The Web As Weapon
Will the networked world become a new digital battleground?
This is part of IEEE Spectrum's special report: Always On: Living in a Networked World
This fall, as tensions in the Middle East erupted into vicious street fighting, a different sort of pitched battle was being waged behind the scenes. With all the fervor of their comrades in arms, computer-savvy patriots on both sides managed to infiltrate or disable enemy Web servers. And so the Hezbollah site was reprogrammed to play the Israeli national anthem, while Israeli government sites were slowed to a crawl by wave upon wave of hostile e-mail.
As displays of warlike aggression go, the bombs, bullets, and mortar fire that claimed the lives of some 300 Palestinians and Israelis were far more troubling. That said, the prospect of cyber warfare, or information warfare, is a deadly serious matter in military circles. "The electron is the ultimate precision-guided weapon," former Central Intelligence Agency head John Deutch once opined. Indeed, the more heavily we come to rely on computer networks, the greater the fear that adversaries will attack the networks themselves. In the very worst case—what some have termed an electronic Pearl Harbor—a sudden, all-out network assault would knock out communications as well as financial, power, transportation, military, and other critical infrastructures, resulting in total societal collapse.
Civilian and military networks are increasingly intertwined, noted Steve Taylor, an information warfare expert at the U.S. Air Force Research Laboratory's Rome Laboratories, in Rome, N.Y. "The advent of the Internet means there really isn't an outside anymore. Even when we're planning an Air Force mission, it coexists within the World Wide Web infrastructure."
Another concern is that the military's push toward commercial off-the-shelf technology is exposing vital networks to attack. "A lot of important decisions are being made that will affect the future of information war, but they're being made in Washington State"—home of Microsoft Corp.—"not Washington, D.C.," said Martin Libicki, a senior analyst at the Rand Corp., in Arlington, Va.
Beyond the odd idiot
Military networks tend to be favored targets for hackers. The Pentagon figures it fends off something like a quarter-million attacks a year. Annoying and costly as that may be, it's not the chief worry, said Taylor. "The odd idiot trying to break in--that happens all the time. Our primary concern is the government that's prepared to invest heavily in coordinated strategic attacks on our military and civilian networks." So, although the line between cyber-crime and information warfare often blurs, what separates the two is that the latter is state-sponsored.
For the information warrior, Taylor said, the basic issues are protecting oneself from attack, identifying the attacker, and then responding. By far the most effort has gone into the first area, network security. Here, commercial firms have led the way, producing a host of off-the-shelf hardware, software, and services, from firewalls to intrusion sensors to encryption schemes. [For the civilian world's take on network security, see "No Longer in Denial,"]
The U.S. military is generally regarded as being farthest along in its information warfare preparedness. A fairly recent recognition has been that "it is not possible to simultaneously defend the myriad military, civilian, and commercial networks," Taylor said.
A further recognition has been that simply trying to "keep the bad guys out" is futile, said Dennis McCallam, senior technical staff member at Logicon Inc., Herndon, Va. "No system is perfect--somebody's always going to get in."
New information technology will open up new attack routes, alongside whatever desirable features it offers
Nowadays the focus is on keeping so-called mission-critical networks up and running, and detecting intruders early on, before any real harm gets done. Work is now going into developing early-warning systems for information networks, akin to the radar and satellites that watch for long-range missile attacks. "A system administrator typically only has local knowledge of the health of his own system," explained William Mularie, of the U.S. Defense Department's Defense Advanced Research Projects Agency (Darpa), in Arlington, Va.
A bird's-eye view, by contrast, would allow analysts to correlate attacks from the same IP addresses, or having the same mode of operation, or occurring in a certain time frame. Achieving such a network-wide perspective is the aim of Cyberpanel, a new Darpa program. [ Mularie discusses other information security activities at Darpa in the interview.]
WetStone Technologies Inc., in Freeville, N.Y., a developer of information security products, is at work on a similar tool known as SIFI (short for Synthesizing Information from Forensic Investigations). Any given network will generate forensic data, and that data can come from any of a number of intrusion detection programs, explained Chet Hosmer, WetStone's president and chief executive officer. Once that data is posted on SIFI's Web site, it is automatically synthesized so that analysts can "examine, search, correlate, and graph information on attacks that have happened across many locations," Hosmer said.
