The New Face of War
Americas dependence on technology
by Amara D. Angelica
Its started. Wall Street reports a massive loss of data as computers and backup tapes go up in smoke. ConEd and PG&E computers crash, plunging the East and West coasts into darkness. At OHare, the FAAs ATC computers crash, causing havoc across the Midwest. 911 emergency systems in major cities go down from a logic bomb. Internet traffic slows to a trickle as ISPs and telecom companies struggle with coordinated large-scale denial-of-service attacks from around the world. Meanwhile, in Wash ington, D.C., a micro wave antenna on a fake Channel 9 CBS-TV van slowly turns toward the White House West Wing and unleashes a billion watts toward the War Room, where the Feds are working frantically to assess and contain the chaos
"Thats the kind of nightmare call I worry about receiving on my red line every morning," says Barry Collin, senior research fellow at the Institute for Security and Intelligence (www.counterterrorism.org) in Palo Alto, who coined the term "cyberterrorism."
Such coordinated computer terrorism goes way beyond malicious hackers, he says. "Think of it as hacking with a body count."
The FBI defines terrorism as "the unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives."
For cyberterrorism, Collin adds to the definition: " ... through the exploitation of systems deployed by the target. While all other forms of terrorism (for example, the truck filled with explosives at the Oklahoma Federal Building or the sarin attack in the Tokyo subway) require the black hat to deliver and deploy a weapon of some kind, cyberterrorism leverages the high-technology systems we put in place. The more computerized systems we employ, the more systems there are to exploit and attack."
The Y2K issue has drawn attention to computer systems vulnerability to breakdowns. But while the Y2K threat has a very defined trigger (midnight on New Years Eve, 1999), cyberterrorists could attempt to cripple crucial systems at any time, for any reason and from practically any location. The threat is real enough that taxpayer money is being spent to assess (and prevent) attacks on the nations infrastructure.
The potential threat is not the product of stimulated imaginations. Hints of what is possible are already appearing in the headlines. Some recent examples:
"The curves getting steep; its definitely accelerating," says Winn Schwartau, quickly ticking off a few dozen major incidents around the world during the past year. Schwartau is CEO of Interpact Inc. and author of Information Warfare. He also runs www.infowar.com, a Web site that tracks cyberterrorism and information warfare on a daily basis.
In a speech to the International Symposium on Criminal Justice Issues last year, Collin cited other potential targets of cyberterrorism:
"Some of these have already occurred in various nations. The threats are real today," Collin says. Whats worse, "attackers could wage cyberwarfare from a computer anywhere in the world, undetected." Collins Institute for Security and Intelligence is located at Stanford but is not affiliated with the university.Infrastructure vulnerabilities
The core problem: Americas dependence on computers makes it more vulnerable than most countries to cyberattack.
The Presidents Commission on Critical Infrastructure Protection (www.pccip.gov/summary.html) has identified eight critical areas in need of protection: information and communications, electrical power systems, gas and oil (production, transportation and storage), banking and finance, transportation, water supply systems, emergency services and government services.
"Serious vulnerabilities and threats exist in all of these critical infrastructures," said Palo Alto-based Stanford Research International (SRI) principal scientist Peter G. Neumann in Senate testimony in May. These infrastructures are "closely interdependent; a failure on one sector can easily affect other sectors."
The Oct. 11 Intelligence Report from the Centre for Infrastructural Warfare Studies (www.iwar.org) lists more than 30 infrastructure-related incidents worldwide in just the previous two weeks. Although not directly resulting from cyberterrorism, they show how small events can cause fairly widespread damage. For example:
"Our national infrastructure depends not only on our interconnected information systems and networks, but also the public switched network, the air-traffic control systems, the power grids and many associated control systems, which themselves depend heavily on computers and communications," said Neumann in 1997 Senate testimony. "Global problems can result from seemingly isolated events, as exhibited by the early power-grid collapses, the 1980 ARPANET collapse and the 1990 long-distance collapseall of which began with single-point failures.
"Our defenses against isolated attacks and unanticipated events are inadequate. Risks include not just penetrations and insider misuse, but also insidious Trojan horse attacks that can lie dormant until triggered. Our defenses against large-scale coordinated attacks are even more inadequate."
According to CIA director George Tenet in congressional testimony in June, "We rely more and more on computer networks for the flow of essential information. Potential attackers range from national intelligence and military organizations, terrorists, criminals, industrial competitors, hackers and disgruntled or disloyal insiders."
