Technology -- Essential Yet Vulnerable:
How Prepared Are We for Attacks?"
September 26, 2001
Institute for Security Technology Studies
Subcommittee on Government Efficiency,
and Intergovernmental Relations
Mr. Chairman, you and other members of Congress
have devoted much attention over the past few years to the state of our
preparedness to deal with cyber attacks. You have devoted particular attention
to the security of computer networks at various federal agencies, and
your work has revealed the severe shortcomings across many different agencies
in this area. I therefore will not dwell on that issue here today. Some
members of this Subcommittee have also heard me testify in the past about
the enormous improvements that have been made over the past few years
in the government’s ability to detect, warn of, and respond to cyber attacks,
principally through the National Infrastructure Protection Center. And
my esteemed colleague, NIPC Director Ron Dick, is here today to tell you
about the most recent efforts of the NIPC in this regard.
Accordingly, I would like to devote my testimony
today to two other issues. I would first like to provide this Subcommittee
with our assessment at the Institute for Security Technology Studies of
the probability of cyber attacks that could take place against the U.S.
information infrastructure during the war on terrorism. We conclude, based
on factual analysis of recent precedents, cyber attack trends, and the
geopolitical situation today that:
- the likelihood of cyber attacks against U.S.
and allied information infrastructures is high;
- such attacks could come from terrorists and/or
their nation-state sponsors, but are more likely to come from sympathizers
of terrorists or of nation-states targeted by U.S.-led military operations
and from hackers with anti-U.S. sentiments;
- such attacks will almost certainly target the
web sites of government agencies and private companies in the U.S. and
allied countries, but could also attack more high-value targets such
as the networks that control critical infrastructures;
- such attacks could utilize destructive worms
and viruses, Distributed Denial of Service exploits, and intrusions
to disrupt targeted networks;
- and such cyber exploits could be combined into
a potent mix to cause widespread disruption, and also combined with
physical terrorist attacks to maximize the destructive potential of
both sets of terrorist tools.
Second, I would like to discuss the importance
of technology research and development to the overall cause of counterterrorism,
and to the cause of protecting against cyber attacks in particular. I
believe what is needed today is essentially a "Manhattan Project"
for counterterrorism technology, so that America’s leading scientists
in industry, academia, and government can help us use one of our greatest
strengths – our technological prowess – to design tools and technology
to assist in the war on terrorism. A significant portion of this effort
should focus on technology to secure the information infrastructure that
provides the foundation for much of our economy and our national security.
Background on ISTS
Before I turn to the main substance
of my testimony, I would like to provide background on the Institute for
Security Technology Studies at Dartmouth College. ISTS was created last
year as the result of congressional appropriations to the Department of
Justice, National Institute of Justice. Its mission is to serve as a national
center for counterterrorism technology R&D, with a significant focus
on technology to address cyber attacks. I came on board as ISTS’s first
Director this past Spring.
ISTS has numerous significant research
projects underway to develop technology to enhance cyber security and
cyber attack investigations. It also is conducting research into counterterrorism
technology, including tools for addressing the threat of chemical and
biological weapons. Most of these projects involve mid- and long-term
research to develop technology. In the wake of the September 11, 2001
attacks, we also initiated several short-term analytical projects in the
interest of helping policymakers, law enforcement and intelligence officials,
and system administrators in industry and government address some of the
challenges we will face in the coming weeks and months. One of those projects
was to analyze the possibility of cyber attacks against the U.S. information
infrastructure during the war on terrorism, which I have attached as an
Appendix to my Statement for the Record. That analysis is the focus of
the next part of my testimony.
Cyber Attacks During the War on
As a starting point, we examined several recent
political conflicts that led to attacks on cyber systems: the recent clashes
between India and Pakistan, Israel and the Palestinians, and NATO and
Serbia in Kosovo, and the tensions between the U.S. and China over the
collision between a Chinese fighter plane and an American surveillance
plane. From these case studies, we concluded that:
For instance, in the Israel/Palestinian conflict,
there were increases in the number of cyber attacks immediately following
physical attacks, such as car bombings and mortar shellings.
