At War With Sweepers, Sniffers, Trapdoors, and Worms

March 1, 1997

In spring 1994, Air Force security officers tracking a computer intrusion suddenly found themselves face-to-face with a horrifying prospect: inadvertent cyberwar–and perhaps worse–between the United States and North Korea.

The Air Force had for weeks been trying to catch a hacker they knew only as “Datastream Cowboy.” From a base that appeared to be located in Britain, Datastream was rampaging through the computers of Rome Laboratory, N.Y., and other defense installations.

He was downloading files and leaving behind “sniffer”[1] programs capable of eavesdropping on sensitive electronic communications. Worse, he was using these same Air Force systems as launching pads for false-flag Internet attacks on other computers–including those of other nations.

On April 15, as Air Force investigators covertly watched, Datastream came online at the Rome Lab system and then quickly gained access to a third computer. On-screen file data identified this other computer as belonging to a “Korean Atomic Research Institute.” The hacker filched all the data on the Korean system, pulling it back and storing it in a corner of Rome’s memory.

The Air Force investigators were shocked. They couldn’t tell if the computer that Datastream had just penetrated belonged to South Korea or North Korea. Had this vandal just stolen the most sensitive secrets of the unpredictable “Hermit Kingdom”? If so, how would the often paranoid and always dangerous North Koreans react?

“Act of War”

The Air Force conducted a full study, results of which were released this year. The report stated, in part, “The concern was that . . . the North Koreans would think the . . . transfer . . . was an intrusion by the US Air Force, which could be perceived as an aggressive act of war.”

As it turned out, there was no actual cause for worry that an enraged Pyongyang would hurl missiles or troops south to retaliate against US forces; the computer in question belonged to South Korea. Datastream himself was no terrorist or foreign military operative but a London teenager named Richard Pryce, who curled up on the floor and cried when police arrived to arrest him.

Still, American officials viewed the incident as a clear wake-up call for the entire Department of Defense. In his brief rampage, one youthful hacker had compromised 30 Rome Lab computer systems. The specter of an international incident and perhaps open conflict flashed before Washington officials. Surely some of America’s adversaries had, or would soon have, the capability to do far worse.

Such incidents have convinced the US government that information warfare is no longer just the stuff of role-playing exercises set safely in the next century. As far as many experts in the US government are concerned, it is already here–and it is time to start planning serious defenses.

“Just as we prepare for a conventional weapons attack, we must be ready for attacks on our computer networks,” said Sen. Sam Nunn, the now-retired Georgia Democrat, during wide-ranging Congressional hearings on the issue last summer.

Today, the Pentagon, the White House, the intelligence community, and many private businesses are spending lots of time considering the implications of a broad subject they have dubbed “IW,” for information warfare.

“Information warfare has become central to the way nations fight wars, and it is critical to Air Force operations in the twenty-first century,” says service guidance issued by Air Force Chief of Staff Gen. Ronald R. Fogleman.

For the military, “information warfare” means much more than providing physical security for defense-related computers. Info war has an offensive component, too, comprising various capabilities for attacking an adversary’s computers, communications, and information sources. It can even cover a time-honored military means of achieving victory: the timely use of superior information about terrain or opposing forces for tactical purposes.

Maj. Gen. John P. Casciano, the assistant chief of staff for Intelligence, spelled out the breadth of IW at AFA’s Los Angeles symposium, held in October. The definition of IW used by the Air Force, he explained, was “any action to deny, exploit, corrupt, or destroy the enemy’s information and its functions; protecting ourselves against those actions; and exploiting our own military information functions.”

It is not a purely modern phenomenon, USAF officials said, but the concept has become much more important in the information age. Satellites, computers, faxes, video cameras, and modems have given today’s military forces a startling capability to create and disseminate information. This flood of data changes battlefield realities, alters conclusions, and redirects actions.

Information technologies have proven to be tremendous military force-multipliers. Their very usefulness creates a defensive problem, however.

