
Running head: Defensive Information Warfare

Defensive Information Warfare: A review of selected literature

James R Francisco

December 2003

Abstract

Information warfare is a threat not only to military formations but to the civilian population as well. Private organizations need to understand the context in which information warfare happens and be able to defend against attacks when they occur. This article reviews the current literature about defensive information warfare and suggests some avenues for ongoing research.

Table of Contents

Defensive Information Warfare: A review of selected literature
  Threats to the Information Infrastructure
  National Policy, Law and Ethics
    Law and Ethics
    National Policy
  Defensive Information Warfare Strategies
    Deterrence
    Protective Measures
  Conclusions
References

Defensive Information Warfare: A review of selected literature

In 1991, Martin Van Creveld published The Transformation of War. In that volume, he proposed a new paradigm for analyzing warfare based on the growth of low-intensity conflicts around the world (Creveld, 1991). Recently, Van Creveld published a critique of that book in which he reviewed the differences between his 1991 predictions and the present. In that critique, he comments that he never considered information warfare as a method (Creveld, 2002). Defensive information warfare is the practice of protecting an organization's computer systems against attack by hostile sources. This review surveys the literature on defensive information warfare. The existing literature falls into three broad categories: threats to the information infrastructure, national policy, and defensive strategies.

Threats to the Information Infrastructure

The information security literature is replete with details of the methods a hostile attacker may use to harm an organization's information system. However, it is also helpful to understand the nature and the motivations of the actors who create the threats. In early discussions of information warfare, Jensen pointed out that its goals center on the concept of the precision strike that paralyzes the enemy without creating large numbers of casualties among either friendly or hostile forces (Jensen, 1994). While assessing the potential threats from an attack on the nation's information infrastructure, Berkowitz raised the idea of sending agents into the country under cover as computer science students who, after gaining the needed skills, would attack the nation from within (B. D. Berkowitz, 1995). He has also characterized the advent of information warfare as the "dark side" of the information revolution. Berkowitz reasons that the vulnerabilities that have arisen in the military and the private sector relate directly to the spread of information technology (1995). Another point he raises is the fragmented nature of the threat from information warfare. There is no guarantee that different hostile nations, terrorist groups, or criminal gangs will attack the nation's information systems in the same way or at the same entities. Nor will they limit themselves to military or governmental systems; civilian information systems are also high-profile targets of information warfare (B. D. Berkowitz, 1995).

Organizationally, the rise of information technology has provided fruitful ground for the development of networked organizations, sometimes at the expense of traditional forms (Arquilla & Ronfeldt, 1999). Arquilla and Ronfeldt argue that the increased ability of networked organizations to compete with traditional hierarchical organizations represents a departure from the organizational structures normally used in conflict and crime. In this model, organizations take on topologies familiar to network engineers, such as chains and stars. The most challenging type is what Arquilla and Ronfeldt describe as the all-channel network, in which all of the actors interconnect with each other and there is no identifiable central leadership (1999). This type of organization is also the hardest to identify and deal with on a permanent basis because of the manner in which it relies on communications to convey its values and conduct operational planning. One attack mode of networked organizations in the information systems arena is the swarm, in which attackers approach a target from a number of directions at once. This suggests that when an organization is being attacked in one manner, such as a distributed denial of service attack, network engineers need to be on guard for other types of attacks against the system, since the visible attack may be only one prong of the swarm (Arquilla & Ronfeldt, 1999). This concept of netwar has been expanded and integrated into a comprehensive model of the threat environment for a nation under attack from terrorist organizations (Bunker, 2002).

The civil information infrastructure has taken on greater significance as an increasing amount of the information that passes between civilian entities depends on that infrastructure. In this environment, attacks on critical points in the economy can be more harmful to the nation than attacks on military units (Cobb, 1999). Cobb has identified some areas of vulnerability that hostile actors could use to attack a nation. The energy industry is a significant target for hostile attackers. The impact of events like the 2003 regional power grid failure in the northeastern United States points to the disruption to society that a successful attack could cause. The energy distribution network is increasingly computerized, and Cobb uses examples from Australia to illustrate how attacking a single choke point can have a devastating impact on the ability of an organization, community, or nation to respond to attacks against it (Cobb, 1999). Other industries at risk in Cobb's examples are telecommunications and finance. In each case, Cobb gives examples of chokepoints in the Australian economy that could be the source of major disruption to society if successfully disabled or destroyed (1999).

The ranks of potential attackers are long and the list seems to grow on a regular basis. Schwartau describes the situation as one of asymmetry between the opposing sides (Schwartau, 2000). Nations and other entities, knowing that they cannot compete with the United States on the physical battlefield, have expressly stated their intention to attack civilian organizations and infrastructure. Chinese military officers have specifically stated their intent to attack the financial services industry, transportation, communications systems, and the national power grid in the event of a major conflict with the United States (Schwartau, 2000). The Russian military also takes the threat of information warfare seriously; Schwartau relates that the Russians consider information warfare second only to the use of nuclear weapons.

