From: iw@all.net
Subject: IW Mailing List iw/951222
---------------------------------------------
Date: Thu, 21 Dec 1995 23:50:48 -0500
From: gooddent@pa.net (Tom Goodden)
Subject: Re: IW Mailing List iw/951221, USAF Attack on USN

>Moderator's Note:
...
>According to my sources ... It was a controlled experiment ... performed
>using DoD owned and properly keyed cryptographic devices designed to be
>allowed to communicate with the systems being attacked.

Bob Brewin has reported elsewhere (and separately confirmed to me) that
the attack took place from INSIDE a DoD proprietary, classified network. 
So, I believe that makes the USAF Captain a 'trusted user' to the victim
computer.  No?
---------------------------------------------
From: jps@monad.semcor.com (Jack P. Starrantino)
Subject: Re: Air Force hacks Navy? Eeeek!
Date: Fri, 22 Dec 1995 12:14:45 -0500 (EST)

The following article is from Defense News Oct. 9-15, 1995 pp1,37.

Hacker Exposes U.S. Vulnerability
By Pat Cooper and Frank Oliveri
Defense News Staff Writers

Washington -- A U.S. Air Force captain, using a personal computer and a
modem, penetrated the command and control systems of U.S. Navy ships
operating in the Atlantic Ocean, exhibiting the awesome offensive
capability of information warfare and the significant danger U.S. forces
are just beginning to learn how to counter.

Air Force personnel based at Hanscom Air Force Base, Mass., with the
knowledge and permission of the Navy, penetrated the computer systems of
naval ships in the Atlantic Ocean, Air Force Lt.  Gen.  John Fairfield,
deputy chief of staff for command, control, communications and
computers, said Sept.  25. 

Using standard computers, Air Force operators tapped into the Internet,
via a telephone link to the information superhighway, and connected with
a ship through an electronic mail link in one of the ships' networked
computers, Air Force Officials said Sept. 28.

Once inside the ship's computer network, Air Force Operators navigated
to the ships command and control system and could have given the ship
bogus steering commands, Fairfield said.

The methods of the break-in and the actual vulnerabilities it exposed
are classified. ...

[Moderator's Note: Another list member indicated that the attack
actually used a DoD network, not the Internet. In time, we hope to
get a really accurate rendition of the facts.]
---------------------------------------------
   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
...
Date: Fri, 22 Dec 1995 00:59:09 -0500
From: RSRMadison@aol.com
Subject: Re: Naval Battleship takeover (Long, RISKS-17.55)

A message from the InfoWar list noted that: <>

As stated, this is true. However, let the record show that the US Navy still
flies the flag daily over 1 commissioned battleship, the USS Arizona,
permanently stationed in Honolulu.

...
Date: Fri, 22 Dec 1995 10:53:56 -0500
From: Bob Brewin 
Subject: Re: Naval Battleship takeover (Long, RISKS-17.55)

Yikes.  This story will not die -- it just lives on a Web site at the
Daily Telegraph in London.  Having worked for a British news
organization (Reuters) for years, if you believe the Telly story, call
me about a bridge I have for sale. 

The Air Force did not hack the Navy over the Internet.  They did it over
a secure network (SIPRNET) which is firewalled from the Internet. 

The Air Force conducted this attack with the Navy's knowledge and
permission. 

The Navy does not have any battleships on active duty.

The Air Force did not get control of the none-existent battleship.

Yep. This does have the makings of a legend.

Bob Brewin editor-at-large (whatever that means) federal computer week
antenna@fcw.com brewin@access.digex.net
...
---------------------------------------------
From: fc (Dr. Frederick B. Cohen)
Subject: Re: IW Mailing List iw/951221
Date: Thu, 21 Dec 1995 21:57:38 -0500 (EST)

> From: "Marcus J. Ranum" 
> Date: Wed, 20 Dec 1995 21:48:19 -0500 (EST)
...
> "IW" is an uninteresting subset of strategy, and any strategic thinker
> worth a pinch of salt will incorporate intelligence and adverse
> intelligence operations into their strategic picture. ...

Interesting is a relative term.  If you aren't interested, why do you
participate in this list? I guess it's not all that uninteresting after
all.

In terms of being a subset of strategy, I am confused by the statement. 
My dictionariy's definition of Strategy is:

	"1a) The science and art of using all the forces of a nation to
	execute approved plans as effectively as possible.  1b) The
	science and art of militarycommand as applied to the overall
	planning and conduct of large scale operations.  2) A plan of
	action intended to accomplish a specific goal."

I'll summarize it as a synonym for "plan".

You seem to think that IW is a subset of planning and that any planner
worth a pinch of salt will incorporate intelligence and adverse
intelligence operations into their plan.  But, other than the fact that
successful warriors make plans for many of the things that they do, how
is planning related to (for example):

	exploiting a software bug to disable an enemy
	missile's targeting computer?

I would think that most people would consider this attack as an example
of IW, and yet it seems more of a tactical application of informational
force than the making of a plan.

