CIAO DATE: 05/02

Georgetown Journal of International Affairs

Volume 1, Number 1, Winter/Spring 2000

Cyber Threats: Ten Issues to Consider
by Frank Cilluffo & Paul Byron Pattak

As the United States hurtles into the Information Age, we are forced to grapple with a new set of national security problems heretofore not contemplated. Distance, time, and geography have been reduced to the point of irrelevancy. Information networks have given the United States an unrivaled, perhaps unsurpassable, lead over the rest of the world in virtually every facet of modern life. To an unprecedented degree American national security and economic well–being depend upon critical infrastructures, such as banking and finance, electric power, information and communications, oil and gas production, transportation, water supply, emergency services, and the continuity of government services. These infrastructures in turn depend upon telecommunications and networked information systems. Along with the clear rewards of information systems come new risks and a host of unintended consequences that need to be better understood by corporate and government leaders.

The United States faces threats from peer nations, trading partners, hostile countries, non–state actors, terrorists, organized crime, insiders, and teenage hackers. While few adversaries would attempt to confront the United States in a conventional war on the traditional battlefield, its adversaries recognize that terrorism and other asymmetric forms of conflict, such as cyber attacks, are more effective methods of striking the United States where it is most vulnerable. Bits and bytes will never completely replace bullets and bombs, but they can be synergistically combined. Imagine if the Oklahoma City bombing had been accompanied by electronic disruptions of federal, state, and local emergency and public safety communications systems, including Emergency–911.

The ability to network has far outpaced the ability to protect networks. When the Internet was created, it was designed with “openness” and accessibility as guiding principles. Most information systems have been engineered in the most economically efficient manner, and are therefore dependent upon a small number of critical nodes, making them vulnerable to attack. As computer systems become increasingly interdependent, damage to one can potentially cascade and impact others.

America’s vulnerabilities were dramatized during a 1997 Joint Chiefs of Staff exercise, code–named “Eligible Receiver.” The purpose of the exercise was to test the United States’ ability to respond to cyber attacks. The results opened the eyes of skeptics. Using software widely available from hacker websites, the thirty–five–person team showed how they could have disabled elements of the U.S. electric power grid by exploiting Supervisory Control and Data Acquisition (SCADA) systems (which allow remote control of the systems). They also demonstrated how to incapacitate portions of U.S. military command–and–control systems in the Pacific and Emergency–911 systems in the United States.

In response to the emerging threat of cyber terrorism, Presidential Decision Directive 63 (PDD-63), issued on May 22, 1998, authorized the creation of a National Infrastructure Protection Center (NIPC). The NIPC is now housed within the Federal Bureau of Investigation (FBI), where it serves as a lookout for attempted intrusions and monitors cyber attacks. PDD-63 also led to the establishment of the Critical Infrastructure Assurance Office (CIAO) within the Department of Commerce to serve as a policy coordination staff for infrastructure assurance issues within the Executive Branch.

While the U.S. government has taken these important steps, a more holistic, high–level policy debate is required. Information warfare, cyber crime, and cyber terrorism all overlap, yet require different domain expertise and varied responses. At present it is impossible to refer to clearly delineated rules. Before committing ourselves to policies with enormous potential for adverse results and misspent taxpayer dollars, the United States must first fully understand the dangers of cyber threats. Ten issues require thoughtful consideration.

1. Defining Conflict in Cyberspace. Cyber warfare raises serious questions about how future conflicts and wars are prosecuted. What constitutes an act of war? How does one differentiate between a terrorist attack and a financial crime committed with a computer? What is the adequate balance between protecting civil liberties, businesses, and national security? To a large extent, determining whether the United States is at war depends on the antagonist. A cyber attack by China’s People’s Liberation Army requires a substantially different series of responses than an attack by teenagers from China, although American victims of an attack might never know the difference.

In late January and early February 1998, as the United States considered deploying forces to the Persian Gulf, hackers attacked scores of Defense Department networks. Pentagon and FBI investigators thought that these intrusions might have been launched in response to a military build-up in the Persian Gulf. Fearing the worst, senior Defense officials informed the White House that an Iraqi information warfare campaign may have been underway. Their fears were reinforced by the fact that the hackers used foreign Internet service providers, including one located in the United Arab Emirates, as a staging point for their attacks.

After several days of investigating, the FBI learned that two California–based teenagers, mentored by an eighteen–year–old Israeli national, had conducted the attack. They were able to preserve the anonymity of their attack by routing it through a host of computer systems around the world. They successfully breached U.S. military computer defenses and gained access to the Defense Department’s unclassified (yet important) logistics networks. The attack and the subsequent investigation, dubbed “Solar Sunrise,” were characterized by John Hamre, Deputy Secretary of Defense, as “the most organized and systematic attack” on U.S. defense networks discovered thus far.