Weakness in Strength

“We must recognize . . . that the same qualities making modern information functions so indispensable, make them alarmingly vulnerable,” said Col. Frank Morgan, commander of the Air Force Information Warfare Center, Kelly AFB, Tex.

By itself, the military cannot hope to address every one of these vulnerabilities. The dependence of US armed forces on commercial technologies and communications may represent a weak link in America’s info war armor.

Not too long ago, almost all of the information critical to Air Force planning and execution was transmitted over secure links. Now, 90 percent of it travels through commercial systems, according to service estimates. For instance, service officials point out that fuel orders and logistics data–information essential to the success of a sudden deployment–usually travel over essentially unprotected commercial lines. Blood and medical supplies are ordered the same way. Telemedicine capabilities are becoming increasingly important in the military for long-distance health diagnostics; these capabilities, based on rapid electronic transmissions, are also at risk.

Even something as common as an automatic teller machine might represent a military vulnerability. A sophisticated adversary might be able to track the movements of key military personnel via ATM withdrawal data, for instance. Alternatively, the simple electronic looting of a soldier’s financial accounts could profoundly affect his or her morale.

“We have to streamline our support functions to take advantage of technology and cut down costs, but it means we are more at risk,” said General Casciano.

Furthermore, vulnerabilities of commercial systems could cause problems at a strategic level. IW attacks might play havoc with the US electrical grid, for instance, or decimate commercial banking systems. Clever hackers could redirect speeding trains onto the same track or cause air traffic controllers to misdirect airliners.

Wary of the emerging dangers, the White House last July established a Commission on Critical Infrastructure Protection to weigh the implications of the threat. Members are considering whether it is a truly imminent danger or possibly an overhyped annoyance. “Is [the IW problem] a Sherman tank coming at us, or is it just a kid carrying a Ping-Pong paddle?” asks Roger Molander, a Rand Corp. analyst and one of the country’s foremost experts on IW. “No one really knows.”

Most of the weapons of IW are themselves composed of electrons and focus on software.

Worms on the March

For years, hackers have been using the simple technique of guessing the passwords needed to enter remote computing systems. (The word “password,” for instance, is a more common password than one might think.) Once inside a computer’s cyberspace, vandalism can be easy. More sophisticated users can then insert a self-replicating program, often known as a “worm.” Churning worms keep growing and growing, taking up more and more memory, and eventually jam system software.

The spread of powerful personal computers has made it possible for hackers to crack password defenses simply by trying many possible combinations of letters. Once inside, the covert insertion of a software “backdoor” allows adversaries to reenter a system at will. Another hacker tool–the “sweeper”–will do just what its name suggests: sweep all data banks clean of their information. “Sniffers” are eavesdropping programs that monitor electronic communications, providing useful intelligence analogous to that achieved by wiretapping telephones.

Today, however, the highest form of software attack may be what is called “packet forge spoofing.” This activity results in the subtle–and secret–alteration of data. A file containing an adversary’s order of battle, for instance, may suddenly show a fighter squadron where none existed before. The idea, explained one defense contractor whose firm works on the offensive side of cyberwar, is simple. “It’s much better to get a guy’s system to give him wrong information than no information at all,” he said.

Moreover, powerful workstations are not necessary to create these weapons. The attacks on Rome Lab were launched from the computer equivalent of a Cessna prop plane; it was a slow, 25-megahertz, 486 SX desktop computer whose hard drive contained only 170 megabytes of space. After all, a whole arsenal of IW software is openly posted at various sites on the Internet. Log in, point and click, and–presto!–you’re an electron warrior.

Other tools could directly target the embedded computers in aircraft and other high-tech weapon systems. Directed energy bursts, for example, might fry an aircraft’s avionics, and the alteration of Global Positioning System navigation data could put a long-range bomber far off course. Flight controls might be disabled through radio-frequency insertion of corrupt computer codes.

