The Implications of Cyberwar for National Security and Business

Posted by Kuji on June 26th, 2008

INFORMATION SECURITY:

The Implications of Cyberwar for National Security and Business

by Zachary Selden

November 1996

In the Summer of 2003, Iran's armed forces are closing in on Saudi Arabia in a bid to control Middle Eastern oil production. The U.S. gathers its allies and prepares to repel Iran, but finds itself virtually paralyzed as invisible and untraceable computer assailants shut down power grids, cause trains to collide, disrupt financial transactions and close down telephone systems. The Second Gulf War has become the First Cyberwar.

This is not the opening chapter of Tom Clancy's latest novel; it is the basis of a recent Pentagon exercise. US government officials are increasingly concerned about the national security implications of cyberwar and cyber-terrorism. In earlier forms of warfare, railroad junctions and communication systems were bombed to confound the enemy's ability to transport equipment and transmit commands. Today, they can be rendered just as inoperable by a modem-equipped PC.

The terms information warfare, cyberwar and information security have become media buzzwords. But what is information warfare and what are the realistic threats to U.S. national security? Information warfare (IW) can encompass everything from electronic jamming to psychological operations. The focus here, however, is defense against the deliberate exploitation of information systems' inherent vulnerabilities in a manner that affects national security. The reality of information warfare is that all systems are vulnerable. As states grow more dependent on information systems, vulnerabilities will increase.

These weaknesses are compounded by the fact that U.S. military and civilian information systems are intimately linked. Railroads, for example, are controlled by relatively penetrable civilian systems, and much of the military's unclassified message traffic travels on the internet. In cyberwar, civilian information systems can be as critical as military systems, and any effort to build a truly secure national information system will require close cooperation between American business and government.

As war becomes more information intensive, the need for such cooperation grows. The Gulf War taught us that strong information management skills can translate into battlefield success. But, information technology shares one characteristic with older military technology: defensive countermeasures are both simpler and cheaper.

Cyberwar requires a small capital investment to achieve tremendous results. The necessary computer equipment is easily obtained and is becoming less expensive every day. A team of computer mercenaries could be hired for less than the cost of one fighter aircraft. Information warfare can also be carried out remotely. A state or terrorist organization could easily disperse its operatives around the world making it difficult to pinpoint any attack and retaliate. The bottom line is that information warfare is cheap, effective and well within the reach of almost any state or well-endowed terrorist organization. The potential for the Davids of the world to fling a well placed rock against the Goliaths may actually be greater in the information age than in the industrial age.

Information system vulnerabilities can also be exploited to fund terrorist activities. In the 1970s and 1980s, terrorists turned to hijackings and kidnappings to raise funds. With billions of dollars in electronic transit every day, cyberspace may provide a funding source that is both less risky and more profitable than conventional means of raising funds.

The vulnerabilities of military information systems are obviously an area of paramount concern. Most of the more than 250,000 attacks on military information systems each year fail, but a few successes can cause widespread damage. For example, in 1994, Air Force computer security experts discovered that their classified network at the Rome (New York) Laboratories had been breached. A subsequent investigation revealed that the hackers had gained complete access to all Rome Labs networks, and had breached other classified sites, like the South Korean Atomic Research Institute, through access to the Rome Labs system. This latter problem illustrates one of the most serious problems of network security: once a hacker has found a valid ID and logon, he can transfer to other sites that might be better defended. The security of an information system is only as good as its weakest link.

Identifying the intruders was virtually impossible because they skillfully manipulated the phone system and ran their connection through multiple locations from New York to Latvia. While the intruders' computer codenames, Datastream and Kuji, were discovered, their identities remained secret until an informant revealed an e-mail conversation with a British hacker who bragged about his exploits in Rome Labs and left his phone number with the informant. A tap was put on the line and he was subsequently arrested. Datastream turned out to be a sixteen-year-old armed with nothing more than a 486sx PC. Had he been a bit more mature, like his colleague Kuji who remains at large, he most likely would still be breaking into military sites at will.

National security planners face difficult questions: How many other Datastreams are out there, who will employ them and to what ends? If one teenager with fairly unsophisticated equipment can penetrate supposedly secure systems, consider the damage that ten or twenty equally skilled individuals could do in the employ of a rogue state or terrorist organization. The PC may soon be one of the most dangerous components in the terrorist's arsenal.

If military sites can be compromised, civilian networks are even easier to crack. Financial institutions are reluctant to reveal information systems intrusions for fear of sparking a panic, but such incidents appear to be relatively common. In 1994, for example, Citibank lost $400,000 to a group of Russian hackers, who were attempting to steal millions. A survey of computer security companies by the Senate Subcommittee on Investigations revealed that their corporate clients in the United States had lost $400 million last year alone.1 It is impossible to estimate the additional losses in comparative advantage due to computer industrial espionage.

Without a serious effort to strengthen and coordinate security measures, American business stands to lose hundreds of millions every year, and U.S. military effectiveness could be compromised. Incidents like the Rome Labs penetration have created a consensus in favor of action. While support for coordinated information security programs is strong, this consensus breaks down when one moves to the level of specific recommendations.

