[iwar] Interesting article

From: Fred Cohen (fc@all.net)
Date: 2001-08-11 07:43:41


Return-Path: <sentto-279987-1590-997541025-fc=all.net@returns.onelist.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Sat, 11 Aug 2001 07:46:14 -0700 (PDT)
Received: (qmail 8049 invoked by uid 510); 11 Aug 2001 13:45:49 -0000
Received: from n11.groups.yahoo.com (216.115.96.61) by 204.181.12.215 with SMTP; 11 Aug 2001 13:45:49 -0000
X-eGroups-Return: sentto-279987-1590-997541025-fc=all.net@returns.onelist.com
Received: from [10.1.4.52] by c3.egroups.com with NNFMP; 11 Aug 2001 14:43:45 -0000
X-Sender: fc@big.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-7_3_1); 11 Aug 2001 14:43:44 -0000
Received: (qmail 39357 invoked from network); 11 Aug 2001 14:43:43 -0000
Received: from unknown (10.1.10.27) by m8.onelist.org with QMQP; 11 Aug 2001 14:43:43 -0000
Received: from unknown (HELO big.all.net) (65.0.156.78) by mta2 with SMTP; 11 Aug 2001 14:43:41 -0000
Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id HAA05701 for iwar@onelist.com; Sat, 11 Aug 2001 07:43:41 -0700
Message-Id: <200108111443.HAA05701@big.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Sat, 11 Aug 2001 07:43:41 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] Interesting article
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit


Information Operations

July 17, 2001

Introduction

With the advent of the personal desktop computer in 1980, the manner in
which the public and private sectors conduct business and provide services
to the public at large has changed. Over time, millions of computers and
thousands of dissimilar networks worldwide have been connected through a
global network of networks. Internet use has more than doubled annually for
the last several years to an estimated 40 million users worldwide in nearly
every country today. Connections between computer systems are growing at an
ever increasing rate with the Internet adding a new network about every 30
minutes. According to a report by the Computer Industry Almanac, nearly 43
percent of Canadians use the Internet, which makes Canada the leading
country for Internet use.

The growing dependence of governments, institutions, business, groups and
individuals on computer-based communications and information technologies
has resulted in a constantly changing view of what constitutes threats in
today's "information age." It is no longer necessary for "hostile actors"
(individuals, extremist groups, terrorist groups, intelligence services and
armed forces) to have direct physical access to a computer to copy, destroy
or manipulate data. People can use a variety of techniques and software
tools to exploit a targeted system once they gain unauthorised access
remotely via the Internet or by dialling directly into the system using a
telephone and a modem. Most legislation and protective measures address
physical attacks on critical systems and data; however they have been, or
are in the process of being, revised and updated to deal with the new class
of computer-based threats defined as Information Operations (IO).

Information Operations

The concept of IO has its root in that of ³Information Warfare² (IW), which
is the physical and computer-based operations used by military forces to
compromise the access to and viability of information received by the
decision-makers of an enemy, while at the same time protecting their own
information and information systems. The term IO is used to denote the use
of IW tools and techniques at any time. The definition has changed over time
to reflect the need for a state to maintain national security by protecting
its critical information infrastructure (CII). The eight critical sectors in
a state's infrastructure include: transportation; oil and gas; water;
emergency services; continuity of government services; banking and finance;
electrical power; and telecommunications.

IO is the outgrowth of military doctrine that focussed on the use of
electronic warfare measures to degrade the capabilities of adversaries on
the battlefield. Operations conducted during the Desert Storm campaign
indicated that technological development had provided the military with
computer-based tools and techniques that could be used to degrade not only
military systems but those of government and the private sector as well.

Within the realm of IO, there is no safe haven and territorial boundaries
become irrelevant as IO can be conducted at any time against any sector
(public or private). All other "cyber" activity (cybercrime, cyberterrorism,
cyberwar, netspionage, hacktivism, etc.) is a subset of IO. However, most
discussions relating to the use of computer-based tools and techniques in
the context of IO have come to focus on information assurance and the
protection of computer-based systems and networks from an intrusion or
attack.

