The Third World War will be an information war
Military hackers to wage bloodless Blitzkrieg on
London -- Hacking used to be the exclusive domain of computer geeks, but as criminal organizations, companies, and even governments have started to get in on the action, it has been rechristened information warfare.
And as a new form of warfare, it is the 21st century equivalent to the Blitzkrieg, according to Maxim Kovel, a U.S. defense consultant.
Speaking at the Information Warfare conference, Kovel briefed representatives of the British, Dutch, and Swedish ministries of defense on the new threat emerging: systematic assaults on financial, transportation, and communications networks and systems.
"The aim of information warfare is mass disruption, rather than mass destruction," said Kovel.
Developments that are seen as positive in the commercial world, such as interoperability, convergence, and globalization, actually increase the risk of hacking. "There are now 40 million computers in the world capable of searching the Pentagon's UNCL files," said Kovel. "And the increasing trend to use standard off-the-shelf applications and hardware makes it easier for hackers to break into systems, because they can buy the systems themselves and examine them for weaknesses."
The level of knowledge needed to break into systems is also dropping. "Only a few years ago, hackers had to be very knowledgeable people," said Kovel. "Now you can download packages for hacking over the Internet."
As the knowledge spreads, so does the danger. More than 250,000 attacks buffeted Pentagon computer systems last year, and the number of attempts is doubling every year, he said.
Despite the threat to military targets, it is commercial civilian networks that are at the greatest risk, according to a study called Keeping Information War in Perspective by D.C. Gompert of the Washington-based Rand consultancy.
"There is more uncertainty and more potential for disruption in the domestic and economic spheres than in the military arena. Military commanders are accustomed to dealing with changing threats and confusion. By contrast, we at home are not well rehearsed in defending ourselves. Americans are accustomed to things working, whether it's telephones, light switches, automatic tellers, or air traffic control systems," the report stated. (See the attached sidebar for the Pentagon's plans for an information war).
My enemy, my ally
Despite the growing awareness of a threat, nobody is really sure who the enemy is.
"Who is the enemy?" said a Swedish Ministry of Defense official. "We believe that there is a greater threat from the inside than there is from the outside."
Kovel agrees that in the commercial world the greatest threats are from within organizations, from people who steal corporate or product information, conduct internal espionage, and disseminate false information.
"The biggest single contributing factor to corporate information warfare is the reluctance to reveal instances of information theft, or compromise," said Kovel.
However, there are significant legal and regulatory problems in policing the networks. "If somebody from Europe attacks a U.S. network or vice versa, how do you prosecute them?" said Kovel. "Are they breaking a U.S. law or an EC law?" (See the attached sidebar for a look at how U.S. laws hamstring U.S. organizations that seek to defend themselves from attacks).
Furthermore, there is no single cohesive strategy to protect both military and civilian networks. No one organization is responsible for protecting all networks in the U.S. or in Europe. In the UK, for instance, the Ministry of Defense has a strategy for protecting its own networks, but it leaves the protection of commercial networks to commercial organizations.
Furthermore, observers say, it would be naive to assume that all government efforts are to protect domestic networks when governments openly acknowledge offensive capabilities aimed at their foes. Such offensive tactics, Kovel said, include using hackers to infiltrate and damage computer systems by introducing viruses, logic bombs, worms, and Trojan horses.
According to Vice Admiral Arthur Cebrowski of the U.S. Navy: "The power of the cyberspace deterrent would lie somewhere between the nuclear and conventional weapons. The objective would be to sabotage the banking systems, train systems, power systems and isolate the enemy from the rest of the world."
--Niall McKay, IDG News Service, London Bureau
The U.S. Department of Defense (DoD) is at the forefront of research into information warfare, testing data communications technology in battlefield maneuvers, trying out new telecommunications links in war-torn Bosnia, and integrating antihacking products into new networks.
In the last five years the DoD has created several centers to study information warfare and for the first time last year, the annual U.S. armed forces maneuvers tested information warfare techniques, according to Maxim Kovel, a defense consultant. Kovel spoke at the Information Warfare conference sponsored by H. Silver & Associates Ltd., an organizer of military-related conferences.
In the maneuvers, a U.S. Air Force captain using a PC and a modem accessed the Navy's e-mail systems and from there entered the command and control systems of U.S. Navy ships operating in the North Atlantic.
After the maneuvers, in August 1995, the DoD's Defense Advanced Research Projects Agency (DARPA) set up the Information Technology Office with the aim of tackling information warfare issues. And information warfare figured in five of the top 10 priorities to emerge from the 1995 maneuvers. They were:
Originally, the U.S. Army wanted to deploy a technology demonstration in South Korea, but the development of peace-keeping efforts in Bosnia proved a more timely testing ground, Kovel said. The peace-monitoring effort in Bosnia is ideal for testing technical systems that can be used to gain an advantage over an enemy by superior use of information, while disrupting the enemy's information channels.