> ---------------------------------------------
> From: winn@infowar.com
> >From: "Jesse A Whyte" 
> > ... I would hardly say that one individual, with even a
> > moderate amount of resources, could harness enough IT to potentially
> > come to bear against actual armed forces.
>
> I do not assume that my IW attack is against armed forces or the
> military or the government.  Depending upon my motivation, I am going to
> strike at the weakest point (Clauswitz) and that will likely be a
> civilian/private infrustructure component. 
> 
> Do not fall into the trap that IW is an exclusive MIL domain.  Far from
> it.  That it why I allow small-time cyber-terrorists into my model. 

I think the issue being brought out here is one of whether random acts
of violence constitute warfare, or perhaps more importantly, whether
they are an effective form of warfare.

winn@infowar.com thinks that anything involving conflict and information
is IW (and has openly said so).  Cadet.Jesse.Whyte@cadet2.usma.edu is
concerned with how effective many of these acts are in terms of high
intensity conflict.  As long as we talk across purposes, we are unlikely
to get very far.

winn@infowar.com (and I think rightly) points out that civilian/private
infrustructure components are easier targets in many cases than classical
military targets, but this is hardly new.

In "Protection and Security on the Information Superhighway" I (among
other things) make the (not necessarily novel) argument that:
		Dependency + Vulnerability + Threat => Risk

I think that perspective may be useful in this discussion:

	winn@infowar.com is pointing out (I think) is that there is high
	dependency on civilian/private infrastructure elements, and he
	is right, except that this is not adequate for true
	understanding of risks.

	Cadet.Jesse.Whyte@cadet2.usma.edu points out that the threat
	associated with individual actions is rarely so severe that it
	is likely to have a substantial impact on risks to substantial
	military enterprises, and he is right, except that this too is
	not adequate for true understanding of risks. 

In order to get a true understanding of risks, we must combine these
different perspectives and consider them in a particular context.  For
example, in a recent wargame, there was a fairly substantial discussion
about whether, within different fantasy scenarios, each of two future
forces might use a particularly devastating attack against the US. 

	In the first case, a rag-tag enemy was the threat, and although
	there was a very high dependency, the vulnerability seemed like
	it required more sophistocation than the threat was likely to be
	able to muster.  Thus the risk was considered low.

	In the second case, a well-organized and very capable enemy was
	considered for the same threat, but in this case, the enemy was
	so strong and so identifiable, that we felt that the risk of
	Nuclear war would be too high for the enemy to exersize the
	particular threat, even though we thought they were capable.

If we are going to analyze things in the perspective of strategic risks
(i.e., consider how to plan for different eventualities) as opposed to
proposing scenarios that may or may not be worth considering and making
off-handed judgements about the relative merits of different threats, we
must go deeper than either of these points of view.

I want to hear views that look deeper.  To help do this, I want to pose
some questions:

winn@infowar.com:
	"Depending upon my motivation, I am going to strike at the
	weakest point (Clauswitz) and that will likely be a
	civilian/private infrustructure component...  I allow small-time
	cyber-terrorists into my model."

	What class of civilian/private targets you think are weak enough
	to be successfully attacked by what size and sophistocation of
	small-time cyber-terrorists?  (i.e., What is the vulnerability?
	What is the threat?) What they would hope to accomplish by
	attacking these targets? (i.e., What is the dependency and who
	is dependent on that for what?  What is the net effect?)  What
	do you think we should do about it? (i.e., What is the risk?  Is
	it worth defending against? How much should we spend to defend?
	How effectively can we defend for that cost?)

Cadet.Jesse.Whyte@cadet2.usma.edu:
	"I would hardly say that one individual, with even a moderate
	amount of resources, could harness enough IT to potentially come
	to bear against actual armed forces."

	How many people with what level of sophistocation does it take
	to form a substantive threat against actual armed forces?  What
	kind of forces are we talking about? How do they operate? (i.e.,
	What are their dependencies? What are the vulnerabilities associated
	with those dependencies?  What threat profiles are adequate to
	present what levels of risk?) How much IT do you have to harness
	to have what sort of effect agains what kind of force?

I hope to hear the answers to these questions (maybe even with some
examples) so I can get a deeper understanding and appreciation of the
points you are both making.
---------------------------------------------
Date: Fri, 22 Dec 1995 14:29:41 -0500
From: cobbjw@ornl.gov (John W. Cobb)
Subject: subscribe iw cobbje@ornl.gov

For me personally, there are three ativities that occur:

1) Military operations by nation-states, rebels, or terroists where part
or all of the means of waging hostilities (weather low-intensity or not)
is by disrupting or replacing part of the information infrastructure
that is part of modern combat, especially command and control (or C3I,
etc)

2) Industrial espionage betwee non-governmental, and sometimes
international or multi-national firms where the object is to steal or
sabotage critical information, primarily of an eceonomic nature in
order to change an existing competitive relationship in a marketplace

3) Activities waged between individuals where one person or persons
seeks to harm another by deleting or publishing personal information. 
This includes invasions of privacy where medical records are made public
(or similar disclosures such as movie rental lists, library card
checkkouts, lists of phone calls made, etc).  It also includes deleting
vital personal information in databases of private firms or
goevernmental agencies.  It also includes economic fraud such as using
credit-card information, electronic check forging, or evein in a more
severe case, identity stealing. 
---------------------------------------------