The Threat

Information Operations could be used to target national information systems
from anywhere in the world using inexpensive hardware and software.
Degradation in the operation of a targeted computer system could cause
significant social, political and economic impact that would have serious
ramifications in the area of national security. Although security measures
are being created to protect these infrastructures, the development of
attack tools to circumvent these protective measures is ongoing and these
attack mechanisms have come to be freely available via the Internet. The
number of intrusions into computer-based systems is on the rise and the
tools used to exploit existing vulnerabilities are growing in
sophistication. Although only a small number of system intrusions are
reported, indications are that the level of reported incidents and
vulnerabilities is doubling roughly every six months. In 2000, statistics
released from the Computer Emergency Response Team (CERT) at Carnegie Mellon
University in Pittsburgh, show that 1,334 computer security incidents were
reported world-wide in 1993, compared to 9,859 in 1999 and, in the first
three quarters of 2000, the incidents rose to 15,167.

The threat of unauthorised intrusions into computer systems and networks
increases proportionately to the degree of connectivity to external networks
like that of the Internet. Such connections create vulnerabilities that can
be exploited, for whatever reason, by hostile actors, using malicious
software e.g. viruses, Trojan Horses and worms via the Internet. In
addition, physical attacks like the cutting of power cables or the
destruction of hardware upon which the information infrastructure depends
are the equivalent of physical denial of service (DoS) attacks. The latter
form of attack prevents authorized users from gaining access to information
systems and data. Any of these hostile actors can attack vulnerable
infrastructure points using physical means and/or software. As a result, the
growing capability of a variety of hostile actors to make offensive use of
IO, in both its physical and nonphysical forms, has the potential to
threaten the public safety of Canadians and the national security of Canada.

This is especially true since international affairs, in all their
dimensions, will increasingly involve competition for control of information
networks. Discussions at the United Nations on the topic of the
proliferation of IO tools are couched in the rhetoric of weapons
proliferation. The language has evolved from mass destruction to include IO
tools and weapons of mass corruption. The increasing reliance of states on
computer networks makes critical infrastructures attractive targets for
attack and exploitation and many countries have embarked on programs to
develop IO technologies. According to American military and Congressional
reports, Russia, China, India and Cuba have acknowledged preparations for
cyberwar and are actively developing IO capabilities; North Korea, Libya,
Iran, Iraq and Syria have some IO capabilities. Even though many countries
are developing IO capabilities, few have the means to fully integrate
various IO tools into a comprehensive attack which would cripple a country's
infrastructure. However, some could develop the required abilities to mount
such attacks over the next decade.

Security of Systems and Data

The development of IO tools and techniques is evolving in pace with the rate
of technological change in the communications and computer industries. The
ability to communicate and connect to networks worldwide almost
instantaneously has created both advantages and vulnerabilities.

As government departments and businesses globally have experienced both
intrusions into their networks and the loss of sensitive information, they
have attempted to install security measures to protect both systems and
data. Unfortunately, these security packages have a short life span. Surveys
and intrusion assessments conducted by private-sector security firms and by
government agencies worldwide indicate that a large number of security
packages and monitoring tools, many of which are commercially available, are
ineffective or misused. A number of surveys conducted in the United States
and the United Kingdom indicate that more than 80% of respondents in one
case did not use firewalls or any other security measures to protect their
systems and data. Up to 93% of respondents in another case were vulnerable
to rudimentary attacks even if firewalls were used.

As more and more persons, businesses and government departments become
dependent on computer-based communications and the operations of
interconnected networks, the configuration of interacting computer networks
and operating systems becomes more complex and creates vulnerabilities.
Natural forces (like storms), the natural evolution of network processes,
and IO tools could pressure these vulnerabilities and cause failures that
could have a profound effect, both short- and long-term, on the operation of
government and the private sector. For example, during the 1998 ice storm in
Quebec and eastern Ontario, the destruction of the essential electrical
power infrastructure cascaded into a disruption of key services such as
water supply, financial services, telecommunications, and transportation
with devastating effect for some Canadians.

Examples of Information Operations

Many examples of IO-related activity can be drawn from the experience of
American government departments in dealing with computer intrusions and
system exploitation. These experiences have been related in speeches given
before Senate and Congressional committees and in documents produced by the
General Accounting Office.

