.

Types of U.S. government economic information -- pre-publication or unpublished "insider" data -- of special interest to governments and intelligence services include:¹⁰

• Bid proposals

• Economic, trade, and financial agreements

• Energy policies

• Marketing plans

• Price structuring

• Proposed legislation affecting the profitability of foreign firms operating in the U.S.

• Tax and other monetary policies

• Technology transfer and munitions control regulations

• Trade developments.

Three additional case studies were reviewed by the Task Force involving a southeast U.S. port city, a rail traffic control center, and a 1996 Federal Aviation Administration (FAA) vulnerability assessment. A summary of the findings:

Port City Assessment: - Identified single point of failure for infrastructures supporting military mobilization and deployment Rail Traffic Control Center Assessment: - Central control switching facility for east coast rail traffic. - Potential contributor to problems resulting in fatal Maryland rail collision of AMTRAC and MARC trains in fall of 1995. FAA Assessment: - Not vulnerable today due to antiquated systems, limited networking, and proprietary software. - Upgrades will lead to vulnerabilities due to widespread use of COTS technologies and increased networking.

Details of the assessment which could impact deployment of units and follow-on forces which rely on transport out of the port terminal region are provided in Reference 13. Investigation of the AMTRAK - MARC collision indicated human error, but vulnerabilities were detected in the control center, making it a potential single point of failure for exploitation. The FAA assessment, provided in briefing form to the Task Force in June, 1996, concluded that even though vulnerabilities were likely to grow, financial realities restricted the ability to plan protective measures into proposed upgrades until mandated, or in worst case, following a major incident.¹¹

A.5 ARE WE AWAITING AN ELECTRONIC PEARL HARBOR?

The trends seen in development of intrusive tools on the INTERNET, growth in hacker activity, and related incidents cause further concern. A summary of recent trends is given below:

IW Trends Open availability of intrusion tools. - SATAN made available to the public, April 1995. - Rootkit: Recently available, used to mask intrusions. Continued growth of hacker activity: - Masters of Deception: Programmed attacks on phone companies. - Legion of Doom: Phone switching/billing, and credit card abuses. - Poulsen/Mitnick/Shadowhawk: Phone, system access, computer code abuses. - 5 hacker group break-in of computers at University of Washington, Bank of America, ITT, and Martin Marietta, (1993). - Operation Moon Angel: Federal agents arrest 74 hackers nationwide for unauthorized entry into business and government computers (April 1995). Continued growth in reported computer crimes: - Academy of Criminal Justice Sciences Study indicates that 98.5% of participating businesses had been victims of computer theft or attempted theft. Cell phone cloning. Terrorist acts: World Trade Center Bombing.

Tools: The NSTAC Assessment of Risk to Security of Public Networks reported in February, 1996 that SATAN, the Security Administrator Tool for Analyzing Networks, scans and reports system vulnerabilities, which if improperly used, could enable system attacks. It was made openly available on the INTERNET in April, 1995. The report also identifies Rootkit as a tool which falsifies data, making detection of intrusion difficult even with state-of-the-art technology. Rootkit is also openly available on the Internet

Hacker growth: Additional case study information is provided at Attachment 1 for first three listings. In the case of the 5-hacker group, one raid wiped out data on the Learning Link, a NYC public television station computer serving hundreds of schools.² The Moon Angel offenses included breaking into NASA computers controlling the Hubble telescope, and rerouting calls from the White House.

In October, 1995 New York officials made arrests in what was declared the largest cell phone cloning operation in the country. Estimates are that over 27,000 phones were cloned within a seven month period at an estimated loss of $1.5M per day in cell phone revenue nationwide.²

Finally, consider the World Trade Center bombing as a case which might be a good example of physical versus virtual attack: Twin tower, 110 story building; 50,000 workers and 80,000 visitors daily vs. Global marketplace nerve center, many City/State/Federal offices, several international office, $3M phone switch station, telecom for Wall Street to the World.¹²

These trends are cause for a growing concern -- the unknown threat, and the potential for an attack having strategic significance.

A.6 THE UNKNOWN THREAT - POTENTIAL EVENTS BASED ON EXISTING CAPABILITIES (THE DEVELOPMENT OF A STRATEGIC THREAT)

Existing, easily acquired capabilities make the potential for an attack having strategic significance a reality. The most common capabilities for IW-related attacks are, by themselves, often seen as more of a localized nuisance, rather than a strategic threat. When applied in a coordinated attack however, the results are far more widespread. Consider the Nth order effects in the following example from Col Charles Dunlap's essay, "How We Lost the High-Tech War of 2007", published in The Weekly Standard, January 29, 1996:

The Setting: (The year 2007):

• Downsizing and cuts in military infrastructure are "off-set" by information technology.

• COTS technology used widely by U.S. and her adversaries.