- Politically Motivated Cyber Attacks Are Increasing
in Volume, Sophistication, and Coordination
For instance, after the collision between the Chinese
fighter plane and an American surveillance plane, approximately 1,200
U.S. web sites, including those belonging to the White House and other
government agencies, were reportedly subjected to Distributed Denial of
Service attacks or defaced with pro-Chinese images in just one week.
- Cyber Attackers Are Attracted to High Value
For instance, during the Israel/Palestinian conflict,
pro-Palestinian hackers have attacked the web sites of Israeli banking
and financial institutions. And during the NATO action in Kosovo, pro-Serbian
hackers repeatedly targeted NATO communications infrastructures.
Next, we looked at general trends in cyber attacks,
including those lacking any apparent political motivation. From this part
of our analysis, we concluded that cyber attacks during the war on terrorism
could utilize far more destructive techniques than those witnessed during
previous political conflicts. Whether motivated by financial gain or simply
the challenge of breaking through network defenses, attackers have been
gradually ratcheting up the sophistication of their attacks for years.
Furthermore, the wide and rapid dissemination of new exploit "scripts"
has made it possible for even unsophisticated programmers to take advantage
of these advanced techniques. Thus, in recent years, we have seen an explosive
growth in cyber attack tools such as:
A worm is an independent program that replicates
itself from machine to machine across network connections, often congesting
networks as it spreads. In recent weeks, the Code Red and Nimda worms
have demonstrated the increasing destructiveness of this malicious technology.
- Distributed Denial of Service Attacks
DDoS attacks employ armies of "zombie"
machines, taken over and controlled by a single master, to overwhelm the
resources of victims with floods of packets. Most of the world first became
aware of this attack tool during the high-profile attacks of February
2000, in which popular e-commerce web sites were shut down by simultaneous
attacks. Since that time, the popularity of high-speed home Internet access
(via cable modems and DSL) has increased, and the commanders of DDoS zombie
armies are taking advantage of this popularity to plant malicious programs
on home computers, making those machines the unwitting participants in
Computer intrusions enable attackers to abscond
with sensitive information from government agencies and businesses, to
steal money or credit card numbers, or to alter information. Such tools
are increasingly being used by organized crime groups and potentially
by foreign adversaries.
Thus, a variety of increasingly sophisticated tools
are available to those who would attack the U.S. information infrastructure
during the war on terrorism. The next question, then, is who might engage
in such attacks. We determined that there are four principal categories
of potential attackers:
While it is unclear whether Osama
bin Laden’s Al Qaeda organization has developed cyber attack capabilities,
members of this network use information technology to formulate plans
and communicate securely. For instance, Ramzi Yousef, who was convicted
of planning the first World Trade Center bombing in 1993, had details
of future terrorist plots (including the planned bombing of 12 airliners
in the Pacific) stored on encrypted files on his laptop computer. At the
same time, the September 11, 2001 attacks on the World Trade Center and
Pentagon demonstrate an increasing desire by terrorist groups to attack
critical infrastructure targets. It is only a small step to using information
technology as a weapon against critical infrastructure targets.
Several nation-states, including
not only Afghanistan, but also U.S.-designated supporters of terrorism,
such as Syria, Iraq, Iran, Sudan and Libya, could possibly become the
focus of U.S. and allied military operations. Among those nations, at
least Iraq and Libya are reported to have developed information warfare
capabilities that could be turned against the U.S. and its allies. China,
North Korea, Cuba, and Russia, among others, are also believed to be developing
cyber warfare capabilities.
This category contains those actors
probably most likely to engage in attacks. If the American campaign against
terrorism is perceived as a "crusade" against people of the
Muslim faith, a variety of pro-Muslim hacker groups could launch cyber
attacks against the United States and its allies. Others with anti-U.S.
or anti-allied sentiments, such as members of the anti-capitalism and
anti-globalization movements, or Chinese hackers still upset about the
surveillance plane incident or the accidental NATO bombing of the Chinese
Embassy in Belgrade could join in such attacks.
Any conflict that plays out in
cyberspace will invariably attract a huge number of hackers and "script
kiddies" who simply want to gain notoriety through high profile attacks.
Those just jumping on the bandwagon of a cyber conflict between the United
States and its enemies pose a relatively low threat to American systems.