Defense planners also maintain that the physical destruction of crucial computer assets qualifies as an act of information war. Such activity might be as simple as attachment of a powerful magnet to a hard drive by special operations forces or as blunt as an old-fashioned laser-guided bomb down the air vent of an underground computer center.

Air Force officials separate the IW threat into three categories, of varying degrees of danger.

  • The thrill-seeking hackers–or “ankle biters,” in General Casciano’s phrase–who pose the most limited challenge. Datastream Cowboy was an archetype of this threat.
  • Freelancers with a purpose. These can range from a lone individual with an antinuclear agenda to subnational groups, such as the Strano Leftist Network, a loose Internet-oriented Italian agglomeration that recently launched politically oriented attacks on computers in France and Mexico.
  • Nation-states. US officials worry that info war might take place on something of a level battlefield. For example, production of stealth aircraft takes a huge national investment, but the production of a truly deadly computer virus might be cheap enough for even the poorest government to afford.

250,000 Hacks

The threat no longer is theoretical. A recent General Accounting Office study estimated that Pentagon computers absorb some 250,000 hacker attacks per year–and that 65 percent of these attacks are at least partially successful. In late 1996, most DoD information on the Internet had to be temporarily shut down after a hacker damaged an Air Force home page on the World Wide Web.

Most hackers tend to scoff at the notion that they represent a national security threat. The overwhelming majority of them, they point out, target military computers that handle unclassified information. Even so, their actions can be costly and exasperating. Some hackers do gain access to sensitive areas: Datastream Cowboy managed to make off with communications that had been classified “secret.” In the late 1980s, the so-called “Hannover Hacker” attacked US systems, searching for data to sell to the East German government.

As for other nations, about 18 have active defensive or offensive IW programs, according to Air Force documents.

To date, it is not clear whether and to what extent this activity constitutes a direct threat to the US. The US National Intelligence Council has produced a classified report on known foreign efforts or plans to attack crucial national data networks, such as the Defense Switched Network telephone system. Officials have not revealed its conclusions publicly, though they acknowledge that computer-assisted intrusions into the systems used by banks and other financial institutions have so far been isolated, with the goal limited to theft.

John M. Deutch, then CIA director, told Congress last summer that such incidents may begin to threaten the nation’s economic well-being if they increase. “In addition, we do not fully understand the real source and purpose of these events,” he said. “Some may be sponsored by foreign adversaries in support of broader political, economic, or military goals.”

Three Thrusts

Information warfare is currently the focus of three general, overlapping efforts within the US defense-industrial structure. One of these efforts centers on activity in think tanks. Science Applications International Corp., for instance, recently launched a Center for Information Strategy and Policy to run seminars and produce papers on the subject, as well as systems planning and crisis simulations. Rand Corp. has carried out ground-breaking IW work, including several well-attended game-playing exercises for government officials. A 1995 game focused on a Persian Gulf War scenario, with Iran attempting to destabilize Saudi Arabia. The game setup called for Iran to use such methods as destruction of a Dhahran refinery by meddling with its computerized controls. In 1996, the Rand story line was tension between China and Taiwan. Sixty mid- to upper-level US officials attended.

The other hotbeds of IW thinking are, first, the Pentagon and the armed services and, second, the White House and the intelligence community.

Within the US military, all evidence is that the services take IW seriously. All branches, for instance, have headquarters staff position papers on the subject that are in various stages of development. The Air Force seems clearly out in front when it comes to IW planning. That’s not just the opinion of USAF leaders, either.

“The Air Force is furthest along,” says Rand’s Mr. Molander. “They’ve got some good training programs going.”

USAF leaders have rejected any notion of a separate IW command and say, instead, that all major commands must be ready to conduct defensive info war functions.

Specialized organizations established so far include the 609th Information Warfare Squadron, a prototype unit located at Shaw AFB, S. C., that studies the use of offensive and defensive IW tactics and techniques, and the Air Force Information Warfare Center, charged with developing and maintaining general IW capabilities.

