Lately, we've been hearing a lot about "Information Warfare" - a catch-all term for technological attack and counter-attack against computing and electronic systems. We've been treated to stories such as TIME Magazine's fictional account of an InfoWar attack on the United States, in which chaos is produced by a concerted disruption of telephone systems and automated teller machines. A recent novel describes an Iraqi-chartered cyberninja who tries to destroy the entire US nuclear command and control network. Semi-credible sources describe spine-chilling scenarios of aircraft knocked out of the sky by directed electronic radiation cannon, and industrial spies reading computer displays from across the street using hypersensitive electronic listening systems. Does it all sound like a hodgepodge of the feverish imaginings of science fiction writers, cyberpunks, and Tom Clancy wannabees? It does. Because most of it is.
Most of the technology driving the InfoWar fad is very old. In his book Spycatcher, Peter Wright describes British intelligence agents' attempts to read video cameras' signals inside foreign embassies as early as the 1960s. Indeed, the US Government's TEMPEST specifications describe the type of shielding necessary for certain types of communications equipment, intended to prevent exactly the types of attacks we've just described. These are known forms of attack and the defenses against them are equally known. What's new and different about them? Mostly, they're being marketed and talked about openly, rather than in the hush-hush world of covert operatives, defense contractors, and subscribers to Soldier of Fortune Magazine.
As security practitioners we seem to have forgotten the basic rules of evaluating risks and their likelihoods which are a vital part of deciding on an appropriate response. In other words, nobody should discount these InfoWar attacks as impossible - they certainly are not - but they need to be considered in their place within the complete spectrum of threats against our computing/information infrastructure. If you're an ordinary citizen, and someone walks up to you, and starts telling you that you need insurance against meteorite damage, you're a fool if you don't consider whether you're more likely to have a fire than to be hit by a meteor, and you should protect yourself accordingly. In the case of InfoWar, you should also find out if the individual in question just happens to have a meteorite insurance policy they'd like to sell you. What an amazing coincidence!
Are we facing a real threat, or are we being presented with solutions in need of problems? The answer is a bit of both. There are real threats to our information infrastructure and someone who was sufficiently motivated could take advantage of them. Before we buy meteorite insurance, however, we need to make sure our security is balanced across the likely range of threats first. We need to address the likely targets before we spend a lot of time and money on the less likely ones.
I see this problem often when I'm asked about Internet security: "what about hackers breaking into our network through the Internet?" Usually, after a bit of looking around, it turns out that the network is at least as vulnerable to break-ins from the average user's desktop and the copy of PC Anywhere installed on it, as it is to attacks from over the Internet. Even in cases where there are no PCs with modems on desktops, it is often easy to walk into the building and find a room with an ethernet drop. The question to ask yourself, before you get really worried about a fancy attack is, "am I currently vulnerable to a really simple one?" If the answer is yes, then worry about the fancy attacks later. Defend against the simple attacks first. This is especially the case if the simple attack is easier, cheaper, and more effective than the fancy one! Don't worry unduly about a cyberninja crashing your network if a chainsaw applied to a utility pole can do the job just as easily and more permanently.
When considering what attacks are easy, cheap, and effective, we need to look closely at the most commonly offered scenario of InfoWar: a third-world tinpot dictatorship decides to attack the USA by destroying our information infrastructure and rendering us helpless. Usually, the novelist who write these stories are careful to have the cyberninjas who perform the attack be hirelings (presumably American college undergrads) who are amoral, technically super-skilled, completely without histories, and available for hire. Setting aside the technical problems of finding such a person, the scenario is one of basic state-sponsored terrorism. The goal is to disrupt communications, scare people, shake their confidence in their personal security, and cause them to expend huge resources trying to control the political and physical damage that they have suffered.
State-sponsored terrorism is popular because terrorists are cheap and easy. It doesn't cost much to inject a few fanatics into a target country, arm them, and set them out to commit mayhem. Let's compare the typical fanatical terrorist with a cyberninja:
|Level of training||foreign language helps||high|
|Equipment||money, guns, fertilizer, fuel oil||very specialized|
|Cost||dirt cheap||high hourly|
Remembering that the goal of the terrorist is fear and chaos, ask yourself which is scarier:
1) Loud explosions, smoking holes, bloody wreckage, brought into the living room live by CNN.
2) The automatic teller machine or telephone stops working mysteriously.
A year ago, a group of terrorists that periodically lobbed mortar bombs at London's Heathrow airport managed to frighten countless tourists, get worldwide press coverage, delay flights, and effectively make their point. Fortunately they didn't manage to hurt anyone. Ordinary terrorist methods are effective enough - it seems unlikely that anyone will hire a cyberninja to crash the computers on Wall Street when a car bomb will work better. Why would a terrorist waste the time to hack the air traffic control system to crash aircraft (imagine the compatibility problems!) when there is already ample evidence that it's possible to get a bomb onto a plane. From the standpoint of the Good Guys beefing up bomb detection technology seems to be a better investment than hackproofing the ancient computers that run air traffic.
