Cyberwarfare Vulnerability Assessment (2007)

Published on February 2017

Cyber-Warfare: The New Front A Technology Assessment

E 497 B Benjamin Franklin Scholars Capstone Final Report
December 5, 2007
Zach Adams, Tyler Barker, Matthew Bruchon, Daniel Clark, Kenny Fearn, Garrett LaRue, Chris Saunders, Katie Woodruff

Table of Contents

0 EXECUTIVE SUMMARY
  0.1 Introduction
    0.1.1 Is Cyber-warfare a Real Threat?
    0.1.2 Defining Cyber-attacks
  0.2 Tools
    0.2.1 Hacking
    0.2.2 Denial of Service
    0.2.3 Computer Viruses
    0.2.4 Packet Sniffing
    0.2.5 Social Engineering
    0.2.6 SCADA Systems
  0.3 Targets
    0.3.1 Military and Government
    0.3.2 Financial Systems
    0.3.3 Critical Infrastructure
    0.3.4 Transportation Systems
  0.4 Consequences
    0.4.1 Economic Consequences
    0.4.2 Social Effects
  0.5 National Agencies and Legislation
    0.5.1 E-Government Act of 2002
    0.5.2 National Infrastructure Advisory Council
    0.5.3 National Strategy to Secure Cyberspace
    0.5.4 United States Computer Emergency Response Team (US-CERT)
  0.6 Policies
    0.6.1 National Policies
    0.6.2 Policy Goals
    0.6.3 Guiding Principles
    0.6.4 Stakeholders
    0.6.5 Policies of Prevention
    0.6.6 Policies of Response
    0.6.7 Policies for Public Awareness and Training
    0.6.8 Policies for Government Cyber-security
    0.6.9 Policies for U.S. and International Cyber-warfare Collaboration
    0.6.10 Policies for Military Use of Cyber-warfare
  0.7 Conclusion
    0.7.1 Is Cyber-warfare a Threat?
    0.7.2 The Way Forward

1 INTRODUCTION
  1.1 What Is at Stake?
  1.2 Is Cyber-Warfare a Real Threat?
  1.3 Defining Cyber-attacks

2 TOOLS FOR CYBER-ATTACKS
  2.1 Hacking
  2.2 Denial of Service Attacks
    2.2.1 Vulnerabilities
    2.2.2 Sensor Networks
    2.2.3 Denial of Service on the Internet
    2.2.4 Executing a Distributed DoS Attack
    2.2.5 Hacking Communities
    2.2.6 Case Study: United States and China Cyber-Conflict in 2001
    2.2.7 Defense against DoS Attacks
    2.2.8 Defending Individual Systems
    2.2.9 Defending Local Networks
    2.2.10 Defending Extended Networks
    2.2.11 Case Study: Estonia DDoS Attacked by Russia
  2.3 Computer Viruses
    2.3.1 Types of Viruses
    2.3.2 Effects of Viruses
    2.3.3 Defense against Viruses
  2.4 Packet Sniffing
    2.4.1 Data Streams and Packets
    2.4.2 File Transfer Protocols
    2.4.3 Networking Schemes
      2.4.3.1 Ethernet Networks
      2.4.3.2 WiFi Networks
      2.4.3.3 Network Interface Cards and Promiscuous Mode
    2.4.4 Implementations
      2.4.4.1 Spoofing
      2.4.4.2 Limitations and Counters
    2.4.5 Scenarios
      2.4.5.1 Public WiFi Service
      2.4.5.2 University Networks
  2.5 Social Engineering
    2.5.1 Confidence Schemes or Trust and Attack Models
    2.5.2 Phishing
    2.5.3 Dumpster Diving
    2.5.4 Case Studies
  2.6 SCADA Systems
    2.6.1 Scope of the Threat to SCADA Systems
    2.6.2 Vulnerabilities
      2.6.2.1 Original Development Flaws
      2.6.2.2 Corporate Network Security
      2.6.2.3 Company Security Procedures
      2.6.2.4 Who Could Gain Access?
    2.6.3 Case Studies
      2.6.3.1 Hunter Watertech
      2.6.3.2 Roosevelt Dam

3 TARGETS
  3.1 Military and Government
    3.1.1 Data Theft and Corruption
    3.1.2 Battlefield Cyber-attacks
    3.1.3 Foreign Threats
  3.2 Financial Systems as a Target
    3.2.1 Overview
    3.2.2 Direct Attacks on Financial Systems
  3.3 Infrastructure
    3.3.1 Power Utilities
      3.3.1.1 Why is the Power Grid so Vulnerable?
      3.3.1.2 What is Being Done?
    3.3.2 Emergency Response
    3.3.3 Communications
  3.4 Transportation Systems as a Target
    3.4.1 Public Transit Systems
    3.4.2 Shipping Networks
    3.4.3 Air Transportation Networks
      3.4.3.1 Aircraft Internal Electronic Control Systems
      3.4.3.2 Air Traffic Control System
    3.4.4 Conclusions

4 CONSEQUENCES
  4.1 Economic Consequences of Cyber-Warfare
    4.1.1 Economic Consequences of Hacking
    4.1.2 Economic Consequences of Infrastructure Attacks
    4.1.3 Economic Consequence of Combined Attacks
  4.2 Social Effects
    4.2.1 Public Confidence in the Government
    4.2.2 Public Confidence in Target

5 NATIONAL AGENCIES AND LEGISLATION
  5.1 E-Government Act of 2002
  5.2 National Infrastructure Advisory Council
  5.3 National Strategy to Secure Cyberspace
  5.4 United States Computer Emergency Response Team (US-CERT)
    5.4.1 US-CERT Einstein Program
    5.4.2 Collaborative Groups of US-CERT
    5.4.3 National Cyber Security Division (NCSD)
      5.4.3.1 National Cyberspace Response System
      5.4.3.2 Cyber Risk Management Programs

6 POLICY
  6.1 National Policies
  6.2 Policy Goals
  6.3 Guiding Principles
    6.3.1 Social Considerations
  6.4 Stakeholders
  6.5 Prevention
    6.5.1 Prevention Challenges
    6.5.2 Prevention Products
    6.5.3 Security Personnel
    6.5.4 New Vulnerabilities
    6.5.5 Computer Security and Liability
    6.5.6 Policy Options
  6.6 Response
    6.6.1 Judicial Response to Past Attacks
      6.6.1.1 Russian Man Sentenced for Hacking into Computers in the United States
      6.6.1.2 Melissa Virus
      6.6.1.3 Disgruntled Employee
      6.6.1.4 Israeli Citizen Arrested in Israel for Hacking Government Computers
      6.6.1.5 Konopka Attacks
    6.6.2 National Cyberspace Response System
    6.6.3 Public and Private Ways to Communicate
    6.6.4 Sharing Information
    6.6.5 Policy Options
  6.7 Policies to Promote Cyber-security Awareness and Training
    6.7.1 Policies for Home and Small Business Users
    6.7.2 Policies for Large Enterprises
    6.7.3 Policies for Critical Sectors and Infrastructures
    6.7.4 Policies for the Nation as a Whole
  6.8 Government Cyber-security
    6.8.1 Federal Level Security
    6.8.2 Agency Level Security
    6.8.3 Areas for Improvement
  6.9 US and International Cyber-warfare Collaboration
    6.9.1 United States National Security Policies
      6.9.1.1 Securing the Nation's Cyberspace
    6.9.2 United States International Policies
      6.9.2.1 Utilize International Organizations to Promote a Global "Culture of Security"
      6.9.2.2 Develop Secure Networks
      6.9.2.3 Promote North American Cyberspace Security
      6.9.2.4 Establish International Network of Agencies for Information Relay
      6.9.2.5 Encourage Other Nations to Follow the Council of Europe Convention on Cyber-crime
    6.9.3 International Cyber-security Collaboration
    6.9.4 International Policies
      6.9.4.1 United Kingdom
      6.9.4.2 Germany
      6.9.4.3 Russia
      6.9.4.4 People's Republic of China
  6.10 Military Policy
    6.10.1 Current Military Cyber Units
    6.10.2 Military Uses of Cyber-warfare
    6.10.3 Future of Cyber-warfare in the Military
    6.10.4 Policy Questions

7 CONCLUSION
  7.1 Is Cyber-warfare a Threat?
  7.2 The Way Forward
    7.2.1 What Can Be Done Now
    7.2.2 Policies for the Near Future
    7.2.3 Future Research
    7.2.4 Conclusion

8 APPENDIX
  8.1 Policy Options
  8.2 Open Letter to the President
  8.3 Interview with Douglas Reeves
  8.4 DHS Presidential Directive
  8.5 Works Cited

0 Executive Summary


0.1 Introduction

In the United States, nearly every vital system is connected in some way to the Internet. Originally designed to allow communication in the event of a nuclear war, the Internet could be the next weapon to attack a society revolving around information technology. Cyber-warfare has the potential to cause catastrophic damage to these systems in a world vastly influenced by cyberspace. Given this assumption, one must address the probability of various types and combinations of cyber-attacks that could damage critical systems, as well as the options for response and prevention. Securing these systems will require significant resources from the public and private sectors, as well as significant effort from everyone connected to the Internet. Given the power and influence of cyber-warfare, there is also the possibility of using cyber-warfare as an effective military offensive weapon.

0.1.1 Is Cyber-warfare a Real Threat?

Many of our critical systems are not yet reliant enough on computers to make them appealing or practical targets for a purely cyber-attack. This means that at present a cyber-attack would be most effective in conjunction with a traditional attack to cause physical damage; the more likely consequences of a focused cyber-attack are economic and social. However, as reliance on computers increases steadily with time, future threats will develop where current threats do not exist, and the risk of physical damage and loss of life from a cyber-attack will increase unless proactive policies are implemented.

0.1.2 Defining Cyber-attacks

There are three primary classes of cyber-attacks: cyber-crime, cyber-terrorism, and cyber-warfare. If an attack is not intended to threaten national security or further a national or ideological objective, it is considered cyber-crime.[1] If it is intended to achieve a national or ideological objective, then it is classified as either cyber-warfare or cyber-terrorism. Cyber-terrorism refers to cyber-attacks launched by individuals or small organizations that are intended to further political or social objectives by coercing a government or its people.[2] Cyber-warfare has the same objectives as cyber-terrorism, except that it consists of cyber-attacks launched by a national government as an act of war, just as a physical attack would be.[3]

1

Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly Spring 2000: 101-120. 18 Oct. 2007 <http://www.dau.mil/pubs/arq/2000arq/alford.pdf> 2 Denning, D. (2001). "Is Cyber Terror Next?" New York: U.S. Social Science Research Council, at http://www.ssrc.org/sept11/essays/denning.htm 3 Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly Spring 2000: 101-120. 18 Oct. 2007 <http://www.dau.mil/pubs/arq/2000arq/alford.pdf>


0.2 Tools

0.2.1 Hacking

Traditionally, the term “hacker” has simply been used to refer to a skilled computer user.4 In recent years, this term has been seized by the media and has come to refer specifically to malicious computer users. Due to the popularity and familiarity of the term, “hacking” will be used in this document to refer to all forms of cyber-attacks, and “hacker” for the individuals initiating them. Most hackers are either financially or socially motivated, and have Internet communities dedicated to hacking in which they can share software exploits and other methods of launching cyber-attacks. Sometimes hackers even sell these vulnerabilities on underground auction sites.5,6 Their goals usually consist of information theft or damage to computer systems, since vulnerabilities in sensitive systems and stolen information can be used to cripple vital computer processes. The tools in this section are a small sample of a hacker’s arsenal, but they give a functional idea of how hackers view the systems that governments and corporations use to store and transfer information.

0.2.2 Denial of Service

Denial of Service (DoS) attacks can disable networks or computers by overloading them with traffic, cut off communication between two computers, deny an individual user access to a system, or disrupt service for a particular system or person. DoS attacks exploit the most basic limits of computers: they have finite memory, finite processing speed, and finite communication bandwidth.7 There will never be a way to fully overcome these limitations and prevent DoS attacks, since a system is disabled as soon as it runs out of any one of these limited resources. DoS attacks can disable practically any networked device, not just computers, including sensor networks and cell phones.

In a distributed DoS (DDoS) attack, the attacker first takes control of many unprotected computers, usually by exploiting a known security flaw, and then directs those computers to attack a single target at once, so that no single source has to supply all the traffic and no single source can simply be blocked. The flaws used to recruit these machines are usually distributed throughout hacker communities, where hackers discuss and simplify their methods of cyber-attack. In the past, DDoS targets have included the DNS servers that keep the Internet operational.8
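To make the point about finite resources concrete, here is an added example that is not part of the original report. It models a server with a fixed table of half-open connections (the memory a real host sets aside for handshakes that never complete), floods it, and then checks whether an ordinary client can still connect. The table size, timeout, addresses and timing are all constructed for the illustration; the per-source cap is one common partial mitigation, and the third case shows why it fails once the flood is distributed across many sources.

```python
# Added example (not from the original report): a toy model of resource
# exhaustion. A server has a finite table of half-open connections; a flood
# fills it and legitimate clients are refused. Table size, timeout, addresses
# and timing are constructed for the illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TABLE_SIZE = 16            # finite memory: half-open connection slots (assumed)
HANDSHAKE_TIMEOUT = 10.0   # seconds an unanswered handshake holds a slot (assumed)
LEGIT_CLIENT = "198.51.100.7"


@dataclass
class Server:
    """Tracks half-open connections keyed by (source address, source port)."""
    per_source_limit: Optional[int] = None   # None: no mitigation at all
    now: float = 0.0
    half_open: Dict[Tuple[str, int], float] = field(default_factory=dict)
    refused: int = 0

    def _expire(self) -> None:
        # A slot is only freed when its handshake times out.
        self.half_open = {k: t for k, t in self.half_open.items() if t > self.now}

    def syn(self, src: str, sport: int) -> bool:
        """Handle a connection request; True if a slot was allocated."""
        self._expire()
        if self.per_source_limit is not None:
            held = sum(1 for s, _ in self.half_open if s == src)
            if held >= self.per_source_limit:
                self.refused += 1
                return False
        if len(self.half_open) >= TABLE_SIZE:
            self.refused += 1
            return False
        self.half_open[(src, sport)] = self.now + HANDSHAKE_TIMEOUT
        return True

    def tick(self, seconds: float) -> None:
        self.now += seconds


def run_flood(per_source_limit: Optional[int], attacker_sources: List[str],
              syns_per_source: int, wait_before_client: float = 0.0) -> bool:
    """Each attacking source sends syns_per_source requests and never completes
    a handshake; optionally wait; then one legitimate client tries once.
    Returns whether that client got a slot."""
    srv = Server(per_source_limit=per_source_limit)
    sport = 40000
    for _ in range(syns_per_source):
        for src in attacker_sources:
            srv.syn(src, sport)
            sport += 1
            srv.tick(0.001)   # requests arrive far faster than slots time out
    srv.tick(wait_before_client)
    return srv.syn(LEGIT_CLIENT, 55555)


if __name__ == "__main__":
    one = ["203.0.113.9"]
    many = ["203.0.113.%d" % i for i in range(1, 9)]     # a small "botnet"
    print("no limit, single source:      ", run_flood(None, one, 50))
    print("limit 4/source, single source:", run_flood(4, one, 50))
    print("limit 4/source, 8 sources:    ", run_flood(4, many, 50))
    print("no limit, flood then timeout: ", run_flood(None, one, 50, HANDSHAKE_TIMEOUT))
```

The fourth case shows the other half of the report’s point: the table frees itself once the flood stops and the timeout elapses, so an attacker who wants the outage to last must keep sending, which is exactly the bandwidth and source diversity a botnet supplies.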

4 Raymond, Eric. The on-line hacker Jargon File 4.4.7. 29 Dec 2003. 26 Nov 2007 http://www.catb.org/jargon/html/index.html
5 Naraine, Ryan. Hackers Selling Vista Zero-Day Exploit. 15 Dec 2006. eWeek.com. 26 Nov 2007. <http://www.eweek.com/article2/0,1895,2073611,00.asp>
6 Evers, Joris. Russian hackers ‘sold WMF exploit’. 3 Feb 2006. ZDNet.co.uk. 26 Nov 2007. <http://news.zdnet.co.uk/software/0,1000000121,39250232,00.htm>
7 CERT Coordination Center – Denial of Service Attacks. 4 Jun 2001. US CERT. 30 Oct 2007 <http://www.cert.org/tech_tips/denial_of_service.html>
8 Garber, Lee. Denial-of-Service Attacks Rip The Internet. IEEE – Computer. Apr 2000. 12-17


0.2.3 Computer Viruses

Viruses are a type of unwanted software that runs on a computer and is designed to self-replicate and spread to other computers. They are characterized by the way they spread to other systems, and their effects can range from displaying an annoying message to causing massive data loss, giving an attacker remote control of a computer, or disrupting network communication. There is a large industry based on the development of tools like virus scanners to eliminate viruses before they can cause damage. Virus scanners are software that searches a computer for viruses and assists in their removal, and they are regularly updated to defend against new viruses. However, hackers are constantly racing with security professionals to stay ahead of these tools, and they have the advantage: they can create a new virus and use it to cause damage before the virus is discovered and the scanner is updated to detect and remove it.9

0.2.4 Packet Sniffing

Packet sniffing is used to monitor traffic between devices on a network, and has a number of legitimate uses. However, hackers can also use packet sniffing to obtain sensitive data without penetrating a computer network’s security measures, since a sniffer only reads traffic that already passes by it. Hackers can collect data from many sources, including data streams between two computers, unencrypted e-mails, unsecured WiFi networks, and network interface cards running in “promiscuous mode,” in which the card passes every frame it sees to the sniffer rather than only the frames addressed to it.10 These techniques can be particularly valuable to hackers on large networks, like public WiFi access points or university networks, where a large amount of poorly secured information is frequently transferred. Once a hacker is on a network, he can use a variety of free, open-source packet sniffing programs to collect data packets, or “spoof” his computer’s identity on the network to receive data that was not intended for him. However, packet sniffing is limited by non-packet data transfers, by secure programming that encrypts data end to end, by packet sniffer detection programs, and by increased public awareness of the threat.

0.2.5 Social Engineering

Social engineering combines hacking with low-tech methods like confidence schemes, physical surveillance, and probing e-mails. A confidence scheme can be used to obtain answers to the password-reset questions used by many major websites and e-mail providers. E-mail passwords are particularly useful targets, as many other websites use password recovery systems that send the old or changed password to the user’s e-mail address. Another technique, called “phishing,” refers to fraudulent e-mails and websites designed to steal information from victims. Some hackers may even resort to dumpster diving, since many large companies simply throw out papers containing information like tax records, payroll account logins and passwords, and building security alarm codes.11

9 Nachenberg, Carey. "Computer Virus-antivirus Coevolution." Communications of the ACM 40.1 (1997): 46-51.
10 Crenshaw, Adrian. A Quick Intro to Sniffers. 30 July 2007. Iron Geek.com. 30 Oct 2007. <http://www.irongeek.com/i.php?page=security/AQuickIntrotoSniffers>.

0.2.6 SCADA Systems

Supervisory Control and Data Acquisition (SCADA) systems collect data from sensors in a factory or infrastructure plant and can make changes remotely to optimize a process based on the received data. These systems control a number of physical parameters, such as a conveyor belt’s speed, a tank’s temperature and pressure, or any process which can be controlled without direct human manipulation. As a result, hackers who infiltrate these systems can cause direct physical effects.12 The biggest security vulnerabilities of SCADA systems lie in their original design: most systems currently in use were designed twenty or more years ago, and they are unsecured because their designers did not anticipate the emergence of corporate networks. Because they were not intended to be networked, most SCADA systems used in critical infrastructure are not properly secured and have multiple entry points that can be exploited.13 Moreover, the security of the corporate networks through which hackers can reach the SCADA systems is often improperly implemented. As a result, serious cyber-incidents involving SCADA systems have already occurred, including one in Australia in which a former worker on a water utility’s control system released hundreds of thousands of gallons of raw sewage into parks and rivers, and the widely reported (and later disputed) claim that a 12-year-old boy gained control over the Roosevelt Dam’s floodgate controls.14
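The packet sniffing discussion in 0.2.4 above describes promiscuous mode and unencrypted traffic only in general terms. The following is an added example, not part of the original report, that decodes constructed Ethernet/IPv4/TCP frames the way a sniffer does and pulls a username and password out of an unencrypted HTTP login. It also shows the two limits the section mentions: a network card that is not in promiscuous mode never hands the sniffer frames addressed to someone else, and a frame whose payload is encrypted yields nothing readable. All MAC addresses, IP addresses, credentials and payloads are constructed for the illustration; the TCP checksum is left at zero because nothing here validates it.

```python
# Added example (not from the original report): what a packet sniffer sees.
# Frames, MAC and IP addresses and credentials below are all constructed.
import base64
import struct
from socket import inet_aton
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

BROADCAST = b"\xff" * 6


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(dst_mac: bytes, src_mac: bytes, sip: bytes, dip: bytes,
                sport: int, dport: int, payload: bytes) -> bytes:
    """Build an Ethernet II / IPv4 / TCP frame (TCP checksum left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000,
                      (5 << 12) | 0x18,      # data offset 5 words, flags PSH|ACK
                      65535, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000,
                         64, 6, 0, sip, dip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return struct.pack("!6s6sH", dst_mac, src_mac, 0x0800) + ip_hdr + tcp


def parse_frame(frame: bytes) -> Optional[Dict]:
    """Decode Ethernet/IPv4/TCP headers; None for anything not TCP over IPv4."""
    if len(frame) < 34:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, _, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {"dst_mac": dst_mac, "src_mac": src_mac,
            "src_ip": ".".join(map(str, sip)), "dst_ip": ".".join(map(str, dip)),
            "src_port": sport, "dst_port": dport, "payload": tcp[data_off:]}


def find_credentials(payload: bytes) -> Optional[Dict[str, str]]:
    """Recover a login from plaintext HTTP: a form POST or an HTTP Basic header.
    Encrypted or binary payloads fail the ASCII decode and yield nothing."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, body = text.partition("\r\n\r\n")
    for line in head.split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            user, _, pw = base64.b64decode(line.split(None, 2)[2]).decode().partition(":")
            return {"user": user, "password": pw}
    if head.startswith("POST "):
        form = parse_qs(body)
        if "user" in form and "password" in form:
            return {"user": form["user"][0], "password": form["password"][0]}
    return None


def sniff(frames: List[bytes], my_mac: bytes, promiscuous: bool) -> List[Tuple[str, str, Dict[str, str]]]:
    """Model the NIC: unless promiscuous, it delivers only frames addressed to
    my_mac or to broadcast. Returns (src_ip, dst_ip, credentials) per hit."""
    hits = []
    for frame in frames:
        if not promiscuous and frame[:6] not in (my_mac, BROADCAST):
            continue
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        creds = find_credentials(pkt["payload"])
        if creds:
            hits.append((pkt["src_ip"], pkt["dst_ip"], creds))
    return hits


# Constructed traffic: Alice's laptop talking to a bank through the LAN gateway.
GATEWAY_MAC = bytes.fromhex("001122334455")
ALICE_MAC = bytes.fromhex("66778899aabb")
SNIFFER_MAC = bytes.fromhex("ccddeeff0011")   # the eavesdropping host on the same LAN
ALICE_IP, BANK_IP = inet_aton("192.0.2.10"), inet_aton("198.51.100.20")

SAMPLE_FRAMES = [
    build_frame(GATEWAY_MAC, ALICE_MAC, ALICE_IP, BANK_IP, 50123, 80,
                b"POST /login HTTP/1.1\r\nHost: bank.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"user=alice&password=hunter2"),
    build_frame(GATEWAY_MAC, ALICE_MAC, ALICE_IP, BANK_IP, 50124, 80,
                b"GET /account HTTP/1.1\r\nHost: bank.example\r\nAuthorization: Basic "
                + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    # TLS-looking record: opaque bytes, nothing for the sniffer to read
    build_frame(GATEWAY_MAC, ALICE_MAC, ALICE_IP, BANK_IP, 50125, 443,
                b"\x17\x03\x03\x00\x10" + bytes(range(0x80, 0x90))),
]

if __name__ == "__main__":
    print("normal NIC: ", sniff(SAMPLE_FRAMES, SNIFFER_MAC, promiscuous=False))
    print("promiscuous:", sniff(SAMPLE_FRAMES, SNIFFER_MAC, promiscuous=True))
```

Run as a script, the first line prints an empty list and the second prints the same credentials twice, once from the form POST and once from the Basic header; the frame to port 443 is decoded down to its ports but its payload never matches. On a switched network the sniffer also needs the traffic to reach its port at all, which is where the ARP spoofing the section alludes to comes in.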

0.3 Targets

As the entire world becomes more connected through the Internet, the threat of cyber-attacks has become an issue that should not be ignored. Our nation’s cyber-security must be improved because cyber-attacks can be performed by any individual, group, or government. The difficult aspect of protecting ourselves is that cyber-warfare targets are not limited to government agencies and the military; global corporations, public utilities, and transportation systems are also affected. Because the United States is so dependent on its critical infrastructure (Internet, power, et cetera), it is absolutely critical that the government make securing our cyberspace a top priority.

11 Grifter. Dumpster Diving – One Man’s Trash… Hack In The Box. 2002. 26 Nov 2007. <http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=6388&mode=thread&order=0&thold=0>
12 Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.
13 Understanding SCADA System Security Vulnerabilities. Riptech. 2001. 1-5. 23 Oct. 2007 <http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf>.
14 Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007 <http://www.securityfocus.com/news/502>.


Before policy options can be discussed, we must first review potential threats to and vulnerabilities of our systems.

0.3.1 Military and Government

Because the government and military are what keep the United States running, they are an obvious target for cyber-attack. Over the past decade, several data theft attempts have been documented in which hackers broke through network defenses searching for critical government and military documents. One such attack, known as “Moonlight Maze,” resulted in troop structures and base configurations being stolen from the Pentagon.15 This example demonstrates the severity of our military’s cyber-security issues. Another form of cyber-attack that concerns the military is the battlefield attack. Although the threat on the front lines is limited, hackers could infiltrate command and control systems in the rear and give false commands or send incorrect troop information, leading to an ambush.16 Therefore, given the potential harm if the military’s communication systems were infiltrated, cyber-defenses in this realm must be improved.

0.3.2 Financial Systems

The biggest threat to our nation’s financial systems comes from terrorist organizations that have no interest in the welfare of the United States economy. Osama bin Laden made his goals very clear in 2001 when he stated:
If their economy is destroyed, they will be busy with their own affairs rather than enslaving the weak peoples. It is very important to concentrate on hitting the U.S. economy through all possible means. 17

From his comments, and the fact that over half of all cyber-attacks in 2001 targeted financial systems,18 the need to secure our banks and credit unions from cyber-attack is clear. Financial service providers have historically had a reputation for protecting clients’ critical data and financial assets, but current vulnerabilities in electronic financial transfer systems threaten to expose those assets and information to cyber-attack. For example, money transfers made over wireless Internet connections or cell phones can be intercepted, and the fiber optic cables that carry financial data around the world can be tapped without detection.

15 “Cyber-war!.” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
16 Krebs, Brian. “Cyber war games test future troops.” Washington Post: April 23, 2003.
17 Pethokoukis, James. “Capital Commerce. So How Goes Bin Laden’s War on the U.S. Economy?” September 11, 2007
18 Glaessner, Thomas. “Electronic Security: Risk Mitigation In Financial Transactions”. The World Bank: 2002.


0.3.3 Critical Infrastructure

America’s critical infrastructure is among the structures most vulnerable to cyber-attack in our nation. Systems such as power grids, communications, and emergency response are linked through thousands of miles of Internet lines, making it almost impossible to secure the entire network.19 The threat of infrastructure attack was realized in 2001 when the FBI discovered that cyber-intruders were researching utilities, government offices, and emergency systems of cities all over the country. This discovery became even more alarming when, a few months later, American intelligence agencies seized Al Qaeda laptops and found what appeared to be a “broad pattern of surveillance of U.S. infrastructure.”20 If attackers successfully hacked into a power utility’s grid controls, they could potentially shut down plants and even break power generators. Although they would not be able to take out the entire power grid, because of the redundancies built into the system, the attackers could shut off the power in a region, causing significant damage to the area’s economy.21 Another potentially disastrous scenario involving power utilities and communication systems is an opposing government using a cyber-attack in conjunction with a physical attack. This would cause power outages and public chaos because of the inability to relay information during a time of crisis. The government must lead research efforts to secure our infrastructure in order to prevent and defend against cyber-attacks.

0.3.4 Transportation Systems

Transportation systems could conceivably be an appealing target to potential cyber-attackers due to the integral role they play in the economy. Over ten percent of the United States’ gross domestic product comes from transportation.22 Of all the nation’s transportation systems, the aviation network currently has the highest risk of cyber-attack due to its extensive computer networks. Other systems that can be attacked are public transit systems and shipping networks, but their relatively low use of computer systems keeps the potential for devastating attacks low. However, the air traffic control system for the aviation network is extremely vulnerable due to the outdated computers and defenses being used.23 Regional air traffic control centers have shut down several times in recent history, but in each case neighboring control centers were able to handle the additional traffic load. If an attacker were able to hack into the air traffic control computers and shut down the entire nation’s air traffic radar or communications systems, though (something that has not happened to date), planes would have to navigate and land without assistance, raising the risk of accident and opening the door for some kind of conventional attack. Due to the potential worst-case damage that could result from cyber-attacks on the aviation network, these computer systems must be more fully secured.

19 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 31. 24 Oct. 2007 <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
20 “Cyber-war!.” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
21 Meserve, J. “Staged cyber attack reveals vulnerability in power grid.” CNN. 26 September 2007. 4 Oct. 2007. <http://www.cnn.com/2007/US/09/26/power.at.risk/>
22 Szyliowicz, Joseph S. (2004). International transportation security. Review of Policy Research. 21

0.4 Consequences

The discussion of vulnerabilities above demonstrated that the direct, physical damage caused by a cyber-attack depends completely on the nature of the attack and its target. While the potential economic and social consequences of an attack can also vary widely, and are speculative in nature, evidence suggests those consequences could be as considerable as the physical damage, if not more so.

0.4.1 Economic Consequences

Cyber-warfare incidents can be costly even when conducted by small groups of attackers. There have been several incidents of hackers causing significant financial damage. For example, the “I Love You” virus caused an estimated $10 billion in damage, and it was created by a single student in the Philippines whose thesis had been rejected. An even greater threat lies in the many critical infrastructures that could be attacked. The transportation system is an appealing target to potential cyber-attackers due to the integral role it plays in the economy; transportation accounts for over 10 percent of the nation’s gross domestic product. The recent history of conventional terrorism also suggests that cyber-attackers may choose to target transportation systems, provided feasible opportunities exist. Eighteen of the twenty-five major terrorist attacks from 1983 to 2001 “involved the use of transportation vehicles as weapons, and another five involved attacks on planes.”24 Only one successful cyber-attack on the transportation system that caused significant damage or loss of life would be needed for an impact to be felt on the economy and on public perception. A successful attack on the power grid presents the greatest economic threat among critical infrastructures. The August 2003 Northeast blackout, which lasted only about a day, cost the United States an estimated $6 billion.25 The cost of a regional power outage caused by a cyber-attack could approach one trillion dollars per month. An impact this large on the U.S. economy would affect almost every citizen in the country.

0.4.2 Social Effects

Because there has not been, to date, a successful cyber-attack on the United States on a large enough scale to widely affect the general population, the possible social consequences are largely speculative. One predictable result of a successful, or nearly successful, attack is that the public could lose confidence in the government’s ability to protect the nation from cyber-attack. Polling already shows that a majority of the public feels the nation needs new legislation to strengthen cyber-security,26 and experts have repeatedly warned the government to act.27 If a massive cyber-attack occurred, the public could lose faith in the government rapidly. If a specific private sector entity responsible for infrastructure or other critical systems were attacked, that entity could experience a similar loss of trust. However, data also exist to suggest that the social impacts of a cyber-attack would likely be brief unless the attack led to considerable physical damage or loss of life. For example, several accidents and other recent cyber-incidents have caused air traffic control centers to shut down, but no data exist to suggest those incidents had any effect on potential air travelers. Even in the case of September 11, demand for air travel had largely recovered only two years later.28 Another case in which the social impacts might be long-term would be a series of ongoing successful attacks that caused no considerable physical damage or loss of life but nonetheless could not be prevented.

23 http://www.gao.gov/new.items/d05712.pdf
24 Szyliowicz, Joseph S. (2004). International transportation security. Review of Policy Research. 21
25 “An Analysis of the Consequences of the August 14th 2003 Power Outage and its Potential Impact on Business Strategy and Local Public Policy”. 2004. <http://www.acp-international.com/southtx/docs/ne2003.pdf>

0.5 National Agencies and Legislation

In recent years, several documents and laws have been created to define the government’s role in dealing with cyber-security issues, beginning with the E-Government Act of 2002. Since that time, several new agencies have been created to accomplish the nation’s cyber-security objectives.

0.5.1 E-Government Act of 2002

Much of the federal government’s current policy and organizational structure for dealing with cyber-warfare was created by the E-Government Act of 2002. The Act established that the Office of Management and Budget (OMB) is responsible for overseeing other federal organizations’ cyber-security policies. The Department of Homeland Security has also become responsible for coordinating many of those agencies. The E-Government Act also outlined the roles several other organizations should fill in dealing with cyber-security.

26 “Poll Shows Americans Want Congress to Do More to Protect Them Online.” Cyber Security Industry Alliance (2006): 30. 21 Oct. 2007
27 “Interview: O. Sami Saydjari.” Frontline: Cyber War! 23 Apr. 2003. PBS. 24 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/saydjari.html>
28 Ito, Harumi, and Darin Lee. Assessing the Impact of the September 11 Terrorist Attacks on U.S. Airline Demand. Dept. of Econ., Brown U. 2004. 3-24. 26 Oct. 2007

0.5.2 National Infrastructure Advisory Council

One organization outlined by the E-Government Act is the President’s Critical Infrastructure Protection Board (PCIPB), now known as the National Infrastructure Advisory Council (NIAC).29 The NIAC is designed to supply the executive branch with the information needed to secure the information systems of critical infrastructure sectors, and it deals with both prevention and recovery strategies.30

0.5.3 National Strategy to Secure Cyberspace

In 2003, before its name was changed, the PCIPB published the National Strategy to Secure Cyberspace (NSSC), a document outlining stakeholders, guiding principles, and broad policy objectives to consider in improving national cyber-warfare policy. This assessment uses the broad policy objectives in the NSSC as a starting point for its discussion of policies, but expands beyond the initial policy suggestions.

0.5.4 United States Computer Emergency Readiness Team (US-CERT)

Another organization established by the E-Government Act of 2002 is the United States Computer Emergency Readiness Team (US-CERT), designed to protect the Internet from cyber-attacks by promoting the communication of cyber-incidents between private and public sector groups. A number of initiatives to improve cyber-security information sharing are handled by US-CERT, including the Einstein Program and several collaborative groups. US-CERT is part of the National Cyber Security Division (NCSD), which is designed to evaluate the risks of various attacks, determine what protective measures are needed, and create a set of protocols to follow in response to cyber-incidents.

0.6 Policies

The success of existing cyber-security policies has been mixed, and cyber-security remains an area in need of many new policies and programs. The key stakeholder groups currently being considered are sound, and the concerns currently being addressed correspond loosely to the broad policy areas established by the NSSC. Still, much work remains to be done to improve cyber-security.

29 Bush, George W., and Jim Turner. “E-Government Act of 2002.” The White House. 15 Nov. 2002. US Government. <http://www.whitehouse.gov/omb/egov/g-4-act.html>.
30 “National Infrastructure Advisory Council.” Department of Homeland Security. Oct. 2007. US Government. <http://www.dhs.gov/xprevprot/committees/editorial_0353.shtm>.

0.6.1 National Policies

A portion of the Department of Homeland Security is dedicated to securing America from cyber-attacks. According to the NSSC, existing national policy in this area has given the federal government a mandate to:31

1) Prevent cyber attacks against our critical infrastructures;
2) Reduce our national vulnerabilities to cyber attack; and
3) Minimize the damage and recovery time from cyber attacks that do occur.
   Ensure the federal government’s ability to perform essential national security missions and guarantee the general public’s health and safety;
4) Make sure that state and local governments are able to maintain order and to deliver minimum essential public services;
5) Aid the private sector’s capability to ensure the orderly functioning of the economy and the delivery of essential services; and
6) Support the public’s morale and confidence in our national economic and political institutions.

0.6.2 Policy Goals

Although the NSSC has been a starting point for current national policies, those policies are not enough to protect our nation from cyber-warfare. Our policy discussion will be broken into the following major policy areas: prevention, response, cyber-security training and awareness, governmental cyber-security, international cyber-warfare collaboration, and military uses of cyber-warfare.

0.6.3 Guiding Principles

In addition to meeting the above goals, several basic principles should guide future cyber-warfare policies. For example, policies should encourage the nationwide cooperation of private and public sector groups, strengthen rather than infringe upon personal privacy, and avoid broad regulation wherever practical. Also, policies should be flexible enough to adapt to the ever-changing nature of cyber-warfare. Several social considerations exist with regard to cyber-warfare policies. One is the loss of privacy in cyberspace; another is the censorship of the Internet which would occur if the government began to block certain websites. These privacy concerns make the cooperation of public and private sector entities even more essential.

31 “National Policy and Guiding Principles.” National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.


0.6.4 Stakeholders

American citizens and organizations are the primary stakeholders with regard to national cyber-warfare policy. That said, virtually everyone can be considered a stakeholder, either through their direct use of the Internet or through their reliance on the critical infrastructures that depend on computer systems. The NSSC describes five specific stakeholder groups: home and small business computer users, large enterprises such as corporations and universities, critical sectors and infrastructures, the nation as a whole, and the international community.32

0.6.5 Policies of Prevention

While the government is taking steps to improve collaboration between groups in the response to cyber-attacks, much of the task of actually preventing cyber-attacks is still in the hands of the private sector. One of the most effective means of preventing cyber-attacks is to effect a widespread change in behavior among systems administrators; for example, if they kept their computer systems up-to-date with the latest security patches, a major class of vulnerability would be reduced. Many tools exist to safeguard against cyber-attacks, such as antivirus programs and firewalls, but they are optional purchases and are not available for many less standardized computer systems. Similarly, there are many competing cyber-security certification programs and no uniform process for licensure or certification. Also, software and hardware makers are not legally required to include security features of any kind in their products. One controversial policy option would be to require by law that all computers be secured in specific ways; however, such a law would need to be abstract enough to accommodate the evolving nature of threats, and it should balance added security against added costs. Another is to hold software producers and systems administrators responsible for damage caused by their products or systems; again, the added cost of production and maintenance must be weighed.
Also, a uniform process for cyber-security licensure and certification could be created to ensure a standardized level of cyber-security knowledge. One distinct area to consider is the prevention of cyber-attacks on infrastructure systems. A policy option in this area is to regulate a minimum level of cyber-security for all components of the national infrastructure, because one weak link can allow an attack to damage entire areas of infrastructure.

32 “National Policy and Guiding Principles.” National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.

0.6.6 Policies of Response

It is difficult to identify and apprehend cyber-attackers. Because of this, legal action against them is typically handled at the federal level. However, numerous case studies suggest that the sentences given to convicted cyber-attackers are not nearly severe enough to match the damage caused by their attacks. Accordingly, one policy option is to increase minimum and maximum sentencing guidelines for cyber-attackers, and to pursue longer sentences more vigorously. The National Cyberspace Response System is the current strategy for handling responses to cyber-attacks. This response system includes analysis of cyber-attacks, communication of warnings when a cyber-attack might be repeated or may spread, reporting and classification of incidents, and recovery from a cyber-attack.33 Several recent exercises were organized to coordinate response efforts between public and private sector organizations, and were reported to be successful in increasing communication between groups.34 However, many private sector organizations worry about damage to their public image if a cyber-incident occurs and is publicized, and others think the existing channels for relaying information are insufficient.35 New policies should define more clearly a method of communicating cyber-incidents to the public, so that the actual risks and impacts of incidents will be understood. Also, private sector organizations could be given financial incentives for reporting their cyber-security measures and any incidents that occur. Finally, as attacks on the Internet can affect the world as a whole, the United States should open a new dialogue with other countries to create a uniform cyber-attack response policy.

0.6.7 Policies for Public Awareness and Training

Several programs are in place to promote public awareness of cyber-security and the cyber-security training of IT professionals.
For example, US-CERT offers e-mail bulletins to inform the public of incidents and security tips, and the NCSD has created a website, Stay Safe Online, to inform computer users in all sectors of ways to improve personal cyber-security practices.36 However, while some studies have shown an awareness of cyber-security concerns among corporate IT personnel, others have shown that IT personnel fail to follow the most basic cybersecurity measures, such as reporting incidents to anyone outside the corporation.37 Because the US-CERT bulletin and Stay Safe Online have not reached high levels of public exposure, increased federal funding for these programs is needed. Another option is to provide financial incentives for small businesses and enterprises whose employees complete a basic cyber-security course. A uniform licensure and certification process, as described in the Policies for Prevention section, could help to ensure the proper level of training for IT personnel. Another option is to create a national database of cyber-incidents that occur at critical
33 34

Ibid "Fact Sheet: Protecting America’S Critical Infrastructure – Cyber Security." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/press_room/050215cybersec.html>. 35 "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.uscert.gov/federal/collaboration.html>. 36 National Cyber Security Alliance: Stay Safe Online. Retrieved October 31, 2007, from Stay Safe Online Web site: http://www.staysafeonline.org/ 37 Gagnon, B. (2004). Are We Headed For a Cyber-09/11? The American Failure in Cyberstrategy. Conference Papers -- International Studies Association, Retrieved October 24, 2007, from Academic Search Premier database.


infrastructure elements and a daily cyber-security threat level indicator; these would give the private sector an incentive to maintain a strong public image by preventing incidents, and would raise overall public awareness.

0.6.8 Policies for Government Cyber-security

The federal government is responsible for securing many critical institutions, such as the military, emergency services, and financial institutions, from cyber-attack. Accordingly, one priority of the government must be to protect its own computer systems. The OMB has assessed the vulnerabilities of many computer systems within the government and has established basic federal guidelines for agencies to follow; the guidelines must be met before an agency can obtain funding for system upgrades.38 A process has been established by which agencies can improve security and work towards meeting those guidelines. However, at the level of individual agencies there is no uniform cyber-security testing procedure, and many agencies rely on outside contractors to upgrade their computer systems. And while system upgrades are checked by the OMB for cyber-security measures, existing systems lack basic security measures such as password complexity requirements and security patches. At the agency level, new policies are needed to mandate more robust passwords and more frequent password changes; another possible measure is a physical identification card system whereby "smart cards" would be needed to access a government computer. Also, the IT departments of government agencies should be required to document the structure of their computer systems and their installation of security patches. One agency of special concern is the FAA. A mandate could be issued that future development of the FAA's air traffic network continue to favor decentralized, redundant control centers.
Also, the FAA (and possibly other government agencies as well) could be required to limit the access of outside IT contractors to only the areas that directly relate to their work assignments. Across all agencies, best-value evaluations should be used when selecting outside contractors; the OMB could establish which contractors provide the best services and establish a certification system. Another possible policy is the creation of a federal "red team" of security testers to periodically test government computer systems for cyber-security vulnerabilities.

0.6.9 Policies for U.S. and International Cyber-warfare Collaboration

Because of the Internet's worldwide presence and the interconnectedness of computer systems around the world, the United States must enact policies to secure its own systems from attacks originating in other countries. Of equal importance are policies for nations to work together to secure the global cyberspace.
38 "Priority IV." The National Strategy to Secure Cyberspace. February 2003. 30 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_4.pdf>


To protect the nation from attacks originating abroad, more robust preventative and counterintelligence capabilities must be developed; almost no true counterintelligence options exist. Also, a better system for reporting cyber-incidents to system administrators around the nation is needed. Many efforts have been made to influence the cyber-security efforts of other nations, including U.S. discussions with the Organisation for Economic Co-operation and Development (OECD), the G-8, and the Asia-Pacific Economic Cooperation forum (APEC).39 However, there is no widely accepted international treaty or agreement establishing a global cyber-security policy, and no international network of agencies for information relay exists. The federal government should work with other nations to adopt a set of international cyber-security standards, to ensure that all international computer systems have a minimum level of security. One starting point for a global cyber-security policy could be the creation of a regional North American cyberspace "safe zone",40 in which the U.S. would work with Canada and Mexico to solve mutual cyber-security issues. Other regional alliances and unions, such as the European Union, should be encouraged to take similar steps. In 2001, the Council of Europe's Convention on Cybercrime, a treaty to promote international cyber-crime collaboration, was opened for signature, and 43 countries have since signed it. However, greater efforts should be made to follow the treaty's guidelines and to encourage more nations to sign the treaty.

Other nations have their own cyber-warfare policies that the United States can learn from. The U.K.'s policies are similar to ours, but its legal framework for handling cyber-attackers is more robust. Germany's policy differs from ours in that it considers any attempt to control German media an act of war, and Germany is considering whether economic cyber-warfare could be used during a conflict with another nation.
Russia considers cyber-attacks to be second only to nuclear attacks in terms of danger, and its policy is relatively aggressive; however, Russia has also made it illegal for its citizens to carry out a cyber-attack. China is actively developing its offensive cyber-warfare capabilities, which demonstrates the need for international collaboration.

0.6.10 Policies for Military Use of Cyber-warfare

One policy area not discussed in the NSSC concerns the military's policy with regard to the use of cyber-warfare against, and by, the Armed Forces. Cyber-warfare options have historically been handled by the Space Command, but in 2007 the Air Force was given that responsibility; the Computer Network Operations group (CNO) is specifically tasked with military cyber-warfare policies.41

39 "Priority V." The National Strategy to Secure Cyberspace. February 2003: 51. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
40 Ibid.
41 Wilson, Clay (2007). "CRS Report for Congress: Information Operations, Electronic Warfare,


There have been no confirmed uses of cyber-warfare by the United States military, though cyber-warfare tactics were considered and, by some accounts, used in Kosovo and Operation Iraqi Freedom.42 The federal government is also leading efforts to promote cyber-warfare education, as evidenced by a cyber-warfare scholarship program sponsored by the Department of Homeland Security and the National Science Foundation.43 The use of cyber-attacks as an alternative to conventional attacks could reduce civilian harm, because infrastructure systems could be shut down temporarily rather than permanently destroyed; capabilities to carry out this sort of cyber-attack should be researched. Consideration of cyber-warfare tactics should be integrated into national strategic planning and any future discussions of redefining the military's mission. One policy option is to expand cyber-warfare training within the military and at universities, to make our Armed Forces more skilled at cyber-warfare tactics should the need to use them arise. Also, a set of rules to guide our use of cyber-warfare tactics, both offensively and defensively, should be developed, along with a more clearly defined national cyber-warfare strategy. Finally, an international convention should be developed, possibly through the United Nations, to handle the legality of offensive cyber-attacks.

0.7 Conclusion

0.7.1 Is Cyber-warfare a Threat?

Our vulnerability to cyber-attacks is clear, especially when the means of attack are so readily accessible. However, the effects of these vulnerabilities are still limited, and are best exploited only in combination with a coinciding physical attack. We do not face the doomsday that some predict, but we do have a system in need of a drastic overhaul and upgrade. With better implementation of established cyber-security practices, along with proactive research and development, we can reduce the glaring weaknesses in our cyber-defense and mitigate the vast majority of cyber threats.

0.7.2 The Way Forward

This assessment's recommended "best policies" are divided into policies to implement immediately, policies for the near future, and areas for future research.

and Cyberwar: Capabilities and Related Policy Issues." 30 October 2007. <http://stinet.dtic.mil/cgibin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>
42 "Cyber-war!" PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/arquilla.html>
43 Wilson, Clay (2007). "CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues." 30 October 2007. <http://stinet.dtic.mil/cgibin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>


The policies to implement immediately are relatively simple, and no significant barriers to their implementation exist. The government should immediately make sentencing standards for cyber-criminals more severe, increase publicity funding for existing federal cyber-security awareness programs, require government agencies to document their cyber-security progress, and expand cyber-security training within the military and at universities.

The policies for the near future may take a few years to develop. For instance, a uniform cyber-security licensure can be created, and a more robust process can be put in place to test the cyber-security of federal agencies. Policies to encourage other nations to prevent cyber-attacks can be developed, and international cyber-security standards can be agreed upon. Cyber-warfare can be given a greater role in national strategic and military planning. Finally, a legally binding set of security requirements can be made for new software and hardware products.

Though it will require extensive research, planning, and diplomatic effort, a goal should be set to establish and ratify within ten years an international treaty creating a uniform cyber-security policy, a framework for interagency cooperation and response, and a global network for information sharing. In the same period, a goal could be set to establish a cyber-warfare equivalent of the Geneva Conventions, establishing rules governing military use of cyber-warfare. Although there is never an impenetrable defense against cyber-attacks, the United States can greatly limit the threat of cyber-warfare over time by implementing these proactive policies.


1 Introduction


It is difficult to grasp how reliant the United States has become on computers and the networks that connect them. The Internet and computer networks are absolutely vital to a functioning electric power grid, a consistent water supply, nearly all communications networks, many transportation systems, key financial systems, public health systems, postal service, government and defense, and many other systems that support our nation. The Internet, originally designed to allow communication in the event of a nuclear war, could be the next weapon to attack a society revolving around information technology.44 Cyber-warfare indisputably has the potential to cause catastrophic damage to these systems in a world vastly influenced by cyberspace. Given this assumption, one must address the probability of various types and combinations of cyber-attacks that could damage critical systems, as well as the options for response and prevention. Securing this nervous system will require significant resources from the public and private sector, as well as significant efforts from everyone connected to the Internet. Given the power and influence of cyber-warfare, there are also possibilities of cyber-warfare as an effective offensive weapon that must be considered.

1.1 What Is at Stake?

The worst-case scenario of cyber-warfare would involve a combination of cyber-attacks and physical attacks. However, to get an idea of the potential scale of cyber-attacks, consider this hypothetical situation. It is a sunny weekday in Chicago. A few days earlier, a terrorist organization hacked into the federal government's electronic shipping manifest system. The terrorists found a shipment of nuclear material, intercepted the truck, and stole its contents. They then loaded this nuclear material, along with a detonator, onto a chartered plane at a local air strip. Simultaneously, the terrorist organization hacks into the regional power grid and FAA computer systems. Once in the power grid, they gain control over a key power generator and force it out of its natural oscillation, which destroys the generator and crashes the power grid in the greater Chicago area. In the FAA system, the hackers knock out the radar systems in the area and delete all recorded flight plans in the region. The chartered plane, already in the air near Chicago, uses the immediate confusion to fly into restricted airspace directly over the heart of the city, and detonates in mid-air, raining nuclear material down over the entire city. Lastly, the terrorists hack into the SCADA system controlling Chicago's water treatment facilities. Through a series of commands, they route millions of gallons of untreated wastewater into the Chicago River, destroying the water quality and ecosystems downriver. Ultimately, the water flows into the Mississippi River. All told, these terrorists rained radiation onto nearly 3 million residents, and required the entire area to be evacuated until the federal government could determine the radiation levels, and either
44 Global Society: Journal of Interdisciplinary International Relations. Jan. 2003, Vol. 17, Issue 1, p. 89 (9 pp.)


begin a clean-up program or abandon the city entirely. The mixture of sewage and the threat of radiation flowing down the Mississippi River creates panic all along the river basin, which includes St. Louis, Memphis, and New Orleans. Power generation in the region is significantly damaged, and new generators are required to return it to pre-attack output levels, straining surrounding systems and potentially knocking them offline as well. The cost in lives and dollars is unknown, but far higher than that of any previous attack on US soil.

1.2 Is Cyber-Warfare a Real Threat?

While it is highly unlikely that a terrorist organization could currently coordinate an attack as massive and complex as the scenario described above, each component of the scenario is more realistic by itself. Each component has either been described as a possibility by the United States government or private-sector entities, or has been shown to be possible by actual cyber-incidents. Is cyber-warfare a real threat? The immediate answer is that cyber-warfare is real enough that it cannot be ignored, although the scope and magnitude of the threat vary across different areas of key infrastructure. Even in cases where the current threat is limited, the threat is expected to grow in the future. Some critics of this conclusion rely on the history of cyber-warfare.45 To date, there have been no successful large-scale cyber-attacks on the United States that have brought significant economic or social damage on a national scale. Many professionals in this group of skeptics contend that terrorist organizations are not capable of catastrophic cyber-attacks.46 These skeptics are also comfortable with nation-states that have cyber-warfare capabilities, because there is currently no strong motive for those states to use their resources aggressively. While nation-states do not currently have an interest in engaging in a large-scale cyber-war, the majority of cyber-attacks against the United States government are believed to be sponsored by other nations. There is also evidence that international terrorist organizations are actively recruiting and training specialists to adapt their operations to the cyber world. After the horrific attacks on September 11, 2001, reports repeatedly claimed that crashing commercial airliners into large buildings was an attack method that no one could have predicted.
These reports did not take into account the 1994 attempt by al-Qaeda-linked militants to crash an Airbus A300 into the Eiffel Tower, foiled when French special forces stormed the plane.47 In 1994, the CIA prevented a plot to crash a plane into CIA Headquarters in Langley, Virginia.48 Ramzi Yousef was arrested in 1995 in the house of a family member of Osama bin Laden, with plans for a suicide bombing of CIA headquarters and for blowing up eleven U.S. commercial jets as they approached airports.49 The Federal Research Division warned in 1999 that "Suicide bomber(s)
45 Laprise, John. IEEE Technology & Society Magazine. Vol. 25, Issue 3, p. 28.
46 Ibid.
47 "Profile: Eiffel Tower. December 24, 1994: Al-Qaeda Connected Militants Attempt to Crash Passenger Jet into Eiffel Tower." <http://www.cooperativeresearch.org/entity.jsp?entity=eiffel_tower>
48 Favish, Allen J. "Clinton and 9/11." FrontPageMagazine.com, October 14, 2003. <http://www.frontpagemag.com/articles/Read.aspx?GUID={245984FA-D9DF-46E9-8EF3-7B5259A51C0D}>
49 Wren, Christopher S. "Plot of Terror in the Skies Is Outlined by a Prosecutor." The New York Times, May 30, 1996. <http://query.nytimes.com/gst/fullpage.html?res=9F01E1DD1E39F933A05756C0A960958260&sec=&spon=&pagewanted=all>


belonging to al-Qaida's Martyrdom Battalion could crash-land an aircraft packed with high explosives (C-4 and Semtex) into the Pentagon, the headquarters of the Central Intelligence Agency (CIA), or the White House."50 Because there had been no previous successful attacks similar to those of September 11, 2001, America was unprepared and utterly shocked. A similar rationale is being applied to the possibilities of cyber-warfare. The evidence presented in this assessment shows that cyber-warfare could be another catastrophe waiting to happen, and that the government must take proactive measures to prevent another enduring loss. There are warning signs that terrorist organizations such as al-Qaeda are developing cyber-warfare capabilities, as well as clear signals that foreign nations are preparing for a future cyber war. There are clear warning signs, as this assessment will show, that the United States of America is vulnerable to cyber-attacks.

1.3 Defining Cyber-attacks

Before we can begin to assess cyber-crime, cyber-terrorism, and cyber-warfare, we must first differentiate between these concepts in order to establish the scope that each covers. There are many distinctions among the three, including the scale of the cyber-attack and the objectives it is intended to achieve. Defense Acquisition University classifies any cyber-attack that is not intended to threaten national security or further operations against national security as cyber-crime.51 Cyber-terrorism, on the other hand, refers to cyber-attacks launched by individuals or small terrorist organizations that are intended to further political or social objectives by coercing a government or its people.52 Cyber-warfare has the same objectives as cyber-terrorism, except that it consists of cyber-attacks launched by a national government as an act of war, just as a physical attack would be.53 One important distinction is that to be considered an act of cyber-terrorism or cyber-warfare, a cyber-attack must be an intentional operation against national security. An unintentional attack on national security, such as that of an inept hacker, is considered cyber-crime as long as the intent of the attack is self-serving and not to further a national or ideological objective. However, that is not to say that these unintentional attacks on national security cannot be as harmful as cyber-warfare and cyber-terrorism, and for the purposes of this assessment they will be treated the same way. While cyber-crime is a major problem in the US and many other countries, this assessment is concerned primarily with the effects of large-scale cyber-attacks on national security, and with how the United States can be best prepared both to defend against and to execute them.

50 Hudson, Rex A. The Sociology and Psychology of Terrorism: Who Becomes a Terrorist and Why? A Report Prepared under an Interagency Agreement by the Federal Research Division, Library of Congress, September 1999. <http://www.fas.org/irp/threat/frd.html>
51 Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly, Spring 2000: 101-120. 18 Oct. 2007 <http://www.dau.mil/pubs/arq/2000arq/alford.pdf>
52 Denning, D. (2001). "Is Cyber Terror Next?" New York: U.S. Social Science Research Council. <http://www.ssrc.org/sept11/essays/denning.htm>
53 Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly, Spring 2000: 101-120. 18 Oct. 2007 <http://www.dau.mil/pubs/arq/2000arq/alford.pdf>


2 Tools for Cyber-Attacks


2.1 Hacking

Hacking is a blanket term that has been seized by the media. Traditionally, a "hacker" has simply been a skilled computer user.54 A number of terms, including "cracker", refer specifically to the malicious computer users who usually garner the attention of the media. Because of the popularity and familiarity of the term, "hacking" will be used in this document to refer to all forms of cyber-attack, and "hacker" for the individuals initiating them. Hackers are usually either socially or financially motivated. The Internet has given hackers a community in which to share their exploits, in both senses of the word, and to suggest new avenues of attack. Often, a newly found vulnerability will generate a flurry of activity in a hacking community, with different groups or individuals competing to be the first to distribute a new exploit. Alternatively, there are many documented cases where hackers discovered vulnerabilities in popular software and operating systems and offered to sell these finds on underground auction sites.55,56 These motivations are in addition to the motivation of theft through fraud and identity theft. Hackers' primary goals typically consist of either information theft or damage to computer systems. Stolen sensitive information can be the gateway to various forms of fraud, such as identity theft, or to vulnerable systems such as SCADA systems. Hackers use common vulnerabilities in sensitive systems, and even the aforementioned stolen information, to cripple vital processes and functionality. With regard to cyber-warfare, possible targets include classified data and a bevy of vital systems with control over communication and infrastructure.
The tools outlined in this section are only a small part of a hacker's arsenal, but they are described here because awareness is the first step to eliminating the vulnerabilities they exploit, and they give some idea of how hackers view the systems that governments and corporations use to store and transfer information.

2.2 Denial of Service Attacks

A “Denial of Service” attack, or DoS attack, is one of many methods employed by participants in cyber-warfare to cause damage. The damage caused by such an attack is the disabling of a computer or network. The extent of the damage is dependent upon the functions of the system being attacked; typically the attacks cause economic damage and sever communications. As organizations become more dependent on computers and the Internet, the consequences of DoS

54 Raymond, Eric. The on-line hacker Jargon File, version 4.4.7. 29 Dec 2003. 26 Nov 2007 <http://www.catb.org/jargon/html/index.html>
55 Naraine, Ryan. "Hackers Selling Vista Zero-Day Exploit." eWeek.com, 15 Dec 2006. 26 Nov 2007 <http://www.eweek.com/article2/0,1895,2073611,00.asp>
56 Evers, Joris. "Russian hackers 'sold WMF exploit'." ZDNet.co.uk, 3 Feb 2006. 26 Nov 2007 <http://news.zdnet.co.uk/software/0,1000000121,39250232,00.htm>


attacks become more dangerous.57 There are many specific types of DoS attack, but the common effect of them all is that legitimate users of the services provided by a system are prevented from using that system. CERT (Computer Emergency Response Team) classifies the following activities as DoS attacks:58
● attempts to "flood" a network, thereby preventing legitimate network traffic
● attempts to disrupt connections between two machines, thereby preventing access to a service
● attempts to prevent a particular individual from accessing a service
● attempts to disrupt service to a specific system or person

The DoS attack takes advantage of the most basic limits of computers: finite memory, finite processing speed, and finite communication bandwidth. These limits, while rapidly growing, will always remain finite, and problems arise when attackers manage to exhaust them. Once a computer runs out of a limited resource that it needs to function, the system becomes disabled, and can stay disabled for a variable length of time, depending on the style of DoS attack used and the determination of the attacker. In addition to consuming the scarce resources of computers, denial of service can also be achieved by altering or destroying configuration files needed by a system, or even through physical destruction of components. Any device that communicates with a computer and is accessible through a network is vulnerable. The embedded computers present in many electronic devices have the same limits and the same vulnerability to DoS attacks as common desktop systems, especially those that are connected to the Internet constantly. It is dangerous to assume that a device that does not look like a typical desktop computer cannot be a target, or that potential attackers will be unable to communicate with it.
Any computer-based system that can be communicated with remotely, and would have negative consequences if authorized users of the system were prevented from using it, can possibly be damaged by a Denial of Service attack.

2.2.1 Vulnerabilities

Owners of computer systems often underestimate their vulnerabilities and fail to consider measures to prevent or respond to DoS attacks. A common assumption is that the system does not communicate with remote devices enough to be affected, or that only popular web shopping sites suffer from this kind of attack. Individuals can be targeted in addition to organizations, potentially cutting off a person's communication completely. A wide variety of machines rely on networks to function and are not public web sites, though the web-based incidents tend to be the most visible.

57 Moore, David, et al. "Inferring Internet Denial-of-Service Activity." ACM Transactions on Computer Systems, Vol. 24, No. 2, May 2006, 115–139.
58 CERT Coordination Center. "Denial of Service Attacks." 4 Jun 2001. US-CERT. 30 Oct 2007 <http://www.cert.org/tech_tips/denial_of_service.html>


2.2.2 Sensor Networks

Sensor networks are an example of a class of practical devices that denial of service can target to cause harm. Various sensor devices are used to protect and monitor military, environmental, and other safety-critical infrastructure and resources. The failure of certain sensors can potentially cause physical harm to people. Machines exist that can record and transmit data on many different environmental properties, and they are increasingly reliant on computers to function. These new sensor networks are often found replacing older systems in which the machinery was confined to a limited and controlled environment. Systems of sensors communicate over a network with a computer that processes the data acquired by the devices and acts on the information appropriately. It is easy to imagine sensor networks forming warning systems and becoming part of military scenarios. With new advances in technology, sensor networks are finding many new applications and becoming smaller and cheaper, though many users still operate them under the assumption that they remain in their old enclosed environments. The design of many sensor devices does not take security into consideration, allowing intelligent adversaries to hinder the use of often critical information.59

Mobile devices like PDAs and cellular phones are also valid targets for DoS attacks. A mobile device can be remotely shut off, have its communication channels flooded, or be made to drain its battery. Many devices can be crashed and made to shut off by sending them specific pieces of data. Because phones and PDAs have far less memory and processing power than typical computers, overwhelming them with more messages than they can handle is not difficult. Battery exhaustion techniques are a style of DoS attack unique to mobile devices.
It is possible to feed data to a mobile device that forces its power to drain faster, such as repeatedly requesting a connection to the device, even if the connection is always denied. Portable wireless devices have become popular and widely depended upon in society. As mobile devices replace older technologies, many inappropriate assumptions from those old technologies are still applied to the new, which can cause the risk of a DoS attack to be neglected.60

2.2.3 Denial of Service on the Internet

Denial of Service attacks on different systems have been happening for decades, but did not gain much attention until the first "Distributed Denial of Service" attacks, or DDoS attacks, started happening against computers connected to the Internet. DDoS attacks differ from regular DoS attacks in that the target is brought down by many networked computers working together. Regular DoS attacks on the Internet were not seen as a large threat because detecting an attack and blocking it was relatively simple: malicious messages would come from a single computer, which could be traced and banned from communication. Distributed DoS attacks were

59 Wood, Anthony, and John Stankovic. "Denial of Service in Sensor Networks." IEEE Computer, Oct 2002, 54-62.
60 Dagon, David. "Mobile Phones as Computing Devices: The Viruses Are Coming!" IEEE Pervasive Computing, Oct-Dec 2004, 11-15.


first noticed in 1999; these employed hundreds of computers to bring down a target system, and presented new challenges to computer security experts.61 Typically, when a target is bombarded with messages from hundreds of machines at the same time, it is forced to shut down for several hours. The sources of the messages are then tracked and blocked. Large Internet sites can have enormous capacity in bandwidth and memory, and shutting them down requires the skillful manipulation of a correspondingly larger number of computers. Though some targets have a huge capacity, they remain vulnerable because attackers have adapted their techniques. One of the most significant DDoS attacks happened in February 2000, during which several of the world's most frequently used web sites, including Yahoo, Amazon, Buy.com, CNN, eBay, ZDNet, E*Trade, and Excite, were made inaccessible to Internet users. Many victims of the DDoS attack opted not to admit being attacked, in order to avoid bad press and prevent copycats. These large shopping sites lose large amounts of money when they are not operational, and such outages threaten confidence in the online economy. This DDoS attack was so severe that Internet speed worldwide was slowed down.62

2.2.4 Executing a Distributed DoS Attack

The method used to commit a DDoS attack like the incident in 2000 is twofold. First, the attacker must gain control over a team of computers, building a "botnet" or accumulating "zombies." Usually the process of seizing control over Internet-connected computers is automated. An attacker discovers a flaw in the security of many systems, and performs a scan of large portions of the Internet to find the specific systems that contain the desired security flaw. Computers connected to university networks or other fast and persistent connections make ideal zombies because they can send the attack data faster than most systems on the Internet.
It is possible for attackers to probe the Internet for potential botnet computers in such a way that even recently connected systems can be found and controlled before their owners tell anybody that they exist. People all over the planet are constantly scanning large parts of the Internet, to the point that it is almost inevitable that every system will be probed by a potential attacker, even if nobody knows about the system.63 Once a set of vulnerable systems is found, the attacker uses an automated tool known as an "exploit" to gain control of the systems. The attacker then destroys the evidence that could be used to identify the source of the attack, and installs tools that allow the system to be commanded remotely and anonymously. To form the attack group, the attacker designates one machine as the master, while the rest of the set act as daemons under the master system's command. With a team of computers under the attacker's control, usually unknown to the actual owners of the breached systems, the attacker can then give the signal to the master system, which
61 Kessler, Gary. Defense against Distributed Denial of Service Attacks. Nov 2000. 30 Oct 2007 <http://www.garykessler.net/library/ddos.html>
62 Garber, Lee. Denial-of-Service Attacks Rip The Internet. IEEE Computer. Apr 2000. 12-17
63 Know Your Enemy – Tools and Methodologies. 21 Jul 2000. 30 Oct 2007. <http://www.honeynet.org/papers/enemy/index.html>


starts an attack on a specific target. The following diagrams illustrate the process of forming a botnet and attacking a system. In the first picture, the DDoS master (blue computer) reaches out to the compromised systems (magenta computers). Upon command of the DDoS master, the compromised computers flood the victim computer (red computer) and overload the system.

Figure 2.1: Botnet Diagram64

There are several types of attack that are used to bring down systems in different ways. One common type of attack is known as a UDP flood, during which the team of computers sends generated characters to their target and requests that they be repeated back. The volume of data coming into the target system becomes so great that it uses all of its resources to receive the dummy messages and respond to them, to the point that the target system is unable to spare enough time to handle legitimate users.
64 Kessler, Gary. Defense against Distributed Denial of Service Attacks. Nov 2000. 30 Oct 2007 <http://www.garykessler.net/library/ddos.html>


Another common type of attack is called a SYN flood, which takes advantage of the finite memory that the target uses to remember who it is communicating with. Computers on the Internet are able to initiate transfers of large amounts of information, but must first negotiate a few details before the information can be exchanged. In a SYN flood attack, each of the attacking systems initiates many bogus connections with the target system, forcing the victim to fill up its memory with the false connection information. Once the target's memory is full, it can no longer establish the connections it needs to communicate with its true users. In addition, there is a style of attack known as the “smurf”, which is executed by sending a large number of computers a “ping” message, but forging the return address so that each pinged system sends its reply to a victim system, overwhelming it with information until it cannot process valid requests. A “ping” is a message used by computers to check if they can still contact each other: one computer sends and the other replies, so that the system knows that the network is working correctly. When used for an attack, a ping message is sent with a forged sender, so that the receiver directs its reply to the target chosen by the attacker rather than to the true source of the message. This final type of attack is unique in that the team of computers does not need to be breached and fully controlled by the attacker, because ping messages are a standard service present on most computers. The messages sent are small compared to other types of attacks, making “smurf” style DoS attacks less dangerous than the flooding techniques.65

2.2.5 Hacking Communities

Gathering groups of compromised systems for committing DoS attacks and engaging in other forms of Internet-based disruption has grown into a widespread activity on the Internet.
Hackers have formed groups which allow them to develop skills and align themselves with different interests and conduct cyber-warfare. Many hacker groups are based on ideology or loyalty to a country, but diverse hacker teams containing members from all over the planet are also common. In these communities, hackers can be found bragging about their achievements, making demands, exchanging attack techniques and even selling access to breached computers and stolen credit cards. Usually, these hacking groups are passionate private citizens operating without the instruction of any government, though some governments are criticized for encouraging the activities of these groups.66 Understanding how these communities work helps the effort to deal with their threats. Often, a hacker will discover a vulnerability that is likely to be present in many computers, and will use chat rooms and bulletin services to publish that information to others. Hackers quickly develop scripts which can be traded and executed to take advantage of security flaws and seize control over the vulnerable systems. Often, groups develop programs which automate and simplify the process of breaching a system so that a large number of attackers who might be unfamiliar with the details of the software flaw can still use it to gain control over systems. With the help of these communities, potential attackers do not need to develop much technical expertise, but instead
65 Garber, Lee. Denial-of-Service Attacks Rip The Internet. IEEE Computer. Apr 2000. 12-17
66 Know Your Enemy – Motives. 21 Jul 2000. 30 Oct 2007. <http://www.honeynet.org/papers/motives/index.html?


only need to know how to find exploit scripts and use tools provided by others. The community then allows hackers to specialize in specific tools or vulnerabilities. The attack on major websites in 2000 was conducted using a community tool known as trinoo.67

2.2.6 Case Study - United States and China Cyber-Conflict in 2001

When groups within the hacking community align themselves with conflicting interests, situations can quickly evolve into “cyber-warfare”. An incident between hackers in the United States and China happened in April of 2001, when an American spy plane and a Chinese jet collided over the South China Sea, killing the Chinese pilot and forcing the American plane to land in China. Once news of the incident was out, hackers from both countries began attacking each other's systems, often breaching them and leaving messages for their enemies. The incident attracted the attention of Wired Magazine, which described the attacks as a “private war” and “cyber-retaliation”. The hackers from both countries were not supported by their states, but rather were amateur computer hackers who channeled their anger over the airplane collision into an effort to ruin foreign information services.68,69 The attacks were mostly against web and email servers, but also included viruses and DDoS attacks. Two non-critical web sites maintained by the US Navy were defaced by Chinese hackers, who replaced the original pages with protests relating to the crash. A commercial American web site was replaced with pictures of the killed Chinese pilot, the Chinese flag, and the statement “As we are Chinese, we love our motherland and its people deeply. We are so indignant about the intrusion from the imperialism.
The only thing we could say is that, when we are needed, we are ready to devote anything to our motherland, even including our lives.”70 American hackers committed similar defacements on many Chinese servers as well, including messages taunting the Chinese and demands that China return the American plane and its passengers. The messages that appeared on hacked Chinese sites were diverse: some criticized the press and the US government for taking the incidents too seriously, while others made dangerous threats. The following example of a hacked Chinese web site from the conflict demonstrates many of the concerns raised by cyber-warfare:

Figure 2.2: Defaced Website
67 Dittrich, David. The DoS Project's "trinoo" distributed denial of service attack tool. 21 Oct 1999. University of Washington. <http://staff.washington.edu/dittrich/misc/trinoo.analysis>
68 Delio, Michelle. Crackers Expand Private War. 18 Apr 2001. Wired Magazine. 30 Oct 2002. <http://www.wired.com/politics/law/news/2001/04/43134?currentPage=2>
69 Delio, Michelle. A Chinese Call to Hack the US. 11 Apr 2001. Wired Magazine. 30 Oct 2002. <http://www.wired.com/politics/law/news/2001/04/42982?currentPage=2>
70 Feds Warn of May Day Attacks on US Web Sites. 26 Apr 2001. CNN. 30 Oct 2002. <http://archives.cnn.com/2001/TECH/internet/04/26/hacker.warning/index.html>


With such messages appearing on hacked web sites, and attacks happening on other types of servers as well, the National Infrastructure Protection Center issued a warning to American networks to expect an increase in cyber-attacks from China. The incident happened during a week which contained several dates of historical significance in China, including May Day, Youth Day, and the anniversary of NATO bombing the Chinese Embassy in Yugoslavia. Youth Day in China commemorates protests against foreign aggression, which magnified the hostile feelings already produced by the airplane collision and cyber-conflict. Despite the cyber-conflict, relations between the United States and China remained civil: China accepted the United States' regrets over the killed pilot and returned the crew operating the plane, and both governments prevented the conflict from escalating beyond cyber-space.71

2.2.7 Defense against DoS Attacks

The threat of DoS attacks paralyzing computer systems, coupled with diplomatic crises like the incident with the Chinese jet collision, has led to further consideration of what can be done to prevent cyber-damage. Denial of Service attacks present new technical challenges for experts attempting to protect their systems and identify offenders. Currently, a combination of technology and human vigilance is employed to defend against DoS. DoS is an actively researched area, with a wide variety of proposed solutions available. The costs of implementing these solutions change dramatically with the scale of the system being defended. There are also published suggestions that apply to Internet Service Providers and the networks that form the core information paths on the Internet.

2.2.8 Defending Individual Systems

The first weak point that can be improved is the common personal computer run by most of the population. Personal computers are usually the vulnerable systems which attackers are able to commandeer en masse and use to commit their decentralized attacks.
Much to the frustration of larger systems which depend heavily on the Internet and spend major resources protecting themselves, large sets of commonly weak computers can still overwhelm protected systems. Reducing the number of vulnerable systems that attackers can seize control of is possible through several relatively simple tools and practices. Users need to keep their systems up to date. Many software packages automate the update process so that security fixes are applied regularly, while others require that the user regularly check the Internet for updates and download them. Updating software can be difficult for many computer users, but improvements to the update process can reduce the number of weak systems available to attackers. Another practice which can reduce vulnerability is for users to disable software which they do not use. By running the bare minimum of programs which attackers can communicate with and exploit, attackers will have fewer ways to take control of remote systems and use them to cause harm. Disabling unneeded software on a computer can also be difficult, but can be made easier if distributors of computers package them with default settings that run few exploitable programs and automate the update process.
71 Feds Warn of May Day Attacks on US Web Sites. 26 Apr 2001. CNN. 30 Oct 2002. <http://archives.cnn.com/2001/TECH/internet/04/26/hacker.warning/index.html>


Software placed on personal systems can also improve protections against DoS attacks. The most common tools of system protection are currently virus scanners and firewalls, both of which help to reduce the number of systems which can be infiltrated. A firewall protects a system by limiting which of its processes can communicate with the network. A system that has fewer processes that remote users can communicate with has fewer ways by which attackers may take control of it. Virus scanners can also be used as a way to reduce DoS attacks because many viruses are designed to seize control of computers and commit DoS attacks automatically. Attackers often use mixed methods of cyber-attack, which take advantage of vulnerabilities in one area that cascade into vulnerabilities in another. Defenses against DoS attacks thus require defenses against other styles of computer attack, such as viruses.

2.2.9 Defending Local Networks

At the local network level, defense can be improved by using Intrusion Detection Systems and logging tools. Intrusion Detection Systems monitor networks for suspicious traffic and warn administrators of possible attacks. Detection can be adjusted for specific levels of caution, but the warnings provided by such systems require experienced administrators who know how to respond to them appropriately. Sometimes Intrusion Detection warnings are false alarms, but the systems are still helpful in protecting networks.72 A variety of tools exist which log the activity of systems, allowing administrators to notice when their systems have changed unexpectedly, and aid in tracing the source of attacks. Logging can also act as a deterrent to attackers who worry about being caught. Hackers put a lot of effort into escaping detection by tampering with activity logs, but logging tools have responded to this tampering by developing more tamper-resistant logging systems.
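The SYN-flood and “smurf” patterns described in 2.2.4 are the kind of suspicious traffic an Intrusion Detection System watches for. The following is an added example, not code from the report: it runs two such checks over a constructed packet log (the record format, the addresses and the thresholds are assumptions).

```python
"""Flag SYN-flood and "smurf" reply-flood patterns in a packet log.

Added example, not code from the report. The log format, the addresses
and the thresholds are assumptions; every record below is constructed.
"""
from collections import defaultdict

# Record format (assumed): (time_s, proto, src_ip, dst_ip, flags)
# flags holds the TCP flag letters ("S", "SA", "A") or the ICMP type name.
PACKET_LOG = [
    # A normal three-way handshake and a normal ping exchange.
    (0.0, "TCP", "10.1.1.5", "192.0.2.10", "S"),
    (0.1, "TCP", "192.0.2.10", "10.1.1.5", "SA"),
    (0.2, "TCP", "10.1.1.5", "192.0.2.10", "A"),
    (0.5, "ICMP", "10.1.1.5", "192.0.2.10", "echo-req"),
    (0.6, "ICMP", "192.0.2.10", "10.1.1.5", "echo-rep"),
]
# SYN flood: 60 hosts open a connection to the web server and never
# finish the handshake, so each one occupies a half-open table entry.
for i in range(60):
    bot = "203.0.113.%d" % (i + 1)
    PACKET_LOG.append((1.0 + i * 0.01, "TCP", bot, "192.0.2.10", "S"))
    PACKET_LOG.append((1.005 + i * 0.01, "TCP", "192.0.2.10", bot, "SA"))
# Smurf: 40 hosts on a broadcast network answer a ping whose forged
# source address was the victim 192.0.2.20, which never pinged anyone.
for i in range(40):
    PACKET_LOG.append((2.0 + i * 0.01, "ICMP", "198.51.100.%d" % (i + 1),
                       "192.0.2.20", "echo-rep"))


def half_open_syns(log):
    """Per target, number of sources whose SYN was never followed by the
    ACK that completes the handshake (entries stuck in the target's
    finite connection memory)."""
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for _t, proto, src, dst, flags in log:
        if proto != "TCP":
            continue
        if flags == "S":
            syn_sources[dst].add(src)
        elif flags == "A":
            ack_sources[dst].add(src)
    return {dst: len(srcs - ack_sources[dst])
            for dst, srcs in syn_sources.items()}


def unsolicited_echo_replies(log):
    """Per destination, number of distinct hosts sending ping replies
    to a host that never sent them a ping request."""
    pinged = defaultdict(set)    # requester -> hosts it pinged
    repliers = defaultdict(set)  # destination -> hosts replying to it
    for _t, proto, src, dst, flags in log:
        if proto != "ICMP":
            continue
        if flags == "echo-req":
            pinged[src].add(dst)
        elif flags == "echo-rep":
            repliers[dst].add(src)
    return {dst: len(srcs - pinged[dst]) for dst, srcs in repliers.items()}


def detect(log, syn_threshold=50, smurf_threshold=20):
    """Return (alert_type, target, count) tuples above the thresholds."""
    alerts = []
    for dst, n in sorted(half_open_syns(log).items()):
        if n >= syn_threshold:
            alerts.append(("SYN_FLOOD", dst, n))
    for dst, n in sorted(unsolicited_echo_replies(log).items()):
        if n >= smurf_threshold:
            alerts.append(("SMURF_REPLY_FLOOD", dst, n))
    return alerts


if __name__ == "__main__":
    for alert in detect(PACKET_LOG):
        print("%s against %s: %d hosts involved" % alert)
```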
Local networks could also be made more secure by enforcing stricter rules on passwords, requiring that they be used and are not easily guessed.

2.2.10 Defending Extended Networks

On the wide area network level, many solutions to attacks have been proposed, and some solutions are already in place. Filtering at the core of the Internet, known as ingress and egress filtering, helps to prevent attack messages from being broadcast. Ingress and egress filters work by comparing the sources and destinations of data packets with maps of the network, and refuse to forward data that could not possibly have traveled through the route on which it is found, which reduces the amount of data traversing the Internet with forged source information. Changes to the core of the Internet are seen as the last resort, because of the far-reaching effects that the changes may have. Cooperation among the interconnected networks allows attacks to be limited more efficiently. During a DoS attack, attacked systems work to block the data floods at their sources by tracing the messages down the pathways and requesting that certain messages be blocked at each intersection of the network. DoS attacks can be limited if their messages are blocked

72 Ptacek, Thomas & Newsham, Timothy. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Jan 1998. Secure Networks Inc. 30 Oct 2007. <http://insecure.org/stf/secnet_ids/secnet_ids.html>


closer to their sources, but this requires rapid response across long distances and collaboration between business competitors.73

2.2.11 Case Study: Estonia DDoS Attacked by Russia

In April of 2007, Estonia relocated a bronze monument of a World War II Russian soldier from the central square of its capital city, Tallinn. The relocation of this statue enraged Russians and started riots in Tallinn, and also incited DDoS attacks against Estonian government and banking services. Estonia has developed a strong dependence on the Internet, and has declared Internet access a fundamental human right. Estonia has developed what it calls the “paperless government”, which operates largely over computer networks and allows citizens to vote online. The Internet infrastructure has led Estonians to refer to their country as “E-stonia” and has become a source of pride for the country.74 In response to the relocation of the Russian monument, attacks started against the Estonian foreign minister's web site, then spread to include all government institutions and key businesses. Russia was accused of launching the attack, and the Estonian Minister of Justice claimed the attacks had been traced to computers in Moscow belonging to the Russian government. Independent experts did not find convincing evidence that Russia orchestrated the DDoS attacks. Estonia called for technical assistance from NATO as its banks and government services were flooded. The attack lasted about a week, during which economic activity in the country was slowed down and the government was without Internet communication. Eventually, Estonia had to cut off its Internet connections with other countries so that its population could access the needed government services. This had the side effect of making bank transactions with other countries difficult.
Commenting on the defense against the attack, Marty Lindner, a senior member of the technical staff at the Computer Emergency Response Team (CERT), said: “In the case of Estonia, they were only targeting 12 or 13 distinct Web sites, but the collateral damage was the national bandwidth resources. In the big scheme of things, short of getting people outside the country to filter the attack traffic, there wasn’t much somebody in Estonia could do but hold on for the ride.” In response to the incident, the European Union began discussing possible agreements that could help mitigate damage caused by DoS attacks.75
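The ingress and egress filtering described in 2.2.10 can be shown as a routing-map check at a network edge. The following is an added example, not code from the report; the interfaces, prefixes and packets are constructed assumptions for a small stub network.

```python
"""Ingress and egress source-address filtering at a network edge: a router
compares a packet's source address with its map of the network and refuses
to forward packets that could not have arrived on the interface they came
in on.

Added example, not code from the report. The interfaces, prefixes and
packets are constructed assumptions for a small stub network.
"""
import ipaddress

# Constructed routing map: each interface and the prefixes reachable behind it.
ROUTES = [
    ("customer-a", ipaddress.ip_network("198.51.100.0/24")),
    ("customer-b", ipaddress.ip_network("203.0.113.0/24")),
    ("upstream", ipaddress.ip_network("0.0.0.0/0")),  # the rest of the Internet
]
LOCAL_PREFIXES = [net for iface, net in ROUTES if iface != "upstream"]


def route_interface(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    best_iface, best_len = None, -1
    for iface, net in ROUTES:
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def is_local(addr):
    return any(addr in net for net in LOCAL_PREFIXES)


def verdict(in_iface, src_ip, dst_ip):
    """Decide whether to forward a packet that arrived on in_iface.

    Ingress rule: the source must be reachable back through in_iface, so a
    customer cannot emit packets with forged sources and nobody outside can
    claim one of our own addresses.
    Egress rule: anything sent toward the upstream must carry one of our own
    addresses, so this network never relays forged or transit traffic.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if route_interface(src) != in_iface:
        return ("DROP", "ingress: source %s cannot arrive on %s" % (src_ip, in_iface))
    if route_interface(dst) == "upstream" and not is_local(src):
        return ("DROP", "egress: non-local source %s leaving the network" % src_ip)
    return ("FORWARD", "")


# Constructed packets: (arrival interface, source, destination)
PACKETS = [
    ("customer-a", "198.51.100.7", "192.0.2.1"),   # normal outbound traffic
    ("customer-a", "192.0.2.99", "203.0.113.5"),   # forged source from a customer
    ("upstream", "198.51.100.7", "203.0.113.5"),   # outsider claiming our address
    ("upstream", "192.0.2.1", "198.51.100.7"),     # normal inbound traffic
    ("upstream", "192.0.2.1", "192.0.2.2"),        # transit we must not relay
]


def filter_packets(packets):
    """Verdict string for each packet, in order."""
    return [verdict(*pkt)[0] for pkt in packets]


if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "->", verdict(*pkt))
```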

2.3 Computer Viruses

Computer viruses are a subset of malware, which is broadly defined as any unwanted and problematic software running on a computer system. What separates a virus from other undesirable software is that viruses are made to self-replicate and spread to other computers. Most viruses are malicious programs written by computer hackers, though recently certain software distributed by businesses has been classified as a virus by some sources. Computer
73 Chang, Rocky. Defending Against Flooding-Based Distributed Denial of Service Attacks: A Tutorial. IEEE Communications Magazine. Oct 2002. 42-51
74 Lesk, Michael. The New Front Line: Estonia Under Cyber Assault. IEEE Security & Privacy. Jul/Aug 2007. 76-79
75 Goth, Greg. The New Politics of DDoS Attacks. IEEE Distributed Systems Online. Aug 2007. 1-4


viruses are a thoroughly researched sector of cyber security, led mostly by companies selling software designed to combat viruses. The practice of creating and distributing viruses has existed since the mid 1980s, though sources differ on when exactly it started due to differing opinions on what exactly constitutes a virus. Over time, virus production has grown increasingly sophisticated, and programs have been designed to cause a variety of negative effects. Viruses can be harmless pranks, causing nothing more than an annoying message, but are also capable of causing massive data loss, disrupting communication, and allowing attackers to control a computer remotely.76

2.3.1 Types of Viruses

As new viruses are developed, security experts have classified them into categories by their behavior. The following terms describe subsets of computer viruses.
- Traditional Virus: These programs alter existing software on a computer so that when executed, the virus will attempt to insert itself into more pieces of software, resembling biological viruses spreading an infection.
- Worm: Software that relies on system vulnerabilities to replicate and spread is referred to as a worm. Worms are distinguished from other viruses in that they do not exist as parts of existing software, but rather as self-contained programs that propagate through security exploits.
- Trojan Horse: Programs that trick the user into executing them by masquerading as a file that the user wants are referred to as Trojans. Trojans are unique in that they spread and infect computers by using social manipulation.
- Rootkit: Software which is designed to run at the highest level of access on a system, and to use administrative permissions to hide its existence, is known as a rootkit. Rootkits often have the ability to escape detection and take full control of the system.77

2.3.2 Effects of Viruses

Each type of virus is characterized by the way it spreads to other systems. The actual effect the virus has on a system once it is infected is called the “payload”. The payloads of viruses vary greatly, allowing them to be used as pranks or dangerous weapons. Common virus payloads include displaying offensive messages, forcing the system to send spam messages to others, allowing a hacker to control the system remotely, erasing potentially critical data, intercepting sensitive information, and even forcing the system to commit a DoS attack.

76 Highland, Harold Joseph. A History of Computer Viruses -- Introduction. Computers & Security. Vol 16, Issue 5. 1997. 412-415. <http://www.sciencedirect.com/science/article/B6V8G-3SX269W-2P/2/e96ee1d35ae6e62abd338c29a32234a7>
77 Purdue University. Virus Terminology. 2005. 1 Dec 2005 <http://www.purdue.edu/securepurdue/steam/help/view.cfm?KBTopicID=210>.


2.3.3 Defense against Viruses

Detection and removal of viruses is a heavily researched discipline. A large industry has grown around the development of tools to eliminate viruses before they can cause damage. Professionals work constantly to track viruses as they spread and to automate the process of removing them for their customers. A virus scanner is a popular type of software which scans computers for viruses and assists in their removal. Hackers and security professionals are in a race to improve their tools. Hackers have a strategic advantage over security professionals in that they can create new viruses and use them to cause damage before the virus is discovered and the scanner is updated to detect and remove it. Virus scanning software is handicapped in the effort to eliminate viruses because it must be updated constantly to be equipped to handle the new threats that are constantly emerging. There is an inevitable lag involved in the process of developing scanning capabilities for every new virus that gets created, and hackers are using increasingly clever methods to circumvent virus scans. Many virus scanners have the capability to detect new viruses by closely observing the functions that the system is performing. Scanners have limited prediction capabilities that are sometimes capable of detecting and removing newly developed viruses: when new viruses share the same patterns of behavior as familiar viruses, they can be found and eliminated.78

Figure 2.3: Virus Scanner Interface79

The development of new tools to detect and eliminate viruses is active and thriving, along with warning systems that enable computer users to anticipate viruses as they spread. With warnings in place, often describing how the virus arrives and how to notice if a system has been infected, users are better equipped to prevent infection and reduce damage. The main problems in defense

78 Nachenberg, Carey. Computer Virus-Antivirus Coevolution. Communications of the ACM 40.1 (1997): 46-51.
79 US-CERT. Home Computer Security - Examples. 2002. 1 Nov 2005 <http://www.cert.org/homeusers/HomeComputerSecurity/examples.html>.


against computer viruses at the moment are systems which use no virus scanning, scanners that are not updated for new viruses, and users who are easily tricked into infecting their computers.
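The two scanner capabilities contrasted in 2.3.3, signature matching that lags behind each new virus and behaviour-based detection that can catch a variant before any signature exists, as an added example that is not code from the report. The signature database, the samples and the behaviour weights are constructed for the demonstration.

```python
"""Signature scanning versus behaviour-based detection.

Added example, not code from the report. The signature database, the
samples and the behaviour weights are constructed for illustration.
"""
import hashlib

# Constructed signature database, as a scanner would receive it in an update:
# exact file hashes plus byte patterns found in known samples.
HASH_SIGNATURES = {}   # sha256 hex digest -> virus name (filled in below)
BYTE_SIGNATURES = {"Demo.Mailer": b"SEND_SPAM_TO:", "Demo.Wiper": b"DEL_ALL_DOCS"}

# Constructed samples: file bytes plus the actions a sandbox observed when
# the file ran. "notes.exe" is benign; "mailer_v2.exe" is a new variant whose
# author changed the string the byte signature keys on, but not its behaviour.
SAMPLES = {
    "mailer.exe": (b"MZ...payload SEND_SPAM_TO:list.txt",
                   ["read_address_book", "smtp_connect:40", "write_executable"]),
    "mailer_v2.exe": (b"MZ...payload S3ND_SP4M:list.txt",
                      ["read_address_book", "smtp_connect:55", "write_executable"]),
    "notes.exe": (b"MZ...notepad clone", ["read_document", "write_document"]),
}


def update_database(name, data):
    """A signature update: record the hash of a sample seen in the wild."""
    HASH_SIGNATURES[hashlib.sha256(data).hexdigest()] = name


update_database("Demo.Mailer", SAMPLES["mailer.exe"][0])

# Behaviour rules: (predicate on one observed action, weight). A file whose
# actions accumulate at least SUSPICION_THRESHOLD points is flagged even when
# no signature matches it yet.
BEHAVIOUR_RULES = [
    (lambda a: a == "write_executable", 3),    # modifies other programs
    (lambda a: a == "read_address_book", 2),   # harvests addresses to spread
    (lambda a: a.startswith("smtp_connect:") and int(a.split(":")[1]) >= 20, 3),
    (lambda a: a == "hide_process", 4),        # rootkit-like concealment
]
SUSPICION_THRESHOLD = 5


def signature_scan(data):
    """Return the matching virus name, or None if the database has no entry."""
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def behaviour_score(actions):
    """Sum the weights of every rule that an observed action triggers."""
    return sum(w for action in actions for pred, w in BEHAVIOUR_RULES if pred(action))


def classify(filename):
    data, actions = SAMPLES[filename]
    sig = signature_scan(data)
    score = behaviour_score(actions)
    return {"signature": sig, "score": score,
            "flagged": sig is not None or score >= SUSPICION_THRESHOLD}


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, classify(name))
```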

2.4 Packet Sniffing

Packet sniffing is a network analysis technique used to monitor traffic between devices on a network. It is used extensively by network administrators, and has a number of legitimate uses. In the hands of a subversive computer user, however, packet sniffing becomes a useful tool for obtaining sensitive data without penetrating a computer network’s security measures. In order to understand how packet sniffing works, its uses both harmful and helpful, as well as its limitations and caveats, a few key concepts must be defined.

2.4.1 Data Streams and Packets

The Ethernet connections that exist between computers are far from perfect, and, in order to compensate for lost data, many data transfer protocols break the data into small, self-contained packets of information. On the other end, the computer receiving the data pieces it back together, and immediately recognizes which packets were dropped. The packets themselves are small and self-contained, with “header” information which details where each packet goes in relation to the other packets, its size, and so on, as well as diagnostic information used to ensure the packet was received in its entirety. Data streams are the lines of packets that stretch between the source and destination. When packet systems are used on a “connectionless” system, such as the Internet, the packets may take multiple paths to their destination in order to optimize the connection for speed and minimize packet loss.

2.4.2 File Transfer Protocols

Different actions on the Internet use different file transfer protocols to guide how the computers in a network package information for transfer. For example, web surfing uses the HyperText Transfer Protocol (HTTP) to deliver a page's source code. Web-based email services such as Hotmail and GMail, however, may use the IMAP4 or POP3 systems. This information is relevant to this topic because different file transfer protocols devote different levels of attention to security.
IMAP4 and POP3, the previously mentioned email protocols, for example, make no attempt to encrypt the body of the email, meaning that merely intercepting a packet is enough for a sniffer to obtain and read a piece of that email.

2.4.3 Networking Schemes
2.4.3.1 Ethernet Networks

Most wired (as opposed to wireless) computer networks use an Ethernet configuration, either configured in a Local Area Network with cables physically connecting each device, or connected


to an outside connection, such as ADSL or Cable, to the Internet. Networks may also use a hybrid of these. Local Area Networks theoretically restrict connections to computers that are physically connected into the network. When one or more of those computers also has a connection to the Internet, however, a skilled user may communicate to any or all computers on that network, provided no firewall exists, or it has been compromised. Packet visibility in Local Area Networks is based largely on the physical layout of the Ethernet network. When computers are connected together using devices called “hubs”, each member of the network may monitor all of the traffic going through the hub. Hubs take the information sent from each member of the network and send it to every other member. Switches, however, are designed to isolate network members from each other unless they are communicating directly, though many packet-sniffing programs are designed to overcome this function.
2.4.3.2 WiFi Networks

WiFi networks allow computers to communicate wirelessly, using radio signals. WiFi connections are based on the 802.11 standard developed by the IEEE, which is commonly seen in its 802.11b and 802.11g varieties. Computer users can use WiFi connections to connect to the Internet through hubs while in “hotspots”, or connect directly to other computers with WiFi cards to establish “peer-to-peer” communications. Today, many businesses offer free WiFi on their premises, offering unfettered access to the Internet, with traffic controlled only by User Agreements posted in the buildings with various degrees of visibility. WiFi network administrators have some options for securing their networks, including “whitelisting” and WEP. Whitelisting requires the administrator to manually input the Media Access Control (MAC) addresses of each computer he or she wants to have access. This method is vulnerable to “spoofing” (see below). Wireless Encryption Protocol (WEP) is a feature of 802.11 networks used to prevent computers that have not been given the WEP key from connecting to the network. Unfortunately, open-source programs are available that can crack WEP keys; AirSnort80 is an example. Its webpage claims that it can crack a WEP key in under a second once the program has been allowed to monitor 5-10 million packets. Once a computer is allowed onto a WiFi network, all packet transfers are visible to it, although most WiFi cards review and ignore packets destined for other nodes on the network. Many cards feature a “promiscuous mode” which causes them to pay attention to all packets. This may then be coupled with a packet-sniffing program.
2.4.3.3 Network Interface Cards and Promiscuous Mode

A Network Interface Card (NIC) is an internal computer component that connects to networks, either Ethernet or 802.11. With the exception of Ethernet networks with uncompromised switches, both network types allow NICs to see all packet traffic on the network. By default, NICs ignore all but the data streams with their host computer as the destination. This design is as
80 AirSnort Homepage. 31 Dec 2004. The Shmoo Group. 30 Oct 2007. <http://airsnort.shmoo.com/>.


much for efficiency as for security. Nearly all NICs, however, have the capability of running in “promiscuous mode”.81 With this turned on, the NIC reads all of the packets that travel over the network.

2.4.4 Implementations

Once a computer is on a network, the most difficult task is complete. Packet sniffing programs are easy to find, and many are free and open source. They work by putting the NIC in promiscuous mode, then analyzing the received packets. Many packet sniffers contain algorithms that will automatically look for user names and passwords, streamlining the process.
2.4.4.1 Spoofing

The term spoofing refers to a computer misrepresenting its network identity in order to receive data intended for another computer on the network. Examples include spoofing MAC addresses and IP addresses. While this information is difficult for an unskilled user to obtain, a number of tools are available to hackers who seek it.
2.4.4.2 Limitations and Counters

When one computer spoofs another that is still operational, it can create inconsistencies in the return traffic that can clue in network administrators and well-designed programs. Hackers may try to counter this by coupling spoofing with Denial of Service attacks on the spoofed computer, in order to create the appearance of a single computer using that network identity. Though the threat of packet sniffing may seem dire, a number of limitations impede the goals of hackers and spies. Some of these limitations are inherent to the packet sniffing method, while others are safety measures that system administrators may take to protect their networks.

Non-packet transfers

Not all data transfers use the packet transfer scheme. Communications such as Voice Over IP (VoIP) require a static connection between the source and the destination to ensure a high rate of transfer. Because these streams are constant, and follow a fixed path through the network, the chances of the hacker’s computer being on the transfer path are lower, and the data is much harder to decode. In addition, the streamed audio data has no plain text component, and the hacker would have to be able to reconstruct the stream (no easy feat) in order to take any information out of it.

Secure protocols

HTTP, IMAP, and all the other previously mentioned transfer protocols are old, despite their ubiquity. Newer protocols, such as Secure Sockets Layer (SSL), are meant to provide secure methods for transferring data. Like radio operators in World War II, however, cryptologists must fight to stay one step ahead of hackers trying to defeat their algorithms.

81 Crenshaw, Adrian. A Quick Intro to Sniffers. 30 July 2007. Irongeek.com. 30 Oct 2007. <http://www.irongeek.com/i.php?page=security/AQuickIntrotoSniffers>.


Secure programming

A concept being introduced into software engineering curricula with growing frequency, secure programming involves incorporating security into the very code of the applications that need to transfer data across networks. Some of the advantages of secure programming include increased security over normally unsecured transfer protocols like FTP and POP3, or an extra layer of encryption on top of WEP, SSL, etc. Packet sniffers, specifically, use computer algorithms to try to construct readable text from unordered machine code,82 and the extra layer of encryption would likely render most of these algorithms useless.

Packet sniffer detection programs

Packet sniffing programs generate little or no return traffic, instead monitoring the data passively. As such, they are fairly difficult to detect. Programs like Sniffdet,83 however, can be used to detect NICs that are running in promiscuous mode. Sniffdet is open source, and free for anyone to use, though a certain level of computer skill is required to run the program correctly.

Awareness

Perhaps the best way to prevent packet sniffing is to educate the network administrators who set up and run the networks over which sensitive information travels. Adrian Crenshaw mentions simple practices like putting public terminals on separate networks from staff and administrator networks, and setting workstations to lock when not in use. Packet sniffing works because it is easy for hackers to do. Intelligent network setups and users can make this process much more difficult for hackers with relatively little effort.

2.4.5 Scenarios
2.4.5.1 Public WiFi Service

Many restaurants and cafés offer free WiFi service around their establishments, and users are not even strictly required to be customers. With the exception of vague user agreements, no attempts are made to limit access. An identity thief or hacker might set his or her laptop up within range of the establishment, though not necessarily inside or on the grounds. Meanwhile, a customer checks his or her email using a POP3 system. One of the messages is a confirmation email from an online business website, containing the customer’s user name, password, and credit card information.

[82] Mendis, Surakshan. Packet Sniffing. 2005. SuraSoft. 30 Oct 2007. <http://www.surasoft.com/articles/packetsniffing.php>.
[83] De Souza Reis, Ademar, and Milton Soares Filho. Sniffdet – Remote Sniffer Detector for Linux. 10 Oct 2006. SourceForge.net. 30 Oct 2007. <http://sniffdet.sourceforge.net/>.


2.4.5.2 University Networks

North Carolina State University provides two wireless networks across its campuses, one for guests, and one for students and staff. However, a resourceful hacker could easily obtain the username and password from one of the thirty thousand users in the latter category. Running a packet-sniffing program, he or she would then have access to a significant amount of information. This could range from credit card information as before, to staff research performed on government grants.
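Sniffdet probes hosts remotely; the same promiscuous-mode check can also be run locally on the Linux hosts an administrator manages, which is a practical control on a university network of the kind described above. The following is an added example written for this page, not code from the report or from the Sniffdet project; it decodes the interface flag word that Linux exposes in /sys/class/net/<iface>/flags and parses `ip link show` output, using constructed sample data.

```python
"""Find network interfaces that are running in promiscuous mode (added example).

Two local checks on a Linux host: decode the flag word Linux exposes under
/sys/class/net/<iface>/flags and test the IFF_PROMISC bit, and parse the
textual output of `ip link show`, which lists PROMISC among the flags.
The sample values at the bottom are constructed, not captured from a real host.
"""
import re
from pathlib import Path

# IFF_PROMISC from <linux/if.h>: bit 8 (0x100) of the interface flags word.
IFF_PROMISC = 0x100


def promiscuous_from_flags(flags_by_iface):
    """Return interfaces whose flag word has IFF_PROMISC set.

    flags_by_iface maps interface name -> the hex string read from
    /sys/class/net/<iface>/flags, e.g. "0x1103".
    """
    hits = []
    for iface, hex_flags in sorted(flags_by_iface.items()):
        if int(hex_flags, 16) & IFF_PROMISC:
            hits.append(iface)
    return hits


def read_sysfs_flags(sys_net=Path("/sys/class/net")):
    """Collect the flag word of every interface on a live Linux host."""
    result = {}
    for iface_dir in sys_net.iterdir():
        flags_file = iface_dir / "flags"
        if flags_file.is_file():
            result[iface_dir.name] = flags_file.read_text().strip()
    return result


# "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..." -> name, flags
_IP_LINK_LINE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promiscuous_from_ip_link(output):
    """Parse `ip link show` output and return the interfaces flagged PROMISC."""
    hits = []
    for line in output.splitlines():
        m = _IP_LINK_LINE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            hits.append(m.group("name"))
    return hits


# Constructed sample inputs: eth0 is sniffing, lo and wlan0 are not.
SAMPLE_SYSFS = {"lo": "0x9", "eth0": "0x1103", "wlan0": "0x1003"}
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
"""

if __name__ == "__main__":
    print("sysfs  :", promiscuous_from_flags(SAMPLE_SYSFS))
    print("ip link:", promiscuous_from_ip_link(SAMPLE_IP_LINK))
```

This only covers hosts the administrator can inspect; a visitor's laptop in a café is out of reach, which is why network segmentation and encrypted protocols remain the primary controls.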

2.5 Social Engineering

“The weakest link in an information-security chain is often the user because people can be manipulated.”[84] Social engineering combines hacking with classic confidence schemes and other low-tech methods to obtain user information that may be used in information theft or system attacks. Social engineering attacks may be as simple as the 419 (Nigerian) scams that send probing emails to thousands of addresses, or complex plans involving surveillance and target “casing” in order to best obtain the target’s trust.

2.5.1 Confidence Schemes or Trust and Attack Models

Confidence schemes bring con men to the world of cyber-attacks. Trust and attack models include constantly evolving scams tailored to each particular target. As the social engineering hacker learns more about the target or the target’s company, he or she incorporates this information into exchanges, whether by phone, by email, or in conversation, in order to appear more legitimate. The hacker may pose as a coworker in a large firm, or even a new acquaintance, and the information gleaned is not always, and in fact rarely, technical in nature. Hobbies, and the names and birthdays of family members and pets, are commonly used to produce easy-to-remember passwords. An extremely simple example of a trust and attack model could take place in a dog park. The hacker takes a dog to the park and strikes up a conversation with the target, learning the name of the target’s dog. This information is a popular security question on many major websites, including Hotmail. Email passwords are particularly useful targets, as even more websites use password recovery systems that send the old or changed password to the user’s email.

2.5.2 Phishing

Phishing is a term that refers to emails and websites that attempt to gather user information, typically through fraud and spoofing (see the discussion of spoofing in the packet sniffing section above). At their simplest, phishing attacks can simply be used to determine whether email addresses are in active
[84] Laribee, Lena, et al. Analysis and Defensive Tools for Social-Engineering Attacks on Computer Systems. Information Assurance Workshop, 2006 IEEE. 388–389, 21-23 June 2006.


use, and/or whether the user is a likely candidate for social engineering. 419 scams begin in this way, then follow trust and attack models as hackers establish a relationship with the targets and convince them to commit fund transfers. More elaborate phishing attacks are more specifically targeted. In October of 2006, a number of employees at Dekalb Medical Center in Decatur, Georgia accidentally downloaded a key-logging program when they responded to an email spoofed from Dekalb’s domain, dekalb.org, which claimed that they had been laid off.[85]

2.5.3 Dumpster Diving

“I have found private numbers for very important people on post-its. Building security alarm codes. And my personal favorite, payroll account login and passwords. It amazes me the things people write on these little brightly colored pieces of paper. They serve their purpose for a short time and are then balled up and thrown into the trash. How many people think to shred their Post-Its.”[86]

Provided no other laws are broken in the process, no federal law prohibits dumpster diving. At the state level, only theft and trespassing laws cover the activity. Most theft laws state that it is illegal to take “items of value”, and a number of questions have arisen regarding the value of objects thrown in the trash. Journalists, law enforcement officers, private investigators, and social engineers all use dumpster diving as an information collection technique. Only four states require companies to destroy personal information upon disposal.[87] Besides user names and passwords, company trash may yield maps of corporate structures, phone lists, and interoffice communiqués, all useful for giving social engineering hackers more background information and, therefore, more legitimacy when phishing or running trust and attack schemes.
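A mail gateway can catch much of the spoofed-domain phishing described in 2.5.2 by checking whether a message that claims the organisation's own domain actually arrived from it. The block below is an added example, not code from the report or from any organisation named in it; the domains, hosts, addresses and both sample messages are constructed.

```python
"""Check whether mail claiming our own domain really came from it (added example).

For a message whose From: header uses the organisation's domain, compare that
domain with the envelope sender (Return-Path) and with the host named in the
outermost Received: header, and flag executable attachments such as a
key-logger installer. Every domain, host and message below is constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")
_RECEIVED_FROM = re.compile(r"from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_of(address):
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def outermost_received_host(msg):
    """Host that the topmost Received: header says handed the mail to our MTA."""
    for hdr in msg.get_all("Received") or []:
        m = _RECEIVED_FROM.search(str(hdr))
        if m:
            return m.group(1).lower()
    return ""


def same_org(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def spoof_findings(raw_message, own_domain):
    """Return findings for mail that claims own_domain; [] means consistent."""
    own_domain = own_domain.lower()
    msg = message_from_string(raw_message, policy=policy.default)
    if domain_of(str(msg["From"] or "")) != own_domain:
        return []  # this check only covers mail claiming to be our own
    findings = []
    rp_domain = domain_of(str(msg["Return-Path"] or ""))
    if rp_domain and not same_org(rp_domain, own_domain):
        findings.append(f"From claims {own_domain} but Return-Path is {rp_domain}")
    host = outermost_received_host(msg)
    if host and not same_org(host, own_domain):
        findings.append(f"From claims {own_domain} but last hop was {host}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"executable attachment {name}")
    return findings


# Constructed: claims the hospital's domain, arrived from elsewhere, carries an .exe.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail.example-sender.test>
Received: from relay.example-sender.test (relay.example-sender.test [192.0.2.10])
 by mx.example-hospital.test with ESMTP; Tue, 10 Oct 2006 09:00:00 -0400
From: "Human Resources" <hr@example-hospital.test>
To: staff@example-hospital.test
Subject: Notice of termination
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your position has been eliminated. Open the attached form.
--b1
Content-Type: application/octet-stream; name="severance_form.exe"
Content-Disposition: attachment; filename="severance_form.exe"
Content-Transfer-Encoding: base64

c2FtcGxl
--b1--
"""

# Constructed: same From: domain, but relayed by the organisation's own server.
SAMPLE_LEGIT = """\
Return-Path: <hr@example-hospital.test>
Received: from mail.example-hospital.test (mail.example-hospital.test [198.51.100.5])
 by mx.example-hospital.test with ESMTP; Tue, 10 Oct 2006 09:00:00 -0400
From: hr@example-hospital.test
To: staff@example-hospital.test
Subject: Benefits reminder

Open enrolment closes Friday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, "->", spoof_findings(raw, "example-hospital.test") or "consistent")
```

Production gateways formalise this with SPF and DKIM records; a legitimate message relayed through an outside provider would also be flagged here, so findings should drive quarantine and review rather than silent deletion.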
2.5.4 Case Studies

Hacker-turned-contractor and writer Kevin Mitnick described a case of a Pakistani militant named Khalid Ibrahim, who offered money to American hackers to hack into government and military websites. In a test hack, Ibrahim offered $1,000 to a hacker who used the Internet handle “ne0h” to obtain a number of usernames and passwords for a well-known Chinese engineering university. ne0h began by finding a kindred hacker among the students of the university, who offered him a number of user accounts with passwords without question. ne0h noticed that many of the users
[85] Garretson, Cara. Spam that delivers a pink slip. ComputerWorld.com. 1 Nov 2006. 26 Nov 2007. <http://computerworld.com/action/article.do?articleId=9004698&command=viewArticleBasic&taxonomyName=security>.
[86] Grifter. Dumpster Diving – One Man’s Trash… Hack In The Box. 2002. 26 Nov 2007. <http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=6388&mode=thread&order=0&thold=0>.
[87] Dumpster Diving. Washington State Office of the Attorney General. 26 Nov 2007. <http://www.atg.wa.gov/ConsumerIssues/ID-Privacy/DumpsterDiving.aspx>.


had simply set the password to the user name. From there, the teenaged hacker found another college student through chat rooms and claimed to be looking for friends around the campus. The student responded with a list of email addresses, and ne0h quickly figured out the corresponding user names and passwords.[88]
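Both observations in this section, the student accounts whose password was the user name (2.5.4) and the pet and family names that end up in passwords and recovery answers (2.5.1), can be checked at the moment a credential is set. The following is an added example, not code from the report; the user profile and the candidate passwords are constructed.

```python
"""Reject passwords and recovery answers built from casually learnable facts.

Added example: a candidate secret is normalised (case, common letter/digit
substitutions, trailing digits stripped) and compared with the user name and
with the pets, family, hobbies and birthdays recorded for the user. The
profile and the candidate passwords below are constructed.
"""
import re

# Undo the most common letter-for-digit substitutions ("r0v3r" -> "rover").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalise(candidate):
    """Lower-case, keep letters/digits, drop trailing digits, undo substitutions."""
    s = re.sub(r"[^a-z0-9]", "", candidate.lower())
    s = re.sub(r"\d+$", "", s)          # "rover2007" -> "rover"
    return s.translate(LEET)            # "r0v3r" -> "rover"


def name_terms(profile):
    """Normalised words an acquaintance could learn: user name, pets, family, hobbies."""
    raw = [profile["username"], *profile.get("pets", []),
           *profile.get("family", []), *profile.get("hobbies", [])]
    # Very short terms would match almost anything, so require four characters.
    return {t for t in (normalise(r) for r in raw) if len(t) >= 4}


def birthday_digits(profile):
    """Digit strings derived from each ISO date (YYYY-MM-DD) in the profile."""
    out = set()
    for dob in profile.get("birthdays", []):
        y, m, d = dob.split("-")
        out.update({y, m + d, d + m, m + d + y, d + m + y, y + m + d,
                    m + d + y[2:], d + m + y[2:]})
    return out


def weakness_reasons(secret, profile):
    """Return the reasons a secret is guessable from the profile ([] = none found)."""
    reasons = []
    if secret.lower() == profile["username"].lower():
        reasons.append("password equals user name")
    core = normalise(secret)
    for term in sorted(name_terms(profile), key=len, reverse=True):
        if term in core:
            reasons.append(f"contains personal name {term!r}")
            break
    digits = re.sub(r"\D", "", secret)
    for bd in sorted(birthday_digits(profile), key=len, reverse=True):
        if bd in digits:
            reasons.append(f"contains birthday digits {bd!r}")
            break
    return reasons


# Constructed profile: what a chat in a dog park or a glance at a desk might reveal.
SAMPLE_PROFILE = {
    "username": "jsmith",
    "pets": ["Rover"],
    "family": ["Emma", "Liam"],
    "hobbies": ["hockey"],
    "birthdays": ["1994-06-21"],
}

if __name__ == "__main__":
    for pw in ["jsmith", "R0ver2007!", "Summer0621", "Tr0ub4dor&3"]:
        print(f"{pw:14} -> {weakness_reasons(pw, SAMPLE_PROFILE) or 'no obvious link'}")
```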

2.6 SCADA Systems

Supervisory Control and Data Acquisition (SCADA) systems collect data from control sensors that measure physical parameters like flow rate, temperature, or pressure in a factory, infrastructure plant, or other remote location, and then send this data to be processed by a central computer. A computer alone is not a SCADA system—most SCADA systems consist of input and output signal hardware, controllers, networks, communications equipment, and a Human-Machine Interface (HMI). HMIs, like the one shown in Figure 2.4, often run on common operating systems like Windows and Linux, which are vulnerable to many types of viruses and other cyber-attacks—these problems can be made worse if the operating system is not patched frequently.[89]

Figure 2.4: A Human-Machine Interface for a steam power plant operating in Windows[90]

Remote programmable logic controllers called Remote Terminal Units (RTUs) interface directly with the controlled processes to carry out the operations performed by a SCADA system. These controllers are usually programmed to meet specific process requirements and can often automatically make slight changes to monitored parameters to optimize functionality; for
[88] Mitnick, Kevin, and William L. Simon (2005). The Art of Intrusion: When Terrorists Come Calling. Indianapolis, IN: John Wiley and Sons, Inc.
[89] Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.
[90] SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007 <http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.


example, the RTU might control the speed of a conveyor belt or the temperature of a holding tank at a chemical plant. RTUs are currently built with redundancies in hardware and communications channels in case of damage to the physical system, and can often operate on their own to control safety-related problems.[91] However, despite these automatic failsafes, input from a human can change or override these settings at any time.[92]

2.6.1 Scope of the Threat to SCADA Systems

Currently, SCADA systems are involved in the manufacture of many consumer products, including pharmaceuticals, and in controlling critical infrastructures like electric power generators, water treatment plants, dams, nuclear power plants, and other systems.[93] According to Joe Weiss of Applied Control Solutions, the industry greatly underestimates what a SCADA attack is capable of: “What people had assumed in the past is the worst thing you can do is shut things down. And that's not necessarily the case. A lot of times the worst thing you can do, for example, is open a valve -- have bad things spew out of a valve.”[94] Manipulating SCADA controls could allow a cyber-attacker to accomplish anything from increasing the amount of waste in a local water supply to altering the oscillation of an electric power generator in such a way that it physically explodes. Consequently, the effects of a large-scale cyber-attack utilizing remote access to SCADA systems could potentially be disastrous.

Despite the importance of SCADA systems to critical infrastructures, these systems are rarely as safe or as isolated as the industry thinks. Of 13 cyber-security incidents involving SCADA systems between 1980 and 2000, only 31% originated from outside the company; the rest were either the result of accidents or of disgruntled employees who had direct access to the systems.[95] Between 2001 and 2003, however, the source shifted, with 70% of cyber-attacks on these systems originating from outside the company (Figure 2.5).

[91] SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007 <http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.
[92] "What is SCADA?" The Tech-FAQ. 2007. 27 Oct. 2007 <http://www.tech-faq.com/scada.shtml>.
[93] "Multi-State Information Sharing and Analysis Center (MS-ISAC)." 2006. Multi-State Information Sharing and Analysis Center (MS-ISAC). 21 Oct. 2007 <http://www.msisac.org/scada/>.
[94] Meserve, Jeanne. "Sources: Staged Cyber Attack Reveals Vulnerability in Power Grid." CNN 26 Sept. 2007. 27 Sept. 2007 <http://www.cnn.com/2007/US/09/26/power.at.risk/index.html>.
[95] Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.


Figure 2.5: Origin of SCADA-related cyber-attacks, 1980-2000 and 2001-2003[96]

While the threat of a SCADA attack due to an inside source is decreasing markedly, the rate of external attacks is increasing even faster, and this must be considered when making policy decisions.

2.6.2 Vulnerabilities
2.6.2.1 Original Development Flaws

Many SCADA systems are vulnerable to cyber-attacks, and this stems from the way in which they were originally developed. The first SCADA systems were developed over twenty years ago, before the majority of other corporate networks were put into place, and many of these original SCADA systems are still in use today. This leads many information technology managers to believe that these networks are not linked, so that SCADA systems cannot be accessed through corporate networks or remote access points. In reality, many corporate IT networks and SCADA systems are linked so that engineers can control systems from remote points on the corporate network and managers can find critical data instantly. IT managers usually make these connections without a full understanding of the security risks, and the security policies of most corporations do not account for the possibility that SCADA systems could be accessible through other corporate networks.[97]

[96] Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.
[97] Understanding SCADA System Security Vulnerabilities. Riptech. 2001. 1-5. 23 Oct. 2007 <http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf>.


2.6.2.2 Corporate Network Security

Research into the security of corporate networks produces startling results—independent security researcher Shawn Merdinger discovered in 2006 that at least a handful of critical infrastructure companies who planned to attend the DEFCON hacking conference in Las Vegas were connecting to the Internet using residential routers with documented vulnerabilities. Merdinger described these systems as being “almost as secure as my mom's computer.”[98] This is particularly alarming because, as long as these corporate networks are unprotected, the SCADA systems linked to them are equally vulnerable. Other basic problems in companies’ network architecture include improper configuration of FTP or email servers that inadvertently allows internal network access, unsecured connections with corporate partners, and failure to implement firewalls and other network security measures internally, which leaves little to no separation between different sectors of the network.[99]

This lack of awareness of network security flaws creates an even bigger problem, because SCADA systems were not originally designed with cyber-security in mind. Alan Paller, director of research for the SANS Institute, said of these design flaws, “It's not that these guys don't know what they are doing. Part of it is that these systems were engineered 20 years ago, and part of it is that the engineers designed these things assuming they would be isolated. But--wham!--they are not isolated anymore.”[100] One problem with this is that old SCADA systems do not receive security updates the way new corporate networks do, and cannot be protected independently by such measures. Because they were intended to be isolated, many basic security shortcomings are built into SCADA systems as well, such as the absence of per-user authentication—users log in with easily guessed names like “admin” rather than a personal user ID.[101] This flaw not only makes it easier to infiltrate SCADA systems, but also makes the infiltrator much harder to track, since all users share the same login information.
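The shared “admin” login and the absence of any limit on what a remote command may do are design gaps that an RTU or HMI gateway can close with per-user accounts, engineering limits and an audit trail. The block below is an added example modelling the HMI-to-RTU path of section 2.6; it is not code from the report or from any SCADA product, and the point names, limits and user accounts are constructed.

```python
"""Per-user authorisation, engineering limits and an audit trail for RTU setpoints.

Added example: every setpoint change must come from an individual operator
account with the right role, must fall inside the limits configured for the
point, and is logged whether or not it was accepted, so an incident responder
can see who issued which command. Points, limits and accounts are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

SHARED_LOGINS = {"admin", "operator", "root", ""}   # group accounts we refuse


@dataclass(frozen=True)
class Point:
    name: str
    unit: str
    low: float     # engineering limits the RTU must never be driven past
    high: float


@dataclass
class Rtu:
    points: dict                       # name -> Point
    roles: dict                        # username -> "operator" | "viewer"
    values: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _log(self, user, point, requested, outcome):
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user, "point": point, "requested": requested, "outcome": outcome,
        })

    def set_point(self, user, point_name, value):
        """Apply a setpoint change from the HMI; returns (accepted, message)."""
        if user is None or user in SHARED_LOGINS or user not in self.roles:
            self._log(user, point_name, value, "rejected: no individual account")
            return False, "log in with a personal account"
        if self.roles[user] != "operator":
            self._log(user, point_name, value, "rejected: role is " + self.roles[user])
            return False, f"{user} may view but not change setpoints"
        point = self.points.get(point_name)
        if point is None:
            self._log(user, point_name, value, "rejected: unknown point")
            return False, "unknown point"
        if not point.low <= value <= point.high:
            self._log(user, point_name, value,
                      f"rejected: outside {point.low}-{point.high} {point.unit}")
            return False, "setpoint outside engineering limits"
        self.values[point_name] = value
        self._log(user, point_name, value, "accepted")
        return True, "ok"

    def changes_by(self, user):
        """Accepted changes attributable to one named operator."""
        return [e for e in self.audit if e["user"] == user and e["outcome"] == "accepted"]


def demo():
    """Constructed plant: a holding-tank temperature and a conveyor speed setpoint."""
    rtu = Rtu(
        points={
            "tank1.temp_sp": Point("tank1.temp_sp", "degC", 20.0, 85.0),
            "belt1.speed_sp": Point("belt1.speed_sp", "m/s", 0.0, 2.5),
        },
        roles={"alice": "operator", "bob": "viewer"},
    )
    results = [
        rtu.set_point("admin", "tank1.temp_sp", 60.0),   # shared login refused
        rtu.set_point("bob", "tank1.temp_sp", 60.0),     # viewer cannot write
        rtu.set_point("alice", "tank1.temp_sp", 60.0),   # accepted
        rtu.set_point("alice", "tank1.temp_sp", 300.0),  # beyond the high limit
        rtu.set_point("alice", "belt1.speed_sp", 1.2),   # accepted
    ]
    return rtu, results


if __name__ == "__main__":
    rtu, results = demo()
    for entry in rtu.audit:
        print(entry["user"], entry["point"], entry["requested"], "->", entry["outcome"])
```

Limits enforced at the RTU only hold if the RTU's own configuration is protected from the same remote access; the individual account names are what let an investigator attribute a change after the fact.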

2.6.2.3 Company Security Procedures

The weaknesses of SCADA systems often go beyond engineering design flaws into company security procedures as well. Many companies list data on their websites that can be useful for hackers, such as email addresses, employee names, and sometimes even corporate network system names. These problems could mostly be eliminated simply by removing information that could be useful to hackers from company websites.

[98] Lemos, Robert. "SCADA System Makers Pushed Toward Security." SecurityFocus 26 July 2006. 19 Oct. 2007 <http://www.securityfocus.com/news/11402/2>.
[99] Understanding SCADA System Security Vulnerabilities. Riptech. 2001. 1-5. 23 Oct. 2007 <http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf>.
[100] Lemos, Robert. "SCADA System Makers Pushed Toward Security." SecurityFocus 26 July 2006. 19 Oct. 2007 <http://www.securityfocus.com/news/11402/2>.
[101] SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007 <http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.


2.6.2.4 Who Could Gain Access?

Without increased security measures, anyone with a basic knowledge of hacking could theoretically gain access to a SCADA system. Of the security incidents recorded between 2000 and 2003, the Internet was the single largest source, but security was also breached through other sources, like wireless systems, dial-up connections, and third party connections (Figure 2.6). Therefore, simply implementing measures to close off one access point, like an Internet firewall, is insufficient—as many entry points as possible should be protected.[102]

Figure 2.6: Entry points of SCADA-related cyber-attacks[103]

Because many companies lack knowledge about their own cyber-security vulnerabilities, infiltrating a SCADA system would not require a targeted assault from a country or terrorist organization: just one “average” hacker would be skilled enough to gain access. For example, in one penetration test by Black Hat Security, a single representative was able to find an unprotected WiFi access point and infiltrate the SCADA system using a ten-year-old exploit of Solaris, the Unix-based operating system on which the SCADA system was running.[104] Since the United States military invasion of Afghanistan in 2001, American forces have seized computers and

[102] Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.
[103] Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.
[104] SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007 <http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.


instruction manuals containing SCADA information relating to dams in Al Qaeda training camps, although they found no evidence of an actual plan to attack.[105]

2.6.3 Case Studies
2.6.3.1 Hunter Watertech

On April 23, 2000, a disgruntled ex-employee named Vitek Boden infiltrated the Hunter Watertech wastewater system in Queensland, Australia, using only a stolen computer and radio transmitter. From an external site, he entered the system by using software to identify himself as “pumping station 4” and deactivated all alarms that would alert IT security to his presence in the system. Though he was familiar with the system, all the equipment he used was commercially available, and he faced no obstacles when accessing the Hunter Watertech network.[106] After entering the system, Boden remotely controlled 300 SCADA nodes governing both sewage and drinking water, and released millions of gallons of sewage into parks, rivers, and hotel grounds. His actions destroyed the ecosystem of the affected rivers and caused a stench that was “unbearable” to residents.[107] While there were no reported human deaths, Boden’s case is currently the only known case in which a SCADA system has been used to cause harm.

2.6.3.2 Roosevelt Dam

However, SCADA systems have been accessed unintentionally in the past, with potentially disastrous results had they been mismanaged. In 1998, a 12-year-old hacker unknowingly infiltrated the computer system controlling the Roosevelt Dam in Arizona. Federal authorities claimed that the boy had complete control of the SCADA system that operates the dam’s floodgates, which hold back about 489 trillion gallons of water. If the gates were opened, the resulting flood would mostly stay in a flood plain around the cities of Mesa and Tempe, engulfing them with water. In this instance, in which the dam’s SCADA system was easily breached by a 12-year-old, the cyber-security risk is much greater than the physical risk, since physically destroying a dam would require “tons of explosives” according to Secretary of Homeland Security Michael Chertoff.[108]

There are many misconceptions surrounding the security of SCADA systems, and these leave critical infrastructures vulnerable to attacks from both internal and external sources. While there is no need to panic, the use of SCADA systems in cyber-warfare is a legitimate threat that must be addressed more fully.

[105] SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007 <http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.
[106] Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007 <http://www.securityfocus.com/news/502>.
[107] Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007 <http://www.securityfocus.com/news/502>.
[108] Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007 <http://www.securityfocus.com/news/502>.


3 Targets


As we move further into the 21st century, our nation is increasingly threatened by cyber-warfare. Any foreign nation or terrorist group with a computer can wreak havoc throughout the United States, threatening anything connected to the internet. This threat is not limited to one specific group, but could affect global corporations, utilities, transportation systems, the federal government, and the military. Securing our critical infrastructures should be our chief concern, as the government is the caretaker of our economic well-being, security and defense, and social services. Before we begin to discuss policy goals for the government to enact, it is vital to assess potential threats and vulnerabilities to the system as a whole.

3.1 Military and Government

As the keepers of our nation’s defense, the government and military are absolutely critical to the preservation of our nation, and consequently among the leading targets for cyber-attack. Existing threats to the government and military are primarily data theft and data corruption. Since the late 1990s, there have been several documented data theft attacks on the United States from unknown foreign nations. Presently, this is the most pressing issue for national security. The military is also potentially vulnerable on the battlefield to cyber-attack, although many of the vulnerabilities are to electronic attacks rather than cyber-attacks, a distinction that will be clarified below. Lastly, the military faces the prospect of global threats from foreign nations gaining cyber-attack capabilities that could be used against the nation as a whole or directly on the battlefield.

3.1.1 Data Theft and Corruption

In the modern world, data theft and corruption are taking the place of traditional espionage and spying. Rather than transporting physical files to obtain government secrets, hackers can simply break through firewalls and other cyber-defense mechanisms to raid stored data in secure government systems. This is the greatest threat to our government, and will continue to present the foremost issue to counter when securing cyberspace. There have been several historical cases of data theft that have been reported to the general public. In 1997, an exercise called Eligible Receiver allowed an NSA ‘red team’ – hackers inside the organization who try to break into secure systems – to attempt to hack into the Pentagon. Ultimately they infiltrated the Pentagon network and gained control of Pacific command center computers, power grids and 911 systems.[109] In 1999, the government accidentally stumbled upon a series of data thefts that were collectively coined Moonlight Maze. Hackers had been systematically infiltrating computers in the Pentagon, NASA, the Department of Energy, and private universities and research facilities dating back nearly two years. Data stolen included troop structure as well as military hardware

[109] “Cyber-war!” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>.


and base configurations. The electronic trail was traced back to Russia, but the sponsor of the attacks is still unknown.[110] A similar series of incidents, known as Titan Rain, consisted of widespread attacks from 2003 to 2005 against targets inside the government and military installations, as well as top-level defense contractors. Although the data stolen was not classified, it included large quantities of sensitive material that was restricted by export control laws. It is not clear whether the data theft has ceased or who the culprit behind the attacks is. The data theft was traced back to China, but the Chinese government refuses to cooperate with US investigations.[111] These types of attacks are a continuing threat to the government and military. The Pentagon announced that in June 2007 hackers managed to break into computers in the Pentagon, including the computer of the Secretary of Defense, Robert Gates.[112] Although the government did not suggest a culprit, there is some suspicion of Chinese People’s Liberation Army involvement. Hackers are continuing to penetrate the government, despite the best efforts of defense measures. Additionally, federal agencies such as the FBI are unable to investigate the sources of the attacks internationally without foreign approval, which prevents any precise knowledge of the attackers. Although we do not know of any classified information theft, the amount of data stolen is staggering, and a major threat to the government.

Similar to data theft is data corruption. Hackers break into computer systems and are then able to alter code to perform many different actions. Common corruption includes leaving ‘back door’ code in place to allow hackers to re-enter through previously exploited weaknesses. Compromised computers will often contain a ‘trojan horse,’ malicious code that, in addition to enabling reentry, allows hackers to control these computers remotely or shut them down.[113] Many of the tools for attack previously described, such as DoS attacks, rely on these corrupted computers in order to work successfully. The combined danger of data theft and corruption presents an ongoing and serious threat to both the government and the military.

3.1.2 Battlefield Cyber-attacks

Direct battlefield threats due to cyber-warfare are hard to identify and evaluate. Some argue that any data theft from the military or information that is potentially compromised could lead to deaths on the field,[114] but the causal link is slightly stretched. Unlike other cyber-attacks, battlefield uses of cyber-warfare are only effective when coupled with a physical attack, as in conveying incorrect troop strength and then ambushing a military unit. Although these cyber-attacks could lead to casualties, in themselves they are not the most pressing concern. However, as the

[110] Ibid.
[111] Thornburgh, Nathan (2005). “The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)”, Time. 30 October, 2007. <http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html>.
[112] “Pentagon Admits Security Breach but won’t say who did it.” NetworkWorld.com. 30 October, 2007. <http://www.networkworld.com/community/node/19041>.
[113] Thornburgh, Nathan (2005). “The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)”, Time. 30 October, 2007. <http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html>.
[114] Ibid.


nation’s military becomes increasingly advanced and reliant upon technology, some fear exists that these electronic systems could become vulnerable to attack – albeit an electronic attack. Cyber-attacks, as we have defined them, are primarily attacks launched through the internet in order to hack into a system for theft, corruption, or control of the compromised computer. Losing control of a compromised computer can also lead to malicious activities such as DoS attacks. There is concern for cyber security on the battlefield, as a porous or weak network could result in distributing poor troop information to soldiers, with the potential for friendly fire accidents or enemy ambushes.[115] While rear areas may depend upon a computer network for command and control, key information devices on the field are not susceptible to traditional cyber-attacks. A prominent example is the GPS system. Although initiated as a military system, the widespread proliferation of GPS has made it a useful navigation system for the military, civilians, and adversaries alike. The system is based on receivers and satellites, meaning that cyber-attacks on the battlefield would not interfere with the system, as it is not plugged into the internet. Current GPS ‘blockers’ are questionable in their effectiveness. In Operation Iraqi Freedom, the Iraqi military had acquired several GPS jammers, which the United States ironically destroyed with GPS-guided missiles.[116] This is not to say that the system is not vulnerable, but that the system faces electronic warfare threats. Electronic warfare, distinct from cyber-warfare, is defined by the military as using electromagnetic pulses to disrupt or destroy enemy systems, in contrast to using computer code and hacking to achieve the same goal. Theoretically, electronic warfare could disrupt GPS satellites in space, overheat and permanently damage circuitry in electronic devices, control adversary radio signals, or even misdirect unmanned craft or robots.[117] Although military technologies are widely classified, the ability of electronic warfare to damage robots could pose a threat to the Predator drone and other modern aerial robotics.

This is not to dismiss cyber-attacks as threats to the military, but rather to suggest that at the soldier level, cyber-attacks are not a direct threat. There is some battlefield communication and organization through a local network that could be compromised, but soldiers still communicate by radio, something unhampered by cyber threats. Direct communication and navigation have not yet crossed into technologies that are vulnerable to cyber-attack. In the future, electronic warfare may play a preeminent role on the battlefield, but this is beyond the current scope of cyber-warfare.

[115] Krebs, Brian (2003). “Cyber War Games Tests Future Troops.” Washington Post. October 30, 2007. <http://www.washingtonpost.com/ac2/wp-dyn/A21871-2003Apr23>.
[116] “CENTCOM Operation Iraqi Freedom Briefing - 25 March 2003.” October 30, 2007. <http://www.gulfinvestigations.net/document348.html?PHPSESSID=64c6f060d1f4997faf0ff91799fa777f>.
[117] Wilson, Clay (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues.” 30 October, 2007. <http://stinet.dtic.mil/cgibin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>.


3.1.3 Foreign Threats

Arguably the greatest threat, albeit primarily a future threat, is the growing ability of foreign nations to conduct aggressive cyber operations against the United States. Cyber-warfare is widely accessible because of the limited infrastructure required for effective operations. As a result, many nations, including China, Iran, and North Korea, are trying to develop means of attacking the United States. There are more than a dozen nations with credible cyber-warfare capability, although not all are hostile to the United States.[118] However, due to its vast supply of resources and evolving national strategy, China appears to be the most significant threat in the growing field of cyber-warfare.

In the past few years, China has increasingly placed emphasis on cyber capabilities in its national strategy. In 2005, the PLA started to include offensive cyber operations in military exercises, with the explicit goal of achieving cyber dominance and a first-strike capability. In 2006, China added the goal of achieving dominance throughout the electromagnetic spectrum over its main adversaries by 2050.[119] Earlier this year, the Pentagon reportedly released a document describing China’s cyber capabilities, which included a plan to disable an American carrier task force. Additionally, China has successfully hacked into United States defense networks, as well as Whitehall in Great Britain and Germany’s government systems.[120]

Since China is our strongest adversary in this field, it is important to examine how it is attempting to achieve cyber dominance. First, the PLA has ‘cyber units’ specifically designed to develop and use cyber-attacks. They are essentially military-sponsored hacking rings, with the full backing of the national government. Additionally, the nation is scouring its population to find the best talent for these units. Through education programs for teens and hacking competitions to recruit talent, the ‘best and the brightest’ are either working for the government on cyber-research or as independent contractors in order to give the government plausible deniability. These units are working from a “virtual guidebook” developed after reading dozens of Western manuals on military tactics and cyber-tactics.[121]

Assessing China’s actual cyber-capabilities is difficult at best. China has already shown proficiency at hacking into foreign government systems, but little else is known. Possibly its greatest strength is that the United States is increasingly dependent upon electronic systems, which in turn enlarges the area for vulnerabilities and increases the risk of China using cyber-warfare to disrupt America’s technological advantage. Unfortunately, very little unclassified material is available regarding China’s capabilities. However, the small glimpses released to the public show a nation arming itself for what could be the Cold War of the 21st century – with cyber weapons instead of nuclear missiles.
118 “Cyber War Nightmares” (2006), 30 October, 2007. <http://www.strategypage.com/htmw/htiw/articles/20060829.aspx>
119 Rogin, Josh, (2006). “DOD: China fielding cyberattack units” 30 October, 2007 <http://www.fcw.com/online/news/94650-1.html>
120 Reid, Tim, (2007). “China’s cyber army is preparing to march on America, says Pentagon” The Times. 30 October, 2007. <http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article2409865.ece>
121 Ibid.


3.2 Financial Systems as a Target

3.2.1 Overview

There are powerful nations developing cyber-warfare capabilities in an attempt to achieve cyber dominance. If a cyber-war were to erupt, these nations would likely attack our critical financial systems in an attempt to thwart the U.S. economy. Fortunately, the nations that have developed intensive cyber-warfare capabilities have a vested interest in the United States economy. Nations such as North Korea, which do not have a strong connection with our economy, have yet to pose a serious threat in the cyber-realm.

A more imminent threat lies in the terrorist organizations that have no current interest in the welfare of the U.S. economy and often thrive in times of economic turmoil. Organizations such as al-Qaeda make no attempt to hide the fact that they aim to attack our economy with any available resources. Osama bin Laden made his goals very clear in December of 2001, stating: “If their economy is destroyed, they will be busy with their own affairs rather than enslaving the weak peoples. It is very important to concentrate on hitting the U.S. economy through all possible means.” Al Qaeda’s second-in-command, Ayman al-Zawahiri, said in September 2002: “We will also aim to continue, by the permission of Allah, the destruction of the American economy […] It is very important to concentrate on hitting the U.S. economy through all possible means […] look for the key pillars of the U.S. economy. The key pillars of the enemy should be struck.”122

The United States has an economy nearly 300% larger than Japan’s, the second largest national economy.123 This massive economy has become the target of many terrorist and malicious organizations and could be the target of nation states in the future. We know there is a motive; we must uncover and understand the vulnerabilities of this economic target. Condoleezza Rice, the U.S. Secretary of State, stated at the Partnership for Critical Infrastructure annual meeting in Washington:

“Today, the cyber economy is the economy. And I don't mean the dot coms. I mean virtually every vital service -- water supply, transportation, energy, banking and finance, telecommunications, public health. All of these rely upon computers and the fiber-optic lines, switchers and routers that connect them. Corrupt those networks, and you disrupt the nation. It is a paradox of our times: the very technology that makes our economy so dynamic and our military forces so dominating -- also makes us more vulnerable. As the President's National Security Advisor, I have to worry about that vulnerability. But each

122 Pethokoukis, James. (2007) “So How Goes Bin Laden’s War on the U.S. Economy?” U.S. News & World Report. 27 Oct 2007. <http://www.usnews.com/blogs/capital-commerce/2007/9/11/so-how-goes-bin-ladens-waron-the-us-economy.html>
123 “Data and Statistics”. International Monetary Fund. 17 Oct 2007. 27 Oct 2007. <http://www.imf.org/external/data.htm#data>


corporate CEO has to worry about the fact that a much smaller cyber attack than on the U.S. could place the very existence of your company at issue.”124

It has been established that our economy is a target; the vulnerabilities of our financial systems are discussed next.

3.2.2 Direct Attacks on Financial Systems

Financial institutions such as banks and credit unions have historically been known for protecting critical data. Their business depends on keeping their clients’ money safe and secure. Given that over half of all major cyber attack incidents in 2001 targeted financial institutions, cyber-security is a top priority.125 Institutions spend a large percentage of their profits to ensure the systems handling all of their financial records and transactions are cyber-secure.

Unfortunately, the financial sector has taken a giant step back since the development of high-speed wireless systems. Electronic funds transfers (EFTs) are exchanged at a volume of over one trillion dollars per day. Of course, all of the data in these transfers is encrypted, but there are numerous possibilities for how transfers made over wireless internet could be vulnerable to hackers. One such vulnerability was discovered in GSM phones. When making a banking transfer, the data must cross from GSM wireless encryption to standard internet encryption. In the split second the data is stored in the gateway between wireless and wired internet, a hacker could intercept an unencrypted transmission. While the skill level and luck needed to perform such a task are considerable, so is the reward, with billions of dollars to be stolen.126

Another vulnerability in the transfer of financial information exists in the 180 million miles of fiber optic cable currently connecting the entire globe. Seth Page, CEO of Oyster Optics, explains a shocking vulnerability:

“For both public and private networks, optical taps and analytical devices are required and inexpensive maintenance equipment in common use worldwide today. Various types of optical taps, however, both off-the-shelf and customized, are also used for corporate espionage, government espionage, network disruption and other potential terrorist-type activities. Used nefariously, optical taps allow access to all voice and data communication transiting a fiber link.”127

This vulnerability may be very problematic because taps can be installed without detection. Network carriers see glitches similar to those caused by the insertion of an optical tap on a daily basis. While financial institutions do make efforts to encrypt data transferred over networks,
124 “National Security Advisor Rice on Protecting U.S. Infrastructure”. 22 March 2001. 27 Oct 2007. <http://www.usembassy.it/file2001_03/alia/a1032210.htm>
125 Glaessner, Thomas, Tom Kellermann, and Valerie McNevin (2002). “Electronic Security: Risk Mitigation In Financial Transactions”. The World Bank. p 43. 29 Oct 2007. <http://info.worldbank.org/etools/docs/library/83592/esecurity_risk_mitigation.pdf>
126 “Wireless Vulnerabilities”. Maisonbisson. 24 Sept 2002. 30 Oct 2007. <http://maisonbisson.com/blog/post/10387/wireless-vulnerabilities>
127 Kabay, M. E. (2003) “Tapping Fiber Optics Gets Easier”. Network World. 29 Oct 2007. <http://www.networkworld.com/newsletters/sec/2003/0303sec1.html>


there are millions of hackers worldwide working for nation-states and terrorist organizations to crack data encryption. Financial institutions are an extremely valuable target for hackers, which is why such a large percentage of cyber-attacks are made in this sector. The Communications Management Association (CMA) conducted a survey that revealed thirty-two percent of the UK's top 1,000 public and private institutions acknowledged having suffered a cyber attack, ranging from data theft to infiltration of corporate bank accounts.128 Further, half of the senior workers considered the attacks a major threat to their institutions’ survival. Financial institutions must constantly adapt if our economy is to remain safe from a thinking enemy.

3.3 Infrastructure

The United States’ critical infrastructure—power grids, water lines, communications, emergency response systems, etc.—is one of the most vulnerable and potentially devastating targets available to enemy states and terrorist groups. This was first discovered in 1997 when the aforementioned operation known as “Eligible Receiver” used NSA hackers in an attempt to infiltrate various infrastructure systems. Their ‘red team’ was limited to using computers and hacking software that were available to the public, but was still “able to infiltrate and take control of the Pacific command center computers, as well as power grids and 911 systems in nine major U.S. cities.”129

Another, more distressing, reported cyber-attack happened in the summer of 2001 when the Webmaster for the city of Mountain View, CA recognized an odd site-intrusion pattern. He contacted the FBI, and upon further investigation it was found that similar attacks had been happening in multiple cities around the country. The intruders were found to be researching the cities’ utilities, government offices, and emergency systems. When the sources of the attacks were traced, the signals seemed to be coming from the Middle East and Southern Asia. This information became particularly interesting when American intelligence agencies seized Al Qaeda laptops after the Sept. 11 attacks and found what appeared to be a “broad pattern of surveillance of U.S. infrastructure.”130 Given the number of cyber-warfare threats to America’s infrastructure, the following sections present the history and current dangers that our nation faces.

3.3.1 Power Utilities

Of all critical infrastructures, power utilities are perhaps the most desirable target for enemies due to their interconnectedness and relative lack of security backups, plans, and software. In fact, every day large power utilities must fight off hundreds, and even thousands, of attackers attempting to shut down the power system, steal important data about the plant, or gain control of
128 Gwin, Peter. (2001) “Is the Internet the Next Front in the Terror War?” Europe. Issue 410.
129 “Cyber-war!.” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
130 “Cyber-war!.” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>


the regional grid.131 However, due to the natural complexity of the generators and operating systems, very few successful attacks have occurred. This lack of successful attacks is the main reason why little effort has been put into defending our infrastructures up to this point.132

Even though only a few successful attacks on utilities have been recorded, that is no reason for their importance to be overlooked. For example, in 2003 the “Slammer Worm” began to continually propagate through thousands of unprotected computers. The payload of the information being sent eventually became so large that it crashed the safety monitoring system at the Davis-Besse nuclear power plant in Ohio.133 Fortunately the plant had built-in redundancies and therefore the backup security system was not affected. In turn, no long-term damage was done to either the plant or the surrounding area.

In a more recent event, the Department of Energy’s Idaho Lab conducted an experiment in March of 2007 in which they were able to remotely destroy a power generator. The team built a replica of a power plant’s control system, hacked into the operating system, and commanded the generator to oscillate in a way not natural to the machine’s design. This unbalanced rotation forced the generator to release significant amounts of smoke and eventually shut down, breaking the generator.134 The experiment was done in order to prove the vulnerability of our power grids if an enemy obtains the necessary security codes and generator specifications.
3.3.1.1 Why is the Power Grid so Vulnerable?

The basis of problems within the power grid stems from the fact that all power systems within the United States are interconnected, yet the owners and operators of each individual power plant rarely communicate security weaknesses to each other. The problems continue when the utility companies try to improve their security systems, yet the research and information needed is scarce due to the limited information offered by government agencies. This lack of information leads to utility executives making “security-related decisions on the basis of sparse, uncertain, or anecdotal information.”135 Because the communication between government agencies and power utilities is so poor, the industry has a naturally weak foundation due to a lack of security. This raises the question of why the utility companies don’t take the initiative and fund their own security research. Because the power companies have faced economic struggles in the past decade, they are all now in competition with each other to remain functional. Because of this,
131 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 32. 24 Oct. 2007 <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
132 “Cyberwarfare on the Electricity Infrastructure.” Office of Scientific and Technical Information. 12 Sep. 2007. <http://www.osti.gov/bridge/product.biblio.jsp?osti_id=769245>
133 Poulsen, K. “Slammer worm crashed Ohio nuke plant network.” Security Focus. 19 August 2003. 12 Sep. 2007. <http://www.securityfocus.com/news/6767>
134 Meserve, J. “Staged cyber attack reveals vulnerability in power grid.” CNN. 26 September 2007. 4 Oct. 2007. <http://www.cnn.com/2007/US/09/26/power.at.risk/>
135 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 32. 24 Oct. 2007 <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>


many companies are unable to spare the resources for research.136 However, some individual power utilities have pioneered the field and have found some useful information. This information has not led to an overall improvement in cyber-security, though, due to the lack of “effective technology transfer and broad industry support.”137 This simply reflects the fact that individual companies do not share their research findings, and in turn, most are unprotected. This causes a problem because “cyber-security is only as strong as the ‘weakest link’ in the chain of interconnected information and communication systems that utilities use.”138

Because of this dilemma, Richard Clarke, former White House Cyber-Security Advisor, says that this is the one sector in which federal regulation makes sense. He believes that if the government does not step in and set a standard for security, then the companies are not going to do it themselves. Clarke continues by stating, “For once, we have the companies saying they want it to be regulated, so that they're all required to do it simultaneously. There's the even playing field, and no one has competitive disadvantage by improving security.”139

While a lack of cyber-security research is the main reason for the vulnerability in the power utility field, other problems also exist. One such problem is the sheer size and interconnectedness of the American power system. In some ways it is both a curse and a gift. It is a curse because it contains 200,000 miles of high-powered lines, making the entire system impossible to defend against a terrorist attack. In fact, as the power grids continue to grow and become more interconnected, the vulnerability of the systems will continue to increase due to the number of entry points. However, the system’s size is a gift in the sense that if a terrorist organization were to take over a power grid, it would only be able to affect a specific region. This would cause economic damage to the attacked area, but not cripple the entire country’s economy if the power was restored within a few days.140

Another source of vulnerability is the ever-changing business practices being employed by the power companies. Many are turning to third-party vendors for administrative services such as payroll and accounting. This means the power station’s control system may inadvertently be connected to the vendor’s network. This can cause a problem because the third-party’s network may not be firewalled as robustly as the power plant’s control center, which opens the control center to attack via the vendor’s network.141

136 Interview. Richard Clarke. “Cyber-war!.” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
137 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 32. 24 Oct. 2007 <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
138 Ibid.
139 Interview. Richard Clarke. “Cyber-war!.” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
140 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 31. 24 Oct. 2007 <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
141 Id. at 35


3.3.1.2 What is Being Done?

In 2000, the Energy Information Security (EIS) program was developed by the Electric Power Research Institute to provide individual utilities with tools they could use to enhance their own security programs. This included cyber-security awareness training, information sharing, and risk management protocols. The program has led to early exploratory work on fast encryption technologies to protect data and control systems.142 However, as Clarke points out, tools similar to those EIS provided for the utilities’ systems were too difficult or too slow to install, or introduced an incompatibility that created yet another problem.143 Therefore, the EIS program has not led to any significant improvements in cyber-security other than fast encryption research.

Another attempt at utility cyber-security happened in 2004 when the Department of Homeland Security established the Process Control Systems Forum (PCSF). The Forum focuses on “threats to the computerized automated control systems that underlie operation of most of the country’s critical infrastructure, including the electric power grid.”144 The Forum, in other words, is gathering security knowledge that has been obtained in different infrastructure fields, and is attempting to stimulate communication between the utility companies in order to increase the nation’s infrastructure security.

Although some positive results have come from these programs, the ever-growing power grid and constantly improving terrorist techniques and knowledge call for a larger, more comprehensive approach to solving the cyber-security dilemma. After gathering security information from over 60 different utilities and government organizations, the PowerSec Initiative was formed in an attempt to map the strengths and weaknesses of the power system. From the information that has been and will be gathered, PowerSec is able to “evaluate the industry’s current cyber-attack readiness, identify gaps in this readiness, and specify existing best practices for filling these gaps.”145 Through this program, the power utility industry will eventually be able to know exactly what does and does not work in protecting its systems.

3.3.2 Emergency Response

“Eligible Receiver” has been the only recorded instance in America in which a 911 system has been taken over. The emergency response system was shut down for about an hour in Estonia

142 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 35-6. 24 Oct. 2007 <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
143 Interview. Richard Clarke. “Cyber-war!.” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
144 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 34. 24 Oct. 2007 <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
145 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 36. 24 Oct. 2007 <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>


when Russia launched its DoS attack against the Baltic country. No research in the field has been published.

3.3.3 Communications

Although no loss of communications systems has been recorded in America, Homeland Security and Defense Telecommunication Systems spending will increase from $15.2b in 2004 to $21b by 2009 in order to expand the network in case of cyber-attack.146 Estonia lost most of its international communication ability for a few days after the Russian DoS attack. No research in the field has been published.

3.4 Transportation Systems as a Target

According to Joseph Szyliowicz, a member of the Transportation Research Board, “cyber warfare is of direct relevance to transportation, given the ever-growing dependence on modern information, tracking, and data processing systems by transportation companies and agencies.”147

Transportation systems could conceivably be an appealing target to potential cyber-attackers due to the integral role they play in the economy. Szyliowicz notes that transportation accounts for over 10 percent of the nation’s gross domestic product. The recent history of conventional terrorism also suggests that cyber-attackers may choose to target transportation systems, provided feasible opportunities exist. Eighteen of the twenty-five major terrorist attacks from 1983 to 2001 “involved the use of transportation vehicles as weapons, and another five involved attacks on planes.”148

At present, the aviation system is more at risk of a focused cyber-attack than any other component of the nation’s transportation infrastructure. Other transportation networks, such as urban public transit systems, rely less on computer systems to function. Ports and shipping networks may be open to certain cyber-attacks with limited scope, but these vulnerabilities seem to pale in comparison to physical vulnerabilities, and cyber-attacks on these networks have been the subject of relatively little research. Following a discussion of public transit systems and shipping networks, this assessment focuses on aviation systems as a target of cyber-attacks.

146 “Homeland Security and Defense Telecommunications Spending to Increase 40 Percent by 2009.” Business Wire. 3 August 2004. 28 Oct. 2007. <http://findarticles.com/p/articles/mi_m0EIN/is_2004_August_3/ai_n6139915>
147 Szyliowicz, Joseph S. (2004). International transportation security. Review of Policy Research. 21
148 Ibid


3.4.1 Public Transit Systems

Public transit systems, such as buses, metros, light rail, and ferries, do not appear to be a likely target of cyber-attacks. They are generally manually controlled, and can be operated independently of any centralized computer systems or the Internet.
[Figure 3.1: Worldwide Terrorist Attacks on Public Transit, 1980-2005 (chart of attacks by type: bombs, shootings, ambushes, hijackings, other explosives such as grenades, rockets and landmines, and miscellaneous)]

There were 235 attempted terrorist attacks on public transit systems around the world from 1980 to 2005, but none of those attempts used electronic methods of attack or targeted any computer systems.149 Their main vulnerability to cyber-attacks stems from their use of communications and power systems; both of those systems were discussed previously in this report.

3.4.2 Shipping Networks

To date, studies of the risk of cyber-attacks on ports and domestic freight and shipping networks have been mostly speculative. It appears the threat cyber-attacks currently pose to shipping networks is small compared to other areas of the transportation infrastructure. As with other areas of the national infrastructure, shipping networks will become more vulnerable to cyber-attacks as they rely more on computer systems. According to a 2003 Transportation Research Board report, the nation’s shipping infrastructure is a fragmented patchwork of private companies “operating different modes of transport (e.g.,

149 Pike, J. (2007, July 7). Chronology of terrorist attacks against public transit. Retrieved October 30, 2007, from Global Security Web site: http://www.globalsecurity.org/security/ops/mass-transit-chron.htm


ship, truck, train, air)” with a small degree of overall system coordination and varying local, state and federal regulations150. A breakdown of the industry by transportation mode is shown below.

Figure 3.2: Value and Tonnage of Domestic Freight Shipments 151

The freight industry’s current use of computer systems is largely focused on replacing paper manifest documents with electronic versions. In the maritime and air shipping sectors, freight carriers are now allowed the option of submitting manifests electronically to reduce their cargo’s processing time. Participation in a similar system was made mandatory in January 2007 for truck carriers entering the country; carriers can enter information through the Internet or electronic data interchange (EDI).152 This could potentially give cyber-attackers the ability to gain access to shipping manifests, but no easily obtainable data exists to suggest that this is viable. The risk is mitigated by the fact that in a regime of voluntary participation, as is the case with maritime and air shipping, carriers often opt to use traditional paper manifests. In the case of the trucking industry, for example, only 4 to 9 percent of incoming trucks filed electronic manifests before participation was made mandatory. In the trucking industry in particular, changes to the type of cargo and the carrier’s route are frequent.153

In the future, one source of vulnerability could result from the use of electronic container tags and seals. Electronic tags would store information on a container’s contents, while electronic seals would signal whether a container had been opened or tampered with. These technologies

150 Transportation Research Board. (2003). Cybersecurity of freight information systems: A scoping study. Washington, D.C.: Transportation Research Board.
151 Transportation Research Board. (2003). Cybersecurity of freight information systems: A scoping study. Washington, D.C.: Transportation Research Board.
152 Moore, J. (2007 February 26). FCW.com. Retrieved October 25, 2007, from Freight security programs and test projects proliferate Web site: http://www.fcw.com/print/13_5/news/97727-1.html
153 Moore, J. (2007 February 26). FCW.com. Retrieved October 25, 2007, from A long haul for freight security Web site: http://www.fcw.com/print/13_5/news/97727-1.html


are in the planning phases,154 so it isn’t clear exactly how viable it would be to exploit these electronic devices.

The most substantial cyber-security assessment of the shipping network is found in the 2003 Transportation Research Board report discussed above.155 That report outlined three possible cyber-attack scenarios. The first scenario involved a denial-of-service attack on freight information systems, such as those used by customs agencies. However, the fragmented nature of the freight industry may help reduce the damage of a denial-of-service attack. The Transportation Research Board concluded that more research needs to be done, but these attacks would likely be “easiest to perpetrate but the least damaging”. The two other scenarios do not involve pure cyber-attacks, but rather the use of cyber-attacks to strengthen a conventional attack. Attackers could conceivably use electronic manifest information to intercept a hazardous materials shipment, or plant false manifest information to disguise a shipment of weapons or hazardous materials. The Transportation Research Board concluded the latter case “may be the least likely, and the IT role in the attack may not be central.” Because these technologies are largely in the test phase, there are no case studies or assessments of the feasibility of this scenario.

3.4.3 Air Transportation Networks

At present, the aviation system uses computer technologies more heavily than any other component of the nation’s transportation infrastructure. The Federal Aviation Administration’s air traffic control system has been described by the Government Accountability Office as “a vast network of computer hardware, software, and communications equipment.”156 The FAA estimates that the air transportation industry accounts for 5.4 percent of the nation’s GDP. On an average day, nearly 2 million passengers fly in U.S. airspace, and up to 7,000 civilian and military aircraft are aloft over the U.S. at any given time.157 Only one would need to be targeted in a cyber-attack for an impact to be felt on the economy and public perception, even if the attack did not result in physical damage.

154 Transportation Research Board. (2003). Cybersecurity of freight information systems: A scoping study. Washington, D.C.: Transportation Research Board.
155 Transportation Research Board. (2003). Cybersecurity of freight information systems: A scoping study. Washington, D.C.: Transportation Research Board.
156 Government Accountability Office. (2003). Information security: Progress made, but Federal Aviation Administration needs to improve controls over air traffic systems. Washington, D.C.: Government Accountability Organization.
157 FAA Air Traffic Organization. (2006). Moving America safely: 2005 annual performance report. Washington, D.C.: Federal Aviation Administration.


Figure 3.3: FAA Traffic Situation Display of Civilian and Military Aircraft158

3.4.3.1 Aircraft Internal Electronic Control Systems

One potentially serious, but largely unrealistic vulnerability to cyber-attack is introduced by the reliance of commercial aircraft on electronic flight control systems. Many newer commercial aircraft use electronic fly-by-wire (FBW) control systems, including, as of 2001, 2,300 out of 11,000 aircraft made by Boeing and Airbus, the two most popular manufacturers.159 In these FBW systems, the cockpit is connected to the plane’s wing and tail control mechanisms by solid state electrical control systems instead of by direct mechanical or hydraulic connections. In some planes, such as the Boeing 777 and the Airbus A380, there is no hydraulic or mechanical backup control system, and the pilot cannot completely disable the plane’s computers and bypass the FBW system160. However, in commercial FBW aircraft, the pilot can still disable automatic navigation systems and manually input flight instructions to the FBW system. This implies there is no way for a commercial aircraft to be electronically hijacked while it is airborne. Systems allowing authorities to remotely control a commercial aircraft in an emergency have been conceived, but industry leaders have concluded these systems would introduce more vulnerabilities than the

158 Government Accountability Office. (2003). Information security: Progress made, but Federal Aviation Administration needs to improve controls over air traffic systems. Washington, D.C.: Government Accountability Organization.
159 Wald, M. L. Can Computers Foil Air Pirates?. (2002, April 11). New York Times
160 Alford, L. (2000). Cyber warfare: Protecting military systems. Acquisition Review Quarterly, Spring 2000 volume

67

benefit would warrant161. Also, in 1993, one study concluded that fears of electromagnetic radiation disrupting an aircraft’s electrical control system were “unfounded”162. The vulnerability of the FBW system’s software to the insertion of malicious code is another conceivable risk factor, but the system’s built-in redundancies make this impractical for a cyberattacker to exploit. Airbus uses a software-based approach, in which several teams of software developers develop unique implementations of the FBW software from a common set of specifications. The multiple implementations are run in parallel in the final design, and a voting system is used to choose the most recommended output163. This means any attempt to insert malicious code into an Airbus flight control system from the inside would require “renegade” software developers to be on a majority of the development teams. Boeing’s 777 uses a hardware-based approach instead in its “triple-triple redundant” FBW system, largely similar to that of the newer 787. There are three independent, isolated flight computer channels, and each channel has three independently-powered “computer lanes” with three dissimilar microprocessors. Among other things, this means the software code is compiled in three different ways; according to the system’s design specifications, this dissimilar redundancy should reduce the risk of hardware being compromised by a factor of one million164. It is conceivable that as future aircraft rely more heavily on computer systems, they may become more vulnerable to cyber-attacks. At present, though, disrupting or hijacking a commercial aircraft’s navigation system is infeasible to the extent that the risk of a cyber-attack to an aircraft’s computer system is far outweighed by the risk of conventional attacks. Cyber-attackers are likely to look elsewhere for a more practical target.
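The voting arrangement described above, as an added illustration that is not code from the report or from any aircraft manufacturer: three hypothetical implementations of one made-up control law run side by side and a majority voter decides, so a single tampered channel is outvoted and flagged, while two tampered channels (a majority) are not. The control law, its constants, the channel names and the tampering are all constructed for this example.

```python
"""Majority voting over dissimilar implementations of one control law.

Toy model of the N-version arrangement the report describes: several teams
implement the same specification independently, the copies run in parallel,
and a voter passes on only the output a majority agrees on.  Everything here
(the control law, its constants, the channel names, the tampering) is
constructed for the example and is not taken from any real flight system.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical specification shared by all "teams": elevator command equals
# GAIN times the pitch error (target minus actual), clamped to +/- LIMIT_DEG.
GAIN = 2.0
LIMIT_DEG = 25.0

ControlLaw = Callable[[float, float], float]


def team_a(target: float, actual: float) -> float:
    """Team A: one-line clamp built from min/max."""
    return max(-LIMIT_DEG, min(LIMIT_DEG, GAIN * (target - actual)))


def team_b(target: float, actual: float) -> float:
    """Team B: explicit branches, same specification."""
    cmd = (target - actual) * GAIN
    if cmd > LIMIT_DEG:
        cmd = LIMIT_DEG
    elif cmd < -LIMIT_DEG:
        cmd = -LIMIT_DEG
    return cmd


def team_c(target: float, actual: float) -> float:
    """Team C: clamp taken as the median of (low, value, high)."""
    cmd = GAIN * target - GAIN * actual
    return float(sorted((-LIMIT_DEG, cmd, LIMIT_DEG))[1])


def team_c_tampered(target: float, actual: float) -> float:
    """Constructed 'renegade' variant of team C: flips the sign of any
    command larger than 10 degrees, i.e. a change that only shows itself on
    large corrections and is invisible on small ones."""
    cmd = team_c(target, actual)
    return -cmd if abs(cmd) > 10.0 else cmd


def stuck_channel(target: float, actual: float) -> float:
    """Constructed failed channel that always reports zero deflection."""
    return 0.0


@dataclass
class VoteResult:
    command: Optional[float]  # None when no value has majority support
    dissenters: List[str]     # channels whose output was outvoted
    fault: bool               # True whenever any channel disagreed


# Outputs closer than this are treated as agreeing (the teams' arithmetic
# orders differ, so exact float equality would be too strict in general).
TOLERANCE = 1e-6


def vote(channels: Dict[str, ControlLaw], target: float, actual: float) -> VoteResult:
    """Run every implementation and return the majority-supported output.

    A value wins when more than half of the channels agree with it within
    TOLERANCE.  Disagreeing channels are reported so the fault can be logged
    and the channel isolated; with no majority the caller gets None and must
    fall back (hold the last good command, drop to a backup mode, etc.).
    """
    outputs = {name: law(target, actual) for name, law in channels.items()}
    needed = len(outputs) // 2 + 1
    for candidate in outputs.values():
        supporters = {n for n, v in outputs.items() if abs(v - candidate) <= TOLERANCE}
        if len(supporters) >= needed:
            dissent = sorted(set(outputs) - supporters)
            return VoteResult(candidate, dissent, bool(dissent))
    return VoteResult(None, sorted(outputs), True)


# Channel sets used in the demonstration.
HEALTHY = {"A": team_a, "B": team_b, "C": team_c}
ONE_TAMPERED = {"A": team_a, "B": team_b, "C": team_c_tampered}
TWO_TAMPERED = {"A": team_a, "B": team_c_tampered, "C": team_c_tampered}
NO_MAJORITY = {"A": team_a, "B": team_c_tampered, "C": stuck_channel}


if __name__ == "__main__":
    # An 8-degree pitch error produces a 16-degree command, which is exactly
    # the region where the tampered channel misbehaves.
    for label, chans in (("healthy", HEALTHY), ("one tampered", ONE_TAMPERED),
                         ("two tampered", TWO_TAMPERED), ("no majority", NO_MAJORITY)):
        print(label, vote(chans, 10.0, 2.0))
    # Small correction: the tampered logic stays dormant and all channels agree.
    print("one tampered, small error", vote(ONE_TAMPERED, 5.0, 2.0))
```

The last two channel sets show the limits the report itself points out: a majority of compromised implementations wins the vote, and a lone good channel can only be reported as a dissenter, while three mutually disagreeing channels leave the voter with no output at all.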
3.4.3.2 Air Traffic Control System

The nationwide air traffic control system is more exposed to cyber-attack than individual aircraft are, and is accordingly a more realistic target. The most recent Government Accountability Office report on the FAA’s cyber-security, published in 2005, found that despite ongoing efforts to improve information security, the agency’s computer systems were “vulnerable to unauthorized access, use, modification, and destruction that could disrupt aviation operations.”[165]

[161] Wald, M. L. (2002, April 11). Can computers foil air pirates? New York Times.
[162] Clough, B. T., Cope, B., & Donley, S. (1993). Microwave induced upset of digital flight control systems. Digital Avionics Systems Conference, 12, 179-184.
[163] Greenwell, W. S., & Alsbrooks, J. G. (2007). Excerpt from "Digital Control Systems". Retrieved November 3, 2007, from IEEE Computer Society Web site: http://www.computer.org/portal/site/ieeecs/menuitem.c5efb9b8ade9096b8a9ca0108bcd45f3/index.jsp?&pName=ieeecs_level1&path=ieeecs/ReadyNotes&file=s_k_sample.xml&xsl=generic.xsl&
[164] Yeh, Y. C. (2001). Safety critical avionics for the 777 primary flight controls system. Digital Avionics Systems, 1, 1-11.
[165] Government Accountability Office. (2003). Information security: Progress made, but Federal Aviation Administration needs to improve controls over air traffic systems. Washington, D.C.: Government Accountability Organization.


Some vulnerabilities found by the GAO were a result of outdated or poorly configured computers. In one case, a computer system’s operating system had been unpatched since 1991 despite several vulnerabilities; in many other cases patches were not applied consistently or quickly enough. Networks were not configured to prevent intrusion or denial-of-service attacks—though a fix was in progress at the time of the report—and intrusions were not traceable to a specific user or location. Other problems found by the GAO were related to the staffing policies of the FAA and user access permissions. For example, the FAA relies on outside contractors for much of its information technology, and access to sensitive areas of the computer systems was often granted when it wasn’t necessary for a worker to perform their job. There was little segregation between software development, testing, and production control—another issue the FAA had plans to fix—meaning developers could introduce malicious code.

However, while vulnerabilities to intrusion and malicious code exist, the same report stated that the nature of the FAA’s computer systems makes them somewhat less susceptible to a cyber-attack. The systems are highly proprietary and out-of-date relative to typical computer systems, meaning they are more vulnerable to an attack from within the agency than from an outsider or from the average hacker.

While the FAA does, as the GAO report states, rely on computer systems to ensure “safe, orderly and efficient” air transportation, it isn’t clear that any physical damage would result from cyber-attacks on air traffic systems. According to the Center for Strategic & International Studies, if computer networks are unavailable, backup communications equipment exists which isn’t dependent on the Internet, and air traffic’s “control and decision making process” includes a “high level of human involvement” that reduces the potential damage of a cyber-attack. Furthermore, pilots are trained to operate aircraft without support from air traffic control in emergency situations,[166] and modern commercial aircraft include automatic collision avoidance systems.

Case studies help reveal the realistic impact that would result from a cyber-attack on aviation systems. In 1997, a juvenile hacker disabled the local phone service in Rutland, Massachusetts, which in turn disabled the air traffic control tower’s main radio transmitter at Worcester Regional Airport for six hours.[167] No accidents, close calls or disruptions were reported at the airport, which handled an average of about 165 flights per day that year, but this demonstrates how vulnerable systems have been in the past. In September of 2004, the FAA servers that allowed air traffic controllers in Southern California to communicate with the 800 airplanes aloft in their airspace crashed for three hours. Planes that had not taken off were held on the ground and delayed or cancelled.[168] Air traffic controllers affected by the server crash used their cell phones to pass control of the airborne planes to other FAA facilities. There were no accidents, but there were five incidents of planes traveling more closely than normal; in the closest call, two planes were separated horizontally by one mile.[169] This demonstrates that while temporary disruptions to air traffic control do not overwhelmingly increase the risk of an accident, the risk is still greater than during normal operation. A similar incident happened at the FAA’s Memphis Control Center in September of 2007, when radar and phone communication were lost for two hours. Again, when their capability to communicate directly with aircraft was lost, air traffic controllers handed control of the planes in their 100,000 square miles of airspace to seven adjacent control centers via cell phone. No accidents or close calls resulted. There were many delayed flights, but few cancellations; out of 740 flights that day, Northwest Airlines cancelled 13 and diverted 19.

One possible cyber-attack scenario would involve the insertion of malicious code into FAA software, either by a renegade FAA employee or contractor or by remotely accessing FAA servers. There is not much available research into what the worst-case effects of this could be—possibly for national security reasons—but it is conceivable that the air traffic control system could be disabled. Another possible cyber-attack could target communication systems such as local phone systems or power systems that air traffic control centers rely on. The effects of these kinds of attack would be similar to those of the case studies previously discussed. The affected areas of the national air traffic system would put a hold on departing flights, and the flights in the air would most likely be managed by air traffic control centers that were still operational. Any delays and cancellations would have economic consequences in proportion to the duration and scope of the shutdown, and public confidence could erode in any scenario.

[166] Lewis, J. (2002). Assessing the risks of cyber terrorism, cyber war and other cyber threats. Washington, D.C.: Center for Strategic & International Studies.
[167] Thomas, P. (1998). Teen hacker faces federal charges. Retrieved October 25, 2007, from CNN.com Web site: http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/index.html
[168] Wald, M. L. (2004, September 15). Air control failure disrupts traffic. New York Times.
The worst case scenario, in which all air traffic control centers would be disabled for an extended period of time, is purely speculative and highly unlikely, given the distributed and redundant nature of the air traffic system. It is also conceivable that a cyber-attack could be used to disable some component of the air traffic control system in conjunction with a more traditional form of attack. For example, if every FAA control center were disabled while a plane was hijacked, it is conceivable that more damage could result. While this sort of total collapse of the FAA’s control network would be completely without precedent and is purely speculative, it is not known to be impossible. However, these combined cyber and traditional attacks on aviation are the subject of little research, and it is unclear how much of a negative effect the system being disabled would realistically add to the conventional attack.

3.4.4 Conclusions

In all areas of the nation’s transportation infrastructure, the threat currently posed by cyber-warfare is significantly smaller than that posed by conventional methods of attack. Public transit systems are currently not reliant enough on computer systems to be an attractive target to cyber-attackers. Similarly, shipping networks’ vulnerability to cyber-attacks is limited at present, and any cyber-attack on shipping networks would need to occur in conjunction with a conventional attack to cause major damage. Also, there are enough glaring physical vulnerabilities that attackers would be less likely to focus cyber-warfare on shipping networks. In the case of the nation’s aviation network, the air traffic control system has several major vulnerabilities to cyber-attacks that should be addressed, as demonstrated by previous incidents. However, because of the degree of redundancy and human involvement present, the potential physical damage caused by cyber-attacks is unlikely to approach the damage conventional attacks can cause. This makes cyber-warfare a less favorable tool for aggressors, especially if not used in conjunction with some form of traditional attack. At present, the primary effects of a cyber-attack on the transportation infrastructure would be economic, not physical. However, as transportation systems become more dependent on computer systems, they will be inherently more vulnerable to cyber-attacks, and the effects may become more severe. This means cyber-security should remain central to the development of transportation systems.

[169] Mullen, M. (2004, September 16). Human error caused chaos in the sky. Retrieved October 25, 2007, from MSNBC Online Web site: http://www.msnbc.msn.com/id/6021929/


4 Consequences


4.1 Economic Consequences of Cyber-Warfare

It is difficult to quantify the economic effects of cyber-warfare because the scale of such attacks varies widely. Assumptions must be made about the degree of success of attacks, and their consequences must then be analyzed. Previous attacks and electronic disruptions provide insight into potential costs.

4.1.1 Economic Consequences of Hacking

Cyber-warfare incidents can be costly even when conducted by small groups of attackers. A group of 12 people led by Jonathan Bosanac from San Diego “hacked into a digital cache of unpublished telephone numbers at the White House, portions of the national power grid, air traffic control systems, the FBI’s National Crime Information Center, credit-reporting databases, and telephone networks such as MCI, WorldCom, Sprint, and AT&T.” These 12 attackers cost the United States and businesses an estimated $1.85 million.[170] In 1999, a computer hacker from New Jersey created a virus called “Melissa” that spread through thousands of computers via email. The virus attacked personal, government and corporate computers using an “X-rated Web site.” This computer virus alone, created by one man, caused an estimated $80 million in damage.[171] A virus called “I Love You”, created in 2000, caused $10 billion in damage. When “Love-Letter-For-You.txt.vbs” was opened from a recipient’s email, the virus would copy itself to three locations on the computer, initiating various start-up commands upon boot-up, and sending itself as an attachment to addresses in the recipient’s address book.[172] This virus was created by a single student in the Philippines whose PhD thesis had been rejected.

4.1.2 Economic Consequences of Infrastructure Attacks

There are many critical infrastructures that could be attacked and result in economic damage, but two sectors are more significant individual threats. The transportation system is an appealing target to potential cyber-attackers due to the integral role it plays in the economy. Transportation accounts for over 10 percent of the nation’s gross domestic product. The recent history of conventional terrorism also suggests that cyber-attackers may choose to target transportation systems, provided feasible opportunities exist. Eighteen of the twenty-five major terrorist attacks from 1983 to 2001 “involved the use of transportation vehicles as weapons, and another five involved attacks on planes.”[173]

[170] Granville, J. (2003, March). Dot.Con: The dangers of cyber crime and a call for proactive solutions. Australian Journal of Politics & History, 49(1), 104.
[171] Ibid.
[172] Ibid.
[173] Szyliowicz, J. S. (2004). International transportation security. Review of Policy Research, 21.


The FAA estimates that the air transportation industry accounts for 5.4 percent of the nation’s GDP. On an average day, nearly 2 million passengers fly in U.S. airspace, and up to 7,000 civilian and military aircraft are aloft over the U.S. at any given time.[174] Only one would need to be targeted in a cyber-attack for an impact to be felt on the economy and public perception, even if the attack did not result in physical damage.

A successful attack on the power grid presents the greatest economic threat among critical infrastructures. An Independent Task Force under the Council of Foreign Relations describes in a report how vulnerable the power grid really is. Refined oil would be a likely target, as “A coordinated attack on several key pumping stations- most of which are in remote areas, are not staffed, and possess no intrusion-detection devices- could cause mass disruption to these flows. Nearly 50 percent of California’s electrical supply comes from natural gas power plants, and 30 percent of California’s natural gas comes from Canada. Compressor stations to maintain pressure cost up to $40 million each and are located every sixty miles on a pipeline. If these compressor stations were targeted, the pipeline would be shut down for an extended period of time. A coordinated attack on a selected set of key points in the electrical power system could result in multi-state blackouts. While power might be restored in parts of the region within a matter of days or weeks, acute shortages could mandate rolling blackouts for as long as several years.”[175] Even with a new advanced backup power source installed in December of 2006, the system is only expected to last for 4 months.[176]

The cost of power outages alone is tremendous, not to mention the effects on public confidence and on other critical infrastructures. “The average cost of a one-second outage among industrial and DE firms is $1,477, vs. an average [per second] cost of $2,107 for a three minute outage and $7,795 for a one-hour outage.”[177] These figures demonstrate that the average cost per second increases as the duration of the power outage increases. The New York power outage that lasted only one day cost the United States an estimated $6 billion.[178] An extended outage for one company alone could cost approximately $5 million per month. Considering that there are thousands of distributed energy firms in any given region of the U.S., these figures could approach one trillion dollars per month. An impact this big on the U.S. economy would affect almost every citizen in the country.

[174] FAA Air Traffic Organization. (2006). Moving America safely: 2005 annual performance report. Washington, D.C.: Federal Aviation Administration.
[175] http://www.cfr.org/content/publications/attachments/Homeland_TF.pdf
[176] http://www.buyerzone.com/facilities/generators/rbic-taking-stock.html
[177] Lineweber, D., & McNulty, S. (2001). The cost of power disturbances to industrial & digital economy companies. Electric Power Research Institute, Inc. Retrieved October 30, 2007, from http://www.epriintelligrid.com/intelligrid/docs/Cost_of_Power_Disturbances_to_Industrial_and_Digital_Technology_Companies.pdf
[178] An analysis of the consequences of the August 14th 2003 power outage and its potential impact on business strategy and local public policy. (2004). Retrieved from http://www.acp-international.com/southtx/docs/ne2003.pdf


Figure 4.1

4.1.3 Economic Consequences of Combined Attacks

Even more costly than an attack on the power grid would be a coordinated attack on multiple systems. The various sectors of the current critical infrastructures in the U.S. are extremely codependent. Oil refineries, power plants, dams, water treatment plants, security operations, and many other infrastructures all depend on the Internet and a constant electric power source. The loss of these interconnected systems could cascade and result in immense economic consequences. In November 2004, a project conducted by the Department of Energy with the code name “Black Ice” revealed the interdependencies between critical infrastructures. The exercise showed how an ice storm that knocks out a major portion of the power grid would first disrupt telecommunications systems, and later water supply, natural gas supply, and even emergency response systems.[179] When one considers the possibilities of organizational attacks and the compounding effect of the loss of public confidence, the potential economic impact rises dramatically. This loss of confidence would be the exact target of a terrorist organization. Terrorists aim “to create fear by causing confusion and uncertainty within a given population… (Terrorist organizations) generally use symbolic means to attack the sanctity of the society… Such actions result in confusion and uncertainty about a government’s ability to protect its citizens. This is when citizens are most vulnerable to influence by others.” Not only could they receive media attention for their efforts, the terrorists would also succeed in degrading the economic system as the population lost confidence in the market of such a vulnerable nation.[180] If there were a coordinated attack on a combination of systems in a large region, the estimated economic impacts would approach two trillion dollars.

[179] Verton, D. (2001, October 21). Utah’s ‘Black Ice’: Cyber-attack scenario. CNN. http://archives.cnn.com/2001/TECH/ptech/10/21/black.ice.idg/index.html
[180] “National Infrastructure Protection Center Highlights”. National Infrastructure Protection Agency, 15 June 2001, p. 2. Retrieved 30 Oct. 2007 from http://www.iwar.org.uk/infocon/nipc-highlights/2002/highlight02-03.pdf


4.2 Social Effects

The negative effects of cyber-attacks extend far beyond damage to the economy, particularly in the case of cyber-terrorism. Currently, no one has ever launched a successful cyber-attack on the United States, so the social effects of such an attack are purely speculative. Because the Bush administration categorizes cyber-attacks along with chemical, biological, nuclear, and other major attacks, the only attack large enough to act as a point of comparison is the September 11th World Trade Center attacks. However, because the effects of a cyber-attack could vary greatly, this comparison is tenuous at best: the public’s reaction could differ greatly between a cyber-attack that caused widespread erasure of credit card information but no direct fatalities, and a cyber-attack that opened a dam’s floodgates and killed thousands. Nevertheless, it is likely that a successful act of cyber-war or cyber-terrorism on the United States would have profound social effects, particularly in terms of public confidence in the government and in the area of infrastructure affected by the attack.

4.2.1 Public Confidence in the Government

There is a great deal of speculation among cyber-security professionals about whether the United States government is undereducated about the capabilities of cyber-attacks. According to Joe Weiss, a consulting executive for KEMA Inc., this likely stems from ignorance within the information technology industry itself about how well many systems are protected. Weiss claims that materials that have reached Senate and congressional staffers about cyber-security were technically flawed and lacking important basic information; one report about the threat SCADA systems pose to infrastructure failed even to identify that the electrical industry uses SCADA systems.[181] Many cyber-security industry professionals feel that because of this ignorance in Washington, neither enough attention nor funding is given to measures that could secure our country from cyber-attacks.

The public itself is also uneducated about cyber-security: a National Cyber Security Alliance poll from October 2007 shows that of the 87% of computer users who said they use anti-virus software, 48% had not updated their software within a month. Furthermore, 81% of respondents had a firewall installed on their computer, but only 64% actually used the firewall.[182] These discrepancies indicate a universal need to increase awareness and education about cyber-warfare and cyber-security in both the public and private sectors.

However, it is not entirely accurate to say that the Bush administration has not taken any action to improve the nation’s cyber-security. In terms of budgeting, between 2002 and 2004, the government increased the fiscal-year budget for federal records protection from $2.7 billion to $4.9 billion, and the National Strategy to Defend Cyberspace laid out a defense plan around which further budgeting could be based. Despite these budget increases to federal cyber-security, critics say that the government is still not giving infrastructure enough funding to allow companies to make the changes outlined in the defense plan.[183] Furthermore, polls show that the majority of Americans, both Republican and Democrat, agree that Congress should pass a “strong data security law.”[184]

The public has shown in the aftermath of September 11th that it quickly loses faith in the government if there is evidence that a legitimate threat to national security is ignored. A 2004 poll shows that 49.3% of New York City residents and 41% of New York state citizens believed that the government had foreknowledge of the September 11th attacks,[185] in the wake of speculation that the Clinton and Bush administrations ignored warnings of the attacks. This weakening faith in the government is partially reflected in presidential approval ratings, which have fallen steadily since 2001.[186] Industry experts have repeatedly warned the government to bolster cyber-security, even asking for a cyber-security initiative on the scale of the Manhattan Project.[187] While a concrete plan to launch a cyber-war on American interests has not been identified, the public could have a similar response to the government’s failure to heed the experts’ warnings if a cyber-attack large enough to garner national attention were successfully launched.

4.2.2 Public Confidence in Target

Currently, the public seems to have little faith in businesses concerning cyber-attacks: a 2006 Cyber Security Industry Alliance poll found that only 24% of Americans felt that businesses were properly emphasizing protection for information systems and networks.[188] The poll mainly asked about e-commerce, but the security systems used by infrastructure companies are often the same as those used by corporations. Statistics show that since 2001, sales of cyber-security implements have not increased as a result of increased corporate awareness of cyber-security threats, and most critical infrastructure networks are still unprotected from many types of cyber-attack.[189]

[181] "Interview: Joseph Weiss." Frontline: Cyber War! PBS, 23 Apr. 2003. Retrieved 24 Oct. 2007 from http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/weiss.html
[182] "Report Reveals Perception Gap in Cyber Security Awareness." Security Products, 2 Oct. 2007. Retrieved 20 Oct. 2007 from http://www.secprodonline.com/articles/50717/
[183] "Interview: Richard Clarke." Frontline: Cyber War! PBS, 23 Apr. 2003. Retrieved 24 Oct. 2007 from http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/clarke.html
In general, many experts believe that the public is not as concerned about cyber-attacks as about physical attacks because their effects are not as tangible; most people are not aware of the extent to which our society’s infrastructure relies upon computers. Moreover, most cyber-attacks would not be as “flashy” as physical attacks—a cyber-attack on California’s power grid, for example, might have similar effects to the brownouts of 1998, which caused economic distress but not terror or widespread panic. Most experts agree that a large-scale cyber-attack on the United States power grid is the “nightmare scenario,” but some disagree about the feasibility of such an attack. Former White House cyber-security advisor Richard Clarke concedes that it would be possible to bring down the national power grid for a day or two, but it is “unrealistic” to think that the grid could be taken down for a longer period. On the other hand, Cyber Defense Agency CEO Sami Saydjari claims that a targeted attack requiring about 300 people and $500,000 could be capable of bringing down the national power grid for a month or more.[190]

Current trends in public knowledge about cyber-security and industries’ hesitance to disclose that they have experienced small-scale cyber-attacks suggest that only cyber-attacks on a very large scale would actually receive public attention. For example, despite the successful disruption of air traffic control systems as recently as September 2007, there is no data to suggest that these cyber-incidents have discouraged the public from using commercial airlines. The only ways the public would likely have a strong, noticeable response against a company or section of infrastructure are if a cyber-attack of a large magnitude were to be launched, or if any successful cyber-attack resulted in civilian casualties. If the public became aware of such an attack, the response would likely be similar to the public’s apprehension about using airlines immediately after September 11. Those attacks resulted in an immediate 30% decline in demand for commercial airline services, and an ongoing 7.4% decline through 2003.[191] A successful attack or a prolonged series of unsuccessful attacks would probably result in the same pattern: an immediate decline in public confidence, with a smaller prolonged loss of public confidence if no other incidents occurred.

[184] "Poll Shows Americans Want Congress to Do More to Protect Them Online." Cyber Security Industry Alliance (2006): 30. Retrieved 21 Oct. 2007 from https://www.csialliance.org/news/pr/view?item_key=e5b543c0cf207bb110c9c65b61ac476ec45e03fe
[185] "Poll: 50% of NYC Says U.S. Govt Knew." Zogby International Polling/Market Research, 30 Aug. 2004. Retrieved 28 Oct. 2007 from http://www.911truth.org/article.php?story=20040830120349841
[186] Ruggles, Steven. Historical Bush Approval Ratings. Dept. of History, University of Minnesota, 2007. Retrieved 27 Oct. 2007 from http://www.hist.umn.edu/~ruggles/Approval.htm
[187] "Interview: O. Sami Saydjari." Frontline: Cyber War! PBS, 23 Apr. 2003. Retrieved 24 Oct. 2007 from http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/saydjari.html
[188] "Poll Shows Americans Want Congress to Do More to Protect Them Online." Cyber Security Industry Alliance (2006): 30. Retrieved 21 Oct. 2007 from https://www.csialliance.org/news/pr/view?item_key=e5b543c0cf207bb110c9c65b61ac476ec45e03fe
[189] Hancock, Bill. National Infrastructure Protection Issues. International Telecommunication Union, 2002. Retrieved 25 Oct. 2007 from http://www.itu.int/osg/spu/ni/security/workshop/presentations/cni.18.pdf
[190] "Interview: O. Sami Saydjari." Frontline: Cyber War! PBS, 23 Apr. 2003. Retrieved 24 Oct. 2007 from http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/saydjari.html
[191] Ito, Harumi, and Darin Lee. Assessing the Impact of the September 11 Terrorist Attacks on U.S. Airline Demand. Dept. of Economics, Brown University, 2004, pp. 3-24. Retrieved 26 Oct. 2007 from http://www.brown.edu/Departments/Economics/Papers/2003/2003-16_paper.pdf


5 National Agencies and Legislation


In order to coordinate an effort to secure cyberspace through federal initiatives, various documents have been created to define and dictate how the government prepares for and reacts to cyber-attacks. Also, several agencies have been created to regulate this information and ensure that communication and awareness achieve cyber-security objectives. It is the responsibility of various departments within the federal government to abide by these documents and agencies.

5.1 E-Government Act of 2002

The E-Government Act of 2002 serves as the origin of the government’s current role in cyber-warfare. Enacted on December 17th, 2002 (Public Law No. 107-347),[192] one of the main attributes of this act is the role established for the Office of Management and Budget (OMB). The Director of OMB is required by FISMA (the Federal Information Security Management Act)[193] to oversee federal agency information security policies and practices as well as to coordinate a thorough risk-based approach for managing information security issues. Also, the OMB oversees the operation of a central federal information security incident center, formerly known as FedCIRC. This center is now known as US-CERT and will be discussed later in the report. The OMB, through US-CERT, provides guidance to federal agencies on types of cyber-attacks and ways to report and communicate them throughout the government. Another key point in the E-Government Act of 2002 is to allow government agencies to use technology as a way of obtaining secure government information. Furthermore, the Act lists ways in which several departments are responsible for satisfying the need for cyber-warfare strategies. Finally, the Act suggests that a Critical Infrastructure Protection Policy Coordinating Committee will advise the Homeland Security Council on policy amongst agencies related to protection against cyber-attacks. This Committee is now known as the NIAC. Passed on December 17, 2003, the Homeland Security Presidential Directive offers suggestions regarding the responsibility of several governmental agencies.

5.2 National Infrastructure Advisory Council

The National Infrastructure Advisory Council (NIAC), formerly known as the President’s Critical Infrastructure Protection Board, operates within the U.S. Department of Homeland Security. The purpose of this council is to supply the President with enough information and advice to continue to secure critical infrastructure sectors and their information systems.194 Consisting of 30 members maximum, the NIAC is composed of citizens appointed by the President from various areas such as private industry, academia, state, and local government.
192 Bush, George W., and Jim Turner. "E-Government Act of 2002." The White House. 15 Nov. 2002. US Government. <http://www.whitehouse.gov/omb/egov/g-4-act.html>.
193 "FISMA." National Institute of Standards and Technology. 24 Oct. 2002. US Government. <http://csrc.nist.gov/groups/SMA/fisma/>.
194 "National Infrastructure Advisory Council." Department of Homeland Security. Oct. 2007. US Government. <http://www.dhs.gov/xprevprot/committees/editorial_0353.shtm>.

The NIAC focuses mostly on preventing attacks on critical infrastructure and on recovering from attacks. The NIAC notes that both the cyber and the physical functions of critical infrastructure are vital to maintaining the American economy, security, and way of life. Currently, the federal government has divided responsibility for cyber-infrastructure among several different departments. However, it should be noted that the devices that control our physical systems, such as power grids, are increasingly dependent on the Internet. As a result, a single cyber-attack has the ability to affect several areas at once.

5.3 National Strategy to Secure Cyberspace

The National Strategy to Secure Cyberspace, also known as the NSSC, is meant to inform and implore Americans to secure the sections of cyberspace that they own, operate, control, or utilize [195]. Securing cyberspace is a challenge that requires effort and awareness from the federal, state, and local governments, as well as the private sector and American citizens. This document, published in February of 2003, can be seen as an interpretation of the National Strategy for the Physical Protection of Critical Infrastructure and Key Assets in terms of cyber-protection. Policies and guidelines found in both documents are represented in the missions of both federal and private agencies concerned with cyber-attacks.

5.4 United States Computer Emergency Response Team (US-CERT)

The United States Computer Emergency Response Team, also known as US-CERT, was created shortly after the release of the National Strategy to Secure Cyberspace. It allows the federal and private sectors to share information about cyber-incidents and situations [196]. US-CERT was established for the sole purpose of protecting the Internet against, and responding to, cyber-attacks. One key component of US-CERT is the Einstein Program, which enables the effective communication of cyber-incidents.

5.4.1 US-CERT Einstein Program

The Einstein Program allows agencies of the federal government to distribute information about cyber-attacks effectively so that it can be analyzed and shared between agencies [197]. This is significant because, due to the complexity and integration of the Internet in almost every critical infrastructure, many agencies find it difficult to share information without a uniform institution to assist in communication. By collecting information from participating federal agencies, US-CERT is able to build and enhance America’s cyber-related situational awareness. This increased awareness, in turn, helps in identifying and responding to cyber-threats and attacks. Also, the more that is known about these attacks, the easier it is to improve network security, increase the resilience of electronically delivered government services, and enhance the survivability of the Internet.

There are several ways in which the Einstein program helps federal agencies protect themselves from cyber-attacks. The program is able to determine the scope and possible threat of a specific worm and how it relates to both the federal government and the Internet community. Detection of irregular network behavior is also possible through the Einstein program, which can then use this information to determine whether a possible attack is focused or part of a larger Internet-wide attack. Likewise, specific agencies tend to have Internet traffic problems that may be attributed to outside cyber-attacks. One of the most useful aspects of the Einstein program that US-CERT developed is its ability to decide how invasive and threatening an attack is, and its resulting effect on the United States [198]. It is able to detect the source of an attack through the analysis of trends in cyber-incidents and IP tracking. These trends are documented in close to real time to raise awareness of their existence amongst federal agencies.

195 National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.
196 "United States Computer Emergency Readiness Team." Department of Homeland Security. US Government. <http://www.uscert.gov/>.
197 "Privacy Impact Assessment EINSTEIN Program Collecting, Analyzing, and Sharing Computer Security Information Across the Federal Civilian Government." US-CERT. Sept. 2004. Department of Homeland Security. <http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_eisntein.pdf>.
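The kind of cross-agency correlation the paragraph above attributes to Einstein, as an added illustration that is neither Einstein's code nor the report's own: it takes constructed incident records of the form reporting agency, source address, signature; counts how many distinct agencies and sources each signature touches; labels a signature seen at three or more agencies as a broad, Internet-wide campaign rather than a focused one; and ranks sources by how many agencies they hit. The record format, the agency names, the addresses, the signature names and the three-agency threshold are all assumptions made for the example.

```python
"""
Added illustration (not US-CERT's Einstein code): correlate constructed
incident records from several reporting agencies to tell a focused attack
from a broad campaign, and rank the sources seen across agencies.
All record fields, agency names, addresses and signatures are constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed sample feed, one record per line:
#   timestamp|reporting_agency|source_ip|signature
SAMPLE_FEED = """\
2007-11-01T08:00:00|agency-A|198.51.100.7|WORM-SCAN-TCP445
2007-11-01T08:02:00|agency-B|198.51.100.7|WORM-SCAN-TCP445
2007-11-01T08:03:00|agency-C|203.0.113.9|WORM-SCAN-TCP445
2007-11-01T08:05:00|agency-D|198.51.100.7|WORM-SCAN-TCP445
2007-11-01T09:10:00|agency-A|192.0.2.44|SQLI-LOGIN-FORM
2007-11-01T09:12:00|agency-A|192.0.2.44|SQLI-LOGIN-FORM
2007-11-01T09:15:00|agency-A|192.0.2.45|SQLI-LOGIN-FORM
2007-11-01T10:00:00|agency-B|203.0.113.9|WORM-SCAN-TCP445
"""


def parse_feed(text):
    """Parse the pipe-separated feed into dicts; ip_address() rejects
    malformed addresses instead of letting them into the statistics."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, agency, src, sig = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "agency": agency,
            "src": ip_address(src),
            "sig": sig,
        })
    return records


def classify_campaigns(records, min_agencies=3):
    """Group records by signature. A signature reported by at least
    min_agencies distinct agencies is 'broad' (Internet-wide); one seen at
    fewer agencies is 'focused'. The threshold is an assumption."""
    by_sig = defaultdict(lambda: {"agencies": set(), "sources": set(), "count": 0})
    for r in records:
        bucket = by_sig[r["sig"]]
        bucket["agencies"].add(r["agency"])
        bucket["sources"].add(r["src"])
        bucket["count"] += 1
    summary = {}
    for sig, b in by_sig.items():
        summary[sig] = {
            "agencies": len(b["agencies"]),
            "sources": len(b["sources"]),
            "events": b["count"],
            "scope": "broad" if len(b["agencies"]) >= min_agencies else "focused",
        }
    return summary


def rank_sources(records):
    """Sources ordered by distinct agencies hit, then by event count:
    a source touching many agencies is the one worth sharing first."""
    hits = defaultdict(lambda: {"agencies": set(), "events": 0})
    for r in records:
        hits[r["src"]]["agencies"].add(r["agency"])
        hits[r["src"]]["events"] += 1
    return sorted(
        ((str(src), len(v["agencies"]), v["events"]) for src, v in hits.items()),
        key=lambda t: (-t[1], -t[2], t[0]),
    )


if __name__ == "__main__":
    recs = parse_feed(SAMPLE_FEED)
    for sig, info in classify_campaigns(recs).items():
        print(sig, info)
    for src, agencies, events in rank_sources(recs):
        print(f"{src:15} agencies={agencies} events={events}")
```

With the constructed feed, the worm scan is reported by four agencies and is classed as broad, while the login-form injection stays at one agency and is classed as focused; the address seen at three agencies ranks first. Real aggregation would key on time windows as well, but the agency-count test is the part that a single agency cannot perform on its own.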

5.4.2 Collaborative Groups of US-CERT

• Government Forum of Incident Response and Security Teams (GFIRST) – Comprised of over 50 incident response teams [199], GFIRST helps coordinate the action and communication of several federal agencies in order to ensure the security of the federal government.

• Multi-State Information Sharing and Analysis Center (MS-ISAC) – MS-ISAC gathers information pertaining to how cyber-threats may affect critical infrastructure and relays that information to state and local governments [200]. The significance of this group lies not only in the number of people involved in ensuring that communication is adequate, but also in providing a means to raise awareness of, and response to, possible cyber-attacks. MS-ISAC is composed of volunteers who formed their organization based on the needs discussed in the National Strategy to Secure Cyberspace.

• National Cyber Response Coordination Group (NCRCG) – Initially intended to join the Department of Defense with the Department of Justice in efforts to defend against cyber-attack, the NCRCG is the federal government’s main interagency organization focused on responding to and recovering from cyber-attacks that affect national security [201].

198 "Fact Sheet: Protecting America’s Critical Infrastructure – Cyber Security." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/press_room/050215cybersec.html>.
199 "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.uscert.gov/federal/collaboration.html>.
200 "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.uscert.gov/federal/collaboration.html>.

5.4.3 National Cyber Security Division (NCSD)

The National Cyber Security Division (NCSD) works collaboratively with public, private, and international entities to secure cyberspace and America’s cyber-assets [202]. The NCSD continuously seeks to protect the critical cyber-infrastructure in order to ensure that steady surveillance is kept for possible cyber-attacks.

5.4.3.1 National Cyberspace Response System

The National Cyberspace Response System coordinates the protocols that determine when, and what, actions may need to be taken in response to cyber-attacks.

• Cyber Security Preparedness and the National Cyber Alert System – Due to the lack of awareness of cyber-threats, many citizens do not actually know whether their computer systems are secure, despite the level of security they think they have. Cyber-threats are constantly adapting to overcome new security measures. Cyber Security Preparedness and the National Cyber Alert System both help raise awareness among citizens in order to reduce the susceptibility of their networks. Anyone can sign up to be alerted by these systems when new and significant information is obtained regarding cyber-threats.

• US-CERT Operations – As mentioned above, US-CERT is one of the most significant organizations that both analyzes and standardizes the level of threat each cyber-attack may pose. US-CERT makes it easier to determine the significance of a possible attack through its well thought-out and established method of prioritizing attacks.

• National Cyber Response Coordination Group – A group that interacts with US-CERT, whose significance is noted above. In terms of response, the NCRCG is significant due to its 13 participating federal agencies, which help determine what response is necessary in case of an attack. The NCRCG helps coordinate the federal response, law enforcement, and the intelligence community in the case of an attack.

• Cyber Cop Portal – Meant to share information amongst over 5,500 investigators worldwide, the Cyber Cop Portal helps find and convict the people responsible for cyber-attacks.

201 "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.uscert.gov/federal/collaboration.html>.
202 "National Cyber Security Division." Department of Homeland Security. 23 Sept. 2006. US Government. <http://www.dhs.gov/xabout/structure/editorial_0839.shtm>.

5.4.3.2 Cyber Risk Management Programs

The National Cyber Security Division is able to evaluate risk and determine what kind of protective measures are necessary to secure cyberspace. The following three programs are part of the Cyber Risk Management Program:

• Cyber Exercises: Cyber Storm – Cyber Storm began in February of 2006 in order to evaluate preparedness in responding to a cyber-attack. The Department of Homeland Security used Cyber Storm to determine how equipped the federal agencies were in case an attack were to happen. DHS also extended the Cyber Storm exercise to the private and international sectors. The significance of involving the private sector is that it shows defense against cyber-attacks to be both a government and an industrial responsibility.

• National Outreach Awareness Month – October of every year is known as National Outreach Awareness Month and is meant to raise awareness of the threat of cyber-attacks.

• Software Assurance Program – Intended to lessen the susceptibility of software programs, SAP also suggests ways to improve the development and installation of software products.

6 Policy


6.1 National Policies

The United States Government has recently dedicated a portion of the Department of Homeland Security to securing and protecting Americans from cyber-attacks. Current policies and guiding principles are vital to determining the progress the government has made in ensuring that its citizens are protected from cyber-attacks. The establishment of agencies to protect against, and raise awareness of, cyber-attacks has proliferated throughout the Department of Homeland Security, but many flaws and a lack of funding for these agencies still show the need for more cooperative support against possible cyber-offenses. The current national policy, The National Strategy to Secure Cyberspace (NSSC), outlines the direction of current government policy for dealing with cyber-warfare. The current policy from the NSSC has served as a baseline for the following policy analysis, with additional policy suggestions included. Current national policies regarding the ways in which the federal government has mandated how to secure cyberspace are to [203]:

• Prevent cyber-attacks against our critical infrastructures
• Reduce our national vulnerabilities to cyber-attack and
• Minimize the damage and recovery time from cyber-attacks that do occur
• Ensure the federal government’s ability to perform essential national security missions and guarantee the general public’s health and safety
• Make sure that state and local governments are able to maintain order and to deliver minimum essential public services
• Aid the private sector’s capability to ensure the orderly functioning of the economy and the delivery of essential services and
• Support the public’s morale and confidence in our national economic and political institutions

6.2 Policy Goals

Although the NSSC was used as a starting point, the current government policy is not enough to protect our nation from cyber-warfare. First we will discuss guiding principles to keep in mind as the government defines a new policy, as well as the primary stakeholders for our policy. Our policy discussion will then be broken into six major areas:

• Prevention
• Response
• Security Training and Awareness
• Government Cyber-security
• International Cyber-warfare
• Military Uses of Cyber-warfare

203 "National Policy and Guiding Principles." National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.

6.3 Guiding Principles

Any cyber-security policies that the government decides to enact should not only minimize or prevent disruptions in critical infrastructures to protect American national security, but also adhere to some guiding principles to protect civil liberties and ensure cooperation from all sectors. One such guiding principle is the idea that American cyber-security must be a national effort. Thus, the government must work with private and commercial groups to formulate policies that are both technologically sound and agreeable to all parties. In doing this, any policies the government employs must strengthen cyber-security with regard to personal privacy, rather than infringing upon privacy. Outside privacy analysts and experts should frequently be consulted to ensure that nonpublic information is handled reliably and privately.

Another guiding principle is that, in most cases, the government should avoid mass regulation of cyber-security. Setting a mandate for how corporations must protect their networks would create a “lowest common denominator approach to cyber-security,” which could easily be exploited on a widespread scale. Currently, some federal regulatory agencies have guidelines for cyber-security, but in the private sector the market itself should force the evolution of cyber-security technologies.

Furthermore, because of the rapidly changing nature of cyber-threats, it is essential that all cyber-security policies be flexible in their ability to prevent and respond to attacks. Flexible policies allow both government and corporate organizations to reassess threats and plan protection strategies based on growing and changing threats. Because these threats are constantly growing, it is essential that government agencies form long-term (multi-year) plans for updating cyber-security so that they can sustain their roles in protecting American national security. It is also recommended that other public- and private-sector organizations adopt long-term plans for this reason.

6.3.1 Social Considerations

In formulating policies to protect against cyber-attacks, there is the potential for negative social consequences. One such consequence is the loss of privacy in cyberspace, which has already occurred as the result of some government security policies. From 2000-2001, the FBI used an email-surveillance system called Carnivore, a byproduct of the US PATRIOT Act, which operated as a basic packet-sniffer, to monitor the electronic transmissions on the networks of Internet service providers. However, this system and systems like it could violate federal privacy laws and the United States Constitution’s ban on unreasonable searches and seizures. The Carnivore system intercepted the traffic of all users on whatever network it was connected to, a practice which former federal prosecutor Mark Rasch describes as “the electronic equivalent of listening to everybody's phone calls to see if it's the phone call you should be monitoring.” Though the warrantless wiretapping system was reportedly discontinued, it serves as a warning of the social hazards that can result from implementing badly planned policies [204].

In addition to monitoring Internet traffic, the government could also decide to block access to certain websites. For example, the European Union recently signed legislation to block access to websites with information about bomb-making. The Australian government is planning to allow the Australian federal police to compile a list of websites suspected of being related to terrorism, which Internet filters would be required to block. In the wake of these international events, the United States has argued before a federal court that it has the right to restrict access to legal websites that are hosted anywhere in the world. Beyond the risk to civil liberties, restricting international content could cause an “arms race” over Internet censorship: if the United States has the right to block information from other countries, then those other countries can directly censor information based in the United States as well [205].

Due to the dangers to privacy, it is important that the public and private sectors are dealt with as independent but cooperating entities when forming cyber-security policies. While the federal government must develop the cyber-security technologies that provide a basis for the public, the private sector generally develops these security products and is responsible for adhering to good security practices itself. For example, the Global Information Grid, a multibillion-dollar military project to link weapons, intelligence, and personnel, interconnects with networks in the civilian sector, and is therefore vulnerable to any threat to which civilian networks could be vulnerable. Military and civilian networks must work together to come up with a defense system that will be suitable to both parties without infringing on the civil rights granted by the Constitution [206].

6.4 Stakeholders

American citizens are the primary stakeholders with regard to cyber-attacks against the US. Other stakeholders are the US government, state and local governments, other nations and their citizens, private companies, health and medical institutions, financial institutions, and various departments within the US government (such as the Department of Justice). Given how dependent nations have become on the Internet, it is difficult to identify any well-established country that would not be affected if cyber-attacks were to become more prevalent. It appears that the more dependent a nation becomes on the Internet, the more secure its government is required to be in order to ensure it will not be affected by cyber-attacks. Similarly, citizens and private companies can be negatively affected if their networks are exploited. Electronic medical records are at stake, as well as the financial status of citizens and companies. The Federal Government has made special note of particular stakeholders, as seen in the figure below. These stakeholders are the home user and small business, the large enterprise, critical infrastructures and sectors, national implications, and global.

204 <http://www.wired.com/politics/law/news/2000/07/37503>.
205 <http://abcnews.go.com/Technology/Story?id=3771510&page=1>.
206 <http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf>.

Figure 6.1 Roles and Responsibilities in Securing Cyberspace from NSSC

• Home User and Small Business – Stakeholders in this category rarely report incidents, according to US-CERT. However, many of the cyber-attacks discovered develop through the use of their systems. Home and small business users are prevalent stakeholders in securing cyberspace.

• Large Enterprise – Bigger companies are stakeholders in relation to cyber-attacks because of their dependency on network systems. Many of their records and critical documentation are electronically stored and accessed on their networks, and destruction or damage would adversely affect their business and profits.

• Critical Infrastructure and Sectors – Critical infrastructures can be physically affected by a cyber-attack. These sectors are becoming increasingly dependent on software and network systems and are thus vulnerable to cyber-attacks.

• National Implications – The US government is a primary stakeholder in cyber-attacks. If damage or information theft were to occur to federal systems, chaos and lack of control could ensue and threaten national security.

• Global – International stakeholders are affected by cyber-attacks because of the range of damage these attacks can span. The Internet and networks cross the globe, so an attack in one geographic area could still result in damage in another location.

6.5 Prevention

Many cyber-protection and warning systems are currently available from both private and government organizations. Most major software publishers also employ personnel who specialize in security issues and work to correct their software quickly once vulnerabilities are revealed. In organizations with critical networks, there are often professionals in place who are responsible for protecting the systems from cyber-attack. The software market is aware of the need for cyber-security and has responded by providing a wide variety of services which attempt to satisfy the need for defense. The government currently has agencies in place which receive reports on cyber-incidents, research them, observe trends, and publish appropriate warnings. While a wide variety of warnings, products and services exist for the purpose of preventing cyber-damage, major issues remain which leave systems open to attack.

6.5.1 Prevention Challenges

While it is impossible to prevent all cyber-attacks and make computer systems completely invulnerable, there are many changes in behavior that could greatly reduce vulnerabilities. Any policies created to address issues in preventing cyber-damage should take the following problems into consideration.

• Security in cyberspace is a never-ending arms race between attackers and security professionals; it is incorrect to assume that one can simply buy a product and be secure. Despite the promises some of these products make, attackers work constantly to circumvent them. Preventing cyber-damage requires more attention than buying a product and ignoring it.

• Warnings of newly found security vulnerabilities, and software updates designed to address new problems, are common, but many administrators neglect to heed these warnings and update their systems. Critical systems can sometimes be found running software that is years behind current security standards, due to the difficulty of updating software and the ignorance of the people maintaining the systems.

• Companies which experience attacks, and publishers of software containing security vulnerabilities, often fail to provide information which could be used to prevent further damage, for fear that admitting to security failures will damage their reputations. Requiring software makers to disclose defects to potential customers would improve security but could also harm business.

• Warnings of vulnerabilities and published material about securing computers present solutions as well as new problems. Attackers can use this knowledge to develop their skills in attacking just as easily as administrators can use the information to improve their defenses. Sometimes the warnings inspire attackers to take advantage of newly published vulnerabilities faster than system administrators can address them.

• The attackers themselves, who are constantly developing new cyber-attack strategies, have security information resources of their own, many of which can be viewed by security personnel and used to anticipate their attacks.

• Releasing information relating to security requires good judgment in order to prevent problems; this “security through obscurity” issue is one of the most debated points in the cyber-security community.

• Experts in computer security have conflicting opinions on the best ways to protect systems; any mandates relating to system security will need to include flexibility to allow for the different approaches used by different system protectors.
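The neglected-update problem raised in the challenges above (critical systems running software years behind the available fixes), as an added illustration that is not taken from the report: it reconciles a constructed host inventory against constructed vendor advisories, flags every host still running a version below the first fixed release, computes how many days the fix has been available, and lists critical systems first. The product names, version numbers, hostnames, advisory dates and the inventory format are all assumptions made for the example; the report's own date is used as "today" so the run is reproducible.

```python
"""
Added illustration (not from the report): a minimal patch-lag audit.
Reconcile a constructed host inventory against constructed advisories,
flag hosts below the first fixed version, and rank them by exposure age.
Every product, version, hostname and date here is constructed.
"""
from datetime import date

# Constructed advisories: product -> (first fixed version, advisory date).
ADVISORIES = {
    "webfront": ("2.4.1", date(2007, 3, 12)),
    "scadahmi": ("5.0.3", date(2005, 9, 1)),
    "mailrelay": ("1.9.0", date(2007, 10, 28)),
}

# Constructed inventory, one host per line:
#   hostname|product|installed_version|critical(yes/no)
INVENTORY = """\
www1|webfront|2.4.1|no
www2|webfront|2.3.9|no
plant-hmi|scadahmi|4.2.0|yes
relay1|mailrelay|1.8.7|yes
relay2|mailrelay|1.10.0|yes
"""

# The report's date, used as "today" so the output is reproducible.
REPORT_DATE = date(2007, 12, 5)


def parse_version(v):
    """'2.4.1' -> (2, 4, 1). Numeric tuples compare correctly where plain
    string comparison would not ('1.10.0' is newer than '1.9.0')."""
    return tuple(int(part) for part in v.split("."))


def audit(inventory_text, advisories, today):
    """Return one finding per host whose installed version is older than
    the first fixed version, with the number of days the fix has existed.
    Critical systems sort first, then the longest-exposed hosts."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, product, installed, critical = line.split("|")
        if product not in advisories:
            continue  # no known advisory for this product
        fixed, advisory_date = advisories[product]
        if parse_version(installed) < parse_version(fixed):
            findings.append({
                "host": host,
                "product": product,
                "installed": installed,
                "fixed": fixed,
                "days_exposed": (today - advisory_date).days,
                "critical": critical == "yes",
            })
    findings.sort(key=lambda f: (not f["critical"], -f["days_exposed"], f["host"]))
    return findings


def run_sample():
    """Audit the constructed inventory as of the report date."""
    return audit(INVENTORY, ADVISORIES, REPORT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        tag = "CRITICAL" if f["critical"] else "normal  "
        print(f"{tag} {f['host']:10} {f['product']:10} "
              f"{f['installed']} < {f['fixed']}  fix available {f['days_exposed']} days")
```

On the constructed data the control-system host comes out first with a fix that has been available for over two years, ahead of a recently patched-but-not-yet-updated critical relay, while the host running a newer release than the fix (1.10.0 against 1.9.0) is correctly left off the list.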





6.5.2 Prevention Products

There are a wide variety of tools on the market sold for the purpose of securing computers, though these products are not available for every vulnerable platform, especially the proprietary systems which were not reliant on computers in the past. As products are developed, new exploits are also made which present new kinds of threats. The previous examples (see 2.3.2) of Distributed Denial of Service attacks and rootkits are relatively new attacks. Before 1999, the old style of DoS attack from a single attacking system was addressed by firewalls and largely prevented, which led to the development of new methods of attack. Programs employing stealth techniques meant to evade detection and removal by security products like virus scanners have become much more prevalent in recent years. The anti-virus company McAfee reports the following trend in new software which attempts to avoid detection [207]:

Figure 6.2

While attacks are becoming more sophisticated, products designed to prevent them are also adapting. Employing the appropriate products is definitely helpful in improving security, but system administrators must be careful not to rely on those products too much. Firewalls, intrusion detection systems, system logging tools, virus scanners, and automated software updates are some of the types of products available to assist in securing computers, but they cannot completely prevent attacks without people in place to protect critical systems. The number of solutions available can be overwhelming, and many products make false promises. Currently the only means of confirming that a security company actually increases security and has products that do what they promise are the market and the media. One step that could be taken to prevent cyber-attack is an institution that independently confirms whether a software product actually delivers the security it promises, perhaps in a similar way to the FDA’s process of confirming that drugs actually do what their sellers promise, though this also raises concerns about the impact on the fragile software industry.

6.5.3 Security Personnel

Many professionals are employed to protect computer networks, with varying degrees of success. One of the more popular excuses for the failure of system protection is undertrained administrators. The cyber-attack situation is unique in that every networked device is a potential target, and security professionals are needed in more places than they were in the past. Businesses are rapidly realizing that cyber-security is part of the cost of doing business today, often after suffering an attack that their IT department was not prepared to prevent.

207 Rootkits: The Growing Threat. McAfee Inc., 2006. Accessed 1 Nov. 2007. <http://download.nai.com/products/mcafeeavert/WhitePapers/AKapoor_Rootkits1.pdf>.

Many private certifications exist that confirm an employee is trained in cyber-security; unfortunately, cyber-security is an ever-changing field and requires constant study to remain prepared. A system of licensure for cyber-security professionals would help ensure that competent personnel are selected to defend critical systems. Further, a standard could be defined that clarifies which systems need such professionals to protect them. Addressing the issue of ignorant security personnel is complex, because administrators are in a constant race against hackers to learn about vulnerabilities and defense strategies, and many organizations now relying on computer networks are not aware that they need trained employees to defend them.

6.5.4 New Vulnerabilities

Products and personnel that work to protect systems can help to prevent cyber-attacks, but another important area to address in potential policy is how software reaches the public with flawed security in the first place. Software developers bear a great responsibility in distributing products which do not leave their customers vulnerable to cyber-attack. Much speculation exists as to the reasons that so many flaws exist in current software.

6.5.5 Computer Security and Liability

There are active debates on how liable producers of software should be for vulnerabilities introduced into systems by their products. Most products which contain these security flaws are distributed with “End User License Agreements” which take effect as a condition of installing the software. These agreements usually contain language that exempts the software companies from all responsibility for any attacks that their customers may suffer through vulnerabilities in their products. Courts have repeatedly upheld these agreements, to the point that holding software authors liable for security flaws in their products would require changes to the law.

Despite this lack of liability for vulnerabilities in their products, software companies still have an incentive to make secure programs. The damage to a company’s reputation after enabling a new kind of attack on its customers can cost a business a lot of money. In this way, while they are not legally liable, they remain morally liable and continually work to improve their security, though perhaps not as well as they would if vulnerabilities in their products posed a greater financial risk to them. The debate surrounding software liability also raises concerns about increased software costs and the extra difficulty involved in identifying vulnerabilities in software compared to defects in physical products.

6.5.6 Policy Options

Taking these challenges into consideration, there are several possibilities for policy changes that could help to prevent successful cyber-attacks, which can be applied to individuals, security professionals, and the designers of networks. Each potential policy would require careful wording and sensitivity to the needs of businesses and the rights of individuals, as well as to the technical consequences.

 Policy Option 6.5.1: Require by law that all computers be secured in specific ways. A policy that demands all systems be secured is a tempting idea, but carries with it many consequences. Explicitly defining which precautions to make about cybersecurity increases government encroachment on individuals and if worded improperly could actually make computers less secure. Diversity is an important part of system protection, which a law explicitly demanding specific security precautions might eliminate, and actually giving attackers more potential targets. A law requiring security precautions would need to be worded in abstract terms to allow for the diverse systems which currently exist. Specific security measures required by law might raise the cost of computers and reduce the performance of the technology. Defining a bare minimum of precautions that must be taken might lead to fewer systems protecting themselves beyond that minimum. It may be possible to create a law which requires certain precautions with minimal negative side effects that could reduce vulnerability, but such a law would have to be created very carefully.  Policy Option 6.5.2: Change the policies about liability for software makers and/or system administrators. A policy might be drafted which could hold system administrators responsible for damage caused by their systems. The law would give administrators a larger motivation to secure their systems so that attackers could not commandeer them and execute attacks. In a way, administrators are already responsible for their systems, because security breaches under their watches tend to hurt their careers, so the necessity of this policy is debatable. Changes in liability rules would increase the stress put on those with increased responsibility, possibly raise the cost of their service and reduce the number of people willing to take the risk of working to protect networks. 
In some limited systems, changes in liability rules might be more appropriate than others. For example, administrators responsible for maintaining networks controlling critical infrastructures or connected to extremely high-capacity Internet links might deserve more legal motivation to secure their systems than owners of personal computers. Applying new responsibility to software developers would slow down the development process and increase the cost. Software prices would rise to offset the legal costs relating to new liabilities, while programmers would be under legal pressure to secure their products, possibly at the expense of performance. The private sector already has motivation to secure its products, but perhaps is not as concerned as it should be that flaws in one system can be used to cause damage to the systems of others. Certain violations of software security might be more appropriate to hold developers responsible for than others; it may be possible to make adjustments in liability rules which improve security with minimal impact on the cost and performance of software. Imported software and outsourced developers would also have to be taken into consideration in any policy about the liability of software developers.


• Policy Option 6.5.3: Create programs to approve security products and personnel. Institutions exist for the licensure of many different professionals and the approval of different products; similar institutions might be created to address cyber-attack possibilities. Policy makers can expect debates over whether government or the private sector can better provide cyber-security approval services. Having a compulsory form of certification may be helpful, since current methods of approving software and personnel for security still allow false products and charlatan professionals to exist. A government approval process for allowing individuals to practice securing systems would have to be carefully crafted by experts to ensure that certified individuals are qualified for their positions. Creating new institutions would be costly, and defining the specific software packages and personnel under their jurisdiction would be difficult, but having more qualified security personnel and higher quality defense products would be helpful. Additionally, infrastructure has significant holes in prevention measures.

• Policy Option 6.5.4: Federally demand a minimum level of security for critical infrastructure systems. In 2001, the Energy Information Security program was created in an attempt to develop better defense technologies for our nation's critical infrastructures. Due to the difficulty of and time needed for installing these technologies, many companies have not kept their systems up to date. Because these companies are not properly secured, even the "secured" infrastructure companies are left vulnerable to attack simply by being connected to the same network as the unprotected companies. Therefore, the minimum level of security for our nation's infrastructure must be federally regulated so that the United States' power utilities, water lines, communication systems, and emergency response will not fail due to a "weak link" in their network connections.

6.6 Response

6.6.1 Judicial Response to Past Attacks

One of the main difficulties in prosecuting cyber-attackers is that they are difficult to capture and apprehend. Taking legal action against these criminals is not common in the federal and state governments; therefore many of the established fines and lengths of imprisonment are subjective. A few examples of past sentencing of individuals show the extensive differences between damage and punishment. The only known instances in which the fine charged to the criminal and the cost of the damage caused were the same were incidents involving disgruntled employees and the company that employed them. The case information presented below was found at the Department of Justice’s website for Computer Crime Cases.[208]

[208] "Computer Crime Cases." Computer Crime and Intellectual Property Section. US Department of Justice. <http://www.usdoj.gov/criminal/cybercrime/cccases.html>.


6.6.1.1 Russian Man Sentenced for Hacking into Computers in the United States

Russian citizen Alexey Ivanov pleaded guilty to several charges of conspiracy, hacking, computer fraud, credit card and wire fraud, and extortion. From Russia, Ivanov and others hacked into dozens of United States computers. After extracting important data such as passwords and credit card information, Ivanov and the others then deleted all of the original data and destroyed the computer systems. The estimated cost of damage was approximately $25 million. Ivanov was sentenced, at the age of twenty-three, to four years in prison and three years of supervised release. US Attorney Kevin O’Conner played a major part in Ivanov’s trial, and he said that Ivanov’s prosecution “demonstrates the ability and resolve of the Department of Justice to vigorously investigate and pursue cyber-criminals who attack American computer systems. We are committed to tracking down and prosecuting those individuals wherever they may be”.
6.6.1.2 Melissa Virus

Much of the information regarding the legal action taken against the creator of the Melissa Virus, David L. Smith of New Jersey, is private and has not been fully disclosed to the public. However, it is known that the maximum sentence he could receive under state law is 5 years in prison and a $250,000 fine. In federal court, the cyber-criminal could face 10 years in prison and a $150,000 fine. Officially, the Melissa Virus caused over $80 million in damage.
6.6.1.3 Disgruntled Employee

Timothy Allen Lloyd of Delaware has begun serving 41 months in prison and was ordered to pay $2 million for releasing a “time bomb” that deleted all the production programs used by his former employer. The cost of the damage caused by this cyber-attack was over $10 million.
6.6.1.4 Israeli Citizen Arrested in Israel for Hacking Government Computers

United States and Israeli government computers, as well as hundreds of commercial and educational systems, were hacked into and attacked by Ehud Tenebaum in February of 1998. He pursued these attacks to extract sensitive data from all of the systems and to damage the attacked computers. Ehud was sentenced to 12 months probation and a $17,000 fine. Ehud’s capture was an orchestrated effort by both the United States and Israeli governments. Attorney General Janet Reno said that “the prompt arrest of the Israeli hacker demonstrates the effectiveness of international cooperation in cases involving transnational criminal conduct”.[209]

[209] "Israeli Citizen Attacks Government Computers." Computer Crime and Intellectual Property Section. US Department of Justice. <http://www.usdoj.gov/criminal/cybercrime/cccases.html>.

6.6.1.5 Konopka Attacks

Between February 14, 1998 and January 25, 2001, Joseph Konopka of Wisconsin committed 9 different violations of federal law relating to conspiracy, destruction of energy, air navigation and telecommunication facilities, arson, trafficking in counterfeit goods, and causing damage to a protected computer. It was also estimated that 53 acts attributed to Konopka caused extensive damage, and that more acts would have occurred had he not been discovered and prosecuted. Konopka knowingly caused 28 power outages and other disruptions which affected 30,000 power customers and caused over $800,000 in damages. The maximum sentence he can serve is 5 years in prison with a $250,000 fine.

Clearly, there is a disconnect between the punishment for cyber-crimes and the crimes themselves. The judicial system is extremely limited in prosecuting cyber-criminals, and even when an attacker is caught, they are soon released and back online.

• Policy Option 6.6.1: Create a more forceful and concentrated effort to prosecute cyber-criminals to the full extent of the damage they caused. It is dangerous to allow criminals who have caused millions of dollars in damage to access computer systems again after only a few years of imprisonment. Additionally, minimum and maximum sentences need to be increased to reflect the widespread damages caused by cyber-attacks.

6.6.2 National Cyberspace Response System

The National Cyberspace Response System is the federal government’s current method of analyzing and responding to cyber-attacks against United States citizens and the government. Analysis of an attack, warning, incident management, and response and recovery from an attack are the four primary steps used by the National Cyberspace Response System. It also includes governmental and non-governmental information sharing and analysis centers such as MS-ISACs.

Figure 6.3 National Cyberspace Security Response System Structure.[210]

[210] "Priority I." National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.

• Analysis: The analysis of cyber-attacks is essential for preparing the nation to handle the effects of cyber-warfare. Through careful evaluation of incidents, inductive inferences can be made to warn and organize stakeholders against future attacks. Also, constant assessment of vulnerabilities can show which areas an attacker may be most likely to damage.

• Warning: The National Cyberspace Security Response System finds it critical to communicate warnings to vital areas that would be affected by a nation-wide cyber-attack. A bulletin board that not only describes incidents but also points out unnoticed vulnerabilities is currently being used as a method of communication by US-CERT.

• Incident Management: US-CERT currently has in place a method for reporting and classifying incidents. Anyone with access to the Internet can review this information and ask to be alerted if any critical incidents are found.

• Response/Recovery: The National Cyberspace Security Response System notes that the OMB, via FISMA, requires federal agencies to take responsibility for detecting and recovering from cyber-attacks.[211]

6.6.3 Public and Private Ways to Communicate

The federal government has taken an initiative to communicate with the private sector, as seen in the Blue Cascades II and Purple Crescent II projects. These regional exercises took place in Seattle, WA and New Orleans, LA in order to assess the cyber-readiness of individuals and businesses. Both Blue Cascades II and Purple Crescent II brought together more than 200 government and private sector officials to analyze response procedures to cyber-attacks, and to emphasize the importance of cyber-security in critical infrastructure protection.[212] These exercises also allowed discussion on ways to integrate physical security and cyber-security. The brief success of these exercises suggests that more training programs would benefit the private sector in its efforts to secure its cyber-space.

[211] "Priority I." National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.
[212] "Fact Sheet: Protecting America’s Critical Infrastructure – Cyber Security." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/press_room/050215cybersec.html>.


6.6.4 Sharing Information

The federal government has taken some initiative for sharing information, as seen in US-CERT. Inter-agency communication has become standardized and easy flowing.[213] Many companies in the private sector do not feel that there is an adequate portal for relaying information related to cyber-attacks. In addition, many companies feel that a publicized vulnerability within their systems may negatively affect the success of their business. Confidentiality, therefore, is a significant attribute that must be included in securing the nation against cyber-attacks. Even though exercises have been conducted to emphasize its importance, it is still difficult to integrate public and private communication effectively. A reevaluation of the motivations for the private sector to partake in securing against and responding to cyber-attacks may help clarify why communication has been unproductive between the government and its citizens. Due to the variability of cyber-attacks, it is not recommended to enact a law that would make it mandatory for businesses to secure their networks to one specific standard. Because of the constantly changing methods of cyber-attacks, a law mandating network security may not ensure that systems are fully protected against all cyber-attacks.

[213] "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.uscert.gov/federal/collaboration.html>.

6.6.5 Policy Options

The stakeholders involved in policies regarding the response to cyber-attacks include large businesses, critical infrastructures, and the US government. Below are several policy options that have not been fully enacted. While several federal agencies have been funded to create systems which respond effectively to cyber-attacks, these agencies are still not established as an authoritative source for taking action against cyber-criminals. It has also been noted that the prosecution of cyber-criminals has been much more forceful against disgruntled employees than against orchestrated efforts to attack the government’s computers. Response, therefore, must work with policy options from other divisions, such as raising awareness of cyber-incidents and international cooperation.

• Policy Option 6.6.2: Apply a more concrete method of analyzing cyber-attacks, in such a way that a general audience is able to comprehend it. This will be useful in enhancing the quality of communication between the government and its citizens.

• Policy Option 6.6.3: Provide incentives for the private sector in its own attempts to secure its networks. Due to the lack of profit directly resulting from securing their cyber-space, private companies do not see the benefit in taking the initiative to prevent cyber-attacks on their own systems. If the government were to provide incentives or prominent recognition for companies that successfully work to secure themselves, the private sector would be more likely to conform to the government’s view of cyber-security.

• Policy Option 6.6.4: Attempt to increase communication not only with home users and small businesses, but also with other nations. A better response to cyber-attacks is dependent on increased communication and analysis of attack trends. Opening up an international dialogue related to cyber-attacks could prepare the US government and citizens for possible future attacks.

• Policy Option 6.6.5: Establish a network in which local police and firefighters are able to coordinate effective response systems for local cyber-attacks. For example, provide a hotline that businesses and computer users can access in case of a cyber-attack. The difficulty with this policy is finding a way to communicate in case telecommunications were disrupted as well. Perhaps the most reliable method is to create a two-way radio link between departments that could also be accessed by the heads of Information Technology departments at companies.

6.7 Policies to Promote Cyber-security Awareness and Training

The awareness and training policy priority described in the NSSC has two components: increasing all computer users’ awareness of secure computer usage, and ensuring that the IT professionals who design and maintain large computer systems receive cyber-security training. According to the NSSC, programs to address these two issues should target four stakeholder areas: home and small business users, large enterprises, critical sectors and infrastructures, and the nation as a whole.[214] While programs have been established to address concerns in each of these stakeholder areas, their level of success has been mixed.

6.7.1 Policies for Home and Small Business Users

Several government programs are in place to inform home and small business users of the security risks associated with daily computer use, and how to protect themselves against that risk. US-CERT maintains two email bulletins, one to distribute security tips and the other to distribute security alerts. The security tips inform readers of everyday security practices such as maintaining privacy on the Internet, while the security alerts “provide timely information about current security problems” so the reader can protect their “home or small business computer.”[215] However, it is not clear that any concerted efforts have been made to popularize or advertise these email bulletins, and no statistics on their subscription numbers were readily available.

[214] “Priority III.” The National Strategy to Secure Cyberspace. February 2003: 37-41. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_3.pdf>.
[215] US-CERT, National Cyber Alert System. Retrieved October 25, 2007, from US-CERT Web site: http://www.uscert.gov/referral_pg/

The Department of Homeland Security’s National Cyber Security Division organizes an annual Cyber Security Awareness Month each October, a joint effort with numerous public and private sector organizations. As part of Cyber Security Awareness Month, the N.C.S.D. sponsors several conventions, conferences and other events each day.[216] Most of the events take place at universities, and this year’s theme was “Protect Yourself Before You Connect Yourself.”[217] Also, the National Cyber Security Alliance has created Stay Safe Online, a website to inform the general public of how to use computers safely.[218] The site is extensive and includes many articles and exercises, such as a test to determine how safe a computer user is from cyber-attacks and tips for protecting a small business. The site is divided into sections targeting educators, families and children, and small businesses. It could be of great use, but it evidently has not been advertised heavily enough, as its current level of daily traffic places it outside of the one million most visited websites.[219]

• Policy Option 6.7.1: Increase advertisement funding for the federally-managed websites and email lists described above. These websites have the potential to increase public awareness, but are not receiving the traffic needed to make an impact.[220] Advertising them more vigorously would improve their public exposure.

• Policy Option 6.7.2: Create greater incentives for small businesses to inform their employees of cyber-security concerns. For example, small businesses could receive tax credits if a certain percentage of their employees subscribe to US-CERT’s e-mail bulletins or undergo an educational training course on cyber-security. Much of the Stay Safe Online website’s content could be used for such a course.

6.7.2 Policies for Large Enterprises

There are fewer federal programs designed to inform large enterprises. However, one of the largest sources of vulnerabilities in large enterprises is the Internet usage of individual employees, so some of the programs described above also apply to large enterprises. The US-CERT cyber-alert email bulletin and Cyber Security Awareness Month are two such programs.
Some companies sponsor Cyber Security Awareness Month programs to educate their employees, and in 2007 the month’s schedule included several events related to enterprise-level security, such as one forum on “Best Practices for Managing IT Security and Compliance”.[221] Recent polling data is mixed on whether enterprises are aware of the risk created by poor cyber-security. One IBM study from 2006 showed that 75 percent of corporate IT managers are wary of the risk of cyber-attacks from within the company.[222] On the other hand, a 2004 USA Today poll indicated that 40 percent of companies were not notifying anyone after a cyber-attack occurred, which indicates a lack of attention to the most basic security procedures.[223] This suggests enterprise-level awareness is an area where more federal resources are needed, because many corporate IT managers still do not fully consider the importance of cyber-security.

[216] National Cyber-Security Alliance (2007): National Cyber Security Awareness Month 2007 Calendar of Events. Retrieved October 30, 2007, from Stay Safe Online Web site: http://www.staysafeonline.org/events/index.html
[217] US-CERT (2007). October is National Cyber Security Awareness Month. Retrieved November 3, 2007, from US-CERT Web site: http://www.us-cert.gov/press_room/ncsamonth.html
[218] National Cyber Security Alliance: Stay Safe Online. Retrieved October 31, 2007, from Stay Safe Online Web site: http://www.staysafeonline.org/
[219] Traffic details for staysafeonline.info. Retrieved November 3, 2007, from Alexa: The Web Information Company Web site: http://alexa.com/data/details/traffic_details?url=staysafeonline.info
[220] Ibid.
[221] National Cyber-Security Alliance (2007): National Cyber Security Awareness Month 2007 Calendar of Events. Retrieved October 30, 2007, from Stay Safe Online Web site: http://www.staysafeonline.org/events/index.html

The priority of training IT professionals is a larger issue for enterprises than for small businesses. Many small businesses have relatively simple computer networks and are able to rely on established, industry-standard software and network technologies. Other small businesses choose to periodically call on technology consulting services to meet their IT needs. Large enterprises, on the other hand, are more likely to create their own proprietary software systems and vast, complex internal computer networks. For this reason, large enterprises are more likely to have their own in-house dedicated IT departments. Policies to encourage cyber-security training of these IT professionals are lacking and must be developed.

• Policy Option 6.7.3: Provide tax incentives for enterprises whose employees undergo an educational cyber-security course. As in the case of small businesses, this could be an effective way to increase awareness of secure computing practices among individual workers.

• Policy Option 6.7.4: Work with private industry to create a standardized set of essential skills for IT professionals in the area of cyber-security, for the purpose of creating a certification program. If such a standard were created, the IT professionals responsible for designing and maintaining companies’ internal computer systems could be trained to meet the program’s requirements and could take a test to become certified.
6.7.3 Policies for Critical Sectors and Infrastructures

Governmental attempts to increase cyber-security awareness and training within the private sector entities involved in critical infrastructure sectors have been insufficient. As described previously, the federal government has mandated completion of electronic shipping manifests in some modes of transportation (trucking), and has advertised optional submission of electronic manifests in others (shipping by water and train). However, the focus has been on increasing participation, and no attempt has been made to ensure that participating companies are aware of the added cyber-security risk.

As certain critical infrastructures have been increasingly privatized, some private corporations have formed alliances to increase training in security issues. One example is Cisco’s Critical Infrastructure Assurance Group, which trains teams of technical experts who can then assess the security of various infrastructure-related corporations.[224] However, free markets alone may not be enough to sustain these efforts; the CIAG recently announced it would scale back future research efforts and growth.[225]

[222] Messmer, Ellen (2006, March 14). IBM survey on cybercrime shows IT managers wary. Retrieved November 1, 2007, from Network World Web site: http://www.networkworld.com/news/2006/031406-ibm-surveycybercrime.html
[223] Gagnon, B. (2004). Are We Headed For a Cyber-09/11? The American Failure in Cyberstrategy. Conference Papers -- International Studies Association. Retrieved October 24, 2007, from Academic Search Premier database.

• Policy Option 6.7.5: Accompany existing efforts to encourage electronic submission of shipping manifests with efforts to encourage safe and secure handling of the electronic manifest data. An additional option to consider is an incentive program for companies that implement and document measures taken to secure electronic shipment manifests and shipment tracking systems.

• Policy Option 6.7.6: Make available and widely publicize a national database of cyber-incidents and attempted cyber-attacks on critical infrastructure components such as transportation, power, and communication systems. By increasing the public’s attention to these areas, such a database could add pressure on infrastructure companies to focus more on their own cyber-security prevention and response.

6.7.4 Policies for the Nation as a Whole

The previously mentioned public awareness policies target specific areas of concern for cyber-security awareness and training, but there are a few other programs designed to increase awareness across all sectors of the nation. One example is the National Telecommunications and Information Administration. One organization within the NTIA, Critical Infrastructure Protection, has a stated objective to “assist policy makers, industry, and consumers to become more educated about how to manage risks and protect cyberspace”.[226]

• Policy Option 6.7.7: Increase funding for university-level research of cyber-security and preparedness measures, and provide funding for universities and community colleges to create dedicated cyber-security training and research programs. This could significantly improve the training of America’s future IT workforce.
• Policy Option 6.7.8: Create a cyber-warfare threat level indicator system, possibly similar to the Department of Homeland Security’s color-coded daily threat level indicator. This sort of indicator system could be used by media outlets to help publicize the issue of cyber-security, and would increase overall awareness of the issue across all sectors.

[224] Critical Infrastructure Assurance Group Online. Retrieved November 1, 2007, from Security@Cisco Web site: http://www.cisco.com/web/about/security/security_services/ciag/index.html
[225] Heise Security (2007, October 11). Report: Cisco closes down Critical Infrastructure Assurance security research group. Retrieved November 3, 2007, from Heise Security Web site: http://www.heise-security.co.uk/news/97205
[226] NTIA: Critical Infrastructure Protection. Retrieved November 3, 2007, from NTIA Web site: http://www.ntia.doc.gov/ntiahome/infrastructure


6.8 Government Cyber-security

In addition to working nationally to secure cyberspace, the government must take the lead in securing its own networks. The federal government is responsible for a variety of critical institutions including the military, taxes and social services, emergency services, and financial and banking institutions. As keeper of the public trust, the government is required to ensure that all of its internal systems are secured from cyber-attack, and to lead the nation by example. The efforts of the federal government to secure itself from cyber-warfare can then be carried over to state and local governments, and can serve as a model for private efforts. Through recent reforms, the government has adopted a uniform policy on securing cyberspace, which is largely thorough except for a few areas.

6.8.1 Federal Level Security

In 2002, the OMB released an assessment of the relative strengths and vulnerabilities of the security of individual systems in the government. It identified six areas needing improvement: lack of senior management attention, lack of performance monitoring, poor security education and awareness, failure to integrate security into capital investment planning, lack of contractor oversight, and failure to detect and report vulnerabilities.[227] Unfortunately, these deficiencies had been identified as weaknesses for the previous six years (1996-2002) with no policy for improvement. In order to resolve these weaknesses, the OMB established federal guidelines for the oversight of individual agencies. Using a defined minimum level of security, the OMB is now able to ensure that any future IT systems have been analyzed and patched for security weaknesses, as well as track progress in fixing existing vulnerabilities. This provides a government-wide IT standard that was previously missing.[228] The current administration has sought to remedy security weaknesses primarily through funding restrictions.
Before systems can be funded by the Office of Management and Budget (OMB), the department must show that any IT weaknesses within the system have been addressed. As a result, security is a top priority for any system upgrades or investments, and a baseline of security is achieved.[229] Additionally, the lifecycle costs of security are required to be identified and integrated into submitted budgets. Failure to integrate these costs, or to remedy identified weaknesses, results in a complete rejection of the entire system upgrade.

Additional areas of concern include government wireless networks and user authentication. Wireless networks are of special concern, as they are often unsecured and easy to breach. Data transferred wirelessly can be intercepted, presenting the risk of data theft. Agencies must ensure that their networks are secured, check for any unauthorized access, and report any security breaches.[230] User authentication also presents a security threat, although one that is relatively easy to counteract.

[227] “Priority IV.” The National Strategy to Secure Cyberspace. February 2003. 30 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_4.pdf>.
[228] Ibid.
[229] Ibid.

• Policy Option 6.8.1: Mandate user password complexity and frequent password changes, logouts after a short period of inactivity, and secondary identification (in the form of ID cards required to run the computer).

6.8.2 Agency Level Security

Although the OMB has established a baseline for monitoring and grading IT threats and vulnerabilities across the government, it is vital to have a process for each agency to reach the desired level of security. Agencies must document and define their system structure, continuously assess threats and vulnerabilities, enact security controls, and install any security patches.

The first step, identifying and documenting the system structure, primarily assesses the security of each agency. This includes the current status of all parts of the system and their security level, as well as any interaction with other agencies in the government. This inventory and assessment of system processes as a whole offers a view of the current state of government security. The agencies will then receive funding to remedy any weaknesses as well as to bring the entire government system up to a baseline level. Additionally, updated systems can allow IT personnel to easily modify and secure computers agency-wide.[231]

Secondly, each agency must stay aware of any new threats or vulnerabilities in their systems. Through auditing systems, each agency will monitor computer usage and determine the effectiveness of control mechanisms, such as restricted website access. Additionally, the control mechanism will allow the agency to update the security of its systems as threats are identified by the federal government. Through measuring the effectiveness of the security systems as well as centralized control over updates and patches, agencies can work to meet government-wide standards for security.
Finally, the agencies must implement the results of any findings they might have. Security patches must be installed, as many viruses exploit known programming flaws for which fixes are often already available. Through control systems, risk can be widely mitigated, and with constant assessment of existing programs as well as future programs, vulnerabilities can be remedied.

• Policy Option 6.8.2: IT departments should be required to submit system structure documents detailing the systems used throughout their agency. Departments should institute a government-wide Internet control program to restrict access to potentially threatening websites. Additionally, they must show prompt response and 100% implementation of security patches for their systems.

[230] Ibid.
[231] Ibid.


Following the discussion of the vulnerabilities in the FAA, there is a pair of policy options specific to the FAA that could also form a model for other government agencies.

• Policy Option 6.8.3: Mandate that the future development of the FAA's air traffic control system continue to favor decentralized, redundant regional control centers. This will ensure that it remains impractical for a cyber-attack to disable the air traffic system on a nationwide level. One possibility is to make backup computer systems run in parallel with the main systems, but with a different implementation (e.g. a different hardware configuration or operating system), so that a vulnerability exploited on the main system may not affect the backup.

• Policy Option 6.8.4: Require that the FAA (or other government agencies) limit outside IT contractors' access to the computer systems they are directly involved with. As discussed previously in Section 3.4.3.2, contractors are currently given full access to systems that are not relevant to their work assignments. This simple measure would limit the risk of an outside contractor inserting malicious code into the agency's computer systems, and remove one vulnerability from the air traffic control system.

6.8.3 Areas for Improvement

Although the preceding sections of government policy are adequate to address security issues, there are two main areas in need of improvement. First is the oversight and security of contractors, an issue identified by the OMB. Second is the lack of a uniform testing procedure. Many skeptics of cyber-warfare suggest that the knowledge needed to penetrate systems and wreak havoc is so advanced that only those inside an agency could perpetrate an attack. However, these skeptics fail to realize that a significant portion of cyber-attacks come from within an organization.
Due to the nature of the government and the costs of labor, large chunks of work are outsourced to contractors or depend upon private corporations for security solutions. Currently there is no effective plan for oversight of government contractors, and little attention or support is given to IT fields by management. The government needs to establish a procedure to evaluate outside contractors to ensure quality and secure technical assistance, or hire professionals for in-house IT departments. Additionally, government agencies need to work together to exercise their buying power to leverage companies into producing more secure products, and as a result raise security standards in private industry.

The government also needs to put a larger emphasis on testing the security of its systems. Although the military has identified the need for actual testing, the current national policy lacks procedures for this type of testing. Returning to historical examples of data theft like Eligible Receiver, the government needs to hire ‘red teams’ from the NSA and private companies to deliberately test and break agency security systems. Without these unique and realistic tests, IT departments can overlook security openings that could lead to a significant cyber incident. However, the government must be cautious to ensure that any ‘red team’ personnel meet security standards and do not use their knowledge against the government.

• Policy Option 6.8.5: Use best-value evaluations when selecting outside contractors. The OMB should establish which IT contractors present the best services, and encourage agencies to select the best contractor and not the lowest bid. Additionally, the OMB could establish a certification system for IT contractors to complete and show minimum proficiency.

• Policy Option 6.8.6: Require regular ‘red team’ testing of any agency or private corporation that is connected to the government network. The ‘red team’ should be a multi-agency force that has regular turnover to ensure new ideas are constantly applied in security testing.

6.9 US and International Cyber-warfare Collaboration

Over the past decade, international cyber-warfare has become an increasingly prominent subject as attempted attacks on economic and social infrastructures continue to occur. One of the first recorded attempts at international cyber-warfare happened in June of 1999, when a group that called themselves “J18” urged people all over the world to plan individual actions that focused on disrupting “financial centers, banking districts and multinational corporate power bases.” The group planned for the actions to coincide with the G8 convention in Cologne, Germany, and suggested that its followers either march through the streets or hack into computer systems in protest of capitalism. The group attracted teams of hackers from Indonesia, Israel, Germany, and Canada that eventually attacked at least 20 companies’ computers, including both the Stock Exchange and Barclays. By the end of the protests, more than 10,000 cyber-attacks had been recorded over a 5-hour period.232

With America highly interconnected with the rest of the world, we must be prepared to prevent and respond to any international cyber-attack in an effective manner. This response, however, is complicated by the difficulty of distinguishing between cyber-warfare, terrorism, and crime, and of determining appropriate responses across foreign borders. Systems supporting our national defense, intelligence community, and critical infrastructures “must be secure, reliable, and resilient – able to withstand attack regardless of the origin of attack.”233 Therefore, America’s policy should focus on securing our own systems from international attacks, and on developing a cyber-warfare policy between ourselves and other nations.

232 Denning, Dorothy. "Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy." Internet and International Systems. December 1999: 101-120. 28 Oct. 2007 <http://www.nautilus.org/gps/info-policy/workshop/papers/denning.html>
233 “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 49. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>

6.9.1 United States National Security Policies

America should be concerned with two distinct forms of cyber-warfare: espionage and attacks on infrastructure. In the former, nations or terrorist groups may attempt, during peacetime, to steal crucial documents from the government, private companies, and university research centers about information systems and key target locations, as well as “lace our infrastructure with ‘back doors’ and other means of access” designed for future use.234 On the other end of the spectrum, during wartime our adversaries could attack critical infrastructures in order to intimidate the public and erode its confidence in information systems.235 They could also attack the Department of Defense (DoD) and the intelligence community in an attempt to slow the U.S. military response. Because of this wide range of possible attacks, the U.S. government has stated that it must be able to protect infrastructures that are considered “national security assets.” It also believes that we must develop the capability to quickly identify attackers.236 The following outlines the policies needed to fulfill these goals.
6.9.1.1 Securing the Nation’s Cyberspace

One of the largest problems that our nation faces today in attempting to secure cyberspace is the data mining and intelligence collection directed against the United States government, critical infrastructure companies, and educational research facilities. To date, almost no true counterintelligence technologies have been developed. Therefore, the United States must first work to better understand our enemies’ capabilities, so that the FBI and intelligence community will in turn be able to develop and implement stronger forms of counterintelligence.237

In addition to working with underdeveloped counterintelligence abilities, the Department of Defense, intelligence community, and law enforcement agencies are unable to quickly trace the source of a cyber-attack, assuming that the person or group can be traced at all. Therefore, the government should work to promote better attribution technologies so that the previously listed groups are able to easily and quickly identify the culprit and take action if necessary. Preventative techniques are also lacking and must be better developed in order to protect critical systems and infrastructures.238

Although the DHS has created several agencies for incident reporting and interagency communication, reports of cyber-attacks still fail to reach the proper agencies. Therefore, the United States must develop a better network and system for distributing reported incidents throughout the various defense, law enforcement, and national security agencies depending on the nature of the cyber-attack. The National Security Council and the Office of Homeland Security are leading research to ensure that the proper technologies and procedures are in place so that these attack reports can easily be distributed to the proper agency.239

234 “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 50. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
235 Ibid.
236 Ibid.
237 Ibid.
238 “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 50. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
239 Ibid.

6.9.2 United States International Policies

Not only must America work towards improving our own security and detection systems, but it will also need to work with nations all over the world in order to secure the global cyberspace and economy. To date, relatively little has been done to globally advance the idea that all nations should work together to secure our world market. The policies and general plans to accomplish international security are outlined below:

6.9.2.1 Utilize International Organizations to Promote a Global “Culture of Security”

Because our nation’s infrastructure is directly linked with Asia, Canada, Europe, Mexico, and South America, the United States has a vested interest in securing global cyberspace. The global economy increasingly depends on the vast information networks that connect markets and multinational corporations. Because the world is becoming so interconnected, America needs to push for a global “culture of security” in order to protect every nation’s international economy. Countries must work together toward this goal, because “the vast majority of cyber-attacks originates or passes through systems abroad, crosses several borders, and requires international investigative cooperation to be stopped.”240 Because of the international participation needed to fulfill this goal, the United States is determined to work with other nations to help raise awareness, share ideas and defense technologies, and prosecute all who engage in cyber-crimes in order to maintain the highest level of integrity within global information networks.

Up to this point in American cyber-warfare policy, the government has worked with public international organizations such as the Organization of Economic Cooperation and Development (OECD), the G-8, the Asia Pacific Economic Cooperation forum (APEC), and the Organization of American States (OAS). The government has also worked with organizations that help coordination within the private sector, such as the Transatlantic Business Dialogue.241
6.9.2.2 Develop Secure Networks

In order to develop secure networks, the United States urges that international technical standards for these systems be developed and adopted so that every nation has a base level of security. In turn, this baseline would make the entire global market and information systems more secure. The government will also facilitate collaboration and research between the world’s top scientists and researchers. Additionally, the government will encourage American industries to engage with their foreign counterparts in an attempt to both make a business case for cyber-security and develop a plan for successful partnerships with governments.242
240 “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 51. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
241 “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 51. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
242 Ibid.

6.9.2.3 Promote North American Cyberspace Security

Although global cyber-security is a high priority in this field, the United States must first secure North American cyber-assets before focusing on the rest of the world. Therefore, the government should look to cooperate with Canada and Mexico in order to form a strong “Safe Cyber Zone.” This zone will be accomplished by identifying all networks that the three countries share and solving the security issues that exist between the borders.243 In turn, the “Safe Cyber Zone” will provide for a strong defense system no matter where an attack originates.
6.9.2.4 Establish International Network of Agencies for Information Relay

The United States encourages all nations to appoint a single organization that will inform governments and the public all over the world of cyber-attacks or viruses. The U.S. government also calls for larger organizations, such as the European Union, to create information hierarchies. By creating such a network, the increased amount of information being shared about these attacks will make defense research easier. Another way in which an international communications network could improve both defense and defense research would be for each country to develop a system that automatically informs its government agencies, the public, and other nations about impending cyber-attacks or viruses.244
6.9.2.5 Encourage Other Nations to Follow the Council of Europe Convention on Cyber-crime

The United States has signed and put into effect the Council of Europe Convention on Cybercrime (described below), and encourages other nations to both sign and abide by the treaty, in turn helping other nations find and prosecute criminal offenders.245

6.9.3 International Cyber-security Collaboration

In November of 2001, the Council of Europe held the Convention on Cyber-crime, in which a treaty was completed and signed by 39 European countries, as well as Canada, Japan, South Africa, and the United States. The treaty establishes that all countries party to the collaboration will work together to help investigate any cyber-crime that may be coming from their respective countries, similar to the American policy outlined above. This can be seen in the treaty where it says, “Believing that an effective fight against cyber-crime requires increased, rapid and well-functioning international co-operation in criminal matters.”246 The treaty continues this idea of cooperation by establishing the idea that legitimate interests in information technologies should be protected when cooperating with other nation states. In other words, all nations should respect the distinction between private and public information, allowing defense companies who are developing new cyber-warfare technologies the opportunity to succeed by selling their products instead of having the information leaked to the public. The United States initially signed this document in November of 2001, when it was first written. However, it has only been ratified and put into effect within the past year.247 Therefore, the government should strive to use and enforce the policies agreed upon in the document so that both global cyber-security and the international prosecution of criminals improve.

243 “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 51. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
244 Ibid.
245 Ibid.
246 Convention on Cybercrime. Council of Europe. 23 Nov. 2001 <http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG>

6.9.4 International Policies

Although no explicit cyber-warfare policies have been found for other nations, we have an idea of how some view the use of the internet as a weapon. Some countries, such as the United Kingdom and Germany, hold views relatively similar to those of the United States. However, the views of others, such as Russia and China, differ from our nation’s policies in retaliation efforts and future military practices, respectively.
6.9.4.1 United Kingdom

The United Kingdom has very similar views to the United States in regard to cyber-warfare policy. They believe cyber-warfare to be actions that affect others’ information systems in support of national objectives. Also included in their definition of cyber-warfare is the defense of one’s own infrastructure and systems via the internet. The UK is even a step ahead of the United States government in the sense that it is using an existing legal framework that it believes can be applied to cyberspace attacks. In other words, the British are now treating any cyber-attack on a person or company as a crime that is prosecutable if the culprit is found. In order to help find attackers, the Regulation of Investigatory Powers Act 2000 (RIP) was created to allow the government to intercept and read e-mail, as well as force someone to decrypt personal files. The British believe that this will help “combat the threat posed by rising criminal use of strong encryption,” and have even promised that the program will not get out of hand, due to an independent overseer of the powers under RIP.248
6.9.4.2 Germany

In general, the German perspective on cyber-warfare policy is similar to that of the United States and the United Kingdom. However, the Germans do have a couple of ideas that differ from American policy. The first considers the management of the media as “an element of information warfare.” This means that if anyone were to try to control any form of German media, it would be seen as an act of war against the country. Also, due to a reported case of industrial espionage by the French that cost the German economy significant losses, their government is considering the use of economic cyber-warfare as a means of keeping enemies on a level playing field.249 This does not mean, however, that they intend to use this as an offensive measure. Instead, it would simply be used while in conflict with another nation as a way to help end the dispute.

247 Ibid.
248 <http://www.fas.org/irp/crs/RL30735.pdf>
6.9.4.3 Russia

The Russian view of cyber-warfare is drastically different from that of the American government. In fact, many Russians argue that cyber-warfare is the second most dangerous form of attack, the first being a nuclear attack:

    From a military point of view, the use of Information Warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict whether there were casualties or not . . . considering the possible catastrophic use of strategic information warfare means by an enemy, whether on economic or state command and control systems, or on the combat potential of the armed forces . . . Russia retains the right to use nuclear weapons first against the means and forces of information warfare, and then against the aggressor state itself.250

They also believe that the goal for “competing sides” is to gain complete control of the other’s information systems, decision-making processes, and even populace.251 Some Russians have even said that computer viruses can be used as “powerful force multipliers” when in conflict with another entity. All of this shows the dire need for international cooperation in securing the global infrastructure and economy. If Russia successfully took out another country’s critical infrastructure or banking systems, that country would be effectively destroyed, not to mention the effect it would have on the global economy. Therefore, the American government must follow through with the International Cyber-security Collaboration (Sec. 6.9.3) and lead the way in developing strong defense capabilities for the entire world. An international treaty could also be constructed to lay out rules of engagement in regard to cyber-warfare. However, it must be noted that Russia has also enacted laws against any form of cyber-attack and has made its intentions clear that an aggressor will be investigated and prosecuted. Because its government has made these laws, Russian comments about nuclear retaliation can perhaps be seen as mere threats, but they must still be heeded, and international cyber-security must be increased.

249 Hildreth, Steven A. “Cyberwarfare.” CRS Report for Congress. June 19, 2000. <http://www.fas.org/irp/crs/RL30735.pdf>.
250 Ibid.
251 Grau, Lester W., and Timothy L. Thomas. “A Russian View of Future War: Theory and Direction.” The Journal of Slavic Military Studies. Issue 9.3 (Sept. 1996), pp. 501-518.

6.9.4.4 People’s Republic of China

China is another country that demonstrates the need for international collaboration in defending our cyberspace. Over the past decade, its military has aggressively developed cyber-warfare technologies and has incorporated these technologies into its military organization, doctrine, and training. The large push towards information warfare stems from the country’s indigenous modern and ancient concepts of how to conduct war, the People’s War concept and the 36 Stratagems, respectively. Their warfare is based around “deception, knowledge-style war, and seeking asymmetrical advantages over an adversary.”252 Because of the Chinese theories on gaining lop-sided advantages, the international need for cyber-defense is even more apparent. If China were to attack a weaker country with limited cyber-security, it would potentially be able to take over every aspect of that country’s infrastructure, similar to Russia’s attack on Estonia. The Chinese have also been pursuing the idea of a Net Force that would consist of thousands of computer professionals who have all been trained at various universities and training facilities. It has also been reported that several large-scale cyber-training seminars have been held since 1997.253 Due to China’s obvious efforts to gain military dominance through cyber-warfare, the United States military should begin to contract its own computer experts in order to develop the technologies needed to protect both our allies and ourselves against any attacks, no matter the source.

6.10 Military Policy
As the global balance of power continues to shift, it is crucial that the United States military stay ahead of foreign powers, especially in the area of cyber dominance. Although cyber dominance includes electronic warfare, this policy analysis will be limited primarily to cyber-warfare.

6.10.1 Current Military Cyber Units

Although cyber threats have existed for most of a decade, the military has been slow to respond in the form of specific military units designated to respond to the growing arena of cyber-warfare. Initially cyber-warfare was lumped under Space Command, but as of 2007 the 8th Air Force was designated Cyber Command, an independent command charged with compiling the resources and personnel required for the new theatre of war. The new mission of the Air Force, as stated by Secretary of the Air Force Michael W. Wynne, is to “fly and fight in air, space, and cyberspace.”254

252 Hildreth, Steven A. “Cyberwarfare.” CRS Report for Congress. June 19, 2000. <http://www.fas.org/irp/crs/RL30735.pdf>.
253 Ibid.
254 Wilson, Clay (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues.” 30 October, 2007 <http://stinet.dtic.mil/cgibin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>

Before delving into policy recommendations for the military, it is important to briefly describe the current divisions of cyber-warfare in existence. Cyber-warfare is grouped under the large umbrella of Information Operations (IO), which is any action designed to disrupt enemy information systems while protecting one’s own. Sub-groups include Psychological Operations, Military Deception, Operational Security, Computer Network Operations, and Electronic Warfare. While all groups deal with the electromagnetic spectrum, Computer Network Operations (CNO) is the group specifically tasked with cyber-warfare.255 Under CNO are three main components: Computer Network Defense (CND), Computer Network Exploitation (CNE), and Computer Network Attack (CNA). CND’s mission is to defend network systems against disruption, intrusion, or destruction. Additionally, CND monitors aggressive activity and intrusions, which it attempts to prevent through passive measures such as firewalls or more aggressive actions such as determining enemy capability before an adversary can attack the military system. CNE is an emerging section that tries to penetrate enemy systems to determine vulnerabilities in order to plan strategy against various enemy targets. Lastly is CNA, which uses digital signals to enter and control or destroy enemy computer systems.

6.10.2 Military Uses of Cyber-warfare

To date, there are no known cyber-attacks perpetrated by the US military. However, the military has debated using cyber-warfare in the most recent military actions, Kosovo and Operation Iraqi Freedom. In both cases the military had defined plans for attack, but was worried about the potential side effects of the attack as well as rights violations under the Geneva accords, specifically the restriction against targeting civilian populations.
There was concern, especially in Iraq, that using cyber-attacks could cause cascading failures that would destroy the economic systems of the country and hurt the population. Iraq’s banking system was connected to Europe, while internal military and civilian systems were closely integrated. US officials ultimately decided against cyber-attacks because of the inability to target only the Iraqi military without hurting both Iraqi civilians and Europeans.256 Although there is no evidence of cyber-attacks in Kosovo, there appears to have been a cyber tactic used against Serbian air defense systems, although exactly what the attack was is still uncertain.257

6.10.3 Future of Cyber-warfare in the Military

As both civilian populations and foreign militaries become increasingly reliant upon technology, the military will play an increasing role in national defense and begin to integrate offensive operations into global strategy. To that end, the military should undertake or further develop four areas: creating national defense strategies against foreign nations, continuing to expand cyber units and cyber education, involving the private sector in development and research, and continuing to develop offensive capabilities using cyber-warfare.
255 Ibid.
256 Ibid.
257 “Cyber-war!” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/arquilla.html>

Since the end of the nineteenth century our nation has developed military strategies for various nations in case of the outbreak of war. As we move into the cyber-age, we must integrate cyber-attacks into the national strategy, but also be wary of foreign cyber-attacks. Just as every country requires different physical military responses, various nations will require more sophisticated strategies that avoid the cascading damage that could result from a poorly managed attack. Although China appears to be our greatest adversary, the military cannot be short-sighted and fail to examine the capabilities of other nations as well as terrorist groups.

As the role of cyber-warfare grows in national planning, the military needs to grow in personnel. As previously mentioned, this year saw the formation of a Cyber Command, as well as the introduction of new job codes specifically for cyber units in the Air Force.258 These job codes create a specific cyber job title, with the airmen working on cyber activities for the entirety of their careers. This will not only provide a dedicated job force, but also increase the education and ability in the command. Additionally, the military has increased efforts in cyber education. The Air Force offers a ten-week cyber boot camp for officer candidates as well as civilian university students that focuses on both the means of cyber-attacks and the legal and political issues regarding cyber-warfare. The Department of Homeland Security and National Science Fund are sponsoring two-year scholarships for students in cyber-warfare on the condition that recipients must then work with a government agency for two years following graduation. Due to the cyber boot camp, Syracuse University has begun to offer courses in cyber defense in local high schools. Over 148 high schools in the Northeast have cyber classes that offer college credits if successfully completed.259 Since 2000, small groups of cadets at West Point, the Naval Academy, and the Air Force Academy have built small networks that were then tested and broken by NSA hackers.260 While these steps are beneficial, education must be further expanded in the coming years.

Although the military has made great strides in recent years in identifying the threat of cyber-warfare, it is still in the beginning stages of offensive cyber capabilities. Cyber-attacks were not used in previous engagements in part because of the uncertainty of the potential effects of those attacks. Rather than developing cyber capabilities similar to a cluster bomb, the military needs precision offensive capabilities to attack specific targets with low risk of civilian damage. A clear contrast can be made in regard to the first Gulf War. During the course of our bombing campaign, the US military targeted both water treatment plants and key electrical infrastructure as part of the strategy to force Iraq out of Kuwait. Following the war, the lack of a functioning sanitation system led to 110,000 civilian deaths, compared to 3,500 deaths during the course of the war. With the right technology, the US military could instead have disrupted and destroyed the plants electronically to achieve the same military objectives. However, the cyber damage could be such that simple repairs could restore the systems and prevent the mass loss of life.

258 Shane, Leo III (2007). “AF Taking Careers into Cyberspace.” 30 October, 2007 <http://www.military.com/features/0,15240,152400,00.html?wh=benefits>
259 Wilson, Clay (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues.” 30 October, 2007 <http://stinet.dtic.mil/cgibin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>
260 Krebs, Brian (2003). “Cyber War Games Tests Future Troops.” Washington Post. 30 October, 2007 <http://www.washingtonpost.com/ac2/wp-dyn/A21871-2003Apr23>

In the endeavor to further develop cyber tools, the military has begun to seek outside help in both development and testing. Earlier in the year both the Air Force and Army solicited assistance from the computer industry in developing offensive capabilities.261 Currently the Pentagon is regularly tested by NSA ‘red teams’ for security holes, a job that could also be given to outside contractors who may take a different tack and thereby reveal other potential weaknesses. Defensive capabilities are necessary to protect the nation, and it is vital for future military operations to further develop offensive capabilities and integrate cyber-attacks as key tools in combat.

• Policy Option 6.10.1: Continue to integrate cyber-warfare into national strategic planning, especially in the areas of growing the military and creating or redefining the mission of the military. This would include increasing the number of units dedicated to cyber-warfare, and expansion throughout the cyber domain.

• Policy Option 6.10.2: Increase funding for cyber education, both in the civilian and government sectors. Expanding cyber-warfare training in the military would result in more effective troops, and the civilian sector could offer outside aid and ideas for the military.

• Policy Option 6.10.3: Develop specific national strategies for the use of cyber-warfare, both offensively and defensively, against nations and terrorist organizations. These policies should focus on the capabilities of foreign powers, as well as specific technologies that could exploit enemy defenses or thwart their offensive capabilities. Any technology discussed in these reports should be fully researched to achieve its maximum effect.

6.10.4 Policy Questions

While the military seeks to improve its defensive capabilities, there are significant policy restrictions that hamper effective cyber operations.
In March of this year Marine Gen. James Cartwright, commander of the Strategic Command, told the House Armed Services Committee that the nation needed more than passive defensive measures in regard to cyber-warfare. He commented that although the military was positioned to prevent lower-level hacking, focusing on network defenses amounts to little more than a modern Maginot Line. Instead, Gen. Cartwright asked Congress to help solve the technical and legal international issues that restrict the military’s cyber capabilities.262
261 Brewin, Bob (2007). “Army, Air Force seek to go on offensive in cyber war.” 30 October, 2007 <http://www.govexec.com/story_page.cfm?filepath=/dailyfed/0607/061307bb1.htm>
262 “Statement of General James E. Cartwright, Commander, United States Strategic Command, before the House Armed Services Committee on United States Strategic Command, 21 March 2007.” 30 October, 2007 <http://armedservices.house.gov/pdfs/FC032107/Cartwright_Testimony032007.pdf>

Essentially, the United States is unable to conduct any cyber actions legally without foreign cooperation. The investigation into the source of cyber-attacks such as Titan Rain is stalled due to Chinese refusal to cooperate with investigations. Through vigilante-type assistance, the government has civilians who try to work outside of the legal framework to monitor and track foreign hackers, and they even managed to trace the Titan Rain hackers to a specific router in China. However, without international agreements or cooperation, the investigative trail is cut off.263 Additionally, there is the potential for US cyber-activity to create an international incident similar to other intelligence activities. What would the ramifications be if military monitoring or hacking were detected and proven by China or another antagonistic government? A more interesting question is what the response from an allied nation would be if we were monitoring them as well. Also, where is the line beyond which a cyber activity violates the Law of Armed Conflict against another nation? Other questions include the appropriate response to an internal, civilian attack, as well as the possibility of using a neutral party to route cyber activity.264 Although there is not a clear answer to these questions, they are policy issues that should be discussed both in Congress and abroad as an international community. As new weapons have come onto the scene, international cooperation has determined the effectiveness and appropriateness of these weapons, and banned cruel and inhumane weapons. Unfortunately, it usually requires a war or widespread use of a technology before policy is adopted. But can we afford to allow a debilitating cyber-attack before we determine international standards for action?

• Policy Option 6.10.4: Establish an international convention regarding cyber-warfare, possibly through the United Nations. Work to establish a legal framework for the tracking and use of cyber-attacks, as well as classifications of cyber-attacks. From these classifications (military, terrorist, criminal, etc.), establish protocols for international sanction (if necessary) and rules of engagement or retribution.

Cyber-warfare is the next battlefield, one that the military has acknowledged and is starting to include in both defensive and offensive planning. The military must advance both offensive and defensive operations, and develop a culture that acknowledges the use and effectiveness of cyber-attacks, as well as their potential for widespread destruction. Increased education programs and cooperation with the public sector will bring the best and the brightest to turn a potential weakness into another area of US dominance.

263 Thornburgh, Nathan (2005). “The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them).” Time. Accessed 30 October 2007. <http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html>

264 Wilson, Clay (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues.” Accessed 30 October 2007. <http://stinet.dtic.mil/cgibin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>


7 Conclusion

7.1 Is Cyber-warfare a Threat?

This assessment began with the hypothetical scenario of Chicago being permanently evacuated due to nuclear radiation and the Mississippi River being contaminated with sewage. Clearly this is the worst-case cyber-warfare scenario, not the most realistic one. However, the vulnerabilities discussed throughout the paper show that the scenario's individual components are within the realm of possibility.

As a nation, should we be concerned about cyber-attacks? It is known that cyber-attackers could compromise elements of our critical infrastructure and steal sensitive government data, and foreign nations are preparing for a cyber-war that could disable entire military units. On the other hand, the actual effects of many of these cyber-attacks are limited in scope: the data stolen to date has not been classified information, aircraft can be flown without catastrophe even without guidance from air traffic control networks, and many economic and social consequences are short-term in nature. Successful large-scale attacks on the power sector could be extremely costly, but may not be feasible in the near future.

So can we dismiss these threats, or should we make them a high national priority? Ultimately, the answer is mixed. Our vulnerability to cyber-attacks is clear, especially since the means of attack are so readily accessible. Increasing reliance on computer systems will only expand that vulnerability, especially in areas such as the military that are not yet fully dependent on networked systems. However, this vulnerability does not translate into the doomsday scenarios that many suggest. At present, a large-scale cyber-attack would almost certainly be part of a larger conventional attack, in which the cyber component would simply make an already catastrophic event worse. We are threatened as a nation, but we do not yet have a crisis on our hands, and a future crisis can be prevented by taking wise policy steps now. With better implementation of established cyber-security practices, along with proactive research and development, we can reduce the glaring weaknesses in our cyber-defense and mitigate the vast majority of cyber threats.

7.2 The Way Forward

Action must be taken to counter the current and future threat of cyber-warfare. The federal government should continue to advance the broad policy objectives outlined in the NSSC, and additional measures should be enacted to fill the gaps that have become evident in current policy. We have compiled our suggested “best policies” to fill these gaps.

7.2.1 What Can Be Done Now

Our research has shown that there are no significant barriers to keep the United States Government from implementing the following policies and actions immediately:

• Create more severe standards for sentencing convicted cyber-criminals.
• Increase federal funding for the US-CERT bulletin and Stay Safe Online, specifically for the marketing initiatives that inform the general public.
• Require the IT departments of government agencies to document the structure of their computer systems and their installation of security patches.
• Expand cyber-warfare training within the military and at universities to make our Armed Forces more skilled in cyber-warfare tactics.

7.2.2 Policies for the Near Future

The following policies and actions should be given immediate consideration, but will take some time to develop. Our suggested timeline for implementing them is two to five years:

• Create a uniform cyber-security licensure and certification process, which could help ensure the proper level of training for IT professionals.
• Create a uniform cyber-security testing procedure for federal agencies and contractors that is able to evolve continually with new challenges. Creating a federal “red team” of security testers that periodically tests government computer systems for cyber-security vulnerabilities would help this procedure evolve.
• Enact policies to encourage other nations to prevent cyber-attacks from originating within their borders.
• Work with other nations to adopt a set of international cyber-security standards, to ensure all international computer systems have a minimum level of security. One starting point for a global cyber-security policy could be a regional North American cyberspace “safe zone,” in which the U.S. would work with Canada and Mexico to solve mutual cyber-security issues.
• Integrate policies related to cyber-warfare tactics into national strategic planning and any future discussions of redefining the military's mission.
• Create a legally binding set of security requirements for software and hardware. Such a law would need to be abstract enough to accommodate the evolving nature of threats, and should balance added security against added costs.


7.2.3 Future Research

The following policies and actions will need extensive research and time before they are implemented. A general timeframe for putting them into practice would be approximately ten years:

• Establish a widely accepted international treaty or agreement to create a global cyber-security policy, a framework for interagency cooperation and legal response, and an international network of agencies for sharing information.
• Establish a cyber-warfare equivalent of the Geneva Convention to set rules for military use of cyber-warfare tactics.

7.2.4 Conclusion

These “best policies” are a framework based on our research that must be developed further. Special attention should be paid to increasing overall awareness of the issue of cyber-warfare. This would increase the emphasis placed on cyber-security in both the private and public sectors, including international corporations. Increased awareness could stimulate research and development, spread concern for cyber-security from IT departments to boardrooms, and help the private sector understand that stronger cyber-security measures are a financially sound undertaking. However, the government must balance regulation and legal enforcement of the private sector's cyber-security against the economic costs that would result. One balanced option is to use financial incentives to encourage change. Although there is never an impenetrable defense, the United States can greatly limit the threat of cyber-warfare over time with more robust cyber-security policies that are able to adapt and evolve with the changing times.


8 Appendix


8.1 Policy Options

Below are the assembled policy options outlined in the report.

• Policy Option 6.5.1: Require by law that all computers be secured in specific ways. A policy that demands all systems be secured is a tempting idea, but carries with it many consequences. Explicitly defining which cyber-security precautions must be taken increases government encroachment on individuals and, if worded improperly, could actually make computers less secure. Diversity is an important part of system protection; a law demanding specific security precautions might eliminate it, giving attackers more potential targets. A law requiring security precautions would need to be worded in abstract terms to allow for the diverse systems that currently exist. Specific security measures required by law might raise the cost of computers and reduce the performance of the technology. Defining a bare minimum of precautions might also lead to fewer systems protecting themselves beyond that minimum. It may be possible to create a law that requires certain precautions with minimal negative side effects and reduces vulnerability, but such a law would have to be crafted very carefully.

• Policy Option 6.5.2: Change the policies about liability for software makers and/or system administrators. A policy might be drafted that holds system administrators responsible for damage caused by their systems. Such a law would give administrators a larger motivation to secure their systems so that attackers could not commandeer them to execute attacks. In a way, administrators are already responsible for their systems, because security breaches on their watch tend to hurt their careers, so the necessity of this policy is debatable. Changes in liability rules would increase the stress on those with increased responsibility, possibly raise the cost of their services, and reduce the number of people willing to take on the risk of protecting networks. In some limited cases, changes in liability rules might be more appropriate than in others. For example, administrators responsible for networks controlling critical infrastructure, or connected to extremely high-capacity Internet links, might deserve more legal motivation to secure their systems than owners of personal computers. Applying new liability to software developers would slow down the development process and increase its cost. Software prices would rise to offset the legal costs of the new liabilities, while programmers would be under legal pressure to secure their products, possibly at the expense of performance. The private sector already has motivation to secure its products, but perhaps is not as concerned as it should be that flaws in one system can be used to damage the systems of others. Some software security failures may be more appropriate to hold developers responsible for than others; it may be possible to adjust liability rules in ways that improve security with minimal impact on the cost and performance of software. Imported software and outsourced developers would also have to be taken into consideration in any policy about the liability of software developers.

• Policy Option 6.5.3: Create programs to approve security products and personnel. Institutions exist for the licensure of many different professionals and the approval of many different products; similar institutions might be created to address cyber-attack possibilities. Policy makers can expect debates over whether government or the private sector can better provide cyber-security approval services. A compulsory form of certification may be helpful, since current methods of approving software and personnel for security still allow false products and charlatan professionals to exist. A government approval process for allowing individuals to practice securing systems would have to be carefully crafted by experts to ensure that certified individuals are qualified for their positions. Creating new institutions would be costly, and defining the specific software packages and personnel under their jurisdiction would be difficult, but having more qualified security personnel and higher-quality defense products would be helpful.

• Policy Option 6.5.4: Federally demand a minimum level of security for critical infrastructure systems. In 2001, the Energy Information Security program was created in an attempt to develop better defense technologies for our nation's critical infrastructures. Because of the difficulty of, and the time needed for, installing these technologies, many companies have not kept their systems up to date. Since these systems are not properly secured, even the “secured” infrastructure companies are left vulnerable to attack simply by being connected to the same network as the unprotected companies. Therefore, the minimum level of security for our nation's infrastructure must be federally regulated so that the United States' power utilities, water lines, communication systems, and emergency response will not fail due to a “weak link” in their network connections.
• Policy Option 6.6.1: Create a more forceful and concentrated effort to prosecute cyber-criminals to the full extent of the damage they caused. It is dangerous to allow criminals who have caused millions of dollars in damage to access computer systems again after only a few years of imprisonment. Additionally, minimum and maximum sentences need to be increased to reflect the widespread damage caused by cyber-attacks.

• Policy Option 6.6.2: Apply a more concrete method of analyzing cyber-attacks, in such a way that a general audience is able to comprehend it. This will be useful in enhancing the quality of communication between the government and its citizens.

• Policy Option 6.6.3: Allow incentives for the private sector in its own attempts to secure its networks. Because securing their cyber-space produces no direct profit, private companies do not see the benefit in taking the initiative to prevent cyber-attacks on their own systems. If the government were to provide incentives or prominent recognition to companies that successfully work to secure themselves, the private sector would be more likely to conform to the government's view of cyber-security.

• Policy Option 6.6.4: Attempt to increase communication not only with home users and small businesses, but also with other nations. A better response to cyber-attacks depends on increased communication and analysis of attack trends. Opening an international dialogue on cyber-attacks could prepare the US government and citizens for possible future attacks.

• Policy Option 6.6.5: Establish a network in which local police and firefighters are able to coordinate effective response systems for local cyber-attacks. For example, provide a hotline that businesses and computer users can call in case of a cyber-attack. The difficulty with this policy is finding a way to communicate if telecommunications were disrupted as well. Perhaps the most reliable method is a two-way radio link between departments that heads of corporate Information Technology departments could also access.

• Policy Option 6.7.1: Increase advertising funding for the federally managed websites and email lists described above. These websites have the potential to increase public awareness, but are not receiving the traffic needed to make an impact. Advertising them more vigorously would improve their public exposure.

• Policy Option 6.7.2: Create greater incentives for small businesses to inform their employees of cyber-security concerns. For example, small businesses could receive tax credits if a certain percentage of their employees subscribe to US-CERT's e-mail

• Policy Option 6.7.3: Provide tax incentives for enterprises whose employees undergo an educational cyber-security course. As in the case of small businesses, this could be an effective way to increase awareness of secure computing practices among individual workers.

• Policy Option 6.7.4: Work with private industry to create a standardized set of essential cyber-security skills for IT professionals, for the purpose of creating a certification program. If such a standard were created, the IT professionals responsible for designing and maintaining companies' internal computer systems

• Policy Option 6.7.5: Accompany existing efforts to encourage electronic submission of shipping manifests with efforts to encourage safe and secure handling of the electronic manifest data. An additional option to consider is an incentive program for companies that implement and document measures taken to secure electronic shipment manifests and shipment tracking systems.

• Policy Option 6.7.6: Make available and widely publicize a national database of cyber-incidents and attempted cyber-attacks on critical infrastructure components such as transportation, power, and communication systems. By increasing the public's attention to these areas, such a database could add pressure on infrastructure companies to focus more on their own cyber-security prevention and response

• Policy Option 6.7.7: Increase funding for university-level research on cyber-security and preparedness measures, and provide funding for universities and community colleges to create dedicated cyber-security training and research programs. This could significantly improve the training of America's future IT workforce.

• Policy Option 6.7.8: Create a cyber-warfare threat level indicator system, possibly similar to the Department of Homeland Security's color-coded daily threat level indicator. Such an indicator could be used by media outlets to help publicize the issue of cyber-security, and would increase overall awareness of the issue across all sectors.

• Policy Option 6.8.1: Mandate user password complexity and frequent changes, logouts after a short period of inactivity, and secondary identification (in the form of ID cards required to run the computer).

• Policy Option 6.8.2: IT departments should be required to submit system structure documents detailing the systems used throughout their agency. Departments should institute a government-wide Internet control program to restrict access to potentially threatening websites. Additionally, they must show prompt response to, and 100% implementation of, security patches for their systems.

• Policy Option 6.8.3: Mandate that the future development of the FAA's air traffic control system continue to favor decentralized, redundant regional control centers. This will ensure that it remains impractical for a cyber-attack to disable the air traffic system on a nationwide level. One possibility is to run backup computer systems in parallel with the main systems, but with a different implementation (e.g. a different hardware configuration or operating system), so that a vulnerability exploited on the main system may not affect the backup.

• Policy Option 6.8.4: Require that the FAA (and other government agencies) limit outside IT contractors' access to the computer systems they are directly involved with. As discussed previously in Section 3.4.3.2, contractors are currently given full access to systems that are not relevant to their work assignments. This simple measure would limit the risk of an outside contractor inserting malicious code into the agency's computer systems, and remove one vulnerability from the air traffic control system.

• Policy Option 6.8.5: Use best-value evaluations when selecting outside contractors. The OMB should establish which IT contractors present the best services, and encourage agencies to select the best contractor rather than the lowest bid. Additionally, the OMB could establish a certification system for IT contractors to complete to show minimum proficiency.


• Policy Option 6.8.6: Require regular ‘red team’ testing of any agency or private corporation that is connected to the government network. The ‘red team’ should be a multi-agency force that has regular turnover to ensure new ideas are constantly applied in security testing.

• Policy Option 6.10.1: Continue to integrate cyber-warfare into national strategic planning, especially in the areas of growing the military and creating or redefining the mission of the military. This would include increasing the number of units dedicated to cyber-warfare, and expansion throughout the cyber domain.

• Policy Option 6.10.2: Increase funding for cyber education, both in the civilian and government sectors. Expanding cyber-warfare training in the military would result in more effective troops, and the civilian sector could offer outside aid and ideas for the military.

• Policy Option 6.10.3: Develop specific national strategies for use of cyber-warfare, both offensively and defensively, against nations and terrorist organizations. These policies should focus on the capabilities of foreign powers, as well as specific technologies that could exploit enemy defenses or thwart their offensive capabilities. Any technology discussed in these reports should be fully researched to achieve its maximum effect.

• Policy Option 6.10.4: Establish an international convention regarding cyber-warfare, possibly through the United Nations. Work to establish a legal framework for the tracking and use of cyber-attacks, as well as classifications of cyber-attacks. From these classifications (military, terrorist, criminal, etc.), establish protocols for international sanction (if necessary) and rules of engagement or retribution.

127

8.2 Open Letter to the President

27 February 2002

George W. Bush
President of the United States
The White House
1600 Pennsylvania Avenue, NW
Washington, DC 20500

Mr. President,

Our nation is at grave risk of a cyber attack that could devastate the national psyche and economy more broadly than did the September 11th attack. We, as concerned scientists and leaders, seek your help and offer ours. The critical infrastructure of the United States, including electrical power, finance, telecommunications, health care, transportation, water, defense and the Internet, is highly vulnerable to cyber attack. Fast and resolute mitigating action is needed to avoid national disaster. We urge you to act immediately by forming a Cyber-Warfare Defense Project modeled in the style of the Manhattan Project.

Consider the following scenario. A terrorist organization announces one morning that they will shut down the Pacific Northwest electrical power grid for six hours starting at 4:00 PM; they then do so. The same group then announces that they will disable the primary telecommunication trunk circuits between the U.S. East and West Coasts for a half day; they then do so, despite our best efforts to defend against them. Then, they threaten to bring down the air traffic control system supporting New York City, grounding all traffic and diverting inbound traffic; they then do so. Other threats follow, and are successfully executed, demonstrating the adversary's capability to attack our critical infrastructure. Finally, they threaten to cripple e-commerce and credit card service for a week by using several hundred thousand stolen identities in millions of fraudulent transactions. Their list of demands is then posted in the New York Times, threatening further actions if their demands are not met. Imagine the ensuing public panic and chaos.

If this scenario were to unfold, Americans everywhere would feel that our national sovereignty had been compromised; we would wonder how, as a nation, we could have let this happen. Mr. President, what makes this scenario both interesting and alarming is that all of the aforementioned events have already happened, albeit not concurrently nor all by malicious intent. They occurred as isolated events, spread out over time; some during various technical failures, some during simple (government-sponsored) exercises, and some during real-world cyber attacks. All of them, however, could be effected through remote cyber attack by any adversary who so chooses, whether individual or state-sponsored. The resources required are modest -- far less than the cost of one army tank. All that is required is a small group of competent computer scientists, a few inexpensive PCs, and Internet access. Even the smallest nation-states and terrorist organizations can easily muster such capabilities, let alone better-organized groups such as Al Qaeda.

Many nations, including Iran and China, for example, have already developed cyber-offense capabilities that threaten our economy and the economies of our allies. There is no doubt that such a serious national vulnerability is a real and present danger. This has been affirmed by a number of distinguished bodies, including the President's Commission on Critical Infrastructure Protection (1997), the National Academy of Sciences (Computers at Risk, 1990; Trust in Cyberspace, 1999), and the U.S. Defense Science Board on Information Warfare Defense (1996, 2000). The consequence of successfully exploiting these vulnerabilities would be significant damage to the U.S. economy, degraded public trust with concomitant long-term retardation of economic growth, degradation in quality of life, and a severe erosion of the public's confidence that the government can adequately protect their security. We have seen the amplification effects, on our economy and on public apprehension, from a single event such as the World Trade Center and Pentagon attacks. Aggregate damages resulting from amateur cyber attacks (e.g., 1998 Internet Worm, Melissa Virus, I-LOVE-YOU virus, Code Red Virus and the Nimda virus) are estimated to have been $12 billion for the year 2001 alone. Extrapolating from this, a professionally-executed, coordinated cyber attack on our national critical infrastructure could easily result in a 100-fold amplification -- 10-fold from being professionally-executed and another 10-fold from indirect e-commerce suppression effects. In terms of a dollar value, this could amount to several hundred billion dollars in damage to the U.S. economy. Moreover, some community experts and reports (such as those cited above) estimate a high probability of a serious attack on U.S. critical infrastructure within the next few years.

The goal of our proposed Manhattan-style undertaking would be to create a national-scale cyber-defense policy and capability to prevent, detect, and respond to cyber threats to our critical infrastructure. We mean Manhattan-style in several senses: national priority, inclusion of top scientists, focus, scope, investment, and urgency with which a national capability must be developed. To prevent attacks, we need a coordinated effort to work with our critical-infrastructure providers in defending their most critical information systems. To detect attacks, we need to permeate our critical networks with a broad sensor grid imbued with the capability to detect large-scale attacks by correlating and fusing seemingly unrelated events that are, in fact, part of a coordinated attack. To respond to attacks, we need to devise strategies and tactics to pre-plan effective actions in the face of major cyber-attack scenarios; we need to augment our national infrastructure with mechanisms that support the defined strategies and tactics when attacks are detected and verified. We believe that all this can be done with a close partnership between the public and private sectors while maintaining sensitivity to public concerns about privacy and fairness, consistent with American values and laws. The result should be a resilient critical infrastructure that is resistant to cyber attack, plus next-generation technology which enables our critical infrastructure to be more easily secured. Given private-sector economic realities, our nation's economy and well-being will continue to rely on the existing vulnerable infrastructure for the indefinite future, unless strong government investment leads the way.

The proposed Manhattan-style cyber-defense project will cost a fraction of the expense we will incur from a single major cyber attack. We estimate the project would require an investment of $500 million per year initially, and could reach the billion dollar level in the out-years. The project would run over the course of five years to create a national-scale initial operating capability no later than year three, and more advanced defensive and offensive capabilities by year five. We recommend that you appoint a small board of top computer scientists and engineers to work out the details of a plan, and set the plan in motion within ninety days. The plan should include an appropriate balance between engineering and focused research to support the national capability and the policy, laws, and procedures that would be needed to deploy and support the cyber-defense technology.

The clock is ticking. We look to you, as America's leader, to act on behalf of the nation. Your conscientious and effective defense of our physical homeland should extend into the increasingly vital frontier of U.S. cyberspace. We anticipate that the nation will fully endorse and even expect this forward-thinking and courageous action in the face of such a major threat to national security. We stand ready to help in any way we can in taking this very important next step to defend our country.

Very respectfully,

[signed]

O. Sami Saydjari Founder Cyber Defense Research Center Former Information Assurance Program Manager, DARPA Former Fellow, National Security Agency Dr. Robert Balzer Chief Technology Officer Teknowledge Corporation Terry C. Vickers Benzel Vice President of Advanced Security Research Network Associates, Inc. Thomas A. Berson, Ph.D. Principal Scientist, Palo Alto Research Center Past-President, International Association for Cryptologic Research Past-Chair, IEEE Technical Committee on Security and Privacy Bob Blakely Chief Scientist, Security and Privacy

Salvatore J. Stolfo Professor of Computer Science Columbia University Dr. Curtis R. Carlson Chief Executive Officer SRI International George Cybenko Dorothy and Walter Gramm Professor Thayer School of Engineering Dartmouth College John C. Davis Director of Information Security Mitretek Systems Inc. Former Commissioner on PCCIP Former Director of NCSC/NSA Matt Donlon Former Director, Security and Intelligence Office Defense Advanced Research Projects Agency Patrick Lincoln Member of Defense Science Board Panels 2000-2001

Roy A. Maxion, Ph.D. Director, Dependable Systems Laboratory Computer Science Department Carnegie Mellon University David J. Farber Moore Professor of Telecommunications and Professor of Business and Public Policy University of Pennsylvania Richard J. Feiertag Manager of Strategic Planning NAI Labs, Security Research Division Network Associates, Inc. Edward A. Feigenbaum Kumagai Professor of Computer Science Emeritus Stanford University, and Chief Scientist, United States Air Force (1994-97) Dr. Tiffany M. Frazier Director, Advanced Computing

130

IBM Tivoli Software Seymour E. Goodman Professor of International Affairs and Computing Co-Director, Georgia Tech Information Security Center Georgia Institute of Technology Dr. J. Thomas Haigh Chief Technology Officer Secure Computing Corporation Walter L. Heimerdinger, PhD Patrick M. Hughes Lieutenant General, U.S. Army, Retired President, PMH Enterprises LLC Former Director, Defense Intelligence Agency Former Director of Intelligence (J2), Joint Chiefs of Staff Stephen T. Kent Chief Scientist -- Information Security BBN Technologies -- A Verizon Company (member of "Computers at Risk" & "Trust in Cyber Space" NRC committees) Angelos D. Keromytis Assistant Professor, Computer Science Dept. Columbia University Dr. Marvin J. Langston Deputy Chief Information Officer, Department of Defense, 19982001 Director Information Systems Office, Defense Advanced Research Projects Agency, 1997-98 Chief Information Officer, Department of Navy, 1996-1997 Karl N. Levitt

Director, Computer Science Laboratory SRI International John H. Lowry Division Engineer Technical Director for Information Security BBN Technologies/Verizon Stephen J. Lukasik Consultant, Science Applications International Corporation Former Director, Department of Defense Advanced Research Projects Agency Former Chief Scientist, Federal Communications Commission David Luckham Research Professor of Electrical Engineering Stanford University Dr. Joseph Markowitz Robert T. Marsh General, USAF (Retired) Former Chairman, President's Commission on Critical Infrastructure Protection Terry Mayfield Institute for Defense Analyses J.M. McConnell Former Director, National Security Agency John McHugh, PhD Carnegie Mellon University Fred B. Schneider Professor of Computer Science and Director of Cornell/AFRL Information Assurance Institute Gregg Schudel Formerly, Senior Engineer and Manager of Experimentation, DARPA

Alphatec, Inc. Roderick A. Moore Systems Engineer Former National Security Council Staff Pres. Reagan and Pres. Bush Administrations Dr. Charles L. Moorefield Board Chairman, Alphatech, Inc. Peter G. Neumann Computer Science Lab SRI International Dr. Clifford Neuman Sr. Research Scientist and Associate Division Director -Computer Networks Division Information Sciences Institute University of Southern California E. Rogers Novak, Jr. Managing Member Novak Biddle Venture Partners Allen E. Ott Orincon Information Assurance President Dr. Michael Paige Former Director, Xerox PARC Dr. Vern Paxson Senior Scientist, International Computer Science Institute Staff Scientist, Lawrence Berkeley National Laboratories Phillip A. Porras Program Director System Design Laboratory SRI International Laura S. Tinnel Deputy Program Manager and Research Scientist Information & Systems Assurance Group


Professor of Computer Science Director of the UC Davis Security Laboratory Department of Computer Science University of California, Davis Marcus Ranum Chief Technology Officer NFR Security, Inc. Jaisook Rho Principal Computer Scientist Network Associates, Inc. Dr. Arthur S. Robinson President, System/Technology Development Corporation Formerly Technical Director of RCA R&D for U.S.N. Aegis Weapons Systems S. Shankar Sastry Professor and Chair, Department of Electrical Engineering and Computer Sciences Formerly, Director, Information Technology Office, DARPA, US DoD

Information Assistance Program Larry J. Schumann President, EnterpriseTec, Inc. Member of the President's National Security Telecommunications Advisory Committee (1996-2000) Jonathan M. Smith Professor Computer and Information Science Department University of Pennsylvania

Teknowledge Corporation J. Douglas Tygar Professor of Computer Science and Information Management University of California, Berkeley J. Kendree Williams Chief Technology Officer Zel Technologies, LLC CDR, USN (Ret) R. James Woolsey Director of Central Intelligence, 1993-95 Larry T. Wright Chairman, Defense Science Board Task Force on Defensive Information Operations 2000-2001


8.3 Interview with Douglas Reeves

The following are excerpts from an interview with Dr. Douglas Reeves, a member of N.C. State's Cyber Defense Laboratory, on November 6, 2007.

What is your definition of cyber-warfare?

I'm not sure I have one, but I'll make one up. It's people trying to protect their assets, and people trying to take advantage of those assets, conflicting with each other. Assets can mean your computer system, your network, your data, your private information--it could mean a variety of things.

What kind of research have you done in the area of cybersecurity?

For about seven or eight years, I've worked in the field of network security, which has involved a number of different projects. I've done some work on intrusion detection, which is how you tell if someone's attacking you. Sometimes it's not obvious until the damage is already done, so you'd like to detect it as early as you can. I've also done some work on what I'll generically call forensics, or finding out who's attacking you. Just as in conventional crime, you want to be able to prosecute somebody if they've committed a crime. You'd like to know who's attacking your system. More recently, I've had a project that has to do with software security. What are the ways in which people break software, and how can you recognize when something is an attempt to break or misuse software? The attackers are quite clever, actually. This is one of the more interesting sides of research in this field, that your adversary is a person--you're not fighting the laws of physics, or some abstract cost factors or availability or properties of materials or the capabilities of manufacturers, the standard stuff that you do in engineering. What you're fighting is other people, so it's very interesting, because people--including the bad guys--are extremely clever. In fact, maybe especially the bad guys.

What are some of the projects the Army Research Organization had you work on?

That was mainly for intrusion detection. Most of us now have some form of intrusion detection. You just call it a virus checker. You know that when you have attachments for emails, you need to check before you open them whether there's some exploit embedded in that attachment. Besides what we run on our personal computers, corporations and enterprises like universities also inspect incoming traffic across the enterprise to see whether it contains attempts to break into computer systems, or what they can notice when someone's attempting to break into computer systems. There are a wide variety of products; this type of thing has been available for at least ten years, and some of them are commercially very successful and well documented.

One common problem with intrusion detection is that it's almost too good. Imagine if you had an alarm system, and you wanted to be sure that any attempt to break into your home, whether it was coming through a window or picking a lock or any other means of entry someone might have, you want to make sure that you detected it, that it was sensitive enough that you would never miss any attempt to break into your home. That would be very desirable, but it would be very unfortunate if the result was that the alarm was so sensitive that it kept going off all the time. You know, a bird flies past the building and the alarm goes off, or a heavy truck rumbles by on the road and the system thinks that's a break-in attempt and sets an alarm. So the real problem with a lot of intrusion detection systems is that to make them very accurate, they're set to be so sensitive that they squawk about all kinds of stuff, some of which is not attacks and some of which is.

Another problem is that many attacks are conducted in multiple steps. So, again to take the analogy of someone breaking into your home or office, maybe there are multiple steps to enter. Maybe they have to go into an entry gate, then they have to evade detection by a security camera, and then thirdly they have to figure out the combination to a door lock, and then fourthly they have to turn off the burglar alarm. So, there's a series of stuff they have to do. Well, if there is an attack but it takes a hundred steps, and you get an alarm for every one of those steps, then the combination of being overly sensitive and giving you information about every individual potential step--and imagine this is not an alarm system for one home or office, but it's for a thousand places of business, as intrusion detection for an enterprise is--the result of that is that you, the security administrator, are sitting there in front of a log looking at 10,000 messages a day go by, and you just can't deal with that volume of information. It's too much. So one choice is that you turn down your alarm to be less sensitive, so it doesn't keep squawking all the time, but you stand the chance of missing something if you do that, so there's a tradeoff.

Our particular research was, don't make the alarm systems less sensitive, but process the information produced by the alarm systems to do some of the kind of mental digestion or processing of the alarm information that previously had been done in people's heads, then present to them your summary of what that information might mean. Now instead of there being a hundred events related to a break-in, it might say, "I think there's been a break-in, and if you want more information, click here and I'll show you the steps that led to me concluding that there might have been a break-in." Or if you find that there are sequences of events that individually could be part of attacks, it turns out that those particular sequences of events are exhibited by innocuous, benign activities that are known to be people accessing databases for legitimate purposes. Then you can say, "After analyzing the low-level data, I can conclude there's no reason for you to be alerted this time." So that's what we were doing for the army--analysis of the data that's used for intrusion detection systems.

Once an intruder is detected, how difficult is it to detect what geographic location the intrusion came from?

In general, it's extremely difficult. The joke that I tell in some presentations is that what the defenders want is what you see in TV shows. In a cop show or whatever, somebody's in a chat room for pedophiles or something, and they say, "Get a trace on that guy," and then the next frame they're banging on the door of Apartment 3-G on 65 Main Street, and throwing the guy on the floor. You want that traceability, not to an IP address, but to a geographic location, because you want to be able to send the cops or the military to that location. That's what we would all like, but unfortunately, it doesn't work like that. There are many concealment techniques, many techniques for making it difficult or impossible for someone to tell where you are when you launch an attack or set an attack in motion. That's been one of our main research projects for quite a while: how to combat at least some of the more widely used techniques.

So, another analogy here is that you're trying to trace somebody and periodically, that person goes in buildings and you don't have access to those buildings they go into. You can watch all the exits to see if they emerge at some new location and start on new directions so you don't lose the trail. But you can't go in the building. But while they're in the building, they can undergo all kinds of disguises. They can change their shoes, they can stand taller, they can have new facial hair, they can put on new clothing, they can don glasses, all the standard stuff you can use for disguise. So you watch all these exits, but you have to somehow detect that it's them coming out even though they're wearing an elaborate disguise. And particularly if it's a building with lots of people going in and coming out, that's not exactly trivial to do. It's going to be a pretty difficult task. So what you'd like to do is pick some characteristic of a person that's somewhat difficult to disguise--not impossible, but somewhat difficult to disguise--and if you key it in on whether they have a mustache or not, obviously they can put on or shave a mustache. If you key it in on their weight, it's a little more difficult to disguise their weight. But to use something that's somewhat similar to what we do, if you key it on the way they walked, it's a little difficult to disguise the way they walk. You can try to fake a limp or walk faster than you typically do, or shorter steps, but it turns out the way you walk is fairly characteristic of a person's skeletal structure and habits. It's not completely straightforward to change the way you walk. So we have conducted research on the equivalent of this, which is looking at the timing characteristics of traffic, which are difficult to disguise. They can be modified, but we're able to overcome the simpler modifications that people might try and still recognize those timing characteristics.

So is getting into a computer system and hiding your identity something an amateur hacker can do?

Well, in the hacker community, the term hacker is a contentious term, because in some circles, the term hacker doesn't mean a bad person, it just means a skilled person. There is another term, cracker or black hat or bad guy or something like that, that would be more widely agreed upon than hacker. The hacker community, unfortunately, shares what they know. They're very generous with each other. So, they go out of their way to make stuff easy to use and download, and well documented, and as close to pushbutton automation as you can make it, which means that a moron can use this stuff. If somebody gives them a link to find whatever it is that they want, to try it out and direct it at whatever your target is takes almost no intelligence whatsoever. So, it's not hard at all to use these things.
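
As an added illustration of the alert-processing idea Dr. Reeves describes (this is example code written for this page, not code from the report or from the Cyber Defense Laboratory), the following Python correlator folds a constructed stream of low-level sensor alerts into a short list of verdicts: a multi-step sequence from one source is reported once with its raw alerts attached for drill-down, a sequence that a known backup job fully explains is suppressed, and sensor sensitivity is never turned down. The signature names, hosts, attack stages and benign profile are all constructed assumptions.

```python
"""Correlate low-level IDS alerts into a few analyst-facing verdicts.
Everything here (signature names, hosts, profiles) is constructed for
illustration; none of it comes from a real product or from the report."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    ts: int      # seconds into the log window (constructed values)
    src: str     # source host of the suspicious activity
    dst: str     # host the sensor saw being touched
    kind: str    # low-level sensor signature name (constructed names)


# Ordered stages of one hypothetical multi-step intrusion, in the spirit of the
# gate -> camera -> door lock -> burglar alarm analogy in the interview.
ATTACK_STAGES = ("port_scan", "auth_failure", "auth_success", "privilege_change")

# Known-benign sequences keyed by (src, dst): e.g. a nightly backup job that
# legitimately trips the same authentication sensors. Constructed allow-list.
BENIGN_PROFILES: Dict[Tuple[str, str], Tuple[str, ...]] = {
    ("10.0.0.5", "10.0.0.20"): ("auth_failure", "auth_success", "db_bulk_read"),
}


@dataclass
class Verdict:
    src: str
    dst: str
    level: str                 # "alert" or "suppressed"
    stages_matched: int        # how many ATTACK_STAGES were seen, in order
    evidence: List[Alert] = field(default_factory=list)  # raw alerts for drill-down


def match_stages(kinds: List[str], stages: Tuple[str, ...]) -> int:
    """Number of leading stages found in order, ignoring unrelated alerts between them."""
    i = 0
    for k in kinds:
        if i < len(stages) and k == stages[i]:
            i += 1
    return i


def explained_by_benign(kinds: List[str], profile: Tuple[str, ...]) -> bool:
    """True only if the profile is seen in order AND every alert is one the profile
    accounts for; a single unexplained signature (say, privilege_change) defeats it."""
    return match_stages(kinds, profile) == len(profile) and set(kinds) <= set(profile)


def correlate(alerts: List[Alert], window: int = 600, min_stages: int = 3) -> List[Verdict]:
    """Collapse a raw alert stream into verdicts. Sensor sensitivity is untouched;
    raw alerts are kept as evidence rather than being thrown away."""
    groups: Dict[Tuple[str, str], List[Alert]] = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x.ts):
        groups[(a.src, a.dst)].append(a)
    verdicts: List[Verdict] = []
    for (src, dst), evs in groups.items():
        start = evs[0].ts
        evs = [e for e in evs if e.ts - start <= window]   # one correlation window
        kinds = [e.kind for e in evs]
        profile = BENIGN_PROFILES.get((src, dst))
        if profile and explained_by_benign(kinds, profile):
            verdicts.append(Verdict(src, dst, "suppressed", 0, evs))
            continue
        n = match_stages(kinds, ATTACK_STAGES)
        if n >= min_stages:
            verdicts.append(Verdict(src, dst, "alert", n, evs))
    return verdicts


def summarize(verdicts: List[Verdict]) -> List[str]:
    """One line per verdict, the summary an analyst sees before drilling down."""
    lines = []
    for v in verdicts:
        if v.level == "alert":
            lines.append(f"ALERT {v.src} -> {v.dst}: {v.stages_matched}/{len(ATTACK_STAGES)} "
                         f"intrusion stages seen ({len(v.evidence)} raw alerts behind this)")
        else:
            lines.append(f"suppressed {v.src} -> {v.dst}: matches known benign activity "
                         f"({len(v.evidence)} raw alerts)")
    return lines


# Constructed sample log: one multi-step intrusion, one nightly backup job that
# trips the same sensors, and one lone scan that never progresses further.
SAMPLE_ALERTS = [
    Alert(0,   "203.0.113.7",  "10.0.0.20", "port_scan"),
    Alert(30,  "203.0.113.7",  "10.0.0.20", "auth_failure"),
    Alert(45,  "203.0.113.7",  "10.0.0.20", "auth_failure"),
    Alert(60,  "203.0.113.7",  "10.0.0.20", "auth_success"),
    Alert(90,  "203.0.113.7",  "10.0.0.20", "privilege_change"),
    Alert(100, "10.0.0.5",     "10.0.0.20", "auth_failure"),
    Alert(110, "10.0.0.5",     "10.0.0.20", "auth_success"),
    Alert(120, "10.0.0.5",     "10.0.0.20", "db_bulk_read"),
    Alert(200, "198.51.100.9", "10.0.0.20", "port_scan"),
]

if __name__ == "__main__":
    for line in summarize(correlate(SAMPLE_ALERTS)):
        print(line)
```

Nine raw alerts become two verdict lines; the lone scan stays in the raw log untouched, and a backup host that suddenly produced an extra, unexplained signature would no longer be suppressed.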


8.4 DHS Presidential Directive

December 17, 2003 Homeland Security Presidential Directive

(a) The Department of State, in conjunction with the Department, and the Departments of Justice, Commerce, Defense, the Treasury and other appropriate agencies, will work with foreign countries and international organizations to strengthen the protection of United States critical infrastructure and key resources.
(b) The Department of Justice, including the Federal Bureau of Investigation, will reduce domestic terrorist threats, and investigate and prosecute actual or attempted terrorist attacks on, sabotage of, or disruptions of critical infrastructure and key resources. The Attorney General and the Secretary shall use applicable statutory authority and attendant mechanisms for cooperation and coordination, including but not limited to those established by presidential directive.
(c) The Department of Commerce, in coordination with the Department, will work with private sector, research, academic, and government organizations to improve technology for cyber systems and promote other critical infrastructure efforts, including using its authority under the Defense Production Act to assure the timely availability of industrial products, materials, and services to meet homeland security requirements.
(d) A Critical Infrastructure Protection Policy Coordinating Committee will advise the Homeland Security Council on interagency policy related to physical and cyber infrastructure protection. This PCC will be chaired by a Federal officer or employee designated by the Assistant to the President for Homeland Security.
(e) The Office of Science and Technology Policy, in coordination with the Department, will coordinate interagency research and development to enhance the protection of critical infrastructure and key resources.
(f) The Office of Management and Budget (OMB) shall oversee the implementation of government-wide policies, principles, standards, and guidelines for Federal government computer security programs. The Director of OMB will ensure the operation of a central Federal information security incident center consistent with the requirements of the Federal Information Security Management Act of 2002.
(g) Consistent with the E-Government Act of 2002, the Chief Information Officers Council shall be the principal interagency forum for improving agency practices related to the design, acquisition, development, modernization, use, operation, sharing, and performance of information resources of Federal departments and agencies.
(h) The Department of Transportation and the Department will collaborate on all matters relating to transportation security and transportation infrastructure protection. The Department of Transportation is responsible for operating the national air space system. The Department of Transportation and the Department will collaborate in regulating the transportation of hazardous materials by all modes (including pipelines).
(i) All Federal departments and agencies shall work with the sectors relevant to their responsibilities to reduce the consequences of catastrophic failures not caused by terrorism. 265

The Homeland Security Presidential Directive of December 17th, 2003 establishes a more concrete list of responsibilities assigned to several departments within the United States Government.

265 Bush, George W. "December 17, 2003 Homeland Security Presidential Directive." The White House. 17 Dec. 2003. US Government. <http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html>.

<http://maisonbisson.com/blog/post/10387/wireless-vulnerabilities> "What is SCADA?" The Tech-FAQ. 2007. 27 Oct. 2007 <http://www.tech-faq.com/scada.shtml>. Wood, Anthony & Stankovic, John. Denial of Service in Sensor Networks. IEEE – Computer. Oct 2002. 54 – 62 Yeh, Y.C. (2001).Safety critical avionics for the 777 primary flight controls system. Digital Avionics Systems. 1, 111.

143
