September 30, 1996
A New Battlefield: Rethinking Warfare in the Computer Age
By STEVE LOHR
The potential targets range from financial markets to tanks. But experts debate whether these are imminent threats or worst-case nightmares.
AIRPLANES Destructive software could cause plane crashes by making on-board avionics malfunction. High-energy weapons, in theory, could also cause crashes by disabling computer systems.
BANKS AND STOCK EXCHANGES Sniffer programs can track funds transfers. Logic bombs could cripple the markets and destroy records of transactions. Computer hackers can crack into banking networks and steal money.
ELECTRIC UTILITIES Logic bombs or worms could knock out power grids, causing local or regional blackouts.
TANKS AND ARMS Sophisticated computer controls are vulnerable to both destructive software and high-energy weapons. Everything from tanks to surveillance aircraft is potentially at risk.
TRAINS Logic bombs in traffic-control networks could cause crashes by misrouting trains.
It was the OPEC meeting in May 2000 that started the crisis. The oil-price hawks, led by Iran, demanded a sharp cutback in production to drive prices up to "at least $60 a barrel."
The stormy gathering of the Organization of Petroleum Exporting Countries ended on May 4, with a shouting match between the Iranian and Saudi Arabian oil ministers. Over the next two weeks, Iran and its allies mobilized troops and fired on Saudi warships. But they also unleashed an arsenal of high-technology weapons to try to destabilize the Saudi government and prevent the United States from intervening.
A huge refinery near Dhahran was destroyed by an explosion and fire because of a mysterious malfunction in its computerized controls. A software "logic bomb" caused a "new Metro-Superliner" to slam into a misrouted freight train near Laurel, Md., killing 60 people and critically injuring another 120.
The Bank of England found "sniffer" programs running amok in its electronic funds transfer system. And a "computer worm" started corrupting files in the Pentagon's top-secret force deployment data base.
The opening scenes from a Hollywood script or a new Tom Clancy novel? No, these are excerpts from a role-playing game conducted last year at the Government's National Defense University in Washington. The goal was to generate some serious thinking about "information warfare."
Today, there are a lot of people thinking seriously about information warfare, not only at the Pentagon and the CIA but also in the executive offices of banks, securities firms and other companies. Once dismissed as the stuff of science fiction, high-tech information warfare is fast becoming a reality.
Defense and intelligence officials believe that enemy nations, terrorists and criminal groups either already have the capability to mount information warfare strikes or soon will. Criminals are quickly progressing beyond the vandalism and petty theft associated with teen-age hackers and into robbery and extortion schemes ranging up to millions of dollars, corporate executives and private investigators say.
In the future, they fear, information warfare assaults could be made against commercial networks like the banking system or utilities in several states.
Yet there is a heated debate among experts in this emerging field about whether the kinds of catastrophic incidents cited in the National Defense University war game are imminent threats or worst-case nightmares.
"A couple of years ago, no one took information warfare seriously," said Howard Frank, director of the information technology office at the Defense Advanced Research Projects Agency, or DARPA. "But the more you learn about it, the more concerned you become."
Others reply that the worst threats mentioned are mostly speculation. "Information warfare is a risk to our nation's economy and defense," said Martin Libicki, a senior fellow at the National Defense University. "But I believe we will find ways to cope with these attacks, adjust and shake them off, just as we do to natural disasters like hurricanes."
Experts on both sides of the debate do agree that the growing reliance on computer networks and telecommunications is making the nation increasingly vulnerable to "cyber attacks" on military war rooms, power plants, telephone networks, air traffic control centers and banks.
John Deutch, the director of central intelligence, told Congress in June that such assaults "could not only disrupt our daily lives, but also seriously jeopardize our national and economic security."
"The electron, in my view," Deutch warned, "is the ultimate precision-guided weapon."
President Clinton last July created a Commission on Critical Infrastructure Protection to craft a coordinated policy to deal with the threat.
Within the government, information warfare tactics and intelligence are highly classified issues. But the CIA has recently created an "Information Warfare Center." And the National Security Agency intends to set up an information warfare unit staffed by as many as 1,000 people, with both offensive and defensive expertise, as well as a 24-hour response team, according to a staff report by the Senate Permanent Subcommittee on Investigations, which was initiated by Sen. Sam Nunn.
Information warfare is a catchall term. The military, for example, often refers to information warfare broadly to include time-tested techniques and tools like disinformation, cryptography, radio jamming and bombing communications centers.
But it is high-tech information warfare that has been getting most of the attention and funding lately. This budding warfare industry is an eclectic field indeed, ranging from computer scientists whose work is funded by the government to hackers-for-hire who specialize in theft, extortion and sabotage. In his Senate testimony, Deutch said the CIA had determined that cyber attacks are now "likely to be within the capabilities of a number of terrorist groups," including the Hezbollah in the Middle East.
The weapons of information warfare are mostly computer software, like destructive logic bombs and eavesdropping sniffers, or advanced electronic hardware, like a high-energy radio frequency device, known as a HERF gun.
