DISASTER RECOVERY JOURNAL
The Real Threat: Cyberwarfare Threat Implications for FEMA

By Glenn Fiedelholtz
Information warfare (IW) is not new in the United States. The Department of Defense (DOD) has for approximately 30 years been preparing for and defending against our adversaries’ employment of IW. However, with the Sept. 11, 2001, attacks against the United States, the possibility of cyber attacks against our infrastructure has dramatically increased. That attack illustrates the terrorists’ use of new tactics to further their ideological aims by causing casualties and economic disruption in our society. IW is therefore not merely an emerging threat but may already be a reality.
Louis J. Freeh, former director of the Federal Bureau of Investigation (FBI), stated in his testimony before the Senate Subcommittee for Technology, Terrorism and Government Information that terrorists are increasingly using the Internet to formulate plans, raise funds, spread propaganda, and communicate securely. Freeh cited Director Tenet of the Central Intelligence Agency (CIA) as supporting his assertion that terrorist groups are increasingly utilizing computer files, e-mail, and encryption to support terrorist operations both domestically and internationally.

In one example of cyberspace terrorism, the former director reported that convicted terrorist Ramzi Yousef, the mastermind of the 1993 World Trade Center bombing, stored detailed plans to destroy United States airliners in encrypted files on his laptop computer, with the intent of instructing terrorist groups to commit terrorist acts against the United States.

Similarly, Osama bin Laden, the mastermind of the Sept. 11, 2001, attacks on the World Trade Center, may have used the Internet to communicate with his co-conspirators to coordinate the murder of 3,000 innocent civilians.
The general definition of IW comprises those actions taken to protect, exploit, corrupt, deny, or destroy information or information resources in order to achieve a significant advantage, objective, or victory over an adversary.
Introduction and Background

Department of Defense Advanced Research Projects Agency ARPANET

It was not until the 1960s that computers began to be interconnected, initially on local area networks within an organization. By 1969, the first wide area network was operating in the United States. Named after its sponsor, this computer network was referred to as the Department of Defense (DOD) Advanced Research Projects Agency network, or ARPANET. The DOD organization was connected to the Stanford Research Institute, the University of California at Los Angeles, the University of California at Santa Barbara, and the University of Utah. The network eventually evolved into the Internet – a network of networks that spans the globe.

When the DOD ARPANET was finally decommissioned in 1990, there were more than 300,000 hosts on the Internet. This jumped to 1 million in 1992, 10 million in 1996, and 30 million by 1998. Some estimates indicated that the Internet’s online population would leap to over 1 billion by the year 2003. The growth of this interconnected system has demonstrated that a cyber attack in one part of the infrastructure can cascade to affect dozens or hundreds of other critical infrastructure systems.
Internet Transmission Control Protocol

The Internet is based on a collection of public-domain protocols, which include the Transmission Control Protocol (TCP) and the Internet Protocol (IP). These protocols specify the rules by which one computer talks to another and how messages are routed. The TCP/IP suite is now commonly used on internal corporate networks (intranets) and external corporate networks (extranets). Extranets link a corporation’s separate facilities and provide connections to customers, partners, and suppliers. Use of these standard protocols allows interoperability across networks. While this facilitates communication and sharing, it also has a drawback: vulnerabilities can be pervasive across computer platforms and organizations, allowing thousands of systems to be swept up in a single attack.
Asymmetric Threats

Because terrorists cannot defeat the United States in terms of conventional military or economic power, they may resort to “asymmetric attacks” or IW to sabotage our computer networks. It is these asymmetric attacks that FEMA must be prepared to defend against. Lessons learned from FEMA’s Y2K experience can be utilized to mitigate these possible future attacks.

Often an IW attack by terrorists will be indistinguishable from the “computer glitches” that result from everyday computer use. Because of the federal concern over future IW attacks against the computer infrastructure, the federal government is proposing a wide range of countermeasure initiatives, including the establishment of a Federal Intrusion Detection Network (FIDNet), discussed in greater detail later.
Legislative History

Critical Infrastructure Coordination Group – PDD 63

On May 22, 1998, the Clinton administration issued Presidential Decision Directive (PDD) 63, which addressed the threat to our interconnected infrastructures; in particular, this directive set policies for countering terrorism and protecting the infrastructure. The following are current legislative actions in response to the present IW threat. The Critical Infrastructure Coordination Group will coordinate interagency implementation under the authority of PDD 63.

