INLS 187 - Information
Security
Future Forecast - Cyberwarfare and its Implications on Information Security
February 08, 2003
As American troops prepare themselves for possible confrontations in Iraq and North Korea soldiers of a different kind must prepare themselves for a different type of battle. Cyberwarfare might see its first full fledged use in the forthcoming skirmish from both sides of the trenches. I would like to take this opportunity to explore the topic and offer my predications on it and its ramifications for information security.
Worldwide use of information technology for communication and data storage has risen dramatically over the last 10 years with its increasing speeds. This means that modern military efforts will be focused on disrupting these types of communications. Military hackers and crackers from both sides of the war will be attempting to try and break into each other's systems in an effort to dislodge information for a tactical advantage, plant misinformation, or to just jam all systems and cripple critical infrastructure.
American President George W. Bush has recently called for an outline for planned and orchestrated cyberattacks by trained troops, "Bush Orders Guidelines for Cyberwarfare" (1). President Bush has, "signed a secret directive ordering the government to develop, for the first time, national-level guidance for determining when and how the United States would launch cyber-attacks against enemy computer networks...".
What does this mean? Well it says that for the first time in public knowledge America will be taking the offensive in a cyberattack on a foreign country. After being the target for many years the US will be striking back with a number of weapons that it has been developing.
In "White House Officials Debating Rules for Cyberwarfare" (2) Richard C. Clarke, retiring head of the Office of Cyberspace Security, said that "Our goal is not to prevent cyberattacks but to withstand them". This is a completely logical statement to make because regardless of how secure a system is there are always vulnerabilities. Even the most fortified castle always has a weak point but a wise tactician is knowledgeable about the weaknesses and uses it to their advantage. If you can watch over the unprotected or weak areas you may be able to snare cyberthreats and turn the tables on them.
So how is a system administrator charged with the information's security go about securing his system from attack from a foreign national? Well the simple answer that a nonmilitary person could give is to make sure that your system and all of its software is up to date on all mission critical patches, that all users have rock solid passwords, and constantly checking listservs and other communication areas for news and alerts. By running simple and complex in-house cracking tools to try and exploit your own systems you could insure its integrity and possibly keep out crackers.
While the United States government is attempting to implement policy that would create a national information security directive I see this as a future failure because of the dynamic nature of computers. By attempting to create a uniform policy it will fail to take in account the different kinds of computers and servers in the world and call for some idiotic changes. This is the nature of government edicts though. By trying to cover all possible scenarios they gloss over simple or obvious solutions and the policy becomes vanilla and ineffectual for everyone. The responsibility of keeping a vigilant stance over security should fall on the people who deal with a given system everyday. These women and men are the people who know a given system in and out and should be held accountable for them.
How do we insure that all system admins are knowledgeable about their security? As lame as this sounds the US government might want to consider making a pathfinder for information security and update it on a daily basis. The sections of the web page could contain all new mission critical patches from all of the companies which could be harvested with a PERL script from the appropriate companies. A message board where registered users could meet and discuss problems and solutions. A list of credible listservs that system admins should be subscribed to. There could be plenty more here that would need to be further devised but I feel this has more promise than a national security doctrine. This web page would move faster and be more dynamic like the subject matter that it is dealing with as opposed to the static document that the Bush administration has proposed.
What could happen if the US telecommunication infrastructure was attacked and ground to a halt? Well do you remember September 11, 2001 when you couldn't make a phone call and the web was like molasses following the attacks on the Pentagon and the World Trade Center? That was just a taste of what could happen. Americans flooded the Internet and telephones and pushed the system over its limit, similar to a denial of service attack for computer servers. And this was a self-imposed infrastructure stretch. What would happen if this were malicious? Chaos or order? The jury is still out on this scenario and let us hope that it never comes to a decision.
Who are the people who could execute such an attack against the United States? Well Iraq and North Korea are likely candidates considering the United States current stance against them but they are not alone. Many other countries do not look favorably on the US and would like to carry out a cyberattack. This is not even mentioning homegrown threats like religious groups, far right and left wing groups, and meddlesome kids.
It does not require that much training to attempt a crack on a system, but the more sophisticated the attacker the more complex the attack. Are people being trained overseas for this purpose? Logic would dictate that there are groups who are cultivating crackers and other programmers for these very deeds. Because America relies heavily on its telecommunications infrastructure for societal function this would be a quick and cheap way to attack the country without leaving your home/office.
Of course this threat works both ways. America has stepped up its cyberwarfare division and could also attack the infrastructure of another country. I think that the US may be hesitant to use its cybertools for fearing of killing innocents, but I don't think that opposing countries would hesitate to use their cybertools against the US. The forthcoming months may show us what happens when countries do cyberbattle.
The current state of information security is really not that great. People have just recently become aware of the significance of this topic for their businesses and a larger degree the integrity of the country. People in charge of information security must make a stronger effort to insure their systems from attack. To achieve this level of security requires work and diligence on many people's parts. Everyone in the country that runs a server that is connected to the Internet or a phone line should be aware of this possible threat.
My future forecast? There will continue to be holes in everyone's server that will be exploited by individuals. As far as cyberwarfare goes I hope that the US will take the necessary steps to protect their critical systems from attack and have countermeasures in place.
Information security is at best a triage effort. No matter how prepared a system is there will always be vulnerabilities. The true test will be how effective a system admin or security officer is at patching a given system or how successfully they can ward off an attack without damaging the country's infrastructure.
(1) Graham, Bradley, "Bush Orders Guidelines for Cyber-Warfare" Washington Post, Friday, February 7, 2003; Page A01, accessed Saturday, February 8, 2003, 08:42 am.
(2) Cha, Ariana Eunjung and Jonathan Krim, "White House Officials Debate Rules for Cyberwarfare" Washington Post, Thursday, August 22, 2002; Page A02, accessed Saturday, February 8, 2003, 08:12 am.
Short Bibliography
Cha, Ariana Eunjung and Jonathan Krim, "White House Officials Debate Rules for Cyberwarfare" Washington Post, Thursday, August 22, 2002; Page A02, accessed Saturday, February 8, 2003, 08:12 am.
Graham, Bradley, "Bush Orders Guidelines for Cyber-Warfare" Washington Post, Friday, February 7, 2003; Page A01, accessed Saturday, February 8, 2003, 08:42 am.
O'Harrow Jr., Robert. "Sleuths Invade Military PCs with Ease" Washington Post, Friday, August 16, 2002; Page A01, accessed Saturday, February 8, 2003, 10:39 am.
Pollitt, Mark."Cyberterrorism - Fact or Fantasy?" Accessed Saturday, February 8, 2003, 09:47 am.
Neal Stephenson's Snow Crash deals with a future where a virus threatens to cripple the world. The book has a similar feel to a type of cyberwarfare, plus I like the image of Hiro standing there with his swords against the metaverse.