In theory, at least, these weapons could cripple the computer systems that control everything from the electronic funds transfer systems of banks to electric utilities to battlefield tanks.
For the military, information warfare raises the prospect of a new deal for America's adversaries. Cyberwar units could sidestep or cripple conventional weaponry, undermining the advantage the United States holds.
"Even a third-tier country has access to first-class programmers, to state-of-the-art computer hardware and expertise in this area," said Barry Horton, principal deputy assistant secretary of defense, who oversees the Pentagon's information warfare operations. "There is a certain leveling of the playing field."
Cyberspace also plays havoc with traditional definitions: What is a military and what is a commercial target, if 95 percent of military communications are over commercial networks; what is within United States jurisdiction and what is an international issue, when cyberspace has no geographic borders?
Mostly, the weapons of information warfare are the digital bits of software. The C.I.A. terms the electron "the ultimate guided weapon."
LOGIC BOMB A software program that "detonates" at a specific time, or when certain instructions are executed. It then typically destroys or rewrites data.
SNIFFER An eavesdropping program that can monitor communications or commercial transactions.
HERF GUN A high-energy radio frequency weapon. It shoots a high-power radio signal at an electronic target and disables it.
WORM A self-replicating program that uses disk space and memory and can eventually shut down computer systems.
"We have to redefine national security for the information age," Horton said.
There is, to be sure, an aspect of self-interest in the information warfare alarms raised by defense and intelligence agencies. Those bureaucracies are sizable and costly, and in the post-Cold War era, they are in need of new enemies.
"The people who are concerned about information warfare tend to magnify its significance," said Libicki of the National Defense University.
The Electronic Industries Association estimates that over the next decade, the government's information warfare procurement, mainly for specialized software and services, will grow sevenfold, to more than $1 billion annually.
Yet the projected information warfare spending amounts to pocket change, compared with next year's military budget of $257 billion.
"The point of information warfare is that you don't need fighter planes and billions of dollars to launch an attack on the United States anymore," said Winn Schwartau, an author and president of Interpact Inc., a security consulting firm.
The government's computer systems are clearly susceptible to intruders. In 1988, a Cornell student sent a worm program over the Internet that penetrated military and intelligence systems, shutting down 6,000 computers.
In 1994, a 16-year-old British hacker broke into the computer system at an Air Force laboratory in Rome, N.Y.
And in "red team" exercises, the military's experts have been able to break into 65 percent of the Defense Department systems they tried to penetrate, using hacking tools available over the Internet.
But nearly all these intrusions have been into some of the 2 million computers in military networks that handle unclassified information -- though that information can be useful to enemies, defense officials concede. The classified information is on the other 10 percent of the military's computer networks, which do not have open links to the outside.
Private companies and banks typically do not have the luxury of making their networks off-limits to outsiders.
"We invite our customers into our computer networks," said Colin Crook, the senior technology officer of Citibank. "I think our problem is more challenging than the government's."
Citibank got an alarming brush with the problem two years ago, when a Russian computer hacker tapped into the bank's funds transfer system, taking more than $10 million. Citibank will not discuss the case, but investigators say the bank recovered all but $400,000.
In the business world, the reported hacker activity to date is mostly stealing credit card numbers, vandalizing software or harassing Internet service companies.
"At the moment, we're dealing with penny ante stuff," said Peter Neumann, a computer scientist at SRI International, a research firm in Menlo Park, Calif. "But the risk of much greater damage is there."
Frank of DARPA speaks of a "frightening vulnerability" of utilities systems, of the private data networks of the international financial system and of the digital switches at the core of modern phone systems.
Major breakdowns caused by computer intruders have not yet occurred. But there is evidence that more sophisticated hackers are now at work. The Science Applications International Corp., a defense contractor and technology security firm, surveyed more than 40 major corporations who confidentially reported that they lost an estimated $800 million due to computer break-ins last year, both in lost intellectual property and money.
Private investigators and bankers say they are aware of four banks, three in Europe and one in New York, that have made recent payments of roughly $100,000 each to hacker extortionists. The bankers and investigators would not name the banks, but the weapon used to blackmail the banks was a logic bomb -- a software program that, when detonated, could cripple a bank's internal computer system. In each case, the sources said, the banks paid the money, and then took new security measures.
Frequently, experts say, the tighter security measures are nothing fancy. One problem is modems on employees' computers. They are open connections to the outside world, potentially giving hackers access to an internal network.
"You can't eliminate risk of information attacks, but you can minimize it," said William Marlow, a senior vice president of Science Applications International. "Many of the steps are not all that high-tech or expensive."
After it got stung in the Russia episode, Citibank has taken a series of measures, from instructing employees to never assume a computer network is secure to aggressively pursuing hackers.
"You mess with us and we're going after you," Crook said. "This is a big deal for us now."
Copyright 1996 The New York Times Company