IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

 

Institute for National

StrategicStudies


WHAT IS INFORMATION WARFARE?

MARTIN LIBICKI

Chapter 7

Hacker Warfare

Winn Schwartau, Note 38 among others, uses the term information warfare to refer almost exclusively to attacks on computer networks. In contrast to physical combat, these attacks are specific to properties of the particular system because the attacks exploit knowable holes in the system's security structure. Note 39 In that sense the system is complicit in its own degradation.

Hacker warfare varies considerably. Attackers can be on site, although the popular imagination can place them anywhere. The intent of an attack can range from total paralysis to intermittent shutdown, random data errors, wholesale theft of information, theft of services (e.g., unpaid-for telephone calls), illicit systems' monitoring (and intelligence collection), the injection of false message traffic, and access to data for the purpose of blackmail. Among the popular devices are viruses, logic bombs, Trojan horses, and sniffers. Note 40

The hacker attacks discussed here are attacks on civilian targets (military hacker attacks come under the rubric of C2 warfare). Note 41 Although attacks on civilian and military targets share some characteristics of offense and defense, military systems tend to be more secure than civilian systems, because they are not designed for public access. Critical systems are often disconnected from all others -- "air gapped," as it were, by a physical separation between those system and all others.

From an operational point of view, civilian systems can be attacked at physical, syntactic, and semantic levels. Here, the focus is on syntactic attacks, which affect bit movement. Concern for physical attacks (see above, on C2W) is relatively low Note 42 (although some big computers on Wall Street can be disabled by going after the little computers that control their air-conditioning). Semantic attacks (which affect the meaning of what computers receive from elsewhere) are covered below, under cyberwarfare.

Hacker warfare can be further differentiated into defensive and offensive operations. The debate on defensive hacker warfare concerns the appropriate role for the DoD in safeguarding nonmilitary computers. The debate on offensive hacker warfare concerns whether it should take place at all. In contrast to, say, proponents of tank or submarine warfare, only a few hackers argue that the best defense against a hacker attack is a hacker attack.

Whether hacker warfare is a useful instrument of policy is a question that defense analysts and science fiction writers may be equally well placed to answer. Hacker warfare would, without doubt, be a new form of conflict, but it raises not only the usual questions -- is it real, is it war -- but also a third: should the United States wage it?

Is it Real?

Perhaps emblematic of the new concern about hacker warfare among defense analysts, in November 1994 the dean of the breed, Eliot Cohen, mentioned it three times in an analysis of the future defense posture of the United States Note 43 Incidents of network penetration by hackers are on the increase, rising faster than the total population of the Internet. The total cost of silicon fraud is several billion dollars (although two-thirds of that total consists of toll-call fraud perpetrated through private branch exchange [PBX] telephone switches).

It seems excessive, however, to extract a threat to national security from what, until now, has been largely a high-tech version of car theft and joy-riding. Even though many computer systems run with insufficient regard for network security, computer systems can nevertheless be made secure. They can be (not counting traitors on the inside), in ways that, say, neither a building nor a tank can be.

To start with the obvious method, a computer system that receives no input whatsoever from the outside world cannot be broken into. If the original software is trusted (and the National Security Agency [NSA] has developed multilayer tests of trustworthiness), the system is secure (whether the system functions well is a separate issue). A system of this sort is, of course, of limited value. The real concern is to allow systems to accept input from outside without at the same time allowing core operating programs to be compromised. One way to prevent compromise is to handle all inputs as data to be parsed (a process in which the computer decides what to do by analyzing what the message says) rather than as code to be executed directly. Security then consists of ensuring that no combination of computer responses to messages can affect a core operating program, directly or indirectly (almost all randomly generated data tend to result in error messages when parsed). Note 44

Unfortunately, systems need to accept changes to core operating programs, all the time. The trick is to draw a tight curtain of security around the few superusers granted the right to initiate changes. Although they might complain, their access methods could be tightly controlled (they might, for instance, work only from particular terminals that were hardwired to the network, which is an option in Digital's VAX operating system). The rapid speed and greater bandwidth of today's computers have made ubiquitous use of encryption and digital signatures possible. A digital signature establishes a traceable link from input back to the user attempting to pass rogue data into the system, and although it will not prevent all tampering (e.g., bugs in the parsing engine), it can eliminate most avenues of attack on a system. Note 45

Stringent security may make certain innovations in the global network difficult to implement, such as the practice of communicating by exchanging software objects (which bind potentially unsafe executable code to benign data). Systems can (with work) be designed to retain full functionality in face of necessary restrictions. Security comes with costs, particularly if legacy and otherwise reliable operating systems (e.g., Unix) must be rewritten in order to minimize security holes. If the threat is big enough, the dollars spent to protect mission-critical national systems may not seem so large. At present, civilian mission- critical systems can, for policy purposes, be limited to those that run phone lines, energy, and other utility systems, transfer funds transfer networks, and maintain safety systems.