However, such individuals can still have significant disruptive impact,
as evidenced by the February 2000 DDoS attacks and recent destructive
The next issue is what targets
these attacks could be used against. We determined that the following
were possible targets.
Politically motivated web site
defacements will likely continue to escalate during the war on terrorism.
The most serious consequences of web site defacements would involve "semantic"
attacks, which entail changing the content of a web page subtly, thus
disseminating false information. A semantic attack on a news site or government
agency site, causing its web servers to provide false information at a
critical juncture in the war on terrorism, could have a significant impact
on the American population. Web sites could also be targeted with DDoS
attacks, particularly government and military sites.
Domain Name Servers (DNS) are the
"Yellow Pages" that computers consult in order to obtain the
mapping between the name of a system (or web site) and the numerical address
of that system. An attacker could disseminate false information with a
successful attack on a select Domain Name Server (or group of servers),
bypassing the need to break into the actual web servers themselves. Moreover,
a DNS attack would prevent access to the original web site, depriving
the site of traffic.
DDoS attacks against critical communication
nodes would be particularly harmful, especially during a period of crisis.
Potential targets for DDoS attacks are chat and mail servers, search engines,
and news services. Military and government communications systems are
especially likely to receive DDoS attack variants.
Routers are the "air traffic
controllers" of the Internet, ensuring that information, in the form
of packets, gets from source to destination. Routing operations have not
yet seen deliberate disruption from malicious activity, but the lack of
diversity in router operating systems leaves open the possibility for
a massive routing attack. While routers are less vulnerable than most
computers due to the fact that they offer fewer services, there is the
possibility that a current or as yet undiscovered vulnerability could
be used to gain control of a number of backbone routers.
Information systems associated
with critical infrastructures (such as banking and financial institutions,
voice communications systems, electrical power supplies, water resources,
and oil and gas delivery systems) must be considered a likely target for
terrorists, nation-states, and anti-U.S. hackers in the age of asymmetric
warfare. Such systems could be targeted through unauthorized intrusions,
DDoS attacks, worms, Trojan horse programs, or malicious insiders.
New worms may contain a sleep phase, in which the worm will infect
as many hosts as possible, before activating its destructive payload,
perhaps in order to coordinate with a conventional terrorist attack.
A multi-faceted attack employing
some or all of the attack scenarios in compound fashion could be devastating
if the United States and its allies are unprepared. A compound cyber attack
by terrorists or nation-states could have disastrous effects on infrastructure
systems, potentially resulting in human casualties. Such an attack could
also be coordinated to coincide with physical terrorist attacks, in order
to maximize the impact of both.
Finally, we recommended several
specific steps that government agencies, private companies, and others
can take to reduce their vulnerability to such attacks. These include:
System administrators and government
officials should be on high alert for the warning signs of hostile cyber
activity, particularly during periods immediately following military strikes.
Changes in "normal" scanning activity should be considered suspicious
and reported to the appropriate authorities. Logging levels should be
temporarily raised to trap as many events as possible to enable law enforcement
and/or counterintelligence investigations and the issuance of specific
warnings by the NIPC and other appropriate entities to other potential
victims. Systematic and routine risk assessments should be undertaken,
an incident management plan should be developed, and law enforcement contact
numbers should be readily available in case of an attack.
Best practices for maintaining
systems should be followed, including: regular updating of operating systems
and software, enforcement of password policies, locking down of systems,
disabling of unnecessary services, installing and updating anti-virus
software, and employing intrusion detection systems and firewalls.
Measures for securing critical
systems should be implemented, such as: checking for characters associated
with popular web server exploits, using existing authentication mechanisms
in border routers, running only recent and secure software in Domain Name
Servers, backing up all vital data and storing it off-site, copying and
maintaining log records in a secure location, and explaining all measures
in an enforceable security policy.
- Employing Ingress and Egress Filtering
Routers should be programmed to
discard any outbound packets whose source IP address does not belong to
the router’s client networks ("egress filtering"). Likewise,
any inbound IP packets with un-trusted source addresses should be filtered
out before they have a chance to enter the network ("ingress filtering").