Cyber warriors can systemically attack vital American networks in relative anonymity. The person on the other end could just as easily be a child, a competitor, or a foreign intelligence service. A few months after “Solar Sunrise,” a Massachusetts teenager was charged with disabling the FAA control tower at Worcester Regional Airport for six hours. Incoming planes could not use the runway lights. Later in 1998, a man in Toborg, Sweden managed to disable major portions of South Florida’s Emergency–911 system.

To date, most of these denial-of-service incidents have been perpetrated either by insiders or by hackers, and are best characterized as annoyances. Hackers, largely thrill-seeking young people, have demonstrated that vulnerabilities can be exploited by those with hostile intent. Any one of the increasing number of groups and individuals hostile to U.S. interests could exploit these vulnerabilities to harm those interests.

Current U.S. policy does not draw clear distinctions between these various scenarios. Without established rules of engagement, there is no battle plan in place to address the dangers raised by the various attacks. Likewise, because of the virtual nature of cyberspace, and because we are by and large dealing with “actors without addresses,” conventional force projection will neither pre-empt nor prevent cyber assaults. But a well-defined policy and an established strategy would go a long way towards showing our adversaries that the United States is willing and able to respond both in kind and conventionally. In the final analysis, the nation’s best deterrent may be the ability to quickly reconstitute our damaged systems, regardless of the perpetrator.

2. Rules of Engagement. National planners need to define carefully the criteria for U.S. rules of engagement for cyberspace. In short, they must determine how the United States selects information warfare targets, as well as who and what are fair game. In turn, this may be a harbinger of how U.S. systems will be targeted by adversaries.

According to U.S. media reports, President Clinton issued a highly classified finding authorizing the CIA to use covert means to undermine Serbian President Slobodan Milosevic. The President allegedly authorized government agencies to conduct cyber operations against Mr. Milosevic by tapping into his bank accounts. Intelligence sources believe Mr. Milosevic secreted money in Swiss, Russian, Greek, Cypriot, and Chinese banks. A compelling reason to support this effort is that it personalized the target and did not result in collateral damage, in this case innocent Serbian civilians.

The problem with this particular “covert” action is that it ceased to be covert upon the public’s awareness of its occurrence. Accordingly, it is substantially more difficult to execute this type of plan when the would-be target is aware of the action. The first rule of covert action is to keep it clandestine and maintain plausible deniability. An information arms race does not bode well for the United States given its unparalleled dependence on critical infrastructures. In many ways, it is the reverse of Cold War nuclear deterrence policy: America’s ability to defend itself is now more important than its ability to project power.

3. Non–State Actors. The increased availability of advanced technology has strengthened the capabilities of hostile non–state actors. The situation will only worsen as the requisite level of knowledge and skill decreases while the power and technological sophistication of these cyber attack tools increase exponentially. As a result, terrorists have become empowered and have moved away from the fringes of world affairs toward the center stage.

Cyber warfare can also be a tool to collect intelligence in support of terrorist operations and campaigns, and to communicate and disseminate propaganda. Given today’s state of technology and dual–use applications, terrorist groups can easily acquire an inexpensive, yet robust communications intelligence (COMINT) collection capability. First, terrorists can intercept valuable political, economic, and military secrets; run counter–surveillance on law enforcement; and perform profiling analyses to identify individuals who can be bribed, co–opted, coerced, or “neutralized.” Much of this work can be done anonymously, diminishing the risk of reprisal and increasing the likelihood of success. Second, terrorists can use advanced technology for communication and tradecraft. The Internet and other information systems provide terrorist groups a global and near real–time command, control, and communications capability. The availability of sophisticated encryption devices and anonymous re–mailers also provides relatively secure communications or stored data.1

Nearly all major terrorist organizations have a website, including the Shining Path, HAMAS, the Revolutionary Armed Forces of Colombia (FARC), the Liberated Tamil Tigers of Eelam (LTTE), and the Irish Republican Army (IRA). They look to the Internet largely to disseminate communiqués, fundraise, and recruit. The United States’ most-wanted transnational terrorist, Osama bin Laden, uses laptops with satellite uplinks and encrypted messages to conduct operations and maintain links across national borders with his terrorist network.