Improvements in National Capabilities

Among these actions is the mandated creation of national centers to alert the country in the event of an attack on U.S. information systems. The most important is the National Infrastructure Protection Center (NIPC), located within the Department of Homeland Security (Information Analysis and Infrastructure Protection); the NIPC will act as an assessment, warning, vulnerability detection, and law enforcement investigation and response entity for cyberattacks against the federal government.
Characteristics of Information Warfare

- A new IW challenge: poorly understood IW vulnerabilities and targets diminish the effectiveness of classical intelligence collection and analysis methods. A new field of analysis focused on strategic IW may have to be developed.
- Tactical warning and attack assessment present a formidable challenge and need to be improved. There is currently no adequate warning system for distinguishing between strategic IW attacks and other kinds of cyberspace activities, including espionage.

Recently, two forms of IW cyberattacks have been successful in disrupting U.S. computer systems:
Denial-of-Service Attacks

As recently as Feb. 7, 2000, there were significant cyber attacks against U.S. commercial civilian infrastructure on the Internet – Amazon.com, eBay, ETrade and others – that disabled the sites. Computer experts designate these cyber attacks as distributed denial-of-service attacks; they interrupt commercial trade and consequently have an adverse economic impact on the affected businesses. Although the most recent distributed denial-of-service attack did not cripple long-term commercial interests on the Internet, the frequency of these attacks, as well as their scope and damage, is increasing. Moreover, it illustrates that the Internet is extremely vulnerable to external threats and may need additional federal countermeasures beyond the existing capabilities of the FBI’s NIPC to combat the threat.
Viruses

Recently, a rogue worm program, borne by an “I Love You” message, was propelled around the world, jamming and crashing e-mail systems and destroying data on hundreds of thousands of computers. Underscoring how interconnected the world’s personal computers have become, the program also made its impact felt in government, including the White House, the Pentagon, Congress, and the British House of Commons.
Foreign IW Programs

At present, more than a dozen nations, including Russia and China and such potentially hostile states as Libya, Iraq, and Iran, are known to have active IW programs. Foreign teams have broken into both U.S. government and corporate computer systems to find vulnerable points and, perhaps, to deposit unseen digital “trap doors” and logic bombs.

The United States has substantial information-based infrastructure resources on the Internet, including the control of electric power, money flow, air traffic, oil and gas, and other interdependent systems. Conceptually, if and when potential adversaries attempt to damage these systems using IW techniques, the result will be a major adverse effect on the national security of the United States. As stated above, adversaries may take advantage of our networks because it will be impossible to distinguish between computer breakdowns and IW attacks.
Vectors for Terrorist Threats

Recognizing that on Feb. 7, 2000, United States computer network systems were attacked and that terrorists’ cyber attacks are increasing, it is important to identify in general terms the nature of these threats and how our adversaries can utilize them to potentially disrupt our critical infrastructure computer networks. IW can be employed by our enemies to disrupt our networks from inside or outside the targeted organization.
Insider Threats

The insider threat to the security of U.S. computer networks is very serious. Penetration of information systems and networks can be accomplished by inserting bad code or data, running password-cracking programs, and misusing security analysis tools intended for auditing networks.

A significant amount of information is passed along to the outside hacker by an insider in a particular organization, usually in the form of passwords. In addition, Internet service providers and commercial computer system administrators will often unwittingly volunteer information about the configurations and frailties of their own computer systems to potential hackers.

- Data attacks occur when an opponent inserts data into an information system to make the system malfunction or to trick it into performing unauthorized actions or responses.
- Software attacks can resemble data attacks because software itself often resembles data and can be handled as data. Software, like data, can be transferred through media such as tapes and disks or can be transmitted over cable, glass fiber, or radio links.

The more sophisticated versions of software attacks are designed to elude detection and even to take countermeasures against would-be defenders. The best-known forms of software attacks are probably computer viruses, but there are others, such as “trap doors” that, once installed, allow a hostile party continual access to disrupt a system.
Outsider Threats

Defending against outside computer attacks usually involves building better defenses or protective measures (encryption, physical isolation of especially sensitive systems, and firewalls that bar outsiders from reaching designated areas of networks).

Hacking consists of seizing or attempting to exploit an information system – or a vital part of an information system – to disrupt, deny, use, or steal resources, steal data of value, monitor surreptitiously, or otherwise cause harm. In essence, hacking refers to unauthorized entry into an information system by those who seek to interact with its workings to cause mischief, fraud, theft, deception, destruction, or some other harm. A significant amount of information on both hacker tools and targets can be obtained from open sources – the Internet, conferences, and public libraries.

