Chapter 13— Protecting Cyberspace
Jacques S. Gansler
Information systems are the critical elements in the transformation of
both military operations and the functioning of society, and they will be
increasingly vital in the future. In the military area, the centrality of
these systems varies from growing dependence on the real-time linking of
distributed intelligence “sensors” and distributed “shooters” (through
complex networked command, control, communications, and computers [C4]
systems) to the rapid responsiveness provided by modern information-based
logistics support systems. On the civil side, it includes the
exponentially growing dependence on computer and communication networks
for everything from government operations to the full infrastructure of
the financial, medical, transportation, utilities, and other systems that
determine the effective operation of modern society. The problem, of
course, is that with this growing dependence on information systems, we
expose ourselves to a rapidly growing and increasingly dangerous spectrum
of information warfare (IW) operations. These might include direct
military information system attacks aimed at prevention, disruption,
intelligence gathering, or deception; cyberterrorism attacks on civil
infrastructures, such as banks, water and power systems, air traffic, and
hospitals; and even combined and simultaneous attacks on both military
systems and their supporting civil infrastructures.
This vulnerability of modern military and civil society to information
warfare must be addressed with appropriate defenses. Clearly, however, the
potential benefits of offensive information warfare are also likely to be
fully exploited by all sides. To better understand this cat-and-mouse game
of offensive and defensive information warfare operations, consider the
almost-ubiquitous Internet.
Origins of the Internet
The Internet has evolved from its roots 30 years ago as an academic
research tool to become a global resource serving millions of individuals
as well as providing critical connectivity for national security,
industrial, economic, and governmental functions. To understand the
current issues of Internet security, it is important to understand its
history and heritage. The Department of Defense (DOD) Advanced Research
Projects Agency (ARPA), now DARPA, sponsored the initial research on
packet-switching technology, the enabling technology for the Internet, and
published a plan for a computer network called ARPANET in 1967. In October
1969, the first four nodes were established at the University of
California at Los Angeles, the Stanford Research Institute, the University
of California at Santa Barbara, and the University of Utah.
The potential utility of computer networking was not lost on other
communities, and by the mid-1970s other computer networks began to spring
up at the Department of Energy, the National Aeronautics and Space
Administration (NASA), the National Science Foundation (NSF, which funded
CS-NET), and throughout a variety of academic communities. These networks
were still largely incompatible until 1986, when ARPA and the NSF made
their networks interoperable using the ARPA-developed communication
protocol known as TCP/IP. The high-speed national links developed by the
National Science Foundation (NSFNET) became the national backbone for this
combined network, but it was still restricted to research and education;
commercial use was, in fact, prohibited. Security was not believed to be
an issue, since access was restricted to trusted users.
By 1990, the Internet had grown from 4 hosts to 300,000. The ARPANET
was formally shut down, and the NSF began to manage the Internet. In 1991,
liberalized restrictions on commercial use coupled with the growing
availability of personal computers fueled the explosive growth of the
Internet. In 1995, the Internet was privatized, and by January 2001, it
had grown almost twenty-fold to 109,574,429 hosts.1
Based on the nature of the Internet’s early evolution, however, security
was not a primary consideration in the design. Partly for that reason, the
Internet continues to provide many security challenges.
Increasing Public-Private Activity
In the near future, the Internet will be ubiquitous, transparent, and
integrated into everything we do. The benefits of this cheap, reliable
communication have been enormous. As the public and private sectors
continue to look for ways to take advantage of opportunities created by
the Internet, the interaction and activity between the two sectors will
continue to increase in ways that often obscure the ways in which we are
becoming dependent on it.
As a result of advances in information technologies, it is possible for
us to tie together infrastructure, data, and daily operations in ways not
possible before. Today, computer networks control the Nation’s powergrids,
natural gas pipelines, and transportation systems. Both Federal Express
and United Parcel Service, for example, depend upon computer networks to
get packages where they are going on time. U.S. industries design and
manufacture products on computer aided design/computer aided manufacturing
(CAD/CAM) systems (for example, Boeing designed the Boeing 777 in “virtual
space”). More than people realize, these systems and networks are all
interconnected on the Internet. The business sector, early on, recognized
the commercial potential of the information revolution and quickly made
the Internet a commercial medium. Although there have been some setbacks,
electronic commerce has a bright future; business-to-citizen revenues are
estimated at $96 billion in 2001, and business-to-business online revenues
at $448 billion, nearly double the previous year.
