Cyber Warfare: Protecting Military Systems

Acquisition Review Quarterly—Spring 2000


TUTORIAL

Lt Col Lionel D. Alford, Jr., USAF

Software is a key component in nearly every critical system used by the Department of Defense. Attacking the software in a system—cyber warfare—is a revolutionary method of pursuing war. This article describes various cyber warfare approaches and suggests methods to counter them.

Karl von Clausewitz (1996) defined war as “…an act of violence intended to compel our opponent to fulfill our will… In order to attain this object fully, the enemy must be disarmed, and disarmament becomes therefore the immediate object of hostilities….” At the end of the second millennium, this definition no longer describes the full spectrum of modern warfare. In the future, we will have the potential to make war without the use of violence and fulfill the second half of von Clausewitz’s definition—with software alone. Today’s software-intensive systems make this possible.

“Cyber” describes systems that use mechanical or electronic systems to replace human control. In this article the term includes systems that incorporate software as a key control element. Cyber warfare can be executed without violence, and therefore the dependence on software-intensive systems—cyber systems—can make nations vulnerable to warfare without violence.

FROM PROTECTING INFORMATION TO PROTECTING SOFTWARE-CONTROLLED SYSTEMS

Cyber warfare is the conduct of military operations according to information-related principles (Arquilla and Ronfeldt, 1992). This does not define the full degree of capabilities now possible in cyber warfare. Limiting the scope of cyber warfare to “information-related principles” does not describe what happens when an enemy disrupts the electrical power grid of a nation by hacking into the controlling software (Figure 1). Information is not only at risk—the fundamental control of the civilization is. As technology progresses, this “fundamental control” will devolve into networks and software-controlled electronics (Vatis, 1998).

This transition has already occurred in aviation. In the past, 100 percent of an aircraft’s performance and capabilities were defined by hardware—the physical makeup of the aircraft. Today in the most advanced aircraft, 75 percent or more of the aircraft’s performance and capability is absolutely dependent upon the software (U.S. Air Force, 1992). Without software, aircraft would not be controllable or reach the desired performance capabilities.[1] In some cases, through software, aircraft performance is gaining limited independence from physical configuration.[2]

Software dependence and hardware independence are growing. For example, modern aircraft fly by wire, their engines are controlled by wire, and their weapons are fired and dropped by wire. Systems that in the past were entirely hardware with mechanical control are being replaced by software with software control. Software defines the strength of modern systems, and provides a basis for the integration of many disparate items through networking. These networked software systems are under attack today, and the attacks are increasing (Figure 2).

Current Department of Defense (DoD) doctrines and instructions do not adequately cover the scope of cyber warfare (Stein, 1995). The following all handle information warfare as a discrete part of a military system: Joint Publication (JP) 3-13, “Joint Doctrine for Information Operations”; JP 3-13.1, “Joint Doctrine for Command and Control Warfare”; and instructions such as DoD 5000.2-R, “Mandatory Procedures for Major Defense Acquisition Programs (MDAPs) and Major Automated Information System (MAIS) Acquisition Programs.” Current doctrine does not address software as the major element of a military fighting system; yet as the above discussion shows, many software and software-controlled systems cannot be separated from the system being developed.

[Figure 1. Infiltration of a Utility. Entry points (Internet connections, modems, LANs) lead to cyber infiltration of the utility’s software-controlled systems, followed by cyber manipulation (take control of software), cyber assault (damage software), or cyber raid (steal data).]

The F–22 weapon system is an example of a software-controlled aircraft system that contains and communicates with integrated information systems (Figure 3). The F–22 is not a closed system; external information systems update and integrate F–22 combat operations during flight. Through these external connections, not just the information systems but the basic software systems of the F–22 can be attacked. Current information warfare doctrine in the Joint Pubs is mainly concerned with security of external C4I (command, control, communications, computers, and intelligence) systems integrated on the F–22, but software-intensive systems make internal systems of the F–22 vulnerable to cyber warfare attack. Our doctrine must account for these vulnerabilities and provide methods of offense and defense. Definitions for use in building future weapon systems and in cyber forces doctrine, and recommended methods to incorporate them, follow.

CYBER WARFARE DEFINITIONS

JP 3-13, JP 3-13.1, and DoD 5000.2-R focus on information systems and not software-controlled systems; the definitions these documents provide are not sufficient to describe the full range of cyber warfare.

[Figure 2. Number of CERT Incidents Handled. Bar chart of incidents handled per year, 1988 through 1999, on a scale of 0 to 4500; the 1999 bar covers the 1st and 2nd quarters only and is marked “and climbing.”]

The CERT® Coordination Center does provide a strong set of common terms to define cyber system security for the DoD (Carnegie Mellon, 1997), but these terms do not discuss military doctrine or national security. Furthermore, these terms focus on current methods of defense against infiltration and attack; they do not focus on future cyber force capabilities. We need a new taxonomy that includes the full range of cyber operations, and aids the development of a national cyber warfare doctrine (see the box below).

A New Taxonomy of Cyber Terms

Cyber warfare (CyW). Any act intended to compel an opponent to fulfill our national will, executed against the software controlling processes within an opponent’s system. CyW includes the following modes of cyber attack: cyber infiltration, cyber manipulation, cyber assault, and cyber raid.

Cyber infiltration (CyI). Penetration of the defenses of a software-controlled system such that the system can be manipulated, assaulted, or raided.

Cyber manipulation (CyM). Following infiltration, the control of a system via its software which leaves the system intact, then uses the capabilities of the system to do damage. For example, using an electric utility’s software to turn off power.

Cyber assault (CyA). Following infiltration, the destruction of software and data in the system, or attack on a system that damages the system capabilities. Includes viruses and overload of systems through e-mail (e-mail overflow).

Cyber raid (CyR). Following infiltration, the manipulation or acquisition of data within the system, which leaves the system intact, results in transfer, destruction, or alteration of data. For example, stealing e-mail or taking password lists from a mail server.

Cyber attack. See CyI, CyM, CyA, or CyR.

Cyber crime (CyC). Cyber attacks without the intent to affect national security or to further operations against national security.

Intentional cyber warfare attack (IA). Any attack through cyber means to intentionally affect national security (cyber warfare) or to further operations against national security. Includes cyber attacks by unintentional actors prompted by intentional actors. (Also see “unintentional cyber warfare attack.”)

IA can be equated to warfare; it is national policy at the level of warfare. Unintentional attack is basically crime. UA may be committed by a bungling hacker or a professional cyber criminal, but the intent is self-serving and not to further any specific national objective. This does not mean unintentional attacks cannot affect policy or have devastating effects (Vatis, 1998).

Intentional cyber actors (I-actors). Individuals intentionally prosecuting cyber warfare (cyber operators, cyber troops, cyber warriors, cyber forces).

Unintentional cyber actors (U-actors). Individuals who unintentionally attack but affect national security and are largely unaware of the international ramifications of their actions. Unintentional actors may be influenced by I-actors but are unaware they are being manipulated to participate in cyber operations. U-actors include anyone who commits CyI, CyM, CyA, and CyR without the intent to affect national security or to further operations against national security. This group also includes individuals involved in CyC, journalists, and industrial spies.[3] The threat of journalists and industrial spies against systems, including unintentional attacks caused by their CyI efforts, should be considered high.

Unintentional cyber warfare attack (UA). Any attack through cyber means, without the intent to affect national security (cyber crime).

MILITARY CYBER WARFARE TARGETS

Any military system controlled by software is vulnerable to cyber attack. The first step in any attack is cyber infiltration; all systems that incorporate software are vulnerable to cyber infiltration.[4]

Actions following cyber infiltration can affect organizations via the transfer, destruction, and altering of records—cyber raid. Software within systems can be manipulated, and the systems controlled by that software can be damaged or controlled—cyber manipulation. The software itself can be copied, damaged, or rewritten—cyber assault.

[Figure 3. Infiltration of an Aircraft. Cyber infiltration through the aircraft’s communication, intelligence, navigation, and flight control systems (all software-controlled systems), followed by cyber manipulation (take control of software), cyber assault (damage software), or cyber raid (steal data).]

MILITARY C4I

Military C4I systems are particularly vulnerable, and are the primary focus of DoD cyber-related doctrine. JP 3-13 and JP 3-13.1 both provide doctrine for information-related warfare. C4I systems are a very complex mix—from radios to radars, mainframes to personal computers. Military C4I uses interfaces through the Internet, base and organizational local area networks (LAN), modems, civilian and military communication systems, navigation systems, and radios in all frequency ranges.

Military C4I systems are extremely vulnerable because they interconnect. Cyber infiltration can enter at many points and potentially affect a myriad of systems. These systems and their interactions are so complex that any modern military organization is unlikely to trace the full potential of any single cyber infiltration. The possibility exists for cyber attacks of every type, and the results can be catastrophic. For instance, nuclear weapon control systems are incorporated into military C4I. As demonstrated by recent incursions in DoD networks, databases, and Web sites (Lemos, 1998), almost any dedicated foe can engage in cyber attacks against military computer systems (Vatis, 1998). Since military computers are the core of national C4I, successful IA and UA against such targets pose a national security peril.

WEAPON SYSTEMS

No current DoD doctrine adequately covers cyber attacks on military hardware systems such as aircraft and vehicles that require software to operate (JP 3-13, 1998; JP 3-13.3, 1996; and DoD 5000.4-R, 1998). As noted previously, the F–22 is a cyber-controlled aircraft (Figure 3).

Infiltration and degradation of the aircraft’s systems directly or via its C4I connections can be as devastating as shooting it out of the sky.

Cyber infiltration of the C4I system providing data to modern aircraft allows an avenue for cyber raid, manipulation, and assault. Because many systems like the Global Positioning System (GPS) automatically update aircraft information and intelligence, they can allow undetected infiltration of the aircraft. Intelligence, navigation, and communication systems are integrated with each other and input and output to a host of other aircraft systems—the flight control system (through the autopilot), propulsion system (through the autothrottles), radar system, master warning system, and environmental control system. Using the correct control sequences, inputs, or reprogramming, an infiltrator could produce any level of systems damage, from driving the aircraft off course to overwriting the flight control software.

IDENTIFYING CYBER WARFARE VULNERABILITIES

The first rule in identifying cyber warfare vulnerabilities is that any software-controlled system that can accept an input can theoretically be infiltrated and attacked! This means all systems that accept inputs are vulnerable. Fundamentally, cyber systems can be infiltrated in two ways—by physical and signal inputs.

PHYSICAL INFILTRATION

Physical infiltration is made through the system hardware. For example, the on/off switch, keyboard, mouse, cockpit controls, flight controls, and removable media provide physical inputs into a system. The first line of defense for a software-based system is to secure the physical inputs and outputs of the system. If these are not secure, the system is not secure. Any system can be compromised if a cyber attacker can enter the facility, aircraft, or vehicle and directly infiltrate the system. The cyber infiltration can be maintained afterwards by the installation of repeaters and remote input devices on the hardware. For example, electronic bugs on phone lines are a common method of surreptitious surveillance; modem and LAN lines are equally vulnerable.

An easy method of physical infiltration is to use a spare LAN connection on a hub or router. Using common network parts, a connection can be made directly, or through a Radio Frequency (RF) transmitter (wireless connection) from the LAN to an infiltrator’s computer. These infiltration methods are only discovered by careful system audits or visual inspection (Marshall, 1991).

SIGNAL INFILTRATION

Signal infiltration comes through existing indirect or direct connections to a system. These connections are typically LANs, infrared (IR) devices, RF connections (radios), and modems (phone lines). Any system with an external connection can theoretically be infiltrated. The number of potential entry points is limited only by the number of direct and indirect connections into the system. For instance, a system with an Internet server is vulnerable to cyber infiltration from any computer connected to the Internet. An isolated network with a modem is vulnerable to any computer that can call into it. These input paths are used to infiltrate the system and then assault, manipulate, or raid it.

[Photo caption: The F–22 is a cyber-controlled aircraft.]

Physical infiltration may be protected against by physical security: walls, fences, restricted areas, identification, guards, etc. Signal infiltration has similar defenses, but these are incorporated within the software or hardware itself (for instance, passwords, coded signals, firewalls, terminal identification, isolation, and system monitors).

The second rule of identifying CyW vulnerabilities is to expect every software-controlled system to be the objective of an attempted cyber infiltration. Even isolated systems can experience cyber assault through a computer virus brought in on a contaminated floppy disk. Because cyber attacks are largely unpredictable, all systems must have some degree of protection, and the level of protection must be commensurate with the likelihood and consequences of expected attack. Every vulnerable system needs proactive and effective virus protection in place.

Assume U-actors will be influenced by I-actors. The anonymity of the Internet makes it possible for a cyber operative to pass on information about password-cracking, system phone numbers, infiltration techniques, and programs to U-actors (Figure 4). Many U-actors are young, immature, and unsophisticated. They don’t understand the ramifications of their actions. However, some attacks that appear unintentional may be made by I-actors, operating through U-actors on the Internet. The recent cyber infiltration of information systems by California teens trained by the Israeli hacker “Analyzer” is an example of this mentoring relationship (Cole, 1998).

I-actors can easily influence the direction of attacks by providing system access numbers and system passwords. Trojan horse programs written and passed to U-actors achieve an entirely different result than the U-actor intended. The outcome, from the perspective of the I-actor, is the same as if the attack had been made directly. Because passwords and infiltration data are shared by U-actors across the net, the I-actor’s mission package is likely farmed out to more than one U-actor, or data may be passed through multiple U-actors. This ensures many attacks on the same target and further muddies the trail back to the source. This also means organizations that detect attacks and neutralize them should be prepared to receive the same attack over and over again. In addition, organizations that detect attacks must share data on the attacks immediately with other organizations (Howard, 1997).

[Figure 4. Cyber Warfare Method using UA and IA. An intentional actor passes cyber attack tools to unintentional actors; the resulting intentional cyber warfare masquerades as an unintentional attack.]

DEFENSE AGAINST CYBER WARFARE

The exploitation of system weaknesses and social engineering[5] are the primary avenues of attack against cyber systems (Howard, 1997). System weaknesses and social engineering techniques take advantage of computer and human limitations to steal and bypass signal and physical defenses, mainly passwords and machine-to-machine authentication. Unfortunately, the largest part of signal and physical defenses is based on identification and authentication codes—passwords. Passwords can be stolen, bypassed, or obtained by deception (and in theory, any password or authentication can be cracked). Until a different method of protection is invented, dependency on password identification and authentication guarantees that all systems will be in some degree vulnerable to cyber infiltration.

Use dedicated and redundant security to protect cyber systems. Twenty-two security methods are compiled below. Each method is described, along with some specific examples to accomplish it. This list is intended to provide a starting point for decision making and risk analysis; in some cases, especially systems integration and offensive methods, these suggestions run counter to current DoD policy and practice.

These methods are intended to provoke thoughtful examination of all cyber security options to allow a tailored approach to military cyber systems development. To provide the best defense, these techniques must be customized, combined, and layered with one another. In every case, cyber systems should be set up so U- and I-actors can get into decoy sections[6] of the security network. This allows identification and containment of the infiltrator. Only when infiltration is identified can it be solved.

INACTIVE DEFENSE METHODS

Physical security is the primary means of cyber system protection. Without some degree of physical security, all of the defenses mentioned below will fail.

Isolate all critical systems. Provide no system inputs outside of a physically secure area. Many agencies handle classified systems this way (Federal Information Processing Standards [FIPS] Publication 112, 1985); the systems themselves are physically isolated from any other inputs or systems. Isolation of critical systems also reduces damage caused by cyber infiltration.

Put critical operations under manual control. Critical functions should not be controlled directly by software. For example, an electrical power system should not be turned on or off through software. To be effective, the capability must be entirely eliminated from software control. For example, in a water utility, any setting that could cause water contamination should be manual so the system cannot be breached electronically. MIL-STD-882, “System Safety Program Requirements,” is used by the military to classify critical functions. A basic rule for all critical cyber systems is that systems should be manual, when possible, so critical functions cannot be addressed by software. With industries such as nuclear power this is impossible; with military systems, this can be achieved by hardwiring critical functions—such as missile launches.

Reduce integration. Integration increases cyber warfare risk because there are more avenues for cyber infiltration (and all system interconnections may not be known). To reduce cyber warfare vulnerability, integration should be limited as much as possible, and all system inputs and outputs must be fully defined. Critical cyber functions should be isolated physically so there are no inputs from outside. This type of compartmentalization should be considered when the use of cyber systems to control critical operations is necessary or desirable.

Keep the human element in the loop when integrating systems. Many software-controlled systems are integrated to reduce human workload. Although some systems require cyber integration to operate, many do not. When it is possible to keep a person in the loop or when a person can monitor or control a critical system, it is better to increase necessary monitoring and provide human interaction rather than automate the process. This is another way to isolate a system.

For instance, a request to shut down electrical power may generate a system message to tell a human operator to flip a switch. Only after the switch is moved can the automatic shutdown take place. An even safer setup would direct the operator through the shutdown sequence, instead of automating any of it. These methods may seem like we are turning back the technological clock, but protecting essential systems in this manner is necessary.

Inherent breach-points. Communication connections into the system are inherent, potential breaches of security. All connections into a system must be physically controlled and monitored to prevent cyber infiltration. The strongest breach-point occurs where the system is physically connected to an outside input. This part is also the most vulnerable to physical infiltration. Security must patrol, track, and control these inherent breach-points to prevent physical infiltration.

ACTIVE DEFENSE METHODS

These methods make up the software programming that protects the system from unauthorized use.

Passwords and authentications. Passwords and authentications are necessary parts of system security to allow authorized human and other cyber system input. Because personal passwords are not usually very long (10 digits is the standard maximum [FIPS Publication 112, 1985]), they are relatively easy to decode or predict. The longer the password, the better. Long passwords (32 characters or more) make brute-force code-breaking computationally infeasible, but codes that length are not commonly used and require other computers or hardware code devices such as tokens. Short passwords (eight characters or less) should be mixed into unpredictable, alphanumeric combinations and used with other methods to provide an assured level of security. FIPS Publication 112, “Standard for Password Usage,” provides specific information on the use of short passwords. Nicknames, popular words, and street names are easily predicted by some hacker programs.
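As an added illustration of the password rules above (this is not code from the article), the following Python check estimates the brute-force search space of a password from its length and the character classes it uses, and rejects passwords that are short, drawn from too few classes, or built on a predictable word. The word list is a constructed stand-in for the nickname, popular-word, and street-name lists the text mentions, and the 40-bit floor is an assumed policy value, not a figure from the article or from FIPS 112.

```python
import math
import string

# Constructed stand-in for the nickname / popular-word / street-name lists
# the text says hacker programs try first; a real check loads a full file.
PREDICTABLE_WORDS = {"password", "secret", "letmein", "eagle", "bobby", "elm", "main"}


def _classes(password: str) -> list[bool]:
    """Which of the four character classes the password draws from."""
    return [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]


def keyspace_bits(password: str) -> float:
    """Bits an attacker must search to brute-force a password of this length
    drawn from exactly the character classes it uses. This is an upper bound
    on strength: a dictionary word is far weaker than the number suggests."""
    sizes = (26, 26, 10, len(string.punctuation))
    alphabet = sum(size for used, size in zip(_classes(password), sizes) if used)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password: str, min_bits: float = 40.0) -> list[str]:
    """Return the policy violations for a password; an empty list means it passes.
    The 40-bit floor is an assumed policy value, not a figure from the article."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if sum(_classes(password)) < 3:
        problems.append("fewer than 3 character classes")
    # Strip digits and punctuation so "eagle99!" is still caught as "eagle".
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in PREDICTABLE_WORDS:
        problems.append("dictionary word")
    if keyspace_bits(password) < min_bits:
        problems.append(f"search space below {min_bits:.0f} bits")
    return problems


if __name__ == "__main__":
    for pw in ("bobby", "eagle99!", "Tq7#mZ2v"):
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, problems={check_password(pw)}")
```

The search-space figure shows why the text prefers length over cleverness: an eight-character password over all four classes is about 52 bits, while a 32-character alphanumeric one is about 190, well beyond exhaustive search; the dictionary test is what catches the “eagle99!” style of password that the bit count alone would accept.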

Anthropomorphic (biometric) measures. These measurements and data use a person’s physical features—fingerprints, retinal scans, or face. These are better than passwords and can provide a much longer code, but are still relatively easy to break. Due to daily human physical changes, anthropomorphic measures cannot produce a large enough number to give a super-long password. For instance, if your face has swollen 0.001 of an inch during the night and the measure is to 0.0001 inch, you would not be able to log on to your computer. However, anthropomorphic measures provide good security when combined with other methods such as passwords.

Tokens. These include magnetic cards or other code modules. They contain passwords and are read mechanically or electronically. Cards, modules, and other devices enable the use of very long codes and provide excellent security. Future encryption methods that use devices containing extremely long codes have the potential to make code-breaking almost impossible. A major drawback is that they must be kept physically secure because they can be lost or stolen. Tokens should be combined with anthropomorphic passwords to provide the best security.

Multiple authentications or log-ons. More than one interrogation is required to get into the system. For instance, log-on may require a basic password followed by an anthropomorphic measure (fingerprint, for example), or a password followed by a token. Figure 5 shows an example of this type of authentication scheme. The first layer should be a decoy layer and should be easy to crack but difficult to reprogram and disconnect. The second password layer should be very secure. Intrusions are recorded for investigation when the first layer is passed but the second layer is not. An infiltrator will invade the first layer, but not pass the second; then hopefully the infiltrator can be identified. In addition, the decoy layer can be filled with various offensive programs that allow the identification and neutralization of the infiltrator. This type of log-on should be required for all vulnerable systems and especially for systems that interface with and support software-controlled aircraft and vehicles.
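The layered log-on of Figure 5 can be sketched in code. The Python below is an added example, not the author’s or any DoD system’s implementation: it keeps a deliberately weak decoy password in front of the real working and administrative passwords, stores all of them as salted PBKDF2 hashes (an assumption; the article does not specify storage), and records an intrusion whenever a session passes the decoy layer but fails the working layer. User names, addresses, and passwords in the usage block are constructed.

```python
import hashlib
import hmac
import secrets

# Layers a session must pass in order, as in Figure 5.
LAYERS = ("decoy", "working", "administrative")


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 storage is an assumption; the article does not say how
    # layer passwords are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class LayeredLogin:
    def __init__(self):
        self._creds = {}        # user -> {layer: (salt, hash)}
        self.intrusions = []    # sessions that passed the decoy but failed the working layer

    def enrol(self, user, decoy_pw, working_pw, admin_pw=None):
        """The decoy password is deliberately weak (the text wants it easy to
        crack); the working and administrative ones must be strong."""
        creds = {}
        for layer, pw in zip(LAYERS, (decoy_pw, working_pw, admin_pw)):
            if pw is not None:
                salt = secrets.token_bytes(16)
                creds[layer] = (salt, _hash(pw, salt))
        self._creds[user] = creds

    def _check(self, user, layer, pw):
        entry = self._creds.get(user, {}).get(layer)
        if entry is None or pw is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(_hash(pw, salt), expected)

    def attempt(self, user, source, *passwords):
        """Interrogate layer by layer; return the deepest layer reached, or
        None if even the decoy password was wrong. A session that gets past
        the decoy layer but no further is logged for investigation."""
        reached = None
        for layer, pw in zip(LAYERS, passwords):
            if not self._check(user, layer, pw):
                break
            reached = layer
        if reached == "decoy":
            self.intrusions.append({"user": user, "source": source})
        return reached


if __name__ == "__main__":
    system = LayeredLogin()
    system.enrol("pilot", "decoy1", "Wq7#mZ2v", "Adm!n9xQ")
    print(system.attempt("pilot", "10.0.0.5", "decoy1", "Wq7#mZ2v"))   # working
    print(system.attempt("pilot", "10.0.0.9", "decoy1", "guess"))      # decoy
    print(system.intrusions)
```

Note the trade-off the text implies but does not state: a legitimate user who mistypes the second password lands in the same intrusion log as an infiltrator, so the record is a lead for investigation, not proof, and the offensive programs the text would place in the decoy layer must not fire on that evidence alone.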

Multiple connection log-ons. More than one log-on over different addresses or lines is required for system entry. For instance, a log-on may be required at one phone number that activates a second, actual communication line. Another method is the call-back system. Using call-back, the user calls the computer and logs on, then the computer hangs up and calls back to the number authorized for the user. The user completes the sequence by logging on again with a second password. This method of log-on can also be used for Internet and LAN addresses.

Multiple log-on addresses. This requires either a call over two separate phone lines or two separate addresses at the same time. The signal is resolved in the user’s computer only when both signals are received and the security authentication is passed on both lines. Multiple methods make it easy to detect cyber infiltration. Infiltrators who log on in the initial layer, but whose second log-on fails, are instantly identified.

Monitoring software (Marshall, 1991). At the lowest level, this software records the user’s activities on the system. In many systems, this software limits the user’s access based on a security level. More complex systems monitor activity and alert the system or people monitoring when a user attempts to access resources not authorized at the user’s security level. These programs provide audit trails and system logs that are a primary means of tracking unauthorized access and operations. This kind of software also detects multiple attempts at system log-on.

[Figure 5. An Example of Different Security Layers on a Cyber System. A first-layer password admits to the decoy layer, a second-layer password to the working layer, and a third-layer password to the administrative layer of the cyber system.]

ACTIVE OFFENSIVE METHODS

These methods include software programming and cyber operations that identify, attack, disable, tag, and capture I- and U-actors and their equipment. The chief problem to gaining the offensive is the detection of cyber infiltration. At least 75 percent of cyber infiltrations are not detected (Howard, 1997). To an unsophisticated security system, cyber infiltration appears to be a normal connection. The security itself needs a footprint that is unpredictable to the infiltrator—that separates authorized from unauthorized operators. The techniques described in the previous Active Defense Methods section give some ideas how this can be accomplished.

This section provides methods that can be used against infiltrators after they are detected. Some of these techniques are theoretical and based on extrapolations of current program capabilities. Simple active programs (e.g., Microsoft macro viruses) and passive programs can be used against unsophisticated computer security and systems with crippling results. Commercially available system monitoring software can be used to accomplish cyber infiltration, assault, raid, and manipulation; to cyber infiltrate password-secured LANs requires only a rewrite of commercially available software.

Highly proficient programmers can write machine code programs that can be sent across a data stream into a Web browser or other communications program. For example, “Back Orifice” is a Trojan horse program that surreptitiously sends information through the Internet back to its originator. Most I-actors are not proficient enough to write these advanced programs, but simple offensive programs are available now on the Internet. Advanced programs can be written to do almost anything to a computer. They can tag a computer for identification (cookies), operate the different components of the computer, and rewrite programs in the computer.

Password-cracking programs. These were the first programs used for cyber infiltration. Password-cracking programs, at their simplest, repeatedly try different codes until they get a log-on. The main method of protecting against these simple programs is automatic monitoring that cuts off users who attempt multiple unsuccessful log-ons. Complex password-cracking programs can potentially disable monitoring and other security methods. Super-long passwords and the defensive methods mentioned above protect against password cracking.
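For the automatic monitoring that the Monitoring software entry and the paragraph above both call for (recording log-on attempts and cutting off users after repeated failures), here is an added Python example that is not from the article. It reads constructed audit-log lines in a hypothetical `LOGIN FAIL/OK user= src=` format, counts failures per user inside a sliding window, and locks the account out for a set period once the threshold is reached, rejecting even a correct password during the lockout. The threshold, window, and lockout period are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines in a hypothetical format (not from the article).
SAMPLE_LOG = """\
1999-06-14 02:11:05 LOGIN FAIL user=jsmith src=192.0.2.44
1999-06-14 02:11:06 LOGIN FAIL user=jsmith src=192.0.2.44
1999-06-14 02:11:06 LOGIN FAIL user=jsmith src=192.0.2.44
1999-06-14 02:11:07 LOGIN FAIL user=jsmith src=192.0.2.44
1999-06-14 02:11:08 LOGIN FAIL user=jsmith src=192.0.2.44
1999-06-14 02:11:09 LOGIN OK   user=jsmith src=192.0.2.44
1999-06-14 08:30:00 LOGIN FAIL user=asmith src=10.1.1.7
1999-06-14 08:30:20 LOGIN OK   user=asmith src=10.1.1.7
"""

LINE = re.compile(r"^(\S+ \S+) LOGIN (FAIL|OK)\s+user=(\S+) src=(\S+)$")


class LogonMonitor:
    """Cut off a user after `threshold` failed log-ons within `window`."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=30)):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)   # user -> recent failure timestamps
        self.locked_until = {}               # user -> end of lockout
        self.alerts = []                     # audit trail for the people monitoring

    def process(self, line):
        m = LINE.match(line)
        if not m:
            return None                      # not a log-on record
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        # While locked out, reject everything, even a correct password: the
        # cracker that finally guesses right still gets nothing.
        if user in self.locked_until and ts < self.locked_until[user]:
            self.alerts.append(f"{ts} REJECTED {user} from {src}: account locked")
            return "locked"
        if outcome == "OK":
            self.failures[user].clear()
            return "ok"
        recent = self.failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop failures outside the window
        if len(recent) >= self.threshold:
            self.locked_until[user] = ts + self.lockout
            self.alerts.append(f"{ts} LOCKOUT {user} from {src} after {len(recent)} failures")
            recent.clear()
            return "lockout"
        return "fail"


def run(log_text):
    """Feed every line through one monitor; return it and the per-line verdicts."""
    mon = LogonMonitor()
    verdicts = [mon.process(line) for line in log_text.splitlines() if line.strip()]
    return mon, verdicts


if __name__ == "__main__":
    monitor, verdicts = run(SAMPLE_LOG)
    print(verdicts)
    print("\n".join(monitor.alerts))
```

Keying the counter on the user name matches the text (“cuts off users”), but it means anyone who knows a user name can lock that user out by guessing badly on purpose; keying on the source address as well limits that, at the cost of letting an attacker who spreads attempts over many addresses stay under the threshold. Either way the alerts are what the text calls the audit trail, and they are what the organization should share with others.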

Identification, location, sniffer, spoofing, and watcher programs. Identification and location programs identify computers and users in a system. Sniffer and watcher programs glean passwords and other information from the system. Many of these programs are passive—that is, they are used by LANs to keep track of which computers and users are logged on. Some are active spoofers, actually asking for information from the user or the system.

The most widespread software-based method of obtaining passwords and other confidential information is through sniffer and watcher programs that monitor network traffic. These are commonly deployed using Trojan horse programs such as "Back Orifice." Defeat these programs by never exposing passwords in the clear: protect them in storage and in transit as set out in FIPS Pub 112 (1985), and encrypt the sessions that carry them. Sophisticated identification programs can make undetectable queries to the user's computer and even allow the cyber raid of data. The main line of protection from these programs is active-defense methods. Cyber protection systems should use covert identification programs to discover information about an infiltrator.

Attack programs. An attack program is any program used to cripple or destroy a computer or computer system. These programs are complex and uncommon. They are like viruses, but are directed and singular, instead of random and replicating. Attack programs can be developed to impair the target's software, writable system basic input/output systems (BIOS) [7], and disks. When employed in defense, these programs should be used by cyber forces to immediately stop any cyber attack in progress, to prevent the infiltrator from continuing operations from the attacking computer. Any cyber attack should tag the system for identification.

Protection against direct attacks is best accomplished by defensive methods. However, because all parts of a network or the Internet may not be secure, each individual computer must have some way of independently identifying attacks and rejecting them. Similar methods are used extensively now to protect against viruses and reject cookies.

Tagging programs. These programs insert data on a computer for later identification and cyber infiltration. These programs can be as simple as a "cookie" [8] or as complex as a BIOS tag. Some versions write data to the boot sector of the hard drive; the boot sector must be rewritten, or the drive reformatted, to remove it. Cyber forces should be able to tag a computer for later criminal investigation. Methods of defense from tagging are similar to those from attack programs.

Viruses. These are programs that replicate themselves by attaching their code to other programs, disk boot sectors, and writable system BIOSs. Viruses can be used both for malicious terrorism and cyber warfare (Symantec Antivirus Research Center, 1994). This capability can be added to any offensive program; it then spreads to the other computers in the opponent's system beyond the primary infiltrator's computer. Virus capabilities can be added to tagging programs when there is a threat that the infiltrator will destroy the attacked system or hard drives in an attempt to prevent later identification. Because of their ability to get into non-opponent computer systems, viruses should be used cautiously by cyber forces. Viruses can be written with checks so that they only target specific systems.

Methods of defense from viruses are:

• programs that scan for identified viruses and virus-like code (virus scanners),

• inoculation of systems by identification of authorized programs and data (integrity records of each authorized file; many virus checkers provide this capability, traditionally as Cyclic Redundancy Code [CRC] records, although a cryptographic hash should be used rather than a plain CRC, which an attacker can match deliberately), and

• personnel training.
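The "inoculation" record above, as an added example that is not part of the original article. It shows why the record must be a cryptographic hash rather than a CRC: the Python below builds a baseline of CRC-32 and SHA-256 values for two constructed in-memory files, appends a payload to one of them, and then appends four more bytes, computed from the CRC's linear structure, that restore the file's original CRC-32. The CRC-only check passes the tampered file; the SHA-256 check does not. File names and contents are constructed for the demonstration, and the CRC-patch routine is a standard consequence of how CRC-32 is defined, not something the article describes.

```python
"""Integrity baseline: why a CRC record is not an inoculation.

Added example, not from the article. File names and contents are constructed.
"""
import hashlib
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib.crc32 uses

# Standard byte-wise CRC-32 table (identical to zlib's internal table).
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The top byte of each table entry is unique, so it identifies the index.
TOP_BYTE_TO_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(TOP_BYTE_TO_INDEX) == 256


def baseline(files):
    """Record CRC-32 and SHA-256 for each {name: bytes} entry."""
    return {name: (zlib.crc32(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def check(files, records, use_sha256):
    """Return the names whose current content no longer matches its record."""
    changed = []
    for name, data in files.items():
        crc, digest = records[name]
        if use_sha256:
            ok = hashlib.sha256(data).hexdigest() == digest
        else:
            ok = zlib.crc32(data) == crc
        if not ok:
            changed.append(name)
    return changed


def crc32_patch(data, target_crc):
    """Return 4 bytes p such that zlib.crc32(data + p) == target_crc.

    Each byte-wise CRC step shifts only 8 bits out of the register, so the
    four table indices that lead to the target register value can be read
    off backwards from the target alone; the bytes then follow from the
    register state after `data`.
    """
    state = zlib.crc32(data) ^ 0xFFFFFFFF          # register after `data`
    want = target_crc ^ 0xFFFFFFFF                  # register we must reach
    indices = []
    cur = want
    for _ in range(4):
        i = TOP_BYTE_TO_INDEX[cur >> 24]
        indices.append(i)
        cur = ((cur ^ TABLE[i]) << 8) & 0xFFFFFFFF  # previous register, bits 8..31
    patch = bytearray()
    for i in reversed(indices):
        patch.append((state ^ i) & 0xFF)            # byte that selects index i
        state = TABLE[i] ^ (state >> 8)             # normal CRC update
    assert state == want
    return bytes(patch)


def tamper_keeping_crc(original, payload):
    """Attacker's step: append payload, then 4 bytes that restore the old CRC-32."""
    modified = original + payload
    return modified + crc32_patch(modified, zlib.crc32(original))


def demo():
    """Return (names flagged by CRC-only check, names flagged by SHA-256 check)."""
    files = {"login.exe": b"\x7fELF constructed sample program bytes",
             "config.sys": b"DEVICE=HIMEM.SYS\n"}
    records = baseline(files)
    tampered = dict(files)
    tampered["login.exe"] = tamper_keeping_crc(files["login.exe"], b"<backdoor>")
    return (check(tampered, records, use_sha256=False),
            check(tampered, records, use_sha256=True))


if __name__ == "__main__":
    crc_only, sha = demo()
    print("CRC-32 check flags:", crc_only)   # nothing: the tampered file passes
    print("SHA-256 check flags:", sha)       # login.exe
```

The same linearity lets an attacker fix the CRC by overwriting four bytes anywhere in the file rather than appending, so a CRC record only detects accidental corruption; a collision-resistant hash, stored where the infiltrator cannot rewrite it, is what makes the "inoculation" hold.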

Unfortunately, by 1997 as many as 15,500 viruses had been identified, and an estimated 400 new ones are reported each month (Dr. Solomon Company, 1997). Scanning for known viruses therefore cannot by itself give absolute protection from viruses and virus-like programs; the defensive methods enumerated previously are needed as well.

Trojan horses. These programs are the most common method of cyber infiltration (Howard, 1997). They perform like any other program a user may wish to run, but they execute unauthorized operations (Carnegie Mellon, 1997). A common example is a document carrying a Microsoft macro virus: the user opens what looks like an ordinary file, and the macro runs. Trojan horses can be defeated by the same methods used against viruses.

System overflows. One method of cyber infiltration and cyber assault is the use of large amounts of data to cause a system overflow or "crash." The typical e-mail chain (pyramid) letter is a crude example of e-mail overflow: such a letter accumulates an ever-growing tail of addresses and copies that can choke an e-mail system. A cyber attacker can also be attacked and infiltrated in this manner.

Overflows are most effective when the overflow is not detected immediately. This can be achieved when the infiltrator has a very fast connection or when there is a second signal input line to the attacking computer. Data overflows are also an excellent method to mask the transmission of offensive programs. Methods of defense from overflows are e-mail scanners that check for very large e-mail files, and personnel training. For instance, all personnel must be taught not to pass on dubious e-mail warnings, chain e-mails, and massive official e-mail. In addition, employees should never open files from questionable sources or unofficial files.

Direct manipulation. When a computer is connected to another computer, current software makes it relatively easy to take control of many of the basic functions of the computer. Machine code and operating-system calls can be used to turn on peer-to-peer sharing or to directly manipulate devices controlled through the operating system and BIOS. Cyber forces should develop programs that will allow this kind of manipulation of infiltrator computers. Cyber systems must lock out unauthorized system requests at all levels.

Logic bombs. Some code sequences in data files manipulate both the programs that use the data files and, through them, the operating system and BIOS. This is evident in macro viruses found in document files and in malformed files that crash the programs and operating systems that open them. Such code can be written to achieve more pointed results, for example tagging or system impairment. Logic bombs can also be used against infiltrators when they are attached to password databases, classified data files, or other files that might be downloaded following cyber infiltration.


Statutory action (legal actions). Cyber forces cannot be fully effective without capturing and prosecuting both U- and I-actors. The primary goal of offensive cyber operations must be to identify and tag infiltrating systems. These actions allow prosecution as well as confirmation of the infiltration. Because it is relatively simple to back up systems and replace damaged computer components, the infiltrator will not be out of action for long unless legal action is taken. When it is not possible to extradite and prosecute U- or I-actors outside the United States, national policy must determine the extent of the cyber operations to be undertaken against the shielding foreign nation.

MEASURING THE EFFECTIVENESS OF CYBER DEFENSES AND OPERATIONS

The effectiveness of cyber forces cannot be measured by a lack of detected cyber infiltration against targets. This is because undetected cyber infiltration is certainly taking place (Lee, 1998), and most cyber infiltrations and attacks go undetected (Howard, 1997). The only reasonable measure of effectiveness is detecting cyber infiltration when it happens. This is why a multilayered approach to cyber system defenses is necessary. If the policy of the United States regarding CyW is wholly one of defense, the only perfect measure of defense effectiveness is that every cyber infiltration is identified and the U- or I-actor neutralized.

The success of cyber operations against and in support of the U.S. government must be classified. As mentioned previously, when a cyber attack occurs, the detecting agency should immediately inform all possible targets (Howard, 1997), with due regard for active cyber operations. But when an agency of the government is the victim of a successful cyber infiltration or attack, that agency should not release the degree or effects of any cyber operation against it. Acknowledging the results would be like confirming which publicly available material is in fact classified: it would tell the enemy they were successful and provide information that could make the next attack even more effective.

The best approach is for the agency to make no comment at all and to provide immediate recovery and cleanup as part of its cyber operations. This keeps the I- and U-actors guessing and allows the effective use of the offensive and defensive methods outlined above. This is not to say the agency should not report the attack to the proper authorities and provide suggested methods of protection.

NEW DOCTRINE

The first step is to develop a strong doctrine that includes all the dimensions of current and future cyber warfare threats. A taxonomy and cataloged security methods go a long way toward building a framework for this doctrine. The challenge is to put forward the required effort and funding to ensure a strong level of security for all software-controlled systems.


Lt Col Lionel D. Alford, Jr., U.S. Air Force, is an aeronautical test policy manager for Headquarters Air Force Materiel Command, Wright-Patterson Air Force Base, OH. He is an Air Force experimental test pilot with more than 3,600 hours in more than 40 different kinds of aircraft and is a member of the Society of Experimental Test Pilots. He is a graduate of the Air Ground Operations School, the Combat Aircrew Training School, the All Weather Aerial Delivery Training School, Defense Systems Management College, and the U.S. Air Force Test Pilot School. He has a master's degree in mechanical engineering from Boston University and a bachelor's degree in chemistry from Pacific Lutheran University.

(E-mail address: [email protected])

CONCLUSION

Cyber operations have the potential to overcome any system controlled by software. The military systems we are developing today depend on software and software-controlled components to operate. Cyber warfare defenses must be incorporated into all of these military systems. The future of warfare makes it imperative that cyber warfare concerns become the interest of every software and hardware developer, not only of military systems but of civilian systems as well.

Cyber warfare may be the greatest threat that nations have ever faced. Never before has it been possible for one person to potentially affect an entire nation's security. And never before has one person had the ability to cause such widespread harm as is possible in cyber warfare. Like radioactive fallout, the effects of cyber warfare can devastate economies and civilizations long after the shooting war is over.

This genie can't be put back into the bottle; societies will not want to give up the manifold prosperity brought about by cyber systems. But a nation must ensure that it maintains the upper hand in cyber warfare. If our nation can't, then even with the most powerful military and defense economy in the world, we face an insurmountable threat to our future prosperity and security.


REFERENCES

Arquilla, J., & Ronfeldt, D. (1992). Emergent modes of conflict. In Cyberwar is coming. Santa Monica, CA: RAND Corporation.

Carnegie Mellon. (1997). Glossary of terms. Software Engineering Institute, CERT® Coordination Center. http://www.cert.org/research/JHThesis/appendix_html/Glossary.html

Cole, R. (1998). FBI hunts "master hacker." ABC News: High Technology, The Associated Press.

DoD 5000.2-R. (1998, February 27). Mandatory procedures for major defense acquisition programs (MDAPs) and major automated information system (MAIS) acquisition programs.

DoD Joint Publication (JP) 3-13. (1998, October 9). Joint doctrine for information operations.

DoD Joint Publication (JP) 3-13.1. (1996, February 7). Joint doctrine for command and control warfare.

Dr. Solomon Company. (1997). The future impact of viruses. Dr. Solomon's Virus Central. http://www.drsolomon.com/vircen/vanalyse/future.html

Federal Information Processing Standards (FIPS) Publication 112. (1985). Standard for password usage.

Hafner, K. (1998, July 23). Chiquita case illustrates vulnerability of voice mail. New York Times. http://www.nytimes.com/library/tech/98/07/circuits/articles/23voic.html

Howard, J. D. (1997). An analysis of security incidents in the Internet 1989–1995. Carnegie Mellon University. http://www.cert.org/research/JHThesis/Start.html

Lee, S. (1998). Most computer hackers go unnoticed. South China Morning Post. http://www.infowar.com/HACKER/hack_030198s_b.html-ssi

Lemos, R. (1998). DoD confirms hacker boast. ZDNN. http://www.zdnet.com/zdnn/content/zdnn/0421/309056.html

Marshall, V. H. (1991). Intrusion detection in computers. Summary of the Trusted Information Systems (TIS) report on intrusion detection systems. http://csrc.nist.gov/secpubs/auditool.txt

Stein, G. J. (1995, Spring). Information warfare. Airpower Journal, IX(1).

Symantec Antivirus Research Center. (1994). Computer viruses—An executive brief. http://www.symantec.com/avcenter/reference/corpst.html

Vatis, M. A. (1998). Cybercrime, transnational crime, and intellectual property theft. Statement for the record before the Congressional Joint Economic Committee. http://www.ilspi.com/vatis.htm

von Clausewitz, K. (1976). In M. Howard & P. Paret (Trans.), On War (Book I). Princeton, NJ: Princeton University Press.

U.S. Air Force. (1992). Bold stroke. Executive Software Course.


ENDNOTES

1. The F-16 is unstable below Mach 1, and uncontrollable without its software-based flight control system. The Boeing 777 and the Airbus A330 have software flight control systems without any manual backup; the performance of these aircraft is dependent on their digital flight control systems.

2. The F-22 in high angle of attack flight uses software-controlled vectored thrust and flight controls to maneuver the aircraft.

3. As seen in allegations that a Cincinnati Enquirer reporter stole voice mail messages from Chiquita Brands International (Hafner, 1998), CyR is becoming a common method to take information from cyber systems.

4. The "hacker" is a U-actor commonly characterized as effecting cyber infiltration without further damage to a computer system.

5. Social engineering refers here to both the process of gaining privileged information, such as passwords, by deception (3) and the use of Trojan horse programs.

6. A decoy section is a first-layer area of a cyber system that appears to provide access to the system but in fact only simulates the inner layers.

7. A basic input/output system is the firmware stored on a ROM chip (on later machines, a rewritable flash chip) inside IBM PCs and PC-compatibles, which initializes the hardware and provides the low-level input/output services the operating system builds on.

8. A cookie is a small set of data that a Web site server gives to a browser the first time the user visits the site and that may be updated on each return visit. The browser stores the cookie (in the browsers of the period, as a text file in the Netscape or Explorer system folder) and sends it back to that server on later visits, which is how the server recognizes the user. Not all browsers support cookies.