
Computer Terrorism: What are the risks?

 


Chapter 4: Information Warfare

General

Information Warfare 6 is a hot topic for many armies worldwide, especially in the United States. It is a broad field that groups together several concepts 7 such as electronic warfare, psychological warfare, information and hacker warfare (hackerwar). Dr. John Algiers proposes the following definition [HAENI95]:

Actions taken to achieve information superiority by affecting adversary information, information based processes, and information systems, while defending one's own information, information based processes and information systems.

Winn Schwartau proposes the following classification:

Class 1: Personal Information Warfare

This class covers attacks against individual privacy, including the disclosure of information stored in an unspecified database. We currently have no control over our own data, which is stored in many places: credit card history, bank accounts, medical files, criminal records, etc. In summary, we should remember the following points:

  • Hundreds of databases contain a digital image of our life.
  • Available information is not necessarily accurate.
  • It is almost impossible to correct erroneous information.

Class 2: Corporate Information Warfare

Concretely, this class corresponds today to competition between companies that clash in a merciless war. Industrial espionage is one of the possible activities, but misinformation is a very effective means of getting rid of a competitor. At present, it is very easy to spread rumors worldwide using the Internet. Moreover, it is well known that the more a fact is contradicted, the more public opinion believes it.

Class 3: Global Information Warfare

This type of conflict is aimed at industries, at the whole of the economic forces, at an entire country. In this class, the power of classes 1 and 2 must be multiplied by a large factor. With investments that are ridiculously small compared with those made for "traditional" weapons, a terrorist group or a country can bring a great economic power to its knees. The advantage for the attacker, if it is a developing country, is that it will not be as sensitive to reprisals of a comparable nature. Moreover, it would be very difficult for an industrialized democratic country to answer an attack of this kind with armed reprisals without hurting public opinion [DEVOST95].

Diverging opinions

Certain authors think that the first information war was the Gulf War. The allied coalition led by the United States had total control of information on the battlefield (satellites, AWACS, JSTARS, etc.), whereas Iraq had been deprived of its principal communication infrastructures from the war's first moments.

Others, on the other hand, find that the means employed during the conflict came not only from the "industrial wave" 8 (use of massive bombing) but also from the "information wave" (dropping of "intelligent" bombs on communication centers). For them, this was not a "pure" information war.

Security of military computers

Paradoxically, it was only after the Gulf War that the United States became aware of its vulnerability. At the request of the Pentagon, DISA brought together a team of hackers, gave them access to the Internet, and asked them to break into as many DoD computers as possible. They took control of 88% of the 8900 computers they attacked, and only 4% of the attacks were reported to the people in charge of those computers! By combining these results with 350 detected intrusions by unidentified hackers, they concluded that 300,000 DoD computer intrusions took place in 1994! [MUNRO95]

The military computers that are connected to the Internet generally do not contain confidential information and do not carry out vital tasks. However, these computers are in charge of logistics, accounting, and personnel management, which can be considered sensitive. At the time of the Gulf War, the United States used the Internet to transmit logistics information, sometimes even without encryption. Personnel information can be used to identify potential targets for blackmail or corruption in order to obtain access to confidential information. [BRANDT95] A group of Dutch hackers reportedly offered Saddam Hussein to disrupt the army's communications over the Internet for a million dollars. He reportedly declined the offer. [WALLER95]

 

Dependence of the army on civilian infrastructure

As we saw before, the army has well-protected computers for its critical activities. However, American military bases (this must also be the case in other countries) depend on civilian infrastructure, particularly for power supply and communications. Nearly 95% of the American army's communications use the normal telephone network. Transport of troops by rail or by plane is also done under the control of the civilian infrastructure! [RAND95]

Simulations

To assess the problem of information warfare, the American Defense Department asked the RAND company to lead strategic simulation exercises on this subject [RAND95] [THOMPM95]. Six exercises took place between January and June 1995. The participants were senior officials in charge of national security as well as industrialists from the communication sector. One of the situations was the following:

February 2000.