Most of the initial Internet-related efforts by Federal and state
governments were aimed at making information available to internal users
and to the citizens at large; the Federal Government, for example,
maintains approximately 100 million Web pages at 25,000 Federal sites. DOD
placed virtually all of its unclassified data online, including what was,
in hindsight, sensitive data, such as the floor plan of the home of the
Chairman of the Joint Chiefs of Staff; the operational status of Air Force
wings; and unit personnel rosters. (DOD Web sites have since been
“sanitized” and are continuously monitored for sensitive data.)
Government has absorbed lessons from private industry (for example,
reengineering processes to reduce paperwork and delays can improve
performance and efficiency). As government use of the Internet has
broadened and become more sophisticated, so-called E-government is
booming. Both Federal and state agencies are actively migrating many
essential functions to the Internet. Agencies are now turning to the
Internet to provide interactive electronic public services. For example,
the Internal Revenue Service has a working presence online and is actively
encouraging taxpayers to get help and to file their returns online. In
2001, 28 percent of U.S. returns were filed electronically. Federal
employees are now able to access and manipulate their pension funds
online, and some can monitor and manage their pay online. In the near
future, we can expect that many other generally available services, such
as Social Security, Medicare, and Medicaid, will be conducted primarily
online, offering citizens better service and improving agency
performance.
Additionally, agencies are turning increasingly to the Internet for
“paperless acquisition.” Since Federal, state, and local governments spend
approximately $550 billion annually on goods and services, there is
significant incentive for process improvements and savings. The Department
of Defense already has several mature electronic procurement sites,
including the DOD “E-MALL,” an initiative to provide a single entry-point
for DOD customers to find and acquire off-the-shelf goods and services,
such as information technology (IT) equipment, textiles, and training from
both the commercial marketplace and government sources. The E-MALL target
market is in excess of $4 billion annually. The Defense Medical Logistics
Standard Support (DMLSS) program is an integrated system to accommodate
the needs of the Armed Forces at the wholesale and retail levels for
medical logistics support. It relies on electronic commerce and Web-based
technology to speed delivery of pharmaceutical, medical, and surgical
items to customers, negating the need to stock large inventory at depots
and military treatment facilities. At the Great Lakes Naval Hospital, one
of the first sites online, inventory was cut from $3 million to $3,000
using DMLSS.
These examples illustrate the kinds of programs that the government is
migrating to the Internet in order to make as many functions as possible
available online and fully integrated with private citizens and private
industry. As we expand our definition of national security interests,
particularly since September 11, to include financial security,
healthcare, education, and personal privacy, and as ownership of
critical IT infrastructures moves increasingly into private hands, it is
clear that the Internet will require a public-private partnership with a
high degree of collaboration to develop effective policy, goals,
objectives, and, especially, defenses against information warfare
attacks.
Growing Vulnerability
In the United States, we are blessed with wonderful geography
from a national security perspective; we have friendly countries to the
north and south and large oceans to the east and west. In the past, few
enemies have ever had the means to threaten our homeland seriously. So,
for most of our history, we have not had to worry about being attacked at
home. There was a 40-year period during the Cold War when Soviet bombers
and intercontinental ballistic missiles were poised to attack our cities,
but with the demise of the Soviet Union, the successes of strategic arms
reduction talks, and the warming of relations with Russia, we once again
felt safe. Recent terrorist attacks, however, have reminded us of our
physical vulnerability.
At the same time, we also are making the transition to the new
borderless geography in cyberspace. As we grow more dependent on the
Internet, its inherent vulnerabilities have put all of us—government,
military, industry, and citizens—at risk. The Internet was originally
designed to be open, based on the premise that users were known and
trustworthy. Security was not designed in from the beginning, so as the
Internet has evolved into the current global network of networks, we have
found it difficult to provide security for our data and transactions. The
rapid pace of technical innovation introduces unanticipated
vulnerabilities with every advance, and commercial software suppliers are
often more eager to get their new products out in the market than they are
anxious to assure their invulnerability.2
Our security planning, often based on the older models of mainframes or
well-defined networks within a single organization, has proved inadequate
for this new environment with its ever-increasing threat.