I'm concerned that our government may decide that offensive InfoWar is worth developing proficiency in. InfoWar sounds so much cleaner than "state-sponsored terrorism" but it's hard to see a difference. Terrorizing, disrupting, or destabilizing an enemy's economy or populace is categorically not an extension of politics by other means. Marketing InfoWar as cool, technologically hip stuff conveniently hides the fact that practicing it may be morally wrong. Bombing enemy command-and-control systems is more effective than crashing their stock market. If we learned one thing from the strategic counter-populace bombing campaigns in WWII and the Vietnam war, it should be a respect for the stubbornness of humans under fire. Civilians have survived months in Sarajevo without electricity, let alone telephone service, automatic teller machines, and Internet access.
Much of the InfoWar label includes basic military intelligence operations. I suspect that's one reason it is so popular. In a time when our intelligence community is constantly getting bad press, and skeletons are popping out of closets, it is convenient to have a new post-Soviet threat to justify budget dollars. As a fellow cynic neatly described it, "Information Warfare is computer security with money."
As with the terrorism problem, the InfoWar proponents are advocating spending a huge amount of money to try to solve a problem that we're not addressing effectively even when the attackers are using low-tech attacks! What is the point in hiring a cyberninja or crawling around with a video-snooper gun when you can buy an Aldrich Ames for a few hundred thousand dollars. There will always be Kim Philbys that betray their countries for ideology. Historically, people are one of the biggest weaknesses in security systems. Perhaps we invest so much effort in the mechanical parts of the system because we know in our heart of hearts that they're the only part we really can control.
The proponents of InfoWar appeal to industry as well as to the Department of Defense. The threat is loss of trade secrets, time to market, patents, downtime, and damage to reputation. These are all risks that corporations have been facing since capitalism was invented. Is it good business practice to hire your competitors' top people by offering them better wages, or is it InfoWar? Many companies have strategic market analysts on staff - shall we re-title them InfoWarriors? Perhaps it's only InfoWar when it's illegal. There's been plenty of that to go around, too.
A recent issue of 2600 Magazine describes techniques for hackers to get jobs as janitors at financial and high tech companies. Doubtless this is InfoWar. It's also common sense. Any organization that has staff in potentially damaging positions of responsibility has a duty to be careful who they hire, or be prepared to perish. Still - the occasional Ames or Philby is going to happen.
If you're concerned about InfoWar, follow common sense security practices. Encourage others to do so. US businesses show a strange mix of incredible nonchalance and insane paranoia about security problems. Until we learn to think clearly and consistently about security, we will be vulnerable to the unexpected attack. One of the reasons we don't think clearly and consistently about security is because we've trained ourselves to knee-jerk in response to computer security hype. There are many many CIOs who believe Internet is a major threat but desktops with PCanywhere is not. That's because Internet security problems are newsworthy, but little slip-ups are not.
This is why I believe that hyping InfoWar is unwise. One the one hand, many security professionals believe that "any attention about computer security is good" but on the other hand, what we're getting is lopsided attention that erodes faith in the viability of the system. It is a short-sighted security professional who scares his customers AWAY as part of scaring them into doing business. Convincing people our information infrastructure is so vulnerable to attack that it's not useable without spending billions of dollars is, perhaps, itself a form of InfoWar that will scare people into rendering it useless.
We need to encourage people to think about security by prioritizing risks and fixing the worst problems before worrying about the distant ones. Don't buy meteor impact insurance. Buy fire insurance. And before you've bought fire insurance, buy a smoke detector and an alarm system.
Who's making money from InfoWar? Budgets are being re-aligned in the post-Cold War defense establishment, and a certain amount of mission juggling is taking place. The old guard of computer security spent millions of dollars and years trying to solve some of the very intractable problems of computer security. With the stunning success of the Web, open networks, and Internet, it's a good career move to re-align oneself with the new technology.
There are some blatant attempts to capitalize on Info War fears. Recently, a US-based security consultant "broke" the news that a number of banks in Europe had been subjected to Info War-type attacks and extortion. Some of the claims made were quite scary: millions of dollars had been paid to invisible and uncatchable attackers that had disabled bank systems remotely. "Off the record" comments from "NSA Officials" and "bank officers" hinted at a coverup. As members of the security community scrambled to corroborate the story, nobody came forward - the entire story seems to have been wildly exaggerated based on a single case in which an employee attempted to extort management at a bank after they had been terminated: nothing really happened. Why was everyone ready to believe this story? Partly because the Info War hype has already gained significant mindshare among the technically illiterate. These kinds of scare tactics by unscrupulous consultants and fear-mongers are completely unethical: Perhaps they are the only real case of Info War I've ever seen.
Two years ago, any research proposal that had the word "Internet" in the title was a shoo-in for funding. Now it's "InfoWar" or "Internet Security." That's good news for the security community, since many of us feel that security is finally getting some of the attention it deserves, but we need to be careful not to be irresponsible in our duty to our customers. We need to fight the very real fires we face today, not sell meteorite strike insurance. It's bad enough already out there. Let's focus on educating our customers, not scaring them with monster stories.