The difficulty in responding to an IW attack against our computer networks lies in identifying the attacker. These strikes are often anonymous and therefore difficult to retaliate against. However, it is important that, confronted with the IW threat, FEMA and other federal agencies execute their continuity-of-operations plans and ensure that the government’s essential services to the American people are maintained.
Federal Warning Cyber-System Capabilities

National Infrastructure Protection Center

The National Infrastructure Protection Center was established in 1998 by the FBI. Its mission is to serve as an interagency national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. In addition to more frequent distributed denial-of-service attacks – a 36 percent increase from 1999 – there have been significant increases in the use of cyberspace for terrorist purposes against the United States. The NIPC is an interagency center operating within the Department of Homeland Security.
Federal Intrusion Detection Network (FIDNet)

Unauthorized intrusions into federal computer systems threaten not only the delivery of vital government services to the public but also the privacy and civil liberties of American citizens, since data stored on these computers can contain private information such as taxpayer information or veterans’ medical records.

The proposed FIDNet will operate as a burglar alarm for critical computer networks at civilian federal agencies. FIDNet will connect the various agency intrusion-detection systems to an analysis and warning center located at the Federal Computer Incident Response Capability (FedCIRC) within the General Services Administration (GSA). Intrusion detection systems are designed to sound an alarm whenever they detect anomalous network activity that could threaten the integrity of the network.

Many federal agencies have installed intrusion detection systems on individual computers. These systems allow system administrators to detect unauthorized intrusions before attackers are able to gain access to critical data or inject malicious code into the agency’s computers. While effective, the installation of intrusion detection systems on individual computer systems or networks does not by itself provide adequate protection of the federal government’s critical infrastructure. In order to understand the threat of IW, it is important to be cognizant of the characteristics of strategic information warfare.
Lessons Learned From the Eligible Receiver Exercise

Evidence of the seriousness of the IW threat to U.S. infrastructure can be observed in the National Security Agency’s (NSA’s) Eligible Receiver exercise of June 1998. The exercise was designed to test the national ability to respond to an IW attack. Using software widely available from hacker Web sites, the attackers proved that they could have disabled portions of the U.S. electric power grid.

Agents pretending to be North Koreans infiltrated the command and control facilities of the U.S. Pacific Command in Honolulu. This exercise demonstrated U.S. enemies’ ability to neutralize most U.S. armed forces from Okinawa to San Diego for many hours without firing a shot. Appearing before the Senate judiciary subcommittee on technology, terrorism, and government, IW experts stated that the success of the red team demonstrated that it doesn’t take a lot of people to interrupt our critical infrastructure.

Specialized computer viruses, Trojan horses, and trap doors designed specifically for IW, possibly based on biological models that allow them to evolve and adapt in order to evade detection or eradication, were used for this exercise. Viruses can be included in the content of e-mail or attachments and on floppy disks. When the user opens the attachment or inserts the diskette, the virus is unleashed. In these situations, the integrity of both the medium carrying the virus and the computer is compromised.
Recommendations

Cyberwarfare Best Practices and Concept of Operations Plan

Because the IW terrorist threat is increasing dramatically, as evidenced by the “I Love You” virus, it is important that FEMA’s plans, policies, and procedures be updated, tested, and evaluated in response to potential or actual computer problems, and that their consequences for the critical infrastructure sectors of American society be mitigated. We need to ensure that the integrity of our critical infrastructure – for example, transportation, communication, 911, and energy facilities – is maintained in order to efficiently dispatch emergency personnel to a disaster scene.

Furthermore, because of the unique nature of the problem and its potential scope, it is important that FEMA preparedness activities be robust. For example, a best practices manual and a cyberwarfare annex with a concept of operations plan are needed. The concept of operations plan will be a joint effort with the Response and Recovery Directorate and will clearly delineate the roles and responsibilities of the Federal Response Plan signatories and the federal and regional emergency personnel responding to an actual IW event. The lessons learned from Y2K can be a foundation for FEMA’s Cyberwarfare Plan.

Cyberwarfare Public Education

Although the probability of an IW attack is much lower than that of a natural or technological disaster, the damage that a cyberattack can do to the U.S. critical infrastructure is considerable. Therefore, FEMA should allocate funding for training emergency personnel to respond to a cyber attack. Moreover, the focus of the funding and resources concerning this problem should be public education of all local, state, and federal emergency personnel.
Glenn Fiedelholtz, a former senior counterterrorist analyst for the Federal Emergency Management Agency (FEMA) from 1998 to 2001, is a senior analyst at Analytic Services (ANSER) in Arlington, Va. He participated in the Harvard Kennedy School executive session on domestic preparedness and wrote the Top Officials II scenario. He has written policy papers for the White House National Security Council, the FBI, and other federal departments and agencies involved in preparedness for and response to terrorist incidents. He has extensive experience in exercise planning, development, execution, and controller evaluation. Fiedelholtz has developed planning guidance for local, state, and federal governments concerning weapons of mass destruction, and he has briefed senior FBI and FEMA staff in response to terrorist events.
©Copyright 2004 Systems Support Inc. All rights reserved. Reproduction in whole or in part in any form or medium without the express written permission of Systems Support Inc. is prohibited.