Defense leaders struggle with defensive and offensive information warfare

A laptop computer plugs into a hotel room Internet access port with a well-trained hacker at the keyboard.

Sep 1st, 2000

By J.R. Wilson

A laptop computer plugs into a hotel room Internet access port with a well-trained hacker at the keyboard. Hundreds of miles out to sea, a U.S. Navy warship suddenly changes course and follows false navigation data the hacker in the hotel plants in its steering system.

On the other side of the world, in what appears to be a deserted and heavily damaged farmhouse in the middle of a battle zone, another hacker types away, using a portable satellite connection to get his signal out. His target — a U.S. Army M-1 Abrams main battle tank — is about to close in on an enemy stronghold a few miles away until its systems begin shutting down. The tank is left blind, defenseless, and dead in its tracks.

These examples may not always be science fiction. In March U.S. Army Maj. Sheryl French, a program manager for the Army's Information Assurance Architecture for the Digitized Force, warned that hackers could potentially infiltrate the internal computer systems upon which modern tanks and ships rely for navigation, targeting, and command and control.

The potential vulnerability of U.S. weapon systems to computer hackers is a security issue unique to the modern battlefield, she adds, because "we've never had computers" in tanks and armored personnel carriers until now. French made her comments at the annual Army Directors of Information Management Conference in Houston.

As for the ship scenario — "this actually happened," according to a Defense Information Systems Agency (DISA) training CD-ROM on information assurance. "Fortunately, this was only a controlled test to see what could be done. In reality, the type of crime and its objective is limited only by peo-ple's imagination and ability."

Daily hacker attacks

In February 1999, Deputy Defense Secretary John Hamre said the U.S. Department of Defense (DOD) was "detecting 80 to 100 (potential hacking) events daily." That September, congressional auditors issued a report citing "serious weaknesses" in the Defense Department's information security systems.

In October 1999, the U.S. Space Command took over primary responsibility for DOD's Joint Task Force-Computer Network Defense. The computer-defense task force orchestrates the safeguarding of all DOD computer networks and systems and works with DISA to monitor cyber intrusions and potential threats, as well as coordinate efforts to stop or contain damage and restore computer network operations.

"The threat of cyber attack, or information warfare, by our adversaries now has the potential for mass disruption of our nation's infrastructure," reported U.S. Air Force Lt. Gen. Michael Hayden, director of the National Security Agency (NSA), to the Kennedy Political Union of American University in Washington in February. "We are at a historic decision point.

"The 21st Century represents unprecedented opportunities and more diverse and dispersed threats," Hayden continued. "Just as we organized to meet the challenges of the Cold War, we must adapt to capitalize on the opportunities of the next millennium. If we as a nation do not make serious, sustained investments in information security and intelligence over the next five to seven years, we may find that we have missed opportunities and foreclosed options that we will dearly wish we had left available."

Emergency response

DISA's Network Operations &#amp; Security Center and Space Command's computer-defense task force work closely together and with DOD and individual service computer emergency response teams to maintain the health and welfare of the defense information infrastructure (DII) from a global perspective. That includes monitoring the status of NIPRNET (Non-secure Internet Protocol Routing Network) and SIPRNET (Secure Internet Protocol Router Network), over which the bulk of the military's classified and non-classified data are transmitted.

"There are a lot of initiatives underway to include redesigning NIPRNET for better security, controlling the number of gateways, having a stronger connection approval process," says Col. Larry Huffman, commander of DISA network operations. "We also do a great deal of work with combatant commanders to define their enclaves and protect them."

Since 1998, DISA network operations also has been involved with vulnerability management — identifying critical vulnerabilities within DOD information systems.

"We've established a process where we push those vulnerabilities with corrective actions down to system administrators within DOD," Huffman says. "We ask for acknowledgment and compliance that remediation has been done. We have a very good start on making this an enterprise solution, although much work remains to be done."

One security-enhancement approach DOD is taking, in cooperation with NSA, is the system-wide implementation of public key infrastructure, a technology largely derived from the public sector. In fact, while such technologies as firewalls to defend computer systems against intruders grew out of research by the Defense Advanced Research Projects Agency, the DOD information security effort relies heavily on commercial technology.

The use of COTS

"Technology is changing so quickly that government-produced technology just can't keep pace; even commercial technology is having trouble keeping pace," Huffman says.

One recent addition to the security mix is NetFacade, released March 20 by GTE Federal Network Systems in Arlington, Va. The software creates a false front that mimics real network services, leaving any attackers hacking away at a mirage while the network administrator is alerted and given a chance to observe, learn, and take action against the intruder while the attack is still in progress. But because the attack is actually hitting a software-based service simulation visible only to unauthorized users, no real damage is done.