Last summer, the computer network in one of the Department of Defense's (DOD's) battle management systems came under attack. Erroneous times and locations began showing up on screen; planes needing refueling were sent to rendezvous with tankers that never materialized, and one tanker was dispatched to two sites simultaneously. Within minutes, though, a recovery program installed on the network sniffed out the problem and fixed it.
The DOD itself staged the attack as a simulation, so as to demonstrate the first-ever "real-time information recovery and response" during an information warfare attack. In the demo, staged by Logicon, software agents were used to catch data conflicts in real time, allowing the system to remain on-line. [ Darpa's James Hendler discusses agent-based systems in the interview]
That last step is key. "We have to ensure the flow of information to the war-fighter," said Paul Zavidniak, who is the technical lead on Logicon's information-warfare-related intrusion detection and forecasting. Network recovery also means preserving the so-called minimum essential data, the basic set of information one would need to regenerate a system should it be disabled.
New information technology will undoubtedly open up new attack routes, alongside whatever desirable features it may offer. Take wireless technology. Jamming remains the tried-and-true mode of attack. But what if, instead of blocking signals, the enemy were to infiltrate communications links and send out false data? Just detecting such an RF attack is tricky. "Unlike the IP [Internet protocol] world, there are no virus checkers or intrusion detectors, and there are a lot of different types of radios and tactical data links," said Zavidniak, whose company recently began studying the vulnerability of military wireless networks.
He points to software-defined radios, such as the Joint Tactical Radio System now under development. JTRS will support, in a single downstream box, all the legacy waveforms and provide interoperability among all existing and envisioned tactical radios. It will also feature software-defined cryptographic capabilities. Being computer-based, however, "introduces a whole new threat to radios that didn't exist before," Zavidniak said.
Of course, an offensive side of information warfare also exists. "Given that you're able to determine the culprit, what is the appropriate response?" asked the Air Force's Taylor. "Obviously you'd have one response for a teenage hacker at a university in the United States, and quite a different one for somebody abroad who is working for a government."
Not surprisingly, the military is rather tight-lipped about its offensive IW capabilities. It's safe to assume, though, that the arsenal includes all the tactics deployed by ordinary hackers--worms, viruses, trapdoors, logic bombs—as well as surveillance technology for intelligence purposes.
The more we rely on networks, the greater the fear that adversaries will attack the networks themselves
Here it may be helpful to distinguish between weapons of mass destruction—which in the case of information warfare would be a widescale assault on assorted military and civilian networks—and what E. Anders Eriksson, a defense analyst in Sweden's Defense Research Establishment, in Stockholm, calls "weapons of precision disruption." The latter comprise lower-level strikes on specific targets, carried out over months or years by, say, an insider whose cooperation has been volunteered, bought, or coerced by a foreign state. That slow-drip mode of attack can be both harder to detect and more damaging over time, Eriksson argued. Pulling off an electronic Pearl Harbor, on the other hand, would mean not just bringing down vast and disparate networks, but keeping them down long enough to inflict real harm.
Information warfare may also be waged as a social engineering campaign. Attacks on important, highly visible sites—the Nasdaq, say—might well shake public confidence. "If you could plant a lot of bogus earnings reports out there, so that you see a 50 percent sell-off in a single day, that would be enough to spook even long-term investors," said Chris Brenton, a researcher at Dartmouth College's Institute for Security Technology Studies, in Hanover, N.H. "I think that type of attack is what we're most vulnerable to, and should be our greatest concern."
Threat to the Net?
So how vulnerable is vulnerable? Not all agree with the dire claims made about information warfare. "Anyone still caught uttering 'electronic Pearl Harbor'... is either an ex-Cold Warrior trying to drum up anti-terrorism funding through the clever use of propaganda, completely out of it, or a used-car salesman/white-collar crook of some type," wrote George Smith, in his often-irreverent computer security newsletter Crypt.
"It's a problem, but not a crisis," is how Rand's Libicki puts it. "Look, any time you institute a new technology, there's going to be downsides. You buy boilers, you get heat, but they may blow up. And so the way to have the positives and not the negatives is to attend to the safety and security issues." Computer networks are no different, Libicki argues. "If the national security of the United States were really on the line, there's a lot people could do that they haven't done yet." Diligent use of encryption and authentication, better policing of network activity, and air-gapping—keeping critical networks separate from noncritical ones—are all possible right now.
"This is not to say that you shouldn't have a few cops on the beat," to keep an eye out for anomalous on-line activity, Libicki added. "But life is not risk-free."