
Four Pillars of Cyber Warfare: Intelligence

November 9, 2009 by ADMIN

By Richard Stiennon, Chief Research Analyst, IT-Harvest

There are four pillars to the cyber war realm: intelligence, technology, logistics, and command.

One premise is that cyber warfare is a component of the ongoing struggle between philosophies of politics, governance, and markets to be waged by opposing interests be they nation vs. nation, law enforcement vs. criminals, religion vs. the world, or security forces vs. terrorists.

This summer the National Resource Council, a think tank that has published several reports on cyber threats, produced a book titled: Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. I reviewed it here.

This book by NRC is a comprehensive look at the question of engaging in cyber war from the perspective of the United States. Its conclusion was that yes, the US should acquire cyberattack capabilities.

This is the first of four blog posts that elaborate just how the US, or any nation, would engage in cyber war.

By understanding these factors IT security practitioners can gauge the threat to their own organization from cyber war and perhaps take steps to prepare for either direct attacks or the fallout from an outbreak of cyber hostilities between nations.

According to the US Army Field Manual 106 Information Operations, August 1996, the goal of cyber war is information dominance defined as:

The degree of information superiority that allows the possessor to use information systems and capabilities to achieve an operational advantage in a conflict or to control the situation in operations short of war, while denying those capabilities to the adversary.

But there is much more entailed in cyber warfare than that encapsulated in this simple definition.

Intelligence gathering, in particular, as practiced by the Chinese Government and the People’s Liberation Army can provide the type of information dominance that would provide an advantage during any widespread conflict.

The results of effective intelligence gathering could provide a country with information that could create an advantage in many realms.

Political Intelligence Gathering

By knowing what your opponent is thinking, planning, and doing, an intelligence gathering operation could provide critical information at an important juncture.

Preparations for diplomatic engagements involve an understanding of the world situation and the points of view each party is bringing to a conference or treaty negotiation.

Winston Churchill reports the varied and fluid positions of Italy, Japan, the USSR, Poland, France, the UK, and Belgium during the lead up to the declaration of war against Germany by Britain.

There were many periods between 1933 and 1939 when the Second World War could have been avoided completely if a better understanding of each party’s thinking were available.

Hitler was engaged in a game of chess against the rest of the world.

Even the German High Command thought he was risking too much as he ordered the Anschluss of Austria, the annexation of Czechoslovakia, and the invasion and partitioning of Poland.

Hitler’s actions, according to Churchill, were based on the true interpretation of France’s and Britain’s lack of desire to engage in all out war.

True, that is, up to the invasion of Poland when Britain switched from pacifism to determination to prevail against all odds; by then the die was cast and world conflict had begun.

Weapons Intelligence

As the world powers turn from their historical aim of being able to fight protracted wars against one or two opposing countries to the recognition that they must fight terrorists, rogue states, and groups dispersed throughout several countries, the weapons of war are changing.

Cruise missiles, satellite based weapons, remotely piloted drones, and rapidly deployed strike forces are areas of major investment for the US and other world powers today.

Gaining knowledge of planned weapons technology helps an adversary prepare weapons to counter the latest technology or even to copy that technology without the expense of research.

Military Intelligence

Knowledge of an adversary’s military organization, the people in that organization, deployment numbers, disposition of resources, and state of preparedness are the domain of military intelligence.

One of the most pivotal pieces of information ever gained through espionage (in fact from decrypting German High Command communications) was that in the spring of 1944 Hitler held two complete divisions in reserve in the Netherlands.

Knowing that Hitler’s forces were not concentrated led the Allied Command to launch the D-Day landings at Normandy that subsequently led to the fall of the Third Reich and the complete victory of the Allies.

Industrial Intelligence

Industrial intelligence targets a company’s or a country’s manufacturing, banking, energy, and retail operations to glean information that could provide a boost to economic competitiveness.

It could be as simple as stealing pricing data to help a competitor price their own products, or it could be stealing games, software, or video content for illegal reproduction.

Despite the movement in recent years to a world economy that recognizes each country’s contribution to global commerce, each nation state still strives to grow and prosper in competition with the others.

Industrial espionage is a tool of economic competition that is easily turned to enhancing a state’s war fighting capability.

An example of how information can benefit one party and harm the other can be found in the contract negotiations that Lee Iacocca held with the United Auto Workers at a critical juncture for Chrysler as it struggled for survival in the late 70’s.

A janitor, a union member who worked in the computer center at Chrysler, fished a green bar printout from the trash that contained the salaries of all of the executives and white collar staff.

This printout was famously taken to the negotiating table and thrown down in support of the union’s position.

Aside from harming management’s position in union contract negotiations that incident led to a revamping of security in Chrysler’s computer operations.

In particular, union members were barred from working in the data center!

The world has become digital since the late 70’s. Most information resides on computers. Most transmittal of information goes over networks, usually unencrypted.

Most internal discussion of critical matters is recorded via electronic means and shared electronically and therefore is vulnerable to cyber espionage.

One of the scariest examples of successful espionage is the alleged theft of compact nuclear warhead design from the US.

The US invested billions of dollars in advanced research to develop a warhead with minimum weight and size.

Every ounce that can be removed from a missile payload means smaller, cheaper rockets that can fire longer ranges.

In the case of the W88, an 800 pound thermonuclear bomb, the acquisition of design data by China forever tipped the balance of power.

Recent examples of successful espionage are surely a small fraction of the number of instances of successful data theft.

The US Military reports that the Chinese People’s Liberation Army is now in possession of most of the design data for the Advanced Joint Strike Fighter designed and built at a cost of over $100 billion.

A terabyte of data has been systematically culled from the so-called non-classified NIPRnet that ties together military contractors and government networks.

The value of information transmitted across the un-encrypted NIPRnet is often minimized. Yet even encrypted network traffic can give an adversary critical information.

There is a field of espionage called signal analysis. It is the practice of monitoring the source, direction, and length of transmissions to glean critical information.

It was put to good use during WWII to monitor transmissions to and from German U-boats, and by the Germans to locate cargo convoys.

In modern practice signal analysis can be applied to email, Instant Messaging, VoIP (voice over Internet Protocol) calls, and file transfers.

All IP packets have to contain a source and destination address, even if their payloads are encrypted with the strongest measures.

By counting the volumes, frequency and times of transmissions it is possible to determine much. If those transmissions are correlated with other activity it would be possible to determine things such as:

  • Preparations for troop, aircraft, or ship deployments as transmission volume increases between an operations center and an airfield or naval base.
  • Participants in a particular military contract as the project center sends emails and files to defense contractors.
  • Diplomatic activity as volumes of traffic increased between the State Department and a consulate or embassy.
  • In the event of a national emergency the volumes of transmissions and the participants in those communications would reveal the inner workings of a government’s response capabilities.

Thus even so-called secure networks such as the US Military SIPRnet are subject to signal analysis and valuable information can be determined from the flow of encrypted data.

Countering cyber espionage takes a concerted effort that goes far beyond most organizations’ current efforts to secure their cyber environments.

Treating signal analysis goes a step further and means that the parties to critical transmissions have to take steps to obfuscate the timing and volume of their transmissions.

One method, filling the communication pipe with a constant stream of encrypted data, would be an impractical solution.

Too many such padded channels would add to the cost of maintaining those networks and clog the public networks.
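To make the two points above concrete, here is an added example (not code from the original post) that runs the signal analysis described earlier over constructed flow records whose payloads are assumed encrypted, flags the volume spike that would betray a deployment, and then applies the constant-rate padding countermeasure to show both that it hides the spike and what it costs in cover traffic. Host labels, byte counts and the spike threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed NetFlow-style records: (timestamp, src, dst, bytes). The payload is
# assumed encrypted; only the header fields and sizes below are visible to an
# observer. "ops-center" and "airfield" are hypothetical host labels.
FLOWS = [
    ("2009-11-02T09:00", "ops-center", "airfield", 4000),
    ("2009-11-02T13:00", "ops-center", "airfield", 5000),
    ("2009-11-03T09:00", "ops-center", "airfield", 4500),
    ("2009-11-03T14:00", "ops-center", "airfield", 3500),
    ("2009-11-04T09:00", "ops-center", "airfield", 4000),
    ("2009-11-05T08:00", "ops-center", "airfield", 60000),
    ("2009-11-05T09:00", "ops-center", "airfield", 55000),
    ("2009-11-05T10:00", "ops-center", "airfield", 70000),
]

def daily_volume(flows):
    """Bytes per (src, dst) pair per day, computed from headers alone."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, size in flows:
        totals[(src, dst)][ts[:10]] += size
    return {pair: dict(days) for pair, days in totals.items()}

def volume_spikes(volumes, factor=3.0):
    """Days whose volume exceeds `factor` times the pair's median daily volume."""
    spikes = []
    for pair, days in volumes.items():
        baseline = median(days.values())
        spikes += [(pair, day) for day, v in sorted(days.items())
                   if v > factor * baseline]
    return spikes

def pad_to_constant_rate(volumes):
    """Countermeasure from the text: send the same volume every day by topping
    each day up to the pair's peak with cover traffic. Returns the padded
    volumes plus (real_bytes, cover_bytes) so the overhead can be judged."""
    padded, real, cover = {}, 0, 0
    for pair, days in volumes.items():
        peak = max(days.values())
        padded[pair] = {day: peak for day in days}
        real += sum(days.values())
        cover += sum(peak - v for v in days.values())
    return padded, real, cover

if __name__ == "__main__":
    vols = daily_volume(FLOWS)
    print("spikes:", volume_spikes(vols))
    padded, real, cover = pad_to_constant_rate(vols)
    print("after padding:", volume_spikes(padded), f"overhead {cover / real:.0%}")
```

On this sample the single busy day is flagged from sizes and addresses alone, and flattening the channel to its peak costs roughly two and a half times the real volume in cover traffic, which is the impracticality the text points to.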

One of the prime targets for the cyber spy is an email server.

Controlling an adversary’s email server gives the assailant the ability to copy all emails, block the sending of certain emails, and even to modify emails in transit.

If cyber spies were to gain such control over the email servers of the Pentagon, Whitehall (UK Military Command), and the German Chancellery, they would have a goldmine of information.

And, in fact, each of these organizations has reported such incursions.

The Pentagon claims they have spent the gargantuan sum of $100 million cleaning up after their email servers were breached by attacks apparently launched from source IP addresses owned by the Chinese People’s Liberation Army.

Germany and the UK have also publicly attributed the successful attacks on their email servers to China.

The Ghost Net researchers at SecDev uncovered that the Office of the Dalai Lama had lost control of their mail server to Chinese operatives as well.

The effective use of cyber intelligence is therefore one of the four pillars of successful cyber warfare operations. There are three steps to creating and operating an effective cyber espionage capability: reconnaissance, acquisition, and analysis.

Cyber reconnaissance is the systematic discovery of target assets. Military command determines the types of information desired and the organizations to target.

Let us for the moment name a new branch of the military or intelligence function: the cyber corps. The cyber corps carries on a continuous discovery of IT assets associated with each target.

The targets may be the army, navy, air force, military command center, or the offices of the President, Prime Minister, Chancellor, State Department or Foreign Office.

The assets to be discovered include DNS servers, web servers, mail servers, routers, firewalls, and databases. The reason reconnaissance requires continuous activity is that the assets are changing continuously.

DNS servers are moved, web servers, databases, and networks are updated on a daily basis.

Cyber reconnaissance is the practice of tracking all of those changes as well as the discovery of new assets as they are brought online or some change in network architectures exposes them.

Reconnaissance would not be limited to external penetration activities but would include the input from in-situ spies and informants.

Acquisition is the execution of an attack against an identified target for the purpose of gathering the information it contains.

Databases, web servers, and email servers are ripe for such activities. Under concerted attack they yield their store of military plans, diplomatic correspondence, weapons design, and even economic data such as customer lists, prices, and financials.

The actual movement of the discovered data is called exfiltration in military parlance.

Analysis of material discovered via cyber espionage is the most challenging task. Usually the information must be translated.

Then it has to be interpreted, evaluated, turned into useful form, and finally delivered to the department or organization that can make best use of it:

  • Industrial plans, designs, and processes sent to domestic industry.
  • Diplomatic content sent to the State Department or Foreign Office.
  • Weapons and troop movements sent to the military.

All three of these operations: reconnaissance, acquisition, and analysis, are linked in that analysis of cyber intelligence may lead to the identification of new targets for reconnaissance, as may the acquisition activity.

The cyber espionage operations are integrated with the larger intelligence community engaged in news analysis, psyops (psychological operations), and covert operations.

Cyber intelligence also contributes to the other three branches of an effective cyber war operation.

(Next week:  Four Pillars of Cyber Warfare: TECHNOLOGY)

Comments and input are welcome as always on this critical new category.

Richard Stiennon, security expert and industry analyst, is known for shaking up the industry and providing actionable guidance to vendors and end users. He recently re-launched the security blog ThreatChaos.com and is the founder of IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors. He was Chief Marketing Officer for Fortinet, Inc. the leading UTM vendor. Prior to that he was VP Threat Research at Webroot Software. Before Webroot, Mr. Stiennon was VP Research at Gartner Inc. where he covered security topics including firewalls, intrusion detection, intrusion prevention, security consulting, and managed security services for the Security and Privacy group. He is a holder of Gartner’s Thought Leadership award and was named “One of the 50 most powerful people in Networking” by NetworkWorld Magazine.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