There are plenty of incentives, he said: "Trillions of dollars in financial transactions and commerce moving over a medium with minimal protection and sporadic law enforcement; increasing quantities of intellectual property residing on networked systems; and the opportunity to disrupt military effectiveness and public safety, with the elements of surprise and anonymity."New cyberweapons
The cyberterrorists traditional weapons of choice include computer viruses (such as logic bombs that wake up on a certain date, worms and trojan horses), cracking (accessing computer systems illegally), sniffing (monitoring Net traffic for passwords, credit card numbers and other data), social engineering (fooling people into revealing passwords and other information) and dumpster diving (sorting through the trash).
But a new tactic, coordinated large-scale attacks, emerged on March 2 and was detailed in a Sept. 4 memo that has been posted on a Navy Web site. Stephen Northcutt, a primary analyst for the Naval Surface Warfare Center, reported the details of intrusion attempts involving multiple attackers working together from different IP addresses, many in different countries and continents. The intent apparently was to make the attacks more difficult to detect, increase the "firepower" and acquire more data, he said.
Northcutt said commercially available IDS (intrusion detection systemssee "Batten Down the Hatches," TechWeek Oct. 19) cannot detect such large-scale attacks. But the Navys SHADOW (Secondary Heuristic Analysis for Defensive Online Warfare) software can detect and track such attacks, he said. (Download SHADOW free at www.nswc.navy.mil/ISSEC/CID for Unix/Linux/ FreeBSD.)Remote snooping
Another advanced cyberterrorist tool is monitoring computers, fax machines, printers and other devices by picking up their electromagnetic radiation. TEMPEST devices (Transient Electro-Magnetic Pulse Emanation Standard, also called "Van Eck" devices after Wim van Eck who wrote the first paper on the subject in 1985) pick up radiation mainly from monitors and connecting cables. They allow cyberspies to intercept your password, proprietary business plan or embarrassing love letter, clearly displayed on their monitors.
Such monitors can be as far away as 1 kilometeror further if they have special fast-fourier-transform chips and other classified systems designed by the National Security Agency (or its foreign counterparts or your competitors). And theres no way for you to know youre being monitored.Zapyour computers dead
It sounds like science fiction: weapons that can zap your computer into oblivion from a distance. But RF weapons are real, according to top military experts at congressional Joint Economic Committee hearings held earlier this year (http://jya.com/rfw-jec.htm).
RF weapons consist of a power supply, transmitter and antenna. One type of RF weapon, HPM (high-power microwave), generates gigawatts (billions of watts) of short, intense energy pulses focused into a narrow beam capable of silently burning out electronic equipment, according to retired U.S. Army Lieutenant General Robert L. Schweitzer in congressional testimony in June.
RF weapons are also packaged as RF munitions, which use explosives to produce radio-frequency energy. "In the hands of skilled Russian scientists, these munitions come as hand grenades, mortar rounds, or large artillery shells or missiles," Schweitzer said.
Former computer design engineer and computer industry consultant Carlo Kopp, who is currently completing his Ph.D. at Monash University in Australia, has written a well-researched technical paper on RF munitions: "The Electromagnetic Bomba Weapon of Electrical Mass Destruction" (www.cadre.maxwell.af.mil/airchronicles/kopp/apjemp.html). It in cludes defenses against electromagnetic bombs, such as shielded rooms called Faraday cages.
"The horse is out of the barn," warned Schweitzer. "We are the most vulnerable nation on earth to electronic warfare. Our vulnerability arises from the fact that we are the most advanced nation electronically and the greatest user of electricity in the world."
Schweitzer said potential targets of RF weapons include computers and other electronic devices used in the national telecommunications systems, the national power grid, the national transportation system, mass media, oil and gas control and refining, manufacturing processing, inventory control, shipment and tracking, public works, civil emergency service and finance and banking systems, including a banks ability to dispense cash.
"Ninety percent of our military communications now passes over public networks. If an electromagnetic pulse takes out the telephone systems, we are in deep double trouble because our military and non-military nets are virtually inseparable. It is almost equally impossible to distinguish between the U.S. national telecommunications network and the global one. What this means is that it is finally becoming possible to do what Sun Tzu wrote about 2,000 years ago: to conquer an enemy without fighting.
"The paradigm of war may well be changing. If you can take out the civilian economic infrastructure of a nation, then that nation in addition to not being able to function internally cannot deploy its military by air or sea, or supply them with any real effectivenessif at all."
Schweitzer also said the former Soviet Union developed RF weapons because they realized they could not match the capability of Western electronics but believed RF weapons "have the potential to be effective against our sophisticated electronics."
With the reduction in military spending, Russia is now offering this advanced weaponry to foreign customers to further its own R&D efforts, he said. Based on proceedings of 20 years of international conferencesmany hosted and initiated by the United StatesChina is also well ahead in this field, and many other nations are emerging. Even more frightening: Used radar systems available at surplus sales can be modified to create lower-power but effective RF weapons.
