Computer Terrorism: What are the risks?
Chapter 4: Information Warfare
General
Information Warfare is a hot topic for many armies worldwide, especially
in the United States. It is a large field, grouping together several
concepts such as electronic warfare, psychological warfare, information
and hacker warfare (hackerwar). Dr. John Algiers proposes the following
definition [HAENI95]:
Actions taken to achieve information superiority by affecting adversary
information, information based processes, and information systems, while
defending one's own information, information based processes and information
systems.
Winn Schwartau proposes the following classification:
Class 1: Personal Information Warfare
This class covers attacks against individual privacy, including the
disclosure of information stored in an unspecified data base. We currently
have no control over our own data, which is stored all over the place:
credit card history, banking accounts, medical files, criminal records,
etc. In summary, we should remember the following points:
- Hundreds of data bases contain a digital image of our life.
- Available information is not necessarily accurate.
- It is almost impossible to correct erroneous information.
Class 2: Corporate Information Warfare
In concrete terms, this class today corresponds to competition between
companies that clash in a merciless war. Industrial espionage is one of
the possible activities, but misinformation is a very effective means of
getting rid of a competitor. It is now very easy to launch rumors with
worldwide reach using the Internet. Moreover, it is well known that the
more a fact is contradicted, the more public opinion believes it.
Class 3: Global Information Warfare
This type of conflict is aimed at industries, at the whole of the economic
forces, at an entire country. In this class, the power of classes 1 and 2
must be multiplied by a large factor. With an investment that is
ridiculously small compared with what "traditional" weapons require, it is
possible for a terrorist group or a country to bring a great economic
power to its knees. The advantage for the attacker, if it is a developing
country, is that it will not be as sensitive to reprisals of a comparable
nature. Moreover, it would be very difficult for an industrialized
democratic country to answer an attack of this kind with armed reprisals
without hurting public opinion [DEVOST95].
Diverging opinions
Certain authors think that the first information war was the Gulf War.
The allied coalition led by the United States had total control of
information on the battlefield (satellites, AWACS, JSTARS, etc.), whereas
Iraq had been deprived of its principal communication infrastructures from
the war's first moments.
Others, on the other hand, find that the means employed during the conflict
belonged not only to the "information wave" (dropping of "intelligent"
bombs on communication centers) but also to the "industrial wave" (use of
massive bombing). For them, this war was not a "pure" information war.
Security of military computers
Paradoxically, it was only after the Gulf War that the United States
became aware of its vulnerability. At the request of the Pentagon, DISA
brought together a team of hackers, gave them access to the Internet, and
asked them to break into as many DoD computers as possible. They took
control of 88% of the 8900 computers which they attacked, and only 4% of
the attacks were reported to the people in charge of the computers!
Combining these results with 350 detected intrusions coming from
unidentified hackers, they concluded that 300,000 DoD computer intrusions
took place in 1994! [MUNRO95]
The military computers which are connected to the Internet generally do
not contain confidential information and do not carry out vital tasks.
However, these computers are in charge of logistics, accounting, and
personnel management, which can prove sensitive. At the time of the Gulf
War the United States used the Internet to transmit logistics information,
sometimes even without encryption. Personnel information can be used to
identify potential targets for blackmail or corruption in order to obtain
access to confidential information. [BRANDT95]
A group of Dutch hackers reportedly offered Saddam Hussein to disrupt
the army's communications over the Internet for a million dollars. He
reportedly declined the offer. [WALLER95]
Dependence of the army on civil infrastructures
As we saw before, the army has well protected computers for its critical
activities. However, American military bases (this must also be the case
in other countries) depend upon civil infrastructures, particularly for
power supply and communications. Nearly 95% of the American army's
communications use the normal telephone network. Transport of troops by
rail or by plane is also done under the control of the civilian
infrastructure! [RAND95]
Simulations
In order to assess the problem of information warfare, the American
Defense Department asked the company RAND to conduct strategic simulation
exercises on this subject [RAND95] [THOMPM95]. Six exercises took place
between January and June 1995. The participants were highly placed persons
in charge of national security as well as industrialists from the
communication sector. One of the situations was the following:
February 2000.