In addition, the program's "honey pot" attribute captures the IP address of unwitting hackers while they access the decoy networks, along with valuable data on how they gained entry. In some respects, a hacker who mounts a long and involved attack is doing the "victim" a favor, enabling the administrator to learn more and more about the system's vulnerabilities.

"Traditionally, organizations erect firewalls to protect internal resources and use Intrusion Detection Systems (IDS) as a firewall backup to detect intrusions and misuse of the system," notes Randy Richmond, business development manager at GTE Federal Network Systems. "NetFacade is successful in detecting all intrusions because it runs passively on the system, complementing the firewall and installed IDS while grabbing all suspicious activity regardless of the traffic on the network."

Internet traffic

One area of great vulnerability for the military is the interface of such DOD systems as NIPRNET with the commercial Internet. About 70 percent of all traffic NIPRNET processes originates with the Internet, which is a major platform for the military's business processes by linking to suppliers and contractors. While officials control access points between the two, it remains a serious security concern. Some reports claim military networks experienced more than 18,500 intrusions last year, more than three times the number reported in 1998.

SIPRNET does not share that vulnerability, being a tightly controlled, secure network. But that does not mean it is invulnerable to attack.

"The threat to the SIPRNET is an insider threat," warns computer-defense task force operations director Col. Larry Frank. "That is a difficult problem to ever be 100 percent certain of, but we spend more resources on that issue than any other. But with something as big as the government, there will be failings."

Convicted computer hacker Kevin Mitnick drove that point home to the U.S. Senate Governmental Affairs Committee March 2. "The human side of computer security is easily exploited and constantly overlooked," Mitnick told lawmakers. "Companies spend millions of dollars on firewalls, encryption, and secure access devices — and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, and account for computer systems that contain protected information."

Offensive information warfare

As with all defensive efforts by the military, information security is a two-edged sword. Officials of U.S. Space Command also are looking at the offensive side to degrade adversary air defenses and disrupt other vital computer-based services in time of war. As one senior commander put it, the services "are trying to attract the best and the brightest" to the role of military "hacker". Using such forces to quickly bring down an enemy's ability to fight or support its war effort also avoids the death and destruction more traditional weapons leave behind, U.S. war planners note.

"It is no secret that the U.S. military's operational capability depends on information superiority — our ability to make smarter, faster decisions," says U.S. Air Force Gen. Ralph Eberhart, commander of U.S. Space Command. "This is both a tremendous advantage and a potential vulnerability. The threat is broad-based, coming from a wide spectrum of actors," Eberhart told the Senate Armed Services Committee 8 March.

"Hackers are by no means the only threat we face," Eberhart continued. "Criminal groups, disgruntled insiders, and non-state actors pose serious challenges, as well. Perhaps the most significant threat comes from several foreign nations believed to be developing information warfare doctrine, systems and forces to employ during peacetime, crisis or war."

Attacks on commercial computer networks also can be serious blows to the nation's military readiness, given DOD's growing reliance on the commercial marketplace for parts, supplies, components, and systems. The chaos created by this year's distributed system denial of service (DSDoS) attacks on some of the world's largest commercial Internet sites also is seen as a potential threat.

"We have been looking at this problem since we became aware of it last fall," Frank says. "DoS attacks have been around almost as long as networks have been around, but distributed DoS has stepped up how well it is orchestrated and increased the volume."

Heightening the potential threat of DSDoS is this: no technical knowledge or skills are necessary to co-opt thousands of unprotected Internet nodes, then use them in a coordinated attack against selected targets. The attacker simply fills in a simple form he can find on-line, clicks on "go," and returns to his life, in complete anonymity, while the software he accessed does all the work.

DSDoS programs survey the Internet to find unprotected servers, a few of which become "masters" that control vast numbers of others called "daemons". The owner of the co-opted site is unlikely to know it has been compromised, with the intruding program hiding itself, awaiting orders, and even continuing to run if it is discovered and deleted or if the system is rebooted.

Once the program creates a daemon, it announces itself to several predefined masters, which may wait days or months before ordering wave after wave of daemons to attack, change targets, shut down, or even switch masters. The attack order can include the address of the victim, how long an attack should continue, and a host of other parameters. Once the order goes out, no further contact between master and daemon is necessary. A DSDoS attack sends thousands of messages flooding into the target system to overwhelm it and block its ability to transact normal business.

For the military, the battle against DSDoS is two-fold: Do not become a victim, do not become an unwitting participant, either as master or daemon.

"We have been working diligently at finding methods to counter these," Frank says. "It's not easy in any event, but it is easier if you are prepared. We are trying to make sure those sites likely to be attacked are prepared with continuity of operations plans," Frank says. "You may not be able to stop an attack, but have some kind of plan to operate critical systems to continue your mission."

More in Communications