Shared Threat
Cyberspace tends to level the playing field between the entities in
that space and offers attackers many high-value, low-risk targets. The
threats can come from a hacker, an insider, a criminal, a terrorist, a
hostile nation-state, or even some combination of these. The motivations
can be equally diverse—mischief, theft, data collection, disruption of
operations, falsification of data. The threats, obviously, can be aimed
equally well against military or civilian targets. The weapons, with
innocuous-sounding names like worms, viruses, and even Trojan horses, are
themselves readily available on the Internet. Most important, the Internet
itself is a very attractive target.
Unlike physical break-ins, Internet attacks are easy. An attacker who
gets access to a Web site can roam around freely and from a safe distance.
Although in the past, a great deal of technical sophistication was
required to penetrate a computer network, attacks are now possible even by
much less well-informed adversaries; successful intruders share their
programs—often with “hacking for dummies” type scripts—enabling anyone to
duplicate their efforts.
Attackers can and do obfuscate who and where they are, making Internet
intrusions and attacks difficult to trace. Additionally, because the
Internet allows packets to flow easily across political, administrative,
and geographic boundaries, cooperation from many different entities, many
without a vested interest, may be required to trace an attack.
Consequently, attackers often operate (or appear to operate) from other
countries, and thus international cooperation is required to trace and
investigate attacks.
Internet attacks are low-risk: since the attackers do not need to be
physically present, the risk of identification is greatly reduced. Much of
the activity is often masked by legitimate or unrelated activity, and
because multiple jurisdictions may be involved, prosecution can be
difficult and sometimes impossible.
As a result of these factors, and in spite of increased awareness and
security measures, attempted penetrations of Internet sites are steadily
increasing. The number of incidents reported worldwide grew from
approximately 2,000 in 1997 to 21,756 in 2000. Fully 15,476 incidents had
been reported in the first half of 2001.3
Since this reporting is voluntary, these figures presumably understate the
actual number considerably and reflect merely the trends in the
numbers.
The Department of Defense
Hundreds, and more likely thousands, of attacks are attempted against
DOD systems and networks each week. DOD estimates that, in 2001 alone, it
was likely to face around 40,000 attempted attacks.4
Most of these are unsuccessful, but in 2000, 715 documented attacks were
reported that achieved varying degrees of success. Of course, many others
may have gone undetected.
Although the threat to and vulnerability of U.S. information systems
has been the focus of much discussion, DOD perception of the information
warfare threat has particularly been shaped by several real-world events.
In 1997, recognizing that the American information infrastructure was at
risk, DOD planned the first large-scale exercise to test Defense ability
to respond to a cyber attack on the national infrastructure, nicknamed
ELIGIBLE RECEIVER 97 (ER97).5
It was planned and executed by a team of National Security Agency (NSA)
computer specialists.6
Their role in the exercise was to play the adversary making a concerted
effort to hack into U.S. systems.7
The offensive team operated under many restrictions: they had to
conduct their attacks without violating any U.S. law; they could not take
advantage of any insider information or collateral intelligence; and they
could only use tools that could be claimed to be in an adversary’s hands
(all tools and techniques were based on unclassified, open-source data).
