Excerpted from: ERRI DAILY INTELLIGENCE REPORT-ERRI Risk Assessment Services-Monday, March 20, 2000-Vol. 6, No. 080
20 Mar 2000
Recent DoS Attacks Point Out Already Known Vulnerability of U.S. Infrastructure
By: C. L. Staten, CEO and Sr. National Security Analyst
Emergency Response & Research Institute (ERRI)
"With the advent of the 21st Century, not only is it likely that many of the conflicts facing the United States and her allies will be of an asymmetrical and devolving nature, but it is also likely that the threats will come from diverse and differing vectors. Particularly of concern is the possibility that conventional terrorism and low-intensity conflict will be accompanied or compounded by computer/infrastructure attacks that may cause damage to vital commercial, military, and government information and confront communications systems." (1)
A number of experts have, for the past several years, worried about the possibility of exactly what happened during February. Richard Forno, security officer for a major internet registry company, prophesied just such a set of circumstances in 1998 in an article in which he warned of "empowered agents including 'sponsored' or individual hackers, cyber-terrorists, criminals, or other individuals who degrade, destroy, or otherwise corrupt the system. In the most advanced case, empowered robotic agents, embedded in the system, could be used to take autonomous (timed) actions against the host or remote systems or networks."(2)
In the same article, Forno also laments the fact that today's networks are largely comprised of "commercial operating systems and software applications purchased with the assumption that such products are secure as shipped from the manufacturer." All too frequently we find that is not the case.
Unfortunately, many of the problems that have become evident in the past week were highlighted in a 1997 government review by an "Infrastructure Protection Task Force (IPTF)" that was put together by President Bill Clinton for the purpose of examining the nation's critical infrastructure. In particular, Barry C. Collin, Senior Research Fellow at the Institute for Security and Intelligence, noted that the task force faced a "virtually insurmountable challenge." Collin astutely defined the challenge that faced the government both then and now by saying that the problem was "build[ing] a [government] policy on the infrastructure, when the infrastructure itself is owned by the private sector..."(3)
In the same article, Collin correctly pointed out why vulnerabilities may exist even at leading, multi-million dollar e-commerce providers. Collin rhetorically identified the crux of the problem by asking, "Who will effectively implement proposals on training, building a planning and response infrastructure, communications, and plans for further research and development... There aren't tax dollars, and no stockholder wants to see 'preparing for theoretical disasters' on the income statement."(4) Perhaps, one might theorize, those skeptical stockholders at companies stricken in the past week would be more prepared today to pay the costs of collective security preparedness.
Further, it should also be noted that efforts to find possible solutions to these most recent problems are not new. Several groups of people did attempt in June of 1997(5) to resolve the issue by building a conduit that would enable "a channel to the private sector to facilitate the gathering and sharing of cyber threat data/information between government, the private sector, and the general public."
The multifaceted project, called "The Manhattan Cyber Project" (MCP), was a joint project developed by WarRoom Research, LLC, Winn Schwartau of Infowar.com,(5) the Infrastructure Protection Task Force, and a number of other government and private sector agencies and personnel.(6) The Emergency Response & Research Institute (ERRI) was also to have been a participant. The effort, while thought by many to be necessary and well-intentioned, never received the corporate or government support or funding it needed to begin implementing its jointly developed plans. The effort did, however, point out both the problem and some possible solutions.
The Nature of Today's Emerging Threat
Hopefully, last month's "Denial of Service" attacks may have been a "rude awakening" for both corporate and government executives. If nothing else, they may have demonstrated how vulnerable the internet actually is. Although none of the attacks were believed to be directed against national defense computers, administrators of those systems privately say that they watched the assaults on the "dot-coms," with the greatest interest.
Telephone companies, electrical utilities, gas companies, banks, emergency services and other essential infrastructure components also admit that they tried to hypothesize what would have happened had these same methods been used in an attempt to interrupt the services that they provide. Many reportedly found their security systems wanting and these hypothetical exercises troubling.
Worse are the implications of future use of such tactics and techniques by international political adversaries or even non-state terrorist groups. The informed observer will shudder to think what effects might result if these attacks were undertaken by a foreign intelligence service, rather than a small group of teen-age malcontents.
