Subject: IW Mailing List iw/951226
Date: Tue, 26 Dec 1995 14:29:39 -0500
From: (kenpyle)
Subject: Re: IW Mailing List iw/951222

>	"I would hardly say that one individual, with even a moderate
>	amount of resources, could harness enough IT to potentially come
>	to bear against actual armed forces."
>	How many people with what level of sophistication does it take
>	to form a substantive threat against actual armed forces?  What
>	kind of forces are we talking about? How do they operate? (i.e.,
>	What are their dependencies? What are the vulnerabilities associated
>	with those dependencies?  What threat profiles are adequate to
>	present what levels of risk?) How much IT do you have to harness
>	to have what sort of effect against what kind of force?
>I hope to hear the answers to these questions (maybe even with some
>examples) so I can get a deeper understanding and appreciation of the
>points you are both making.

Dr.  Cohen is correct in assessing that the actual risk to the armed
forces does not necessarily occur on the battlefield itself.  From a
military perspective (and this is purely my opinion, not my employer's)
it would take more than a small group of cyber-terrorists to
significantly harm the United States military forces in their wartime

Even assuming that the cyber-terrorists were extremely well-versed in
computer and network security, to substantially affect the military
supply line, the terrorists would have to spend significant amounts of
time actually inside the infrastructure studying the exact ways that the
United States defense infrastructure works. 

The military is not known to follow many civilian approaches to problems
and often, this situation included, adopts its own unique approach to
its problem.  The importance of this is that it would take any group of
cyber terrorists a significant amount of prior planning and espionage to
learn the intricacies of the DoD internal network.  Also - almost all of
the key DoD computers aren't even on the Internet or approachable by a
modem bank.  For obvious security reasons, the most important and
sensitive, life-threatening and saving information is on
physically-secure, Tempest-shielded computers that sit in the basements
of places like the National Security Agency and never see a modem or a
line to the Internet.  It is a naive view that the military is so far
behind the "information warfare times" that it would allow its most
important assets to be violated by a group of teenage hackers. 

Hence, a successful cyber-terrorist movement would be well-funded,
either by an independent source or by another nation with reason to see
the fall of the NII.  It would not have any immediate goal, or at least
have a long time frame to work with.  They would be patient and
extremely careful.  Ultimately, the organization that we are talking
about is almost identical to the spy-campaigns waged by the world's
intelligence agencies during the Cold War.  Long term missions that show
little immediate return. 

If an agency like this was willing to expend the dollars, and infiltrate
someone, or more practically, many people, into the defense hierarchy,
they would have the capability of having someone on-site to perform the
actual strikes with a fore-knowledge of the methods and means that the
US military uses to perform strategic resupply, intelligence operations,
etc.  This group could and would, INDIRECTLY, pose a significant risk to
the guns, tanks, and howitzers that the US uses on the actual
battlefield.  A tank would do little good if a terrorist altered
shipping schedules and airlift orders and the tank never received its
next shipment of ammunition.