IWS - The Information Warfare Site
Richard C. Schaeffer, Jr.
Director, Infrastructure and Information Assurance
Office of the Assistant Secretary of Defense
(Command, Control, Communication, and Intelligence)

before a hearing 
of the

Subcommittee on Government Management, 
Information, and Technology

July 26, 2000

Computer Security: 
Cyber Attacks - War without Borders


Mr. Chairman, and Members of the Committee, I appreciate the opportunity to be here today to discuss this very important topic in relation to the challenge of providing a coordinated response to computer security threats.

To set the stage for my remarks I'd like to say a few words about the environment in which the Department of Defense (DoD) conducts its daily operations: during peacetime, crisis, and war. The Department's steadily increasing dependence on a global information environment, over which it has little control, heightens its exposure and vulnerability to a rapidly growing number of increasingly sophisticated internal and external threats. Globally internetworked and interdependent information systems tend to level the playing field between allies and adversaries, and offer adversaries access to potentially high-value and (currently) low-risk information infrastructure targets. These targets, if successfully attacked, have the potential to impact the full spectrum of DoD operations. To attack a large number of systems, an adversary need only find and attack a single exploitable connection to the system (through the use of a wide and growing variety of commonly available and inexpensive hacker tools). Once inside a system, an adversary can exploit it and the systems networked to it. This global marriage of systems and networks creates what has become a shared risk environment. Further, with every advance in information technology, new vulnerabilities are created that must quickly be discovered and effectively neutralized.

Given the risks and the fact that weakness in any portion of the Defense Information Infrastructure (DII) is a threat to the operational readiness of all Components, the Department is moving aggressively to ensure the continuous availability, integrity, authentication, confidentiality, and non-repudiation of its information and the protection of its information infrastructure. Exercises and real-life events clearly demonstrate that Defense-wide improvement in Information Assurance (IA) is an absolute and continuous operational necessity. We can no longer be satisfied with reactive or after-the-fact solutions. As the Department modernizes its information infrastructure, it must also continuously invest in the research, development, and timely integration of products, procedures, and training necessary to sustain its ability to defend it. Providing for the protection of the DII is one of the Department's highest priorities and most formidable challenges.

However, perfect protection is an unattainable goal. As stated above, an adversary need only find and attack a single exploitable connection to the system. This location could be at any base, post, camp or station, worldwide. It could be the location of an elite military unit or an entirely civilian element responsible for the extraordinary range of support activities critical to the successful execution of DoD missions.

The first challenge we face is to identify that an attack has occurred. I use the term attack here in a very broad sense to mean any malicious event perpetrated by an unauthorized (or authorized) user of a DoD information system. This is a non-trivial problem. Yes, there is technology available today to detect anomalous events. And, while this technology continues to increase in capability, for the most part it will always lag behind the capability of the adversary, particularly the sophisticated adversary, to develop new attack capabilities. Within the Department, we have deployed a vast array of sensors to provide indications and warning of an ongoing attack. Once anomalous activity is detected, the process of sorting through vast amounts of audit data is then required to attribute the attack to a specific person, organization, or entity (to include nation states and/or transnational elements). As a point of reference, during 1999, over 22,000 attacks were reported to the Joint Task Force-Computer Network Defense (JTF-CND).

The next challenge is attribution. Within U.S. borders, any attack is viewed first as a law enforcement (LE) issue; it is viewed as a crime rather than a national security matter. If, and only if, it can be shown that the attack is being perpetrated by a foreign entity, from foreign soil, does the attack become a national security matter. Because of the anonymity with which attacks can be perpetrated, and the ease with which an attacker can move from one computer (host) to another, the delay in identifying the adversary, let alone their intention(s), can be very long.

Attribution is a complex undertaking that requires coordination among several elements. [In this context, a host is any computer from which an attack is launched. This could be an attacker's own computer, a server at a local Internet Service Provider (ISP), a server at a U.S. college or university, or a server at another government department or agency.] Under our constitutional system, information essential to attribute the attack to a specific entity typically can be gathered only pursuant to criminal investigative authorities. The host owner can, of course, cooperate with law enforcement officials without the need for a warrant, and fortunately this frequently occurs. Regardless, collection and analysis of audit data from the host is a necessary component of the attribution process. A court order must be obtained, which can take from hours to days, and then the data must be obtained and analyzed. I don't want to oversimplify the analysis process; it is extremely difficult. It is this analysis, together with other information gained as part of the investigative process (and, as appropriate, intelligence processes), that provides a picture of the perpetrator, their motivation, and their purpose. Coordination between responsible elements, both internal and external to the DoD, during these activities is essential.
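The two preceding paragraphs describe attribution as walking backwards through a chain of hosts using each host's audit data, until the trail reaches a host whose records the investigator does not hold and must obtain through cooperation or a court order. The following is an added illustration, not part of the testimony and not a DoD or JTF-CND tool: it correlates constructed session-open/session-close audit records from three hypothetical hosts (names and RFC 5737 documentation addresses are made up for the example) and reports both the reconstructed hop chain and the first source address for which no records are available, which is exactly the point at which the legal process described above begins.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Session:
    host: str               # host on which the login was recorded
    src: str                # source address of the login
    user: str
    start: datetime
    end: Optional[datetime]  # None while the session is still open


# Constructed sample audit records (hypothetical hosts and addresses, not
# from any real system): one session-open/session-close pair per login, in the
# form a defender might export from several hosts' logs for correlation.
AUDIT_LOG = """\
2000-07-10T02:11:05 isp-relay.example sshd session-open user=guest src=203.0.113.7
2000-07-10T02:14:40 univ-srv.example sshd session-open user=lab src=198.51.100.22
2000-07-10T02:16:02 dod-host.example sshd session-open user=ops src=192.0.2.45
2000-07-10T02:30:00 dod-host.example sshd session-close user=ops src=192.0.2.45
2000-07-10T02:31:10 univ-srv.example sshd session-close user=lab src=198.51.100.22
2000-07-10T02:32:00 isp-relay.example sshd session-close user=guest src=203.0.113.7
"""

# Which source address belongs to a host whose logs we hold (constructed; in
# practice this comes from asset inventory and, for outside hosts, the owner).
HOST_BY_ADDR = {
    "192.0.2.45": "univ-srv.example",
    "198.51.100.22": "isp-relay.example",
    # 203.0.113.7 belongs to no host we have records for.
}


def parse_audit_log(text):
    """Pair session-open and session-close lines into Session objects."""
    open_sessions = {}
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _proc, action, user_field, src_field = line.split()
        when = datetime.fromisoformat(ts)
        user = user_field.split("=", 1)[1]
        src = src_field.split("=", 1)[1]
        key = (host, user, src)
        if action == "session-open":
            session = Session(host, src, user, when, None)
            open_sessions[key] = session
            sessions.append(session)
        elif action == "session-close":
            session = open_sessions.pop(key, None)
            if session is not None:
                session.end = when
    return sessions


def active_session(sessions, host, at):
    """Most recently started session on `host` that was open at time `at`."""
    candidates = [s for s in sessions
                  if s.host == host and s.start <= at
                  and (s.end is None or at <= s.end)]
    return max(candidates, key=lambda s: s.start) if candidates else None


def trace_hops(sessions, host, at, host_by_addr, max_hops=10):
    """Walk the login chain backwards from a malicious event on `host` at `at`.

    Returns (chain, unresolved): chain is a list of (host, user, src) hops in
    the order they were traversed; unresolved is the first source address for
    which we hold no records (None if the trail simply ended)."""
    chain = []
    seen = set()                     # guards against looping through hosts
    current_host, when = host, at
    while len(chain) < max_hops and current_host not in seen:
        seen.add(current_host)
        session = active_session(sessions, current_host, when)
        if session is None:
            return chain, None       # no login open at that time: trail ends
        chain.append((current_host, session.user, session.src))
        next_host = host_by_addr.get(session.src)
        if next_host is None:
            return chain, session.src  # next step needs the address owner's records
        # The upstream login must have been active when this one started.
        current_host, when = next_host, session.start
    return chain, None


def trace_from(host, iso_time):
    """Convenience wrapper over the constructed log above."""
    sessions = parse_audit_log(AUDIT_LOG)
    return trace_hops(sessions, host, datetime.fromisoformat(iso_time), HOST_BY_ADDR)


if __name__ == "__main__":
    chain, unresolved = trace_from("dod-host.example", "2000-07-10T02:20:00")
    for hop_host, user, src in chain:
        print(f"{hop_host}: user={user} logged in from {src}")
    print("records needed from owner of:", unresolved)
```

Run as a script, the trace from the event on dod-host.example at 02:20 leads through univ-srv.example to isp-relay.example and stops at 203.0.113.7, the address for which no records are held. Pairing each hop with the upstream session's start time, rather than the original event time, matters: the upstream login necessarily predates the downstream one, and using the wrong timestamp would pick up an unrelated session.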

Within the DoD, we have established detailed procedures for the coordination of all cyber events. The JTF-CND was formed on December 30, 1998 to provide a single command with authority to coordinate and direct the defense of the DoD computer systems and networks. Originally formed as a separate JTF reporting directly to the Secretary of Defense, JTF-CND became a direct reporting command of U.S. SPACE Command on October 1, 1999 when SPACE Command was assigned the mission of computer network defense for the Department of Defense. The JTF-CND provides DoD with a focal point for dealing with cyber threats and has answered the "Who's in charge?" question. Prior to the formation of the JTF, no single entity had the authority to coordinate and direct a DoD-wide response to a computer network attack. The JTF-CND and the National Infrastructure Protection Center (NIPC), which serves as a focal point for the Federal Government's efforts to detect, assess, warn of, and respond to cyber attacks, form a strong collaborative team for dealing with attacks on DoD systems and networks.

Several examples are provided to elaborate on the responsibilities of the JTF-CND.

During the Melissa Virus incident in March 1999, the JTF-CND, in cooperation with the DoD Computer Emergency Response Team (CERT) and the JTF's Service components, was able to quickly assess the threat, develop a defensive strategy, and direct appropriate defensive actions. Despite damage to the private sector in the hundreds of millions of dollars, DoD experienced relatively little effect and no operational impact.

The JTF-CND began working on countermeasures for distributed denial of service tools in November 1999. While not finding any direct antidote, the efforts provided significant data for the creation of a DoD functional plan for countering this type of attack while simultaneously ensuring that DoD systems are not subverted into taking part in attacks on others.

The JTF was at the center of DoD's response to the Year 2000 event. The JTF provided valuable staff analysis of the situation, and coordinated with the numerous ad hoc organizations formed to implement the federal government's response. The JTF was integral in ensuring that DoD took a coordinated and measured approach.

The ILOVEYOU virus provided another example of rapid action. The JTF staff quickly identified the potential damage and promptly notified the CINCs, Services, and agencies, which enabled them to respond effectively.

Over the last 18 months, the JTF-CND has developed processes for identifying attacks against DoD networks, assessing the importance of those attacks, notifying appropriate headquarters of the information, developing and implementing responses to them, and coordinating with external organizations such as the NIPC. The DoD relies on the NIPC to coordinate cyber attack indication and warnings with the nation's Critical Infrastructure elements (Communications, Power, etc.) upon which the Department depends for mission success.

In closing, I'd like to say just a few words about where we are today and where we need to be in the future. Today it takes us, at best, hours to transition from detection to warning; at worst this could be days, whereas the attacks themselves are executed in milliseconds. We must develop the technology, capabilities, processes, and legal framework to respond to cyber events in near real time. There will come a time when our capabilities WILL be tested and national security or the economic security of the nation will depend on components like the JTF-CND, NIPC, and others working collaboratively in response to the event.

I want to thank the subcommittee again for providing an opportunity for the Department of Defense to present its views on this very important issue. I look forward to working with Congress to ensure that we are able to meet these ever increasing challenges.