Extremist organizations, criminal groups and governments are acquiring
expertise in the area of IO and could threaten various systems if they
possess the proper tools and techniques to exploit vulnerabilities, and the
intent to do so. Testimony provided during committee hearings held within
government in the United States revealed the fact that an increasing number
of countries have or are developing offensive IO programs. Further, there is
data to indicate that an increasing number of extremist groups and
intelligence services are becoming proficient in the development and / or
use of IO tools and techniques. A number of these hostile actors may intend
to use IO tools to achieve specific goals.

Recent media reports indicate that protected military networks in the United
States have been easily hacked using rudimentary tools. One American
government-sponsored exercise (Eligible Receiver) demonstrated that software
tools obtained from hacker sites on the Internet can not only degrade the
operations of government departments but can threaten the critical
infrastructure.

In April 1998, hackers belonging to the "Masters of Downloading" (MOD),
which is international in membership, claimed they had broken into NASA and
DoD classified computerized systems, having acquired the means to gain
access to these systems with impunity, and to control military satellite and
other systems. With at least two Russian members, the MOD was considered by
computer experts to be more secretive, careful and sophisticated - and hence
more dangerous - than Analyzer. The MOD threatened to sell information about
American systems to terrorist groups or foreign governments. MOD members
allegedly communicate using an elaborate system of passwords and cover their
tracks by routing messages through a variety of computer systems all over
the world. Claims made by the MOD have not been publicly corroborated to
date.

In February 2000, national infrastructures suffered degradation from virus
and distributed denial of service attacks (DDoS). The attacks, which centred
on a number of companies, each with a significant presence on the Internet,
were estimated to have caused damage in the order of billions of dollars.
The subsequent infestation of computers around the world with the "I Love
You" virus had an even more profound effect on systems and networks. This was
due in part to the fact that the phrase "I Love You" in the subject line of
an e-mail message was a simple psychological operations ploy that enticed
many individuals to open the virus-laden e-mail attachment and infect their
computer systems. The DDoS attacks of February 2000 acted as a proof of
concept to show that a number of computers that previously had been
compromised by hacker activity could be used in concert to focus attacks on
a single target or on a number of targets.

Political tensions have resulted in hacking duels between hacker groups and
others in various countries. In 1999, there were hacking exchanges between
China and Japan over the issue of the Nanking massacre, between China and
Taiwan, and between India and Pakistan over Kashmir. In 2000, Armenians
placed false information in the Azerbaijan daily Zerkalo, and the current
tensions between Israel and Palestinians resulted in hacking activity by the
supporters of each side. This latter activity on the part of pro-Palestinian
supporters expanded to include corporations and a pro-Israel organization in
North America as targets.

Protection of the Canadian Critical Infrastructure

The Report of the Special Senate Committee on Security and Intelligence,
published in 1999, addressed the issue of the protection of Canada's
critical infrastructure. The critical infrastructure consists of both
physical and cyber-based systems that are essential to the day-to-day
operations of the economy and government. Historically, elements of this
critical infrastructure were physically segregated. However, these elements
gradually converged, became linked and became more interdependent. Advances
in computer and communications technologies resulted in a growing level of
automation in the operation of critical systems. The report stated that the
growth of, and our increased reliance on, the critical infrastructure,
combined with its complexity, has made it a potential target for physical or
cyber-based terrorism.

In its recommendations, the Committee suggested that the government take
action to protect the critical infrastructure and to:


• develop policies and resources to deal with any attacks;
• create the capability to assess and reduce infrastructure vulnerabilities,
and to prevent or respond to physical and cyber attacks;
• create public sector-private sector partnerships to protect the critical
infrastructure; and
• ensure that the National Counterterrorism Plan regularly be reviewed and
updated, especially relating to the impact created by new and emerging
technologies that may be used by terrorists.

Similar to other countries, the Canadian government has recently announced
the creation of a new agency which is designed to protect Canada's
electronic infrastructure against possible cyber based attacks and natural
disasters. The new agency, which is named the Office of Critical
Infrastructure Protection and Emergency Preparedness, will report to the
Minister of National Defense and will collaborate with the Solicitor
General's department, the provinces and municipalities, private industry and
other countries.

