04 November 1998
(From USIA electronic journal "U.S. Foreign Policy Agenda") (2400)
(Dr. Martin Libicki cites law enforcement as a primary area where
global information security can be enhanced. He calls for "the
harmonization of national laws against computer attack, multinational
cooperation in tracing attacks across national lines, international
treaties on extradition of attackers, and a readiness to impose
sanctions on those who protect attackers." He believes a willingness
to share information on research and development, on attack
indications and warnings, and on attack incidents and responses "can
also improve the efficacy of each nation's protective measures." The
following article is included in the November issue of the USIA
electronic journal "U.S. Foreign Policy Agenda," which addresses the
topic, "Cyberthreat: Protecting U.S. Information Networks.")
GHOSTS IN THE MACHINES?
By Dr. Martin Libicki
Senior Policy Analyst, RAND
No one looking for something new to worry about need look very far.
Everywhere, computers and other digital devices have insinuated
themselves into our lives. What was manual is now automated; what was
analog is now digital; and what once stood alone is now connected to
everything else. Increasingly, we have no choice but to trust them. If
they fail, we are sunk.
The faith that dependence breeds would be merited if such devices did
only what they were supposed to do. Some do fail on their own, and we
go on. But the prospect also exists that they may fail us because they
have fallen under the control of those with malign intent. In such
circumstances, they may not only go down, but reveal secrets with
which they have been entrusted, or produce corrupted information --
sometimes in ways beyond notice until it is too late to reverse
actions already set in motion.
Why the vulnerability? Digital devices are fast, cheap, accurate, and
rarely forget what they are told. But they are frightfully literal and
usually lack the discernment to understand the implications of what
they are asked to do or the integrity of those who ask them to do it.
The potential consequences of deliberately induced systems failure or
corruption are vast. By seizing control of the key systems that
undergird society, computer attackers can, in theory, listen to phone
calls, misroute connections, and stop phone service entirely; shut
down electrical power; get in the way of literally trillions of
dollars that change hands every week; hinder emergency services;
prevent the U.S. military from responding to crises abroad quickly;
reveal personal medical secrets; confuse transportation systems and
put travelers at risk; and much more. Life, as we know it, could grind
to a halt.
Computer attacks, if sufficiently systematic, may be war by other
means -- hence "information warfare," as an overarching concept. But
information warfare understood broadly -- attacking an adversary's
information and decision processes -- is as old as warfare itself.
Such tactics encompass psychological operations, attacks on an enemy's
command apparatus, espionage and counter-espionage, and operations
against adversary infrastructures and surveillance systems. During the
U.S. Civil War (1861-1865) there were incidents of propaganda
operations, snipers targeting opposing generals and observers in
hot-air balloons, marauders tearing up telegraph lines, cavalry
pickets and counter-cavalry demonstrations -- all information warfare.
World War II saw the advent of electronic warfare in the form of
radar, electronic deception, radio-frequency jamming, codemaking, and
computer-aided codebreaking.
Computer attacks fit snugly into this continuum of warfare. If one can
destroy enemy headquarters with shot and shell, what is wrong with
trying less violent means to break into and ruin the computer systems
that manage tomorrow's battles? Notions of strategic warfare by 1920
held that using air power against civilian targets would short-circuit
the gore of trench warfare. Strategic information warfare goes this
one better.
Are modern societies vulnerable? Most information systems have far
less security than they could have; many, less than they should have.
Networks and systems of many types have been attacked -- Internet
service, phone service, some transport services, financial
institutions, and corporate networks.
Computer attacks are, by any indication, a serious problem. Indeed,
the Federal Bureau of Investigation recently estimated that they cost
the American economy somewhere between a half a billion and five
billion dollars a year -- an estimate with a wide, and, in its way,
very telling, margin of error. No one really knows how many attacks
take place. Much evidence is anecdotal, and so people have to
extrapolate using popular precepts such as, "only amateurs leave
fingerprints, professionals never do," and, "people never want to talk
about how badly they have been hit." Thus are computer attacks likened
to icebergs, with America, supposedly, playing Titanic.