AFIWC has been up and running since 1993 at Kelly AFB. Its experts were crucial in cracking the Datastream case. AFIWC hacker teams travel throughout the Air Force to assess computer security at individual Air Force bases. For instance, a recent AFIWC simulated attack on Charleston AFB, S. C., breached six computer systems–with two of these taken over completely. These attack techniques range from sophisticated cracking efforts to such simple acts as flipping over user mouse pads and keyboards in search of passwords written down by forgetful users.

Under the Base Network Control Center initiative, the Air Force is building electronic “fences” around all of its installations. This $68 million effort will erect data fire walls between base local networks and the Internet and other commercial communications providers, while providing network monitoring equipment to detect any hacker intrusions.

For the near future, the most significant Air Force IW item concerns education, according to officials. Air University has produced a video on the subject, called “Cyberstrike,” and is now circulating it around the Air Force. Maxwell AFB, Ala., home of Air University, is offering two IW courses–a three-day version for general officers and senior civilians and a five-day version for others. USAF’s first Information Warfare Training Lab is now open for business at Goodfellow AFB, Tex.

Surprise Attack

Not everyone believes the Pentagon is taking information warfare seriously enough or is putting enough resources into its efforts. In January, the Defense Science Board, issuing a report on defenses against IW, warned that the nation faced a possible electronic Pearl Harbor in the near future. DSB members are recommending that DoD spend at least $3 billion more than planned on IW over the next five years.

The study concluded that the Defense Department needs to designate a focal point for IW in the Pentagon. It recommends establishment of a Pentagon-wide electronic “aggressor” team to help assess vulnerability. And it says that R&D spending in the area needs to be expanded.

Though today’s commercial products can provide some quick protection for the military’s 2.1 million computers, they generally aren’t able to handle the sheer scale of the Pentagon’s distributed computer environment, according to the DSB. One particular need: a system that can automatically track an attack to its source. In addition, said the DSB report, the US needs to be prepared for the aftermath of a determined IW attack. That means identifying and hardening a minimum essential information infrastructure–a limited fail-safe system capable of surviving large outages and performing critical defense functions.

“The infrastructure must be designed to function in the presence of failed components, systems, and networks,” concluded the study. “The risk . . . must be managed since it cannot be avoided.”

The DSB is not the only high-level government group working on the overall IW problem. The President’s Commission on Critical Infrastructure Protection is charged with looking at vulnerabilities in broad commercial systems, including telecommunications nets, electrical power systems, supply systems, banking, and transportation. The panel expects to issue its own report in early summer.

Protection of these high-level strategic targets may be the most challenging–and important–aspect of IW as the twenty-first century approaches. That is because the Pentagon needs to maintain its access to such systems, yet it cannot exert much control over how they defend themselves.

Mr. Molander, the Rand analyst, warned, “The services are in no position to foster protection for these elements of the infrastructure, which they’re going to depend upon.”

Defense officials point out that big commercial systems, by their very nature, foster interaction with the outside world and with potential problems. Banks judge themselves successful if they can convince more people to use their ATM networks. Cellular phones are spreading around the world faster than any electronic technology since television, yet in some markets they’re already losing up to 30 percent of their revenue via fraud.

“Information warfare has no front line,” says a comprehensive Rand study of the subject. “In addition, the means of deterrence and retaliation are uncertain and may rely on traditional military instruments in addition to IW threats. In sum, the US homeland may no longer provide a sanctuary from outside attack.”

Peter Grier, the Washington bureau chief of the Christian Science Monitor, is a longtime defense correspondent and regular contributor to Air Force Magazine. His most recent article, “The Jet Age in Review,” appeared in the February 1997 issue.

[1] SNIFFER is a registered trademark of Network General Technology Corp., a wholly owned subsidiary of Network General Corp. The Network General SNIFFER product should not be confused or mistaken with any other products.