"The Battlefield Awareness and Data Dissemination system (BADD) being used in Bosnia will act as a model for future operations by creating an environment to demonstrate advanced developing systems," he said.
The DoD has spent $88 million in Bosnia creating a dedicated communications infrastructure for the military, putting in place telecom bandwidth that is the equivalent of a million telephone lines, according to Kovel. The infrastructure includes an MCI Corp. underwater fiber-optic link between the U.S. and the UK for imaging and telemedicine, plus high-speed links to unmanned aircraft that relay pictures back to the ground. For the senior officers, there is a six-foot screen for viewing events, alongside a TV running CNN news.
Underpinning the DoD's efforts to ensure that its information technology is better than that of any enemy, Kovel said, is a continuing project to build a secure and cost-effective communications network linking all branches of the armed forces.
The DoD set up the Multilevel Information Systems Security Initiative (MISSI) about three years ago, Kovel noted. MISSI is an $800 million project to create a Defense Messaging Network. Based on Asynchronous Transfer Mode (ATM) protocols, the Defense Messaging Network will replace several existing DoD networks and will be capable of handling both secret and unclassified traffic.
The network will rely on smart card technology to ensure that only authorized users gain access to the system, Kovel said. Users authorized to access the network will attach a smart-card holder to the port of commercially available machines, he added. Users will connect over commercial networks and the World Wide Web where necessary.
The DoD has also developed several antihacker techniques, including the use of the CyberLocator product from ISR of Boulder, CO. The product uses satellite positioning to determine the exact location of authorized users' machines, which will be fitted with special sensors.
If the DoD can establish a trace to the machine of an authorized user that is being disturbed by a hacker, it is prepared to "fry" the equipment, Kovel said. He did not explain how that would be done.
He underlined that MISSI will be a continuing project. "The half life of your equipment is three to six months. There is always something new coming along," Kovel said.
--Ron Condon, IDG News Service, London Bureau
Palo Alto, CA -- Networks outside the U.S. are vulnerable to security breaches as a result of strict U.S. encryption technology export regulations, a CompuServe Inc. executive said in early July. These regulations limit the encryption services that U.S. Internet access providers can offer overseas.
"The networks overseas are not reliable or secure," Tim Oren, vice president and general manager of CompuServe's Internet Division, said during a panel discussion at the Security and Freedom through Encryption (SAFE) Forum at Stanford University.
"There is a deliberate policy of the [U.S.] administration to fragment the marketplace" by prohibiting export of encryption software stronger than 40 bits in key length and banning export to certain countries altogether, Oren said. As a result, CompuServe is "seen as a less trusted provider overseas," he said.
In Russia and other countries that Oren declined to name, hackers have been acquiring CompuServe user information and "stealing services," according to Oren.
"Our loss due to data theft, particularly in Russia, is significant. ... Passwords are easily compromised," he said. "We, along with our competitors, all use overseas partners, and there's no evidence that the data of users couldn't be compromised."
CompuServe has corrected the situation in Russia by eliminating the transmission of unencrypted passwords and IDs, according to Oren. "One log-in hole we can patch. The other one we've been unable to," he said, referring to "snoopers" taking a look at user e-mail and conferences.
Now, CompuServe is taking a look at using foreign cryptography for its non-U.S. services since it can't use strong U.S. encryption software, Oren said.
Speakers at the SAFE Forum, which was sponsored by about 40 companies and organizations including the Center for Democracy and Technology, as well as CompuServe and Microsoft Corp., discussed how firms are losing money as a result of the U.S. government's encryption export policy. Customers can easily get products with strong encryption from non-U.S. companies, they said.
"We've been trying to export cryptography software for 10 years, and we've been hampered by the laws," said Jim Omura, chief technical officer at Cylink Corp.
"Two companies in Beijing wanted secure links to the U.S.," he said, but Cylink couldn't work with them because China was on the list of countries to which U.S. firms could not provide encryption. The problem is the same with the nations of the former Soviet Union and countries such as Peru, Omura said, adding that the "bad guys list" is ever-changing.
About 500 different cryptographic products are available from companies in more than 65 countries, said Thomas Parenty, director of data and communications security development at Sybase Inc.
"The current export controls do not keep strong crypto out of the hands of terrorists, criminals, drug lords," he said. "It keeps crypto out of the hands of businesses."
Meanwhile, overseas users are not interested in the U.S. administration's key escrow proposal to increase the key length to 64 bits as long as the U.S. government has access to part of the coded messages.
Swedish telco Telia wants to offer its customers the strongest possible encryption, mostly made by U.S. firms, according to Mattias Soderhielm, Telia's director of business development. However, Telia is "concerned to tell customers that a foreign government [the U.S.] will be able to read their e-mail," he told a panel at the conference.
--Elinor Mills, IDG News Service, San Francisco Bureau