There is no shortage of terrorist “cookbooks” on the Internet, step-by-step recipes for hackers, crackers (criminal hackers), and cyber terrorists.2 An adversary can circumvent national militaries completely, armed only with automated “weapons of mass disruption.” It is only a matter of time before there is a convergence between those with hostile intent and those with techno-savvy, where the real bad guys exploit the real good stuff.

4. Public Opinion. Malfeasants can easily hide in cyberspace’s void and lash out either precisely or indiscriminately. The Internet also provides the perfect medium for people to communicate their ideas, organize initiatives, and execute activities on a distributed basis.3 This raises the possibility that adversaries could organize covertly on an unprecedented scale. The activities of “hacktivists” such as the J18 and the Electronic Disturbance Theater (EDT) begin to illustrate the potential for global organization and mobilization.

On June 18, 1999, demonstrators organized a global protest, with manifestations in major cities on several continents and along a broad spectrum of agendas. Groups were implored to demonstrate against the rubric of globalization, but without a unified theme or format.

The result was simultaneously orchestrated global disruptions and Internet attacks. In London, individuals described in the media as “evil savages” and “masked thugs” assembled in the financial district in a rampage against capitalism. Stilt–walkers, magicians, jugglers, and musicians lined the streets, targeting the London International Financial Futures and Options Exchange. Dismissed locally as a drunken mob, the “New Age guerrillas” managed to disrupt the ebb and flow of business.

Meanwhile, on the same day in Austin, Texas, a bicycle ride by a group called Critical Mass arrived at a particular coffee shop to be part of a global “reclaim the street” project. As the first set of bikers started to arrive, they encouraged others to stand in the street, which had been barricaded to interrupt traffic. The organizers managed to briefly address the crowd and hand out fliers before the police arrived and dispersed them.

While people protested, the Electronic Disturbance Theater organized a “virtual sit–in,” a denial–of–service attack that called on people around the world to point their Internet browser toward the Zapatista Floodnet URL between 4:00 p.m. and 10:00 p.m. (GMT). The computers continually sent reload commands to the Floodnet site. Floodnet then redirected these requests to the Mexican Embassy in London. Thus, much like the previous two examples, the Internet “streets” were crowded with “people.” The results of the virtual sit–in were even more impressive than the physical demonstrations: 18,615 unique contributors from forty–six countries were part of the assault.

The events of June 18, 1999 raise frightening possibilities. Protesters in more than forty countries mobilized on the same day, physically and virtually. If the protests had existed for a single organized purpose, the results could have been devastating. These events further illustrate that the Internet can be both a tool and a target. J18 passed largely unnoticed by the media, which to date has focused only on highly visible activities, while ignoring many of cyber warfare’s subtle dangers.

The November 1999 World Trade Organization (WTO) meetings became the site of the most recent iteration of Internet–mobilized protests. Under the same anti–globalization banner, chief organizer Michael Dolan used the Internet to organize and mobilize a large unrelated group of protesters under the collective banner of “NO2WTO.” The protesters represented a panoply of issues. Everyone from animal rights activists to supporters of the Zapatistas in Mexico came from all across North America to voice their grievances. The result was the “Battle in Seattle.” Individual messages were lost in the ensuing violence. Through their website, a group calling themselves the “Electrohippies” organized a virtual sit–in, shorthand for a denial–of–service attack, just as other groups had done with J18.

J18 and NO2WTO were successful protests in that they succeeded in disrupting that day’s, and even that week’s, events. They illustrate a new model or principle that experts have dubbed “disorganization,” or decentralization. This precept encourages many simultaneous local protests addressing specific concerns. Protesters thereby benefit from “demonstrations of scale.”

NO2WTO also introduced new faces to the protest crowd. It showed the appeal not only of reaching a wider audience, but also of drawing from a larger pool. In many ways, however, this was a one-trick pony. Groups with an established constituency and a defined message, like the AFL-CIO, clearly suffered some loss in legitimacy by association with violent protests. While future protests may lose several better-known organizations, the more radical elements have everything to gain by joining forces in this paradoxical global-local protest.

Already many of the groups that brought the world J18 and NO2WTO, including the Direct Action Network (DAN) and People’s Global Action (PGA), are planning MayDay2000. As May Day has a tradition of protests, chances are that MayDay2000 will be larger in scope than J18 and NO2WTO. Local governments and emergency responders need to be aware of the potential for the type of disruption displayed in Seattle and plan accordingly.

5. Media Misunderstanding. The most visible attacks on American systems result in a disproportionate amount of media attention. Indeed, there has been no shortage of headlines with the recent battle between federal officials and computer intruders. Websites maintained by the Senate, the FBI, the Interior Department, the White House, the U.S. Army, and the North Atlantic Treaty Organization (NATO), to name a few, were defaced in 1999. The transgressions were usually nothing more than graffiti and unsightly annoyances. Meanwhile, a number of truly dangerous incidents have passed relatively unnoticed.