The crisis: A Middle East state decides the time is ripe for a power
grab in the Persian Gulf and directs its threat to an oil-rich neighbor
that the United States is pledged to protect. Determined not to repeat
Saddam Hussein's mistake, the aggressors elect not to challenge America
in a head-on military confrontation. Instead they prepare a more insidious
assault. In the United States and abroad among U.S. allies, a pattern
of computer mayhem begins to emerge in a cascading sequence of events.
Actually, the war has already begun but no one in the United States yet
realizes it; keyboard mice, logic bombs and computer viruses don't make
much noise.
The attack: A three-hour power blackout in a Middle Eastern city has no
reasonable explanation, computer-controlled telephone systems in the United
States "crash" or are paralyzed for hours, misrouted freight
and passenger trains collide, killing and injuring many passengers; malfunctions
of computerized flow-control mechanisms trigger oil refinery explosions
and fires . . . electronic "sniffers" sabotage the global financial
system by disrupting international fund-transfer networks, causing stocks
to plunge on the New York and London exchanges. In America, local automatic
teller machines begin randomly crediting or debiting thousands of dollars
to customers' accounts; as news spreads across the country, people panic
and rush to make withdrawals. Television stations in the Middle East lose
control of their programming and a misinformation campaign of unknown
orchestration sows widespread confusion. Computerized dial-in attacks
paralyze the phone systems at bases where U.S. troops are scheduled to
begin deployment; various groups flood the Internet calling for massive
rallies to protest U.S. war preparations; computers at U.S. military bases
around the world are stricken--slowing down, disconnecting, crashing;
more ominous, some of the military's most sophisticated computer-controlled
weapon systems are exhibiting flickering screens and other signs of electronic
malaise.
From there, the participants in the exercise had 50 minutes to decide what
to do...
The principal conclusions drawn from these exercises were:
- Everyone can attack you.
- You cannot know what is real.
- It is difficult to know that you are under attack.
Not everyone in the military believes in this kind of disaster scenario.
For Martin Libicki, teacher at the National Defense University, it is
excessive to extrapolate a threat to national security from facts which
until now were only electronic versions of a "joyride in a stolen car"!
Various techniques
The goal of this section is to highlight certain techniques usable in
information warfare of which the general public is surely unaware.
Chipping
Chipping is the hardware version of a Trojan horse. It consists of adding
a function, without the knowledge of the purchaser, to an electronic
component of a weapon (or other hardware), so that if one day this weapon
were to be used against the manufacturer's country, it could be
neutralized remotely [WALLER95].
EMP-T Bombs
Since the beginning of the atomic era, the military has worked to protect
its electronic systems from the electromagnetic radiation that would be
produced during a nuclear explosion. Without adequate protective measures,
it is possible to destroy the electronic systems of a country by exploding
an atomic bomb at a high altitude.
For years, non-lethal weapons intended to neutralize enemy electronic
systems have been under development. According to Winn Schwartau, EMP-T
bombs (Electro-Magnetic Pulse Transformer) can be built for a few hundred
dollars, and are able to erase information stored on a magnetic medium
within about 200 meters.
Van Eck Radiation
Until now, I have primarily treated cases of hacking which took place
because the target computer was connected to the external world, by a
computer network or by telephone. If I told you that your personal
computer, with no external connection to the world and on which you are
writing a confidential report, can reveal your secret to a person who is
only one hundred meters from your office, without your knowledge, you
would say that it is science fiction.
You are wrong! It is possible. Your computer screen emits radiation, even
when it meets the strictest (civil) standards, and it is possible, with
adequate equipment, to reconstitute the contents of your screen remotely.
This technique was employed by the FBI during the monitoring of Aldrich
Ames, a KGB agent uncovered within the CIA.
The term used by the American army to describe this technology is TEMPEST
monitoring. Equipment protected from this type of listening is known as
TEMPEST certified. The standard defining the details, such as the quantity
of emitted radiation authorized in order to avoid any detection, is
classified. In the United States, it seems that the use of TEMPEST
monitoring is possible by the government without court authorization,
whereas it is illegal for a private individual or a private company to
protect themselves! [SELINE89]
Frank Jones, who works in a company producing equipment in the field of,
amongst other things, computer security, explains in broad terms [JONES96]
how they have designed such detection equipment in order to their customers'
computers. Once developed, they successfully tested their hardware, on
targets such as banks, police stations, banknote distributors, television
sets and offices.
If the design of such equipment is within the range of a team of engineers,
then it is extremely probable that bad guys can also procure such equipment
without problem to devote themselves to criminal activities.