During the exercise, NSA specialists scripted attacks that would have
resulted in a series of rolling electricity blackouts and an overload of
the 911 emergency telephone service in Washington, DC, and a handful of
other cities. The potential for attack on the powergrid was demonstrated
by simulated attacks on the computerized sensing and control devices that
are commonly used in operating electrical, oil, gas, transportation, and
water treatment systems.8
Even with restrictions and a tight 3-month schedule, the exercise
demonstrated many weaknesses.9
It was clear that a dedicated and moderately sophisticated adversary with
modest resources could inflict considerable damage unless the target
systems were more effectively protected.10
In 1998, the United States was involved in a serious weapons inspection
crisis with Iraq, which was refusing to permit United Nations (UN)
inspectors unrestricted access. The United States, in addition to being
involved in the UN negotiations with Iraq, was preparing for possible
military strikes.11
Several cyberattacks—unauthorized intrusions into approximately six
military networks around the country—were picked up in the U.S. Air
Force’s Information Warfare Center in San Antonio, Texas.12
Five hundred domain name servers were compromised. The attacks used the
same technique to exploit a vulnerability in the Sun Solaris operating
system. The intrusions were initially tracked to Abu Dhabi in the United
Arab Emirates.13
Under the circumstances, there was considerable concern about a major
asymmetric attack by Iraq or its sympathizers on logistics, medical, or
resource systems during the crisis period.14
The newly established National Infrastructure Protection Center (NIPC)
coordinated a multiagency investigation into the attacks (code-named SOLAR
SUNRISE) that determined within a few more days that they were not the
work of Iraqi agents operating from the Middle East but were in fact
orchestrated by two California teenagers with the help of an Israeli citizen.15
The Department of Defense was still evaluating the implications of ER97
and the SOLAR SUNRISE investigation when, in January 1999, DOD, the
Department of Energy, military contractors, and civilian university
computer systems were attacked in the largest assault yet.16
Congressman Curt Weldon (R-PA), quoting Deputy Secretary of Defense John
Hamre, stated: “We are at war right now. We are in a cyberwar.” Weldon
characterized these attacks as being in a different class from the
approximately 400 probes picked up each week: “These attacks are
organized, very capable efforts that have very specific goals, based upon
what we’ve seen.”17
The attacks, which apparently originated in Russia, began at a low
level in January and reportedly gained “root access” to certain systems.
The penetrations were on unclassified but nonpublic systems; they
apparently achieved no access to classified data. Nevertheless, the damage
could be significant because these unclassified systems often contain
useful and sensitive information.18
After 3 years of investigations and thousands of files stolen, the
evidence still points to Russia. James Adams, a consultant who serves on
the NSA Advisory Board, wrote in May 2001:
the assault has continued unabated....Despite all the investigative
effort, the United States still does not know who is behind the attacks,
what additional information has been taken and why; to what extent the
public and private sectors have been penetrated; and what else has been
left behind that could still damage the vulnerable networks.19
A more recent example was a malicious denial-of-service attack that
took place on July 19, 2001. According to the NIPC, Code Red, an Internet
worm, infected more than 250,000 Internet systems in just 9 hours;
Computer Economics, Inc., estimated over 1,000,000 infections worldwide.20
Code Red damaged sites by defacing Web pages; it also denied access to
certain Internet addresses by sending massive amounts of data, which
effectively shut down the addresses. As a result of the attacks, DOD was
forced to shut down its Web sites; the White House was forced to change
its Internet address; the Department of the Treasury Financial Management
System was infected and had to be disconnected from the Web; users of the
Qwest high-speed Internet service experienced outages nationwide; and the
Federal Express package-tracking system was infected, causing delivery
delays. The initial economic cost was estimated at over $2.4 billion in
costs associated with cleaning, inspecting, and patching servers, as well
as damage to productivity.
Shared Responsibilities
Public and private sectors are increasingly dependent on the Internet,
even with its many systematic vulnerabilities to a broad range of threats.