In addition, each federal government department and agency has information
technology (IT) policies and procedures. The Communications Security
Establishment (CSE) advises the federal government on the security aspects
of government automated information systems.

The Role of CSIS

The CSIS Information Operations program was initiated in 1997. As with all
CSIS investigations, this program derives its authority from the CSIS Act.
Under sections 2 (a) (b) and (c) of the Act, threats to the security of
Canada are defined as: espionage or sabotage, foreign influence activities,
or serious acts of violence against persons or property in support of
achieving a political objective. The information operations threat may fall
under any of these three sections.

The Service focuses its investigations on threats or incidents where the
integrity, confidentiality, or availability of critical information
infrastructure is affected. As a result, three conditions must appear in
order to initiate a CSIS "information operations" investigation. That is,
the incident: 

a) must be a computer-based attack

b) must, within reason, appear to be orchestrated by a foreign government,
terrorist group or politically motivated extremists;

c) must be done for the purpose of espionage, sabotage, foreign influence or
politically motivated violence.

This definition excludes many of the computer intrusions occurring within
Canada. For example, most hacking activity is being done by thrill seeking
amateurs with no political agenda. Moreover, a certain amount of hacking is
conducted by criminals for monetary gain and by corporations seeking an
unfair competitive advantage over another company. These types of computer
intrusions fall outside the CSIS mandate but may be of interest to law
enforcement. The Service confines its investigation to computer intrusions
conducted with a "political motivation". That is, whether a hostile
intelligence service is hacking into Canadian computer systems, or an
extremist group is targeting a government web site, there must be a political
aspect to the computer intrusion in order for CSIS to be involved.

Since the threat from cyber sabotage and cyber terrorism is part of a
broader economic threat to key sectors of Canadian society, CSIS works
closely with other government departments such as the Royal Canadian Mounted
Police, the Department of National Defense and the Communications Security
Establishment.

Furthermore, within the international milieu, CSIS liaises and exchanges
information with allied agencies to remain abreast of the global threat and
how it may impact on Canada's national security. CSIS also participates with
the federal government in broader G-8 efforts aimed at addressing the cyber
threat.

Outlook

One of the greatest challenges in countering the threat in the realm of IO
is that borders have become meaningless to anyone operating in a virtual
environment. Even if great diligence was taken in the effort to remove
vulnerabilities, it would be almost impossible to eliminate them entirely
because attack tools, networks and network control systems are in a constant
state of evolution.

As new technologies develop so too will new attack tools and mechanisms. As
a result, governments will have to set procedures in place to allow security
initiatives to evolve to deal with new threats as they arise. For example,
the risks involved with the movement of the private sector to an e-commerce
environment, the initiatives within the private sector to provide services
and system interconnection via wireless means, and the use of personal
digital assistants all present challenges from a security perspective.

Hacking is becoming easier to a certain extent because some elements of both
the private and public sectors around the world have been more interested in
connecting to the Internet than in facilitating their operations securely
via the Internet. 

National Liaison Awareness Program

CSIS maintains a national Liaison Awareness Program. The program seeks to
develop an ongoing dialogue with both public and private organizations
concerning the threat posed to Canadian interests from cyber-based attacks.
The purpose of the program is to enable CSIS to collect and analyse
information that will assist it in its investigation of these threats which
could have implications on Canada's national security. The Service then
assesses the threat, and provides advice to government accordingly. This
program is an important vehicle used by the Service to articulate its
message to the Canadian public.

Contact

For comments/enquiries, please contact the National Coordinator, Economic
and Information Security, Canadian Security Intelligence Service (CSIS) c/o
P.O. Box 9732, Postal Station T, Ottawa, Ontario, K1G 4G4. Telephone (613)
231-0100 or Fax (613) 842-1390.

--This communication is confidential to the parties it is intended to serve--
Fred Cohen		Fred Cohen & Associates.........tel/fax:925-454-0171
fc@all.net		The University of New Haven.....http://www.unhca.com/
http://all.net/		Sandia National Laboratories....tel:925-294-2087





This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:39 PDT