To date, no clear government strategy for information security exists. A host of government agencies and informal public-private groups have been convened to discuss this problem, but actual results are minimal. One senior intelligence official compares the state of coordination to “a toddler soccer game where everyone just runs around trying to kick the ball somewhere.”2

Efforts to comprehensively protect the entire information infrastructure will face strong opposition from private industry actors who are reluctant to encourage government intrusion. As Richard Wilhelm, Vice President Gore's security advisor, puts it, private companies “are not begging for more government meddling.”3 The present battle over encryption, which pits civil liberties advocates against law enforcement officials who hope to “tap” information networks, is simply the tip of the iceberg. In today's rapidly changing technological environment, the prospects for extensive government-industry cooperation remain limited. The lack of cooperation between industry and government on this issue is reflected in the President's Commission on National Infrastructure Protection. While ostensibly a forum to bring together industry and government to coordinate the security of the nation's information networks, some industry representatives claim that they have been relegated to minor positions in what has become a high-level bureaucrats' club. The Commission is expected to release its report next year, but if industry is as isolated as some of its representatives believe, it will not be a comprehensive plan.

Clearly, there is some movement toward a plan to protect the national information infrastructure, but it has yet to move past the theoretical stages. As the global leader in technology and information systems, the United States is particularly vulnerable to cyberwar or cyber-terrorism. The requisite skill and technology to wreak havoc via computer already exist: it is only a question of time before a state or terrorist organization decides to wage cyberwar against the United States. Coping with this emerging threat will require cooperation between the American business community and Government to devise means of protecting both civilian and military information systems.

The information technology revolution spawned both tremendous promise and new threats. At the moment, however, the means of coping with the potential threat is barely in formation. While the recent attempts to secure the national information infrastructure appear to be a good start, they may ultimately prove to be a case of too little, too late.

1 U.S. Senate Permanent Subcommittee on Investigations, Staff Statement for Hearing on Security in Cyberspace. June 5 1996, p.41.

2 ibid, p.26

3 “IW Study May Guide U.S. Policy,” Defense News, March 10, 1996: 3.

Source: Business Executives for National Security; http://www.bens.org/pubs/Cyber.html

Infowar.Com & Interpact, Inc. WebWarrior@Infowar.Com

Last modified: Sun, 03 Jan 1999 00:05:58 GMT

SOUTH CHINA MORNING POST: HACKER OF THE WEEK

Posted by Kuji on June 26th, 2008

23 Mar 97 SOUTH CHINA MORNING POST: HACKER OF THE WEEK
:The teenage security threat: Asia Intelligence Wire

RICHARD PRYCE

If you had to imagine the number one threat to America’s security, you might go for a terrorist group or a coalition of Iraq, Libya and North Korea. You would be unlikely to select a teenage double bass player at a British music college.

But RICHARD PRYCE, from a north London suburb, can count himself among those who have been elevated to the ranks of major threats to United States national security up there alongside Iraqi leader Saddam Hussein.

Pryce’s claim to fame, or infamy, lies in the way he hacked into America’s deepest defence secrets. At one point, he was even accused of having caused more harm to the US defence and missile systems than Russian intelligence. One might, equally, imagine that such a number one threat would operate from a secret base filled with the latest computers and advanced software. But PRYCE did it all from his bedroom in the suburb of Colindale, with equipment worth a grand total of GBP750 (HK$9,315).

He was just 16 at the time. PRYCE, who only got a D grade in computer science, obtained the passwords to download super-secret computer records in New York and California, including an Air Force base which deals with sensitive subjects such as artificial intelligence.

When he was brought to trial last week, his solicitor said that officials believed he was being manipulated by an East European outfit.
A US congressional report on computer attacks said he had been seizing control of defence department computers on the direction of an unknown third In the Senate in Washington, PRYCE was accused of “causing more harm than the KGB” and described as the number one threat to US security.
The magistrates took a more lenient view. Fining PRYCE GBP1,200 on Friday, they accepted his innocent motives after he admitted 12 charges of gaining access to the computers.

But they did order his computer equipment to be confiscated.
PRYCE, now 19, was arrested after the US Air Force Office of Special Intelligence investigated the hacking.
They codenamed the unknown culprit “Datastream Cowboy”, and finally got his name from other computer users.

The Pentagon said yesterday it was taking measures to stop its systems coming under computer attack.

BRITON CHARGED WITH HACKING INTO PENTAGON DATA: REUTER NEWS

Posted by Kuji on June 26th, 2008

23 Jun 96 BRITON CHARGED WITH HACKING INTO PENTAGON DATA: REUTER NEWS

LONDON

British police said on Sunday they had charged a second man with hacking into US military computers months after the arrest of a teenage whizzkid accused of gaining access to messages from US agents in North Korea. MATHEW BEVAN, a 21-year-old information technology technician, has been charged with conspiracy to gain unauthorised access to computers and conspiracy to cause unauthorised modification to computers.

A spokeswoman for Scotland Yard said both charges related to computer systems operated by the US military and the Lockheed missile and space company.
Bevan’s co-defendant, RICHARD PRYCE, was charged last year with using a computer in his bedroom in north London to tap into several US Defence Department systems over a period of seven months.

PRYCE, who was just 16 at the time, got access to files on ballistic weapons research and messages from US agents in North Korea during a crisis over nuclear inspection in 1994, according to reports last year in The Independent newspaper.

Police sources said the two were arrested after a long search instigated by the US Air Force’s Office of Special Investigations based in Washington. BEVAN, from Cardiff in Wales, is to appear before magistrates in central London on July 11.
A recent study by the General Accounting Office of Congress said attempts to hack into Pentagon computers were running at a rate of 250,000 a year.
The GAO said the attacks were, at least, a multi-million dollar nuisance and, at worst, could pose a serious threat to national security.

(c) Reuters Limited 1996