HPM systems use narrow-band transmitters that require large, expensive power supplies. But a new class of ultra-wide band (UWB) devices, also known as Transient Electromagnetic Devices (TEDs), are easier to construct and use. They may be "the RF weapon of choice to the modern cyber or infrastructure RF warrior," said engineer David Schriner before the congressional Joint Economic Committee.
According to Schriner, TEDs generate a spike-like electromagnetic pulse that is only one or two hundred picoseconds (or trillionths of a second) in length at very high peak power. They radiate over a broad band of frequencies, so they can burn out a broad range of devices, with effects on electronics systems that are similar to a lightning strike. TED power supplies are smaller, cheaper, require less power and are easier to build. They use simple spark-gap switches and can be assembled from automobile ignition, fuel pump and other readily available parts in about a week for about $300 using unclassified literature.
The compact devices could fit in a briefcase or be "placed in a small van or directed at buildings that the van was driven past." With a six-foot backyard satellite TV-dish antenna and more advanced spark-gap unit, terrorists could point them at flying aircraft.Taking action
So how can you defend against these weapons? For starters, you can harden your computers, networks, cables, printers and other devicesthat is, make them more resistant to electromagnetic radiation. Kopps "Hardening Your Computing Assets" (www.infowar.com/CLASS_3/harden.html-ssi) is a good start. A side benefit of hardening is that it helps protect you from TEMPEST snooping.
But a more fundamental question is: What is the U.S. government doing about it, besides holding hearings? The Presidents Commission on Critical Infrastructure Protection researched cyberterrorism for more than a year and in October 1997 delivered its report (www.pccip.gov).
"In the cyber dimension there are no boundaries," said the report. "Our infrastructures are exposed to new vulnerabilities and the defenses that served us so well in the past offer little protection from the cyber threat. Our infrastructures can now be struck directly by a variety of malicious tools."
The report also recommended the creation of two new organizations.
The National Infrastructure Protection Center (www.fbi.gov/nipc/index.htm), located within FBI headquarters in Washington, was formed in February of this year with $64 million in taxpayer money. According to the centers chief, Michael Vatis, "The NIPCs mission is to serve as the U.S. governments focal point for threat assessment, warning, investigation and response for threats or attacks against our critical infrastructures."
The formation of the Critical In frastructure Assurance Office (www.ciao.gov), was announced in May 1998 with the task to create a national plan to protect the infrastructure.
"A key problem with these organizations is getting the private sector to report problems," says Collin. "They dont trust the government and dont see it as a two-way street. But not reporting a crime and taking steps to mitigate damages could backfire later in court.
"Beyond prevention and detection, fighting back is the issue we are now looking at," says Collin. "Right now, we are constrained by law to defensive measures, for the most part. With needed changes in legislation, we may be able to respond more effectively to attacks on our critical infrastructure."
Whats ahead? Schwartau warns us to watch for some upcoming events cyberterrorists may try to take advantage of:
Says Collin: "Cyberterrorists will use predictable system failures as execution points for their attacks, hoping that efforts to fix the system failures will either draw attention away from the attack or leave insufficient personnel to address the security breach. Its not unlike the Tet Offensive: Hit the enemy while they are otherwise occupied. The Year 2000 issue is the first global deadline we have ever had, and the black hats are gearing up."
"It may take a Chernobyl-scale event to raise awareness levels adequately, perhaps bringing several of the national infrastructures to their knees simultaneously," says Neumann of SRI. However, he adds, "If you are overly concerned with the Y2K fiasco, you may be blindsided by the deeper problems. Unfortunately, security in the long run is an even more critical problem."
On the Cypherpunks list, Markus Kuhn described a low-cost way to test your system or network for emanations. Connect a standard VHF (TV) antenna through an antenna amplifier to your VCRs RF tuner. Connect baseband video from the tuner to the "video in" pins of a multisync monitor and feed vertical and horizontal sync to the monitor from a PC video card set to the same video mode as the target system (or use sync generators). Tune through the VHF bands, starting with your target systems dot clock frequency.
This is an effective way to convince your boss to budget for shielding your computer systems and networks.
TEMPEST systems are commercially available for purchase and are legal to use, believe it or not (but be careful, there are known snake oil sales operations in this field). Antennas are easily disguised inside a van with a plastic panel or even on the roof of a "electronics repair" or "TV station" van.
So how do you stop them? Well, you can add shielding to your systems and switch to optical fibers, or use "TEMPEST fonts" that decrease radiation from monitors. Or if you have a security clearance, you can purchase expensive TEMPEST-certified systems. Or you can buy used TEMPEST-shielded computers and other devices without a clearance. For other ideas, see Grady Wards "TEMPEST in a teapot" (www.eff.org/pub/Privacy/Security/tempest_monitoring.article).