Countermeasures for DDoS can also include cooperation from "upstream"
Internet service providers (ISPs) to limit the rate at which packets typically
associated with attacks (SYN and ICMP packets) are sent downstream to
client networks. By rate limiting these particular packets, the effects
of a malicious flood can be minimized without seriously disrupting normal
The Importance of Research and
Development to Improving Cyber Security
Improving cyber security is a multifaceted problem.
As the other witnesses here have testified, part of the task is to ensure
that government agencies charged with warning of and responding to the
problem, such as the NIPC, have adequate resources. This has been a significant
and ongoing problem, which Congress and the Administration should urgently
address. Part of the task also involves creating market incentives for
manufacturers to build security into products from the ground up. This
can be done in part through government purchases, but the biggest incentive
of all is consumer demand - when consumers demand better security, manufacturers
will respond accordingly.
Perhaps most important of all,
is the task of researching and developing new technology to secure the
information infrastructure against attacks. The Internet itself was never
designed with security as a primary consideration. Therefore, the very
foundation of our information infrastructure has embedded within it vulnerabilities
that make it inherently susceptible to attack. And as the use of that
foundation continues to grow exponentially, the vulnerabilities grow as
well, as do the numbers of people who are willing and able to exploit
those vulnerabilities. The ultimate solution, then, lies in developing
technology that builds in security from the ground up; security features
that render networks more resistant, robust, and resilient in the face
Much work is currently underway
in the private sector to develop new virus detection software, firewalls,
and the like. But commercial research is largely focused on existing threats
and near-term, profit-making developments. What remains sorely needed
is research that can look at the mid- and long-term threats. Research
to develop technologies, for which there may be little commercial incentive,
may be vital to protecting the computer networks that underpin our economy
and our national security. As the White House Office of Science and Technology
Policy (OSTP) emphasized a year ago: "The Federal government and
the private sector are now making substantial investments in cyber security
technologies. However, neither the private nor public sectors are adequately
elucidating the fundamental principles that underlie complex, interconnected
infrastructures, or developing key technologies or analytical methodologies
crucial to protecting the information infrastructure. Therefore, government
becomes the only realistic underwriter to ensure that these technologies
ISTS is already playing an important
role in developing such technologies. The following are just a few examples
of significant ongoing work being accomplished at the ISTS in the cyber
System Security Evaluation
Test-bed - This project produces a visual representation
of an attack on a network, yielding insight into network behavior.
Prototypes of this system are under development, with simulation technology
deployable within 2 years.
Software System Protection
- This ISTS research is examining software security models and implementations
that may be based on roles and may use public key or other security
infrastructures. The significance of this research lies in the philosophy
of software security as the primary directive for software architecture
Internet Health Monitoring
System and Data Archive - The increased dependence of our
nation's infrastructure on information technology has created a need
for tools that monitor the health of the Internet and provide early
warning. A prototype system is already operational, with deployment
to test sites expected next year.
Statistically Based Network
Intrusion Detection - This project will provide an increased
detection capability for intrusion detection experts, system administrators,
and investigators. A major derivative of this project is additional
techniques for protecting critical communications infrastructures.
Assessing and Mining of
Data from Network Sensors - This project will permit system administrators
or investigators to perform rapid analyses of a network's health or
disability, leading to the discovery of the commission of cyber attacks
and the gathering of evidence of those attacks. This research is poised
to deliver its agent-based information gathering system.
BGP Data Archive -
This project will assist the tracing of cyber attacks by creating
an archive of Internet routing tables, which can be queried, developing
methods for simulating "trace routes" based on historical
tables. System administrators and law enforcement agents will be enabled
with tools to reconstruct routes for specific dates and times.
Honeynet - The Honeynet
project is a simulated computer or computer networks that both system
administrators and government agencies can use to analyze or track
cyber attackers. This system allows users to monitor attackers' activities
and provides valuable data on attack methods, techniques, and, most
importantly, sharing of information between trusted parties.
Detection of Digital Tampering
- ISTS research is leading to new methods for detecting digital tampering,
including steganography (which some have speculated may be used by
terrorists for covert communication). Experiments on commercial steganography
tools are underway.
