Cyber Conflict Study Center


Computer Espionage

The next level of threat to the DOD and US national security is cyber espionage. This threat is likely to be the most difficult to distinguish because it may appear to be hacker activity and will intentionally avoid causing damage or harm in order to avoid detection. Although there is little information in the public domain about the use of computer hacking in foreign intelligence operations, there is no doubt that this activity is prevalent among most state intelligence agencies around the world. The first documented computer espionage case was in 1986 and was immortalized in the best-selling book "The Cuckoo's Egg". In this case, the Soviet KGB recruited five hackers (including the Hanover Hacker) to hack into US DOD systems and provide information to the Soviets. These young hackers all had drug and financial problems and were easily exploited by the Soviet KGB.18 This early espionage investigation revealed the importance of cyber espionage to foreign intelligence services and also the readiness of foreign intelligence services to vet and employ criminal hackers.

According to Peter Schweizer's book Friendly Spies, Germany initiated one such (intelligence) program, dubbed Project Rahab after the harlot who helped the Israelites infiltrate Jericho, in the mid-1980s. The project was developed within Germany's intelligence agency, the Bundesnachrichtendienst (BND), as a joint effort between the BND's central office and the divisions for human and signals intelligence. The unit allegedly accessed computer systems in the United States, the former Soviet Union, Japan, France, Italy, and Great Britain, and in 1991 penetrated the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, which carries most international bank transfers.

These popular books, "The Cuckoo's Egg" and "Friendly Spies", highlight the potential threat of foreign intelligence cyber operations against US and DOD information systems.

Hacktivism

A new phenomenon in the spectrum of cyber conflict has emerged and can be described as electronic disobedience or hacktivism. Computerized activism operates in the tradition of non-violent direct action and civil disobedience and borrows the tactics of trespass and blockade from earlier social movements and applies them to the Internet.

A typical civil disobedience tactic is a 'sit-in', in which groups of people physically blockade, with their bodies, the entranceways of an opponent's office or physically occupy an opponent's office. Electronic Civil Disobedience (ECD), as a form of mass decentered electronic direct action, utilizes virtual blockades and virtual sit-ins. Unlike the participant in a traditional civil disobedience action, an ECD actor can participate in virtual blockades and sit-ins from home, from work, from the university, or from other points of access to the Net.


The origins of computerized activism extend back in pre-Web history to the mid-1980s. However, hacktivism remained marginal to political and social movements until the explosion of the Internet in the mid-1990s. Now, in the post-Web Internet phase, there is widespread use by a large number of grassroots groups and other political actors in countries all over the world. There have been reports of hacktivity in Britain, Australia, India, China, and on almost every continent.

In the spring of 1998, a young British hacker known as "JF" accessed about 300 web sites. He replaced the sites' homepages with an image of a mushroom cloud and an 800-word declaration that began "This mass takeover goes out to all the people out there who want to see peace in this world". Some affected sites were Web servers at India's atomic research center and the Saudi Royal Family.15 At that point, it was the biggest political hack of its kind. Since then, there have been numerous reports of web sites being accessed and altered with political content.

The desired goal of hacktivism is to draw attention to particular issues by engaging in actions that are unusual and will attract some degree of media coverage. While it may be too early to make accurate predictions, the threat of hacktivism has yet to be fully recognized or tested. It is important to include this new threat against DOD systems and understand the possible long-term consequences for governments and states if groups of individual protestors can engage in forms of cyberspace resistance across traditional geopolitical borders.

Hacktivism is distinct from hacking in the purely criminal sense because it represents a political motivation with intent not only to do harm to a system, but to influence the public and government that it is protesting with its electronic civil disobedience. In some cases, if a large enough group of protesters from around the globe can launch an electronic attack, it has the potential to cause major damage and may be difficult to differentiate from an initial information warfare attack. Although hacktivism is also a criminal act, it is distinct because of the perpetrator's political intentions and may require a different, if not unique, response from the DOD or US government.

Cyber Crime (Illegal Exploration and Hacking)

The first type of computer attack combines several different types of unintentional actors into one category defined as cyber crime or "hacker". Although this category of hacker includes many kinds of cyber criminals, from a DOD perspective the important difference is the motivation of a hacker without intent to damage the national security of the United States. Therefore, it is necessary to differentiate between cyber crime and other levels of computer attack because it will affect the type of DOD response.

Cyber crime in the form of a cyber intrusion (hacking) is illegal access into a network system and can range from simple exploration causing no damage to malicious hackers who are intent on causing loss or damage. Most information systems tend to divide the world into at least three parts: outsiders, users, and superusers. A popular route of attack for hackers is first to use a password attack so that the outsider becomes a user, and then, once a user, to use known weaknesses of Unix programs to gain superuser privileges. Once a superuser, a hacker can read or alter files; control the system; make it easier to re-enter the system (even after tougher security measures are enforced); and insert rogue code (e.g., a virus, logic bomb, Trojan Horse, etc.) for later exploitation. Although the other levels of cyber attack, including cyber espionage, cyber terrorism and information warfare, also use a similar method of hacking into an Internet-connected system, the main distinction between a hacker and the other levels is the intention of the perpetrator.
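As an added illustration of the outsider-to-user-to-superuser route just described (example code written for this edit, not part of the original study), the following Python script scans syslog-style authentication lines for that sequence from a defender's side: a burst of failed password attempts, a successful login for the same account from the same source, and a subsequent switch to root within a time window. The log lines, host name, user names and addresses are constructed for the example.

```python
import re
from datetime import datetime

# Constructed syslog-style auth lines (sample data, not from the paper).
SAMPLE_LOG = """\
Jan 12 03:14:01 host sshd[4011]: Failed password for alice from 203.0.113.7 port 40122 ssh2
Jan 12 03:14:03 host sshd[4011]: Failed password for alice from 203.0.113.7 port 40122 ssh2
Jan 12 03:14:05 host sshd[4011]: Failed password for alice from 203.0.113.7 port 40122 ssh2
Jan 12 03:14:06 host sshd[4011]: Failed password for alice from 203.0.113.7 port 40122 ssh2
Jan 12 03:14:09 host sshd[4012]: Accepted password for alice from 203.0.113.7 port 40130 ssh2
Jan 12 03:15:40 host su: (to root) alice on pts/1
Jan 12 08:00:00 host sshd[5000]: Accepted password for bob from 198.51.100.2 port 50022 ssh2
Jan 12 08:10:00 host su: (to root) bob on pts/2
"""

TS_FMT = "%b %d %H:%M:%S"
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
SU_ROOT = re.compile(r"su: \(to root\) (\S+) on")

def find_escalation_chains(log_text, min_failures=3, window_seconds=3600):
    """Flag the outsider -> user -> superuser route: repeated failed
    password attempts, then a successful login for the same account from
    the same source, then a switch to root within the window.
    Returns a list of (user, source, failed_attempts) tuples."""
    failures = {}   # (user, src) -> failed attempts since last success
    suspect = {}    # user -> (src, failed_attempts, login_time)
    chains = []
    for line in log_text.splitlines():
        ts = datetime.strptime(line[:15], TS_FMT)  # year is irrelevant here
        if m := FAILED.search(line):
            key = (m.group(1), m.group(2))
            failures[key] = failures.get(key, 0) + 1
        elif m := ACCEPTED.search(line):
            key = (m.group(1), m.group(2))
            n = failures.pop(key, 0)
            if n >= min_failures:   # outsider became a user after guessing
                suspect[key[0]] = (key[1], n, ts)
        elif m := SU_ROOT.search(line):
            user = m.group(1)
            if user in suspect:
                src, n, login_ts = suspect.pop(user)
                if (ts - login_ts).total_seconds() <= window_seconds:
                    chains.append((user, src, n))   # user became superuser
    return chains

if __name__ == "__main__":
    for user, src, n in find_escalation_chains(SAMPLE_LOG):
        print(f"ALERT: {user} from {src}: {n} failed logins, login, then root")
```

Bob's login followed by su is not flagged because no password-guessing burst preceded it; tightening the window or raising the failure threshold changes what is reported.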

In his book "Fighting Computer Crime", Wiley identifies several types of cyber criminals. They range from pranksters who perpetrate tricks on others to career criminals. Pranksters generally do not intend any particular or long-lasting harm. Wiley identifies hackers as individuals who explore others' computer systems for education, out of curiosity, to achieve idealized social justice or to compete with their peers. They may be attempting to gain the use of a more powerful computer, gain respect from fellow hackers, build a reputation, or gain acceptance as an expert without formal education. Malicious hackers, sometimes called crackers, are intent on causing loss (in contrast to achieving illegal gain) to satisfy some antisocial motives. Many computer virus creators and distributors also fall into this category.

Another form of cyber criminal is the career criminal. These individuals earn part or all of their income from crime, although they do not necessarily engage in crime as a full-time occupation. Some have a job and steal a little and then move on to another job to repeat the process. In some cases they conspire with others or work within organized crime gangs such as the Mafia. According to the FBI, many of these criminal alliances use advanced information technology and encrypted communications to elude capture.

In most cases, hackers who are intent on penetrating DOD systems are doing it for the challenge and thrill. Hackers are motivated by a variety of factors, including thrill, challenge, pleasure, knowledge, recognition, power and friendship.

In a survey of 164 hackers, the three main reasons for hacking were (in decreasing order) challenge, knowledge, and pleasure, all of which are positive aspects beneficial to discovery learning. These accounted for nearly half (49%) of the reasons cited. Another 24% were attributed to recognition, excitement (of doing something illegal), and friendship. The remaining 27% were ascribed to self-gratification, addiction, espionage, theft, profit, vengeance, sabotage, and freedom.

The Centre for Infrastructural Warfare Studies estimated in December 1997 that there were fewer than 1,000 professional hackers worldwide at the time. They defined a 'professional hacker' as someone who is 'capable of building and creating original cracking methods'. He has superior programming skills in a number of machine languages and has original knowledge of telecommunications networks. In terms of objectives, his goals are usually financial.

This first group of cyber criminals or "hackers" can be categorized as unintentional cyber actors. Although they have a variety of motivations ranging from simple exploration to criminal intent to defraud or gain financially in some manner, they are not considered intentional cyber actors targeting national security. Because they are simply criminals, a DOD response to these types of cyber attacks should be considered a legal response to stop and prosecute criminal actors.

Types of Computer Attacks

This study will divide the types of computer attacks into two distinct categories based on the intent of the perpetrator of the computer intrusion. This differentiation can be defined as an intentional cyber warfare attack (IA) with intentional actors (I-actors) or an unintentional cyber warfare attack (UA) with U-actors (unintentional cyber actors).1 An intentional cyber warfare attack (IA) is any attack through cyber means to intentionally affect national security (cyber warfare) or to further operations against national security. IA can be equated to warfare; it is national policy at the level of warfare. It includes any act intended to compel an opponent to fulfill national will, executed against an opponent's computer and software systems.

"Unintentional cyber actors are individuals who unintentionally attack but affect national security and are largely unaware of the international ramifications of their actions. U-actors include anyone who commits cyber infiltration and penetrates the defenses of a system such that the system can be manipulated, assaulted, or raided." U-actors have a large variety of motivations and intentions but do not intend to inflict damage on national security or to further operations against national security. These U-actors can be categorized as hackers, and although they commit cyber crime, they are not intentionally prosecuting cyber warfare. It is important to note that unintentional actors may be influenced by I-actors but are unaware they are being manipulated to participate in cyber operations.

Introduction

The United States must be able to deter computer attacks against our critical information infrastructure. A strong deterrence policy involves both a strong defense and the threat of retaliation or punishment. Despite a strong defense to deny cyber attackers access to our systems, we remain vulnerable because it is nearly impossible to stop all intrusions. Therefore, we must be able to punish or retaliate against individuals, sub-state groups or states that are responsible for cyber attacks. This ability to retaliate involves more than just an offensive information warfare capability. In most cases, the DOD must use US law enforcement to assist in identifying and locating the perpetrator. In the realm of cyber defense, law enforcement now plays a critical role in national security and national defense.

Our reliance on computers and information-based technologies within DOD has greatly increased the vulnerability of our military forces if our information systems are attacked. DOD systems now receive numerous intrusion attempts daily, and this trend appears to be increasing. In 1994 the total of network attacks reported throughout DOD was only 225. By 1999, the total number of reported events was just over 22,000, and if the trend continues, there will be over 24,000 by year's end.1 This increased threat of network attack has highlighted a new US vulnerability and increased the importance of defensive information warfare for the US military.

There is much written on the subject of information warfare and how this new type of warfare will affect and shape the future of war. The discussion of information warfare always deals with both offensive and defensive information operations and discusses our ability to defend and deter against information warfare attack. It is logical to categorize defending against cyber warfare in traditional military terms when military terms are used to explain and define this concept called information warfare. Unfortunately, this broad generalization of information warfare and defense against information attack neglects one fundamental difference between traditional warfare and information warfare. The difference is that an attack against our information infrastructures located in the United States is actually a crime and must be countered within the legal requirements and jurisdictions of US code.

The very nature of defending our critical national infrastructure from an information warfare attack cannot be viewed in a traditional military sense and must be thought of and countered differently than traditional warfare. A strong defense against information warfare attack can be effective either by denial or a threat of punishment. Denial against information attack rests on very strong defenses so that an aggressor cannot achieve his objective and requires effective identification and authentication mechanisms. The threat of punishment or governmental reprisal against an attacker requires identifiable targets that can be located and attacked and relies on auditing and trace-back methods.

The US military has focused a large proportion of its efforts on denying and preventing cyber attacks, and rightly so. It is paramount that we do everything within our power to deny the adversary access or the ability to attack our systems. Unfortunately, we can never be 100 percent certain that our systems are invulnerable to attack. Cyber attackers can always find trapdoors and glitches in software that allow them to get around obstacles; or, if that fails, they can try launching very sophisticated password-cracking programs. This vulnerability was highlighted after a 1998 investigation at a Department of Energy laboratory, where a hack had shut down the facility for a few weeks. After this event, systems security administrators were running a password-cracking program to help assess and limit the risk of future intrusion. But, even after a year, their program was still able to guess one in ten new passwords every week.3 Based on this inherent fallibility of information systems, especially as network linkage increases, we can never totally rely on a strategy of denial. Therefore, it is important to also address deterrence and the ability to counter cyber attack by threat of punishment or military reprisal.

The important issue in countering a cyber attack through threat of reprisal is to discern the type of attack, identify the adversary and respond appropriately. Given the current US national information infrastructure (NII) and the US military's reliance on the NII, most cases of identifying the perpetrator of an information warfare attack or any attack against DOD systems will be the responsibility of US law enforcement. In most cases, the traditional warfighting military is prohibited from executing this mission domestically because of US laws.

This spectrum of cyber conflict will show the correlation between computer attacks and criminal activity and highlight why the US military cannot counter or respond to information attacks until after the perpetrator is identified. DOD must develop a robust law enforcement function to assist in a strategy of countering cyber attacks. Without law enforcement's assistance, appropriate US government reprisals such as criminal punishment or US national policy responses in the form of diplomatic or economic sanctions or military reprisals will not be possible. Finally, without this credible response capability, the US will lack the vital ability to deter future network attacks.