The recent spate of hacker events has drawn a great deal of publicity. The media focused on the attacks against the FBI and Senate web pages and dutifully reported that a top U.S. Justice Department official labeled the attacks as “serious.” On June 2, 1999, apparently in retaliation for FBI raids against their peers, hackers overwhelmed the agency’s Web site and left messages criticizing the FBI’s investigation of the hacker incidents. They were limited to the web pages and did not penetrate the FBI’s main computer systems. These attacks were serious in that they disrupted the government’s ability to effectively communicate its message to the population at large, but they are not the most serious threats. While the perpetrators should be punished, they do not warrant the highest level of coverage or attention.

Young hackers want to show off, and hacktivists seek to use the Internet as simply another means to draw attention to their respective causes. What both groups have in common is a desire for attention, and the media is happy to oblige. Insufficiently covered in press reports are the discreet and often silent efforts by serious adversaries to develop tools, techniques, and doctrines for conducting information warfare against the United States and its interests. The imbalance of reporting must change in order for the American public to better understand the extent of the emerging threats.

Despite the extensive coverage of web hacks and Web site vandalism, they amount to mere graffiti in cyberspace. While it is essential that the media act responsibly and not panic the citizenry, they play a crucial role in educating the public as to the dangers, both overt and subtle, presented by information warfare.

6. Lessons from Y2K. Insiders and internal saboteurs, either disgruntled employees or moles, are perfectly positioned to wreak havoc within organizations. Moreover, these people know where the most sensitive information is stored, how to access it, and what to steal or damage. Insiders are ideal candidates for subversion by foreign governments or terrorist organizations. Pressure to solve the Y2K dilemma led the United States government and private industry to emphasize expediency over safety in many cases. As a result, thousands of Y2K consultants have been given unprecedented access to systems that are otherwise strictly protected.

Most crisis managers knew a lot about the Y2K problem, but not enough about its possible consequences. There are some issues that have not generated much media interest, but which present possible national security hazards. Some of the programmers contracted to exterminate the Y2K bug may have exploited their position by leaving a “backdoor,” granting them the ability to subsequently access the system undetected. Aside from the counterintelligence concerns, such backdoor Y2K access can be exploited for theft or disruption. The profile of the likely perpetrator in such a scenario would be a highly skilled software engineer who worked on Y2K remediation efforts and understands both the information systems and the business processes of the enterprise that hired them.

Ideally, the Y2K experience should serve as both a wake–up call and a training exercise so that industry and government can use the lessons learned to become better informed about the potential effects and consequences of cyber threats. Hopefully, Y2K will inspire both industry and government to strengthen information protection and infrastructure assurance. Success is possible with plans in place and a course of action.

7. Cyber Invasion. Currently, several countries possess offensive information warfare capabilities comparable to those of the United States. Most of these nations, however, would be foolish to take down U.S. systems, as this would compromise a valuable intelligence collection method for them. Nevertheless, they are conducting surveillance, mapping critical nodes that can be exploited during future crises.

The ability to identify and reconnoiter such targets is today possible due to the Internet and powerful search engines on the World Wide Web. Moreover, information warfare extends the battlefield to incorporate all of society. In the same way that we can no longer rely upon Fort Knox’s steel and concrete to protect U.S. financial assets, Americans can no longer rely upon the two oceans to prevent a mainland invasion.

The myth persists that the continental United States has not been invaded since 1812. In reality, invasion through cyberspace has become a daily occurrence. Currently, an Internet-connected computer or server in the United States is broken into every twenty seconds. While an assailant can penetrate borders in a matter of nanoseconds, the law enforcement official charged with the assailant’s apprehension must stop at these borders and cannot adequately pursue the attacker. In essence, we have created a “global village” without a police department.

Enemies also have the luxury of choosing between civilian and military targets. As military targets become better protected, assailants will naturally turn to more vulnerable prey. Industry and government need to solidify their partnership in the face of this reality.

8. Public and Private Overlap. Due to financial considerations and efficiency principles, military and civilian sectors are interdependent. The U.S. military is becoming increasingly dependent on applications developed by the civilian world. Specifically, U.S. forces rely on Commercial Off–The–Shelf (COTS) technology, and commercial systems and services. U.S. forces also count on commercial transportation services and facilities for mobilization and logistics support. These all have an information technology component, be they air traffic control or ground transportation. These systems are largely under civilian control and are responsible for ensuring the delivery of people and machines from place to place.