There is no question that defending against information warfare and
assuring unhampered access to the Internet is a responsibility shared by
both public and private sectors. The government has a clear responsibility
in the protection of information systems, especially where national
security is at stake. One of the Federal Government’s fundamental
responsibilities is to protect the Nation from all threats, foreign and
domestic, and this, of course, includes protection from threats to the
collective information systems that comprise the Internet. There are,
additionally, law enforcement responsibilities for protecting these
systems against terrorist threats and criminal activity. While attacks to
date have not caused devastating disruption, the potential for
catastrophic damage is significant. As the events of September 11
demonstrated, sometimes even the unimaginable is possible. Cyberterrorism
is clearly a growing and very real probability.21
The private sector, on the other hand, owns most of the information
infrastructure and develops most of the technology and software that
enable it. As a result of these factors, the shared public-private
responsibility of providing security to our information systems suffers
from a misalignment of authority, responsibility, and capability: “those
with authority to act often lack the capability, while those with the
capability to act often do not have the responsibility.”22
Directions for Solutions
As the way in which we use information and information systems
continues to evolve, it may be some time before the public and private
elements are correctly aligned. In the interim, if we are to improve
our capability against cyberattacks, we must do a much better job of
sharing information between the public and private sectors. First, having
information on threats and on actual incidents experienced by others can
help an organization better understand the risks that it faces and
determine what preventive measures should be implemented. Today’s nuisance
incidents may in fact be tests or probes for future attacks. Information
attacks cannot be launched blindly but, like any other weapon, must be
tested. In addition, urgent real-time warnings can help an organization
take immediate steps to mitigate an imminent attack. Finally, information
sharing and coordination after an attack are critical to facilitate
criminal investigations, which may cross many jurisdictional boundaries.
After-the-fact coordination will be essential to speed the recovery from a
devastating attack, should one ever occur.
The government has recognized its central role in this
information-sharing function and has several developing efforts. At the
Federal level, for example, the National Infrastructure Protection Center,
located at the Federal Bureau of Investigation (FBI), was established to
serve as a focal point in the Federal Government for gathering information
on threats, as well as to facilitate and coordinate responses to incidents
affecting key infrastructures. It is also charged with issuing attack
warnings to private-sector and government entities, as well as alerts
about changes in threat conditions. The National Institute of Standards
and Technology is building a database containing detailed information on
computer attacks. The Federal Government also sponsors the Computer
Emergency Response Team Coordination Center at Carnegie Mellon University,
which studies Internet security vulnerabilities, handles computer security
incidents, publishes security alerts, researches long-term changes in
networked systems, and develops information and training. Early in 2001,
the Department of Commerce sponsored the formation of a private-sector
nonprofit alliance, the Information Technology Information Sharing and
Analysis Center (IT-ISAC). Its mission is to exchange information on
potential and known threats and vulnerabilities for the information sector
and to share that information with Federal law enforcement. (It joins
existing ISACs for the energy, financial services, transportation, and
telecommunications sectors.) IT-ISAC has 19 members so far, including
major corporations, such as AT&T, IBM, Cisco, and Microsoft. President
George W. Bush has appointed Richard Clarke as a special adviser to work
with Governor Tom Ridge in the Office of Homeland Security to coordinate
the protection of the Nation’s computer infrastructure.
One of the key elements to the success of information-sharing
partnerships is developing trusted relationships among the broad range of
stakeholders involved with providing information assurance, including the
public and Internet community at large, law enforcement, government
agencies, the intelligence community, providers of network and other key
infrastructure services, technology and security product developers,
incident response teams, and international standard-setting bodies.
Information sharing must be seen as equitable, and it must provide value
over and above the costs that it imposes. There are some real and
perceived industry concerns that range from antitrust issues of sharing
information with industry partners to subjecting information to Freedom of
Information Act (FOIA) disclosures. Inadvertent releases of trade secrets
or proprietary information are a concern because they could damage
reputations, lower consumer confidence, and hurt competitiveness. Sharing
information with law enforcement could result in costly compliance with
strict rules for preserving the integrity of evidence. The government is
reluctant to share classified information, even though it could be of
value to the private sector in deterring or thwarting electronic
intrusions and information attacks. This is particularly the case with any
potential offensive tools and techniques, which are extremely sensitive
from a national security perspective but are, of course, necessary for
effective testing of defensive capabilities. The government clearly must
work with industry to develop mechanisms to overcome each of these
impediments.
Specific Recommendations
Some useful actions to decrease U.S. vulnerability to information
warfare include the following: First, we need to have meaningful
information sharing, and for this, we must develop standard definitions
and terminology for use throughout the government and industry. A clear
understanding of what is meant by an attack and how to categorize
an incident will be essential to enable faster and more efficient
reporting, responding, and remediation. Distinguishing between an incident
that is classified as criminal and one that is a national security threat
will help determine the type and timeframe of the response. We may, for
example, choose to let potential criminal activity proceed to gather
evidence but may need to react immediately to a national security
attack.
