Cyberwarfare Vulnerability Assessment (2007)
Cyber-Warfare: The New Front
A Technology Assessment
E 497 B Benjamin Franklin Scholars Capstone
Final Report December 5, 2007
Zach Adams
Tyler Barker
Matthew Bruchon
Daniel Clark
Kenny Fearn
Garrett LaRue
Chris Saunders
Katie Woodruff
Table of Contents
0 EXECUTIVE SUMMARY .... 6
0.1 Introduction .... 7
0.1.1 Is Cyber-warfare a Real Threat? .... 7
0.1.2 Defining Cyber-attacks .... 7
0.2 Tools .... 8
0.2.1 Hacking .... 8
0.2.2 Denial of Service .... 8
0.2.3 Computer Viruses .... 9
0.2.4 Packet Sniffing .... 9
0.2.5 Social Engineering .... 9
0.2.6 SCADA Systems .... 10
0.3 Targets .... 10
0.3.1 Military and Government .... 11
0.3.2 Financial Systems .... 11
0.3.3 Critical Infrastructure .... 12
0.3.4 Transportation Systems .... 12
0.4 Consequences .... 13
0.4.1 Economic Consequences .... 13
0.4.2 Social Effects .... 14
0.5 National Agencies and Legislation .... 14
0.5.1 E-Government Act of 2002 .... 14
0.5.2 National Infrastructure Advisory Council .... 15
0.5.3 National Strategy to Secure Cyberspace .... 15
0.5.4 United States Computer Emergency Response Team (US-CERT) .... 15
0.6 Policies .... 15
0.6.1 National Policies .... 16
0.6.2 Policy Goals .... 16
0.6.3 Guiding Principles .... 16
0.6.4 Stakeholders .... 17
0.6.5 Policies of Prevention .... 17
0.6.6 Policies of Response .... 17
0.6.7 Policies for Public Awareness and Training .... 18
0.6.8 Policies for Government Cyber-security .... 19
0.6.9 Policies for U.S. and International Cyber-warfare Collaboration .... 19
0.6.10 Policies for Military Use of Cyber-warfare .... 20
0.7 Conclusion .... 21
0.7.1 Is Cyber-warfare a Threat? .... 21
0.7.2 The Way Forward .... 21
1 INTRODUCTION .... 23
1.1 What Is at Stake? .... 24
1.2 Is Cyber-Warfare a Real Threat? .... 25
1.3 Defining Cyber-attacks .... 26
2 TOOLS FOR CYBER-ATTACKS .... 27
2.1 Hacking .... 28
2.2 Denial of Service Attacks .... 28
2.2.1 Vulnerabilities .... 29
2.2.2 Sensor Networks .... 30
2.2.3 Denial of Service on the Internet .... 30
2.2.4 Executing a Distributed DoS Attack .... 31
2.2.5 Hacking Communities .... 33
2.2.6 Case Study - United States and China Cyber-Conflict in 2001 .... 34
2.2.7 Defense against DoS Attacks .... 35
2.2.8 Defending Individual Systems .... 35
2.2.9 Defending Local Networks .... 36
2.2.10 Defending Extended Networks .... 36
2.2.11 Case Study: Estonia DDoS Attacked by Russia .... 37
2.3 Computer Viruses .... 37
2.3.1 Types of Viruses .... 38
2.3.2 Effects of Viruses .... 38
2.3.3 Defense against Viruses .... 39
2.4 Packet Sniffing .... 40
2.4.1 Data Streams and Packets .... 40
2.4.2 File Transfer Protocols .... 40
2.4.3 Networking Schemes .... 40
2.4.3.1 Ethernet Networks .... 40
2.4.3.2 WiFi Networks .... 41
2.4.3.3 Network Interface Cards and Promiscuous Mode .... 41
2.4.4 Implementations .... 42
2.4.4.1 Spoofing .... 42
2.4.4.2 Limitations and Counters .... 42
2.4.5 Scenarios .... 43
2.4.5.1 Public WiFi Service .... 43
2.4.5.2 University Networks .... 44
2.5 Social Engineering .... 44
2.5.1 Confidence Schemes or Trust and Attack Models .... 44
2.5.2 Phishing .... 44
2.5.3 Dumpster Diving .... 45
2.5.4 Case Studies .... 45
2.6 SCADA Systems .... 46
2.6.1 Scope of the Threat to SCADA Systems .... 47
2.6.2 Vulnerabilities .... 48
2.6.2.1 Original Development Flaws .... 48
2.6.2.2 Corporate Network Security .... 49
2.6.2.3 Company Security Procedures .... 49
2.6.2.4 Who Could Gain Access? .... 50
2.6.3 Case Studies .... 51
2.6.3.1 Hunter Watertech .... 51
2.6.3.2 Roosevelt Dam .... 51
3 TARGETS .... 52
3.1 Military and Government .... 53
3.1.1 Data Theft and Corruption .... 53
3.1.2 Battlefield Cyber-attacks .... 54
3.1.3 Foreign Threats .... 56
3.2 Financial Systems as a Target .... 57
3.2.1 Overview .... 57
3.2.2 Direct Attacks on Financial Systems .... 58
3.3 Infrastructure .... 59
3.3.1 Power Utilities .... 59
3.3.1.1 Why is the Power Grid so Vulnerable? .... 60
3.3.1.2 What is Being Done? .... 62
3.3.2 Emergency Response .... 62
3.3.3 Communications .... 63
3.4 Transportation Systems as a Target .... 63
3.4.1 Public Transit Systems .... 64
3.4.2 Shipping Networks .... 64
3.4.3 Air Transportation Networks .... 66
3.4.3.1 Aircraft Internal Electronic Control Systems .... 67
3.4.3.2 Air Traffic Control System .... 68
3.4.4 Conclusions .... 70
4 CONSEQUENCES .... 72
4.1 Economic Consequences of Cyber-Warfare .... 73
4.1.1 Economic Consequences of Hacking .... 73
4.1.2 Economic Consequences of Infrastructure Attacks .... 73
4.1.3 Economic Consequence of Combined Attacks .... 75
4.2 Social Effects .... 76
4.2.1 Public Confidence in the Government .... 76
4.2.2 Public Confidence in Target .... 77
5 NATIONAL AGENCIES AND LEGISLATION .... 79
5.1 E-Government Act of 2002 .... 80
5.2 National Infrastructure Advisory Council .... 80
5.3 National Strategy to Secure Cyberspace .... 81
5.4 United States Computer Emergency Response Team (US-CERT) .... 81
5.4.1 US-CERT Einstein Program .... 81
5.4.2 Collaborative Groups of US-CERT .... 82
5.4.3 National Cyber Security Division (NCSD) .... 83
5.4.3.1 National Cyberspace Response System .... 83
5.4.3.2 Cyber Risk Management Programs .... 84
6 POLICY .... 85
6.1 National Policies .... 86
6.2 Policy Goals .... 86
6.3 Guiding Principles .... 87
6.3.1 Social Considerations .... 87
6.4 Stakeholders .... 88
6.5 Prevention .... 90
6.5.1 Prevention Challenges .... 90
6.5.2 Prevention Products .... 91
6.5.3 Security Personnel .... 92
6.5.4 New Vulnerabilities .... 93
6.5.5 Computer Security and Liability .... 93
6.5.6 Policy Options .... 93
6.6 Response .... 95
6.6.1 Judicial Response to Past Attacks .... 95
6.6.1.1 Russian Man Sentenced for Hacking into Computers in the United States .... 96
6.6.1.2 Melissa Virus .... 96
6.6.1.3 Disgruntled Employee .... 96
6.6.1.4 Israeli Citizen Arrested in Israel for Hacking Government Computers .... 96
6.6.1.5 Konopka Attacks .... 96
6.6.2 National Cyberspace Response System .... 97
6.6.3 Public and Private Ways to Communicate .... 98
6.6.4 Sharing Information .... 99
6.6.5 Policy Options .... 99
6.7 Policies to Promote Cyber-security Awareness and Training .... 100
6.7.1 Policies for Home and Small Business Users .... 100
6.7.2 Policies for Large Enterprises .... 101
6.7.3 Policies for Critical Sectors and Infrastructures .... 102
6.7.4 Policies for the Nation as a Whole .... 103
6.8 Government Cyber-security .... 104
6.8.1 Federal Level Security .... 104
6.8.2 Agency Level Security .... 105
6.8.3 Areas for Improvement .... 106
6.9 US and International Cyber-warfare Collaboration .... 107
6.9.1 United States National Security Policies .... 107
6.9.1.1 Securing the Nation’s Cyberspace .... 108
6.9.2 United States International Policies .... 109
6.9.2.1 Utilize International Organizations to Promote a Global “Culture of Security” .... 109
6.9.2.2 Develop Secure Networks .... 109
6.9.2.3 Promote North American Cyberspace Security .... 110
6.9.2.4 Establish International Network of Agencies for Information Relay .... 110
6.9.2.5 Encourage Other Nations to Follow the Council of Europe Convention on Cyber-crime .... 110
6.9.3 International Cyber-security Collaboration .... 110
6.9.4 International Policies .... 111
6.9.4.1 United Kingdom .... 111
6.9.4.2 Germany .... 111
6.9.4.3 Russia .... 112
6.9.4.4 People’s Republic of China .... 113
6.10 Military Policy .... 113
6.10.1 Current Military Cyber Units .... 113
6.10.2 Military Uses of Cyber-warfare .... 114
6.10.3 Future of Cyber-warfare in the Military .... 114
6.10.4 Policy Questions .... 116
7 CONCLUSION .... 118
7.1 Is Cyber-warfare a threat? .... 119
7.2 The Way Forward .... 119
7.2.1 What Can Be Done Now .... 119
7.2.2 Policies for the Near Future .... 120
7.2.3 Future Research .... 121
7.2.4 Conclusion .... 121
8 APPENDIX .... 122
8.1 Policy Options .... 123
8.2 Open Letter to the President .... 128
8.3 Interview with Douglas Reeves .... 133
8.4 DHS Presidential Directive .... 136
8.5 Works Cited .... 137
0 Executive Summary
0.1 Introduction
In the United States, nearly every vital system is connected in some way to the Internet.
Originally designed to allow communication in the event of a nuclear war, the Internet could be
the next weapon to attack a society revolving around information technology. Cyber-warfare
has the potential to cause catastrophic damage to these systems in a world vastly influenced by
cyberspace.
Given this assumption, one must address the probability of various types and combinations of
cyber-attacks that could damage critical systems, as well as the options for response and
prevention. Securing these systems will require significant resources from the public and private
sector, as well as significant efforts from everyone connected to the Internet. Given its power
and influence, cyber-warfare also has potential as an effective offensive military weapon.
0.1.1 Is Cyber-warfare a Real Threat?
Many of our critical systems are not yet reliant enough on computers to make them appealing
or practical targets for attack. This means that at present a cyber-attack would be most
effective in conjunction with a traditional attack if the goal is physical damage; the more likely
consequences of a focused cyber-attack are economic and social. However, as reliance on
computers increases steadily with time, future threats will develop where current threats do
not exist, and the risk of physical damage and loss of life from a cyber-attack will increase
unless proactive policies are implemented.
0.1.2 Defining Cyber-attacks
There are three primary classes of cyber-attacks: cyber-crime, cyber-terrorism, and cyber-
warfare. If an attack is not intended to threaten national security or further a national or
ideological objective, it is considered cyber-crime.1 If it is intended to achieve a national or
ideological objective, then it is classified as either cyber-warfare or cyber-terrorism.
Cyber-terrorism refers to cyber-attacks launched by individuals or small organizations that are
intended to further political or social objectives by coercing a government or its people2.
Cyber-warfare has the same objectives as cyber-terrorism, except that it consists of cyber-attacks
launched by a national government as an act of war, just as a physical attack would be3.
1 Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly Spring 2000: 101-120. 18 Oct. 2007 <http://www.dau.mil/pubs/arq/2000arq/alford.pdf>
2 Denning, D. (2001). "Is Cyber Terror Next?" New York: U.S. Social Science Research Council, at <http://www.ssrc.org/sept11/essays/denning.htm>
3 Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly Spring 2000: 101-120. 18 Oct. 2007 <http://www.dau.mil/pubs/arq/2000arq/alford.pdf>
0.2 Tools
0.2.1 Hacking
Traditionally, the term “hacker” has simply been used to refer to a skilled computer user.4 In
recent years, this term has been seized by the media and has come to refer specifically to
malicious computer users. Due to the popularity and familiarity of the term, “hacking” will be
used in this document to refer to all forms of cyber-attacks, and “hacker” for the individuals
initiating them.
Most hackers are either financially or socially motivated, and have Internet communities
dedicated to hacking in which they can share software exploits and other methods of launching
cyber-attacks. Sometimes hackers even sell these vulnerabilities on underground auction sites.5,6
Their goals usually consist of information theft or damage to computer systems, since they can
use vulnerabilities in sensitive systems and stolen information to cripple vital computer
processes. The tools in this section are a small part of a hacker’s arsenal, but provide a
functional idea of how hackers view the systems that governments and corporations use to store
and transfer information.
0.2.2 Denial of Service
Denial of Service (DoS) attacks can disable networks or computers by overloading network
traffic, cut off communication between two computers, deny an individual user access to a
system, or disrupt service for a particular system or person. Unfortunately, DoS attacks exploit
the most basic limits of computers: they have finite memory, finite processing speed, and finite
communication bandwidth. 7
There will never be a way to fully overcome these limitations and prevent DoS attacks, since a
system can be disabled as soon as it runs out of one of these needed limited resources. DoS
attacks can disable practically any networked device, including but not limited to sensor
networks and cell phones, not just computers. A distributed DoS attack takes control of
unprotected computers, usually by exploiting systems with a known security flaw, and then uses
these computers to attack a specific target. These security flaws are usually distributed
throughout hacker communities, where hackers discuss and simplify their methods of cyber-
attack. In the past, these targets have included the DNS servers that keep the Internet
operational.8
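The distributed case described above, as an added simulation that is not part of the original report: a server with a finite pool of connection slots, a per-source connection cap as the defence, and constructed single-source versus distributed floods (all host names and numbers are made up for the example).

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional


class FiniteServer:
    """Model of a service with a finite pool of connection slots.

    max_slots: concurrent connections the server can hold (its finite memory,
               processing speed and bandwidth collapsed into one number).
    per_source_cap: most concurrent connections accepted from one source
               address, or None for no per-source limit.
    """

    def __init__(self, max_slots: int, per_source_cap: Optional[int] = None) -> None:
        self.max_slots = max_slots
        self.per_source_cap = per_source_cap
        self.active: Counter = Counter()  # source address -> open connections
        self.rejected_by_cap = 0
        self.rejected_by_exhaustion = 0

    def in_use(self) -> int:
        return sum(self.active.values())

    def accept(self, src: str) -> bool:
        """Try to open one connection from src; True if a slot was granted."""
        if self.per_source_cap is not None and self.active[src] >= self.per_source_cap:
            self.rejected_by_cap += 1
            return False
        if self.in_use() >= self.max_slots:
            self.rejected_by_exhaustion += 1
            return False
        self.active[src] += 1
        return True


def legit_service_rate(server: FiniteServer, attack_sources: Iterable[str],
                       conns_per_source: int, legit_clients: List[str]) -> float:
    """Attackers open and hold connections first; then each legitimate client
    (one connection each) tries once. Returns the fraction that got a slot."""
    for src in attack_sources:
        for _ in range(conns_per_source):
            server.accept(src)
    served = sum(1 for c in legit_clients if server.accept(c))
    return served / len(legit_clients)


def compare_scenarios() -> Dict[str, float]:
    """Three constructed scenarios against a 100-slot server and 20 legitimate clients."""
    legit = [f"client-{i}" for i in range(20)]
    one_bot = ["bot-0"]
    botnet = [f"bot-{i}" for i in range(50)]  # constructed compromised hosts
    return {
        # No per-source limit: one host holding 1000 connections starves everyone.
        "single_source_no_cap": legit_service_rate(FiniteServer(100), one_bot, 1000, legit),
        # A cap of 10 per source confines that one host to 10 slots; all clients are served.
        "single_source_cap10": legit_service_rate(FiniteServer(100, 10), one_bot, 1000, legit),
        # Distributed: 50 hosts each stay under the cap, yet 50 x 10 exceeds 100 slots.
        "distributed_cap10": legit_service_rate(FiniteServer(100, 10), botnet, 10, legit),
    }


if __name__ == "__main__":
    for name, rate in compare_scenarios().items():
        print(f"{name}: {rate:.0%} of legitimate clients served")
```

The per-source cap is exactly the kind of mitigation the text says cannot remove the underlying limit: it defeats the single flooding host but not the distributed attack that spreads its load under the cap.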
4 Raymond, Eric. The On-line Hacker Jargon File 4.4.7. 29 Dec 2003. 26 Nov 2007 <http://www.catb.org/jargon/html/index.html>
5 Naraine, Ryan. Hackers Selling Vista Zero-Day Exploit. 15 Dec 2006. eWeek.com. 26 Nov 2007. <http://www.eweek.com/article2/0,1895,2073611,00.asp>
6 Evers, Joris. Russian hackers ‘sold WMF exploit’. 3 Feb 2006. ZDNet.co.uk. 26 Nov 2007. <http://news.zdnet.co.uk/software/0,1000000121,39250232,00.htm>
7 CERT Coordination Center – Denial of Service Attacks. 4 Jun 2001. US-CERT. 30 Oct 2007 <http://www.cert.org/tech_tips/denial_of_service.html>
8 Garber, Lee. Denial-of-Service Attacks Rip the Internet. IEEE Computer. Apr 2000. 12-17.
0.2.3 Computer Viruses
Viruses are a type of unwanted software that run on a computer and are designed to self-replicate
and spread to other computers. They are characterized by the way they spread to other systems
and their effects can range from displaying an annoying message to causing massive data loss,
giving remote control of a computer, and disrupting network communication.
There is a large industry based on the development of tools like virus scanners to eliminate
viruses before they can cause damage. Virus scanners are a type of software that searches a
computer for viruses and assists in their removal, and are regularly updated to defend against
new viruses. However, hackers are constantly racing with security professionals to stay ahead of
these tools, and they have the advantage in that they can create new viruses and use them to
cause damage before the virus is discovered and the scanner is updated to detect and remove it. 9
0.2.4 Packet Sniffing
Packet sniffing is used to monitor traffic between devices on a network, and has a number of
legitimate uses. However, hackers can also use packet sniffing to obtain sensitive data packets
without penetrating a computer network’s security measures. Hackers can collect data by many
methods, including data streams between two computers, unencrypted e-mails, unsecured WiFi
networks, and network interface cards running in “promiscuous mode.” 10
These techniques can be particularly valuable to hackers on large networks, like public WiFi
access points or university networks, where a large amount of poorly secured information is
frequently transferred. Once a hacker is on a network, he can use a variety of free, open-source
packet sniffing programs to collect data packets, or “spoof” his computer’s identity on a network
to receive data that was not intended for him. However, packet sniffing is limited by non-packet
data transfers, secure programming with extra data encryption, packet sniffer detection
programs, and increased public awareness about the threat.
0.2.5 Social Engineering
Social engineering combines hacking with low-tech methods like confidence schemes, physical
surveillance, and probing emails. A confidence scheme can be used to obtain answers to
password protection questions for many major websites and email clients. Email passwords are
particularly useful targets, since many websites use password recovery systems that send the
old or changed password to the user’s email. Another technique, called “phishing”, refers to
fraudulent emails and websites designed to steal information from victims. Some hackers may
even resort to dumpster diving, since many large companies simply throw out papers containing
9 Nachenberg, Carey. "Computer Virus-Antivirus Coevolution." Communications of the ACM 40.1 (1997): 46-51.
10 Crenshaw, Adrian. A Quick Intro to Sniffers. 30 July 2007. Irongeek.com. 30 Oct 2007. <http://www.irongeek.com/i.php?page=security/AQuickIntrotoSniffers>.
information like tax records, payroll account logins and passwords, and building security alarm
codes. 11
0.2.6 SCADA Systems
Supervisory Control and Data Acquisition (SCADA) systems collect data from sensors in a
factory or infrastructure plant and can make changes remotely to optimize a process based on the
received data. These systems control a number of physical parameters, such as a conveyor belt’s
speed, a tank’s temperature and pressure, or any process which can be controlled without direct
human manipulation. As a result, hackers can infiltrate these systems and cause direct physical
effects. 12
The biggest security vulnerabilities of SCADA systems are in their original design—most
systems currently in use were designed twenty or more years ago, and are unsecured because
they did not account for the emergence of corporate networks. Because they were not intended
to be networked, most SCADA systems being used in critical infrastructure are not properly
secured and have multiple entry points that can be exploited. 13
Moreover, security systems of corporate networks, through which hackers can reach the SCADA
systems, are often improperly implemented. As a result, many serious cyber-incidents involving
SCADA systems have already occurred, including one in Australia in which a former water
company employee drained millions of gallons of sewage into parks and rivers, and one in which
a 12-year-old boy accidentally gained control over the Roosevelt Dam’s floodgate controls.14
0.3 Targets
As the entire world continuously becomes more connected through the Internet, the threat of
cyber-attacks has become an issue that should not be ignored. Our nation’s cyber-security is
something that must be fixed because cyber-attacks can be performed by any
individual, group, or government. The difficult aspect of protecting ourselves is that cyber-
warfare targets are not limited to governmental agencies and the military; they also include global
corporations, public utilities, and transportation systems.
Because the United States is so dependent on its critical infrastructure (Internet, power, et
cetera), it is absolutely critical that the government makes securing our cyberspace a top priority.
11 Grifter. Dumpster Diving – One Man’s Trash… Hack In The Box. 2002. 26 Nov 2007. <http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=6388&mode=thread&order=0&thold=0>
12 Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.
13 Understanding SCADA System Security Vulnerabilities. Riptech. 2001. 1-5. 23 Oct. 2007 <http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf>.
14 Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007 <http://www.securityfocus.com/news/502>.
Before policy options can be discussed, we must first review potential threats to and
vulnerabilities of our systems.
0.3.1 Military and Government
Because the government and military keep the United States running, they are an
obvious target for cyber-attack. Over the past decade, several data theft attempts have been
documented in which hackers broke through network defenses searching for critical
governmental and military documents. One such attack, known as “Moonlight Maze,” resulted
in troop structures and base configurations being stolen from the Pentagon.15 This example
demonstrates the severity of our military’s cyber-security issues.
Another form of cyber-attack that concerns the military is the battlefield attack. Although the
threat on the front lines is limited, hackers could infiltrate command and control systems in the
rear and give false commands or send incorrect troop information, leading to an ambush. 16
Therefore, due to the potential harm that can be done if the military’s communication system
were infiltrated, cyber-defenses in this realm must be improved.
0.3.2 Financial Systems
The biggest threat to our nation’s financial systems comes from terrorist organizations that have
no current interest in the welfare of the United States economy. Osama bin Laden made his
goals very clear in 2001 when he stated:
If their economy is destroyed, they will be busy with their own affairs rather than
enslaving the weak peoples. It is very important to concentrate on hitting the U.S.
economy through all possible means. 17
From his comments, and the fact that over half of all cyber-attacks in 2001 targeted financial
systems,18 the need to secure our banking and credit unions from cyber-attack is clear.
Financial service providers have historically had a reputation for protecting clients’ critical data
and financial assets, but current vulnerabilities in electronic financial transfer systems threaten to
expose those assets and information to cyber-attack. For example, money transfers made
through wireless Internet or cell phones can be intercepted, and the fiber optic cables that enable
transfer of financial data around the world can be tapped without detection.
15 “Cyber-war!” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
16 Krebs, Brian. “Cyber war games test future troops.” Washington Post: April 23, 2003.
17 Pethokoukis, James. “Capital Commerce: So How Goes Bin Laden’s War on the U.S. Economy?” September 11, 2007.
18 Glaessner, Thomas. “Electronic Security: Risk Mitigation In Financial Transactions.” The World Bank: 2002.
0.3.3 Critical Infrastructure
America’s critical infrastructure is one of the most vulnerable structures to cyber-attack in our
nation. Systems such as power grids, communications, and emergency response are linked
through thousands of miles of Internet lines, making it almost impossible to secure the entire
network. 19
The threat of infrastructure attack was realized in 2001 when the FBI discovered that cyber-
intruders were researching utilities, government offices, and emergency systems of cities all over
the country. This discovery became even more terrifying when, a few months later, American
intelligence agencies seized Al Qaeda laptops and found what appeared to be a “broad pattern of
surveillance of U.S. infrastructure.” 20
If an attacker successfully hacked into a power utility grid, they could potentially shut
down plants, and even break power generators. Although they would not be able to take out the
entire power grid due to the redundancies built into the system, the attackers could shut off the
power in a region causing significant damage to the area’s economy. 21
Another potentially disastrous situation dealing with power utilities and communication systems
is if an opposing government used a cyber-attack in conjunction with a physical attack. This
would cause power outages and public chaos due to the inability to relay information during a
time of crisis. The government must lead research efforts to secure our infrastructures in order to
prevent and defend against cyber-attacks.
0.3.4 Transportation Systems
Transportation systems could conceivably be an appealing target to potential cyber-attackers due
to the integral role they play in the economy. Over ten percent of the United States’ gross
domestic product comes from transportation. 22
Of all the nation’s transportation systems, the aviation network currently has the highest risk of
cyber-attack due to its extensive computer networks. Other systems that can be attacked are
public transit systems and shipping networks, but their relatively low use of computer systems
keeps the potential for devastating attacks low. However, the air traffic control system for the
19 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 31. 24 Oct. 2007 <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
20 “Cyber-war!” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
21 Meserve, J. “Staged cyber attack reveals vulnerability in power grid.” CNN. 26 September 2007. 4 Oct. 2007. <http://www.cnn.com/2007/US/09/26/power.at.risk/>
22 Szyliowicz, Joseph S. (2004). International transportation security. Review of Policy Research. 21
aviation network is extremely vulnerable due to the outdated computers and defenses that are
being used. 23
Regional air traffic control centers have shut down several times in recent history, but in each
case neighboring control centers were able to handle the additional traffic load. If an attacker
were able to hack into the air traffic control computers and shut down the entire nation’s air
traffic radar or communications systems, though—something that has not happened to date—
planes would have to navigate and land without assistance, raising the risk of accident and
opening the door for some kind of conventional attack. Due to the potential worst-case damage
that could result from cyber-attacks on the aviation network, these computer systems must be
more fully secured.
0.4 Consequences
The discussion of vulnerabilities above demonstrated that the direct, physical damage
caused by a cyber-attack depends completely on the nature of the attack and its target.
While the potential economic and social consequences of an attack can also vary widely,
and are speculative in nature, evidence suggests those consequences could be as
considerable as the physical damage, if not more so.
0.4.1 Economic Consequences
Cyber-warfare incidents can be costly even when conducted by small groups of attackers. There
have been several incidents of hackers causing significant financial damage. For example, the “I
Love You” virus caused $10 billion in damage. This virus was created by a single student in
the Philippines whose PhD thesis had been rejected.
An even greater threat lies in the many critical infrastructures that could be attacked. The
transportation system is an appealing target to potential cyber-attackers due to the integral role
it plays in the economy. Transportation accounts for over 10 percent of the nation’s gross
domestic product. The recent history of conventional terrorism also suggests that cyber-attackers
may choose to target transportation systems, provided feasible opportunities exist. Eighteen of
the twenty-five major terrorist attacks from 1983 to 2001 “involved the use of transportation
vehicles as weapons, and another five involved attacks on planes.”24
Only one successful cyber-attack on the transportation system that caused significant damage or loss of life would be
needed for an impact to be felt on the economy and public perception.
A successful attack on the power grid presents the greatest economic threat among critical
infrastructures. The New York power outage that lasted only one day cost the United States an
estimated $6 billion.25 The cost of a regional power outage caused by a cyber-attack could
23 <http://www.gao.gov/new.items/d05712.pdf>
24 Szyliowicz, Joseph S. (2004). International transportation security. Review of Policy Research. 21
25 “An Analysis of the Consequences of the August 14th 2003 Power Outage and its Potential Impact on Business Strategy and Local Public Policy”. 2004. <http://www.acp-international.com/southtx/docs/ne2003.pdf>
approach one trillion dollars per month. An impact this big on the U.S. economy would affect almost
every citizen in the country.
0.4.2 Social Effects
Because there has not been, to date, a successful cyber-attack on the United States on a
large enough scale to widely affect the general population, the possible social
consequences are largely speculative.
One predictable result of a successful, or nearly successful, attack is that the public could
lose confidence in the government’s ability to protect the nation from cyber-attack.
Polling already shows a majority of the public feels the nation needs new legislation to
strengthen cyber-security,26 and experts have repeatedly warned the government to do so.27
If a massive cyber-attack occurred, the public could lose faith in the government
rapidly. If a specific private sector entity responsible for infrastructures or other critical
systems were attacked, that entity could experience a similar loss of trust.
However, data also exists to suggest that the social impacts of a cyber-attack would likely
be brief unless the attack led to considerable physical damage or loss of life. For
example, several accidents and other recent cyber-incidents have caused air traffic control
centers to shut down, but no data exists to suggest those incidents had any effect on
potential air travelers. Even in the case of September 11, the loss of demand for air travel
was greatly reduced only two years later.28 Another case in which the social impacts
might be long term would be ongoing successful attacks that may not cause considerable
physical damage or loss of life, but nonetheless could not be prevented.
0.5 National Agencies and Legislation
In recent years, several documents and laws have been created to define the
government’s role in dealing with cyber-security issues, beginning with the E-Government Act
of 2002. Since that time, several new agencies have been created to accomplish the nation’s
cyber-security objectives.
0.5.1 E-Government Act of 2002
Much of the federal government’s current policy and organizational structure to deal with
cyber-warfare was created by the E-Government Act of 2002. The Act established that
the Office of Management and Budget (OMB) was responsible for overseeing other
federal organizations’ cyber-security policies. The Department of Homeland Security
26 “Poll Shows Americans Want Congress to Do More to Protect Them Online.” Cyber Security Industry Alliance (2006): 30. 21 Oct. 2007
27 “Interview: O. Sami Saydjari.” Frontline: Cyber War! 23 Apr. 2003. PBS. 24 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/saydjari.html>
28 Ito, Harumi, and Darin Lee. Assessing the Impact of the September 11 Terrorist Attacks on U.S. Airline Demand. Dept. of Econ., Brown U. 2004. 3-24. 26 Oct. 2007
has also become responsible for coordinating many of those agencies. The E-
Government Act also outlined the roles several other organizations should fill in dealing
with cyber-security.
0.5.2 National Infrastructure Advisory Council
One organization outlined by the E-Government Act is the President’s Critical
Infrastructure Protection Board (PCIPB), now known as the National Infrastructure
Advisory Council (NIAC).29 The NIAC is designed to supply the executive branch with
the information needed to secure the information systems of critical infrastructure sectors,
and it deals with both prevention and recovery strategies. 30
0.5.3 National Strategy to Secure Cyberspace
In 2003, before its name was changed, the PCIPB published the National Strategy to
Secure Cyberspace (NSSC), a document outlining stakeholders, guiding principles, and
broad policy objectives to consider in improving the national cyber-warfare policy.
This assessment uses the broad policy objectives in the NSSC as a starting point for its
discussion of policies, but expands beyond the initial policy suggestions.
0.5.4 United States Computer Emergency Response Team (US-CERT)
Another organization established by the E-Government Act of 2002 is the United States
Computer Emergency Response Team (US-CERT), designed to protect the Internet from
cyber-attacks by promoting the communication of cyber-incidents between private and
public sector groups.
A number of initiatives to improve cyber-security information sharing are handled by
US-CERT, including the Einstein Program and several collaborative groups. US-CERT
also includes the National Cyber Security Division (NCSD), which is designed to
evaluate the risks of various attacks, determine what protective measures are needed, and
create a set of protocols to follow in response to cyber-incidents.
0.6 Policies
The success of existing cyber-security policies has been mixed, and cyber-security
remains an area in need of many new policies and programs. The key stakeholder groups
currently being considered are sound, and the concerns currently being addressed
29 Bush, George W., and Jim Turner. “E-Government Act of 2002.” The White House. 15 Nov. 2002. US Government. <http://www.whitehouse.gov/omb/egov/g-4-act.html>.
30 “National Infrastructure Advisory Council.” Department of Homeland Security. Oct. 2007. US Government. <http://www.dhs.gov/xprevprot/committees/editorial_0353.shtm>.
correspond loosely to the broad policy areas established by the NSSC. Still, much work
remains to be done to improve cyber-security.
0.6.1 National Policies
A portion of the Department of Homeland Security is dedicated to securing America from cyber-
attacks. According to the NSSC, existing national policy in this area has given the federal
government a mandate to:31
1) Prevent cyber attacks against our critical infrastructures
2) Reduce our national vulnerabilities to cyber attack and
3) Minimize the damage and recovery time from cyber attacks that do occur. Ensure the
federal government’s ability to perform essential national security missions and guarantee
the general public’s health and safety
4) Make sure that state and local governments are able to maintain order and to deliver
minimum essential public services
5) Aid in the private sector’s capability to ensure the orderly functioning of the economy
and the delivery of essential services and
6) Support the public’s morale and confidence in our national economic and political
institutions.
0.6.2 Policy Goals
Although the NSSC has been a starting point for current national policies, those policies are not
enough to protect our nation from cyber-warfare. Our policy discussion will be broken into the
following major policy areas: prevention, response, cyber-security training and awareness,
governmental cyber-security, international cyber-warfare collaboration, and military uses of
cyber-warfare.
0.6.3 Guiding Principles
In addition to meeting the above goals, several basic principles should guide future cyber-
warfare policies. For example, policies should encourage the nationwide cooperation of private
and public sector groups, strengthen rather than infringe upon personal privacy, and avoid mass
regulation wherever practical. Also, policies should be flexible enough to adapt to the
ever-changing nature of cyber-warfare.
Several social considerations exist with regard to cyber-warfare policies. One is the loss of
privacy in cyberspace; another is the censorship of the Internet which would occur if the
government began to block certain websites. These privacy concerns make the cooperation of
public and private sector entities even more essential.
31 “National Policy and Guiding Principles.” National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.
0.6.4 Stakeholders
American citizens and organizations are the primary stakeholders with regard to national cyber-
warfare policy. That said, virtually everyone can be considered a stakeholder, either for their
direct use of the Internet or for their reliance on the critical infrastructures that depend on
computer systems. The NSSC describes five specific stakeholder groups: home and small
business computer users, large enterprises such as corporations and universities, critical sectors
and infrastructures, the nation as a whole, and the international community.32
0.6.5 Policies of Prevention
While the government is taking steps to improve collaboration between groups in the response to
cyber-attacks, much of the task of actually preventing cyber-attack is still in the hands of the
private sector.
One of the most effective means of preventing cyber-attacks is to effect a widespread change in
behavior among systems administrators; for example, if they kept their computer systems up-to-
date with the latest security patches, a major vulnerability would be reduced. Many tools exist to
safeguard against cyber-attacks, such as antivirus programs and firewalls, but they are optional
purchases and are not available for many less standardized computer systems. Similarly, there
are many different competing cyber-security certification programs and no uniform process for
licensure or certification. Also, software and hardware makers are not legally required to include
security features of any kind in their products.
One controversial policy option would be to require by law that all computers be secured in
specific ways; however, such a law would need to be abstract enough to accommodate the
evolving nature of threats and should balance added security with added costs. Another is to hold
software producers and systems administrators responsible for damage caused by their products
or systems; again, the added cost of production and maintenance must be weighed. Also, a
uniform process for cyber-security licensure and certification could be created to ensure a
standardized level of cyber-security knowledge.
One distinct area to consider is the prevention of cyber-attacks on infrastructure systems. A
policy option in this area is to regulate a minimum level of cyber-security for all components of
the national infrastructure, because one weak link can allow an attack to damage entire areas of
infrastructure.
0.6.6 Policies of Response
It is difficult to identify and apprehend cyber-attackers. Because of this, legal action against
them is typically handled at the federal level. However, numerous case studies exist to suggest
that the sentences given to convicted cyber-attackers are not nearly severe enough to match the damage
32 “National Policy and Guiding Principles.” National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.
caused by attacks. Accordingly, one policy option is to increase minimum and maximum
sentencing guidelines for cyber-attackers, and to pursue longer sentences more vigorously.
The National Cyberspace Response System is the current strategy to handle responses to cyber-
attacks. This response system includes analysis of cyber-attacks, communication of warnings
when a cyber-attack might be repeated or may spread, reporting and classification of incidents,
and recovery from a cyber-attack.33
Several recent exercises were organized to coordinate response efforts between public and
private sector organizations, and were reported to be successful in increasing communication
between groups.34 However, many private sector organizations worry about damage to their public
image if a cyber-incident occurs and is publicized, and others think the existing channels to relay
information are insufficient.35
New policies should define more clearly a method of communicating cyber-incidents to the
public, so the actual risks and impacts of incidents will be understood. Also, private sector
organizations could be given financial incentives for communicating reports of their cyber-
security measures and any incidents that occur. Finally, as attacks on the Internet can affect the
world as a whole, the United States should open a new dialogue with other countries to create a
uniform cyber-attack response policy.
0.6.7 Policies for Public Awareness and Training
Several programs are in place to promote public awareness of cyber-security and the cyber-
security training of IT professionals. For example, US-CERT offers e-mail bulletins to inform
the public of incidents and security tips, and the NCSD has created a website, Stay Safe Online,
to inform computer users in all sectors of ways to improve personal cyber-security practices.36
However, while some studies have shown an awareness of cyber-security concerns among
corporate IT personnel, others have shown that IT personnel fail to follow the most basic cyber-
security measures, such as reporting incidents to anyone outside the corporation.37
Because the US-CERT bulletin and Stay Safe Online have not reached high levels of public
exposure, increased federal funding for these programs is needed. Another option is to provide
financial incentives for small businesses and enterprises whose employees complete a basic
cyber-security course. A uniform licensure and certification process, as described in the Policies
for Prevention section, could help to ensure the proper level of training for IT personnel.
Another option is to create a national database of cyber-incidents that occur at critical
33 Ibid.
34 “Fact Sheet: Protecting America’s Critical Infrastructure – Cyber Security.” US-CERT. Department of Homeland Security. <http://www.us-cert.gov/press_room/050215cybersec.html>.
35 “Government Collaboration Groups and Efforts.” US-CERT. Department of Homeland Security. <http://www.us-cert.gov/federal/collaboration.html>.
36 National Cyber Security Alliance: Stay Safe Online. Retrieved October 31, 2007, from Stay Safe Online Web site: <http://www.staysafeonline.org/>
37 Gagnon, B. (2004). Are We Headed For a Cyber-09/11? The American Failure in Cyberstrategy. Conference Papers -- International Studies Association. Retrieved October 24, 2007, from Academic Search Premier database.
19
infrastructure elements and a daily cyber-security threat level indicator; these would provide an
incentive for the private sector to maintain a strong public image by preventing incidents and
would raise overall public awareness.
0.6.8 Policies for Government Cyber-security
The federal government is responsible for securing many critical institutions such as the military,
emergency services, and financial institutions from cyber-attack. Accordingly, one priority of
the government must be to protect its own computer systems. The OMB has assessed the
vulnerabilities of many computer systems within the government and has established basic
federal guidelines for agencies to follow; the guidelines must be met before an agency can obtain
funding for system upgrades.38
A process has been established by which agencies can improve security and work towards meeting those guidelines.
However, at the level of individual agencies, there is no uniform cyber-security testing procedure, and many agencies rely on outside contractors to upgrade their computer systems. While system upgrades are checked by the OMB for cyber-security measures, existing systems lack basic security measures such as password complexity requirements and security patches.
At an agency level, new policies are needed to mandate more robust passwords and more
frequent password changes; another possible measure is the creation of a physical identification
card system whereby “smart cards” would be needed to access a government computer. Also,
the IT departments of government agencies should be required to document the structure of their
computer systems and their installation of security patches.
One agency of special concern is the FAA. A mandate could be issued that future development
of the FAA’s air traffic network continue to favor decentralized, redundant control centers.
Also, the FAA (and possibly other government agencies as well) could be required to limit the
access of outside IT contractors to only the areas that directly relate to their work assignments.
Across all agencies, best-value evaluations should be used when selecting outside contractors;
the OMB could establish which contractors provide the best services and establish a certification
system. Another possible policy is that a federal “red team” of security testers be created to
periodically test the cyber-security vulnerabilities of government computer systems.
0.6.9 Policies for U.S. and International Cyber-warfare Collaboration
Because of the Internet’s worldwide presence and the interconnectedness of computer systems
around the world, the United States must enact policies to secure our own systems from attacks
originating from other countries. Of equal importance are policies for nations to work together
to secure the global cyberspace.
38 "Priority IV." The National Strategy to Secure Cyberspace. February 2003. 30 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_4.pdf>
To protect the nation from attacks originating abroad, more robust preventative and
counterintelligence capabilities must be developed; almost no true counterintelligence options
exist. Also, a better system for reporting cyber incidents to system administrators around the
nation is needed.
Many efforts have been made to influence the cyber-security efforts of other nations, including U.S. discussions with the Organization of Economic Cooperation and Development (OECD), the G-8, and the Asia-Pacific Economic Cooperation forum (APEC).39 However, there is no widely accepted international treaty or agreement to establish a global cyber-security policy, and no international network of agencies for information relay exists.
The federal government should work with other nations to adopt a set of international cyber-security standards to be followed, to ensure all international computer systems have a minimum level of security. One starting point in a global cyber-security policy could be the creation of a regional North American cyberspace "safe zone",40 in which the U.S. would work with Canada and Mexico to ensure the countries work to solve mutual cyber-security issues. Other regional alliances and unions, such as the European Union, should be encouraged to take similar steps.
In 2001, an international Convention on Cyber-crime was held and a treaty to promote
international cyber-crime collaboration was ratified by 43 countries. However, greater efforts
should be made to follow the treaty’s guidelines and to encourage more nations to sign the treaty.
Other nations have their own cyber-warfare policies that the United States can learn from. The
U.K.’s policies are similar to ours, but their legal framework to handle cyber-attackers is more
robust. Germany’s policy differs from ours in that they consider any attempt to control German
media an act of war, and they are considering whether economic cyber-warfare could be used
during a conflict with another nation. Russia considers cyber-attacks to be second only to
nuclear attacks in terms of danger, and their policy is relatively aggressive; however, they have
also made it illegal for Russian citizens to carry out a cyber-attack. China is actively developing
its offensive cyber-warfare capabilities, which demonstrates the need for international
collaboration.
0.6.10 Policies for Military Use of Cyber-warfare
One policy area not discussed in the NSSC concerns the military's policy with regard to the use of cyber-warfare against, and by, the Armed Forces. Cyber-warfare options have historically been handled by the Space Command, but in 2007 the Air Force was given that responsibility; the Computer Network Operations group (CNO) is specifically tasked with military cyber-warfare policies.41
39 "Priority V." The National Strategy to Secure Cyberspace. February 2003: 51. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
40 Ibid
41 Wilson, Clay. (2007) "CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues." 30 October, 2007. <http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>
There have been no confirmed uses of cyber-warfare by the United States military, though cyber-warfare tactics were considered and, some rumors state, used in Kosovo and Operation Iraqi Freedom.42 The federal government is also leading efforts to promote cyber-warfare education, as evidenced by a cyber-warfare scholarship program sponsored by the Department of Homeland Security and the National Science Fund.43
It is likely that the use of cyber-attacks as an alternative to conventional attacks can reduce civilian damages, because infrastructure systems could be shut down temporarily but not permanently damaged; capabilities to carry out this sort of cyber-attack should be researched. Consideration of cyber-warfare tactics should be integrated into national strategic planning and any future discussions of redefining the military's mission. One policy option is to expand cyber-warfare training within the military and at universities to make our Armed Forces more skilled at cyber-warfare tactics, should the need to use them arise. Also, a set of rules to guide our use of cyber-warfare tactics, both offensively and defensively, should be developed, along with a more clearly defined national cyber-warfare strategy. Finally, an international convention should be developed, possibly through the United Nations, to handle the legality of offensive cyber-attacks.
0.7 Conclusion
0.7.1 Is Cyber-warfare a Threat?
Our vulnerability to cyber-attacks is clear, especially when the means of attack are so readily accessible. However, the effects of these vulnerabilities are still limited, and they are best exploited only in combination with a coinciding physical attack. We do not face the doomsday that some predict, but we do have a system in need of a drastic overhaul and upgrade. With better implementation of established cyber-security practices, along with proactive research and development, we can reduce the glaring weaknesses in our cyber-defense and mitigate the vast majority of cyber threats.
0.7.2 The Way Forward
This assessment’s recommended “best policies” are divided into policies to implement
immediately, policies for the near future, and areas for future research.
42 "Cyber-war!" PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/arquilla.html>
43 Wilson, Clay. (2007) "CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues." 30 October, 2007. <http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>
The policies to implement immediately are relatively simple and no significant barriers to their
implementation exist. The government should immediately make sentencing standards for
cyber-criminals more severe, increase publicity funding for existing federal programs for cyber-
security awareness, require government agencies to document their cyber-security progress, and
expand cyber-security training within the military and at universities.
The policies for the near future may take a few years to develop. For instance, a uniform cyber-
security licensure can be created, and a more robust process can be made to test the cyber-
security of federal agencies. Policies to encourage other nations to prevent cyber-attacks can be
developed, and international cyber-security standards can be agreed upon. Cyber-warfare can be
given a greater role in national strategic and military planning. Finally, a legally binding set of
security requirements can be made for new software and hardware products.
Though it will require extensive research, planning, and diplomatic efforts, a goal should be set
to establish and ratify within ten years an international treaty creating a uniform cyber-security
policy, a framework for interagency cooperation and response, and a global network for
information sharing. In the same time period, a goal could be made to establish a cyber-warfare
equivalent to the Geneva Convention to establish rules governing military use of cyber-warfare.
Although there is never an impenetrable defense from cyber-attacks, the United States can
greatly limit the threat of cyber-warfare over time by implementing these proactive policies.
1 Introduction
It is difficult to grasp how reliant the United States has become on computers and the networks
that connect them. The Internet and computer networks are absolutely vital to a functioning
electric power grid, a consistent water supply, nearly all communications networks, many
transportation systems, key financial systems, public health systems, postal service, government
and defense, and many other systems that support our nation. The Internet, originally designed
to allow communication in the event of a nuclear war, could be the next weapon to attack a
society revolving around information technology.44
Cyber-warfare indisputably has the potential to cause catastrophic damage to these systems in a
world vastly influenced by cyberspace. Given this assumption, one must address the probability
of various types and combinations of cyber-attacks that could damage critical systems, as well as
the options for response and prevention. Securing this nervous system will require significant
resources from the public and private sector, as well as significant efforts from everyone
connected to the Internet. Given the power and influence of cyber-warfare, there are also
possibilities of cyber-warfare as an effective offensive weapon that must be considered.
1.1 What Is at Stake?
The worst-case scenario of cyber-warfare would involve a combination of cyber-attacks and
physical attacks. However, to get an idea of the potential scale of cyber-attacks, consider this
hypothetical situation.
It is a sunny weekday in Chicago. A few days earlier, a terrorist organization hacked into the federal government's electronic shipping manifest system. The terrorists found a shipment of nuclear material, intercepted the truck, and stole its contents. They then loaded this nuclear material, along with a detonator, onto a chartered plane at a local airstrip.
Simultaneously, the terrorist organization hacks into the regional power grid and FAA computer systems. Once in the power grid, they gain control over a key power generator and force it out of its natural oscillation, which destroys the generator and crashes the power grid in the greater Chicago area. In the FAA system, the hackers knock out the radar systems in the area and delete all recorded flight plans in the region.
The chartered plane, already in the air near Chicago, uses the immediate confusion to fly into restricted airspace directly over the heart of the city and detonates in mid-air, raining nuclear material down over the entire city.
Lastly, the terrorists hack into the SCADA system controlling Chicago's water treatment facilities. Through a series of commands, they route millions of gallons of untreated wastewater into the Chicago River, destroying the water quality and ecosystems downriver. Ultimately, the water flows into the Mississippi River.
All told, these terrorists rained radiation onto nearly 3 million residents, and required the entire area to be evacuated until the federal government could determine the radiation levels, and either begin a clean-up program or abandon the city entirely. The mixture of sewage and the threat of radiation flowing down the Mississippi River creates panic all along the river basin, which includes St. Louis, Memphis, and New Orleans. Power in the region is significantly damaged, requiring new generators to return to pre-attack output level, straining surrounding systems and potentially knocking them offline as well. The cost in lives and dollars is unknown, but far higher than any attack on US soil.
44 Global Society: Journal of Interdisciplinary International Relations. Jan 2003, Vol. 17, Issue 1, p. 89 (9 pp.)
1.2 Is Cyber-Warfare a Real Threat?
While it is highly unlikely that a terrorist organization could currently coordinate an attack as
massive and complex as the scenario described above, each component of the scenario is more
realistic by itself. Each component has either been described as a possibility by the United States
government or private-sector entities, or has been shown to be possible by actual cyber-incidents.
Is cyber-warfare a real threat? The immediate answer is that cyber-warfare is real enough that it
cannot be ignored, although the scope and magnitude of this threat varies across different areas
of key infrastructure. Even in cases where the current threat is limited, the threat will increase in
the future.
Some critics of this conclusion rely on the history of cyber-warfare.45 To date, there have been no successful large-scale cyber-attacks on the United States that have brought significant economic or social damage on a national scale. Many professionals in this group of skeptics contend that terrorist organizations are not capable of catastrophic cyber-attacks.46 These skeptics are also comfortable with nation-states who have cyber-warfare capabilities because there is currently not a strong motive to use their resources aggressively. While nation-states do not currently have an interest in engaging in a large-scale cyber-war, the majority of cyber-attacks against the United States government are believed to be sponsored by other nations. There is also evidence that international terrorist organizations are actively recruiting and training specialists to adapt their operations to the cyber world.
After the horrific attacks on September 11, 2001, reports repeatedly claimed that crashing commercial airliners into large buildings was an attack method that no one could have predicted. These reports did not take into account al-Qaeda's attempt to crash an Airbus A300 into the Eiffel Tower in 1994 before French Special Forces stormed the plane.47 In 1994, the CIA prevented a plot to crash a plane into CIA Headquarters in Langley, Virginia.48 Ramzi Yousef was arrested in 1995 in the house of a family member of Osama bin Laden with plans for a suicide bombing of CIA headquarters and the explosion of eleven other U.S. commercial jets as they approached airports.49 The Federal Research Division warned in 1999 that "Suicide bomber(s) belonging to al-Qaida's Martyrdom Battalion could crash-land an aircraft packed with high explosives (C-4 and Semtex) into the Pentagon, the headquarters of the Central Intelligence Agency (CIA), or the White House."50 Because there were no previous successful attacks similar to those that occurred on September 11, 2001, America was unprepared and utterly shocked. A similar rationale is being applied to the possibilities of cyber-warfare. Evidence will be revealed in our research that cyber-warfare could be another catastrophe waiting to happen, and the government must take proactive measures to prevent another enduring loss. There are warning signs that terrorist organizations such as al-Qaeda are developing cyber-warfare capabilities, as well as clear signals that foreign nations are preparing for a future cyber war. There are clear warning signs—as this assessment will show—that the United States of America is vulnerable to cyber-attacks.
45 Laprise, John. IEEE Technology & Society Magazine. Vol. 25, Issue 3, pg. 28.
46 Ibid
47 "Profile: Eiffel Tower. December 24, 1994: Al-Qaeda Connected Militants Attempt to Crash Passenger Jet into Eiffel Tower." Cooperative Research. <http://www.cooperativeresearch.org/entity.jsp?entity=eiffel_tower>
48 Favish, Allen J. "Clinton and 9/11." FrontPageMagazine.com. Tuesday, October 14, 2003. <http://www.frontpagemag.com/articles/Read.aspx?GUID={245984FA-D9DF-46E9-8EF3-7B5259A51C0D}>
49 Wren, Christopher S. "Plot of Terror in the Skies Is Outlined by a Prosecutor." The New York Times. May 30, 1996. <http://query.nytimes.com/gst/fullpage.html?res=9F01E1DD1E39F933A05756C0A960958260&sec=&spon=&pagewanted=all>
1.3 Defining Cyber-attacks
Before we can begin to assess cyber-crime, cyber-terrorism, and cyber-warfare, we must first differentiate between these concepts in order to establish the scope that each covers. There are many nuances between the three, including the scale of the cyber-attack and the objectives that it is intended to achieve. Defense Acquisition University classifies any cyber-attack that is not intended to threaten national security or further operations against national security as cyber-crime.51 Cyber-terrorism, on the other hand, refers to cyber-attacks launched by individuals or small terrorist organizations that are intended to further political or social objectives by coercing a government or its people.52 Cyber-warfare has the same objectives as cyber-terrorism, except that it consists of cyber-attacks launched by a national government as an act of war, just as a physical attack would be.53
One important distinction is that to be considered an act of cyber-terrorism or cyber-warfare, a
cyber-attack must be an intentional operation against national security. An unintentional attack
on national security, such as that of an inept hacker, is considered cyber-crime as long as the
intent of the attack is self-serving, and not intended to further a national or ideological objective.
However, that is not to say that these unintentional attacks on national security cannot be as
harmful as cyber-warfare and cyber-terrorism, and for the purposes of this assessment, they will
be treated the same way. While cyber-crime is a major problem in the US and many other
countries, this assessment is concerned primarily with the effects of large-scale cyber-attacks on
national security, and how the United States can be best prepared to both defend against and
potentially execute them.
50 Hudson, Rex A. The Sociology and Psychology of Terrorism: Who Becomes a Terrorist and Why? September, 1999. A Report Prepared under an Interagency Agreement by the Federal Research Division, Library of Congress. <http://www.fas.org/irp/threat/frd.html>
51 Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly Spring 2000: 101-120. 18 Oct. 2007 <http://www.dau.mil/pubs/arq/2000arq/alford.pdf>
52 Denning, D. (2001). "Is Cyber Terror Next?" New York: U.S. Social Science Research Council. <http://www.ssrc.org/sept11/essays/denning.htm>
53 Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly Spring 2000: 101-120. 18 Oct. 2007 <http://www.dau.mil/pubs/arq/2000arq/alford.pdf>
2 Tools for Cyber-Attacks
2.1 Hacking
Hacking is a blanket term that has been seized by the media. Traditionally, a "hacker" has simply been a skilled computer user.54 A number of other terms, including "cracker", refer specifically to the malicious computer users who usually garner the attention of the media. Due to the popularity and familiarity of the term, "hacking" will be used in this document to refer to all forms of cyber-attacks, and "hacker" for the individuals initiating them.
Hackers are usually either socially or financially motivated. The Internet has given hackers a community in which to share their exploits, in both senses of the word, and to suggest new avenues of attack. Often, a newly found vulnerability will generate a flurry of activity in a hacking community, with different groups or individuals competing to be the first to distribute a new exploit. Alternatively, there are many documented cases where hackers discovered vulnerabilities in popular software and operating systems and offered to sell these finds on underground auction sites.55,56 These motivations are in addition to the motivation of theft through fraud and identity theft.
Hackers' primary goals typically consist of either information theft or damage to computer systems. Procured sensitive information can be the gateway to various forms of fraud, such as identity theft, or to vulnerable systems such as SCADA systems. Hackers use common vulnerabilities in sensitive systems, and even the aforementioned stolen information, to cripple vital processes and functionality. With regard to cyber-warfare, possible targets include classified data and a bevy of vital systems with control over communication and infrastructure.
The tools outlined in this section are only a small view of a hacker’s arsenal, but they have been
defined because awareness is the first step to eliminating the vulnerabilities they create, and they
offer something of an idea of how hackers view the systems that governments and corporations
use to store and transfer information.
2.2 Denial of Service Attacks
A "Denial of Service" attack, or DoS attack, is one of many methods employed by participants in cyber-warfare to cause damage. The damage caused by such an attack is the disabling of a computer or network. The extent of the damage is dependent upon the functions of the system being attacked; typically the attacks cause economic damage and sever communications. As organizations become more dependent on computers and the Internet, the consequences of DoS attacks become more dangerous.57 There are many specific types of DoS attack, but the common effect of them all is that legitimate users of the services provided by a system are prevented from using that system. CERT (Computer Emergency Response Team) classifies the following activities as DoS attacks:
● attempts to "flood" a network, thereby preventing legitimate network traffic
● attempts to disrupt connections between two machines, thereby preventing access to a service
● attempts to prevent a particular individual from accessing a service
● attempts to disrupt service to a specific system or person (CERT)58
54 Raymond, Eric. The on-line hacker Jargon File 4.4.7. 29 Dec 2003. 26 Nov 2007 <http://www.catb.org/jargon/html/index.html>
55 Naraine, Ryan. Hackers Selling Vista Zero-Day Exploit. 15 Dec 2006. eWeek.com. 26 Nov 2007. <http://www.eweek.com/article2/0,1895,2073611,00.asp>
56 Evers, Joris. Russian hackers 'sold WMF exploit'. 3 Feb 2006. ZDNet.co.uk. 26 Nov 2007. <http://news.zdnet.co.uk/software/0,1000000121,39250232,00.htm>
The DoS attack takes advantage of the most basic limits of computers: finite memory, finite processing speed, and finite communication bandwidth. These limits, while rapidly growing, will always remain finite and cause problems when attackers manage to exhaust them. Once a computer runs out of a limited resource that it needs to function, the system becomes disabled, and can stay disabled for a wide range of time, depending on the style of DoS attack used and the determination of the attacker.
In addition to consumption of the scarce resources of computers, Denial of Service can also be
achieved by altering or destroying configuration files needed by a system, or even through
physical destruction of components. Any device that communicates with a computer and is
accessible through a network is vulnerable. The embedded computers that are present in many
electronic devices have the same limits and vulnerabilities to DoS attacks as the common
desktop systems, especially the ones that are connected to the Internet constantly. It is dangerous
to assume that a device that does not look like a typical desktop computer cannot be a target, or
that potential attackers will be unable to communicate with a device. Any computer-based
system that can be communicated with remotely, and would have negative consequences if
authorized users of the system were prevented from using it, can possibly be damaged by a
Denial of Service attack.
2.2.1 Vulnerabilities
Owners of computer systems often underestimate their vulnerabilities and fail to consider taking
measures to prevent or respond to DoS attacks. A common assumption is that the system does
not communicate to remote devices enough to be affected, or that only popular web shopping
sites suffer from this attack. Individuals can also be targeted in addition to organizations,
potentially cutting off a person's communication completely. A wide variety of machines rely on
networks to function, which are not necessarily public web sites, though the web based incidents
tend to be the most visible.
57 Moore, David et al. Inferring Internet Denial of Service Activity. ACM Transactions on Computer Systems. Vol. 24, No. 2, May 2006, 115–139.
58 CERT Coordination Center – Denial of Service Attacks. 4 Jun 2001. US CERT. 30 Oct 2007 <http://www.cert.org/tech_tips/denial_of_service.html>
2.2.2 Sensor Networks
Sensor networks are an example of a class of practical devices that Denial of Service can target
to cause harm. Various sensor devices are used to protect and monitor military, environmental,
and other safety-critical infrastructures and resources. The failure of certain sensors can
potentially cause physical damage to people. Machines exist that can record and transmit data on
many different environmental properties, and are increasingly reliant on computers to function.
These new sensor networks are often found replacing older systems where machinery was more
confined to a limited and controlled environment. Systems of sensors communicate over a
network with a computer which processes the data acquired by the devices and acts on the
information appropriately. It is easy to imagine sensor networks forming warning systems and
becoming part of military scenarios.
With new advances in technology, sensor networks are finding many new applications and becoming smaller and cheaper, though many still use them under the assumption that they still operate in their old enclosed environments. The design of many sensor devices does not take security into consideration, allowing intelligent adversaries to hinder the usage of often critical information.59
Mobile devices like PDA's and cellular phones are also valid targets for DoS attacks. A mobile
device can be remotely shut off, have its communications channels flooded, or be made to drain
its battery power. Many devices can be crashed and made to shut off by sending specific pieces
of data. Because phones and PDAs are small and weak compared to typical computers,
overwhelming them with more messages than they can handle is not difficult to accomplish.
Battery exhaustion techniques are a style of DoS attack unique to mobile devices. It is possible to
feed data to a mobile device that forces its power to drain faster, such as repeatedly requesting a
connection to the device, even if the connection is always denied. Portable wireless devices have
become popular and widely depended upon in society. As mobile devices replace older
technologies, many inappropriate assumptions from those old technologies are still applied to the
new, which can cause the risk of a DoS attack to be neglected.60
2.2.3 Denial of Service on the Internet
Denial of Service attacks on different systems have been happening for decades, but have not gained much attention until the first "Distributed Denial of Service" attacks, or DDoS attacks, started happening against computers connected to the Internet. DDoS attacks are different from regular DoS attacks in that the target is brought down by many networked computers working together. Regular DoS attacks on the Internet were not seen as a large threat because detecting an attack and blocking it was relatively simple. Malicious messages would come from a specific computer, which could be traced and banned from communication. Distributed DoS attacks were first noticed in 1999, which employed hundreds of computers in bringing down a target system, and presented new challenges to computer security experts.61
59 Wood, Anthony & Stankovic, John. Denial of Service in Sensor Networks. IEEE – Computer. Oct 2002. 54-62
60 Dagon, David. Mobile Phones as Computing Devices: The Viruses Are Coming! IEEE – Pervasive Computing. Oct – Dec 2004. 11-15
Typically, when a target is bombarded with messages from hundreds of machines at the same
time, it is forced to shut down for several hours. The sources of the messages are then tracked
and blocked. Sites on the Internet can potentially have huge capacities for speed and memory,
which require a skillful manipulation of larger numbers of computers in order to be shut down.
Though some targets have a huge capacity, they remain vulnerable due to the ways attackers
have adapted their techniques.
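The contrast drawn above, between a flood from one traceable machine and the same volume spread over many, can be made concrete with a small detector. The following is an added example, not code from the report or its authors: the traffic, the 10-second window, the per-source cap of 5 and the baseline of 6 requests per window are all constructed assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed sample traffic (not taken from the report). Each event is
# (second_offset, source_ip); three ordinary clients each send one request
# every 5 seconds for a minute, and the attack traffic differs by scenario.
def constructed_traffic(scenario):
    events = []
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        events += [(t, ip) for t in range(0, 60, 5)]
    if scenario == "single":
        # classic DoS: one machine sends 60 requests in the first 10 seconds
        events += [(t % 10, "203.0.113.9") for t in range(60)]
    elif scenario == "distributed":
        # DDoS: 30 compromised hosts send 2 requests each in the same 10 seconds
        for k in range(30):
            ip = f"198.51.100.{k + 1}"
            events += [(k % 10, ip), ((k + 5) % 10, ip)]
    return sorted(events)


def _peak_in_window(times, window):
    """Largest number of (sorted) timestamps that fall within `window` seconds."""
    start, peak = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] >= window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def per_source_offenders(events, window=10, max_per_source=5):
    """Per-source rule: flag any IP that sends more than max_per_source
    requests within any `window`-second span (assumed thresholds)."""
    by_ip = defaultdict(list)
    for t, ip in events:
        by_ip[ip].append(t)  # events are sorted, so each per-IP list is sorted
    return {ip for ip, times in by_ip.items()
            if _peak_in_window(times, window) > max_per_source}


def aggregate_alarm(events, window=10, baseline=6, factor=4):
    """Aggregate rule: compare the busiest `window`-second span against the
    expected baseline (6 requests per 10 s from the three ordinary clients).
    Returns (alarm_raised, peak_requests_in_window)."""
    peak = _peak_in_window([t for t, _ in events], window)
    return peak > baseline * factor, peak


if __name__ == "__main__":
    for scenario in ("none", "single", "distributed"):
        ev = constructed_traffic(scenario)
        print(scenario, "per-source offenders:", per_source_offenders(ev),
              "aggregate alarm:", aggregate_alarm(ev))
```

The per-source rule names the single attacking machine and misses the distributed flood entirely, while the aggregate rule fires in both cases but cannot say which sources to block, which is the gap the paragraph above describes.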
One of the most significant DDoS attacks happened in February 2000, during which several of the world's most frequently used web sites including Yahoo, Amazon, Buy.com, CNN, eBay, ZDNet, E Trade, and Excite were made inaccessible to Internet users. Many victims of the DDoS attack opted not to admit being attacked in order to avoid bad press and prevent copycats. These large shopping sites lose large amounts of money when they are not operational, and threaten the confidence in the online economy. This DDoS attack was so severe that Internet speed worldwide was slowed down.62
2.2.4 Executing a Distributed DoS Attack
The method used to commit a DDoS attack like the incident in 2000 is twofold. First, the
attacker must gain control over a team of computers, building a “botnet” or accumulating
"zombies." Usually the process of seizing control over Internet connected computers is an
automated process. An attacker discovers a flaw in the security of many systems, and performs a
scan on large pieces of the Internet, which finds the specific systems that contain the desired
security flaw. Computers connected to university networks or other fast and persistent
connections make ideal zombies because they can send the attack data faster than most systems
on the Internet. It is possible for attackers to probe the Internet for potential botnet computers in
such a way that even recently connected systems can be found and controlled before their owners
tell anybody that they exist. People all over the planet are constantly scanning large parts of the
Internet to the point that it is almost inevitable that every system will be probed by a potential
attacker, even if nobody knows about the system.63
Once a set of vulnerable systems is found, the attacker uses an automated tool known as an
“exploit” in order to gain control of the systems. The attacker then destroys the evidence that
could be used to identify the source of the attack, and installs tools that allow the system to
be commanded remotely and anonymously. To form the attack group, the attacker assigns one
machine as the master, while the rest of the set act as daemons under the master system's
command. With a team of computers under the attacker's control, usually unknown to the actual
owners of the breached systems, the attacker can then give the signal to the master system, which
starts an attack on a specific target. The following diagrams illustrate the process of forming a
botnet and attacking a system. In the first picture, the DDoS master (blue computer) reaches out
to the compromised systems (magenta computers). Upon command of the DDoS master, the
compromised computers flood the victim computer (red computer) and overload the system.
Figure 2.1: Botnet Diagram.[64]
[61] Kessler, Gary. Defense against Distributed Denial of Service Attacks. Nov 2000. 30 Oct 2007. <http://www.garykessler.net/library/ddos.html>
[62] Garber, Lee. Denial-of-Service Attacks Rip The Internet. IEEE Computer. Apr 2000. 12-17.
[63] Know Your Enemy: Tools and Methodologies. 21 Jul 2000. 30 Oct 2007. <http://www.honeynet.org/papers/enemy/index.html>
There are several types of attack that are used to bring down systems in different ways. One
common type is known as a UDP flood, during which the team of computers sends generated
characters to their target and requests that they be repeated back. The volume of data coming
into the target system becomes so great that it uses all of its resources to receive the dummy
messages and respond to them, to the point that the target system is unable to spare enough
time to handle legitimate uses.
[64] Kessler, Gary. Defense against Distributed Denial of Service Attacks. Nov 2000. 30 Oct 2007. <http://www.garykessler.net/library/ddos.html>
Another common type of attack is called a SYN flood, which takes advantage of the finite
memory that the target uses to remember who it is communicating with. Computers on the
Internet are able to initiate transfers of large amounts of information, but must first negotiate a
few details before the information can be exchanged. In a SYN flood attack, each of the attack
systems initiates many bogus connections with the target system, forcing the victim to fill up its
memory with the false connection information. Once the target's memory is full, it is no longer
able to set up the connections it needs to communicate with its true users.
In addition, there is a style of attack known as the “smurf”, which is executed by sending a
large number of computers a “ping” message but forging the return address, so that each pinged
system sends its reply to a victim system, overwhelming it with information until it cannot
process valid requests. A “ping” is a message used by computers to check that they can still
contact each other: one computer sends and the other replies, so that the sender knows the
network is working correctly. When used for an attack, a ping message is sent with a forged
sender, so that the receiver directs its reply to the target chosen by the attacker rather than to
the true source of the message. This final type of attack is unique in that the team of computers
does not need to be breached by the attacker and fully controlled, because ping messages are a
standard service present on most computers. The messages sent are small compared to other
types of attacks, making “smurf” style DoS attacks less dangerous than the flooding
techniques.[65]
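Each of the three flood patterns above leaves a characteristic trace in connection records, which is what the intrusion detection systems discussed in section 2.2.9 look for. The following Python detector is an added example, not part of the original report: it reads constructed traffic records in an assumed one-line format and flags a SYN flood (many half-open handshakes to one host), a UDP flood against the echo service, and smurf-style reflection (echo replies arriving at a host that never sent the requests).

```python
import re
from collections import Counter

# Constructed record format, assumed for this example (not a real tool's output):
#   "<time> <PROTO> <src_ip>:<src_port> > <dst_ip>:<dst_port> <info>"
# For TCP, <info> is the flag string (S = SYN, SA = SYN/ACK, A = ACK);
# for ICMP, <info> is the message type (8 = echo request, 0 = echo reply).
LINE_RE = re.compile(
    r"^(?P<time>[\d.]+) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) (?P<info>\S+)$"
)
UDP_ECHO_PORT = "7"       # RFC 862 echo service: whatever arrives is sent straight back
ICMP_ECHO_REQUEST = "8"
ICMP_ECHO_REPLY = "0"

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def detect(lines, half_open_limit=5, udp_limit=5, reply_limit=5):
    """Return sorted (alert, victim_ip, count) tuples for the three flood patterns."""
    handshakes = {}          # (src, sport, dst, dport) -> did the client ever finish?
    udp_echo = Counter()     # victim -> UDP packets aimed at its echo port
    pings_sent = set()       # (requester, target) pairs seen as echo requests
    unsolicited = Counter()  # victim -> echo replies it never asked for
    for r in parse(lines):
        src, dst = r["src"], r["dst"]
        if r["proto"] == "TCP":
            key = (src, r["sport"], dst, r["dport"])
            if r["info"] == "S":
                handshakes.setdefault(key, False)
            elif r["info"] == "A" and key in handshakes:
                handshakes[key] = True       # client's final ACK: the connection is real
        elif r["proto"] == "UDP" and r["dport"] == UDP_ECHO_PORT:
            udp_echo[dst] += 1
        elif r["proto"] == "ICMP":
            if r["info"] == ICMP_ECHO_REQUEST:
                pings_sent.add((src, dst))
            elif r["info"] == ICMP_ECHO_REPLY and (dst, src) not in pings_sent:
                unsolicited[dst] += 1        # reply to a ping the "victim" never sent
    half_open = Counter(dst for (_, _, dst, _), done in handshakes.items() if not done)
    alerts = []
    alerts += [("SYN_FLOOD", v, n) for v, n in half_open.items() if n >= half_open_limit]
    alerts += [("UDP_ECHO_FLOOD", v, n) for v, n in udp_echo.items() if n >= udp_limit]
    alerts += [("SMURF_REFLECTION", v, n) for v, n in unsolicited.items() if n >= reply_limit]
    return sorted(alerts)

def sample_trace():
    """Constructed traffic records: benign traffic first, then the three attack patterns."""
    lines = [
        # Legitimate client completes its handshake with the web server.
        "1.000 TCP 198.51.100.7:40000 > 192.0.2.10:80 S",
        "1.001 TCP 192.0.2.10:80 > 198.51.100.7:40000 SA",
        "1.002 TCP 198.51.100.7:40000 > 192.0.2.10:80 A",
        # Legitimate ping exchange: request from 192.0.2.20, reply back to it.
        "1.100 ICMP 192.0.2.20:0 > 198.51.100.9:0 8",
        "1.101 ICMP 198.51.100.9:0 > 192.0.2.20:0 0",
    ]
    for i in range(6):   # SYN flood: six sources open connections and never finish them
        lines.append(f"2.{i:03d} TCP 203.0.113.{i + 1}:5000 > 192.0.2.10:80 S")
        lines.append(f"2.{i:03d} TCP 192.0.2.10:80 > 203.0.113.{i + 1}:5000 SA")
    for i in range(6):   # UDP flood aimed at the echo service of 192.0.2.11
        lines.append(f"3.{i:03d} UDP 203.0.113.{i + 1}:6000 > 192.0.2.11:7 junk")
    for i in range(6):   # smurf: hosts answer pings that 192.0.2.12 never sent (forged source)
        lines.append(f"4.{i:03d} ICMP 203.0.113.{i + 1}:0 > 192.0.2.12:0 0")
    return lines

if __name__ == "__main__":
    for alert in detect(sample_trace()):
        print(*alert)
```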
2.2.5 Hacking Communities
Gathering groups of compromised systems for committing DoS attacks and engaging in other
forms of Internet-based disruption has grown into a widespread activity. Hackers have formed
groups which allow them to develop skills, align themselves with different interests, and conduct
cyber-warfare. Many hacker groups are based on ideology or loyalty to a country, but diverse
hacker teams containing members from all over the planet are also common. In these
communities, hackers can be found bragging about their achievements, making demands,
exchanging attack techniques, and even selling access to breached computers and stolen credit
cards. Usually, these hacking groups are passionate private citizens operating without the
instruction of any government, though some governments are criticized for encouraging the
activities of these groups.[66]
Understanding how these communities work helps the effort to deal with their threats. Often, a
hacker will discover a vulnerability that is likely to be present in many computers, and will use
chat rooms and bulletin services to publish that information to others. Hackers quickly develop
scripts which can be traded and executed to take advantage of security flaws and seize control
over the vulnerable systems. Often, groups develop programs which automate and simplify the
process of breaching a system, so that a large number of attackers who might be unfamiliar with
the details of the software flaw can still use it to gain control over systems. With the help of
these communities, potential attackers do not need to develop much technical expertise, but
instead only need to know how to find exploit scripts and use tools provided by others. The
community then allows hackers to specialize in specific tools or vulnerabilities. The attack on
major websites in 2000 was conducted using a community tool known as trinoo.[67]
[65] Garber, Lee. Denial-of-Service Attacks Rip The Internet. IEEE Computer. Apr 2000. 12-17.
[66] Know Your Enemy: Motives. 21 Jul 2000. 30 Oct 2007. <http://www.honeynet.org/papers/motives/index.html>
2.2.6 Case Study - United States and China Cyber-Conflict in 2001:
When groups within the hacking community align themselves with conflicting interests,
situations can quickly evolve into “cyber-warfare”. An incident between hackers in the United
States and China happened in April of 2001, when an American spy plane and a Chinese jet
collided over the South China Sea, killing the Chinese pilot and forcing the American plane to
land in China. Once news of the incident was out, hackers from both countries began attacking
each other's systems, often breaching them and leaving messages to their enemies. The incident
attracted the attention of Wired Magazine, which described the attacks as a “private war” and
“cyber-retaliation”. The hackers from both countries were not supported by their states, but
rather were amateur computer hackers who channeled their anger over the airplane collision into
an effort to ruin foreign information services.[68][69]
The attacks were mostly against web and email servers, but also included viruses and DDoS
attacks. Two non-critical web sites maintained by the US Navy were defaced by Chinese
hackers, replacing the original pages with protests relating to the crash. A commercial American
web site was replaced with pictures of the killed Chinese pilot, the Chinese flag, and the
statement “As we are Chinese, we love our motherland and its people deeply. We are so
indignant about the intrusion from the imperialism. The only thing we could say is that, when we
are needed, we are ready to devote anything to our motherland, even including our lives.”[70]
American hackers committed similar defacements on many Chinese servers as well, including
messages taunting the Chinese and demands that China return the American plane and its
passengers. The messages that appeared on hacked Chinese sites were diverse: some criticized
the press and the US government for taking the incidents too seriously, while others made
dangerous threats. The following example of a hacked Chinese web site from the conflict
demonstrates many of the concerns raised by cyber-warfare:
Figure 2.2: Defaced Website
[67] Dittrich, David. The DoS Project's "trinoo" Distributed Denial of Service Attack Tool. 21 Oct 1999. University of Washington. <http://staff.washington.edu/dittrich/misc/trinoo.analysis>
[68] Delio, Michelle. Crackers Expand Private War. 18 Apr 2001. Wired Magazine. 30 Oct 2002. <http://www.wired.com/politics/law/news/2001/04/43134?currentPage=2>
[69] Delio, Michelle. A Chinese Call to Hack the US. 11 Apr 2001. Wired Magazine. 30 Oct 2002. <http://www.wired.com/politics/law/news/2001/04/42982?currentPage=2>
[70] Feds Warn of May Day Attacks on US Web Sites. 26 Apr 2001. CNN. 30 Oct 2002. <http://archives.cnn.com/2001/TECH/internet/04/26/hacker.warning/index.html>
With such messages appearing on hacked web sites, and attacks happening on other types of
servers as well, the National Infrastructure Protection Center issued a warning to American
networks to expect an increase in cyber-attacks from China. The incident happened during a
week which contained several dates of historical significance in China, including May Day,
Youth Day, and the anniversary of the NATO bombing of the Chinese Embassy in Yugoslavia.
Youth Day in China commemorates protests against foreign aggression, which magnified the
hostile feelings arising from the airplane collision and the cyber-conflict. Despite the
cyber-conflict, relations between the United States and China remained civil: China accepted the
United States' regrets over the killed pilot and returned the crew operating the plane, and both
governments prevented the conflict from escalating beyond cyber-space.[71]
2.2.7 Defense against DoS Attacks:
The threat of DoS attacks paralyzing computer systems, coupled with diplomatic crises like the
incident with the Chinese jet collision, has led to further consideration of what can be done to
prevent cyber-damage. Denial of Service attacks present new technical challenges for experts
attempting to protect their systems and identify offenders. Currently, a combination of
technology and human vigilance is employed to defend against DoS. DoS is an actively
researched area, with a wide variety of proposed solutions available. The costs of implementing
these solutions change dramatically with the scale of the system being defended. There are also
published suggestions that apply to Internet Service Providers and the networks that form the
core information paths on the Internet.
2.2.8 Defending Individual Systems:
The first weak point that can be improved is the common personal computer run by most of the
population. Personal computers are usually the vulnerable systems which attackers are able to
commandeer en masse and use to commit their decentralized attacks. Much to the frustration of
larger systems which depend heavily on the Internet and spend major resources protecting
themselves, large sets of commonly weak computers can still overwhelm protected systems.
Reducing the number of vulnerable systems that attackers can seize control of is possible through
several relatively simple tools and practices. Users need to keep their systems up to date. Many
software packages automate the update process so that security fixes are applied regularly, while
others require that the user regularly check the Internet for updates and download them.
Updating software can be difficult for many computer users, but improvements to the update
process can reduce the weak systems available to attackers. Another practice which can reduce
vulnerability is for users to disable software which they do not use. By running the bare
minimum of programs which attackers can communicate with and exploit, attackers will have
fewer ways to take control of remote systems and use them to cause harm. Disabling unneeded
software on a computer can also be difficult, but can be made easier if distributors of computers
package them with default settings that run few exploitable programs and automate the update
process.
[71] Feds Warn of May Day Attacks on US Web Sites. 26 Apr 2001. CNN. 30 Oct 2002. <http://archives.cnn.com/2001/TECH/internet/04/26/hacker.warning/index.html>
Software placed on personal systems can also improve protections against DoS attacks. The most
common tools of system protection are currently virus scanners and firewalls, both of which help
to reduce the number of systems which can be infiltrated. A firewall protects a system by limiting
which of its processes can communicate with the network. A system that has fewer processes
that remote users can communicate with has fewer ways by which attackers may take control of
it. Virus scanners can also be used as a way to reduce DoS attacks, because many viruses are
designed to seize control of computers and commit DoS attacks automatically. Attackers often
use mixed methods of cyber-attack, which take advantage of vulnerabilities in one area that
cascade into vulnerabilities in another. Defenses against DoS attacks thus require defenses
against other styles of computer attack, such as viruses.
2.2.9 Defending Local Networks:
At the local network level, defense can be improved by using Intrusion Detection Systems and
logging tools. Intrusion Detection Systems monitor networks for suspicious traffic and warn
administrators of possible attacks. Detection can be adjusted for specific levels of caution, but
the warnings provided by such systems require experienced administrators who know how to
respond to them appropriately. Sometimes Intrusion Detection warnings are false alarms, but the
systems are still helpful in protecting networks.[72] A variety of tools exist which log the
activity of systems, allowing administrators to notice when their systems have changed
unexpectedly, and aiding in tracing the source of attacks. Logging can also act as a deterrent to
attackers who worry about being caught. Hackers put a lot of effort into escaping detection by
tampering with activity logs, but logging tools have responded by developing more
tamper-resistant logging systems. Local networks could also be made more secure by enforcing
stricter rules on passwords, requiring that they be used and are not easily guessed.
2.2.10 Defending Extended Networks:
On the wide area network level, many solutions to attacks have been proposed, and some
solutions are already in place. Filtering at the core of the Internet, known as ingress and egress
filtering, helps to prevent attack messages from being broadcast. Ingress and egress filters work
by comparing the source and destination of data packets with maps of the network, and refuse to
forward data that could not possibly have traveled the route it is found on, which reduces the
amount of data traversing the Internet with forged source information. Changes to the core of
the Internet are seen as the last resort, because of the far-reaching effects that the changes may
have. Cooperation among the interconnected networks allows attacks to be limited more
efficiently. During a DoS attack, attacked systems work to block the data floods at their sources
by tracing the messages down the pathways and requesting that certain messages be blocked
at each intersection of the network. DoS attacks can be limited if their messages are blocked
closer to their sources, but this requires rapid response across long distances and collaboration
between business competitors.[73]
[72] Ptacek, Thomas & Newsham, Timothy. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Jan 1998. Secure Networks Inc. 30 Oct 2007. <http://insecure.org/stf/secnet_ids/secnet_ids.html>
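The route-consistency check described above can be expressed as a small filter: a packet is forwarded only if its source address is plausible for the interface it arrived on (ingress) and, when leaving toward the upstream provider, only if the source belongs to the network's own address space (egress). The Python model below is an added example, not from the report; the topology (interface names and prefixes) is constructed for illustration.

```python
import ipaddress

# Constructed topology for this example (not taken from the report): one provider
# router with two customer ports and one port toward the rest of the Internet.
UPSTREAM = "upstream"
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
# Ingress map: the only source addresses that can legitimately arrive on a
# customer port are the prefixes routed to that customer.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("192.0.2.128/25"),
               ipaddress.ip_network("198.51.100.0/24")],
}

def in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def ingress_ok(in_iface, src):
    """Could a packet with this source really have come in on this interface?"""
    if in_iface == UPSTREAM:
        # Nothing arriving from the Internet may claim an address inside our network.
        return not in_any(src, OWN_PREFIXES)
    if in_iface not in CUSTOMER_PREFIXES:
        return True          # port without an ingress map: nothing to compare against
    return in_any(src, CUSTOMER_PREFIXES[in_iface])

def egress_ok(out_iface, src):
    """Traffic we send toward the Internet must carry one of our own source addresses."""
    return out_iface != UPSTREAM or in_any(src, OWN_PREFIXES)

def route(dst):
    """Outgoing interface for dst: the customer port that owns it, else the upstream."""
    for iface, prefixes in CUSTOMER_PREFIXES.items():
        if in_any(dst, prefixes):
            return iface
    return UPSTREAM

def filter_packet(in_iface, src_text, dst_text):
    """Return ("forward", out_iface) or ("drop", reason) for one packet."""
    src, dst = ipaddress.ip_address(src_text), ipaddress.ip_address(dst_text)
    if not ingress_ok(in_iface, src):
        return ("drop", f"ingress: source {src} cannot arrive on {in_iface}")
    out_iface = route(dst)
    if not egress_ok(out_iface, src):
        return ("drop", f"egress: source {src} is not ours, refusing to send it via {out_iface}")
    return ("forward", out_iface)

# Constructed packets: (arrival interface, source, destination)
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.5", "203.0.113.9"),       # honest customer traffic to the Internet
    ("upstream", "203.0.113.9", "192.0.2.130"),   # Internet reply to customer B
    ("cust-a", "203.0.113.77", "192.0.2.200"),    # customer A forging an outside source
    ("upstream", "192.0.2.5", "192.0.2.200"),     # outsider forging one of our addresses
    ("lab", "10.0.0.1", "203.0.113.9"),           # unfiltered port: only the egress check catches it
]

def summarize(packets=SAMPLE_PACKETS):
    """Count forwarded vs. dropped packets for a batch."""
    results = [filter_packet(*p) for p in packets]
    return {"forward": sum(r[0] == "forward" for r in results),
            "drop": sum(r[0] == "drop" for r in results)}

if __name__ == "__main__":
    for packet in SAMPLE_PACKETS:
        print(packet, "->", filter_packet(*packet))
```

The last sample packet shows why both directions are filtered: a port with no ingress map lets the forged source in, and the egress rule at the upstream is what stops it from leaving the network.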
2.2.11 Case Study: Estonia DDoS Attack Attributed to Russia
In April of 2007, Estonia relocated a bronze monument of a World War II Russian soldier from
the central square of its capital city, Tallinn. The relocation of this statue enraged Russians,
started riots in Tallinn, and also incited DDoS attacks against Estonian government and banking
services. Estonia has developed a strong dependence on the Internet, and has declared Internet
access a fundamental human right. Estonia has developed what it calls the “paperless
government”, which operates largely over computer networks and allows citizens to vote online.
This Internet infrastructure has led Estonians to refer to their country as “E-stonia” and has
become a source of pride for the country.[74]
In response to the relocation of the Russian monument, attacks started against the Estonian
foreign minister's web site, then spread to include all government institutions and key businesses.
Russia was accused of launching the attack, and the Estonian Minister of Justice claimed the
attacks had been traced to computers in Moscow belonging to the Russian government.
Independent experts did not find convincing evidence that Russia orchestrated the DDoS attacks.
Estonia called for technical assistance from NATO as its banks and government services were
flooded. The attack lasted about a week, during which economic activity in the country was
slowed down and the government was without Internet communication. Eventually, Estonia had
to cut off its Internet connections with other countries so that its population could access the
needed government services. This had the side effect of making bank transactions with other
countries difficult. On defending against the attack, Marty Lindner, a senior member of the
technical staff at the Computer Emergency Response Team (CERT), said: “In the case of
Estonia, they were only targeting 12 or 13 distinct Web sites, but the collateral damage was the
national bandwidth resources. In the big scheme of things, short of getting people outside the
country to filter the attack traffic, there wasn't much somebody in Estonia could do but hold on
for the ride.” In response to the incident, the European Union began discussing possible
agreements that could help mitigate damage caused by DoS attacks.[75]
2.3 Computer Viruses
Computer viruses are a subset of malware, which is broadly defined as any unwanted and
problematic software running on a computer system. What separates a virus from other
undesirable software is that viruses are made to self-replicate and spread to other computers.
Most viruses are malicious programs written by computer hackers, though recently certain
software distributed by businesses has been classified as a virus by some sources. Computer
viruses are a thoroughly researched sector of cyber security, led mostly by companies selling
software designed to combat viruses.
[73] Chang, Rocky. Defending Against Flooding-Based Distributed Denial of Service Attacks: A Tutorial. IEEE Communications Magazine. Oct 2002. 42-51.
[74] Lesk, Michael. The New Front Line: Estonia Under Cyber Assault. IEEE Security & Privacy. Jul/Aug 2007. 76-79.
[75] Goth, Greg. The New Politics of DDoS Attacks. IEEE Distributed Systems Online. Aug 2007. 1-4.
The practice of creating and distributing viruses has existed since the mid-1980s, though sources
differ on when exactly it started due to differing opinions on what exactly constitutes a virus.
Over time, virus production has grown increasingly sophisticated, and programs have been
designed to cause a variety of negative effects. Viruses can be harmless pranks, causing nothing
more than an annoying message, but are also capable of causing massive data loss, disrupting
communication, and allowing attackers to control a computer remotely.[76]
2.3.1 Types of Viruses
As new viruses are developed, security experts have classified them into categories by their
behavior. The following terms describe subsets of computer viruses.
Traditional Virus: These programs alter existing software on a computer so that when executed,
the virus will attempt to insert itself into more pieces of software, resembling biological viruses
spreading an infection.
Worm: Software that relies on system vulnerabilities to replicate and spread is referred to as a
worm. Worms are distinguished from other viruses in that they do not exist as parts of existing
software, but rather as self-contained programs that propagate through security exploits.
Trojan Horse: Programs that trick the user into executing them by masquerading as a file that the
user wants are referred to as Trojans. Trojans are unique in that they spread and infect computers
by using social manipulation.
Rootkit: Software which is designed to run at the highest level of access on a system, and to use
administrative permissions to hide its existence, is known as a rootkit. Rootkits often have the
ability to escape detection and take full control of the system.[77]
2.3.2 Effects of Viruses
Each type of virus is characterized by the way it spreads to other systems. The actual effect the
virus has on a system once it is infected is called the “payload”. The payloads of viruses vary
greatly, allowing them to be used as pranks or dangerous weapons. Common virus payloads
include displaying offensive messages, forcing the system to send spam messages to others,
allowing a hacker to control the system remotely, erasing potentially critical data, intercepting
sensitive information, and even forcing the system to commit a DoS attack.
[76] Highland, Harold Joseph. A History of Computer Viruses: Introduction. Computers & Security. Vol 16, Issue 5. 1997. 412-415. <http://www.sciencedirect.com/science/article/B6V8G-3SX269W-2P/2/e96ee1d35ae6e62abd338c29a32234a7>
[77] Purdue University. Virus Terminology. 2005. 1 Dec 2005. <http://www.purdue.edu/securepurdue/steam/help/view.cfm?KBTopicID=210>
2.3.3 Defense against Viruses
Detection and removal of viruses is a heavily researched discipline. A large industry has grown
for the development of tools to eliminate viruses before they can cause damage. Professionals
work constantly to track viruses as they spread and automate the process of removing them for
their customers. A virus scanner is a popular type of software which attempts to scan computers
for viruses and assist in their removal. Hackers and security professionals are in a race to
improve their tools. Hackers have a strategic advantage against security professionals in that they
can create new viruses and use them to cause damage before the virus is discovered and the
scanner is updated to detect and remove it.
Virus scanning software is handicapped in the effort to eliminate viruses because it must be
updated constantly to be equipped to handle the new threats that are constantly emerging. There
is an inevitable lag involved in the process of developing scanning capabilities for every new
virus that gets created, and hackers are using increasingly clever methods to circumvent virus
scans. Many virus scanners have the capability to detect new viruses by closely observing the
functions that the system is performing. Scanners have limited prediction capabilities that are
sometimes capable of detecting and removing newly developed viruses: when new viruses share
the same patterns of behavior as familiar viruses, they can be found and eliminated.[78]
Figure 2.3: Virus Scanner Interface.[79]
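The lag between a new virus appearing and a signature for it shipping, and the behavioural detection that covers that gap, can be shown with a miniature scanner. The Python code below is an added example rather than anything from the report or a real product: the sample "programs", byte patterns and observed actions are all constructed, and a re-encoded variant that defeats the byte signature is still caught because its actions match a known family.

```python
# Constructed signature database: family name -> byte pattern taken from a known sample.
# Bodies and patterns here are invented for this example, not real malware.
SIGNATURES = {
    "WORM/1": b"scan-445;copy-to-share;run-at-boot",
}

# Behaviour rules: a program that performs every action in a rule's set is treated as a
# member of that family even when no byte signature matches it.
BEHAVIOR_RULES = {
    "worm-like":   {"scan_network", "write_executable", "set_autostart"},
    "mass-mailer": {"read_address_book", "send_bulk_email"},
    "ddos-zombie": {"connect_controller", "send_packet_flood"},
}

def signature_scan(body):
    """Classic detection: look for a known byte pattern inside the program."""
    for name, pattern in SIGNATURES.items():
        if pattern in body:
            return name
    return None

def behavior_scan(actions):
    """Heuristic detection: compare what the program did against known families."""
    seen = set(actions)
    for name, required in BEHAVIOR_RULES.items():
        if required <= seen:
            return name
    return None

def scan(body, actions):
    """Return ("signature", family), ("behavior", family) or ("clean", None)."""
    family = signature_scan(body)
    if family:
        return ("signature", family)
    family = behavior_scan(actions)
    if family:
        return ("behavior", family)
    return ("clean", None)

def add_signature(name, pattern):
    """Vendor update: once analysts have the sample, a pattern from it joins the database."""
    SIGNATURES[name] = pattern

# Constructed samples: (program bytes, actions observed while it ran under a monitor)
SAMPLES = {
    "known_worm":  (b"WORM/1 :: scan-445;copy-to-share;run-at-boot",
                    ["scan_network", "write_executable", "set_autostart"]),
    "new_variant": (b"w0rm/2 :: s-c-a-n;c0py;b00t",       # re-encoded: same behaviour, new bytes
                    ["scan_network", "write_executable", "set_autostart"]),
    "backup_tool": (b"backup-utility 3.1",
                    ["read_documents", "write_archive"]),
}

def scan_all():
    return {name: scan(body, actions) for name, (body, actions) in SAMPLES.items()}

if __name__ == "__main__":
    print("before update:", scan_all())
    add_signature("WORM/2", b"s-c-a-n;c0py;b00t")   # the lag closes once the sample is analysed
    print("after update: ", scan_all())
```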
The development of new tools to detect and eliminate viruses is active and thriving, along with
warning systems that enable computer users to anticipate viruses as they spread. With warnings
in place, often describing how the virus arrives and how to notice if a system has been infected,
users are better equipped to prevent infection and reduce damage. The main problems in defense
against computer viruses at the moment are systems which use no virus scanning, scanners that
are not updated for new viruses, and users who are easily tricked into infecting their computers.
[78] Nachenberg, Carey. Computer Virus-Antivirus Coevolution. Communications of the ACM 40.1 (1997): 46-51.
[79] US-CERT. Home Computer Security: Examples. 2002. 1 Nov 2005. <http://www.cert.org/homeusers/HomeComputerSecurity/examples.html>
2.4 Packet Sniffing
Packet Sniffing is a network analysis technique used to monitor traffic between devices on a
network. It is used extensively by network administrators, and has a number of legitimate uses.
In the hands of a subversive computer user, however, packet sniffing becomes a useful tool for
obtaining sensitive data without penetrating a computer network’s security measures. In order to
understand how packet sniffing works, its uses both harmful and helpful, as well as its
limitations and caveats, a few key concepts must be defined.
2.4.1 Data Streams and Packets
The Ethernet connections that exist between computers are far from perfect, and, in order to
compensate for lost data, many data transfer protocols break the data into small, contained
packets of information. On the other end, the computer receiving the data easily pieces it back
together, and immediately recognizes which packets were dropped.
The packets themselves are small and self contained, with “header” information, which details
where it goes in relation to other packets, its size, and so on, as well as diagnostic information
used to ensure the packet was received in its entirety.
Data streams are the lines of packets that stretch between the source and destination. When
packet systems are used on a “connectionless” system, such as the Internet, the packets may take
multiple paths to their destination in order to optimize the connection for speed and minimize
packet loss.
2.4.2 File Transfer Protocols
Different actions on the Internet use different file transfer protocols to guide how the computers
in a network package information for transfer. For example, web surfing uses the HyperText
Transfer Protocol (HTTP) to deliver the source code. Web based email services such as Hotmail
and GMail, however, may use the IMAP4 or POP3 systems.
This information is relevant to this topic because different file transfer protocols devote different
levels of attention to security. IMAP4 and POP3, the previously mentioned email protocols, for
example, make no attempt to encrypt the body of the email, meaning that merely intercepting a
packet is enough for a sniffer to obtain and read a piece of that email.
2.4.3 Networking Schemes
2.4.3.1 Ethernet Networks
Most wired (as opposed to wireless) computer networks use an Ethernet configuration, either
configured as a Local Area Network with cables physically connecting each device, or connected
to an outside connection, such as ADSL or cable, to the Internet. Networks may also use a
hybrid of these. Local Area Networks theoretically restrict connections to computers that are
physically connected to the network. When one or more of those computers also has a
connection to the Internet, however, a skilled user may communicate with any or all computers on
that network, provided no firewall exists or it has been compromised.
Packet visibility in Local Area Networks is based largely on the physical layout of the Ethernet
network. When computers are connected together using devices called “hubs”, each member of
the network may monitor all of the traffic going through the hub. Hubs take the information sent
from each member of the network and send it to every other member. Switches, however, are
designed to isolate network members from each other unless they are communicating directly,
though many packet-sniffing programs are designed to overcome this function.
2.4.3.2 WiFi Networks
WiFi networks allow computers to communicate wirelessly, using radio signals. WiFi
connections are based on the 802.11 standard developed by IEEE, which is commonly seen in its
802.11b and 802.11g varieties. Computer users can use WiFi connections to connect to the
Internet through hubs while in “hotspots”, or connect directly to other computers with WiFi cards
to establish “peer-to-peer” communications. Today, many businesses offer free WiFi on their
premises, offering unfettered access to the Internet, with traffic controlled only by user
agreements posted in the buildings with various degrees of visibility.
WiFi network administrators have some options for securing their networks, including
“whitelisting” and WEP. Whitelisting requires the administrator to manually input the Media
Access Control (MAC) addresses of each computer he or she wants to have access. This method
is vulnerable to “spoofing” (see below).
Wireless Encryption Protocol (WEP) is a feature of 802.11 networks used to prevent computers
that have not been given the WEP key from connecting to the network. Unfortunately, open-source
programs are available that can crack WEP keys. AirSnort[80] is an example. Its webpage claims
that it can crack a WEP key in under a second once the program has been allowed to monitor
5-10 million packets.
Once a computer is allowed onto a WiFi network, all packet transfers are visible to it, although
most WiFi cards review and ignore packets destined for other nodes on the network. Many cards
feature a “promiscuous mode” which causes them to pay attention to all packets. This may then be
coupled with a packet-sniffing program.
2.4.3.3 Network Interface Cards and Promiscuous Mode
A Network Interface Card (NIC) is an internal computer component that connects to networks,
either Ethernet or 802.11. With the exception of Ethernet networks with uncompromised
switches, both network types allow NICs to see all packet traffic on the network. By default,
NICs ignore all but the data streams with their host computer as the destination. This design is
as much for efficiency as for security. Nearly all NICs, however, have the capability of running
in “promiscuous mode”.[81] With this turned on, the NIC reads all of the packets that travel
over the network.
[80] AirSnort Homepage. 31 Dec 2004. The Shmoo Group. 30 Oct 2007. <http://airsnort.shmoo.com/>.
2.4.4 Implementations
Once a computer is on a network, the most difficult task is complete. Packet sniffing programs
are easy to find, and many are free and open source. They work by putting the NICs in
promiscuous mode, then analyzing the received packets. Many packet sniffers contain
algorithms that will automatically look for user names and passwords, streamlining the process.
2.4.4.1 Spoofing
The term spoofing refers to a computer misrepresenting its network identity in order to receive
data intended for another computer on the network. Examples include spoofing MAC addresses
and IP addresses. While this information is difficult for an unskilled user to obtain, a number of
tools are available to hackers who seek it.
2.4.4.2 Limitations and Counters
When one computer spoofs another that is still operational, it can create inconsistencies in the
return traffic that can clue in network administrators and well-designed programs. Hackers may
try to counter this by coupling spoofing with Denial of Service attacks on the spoofed computer,
in order to create the appearance of one computer using that network identity.
Though the threat of packet sniffing may seem dire, a number of limitations impede the goals of
hackers and spies. Some of these limitations are inherent to the packet sniffing method, while
others are safety measures that system administrators may take to protect their networks.
Non-packet transfers
Not all data transfers use the packet transfer scheme. Communications such as Voice Over IP
(VoIP) require a static connection between the source and the destination to ensure a high rate of
transfer. Because these streams are constant, and follow a fixed path through the network, the
chances of the hacker’s computer being used in the transfer path are lower, and the data is much
harder to decode. In addition, the streamed audio data has no plain text component, and the
hacker would have to be able to reconstruct the stream (no easy feat) in order to take any
information out.
Secure protocols
HTTP, IMAP, and all the other previously mentioned transfer protocols are old, despite their
ubiquity. New protocols, such as Secure Sockets Layer (SSL), are meant to provide secure methods for
transferring data. Like radio operators in World War II, however, cryptologists must fight to stay
one step ahead of hackers trying to defeat their algorithms.
81 Crenshaw, Adrian. A Quick Intro to Sniffers. 30 July 2007. Iron Geek.com. 30 Oct 2007.
<http://www.irongeek.com/i.php?page=security/AQuickIntrotoSniffers>.
Secure programming
A concept being introduced into software engineering curricula with growing frequency, secure
programming involves incorporating security into the very code of the applications that need to
transfer data across networks.
Some of the advantages of secure programming include increased security over normally
unsecured transfer protocols like FTP and POP3, or an extra layer of encryption on top of WEP,
SSL, etc. Packet sniffers, specifically, use computer algorithms to try to construct readable text
from unordered machine code82, and the extra layer of encryption would likely render most of
these algorithms useless.
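The Python below is an added example, not code from the report, that carries out the two steps the paragraph describes: putting captured TCP segments back in order by sequence number, then testing whether the result reads as text. The POP3 exchange and its segment order are constructed; a one-time pad from `secrets.token_bytes` stands in for SSL/TLS as the simplest correct cipher, and the same reassembly recovers nothing readable from it.

```python
"""What a sniffer recovers from captured segments, with and without encryption.

Added example, not code from the report. The POP3 client stream is
constructed; the one-time pad stands in for SSL/TLS only to show the effect
of any sound encryption layer on the readability test.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments):
    """Rebuild one direction of a stream from out-of-order, possibly duplicated segments.

    Gaps left by lost segments stay as zero bytes so later offsets remain correct.
    """
    if not segments:
        return b""
    start = min(s.seq for s in segments)
    end = max(s.seq + len(s.payload) for s in segments)
    buf = bytearray(end - start)
    for s in sorted(segments, key=lambda s: s.seq):
        off = s.seq - start
        buf[off:off + len(s.payload)] = s.payload
    return bytes(buf)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or tab/newline/return."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def looks_like_text(data, threshold=0.9):
    """The crude test a sniffer applies before bothering to search for credentials."""
    return printable_ratio(data) >= threshold


# Constructed client->server half of a POP3 login (no real account).
POP3_CLIENT = (b"USER alice@example.test\r\nPASS s3cret-example\r\n"
               b"STAT\r\nLIST\r\nRETR 1\r\nQUIT\r\n")
BASE_SEQ = 1_000_000


def split_into_segments(stream, base_seq=BASE_SEQ, size=16):
    """Cut a stream into segments, then scramble their order and duplicate one.

    This imitates what a passive capture sees: arrival order is not send order
    and retransmissions repeat data already seen.
    """
    segs = [Segment(base_seq + i, stream[i:i + size]) for i in range(0, len(stream), size)]
    return segs[2:] + segs[:2] + ([segs[3]] if len(segs) > 3 else [])


def encrypt_one_time_pad(plaintext):
    """XOR with a fresh random key of equal length; returns (ciphertext, key)."""
    key = secrets.token_bytes(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, key)), key


def demo():
    clear = reassemble(split_into_segments(POP3_CLIENT))
    ciphertext, _key = encrypt_one_time_pad(POP3_CLIENT)
    enc = reassemble(split_into_segments(ciphertext))
    return {
        "clear_ok": clear == POP3_CLIENT,          # reassembly restored the stream
        "clear_readable": looks_like_text(clear),  # plaintext protocol: text found
        "enc_readable": looks_like_text(enc),      # encrypted: reassembly still works, text does not
    }


if __name__ == "__main__":
    print(demo())
```

A production reassembler also tracks both directions and resolves overlapping retransmissions whose bytes differ; the readability step is unchanged, which is why encryption, not stream obscurity, is what removes the sniffer's payoff.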
Packet Sniffer detection programs
Packet sniffing programs generate little or no return traffic, instead monitoring the data
passively. As such, they are fairly difficult to detect. Programs like Sniffdet83, however, can be
used to detect NICs that are running in promiscuous mode. Sniffdet is open source, and free for
anyone to use, though a certain level of computer skill is required to run the program correctly.
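As an added example (not the report's code, and not how Sniffdet works, since Sniffdet probes suspect hosts over the network), the Python below checks for promiscuous interfaces from the host side using two Linux signals: the IFF_PROMISC bit in `/sys/class/net/<iface>/flags` and the kernel's "device X entered promiscuous mode" log line. The dmesg excerpt and flag values are constructed.

```python
"""Spot NICs in promiscuous mode from the host side.

Added example, not the report's code. Two local Linux signals are used: the
IFF_PROMISC bit in /sys/class/net/<iface>/flags and the kernel log message
written whenever an interface changes promiscuous state. Sample log lines
and flag values are constructed.
"""
import os
import re

IFF_PROMISC = 0x100  # bit value from <linux/if.h>

# Kernel message, e.g. "[  812.431112] device eth0 entered promiscuous mode"
_PROMISC_LOG = re.compile(r"device (?P<iface>\S+) (?P<state>entered|left) promiscuous mode")


def is_promiscuous(flags_text):
    """Interpret the hex string found in /sys/class/net/<iface>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Interfaces on this host whose flags carry IFF_PROMISC right now."""
    found = []
    if not os.path.isdir(sysfs_root):
        return found  # not Linux, or sysfs unavailable
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                if is_promiscuous(fh.read()):
                    found.append(iface)
        except OSError:
            continue
    return found


def promisc_transitions(log_lines):
    """(iface, state) pairs from kernel/syslog lines, in log order."""
    events = []
    for line in log_lines:
        m = _PROMISC_LOG.search(line)
        if m:
            events.append((m.group("iface"), m.group("state")))
    return events


def still_promiscuous(log_lines):
    """Interfaces that entered promiscuous mode and never left, according to the log."""
    active = set()
    for iface, state in promisc_transitions(log_lines):
        if state == "entered":
            active.add(iface)
        else:
            active.discard(iface)
    return sorted(active)


# Constructed dmesg excerpt: a capture tool opened eth0, then wlan0, and
# released only wlan0; the MTU line is unrelated noise.
SAMPLE_DMESG = [
    "[  812.431112] device eth0 entered promiscuous mode",
    "[  812.431300] e1000e 0000:00:19.0 eth0: changing MTU from 1500 to 9000",
    "[  900.100000] device wlan0 entered promiscuous mode",
    "[  955.778000] device wlan0 left promiscuous mode",
]

if __name__ == "__main__":
    print("live:", promiscuous_interfaces())
    print("per log:", still_promiscuous(SAMPLE_DMESG))
```

Bridge ports and some virtualisation and monitoring setups keep interfaces promiscuous legitimately, so a hit is something to explain rather than proof of a sniffer.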
Awareness
Perhaps the best way to prevent packet sniffing is to educate the network administrators who set
up and run the networks over which sensitive information travels. Adrian Crenshaw mentions
simple practices like putting public terminals on separate networks from staff and administrator
networks, and setting workstations to lock when not in use.
Packet sniffing works because it is easy for hackers to do. Intelligent network setups and users
can make this process much more difficult for hackers with relatively little effort.
2.4.5 Scenarios
2.4.5.1 Public WiFi Service
Many restaurants and cafés offer free WiFi service around their establishments, and users are not
even strictly required to be customers. With the exception of vague user agreements, no attempts
are made to limit access. An identity thief or hacker might set his or her laptop up within range
of the establishment, though not necessarily inside or on the grounds. Meanwhile, a customer
checks his or her email using a POP3 system. One of the messages is a confirmation email from
an online business website, containing the customer’s user name, password, and credit card
information.
82 Mendis, Surakshan. Packet Sniffing. 2005. SuraSoft. 30 Oct 2007.
<http://www.surasoft.com/articles/packetsniffing.php>.
83 De Souza Reis, Ademar, and Filho, Milton Soares. Sniffdet – Remote Sniffer Detector for Linux. 10 Oct 2006.
SourceForge.net. 30 Oct 2007. <http://sniffdet.sourceforge.net/>.
2.4.5.2 University Networks
North Carolina State University provides two wireless networks across its campuses, one for
guests, and one for students and staff. However, a resourceful hacker could easily obtain the
username and password from one of the thirty thousand users in the latter category. Running a
packet-sniffing program, he or she would then have access to a significant amount of
information. This could range from credit card information as before, to staff research
performed on government grants.
2.5 Social Engineering
“The weakest link in an information-security chain is often the user because people can be
manipulated.”84 Social engineering combines hacking with classic confidence schemes and other
low-tech methods to obtain user information that may be used in information theft or system
attacks.
Social engineering attacks may be as simple as the 419 (Nigerian) Scams that send probing
emails to thousands of addresses, or complex plans, involving surveillance and target “casing” in
order to best obtain the target’s trust.
2.5.1 Confidence Schemes or Trust and Attack Models
Confidence schemes bring con men to the world of cyber-attacks. Trust and attack models
include constantly evolving scams tailored to each particular target. As the social engineering
hacker learns more about the target or the target’s company, he or she incorporates this
information into exchanges, either phone, email, or conversational, in order to appear more
legitimate. The hacker may pose as a coworker in a large firm, or even a new acquaintance, and
the information gleaned is not always, and indeed rarely, technical in nature. Hobbies, and the names
and birthdays of family members and pets, are commonly used to produce easy-to-remember
passwords.
An extremely simple example of a trust and attack model could take place in a dog park. The
hacker takes a dog to the park and strikes up a conversation with the target, learning the name of
the target’s dog. This information is a popular security question on many major websites,
including Hotmail. Email passwords are particularly useful targets, as even more websites use
password recovery systems that send the old or changed password to the user’s email.
2.5.2 Phishing
Phishing is a term that refers to emails and websites that attempt to gather user information,
typically through fraud and spoofing (see the discussion of spoofing above). At their
simplest, phishing attacks can simply be used to determine whether email addresses are in active
use, and/or whether the user is a likely candidate for social engineering. 419 scams begin in this way,
then follow trust and attack models as hackers establish a relationship with the targets and
convince them to commit fund transfers.
84 Laribee, Lena, et al. Analysis and Defensive Tools for Social-Engineering Attacks on Computer Systems.
Information Assurance Workshop, 2006 IEEE. 388–389, 21-23 June 2006.
More elaborate phishing attacks are more specifically targeted. In October of 2006, a number of
employees at Dekalb Medical Center in Decatur, Georgia accidentally downloaded a key-logging
program when they responded to an email spoofed from Dekalb’s domain, dekalb.org, which
claimed that they had been laid off.85
2.5.3 Dumpster Diving
“I have found private numbers for very important people on post-its. Building
security alarm codes. And my personal favorite, payroll account login and
passwords. It amazes me the things people write on these little brightly colored
pieces of paper. They serve their purpose for a short time and are then balled up
and thrown into the trash. How many people think to shred their Post-Its.”86
Provided no other laws are broken in the process, no federal law prohibits dumpster diving. At
the state level, only theft and trespassing laws cover the activity. Most theft laws state that it is
illegal to take “items of value”, and a number of questions have arisen regarding the value of
objects thrown in the trash. Journalists, law enforcement officers, private investigators, and
social engineers all use dumpster diving as an information collection technique.
Only four states require companies to destroy personal information upon disposal.87 Besides
user names and passwords, company trash may yield maps of corporate structures, phone lists,
and interoffice communiqués, all useful for giving social engineering hackers more background
information and, therefore, more legitimacy when phishing or running trust and attack schemes.
2.5.4 Case Studies
Hacker-turned-contractor and writer Kevin Mitnick described a case of a Pakistani militant
named Khalid Ibrahim, who offered money to American hackers to hack into government and
military websites. In a test hack, Ibrahim offered $1,000 to a hacker who used the Internet
handle of “ne0h” to obtain a number of usernames and passwords for a well-known Chinese
engineering university.
ne0h began by finding a kindred hacker among the students of the university, who offered him a
number of user accounts with passwords without question. ne0h noticed that many of the users
had simply set the password to the user name. From there, the teenaged hacker found another
college student through chat rooms and claimed to be looking for friends around the campus.
The student responded with a list of email addresses, and ne0h quickly figured out the
corresponding user names and passwords.88
85 Garretson, Cara. Spam that delivers a pink slip. ComputerWorld.com. 1 Nov 2006. 26 Nov 2007.
<http://computerworld.com/action/article.do?articleId=9004698&command=viewArticleBasic&taxonomyName=security>
86 Grifter. Dumpster Diving – One Man’s Trash… Hack In The Box. 2002. 26 Nov 2007.
<http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=6388&mode=thread&order=0&thold=0>
87 Dumpster Diving. Washington State Office of the Attorney General. 26 Nov 2007.
<http://www.atg.wa.gov/ConsumerIssues/ID-Privacy/DumpsterDiving.aspx>
2.6 SCADA Systems
Supervisory Control and Data Acquisition (SCADA) systems collect data from control sensors
that measure physical parameters like flowrate, temperature, or pressure in a factory,
infrastructure plant, or in other remote locations, and then send this data to be processed by a
central computer. A computer alone is not a SCADA system—most SCADA systems consist of
input and output signal hardware, controllers, networks, communications equipment, and a
Human-Machine Interface (HMI). HMIs, like the one shown in Figure 2.4, are often controlled via
common operating systems like Windows and Linux, which are vulnerable to many types of
viruses and other cyber-attacks—these problems can be made worse if the operating system is
not patched frequently89.
Figure 2.4: A Human-Machine Interface for a steam power plant operating in Windows.90
Remote programmable logic converters called Remote Terminal Units (RTU) interface directly
with the controlled processes to carry out the operations performed by a SCADA system. These
logic converters are usually programmed to meet specific process requirements and can often
automatically make slight changes to monitored parameters to optimize functionality; for
example, the RTU might control the speed of a conveyor belt or the temperature of a holding
tank at a chemical plant. RTU units are currently built with redundancies in hardware and
communications channels in case of damage to the physical system, and can often operate on
their own to control safety-related problems91. However, despite these automatic failsafes, input
from a human can change or override these settings at any time92.
88 Mitnick, Kevin, & Simon, William L. (2005). The Art of Intrusion: When Terrorists Come Calling.
Indianapolis, IN: John Wiley and Sons, Inc.
89 Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia
Institute of Technology. 1-6. 15 Oct. 2007
<http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.
90 SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007
<http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.
2.6.1 Scope of the Threat to SCADA Systems
Currently, SCADA systems are involved in the manufacture of many consumer products,
including pharmaceuticals, and in controlling critical infrastructures like electric power
generators, water treatment plants, dams, nuclear power plants, and other systems93. According
to Joe Weiss of Applied Control Solutions, the industry greatly underestimates what a SCADA
attack can do: “What people had assumed in the past is the worst thing
you can do is shut things down. And that's not necessarily the case. A lot of times the worst thing
you can do, for example, is open a valve -- have bad things spew out of a valve.”94 Manipulating
SCADA controls could allow a cyberattacker to accomplish anything from increasing the amount
of waste in a local water supply to altering the oscillation in an electric power generator in such a
way that it physically explodes. Consequently, the effects of a large-scale cyberattack utilizing
remote access to SCADA systems could potentially be disastrous.
Despite the importance of SCADA systems to critical infrastructures, these systems are rarely as
safe or as isolated as the industry thinks. Of 13 cyber-security incidents involving SCADA
systems between 1980 and 2000, only 31% of attacks originated from outside the company; the
rest were either the result of accidents or of disgruntled employees who had direct access to the
systems95. However, between 2001 and 2003, the source of cyber-attacks on these systems shifted to
70% originating from outside the company (Figure 2.5).
91 SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007
<http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.
92 "What is SCADA?" The Tech-FAQ. 2007. 27 Oct. 2007 <http://www.tech-faq.com/scada.shtml>.
93 "Multi-State Information Sharing and Analysis Center (MS-ISAC)." 2006. Multi-State Information Sharing and
Analysis Center (MS-ISAC). 21 Oct. 2007 <http://www.msisac.org/scada/>.
94 Meserve, Jeanne. "Sources: Staged Cyber Attack Reveals Vulnerability in Power Grid." CNN 26 Sept. 2007. 27
Sept. 2007 <http://www.cnn.com/2007/US/09/26/power.at.risk/index.html>.
95 Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia
Institute of Technology. 1-6. 15 Oct. 2007
<http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.
Figure 2.5: Origin of SCADA-related cyber-attacks.96
While the threat of a SCADA attack due to an inside source is decreasing markedly, the rate of
external attacks is increasing even faster, and this must be considered when making policy
decisions.
2.6.2 Vulnerabilities
2.6.2.1 Original Development Flaws
Many SCADA systems are vulnerable to cyber-attacks, and this stems back to the way in which
they were originally developed. The first SCADA systems were developed over twenty years
ago, before the majority of other corporate networks were put into place, and many of these
original SCADA systems are still in use today. This leads many information technology
managers to believe that these networks are not linked, so that SCADA systems cannot be
accessed through corporate networks or remote access points. In reality, many corporate IT
networks and SCADA systems are linked so that engineers can control systems from remote
points on the corporate network and managers can find critical data instantly. IT managers
usually make these connections without a full understanding of the security risks, and the
security policies of most corporations do not account for the possibility that SCADA systems
could be accessible through other corporate networks97.
96 Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia
Institute of Technology. 1-6. 15 Oct. 2007
<http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.
97 Understanding SCADA System Security Vulnerabilities. Riptech. 2001. 1-5. 23 Oct. 2007
<http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf>.
2.6.2.2 Corporate Network Security
Research into the security of corporate networks produces startling results—independent security
researcher Shawn Merdinger discovered in 2006 that at least a handful of critical infrastructure
companies who planned to attend the DEFCON hacking meeting in Las Vegas were connecting
to the Internet using residential routers with documented vulnerabilities. Merdinger described
these systems as being “almost as secure as my mom's computer.”98 This is particularly
alarming because, as long as these corporate networks are unprotected, the SCADA systems
linked to them are equally vulnerable. Other basic problems in companies’ network
architecture include improper configuration of FTP or email servers to allow internal network
access inadvertently, unsecured connections with corporate partners, and failure to implement
firewalls and other network security measures internally, which leaves little to no separation
between different sectors of the network99.
This unawareness of network security flaws creates an even bigger problem, because SCADA
systems were not originally designed with cyber-security in mind. Alan Paller, director of
research for the SANS Institute, said of these design flaws, “It's not that these guys don't know
what they are doing. Part of it is that these systems were engineered 20 years ago, and part of it
is that the engineers designed these things assuming they would be isolated. But--wham!--they
are not isolated anymore.”100 One problem with this is that old SCADA systems do not utilize
security updates like new corporate networks do, and cannot be protected independently by such
measures. Because they were intended to be isolated, there are many basic security
shortcomings built into SCADA systems as well, such as the absence of per-user
authentication—users log in with easily guessed names like “admin” rather than a personal user
ID101. This flaw not only makes it easier to infiltrate SCADA systems, but also makes the
infiltrator much harder to track, since all users utilize the same login information.
2.6.2.3 Company Security Procedures
The weaknesses of SCADA systems often go beyond engineering design flaws into company
security procedures as well. Many companies list data on their websites that can be useful for
hackers, such as email addresses, employee names, and sometimes even corporate network
system names. These problems could mostly be eliminated simply by removing information that
could be useful to hackers from company websites.
98 Lemos, Robert. "SCADA System Makers Pushed Toward Security." SecurityFocus 26 July 2006. 19 Oct. 2007
<http://www.securityfocus.com/news/11402/2>.
99 Understanding SCADA System Security Vulnerabilities. Riptech. 2001. 1-5. 23 Oct. 2007
<http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf>.
100 Lemos, Robert. "SCADA System Makers Pushed Toward Security." SecurityFocus 26 July 2006. 19 Oct. 2007
<http://www.securityfocus.com/news/11402/2>.
101 SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007
<http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.
2.6.2.4 Who Could Gain Access?
Without increased security measures, anyone with a basic knowledge of hacking could
theoretically gain access to a SCADA system. Of the security incidents recorded between 2000
and 2003, the Internet was the single largest source, but security was also breached through other
sources, like wireless systems, dial-up connections, and third party connections (Figure 2.6).
Therefore, simply implementing measures to close off one access point, like an Internet firewall,
is insufficient—as many entry points as possible should be protected102.
Figure 2.6: Entry points of SCADA-related cyber-attacks.103
Because many companies lack knowledge about their own cyber-security vulnerabilities,
infiltrating a SCADA system would not require a targeted assault from a country or terrorist
organization: just one “average” hacker would be skilled enough to gain access. For example, in
one penetration test by Black Hat Security, a single representative was able to find an
unprotected WiFi access point and infiltrate the SCADA system using a ten-year-old exploit of
Solaris, the Unix-based operating system on which the SCADA system was running104. Since
the United States military’s invasion of Afghanistan in 2001, US forces have seized computers and
instruction manuals containing SCADA information relating to dams in Al Qaeda training
camps, although they found no evidence of an actual plan to attack105.
102 Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia
Institute of Technology. 1-6. 15 Oct. 2007
<http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.
103 Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia
Institute of Technology. 1-6. 15 Oct. 2007
<http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.
104 SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007
<http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.
2.6.3 Case Studies
2.6.3.1 Hunter Watertech
On April 23, 2000, a disgruntled ex-employee named Vitek Boden infiltrated the Hunter
Watertech wastewater system in Queensland, Australia, using only a stolen computer and radio
transmitter. From an external site, he entered the system by using software to identify himself as
“pumping station 4” and deactivated all alarms that would alert IT security to his presence in the
system. Though he was familiar with the system, all the equipment he used was commercially
available, and he faced no obstacles when accessing the Hunter Watertech network106.
After entering the system, Boden remotely controlled 300 SCADA nodes governing both sewage
and drinking water, and flooded millions of gallons of sewage into parks, rivers, and hotel
grounds. His actions destroyed the ecosystem of the affected rivers and caused a stench that was
“unbearable” to residents107. While there were no reported human deaths, Boden’s case is
currently the only known case in which a SCADA system has been used to cause harm.
2.6.3.2 Roosevelt Dam
However, SCADA systems have been accessed unintentionally in the past, and could have had
disastrous results if mismanaged. In 1998, a 12-year-old hacker unknowingly infiltrated the
computer system controlling the Roosevelt Dam in Arizona. Federal authorities claimed that the
boy had complete control of the SCADA system that operates the dam’s floodgates, which hold
back about 489 trillion gallons of water. If the gates were opened, the resulting flood would
mostly stay in a flood plain around the cities of Mesa and Tempe, engulfing them with water. In
this instance, in which the dam’s SCADA system was easily breached by a 12-year-old, the
cyber-security risk is much greater than the physical risk, since physically destroying a dam
would require “tons of explosives” according to Secretary of Homeland Security Michael
Chertoff108.
There are many misconceptions surrounding the security of SCADA systems, and these leave
critical infrastructures vulnerable to attacks from both internal and external sources. While there
is no need to panic, the use of SCADA systems in cyber-warfare is a legitimate threat
that must be addressed more fully.
105 SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007
<http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.
106 Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007
<http://www.securityfocus.com/news/502>.
107 Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007
<http://www.securityfocus.com/news/502>.
108 Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007
<http://www.securityfocus.com/news/502>.
3 Targets
As we move further into the 21st century, our nation is increasingly threatened by cyber-warfare.
Any foreign nation or terrorist group with a computer can wreak havoc throughout the United
States, threatening anything connected to the internet. This threat is not limited to one specific
group, but could affect global corporations, utilities, transportation systems, the federal
government, and the military. Securing our critical infrastructures should be our chief concern as
the government is the caretaker of our economic well being, security and defense, and social
services. Before we begin to discuss policy goals for the government to enact, it is vital to
assess potential threats and vulnerabilities to the system as a whole.
3.1 Military and Government
As the keepers of our nation’s defense, the government and military are absolutely critical to the
preservation of our nation, and consequently one of the leading targets for cyber-attack. Existing
threats to the government and military are primarily data theft and data corruption. Since the late
1990’s, there have been several documented data theft attacks on the United States from
unknown foreign nations. Presently, this is the most pressing issue to national security. The
military is also potentially vulnerable on the battlefield to cyber-attack, although many of the
vulnerabilities are electronic attacks rather than cyber-attacks, a distinction that will be clarified.
Lastly, the military faces the prospect of global threats from foreign nations gaining cyber-attack
capabilities that could be used against the nation as a whole or directly on the battlefield.
3.1.1 Data Theft and Corruption
In the modern world, data theft and corruption are taking the place of traditional espionage and
spying. Rather than transporting physical files to obtain government secrets, hackers can simply
break through firewalls and other cyber-defense mechanisms to raid stored data in secure
government systems. This is the greatest threat to our government, and will continue to present
the foremost issue to counter when securing cyberspace.
There have been several historical cases of data theft that have been reported to the general
public. In 1997, a test called Eligible Receiver allowed an NSA ‘red team’ – hackers inside the
organization that try to break into secure systems – to attempt to hack into the Pentagon.
Ultimately they successfully infiltrated the Pentagon network, as well as gained control of
Pacific command center computers, power grids and 911 systems.109
In 1999, the government accidentally stumbled upon a series of data thefts that were collectively
coined Moonlight Maze. Hackers had been systematically infiltrating computers in the
Pentagon, NASA, the Department of Energy, and private universities and research facilities
dating back nearly two years. Data stolen included troop structure as well as military hardware
and base configurations. The electronic trail was traced back to Russia, but the sponsor of the
attacks is still unknown.110
109 “Cyber-war!” PBS: Frontline. April 2003. 29 Oct. 2007
<http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
A similar series of incidents, known as Titan Rain, resulted in widespread attacks from 2003 to
2005 against targets inside the government, military installations, as well as top level defense
contractors. Although the data stolen was not classified, it included large quantities of sensitive
material that was restricted by export control laws. It is not clear whether the data theft has
ceased or who the culprit behind the attacks is. The data theft was traced back to China, but the
Chinese government refuses to cooperate with US investigations.111
These types of attacks are a continuing threat to the government and military. The Pentagon
announced that in June, hackers managed to break into computers in the Pentagon, including the
computer of the Secretary of Defense, Robert Gates.112 Although the government did not
suggest a culprit, there is some suspicion of Chinese People’s Liberation Army involvement.
Hackers are continuing to penetrate the government, despite the best efforts of defense measures.
Additionally, federal agencies such as the FBI are unable to investigate the sources of the attacks
internationally without foreign approval, which prevents any precise knowledge of the attackers.
Although we do not know of any classified information theft, the data stolen is staggering, and a
major threat to the government.
Similar to data theft is data corruption. Hackers break into computer systems, and are then able
to alter code to perform many different actions. Common corruption includes leaving ‘back
door’ code in place to allow hackers to re-enter previously exploited weaknesses. Compromised
computers will often contain a ‘trojan horse,’ malicious code that in addition to enabling reentry,
will allow hackers to control these computers remotely or shut the computers down.113 Many of
the tools for attack previously described, such as DOS attacks, are reliant on these corrupted
computers in order to work successfully. The combined danger of data theft and corruption
present an ongoing and serious threat to both the government and the military.
3.1.2 Battlefield Cyber-attacks
Direct battlefield threats due to cyber-warfare are hard to identify and evaluate. Some argue that
any data theft by the military or information that is potentially compromised could lead to deaths
on the field114, but the causal link is slightly stretched. Unlike other cyber-attacks, battlefield
uses of cyber-warfare are only effective when coupled with a physical attack, as in conveying
incorrect troop strength and then ambushing a military unit. Although these cyber-attacks could
lead to casualties, in themselves they are not the most pressing concern. However, as the
nation’s military becomes increasingly advanced and reliant upon technology, some fear exists
that these electronic systems could become vulnerable to attack – albeit an electronic attack.
110 Ibid.
111 Thornburgh, Nathan (2005). “The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)”,
Time. 30 October, 2007, <http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html>
112 “Pentagon Admits Security Breach but won’t say who did it” NetworkWorld.com, 30 October, 2007
<http://www.networkworld.com/community/node/19041>
113 Thornburgh, Nathan (2005). “The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)”,
Time. 30 October, 2007, <http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html>
114 Ibid.
Cyber-attacks, as we have defined them, are primarily attacks launched through the internet in
order to hack into a system for theft, corruption, or control of the compromised computer.
Losing control of a compromised computer can also lead to malicious activities such as DOS
attacks. There is concern for cyber security on the battlefield, as a porous or weak network could
result in distributing poor troop information to soldiers, with the potential for friendly fire
accidents or enemy ambushes.115
While rear areas may depend upon a computer network for command and control, key
information devices on the field are not susceptible to traditional cyber-attacks. A prominent
example is the GPS system. Although initiated as a military system, the widespread proliferation
of GPS has made it a useful navigation system for the military, civilians, and adversaries alike.
The system is based on receivers and satellites, meaning that cyber-attacks on the battlefield
would not interfere with the system, as it is not plugged into the internet. Current GPS
‘blockers’ are questionable in their effectiveness. In Operation Iraqi Freedom, the Iraqi military
had acquired several GPS jammers, which the United States ironically destroyed with GPS
guided missiles.116 This is not to say that the system is not vulnerable, but that the system faces
electronic warfare threats.
Electronic warfare, distinct from cyber-warfare, is defined by the military as using
electromagnetic pulses to disrupt or destroy enemy systems, in contrast to using computer code
and hacking to achieve the same goal. Theoretically, electronic warfare could disrupt GPS
satellites in space, overheat and permanently damage circuitry in electronic devices, control
adversary radio signals, or even misdirect unmanned crafts or robots.117 Although military
technologies are widely classified, the ability of electronic warfare to damage robots could pose
a threat to the Predator drone and other modern aerial robotics.
This is not to dismiss cyber-attacks as threats to the military, but rather to suggest that on a
soldier level, cyber-attacks are not a direct threat. There is some battlefield communication and
organization through a local network that could be compromised, but soldiers still communicate
by radio, something unhampered by cyber threats. Direct communication and navigation have
not yet crossed into technologies that are vulnerable to cyber-attack. In the future, electronic
warfare may play a preeminent role on the battlefield, but this is beyond the current scope of
cyber-warfare.
115 Krebs, Brian (2003). “Cyber War Games Tests Future Troops”, Washington Post. 30 October, 2007. <http://www.washingtonpost.com/ac2/wp-dyn/A21871-2003Apr23>
116 “CENTCOM Operation Iraqi Freedom Briefing - 25 March 2003”. 30 October, 2007. <http://www.gulfinvestigations.net/document348.html?PHPSESSID=64c6f060d1f4997faf0ff91799fa777f>
117 Wilson, Clay (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues”. 30 October, 2007. <http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>
3.1.3 Foreign Threats
Arguably the greatest threat, albeit primarily a future threat, is the growing ability of foreign
nations to conduct aggressive cyber operations against the United States. Cyber-warfare is
widely accessible because of the limited infrastructure required for effective operations. As a
result, many nations including China, Iran, and North Korea are trying to develop means of
attacking the United States. There are more than a dozen nations with credible cyber-warfare
capability, although not all are hostile to the United States.118
However, due to the vast supply of
resources and evolving national strategy, China appears to be the most significant threat in the
growing field of cyber-warfare.
In the past few years, China has placed increasing emphasis on cyber capabilities in its
national strategy. In 2005, the PLA started to include offensive cyber operations in military
exercises, with the explicit goal of achieving cyber dominance and a first strike capability. In
2006, China added the goal of achieving dominance throughout the electromagnetic spectrum
over its main adversaries by 2050.119
Earlier this year, the Pentagon was reported to have released a
document describing China’s cyber capabilities, which included a plan to disable an American
carrier task force. Additionally, China has successfully hacked into United States defense
networks, as well as Whitehall in Great Britain and Germany’s government systems.120
Since China is our strongest adversary, it is important to examine how it is attempting to achieve
cyber dominance. First, the PLA has ‘cyber units’ within the military specifically designed to
develop and use cyber attacks. They are essentially military sponsored hacking rings, with the
full backing of the national government. Additionally, the nation is scouring its population to
find the best talent for cyber units. Through education programs for teens and hacking
competitions to recruit talent, the ‘best and the brightest’ are either working for the government
on cyber-research or as independent contractors in order to give the government plausible
deniability. These units are working off of a “virtual guidebook” developed after reading dozens
of western manuals on military tactics and cyber-tactics. 121
Assessing China’s actual cyber-capabilities is difficult at best. China has already shown
proficiency at hacking into foreign government systems, but little else is known. Possibly their
greatest strength is that the United States is increasingly dependent upon electronic systems,
which in turn enlarges the area for vulnerabilities, and increases the risk of China using cyber-
warfare to disrupt America’s technological advantage. Unfortunately, very little unclassified
material is available regarding China’s capabilities. However, the small glimpses released to the
public show a nation arming itself for what could be the Cold War of the 21st century – with
cyber weapons instead of nuclear missiles.
118 “Cyber War Nightmares” (2006). 30 October, 2007. <http://www.strategypage.com/htmw/htiw/articles/20060829.aspx>
119 Rogin, Josh (2006). “DOD: China fielding cyberattack units”. 30 October, 2007. <http://www.fcw.com/online/news/94650-1.html>
120 Reid, Tim (2007). “China’s cyber army is preparing to march on America, says Pentagon”, The Times. 30 October, 2007. <http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article2409865.ece>
121 Ibid.
3.2 Financial Systems as a Target
3.2.1 Overview
There are powerful nations developing cyber-warfare in an attempt to achieve cyber dominance.
If a cyber-war were to erupt, these nations would likely attack our critical financial systems in an
attempt to cripple the U.S. economy. Fortunately, the nations that have developed intensive
cyber-warfare capabilities have a vested interest in the United States economy. Nations such as
North Korea that do not have a strong connection with our economy have yet to pose a serious
threat in the cyber-realm.
A more imminent threat lies in the terrorist organizations that have no current interest in the
welfare of the U.S. economy and often thrive in times of economic turmoil. Organizations such
as al-Qaeda make no attempts to hide the fact that they aim to attack our economy with any
available resources. Osama bin Laden made his goals very clear in December of 2001, stating
“If their economy is destroyed, they will be busy with their own affairs rather than enslaving the
weak peoples. It is very important to concentrate on hitting the U.S. economy through all
possible means." Al Qaeda’s second-in-command, Ayman al-Zawahiri, said in September 2002:
"We will also aim to continue, by the permission of Allah, the destruction of the American
economy […] It is very important to concentrate on hitting the U.S. economy through all
possible means […] look for the key pillars of the U.S. economy. The key pillars of the enemy
should be struck.”122
The United States has an economy nearly 300% larger than that of Japan, the second largest
national economy.123
This massive economy has become the target of many terrorist and malicious
organizations and could be the target of nation states in the future. We know there is a motive;
we must uncover and understand the vulnerabilities of this economic target. Condoleezza Rice,
the U.S. Secretary of State, stated at the Partnership for Critical Infrastructure annual meeting in
Washington,
Today, the cyber economy is the economy. And I don't mean the dot coms. I mean
virtually every vital service -- water supply, transportation, energy, banking and finance,
telecommunications, public health. All of these rely upon computers and the fiber-optic
lines, switchers and routers that connect them. Corrupt those networks, and you disrupt
the nation. It is a paradox of our times: the very technology that makes our economy so
dynamic and our military forces so dominating -- also makes us more vulnerable. As the
President's National Security Advisor, I have to worry about that vulnerability. But each
122 Pethokoukis, James (2007). “So How Goes Bin Laden’s War on the U.S. Economy?”, U.S. News & World Report. 27 Oct 2007. <http://www.usnews.com/blogs/capital-commerce/2007/9/11/so-how-goes-bin-ladens-war-on-the-us-economy.html>
123 “Data and Statistics”. International Monetary Fund. 17 Oct 2007. 27 Oct 2007. <http://www.imf.org/external/data.htm#data>
corporate CEO has to worry about the fact that a much smaller cyber attack than on the
U.S. could place the very existence of your company at issue.124
Having established that our economy is a target, we now turn to the vulnerabilities of our
financial systems.
3.2.2 Direct Attacks on Financial Systems
Financial institutions such as banks and credit unions have historically been known for
protecting critical data. Their business depends on keeping their clients’ money safe and secure.
Given that over half of all major cyber attack incidents in 2001 targeted financial institutions,
cyber-security is a top priority.125
Institutions spend a large percentage of their profits to ensure
the systems handling all of their financial records and transactions are cyber-secure.
Unfortunately, the financial sector has taken a giant step back since the development of high
speed wireless systems.
Electronic funds transfers (EFTs) are exchanged at a volume of over one trillion dollars per day.
Of course, all of the data in these transfers is encrypted, but there are numerous possibilities for
how the transfers made through wireless internet could be vulnerable to hackers. One such
vulnerability was discovered in GSM phones. When making a banking transfer, the data must
cross from GSM wireless encryption to standard internet encryption. In the split second the data
is stored in the gateway between wireless and wired internet, a hacker could intercept an
unencrypted transmission. While the skill level and luck needed to perform such a task are
considerable, so is the reward, with billions of dollars to be stolen.126
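The gateway exposure described above, as an added illustration that is not part of the report: a Python model of a handset-to-bank transfer relayed through a carrier gateway. With hop-by-hop protection only (link encryption, then wired encryption), the plaintext sits in the gateway's memory between the two hops; an end-to-end encrypt-then-MAC layer keyed only between the banking app and the bank removes that exposure and lets the bank detect tampering at the gateway. The cipher, keys and message are constructed toys standing in for GSM link encryption and TLS, which the report does not detail.

```python
"""Hop-by-hop vs end-to-end encryption across a wireless-to-wired gateway.

Added illustration, not code from the report. The toy cipher below is a
SHA-256 keystream XOR (keystream reused per message, so NOT secure); it only
makes the two architectures visible and stands in for GSM encryption and TLS.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample keys, not real credentials.
K_LINK = b"gsm-link-key-shared-handset-and-carrier"
K_WIRED = b"tls-key-shared-gateway-and-bank"
K_E2E = b"app-key-shared-handset-app-and-bank"
TAG_LEN = 32  # SHA-256 HMAC tag length in bytes


def _keystream(key: bytes, length: int) -> bytes:
    """Expand key into a pseudo-random stream by hashing key||counter (toy only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt


@dataclass
class Gateway:
    """Carrier gateway that terminates the wireless link and opens a wired one.

    Whatever it holds after link decryption is recorded in `observed`, which
    models an attacker reading the gateway's memory during the hand-off.
    """
    observed: List[bytes] = field(default_factory=list)

    def forward(self, from_handset: bytes) -> bytes:
        link_payload = toy_decrypt(K_LINK, from_handset)  # link encryption ends here
        self.observed.append(link_payload)                # momentarily held in the clear
        return toy_encrypt(K_WIRED, link_payload)         # re-encrypted for the bank


def relay_hop_by_hop(transfer: bytes) -> Tuple[bytes, bytes]:
    """Handset relies only on link encryption; the gateway sees the plaintext.

    Returns (what the gateway observed, what the bank received).
    """
    gw = Gateway()
    on_air = toy_encrypt(K_LINK, transfer)
    on_wire = gw.forward(on_air)
    at_bank = toy_decrypt(K_WIRED, on_wire)
    return gw.observed[0], at_bank


def relay_end_to_end(transfer: bytes, tamper: bool = False) -> Tuple[bytes, Optional[bytes]]:
    """Banking app adds its own encrypt-then-MAC layer under the link layer.

    The gateway still strips the link layer but now only sees ciphertext plus
    a tag, and any modification made in transit is caught by the bank's MAC
    check. Returns (what the gateway observed, plaintext at bank or None if
    the bank rejected the message).
    """
    gw = Gateway()
    inner = toy_encrypt(K_E2E, transfer)
    tag = hmac.new(K_E2E, inner, hashlib.sha256).digest()
    on_air = toy_encrypt(K_LINK, inner + tag)
    on_wire = gw.forward(on_air)
    if tamper:  # model a hostile gateway flipping one bit of the relayed data
        on_wire = bytes([on_wire[0] ^ 0x01]) + on_wire[1:]
    received = toy_decrypt(K_WIRED, on_wire)
    body, recv_tag = received[:-TAG_LEN], received[-TAG_LEN:]
    expected = hmac.new(K_E2E, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, recv_tag):
        return gw.observed[0], None  # integrity failure: bank drops the transfer
    return gw.observed[0], toy_decrypt(K_E2E, body)


if __name__ == "__main__":
    msg = b"TRANSFER 2500.00 USD FROM 1234 TO 9876"  # constructed sample instruction
    seen, _ = relay_hop_by_hop(msg)
    print("hop-by-hop, gateway sees:", seen)
    seen, got = relay_end_to_end(msg)
    print("end-to-end, gateway sees:", seen.hex()[:32], "... bank decodes:", got)
    _, got = relay_end_to_end(msg, tamper=True)
    print("tampered at gateway, bank result:", got)
```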
Another vulnerability in the transfer of financial information exists in the 180 million miles of
fiber optic cable currently connecting the entire globe. Seth Page, CEO of Oyster Optics,
explains a shocking vulnerability.
“For both public and private networks, optical taps and analytical devices are required
and inexpensive maintenance equipment in common use worldwide today. Various types
of optical taps, however, both off-the-shelf and customized, are also used for corporate
espionage, government espionage, network disruption and other potential terrorist-type
activities. Used nefariously, optical taps allow access to all voice and data
communication transiting a fiber link.”127
This vulnerability may be very problematic because taps can be installed without detection.
Network carriers see glitches similar to those caused by the insertion of an optical tap on a daily
basis. While financial institutions do make efforts to encrypt data transferred over networks,
124 “National Security Advisor Rice on Protecting U.S. Infrastructure”. 22 March 2001. 27 Oct 2007. <http://www.usembassy.it/file2001_03/alia/a1032210.htm>
125 Glaessner, Thomas, Tom Kellermann, and Valerie McNevin (2002). “Electronic Security: Risk Mitigation In Financial Transactions”. The World Bank. p. 43. 29 Oct 2007. <http://info.worldbank.org/etools/docs/library/83592/esecurity_risk_mitigation.pdf>
126 “Wireless Vulnerabilities”. Maisonbisson. 24 Sept 2002. 30 Oct 2007. <http://maisonbisson.com/blog/post/10387/wireless-vulnerabilities>
127 Kabay, M. E. (2003). “Tapping Fiber Optics Gets Easier”. Network World. 29 Oct 2007. <http://www.networkworld.com/newsletters/sec/2003/0303sec1.html>
there are millions of hackers worldwide working for nation-states and terrorist organizations to
crack data encryption.
Financial institutions are an extremely valuable target for hackers, which is why such a large
percentage of cyber-attacks are made in this sector. The Communications Management
Association (CMA) conducted a survey that revealed thirty-two percent of the UK's top 1,000
public and private institutions acknowledged their institution had suffered a cyber attack ranging
from data theft to infiltration of corporate bank accounts.128
Further, half of the senior workers
considered the attacks a major threat to their institutions’ survival. The financial institutions
must constantly adapt if our economy is to remain safe from a thinking enemy.
3.3 Infrastructure
The United States’ critical infrastructure—power grids, water lines, communications, emergency
response systems, etc.—is one of the most vulnerable and potentially devastating targets
available for enemy states and terrorist groups. This was first discovered in 1997 when the
aforementioned operation known as “Eligible Receiver” used NSA hackers in an attempt to
infiltrate various infrastructure systems. Their ‘red team’ was limited to using computers and
hacking software that were available to the public, but was still “able to infiltrate and take
control of the Pacific command center computers, as well as power grids and 911 systems in nine
major U.S. cities.”129
Another, more distressing, reported cyber-attack happened in the summer of 2001,
when the Webmaster for the city of Mountain View, CA recognized an odd site-intrusion pattern.
He contacted the FBI, and upon further investigation it was found that similar attacks had been
happening in multiple cities around the country. The intruders were found to be researching the
cities’ utilities, government offices, and emergency systems. When the sources of the attacks
were traced, the signals seemed to be coming from the Middle East and Southern Asia. This
information became particularly interesting when American intelligence agencies seized Al
Qaeda laptops after the Sept. 11 attacks and found what appeared to be a “broad pattern of
surveillance of U.S. infrastructure.”130
Given the number of cyber-warfare threats to America’s infrastructure,
the following sections present the history and current dangers that our nation faces.
3.3.1 Power Utilities
Of all critical infrastructures, power utilities are perhaps the most desirable target for enemies
due to their interconnectedness and relative lack of security backups, plans, and software. In
fact, every day large power utilities must fight off hundreds, and even thousands of attackers
attempting to shut down the power system, steal important data about the plant, or gain control of
128 Gwin, Peter (2001). “Is the Internet the Next Front in the Terror War?” Europe. Issue 410.
129 “Cyber-war!” PBS: Frontline. April 2003. 29 Oct. 2007. <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
130 “Cyber-war!” PBS: Frontline. April 2003. 29 Oct. 2007. <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
the regional grid.131
However, due to the natural complexity of the generators and operating
systems, very few successful attacks have occurred. This lack of successful attacks is the main
reason why little effort has been put into defending our infrastructures up to this point.132
Even though only a few successful attacks on utilities have been recorded, that is no reason for
their importance to be overlooked. For example, in 2003 the “Slammer Worm” began
propagating through thousands of unprotected computers. The volume of traffic it
generated eventually became so large that it crashed the safety monitoring system at
the Davis-Besse nuclear power plant in Ohio.133
Fortunately the plant had built-in redundancies,
and therefore the backup security system was not affected. In turn, no long-term damage was
done to either the plant or the surrounding area.
In a more recent event, the Department of Energy’s Idaho Lab conducted an experiment in
March of 2007 in which they were able to remotely destroy a power generator. The team built a
replica of a power plant’s control system, hacked into the operating system, and commanded the
generator to oscillate in a way not natural to the machine’s design. This unbalanced rotation
forced the generator to release significant amounts of smoke and eventually shut down, breaking
the generator.134
The experiment was done in order to prove the vulnerability of our power grids
if an enemy obtains the necessary security codes and generator specifications.
3.3.1.1 Why is the Power Grid so Vulnerable?
The problems within the power grid stem from the fact that all power systems within
the United States are interconnected, yet the owners and operators of each individual power plant
rarely communicate security weaknesses to each other. The problems continue when the utility
companies try to improve their security systems, yet the research and information needed is
scarce due to the limited information offered by government agencies. This lack of information
leads to utility executives making “security-related decisions on the basis of sparse, uncertain, or
anecdotal information.”135
Because the communication between government agencies and
power utilities is so poor, the industry has a naturally weak foundation due to a lack of security.
This raises the question of why the utility companies don’t take the initiative and fund their own
security research. Because the power companies have faced economic struggles in the past
decade, they are all now in competition with each other to remain functional. Because of this,
131 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 32. 24 Oct. 2007. <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
132 “Cyberwarfare on the Electricity Infrastructure.” Office of Scientific and Technical Information. 12 Sep. 2007. <http://www.osti.gov/bridge/product.biblio.jsp?osti_id=769245>
133 Poulsen, K. “Slammer worm crashed Ohio nuke plant network.” Security Focus. 19 August 2003. 12 Sep. 2007. <http://www.securityfocus.com/news/6767>
134 Meserve, J. “Staged cyber attack reveals vulnerability in power grid.” CNN. 26 September 2007. 4 Oct. 2007. <http://www.cnn.com/2007/US/09/26/power.at.risk/>
135 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 32. 24 Oct. 2007. <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
many companies are unable to spare the resources for research.136
However, some individual
power utilities have pioneered the field and have found some useful information. This
information has not led to an overall improvement in cyber-security, though, due to the lack of
“effective technology transfer and broad industry support.”137
This simply reflects the fact that
individual companies do not share their research findings, and in turn, most are unprotected.
This causes a problem because “cyber-security is only as strong as the ‘weakest link’ in the chain
of interconnected information and communication systems that utilities use.”138
Because of this
dilemma, Richard Clarke, former White House Cyber-Security Advisor, says that this is the one
sector in which federal regulation makes sense. He believes that if the government does not step in
and set a standard for security, then the companies are not going to do it themselves. Clarke
continues by stating, “For once, we have the companies saying they want it to be regulated, so
that they're all required to do it simultaneously. There's the even playing field, and no one has
competitive disadvantage by improving security.”139
While a lack of cyber-security research is the main reason for the vulnerability in the power
utility field, other problems also exist. One such problem is the sheer size and
interconnectedness of the American power system. In some ways it is both a curse and a gift. It
is a curse because it contains 200,000 miles of high-powered lines, making the entire system
impossible to defend against a terrorist attack. In fact, as the power grids continue to grow and
become more interconnected, the vulnerability of the systems will continue to increase due to the
number of entry points. However, the system’s size is a gift in the sense that if a terrorist
organization were to take over a power grid, they would only be able to affect a specific region.
This would cause economic damage to the attacked area, but not cripple the entire country’s
economy if the power was restored within a few days.140
Another source of vulnerability is the ever-changing business practices that are being employed
by the power companies. Many are turning to third-party vendors for administrative services
such as payroll and accounting. This means the power station’s control system may
inadvertently be connected to the vendor’s network. This can cause a problem because the third-
party’s security system may not be firewalled as robustly as the power plant’s control center,
which opens the control center to attack via the vendor’s network.141
136 Interview. Richard Clarke. “Cyber-war!” PBS: Frontline. April 2003. 29 Oct. 2007. <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
137 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 32. 24 Oct. 2007. <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
138 Ibid.
139 Interview. Richard Clarke. “Cyber-war!” PBS: Frontline. April 2003. 29 Oct. 2007. <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
140 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 31. 24 Oct. 2007. <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
141 Id. at 35.
3.3.1.2 What is Being Done?
In 2000, the Energy Information Security (EIS) program was developed by the Electric Power
Research Institute to provide individual utilities with the tools they could use to enhance their
own security programs. This included cyber-security awareness training, information sharing,
and risk management protocols. The program has led to early exploratory work on fast
encryption technologies to protect data and control systems.142
However, as Clarke points out,
tools similar to the ones that EIS provided for the utilities’ systems were too difficult or too slow
to install, or introduced an incompatibility that created a new problem.143
Therefore, the EIS program has not led to any significant improvements in
cyber-security other than fast encryption research.
Another attempt at utility cyber-security happened in 2004 when the Department of Homeland
Security established the Process Control Systems Forum (PCSF). The Forum focuses on “threats
to the computerized automated control systems that underlie operation of most of the country’s
critical infrastructure, including the electric power grid.”144
The Forum, in other words, is
gathering security knowledge that has been obtained in different infrastructure fields, and is
attempting to stimulate communication between the utility companies in order to increase the
nation’s infrastructure security.
Although some positive results have come from these programs, the ever-growing power grid
and constantly improving terrorist techniques and knowledge call for a larger, more
comprehensive approach to solving the cyber-security dilemma. After gathering security
information from over 60 different utilities and government organizations, the PowerSec
Initiative was formed in an attempt to map the strengths and weaknesses of the power system.
From the information that has and will be gathered, PowerSec is able to “evaluate the industry’s
current cyber-attack readiness, identify gaps in this readiness, and specify existing best practices
for filling these gaps.”145
Through this program, the power utility industry will eventually be
able to know exactly what does and does not work in protecting their systems.
3.3.2 Emergency Response
“Eligible Receiver” has been the only recorded instance in America in which a 911 system has
been taken over. The emergency response system was shut down for about an hour in Estonia
142 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 35-6. 24 Oct. 2007. <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
143 Interview. Richard Clarke. “Cyber-war!” PBS: Frontline. April 2003. 29 Oct. 2007. <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
144 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 34. 24 Oct. 2007. <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
145 Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 36. 24 Oct. 2007. <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
when Russia launched its DoS attack against the Baltic country. No research in the field has
been published.
3.3.3 Communications
Although no loss of communications systems has been recorded in America, Homeland Security
and Defense Telecommunication Systems spending will increase from $15.2b in 2004 to $21b by
2009 in order to expand the network in case of cyber-attack.146
Estonia lost most of its
international communication ability for a few days after the Russian DoS attack. No research in
the field has been published.
3.4 Transportation Systems as a Target
According to Joseph Szyliowicz, a member of the Transportation Research Board, “cyber
warfare is of direct relevance to transportation, given the ever-growing dependence on modern
information, tracking, and data processing systems by transportation companies and agencies.”147
Transportation systems could conceivably be an appealing target to potential cyber-attackers due
to the integral role they play in the economy. Szyliowicz notes that transportation accounts for
over 10 percent of the nation’s gross domestic product. The recent history of conventional
terrorism also suggests that cyber-attackers may choose to target transportation systems,
provided feasible opportunities exist. Eighteen of the twenty-five major terrorist attacks from
1983 to 2001 “involved the use of transportation vehicles as weapons, and another five
involved attacks on planes.”148
At present, the aviation system is more at risk of a focused cyber-attack than any other
component of the nation’s transportation infrastructure. Other transportation networks, such as
urban public transit systems, rely less on computer systems to function. Ports and shipping
networks may be open to certain cyber-attacks with limited scope, but these vulnerabilities seem
to pale in comparison to physical vulnerabilities, and cyber-attacks on these networks have been
the subject of relatively little research. Following a discussion of public transit systems and
shipping networks, this assessment focuses on aviation systems as a target of cyber-attacks.
146 “Homeland Security and Defense Telecommunications Spending to Increase 40 Percent by 2009.” Business Wire. 3 August 2004. 28 Oct. 2007. <http://findarticles.com/p/articles/mi_m0EIN/is_2004_August_3/ai_n6139915>
147 Szyliowicz, Joseph S. (2004). International transportation security. Review of Policy Research, 21.
148 Ibid.
3.4.1 Public Transit Systems
Public transit systems, such as buses, metros, light rail, and ferries, do not appear to be a likely
target of cyber-attacks. They are generally manually controlled, and can be operated
independently of any centralized computer systems or the Internet.
[Figure 3.1: Worldwide Terrorist Attacks on Public Transit, 1980-2005. Chart categories: ambushes, hijackings, misc., shootings, bombs, and other explosives (e.g. grenades, rockets and landmines).]
There were 235 attempted terrorist attacks on public transit systems around the world from 1980
to 2005, but none of those attempts used electronic methods of attack or targeted any computer
systems.149 Their main vulnerability to cyber-attacks stems from their use of communications
and power systems; both of those systems were discussed previously in this report.
3.4.2 Shipping Networks
To date, studies of the risk of cyber-attacks on ports and domestic freight and shipping networks
have been mostly speculative. It appears the threat cyber-attacks currently pose to shipping
networks is small compared to other areas of the transportation infrastructure. As with other
areas of the national infrastructure, shipping networks will become more vulnerable to cyber-
attacks as they rely more on computer systems.
According to a 2003 Transportation Research Board report, the nation’s shipping infrastructure
is a fragmented patchwork of private companies “operating different modes of transport (e.g.,
149 Pike, J. (2007, July 7). Chronology of terrorist attacks against public transit. Retrieved October 30, 2007, from Global Security Web site: http://www.globalsecurity.org/security/ops/mass-transit-chron.htm
ship, truck, train, air)” with a small degree of overall system coordination and varying local, state
and federal regulations.150 A breakdown of the industry by transportation mode is shown below.
Figure 3.2: Value and Tonnage of Domestic Freight Shipments151
The freight industry’s current use of computer systems is largely focused on replacing paper
manifest documents with electronic versions. In the maritime and air shipping sectors, freight
carriers are now allowed the option of submitting manifests electronically to reduce their cargo’s
processing time. Participation in a similar system was made mandatory in January 2007 for
truck carriers entering the country; carriers can enter information through the Internet or
electronic data interchange (EDI).152
This could potentially introduce the ability of cyber-attackers to gain access to shipping
manifests, but no easily obtainable data exists to suggest that this is viable. The risk is mitigated
by the fact that in a regime of voluntary participation, as is the case with maritime and air
shipping, carriers often opt to use traditional paper manifests. In the case of the trucking
industry, for example, only 4 to 9 percent of incoming trucks filed electronic manifests before
participation was made mandatory. In the trucking industry in particular, changes to the type of
cargo and the carrier’s route are frequent.153
In the future, one source of vulnerability could result from the use of electronic container tags
and seals. Electronic tags would store information on a container’s contents, while electronic
seals would signal whether a container had been opened or tampered with. These technologies
150 Transportation Research Board (2003). Cybersecurity of freight information systems: A scoping study. Washington, D.C.: Transportation Research Board.
151 Transportation Research Board (2003). Cybersecurity of freight information systems: A scoping study. Washington, D.C.: Transportation Research Board.
152 Moore, J. (2007, February 26). Freight security programs and test projects proliferate. FCW.com. Retrieved October 25, 2007, from http://www.fcw.com/print/13_5/news/97727-1.html
153 Moore, J. (2007, February 26). A long haul for freight security. FCW.com. Retrieved October 25, 2007, from http://www.fcw.com/print/13_5/news/97727-1.html
are in the planning phases,154
so it isn’t clear exactly how viable it would be to exploit these
electronic devices.
The most substantial cyber-security assessment of the shipping network is found in the 2003
Transportation Research Board report discussed above.155 That report outlined three possible
cyber-attack scenarios.
The first scenario involved a denial-of-service attack on freight information systems, such as
those used by customs agencies. However, the fragmented nature of the freight industry may
help reduce the damage of a denial-of-service attack. The Transportation Research Board
concluded that more research needs to be done, but these attacks would likely be “easiest to
perpetrate but the least damaging”.
The two other scenarios do not involve pure cyber-attacks, but rather the use of cyber-attacks to
strengthen a conventional attack. Attackers could conceivably use electronic manifest
information to intercept a hazardous materials shipment, or plant false manifest information to
disguise a shipment of weapons or hazardous materials. The Transportation Research Board
concluded the latter case “may be the least likely, and the IT role in the attack may not be
central.” Because these technologies are largely in the test phase, there are no case studies or
assessments of the feasibility of this scenario.
3.4.3 Air Transportation Networks
At present, the aviation system uses computer technologies more heavily than any other
component of the nation’s transportation infrastructure. The Federal Aviation Administration’s
air traffic control system has been described by the Government Accountability Office as “a vast
network of computer hardware, software, and communications equipment.”[156]
The FAA estimates that the air transportation industry accounts for 5.4 percent of the nation’s
GDP. On an average day, nearly 2 million passengers fly in U.S. airspace, and up to 7,000
civilian and military aircraft are aloft over the U.S. at any given time.[157] Only one would need to
be targeted in a cyber-attack for an impact to be felt on the economy and public perception, even
if the attack did not result in physical damage.
[154] Transportation Research Board. (2003). Cybersecurity of freight information systems: A scoping study. Washington, D.C.: Transportation Research Board.
[155] Transportation Research Board. (2003). Cybersecurity of freight information systems: A scoping study. Washington, D.C.: Transportation Research Board.
[156] Government Accountability Office. (2003). Information security: Progress made, but Federal Aviation Administration needs to improve controls over air traffic systems. Washington, D.C.: Government Accountability Office.
[157] FAA Air Traffic Organization. (2006). Moving America safely: 2005 annual performance report. Washington, D.C.: Federal Aviation Administration.
Figure 3.3: FAA Traffic Situation Display of Civilian and Military Aircraft[158]
3.4.3.1 Aircraft Internal Electronic Control Systems
One potentially serious, but largely unrealistic vulnerability to cyber-attack is introduced by the
reliance of commercial aircraft on electronic flight control systems. Many newer commercial
aircraft use electronic fly-by-wire (FBW) control systems, including, as of 2001, 2,300 out of
11,000 aircraft made by Boeing and Airbus, the two most popular manufacturers.[159] In these
FBW systems, the cockpit is connected to the plane’s wing and tail control mechanisms by solid
state electrical control systems instead of by direct mechanical or hydraulic connections. In some
planes, such as the Boeing 777 and the Airbus A380, there is no hydraulic or mechanical backup
control system, and the pilot cannot completely disable the plane’s computers and bypass the
FBW system.[160]
However, in commercial FBW aircraft, the pilot can still disable automatic navigation systems
and manually input flight instructions to the FBW system. This implies there is no way for a
commercial aircraft to be electronically hijacked while it is airborne. Systems allowing
authorities to remotely control a commercial aircraft in an emergency have been conceived, but
industry leaders have concluded these systems would introduce more vulnerabilities than the benefit would warrant.[161] Also, in 1993, one study concluded that fears of electromagnetic radiation disrupting an aircraft’s electrical control system were “unfounded”.[162]
[158] Government Accountability Office. (2003). Information security: Progress made, but Federal Aviation Administration needs to improve controls over air traffic systems. Washington, D.C.: Government Accountability Office.
[159] Wald, M. L. (2002, April 11). Can computers foil air pirates? New York Times.
[160] Alford, L. (2000). Cyber warfare: Protecting military systems. Acquisition Review Quarterly, Spring 2000 volume.
The vulnerability of the FBW system’s software to the insertion of malicious code is another
conceivable risk factor, but the system’s built-in redundancies make this impractical for a cyber-
attacker to exploit. Airbus uses a software-based approach, in which several teams of software
developers develop unique implementations of the FBW software from a common set of
specifications. The multiple implementations are run in parallel in the final design, and a voting
system is used to choose the most recommended output.[163] This means any attempt to insert
malicious code into an Airbus flight control system from the inside would require “renegade”
software developers to be on a majority of the development teams.
Boeing’s 777 uses a hardware-based approach instead in its “triple-triple redundant” FBW
system, largely similar to that of the newer 787. There are three independent, isolated flight
computer channels, and each channel has three independently-powered “computer lanes” with
three dissimilar microprocessors. Among other things, this means the software code is compiled
in three different ways; according to the system’s design specifications, this dissimilar
redundancy should reduce the risk of hardware being compromised by a factor of one million.[164]
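As an added illustration (not code from the report, Airbus or Boeing), the following Python model shows why the majority-voting redundancy described above forces an attacker to control a majority of the implementations: a hypothetical control law, three equivalent implementations, one constructed malicious implementation with a trigger input, and a two-stage lane/channel vote modelled on the “triple-triple” description. The control law, trigger value and lane counts are assumptions, and the model captures only the voting logic, not the dissimilar hardware or the factor-of-a-million figure.

```python
"""Majority-voting redundancy model (added illustration; not code from the
report, Airbus or Boeing). The control law, the trigger value and the
lane/channel layout are constructed assumptions."""
from itertools import combinations
from typing import Callable, Optional, Sequence, Set, Tuple

# Hypothetical specification shared by all teams: elevator command (degrees)
# equals ten times the stick deflection. Three teams implement it differently.
def team_a(stick: float) -> float:
    return 10.0 * stick

def team_b(stick: float) -> float:
    return stick * 5.0 * 2.0

def team_c(stick: float) -> float:
    return sum(stick for _ in range(10))  # clumsy but still meets the spec

def renegade(stick: float) -> float:
    """Constructed malicious implementation: matches the spec for ordinary
    inputs, then commands a hard-over deflection once a trigger is reached.
    Nominal testing would not reveal it, which is why the vote matters."""
    return 10.0 * stick if abs(stick) < 0.9 else -60.0

TOL = 1e-6  # agreement tolerance, since equivalent code may differ in rounding

def majority_vote(outputs: Sequence[float]) -> Optional[float]:
    """Return a value that more than half of the voters agree on (within TOL),
    or None when no majority exists; a real system would enter fault handling."""
    for candidate in outputs:
        agreeing = sum(1 for o in outputs if abs(o - candidate) <= TOL)
        if agreeing > len(outputs) / 2:
            return candidate
    return None

def n_version_output(stick: float,
                     impls: Sequence[Callable[[float], float]]) -> Optional[float]:
    """Software-based scheme from the text: run every implementation on the
    same input and let the voter choose."""
    return majority_vote([impl(stick) for impl in impls])

Lane = Tuple[int, int]  # (channel index, lane index)

def triple_triple_output(stick: float, compromised: Set[Lane],
                         channels: int = 3, lanes: int = 3) -> Optional[float]:
    """Two-stage vote modelled on the 'triple-triple' description: each channel
    votes among its own lanes, then the channels vote. Lanes listed in
    `compromised` run the renegade code instead of a correct implementation."""
    channel_outputs = []
    for ch in range(channels):
        lane_outputs = [(renegade if (ch, ln) in compromised else team_a)(stick)
                        for ln in range(lanes)]
        vote = majority_vote(lane_outputs)
        if vote is not None:          # a channel with no majority is dropped
            channel_outputs.append(vote)
    return majority_vote(channel_outputs) if channel_outputs else None

def is_subverted(stick: float, compromised: Set[Lane]) -> bool:
    """True when the compromised lanes change (or remove) the final output."""
    out = triple_triple_output(stick, compromised)
    return out is None or abs(out - team_a(stick)) > TOL

def min_lanes_to_subvert(stick: float = 1.0) -> int:
    """Brute-force the smallest number of compromised lanes, out of nine, that
    subverts the output at the trigger input, searching every placement."""
    all_lanes = [(ch, ln) for ch in range(3) for ln in range(3)]
    for k in range(1, len(all_lanes) + 1):
        for subset in combinations(all_lanes, k):
            if is_subverted(stick, set(subset)):
                return k
    return len(all_lanes)

if __name__ == "__main__":
    print("3 teams, 1 renegade :", n_version_output(1.0, [team_a, team_b, renegade]))
    print("3 teams, 2 renegade :", n_version_output(1.0, [team_a, renegade, renegade]))
    print("2 impls, disagree   :", n_version_output(1.0, [team_a, renegade]))
    print("one bad lane/channel:", is_subverted(1.0, {(0, 0), (1, 0), (2, 0)}))
    print("minimum lanes needed:", min_lanes_to_subvert())
```

With the trigger input applied, one renegade implementation among three is simply outvoted, and the two-stage vote requires four of the nine lanes, placed as two in each of two channels, before the output changes; below the trigger the renegade code is indistinguishable from the correct versions, which is the dormant-code case that testing alone does not catch.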
It is conceivable that as future aircraft rely more heavily on computer systems, they may become
more vulnerable to cyber-attacks. At present, though, disrupting or hijacking a commercial
aircraft’s navigation system is infeasible to the extent that the risk of a cyber-attack to an
aircraft’s computer system is far outweighed by the risk of conventional attacks. Cyber-attackers
are likely to look elsewhere for a more practical target.
3.4.3.2 Air Traffic Control System
The nationwide air traffic control system is more exposed to cyber-attack than individual aircraft
are, and is accordingly a more realistic target. The most recent Government Accountability
Office report on the FAA’s cyber-security, published in 2005, found that despite ongoing efforts
to improve information security, the agency’s computer systems were “vulnerable to
unauthorized access, use, modification, and destruction that could disrupt aviation operations.”[165]
[161] Wald, M. L. (2002, April 11). Can computers foil air pirates? New York Times.
[162] Clough, B. T., Cope, B., & Donley, S. (1993). Microwave induced upset of digital flight control systems. Digital Avionics Systems Conference, 12, 179-184.
[163] Greenwell, W. S., & Alsbrooks, J. G. (2007). Excerpt from "Digital Control Systems". Retrieved November 3, 2007, from IEEE Computer Society Web site: http://www.computer.org/portal/site/ieeecs/menuitem.c5efb9b8ade9096b8a9ca0108bcd45f3/index.jsp?&pName=ieeecs_level1&path=ieeecs/ReadyNotes&file=s_k_sample.xml&xsl=generic.xsl&
[164] Yeh, Y. C. (2001). Safety critical avionics for the 777 primary flight controls system. Digital Avionics Systems, 1, 1-11.
[165] Government Accountability Office. (2003). Information security: Progress made, but Federal Aviation Administration needs to improve controls over air traffic systems. Washington, D.C.: Government Accountability Office.
Some vulnerabilities found by the GAO were a result of outdated or poorly configured
computers. In one case, a computer system’s operating system had been unpatched since 1991
despite several vulnerabilities; in many other cases patches were not applied consistently or
quickly enough. Networks were not configured to prevent intrusion or denial-of-service
attacks—though a fix was in progress at the time of the report—and intrusions were not traceable
to a specific user or location.
Other problems found by the GAO were related to the staffing policies of the FAA and user
access permissions. For example, the FAA relies on outside contractors for much of its
information technology, and access to sensitive areas of the computer systems was often granted
when it wasn’t necessary for a worker to perform their job. There was little segregation between
software development, testing, and production control—another issue the FAA had plans to
fix—meaning developers could introduce malicious code.
However, while vulnerabilities to intrusion and malicious code exist, the same report stated that
the nature of the FAA’s computer systems makes them somewhat less susceptible to a cyber-
attack. The systems are highly proprietary and out-of-date relative to typical computer systems,
meaning they are more vulnerable to an attack from within the agency than from an outsider or
from the average hacker.
While the FAA does, as the GAO report states, rely on computer systems to ensure “safe, orderly
and efficient” air transportation, it isn’t clear that any physical damage would result from cyber-
attacks on air traffic systems. According to the Center for Strategic & International Studies, if
computer networks are unavailable, backup communications equipment exists which isn’t
dependent on the Internet, and air traffic’s “control and decision making process” includes a
“high level of human involvement” that reduces the potential damage of a cyber-attack.
Furthermore, pilots are trained to operate aircraft without support from air traffic control in
emergency situations 166
and modern commercial aircraft include automatic collision avoidance
systems.
Case studies help reveal the realistic impact that would result from a cyber-attack on aviation
systems. In 1997, a juvenile hacker disabled the local phone service in Rutland, Massachusetts,
resulting in the disabling of the air traffic control tower’s main radio transmitter at Worcester
Regional Airport for six hours.[167] No accidents, close calls or disruptions were reported at the
airport, which handled an average of about 165 flights per day that year, but this demonstrates
how vulnerable systems have been in the past.
In September of 2004, the FAA servers that allowed air traffic controllers in Southern California
to communicate with the 800 airplanes aloft in their airspace crashed for three hours. Planes that
had not taken off were held on the ground and delayed or cancelled.[168] Air traffic controllers
affected by the server crash used their cell phones to pass control of the airborne planes to other FAA facilities. There were no accidents, but there were five incidents of planes traveling more closely than normal; in the closest call, two planes were separated horizontally by one mile.[169] This demonstrates that while temporary disruptions to air traffic control do not overwhelmingly increase the risk of an accident, the risk is still greater than during normal operation.
[166] Lewis, J. (2002). Assessing the risks of cyber terrorism, cyber war and other cyber threats. Washington, D.C.: Center for Strategic & International Studies.
[167] Thomas, P. (1998). Teen hacker faces federal charges. CNN.com. Retrieved October 25, 2007, from http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/index.html
[168] Wald, M. L. (2004, September 15). Air control failure disrupts traffic. New York Times.
A similar incident happened at the FAA’s Memphis Control Center in September of 2007, when
radar and phone communication were lost for two hours. Again, when their capability to
communicate directly with aircraft was lost, air traffic controllers handed control of the planes in
their 100,000 square miles of airspace to seven adjacent control centers via cell phone. No
accidents or close calls resulted. There were many delayed flights, but few cancellations; out of
740 flights that day, Northwest Airlines cancelled 13 and diverted 19.
One possible cyber-attack scenario would involve the insertion of malicious code into FAA
software, either by a renegade FAA employee or contractor or by remotely accessing FAA
servers. There is not much available research into what the worst-case effects of this could be—
possibly for national security reasons—but it is conceivable that the air traffic control system
could be disabled. Another possible cyber-attack could target communication systems such as
local phone systems or power systems that air traffic control centers rely on.
The effects of these kinds of attack would be similar to those of the case studies previously
discussed. The affected areas of the national air traffic system would put a hold on departing
flights, and the flights in the air would most likely be managed by air traffic control centers that
were still operational. Any delays and cancellations would have economic consequences in
proportion to the duration and scope of the shutdown, and public confidence could erode in any
scenario. The worst case scenario, in which all air traffic control centers would be disabled for
an extended period of time, is purely speculative and highly unlikely, given the distributed and
redundant nature of the air traffic system.
It is also conceivable that a cyber-attack could be used to disable some component of the air
traffic control system in conjunction with a more traditional form of attack. For example, if
every FAA control center were disabled while a plane was hijacked, it is conceivable that more
damage could result. While this sort of total collapse of the FAA’s control network would be
completely without precedent and is purely speculative, it is not known to be impossible.
However, these combined cyber and traditional attacks on aviation are the subject of little
research, and it is unclear how much of a negative effect the system being disabled would
realistically add to the conventional attack.
3.4.4 Conclusions
In all areas of the nation’s transportation infrastructure, the threat currently posed by cyber-warfare is significantly smaller than that posed by conventional methods of attack. Public transit systems currently do not rely on computer systems enough to be an attractive target to cyber-attackers. Similarly, shipping networks’ vulnerability to cyber-attacks is limited at present, and any cyber-attack on shipping networks would need to occur in conjunction with a conventional attack to cause major damage. Also, there are enough glaring physical vulnerabilities that attackers would be less likely to focus cyber-warfare on shipping networks.
[169] Mullen, M. (2004, September 16). Human error caused chaos in the sky. MSNBC Online. Retrieved October 25, 2007, from http://www.msnbc.msn.com/id/6021929/
In the case of the nation’s aviation network, the air traffic control system has several major
vulnerabilities to cyber-attacks that should be addressed, as demonstrated by previous incidents.
However, because of the degree of redundancy and human involvement present, the potential
physical damage caused by cyber-attacks is unlikely to approach the damage conventional
attacks can cause. This makes cyber-warfare a less favorable tool for aggressors, especially if
not used in conjunction with some form of traditional attack.
At present, the primary effects of a cyber-attack on the transportation infrastructure would be
economic, not physical. However, as systems become more dependent on computer systems,
they will be inherently more vulnerable to cyber-attacks, and the effects may become more
severe. This means cyber-security should remain central to the development of transportation
systems.
4 Consequences
4.1 Economic Consequences of Cyber-Warfare
It is difficult to quantify the economic effects of cyber-warfare because the scale of such attacks
varies widely. Assumptions must be made on the degree of success of attacks and their
consequences must then be analyzed. Previous attacks and electronic disruptions provide insight
on potential costs.
4.1.1 Economic Consequences of Hacking
Cyber-warfare incidents can be costly even when conducted by small groups of attackers. A
group of 12 people led by Jonathan Bosanac from San Diego “hacked into a digital cache of
unpublished telephone numbers at the White House, portions of the national power grid, air
traffic control systems, the FBI’s National Crime Information Center, credit-reporting databases,
and telephone networks such as MCI, WorldCom, Sprint, and AT&T.” These 12 attackers cost
the United States and businesses an estimated $1.85 million.[170]
In 1999, a computer hacker from New Jersey created a virus called “Melissa” that spread through
thousands of computers through email. The virus attacked personal, government and corporate
computers using an “X-rated Web site.” This computer virus alone, created by one man, caused
an estimated $80 million in damage.[171] A virus called “I Love You”, created in 2000, caused $10 billion in
damage. When “Love-Letter-For-You.txt.vbs” was opened from a recipient’s email, the virus
would copy itself onto three locations in the computer, initiating various start-up commands
upon computer boot-up, and sending itself as an attachment to addresses in the recipient’s
address book.[172] This virus was created by a single student in the Philippines whose PhD thesis had been rejected.
4.1.2 Economic Consequences of Infrastructure Attacks
There are many critical infrastructures that could be attacked and result in economic damage, but
there are two sectors that are more significant individual threats.
The transportation system is an appealing target to potential cyber-attackers due to the integral
role it plays in the economy. Transportation accounts for over 10 percent of the nation’s gross
domestic product. The recent history of conventional terrorism also suggests that cyber-attackers
may choose to target transportation systems, provided feasible opportunities exist. Eighteen of
the twenty-five major terrorist attacks from 1983 to 2001 “involved the use of transportation
vehicles as weapons, and another five involved attacks on planes.”[173]
[170] Granville, J. (2003, March). Dot.Con: The dangers of cyber crime and a call for proactive solutions. Australian Journal of Politics & History, 49(1), 104.
[171] Ibid.
[172] Ibid.
[173] Szyliowicz, J. S. (2004). International transportation security. Review of Policy Research, 21.
The FAA estimates that the air transportation industry accounts for 5.4 percent of the nation’s
GDP. On an average day, nearly 2 million passengers fly in U.S. airspace, and up to 7,000
civilian and military aircraft are aloft over the U.S. at any given time.[174] Only one would need to
be targeted in a cyber-attack for an impact to be felt on the economy and public perception, even
if the attack did not result in physical damage.
A successful attack on the power grid presents the greatest economic threat among critical
infrastructures. An Independent Task Force under the Council on Foreign Relations describes in
a report how vulnerable the power grid really is. Refined oil would be a likely target, as “A
coordinated attack on several key pumping stations- most of which are in remote areas, are not
staffed, and possess no intrusion-detection devices- could cause mass disruption to these flows.
Nearly 50 percent of California’s electrical supply comes from natural gas power plants, and 30
percent of California’s natural gas comes from Canada. Compressor stations to maintain
pressure cost up to $40 million each and are located every sixty miles on a pipeline. If these
compressor stations were targeted, the pipeline would be shut down for an extended period of
time. A coordinated attack on a selected set of key points in the electrical power system could
result in multi-state blackouts. While power might be restored in parts of the region within a
matter of days or weeks, acute shortages could mandate rolling blackouts for as long as several
years.”[175] Even with a new advanced backup power source installed in December of 2006, the system is only expected to last for 4 months.[176]
The cost of power outages alone is tremendous, not to mention public confidence and effects on
critical infrastructures. “The average cost of a one-second outage among industrial and DE firms
is $1,477, vs. an average [per second] cost of $2,107 for a three minute outage and $7,795 for a
one-hour outage.”[177] These figures demonstrate that the average cost per second increases as the duration of the power outage increases. The New York power outage that lasted only one day cost the United States an estimated $6 billion.[178] An extended outage for one company alone could cost approximately $5 million per month. Considering that there are thousands of distributed energy firms in any given region of the U.S., these figures could approach one trillion dollars per month. An impact this big on the U.S. economy would affect almost every citizen in the country.
[174] FAA Air Traffic Organization. (2006). Moving America safely: 2005 annual performance report. Washington, D.C.: Federal Aviation Administration.
[175] http://www.cfr.org/content/publications/attachments/Homeland_TF.pdf
[176] http://www.buyerzone.com/facilities/generators/rbic-taking-stock.html
[177] Lineweber, D., & McNulty, S. (2001). The cost of power disturbances to industrial & digital economy companies. Electric Power Research Institute, Inc. Retrieved October 30, 2007, from http://www.epri-intelligrid.com/intelligrid/docs/Cost_of_Power_Disturbances_to_Industrial_and_Digital_Technology_Companies.pdf
[178] An analysis of the consequences of the August 14th 2003 power outage and its potential impact on business strategy and local public policy. (2004). http://www.acp-international.com/southtx/docs/ne2003.pdf
4.1.3 Economic Consequence of Combined Attacks
Even more costly than an attack on the power grid would be a coordinated attack on multiple
systems. The various sectors of the current critical infrastructures in the U.S. are extremely co-
dependent. Oil refineries, power plants, dams, water treatment plants, security operations, and
many other infrastructures all depend on the internet and a constant electric power source. The
loss of these interconnected systems could cascade and result in immense economic
consequences. In November, 2004, a project conducted by the Department of Energy with the
code name “Black Ice” revealed the interdependencies between critical infrastructures. The
exercise showed how an ice storm that knocks out a major portion of the power grid would first
disrupt telecommunications systems, and later water supply, natural gas supply, and even
emergency response systems.[179]
When one considers the possibilities of organizational attacks and the compounding effect of the
loss of public confidence, the potential economic impact rises dramatically. This loss of
confidence would be the exact target of a terrorist organization. Terrorists aim “to create fear by
causing confusion and uncertainty within a given population… (Terrorist organizations)
generally use symbolic means to attack the sanctity of the society… Such actions result in
confusion and uncertainty about a government’s ability to protect its citizens. This is when
citizens are most vulnerable to influence by others.” Not only would the terrorists receive media attention for their efforts, they would also succeed in degrading the economic system as the population lost confidence in the market of such a vulnerable nation.[180] If there were a coordinated attack on a combination of systems in a large region, the estimated economic impacts would approach two trillion dollars.
[179] Verton, D. (2001, October 21). Utah’s ‘Black Ice’: Cyber-attack scenario. http://archives.cnn.com/2001/TECH/ptech/10/21/black.ice.idg/index.html
[180] “National Infrastructure Protection Center Highlights”. National Infrastructure Protection Agency, 15 June 2001, p. 2. Retrieved 30 Oct 2007 from <http://www.iwar.org.uk/infocon/nipc-highlights/2002/highlight02-03.pdf>
Figure 4.1
4.2 Social Effects
The negative effects of cyber-attacks extend far beyond damage to the economy, particularly in
the case of cyber-terrorism. Currently, no one has ever launched a successful cyber-attack on the
United States, so the social effects of such an attack are purely speculative. Because the Bush
administration categorizes cyber-attacks along with chemical, biological, nuclear, and other
major attacks, the only attack large enough to act as a point of comparison is the September 11th
World Trade Center attacks. However, because the effects of a cyber-attack could vary greatly,
this comparison is tenuous at best: the public’s reaction could differ greatly between a cyber-attack that caused widespread erasure of credit card information but no direct fatalities, and a cyber-attack that opened a dam’s floodgates and killed thousands. Nevertheless, it is likely
that a successful act of cyber-war or cyber-terrorism on the United States would have profound
social effects, particularly in terms of public confidence in the government and in the area of
infrastructure affected by the attack.
4.2.1 Public Confidence in the Government
There is a great deal of speculation among cyber-security professionals about whether the United States government is undereducated about the capabilities of cyber-attacks. According to Joe Weiss, a consulting executive for KEMA Inc, this likely stems from ignorance within the information technology industry itself about how well many systems are protected. Weiss claims that materials that have reached Senate and congressional staffers about cyber-security were technically flawed and lacking important basic information; one report about the threat SCADA systems pose to infrastructure failed even to identify that the electrical industry uses SCADA systems.[181] Many cyber-security industry professionals feel that because of this ignorance in Washington, neither enough attention nor funding is given to measures that could secure our country from cyber-attacks. The public itself is also uneducated about cyber-security: a National Cyber Security Alliance poll from October 2007 shows that of the 87% of computer users who said they use anti-virus software, 48% had not updated their software within a month. Furthermore, 81% of respondents had a firewall installed on their computer, but only 64% actually used the firewall.[182] These discrepancies indicate a universal need to increase awareness
and education about cyber-warfare and cyber-security in both the public and private sectors.
However, it is not entirely accurate to say that the Bush administration has not taken any action
to improve the nation’s cyber-security. In terms of budgeting, between 2002 and 2004, the
government increased the fiscal-year budget for federal records protection from $2.7 billion to $4.9
billion, and the National Strategy to Defend Cyberspace laid out a defense plan around which
further budgeting could be based. Despite these budget increases to federal cyber-security,
critics say that the government is still not giving infrastructure enough funding to allow
companies to make the changes outlined in the defense plan.[183] Furthermore, polls show that the majority of Americans, both Republican and Democrat, agree that Congress should pass a “strong data security law.”[184]
[181] "Interview: Joseph Weiss." Frontline: Cyber War! PBS, 23 Apr. 2003. Retrieved 24 Oct. 2007 from <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/weiss.html>.
[182] "Report Reveals Perception Gap in Cyber Security Awareness." Security Products, 2 Oct. 2007. Retrieved 20 Oct. 2007 from <http://www.secprodonline.com/articles/50717/>.
[183] "Interview: Richard Clarke." Frontline: Cyber War! PBS, 23 Apr. 2003. Retrieved 24 Oct. 2007 from <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/clarke.html>.
The public has shown in the aftermath of September 11th that it quickly loses faith in the government if there is evidence that a legitimate threat to national security was ignored. A 2004 poll shows that 49.3% of New York City residents and 41% of New York state citizens believed that the government had foreknowledge of the September 11th attacks,[185] in the wake of speculation that the Clinton and Bush administrations ignored warnings of the attacks. This weakening faith in the government is partially reflected in presidential approval ratings, which have fallen steadily since 2001.[186] Industry experts have repeatedly warned the government to bolster cyber-security, even asking for a cyber-security initiative on the scale of the Manhattan Project.[187] While a concrete plan to launch a cyber-war on American interests has not been identified, the public could have a similar response to the government’s failure to heed the experts’ warnings if a cyber-attack large enough to garner national attention were successfully launched.
4.2.2 Public Confidence in Target
Currently, the public seems to have little faith in businesses concerning cyber-attacks: a 2006
Cyber Security Industry Alliance poll found that only 24% of Americans felt that businesses
were properly emphasizing protection for information systems and networks.[188] The poll mainly asked about e-commerce, but the security systems used by infrastructure companies are often the same as those used by corporations. Statistics show that, since 2001, sales of cyber-security products have not increased as a result of increased corporate awareness of cyber-security threats, and most critical infrastructure networks are still unprotected from many types of cyber-attack.[189]
In general, many experts believe that the public is not as concerned about cyber-attacks as
physical attacks because their effects are not as tangible; most people are not aware of the extent
to which our society’s infrastructure relies upon computers. Moreover, most cyber attacks would
not be as “flashy” as physical attacks—a cyber-attack on California’s power grid, for example,
might have similar effects to the brownouts of 1998, which caused economic distress but not
terror or widespread panic. Most experts agree that a large scale cyber-attack on the United
States power grid is the “nightmare scenario,” but some disagree about the feasibility of such an
attack. Former White House cyber-security advisor Richard Clarke concedes that it would be
184
"Poll Shows Americans Want Congress to Do More to Protect Them Online." Cyber Security Industry Alliance
(2006): 30. 21 Oct. 2007
<https://www.csialliance.org/news/pr/view?item_key=e5b543c0cf207bb110c9c65b61ac476ec45e03fe>. 185
"Poll: 50% of NYC Says U.S. Govt Knew." 30 Aug. 2004. Zogby International Polling/Market Research. 28 Oct.
2007 <http://www.911truth.org/article.php?story=20040830120349841>. 186
Ruggles, Steven. Historical Bush Approval Ratings. Dept. of Hist., U. of Minnesota. 2007. 27 Oct. 2007
<http://www.hist.umn.edu/~ruggles/Approval.htm>. 187
"Interview: O. Sami Saydjari." Frontline: Cyber War! 23 Apr. 2003. PBS. 24 Oct. 2007
<http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/saydjari.html 188
"Poll Shows Americans Want Congress to Do More to Protect Them Online." Cyber Security Industry Alliance
(2006): 30. 21 Oct. 2007
<https://www.csialliance.org/news/pr/view?item_key=e5b543c0cf207bb110c9c65b61ac476ec45e03fe>. 189
Hancock, Bill. National Infrastructure Protection Issues. International Telecommunication Union. 2002. 25 Oct.
2007 <http://www.itu.int/osg/spu/ni/security/workshop/presentations/cni.18.pdf>.
78
possible to bring down the national power grid for a day or two, but it is “unrealistic” to think
that the grid could be taken down for a longer period. On the other hand, Cyber Defense Agency
CEO Sami Saydjari claims that a targeted attack requiring about 300 people and $500,000 could
be capable of bringing down the national power grid for a month or more190
.
Current trends in public knowledge about cyber-security and industries’ hesitance to disclose that
they have experienced small-scale cyber-attacks suggest that only cyber-attacks on a very large
scale would actually receive public attention. For example, despite the successful disruption of
air traffic control systems as recently as September 2007, there is no data to suggest that these
cyber-incidents have discouraged the public from using commercial airlines. The only ways the
public would likely have a strong, noticeable response against a company or section of
infrastructure are if a cyber-attack of a large magnitude were to be launched, or if there were any
successful cyber-attack that resulted in civilian casualties. If the public became aware of such an
attack, the response would likely be similar to the public’s apprehension about using airlines
immediately after September 11. Those attacks resulted in an immediate 30% decline in demand
for commercial airline services, and an ongoing 7.4% decline through 2003191
. A successful
attack or a prolonged series of unsuccessful attacks would probably result in the same pattern: an
immediate decline in public confidence, with a smaller prolonged loss of public confidence if no
other incidents occurred.
190
"Interview: O. Sami Saydjari." Frontline: Cyber War! 23 Apr. 2003. PBS. 24 Oct. 2007
<http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/saydjari.html 191
Ito, Harumi, and Darin Lee. Assessing the Impact of the September 11 Terrorist Attacks on U.S. Airline Demand.
Dept. of Econ., Brown U. 2004. 3-24. 26 Oct. 2007
<http://www.brown.edu/Departments/Economics/Papers/2003/2003-16_paper.pdf>.
79
5 National Agencies and Legislation
To coordinate the federal effort to secure cyberspace, the government has issued a series of
documents that define how it prepares for and reacts to cyber-attacks, and has created several
agencies to collect and share that information so that communication and awareness serve
cyber-security objectives. The departments of the federal government are responsible for
complying with these documents and cooperating with these agencies.
5.1 E-Government Act of 2002
The E-Government Act of 2002 is the origin of the federal government's current role in cyber-
warfare. Enacted on December 17, 2002 (Public Law No. 107-347),192 one of its main
attributes is the role it establishes for the Office of Management and Budget (OMB).
Under FISMA (the Federal Information Security Management Act, Title III of the same law),193
the Director of OMB is required to oversee federal agency information security policies and
practices and to coordinate a thorough risk-based approach to managing information security.
The OMB also oversees the operation of a central federal information security incident center,
formerly known as FedCIRC. This function is now performed by US-CERT, which is discussed
later in the report. The OMB, through US-CERT, provides guidance to federal agencies on the
types of cyber-attacks they face and on how to report and communicate them throughout the
government.
Another key point of the E-Government Act of 2002 is to promote the use of Internet-based
technology to give citizens and agencies secure access to government information and services.
The Act also sets out the responsibilities of several departments for satisfying the need for
cyber-warfare strategies.
Finally, the Act should be read alongside Homeland Security Presidential Directive 7 (HSPD-7),
issued on December 17, 2003, which assigns critical infrastructure protection responsibilities to
several federal agencies and provides for a Critical Infrastructure Protection Policy Coordinating
Committee to advise the Homeland Security Council on interagency policy related to protection
against cyber-attacks. That committee is distinct from the National Infrastructure Advisory
Council described next.
5.2 National Infrastructure Advisory Council
The National Infrastructure Advisory Council (NIAC), created by Executive Order 13231 in
October 2001 alongside the since-dissolved President's Critical Infrastructure Protection Board,
is now administered within the U.S. Department of Homeland Security. The purpose of this
council is to supply the President with information and advice for securing critical infrastructure
sectors and their information systems.194 Consisting of at most 30 members, the NIAC is
composed of citizens appointed by the President from private industry, academia, and state and
local government.
192 Bush, George W., and Jim Turner. "E-Government Act of 2002." The White House. 15 Nov. 2002. US Government. <http://www.whitehouse.gov/omb/egov/g-4-act.html>.
193 "FISMA." National Institute of Standards and Technology. 24 Oct. 2002. US Government. <http://csrc.nist.gov/groups/SMA/fisma/>.
194 "National Infrastructure Advisory Council." Department of Homeland Security. Oct. 2007. US Government. <http://www.dhs.gov/xprevprot/committees/editorial_0353.shtm>.
The NIAC focuses mostly on preventing attacks on critical infrastructure and on recovering from
attacks that do occur. The NIAC notes that both the cyber and the physical functions of critical
infrastructure are vital to maintaining the American economy, security, and way of life.
Currently, the federal government has divided responsibility for cyber infrastructure among
several departments. It should be noted, however, that the control systems behind physical
infrastructure, such as power grids, are increasingly connected to the Internet, so a single
cyber-attack can affect several areas at once.
5.3 National Strategy to Secure Cyberspace
The National Strategy to Secure Cyberspace (NSSC) is meant to inform Americans and urge
them to secure the portions of cyberspace that they own, operate, control, or use.195
Securing cyberspace is a challenge that requires effort and awareness from federal, state, and
local governments, the private sector, and individual citizens. This document, published in
February 2003, is the cyber-protection counterpart of the National Strategy for the Physical
Protection of Critical Infrastructures and Key Assets. Policies and guidelines from both
documents are reflected in the missions of the federal and private organizations concerned with
cyber-attacks.
5.4 United States Computer Emergency Readiness Team (US-CERT)
The United States Computer Emergency Readiness Team (US-CERT) was created in September
2003, shortly after the release of the National Strategy to Secure Cyberspace. It gives the federal
government and the private sector a common channel for relaying information about cyber
incidents.196 US-CERT was established to protect the nation's Internet infrastructure by
coordinating defense against, and response to, cyber-attacks. One key component of US-CERT
is the Einstein Program, which collects network traffic data from participating agencies so that
cyber-incidents can be detected, correlated, and communicated across the federal government.
5.4.1 US-CERT Einstein Program
The Einstein Program allows agencies of the federal government to distribute information about
cyber-attacks effectively so that it can be analyzed and shared between agencies.197 This is
significant because, given how deeply the Internet is integrated into almost every critical
infrastructure, many agencies find it difficult to relate incident information without a uniform
institution to assist in communication. By collecting network flow records (summaries of
connections rather than packet contents) from participating federal agencies, US-CERT is able
to build and enhance America's cyber-related situational awareness. That awareness in turn
helps in identifying and responding to cyber-threats and attacks, and the more that is known
about these attacks, the easier it is to improve network security, increase the resilience of
electronically delivered government services, and enhance the survivability of the Internet.
195 National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.
196 "United States Computer Emergency Readiness Team." Department of Homeland Security. US Government. <http://www.uscert.gov/>.
197 "Privacy Impact Assessment EINSTEIN Program: Collecting, Analyzing, and Sharing Computer Security Information Across the Federal Civilian Government." US-CERT. Sept. 2004. Department of Homeland Security. <http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_eisntein.pdf>.
There are several ways in which the Einstein program helps federal agencies protect themselves
from cyber-attacks. The program is able to determine the scope and likely threat of a specific
worm, both to the federal government and to the wider Internet community. Einstein can also
detect irregular network behavior and use that information to determine whether a possible
attack is focused on one agency or is part of a larger Internet-wide attack. Likewise, when an
individual agency experiences traffic problems, Einstein can help establish whether they are
attributable to an outside cyber-attack.
One of the most useful aspects of the Einstein program that US-CERT developed is its ability
to judge how invasive and threatening an attack is, and what its resulting effect on the United
States may be.198 It helps identify the source of an attack through analysis of trends in cyber-
incidents and tracking of the IP addresses involved. These trends are documented in close to
real time to raise awareness of them among federal agencies.
5.4.2 Collaborative Groups of US-CERT
Government Forum of Incident Response and Security Teams (GFIRST) –
Comprised of over 50 incident response teams,199 GFIRST helps coordinate the actions
and communication of federal agencies in order to ensure the security of the
federal government.
Multi-State Information Sharing and Analysis Center (MS-ISAC) – MS-ISAC gathers
information about how cyber-threats may affect critical infrastructure and relays
that information to state and local governments.200 The significance of this
group lies not only in the number of people involved in ensuring adequate
communication, but also in providing a means to raise awareness of, and response to,
possible cyber-attacks. MS-ISAC is a voluntary collaboration of state and local
governments formed around the needs discussed in the National Strategy to Secure
Cyberspace.
198 "Fact Sheet: Protecting America's Critical Infrastructure – Cyber Security." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/press_room/050215cybersec.html>.
199 "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/federal/collaboration.html>.
200 "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/federal/collaboration.html>.
National Cyber Response Coordination Group (NCRCG) – Initially intended to join
the Department of Defense with the Department of Justice in efforts to defend against
cyber-attack, NCRCG is the federal government's main interagency organization
focused on responding to and recovering from cyber-attacks that affect national
security.201
5.4.3 National Cyber Security Division (NCSD)
The National Cyber Security Division (NCSD), the division of the Department of Homeland
Security that houses US-CERT, works collaboratively with public, private, and international
entities to secure cyberspace and America's cyber-assets.202 NCSD continuously seeks to
protect the critical cyber-infrastructure and to maintain steady monitoring for possible
cyber-attacks.
5.4.3.1 National Cyberspace Response System
The National Cyberspace Response System coordinates the protocols that determine when and
what actions may need to be taken in response to cyber-attacks.
Cyber Security Preparedness and the National Cyber Alert System – Due to the lack
of awareness of cyber-threats, many citizens do not actually know whether their
computer systems are secure, despite the level of security they think they have. Cyber-
threats are constantly adapting to overcome new security measures. The Cyber Security
Preparedness and National Cyber Alert System both help in raising the awareness among
citizens to try to reduce the susceptibility of their networks. Anyone can sign up to be
alerted by these systems if new and significant information is obtained regarding cyber-
threats.
US-CERT Operations – As mentioned above, the US-CERT is one of the most
significant organizations that both analyzes and standardizes the level of threat each
cyber-attack may have. The US-CERT makes it easier to determine the significance of a
possible attack through its well thought-out and established method of prioritizing
attacks.
National Cyber Response Coordination Group – A group that interacts with US-
CERT, the NCRCG’s significance can be noted above. In terms of response, NCRCG is
significant due to its participating 13 federal agencies that help determine what response
is necessary in case of an attack. The NCRCG helps coordinate federal response, law
enforcement, and the intelligence community in the case of an attack.
201 "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/federal/collaboration.html>.
202 "National Cyber Security Division." Department of Homeland Security. 23 Sept. 2006. US Government. <http://www.dhs.gov/xabout/structure/editorial_0839.shtm>.
Cyber Cop Portal – Meant to share information amongst over 5,500 investigators
worldwide, the Cyber Cop Portal helps find and convict the people responsible for cyber-
attacks.
5.4.3.2 Cyber Risk Management Programs
The National Cyber Security Division evaluates risk and determines what kind of protective
measures are necessary to secure cyberspace. The following three programs are part of its
Cyber Risk Management Programs:
Cyber Exercises: Cyber Storm – Cyber Storm began in February of 2006 in order to
evaluate the preparedness in response to a cyber-attack. The Department of
Homeland Security used Cyber Storm to determine how equipped the federal
agencies were in case an attack were to happen. Also, DHS used the Cyber Storm
exercise in private and international sectors. The significance of the idea of involving
private sectors shows how defense against cyber attacks is both a government and
industrial responsibility.
National Cyber Security Awareness Month – October of every year is designated
National Cyber Security Awareness Month, an outreach effort meant to raise awareness
of the threat of cyber-attacks.
Software Assurance Program – Intended to lessen the susceptibility of software
programs, SAP also suggests ways to improve the development and installation of
software products.
6 Policy
6.1 National Policies
The United States Government has recently dedicated a portion of the Department of Homeland
Security to securing and protecting Americans from cyber-attacks. Current policies and guiding
principles are the yardstick for judging the progress the government has made in protecting its
citizens from cyber-attacks. Agencies established to protect against cyber-attacks and to raise
awareness of them have proliferated throughout the Department of Homeland Security, but flaws
in, and a lack of funding for, these agencies still show the need for more cooperative support
against possible cyber-offenses.
The current national policy, the National Strategy to Secure Cyberspace (NSSC), sets the
direction of government policy for dealing with cyber-warfare. The NSSC has served as the
baseline for the following policy analysis, to which additional policy suggestions are added.
The NSSC states the federal government's mandate for securing cyberspace as follows:203
● Prevent cyber attacks against our critical infrastructures;
● Reduce our national vulnerabilities to cyber attack; and
● Minimize the damage and recovery time from cyber attacks that do occur.
● Ensure the federal government's ability to perform essential national security missions and
guarantee the general public's health and safety;
● Make sure that state and local governments are able to maintain order and to deliver
minimum essential public services;
● Aid the private sector's capability to ensure the orderly functioning of the economy and
the delivery of essential services; and
● Support the public's morale and confidence in our national economic and political
institutions.
6.2 Policy Goals
Although the NSSC was used as a starting point, current government policy is not enough to
protect the nation from cyber-warfare. We first discuss guiding principles to keep in mind
as the government defines a new policy, as well as the primary stakeholders in our policy. Our
policy discussion is then broken into six major areas:
Prevention
Response
Security Training and Awareness
Government Cyber-security
International Cyber-warfare
Military Uses of Cyber-warfare
203 "National Policy and Guiding Principles." National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.
6.3 Guiding Principles
Any cyber-security policies that the government decides to enact should not only minimize or
prevent disruptions in critical infrastructures to protect American national security, but also
adhere to some guiding principles to protect civil liberties and ensure cooperation from all
sectors.
One such guiding principle is the idea that American cyber-security must be a national effort.
Thus, the government must work with private and commercial groups to formulate policies that
are both technologically sound and agreeable to all parties. In doing this, any policies the
government employs must strengthen cyber-security regarding personal privacy, rather than
infringing upon privacy. Outside privacy analysts and experts should frequently be consulted to
ensure that nonpublic information is handled reliably and privately.
Another guiding principle is that in most cases, the government should avoid mass regulation of
cyber-security. Setting a mandate for how corporations must protect their networks would create
a “lowest common denominator approach to cyber-security,” which could easily be exploited on
a widespread scale. Currently, some federal regulatory agencies have guidelines for cyber-
security, but in the private sector, the market itself should force the evolution of cyber-security
technologies.
Furthermore, because of the rapidly-changing nature of cyber-threats, it is essential that all
cyber-security policies be flexible in their ability to prevent and respond to attacks. Flexible
policies allow both government and corporate organizations to reassess threats and plan
protection strategies based on growing and changing threats. Because these threats are
constantly growing, it is essential that government agencies form long term (multi-year) plans for
updating cyber-security so that they can sustain their roles in protecting American national
security. It is also recommended that other public- and private-sector organizations also adopt
long-term plans for this reason.
6.3.1 Social Considerations
In formulating policies to protect against cyber-attacks, there is the potential for negative social
consequences. One such consequence is the loss of privacy in cyberspace, which has already
occurred as the result of some government security policies. In 2000 and 2001, the FBI used an
email-surveillance system called Carnivore, which operated as a basic packet sniffer installed on
the networks of Internet service providers, to monitor the electronic transmissions passing
through them. Systems like this could violate federal privacy laws and the United States
Constitution's ban on unreasonable searches and seizures. The Carnivore system had access to
the traffic of all users on whatever network it was connected to, a practice which former federal
prosecutor Mark Rasch describes as “the electronic equivalent of
listening to everybody's phone calls to see if it's the phone call you should be monitoring.”
Though the system was reportedly discontinued, it serves as a warning
of the social hazards that can result from implementing badly-planned policies.204
In addition to monitoring Internet traffic, the government could also decide to block access to
certain websites. For example, the European Union recently signed legislation to block access to
websites with information about bomb-making. The Australian government is planning to allow
the Australian federal police to compile a list of websites suspected to be related to terrorism that
will be mandatory to be blocked by Internet filters. In the wake of these international events, the
United States has argued before a federal court that it has the right to restrict access to legal
websites that are hosted anywhere in the world. Beyond the risk to civil liberties, restricting
international content could cause an “arms race” over Internet censorship: if the United States
has the right to block information from other countries, then those other countries can directly
censor information based in the United States as well.205
Because of these dangers to privacy, it is important that the public and private sectors be treated
as independent but cooperating entities when cyber-security policies are formed. While the
federal government must foster the development of the cyber-security technologies on which the
public depends, it is generally the private sector that actually builds these products, and the
private sector is responsible for following good security practices itself. For example, the Global
Information Grid, a multibillion-dollar military project to link weapons, intelligence, and
personnel, interconnects with networks in the civilian sector and is therefore exposed to any
threat to which civilian networks are vulnerable. Military and civilian network operators must
work together on a defense that suits both parties without infringing on the civil rights
guaranteed by the Constitution.206
6.4 Stakeholders
American citizens are the primary stakeholders with regard to cyber-attacks against the US. Other
stakeholders are the US government, state and local governments, other nations and their
citizens, private companies, health and medical institutions, financial institutions, and the
individual departments within the US government (such as the Department of Justice). Given
how dependent well-established countries are on the Internet, it is difficult to identify one that
would not be affected if cyber-attacks became more prevalent: the more dependent a nation is
on the Internet, the more secure its government must be in order to avoid being affected by
cyber-attacks. Similarly, citizens and private companies can be harmed if their networks are
exploited; electronic medical records are at stake, as is the financial standing of citizens and
companies. The Federal Government has singled out particular classes of stakeholder, as shown
in the figure below: the home user and small business, large enterprise, critical infrastructures
and sectors, national implications, and global.
204 <http://www.wired.com/politics/law/news/2000/07/37503>
205 <http://abcnews.go.com/Technology/Story?id=3771510&page=1>
206 <http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf>
Figure 6.1 Roles and Responsibilities in Securing Cyberspace from NSSC
Home User and Small Business – stakeholders in this category rarely
report incidents, according to US-CERT. However, many of the cyber-
attacks discovered are launched through their compromised systems. Home and small
business users are therefore prevalent stakeholders in securing cyberspace.
Large Enterprise – Bigger companies are stakeholders in relation to cyber-
attacks because of their dependency on network systems. Many of their records
and critical documentation are electronically stored and accessed on their
networks and destruction or damage would adversely affect their business and
profits.
Critical Infrastructure and Sectors – Critical infrastructures can be physically
affected by a cyber attack. These sectors are increasingly becoming dependent on
software and network systems and are thus vulnerable to cyber-attacks.
National Implications – The US government is a primary stakeholder in cyber-
attacks. If damage or information theft were to occur to federal systems, chaos
and lack of control could ensue and threaten national security.
Global – International stakeholders are affected by cyber-attacks because of the
range of damage these attacks can span. The Internet and networks cross the
globe, so an attack in a geographically different area could still result in damage
in another location.
6.5 Prevention
Many cyber protection and warning systems are currently available from both private and
government organizations. Most major software publishers employ personnel who specialize in
security issues and work to correct their software quickly once vulnerabilities are revealed.
Organizations with critical networks often have professionals in place who are responsible for
protecting those systems from cyber-attack. The software market is aware of the need for cyber
security and has responded with a wide variety of services that attempt to satisfy the need for
defense. The government has agencies in place that receive reports on cyber incidents, research
them, observe trends, and publish appropriate warnings. Yet while a wide variety of warnings,
products, and services exist for the purpose of preventing cyber damage, major issues remain
that leave systems open to attack.
6.5.1 Prevention Challenges
While it is impossible to prevent all cyber-attacks and make computer systems completely
invulnerable, there are many changes in behavior that could greatly reduce vulnerabilities. Any
policies created to address issues in preventing cyber-damage should take these problems into
consideration.
● Security in cyberspace is a never-ending arms race between attackers and security
professionals, so it is incorrect to assume that one can simply buy a product and be secure.
Despite the promises some of these products make, attackers work constantly to
circumvent them. Preventing cyber damage requires more attention than buying
a product and ignoring it.
● Warnings of newly found security vulnerabilities and software updates designed to address
new problems are common, but many administrators neglect to heed these warnings and
update their systems. Critical systems can sometimes be found with software that is years
behind current security standards, due to the difficulty in updating software and
ignorance of the people maintaining the systems.
● Companies which experience attacks and publishers of software containing security
vulnerabilities often fail to provide information which can be used to prevent further
damage, because of fears that admitting to security failures will damage their reputations.
Requiring software makers to disclose defects to potential customers would improve
security but could also harm business.
● Warnings of vulnerabilities and published material about securing computers present
solutions as well as new problems. Attackers can use this knowledge to develop their
skills in attacking just as easily as administrators can use the information to improve their
defenses. Sometimes the warnings inspire attackers to take advantage of newly published
vulnerabilities faster than the same warnings can be addressed by system administrators.
● The attackers themselves who are constantly developing new cyber-attack strategies have
security information resources of their own, many of which can be viewed by security
personnel and used to anticipate their attacks.
● Releasing information relating to security requires good judgment in order to prevent
problems; this “security through obscurity” issue is one of the most debated points in the
cyber-security community.
● Experts in computer security have conflicting opinions on the best ways to protect systems;
any mandates relating to system security will need to include flexibility to allow for the
different approaches used by different system protectors.
6.5.2 Prevention Products
There are a wide variety of tools on the market that are sold for the purpose of securing
computers, though these products are not available for every vulnerable platform, especially the
proprietary systems which were not reliant on computers in the past. As products are developed,
new exploits are also made which present new kinds of threats. The previous examples (see
2.3.2) about Distributed Denial of Service attacks and Rootkits are relatively new attacks. Before
1999, the old style of DoS attack from a single attacking system was addressed by firewalls and
largely prevented, which led to the development of new methods of attack. Programs employing
stealth techniques meant to evade detection and removal by security products like virus scanners
have become much more prevalent in recent years. The anti-virus company McAfee reports the
following trend in new software which attempts to avoid detection:
Figure 6.2 Growth in new stealth (rootkit) software attempting to avoid detection, as reported by McAfee.207
While attacks are becoming more sophisticated, the products designed to prevent them are also
adapting. Employing the appropriate products is definitely helpful in improving security, but
system administrators must be careful not to rely on those products too much. Firewalls,
intrusion detection systems, system logging tools, virus scanners, and automated software
updates are some of the types of products available to assist in securing computers, but they
cannot completely prevent attacks without people in place to protect critical systems. The number
of solutions available can be overwhelming, and many products make false promises. Currently
the only check on whether a security company actually increases security, and whether its
products do what they promise, is the market and the media. One step that could be taken to
prevent cyber-attack is an institution that independently confirms whether a software product
actually delivers the security it promises, perhaps in a similar way to the FDA's process of
confirming that drugs actually do what their sellers claim, though this also raises concerns
about the impact on the fragile software industry.
6.5.3 Security Personnel
Many professionals are employed to protect computer networks, and have varying degrees of
success doing so. One of the more popular excuses for the failure of system protection is under-
trained administrators. The cyber-attack situation is unique in that every networked device is a
potential target, and that security professionals are needed in more places than they were in the
past. Businesses are rapidly realizing that cyber-security is part of the cost of doing business
today, often after suffering from an attack that their IT department was not prepared to prevent.
207 Rootkits: The Growing Threat. McAfee Inc., 2006. 1 Nov. 2007. <http://download.nai.com/products/mcafee-avert/WhitePapers/AKapoor_Rootkits1.pdf>
Many private certifications exist that confirm an employee is trained in cyber-security;
unfortunately, cyber-security is an ever-changing field and requires constant study to remain
prepared. A system of licensure for cyber-security professionals would help to ensure that
competent personnel are selected to defend critical systems. Further, a standard could be defined
that clarifies which systems need such professionals to protect them. Addressing the problem of
under-trained security personnel is complex, because administrators are in a constant race
against hackers to learn about vulnerabilities and defense strategies, and many organizations
that now rely on computer networks are not aware that they need trained employees to defend
them.
6.5.4 New Vulnerabilities
Products and personnel that work to protect systems can help to prevent cyber-attacks, but
another important area for potential policy to address is how software reaches the public with
flawed security in the first place. Software developers bear a great responsibility to distribute
products that do not leave their customers vulnerable to cyber-attack. There is much speculation
about why so many flaws exist in current software.
6.5.5 Computer Security and Liability
There are active debates on how liable producers of software should be for vulnerabilities
introduced into systems by their products. Most products which contain these security flaws are
distributed with “End User License Agreements” which take effect as a condition of installing
the software. These agreements usually contain language that exempts the software companies
from all responsibility for any attacks that their customers may suffer from through
vulnerabilities in their products. Courts have repeatedly upheld these agreements, to the point
that holding software authors liable for security flaws in their products would require changes to
the law.
Despite this lack of liability for vulnerabilities in their products, software companies still have
incentive for making secure programs. The damage to a company’s reputation after enabling a
new kind of attack on its customers can cost a business a lot of money. In this way, while they
are not legally liable, they remain morally liable and continually work to improve their security,
though perhaps not as well as they would if vulnerabilities in their products were a greater risk
for them financially. The debate surrounding software liability also raises concerns about
increased software costs and the extra difficulty involved in identifying vulnerabilities in
software compared to defects in physical products.
6.5.6 Policy Options
Taking these challenges into consideration, there are several possibilities for policy changes that
could help to prevent successful cyber-attacks, which can be applied to individuals, security
professionals, and the designers of networks. Each potential policy would require careful
wording and sensitivity to the needs of businesses and the rights of individuals as well as the
technical consequences.
Policy Option 6.5.1: Require by law that all computers be secured in specific ways.
A policy that demands all systems be secured is a tempting idea, but carries with it
many consequences. Explicitly defining which precautions to take about cyber-security
increases government encroachment on individuals and, if worded improperly,
could actually make computers less secure. Diversity is an important part of system
protection, which a law explicitly demanding specific security precautions might
eliminate, actually giving attackers more potential targets. A law requiring
security precautions would need to be worded in abstract terms to allow for the
diverse systems which currently exist. Specific security measures required by law
might raise the cost of computers and reduce the performance of the technology.
Defining a bare minimum of precautions that must be taken might lead to fewer
systems protecting themselves beyond that minimum. It may be possible to create a
law which requires certain precautions with minimal negative side effects that could
reduce vulnerability, but such a law would have to be created very carefully.
Policy Option 6.5.2: Change the policies about liability for software makers and/or
system administrators.
A policy might be drafted which could hold system administrators responsible for
damage caused by their systems. The law would give administrators a larger
motivation to secure their systems so that attackers could not commandeer them and
execute attacks. In a way, administrators are already responsible for their systems,
because security breaches under their watches tend to hurt their careers, so the
necessity of this policy is debatable. Changes in liability rules would increase the
stress put on those with increased responsibility, possibly raise the cost of their
service and reduce the number of people willing to take the risk of working to protect
networks. In some limited systems, changes in liability rules might be more
appropriate than others. For example, administrators responsible for maintaining
networks controlling critical infrastructures or connected to extremely high-capacity
Internet links might deserve more legal motivation to secure their systems than
owners of personal computers.
Applying new responsibility to software developers would slow down the
development process and increase the cost. Software prices would rise to offset the
legal costs relating to new liabilities, while programmers would be under legal
pressure to secure their products, possibly at the expense of performance. The private
sector already has motivation to secure its products, but perhaps is not as concerned
as it should be that flaws in one system can be used to cause damage to the systems of
others. Certain violations of software security might be more appropriate to hold
developers responsible for than others; it may be possible to make adjustments in
liability rules which improve security with minimal impact on the cost and
performance of software. Imported software and outsourced developers would also
have to be taken into consideration in any policy about the liability of software
developers.
Policy Option 6.5.3: Create programs to approve security products and personnel.
Institutions exist for the licensure of many different professionals and the approval of
different products which might be similarly created to address cyber-attack
possibilities. Policy makers can expect debates over whether government or the
private sector can better provide cyber-security approval services. Having a
compulsory form of certification may be helpful, since current methods of approving
software and personnel for security still allow for false products and charlatan
professionals to exist. A government approval process for allowing individuals to
practice securing systems would have to be carefully crafted by experts to ensure that
certified individuals are qualified for their positions. Creating new institutions would
be costly, and defining the specific software packages and personnel under their
jurisdiction would be difficult, but having more qualified security personnel and
higher quality defense products would be helpful.
Additionally, infrastructure has significant holes in prevention measures.
Policy Option 6.5.4: Federally demand a minimum level of security for critical
infrastructure systems.
In 2001, the Energy Information Security program was created in an attempt to
develop better defense technologies for our nation's critical infrastructures. Due to
the difficulty of and the time needed for installing these technologies, many
companies have not kept their systems up to date. Because they are not properly
secured, it leaves even the "secured" infrastructure companies vulnerable to attack
simply due to them being connected to the same network as the unprotected
companies. Therefore, the minimum level of security for our nation's infrastructure
must be federally regulated so that the United States' power utilities, water lines,
communication systems, and emergency response will not fail due to a "weak link" in
their network connections.
6.6 Response
6.6.1 Judicial Response to Past Attacks
One of the main difficulties in prosecuting cyber attackers is that they are difficult to capture and
apprehend. Legal action against these criminals is still uncommon at the federal and state
level; therefore, many of the established fines and lengths of imprisonment are subjective.
A few examples of past sentences show the extensive differences between the damage done
and the punishment given. The only known instances in which the fine charged to the criminal and the
cost of the damage caused were the same were incidents involving disgruntled employees and
the company that employed them. The case information presented below was found at the
Department of Justice’s website for Computer Crime Cases.208
208 "Computer Crime Cases." Computer Crime and Intellectual Property Section. US Department of Justice. <http://www.usdoj.gov/criminal/cybercrime/cccases.html>.
6.6.1.1 Russian Man Sentenced for Hacking into Computers in the United States
Russian citizen Alexey Ivanov pleaded guilty to several charges of conspiracy, hacking,
computer fraud, credit card and wire fraud, and extortion. From Russia, Ivanov and others
hacked into dozens of United States computers. After extracting important data such as
passwords and credit card information, Ivanov and the others then deleted all of the original data
and destroyed the computer systems. The estimated cost of damage was approximately $25
million. Ivanov was sentenced, at the age of twenty-three, to four years in prison and three years
of supervised release. US Attorney Kevin O’Conner played a major part in Ivanov’s trial, and he
mentioned how Ivanov’s prosecution “demonstrates the ability and resolve of the Department of
Justice to vigorously investigate and pursue cyber-criminals who attack American computer
systems. We are committed to tracking down and prosecuting those individuals wherever they
may be”.
6.6.1.2 Melissa Virus
Much of the information regarding the legal action placed upon the creator of the Melissa Virus,
David L. Smith of New Jersey, is private and has not been fully disclosed to the public.
However, it is known that the maximum charge that he could be given in the state government is
5 years in prison and a $250,000 fine. In federal court, the cyber-criminal could be facing 10
years in prison and $150,000 fine. Officially, the Melissa Virus caused over $80 million in
damage.
6.6.1.3 Disgruntled Employee
Timothy Allen Lloyd of Delaware has begun serving 41 months in prison and was charged a $2
million fine for letting loose a “time bomb” that deleted all the production programs used by his
former employer. The cost of damage caused by this cyber attack was over $10 million.
6.6.1.4 Israeli Citizen Arrested in Israel for Hacking Government Computers
Both the United States and Israeli government computers, as well as hundreds of commercial and
educational systems, were hacked into and attacked by Ehud Tenebaum in February of 1998. He
pursued these attacks to extract sensitive data from all systems and damage the attacked
computers. Ehud was sentenced to 12 months probation and a $17,000 fine.
Ehud’s capture was an orchestrated effort by both the United States and Israeli governments.
Attorney General Janet Reno said that “the prompt arrest of the Israeli hacker demonstrates the
effectiveness of international cooperation in cases involving transnational criminal conduct”.209
6.6.1.5 Konopka Attacks
Between February 14, 1998 and January 25, 2001, Joseph Konopka of Wisconsin carried out 9
different violations of federal law relating to conspiracy, destruction of energy, air navigation
and telecommunication facilities, arson, trafficking in counterfeit goods, and causing damage to a
protected computer. It was also estimated that 53 acts attributed to Konopka caused excessive
damage and that more acts were planned to occur had he not been discovered and prosecuted.
Konopka knowingly caused 28 power outages and other disruptions which affected 30,000
power customers and caused over $800,000 in damages. The maximum sentence he can serve is
5 years in prison with a $250,000 fine.
Clearly, there is a disconnect between the punishment for cyber-crimes and the crimes
themselves. The judicial system is extremely limited in prosecuting cyber-criminals, and even
when an attacker is caught, they are soon released and back online.
209 "Israeli Citizen Attacks Government Computers." Computer Crime and Intellectual Property Section. US Department of Justice. <http://www.usdoj.gov/criminal/cybercrime/cccases.html>.
Policy Option 6.6.1: Create a more forceful and concentrated effort to prosecute
cyber-criminals to the full extent of the damage they caused. It is dangerous to allow
criminals who have caused millions of dollars in damage to be allowed to access
computer systems after only a few years of imprisonment. Additionally, minimum
and maximum sentences need to be increased to reflect the widespread damages
caused by cyber-attacks.
6.6.2 National Cyberspace Response System
The National Cyberspace Response System is the federal government’s current method of
analyzing and responding to cyber-attacks that occur against United States citizens and the
government. Analysis of an attack, warning, incident management, and response and recovery
from an attack are the four primary steps used by the National Cyberspace Response System. It
also includes governmental and nongovernmental information sharing and analysis centers such
as MS-ISACs.
Figure 6.3 National Cyberspace Security Response System Structure.210
210 "Priority I." National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.
Analysis
The analysis of cyber-attacks is essential for preparing the nation to handle effects
caused by cyber-warfare. Through careful evaluation of incidents, inductive
inferences can be made to warn and organize stakeholders about future attacks. Also,
constant assessment of vulnerabilities can show what area an attacker may be most
likely to damage.
Warning
The National Cyberspace Security Response System finds it critical to communicate
warnings to vital areas that would be affected by a nation-wide cyber-attack. A
bulletin board that not only describes incidents but also suggests unnoticed
vulnerabilities is currently being used as a method of communication by US-CERT.
Incident Management
US-CERT currently has in place a method for reporting and classifying incidents.
Anyone with access to the Internet can review this information and ask to be alerted if
any critical incidents are found.
Response/Recovery
The National Cyberspace Security Response System makes note that the OMB, via
FISMA, requires federal agencies to take responsibility in noticing and recovering
from cyber attacks.211
6.6.3 Public and Private Ways to Communicate
The federal government has taken an initiative to communicate with private sectors, as seen by
the Blue Cascades II and Purple Crescent II projects. These regional exercises took place in
Seattle, WA and New Orleans, LA in order to assess the cyber-readiness of individuals and
businesses. Both Blue Cascades II and Purple Crescent II brought together more than 200
government and private sector officials to analyze response procedures to cyber attacks, and to
emphasize the importance of cyber security in critical infrastructure protection.212 These
exercises also allowed discussion on ways to integrate physical security and cyber security. The
brief success of these exercises suggests that more training programs would benefit private
sectors in their efforts to secure their cyber-space.
211 "Priority I." National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.
212 "Fact Sheet: Protecting America’s Critical Infrastructure – Cyber Security." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/press_room/050215cybersec.html>.
6.6.4 Sharing Information
The federal government has taken some initiative for sharing information, as seen by US-CERT.
Inter-agency communication has become standardized and free-flowing.213 Many companies
and private sectors do not feel as though there is an adequate portal to relay information related
to cyber-attacks. In addition, many companies feel as though a publicized vulnerability within
their system may negatively affect the success of their business. Confidentiality, therefore, is a
significant attribute that must be included in securing the nation against cyber-attacks.
Even though exercises have been done to emphasize its importance, it is still difficult to integrate
public and private communication effectively. A reevaluation of the motivations for private
sectors to partake in securing against and responding to cyber-attacks may help clarify why
communication has been unproductive between the government and its citizens. Due to the
variability of cyber-attacks, it is not suggested to incorporate a law that would make it mandatory
for businesses to secure their networks to one specific standard. Because of the constantly
changing methods of cyber-attacks, a law mandating network security may not ensure that
systems are fully protected against all cyber-attacks.
6.6.5 Policy Options
The stakeholders involved in policies regarding the response to cyber-attacks include large
businesses, critical infrastructures, and the US government. Below are several policy options that
have not been fully enacted. While several Federal agencies have been funded to create systems
which respond effectively to cyber-attacks, these agencies are still not established as an
authoritative source of action against cyber-criminals. It has also been noted that the prosecution of cyber-
criminals is much more effective against disgruntled employees than against orchestrated efforts
to attack the government’s computers. Response, therefore, must work with policy options from
other divisions, such as raising awareness of cyber-incidents and international cooperation.
Policy Option 6.6.2: Apply a more concrete method of analyzing cyber-attacks in
such a way that a general audience is able to comprehend. This will be useful in
enhancing the quality of communication between the government and its citizens.
Policy Option 6.6.3: Allow incentives for private sectors in their own attempts to
secure their networks. Due to the lack of profit directly resulting from securing their
cyber-space, private companies do not see the benefit in taking the initiative to
prevent cyber-attacks on their own system. If the government were to provide
incentives or prominent recognition of companies who successfully work to secure
themselves, private sectors will be more likely to conform to the government’s view
of cyber-security.
Policy Option 6.6.4: Attempt to increase communication not only with home users
and small businesses, but also with other nations. A better response to cyber-attacks
is dependent on increased communication and analysis of attack trends. Opening up
an international dialogue related to cyber-attacks could prepare the US government
and citizens for possible future attacks.
213 "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/federal/collaboration.html>.
Policy Option 6.6.5: Establish a network in which local police and firefighters are
able to coordinate effective response systems in regards to local cyber-attacks. For
example, have a hotline for businesses and computer users to have access to in case of
a cyber-attack. The difficulty with this policy is finding a way to communicate in case
telecommunications were disrupted as well. Perhaps the most reliable method is to
create a useful two-way radio between departments that could be accessed by heads
of Information Technology departments at companies as well.
6.7 Policies to Promote Cyber-security Awareness and Training
The awareness and training policy priority described in the NSSC has two components:
increasing all computer users’ awareness of secure computer usage and ensuring that the IT
professionals who design and maintain large computer systems receive cyber-security training.
According to the NSSC, programs to address these two issues should target four stakeholder
areas: home and small business users, large enterprises, critical sectors and infrastructures, and
the nation as a whole.214 While programs have been established to address concerns in each of
these stakeholder areas, their level of success has been mixed.
6.7.1 Policies for Home and Small Business Users
Several government programs are in place to inform home and small business users of the
security risks associated with daily computer use, and how to protect themselves against that
risk.
US-CERT maintains two email bulletins, one to distribute security tips and the other to distribute
security alerts. The security tips inform readers of everyday security practices such as
maintaining privacy on the Internet; while the security alerts “provide timely information about
current security problems” so the reader can protect their “home or small business computer.”215
However, it isn’t clear that any concerted efforts have been made to popularize or advertise these
email bulletins, and no statistics on their subscription numbers were readily available.
The Department of Homeland Security’s National Cyber Security Division organizes an annual
Cyber Security Awareness Month each October, a joint effort with numerous public and private
sector organizations. As part of Cyber Security Awareness Month, the N.C.S.D. sponsors
several conventions, conferences and other events each day.216 Most of the events take place at
universities, and this year’s theme was “Protect Yourself Before You Connect Yourself.”217
Also, the Natl. Cyber Security Alliance has created Stay Safe Online, a website to inform the
general public of how to use computers safely.218 The site is extensive and includes many
articles and exercises, such as a test to determine how safe a computer user is from cyber-attacks
and tips for protecting a small business. The site is divided into sections targeting educators,
families and children, and small businesses. It could be of great use, but it evidently has not
been advertised heavily enough, as its current level of daily traffic places it outside of the one
million most visited websites.219
214 “Priority III.” The National Strategy to Secure Cyberspace. February 2003: 37-41. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_3.pdf>.
215 US-CERT, National Cyber Alert System. Retrieved October 25, 2007, from US-CERT Web site: http://www.us-cert.gov/referral_pg/
Policy Option 6.7.1: Increase advertisement funding for the federally-managed
websites and email lists described above. These websites have the potential to
increase public awareness, but are not receiving the traffic needed to make an
impact.220 Advertising them more vigorously would improve their public exposure.
Policy Option 6.7.2: Create greater incentives for small businesses to inform their
employees of cyber-security concerns. For example, small businesses could receive
tax credits if a certain percentage of their employees subscribe to US-CERT’s e-mail
bulletins or undergo an educational training course on cyber-security. Much of the
Stay Safe Online website’s content could be used for such a course.
6.7.2 Policies for Large Enterprises
There are fewer federal programs designed to inform large enterprises. However, one of the
largest sources of vulnerabilities in large enterprises comes from the Internet usage of individual
employees, so some of the programs described above also apply to large enterprises. The US-
CERT cyber-alert email bulletin and Cyber Security Awareness Month are two such programs.
Some companies sponsor Cyber Security Awareness Month programs to educate their
employees, and in 2007 the month’s schedule included several events related to enterprise-level
security, such as one forum on “Best Practices for Managing IT Security and Compliance”.221
Recent polling data is mixed on whether enterprises are aware of the risk created by poor cyber-
security. One IBM study from 2006 showed that 75 percent of corporate IT managers are wary
of the risk of cyber-attacks from within the company.222 On the other hand, a 2004 USA Today
poll indicated that 40 percent of companies were not notifying anyone after a cyber-attack
occurred, which indicates a lack of attention to the most basic security procedures.223 This
suggests enterprise-level awareness is an area where more federal resources are needed, because
many corporate IT managers still do not fully consider the importance of cyber-security.
216 National Cyber-Security Alliance (2007): National Cyber Security Awareness Month 2007 Calendar of Events. Retrieved October 30, 2007, from Stay Safe Online Web site: http://www.staysafeonline.org/events/index.html
217 US-CERT (2007). October is National Cyber Security Awareness Month. Retrieved November 3, 2007, from US-CERT Web site: http://www.us-cert.gov/press_room/ncsamonth.html
218 National Cyber Security Alliance: Stay Safe Online. Retrieved October 31, 2007, from Stay Safe Online Web site: http://www.staysafeonline.org/
219 Traffic details for staysafeonline.info. Retrieved November 3, 2007, from Alexa: The Web Information Company. Web site: http://alexa.com/data/details/traffic_details?url=staysafeonline.info
220 Ibid.
221 National Cyber-Security Alliance (2007): National Cyber Security Awareness Month 2007 Calendar of Events. Retrieved October 30, 2007, from Stay Safe Online Web site: http://www.staysafeonline.org/events/index.html
The priority of training IT professionals is a larger issue for enterprises than for small businesses.
Many small businesses have relatively simple computer networks, and are able to rely on
established, industry-standard software and network technologies. Other small businesses
choose to periodically call on technology consulting services to meet their IT needs. Large
enterprises, on the other hand, are more likely to create their own proprietary software systems
and vast, complex internal computer networks. For this reason, large enterprises are more likely
to have their own in-house dedicated IT departments. Policies to encourage cyber-security
training of these IT professionals are lacking and must be developed.
Policy Option 6.7.3: Provide tax incentives for enterprises whose employees undergo
an educational cyber-security course. As in the case of small businesses, this could
be an effective way to increase awareness of secure computing practices among
individual workers.
Policy Option 6.7.4: Work with private industry to create a standardized set of
essential skills for IT professionals in the area of cyber-security, for the purpose of
creating a certification program. If such a standard were created, the IT professionals
responsible for designing and maintaining companies’ internal computer systems
could be trained to meet the program’s requirements and could take a test to become
certified.
6.7.3 Policies for Critical Sectors and Infrastructures
Governmental attempts to increase cyber-security awareness and training within the private
sector entities involved in critical infrastructure sectors have been insufficient. As described
previously, the federal government has enacted mandatory completion of electronic shipping
manifests in some modes of transportation (trucking), and has advertised optional submission of
electronic manifests in others (shipping by water and train). However, the focus has been on
increasing participation, and no attempt has been made to ensure that participating companies are
aware of the added cyber-security risk.
As certain critical infrastructures have been increasingly privatized, some private corporations
have formed alliances to increase training in security issues. One example is Cisco’s Critical
Infrastructure Assurance Group, which trains teams of technical experts who can then assess the
security of various infrastructure-related corporations.224 However, the free markets alone may
not be enough to promote these efforts; the CIAG recently announced it would scale back future
research efforts and growth.225
222 Messmer, Ellen (2006, March 14). IBM survey on cybercrime shows IT managers wary. Retrieved November 1, 2007, from Network World. Web site: http://www.networkworld.com/news/2006/031406-ibm-survey-cybercrime.html
223 Gagnon, B. (2004). Are We Headed For a Cyber-09/11? The American Failure in Cyberstrategy. Conference Papers -- International Studies Association. Retrieved October 24, 2007, from Academic Search Premier database.
Policy Option 6.7.5: Accompany existing efforts to encourage electronic submission
of shipping manifests with efforts to encourage safe and secure handling of the
electronic manifest data. An additional option to consider is an incentive program for
companies that implement and document measures taken to secure electronic
shipment manifests and shipment tracking systems.
Policy Option 6.7.6: Make available and widely publicize a national database of
cyber-incidents and attempted cyber-attacks at critical infrastructure components such
as transportation, power, and communication systems. By increasing the public’s
attention to these areas, such a database could add pressure on infrastructure
companies to focus more on their own cyber-security prevention and response.
6.7.4 Policies for the Nation as a Whole
The previously mentioned public awareness policies target specific areas of concern for cyber-
security awareness and training, but there are a few other programs designed to increase awareness
across all sectors of the nation. One example is the National Telecommunications and
Information Administration. One organization within the NTIA, Critical Infrastructure
Protection, has a stated objective to “assist policy makers, industry, and consumers to become
more educated about how to manage risks and protect cyberspace”.226
Policy Option 6.7.7: Increase funding for university-level research of cyber-security
and preparedness measures, and provide funding for universities and community
colleges to create dedicated cyber-security training and research programs. This
could significantly improve the training of America’s future IT workforce.
Policy Option 6.7.8: Create a cyber-warfare threat level indicator system, possibly
similar to the Department of Homeland Security’s color-coded daily threat level
indicator. This sort of indicator system could be used by media outlets to help
publicize the issue of cyber-security, and would increase overall awareness of the
issue across all sectors.
224 Critical Infrastructure Assurance Group Online. Retrieved November 1, 2007, from Security@Cisco Web site: http://www.cisco.com/web/about/security/security_services/ciag/index.html
225 Heise Security (2007, October 11). Report: Cisco closes down Critical Infrastructure Assurance security research group. Retrieved November 3, 2007, from Heise Security Web site: http://www.heise-security.co.uk/news/97205
226 NTIA: Critical Infrastructure Protection. Retrieved November 3, 2007, from NTIA Web site: http://www.ntia.doc.gov/ntiahome/infrastructure
6.8 Government Cyber-security
In addition to working nationally to secure cyberspace, the government must take the lead in
securing its own networks. The federal government is responsible for a variety of critical
institutions including the military, taxes and social services, emergency services, and financial
and banking institutions. As a keeper of the public trust, the government is required to
ensure that all of its internal systems are secured from cyber-attack, and to lead the nation by
example. The efforts of the federal government to secure itself from cyber-warfare can then be
translated to state and local governments, and serve as a model for private efforts. Through recent
reforms, the government has adopted a uniform policy on securing cyberspace, which is largely
thorough except for a few areas.
6.8.1 Federal Level Security
In 2002, the OMB released an assessment of the relative strengths and vulnerabilities of the
security of individual systems in the government. It identified six areas needing improvement:
lack of senior management attention, lack of performance monitoring, poor security education
and awareness, failure to integrate into capital investment planning, lack of contractor oversight,
and failure to detect and report vulnerabilities.227 Unfortunately, these deficiencies had been
identified as weaknesses for the previous six years (1996-2002) with no policy for improvement.
In order to resolve these weaknesses, the OMB established federal guidelines for the oversight of
individual agencies. Using a defined minimum level of security, the OMB is now able to ensure
that any future IT systems have been analyzed and patched for any security weaknesses, as well
as track progress in fixing existing vulnerabilities. This provides a government-wide IT
standard that was previously missing.228
The current administration has sought to remedy security weaknesses primarily through funding
restrictions. Before systems can be funded by the Office of Management and Budget (OMB),
the department must show that any IT weaknesses have been addressed within the system. As a
result, security is a top priority for any system upgrades or investments, and a baseline of
security is achieved.229 Additionally, the lifecycle costs for security are required to be identified
and integrated as part of submitted budgets. Failure to integrate the costs or to remedy identified
weaknesses results in a complete rejection of the entire system upgrade.
Additional areas of concern include government wireless networks and user authentication.
Wireless networks deserve special attention, as they are often deployed unsecured or with weak
encryption and are therefore easy to breach. Data sent over such a network can be intercepted,
presenting the risk of data theft. Agencies must ensure that their wireless networks use current
encryption and authentication rather than the broken WEP protocol, check for unauthorized access
and rogue access points, and report any security breaches.230 Weak user authentication is a further
exposure, though one that is relatively easy to counteract.

227. “Priority IV.” The National Strategy to Secure Cyberspace. February 2003. 30 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_4.pdf>
228. Ibid.
229. Ibid.
Policy Option 6.8.1: Mandate user password complexity and regular changes, automatic
log-out after a short period of inactivity, and a second authentication factor (in the form
of an ID card, such as a smart card, that must be present for the computer to be used).
6.8.2 Agency Level Security
Although the OMB has established a baseline for monitoring and grading IT threats and
vulnerabilities across the government, it is vital to have a process for each agency to reach the
desired level of security. Agencies must document and define their system structure,
continuously assess threats and vulnerabilities, and enact security controls and install any
security patches.
The first step, identifying and documenting the system structure, is essentially a security
inventory of each agency: the current status and security level of every part of the system,
together with every interconnection with other agencies in the government. Taken together, these
inventories and assessments offer a view of the current state of government security. Agencies
then receive funding to remedy weaknesses and to bring the entire government system up to a
baseline level. A current, documented inventory also lets IT personnel modify and secure
computers agency-wide.231
Second, each agency must stay aware of new threats and vulnerabilities in its systems. Through
auditing, each agency monitors computer usage and measures the effectiveness of its control
mechanisms, such as restrictions on website access. Centralized control mechanisms also allow the
agency to update the security of its systems as new threats are identified by the federal
government. By measuring the effectiveness of its security controls and centralizing the
distribution of updates and patches, an agency can work toward government-wide security
standards.
Finally, each agency must act on its findings. Security patches must be installed promptly, since
much malware exploits known software flaws for which fixes already exist. Through such controls
risk can be broadly mitigated, and with continuous assessment of existing and future systems,
vulnerabilities can be remedied as they appear.
Policy Option 6.8.2: IT departments should be required to submit system structure
documents detailing the systems used throughout their agency. Departments should
institute a government-wide internet control program to restrict access to potentially
threatening websites. Additionally, they must show prompt response and verified 100%
implementation of security patches for their systems.
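The patch-tracking half of Policy Option 6.8.2 is something an agency can automate against its system-structure inventory. The following is an added example, not code from the report or from any agency: it reads a constructed inventory (agency, host, package, installed version), compares each host against a constructed minimum-version baseline, and reports every shortfall plus a per-agency compliance percentage. Versions are compared numerically so that 2.2.10 correctly ranks above 2.2.6, and a host with no record for a required package is counted as non-compliant rather than assumed patched. The agency, host and package names are placeholders.

```python
"""Patch-baseline compliance audit (added example; the inventory and baseline
below are constructed placeholders, not data from the report)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed baseline: minimum acceptable version of each required package.
BASELINE = {
    "os-kernel": "2.6.22",
    "web-server": "2.2.6",
    "mail-client": "7.0.3",
}

# Constructed inventory, one record per host and package:
#   agency|hostname|package|installed_version
# 'atc-west-02' runs an old kernel; 'ws-04' has no mail-client record at all.
INVENTORY = """\
FAA|atc-east-01|os-kernel|2.6.22
FAA|atc-east-01|web-server|2.2.6
FAA|atc-east-01|mail-client|7.0.3
FAA|atc-west-02|os-kernel|2.6.18
FAA|atc-west-02|web-server|2.2.6
FAA|atc-west-02|mail-client|7.0.3
IRS|fs-03|os-kernel|2.6.22
IRS|fs-03|web-server|2.2.10
IRS|fs-03|mail-client|7.0.3
IRS|ws-04|os-kernel|2.6.22
IRS|ws-04|web-server|2.2.6
IRS|db-05|os-kernel|2.6.23
IRS|db-05|web-server|2.2.6
IRS|db-05|mail-client|7.1.0
"""


@dataclass(frozen=True)
class Finding:
    agency: str
    host: str
    package: str
    installed: str | None   # None: no record for a required package
    required: str


def parse_version(version: str) -> tuple[int, ...]:
    """'2.6.22' -> (2, 6, 22). Only numeric components are compared, so the
    ordering is numeric rather than lexical ('2.2.10' sorts after '2.2.6')."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return parts


def version_at_least(installed: str, required: str) -> bool:
    """True when installed >= required; shorter tuples are padded with zeros
    so that '2.6' and '2.6.0' compare equal."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def load_inventory(text: str) -> dict[tuple[str, str], dict[str, str]]:
    """Map (agency, host) -> {package: installed_version}. Malformed lines
    raise rather than being skipped, so a broken export cannot masquerade
    as a compliant one."""
    hosts: dict[tuple[str, str], dict[str, str]] = defaultdict(dict)
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            raise ValueError(f"inventory line {lineno}: expected 4 fields, got {len(fields)}")
        agency, host, package, version = fields
        hosts[(agency, host)][package] = version
    return dict(hosts)


def audit(inventory: dict[tuple[str, str], dict[str, str]],
          baseline: dict[str, str]) -> list[Finding]:
    """One Finding per (host, package) that is below baseline or missing."""
    findings: list[Finding] = []
    for (agency, host), packages in sorted(inventory.items()):
        for package, required in baseline.items():
            installed = packages.get(package)
            if installed is None or not version_at_least(installed, required):
                findings.append(Finding(agency, host, package, installed, required))
    return findings


def compliance_by_agency(inventory, findings) -> dict[str, float]:
    """Percentage of each agency's hosts with no findings, rounded to 0.1."""
    hosts_per_agency: dict[str, int] = defaultdict(int)
    failing: dict[str, set[str]] = defaultdict(set)
    for agency, _host in inventory:
        hosts_per_agency[agency] += 1
    for f in findings:
        failing[f.agency].add(f.host)
    return {
        agency: round(100.0 * (total - len(failing[agency])) / total, 1)
        for agency, total in hosts_per_agency.items()
    }


if __name__ == "__main__":
    inv = load_inventory(INVENTORY)
    results = audit(inv, BASELINE)
    for f in results:
        print(f"{f.agency} {f.host}: {f.package} {f.installed or 'MISSING'} < {f.required}")
    for agency, pct in compliance_by_agency(inv, results).items():
        print(f"{agency}: {pct}% of hosts at baseline")
```

Run as a script it prints the findings; `audit` returns them as data so a tracking system can diff successive runs and show progress toward the baseline, which is the use the OMB guidelines describe. Treating a missing record as a failure is deliberate: an inventory gap is itself a documentation failure under Policy Option 6.8.2.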
230. Ibid.
231. Ibid.
Following the earlier discussion of vulnerabilities in the FAA, the next two policy options are
specific to the FAA but could form a model for other government agencies.
Policy Option 6.8.3: Mandate that future development of the FAA's air traffic control
system continue to favor decentralized, redundant regional control centers. This will
ensure that it remains impractical for a cyber-attack to disable the air traffic system on
a nationwide level. One possibility is to run backup computer systems in parallel with
the main systems but with a different implementation (e.g. a different hardware
configuration or operating system), so that a vulnerability exploited on the main system
is less likely to affect the backup. Such diversity helps only against implementation-
specific flaws; a defect in a shared specification, protocol, or data feed would affect both.
Policy Option 6.8.4: Require that the FAA (and other government agencies) limit
outside IT contractors' access to the computer systems their work directly involves.
As discussed previously in Section 3.4.3.2, contractors are currently given access to
systems that are not relevant to their work assignments. This simple application of
least privilege would limit the risk of an outside contractor inserting malicious code
into the agency's computer systems and remove one vulnerability from the air traffic
control system.
6.8.3 Areas for Improvement
Although the preceding government policies are adequate to address most security issues, there
are two main areas in need of improvement. The first is the oversight and security of
contractors, an issue identified by the OMB. The second is the lack of a uniform testing procedure.
Skeptics of cyber-warfare suggest that the knowledge needed to penetrate systems and wreak
havoc is so specialized that only someone inside an agency could perpetrate an attack. This
argument understates the risk rather than dismissing it: a significant portion of cyber-attacks do
originate within an organization, and the government's insiders increasingly include people it
does not directly employ. Because of the nature of government and the cost of labor, large
portions of IT work are outsourced to contractors, and agencies depend on private corporations for
security products. Currently there is no effective plan for oversight of government contractors,
and IT receives little attention or support from management. The government needs to establish a
procedure for evaluating outside contractors, to ensure quality and secure technical assistance, or
else hire professionals for in-house IT departments. Additionally, government agencies need to
pool their buying power to press vendors to produce more secure products and, as a result, raise
security standards in private industry.
Additionally, the government needs to put a larger emphasis on testing the security of its
systems. Although the military has identified the need for realistic testing, the current national
policy is devoid of procedures for it. Returning to exercises such as Eligible Receiver, in which an
NSA red team demonstrated that it could penetrate Department of Defense networks, the
government needs to engage ‘red teams’ from the NSA and private companies to deliberately test
and break agency security systems. Without such realistic tests, IT departments can overlook
security openings that could lead to a significant cyber incident. The government must, however,
ensure that ‘red team’ personnel are cleared and vetted, operate under defined rules of
engagement, and do not use their knowledge against the government.
Policy Option 6.8.5: Use best-value evaluations when selecting outside contractors.
The OMB should establish which IT contractors present the best services, and
encourage agencies to select the best contractor and not the lowest bid. Additionally,
the OMB could establish a certification system for IT contractors to complete and
show minimum proficiency.
Policy Option 6.8.6: Require regular ‘red team’ testing of any agency or private
corporation that is connected to the government network. The ‘red team’ should be a
multi-agency force that has regular turnover to ensure new ideas are constantly
applied in security testing.
6.9 US and International Cyber-warfare Collaboration
Over the past decade, international cyber-warfare has become an increasingly prominent subject
as attempted attacks on economic and social infrastructures continue to occur. One of the first
recorded attempts at coordinated international cyber-attack happened in June of 1999, when a
group calling itself “J18” urged people all over the world to plan individual actions focused on
disrupting “financial centers, banking districts and multinational corporate power bases." The
group timed the actions to coincide with the G8 summit in Cologne, Germany, and suggested that
followers either march through the streets or hack into computer systems in protest of capitalism.
The call attracted teams of hackers from Indonesia, Israel, Germany, and Canada who eventually
attacked the computers of at least 20 companies, including the Stock Exchange and Barclays. By
the end of the protests, more than 10,000 cyber-attacks had been recorded over a 5-hour period.232
With America highly interconnected with the rest of the world, the nation must be prepared to
prevent and respond effectively to international cyber-attacks. Response is complicated, however,
by the difficulty of distinguishing cyber-warfare from terrorism and crime, and of mounting an
appropriate response across foreign borders. Systems supporting national defense, the intelligence
community, and critical infrastructures “must be secure, reliable, and resilient – able to withstand
attack regardless of the origin of attack.”233 America's policy should therefore focus on securing
its own systems from international attacks and on developing a cyber-warfare policy between
itself and other nations.
6.9.1 United States National Security Policies
America should be concerned with two distinct forms of cyber-warfare: espionage and attacks on
infrastructure. In the former, nations or terrorist groups may attempt, during peacetime, to steal
crucial documents about information systems and key target locations from the government,
private companies, and university research centers, and to “lace our infrastructure with ‘back
doors’ and other means of access” designed for future use.234 At the other end of the spectrum,
during wartime adversaries could attack critical infrastructures in order to intimidate the public
and erode its confidence in information systems.235 They could also attack the Department of
Defense (DoD) and the intelligence community in an attempt to slow the U.S. military response.
Given this wide range of possible attacks, the U.S. government has stated that it must be able to
protect infrastructures that are considered “national security assets.” It also holds that the nation
must develop the capability to quickly identify attackers.236 The following outlines the policies
needed to fulfill these goals.

232. Denning, Dorothy. "Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy." Internet and International Systems. December 1999: 101-120. 28 Oct. 2007 <http://www.nautilus.org/gps/info-policy/workshop/papers/denning.html>
233. “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 49. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
6.9.1.1 Securing the Nation’s Cyberspace
One of the largest problems the nation faces in attempting to secure cyberspace is data mining and
intelligence collection directed against the United States government, critical infrastructure
companies, and educational research facilities. To date, almost no true counterintelligence
technologies for cyberspace have been developed. The United States must therefore first work to
better understand its adversaries' capabilities, so that the FBI and the intelligence community can
develop and implement stronger forms of counterintelligence.237
Beyond these underdeveloped counterintelligence abilities, the Department of Defense, the
intelligence community, and law enforcement agencies are unable to quickly trace the source of a
cyber-attack, even in cases where the person or group can be traced at all. The government should
therefore promote better attribution technologies so that these groups can identify the culprit
quickly and take action if warranted. Preventative techniques are also lacking and must be
developed further in order to protect critical systems and infrastructures.238
Although the DHS has created several bodies for incident reporting and interagency
communication, reports of cyber-attacks still fail to reach the proper agencies. The United States
must therefore develop a better network and system for routing reported incidents to the
appropriate defense, law enforcement, and national security agencies according to the nature of
the attack. The National Security Council and the Office of Homeland Security are leading
research to ensure that the proper technologies and procedures are in place so that these reports
reach the right agency quickly.239
234. “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 50. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
235. Ibid.
236. Ibid.
237. Ibid.
238. “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 50. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
239. Ibid.
6.9.2 United States International Policies
Not only must America work toward improving its own security and detection systems, it must
also work with nations all over the world to secure global cyberspace and the global economy. To
date, relatively little has been done to advance the idea that all nations should work together to
secure the world market. The policies and general plans for accomplishing international security
are outlined below.
6.9.2.1 Utilize International Organizations to Promote a Global “Culture of Security”
Because the nation's infrastructure is directly linked with Asia, Canada, Europe, Mexico, and
South America, the United States has a vested interest in securing global cyberspace. The global
economy increasingly depends on the vast information networks that connect markets and
multinational corporations. As the world becomes more interconnected, America needs to push
for a global “culture of security” in order to protect every nation's international economy.
Countries must work together toward this goal, because “the vast majority of cyber-attacks
originates or passes through systems abroad, crosses several borders, and requires international
investigative cooperation to be stopped.”240
Because this goal requires international participation, the United States is determined to work
with other nations to raise awareness, share ideas and defense technologies, and prosecute all who
engage in cyber-crime, in order to maintain the highest level of integrity within global information
networks. Up to this point, the government has worked with public international organizations
such as the Organisation for Economic Co-operation and Development (OECD), the G-8, the
Asia-Pacific Economic Cooperation forum (APEC), and the Organization of American States
(OAS). It has also worked with organizations that help coordinate the private sector, such as the
Transatlantic Business Dialogue.241
6.9.2.2 Develop Secure Networks
To develop secure networks, the United States urges that international technical standards for
these systems be developed and adopted so that every nation has a base level of security; that
baseline would in turn make the entire global market and its information systems more secure.
The government will also facilitate collaboration and research among the world's top scientists
and researchers. Additionally, the government will encourage American industries to engage with
their foreign counterparts, both to make a business case for cyber-security and to develop a plan
for successful partnerships with governments.242
240. “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 51. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
241. “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 51. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
242. Ibid.
6.9.2.3 Promote North American Cyberspace Security
Although global cyber-security is a high priority, the United States must first secure North
American cyber-assets before focusing on the rest of the world. The government should therefore
cooperate with Canada and Mexico to form a strong “Safe Cyber Zone.” The zone would be built
by identifying all networks that the three countries share and resolving the security issues that
exist across their borders.243 In turn, the “Safe Cyber Zone” would provide a strong defense no
matter where an attack originates.
6.9.2.4 Establish International Network of Agencies for Information Relay
The United States encourages every nation to appoint a single organization to inform governments
and the public worldwide of cyber-attacks and viruses. The U.S. government also calls on larger
bodies, such as the European Union, to create information-sharing hierarchies. By creating such a
network, the increased volume of information shared about attacks will make defense research
easier. An international communications network could further improve both defense and defense
research if each country developed a system that automatically informs its government agencies,
the public, and other nations about impending cyber-attacks or viruses.244
6.9.2.5 Encourage Other Nations to Follow the Council of Europe Convention on Cyber-crime
The United States has signed and put into effect the Council of Europe Convention on Cybercrime
(described below), and encourages other nations to both sign and abide by the treaty, in turn
helping one another find and prosecute offenders.245
6.9.3 International Cyber-security Collaboration
In November 2001 the Council of Europe opened its Convention on Cybercrime for signature in
Budapest; it was signed by 26 Council of Europe member states as well as Canada, Japan, South
Africa, and the United States. The treaty establishes that all parties will work together to help
investigate cyber-crime originating from their respective countries, similar to the American policy
outlined above. This is stated in the treaty's preamble: “Believing that an effective fight against
cybercrime requires increased, rapid and well-functioning international co-operation in criminal
matters.”246 The treaty continues this idea of cooperation by establishing that legitimate interests
in the use and development of information technologies should be protected when cooperating
with other nation states. One reading of this is that all parties should respect the distinction
between private and public information, so that defense companies developing new cyber-warfare
technologies can succeed by selling their products rather than having the information leaked to the
public.

243. “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 51. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
244. Ibid.
245. Ibid.
246. Convention on Cybercrime. Council of Europe. 23 Nov. 2001 <http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG>
The United States signed the Convention in November 2001, when it was opened for signature,
but the Senate did not ratify it until 2006, and it entered into force for the United States on
January 1, 2007.247 The government should therefore strive to use and enforce the policies
agreed upon in the document so that both global cyber-security and the international prosecution
of criminals improve.
6.9.4 International Policies
Although no explicit cyber-warfare policies have been found for other nations, there is some
indication of how several view the use of the internet as a weapon. Some countries, such as the
United Kingdom and Germany, hold views relatively similar to those of the United States. Others,
such as Russia and China, differ from U.S. policy in their retaliation doctrine and future military
practices, respectively.
6.9.4.1 United Kingdom
The United Kingdom's views on cyber-warfare policy are very similar to those of the United
States. The British treat cyber-warfare as actions that affect others' information systems in
support of national objectives, and also include in the definition the defense of one's own
infrastructure and systems via the internet. The UK is even a step ahead of the United States in
that it applies existing legal frameworks to attacks in cyberspace: a cyber-attack on a person or
company is treated as a crime that is prosecutable if the culprit is found. To help find attackers,
the Regulation of Investigatory Powers Act 2000 (RIPA) allows the government to intercept and
read e-mail and to compel the disclosure of encryption keys or decrypted data. The British believe
this will help “combat the threat posed by rising criminal use of strong encryption,” and have
promised that the program will not get out of hand because an independent overseer reviews the
use of RIPA powers.248
6.9.4.2 Germany
In general, the German perspective on cyber-warfare policy is similar to that of the United States
and the United Kingdom. The Germans do, however, hold a couple of ideas that differ from
American policy. The first treats the management of the media as “an element of information
warfare,” meaning that an attempt to control any form of German media could be regarded as an
act of war against the country. Also, following a reported case of French industrial espionage that
caused the German economy significant losses, the German government is considering economic
cyber-warfare as a means of keeping adversaries on a level playing field.249 This does not mean,
however, that Germany intends to use it offensively; rather, it would be employed only during a
conflict with another nation as a way to help end the dispute.

247. Ibid.
248. Hildreth, Steven A. “Cyberwarfare.” CRS Report for Congress. June 19, 2000. <http://www.fas.org/irp/crs/RL30735.pdf>
6.9.4.3 Russia
The Russian view of cyber-warfare is drastically different from that of the American government.
Indeed, some Russian military writers rank information warfare second only to nuclear attack in
the danger it poses:
From a military point of view, the use of Information Warfare against Russia or
its armed forces will categorically not be considered a non-military phase of a
conflict whether there were casualties or not . . . considering the possible
catastrophic use of strategic information warfare means by an enemy, whether
on economic or state command and control systems, or on the combat potential
of the armed forces . . . Russia retains the right to use nuclear weapons first
against the means and forces of information warfare, and then against the
aggressor state itself.250
They also hold that the goal of “competing sides” is to gain complete control of the other's
information systems, decision-making processes, and even populace.251 Some Russian writers
have even described computer viruses as “powerful force multipliers” in a conflict with another
entity. All of this shows the dire need for international cooperation in securing the global
infrastructure and economy. If Russia successfully took out another country's critical
infrastructure or banking systems, that country would be effectively crippled, to say nothing of
the effect on the global economy. The American government must therefore follow through with
the International Cyber-security Collaboration (Sec. 6.9.3) and lead the way in developing strong
defensive capabilities for the entire world. An international treaty could also be constructed to lay
out rules of engagement for cyber-warfare.
It must be noted, however, that Russia has also enacted laws against any form of cyber-attack and
has made clear that aggressors will be investigated and prosecuted. Because its government has
passed such laws, Russian comments about nuclear retaliation can be read as deterrent threats, but
they must still be taken seriously, and international cyber-security must be strengthened.
249. Hildreth, Steven A. “Cyberwarfare.” CRS Report for Congress. June 19, 2000. <http://www.fas.org/irp/crs/RL30735.pdf>
250. Ibid.
251. Grau, Lester W., and Timothy L. Thomas. “A Russian View of Future War: Theory and Direction.” The Journal of Slavic Military Studies 9.3 (Sept. 1996): 501-518.
6.9.4.4 People’s Republic of China
China is another country that demonstrates the need for international collaboration in defending
cyberspace. Over the past decade, its military has aggressively developed cyber-warfare
technologies and incorporated them into its organization, doctrine, and training. The push toward
information warfare stems from indigenous concepts of how to conduct war, both modern (the
People's War concept) and ancient (the 36 Stratagems). Chinese warfare is based around
“deception, knowledge-style war, and seeking asymmetrical advantages over an adversary.”252
Because Chinese theory emphasizes gaining lop-sided advantages, the international need for
cyber-defense is even more apparent. If China were to attack a weaker country with limited
cyber-security, it could potentially take over every aspect of that country's infrastructure, much as
the 2007 attacks on Estonia, widely attributed to Russian sources, disrupted that country's
government and banking websites.
The Chinese have also been pursuing the idea of a Net Force consisting of thousands of computer
professionals trained at various universities and training facilities. Several large-scale
cyber-training seminars have reportedly been held since 1997.253 Given China's evident efforts
to gain military dominance through cyber-warfare, the United States military should begin to
contract its own computer experts in order to develop the technologies needed to protect both its
allies and itself against attacks from any source.
6.10 Military Policy
As the global balance of power continues to shift, it is crucial that the United States military stay
ahead of foreign powers, especially in the area of cyber dominance. Although cyber dominance
also encompasses electronic warfare, this policy analysis is limited primarily to cyber-warfare.
6.10.1 Current Military Cyber Units
Although cyber threats have existed for the better part of a decade, the military has been slow to
respond with specific units designated for the growing arena of cyber-warfare. Initially
cyber-warfare was lumped under Air Force Space Command, but in November 2006 the Air Force
announced that the 8th Air Force would become its Cyber Command, a new command charged
with assembling the resources and personnel required for the new theatre of war. The new mission
of the Air Force, as stated by Secretary of the Air Force Michael W. Wynne, is to “fly and fight in
air, space, and cyberspace.”254
252. Hildreth, Steven A. “Cyberwarfare.” CRS Report for Congress. June 19, 2000. <http://www.fas.org/irp/crs/RL30735.pdf>
253. Ibid.
254. Wilson, Clay. (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues.” 30 October, 2007. <http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>
Before delving into policy recommendations for the military, it is important to describe briefly
the current divisions of cyber-warfare. Cyber-warfare is grouped under the large umbrella of
Information Operations (IO), meaning any action designed to disrupt enemy information systems
while protecting one's own. IO's core capabilities are Psychological Operations, Military
Deception, Operations Security, Computer Network Operations, and Electronic Warfare. Of
these, Computer Network Operations (CNO) is the one specifically tasked with cyber-warfare.255
CNO has three main components: Computer Network Defense (CND), Computer Network
Exploitation (CNE), and Computer Network Attack (CNA). CND's mission is to protect military
networks against disruption, intrusion, or destruction: it monitors for hostile activity and
intrusions and counters them through passive measures such as firewalls as well as more active
measures, such as determining an adversary's capabilities before they can be used against military
systems. CNE is an emerging area covering intelligence collection and enabling operations
conducted through computer networks, penetrating adversary systems to gather data about them
and to support planning against various targets. CNA, finally, covers actions taken through
computer networks to disrupt, deny, degrade, or destroy information resident in enemy computers
and networks, or the computers and networks themselves.
6.10.2 Military Uses of Cyber-warfare
To date, there are no publicly acknowledged cyber-attacks perpetrated by the US military. The
military has, however, debated using cyber-warfare in its most recent operations, Kosovo and
Operation Iraqi Freedom. In both cases the military had defined attack plans but was worried
about potential side effects and about violating the law of armed conflict, specifically the Geneva
Conventions' prohibition on targeting civilian populations. There was particular concern in Iraq
that cyber-attacks could cause cascading failures that would destroy the country's economic
systems and hurt the population: Iraq's banking system was connected to Europe, and internal
military and civilian systems were closely integrated. US officials ultimately decided against
cyber-attacks because they could not target only the Iraqi military without harming Iraqi civilians
and Europeans.256 Although there is no public evidence of computer network attack in Kosovo,
some cyber tactic appears to have been used against Serbian air defense systems; exactly what it
was remains uncertain.257
6.10.3 Future of Cyber-warfare in the Military
As both civilian populations and foreign militaries become increasingly reliant upon technology,
the military will play a growing role in national cyber-defense and begin to integrate offensive
cyber operations into global strategy. To that end, the military should undertake or further
develop four areas: create national defense strategies against specific foreign nations, continue to
expand cyber units and cyber education, involve the private sector in research and development,
and continue to develop offensive cyber-warfare capabilities.
255. Ibid.
256. Ibid.
257. “Cyber-war!.” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/arquilla.html>
Since the end of the nineteenth century the nation has developed contingency war plans against
specific nations in case of the outbreak of war. As we move into the cyber age, cyber-attacks
must be integrated into national strategy while remaining wary of foreign cyber-attacks. Just as
every country requires a different physical military response, each will require a tailored cyber
strategy that avoids the cascading damage a poorly managed attack could cause. Although China
appears to be the greatest adversary in this arena, the military cannot be short-sighted and fail to
examine the capabilities of other nations as well as terrorist groups.
As the role of cyber-warfare grows in national planning, the military needs to grow in personnel.
As previously mentioned, this year saw the formation of a Cyber Command as well as the
introduction of new Air Force job codes specifically for cyber units.258 These job codes create a
dedicated cyber career field, with airmen working on cyber activities for the entirety of their
careers. This provides not only a dedicated workforce but also deeper education and ability within
the command.
Additionally, the military has increased its efforts in cyber education. The Air Force offers a
ten-week cyber boot camp for officer candidates and civilian university students that covers both
the means of cyber-attack and the legal and political issues surrounding cyber-warfare. The
Department of Homeland Security and the National Science Foundation sponsor two-year
scholarships for students in cyber-security on the condition that recipients then work for a
government agency for two years after graduation. Building on the cyber boot camp, Syracuse
University has begun to offer cyber defense courses in local high schools, and more than 148 high
schools in the Northeast offer cyber classes that carry college credit if successfully completed.259
Since 2000, small groups of cadets at West Point, the Naval Academy, and the Air Force
Academy have built small networks that NSA hackers then attempt to break into.260 While these
steps are beneficial, education must be expanded further in the coming years.
While these steps are beneficial, education must be further expanded in the coming years.
Although the military has made great strides in recent years in identifying the threat of cyber-
warfare, it is still in the beginning stages of offensive cyber capabilities. Cyber-attacks were not
used in previous engagements in part because of the uncertainty of the potential effects of their
attacks. Rather than developing cyber capabilities similar to a cluster bomb, the military needs
precision offensive capabilities to attack specific targets with low risk of civilian damages. A
clear contrast can be made in regard to the first Gulf War. During the course of our bombing
campaign, the US military targeted both water treatment plants and key electrical infrastructure
as part of the strategy to force Iraq out of Kuwait. Following the war, the lack of a functioning
sanitation system led to 110,000 civilian deaths compared to 3,500 deaths during the course of
the war. With the right technology, the US military could have instead disrupted the plants and
destroyed them electronically to achieve the same military objectives. However, the cyber
damage could be such that simple repairs could restore the systems and prevent the mass loss of
life.
258 Shane, Leo III (2007). “AF Taking Careers into Cyberspace.” 30 October 2007. <http://www.military.com/features/0,15240,152400,00.html?wh=benefits>
259 Wilson, Clay (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues.” 30 October 2007. <http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>
260 Krebs, Brian (2003). “Cyber War Games Tests Future Troops.” Washington Post. 30 October 2007. <http://www.washingtonpost.com/ac2/wp-dyn/A21871-2003Apr23>
In the endeavor to further develop cyber tools, the military has begun to seek outside help in both
development and testing. Earlier in the year both the Air Force and Army solicited assistance
from the computer industry in developing offensive capabilities.261 Currently the Pentagon is
regularly tested by NSA ‘red teams’ for security holes, a job that could also be given to outside
contractors, who may take a different tack and surface other potential weaknesses.
Defensive capabilities are necessary to protect the nation, and it is vital for future military
operations to further develop offensive capabilities, and integrate cyber-attacks as key tools in
combat.
Policy Option 6.10.1: Continue to integrate cyber-warfare into national strategic
planning, especially in the areas of growing the military and creating or redefining the
mission of the military. This would include increasing the number of units dedicated
to cyber-warfare, and expansion throughout the cyber domain.
Policy Option 6.10.2: Increase funding for cyber education, both in the civilian and
government sectors. Expanding cyber-warfare training in the military would result in
more effective troops, and the civilian sector could offer outside aid and ideas for the
military.
Policy Option 6.10.3: Develop specific national strategies for use of cyber-warfare,
both offensively and defensively, against nations and terrorist organizations. These
policies should focus on the capabilities of foreign powers, as well as specific
technologies that could exploit enemy defenses or thwart their offensive capabilities.
Any technology discussed in these reports should be fully researched to achieve its
maximum effect.
6.10.4 Policy Questions
While the military seeks to improve its defensive capabilities, there are significant policy
restrictions that hamper effective cyber operations. In March of this year Marine Gen. James
Cartwright, commander of the Strategic Command, told the House Armed Services Committee
that the nation needed more than passive defensive measures in regard to cyber-warfare. He
commented that although the military was positioned to prevent lower level hacking, focusing on
network defenses amounts to little more than a modern Maginot Line. Instead, Gen. Cartwright
asked the Congress to help solve technical and legal international issues that restrict cyber
capabilities of the military.262
261 Brewin, Bob (2007). “Army, Air Force seek to go on offensive in cyber war.” 30 October 2007. <http://www.govexec.com/story_page.cfm?filepath=/dailyfed/0607/061307bb1.htm>
262 “Statement of General James E. Cartwright, Commander, United States Strategic Command, before the House Armed Services Committee on United States Strategic Command, 21 March 2007.” 30 October 2007. <http://armedservices.house.gov/pdfs/FC032107/Cartwright_Testimony032007.pdf>
Essentially, the United States is unable to conduct any cyber actions legally without foreign
cooperation. The investigation into the source of cyber-attacks such as Titan Rain is stalled due
to Chinese refusal to cooperate with investigations. Through vigilante-style assistance, civilians
working outside the legal framework have monitored and tracked foreign hackers on the
government’s behalf, and even managed to trace the Titan Rain hackers to a specific router in China.
However, without international agreements or cooperation, the investigative trail is cut off.263
Additionally, there is the potential for US cyber-activity to create an international incident
similar to other intelligence activities. What would the ramifications be if military monitoring or
hacking was detected and proven by China or another antagonistic government? A more
interesting question is what would be the response from an ally nation if we were monitoring
them as well? Also, what is the line before a cyber activity violates the Law of Armed Conflict
against another nation? Other questions include the appropriate response to an internal, civilian
attack, as well as the possibility of using a neutral party to route cyber activity.264
Although there is not a clear answer to these questions, they are policy issues that should be
discussed both in Congress and abroad as an international community. As new weapons come
onto the scene, international cooperation has determined the effectiveness and appropriateness of
these weapons, and banned cruel and inhumane weapons. Unfortunately, it usually requires a
war or widespread use of a technology before policy is adopted – but can we afford to allow a
debilitating cyber-attack before we determine international standards for action?
Policy Option 6.10.4: Establish an international convention regarding cyber-warfare,
possibly through the United Nations. Work to establish legal framework for the
tracking and use of cyber-attacks, as well as classifications of cyber-attacks. From
these classifications (military, terrorist, criminal, etc.) establish protocol for
international sanction (if necessary) and rules of engagement or retribution.
Cyber-warfare is the next battlefield, one that the military has acknowledged and is starting to
include in both defensive and aggressive planning. The military must further both offensive and
defensive operations, as well as develop a culture in the military that acknowledges the use and
effectiveness of cyber attacks, as well as the potential for widespread destruction. Increased
education programs and cooperation with the public sector will bring the best and the brightest to
turn a potential weakness into another area of US dominance.
263 Thornburgh, Nathan (2005). “The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them).” Time. 30 October 2007. <http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html>
264 Wilson, Clay (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues.” 30 October 2007. <http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>
7 Conclusion
7.1 Is Cyber-warfare a threat?
This assessment began with the hypothetical scenario of Chicago being permanently evacuated
due to nuclear radiation and the Mississippi River being contaminated and full of sewage.
Clearly, this is the worst case cyber-warfare scenario, not the most realistic. However, the
vulnerabilities discussed throughout the paper show that the scenario’s individual components
are within the realm of possibility.
As a nation, should we be concerned by cyber-attacks? It is known that cyber-attackers could
potentially compromise elements of our critical infrastructure and steal sensitive government data.
Foreign nations are preparing for a cyber-war, with the threat of disabling entire military units.
On the other hand, the actual effects of many of these cyber-attacks are limited in scope. Data
stolen to date has not been classified information, aircraft can be flown without catastrophe even
without guidance from air traffic control networks, and many economic and social consequences
are short-term in nature. Successful large-scale attacks on the power sector could be extremely
costly, but may not be feasible in the near future. So can we dismiss these threats, or should we
place them as a high national priority?
Ultimately, the answer is mixed. Our vulnerability to cyber-attacks is clear, especially seeing
that the means of attack are so readily accessible. An increasing reliance on computer systems
will only expand our vulnerability, especially in areas such as the military that are not yet fully
dependent upon networked systems. However, this vulnerability does not translate into the
doomsday scenarios that many suggest. At present, a large-scale cyber-attack would almost
certainly be part of a larger conventional attack, in which the cyber-attack would simply be used
to make an already catastrophic event worse. We are threatened as a nation, but we do not have
a crisis on our hands yet, and a future crisis can be prevented by taking wise policy steps now.
With better implementation of established cyber-security practices, along with proactive research
and development, we can reduce the glaring weaknesses in our cyber-defense and mitigate the
vast majority of cyber threats.
7.2 The Way Forward
Action must be taken to counter the current and future threat of cyber-warfare. The federal
government should continue to advance the broad policy objectives outlined in the NSSC and
additional measures should be enacted to fill gaps that have become evident in the current policy.
We have compiled our suggested “best policies” to fill these gaps.
7.2.1 What Can Be Done Now
Our research has shown that there are no significant barriers to keep the United States
Government from implementing the following policies and actions immediately:
Create more severe standards for sentencing convicted cyber-criminals.
Increase federal funding for the US-CERT bulletin and Stay Safe Online, specifically for
the marketing initiatives to inform the general public.
Require the IT departments of government agencies to document the structure of their
computer systems and their installation of security patches.
Expand cyber-warfare training within the military and at universities to make our Armed
Forces more skilled in cyber-warfare tactics.
7.2.2 Policies for the Near Future
The following policies and actions should be given immediate consideration, but will take some
time to develop. Our suggested timeline for implementing these policies and actions
would be two to five years:
Create a uniform cyber-security licensure and certification process, which could help to
ensure the proper level of training for IT professionals.
Create a uniform cyber-security testing procedure for federal agencies and contractors
that is able to constantly evolve with new challenges. Creating a federal “red team” of
security testers that periodically tests the cyber-security vulnerabilities of government
computer systems would help with the evolution of cyber-security.
Enact policies to encourage other nations to prevent cyber-attacks from originating within
their borders.
Work with other nations to adopt a set of international cyber-security standards to be
followed, to ensure all international computer systems have a minimum level of security.
One starting point in a global cyber-security policy could be the creation of a regional
North American cyberspace “safe zone”, in which the U.S. would work with Canada and
Mexico to ensure the countries work to solve mutual cyber-security issues.
Integrate policies related to cyber-warfare tactics into national strategic planning and any
future discussions of redefining the military’s mission.
Create a legally binding set of security requirements for software and hardware. Such a
law will need to be abstract enough to accommodate the evolving nature of threats and
should balance added security with added costs.
7.2.3 Future Research
The following policies and actions will need extensive research and time before they can be
implemented. A general timeframe for putting the following policies into practice would be
approximately ten years.
Establish a widely accepted international treaty or agreement to create a global cyber-
security policy, a framework for interagency cooperation and legal response, and an
international network of agencies for sharing information.
Establish a cyber-warfare equivalent to the Geneva Convention to establish rules for
military use of cyber-warfare tactics.
7.2.4 Conclusion
These “best policies” are a framework based on our research that must be further developed.
Special attention should be paid to increasing overall awareness of the issue of cyber-warfare.
This would help increase the emphasis placed on cyber-security in both the private and public
sectors, including international corporations. Increased awareness could stimulate research and
development, spread concerns of cyber-security from IT departments to boardrooms, and help
the private sector understand that stronger cyber-security measures are a financially sound
undertaking. However, the government must be sure to balance regulation and legal
enforcement of the private sector’s cyber-security with the economic costs that would result.
One balanced option is to use financial incentives to encourage change.
Although there is never an impenetrable defense, the United States can greatly limit the threat of
cyber-warfare over time with more robust cyber-security policies that are able to adapt and
evolve to the changing times.
8 Appendix
8.1 Policy Options
Below are the assembled policy options outlined in the report.
Policy Option 6.5.1: Require by law that all computers be secured in specific ways.
A policy that demands all systems be secured is a tempting idea, but carries with it
many consequences. Explicitly defining which precautions to make about cyber-
security increases government encroachment on individuals and if worded
improperly could actually make computers less secure. Diversity is an important part
of system protection, which a law explicitly demanding specific security precautions
might eliminate, actually giving attackers more potential targets. A law
requiring security precautions would need to be worded in abstract terms to allow for
the diverse systems which currently exist. Specific security measures required by law
might raise the cost of computers and reduce the performance of the technology.
Defining a bare minimum of precautions that must be taken might lead to fewer
systems protecting themselves beyond that minimum. It may be possible to create a
law which requires certain precautions with minimal negative side effects that could
reduce vulnerability, but such a law would have to be created very carefully.
Policy Option 6.5.2: Change the policies about liability for software makers and/or
system administrators.
A policy might be drafted which could hold system administrators responsible for
damage caused by their systems. The law would give administrators a larger
motivation to secure their systems so that attackers could not commandeer them and
execute attacks. In a way, administrators are already responsible for their systems,
because security breaches under their watches tend to hurt their careers, so the
necessity of this policy is debatable. Changes in liability rules would increase the
stress put on those with increased responsibility, possibly raise the cost of their
service and reduce the number of people willing to take the risk of working to protect
networks. In some limited systems, changes in liability rules might be more
appropriate than others. For example, administrators responsible for maintaining
networks controlling critical infrastructures or connected to extremely high-capacity
Internet links might deserve more legal motivation to secure their systems than
owners of personal computers.
Applying new responsibility to software developers would slow down the
development process and increase the cost. Software prices would rise to offset the
legal costs relating to new liabilities, while programmers would be under legal
pressure to secure their products, possibly at the expense of performance. The private
sector already has motivation to secure its products, but perhaps is not as concerned
as it should be that flaws in one system can be used to cause damage to the systems
of others. Certain violations of software security might be more appropriate to hold
developers responsible for than others; it may be possible to make adjustments in
liability rules which improve security with minimal impact on the cost and
performance of software. Imported software and outsourced developers would also
have to be taken into consideration in any policy about the liability of software
developers.
Policy Option 6.5.3: Create programs to approve security products and personnel.
Institutions exist for the licensure of many different professionals and the approval of
different products which might be similarly created to address cyber-attack
possibilities. Policy makers can expect debates over whether government or the
private sector can better provide cyber-security approval services. Having a
compulsory form of certification may be helpful, since current methods of approving
software and personnel for security still allow for false products and charlatan
professionals to exist. A government approval process for allowing individuals to
practice securing systems would have to be carefully crafted by experts to ensure that
certified individuals are qualified for their positions. Creating new institutions would
be costly, and defining the specific software packages and personnel under their
jurisdiction would be difficult, but having more qualified security personnel and
higher quality defense products would be helpful.
Policy Option 6.5.4: Federally demand a minimum level of security for critical
infrastructure systems.
In 2001, the Energy Information Security program was created in an attempt to
develop better defense technologies for our nation's critical infrastructures. Due to
the difficulty of and the time needed for installing these technologies, many
companies have not kept their systems up to date. Because they are not properly
secured, it leaves even the "secured" infrastructure companies vulnerable to attack
simply due to them being connected to the same network as the unprotected
companies. Therefore, the minimum level of security for our nation's infrastructure
must be federally regulated so that the United States' power utilities, water lines,
communication systems, and emergency response will not fail due to a "weak link" in
their network connections.
Policy Option 6.6.1: Create a more forceful and concentrated effort to prosecute
cyber-criminals to the full extent of the damage they caused. It is dangerous to allow
criminals who have caused millions of dollars in damage to be allowed to access
computer systems after only a few years of imprisonment. Additionally, minimum
and maximum sentences need to be increased to reflect the widespread damages
caused by cyber-attacks.
Policy Option 6.6.2: Apply a more concrete method of analyzing cyber-attacks in
such a way that a general audience is able to comprehend. This will be useful in
enhancing the quality of communication between the government and its citizens.
Policy Option 6.6.3: Allow incentives for private sectors in their own attempts to
secure their networks. Due to the lack of profit directly resulting from securing their
cyber-space, private companies do not see the benefit in taking the initiative to
prevent cyber-attacks on their own system. If the government were to provide
incentives or prominent recognition of companies who successfully work to secure
themselves, private sectors will be more likely to conform to the government’s view
of cyber-security.
Policy Option 6.6.4: Attempt to increase communication not only with home users
and small businesses, but also with other nations. A better response to cyber-attacks
is dependent on increased communication and analysis of attack trends. Opening up
an international dialogue related to cyber-attacks could prepare the US government
and citizens for possible future attacks.
Policy Option 6.6.5: Establish a network in which local police and firefighters are
able to coordinate effective response systems in regards to local cyber-attacks. For
example, have a hotline for businesses and computer users to have access to in case of
a cyber-attack. The difficulty with this policy is finding a way to communicate in case
telecommunications were disrupted as well. Perhaps the most reliable method is to
create a useful two-way radio between departments that could be accessed by heads
of Information Technology departments at companies as well.
Policy Option 6.7.1: Increase advertisement funding for the federally-managed
websites and email lists described above. These websites have the potential to
increase public awareness, but are not receiving the traffic needed to make an impact.
Advertising them more vigorously would improve their public exposure.
Policy Option 6.7.2: Create greater incentives for small businesses to inform their
employees of cyber-security concerns. For example, small businesses could receive
tax credits if a certain percentage of their employees subscribe to US-CERT’s e-mail
Policy Option 6.7.3: Provide tax incentives for enterprises whose employees undergo
an educational cyber-security course. As in the case of small businesses, this could
be an effective way to increase awareness of secure computing practices among
individual workers.
Policy Option 6.7.4: Work with private industry to create a standardized set of
essential skills for IT professionals in the area of cyber-security, for the purpose of
creating a certification program. If such a standard were created, the IT professionals
responsible for designing and maintaining companies’ internal computer systems
Policy Option 6.7.5: Accompany existing efforts to encourage electronic submission
of shipping manifests with efforts to encourage safe and secure handling of the
electronic manifest data. An additional option to consider is an incentive program for
companies that implement and document measures taken to secure electronic
shipment manifests and shipment tracking systems.
Policy Option 6.7.6: Make available and widely publicize a national database of
cyber-incidents and attempted cyber-attacks at critical infrastructure components such
as transportation, power, and communication systems. By increasing the public’s
attention to these areas, such a database could add pressure on infrastructure
companies to focus more on their own cyber-security prevention and response.
Policy Option 6.7.7: Increase funding for university-level research of cyber-security
and preparedness measures, and provide funding for universities and community
colleges to create dedicated cyber-security training and research programs. This
could significantly improve the training of America’s future IT workforce.
Policy Option 6.7.8: Create a cyber-warfare threat level indicator system, possibly
similar to the Department of Homeland Security’s color-coded daily threat level
indicator. This sort of indicator system could be used by media outlets to help
publicize the issue of cyber-security, and would increase overall awareness of the
issue across all sectors.
Policy Option 6.8.1: Mandate user password complexity and frequent changes, log-
outs after a short time of inactivity, and require secondary identification (in the form
of ID cards required to run the computer).
Policy Option 6.8.2: IT departments should be required to submit system structure
documents, detailing the systems used throughout their agency. Departments should
institute a government wide internet control program to restrict potentially threatening
website access. Additionally, they must show prompt response and 100%
implementation of security patches for their systems.
Policy Option 6.8.3: Mandate that the future development of the FAA's air traffic
control system continue to favor decentralized, redundant regional control centers.
This will ensure that it remains impractical for a cyber-attack to disable the air traffic
system on a nationwide level. One possibility is to make backup computer systems
run in parallel with the main systems, but with a different implementation (e.g. a
different hardware configuration or operating system), so a vulnerability exploited on
the main system may not affect the backup.
Policy Option 6.8.4: Require that the FAA (or other government agencies) limit
outside IT contractors' access to the computer systems they are directly involved with.
As discussed previously in Section 3.4.3.2, contractors are currently given full access
to systems that are not relevant to their work assignments. This simple measure
would limit the risk of an outside contractor inserting malicious code into the
agency's computer systems, and remove one vulnerability from the air traffic control
system.
Policy Option 6.8.5: Use best-value evaluations when selecting outside contractors.
The OMB should establish which IT contractors present the best services, and
encourage agencies to select the best contractor and not the lowest bid. Additionally,
the OMB could establish a certification system for IT contractors to complete and
show minimum proficiency.
Policy Option 6.8.6: Require regular ‘red team’ testing of any agency or private
corporation that is connected to the government network. The ‘red team’ should be a
multi-agency force that has regular turnover to ensure new ideas are constantly
applied in security testing.
Policy Option 6.10.1: Continue to integrate cyber-warfare into national strategic
planning, especially in the areas of growing the military and creating or redefining the
mission of the military. This would include increasing the number of units dedicated
to cyber-warfare, and expansion throughout the cyber domain.
Policy Option 6.10.2: Increase funding for cyber education, both in the civilian and
government sectors. Expanding cyber-warfare training in the military would result in
more effective troops, and the civilian sector could offer outside aid and ideas for the
military.
Policy Option 6.10.3: Develop specific national strategies for use of cyber-warfare,
both offensively and defensively, against nations and terrorist organizations. These
policies should focus on the capabilities of foreign powers, as well as specific
technologies that could exploit enemy defenses or thwart their offensive capabilities.
Any technology discussed in these reports should be fully researched to achieve its
maximum effect.
Policy Option 6.10.4: Establish an international convention regarding cyber-warfare,
possibly through the United Nations. Work to establish legal framework for the
tracking and use of cyber-attacks, as well as classifications of cyber-attacks. From
these classifications (military, terrorist, criminal, etc.) establish protocol for
international sanction (if necessary) and rules of engagement or retribution.
8.2 Open Letter to the President
27 February 2002
George W. Bush
President of the United States
The White House
1600 Pennsylvania Avenue, NW
Washington, DC 20500
Mr. President,
Our nation is at grave risk of a cyber attack that could devastate the national psyche and
economy more broadly than did the September 11th attack. We, as concerned scientists and
leaders, seek your help and offer ours. The critical infrastructure of the United States, including
electrical power, finance, telecommunications, health care, transportation, water, defense and the
Internet, is highly vulnerable to cyber attack. Fast and resolute mitigating action is needed to
avoid national disaster. We urge you to act immediately by forming a Cyber-Warfare Defense
Project modeled in the style of the Manhattan Project.
Consider the following scenario. A terrorist organization announces one morning that they will
shut down the Pacific Northwest electrical power grid for six hours starting at 4:00 PM; they
then do so. The same group then announces that they will disable the primary telecommunication
trunk circuits between the U.S. East and West Coasts for a half day; they then do so, despite our
best efforts to defend against them. Then, they threaten to bring down the air traffic control
system supporting New York City, grounding all traffic and diverting inbound traffic; they then
do so. Other threats follow, and are successfully executed, demonstrating the adversary's
capability to attack our critical infrastructure. Finally, they threaten to cripple e-commerce and
credit card service for a week by using several hundred thousand stolen identities in millions of
fraudulent transactions. Their list of demands is then posted in the New York Times, threatening
further actions if their demands are not met. Imagine the ensuing public panic and chaos. If this
scenario were to unfold, Americans everywhere would feel that our national sovereignty had
been compromised; we would wonder how, as a nation, we could have let this happen.
Mr. President, what makes this scenario both interesting and alarming is that all of the
aforementioned events have already happened, albeit not concurrently nor all by malicious
intent. They occurred as isolated events, spread out over time; some during various technical
failures, some during simple (government-sponsored) exercises, and some during real-world
cyber attacks. All of them, however, could be effected through remote cyber attack by any
adversary who so chooses, whether individual or state-sponsored. The resources required are
modest -- far less than the cost of one army tank. All that is required is a small group of
competent computer scientists, a few inexpensive PCs, and Internet access. Even the smallest
nation-states and terrorist organizations can easily muster such capabilities, let alone better-
organized groups such as Al Qaeda.
Many nations, including Iran and China, for example, have already developed cyber-offense
capabilities that threaten our economy and the economies of our allies.
There is no doubt that such a serious national vulnerability is a real and present danger. This has
been affirmed by a number of distinguished bodies, including the President's Commission on
Critical Infrastructure Protection (1997), the National Academy of Sciences (Computers at Risk,
1990; Trust in Cyberspace, 1999), and the U.S. Defense Science Board on Information Warfare
Defense (1996, 2000).
The consequence of successfully exploiting these vulnerabilities would be significant damage to
the U.S. economy, degraded public trust with concomitant long-term retardation of economic
growth, degradation in quality of life, and a severe erosion of the public's confidence that the
government can adequately protect their security. We have seen the amplification effects, on our
economy and on public apprehension, from a single event such as the World Trade Center and
Pentagon attacks. Aggregate damages resulting from amateur cyber attacks (e.g., 1998 Internet
Worm, Melissa Virus, I-LOVE-YOU virus, Code Red Virus and the Nimda virus) are estimated
to have been $12 billion for the year 2001 alone. Extrapolating from this, a professionally-
executed, coordinated cyber attack on our national critical infrastructure could easily result in a
100-fold amplification -- 10-fold from being professionally-executed and another 10-fold from
indirect e-commerce suppression effects. In terms of a dollar value, this could amount to several
hundred billion dollars in damage to the U.S. economy. Moreover, some community experts and
reports (such as those cited above) estimate a high probability of a serious attack on U.S. critical
infrastructure within the next few years.
The goal of our proposed Manhattan-style undertaking would be to create a national-scale cyber-
defense policy and capability to prevent, detect, and respond to cyber threats to our critical
infrastructure. We mean Manhattan-style in several senses: national priority, inclusion of top
scientists, focus, scope, investment, and urgency with which a national capability must be
developed. To prevent attacks, we need a coordinated effort to work with our critical-
infrastructure providers in defending their most critical information systems. To detect attacks,
we need to permeate our critical networks with a broad sensor grid imbued with the capability to
detect large-scale attacks by correlating and fusing seemingly unrelated events that are, in fact,
part of a coordinated attack. To respond to attacks, we need to devise strategies and tactics to
pre-plan effective actions in the face of major cyber-attack scenarios; we need to augment our
national infrastructure with mechanisms that support the defined strategies and tactics when
attacks are detected and verified. We believe that all this can be done with a close partnership
between the public and private sectors while maintaining sensitivity to public concerns about
privacy and fairness, consistent with American values and laws. The result should be a resilient
critical infrastructure that is resistant to cyber attack, plus next-generation technology which
enables our critical infrastructure to be more easily secured. Given private-sector economic
realities, our nation's economy and well-being will continue to rely on the existing vulnerable
infrastructure for the indefinite future, unless strong government investment leads the way.
The proposed Manhattan-style cyber-defense project will cost a fraction of the expense we will
incur from a single major cyber attack. We estimate the project would require an investment of
$500 million per year initially, and could reach the billion dollar level in the out-years. The
project would run over the course of five years to create a national-scale initial operating
capability no later than year three, and more advanced defensive and offensive capabilities by
year five. We recommend that you appoint a small board of top computer scientists and
engineers to work out the details of a plan, and set the plan in motion within ninety days. The
plan should include an appropriate balance between engineering and focused research to support
the national capability and the policy, laws, and procedures that would be needed to deploy and
support the cyber-defense technology.
The clock is ticking. We look to you, as America's leader, to act on behalf of the nation. Your
conscientious and effective defense of our physical homeland should extend into the increasingly
vital frontier of U.S. cyberspace. We anticipate that the nation will fully endorse and even expect
this forward-thinking and courageous action in the face of such a major threat to national
security. We stand ready to help in any way we can in taking this very important next step to
defend our country.
Very respectfully,
[signed]
O. Sami Saydjari, Founder, Cyber Defense Research Center; Former Information Assurance Program Manager, DARPA; Former Fellow, National Security Agency
Dr. Robert Balzer, Chief Technology Officer, Teknowledge Corporation
Terry C. Vickers Benzel, Vice President of Advanced Security Research, Network Associates, Inc.
Thomas A. Berson, Ph.D., Principal Scientist, Palo Alto Research Center; Past-President, International Association for Cryptologic Research; Past-Chair, IEEE Technical Committee on Security and Privacy
Bob Blakely, Chief Scientist, Security and Privacy
Salvatore J. Stolfo, Professor of Computer Science, Columbia University
Dr. Curtis R. Carlson, Chief Executive Officer, SRI International
George Cybenko, Dorothy and Walter Gramm Professor, Thayer School of Engineering, Dartmouth College
John C. Davis, Director of Information Security, Mitretek Systems Inc.; Former Commissioner on PCCIP; Former Director of NCSC/NSA
Matt Donlon, Former Director, Security and Intelligence Office, Defense Advanced Research Projects Agency
Patrick Lincoln, Member of Defense Science Board Panels 2000-2001
Roy A. Maxion, Ph.D., Director, Dependable Systems Laboratory, Computer Science Department, Carnegie Mellon University
David J. Farber, Moore Professor of Telecommunications and Professor of Business and Public Policy, University of Pennsylvania
Richard J. Feiertag, Manager of Strategic Planning, NAI Labs, Security Research Division, Network Associates, Inc.
Edward A. Feigenbaum, Kumagai Professor of Computer Science Emeritus, Stanford University, and Chief Scientist, United States Air Force (1994-97)
Dr. Tiffany M. Frazier, Director, Advanced Computing, IBM Tivoli Software
Seymour E. Goodman, Professor of International Affairs and Computing; Co-Director, Georgia Tech Information Security Center, Georgia Institute of Technology
Dr. J. Thomas Haigh, Chief Technology Officer, Secure Computing Corporation
Walter L. Heimerdinger, PhD
Patrick M. Hughes, Lieutenant General, U.S. Army, Retired; President, PMH Enterprises LLC; Former Director, Defense Intelligence Agency; Former Director of Intelligence (J-2), Joint Chiefs of Staff
Stephen T. Kent, Chief Scientist -- Information Security, BBN Technologies -- A Verizon Company (member of "Computers at Risk" & "Trust in Cyber Space" NRC committees)
Angelos D. Keromytis, Assistant Professor, Computer Science Dept., Columbia University
Dr. Marvin J. Langston, Deputy Chief Information Officer, Department of Defense, 1998-2001; Director, Information Systems Office, Defense Advanced Research Projects Agency, 1997-98; Chief Information Officer, Department of Navy, 1996-1997
Karl N. Levitt
Director, Computer Science Laboratory, SRI International
John H. Lowry, Division Engineer, Technical Director for Information Security, BBN Technologies/Verizon
Stephen J. Lukasik, Consultant, Science Applications International Corporation; Former Director, Department of Defense Advanced Research Projects Agency; Former Chief Scientist, Federal Communications Commission
David Luckham, Research Professor of Electrical Engineering, Stanford University
Dr. Joseph Markowitz
Robert T. Marsh, General, USAF (Retired); Former Chairman, President's Commission on Critical Infrastructure Protection
Terry Mayfield, Institute for Defense Analyses
J.M. McConnell, Former Director, National Security Agency
John McHugh, PhD, Carnegie Mellon University
Fred B. Schneider, Professor of Computer Science and Director of Cornell/AFRL Information Assurance Institute
Gregg Schudel, Formerly Senior Engineer and Manager of Experimentation, DARPA; Alphatec, Inc.
Roderick A. Moore, Systems Engineer; Former National Security Council Staff, Pres. Reagan and Pres. Bush Administrations
Dr. Charles L. Moorefield, Board Chairman, Alphatech, Inc.
Peter G. Neumann, Computer Science Lab, SRI International
Dr. Clifford Neuman, Sr. Research Scientist and Associate Division Director -- Computer Networks Division, Information Sciences Institute, University of Southern California
E. Rogers Novak, Jr., Managing Member, Novak Biddle Venture Partners
Allen E. Ott, President, Orincon Information Assurance
Dr. Michael Paige, Former Director, Xerox PARC
Dr. Vern Paxson, Senior Scientist, International Computer Science Institute; Staff Scientist, Lawrence Berkeley National Laboratories
Phillip A. Porras, Program Director, System Design Laboratory, SRI International
Laura S. Tinnel, Deputy Program Manager and Research Scientist, Information & Systems Assurance Group
Professor of Computer Science, Director of the UC Davis Security Laboratory, Department of Computer Science, University of California, Davis
Marcus Ranum, Chief Technology Officer, NFR Security, Inc.
Jaisook Rho, Principal Computer Scientist, Network Associates, Inc.
Dr. Arthur S. Robinson, President, System/Technology Development Corporation; Formerly Technical Director of RCA R&D for U.S.N. Aegis Weapons Systems
S. Shankar Sastry, Professor and Chair, Department of Electrical Engineering and Computer Sciences; Formerly Director, Information Technology Office, DARPA, US DoD
Information Assistance Program
Larry J. Schumann, President, EnterpriseTec, Inc.; Member of the President's National Security Telecommunications Advisory Committee (1996-2000)
Jonathan M. Smith, Professor, Computer and Information Science Department, University of Pennsylvania
Teknowledge Corporation
J. Douglas Tygar, Professor of Computer Science and Information Management, University of California, Berkeley
J. Kendree Williams, Chief Technology Officer, Zel Technologies, LLC; CDR, USN (Ret)
R. James Woolsey, Director of Central Intelligence, 1993-95
Larry T. Wright, Chairman, Defense Science Board Task Force on Defensive Information Operations 2000-2001
8.3 Interview with Douglas Reeves
The following are excerpts from an interview with Dr. Douglas Reeves, a member of N.C. State's
Cyber Defense Laboratory, on November 6, 2007.
What is your definition of cyber-warfare?
I'm not sure I have one, but I'll make one up. It's people trying to protect their assets, and people
trying to take advantage of those assets, conflicting with each other. Assets can mean your
computer system, your network, your data, your private information--it could mean a variety of
things.
What kind of research have you done in the area of cybersecurity?
For about seven or eight years, I've worked in the field of network security, which has involved a
number of different projects. I've done some work on intrusion detection, which is how you tell
if someone's attacking you. Sometimes it's not obvious until the damage is already done, so
you'd like to detect it as early as you can. I've also done some work on what I'll generically call
forensics, or finding out who's attacking you. Just as in conventional crime, you want to be able
to prosecute somebody if they've committed a crime. You'd like to know who's attacking your
system.
More recently, I've had a project that has to do with software security. What are the ways in
which people break software, and how can you recognize when something is an attempt to break
or misuse software? The attackers are quite clever, actually. This is one of the more interesting
sides of research in this field, that your adversary is a person--you’re not fighting the laws of
physics, or some abstract cost factors or availability or properties of materials or the capabilities
of manufacturers, the standard stuff that you do in engineering. What you're fighting is other
people, so it's very interesting, because people--including the bad guys--are extremely clever. In
fact, maybe especially the bad guys.
What are some of the projects the Army Research Organization had you work on?
That was mainly for intrusion detection. Most of us now have some form of intrusion detection.
You just call it a virus checker. You know that when you have attachments for emails, you need
to check before you open them whether there's some exploit embedded in that attachment.
Besides what we run on our personal computers, corporations and enterprises like universities
also inspect across the enterprise incoming traffic to see whether it contains attempts to break
into computer systems, or what they can notice when someone's attempting to break into
computer systems. There are a wide variety of products; this type of thing has been available for
at least ten years, and some of them are commercially very successful and well documented.
One common problem with intrusion detection is that it's almost too good. Imagine if you had
an alarm system, and you wanted to be sure that any attempt to break into your home, whether it
was coming through a window or picking a lock or any other means of entry someone might
have, you want to make sure that you detected it, that it was sensitive enough that you would
never miss any attempt to break into your home. That would be very desirable, but it would be
very unfortunate if the result was that the alarm was so sensitive that it kept going off all the
time. You know, a bird flies past the building and alarm goes off, or a heavy truck rumbles by
on the road and the system thinks that's a break-in attempt and sets an alarm. So the real
problem with a lot of intrusion detection systems is that to make them very accurate, they're set
to be so sensitive that they squawk about all kinds of stuff, some of which is not attacks and
some of which is.
Another problem is that many attacks are conducted in multiple steps. So, again to take the
analogy of someone breaking into your home or office, maybe there are multiple steps to enter.
Maybe they have to go into an entry gate, then they have to evade detection by a security camera,
and then thirdly they have to figure out the combination to a door lock, and then fourthly they
have to turn off the burglar alarm. So, there's a series of stuff they have to do. Well, if there is
an attack but it takes a hundred steps, and you get an alarm for every one of those steps, then the
combination of being overly sensitive and giving you information about every individual
potential step--and imagine this is not an alarm system for one home or office, but it's for a
thousand places of business, as intrusion detection for an enterprise is--the result of that is that
you, the security administrator, are sitting there in front of a log looking at 10,000 messages a
day go by, and you just can't deal with that volume of information. It's too much. So one choice
is that you turn down your alarm to be less sensitive, so it doesn't keep squawking all the time,
but you stand the chance of missing something if you do that, so there's a tradeoff.
Our particular research was, don't make the alarm systems less sensitive, but process the
information produced by the alarm systems to do some of the kind of mental digestion or
processing of the alarm information that previously had been done in people's head, then present
to them your summary of what that information might mean. Now instead of there being a
hundred events related to a break-in, it might say, "I think there's been a break-in, and if you
want more information, click here and I'll show you the steps that led to me concluding that there
might have been a break-in." Or if you find that there are sequences of events that individually
could be part of attacks, it turns out that those particular sequences of events are exhibited by
innocuous, benign activities that are known to be people accessing databases for legitimate
purposes. Then you can say, "After analyzing the low-level data, I can conclude there's no
reason for you to be alerted this time."
So that's what we were doing for the army--analysis of the data that's used for intrusion detection
systems.
Once an intruder is detected, how difficult is it to detect what geographic location the
intrusion came from?
In general, it's extremely difficult. The joke that I tell in some presentations is that what the
defenders want is what you see in TV shows. In a cop show or whatever, somebody's in a chat
room for pedophiles or something, and they say, "Get a trace on that guy," and then the next
frame they're banging on the door of Apartment 3-G on 65 Main Street, and throwing the guy on
the floor. You want that traceability, not to an IP address, but to a geographic location, because
you want to be able to send the cops or the military to that location.
That's what we would all like, but unfortunately, it doesn't work like that. There are many
concealment techniques, many techniques for making it difficult or impossible for someone to
tell where you are when you launch an attack or set an attack in motion. That's been one of our
main research projects for quite a while, is how to combat at least some of the more widely used
techniques.
So, another analogy here is that you're trying to trace somebody and periodically, that person
goes in buildings and you don't have access to those buildings they go into. You can watch all
the exits to see if they emerge at some new location and start on new directions so you don't lose
the trail. But you can't go in the building. But while they're in the building, they can undergo all
kinds of disguises. They can change their shoes, they can stand taller, they can have new facial
hair, they can put on new clothing, they can don glasses, all the standard stuff you can use for
disguise. So you watch all these exits, but you have to somehow detect that it's them coming out
even though they're wearing an elaborate disguise. And particularly if it's a building with lots of
people going in and coming out, that's not exactly trivial to do. It's going to be a pretty difficult
task.
So what you'd like to do is pick some characteristic of a person that's somewhat difficult to
disguise--not impossible, but somewhat difficult to disguise--and if you key it in on whether they
have a mustache or not, obviously they can put on or shave a mustache. If you key it in on their
weight, it's a little more difficult to disguise their weight. But to use something that's somewhat
similar to what we do, if you key it on the way they walked, it's a little difficult to disguise the
way they walk. You can try to fake a limp or walk faster than you typically do, or shorter steps,
but it turns out the way you walk is fairly characteristic of a person's skeletal structure and
habits. It's not completely straightforward to change the way you walk. So we have conducted
research on the equivalent of this, which is looking at the timing characteristics of traffic, which
are difficult to disguise. They can be modified, but we're able to overcome the simpler
modifications so that people might try to still recognize those timing characteristics.
So is getting into a computer system and hiding your identity something an amateur hacker
can do?
Well, in the hacker community, the term hacker is a contentious term, because in some circles,
the term hacker doesn't mean a bad person, it just means a skilled person. There is another term,
cracker or blackhat or bad guy or something like that, that would be more widely agreed upon than
hacker.
The hacker community, unfortunately, shares what they know. They're very generous with each
other. So, they go out of their way to make stuff easy to use and download, and well
documented, and as close to pushbutton automation as you can make it, which means that a
moron can use this stuff. If somebody gives them a link to find whatever it is that they want, to
try it out and direct it at whatever your target is takes almost no intelligence whatsoever. So, it's
not hard at all to use these things.
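The alert-correlation idea Reeves describes for the Army project (leave the sensors sensitive, fuse their low-level alerts into a small number of high-level incidents, and suppress event sequences that are known to be benign) can be shown in a few dozen lines. The block below is an added example, not code from the interview, the report, or the N.C. State Cyber Defense Laboratory; the log format, event names, the four-stage attack pattern, the benign pattern and the 15-minute window are all assumptions constructed for illustration.

```python
"""Correlate low-level IDS alerts into multi-step incidents.

Added example.  RAW_ALERTS, the event names, ATTACK_PATTERN, BENIGN_PATTERNS
and WINDOW are constructed for illustration; they are not from any product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor output: timestamp, source host, target host, event type.
# A real enterprise sensor grid emits thousands of these lines per day.
RAW_ALERTS = """\
2007-11-06T09:00:01 src=10.0.0.5 dst=10.0.1.20 event=portscan
2007-11-06T09:00:40 src=10.0.0.5 dst=10.0.1.20 event=ssh_bruteforce
2007-11-06T09:03:12 src=10.0.0.5 dst=10.0.1.20 event=new_admin_account
2007-11-06T09:04:50 src=10.0.0.5 dst=10.0.1.20 event=audit_log_cleared
2007-11-06T09:10:00 src=10.0.2.9 dst=10.0.1.30 event=portscan
2007-11-06T09:10:05 src=10.0.2.9 dst=10.0.1.30 event=db_bulk_query
2007-11-06T11:00:00 src=10.0.3.7 dst=10.0.1.40 event=portscan
"""

# Ordered stages of one attack scenario (the gate, camera, lock and alarm of
# the interview's analogy).  All stages must come from the same source
# against the same target, in order, within WINDOW of the first stage.
ATTACK_PATTERN = ["portscan", "ssh_bruteforce", "new_admin_account",
                  "audit_log_cleared"]
# Sequences that individually look hostile but are known legitimate activity,
# e.g. a backup host probing the database before a bulk export.
BENIGN_PATTERNS = [["portscan", "db_bulk_query"]]
WINDOW = timedelta(minutes=15)


def parse_alerts(text):
    """Parse the constructed 'timestamp key=value ...' log format into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        alerts.append(rec)
    return alerts


def match_in_order(events, pattern, window):
    """Return the alerts that realise `pattern` in order within `window`,
    or None if the sequence is incomplete or too spread out in time."""
    matched, i = [], 0
    for ev in events:                      # events are already time-sorted
        if ev["event"] == pattern[i]:
            if matched and ev["ts"] - matched[0]["ts"] > window:
                return None                # next stage arrived too late
            matched.append(ev)
            i += 1
            if i == len(pattern):
                return matched
    return None


def correlate(alerts):
    """Group alerts per (src, dst) pair and reduce each group to a verdict:
    a full attack sequence becomes one incident carrying its evidence, a
    known-benign sequence is suppressed, anything else stays as noise."""
    groups = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        groups[(a["src"], a["dst"])].append(a)
    incidents, suppressed = [], []
    for key, events in groups.items():
        if any(match_in_order(events, p, WINDOW) for p in BENIGN_PATTERNS):
            suppressed.append(key)         # "no reason to be alerted this time"
            continue
        steps = match_in_order(events, ATTACK_PATTERN, WINDOW)
        if steps:
            incidents.append({"src": key[0], "dst": key[1],
                              "steps": [s["event"] for s in steps],
                              "evidence": steps})   # the "click here" detail
    return incidents, suppressed


if __name__ == "__main__":
    inc, sup = correlate(parse_alerts(RAW_ALERTS))
    for i in inc:
        print(f"INCIDENT {i['src']} -> {i['dst']}: {' > '.join(i['steps'])}")
    print("suppressed as benign:", sup)
```

Run as-is, the constructed log collapses to one incident (10.0.0.5 against 10.0.1.20, with the four supporting alerts attached as evidence), one suppressed benign pair, and one lone port scan left in the log as low-priority noise. The window check is what keeps an attacker from defeating the correlator by spacing stages out; in practice the window, the patterns and the benign whitelist are the tuning knobs, and the whitelist in particular needs review, since an attacker who learns it can hide inside a "known good" sequence.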
8.4 DHS Presidential Directive
December 17, 2003 Homeland Security Presidential Directive
The Homeland Security Presidential Directive of December 17th, 2003 establishes a more
concrete list of responsibilities assigned to several departments within the United States
Government.265
265 Bush, George W. "December 17, 2003 Homeland Security Presidential Directive." The White House. 17 Dec. 2003. US Government. <http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html>.
(a) The Department of State, in conjunction with the Department, and the Departments of Justice, Commerce, Defense, the
Treasury and other appropriate agencies, will work with foreign countries and international organizations to strengthen the
protection of United States critical infrastructure and key resources.
(b) The Department of Justice, including the Federal Bureau of Investigation, will reduce domestic terrorist threats, and
investigate and prosecute actual or attempted terrorist attacks on, sabotage of, or disruptions of critical infrastructure and key
resources. The Attorney General and the Secretary shall use applicable statutory authority and attendant mechanisms for
cooperation and coordination, including but not limited to those established by presidential directive.
(c) The Department of Commerce, in coordination with the Department, will work with private sector, research, academic,
and government organizations to improve technology for cyber systems and promote other critical infrastructure efforts,
including using its authority under the Defense Production Act to assure the timely availability of industrial products,
materials, and services to meet homeland security requirements.
(d) A Critical Infrastructure Protection Policy Coordinating Committee will advise the Homeland Security Council on
interagency policy related to physical and cyber infrastructure protection. This PCC will be chaired by a Federal officer or
employee designated by the Assistant to the President for Homeland Security.
(e) The Office of Science and Technology Policy, in coordination with the Department, will coordinate interagency research
and development to enhance the protection of critical infrastructure and key resources.
(f) The Office of Management and Budget (OMB) shall oversee the implementation of government-wide policies, principles,
standards, and guidelines for Federal government computer security programs. The Director of OMB will ensure the
operation of a central Federal information security incident center consistent with the requirements of the Federal
Information Security Management Act of 2002.
(g) Consistent with the E-Government Act of 2002, the Chief Information Officers Council shall be the principal interagency
forum for improving agency practices related to the design, acquisition, development, modernization, use, operation, sharing,
and performance of information resources of Federal departments and agencies.
(h) The Department of Transportation and the Department will collaborate on all matters relating to transportation security
and transportation infrastructure protection. The Department of Transportation is responsible for operating the national air
space system. The Department of Transportation and the Department will collaborate in regulating the transportation of
hazardous materials by all modes (including pipelines).
(i) All Federal departments and agencies shall work with the sectors relevant to their responsibilities to reduce the
consequences of catastrophic failures not caused by terrorism265
8.5 Works Cited
Airsnort Homepage. 31 Dec. 2004. The Shmoo Group. 30 Oct. 2007. <http://airsnort.shmoo.com/>.
Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly Spring 2000: 101-120. 18 Oct. 2007. <http://www.dau.mil/pubs/arq/2000arq/alford.pdf>.
"An Analysis of the Consequences of the August 14th 2003 Power Outage and its Potential Impact on Business Strategy and Local Public Policy." 2004. <http://www.acp-international.com/southtx/docs/ne2003.pdf>.
Brewin, Bob. "Army, Air Force seek to go on offensive in cyber war." 2007. 30 Oct. 2007. <http://www.govexec.com/story_page.cfm?filepath=/dailyfed/0607/061307bb1.htm>.
Bush, George W., and Jim Turner. "E-Government Act of 2002." The White House. 15 Nov. 2002. US Government. <http://www.whitehouse.gov/omb/egov/g-4-act.html>.
<http://www.buyerzone.com/facilities/generators/rbic-taking-stock.html>.
Byres, Eric, and Justin Lowe. "The Myths and Facts Behind Cyber Security Risks for Industrial." British Columbia Institute of Technology. 1-6. 15 Oct. 2007. <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.
Pethokoukis, James. "Capital Commerce: So How Goes Bin Laden's War on the U.S. Economy?" 11 Sep. 2007.
"CENTCOM Operation Iraqi Freedom Briefing - 25 March 2003." 30 Oct. 2007. <http://www.gulfinvestigations.net/document348.html?PHPSESSID=64c6f060d1f4997faf0ff91799fa777f>.
"CERT Coordination Center – Denial of Service Attacks." 4 Jun. 2001. US CERT. 30 Oct. 2007. <http://www.cert.org/tech_tips/denial_of_service.html>.
<http://www.cfr.org/content/publications/attachments/Homeland_TF.pdf>.
Clough, B.T., Cope, B., & Donley, S. (1993). "Microwave induced upset of digital flight control systems." Digital Avionics Systems Conference. 12, 179-184.
"Profile: Eiffel Tower. December 24, 1994: Al-Qaeda Connected Militants Attempt to Crash Passenger Jet into Eiffel Tower." <http://www.cooperativeresearch.org/entity.jsp?entity=eiffel_tower>.
"Computer Crime Cases." Computer Crime and Intellectual Property Section. US Department of Justice. <http://www.usdoj.gov/criminal/cybercrime/cccases.html>.
Convention on Cybercrime. Council of Europe. 23 Nov. 2001. <http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG>.
Crenshaw, Adrian. "A Quick Intro to Sniffers." 30 July 2007. Irongeek.com. 30 Oct. 2007. <http://www.irongeek.com/i.php?page=security/AQuickIntrotoSniffers>.
"Critical Infrastructure Assurance Group Online." Security@Cisco. Retrieved 1 Nov. 2007. <http://www.cisco.com/web/about/security/security_services/ciag/index.html>.
"Cyber War!" PBS: Frontline. April 2003. 29 Oct. 2007. <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>.
"Cyber War Nightmares." 2006. 30 Oct. 2007. <http://www.strategypage.com/htmw/htiw/articles/20060829.aspx>.
"Cyberwarfare on the Electricity Infrastructure." Office of Scientific and Technical Information. 12 Sep. 2007. <http://www.osti.gov/bridge/product.biblio.jsp?osti_id=769245>.
Dagon, David. "Mobile Phones as Computing Devices: The Viruses Are Coming!" IEEE Pervasive Computing. Oct.-Dec. 2004. 11-15.
"Data and Statistics." International Monetary Fund. 17 Oct. 2007. 27 Oct. 2007. <http://www.imf.org/external/data.htm#data>.
Denning, D. (2001). "Is Cyber Terror Next?" New York: U.S. Social Science Research Council. <http://www.ssrc.org/sept11/essays/denning.htm>.
Delio, Michelle. "Crackers Expand Private War." 18 Apr. 2001. Wired Magazine. 30 Oct. 2002. <http://www.wired.com/politics/law/news/2001/04/43134?currentPage=2>.
Delio, Michelle. "A Chinese Call to Hack the US." 11 Apr. 2001. Wired Magazine. 30 Oct. 2002. <http://www.wired.com/politics/law/news/2001/04/42982?currentPage=2>.
Denning, Dorothy. "Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy." Internet and International Systems. December 1999: 101-120. 28 Oct. 2007. <http://www.nautilus.org/gps/info-policy/workshop/papers/denning.html>.
De Souza Reis, Ademar, and Milton Soares Filho. "Sniffdet – Remote Sniffer Detector for Linux." 10 Oct. 2006. SourceForge.net. 30 Oct. 2007. <http://sniffdet.sourceforge.net/>.
Dittrich, David. "The DoS Project's 'trinoo' distributed denial of service attack tool." 21 Oct. 1999. University of Washington. <http://staff.washington.edu/dittrich/misc/trinoo.analysis>.
Granville, J. "Dot.Con: The Dangers of Cyber Crime and a Call for Proactive Solutions." Australian Journal of Politics & History. March 2003, Vol. 49 Issue 1. Pg. 104.
"Dumpster Diving." Washington State Office of the Attorney General. 26 Nov. 2007. <http://www.atg.wa.gov/ConsumerIssues/ID-Privacy/DumpsterDiving.aspx>.
<http://www.epri-intelligrid.com/intelligrid/docs/Cost_of_Power_Disturbances_to_Industrial_and_Digital_Technology_Companies.pdf>.
Evers, Joris. "Russian hackers 'sold WMF exploit'." 3 Feb. 2006. ZDNet.co.uk. 26 Nov. 2007. <http://news.zdnet.co.uk/software/0,1000000121,39250232,00.htm>.
FAA Air Traffic Organization. (2006). Moving America Safely: 2005 Annual Performance Report. Washington, D.C.: Federal Aviation Administration.
"Fact Sheet: Protecting America's Critical Infrastructure – Cyber Security." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/press_room/050215cybersec.html>.
<http://www.fas.org/irp/crs/RL30735.pdf>.
"FISMA." National Institute of Standards and Technology. 24 Oct. 2002. US Government. <http://csrc.nist.gov/groups/SMA/fisma/>.
Favish, Allen J. "Clinton and 9/11." FrontPageMagazine.com. 14 Oct. 2003. <http://www.frontpagemag.com/articles/Read.aspx?GUID={245984FA-D9DF-46E9-8EF3-7B5259A51C0D}>.
"Feds Warn of May Day Attacks on US Web Sites." 26 Apr. 2001. CNN. 30 Oct. 2002. <http://archives.cnn.com/2001/TECH/internet/04/26/hacker.warning/index.html>.
Gagnon, B. (2004). "Are We Headed For a Cyber-09/11? The American Failure in Cyberstrategy." Conference Papers -- International Studies Association. Retrieved 24 Oct. 2007, from Academic Search Premier database.
<http://www.gao.gov/new.items/d05712.pdf>.
Garber, Lee. "Denial-of-Service Attacks Rip the Internet." IEEE Computer. Apr. 2000. 12-17.
Garretson, Cara. "Spam that delivers a pink slip." ComputerWorld.com. 1 Nov. 2006. 26 Nov. 2007. <http://computerworld.com/action/article.do?articleId=9004698&command=viewArticleBasic&taxonomyName=security>.
Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007. <http://www.securityfocus.com/news/502>.
Glaessner, Thomas, Tom Kellermann, and Valerie McNevin (2002). "Electronic Security: Risk Mitigation In Financial Transactions." The World Bank. p. 43. 29 Oct. 2007. <http://info.worldbank.org/etools/docs/library/83592/esecurity_risk_mitigation.pdf>.
Global Society: Journal of Interdisciplinary International Relations. Jan. 2003, Vol. 17 Issue 1, p. 89, 9p.
Government Accountability Office. (2003). Information Security: Progress Made, but Federal Aviation Administration Needs to Improve Controls over Air Traffic Systems. Washington, D.C.: Government Accountability Office.
"Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/federal/collaboration.html>.
Greenwell, W.S. and J.G. Alsbrooks (2007). Excerpt From "Digital Control Systems." Retrieved 3 Nov. 2007, from IEEE Computer Society Web site: <http://www.computer.org/portal/site/ieeecs/menuitem.c5efb9b8ade9096b8a9ca0108bcd45f3/index.jsp?&pName=ieeecs_level1&path=ieeecs/ReadyNotes&file=s_k_sample.xml&xsl=generic.xsl&>.
Grifter. "Dumpster Diving – One Man's Trash…" Hack In The Box. 2002. 26 Nov. 2007. <http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=6388&mode=thread&order=0&thold=0>.
Gwin, Peter. (2001). "Is the Internet the Next Front in the Terror War?" Europe. Issue 410.
Hancock, Bill. "National Infrastructure Protection Issues." International Telecommunication Union. 2002. 25 Oct. 2007. <http://www.itu.int/osg/spu/ni/security/workshop/presentations/cni.18.pdf>.
Highland, Harold Joseph. "A History of Computer Viruses -- Introduction." Computers & Security. Vol. 16, Issue 5. 1997, p. 412-415. <http://www.sciencedirect.com/science/article/B6V8G-3SX269W-2P/2/e96ee1d35ae6e62abd338c29a32234a7>.
Harris, Leslie. <http://abcnews.go.com/Technology/Story?id=3771510&page=1>.
Heise Security (2007, October 11). "Report: Cisco closes down Critical Infrastructure Assurance security research group." Retrieved 3 Nov. 2007, from Heise Security Web site: <http://www.heise-security.co.uk/news/97205>.
Hildreth, Steven A. "Cyberwarfare." CRS Report for Congress. 19 June 2000. <http://www.fas.org/irp/crs/RL30735.pdf>.
"Homeland Security and Defense Telecommunications Spending to Increase 40 Percent by 2009." Business Wire. 3 August 2004. 28 Oct. 2007. <http://findarticles.com/p/articles/mi_m0EIN/is_2004_August_3/ai_n6139915>.
Hudson, Rex A. "The Sociology and Psychology of Terrorism: Who Becomes a Terrorist and Why?" A Report Prepared under an Interagency Agreement by the Federal Research Division, Library of Congress. September 1999. <http://www.fas.org/irp/threat/frd.html>.
"Interview: O. Sami Saydjari." Frontline: Cyber War! 23 Apr. 2003. PBS. 24 Oct. 2007. <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/saydjari.html>.
"Israeli Citizen Attacks Government Computers." Computer Crime and Intellectual Property Section. US Department of Justice. <http://www.usdoj.gov/criminal/cybercrime/cccases.html>.
Ito, Harumi, and Darin Lee. "Assessing the Impact of the September 11 Terrorist Attacks on U.S. Airline Demand." Dept. of Econ., Brown U. 2004. 3-24. 26 Oct. 2007.
Kabay, M. E. (2003). "Tapping Fiber Optics Gets Easier." Network World. 29 Oct. 2007. <http://www.networkworld.com/newsletters/sec/2003/0303sec1.html>.
Kessler, Gary. "Defense against Distributed Denial of Service Attacks." Nov. 2000. 30 Oct. 2007. <http://www.garykessler.net/library/ddos.html>.
"Know Your Enemy – Tools and Methodologies." 21 Jul. 2000. 30 Oct. 2007. <http://www.honeynet.org/papers/enemy/index.html>.
Krebs, Brian. "Cyber war games test future troops." Washington Post. 23 April 2003.
Laprise, John. IEEE Technology & Society Magazine. Vol. 25 Issue 3, p. 28.
Laribee, Lena, et al. "Analysis and Defensive Tools for Social-Engineering Attacks on Computer Systems." Information Assurance Workshop, 2006 IEEE. 388-389, 21-23 June 2006.
Lemos, Robert. "SCADA System Makers Pushed Toward Security." SecurityFocus 26 July 2006. 19 Oct. 2007
<http://www.securityfocus.com/news/11402/2>.
Lineweber, David and Shawn McNulty (2001). “The Cost of Power Disturbances to Industrial & Digital Economy
Companies”. Electric Power Research Institute, Inc. 30 Oct 2007. <http://www.epri-
intelligrid.com/intelligrid/docs/Cost_of_Power_Disturbances_to_Industrial_and_Digital_Technology_Companies.p
df>
Lester W. Grau and Timothy L. Thomas. “A Russian View of Future War: Theory and
Direction,” The Journal of Slavic Military Studies. Issue 9.3 (Sept. 1996), pp. 501-518.
Lewis, J.. (2002). Assessing the risks of cyber terrorism, cyber war and other cyber threats Washington, D.C.:
Center for Strategic & International Studies.
Mendis, Surakshan. Packet Sniffing. 2005. SuraSoft. 30 Oct 2007.
<http://www.surasoft.com/articles/packetsniffing.php>.
Meserve, J. “Staged cyber attack reveals vulnerability in power grid.” CNN. 26 September 2007. 4 Oct. 2007. <
http://www.cnn.com/2007/US/09/26/power.at.risk/>
141
Messmer, Ellen (2006, March 14). IBM survey on cybercrime shows IT managers wary. Retrieved November 1,
2007, from Network World. Web site: http://www.networkworld.com/news/2006/031406-ibm-survey-
cybercrime.html
Mitnick, Kevin, & Simon, William L. (2005). The Art of Intrusion: When Terrorists Come Calling. Indianapolis,
IN: John Wiley and Sons, Inc.
Moore, David et al. Inferring Internet Denial of Service Activity. ACM Transmission on Computer Systems. Vol.
24, No. 2, May 2006, 115–139.
Moore, J. (2007 February 26). FCW.com. Retrieved October 25, 2007, from Freight security programs and test
projects proliferate Web site: http://www.fcw.com/print/13_5/news/97727-1.html
Mullen, M. (2004, September 16). Human error caused chaos in the sky. Retrieved October 25, 2007, from MSNBC
Online Web site: http://www.msnbc.msn.com/id/6021929/
"Multi-State Information Sharing and Analysis Center (MS-ISAC)." 2006. Multi-State Information Sharing and
Analysis Center (MS-ISAC). 21 Oct. 2007 <http://www.msisac.org/scada/>.
Nachenberg, Carey. "Computer Virus-antivirus Coevolution." Communications of the ACM 40.1 (1997): 46-51.
Naraine, Ryan. Hackers Selling Vista Zero-Day Exploit. 15 Dec 2006. eWeek.com. 26 Nov 2007.
<http://www.eweek.com/article2/0,1895,2073611,00.asp>
National Cyber Security Alliance: Stay Safe Online. Retrieved October 31, 2007, from Stay Safe Online Web site:
http://www.staysafeonline.org/
"National Cyber Securtiy Division." Department of Homeland Security. 23 Sept. 2006. US Government.
<http://www.dhs.gov/xabout/structure/editorial_0839.shtm>.
National Infrastructure Advisory Council." Department of Homeland Security. Oct. 2007. US Government.
<http://www.dhs.gov/xprevprot/committees/editorial_0353.shtm>.
“National Infrastructure Protection Center Highlights”. National Infrastructure Protection Agency. 15 June 2001, p.
2. 30 Oct 2007 http://www.iwar.org.uk/infocon/nipc-highlights/2002/highlight02-03.pdf
“National Security Advisor Rice on Protecting U.S. Infrastructure”. 22 March 2001. 27 Oct 2007.
http://www.usembassy.it/file2001_03/alia/a1032210.htm
National Strategy to Secure Cyberspace. Feb. 2003. US Government.
<http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.
http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf
NTIA: Critical Infrastructure Protection. Retrieved November 3, 2007, from NTIA Web site:
http://www.ntia.doc.gov/ntiahome/infrastructure
“Pentagon Admits Security Breach but won’t say who did it” NetworkWorld.com, 30 October, 2007
http://www.networkworld.com/community/node/19041
Perdue University. Virus Terminology. 2005. 1 Dec. 2005
<http://www.purdue.edu/securepurdue/steam/help/view.cfm?KBTopicID=210>.
Pethokoukis, James. (2007) “So How Goes Bin Laden’s War on the U.S. Economy?” U.S. News & World Report.
27 Oct 2007. http://www.usnews.com/blogs/capital-commerce/2007/9/11/so-how-goes-bin-ladens-war-on-the-us-
economy.html
142
Pike, J. (2007, July 7). Chronology of terrorist attacks against public transit. Retrieved October 30, 2007, from
Global Security Web site: http://www.globalsecurity.org/security/ops/mass-transit-chron.htm
Poll Shows Americans Want Congress to Do More to Protect Them Online." Cyber Security Industry Alliance
(2006): 30. 21 Oct. 2007
<https://www.csialliance.org/news/pr/view?item_key=e5b543c0cf207bb110c9c65b61ac476ec45e03fe>.
"Poll: 50% of NYC Says U.S. Govt Knew." 30 Aug. 2004. Zogby International Polling/Market Research. 28 Oct.
2007 <http://www.911truth.org/article.php?story=20040830120349841>.
Poulsen, K. “Slammer worm crashed Ohio nuke plant network.” Security Focus. 19 August 2003. 12 Sep. 2007. <
http://www.securityfocus.com/news/6767>
"Privacy Impact Assessment EINSTEIN Program Collecting, Analyzing, and Sharing Computer Security
Information Across the Federal Civilian Government." US-CERT. Sept. 2004. Department of Homeland Security.
<http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_eisntein.pdf>.
Raymond, Eric. The on-line hacker Jargon File 4.4.7. 29 Dec 2003. 26 Nov 2007
http://www.catb.org/jargon/html/index.html
Reid, Tim, (2007). “China’s cyber army is preparing to march on America, says Pentagon” The Times. 30 October,
2007.
http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article2409865.ece
"Report Reveals Perception Gap in Cyber Security Awareness." Security Products 2 Oct. 2007. 20 Oct. 2007
<http://www.secprodonline.com/articles/50717/>.
Rootkits: The Growing Threat. 2006 McAfee Inc. 1 Nov 2007. http://download.nai.com/products/mcafee-
avert/WhitePapers/AKapoor_Rootkits1.pdf
Rogin, Josh, (2006). “DOD: China fielding cyberattack units” 30 October, 2007
http://www.fcw.com/online/news/94650-1.html
Ruggles, Steven. Historical Bush Approval Ratings. Dept. of Hist., U. of Minnesota. 2007. 27 Oct. 2007
<http://www.hist.umn.edu/~ruggles/Approval.htm>.
SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007
<http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.
Shainker, R. “Electric Utility Responses to Grid Issues.” .” IEEE Power & Energy Magazine. March/April 2006:
31. 24 Oct. 2007
<http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
Shane, Leo III, (2007). “AF Taking Careers into Cyberspace” 30 October, 2007,
http://www.military.com/features/0,15240,152400,00.html?wh=benefits
“STATEMENT OF GENERAL JAMES E. CARTWRIGHT COMMANDER UNITED STATES STRATEGIC
COMMAND BEFORE THE HOUSE ARMED SERVICES COMMITTEE ON UNITED STATES STRATEGIC
COMMAND 21 March 2007” 30 October, 2007
<http://armedservices.house.gov/pdfs/FC032107/Cartwright_Testimony032007.pdf>
Szyliowicz, Joseph S. (2004).International transportation security. Review of Policy Research. 21
143
Thornburgh, Nathan (2005). “The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)”,
Time. 30 October, 2007, < http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html>
Thomas, Pierre (1998). Teen hacker faces federal charges. Retrieved October 25, 2007, from CNN.com Web site:
http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/index.html
Transportation Research Board. (2003). Cybersecurity of freight information systems: A scoping study Washington,
D.C.: Transportation Research Board.
Traffic details for staysafeonline.info. Retrieved November 3, 2007, from Alexa: The Web Information Company.
Web site: http://alexa.com/data/details/traffic_details?url=staysafeonline.info
Understanding SCADA System Security Vulnerabilities. Riptech. 2001. 1-5. 23 Oct. 2007
<http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf>.
"United States Computer Emergency Readiness Team." Department of Homeland Security. US Government.
<http://www.uscert.gov/>.
US-CERT. Home Computer Security - Examples. 2002. 1 Nov. 2005
<http://www.cert.org/homeusers/HomeComputerSecurity/examples.html>.
http://archives.cnn.com/2001/TECH/ptech/10/21/black.ice.idg/index.html Utah’s ‘Black Ice’: Cyber-attack
scenario. Verton, Dan. October 21, 2001.
Wald, M. L. Can Computers Foil Air Pirates?. (2002, April 11). New York Times
Wilson, Clay, (2007) “CRS Report for Congress: Information Operations, Electronic Warfare,
and Cyberwar: Capabilities and Related Policy Issues” 30 October, 2007. http://stinet.dtic.mil/cgi-
bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?
http://query.nytimes.com/gst/fullpage.html?res=9F01E1DD1E39F933A05756C0A960958260&sec=&spon=&page
wanted=all Wiren, Christopher S. May 30, 1996. The New York Times. Plot of Terror in the Skies Is Outlined by
a Prosecutor.
http://www.wired.com/politics/law/news/2000/07/37503
“Wireless Vulnerabilities”. Maisonbisson. 24 Sept 2002. 30 Oct 2007.
<http://maisonbisson.com/blog/post/10387/wireless-vulnerabilities>
"What is SCADA?" The Tech-FAQ. 2007. 27 Oct. 2007 <http://www.tech-faq.com/scada.shtml>.
Wood, Anthony & Stankovic, John. Denial of Service in Sensor Networks. IEEE – Computer. Oct 2002. 54 – 62
Yeh, Y.C. (2001).Safety critical avionics for the 777 primary flight controls system. Digital Avionics Systems. 1, 1-
11.