The crisis: A Middle East state decides the time is ripe for a power grab in the Persian Gulf and directs its threat to an oil-rich neighbor that the United States is pledged to protect. Determined not to repeat Saddam Hussein's mistake, the aggressors elect not to challenge America in a head-on military confrontation. Instead they prepare a more insidious assault. In the United States and abroad among U.S. allies, a pattern of computer mayhem begins to emerge in a cascading sequence of events. Actually, the war has already begun but no one in the United States yet realizes it; keyboard mice, logic bombs and computer viruses don't make much noise.

The attack: A three-hour power blackout in a Middle Eastern city has no reasonable explanation, computer-controlled telephone systems in the United States "crash" or are paralyzed for hours, misrouted freight and passenger trains collide, killing and injuring many passengers; malfunctions of computerized flow-control mechanisms trigger oil refinery explosions and fires . . . electronic "sniffers" sabotage the global financial system by disrupting international fund-transfer networks, causing stocks to plunge on the New York and London exchanges. In America, local automatic teller machines begin randomly crediting or debiting thousands of dollars to customers' accounts; as news spreads across the country, people panic and rush to make withdrawals. Television stations in the Middle East lose control of their programming and a misinformation campaign of unknown orchestration sows widespread confusion. Computerized dial-in attacks paralyze the phone systems at bases where U.S. troops are scheduled to begin deployment; various groups flood the Internet calling for massive rallies to protest U.S. war preparations; computers at U.S. military bases around the world are stricken--slowing down, disconnecting, crashing; more ominous, some of the military's most sophisticated computer-controlled weapon systems are exhibiting flickering screens and other signs of electronic malaise.

From there, the participants in the exercise had 50 minutes to decide what to do...

The principal conclusions drawn from these exercises were:

  • Everyone can attack you.
  • You cannot know what is real.
  • It is difficult to know that you are under attack.

Not everyone in the military believes in this kind of disaster scenario. For Martin Libicki, who teaches at the National Defense University, it is excessive to extrapolate a threat to national security from facts which until now were only electronic versions of a "joyride in a stolen car"!

Various techniques

The goal of this section is to highlight certain techniques that can be used in information warfare and of which the general public is surely unaware.

Chipping

Chipping is the hardware version of a Trojan horse. It consists of adding a function to an electronic component of a weapon (or other hardware) without the purchaser's knowledge, so that if one day this weapon were to be used against the manufacturer's country, it can be neutralized at a distance [WALLER95].

EMP-T Bombs

Since the beginning of the atomic era, the military has worked to protect its electronic systems from the electromagnetic radiation that would be produced during a nuclear explosion. Without adequate protective measures, it is possible to destroy the electronic systems of a country by exploding an atomic bomb at a high altitude.

For years, non-lethal weapons intended to neutralize enemy electronic systems have been under development. According to Winn Schwartau 14, EMP-T bombs (Electro-Magnetic Pulse Transformer) can be built for a few hundred dollars and are able to erase information stored on a magnetic medium within about 200 meters.

Van Eck Radiation

Until now, I have primarily treated cases of hacking that took place because the target computer was connected to the external world, by a computer network or by telephone. If I told you that your personal computer, with no external connection to the world and on which you are writing a confidential report, can reveal your secret to a person who is only one hundred meters from your office, without your knowledge, you would say that it is science fiction.

You are wrong! It is possible. Your computer screen emits radiation, even when it meets the strictest (civil) standards, and it is possible, with adequate equipment, to reconstruct the contents of your screen remotely. This technique was employed by the FBI during the monitoring of Aldrich Ames, a KGB agent found within the CIA.

The term used by the American army to describe this technology is TEMPEST 10 monitoring. Equipment protected from this type of listening is known as TEMPEST certified. The standard 11 defining the details, such as the quantity of emitted radiation authorized in order to avoid any detection, is classified. In the United States, it seems that the use of TEMPEST monitoring 12 is possible by the government without court authorization 13, whereas it is illegal for a private individual or a private company to protect itself! [SELINE89]

Frank Jones, who works in a company producing equipment in the field, amongst other things, of computer security, explains in broad terms [JONES96] how they have designed such detection equipment in order to their customers' computers. Once developed, they successfully tested their hardware on targets such as banks, police stations, cash dispensers, television sets and offices.

If the design of such equipment is within the reach of a team of engineers, then it is extremely probable that bad guys can also procure such equipment without difficulty and use it for criminal activities.

