Cyber Conflict Study Center

 

Appendix

  • Cyber warfare (CyW). Any act intended to compel an opponent to fulfill our national will, executed against the software controlling processes within an opponent's system. CyW includes the following modes of cyber attack: cyber infiltration, cyber manipulation, cyber assault, and cyber raid.
  • Cyber infiltration (CyL). Penetration of the defenses of a software-controlled system such that the system can be manipulated, assaulted, or raided.
  • Cyber manipulation (CyM). Following infiltration, the control of a system via its software, which leaves the system intact, then uses the capabilities of the system to do damage. For example, using an electric utility's software to turn off power.
  • Cyber assault (CyA). Following infiltration, the destruction of software and data in the system, or attack on a system that damages the system capabilities. Includes viruses and overload of systems through email (email overflow).
  • Cyber raid (CyR). Following infiltration, the manipulation or acquisition of data within the system, which leaves the system intact but results in the transfer, destruction, or alteration of data. For example, stealing email or taking password lists from a mail server.
  • Cyber attack. See CyL, CyM, CyA, or CyR.
  • Cyber crime (CyC). Cyber attacks without the intent to affect national security or to further operations against national security.
  • Intentional cyber warfare attack (IA). Any attack through cyber-means to intentionally affect national security (cyber warfare) or to further operations against national security. Includes cyber attacks by unintentional actors prompted by intentional actors. (Also see, "unintentional cyber warfare attack.")
  • Intentional cyber actors (I-actors). Individuals intentionally prosecuting cyber warfare (cyber operators, cyber troops, cyber warriors, cyber forces).
  • Unintentional cyber actors (U-actors). Individuals who unintentionally attack but affect national security and are largely unaware of the international ramifications of their actions. Unintentional actors may be influenced by I-actors but are unaware they are being manipulated to participate in cyber operations. U-actors include anyone who commits CyL, CyM, CyA, or CyR without intent to affect national security or to further operations against national security. This group also includes individuals involved in CyC, journalists, and industrial spies. The threat that journalists and industrial spies pose to systems, including unintentional attacks caused by their CyL efforts, should be considered high.
  • Unintentional cyber warfare attack (UA). Any attack through cyber-means, without the intent to affect national security (cyber crime).

Blog Conclusion

To defend against all forms of cyber attack, the United States must have the ability to deter attacks. In most cases the first line of deterrence will be a strong defense to deny potential cyber attackers access to our systems. However, because of the inherently open nature of our systems, it will be impossible to stop all intrusions. As long as there is any risk for computer attack, we remain vulnerable. The second part of a strong deterrent policy will be the threat of retaliation or punishment. This ability to retaliate will be instrumental in establishing law and order in cyber space and will give us the ability to hold individuals, sub-state groups and states responsible for cyber attacks. Without this ability to retaliate, potential cyber attackers will continue to threaten US interests with impunity.

There are several technical and legal difficulties with identifying the perpetrator of a cyber attack. Because these attacks against our national information infrastructure and DOD networks are mainly perpetrated via computer intrusions from the Internet, it is very easy for the attacker to hide his identity through the World Wide Web. In addition, an attacker may also be able to hide his intentions by appearing to be a juvenile hacker but is actually collecting foreign intelligence or preparing for cyber warfare operations on behalf of a foreign government. Because of the difficulty in determining the type of attack without identifying the perpetrator, it is paramount to trace back the attack to the attacker.

Inherent in US law is the right to privacy, even on the Internet. The DOD is limited by US law from obtaining information from computer systems located in the United States without proper legal authority, which can only be obtained via appropriate law enforcement agencies and US courts. Because of these legal restrictions, DOD must work closely with its own investigative agencies and the Department of Justice to be able to identify perpetrators and deter future attacks through the threat of punishment or military retaliation.

The spectrum of cyber conflict depicts the range of possible cyber attacks and identifies whether law enforcement or the military could pursue the attacker based on the location of the attacker. It also shows the range of possible punishment or retaliation by DOD or the US government based on the perpetrator and his intention to harm national security. The spectrum begins with hackers with no intent to affect national security and advances to intentional actors such as political activists who use hacktivism to effect changes in national policy. It then increases in threat to cyber espionage and cyber terrorism, which harm national security. Finally, it culminates in full-out cyber warfare that furthers military operations (warfare) against a nation. The purpose of this spectrum is not only to depict the different types of computer attack but also to highlight the similarities between computer intrusions and reveal the need to identify not only the perpetrator but also his intentions. This may not always be possible, but in order to strengthen our deterrence of cyber attack, we must improve our ability to trace and identify attackers and retaliate through either criminal prosecution or other means of government-sponsored retaliation when necessary.

Appropriate US Response

Finally, the spectrum of cyber conflict as depicted in figure 5 speaks to the type of appropriate response from the US government in case of a cyber attack. In most cases, the appropriate response will be prosecution of the perpetrator either within the United States or by extradition to the US or through appropriate courts in other countries. However, there will be times that the identity of the perpetrator reveals intent by a foreign government to do harm to US national security interests. It may then be appropriate for the US government to apply diplomatic or economic pressure towards the offending country or in certain circumstances retaliate in kind with a cyber attack or through military strikes.

The spectrum of cyber conflict as depicted above attempts to bridge the gap between computer attacks perpetrated with criminal intent and attacks with national security intentions. Both types of attacks are on the same spectrum of conflict and often are difficult to distinguish. Because of this continuum of conflict from crime to warfare, the US and its Department of Defense must be prepared to work within the full constraints of US law and still be able to respond and retaliate against would-be attackers. Without this capability, we will not be able to prevent and deter future attack.

Law Enforcement Response

The only case shown in the Spectrum of Cyber Conflict diagram in which the DOD would initially respond to a cyber attack is a serious attack coming from outside the United States. However, even in these circumstances, DOD officials must work closely with law enforcement in case the trace eventually loops back to the United States. In addition, in most cases if the attack is determined to originate within an allied or friendly foreign country, a US law enforcement agency such as the FBI or a DOD investigative agency will work with the law enforcement officials of that country to further locate and prosecute the attacker.

So as depicted in figure 5, US law enforcement officials in concert with DOD will be intricately involved in most cyber attacks against the national information infrastructure and DOD systems. This type of relationship between DOD and law enforcement must fundamentally change the understanding and nature of national security defense. It must also shape the way DOD prepares to defend and deter against information warfare attacks.

Location of the Perpetrator (Outside or Within US)

As shown in figures 3 and 4, if the initial computer intrusion is identified as coming from outside the United States, the DOD does not violate any US laws by tracing the computer attack back to its source. However, if at any point during the trace back, the intrusion uses a computer system located within the US, DOD officials are not authorized by US law under the Privacy Act to obtain information from that system. At this point, appropriate law enforcement agencies would have to acquire court orders to obtain further information leading to the identification of the perpetrator.

Intention of Cyber-Actors

The intention of actors or perpetrators of cyber attack within the spectrum of cyber conflict can be broken down into two broad categories as relates to national security. These categories are outlined by Lionel D. Alford, Jr., in Appendix A of this paper and are defined as intentional cyber actors (I-actors) and unintentional cyber actors (U-actors). Intentional actors are individuals intentionally prosecuting attack through cyber-means to affect national security. U-actors are individuals who unintentionally attack but affect national security and are largely unaware of the international ramifications of their actions.

The intention of the perpetrators of a cyber attack is important as relates to the type of response by the US. Regardless of the severity of the damage, if the perpetrator against a DOD system is determined to be a juvenile hacker from Great Britain who had no intention of causing damage to US national security, the US would not respond in kind with a cyber attack against the British defense establishment. However, if the Iraqi Intelligence Service caused the same damage in a cyber-warfare attack, the US may very likely consider an in-kind cyber attack or possibly a military retaliatory strike against Iraq. Obviously, it may be difficult to fully identify a perpetrator, especially one operating under the auspices of a foreign intelligence service, but if an attack could be traced back to a country such as Iraq, the US government could use this information for diplomatic, economic or military action. In most cases, an attack from an I-actor will be perpetrated through US computer systems, and it will be paramount that US law enforcement agencies be involved in obtaining the required court orders to trace back and establish the location and identity of the cyber attacker.

Type of Attack

Cyber Crime
The first level of conflict is identified as Cyber crime and ranges from illegal exploration, hacking or other computer intrusions perpetrated by an individual or group with criminal or self-motivated interests and intent.

Hacktivism
The second level of cyber conflict is a relatively new phenomenon identified as "hacktivism" and is politically motivated. Hacktivism is computerized activism and operates in the tradition of non-violent direct action and civil disobedience. It uses the same tactics of trespass and blockade from earlier social movements and applies them to the Internet. The aim of hacktivism is to draw attention to particular issues by engaging in actions that are unusual and will attract some degree of media coverage and possibly affect public or private actions.

Cyber-Espionage
Cyber-espionage is the use of computer hacking in foreign intelligence operations to obtain information or access to foreign computer systems with the intent to commit espionage or have the access to commit state sponsored sabotage when necessary.

Cyber-Terrorism
Cyber-terrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data, which result in violence against noncombatant targets by subnational groups or clandestine agents.

Cyber-Warfare
Cyber warfare is defined as the "use of computer intrusion techniques and other capabilities against an adversary's information-based infrastructure" to intentionally affect national security or to further operations against national security.

Spectrum of Cyber Conflict

The purpose of developing a spectrum of cyber conflict is to show the range of cyber attacks from unintentional actors such as hackers and criminals with only self-serving interests to intentional actors with intent to affect national security. This spectrum will synthesize the type of attack, intentional or unintentional actors, location of attack, and will identify what agency will have the authority to identify and track down the perpetrator. It will also identify what type of appropriate response is likely to be taken by the US government against perpetrators ranging from criminal prosecution to extradition or a national policy response such as diplomatic, economic or military action against a state.

It is important to remember that any actor from a juvenile hacker to a sophisticated state intelligence service may have the capability to do extensive damage to our national information infrastructure and the capability to track and identify the perpetrator will always be extremely important regardless of the perpetrator‘s intentions. Sometimes, it may be as important to identify a criminal hacker with no national security interests as it may be to prove a state sponsored cyber warfare attack. Regardless, without the close coordination between DOD and law enforcement agencies, a quick and accurate response by the US government will not be possible.

Figure 5 depicts a spectrum of cyber conflict as discussed in this paper. The first discriminator is the type of attack. The type of attacks may range from cyber-crime to hacktivism, cyber-espionage, and cyber-terrorism all the way to cyber-warfare. The second distinction important to fully understand the cyber threat is the intention of the cyber actor (Unintentional vs. Intentional). Thirdly, it is paramount to identify the initial location of the attack and whether it is coming from within or outside the United States. These three factors (type of attack, intention of the perpetrator and location of perpetrator) will determine whether or not law enforcement or DOD initially responds to trace back the attack and will also affect the type of retaliation taken against the perpetrator. The following description will explain the Spectrum of Conflict as shown in Figure 5 below.
Figure 5. Spectrum of Cyber Conflict.

Legal Limitations

Law enforcement agencies face many challenges in responding to information attacks in cyber space, particularly attacks that cross national and regional borders and exploit technologies of concealment. It can be difficult to locate a hacker who has looped through multiple systems, used anonymous services, or entered through a wireless connection from a mobile unit. Another challenge is collection and preservation of evidence. Evidence may be encrypted or dispersed across several countries. Tracking an intruder who has used a computer located in the United States will require searches and seizures or wiretaps. These searches may encompass multiple jurisdictions and many laws are not uniform across jurisdictions. Also, many countries have weak laws or no laws at all, against some computer hacking activity. Even if laws exist, extradition may be prohibited, depending on agreements between countries.

Figure 2 highlights the jurisdictional problems with tracking a hacker who has used several computer systems to illegally gain access to AF systems in Tampa, FL. Each location requires a separate court order from a court with jurisdiction over the geographic location of the computer system that was used. Although law enforcement agencies have the technology to trace back to the origin of the hacker, each time they access another computer system in the United States they must have legal authorization to do so. This can cause many delays and difficulties in obtaining the evidence and identifying and eventually locating the perpetrator of a computer attack.

It is this area of identifying the perpetrator of a computer attack that causes the most difficulty for the Department of Defense. The first line of defense is to prevent the attack or intrusion from occurring. However, a strong defense will never be able to completely eliminate all attacks. When an attack occurs, there will be many times when it will be vital for DOD to determine the identity of the intruder and their intentions, whether they are an intentional actor with intent to affect national security or not. It will be impossible for DOD to respond to these actors, or for the United States government to take other actions such as economic sanctions or military action, without definitively knowing the identity of the perpetrator. As long as the perpetrator uses computer systems located within the United States, DOD will be restricted by law from tracing these actors without the assistance of law enforcement agencies working through proper court channels.

Although the DOD and its intelligence community have the same tools to trace back information warfare attacks as law enforcement, they must abide by US laws within the jurisdiction of the US. When an initial intrusion is identified, they are allowed to track back one connection to determine the immediate origin of the attack. However, if that system is located within the US, the DOD is prohibited by US privacy laws from intruding into it to determine the next link in the chain of attack. The following figure shows the geographic limitations which restrict DOD in locating and identifying perpetrators of cyber attacks.
Figure: geographic limitations restricting DOD trace-back.

The next figure shows that if the attack comes directly from overseas, DOD may trace and track the attack. However, if at any time the trace returns to a US computer system, DOD must abide by US privacy laws.

This distinction, with US law dictating the type of response to a computer attack against national and defense information structures, is key to how the United States may defend against and deter cyber attacks. Geographic jurisdiction when locating and identifying the perpetrator is an important limitation when discussing the concept of defensive information warfare. Computer attacks against the US have blurred the distinction between individual and state acts against the United States. In addition, a country may be at war with us in the sense of conducting information warfare attacks against our infrastructure, and we may not know its identity. This is why it is paramount that DOD build its own robust military criminal investigative organizations as well as continue to work closely with the FBI to identify the perpetrators of cyber attacks. Without this ability to identify and locate the perpetrator, it will be impossible for the US to retaliate against cyber attackers.

Technical Limitations

The vast array of public and private networks connecting computers and users all over the globe is known as cyberspace. Indeed, it is often characterized as a "virtual world" that transcends space. People log onto computers and on-line services without regard to their own geographic location or the location of the system they enter. Computers are addressed through domain names such as "abc.xyz.com," which give no indication of physical location. Similarly, individuals correspond using domain-based addresses such as "smith@abc.xyz.com".

Because a user may be able to log into a computer from anyplace in the world (e.g., using telnet or a dial-up line), there is no way of identifying the geographic location of a user even when the location of the computer where the account is held is known. With mobile phones and mobile computing, the location of the user becomes even more difficult to determine. The consequence of this lack of grounding in physical space is that actions can take place in cyberspace without anyone knowing exactly where they originated or which jurisdictions are affected.

Finding the perpetrator of a computer intrusion or any crime in cyberspace is extremely difficult and often impossible, especially when the perpetrator has "looped" through numerous machines throughout the world to get to a target. Figure 1 shows an example of how a hacker in New York City may weave and loop through a government computer in Latvia, to a computer belonging to the New York Times, through George Washington University in Washington DC, and finally to his final target, an Air Force system in Tampa, Florida.
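The looping described above can be followed backwards hop by hop when each intermediate system's connection logs are available. The Python below is an added illustration and not part of the original paper: it builds constructed session logs for the New York-Latvia-New York-Washington-Tampa path (hostnames, timestamps and the decoy sessions are invented), walks from the victim back toward the origin by finding on each hop the inbound session that was already open before the relayed outbound session started and still open after it ended, and then applies the paper's jurisdiction rule to say which hops DOD may examine itself and which require law enforcement with a court order.

```python
"""Hop-by-hop trace-back of a 'looped' intrusion from constructed session logs.

Assumptions (illustrative, not from the paper): each hop logs its inbound
sessions with start/end times; a stepping stone's inbound session must bracket
the outbound session it relays, within a small clock slack; the origin host is
the first host for which no bracketing inbound session exists.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:
    host: str        # host whose log recorded this inbound session
    country: str     # where that host sits; drives the jurisdiction check
    src: str         # host the session came from
    start: datetime
    end: datetime


T0 = datetime(1998, 9, 9, 12, 0, 0)


def at(seconds):
    """Timestamp helper for the constructed logs."""
    return T0 + timedelta(seconds=seconds)


# Constructed logs for the paper's example path:
# attacker (NYC) -> gov host (Latvia) -> newspaper (NYC) -> university (DC) -> AF system (Tampa).
SESSIONS = [
    Session("af-tampa", "US", "gwu-dc", at(30), at(600)),
    Session("gwu-dc", "US", "nytimes-nyc", at(20), at(605)),
    Session("gwu-dc", "US", "library-dc", at(300), at(1800)),        # unrelated user, starts too late
    Session("nytimes-nyc", "US", "gov-latvia", at(10), at(610)),
    Session("nytimes-nyc", "US", "reader-nj", at(-3600), at(-3000)),  # unrelated user, ended earlier
    Session("gov-latvia", "LV", "attacker-nyc", at(0), at(615)),
]
COUNTRY = {s.host: s.country for s in SESSIONS}
COUNTRY["attacker-nyc"] = "US"   # assumed: learned from the source address in the Latvian log


def find_relay(by_host, host, start, end, slack):
    """Return the inbound session on `host` that brackets [start, end], or None.
    A relayed connection must be open before the outbound one starts and still be
    open when it ends; if several qualify, the tightest bracket is chosen."""
    matches = [s for s in by_host.get(host, ())
               if s.start <= start + slack and s.end + slack >= end]
    if not matches:
        return None
    return min(matches, key=lambda s: s.end - s.start)


def trace_back(sessions, target, attack_start, attack_end, slack=timedelta(seconds=5)):
    """Walk from the victim back toward the origin, one log per hop.
    Returns the ordered hosts, victim first, origin (or last traceable hop) last."""
    by_host = defaultdict(list)
    for s in sessions:
        by_host[s.host].append(s)
    chain, host, start, end = [target], target, attack_start, attack_end
    while True:
        relay = find_relay(by_host, host, start, end, slack)
        if relay is None or relay.src in chain:   # origin reached, or a cycle
            return chain
        chain.append(relay.src)
        host, start, end = relay.src, relay.start, relay.end


def jurisdiction_plan(chain, country):
    """Apply the paper's rule: DOD may trace abroad, but every US system whose
    logs must be examined needs law enforcement and a court order. The victim
    (first hop) is DOD's own system."""
    plan = []
    for i, host in enumerate(chain):
        if i == 0:
            who = "DOD (own system)"
        elif country.get(host) == "US":
            who = "law enforcement (court order required)"
        else:
            who = "DOD / host-country authorities"
        plan.append((host, country.get(host, "?"), who))
    return plan


if __name__ == "__main__":
    chain = trace_back(SESSIONS, "af-tampa", at(30), at(600))
    for hop in jurisdiction_plan(chain, COUNTRY):
        print(hop)
```

The bracketing test is what rejects the two decoy sessions: one starts after the relayed connection began, the other ended hours before. Real stepping-stone correlation has to cope with clock skew between hops (the `slack` parameter), encrypted streams where only timing is visible, and hops that keep no logs at all, which is where the chain simply stops.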

This technical difficulty in locating and identifying the perpetrator can be overcome by several law enforcement methods. These methods consist of packet sniffers, keystroke monitoring, and other environmental surveillance methods such as cameras, imagery systems and electromagnetic signal reception. The most common law enforcement diagnostic tool is a packet sniffer; the sniffer designed and developed by the FBI has recently become well known by the name "Carnivore." A sniffer such as "Carnivore" placed on a computer connected to the network can read every message that reaches its network interface regardless of destination. Whereas a machine would normally be configured to read only messages addressed to it, its interface can be set to "promiscuous mode" so that it sees all traffic on its segment (on a shared-medium segment that is everything; on a switched network the sniffer must be fed by a mirror port or a tap). In addition, it can be configured to ignore those communications which the FBI is not authorized to intercept.

The Carnivore device provides the FBI with a "surgical" ability to intercept and collect only the communications that are the subject of the lawful order. This type of tool is necessary to meet the stringent requirements of the federal wiretapping statutes. The Carnivore device works much like the commercial "sniffers" and other network diagnostic tools used by Internet Service Providers (ISPs) every day, except that it gives the FBI a unique ability to distinguish between communications which may be lawfully intercepted and those which may not. For example, if a court order provides for the lawful interception of one type of communication (e.g., e-mail) but excludes all other communications (e.g., online shopping), the Carnivore tool can be configured to intercept only those e-mails being transmitted either to or from the named subject. Carnivore serves to limit the messages viewable by human eyes to those which are strictly included within the court order. ISP knowledge and assistance, as directed by court order, is required to install the device.
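What "configured to intercept only those e-mails to or from the named subject" means in practice is a minimization filter run over the promiscuous capture before any analyst sees it. The Python below is an added example in that spirit and is not FBI or Carnivore code. It assumes the capture has already been decoded into (source, destination, port, payload) records with each SMTP envelope reassembled into one record, that mail travels on the standard SMTP port, and that the order names the subject's e-mail addresses and permits only the "email" category; the addresses, ports and messages are constructed.

```python
"""Court-order minimization over a promiscuous-mode capture (constructed example).

Everything not provably within the order's scope is dropped before retention,
and the drop reasons are counted so the filtering itself can be audited.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str


@dataclass(frozen=True)
class CourtOrder:
    subjects: frozenset    # e-mail addresses named in the order, lower-case
    categories: frozenset  # communication types the order permits, e.g. {"email"}


# Port-to-category mapping assumed for this example.
PORT_CATEGORY = {25: "email", 110: "email", 143: "email", 80: "web", 443: "web"}
ENVELOPE_RE = re.compile(r"^(?:MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def smtp_parties(payload):
    """Addresses from the MAIL FROM / RCPT TO envelope lines: the minimum that
    must be parsed to decide whether a named subject is party to the message."""
    parties = set()
    for line in payload.splitlines():
        m = ENVELOPE_RE.match(line.strip())
        if m:
            parties.add(m.group(1).lower())
    return parties


def classify(pkt, order):
    """Per-record verdict. A mail protocol this filter cannot parse (POP/IMAP
    here) is discarded as 'not_subject' rather than retained on suspicion."""
    category = PORT_CATEGORY.get(pkt.dport)
    if category not in order.categories:
        return "wrong_category"            # e.g. the subject's own online shopping
    if category == "email" and pkt.dport == 25:
        if smtp_parties(pkt.payload) & order.subjects:
            return "retained"
    return "not_subject"


def minimize(capture, order):
    """Return the records an analyst may see, plus counts for the audit log."""
    retained = []
    audit = {"retained": 0, "wrong_category": 0, "not_subject": 0}
    for pkt in capture:
        verdict = classify(pkt, order)
        audit[verdict] += 1
        if verdict == "retained":
            retained.append(pkt)
    return retained, audit


# Constructed sample capture: documentation/private addresses and invented mail.
ORDER = CourtOrder(frozenset({"subject@example.org"}), frozenset({"email"}))
CAPTURE = [
    Packet("192.0.2.5", "192.0.2.25", 25,
           "MAIL FROM:<subject@example.org>\r\nRCPT TO:<friend@example.net>\r\nDATA\r\n"),
    Packet("192.0.2.7", "192.0.2.25", 25,
           "MAIL FROM:<alice@example.com>\r\nRCPT TO:<bob@example.com>\r\nDATA\r\n"),
    Packet("192.0.2.5", "203.0.113.9", 80,
           "GET /cart HTTP/1.0\r\nHost: shop.example\r\n\r\n"),
    Packet("192.0.2.9", "192.0.2.25", 25,
           "MAIL FROM:<carol@example.com>\r\nRCPT TO:<SUBJECT@example.org>\r\nDATA\r\n"),
    Packet("192.0.2.5", "192.0.2.25", 110,
           "USER subject\r\nPASS hunter2\r\n"),
]

if __name__ == "__main__":
    kept, counts = minimize(CAPTURE, ORDER)
    print(counts)
    for pkt in kept:
        print(pkt.src, "->", pkt.dst, sorted(smtp_parties(pkt.payload)))
```

Two design points worth noting: the subject's own web traffic is excluded even though it came from the same machine, because the order covers a category of communication rather than a host; and the POP session, although it is "email", is dropped because the filter cannot establish the parties from it, which is the conservative failure mode a minimization filter should have.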

In 1995, federal agents using a packet sniffer tracked down an Argentine student who had hacked into a system at Harvard University. The hacker was using the Harvard network as a springboard to hack into Defense Department systems including the Naval Research Laboratory and Los Alamos National Laboratory. After a court order was issued, investigators placed a computer between Harvard's network and the Internet and set it to scan for messages that appeared to come from the hacker. By sifting through the messages, they traced the attacks to Julio Cesar Ardita, a 21-year-old university student located in Argentina. During this process, four separate screening procedures were used to protect the privacy of other users on the network. Ardita eventually pled guilty to illegal wiretapping and computer crime felonies and was sentenced to 3 years' probation and a $5,000 fine.

Federal investigators have the technology to track down a hacker both inside and outside the United States; however, it still involves many legal barriers to include court-ordered wiretaps, which can take weeks to obtain.

Determination of Perpetrator

If the Department of Defense wants to have the ability to retaliate against a computer attack whether it is a cyber crime or a cyber warfare attack, they must be able to determine who has committed the attack and their intentions. This chapter will explore the technical and legal difficulties with determining who the perpetrator is and address the necessity for DOD to establish a strong operational relationship with both civil and military law enforcement organizations in order to be able to react quickly to potential cyber warfare.

Cyber Warfare

The highest level of threat on the spectrum of cyber conflict is cyber warfare. Defining exactly what is meant by cyber or information warfare can be difficult; it encompasses many aspects of traditional attacks against information systems and also warfare waged by using computer systems to attack computer networks or software systems. For the purpose of this paper, cyber warfare will be defined as the "use of computer intrusion techniques and other capabilities against an adversary's information-based infrastructure" to intentionally affect national security or to further operations against national security. The basic tools for attack, such as the computer, modem, telephone, and software, are essentially the same as those used by other actors on the spectrum of cyber conflict.

If the basic cyber attack tools and skills are common across the spectrum, it may be difficult to distinguish recreational hackers from Information Warriors. Said another way:
An IW attack against US infrastructures may be little more than a series of hacker attacks, conducted against carefully chosen targets, synchronized in time, to accomplish specific purposes. An adversary could combine cyber attacks with physical attacks in an effort to paralyze or panic large segments of society. It could damage our capability to respond to incidents (by disabling the 911 system or emergency communications, for example), hamper our ability to deploy conventional military forces, and otherwise limit the freedom of action of our national leadership.

In most cases, the only way to differentiate between a hacker attack and a cyber warfare attack may be the intensity, organization or damage of the attack, and perhaps only if it is conducted in conjunction with other traditional warfare attacks or a declaration of war by an enemy state.

This difficulty in distinguishing between the type of attack on the cyber conflict spectrum exposes the most important issue in defining the type of cyber threat. The definition must include identity of the perpetrator and his intentions. During an attack, we may not know if it is cyber war unless it is in conjunction with a traditional war against a known enemy. It could also be an act of cyber crime, hacktivism, or cyber terrorism. The key issue will be who is the perpetrator and what are his intentions.

Computer Terrorism

The next threat identified on the spectrum of cyber attack is cyber terrorism. Barry Collin, a senior research fellow at the Institute for Security and Intelligence in California, established the term "cyber terrorism" to refer to the convergence of cyber space and terrorism. Mark Pollitt, special agent for the FBI, offers a working definition: "Cyber terrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents."

Early indications suggest that terrorist groups may use the Internet more to influence public perception and coordinate their activities than to launch highly destructive and disruptive attacks. An example can be found in the struggle between Zapatista National Liberation Army (EZLN) and the government of Mexico. The Zapatistas and their supporters have used the Internet to spread word about their situation and to coordinate activities. One group of New York supporters, the Electronic Disturbance Theater (EDT) organized an attack against Mexican President Zedillo‘s Web site. On April 10, 1998, participants in the attack pointed their web browsers to a site with FloodNet software, which bombarded the site with traffic.

On September 9, 1998, EDT once again struck the Web site of President Zedillo, along with those of the Pentagon and the Frankfurt Stock Exchange. The Net strike was launched in conjunction with the Ars Electronica Festival on Infowar, held in Linz, Austria. According to Brett Stalbaum, author of the FloodNet software used in the attack, the Pentagon was chosen because "we believe that the US military trained the soldiers carrying out the human rights abuses." Stalbaum said the Frankfurt Stock Exchange was chosen because it represented globalization, which was at the root of the Chiapas' problems. EDT estimated that up to 10,000 people participated in the demonstration, delivering 600,000 hits per minute to each of the three sites. The Web servers operated by the Pentagon and the Mexican government struck back: when they sensed an attack from the FloodNet servers, they launched a counter-offensive against the users' browsers, in some cases forcing the protestors to reboot their computers. The Frankfurt Stock Exchange reported that it normally gets 6 million hits a day and that services appeared unaffected.

Although this may be more of an example of hacktivism on the part of the EDT, it shows how a terrorist organization can use the Internet to broadcast their message and misdirect or misinform the general population in multiple nations simultaneously.

Another form of cyber terrorism is known as "cybotage," which includes acts of disruption and destruction against information infrastructures by terrorists who learn the skills of cyber attack. Although most experts still believe that terrorism will continue to focus on lethal, destructive acts, there is also the belief that some terrorists will stress disruption over destruction. These networked terrorists will no doubt continue to destroy things and kill people, but their principal strategy may move toward the nonlethal end of the spectrum, where command and control nodes and vulnerable information infrastructures provide rich sets of targets.

Whether cyber terrorism in the future is used more as a means to influence public perception or as a forum to conduct politically motivated network attacks, most experts agree that terrorist groups will increase their use of computers to intimidate and coerce societies and governments.

Before the US Senate Judiciary Committee, Clark Staten, executive director of the Emergency Response and Research Institute (ERRI) in Chicago, testified that it was believed that "members of some Islamic extremist organizations have been attempting to develop a 'hacker network' to support their computer activities and even engage in offensive information warfare attacks in the future."

The increased threat of cyber terrorism by sub state or state sponsored actors against the US national infrastructure will require the US to identify and retaliate against cyber terrorist attacks in order to deter and prevent future attacks.