[Infowarrior] - Red storm rising

Richard Forno rforno at infowarrior.org
Mon Aug 21 09:04:37 EDT 2006


http://www.gcn.com/print/25_25/41716-1.html

Red storm rising
08/21/06
By Dawn S. Onley and Patience Wait

DOD's efforts to stave off nation-state cyberattacks begin with China
    
A growing band of civilian units inside China is writing malicious code and
training to launch cyberstrikes into enemy systems.

And for many of these units, the first enemy is the U.S. Defense Department.

Pentagon officials say there are more than three million daily scans of the
Global Information Grid, the Defense Department's main network artery, and
that the United States and China are the top two originating countries.

"China has downloaded 10 to 20 terabytes of data from the NIPRNet (DOD's
Non-Classified IP Router Network)," said Maj. Gen. William Lord, director of
information, services and integration in the Air Force's Office of
Warfighting Integration and Chief Information Officer, during the recent Air
Force IT Conference in Montgomery, Ala.

"They're looking for your identity so they can get into the network as you,"
said Lord, adding that Chinese hackers had yet to penetrate DOD's secret,
classified network. "There is a nation-state threat by the Chinese."

People's Liberation Army writings in recent years have called for the use of
all means necessary, including, or particularly, information warfare, to
support or advance their nation's interests.

To China's PLA, attacks against DOD systems would be the first salvo in a
long-term strategy to cripple the U.S. military's ability to communicate and
deliver precision weapons.

A big part of the strategy is the PLA's civilian units: IT engineers drawn
from universities, institutes and corporations. The PLA views these militias
as its trump card and a way of asserting virtual dominance to paralyze the
United States and other potential adversaries.

The U.S. military is familiar with China's approach. In fact, its own
strategy in cyberspace is similar to the PLA's; the two countries' doctrines
and strategies almost mirror one another.

It is unclear how aggressive a posture the United States is taking when it
comes to defending against cyberattacks. But DOD certainly is paying
attention to China's offensive aggression, and even considering offensive
actions of its own, Lord said. "But the rules of engagement have to change
before we're fully engaged in cyberspace."

Taking advantage

The Pentagon has made net-centricity the core of its transformation into a
modern military force, and it seeks ways to create a vast web of information
accessible at every level of the warfighting operation, from ground troops
to pilots, command staffs to logistics operations.

China, recognizing America's dominance in C4 (command, control,
communications and computers), wants to disrupt or even remove that
advantage, experts have said.

If the armies of bygone days traveled on their stomachs, future armies will
travel on invisible threads of data.

But the concern should not be limited to DOD. All federal agencies have to
be aware of the Chinese view of information warfare.

Chinese military writings make it clear that in cyberspace there are no
boundaries between military and civilian targets. If crashing a country's
financial system through computer attack will paralyze the foe, that's all
part of the new face of war.

If DOD, the most security-conscious of all federal agencies, can be attacked
and have information stolen, then other agencies must seem like low-hanging
fruit by comparison.

China is not the only country targeting DOD systems. John Thompson, chairman
and chief executive officer of Symantec Corp. of Cupertino, Calif., told the
audience at the Air Force conference: "There are at least 20 nations that
have their own cyberattack programs." He said there is no way to know how
many terrorist organizations have launched similar efforts.

But China, the largest country by population at 1.3 billion, third in area,
and among the fastest-growing economically, gets the most attention, in part
because it is the single largest source of cheap goods sold in the United
States, including technology.

While Defense and Homeland Security department officials are reluctant to
make pointed accusations, events in cyberspace show how the two countries
are jockeying for position in preparation for "virtual" conflict.

From at least 2003 to 2005, a series of coordinated cyberattacks hit U.S.
military, government and contractor Web sites with abandon. The systematic
intrusions, collectively dubbed Titan Rain, attacked hundreds of government
computers.

Time magazine reported last year that the incursions originated on a local
network that connected to three routers in Guangdong Province, though U.S.
officials still offer only generic comments about this and other published
reports about Titan Rain.

"What I can say about this is [that] we have seen some attempts at access to
our network. We've seen some of that from China," said Air Force Lt. Gen.
Robert Kehler, deputy commander of the U.S. Strategic Command. "We are
seeing attacks that traversed through China. I can't say with any real
assurance that that's where they start," added Navy Rear Adm. Elizabeth
Hight, deputy director of DOD's Joint Task Force for Global Network
Operations.

A military attaché at the Chinese Embassy in Washington insisted that, to
his knowledge, Beijing "does not want" to use hackers to attack the United
States.

"The official answer is, I have no idea about this," said Sr. Col. Wang in a
brief telephone interview.

The fallout from this cybercampaign continues among other agencies.

In June, the Energy Department revealed that names and other personal
information on more than 1,500 employees of the National Nuclear Security
Administration had been stolen in a network incursion that took place more
than two years ago. NNSA didn't discover the breach for more than a year
after it happened.

Officials would not confirm for the record that the data breach was part of
Titan Rain, but Alan Paller, research director for the SANS Institute of
Bethesda, Md., called it "an example of the kind of attack and extraction
that [has been] going on for the last 2½ years."

Also in June, hackers broke into State Department unclassified networks. In
this incident, investigators believe the hackers, who they say launched the
attacks from East Asia, stole sensitive information and passwords and
planted back doors in unclassified government computers to allow them to
return at will, according to a CNN story.

'Tip of the iceberg'

"Any average computer geek knows about spyware, viruses and the countless
other hardware and software devices and capabilities that could jeopardize
the security of our networks and the information they contain," Michael
Wessel, a commissioner with the U.S.-China Economic and Security Review
Commission, said in May. "These, of course, are only the tip of the
iceberg."

And DOD is not alone in trying to keep out hackers from China and other
nation states.

"On the commercial side, Internet usage and broadband adoption from China
has grown," said Betsy Appleby, vice president of the public sector at
Akamai Technologies of Cambridge, Mass., and former Net-Centric Enterprise
Services program director at the Defense Information Systems Agency.
"Specifically considering that the Chinese government is pretty much in
control, you can do the math and figure it out."

China has existed as an identifiable society for more than 6,000 years. Its
name for itself, in Chinese, is Jhongguo, or Middle Kingdom, sometimes
characterized as the land below heaven but above the rest of the world. The
country has been under Communist rule for less than 60 years. The
millennia-old expectation that China rules, or should rule, "all under
heaven" is a permanent subtext in the country's psyche, many Sinologists
believe.

This gives the Chinese great patience; its leaders may take a decades-long
view of a problem and its possible solutions.

So what the United States characterizes as attacks on its military networks
could, to the Chinese, be in-depth reconnaissance.

"If you were an adversary, and you wanted to assess somebody's strengths and
weaknesses, one of the ways to do it would be to probe their defenses, so
you would want to take a look at their computer situation," said John Stack,
enterprise architecture and security solutions manager for Northrop Grumman
Information Technology's Defense Group of McLean, Va.

For more than a decade, the Chinese military has observed how DOD is
modernizing its troops and tactics. The first Gulf War was considered "a
watershed event" in terms of how the Chinese viewed future warfare,
according to the Defense Department's 2004 Annual Report on The Military
Power of the People's Republic of China.

"The PLA noted that the rapid defeat of Iraqi forces, which resembled the PLA
at that time in many ways, revealed how backward and vulnerable China would
be in a modern war," the report said. "The Gulf War also spurred internal
PLA debate on the implications of an emergent revolution in military
affairs, in which the conflict became a point of reference for efforts to
build capabilities in command, control, communications, computers,
intelligence, surveillance and reconnaissance, information warfare, air
defense, precision strike and logistics."

"There have been Chinese writings for over a decade regarding the People's
Liberation Army studying cyberwarfare and evolving concepts toward
development of information warfare doctrine," said a Defense Intelligence
Agency spokesman.

Perhaps one of the most important milestones was the 1999 publication in
China of Unrestricted Warfare, a book authored by two colonels in the PLA,
that was generated by the PLA's observations on Desert Storm. The CIA's
Foreign Broadcast Information Service obtained and translated it, and it can
now be found on the Internet.

"The new principles of war are no longer 'using armed force to compel the
enemy to submit to one's will,' but rather are 'using all means, including
armed force or nonarmed force, military and nonmilitary, and lethal and
nonlethal means to compel the enemy to accept one's interests,'" the
colonels wrote.

The book argues that the spread of IT and access to the Internet has removed
traditional boundaries and expanded the arena beyond traditional
warfighters.

"[T]his kind of war means that all means will be in readiness, that
information will be omnipresent, and the battlefield will be everywhere,"
the colonels wrote. It "also means that many of the current principles of
combat will be modified, and even that the rules of war may need to be
rewritten."

The DIA spokesman said a Chinese major general recently described
information warfare "as containing six elements in its application:
operational security, military deception, psychological warfare, electronic
warfare, computer network warfare and physical destruction."

Getting the edge

The PLA¹s new information warfare focus illustrates a growing recognition
that cyberattacks launched against the U.S. military could give China a
decisive advantage in the event of a crisis.

One such crisis scenario, according to people who have studied the issue,
would be the prospect of American intervention to aid Taiwan in the event of
an attack from China. A 1979 law requires the United States to defend the
island nation from attack.

Chinese leaders have a conundrum of their own: how the People's Liberation
Army can move against Taiwan but forestall U.S. action long enough to make
it a fait accompli.

"For the PLA, using [information warfare] against U.S. information systems
to degrade or even delay a deployment of forces to Taiwan offers an
attractive asymmetric strategy," wrote James Mulvenon in 1998. Mulvenon is
deputy director for advanced analysis at the Defense Group Inc.'s Center for
Intelligence Research and Analysis in Washington, and widely regarded as one
of the foremost authorities on the Chinese military's use of IT.

"American forces are highly information-dependent and rely heavily on
precisely coordinated logistics networks," he wrote. "If PLA information
operators ... were able to hack or crash these systems, thereby delaying the
arrival of a U.S. carrier battle group to the theater, while simultaneously
carrying out a coordinated campaign of short-range ballistic missile
attacks, 'fifth column' and [information warfare] attacks against Taiwanese
critical infrastructure, then Taipei might be quickly brought to its knees
and forced to capitulate to Beijing."

This is the role of information warfare, many experts now believe:
Cyberattacks on military C4 systems will amplify the effects of kinetic
weapons, to bring matters to a swift conclusion with a minimum of bloodshed.

Rear Adm. Hight, of JTF-GNO, said DOD is taking note of the incursions and
data extractions, and looking at the department's defensive measures.

"Our daily efforts are all about assessing and mitigating risks. We are
students of Sun Tzu and other philosophical thinkers who have a wonderful
way of capturing warfighting concepts," Hight said. "The key to this type of
warfare is just what you might think of as traditional warfare. You can't
forget the foundations. You can't forget the basics. The cyberworld relies,
in many cases, on foundational concepts in terms of how you protect it."

America's standing as the current sole superpower is a source of internal
conflict for Chinese policies, said James Gilmore III, former governor of
Virginia and now with Kelley Drye Collier Shannon's Homeland Security
Practice Group, a Washington law firm. He was chairman of the Advisory Panel
to Assess Domestic Response Capabilities for Terrorism Involving Weapons of
Mass Destruction, created by the Clinton administration in 1999.

"An adversary or partner of the U.S. ... They are prepared to be either
one," Gilmore said. Should its leaders feel it is in their
interests, China would seek to "disrupt the DOD's capacity to communicate
overseas and maneuver their people," he added.

Cortez Cooper III, director of East Asia Studies with Hicks and Associates
Inc., a defense and national security consulting company in McLean, Va.,
told the U.S.-China Commission that the Chinese understand their military
focus must use niche capabilities to counter the moves of a technologically
superior adversary that might challenge their interests.

Rehearsing both roles

To address the cybersecurity threat, DOD and intelligence officials are
playing both offensive and defensive roles.

Pentagon officials acknowledge DOD is developing capabilities to deny an
adversary the use of its own computer systems to attack U.S. computer
networks.

JTF-GNO is tasked with operating and defending the GIG, while the National
Security Agency has the responsibility for the "nondefensive parts of
operations in cyberspace," according to Army Maj. Gen. Dennis Moran, vice
director for command, control, communications and computer systems for the
Joint Chiefs of Staff.

As "part of a good defense, and I don't care if you're defending a forward
operating base in a country, or no matter what it is physically, you do a
very good analysis of what your vulnerabilities are. And there have been
analyses within the department to determine what we need to protect and how
should we prioritize our resources," Moran said.

"The resources required to provide that defense are being allocated against
those priorities," Moran said. "Now, I'm certainly not going to talk about
those in detail, because that would certainly be an opportunity to tell
someone these are what we are concerned about."

But Moran did talk about the protocols DOD has been working on to improve
its network security posture.

"If you look at the whole net-centric strategy that we have in the DOD, the
focus is, first of all, identify your data, then appropriately tag that data
so it can be made available to other people who are authorized users," Moran
said. "We are putting in place a service-oriented architecture across the
GIG which is able to find, locate and securely move that data to an
application. Security is a critical tenet to this whole architecture,
because if you're doing business one way and (another agency) is doing
business another way, we are creating seams that an intruder can take
advantage of."

Kehler said DOD officials also are mandating full public-key infrastructure
implementation for user authentication, requiring automated patch management
and looking in the mirror to increase the department¹s defensive position.

"We're looking at ourselves pretty hard to understand where our
vulnerabilities are," Kehler said. "Sometimes we find that our worst enemy
in protecting our information is ourselves. In order to make things better
faster, sometimes our people leave doorways open into our network."

The key to closing those doorways is a layered defense-in-depth strategy,
Hight said.

"We don't have a single approach. We're trying to protect the house by
locking the doors, locking the windows, making sure wires that come in and
out of the house are protected," Hight said. "Our organization is very
transient, so as we get systems administrators moving around the world, we
want to make sure they know they have a consistent and well-defined set of
procedures that they adhere to and provide consistent protections for the
network."

To accomplish this, JTF-GNO is looking at the best way to train Defense
employees on cybersecurity mechanisms, what types of protective software to
employ and how to standardize processes.

Additionally, Hight said, the organization soon will release a Network
Operations Concept of Operations (Netops/Conops) document, which will detail
for military personnel how to secure their systems.

Hight said the document describes three basic concepts that make up the
department's larger doctrinal view:

    * Ensuring systems and networks that deliver information are available
    * Ensuring information can move freely from one point to another
    * Ensuring information is protected at the right level.

"When you go to Amazon.com, you can see what Amazon chooses for you to see,
their book titles and other information. You can't see Amazon's financial
information, because they mask that from you," Hight said. "So the
protection of information might be something as simple as where you put that
information and [whom] you make that available to."
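Moran's "identify your data, then tag it so it can be made available to authorized users" and Hight's "protect it at the right level" describe the same mechanism: a sensitivity tag on each record, and a check that a requester's clearance dominates that tag before the data is released. The following is an added illustration written for this page, not code from GCN, DOD, JTF-GNO or anyone quoted in the article. The level names, the need-to-know compartments, the rule that non-public data requires certificate-based (PKI) authentication, and all sample records and requesters are constructed assumptions.

```python
"""Tag-based read authorization, modelled on the data-tagging and
"protect at the right level" ideas in the article. Added example; every
name, level and record below is constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordered sensitivity levels (constructed; the article itself names only
# unclassified and classified networks).
LEVELS: Dict[str, int] = {"PUBLIC": 0, "UNCLASSIFIED": 1, "SECRET": 2}


@dataclass(frozen=True)
class Label:
    """The tag a data item carries: a level plus need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()


@dataclass(frozen=True)
class Principal:
    """A requester: what they are cleared for and how they proved who they are."""
    name: str
    clearance: Label
    authenticated_by: str  # constructed values: "pki" or "password"


@dataclass(frozen=True)
class Record:
    name: str
    label: Label
    body: str


def dominates(clearance: Label, label: Label) -> bool:
    """A clearance dominates a label when its level is at least as high and it
    holds every compartment the label names (the usual lattice check)."""
    return (LEVELS[clearance.level] >= LEVELS[label.level]
            and label.compartments <= clearance.compartments)


def authorize_read(user: Principal, record: Record) -> Tuple[bool, str]:
    """Decide whether `user` may read `record`; returns (allowed, reason).

    Hypothetical policy, modelled on the article's full-PKI mandate: anything
    above PUBLIC is served only to a requester who authenticated with a
    certificate, and then only if their clearance dominates the record's tag."""
    if record.label.level != "PUBLIC" and user.authenticated_by != "pki":
        return False, "non-public data requires certificate-based authentication"
    if not dominates(user.clearance, record.label):
        return False, (f"clearance {user.clearance.level}/"
                       f"{sorted(user.clearance.compartments)} does not dominate "
                       f"{record.label.level}/{sorted(record.label.compartments)}")
    return True, "ok"


def render_view(user: Principal, records: List[Record]) -> Dict[str, str]:
    """Hight's Amazon analogy: every requester sees the same list of names,
    but a record body is returned only when the authorization check passes."""
    view: Dict[str, str] = {}
    for rec in records:
        allowed, _ = authorize_read(user, rec)
        view[rec.name] = rec.body if allowed else "[withheld]"
    return view


# Constructed sample data: three tagged records and three requesters.
RECORDS = [
    Record("press_release", Label("PUBLIC"), "Base hosts community open day"),
    Record("supply_schedule", Label("UNCLASSIFIED", frozenset({"LOGISTICS"})),
           "Fuel convoy departs 0600"),
    Record("deployment_plan", Label("SECRET"), "Carrier group sails on D+2"),
]
PUBLIC_VISITOR = Principal("visitor", Label("PUBLIC"), "password")
SUPPLY_CLERK = Principal("clerk", Label("UNCLASSIFIED", frozenset({"LOGISTICS"})), "pki")
ANALYST = Principal("analyst", Label("SECRET"), "pki")


if __name__ == "__main__":
    for who in (PUBLIC_VISITOR, SUPPLY_CLERK, ANALYST):
        print(who.name, render_view(who, RECORDS))
```

Two points the code makes that the quotes only imply: a higher level alone is not enough (the SECRET analyst is refused the LOGISTICS-tagged schedule because need-to-know is a separate dimension), and the strength of the authentication that produced the identity is itself an input to the decision, which is what Lord's warning about attackers "getting into the network as you" turns on.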

The exploitation of network weaknesses doesn't mean that more traditional
forms of espionage targeting cyberassets can be overlooked. For instance, in
August 2001, U.S. Customs officers arrested two men for trying to export
military encryption technology to China.

What's a real threat?

Four months earlier, enraged Chinese hackers had defaced dozens of U.S.
military Web sites following the collision of a U.S. surveillance plane and a
Chinese fighter plane. The Chinese pilot died as a result of the accident. Is
that kind of threat, whether from China or another country, real? John Hamre,
president and chief executive officer of the Center for Strategic and
International Studies, believes so. He served in the 1990s as comptroller,
then deputy secretary of Defense.

"I was so deeply involved in cybersecurity issues when I was the deputy
secretary, but have not been involved in these issues since," he said. "I
continue to believe that cyberthreats will overwhelmingly be from competent
national state security elements, and that intelligence is the higher goal,
not disruption." Still, Donavan Lewis, chief of the Defense Intelligence
Agency's threat analysis division, wants the United States to think more
about long-term trends.

"China has shifted its dependence away from the United States to [countries
such as Malaysia and South Korea], while our dependence on them has grown,"
he said during a Defense conference in Salt Lake City in May. "We've got to
adjust our thinking, our calculus about how we put together a system of
systems."

He admits to being worried about the possibility that "subversive
functionality could be embedded" in technology.

"The Defense acquisition community is not used to thinking of itself as part
of computer security," he said.

© 1996-2006 Post-Newsweek Media, Inc. All Rights Reserved.