One reason computer security lags is that incidents of breaking in so far have not been compelling. Note 46 Although many facilities have been entered through their Internet gateways, the Internet itself has only once been brought down (by the infamous Morris worm). The difficulty in extrapolating from the current spate of attacks on the Internet is that the Internet was designed to trust the kindness of strangers. If it is to be considered a mission-critical system for which compromise is a serious problem, it must evolve and will necessarily become more secure. Note 47

Although the signalling systems that govern the nation's telephones have permitted hackers to affect service to specific customers, the system itself has yet to experience a catastrophic failure from attack. None of the few broad phone outages that have occurred has been shown to have been caused by anything other than faulty software. Note 48 No financial system has ever had its basic integrity become suspect (although intermittent failures occur, such as NASDAQ's frequent problems). An analogy has been drawn between the threat of hacking and the security of the nation's rail system: train tracks, especially unprotected tracks in rural countryside, are easy to sabotage, and with grimmer results than network failure, but such incidents are rare.

Although important computer systems can be secured against hacker attacks at modest cost in usability, that does not mean that they will be secured. Increasing and increasingly sophisticated attempts may be the best guarantor that national computer systems will be made secure. The worst possibility is that the absence of important incidents will lull systems administrators into inattention, allowing some organized group to plot and initiate a broad, simultaneous, disruptive attack across a variety of critical systems. The barn door closes but the prize racehorse has been lost. Are today's hackers doing us a favor? Not everyone thinks so; Dorothy Denning, of Georgetown University, has argued that today's volume of random hacking raises the sophistication of hackers, thus raising the cost of recapturing the desired level of systems security. Note 49

Is it useful to test systems against hackers the way new software is tested against computer illiterates? Probably. Much of hacking is determining the construction of a system -- which rarely is obvious to the outside user -- that is, finding where the holes are and pinpointing and exploiting them. Testers could be given the source code that says how the system works and set the problem of converting that into the kind of search for holes hackers undertake to see if they can punch through. If the job of testers is to make systems foolproof, they can test faster than hackers can hack (but if it consists of obscuring the faults, their thorough knowledge of the system prevents them from testing how well the system can protect itself through self-obfuscation).

Perhaps the most pernicious aspect of hacker warfare is that by creating a dense aura of magic around hacking it raises the status of professional paranoids. One particularly egregious hobgoblin has whispered that deliberate flaws are planted from overseas in a popular computer chip or operating system and that the flaws can disable the world's microcomputer systems just when the United States will be confounded by an opponent's military challenge. Getting two such events to coincide would in itself be an engineering tour de force. Note 50

All told, hacker warfare appears to be a problem that is not a problem until it is a problem, when it will shortly cease to be a problem.

Is it war?

Hacker attacks on military information systems can reinforce conventional military operations as well as any other form of information warfare. Crucial military systems are supposed to be designed with sufficient security and redundancy (and sufficient separateness from the rest of the world) to defeat such attacks. Note 51

Hacker attacks on commercial information systems, precisely orchestrated, can distract the political leadership from national security duties. How effective are hacker attacks as warfare? That is, what power do hacker attacks have to affect the power of the state to defend its vital interests?

A flurry of hacker attacks can rival terrorist attacks for annoyance value, and, indeed, can disrupt the lives of more people. Is annoyance without political content an act of war? Can hacker attacks force change any more than terrorist attacks do? If so, repeated terrorist attacks would have to tire the target populace and erode support for countering those for whom the terrorists work. Yet hacker warfare depends for effect on specific, thus remediable, characteristics of the target system. Repeated attacks presume either a population of doltish systems administrators or increasingly clever hackers. Can either be counted on? Applying the terrorist model, again, perhaps hacker attacks could force change by inducing repressive state countermeasures, which then would alienate uninvolved citizenry. But hacker warfare is not liable to set off random repression of undesirables. Although populations may chafe a bit at computer security measures instituted in the wake of attacks, such measures are a long way from invading houses and hauling the usual suspects off to police headquarters.

In its ability to bring a country to its knees, hacker warfare is a pale shadow of economic warfare, itself of limited value. Suppose that hackers could shut down all phone service (and, with that, say, credit card purchases) nationwide for a week. The event would be disruptive certainly and costly (more so every year), but probably less disruptive than certain natural events, such as snow, flood, fire, or earthquake -- indeed, far less so in terms of lost output than a modest-size recession. Would such a hacker attack prompt the U.S. public to demand the United States disengage from opposing the state that perpetrated the countermove, just because of great inconvenience? Probably not. The United States is more likely to disengage from an overseas conflict in the face of opponents whose neighborhoods are judged less important than initially estimated. It is less likely to withdraw in the face of an opponent whose power to strike the U.S. economic system suggests why this opponent must be dealt with harshly. Note 52

Should the United States Wage Hacker Warfare?