TEMPEST consulting, testing and manufacturing is a $1 billion-a-year business, says Joel McNamara on his "Complete, Unofficial TEMPEST Information Page" (www.eskimo.com/~joelm/Tempest.html), which lists companies involved in this work. Also see www.emclab.umr.edu/ieee_emc/jobs.html for job listings. Skills sought: EMC (electromagnetic compatibility)/EMI (electromagnetic interference) design and test engineers and technicians.
Were sitting ducks. Theres currently no organization geared up to handle cyberterrorist attacks on the nations infrastructures.
Richard Forno, security officer for a major Internet services firm in Virginia and consultant to the Department of Defense, has proposed a solution: the Joint Information Warfare Activity Reserve Component.
This would be a "military reserve component that doesnt require uniforms, physical training or full-time commitment," says Forno. "The reasoning is to tap into the brain trust of academic and IT America, and hopefully be able to create a viable IO/IW [information operations/infowar] solution in the military world without dealing with the current IT brain drain of highly-skilled tech folks leaving the military for high-paying private sector jobs."
After Forno wrote an article on the idea earlier this year, the Pentagon contacted him to develop a presentation defining plans for a 300-person reserve unit. The unit would create "Crisis Response Teams" and "Red Teams" that "conduct penetration tests, risk assessments and other analysis on organizations to discover vulnerabilities and weaknesses in their systems, procedures, policies and overall security posture," according to his presentation made available to TechWeek.
In June, Janes Defense Weekly reported that Joint Chiefs of Staff Chairman General Henry Shelton is expected to recommend to Defense Secretary William Cohen that a "computer attack response cell" be formed to counter cyberwarfare incidents.
If the idea goes through, "the reserve unit would be looking for computer scientists and infrastructure specialists, such as PBX telecom experts," says Forno. "Theyd also need to qualify for a security clearance and be willing to serve TDY [temporary duty] when needed, just like current Reservists do."
RF weapons expert Carlo Kopp speculates a portable RF weapon might consist of a  backpack housing batteries, power supply and transmitter tube; a  rifle stock or assault weapon handgrip that would have a  protective mesh reflector mounted on it and a  helix or Yagi antenna mounted inside the reflector dish.
The best Web sites offering comprehensive, up-to-date links on cyberterrorism are www.infowar.com and the Federation of American Scientists "Information Warfare" site at www.fas.org/irp/wwwinfo.html.
To keep up to date on computer risks, subscribe to the Risks Forum (www.csl.sri.com/risksinfo.html), a moderated digest that is also available on the comp.risk newsgroup. For infrastructure vulnerabilities and threat analyses, subscribe to the Centre for Infrastructural Warfare Studies report (www.iwar.org), available free to qualified subscribers.
The most readable, comprehensive introduction to cyberterrorismand the broader area of information warfareis Winn Schwartaus Information Warfare (Thunders Mouth Press, 1996). The book covers every aspect of the subject, from malicious software and viruses to "HERF" weapons, TEMPEST machines and military and commercial defenses against cyberattacks. The second edition adds 400 pages written by top experts in the field.
Schwartaus Time-Based Security (Thunders Mouth Press, Nov. 1998) offers a novel method for quantifiably testing and measuring enterprise security effectiveness and making informed decisions. Written for managers as well as security practitioners, the book offers an alternative to the unworkable "fortress" mentality, the author says.
For serious infowarriors, Information Warfare: Principles and Operations by Edward Waltz (Artech House, 1998) offers in-depth academic analyses of defensive and offensive infowarfare strategies and technologies.
Other recently-published books include The Next World War: Computers Are the Weapons & the Front Line Is Everywhere by James Adams (Simon & Schuster, 1998); The Advent of Netwar by John Arquilla and David Ronfelt (Rand Corporation, 1998), and In Athenas Camp: Preparing for Conflict in the Information Age (Rand Corporation, 1998).
E-commerce Security by Anup K. Ghosh (John Wiley & Sons, 1998) is "mandatory reading for anyone thinking about getting into e-commerce," says security authority Peter G. Neumann. It covers intrusions (with an excellent chapter on malicious code), vulnerabilities and ways to secure digital transactions and commerce servers.
Intrusion Detection by Terry Escamilla (John Wiley & Sons, 1998) is a readable, up-to-date look at intrusion detection systems, authentication, firewalls and access controls, including detailed comparisons between leading IDS product categories. This is a must-have for computer security professionals.
Protecting Networks with SATAN by Martin Freiss (OReilly & Associates, 1998) is a practical hands-on guide to installing, using and extending the Security Administrator Tool for Analyzing Networks, (SATAN). It also explains how to defend your site by detecting when intruders are using SATAN to probe your hosts and network and by repelling the attack.