John A. Serabian Jr., a CIA information operations official, in a recent article in the Washington Post said, "The foreign cyber threat constitutes a means to harm U.S. national interests in a nontraditional way using nontraditional attacks...It is transnational in origin, transcends geographic limitations and is wholly independent of military intervention."(7)
CHINA: The Re-Emerging Dragon
Particularly of concern in recent weeks is what appears to be an emerging cyberwarfare threat from the country of China. Warren P. Strobel, writing in the 13 March 2000 edition of Newsweek magazine, outlined recent developments in China, to include the possibility that China is about to create a fourth branch of its military, dedicated solely to cyber-warfare.(8) ERRI analysts say that this is a natural extension of a doctrine put forth in a revolutionary book entitled "Unrestricted Warfare" by PLA Colonels Qiao Liang and Wang Xiangsui that was first published in 1999.(9)
According to long-time unconventional warrior Colonel G. I. Wilson, USMC, the Chinese are well versed in the arts of Sun Tzu (see "Art of War," translated by S. B. Griffin). In Sun Tzu's view of warfare, and in the Chinese view (recently reflected in "Unrestricted Warfare"), it is proper to take action prior to hostilities, and for secret agents to separate the enemy's allies from him and conduct a variety of clandestine subversive activities. Among their missions are efforts to spread false rumors and provide misleading information, corrupt and subvert officials, create and exacerbate internal discord, and nurture "fifth columns."
The Chinese today believe (like Sun Tzu) that the prerequisite to victory involves making proper preparation in the enemy's camp so that the result is decided beforehand. Gen. Griffin noted years ago that it is dangerous to assume that the Chinese will operate in accordance with any previous pattern. It is safe to expect them to change their tactics in an infinite number of ways.
Mao said, "absorb what is useful, reject what is useless, and add what is specially our own." Wilson says that China today does NOT present a conventional military threat to the US (but that some in the United States are demonizing China for that purpose and missing what is really going on there). It is clear that China is laying the groundwork for making sure "the result is decided beforehand," perhaps as much as 10-30 years before the fact.
Essentially, "Unrestricted Warfare" acknowledges the fact that neither China nor any other country in the world today has the capability to actually engage the United States in a conventional military campaign. Instead, the book advocates a chilling asymmetric warfare strategy that includes the use of terrorism, cyber-warfare, propaganda and the use of unconventional weapons (read: Weapons of Mass Destruction) in an effort to defeat a militarily superior foe, such as the United States.
Observations, Recommendations, and Conclusions:
It would appear that the United States, at the advent of the 21st century, has grown awfully "fat and happy." Protected by two vast oceans and an admittedly down-sized but still extremely lethal military force, many Americans presently seem far more worried about the purchase of their next BMW and whether or not the NASDAQ rose again today. At least some polls would suggest that few Americans believe that there is a realistic possibility of an attack by another nation-state. In a word, America has become "complacent." And, at least to some extent, they are probably right.
As critics of any potential cyberwar scenario would point out, the likelihood of bringing America to her knees by means of a few Denial of Service (DoS) attacks(10) or the spread of computer viruses is probably nil. But as America and our allies become increasingly dependent on advanced technology for gains in productivity and for superiority in business, military, and diplomatic affairs, so do we become increasingly dependent on our computer infrastructure for our future success.
A more likely cyberwar scenario is one in which such attacks are used during a time of unrelated crisis or other, more conventional conflict, probably occurring elsewhere in the world. Infrastructure attacks could also be part of a cyber-terrorism campaign. They would be used as a "force multiplier," with repeated or coordinated attacks on our unprotected rear flank, namely our domestic infrastructure. Cyberwar is a sneak attack in the best traditions of Pearl Harbor, designed to confuse and disrupt the various points that comprise the essence of our superiority.
It is a classic guerrilla warfare tactic to attempt to disrupt the enemy's lines of communication, electricity grids, and supply lines. And it would appear that our adversaries have discovered that they can undertake these attacks from a distance using a few highly trained saboteurs armed with laptop computers and internet connections. Oh -- and the best part is -- that they can launch these attacks from any part of the world, without physical danger to themselves, and maybe even make it look like they were carried out by an ally.
Some Suggested Solutions:
* The government must find a way to communicate, coordinate, and cooperate with the private sector that owns and runs much of the critical infrastructure on which our country depends. Existing national protection schemes do not have the confidence of the internet community, and effective communications between the government and private sector remain strained by battles over encryption, privacy, and other issues.
* Maybe through the use of legal non-disclosure agreements or the "sanitizing" of reports, a method of two-way dissemination of threat, attack, and remediation information must be established between the U.S. government and private sector. Emphasis must be placed on the "two-way" part of this recommendation. The primary complaint heard from corporate computer network managers is that information and knowledge provided to the law enforcement community -- at various levels -- is rarely, if ever, reciprocated...and often not even acknowledged.