Second, we need to overcome information-sharing roadblocks. Information
sharing between the government and private sector remains a vitally
important yet elusive goal. Among the several Federal Government
initiatives, the primary focus is on the NIPC, which is housed within
the FBI and has a decided emphasis on criminal investigation. This creates
a problem within the government since it puts the FBI in a position to
decide what information other agencies need to see. Industry, to say
nothing of any international partners, will also naturally be reluctant to
report incidents to the FBI. Another source of private-sector
reluctance to share information with the government is the requirements
imposed on government by FOIA.23
To facilitate uninhibited information exchange and protect competitive
positions, sensitive industry data needs to be exempted from FOIA
requirements. Other models for collection and dissemination of
vulnerability and threat information—for example, a single nonprofit
information clearinghouse—should be explored and developed.
Finally, government needs to develop mechanisms to share sensitive and
perhaps even classified threat data about pending attacks with industry
partners, both domestic and international. This will help ensure that all
information is available to those entities that are best equipped to
mitigate the impact. Government must be willing to share all appropriate
information in response to industry concerns if it hopes to overcome the
hurdles to achieving a mutually beneficial partnership.
Although improving organizational information sharing can significantly
improve our ability to defend against an IW attack in the near term, there
are still many technical challenges to providing security and assurance
within a distributed information environment. Our goal should be to create
an Internet infrastructure that is highly automated, adaptive, and
resilient to all types of attacks. An obvious first step is to improve the
overall quality of software security. Identifying products with easily
exploitable vulnerabilities and preventing them from being widely used
will reduce the more pedestrian attacks. Incentives should be created for
firms to improve the attention and resources that they devote to enhancing
their software and system protections; this suggests a useful role for
government managers and buyers, and even more for senior industrial
managers and buyers.24
In addition, there are technologies that could, if properly developed,
be useful in resisting and responding to inevitable cyberattacks. Among
those that merit increased attention are some in the area of intelligence
gathering. We should be developing tools that allow us to take the
initiative to gain insight into the capabilities and intentions of
potential adversaries. For example, it would be quite useful to have an
active software agent, using secure mobile code, that could monitor and
collect information on hostile entities in order to provide early warning
of attack. We currently have difficulty identifying novel attack patterns,
especially against the Internet’s widely distributed network. Insiders
pose a particular threat to all information systems; therefore, developing
systems to automate the processes of detecting, identifying, and analyzing
novel attack patterns and anomalous behavior would improve our ability to
provide warnings and reduce false alarms.
Opportunities for disruption will only increase as the complexity of
the Internet networks increases. We need to continue research and
development to guard against unknown attacks and to protect against
systems with unknown flaws. We need to develop automated mechanisms to
detect and nullify malicious codes that may be left behind in an
undetected attack. We have designed many fault-tolerant systems to cope
with naturally occurring faults and failures, and we need to extend these
capabilities to develop networks that are resistant to insertion of
intentional faults and to denial-of-service attacks conducted by
adversaries. Present capabilities for detecting large-scale intrusions
against multiple systems are limited. We need to accelerate the
development of an advanced intrusion detection capability that can fuse
and correlate information from distributed sensors.
Even with an adequate warning system and good defenses, some attacks
will be successful. Thus, we need to have the technology in place to
address the consequences of these attacks. We need to be able to assess
systems quickly and answer important questions: Was something done to the
system? If so, what was done? Is the system okay? What is the reliability
of the data? When we understand the answers to these questions, we need to
be able to move quickly to restore user trust in the system. If a system
has been attacked successfully, we need to be able to recover quickly from
the attack, bring the system back to full performance, and take corrective
action so that it will not be susceptible to a similar attack.
This discussion has focused on information-sharing processes and
technology, but we should also recognize that one of the most critical
elements in any comprehensive defense against an information warfare
attack is the people who use and operate our systems. Whatever else we do,
we must develop a continuing program to promote understanding of security
policies and controls and of the risks that prompted their adoption.
Better understanding of the risks will allow executives to make more
informed decisions regarding the resources required to protect their
systems. The first line of defense is the system user, who must understand
the importance of complying with policies and controls.