About 95 percent of Defense Department communications travel over commercial networks, services, and lines. The substance of the communiqués can be protected through encryption, which can better protect confidentiality of information, and to a lesser extent, the integrity of the information. All of the encryption in the world, however, cannot prevent denial-of-service attacks. The physical connections (the satellite links, glass fibers, metal wires, and microwave stations) go relatively unprotected. Additionally, in embracing COTS, the Pentagon is now more likely to purchase hardware, software, and firmware from various domestic and overseas sources. Similar risks occur in business with just-in-time delivery and reliance on electronic information transfers.

9. Privacy vs. National Security. The delicate balance between privacy and security is an ever–present tension in American society. One hundred years ago, government employees did not undergo background investigations for security clearances in the same manner as today. However, over the course of the tumultuous twentieth century, background investigations, security clearances, and loyalty oaths became the necessary price that many Americans paid to serve in critical civilian and military positions.

As government and other organizations compile databases to track everything from driver’s licenses to medical histories, Americans have become more sensitive to privacy issues and the specter of numerous “Little Brothers” in addition to “Big Brother.” Serious debates are also raging on such matters as encryption technology and the ability to track and trace cellular phones.

Tools that ensure privacy and convenience for the United States do the same for its adversaries. The encryption software that protects sensitive financial information also allows a terrorist to conceal a destructive plot. The ability to track cellular phones may prove critical in stopping or capturing those who are conducting hostile operations. The key issue here is not whether a line must be drawn, but rather, where it will be drawn. The United States must reallocate and manage intelligence assets in order to ensure that policymakers develop an accurate, comprehensive understanding of the threat posed by information warfare. Information must not be trapped in narrow channels, but should instead flow to all sources that may be affected, including business concerns. We do not have to choose between privacy and national security; we can have both.

10. The Rule of Law. Almost all of the issues discussed in this article have legal implications, yet the United States has only just begun to consider the necessity of amending existing laws and passing new ones. Laws that do not necessarily appear to have a direct application to national security are relevant. Unless changes are made to the Freedom of Information Act and certain anti–trust statutes, it will be virtually impossible for industry and government to share information that would help defend against cyber threats.

Almost all U.S. national security legislation is based on American operations in air, on land, on water, and in space. And it is not surprising that a large percentage of U.S. laws concern physical property and associated rights. Many of these laws, and the entities that enforce them, have their authority based upon, and limited by, geography. But with the movement of conflict to the electronic domain, the United States, without delay, must conform its statutes to reflect the corresponding jurisdictional issues. Our legislative and legal mechanisms are admittedly cautious in a world that is moving with ever–increasing speed. Mindful of the tradeoff between these deliberative processes and the rapid development of cyber threats, the United States cannot effectively address twenty–first–century crimes armed only with nineteenth–century laws.

Community and Defense. The United States has faltered in the face of cyber threats because, despite considerable efforts, the national focus is strategically misplaced. The media misdirects the nation’s attention, using more ink to report hacker exploits than the substantive national security threats made possible by information technology. This same technology has also enhanced the role of individuals in the national security arena. Gone are the days when one needed to raise an army, build a command structure, train soldiers, and purchase weapons to attack an adversary. The price of entry is at an all–time low. Widespread destruction can be perpetrated from the comfort of one’s living room with inexpensive tools, or over telecommunications networks designed, ironically, for collective convenience. Industry and government must establish a genuine partnership. In some way, we must introduce the “sandals” to the “wingtips.” The Department of Defense should not be the only entity concerned with defending American interests in cyberspace. Government no longer has the luxury of having all the knowledge or assuming that it will be in a position to provide all of the answers. If we are to ensure that all relevant parties have a seat at the table, a bigger table must be furnished.

The administration should be applauded for its initial efforts with PDD-63. However, to truly enhance national security, such efforts must extend beyond the government-centered parameters of PDD-63. The United States must make an irrevocable commitment in terms of education, awareness, sensible application of technology, and decisive action.

Perhaps the old notion that security begins in the communities, with neighbors watching out for each other, is more significant now than ever before. Interconnectedness will become the sine qua non of everyday life now that everyone has a vested interest in community protection. As interdependence among institutions and individuals grows, particularly in the realm of cyberspace, the distinctions between public and private, industry and government, and “your” and “my” responsibility fade, and are replaced by “our” responsibility.

President John F. Kennedy once said, “The best time to fix the roof is when the sun is shining.” The time to begin thinking about, and addressing, the challenges posed by cyber threats is now.