Research and development of technology
to enhance cyber security and protect the information infrastructure are
an enormous undertaking, far too big for one academic institution to undertake
alone. Moreover, the necessary expertise is located at many places across
the country. That is why a major goal of ISTS is to establish a collaborative
community of focused research among numerous universities, private companies,
and government agencies nationwide. A significant percentage of ISTS’s
first-year work has taken place outside of Hanover, New Hampshire, at
places like George Mason University in Fairfax, Virginia; Los Alamos National
Laboratories and Sandia National Laboratories in New Mexico; Harvard University
in Cambridge, Massachusetts; the University of Massachusetts; Columbia
University in New York City; the University of Washington in Seattle;
the University of California at Santa Barbara; the University of Michigan;
the University of Tulsa; Mitretek in McLean, Virginia; and BBN Technologies
of Cambridge, Massachusetts. In its second year, ISTS intends to expand
its collaborations by establishing research partnerships with other notable
academic centers of excellence in the computer security and counterterrorism
Beyond this research, the ISTS
is also in the process of establishing a consortium with other academic
centers of excellence, which would form a "virtual" institute
for information infrastructure protection. This institute, which will
be called the Institute for Information Infrastructure Protection (or
"I3P"), is based on the recommendations of several expert groups
over the last three years, including the President’s Committee of Advisors
on Science and Technology (PCAST), a joint study by the White House Office
of Science and Technology Policy and the National Security Council, and
an analysis by the Institute for Defense Analyses for the Department of
Defense. These studies all called for a cyber security R&D institute,
whose mission would be to: (1) develop a national R&D agenda for information
infrastructure protection, which would identify the priority R&D needs;
and (2) fund research directed at those needs.
We are just beginning the outreach
necessary to form this consortium, speaking with the leaders of principal
centers in academia, government and industry about this idea and inviting
their participation. These centers will together form the nucleus of the
I3P, with ISTS serving as the I3P’s executive agent.
With currently available funding
(less than $3 million), the I3P would not be able to fund technology research
and development. Initially, its role would be limited to developing a
national research agenda that will set forth the top computer security
areas requiring research. This agenda would be based on a comprehensive
"needs assessment" that taps the expertise and experience of
the consortium members and other experts in industry, academia, and government.
The development of a national R&D
agenda in itself would constitute a significant accomplishment and provide
great value to the Nation. While there are currently numerous research
activities underway on cyber security in academia, industry, and the government,
there has, to date, been no comprehensive agenda developed, based on the
input of all the relevant experts, to prioritize the main needs. The need
for such an agenda has been emphasized by numerous government and private
sector organizations that have studied the problem, including not only
the PCAST, the IDA, OSTP and NSC, but also the President’s Commission
on Critical Infrastructure Protection, and the Partnership for Critical
This agenda, which will be re-evaluated
and updated each year, can then serve as the blueprint to guide research
conducted at academic and other institutions across the country, including
the members of the I3P consortia and others. It could also be used as
an assessment and measuring tool by government agencies that provide funding
for cyber security research. Similarly, private companies can use the
agenda to develop ideas for commercially sponsored research. If future
funding permits, then the I3P can quickly take on the additional responsibility
of directly funding research that addresses priority items set forth in
the continually evolving national agenda.
In addition to this basic function
of establishing a national R&D agenda, the I3P would serve the critical
function of providing a neutral forum for the exchange of information
among experts in the field concerning network vulnerabilities, technological
developments, and fields of ongoing research. This would create opportunities
for collaboration and enhance ongoing research efforts across all the
Mr. Chairman, I would like to extend my thanks
again to you and the members of the Subcommittee for inviting me to testify
before you today. You have brought attention to a critical issue at an
important juncture, when much of the country’s attention is understandably
focused elsewhere. In light of the continued vulnerability of the Nation’s
information infrastructures, we must ensure in the days, weeks, and months
ahead that we take the necessary steps to protect ourselves against potential
cyber attacks during the war on terrorism. Over the long term, research
and development will play a crucial role in securing the information infrastructure,
and thereby protecting our national security against some of the new threats
we face in the 21st Century.
1: Cyber Attacks During the War on Terrorism: A Predictive Analysis