One of the most effective ways for both the private and public sector
to assure secure systems is to conduct frequent red team attacks on their
own systems. Skilled red teams can probe systems for vulnerabilities so
that they can be fixed before someone else finds them. While many in the
private and public sector are reluctant to test their own systems, the
return on investment here is extremely worthwhile.
Conclusion
While this discussion has focused on the illustrative case of the
Internet, its expansion to other systems—both military and civilian—is
obvious. Today, we know that 20 foreign nations are developing information
warfare doctrine, programs, and capabilities for use against U.S. military
and private sector networks; numerous terrorist networks have similarly
recognized the potential of these “weapons of mass disruption” and have
begun to exploit them. Of course, the United States can also take full
advantage of the offensive military potential of information warfare to
broaden its military options and capabilities. However, as a military
force and as a civil society, the United States is already the world’s
most dependent on information systems, and we are moving more and more in
that direction. As we transform our forces and our society in the
information age, we become ever more vulnerable. Thus, we have a very real
requirement to address our information systems vulnerabilities before it
is too late.
Notes
1. Based on data from the Internet Software Consortium. A host denotes a
single machine on the Internet. However, the definition has changed in
recent years due to “virtual hosting,” in which a single machine acts like
multiple systems (and has multiple domain names and IP addresses).
Ideally, a virtual host will act and look exactly like a regular host,
so they are counted equally. For the research above, and in many other
areas of this chapter, the author is deeply indebted to the assistance
of William Lucyshyn.
2. Moreover, to lower costs, many software firms now go offshore for their
programming, further raising the chance of vulnerability.
3. Statistics are from the Computer Emergency Response Team (CERT)
Coordination Center at Carnegie Mellon University.
4. D.A. Fulghum and R. Wall, Aviation Week and Space Technology,
November 5, 2001, 26.
5. John J. Hamre, Congressional testimony, February 23, 1998.
6. Bradley Graham, “Hackers, Simulation, Expose Vulnerability,” The
Washington Post, May 24, 1998, A1.
7. Stephen Green, “Pentagon Giving Cyberwarfare High Priority,” Copley
News Service, December 21, 1999.
8. Graham.
9. Goss.
10. Kenneth Minihan, Statement before the Senate Governmental Affairs
Committee, Hearing on Vulnerabilities of the National Information
Infrastructure, June 24, 1998.
11. “Prospect against Iraq Prompts Demonstrations,” The Washington Post,
February 15, 1998, A31.
12. Graham.
13. Gregory L. Vistica and Evan Thomas, “The Secret Hacker Wars,”
Newsweek, June 1, 1998, 60.
14. Protecting the Homeland, 2.
15. Michael A. Vatis, Statement for the Record on the National
Infrastructure Protection Center before the Senate Armed Forces
Committee, Subcommittee on Emerging Threats and Capabilities, March 1,
2000.
16. Gregory L. Vistica, “We’re in the Middle of a Cyberwar,” Newsweek,
September 20, 1999, 52.
17. John Donnelly and Vince Crawley, “Hamre to Hill: ‘We’re in a
Cyberwar,’” Defense Week, March 1, 1999.
18. Vistica.
19. James Adams, “Virtual Defense,” Foreign Affairs 80, no. 3 (May-June
2001), 98.
20. A worm is an attack that propagates itself through networks without
any user intervention or interaction.
21. See Mike Toner, “Cyberterrorism Danger Lurking,” The Atlanta
Journal-Constitution, November 4, 2001, A4.
22. Arnaud de Borchgrave, Frank J. Cillufo, Sharon L. Cardash, and
Michele M. Ledgerwood, Cyber Threats and Information Security: Meeting
the 21st Century Challenge, Center for Strategic and International
Studies, December 2000, 4.
23. The Freedom of Information Act guarantees that the public has a right
of access to Federal records and that these records must be made
available to the public, unless specifically exempt from public release.
24. In early 2002, the U.S. Air Force explicitly began to address this
issue with suppliers. See Byron Acohido, “Air Force Seeks Better Security
from Microsoft,” USA Today, March 11, 2002, 3B.