* Official agencies attempting to thwart computer-related crimes, cyberwar, and cyberterrorism must find ways to move more expeditiously in their pursuit of perpetrators. Probably due to a lack of technically qualified personnel and/or appropriate detection or analysis software, official agencies have not so far shown that they can disrupt attacks while they are underway. Secondarily, due to an increasing backlog of computer-related crime cases, investigations often stretch into months -- not days or even weeks -- thus allowing perpetrators to continue their illegal activities for extended periods.
* A public education program is necessary to alert both businesses and the general public about the implications of cyberwarfare and cyberterrorism. All Americans must be made to feel as though they are part of a larger system to help protect our nation. This can be accomplished through the development and wide dissemination of methods of safe computing practices, public service announcements, publication of informational articles in the general press, and public speeches by political and business leaders.
* A nation-wide, private, not-for-profit, institute -- staffed by members of the military, government, all parts of the private business sector, and with public oversight -- might prove useful in further research and the timely dissemination of emerging threat information.
This paper certainly is not the definitive statement in regard to cyber-war or cyber-terror. It is presented in an attempt to foster communications and to encourage further exploration and discussion of the issues contained herein. The author welcomes questions, comments, suggestions, criticism, or recommendations pertaining to its content. Please feel free to send "Letters to the Editor" to the address listed below.
1. "Asymmetric Warfare, the Evolution and Devolution of Terrorism; The Coming Challenge For Emergency and National Security Forces," Staten, C. L., 04/27/98, published in the Journal of Counter-Terrorism and Security International, Winter 1999 edition, Vol. 5, No. 4, Pg. 8-11. Available on the internet at: http://www.emergency.com/asymetrc.htm
2. "Hidden Threats And Vulnerabilities To Information Systems At The Dawn Of A New Century," Forno, R. F., 11/22/98, ERRI/EmergencyNet News Service. Available on the internet at: http://www.emergency.com/techthrt.htm
3. "Reflections on the 1997 Commission on Critical Infrastructure Protection (PCCIP) Report," Staten, C. L., 10/23/97, ERRI/EmergencyNet News. Available on the internet at: http://www.emergency.com/pcciprpt.htm
4. ibid, PCCIP Report
5. "Manhattan Cyber Project is Announced," Schwartau, W., 06/06/97, Press Release by Interpact, Inc. Available on the internet at: http://www.infowar.com/civil_de/civil_q.html-ssi
6. "U.S. Government to Participate in the Manhattan Cyber Project," Marshall, L., 09/08/97, Press release by Schwartz Communications. Available on the internet at: http://www.infowar.com/civil_de/civil_090897c.html-ssi
7. "Cyberwar's Economic Threat; U.S. Is Vulnerable to Foreign Attacks, Hill Panel Is Told," Loeb, V., Washington Post, February 24, 2000, Page A19. Available on the internet at: http://www.washingtonpost.com/wp-srv/WPlate/2000-02/24/160l-022400-idx.html
8. "A Glimpse of Cyber-Warfare," U.S. News and World Report, 13 March 2000, Vol. 128, No. 10, Pg. 32-33. Available on the internet at: http://www.usnews.com/usnews/issue/000313/cyberwar.htm
9. "Unrestricted Warfare," by Qiao Liang and Wang Xiangsui, Beijing: PLA Literature and Arts Publishing House, February 1999, Translation by FBIS. Available on the internet at: http://www.terrorism.com/documents/unrestricted.pdf (note - requires Adobe .pdf reader)
10. "Series of 'Real-time' EmergencyNet News Reports Concerning Denial of Service Attacks on Leading Web Sites on the Internet - 08 Feb 2000 to 16 Feb 2000," by ERRI. Available on the internet at:
23 Mar 2000, 16:27 PM CST -- "Big Increase In Net Warfare Predicted," an interview with Sen. Jon Kyl, R-Ariz., by Robert MacMillan, Newsbytes
February 18, 2000 -- NIPC INFORMATION SYSTEM ADVISORY 00-035: WIN9X VERSION OF DDOS TOOL
January 3, 2000 -- CERT® Advisory CA-2000-01 Denial-of-Service Developments
December 30, 1999 -- TRINOO/Tribal Flood Net/tfn2k
December 28, 1999 -- CERT® Advisory CA-99-17 Denial-of-Service Tools
© Copyright, EmergencyNet NEWS Service, 2000 - All Rights Reserved. Further redistribution/publication without permission is prohibited by law.
Emergency Response and Research Institute
6348 N Milwaukee Ave, Suite 312,
Chicago, Illinois 60646 USA
773-631-ERRI - Voice/Voice Mail
773-631-4703 - Fax
http://www.emergency.com/: Main Webpage