The answer depends on whether defensive or offensive hacker warfare is intended. Defensive hacker warfare is an essential but everyday task of bolstering network security. Few doubt that military information systems should be guarded against attack (unclassified open-logistics system are of particular concern); the same is true for mission-critical civilian systems, and perhaps even for the coming national information infrastructure.

Should the government ensure the security of systems critical to the national economy? On one hand, threatening the economy by targeting its systems may affect the state. On the other hand, is systems security a problem whose solution should be socialized rather than remain private? If a foreign missile hits a refinery that blows up and damages its neighborhood, would the damage be refiner's fault? No: the problem has been socialized in that the United States has a military to protect itself against such attacks. If a gunman hits a refinery tower and causes a similar explosion, would that be the refiner's fault? Yes and no: the problem is partially socialized through public law enforcement. Yet, the refiner -- as an owner of potentially dangerous equipment -- is reasonably expected to take precautions (e.g., perimeter fencing, security guards). If a hacker on the Internet gains access to the refiner's system and commands a valve to stay open, creating an explosion and damaging the neighborhood, should the refiner be at fault? Yes: it should know everything about its information systems whereas the government may now absolutely nothing. Thus, the refiner should be responsible for protecting its internal systems and ensuring that software-generated events (e.g., software bugs) cannot do catastrophic damage. If a bank's deposit records were destroyed, do the depositors lose their money? No: a deposit constitutes a promise made by the bank to replay a loan. The bank's legal obligations cannot be erased by erasing its silicon memory of these obligations.

If the government is to protect the security of non military systems, which agency should take the lead? The NSA clearly has the greatest expertise, yet in civilian circles it also one of the least trusted agencies because of the highly classified nature of most of what it does. Note 53 If and when network security receives more attention, adherence to minimal standards of security may become a precondition for federal regulatory approval (e.g., phone system or power-generation franchises often carry legal obligations for certain levels of assured service), for federal contract approval (e.g., bank systems), or for handling certain records (e.g., personal health data). Care must be taken lest the criteria used to define adequate security reflect military specifications (MILSPECs) and the array of threats particular to military systems, rather than criteria more appropriate to critical civilian networks.

The question of whether to develop a U.S. capability for offensive hacker warfare echoes arguments attendant on any discussion of nouvelle weaponry. If the United States forgoes, will others also forgo? Analogies to atomic weaponry suggest that hacker offensive warfare is not at all like atomic warfare (where linkages existed between the level of U.S. and Soviet stockpiles and delivery systems). Nations against which the United States might be preparing hacker warfare capabilities are less likely to react to U.S. capabilities than those against whom the United States might be preparing nuclear capabilities (in part because hacker warfare capabilities tend to be developed in and need to be used in great secrecy). It is also difficult to argue that attacking a society's computers with malevolent software is especially immoral when almost all are other targets are acceptable.

The argument against developing a capability for offensive hacker warfare concerns glass houses and stones. The United States is far more dependent on computer systems than other nations are. Note 54 The U.S. edge in perpetrating hacker attacks may be narrower than imagined. Roughly 60 percent of the doctorates granted here in computer science and security are awarded to citizens of foreign countries, two-thirds from Islamic countries or India. Analogies to biological warfare suggest that the United States should stop contemplating certain types of attacks until it has developed antidotes for them. It would be quite embarrassing if a virus intended for another country's computer systems leaked and contaminated ours.

Defensive hacker warfare presents a fundamental barrier to offensive hacker warfare. One way to promote the security of U.S. systems is to develop and distribute tools, tests, and code that ease the burden of securing civilian systems, and, thus, many multinational systems. If the tools have merit, potential adversaries will install them, too. Trap doors could be built into these products, but pulling that off requires greater cooperation between the vendors of systems security and the U.S. government Note 55 than the current debate over the Clipper chip suggests may be possible.

As the world becomes interlinked, most defenses the U.S. might employ defend not only this country but others as well. Out of the desire to ensure that U.S. corporations deposits in banks in foreign countries are secure, the United States cannot help promoting operational practices that in turn ensure that the deposits of evil dictators in the same bank are equally secure. Because hacking is cheap, nations at war might as well see what mischief it can be used to cause, and those that fall victims to such attacks will then have only themselves to blame.

|Table of Contents | Next Chapter |