This is the theory, at any rate. But is it a prospect? Unlike
virtually all other forms of warfare, there is no forced entry in
cyberspace. If hackers enter a system they invariably have done so
along paths resident in the system itself: some are features and some
are bugs (that is, undocumented features) never removed. Either way,
travel along these paths is under the complete control of whoever is
running the system. This being so, vigilance suffices for protection.
Indeed, protections exist. Many information systems operate with
several layers: there are ways to screen illegitimate from legitimate
users, locks to keep legitimate users from taking deliberate or
inadvertent control of computer systems, and safety devices so that
even the usurpation of control does not create a public hazard.
Attackers, for their part, must first fool a system into thinking they
are legitimate users (e.g., by stealing or guessing a password), and
second, acquire control privileges (often by exploiting endemic
faults) denied to most common users. With such "super-user"
privileges, attackers can purge key files, write errant nonsense in
others, or plant a backdoor for later reentry.
There is also little doubt that defenses, if need be, could be better
than today's common practice.
Most systems use passwords to limit entry, but passwords have many
well-known problems: too many are easy to guess; they can be stolen as
they flow over networks, and they are too commonly stored in expected
places on a server. Cryptographic methods such as digital signatures
work around these problems (capturing and replaying access messages
does not work). Digital signatures even help ensure that any change to
a data base or program, once electronically signed, can be traced to
its originator -- also useful, if the attacker is an insider entrusted
with systems privileges.
Computer and network operating systems are susceptible to
hacker-inserted programs such as viruses (software that infects
software and causes it to infect other software), Trojan horses
(seemingly useful software with hidden traps), and logic bombs
(software that lies dormant until signalled). Virus-protection
programs may work, but if worries persist, why not put all the
critical files on an unalterable medium (e.g., a CD-ROM)? Such a
medium can also prevent information from being erased or corrupted by
a would-be attacker's digital footprints. Indeed, given the low cost
of such devices, there is no legitimate excuse for losing information
anymore.
Systems can also be put at risk from other systems they hold to be
trustworthy. Two precautions can be taken against this danger: culling
the list of trustworthy systems and limiting the number of messages
that one's own system will react to. Banking systems, for instance, do
this to protect their computers from being corrupted by ATMs
(automatic teller machines) sitting on a public street corner. The
computer ignores anything from the ATM that is not a legitimate
transaction. No legitimate transaction can wreck the bank computer.
A final precaution is to pull the plug. As a last resort, many systems
(e.g., nuclear power plants) work almost as well even if unconnected
to the outside world.
How far must a system's owners go? Relatively low-cost security
protection (e.g., firewalls and intrusion detectors) may seem good
enough for the current environment. After all, an office system may
not be worth spending great sums of money to protect if, for example,
an attack will only disrupt service temporarily. Many companies
perceive no serious threat and invest accordingly. They may be right
-- but what if they are wrong? If and as threats mount, systems owners
can increase security -- even in the short run (e.g., by preventing
users from logging in from home, or carrying out certain actions if
logged on).
Indeed, it is precisely the lack of good security features throughout
the national information infrastructure today that leads to some
confidence that computer systems could, if necessary, be made safe.
(By contrast, good defenses against nuclear warfare were
technologically impossible for decades, and, if possible today, are
very costly.) Even if many systems can be taken down temporarily, it
is another matter to keep them down for a long time while systems
administrators work fiendishly to restore essential services. Anyone
who would hold the U.S. information infrastructure at risk must
realize that the mere threat of doing so -- if taken seriously --
erodes soon after being announced as people react.
What should the role of government be? Can those responsible for
protecting the nation on the ground, on the water, in the air, and in
outer space also protect the nation in cyberspace? Should they?
