Hacker Warfare
What Is Information Warfare?
By Martin Libicki
Winn Schwartau, Note 38 among
others, uses the term information warfare to refer almost
exclusively to attacks on computer networks. In contrast to
physical combat, these attacks are specific to properties of the
particular system because the attacks exploit knowable holes in the
system's security structure. Note 39
In that sense the system is complicit in its own degradation.
Hacker warfare varies considerably. Attackers can be on site,
although the popular imagination can place them anywhere. The
intent of an attack can range from total paralysis to intermittent
shutdown, random data errors, wholesale theft of information, theft
of services (e.g., unpaid-for telephone calls), illicit systems'
monitoring (and intelligence collection), the injection of false
message traffic, and access to data for the purpose of blackmail.
Among the popular devices are viruses, logic bombs, Trojan horses,
and sniffers. Note 40
The hacker attacks discussed here are attacks on civilian
targets (military hacker attacks come under the rubric of C2
warfare). Note 41 Although attacks
on civilian and military targets share some characteristics of
offense and defense, military systems tend to be more secure than
civilian systems, because they are not designed for public access.
Critical systems are often disconnected from all others -- "air
gapped," as it were, by a physical separation between those systems
and all others.
From an operational point of view, civilian systems can be
attacked at physical, syntactic, and semantic levels. Here, the
focus is on syntactic attacks, which affect bit movement. Concern
for physical attacks (see above, on C2W) is relatively low Note 42 (although some big computers
on Wall Street can be disabled by going after the little computers
that control their air-conditioning). Semantic attacks (which
affect the meaning of what computers receive from elsewhere) are
covered below, under cyberwarfare.
Hacker warfare can be further differentiated into defensive
and offensive operations. The debate on defensive hacker warfare
concerns the appropriate role for the DoD in safeguarding
nonmilitary computers. The debate on offensive hacker warfare
concerns whether it should take place at all. In contrast to, say,
proponents of tank or submarine warfare, only a few hackers argue
that the best defense against a hacker attack is a hacker
attack.
Whether hacker warfare is a useful instrument of policy is a
question that defense analysts and science fiction writers may be
equally well placed to answer. Hacker warfare would, without doubt,
be a new form of conflict, but it raises not only the usual
questions -- is it real, is it war -- but also a third: should the
United States wage it?
Is It Real?
Perhaps emblematic of the new concern about hacker warfare among
defense analysts, in November 1994 the dean of the breed, Eliot
Cohen, mentioned it three times in an analysis of the future
defense posture of the United States. Note 43
Incidents of network penetration by hackers are on the
increase, rising faster than the total population of the Internet.
The total cost of silicon fraud is several billion dollars
(although two-thirds of that total consists of toll-call fraud
perpetrated through private branch exchange [PBX] telephone
switches).
It seems excessive, however, to extract a threat to national
security from what, until now, has been largely a high-tech version
of car theft and joy-riding. Even though many computer systems run
with insufficient regard for network security, computer systems can
nevertheless be made secure. They can be made secure (not counting
traitors on the inside) in ways that, say, neither a building nor a
tank can be.
To start with the obvious method, a computer system that
receives no input whatsoever from the outside world cannot be
broken into. If the original software is trusted (and the National
Security Agency [NSA] has developed multilayer tests of
trustworthiness), the system is secure (whether the system
functions well is a separate issue). A system of this sort is, of
course, of limited value. The real concern is to allow systems to
accept input from outside without at the same time allowing core
operating programs to be compromised. One way to prevent compromise
is to handle all inputs as data to be parsed (a process in which
the computer decides what to do by analyzing what the message says)
rather than as code to be executed directly. Security then consists
of ensuring that no combination of computer responses to messages
can affect a core operating program, directly or indirectly (almost
all randomly generated data tend to result in error messages when
parsed). Note 44
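The distinction the paragraph draws, input handled as data to be parsed versus input handed to an interpreter, is easy to see in code. The following is an added example, not from Libicki's text: a tiny "meter" service whose message grammar, command names and keys are constructed for illustration. The first handler hands messages to the interpreter (the pattern the text warns against); the second admits only a closed grammar, so the only code that can touch the service's state is the three handlers that the parser can dispatch to, and random input falls out as parse errors, as the text predicts.

```python
"""Treating network input as data to be parsed rather than code to be run.

Added example, not from Libicki's text. The message format, command names
and the "meter" state are constructed for illustration.
"""
import random
import string

# --- The pattern the text warns against: the message reaches the interpreter. ---
def handle_as_code(message: str, state: dict) -> str:
    """Executes the message directly; any sender can call anything on `state`."""
    return str(eval(message, {}, {"state": state}))  # deliberately unsafe


# --- The pattern the text recommends: a closed grammar and explicit dispatch. ---
class ParseError(ValueError):
    pass

# Grammar (constructed): <verb> <key> [<integer>], key matches [a-z_]{1,16}
VERBS = {"GET": 1, "SET": 2, "INC": 2}   # verb -> number of arguments
MAX_LEN = 64
MAX_VALUE = 1_000_000
KEY_CHARS = set(string.ascii_lowercase + "_")

def parse(message: str) -> tuple:
    """Turn a message into a checked command tuple or raise ParseError."""
    if len(message) > MAX_LEN:
        raise ParseError("message too long")
    parts = message.strip().split(" ")
    verb = parts[0]
    if verb not in VERBS:
        raise ParseError("unknown verb")
    if len(parts) != VERBS[verb] + 1:
        raise ParseError("wrong arity")
    key = parts[1]
    if not (1 <= len(key) <= 16 and set(key) <= KEY_CHARS):
        raise ParseError("bad key")
    if verb == "GET":
        return (verb, key)
    try:
        value = int(parts[2])
    except ValueError:
        raise ParseError("value not an integer") from None
    if not 0 <= value <= MAX_VALUE:
        raise ParseError("value out of range")
    return (verb, key, value)

def handle_as_data(message: str, state: dict) -> str:
    """Only the three branches below can touch `state`, and only the named key."""
    try:
        cmd = parse(message)
    except ParseError as exc:
        return f"ERR {exc}"
    verb, key = cmd[0], cmd[1]
    if verb == "GET":
        return f"OK {state.get(key, 0)}"
    if verb == "SET":
        state[key] = cmd[2]
        return "OK"
    state[key] = min(state.get(key, 0) + cmd[2], MAX_VALUE)  # INC, clamped
    return "OK"

def fuzz_error_rate(trials: int = 2000, seed: int = 1) -> float:
    """Share of random printable messages that the parsing handler rejects."""
    rng = random.Random(seed)
    errors = 0
    for _ in range(trials):
        msg = "".join(rng.choice(string.printable) for _ in range(rng.randint(0, 40)))
        if handle_as_data(msg, {}).startswith("ERR"):
            errors += 1
    return errors / trials

if __name__ == "__main__":
    meter = {}
    print(handle_as_data("SET meter_a 42", meter), handle_as_data("GET meter_a", meter))
    print(handle_as_data("GET meter_a; anything", meter))
    print(f"random input rejected: {fuzz_error_rate():.3f}")
```

The parsing handler has no path by which a message can name a function, a file or a second key; the worst a malformed message can do is earn an error string, which is the property the paragraph describes. The length, arity and range checks are what keep the "no combination of responses" claim honest, since an unbounded integer or key would otherwise be a way to push the handler outside its intended behaviour.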
Unfortunately, systems need to accept changes to core
operating programs, all the time. The trick is to draw a tight
curtain of security around the few superusers granted the right to
initiate changes. Although they might complain, their access
methods could be tightly controlled (they might, for instance, work
only from particular terminals that were hardwired to the network,
which is an option in Digital's VAX operating system). The rapid
speed and greater bandwidth of today's computers have made
ubiquitous use of encryption and digital signatures possible. A
digital signature establishes a traceable link from input back to
the user attempting to pass rogue data into the system, and
although it will not prevent all tampering (e.g., bugs in the
parsing engine), it can eliminate most avenues of attack on a
system. Note 45
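The two controls in this paragraph, a small set of superusers working only from designated terminals and a signature that ties every change back to the user who submitted it, can be combined into one gate in front of the "core operating programs". The following is an added example, not from Libicki's text. It assumes a keyed HMAC from Python's standard library in place of the digital signature the text describes (each superuser holds a distinct secret, so a valid tag still identifies its signer), and the user names, terminal ids, keys and change strings are constructed for illustration.

```python
"""Gating changes to core programs behind named superusers, fixed terminals,
per-user signatures and an audit trail (added example; not from Libicki's text).

Assumption: a keyed HMAC (stdlib `hmac`) stands in for the digital signature
the text describes. Users, terminals, keys and changes are constructed.
"""
import hashlib
import hmac

# Constructed directory: each superuser's secret and the only terminals they may use.
SUPERUSERS = {
    "alice": {"key": b"alice-secret-key-0001", "terminals": {"console-1", "console-2"}},
    "bob":   {"key": b"bob-secret-key-0002",   "terminals": {"console-3"}},
}

def canonical(user: str, terminal: str, seq: int, change: str) -> bytes:
    """Fixed field order and separator so signer and verifier hash identical bytes."""
    for field in (user, terminal, change):
        if "\n" in field:
            raise ValueError("newline not allowed in fields")
    return f"{user}\n{terminal}\n{seq}\n{change}".encode()

def sign_change(user: str, terminal: str, seq: int, change: str) -> dict:
    """Build a change request whose tag only the holder of `user`'s key can produce."""
    key = SUPERUSERS[user]["key"]
    tag = hmac.new(key, canonical(user, terminal, seq, change), hashlib.sha256).hexdigest()
    return {"user": user, "terminal": terminal, "seq": seq, "change": change, "tag": tag}

class ChangeGate:
    """Everything that reaches `core` passes identity, terminal, signature and replay checks."""

    def __init__(self):
        self.last_seq = {u: 0 for u in SUPERUSERS}   # per-user counter for replay protection
        self.audit = []    # the traceable link: every applied change names its signer
        self.core = {}     # stand-in for the core operating programs

    def apply(self, req: dict) -> str:
        user = req.get("user")
        if user not in SUPERUSERS:
            return "rejected: not a superuser"
        if req.get("terminal") not in SUPERUSERS[user]["terminals"]:
            return "rejected: terminal not permitted for this user"
        try:
            seq = int(req["seq"])
            msg = canonical(user, req["terminal"], seq, req["change"])
        except (KeyError, TypeError, ValueError):
            return "rejected: malformed request"
        expected = hmac.new(SUPERUSERS[user]["key"], msg, hashlib.sha256).hexdigest()
        # Constant-time comparison; a tampered field or wrong key fails here.
        if not hmac.compare_digest(expected, str(req.get("tag", ""))):
            return "rejected: bad signature"
        if seq <= self.last_seq[user]:
            return "rejected: replayed or stale sequence number"
        self.last_seq[user] = seq
        name, _, value = req["change"].partition("=")
        self.core[name] = value
        self.audit.append((user, req["terminal"], seq, name))
        return "applied"

if __name__ == "__main__":
    gate = ChangeGate()
    print(gate.apply(sign_change("alice", "console-1", 1, "scheduler=v2")))
    print(gate.apply(sign_change("alice", "console-3", 2, "scheduler=v3")))
    print(gate.audit)
```

The order of the checks matters: identity and terminal are settled before any cryptography runs, the signature is verified before the sequence number is consumed, and only a request that passes all four touches `core`. The audit list is what gives the "traceable link from input back to the user" that the text describes; as the text also notes, this gate says nothing about bugs in the code that applies the change once it is through.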
Stringent security may make certain innovations in the global
network difficult to implement, such as the practice of
communicating by exchanging software objects (which bind
potentially unsafe executable code to benign data). Systems can
(with work) be designed to retain full functionality in the face of
necessary restrictions. Security comes with costs, particularly if
legacy and otherwise reliable operating systems (e.g., Unix) must
be rewritten in order to minimize security holes. If the threat is
big enough, the dollars spent to protect mission-critical national
systems may not seem so large. At present, civilian mission-
critical systems can, for policy purposes, be limited to those that
run phone lines, energy, and other utility systems, funds-transfer
networks, and safety systems.
One reason computer security lags is that incidents of
breaking in so far have not been compelling. Note 46 Although many facilities have
been entered through their Internet gateways, the Internet itself
has only once been brought down (by the infamous Morris worm). The
difficulty in extrapolating from the current spate of attacks on
the Internet is that the Internet was designed to trust the
kindness of strangers. If it is to be considered a mission-critical
system for which compromise is a serious problem, it must evolve
and will necessarily become more secure.
Note 47
Although the signalling systems that govern the nation's
telephones have permitted hackers to affect service to specific
customers, the system itself has yet to experience a catastrophic
failure from attack. None of the few broad phone outages that have
occurred has been shown to have been caused by anything other than
faulty software. Note 48 No
financial system has ever had its basic integrity become suspect
(although intermittent failures occur, such as NASDAQ's frequent
problems). An analogy has been drawn between the threat of hacking
and the security of the nation's rail system: train tracks,
especially unprotected tracks in rural countryside, are easy to
sabotage, and with grimmer results than network failure, but such
incidents are rare.
Although important computer systems can be secured against
hacker attacks at modest cost in usability, that does not mean that
they will be secured. Increasing and increasingly sophisticated
attempts may be the best guarantor that national computer systems
will be made secure. The worst possibility is that the
absence of important incidents will lull systems
administrators into inattention, allowing some organized group to
plot and initiate a broad, simultaneous, disruptive attack across
a variety of critical systems. The barn door closes but the prize
racehorse has been lost. Are today's hackers doing us a favor? Not
everyone thinks so; Dorothy Denning, of Georgetown University, has
argued that today's volume of random hacking raises the
sophistication of hackers, thus raising the cost of recapturing the
desired level of systems security. Note 49
Is it useful to test systems against hackers the way new
software is tested against computer illiterates? Probably. Much of
hacking is determining the construction of a system -- which rarely
is obvious to the outside user -- that is, finding where the holes
are and pinpointing and exploiting them. Testers could be given the
source code that says how the system works and set the problem of
converting that into the kind of search for holes hackers undertake
to see if they can punch through. If the job of testers is to make
systems foolproof, they can test faster than hackers can hack (but
if it consists of obscuring the faults, their thorough knowledge of
the system prevents them from testing how well the system can
protect itself through self-obfuscation).
Perhaps the most pernicious aspect of hacker warfare is that
by creating a dense aura of magic around hacking it raises the
status of professional paranoids. One particularly egregious
hobgoblin has whispered that deliberate flaws are planted from
overseas in a popular computer chip or operating system and that
the flaws can disable the world's microcomputer systems just when
the United States will be confounded by an opponent's military
challenge. Getting two such events to coincide would in itself be
an engineering tour de force. Note 50
All told, hacker warfare appears to be a problem that is not
a problem until it is a problem, when it will shortly cease to be
a problem.
Is It War?
Hacker attacks on military information systems can reinforce
conventional military operations as well as any other form of
information warfare. Crucial military systems are supposed to be
designed with sufficient security and redundancy (and sufficient
separateness from the rest of the world) to defeat such attacks. Note 51
Hacker attacks on commercial information systems, precisely
orchestrated, can distract the political leadership from national
security duties. How effective are hacker attacks as warfare? That
is, what power do hacker attacks have to affect the power of the
state to defend its vital interests?
A flurry of hacker attacks can rival terrorist attacks for
annoyance value, and, indeed, can disrupt the lives of more people.
Is annoyance without political content an act of war? Can hacker
attacks force change any more than terrorist attacks do? If so,
repeated terrorist attacks would have to tire the target populace
and erode support for countering those for whom the terrorists
work. Yet hacker warfare depends for effect on specific, thus
remediable, characteristics of the target system. Repeated attacks
presume either a population of doltish systems administrators or
increasingly clever hackers. Can either be counted on? Applying the
terrorist model, again, perhaps hacker attacks could force change
by inducing repressive state countermeasures, which then would
alienate uninvolved citizenry. But hacker warfare is not liable to
set off random repression of undesirables. Although populations may
chafe a bit at computer security measures instituted in the wake of
attacks, such measures are a long way from invading houses and
hauling the usual suspects off to police headquarters.
In its ability to bring a country to its knees, hacker warfare
is a pale shadow of economic warfare, itself of limited value.
Suppose that hackers could shut down all phone service (and, with
that, say, credit card purchases) nationwide for a week. The event
would be disruptive certainly and costly (more so every year), but
probably less disruptive than certain natural events, such as snow,
flood, fire, or earthquake -- indeed, far less so in terms of lost
output than a modest-size recession. Would such a hacker attack
prompt the U.S. public to demand the United States disengage from
opposing the state that perpetrated the countermove, just because
of great inconvenience? Probably not. The United States is more
likely to disengage from an overseas conflict in the face of
opponents whose neighborhoods are judged less important than
initially estimated. It is less likely to withdraw in the face of
an opponent whose power to strike the U.S. economic system suggests
why this opponent must be dealt with harshly. Note 52
Should the United States Wage Hacker Warfare?
The answer depends on whether defensive or offensive hacker warfare
is intended. Defensive hacker warfare is an essential but everyday
task of bolstering network security. Few doubt that military
information systems should be guarded against attack (unclassified
open-logistics systems are of particular concern); the same is true
for mission-critical civilian systems, and perhaps even for the
coming national information infrastructure.
Should the government ensure the security of systems critical
to the national economy? On one hand, threatening the economy by
targeting its systems may affect the state. On the other hand, is
systems security a problem whose solution should be socialized
rather than remain private? If a foreign missile hits a refinery
that blows up and damages its neighborhood, would the damage be the
refiner's fault? No: the problem has been socialized in that the
United States has a military to protect itself against such
attacks. If a gunman hits a refinery tower and causes a similar
explosion, would that be the refiner's fault? Yes and no: the
problem is partially socialized through public law enforcement.
Yet, the refiner -- as an owner of potentially dangerous equipment
-- is reasonably expected to take precautions (e.g., perimeter
fencing, security guards). If a hacker on the Internet gains access
to the refiner's system and commands a valve to stay open, creating
an explosion and damaging the neighborhood, should the refiner be
at fault? Yes: it should know everything about its information
systems, whereas the government may know absolutely nothing. Thus,
the refiner should be responsible for protecting its internal
systems and ensuring that software-generated events (e.g., software
bugs) cannot do catastrophic damage. If a bank's deposit records
were destroyed, do the depositors lose their money? No: a deposit
constitutes a promise made by the bank to repay a loan. The
bank's legal obligations cannot be erased by erasing its silicon
memory of these obligations.
If the government is to protect the security of nonmilitary
systems, which agency should take the lead? The NSA clearly has the
greatest expertise, yet in civilian circles it is also one of the
least trusted agencies because of the highly classified nature of
most of what it does. Note 53 If and
when network security receives more attention, adherence to minimal
standards of security may become a precondition for federal
regulatory approval (e.g., phone system or power-generation
franchises often carry legal obligations for certain levels of
assured service), for federal contract approval (e.g., bank
systems), or for handling certain records (e.g., personal health
data). Care must be taken lest the criteria used to define adequate
security reflect military specifications (MILSPECs) and the array
of threats particular to military systems, rather than criteria
more appropriate to critical civilian networks.
The question of whether to develop a U.S. capability for
offensive hacker warfare echoes arguments attendant on any
discussion of nouvelle weaponry. If the United States
forgoes, will others also forgo? Analogies to atomic weaponry
suggest that hacker offensive warfare is not at all like atomic
warfare (where linkages existed between the level of U.S. and
Soviet stockpiles and delivery systems). Nations against which the
United States might be preparing hacker warfare capabilities are
less likely to react to U.S. capabilities than those against whom
the United States might be preparing nuclear capabilities (in part
because hacker warfare capabilities tend to be developed in and
need to be used in great secrecy). It is also difficult to argue
that attacking a society's computers with malevolent software is
especially immoral when almost all other targets are
acceptable.
The argument against developing a capability for offensive
hacker warfare concerns glass houses and stones. The United States
is far more dependent on computer systems than other nations are. Note 54 The U.S. edge in perpetrating
hacker attacks may be narrower than imagined. Roughly 60 percent of
the doctorates granted here in computer science and security are
awarded to citizens of foreign countries, two-thirds from Islamic
countries or India. Analogies to biological warfare suggest that
the United States should stop contemplating certain types of
attacks until it has developed antidotes for them. It would be
quite embarrassing if a virus intended for another country's
computer systems leaked and contaminated ours.
Defensive hacker warfare presents a fundamental barrier to
offensive hacker warfare. One way to promote the security of U.S.
systems is to develop and distribute tools, tests, and code that
ease the burden of securing civilian systems, and, thus, many
multinational systems. If the tools have merit, potential
adversaries will install them, too. Trap doors could be built into
these products, but pulling that off requires greater cooperation
between the vendors of systems security and the U.S. government Note 55 than the current debate over
the Clipper chip suggests may be possible.
As the world becomes interlinked, most defenses the U.S. might
employ defend not only this country but others as well. Out of the
desire to ensure that U.S. corporations' deposits in banks in
foreign countries are secure, the United States cannot help
promoting operational practices that in turn ensure that the
deposits of evil dictators in the same bank are equally secure.
Because hacking is cheap, nations at war might as well see what
mischief it can be used to cause, and those that fall victim to
such attacks will then have only themselves to blame.