• Open architecture provides information equality - not information dominance.

• U.S. insistence on open architecture leaves sources of information readily available to opponents - News media is a particularly valuable source.

• Warfare has become even more savage - not cleaner, more high-tech. Televised atrocities and deaths of U.S. troops become a tool of adversaries to sway public opinion.

The Indirect Attack - U.S. C2-Protect efforts are successful in countering direct attack - leading adversary to indirect attack with many Nth order effects:

• Mexican economy attacked - computers corrupted on a massive scale

• Counterfeit electronic pesos flood Mexican bank accounts

• Hyperinflation; economy collapses

• Refugees flood into U.S.

• Call for troops to be brought home to face domestic situation.

The technologies required to perform this these types of attack are available today. The issue of whether or nor they comprise a strategic threat is more a matter coordinated timing. Some may come in the form of a simple attack on a target identified as a single point of failure:

A more complex, coordinated attack takes on a multi-dimensional nature:

In either of these cases, the timing of the attack is what in fact may have made it strategic in nature. Consider the port city example:¹³

• A power outage, communications failure, or road/rail disruption would be an inconvenience to citizens on an average day.

• However, these same incidents coordinated to occur at the peak of Desert Storm deployment could easily have constituted a strategic threat which would have altered arrival of troops and equipment which played a critical part in the outcome of the war.

• Combine these with the previous examples of attacks on Pentagon computers. Rome Lab, Citibank, and the MCI switch, and the result is widespread loss of confidence in the government's ability to respond to problems both at home and abroad.

To demonstrate the relative ease of achieving an IW capability, the Threat Panel prepared the following table:

As an example of a country heavily involved with developing their own capability, consider Russia. Of the 15 categories listed, Russia has a significant capability in seven categories. and a good capability in four (total: 11 of 15). These developments continue, even in the face of widespread economic difficulties. More importantly, almost any nation is capable of developing significant Information Warfare capabilities. Unlike nuclear capabilities, however, IW is relatively inexpensive, and quick to obtain, given the volume of available markets. Thus, a country such as Iran could acquire a strategic capability to threaten the United States without requiring a significant investment, or a long-term development cycle.

A.7 THREAT CONCLUSION

In order to best understand the significance of a potential IW threat, we must consider the often opposing views of information security between the private/commercial sector, and the national security view:

Merging Two Views On Information Security Into One (Concepts expressed in NSA briefing "Ensuring Information Superiority for the 21st Century", presented by LtGen Minihan at NSTAC session, May 1996) National Security View: Protection of information has intrinsic value - National interest. Cost of compromise difficult - can be life threatening. Risk avoidance approach is traditional response. Private Sector / Commercial View: Cost of doing business - pass the expense on to the customer. Countermeasures have a definite expected value. "Insurance" approach is the traditional response. National and Private Sector Information Security Are Now Inexorably Intertwined: Zone of cooperation is emerging. Risk management approach is needed. Strategic Sanctuary Is At Risk

The private sector has viewed IW as a cost of doing business that was often passed on to the customer. The national focus still struggles with the concept of what constitutes a strategic threat. The response has been to avoid risk rather than manage and anticipate it. A zone of cooperation is now emerging which must be better defined:

• Where do protection, detection, and response responsibilities lie?

• Risk management rather than risk avoidance is a critical step.

These issues are at the heart of the defensive information warfare issues.

ATTACHMENT 1

REFERENCES

1. NSTAC Assessment of Risk to Security of Public Networks, Feb 1996.

2. Trends and Experiences in Computer-Related Crime, Academy of Criminal Justice Sciences, 1996.

3. Rome Lab Attacks Final Report, 20 Jan 1995.

4. Senate hearing on Security in Cyberspace, 5 June 1996.

5. Trends and Experiences in Computer-Related Crime, Academy of Criminal Justice Sciences, 1996.

6. 1995 DSB Report.

7. "Hacker Exposes U.S. Vulnerability," Defense News, Oct 9-15, 1995.

8. DIS Briefing, "Developing the Information Warfare Defense: A DISA Perspective," given by Mr. Bob Ayers, March 1996.

9. GAO Report, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, 22 June 1996.

10. 1996 CSI/FBI Computer Crime and Security Survey, as reported in Computer Security Issues and Trends, Volume II, Number 2, Spring 1996.

11. FAA Briefing, "Security of the Air Traffic Control System," given by FAA representatives, Mr. Dennis Hupp and Ms. Trish Hammer, June 1996.

12. NSA Briefing, "Ensuring Information Superiority for the 21st Century," Driven by LtGen Minihan, May 1996.

13. Joint Program Office (JPO) Briefing, "Infrastructure Assurance Supporting Military Operations," given by the Joint Program Office for Special Technology Countermeasures, Ms. Susan Hudson and Mr. Bob Podlesney, July 1996.