Government can help, but there is much government cannot do -- or
should not do. Yes, electricity is essential, but protecting its
supply from hackers depends almost entirely on how power companies
manage their computer systems: this includes the network and operating
system software they buy, how such software is configured, how access
privileges are awarded and protected, and how the various fail-safe
and manual override mechanisms are emplaced throughout the companies'
generation and distribution systems. It is inconceivable that any
power company would wish the government to "protect" it by telling it
how to do these things. More generally, the government cannot build a
firewall around the United States -- if only because so many internal
networks span the globe.
The government can and does enforce laws against computer attacks --
and has experienced considerable success considering how anonymous
(and faraway) attackers can be. So far, most of the well-publicized
hacker attacks that have been detected have been the work of amateurs
not professionals.
Should the government try to inhibit information warfare by
threatening retaliation against perpetrators? Assume their identity
can be established. The U.S. government may threaten like for like,
but many rogue states have little in the way of comparable systems
(e.g., North Korea lacks a stock market to take down). Conversely, it
is problematic to respond violently to an information warfare attack
that wasted the victim's time and money, but wounded no one.
While much of what the government can do to enhance security is
indirect, the President's Commission on Critical Infrastructure
Protection and other entities have made the following recommendations:
-- Make sure the government's own systems are protected, because they
are important to national security and for setting a standard for
others.
-- Use research, development, and first-user acquisition to promote
the rapid development of security tools.
-- Disseminate warnings of impending information warfare attacks (if
they can be detected -- no small task).
-- Promote a legal framework that induces private parties to protect
their own systems to the optimal extent.
-- Provide a neutral clearinghouse that encourages private parties to
collaborate on sharing their experiences and countermeasures on a
confidential basis.
By and large, such measures are progressing.
Unfortunately, U.S. government restrictions, extant and threatened, on
hard encryption have inhibited one of the better tools for protecting
systems and also have reduced the credibility of government actions in
the information warfare area.
International Activities: Extending most of these government actions
overseas suggests an opening agenda for guiding international
activities against information warfare.
Law enforcement is a big area. The harmonization of national laws
against computer attack, multinational cooperation in tracing attacks
across national lines, international treaties on extradition of
attackers, and a readiness to impose sanctions on those who protect
attackers can all aid global information security.
A readiness to share information on research and development, on
attack indications and warnings, as well as attack incidents and
responses can also improve the efficacy of each nation's protective
measures. However these areas are often the province of intelligence
agencies, not historically noted for transparency in such matters.
Conclusions and Harbingers: In the post-Cold War world, there is an
increase in new and unconventional threats (e.g., nuclear-armed
terrorists) which are scary, but, as yet, notional. Information
warfare is among them. The more that information systems pervade
society -- its defenses, commerce, and day-to-day life -- the more
their well-being matters to us all. The potential for major mischief
does exist, particularly if undertaken in a systematic way by a
well-financed adversary. But what is also striking is the fact that
even though information warfare is relatively inexpensive, so far,
there has been a paucity of really damaging incidents.
Two indicators may reveal a great deal about the true risk from
systems attack. One is how people react to the year 2000 computer
problem. Assume a large share of the world's information systems crash
at midnight on December 31, 1999. Will panic and paralysis result, or
will people quickly find ways of working around the problem or doing
without information for awhile? If lawsuits erupt, what precedents
will be established to assign responsibility to people for harm done
if their systems fail?
The other harbinger is of more recent origin. Were one to imagine the
most plausible perpetrator of serious information warfare terrorism,
it would be someone with nothing that can be held at risk (i.e., not a
country), several hundred million dollars in hidden cash, an
appreciation of technology, an international network of nefarious
friends, and a vicious score (real or imagined) to settle with the
United States or some other nation. Sound familiar? If it does, what
happens in the next year may reveal whether powerful individuals or
groups might try to bring a country to its knees through information
warfare -- or whether they direct their efforts elsewhere.