The losses from information warfare are not limited to damage caused by attacks that shut down systems. There are ongoing economic losses from theft of information as well. In 2000, the FBI estimated that the losses to U.S. businesses from online industrial and economic espionage exceeded $300 billion (Schwartau, 2000). The threat to businesses from information warfare is not reduced by the dilatory response of the United States government to these risks. Schwartau describes several laws that put businesses in the United States at a disadvantage relative to the rest of the world in the effort to protect intellectual assets (Schwartau, 2000). Berkowitz discusses issues with the original placement of the National Infrastructure Protection Center under the management of the FBI (B. Berkowitz, 2000). The core of Berkowitz's argument is the difference in character between the FBI, which is structured to find and arrest criminals, and the military, whose purpose is defeating the nation's enemies (2000). Although the government has initiated several programs to identify and contain information systems attacks, Berkowitz points out that they lack good communications channels with the military commands that have the capability to respond to the attacks forcefully. He also discusses the ways in which the government has mishandled relationships with the very information technology companies that would be the greatest help in creating solutions and systems to protect both business and government from hostile cyberattacks (B. Berkowitz, 2000). Berkowitz also points out some actions of the software industry that have made information systems vulnerable to attack, in particular the conflict between designing systems for ease of use and the need for secure systems (2000).

Other writers have given attention to the types of strategies hostile organizations may use against businesses and society. Erbschloe and Vacca write that "the types of information warfare that will be most likely waged against large industrial computer-dependent countries are sustained terrorist information warfare, random terrorist information warfare, sustained rogue information warfare, random rogue information warfare, and amateur rogue information warfare" (Erbschloe & Vacca, 2001). These authors categorize rogue attacks as those mounted by criminal organizations, as opposed to terrorist attacks, which may or may not have state sponsorship, and amateur rogue attacks, which are carried out by individuals. Perhaps the largest threat to businesses and society is not the economic damage from a single large-scale attack that succeeds but the effect of a few small, well-publicized attacks that undermine public confidence in the systems attacked (B. Berkowitz & Hahn, 2003). This strategy would not require major destruction, just small inconveniences for the public from time to time until they became convinced that the systems were unreliable.

There is some dispute about the nature of the threats facing the nation from information warfare. Smith points out that, with the exception of some large-scale virus releases, the attack scenarios outlined by scholars and other writers concerned about information warfare remain scenarios for discussion (Smith, 1998). From time to time, the government has been less than helpful in building the organizations, systems, and credibility needed to deal with these threats; in fact, government statements have inflated the number of systems attacked over the years by a significant margin (Smith, 1998). Skibell discusses the way a mythological framework has arisen around the hacker and how it has diverted resources away from other issues of corporate security, such as protecting the organization's information system from internal theft and sabotage (Skibell, 2002). Having examined the nature of the threats to society from

information warfare, it is necessary to understand the legal and ethical positions that drive public policy and constrain the range of actions a firm might take to defend itself.

National Policy, Law and Ethics

The range of responses to external information security threats that are acceptable for information systems organizations is bounded by law, ethics, and national policy. At a fundamental level, law and ethics drive national policy.

Law and Ethics

There are ethical issues to consider when developing a strategy to respond to information warfare attacks against business and private information systems. Arquilla (1998) initiates a discussion about the nature of information warfare and the application of the principles of just war in cyberspace. He argues for an interpretation of the use of information warfare similar to the no-first-use doctrine that the United States adheres to for weapons of mass destruction. This philosophical position restricts the range of responses available to lawfully constituted governments, even though the author recognizes that the actors in an information warfare attack may be a terrorist organization or a criminal enterprise not connected to any established government (Arquilla, 1998). Information systems professionals in western nations are also often personally constrained by the ethical codes of the professional societies to which they belong. Several elements of the Code of Ethics of the Association for Computing Machinery bear on the responses of ACM members to information warfare. The general moral imperatives of the code suggest that while participation in offensive information warfare would be unethical, element 1.2, "Avoid harm to others," and section 1.5, "Respect property rights," suggest that members may become involved in protecting the information assets of an organization ("ACM Code of Ethics and Professional Conduct," 1991). Although an ethical approach may seem to put the organization at a disadvantage with respect to hostile attackers, it is crucial to maintaining the legitimacy of the organization in the eyes of third-party observers.

The law is also a constraining factor when considering the range of available responses to an attack. International law has specific criteria for an armed response by a nation to a provocation. This test is known as the Caroline test, after an incident in New York State in 1837 in which British forces crossed from Canada to New York to seize the Caroline, a ship that had been engaged in smuggling weapons into Canada. The Caroline test calls for three critical elements to coexist in any lawful state's forcible act of self-defense: (1) the act in question must be necessary; (2) the use of force involved must be proportionate and not excessive in terms of the means employed; and (3) the timing of the forcible defensive act must leave absolutely no doubt that the given act was the very last option at hand (Delibasis, 2002). Delibasis also suggests that this classic interpretation of international law is supported by Article 51 of the United Nations Charter (2002). However, the language of Article 51 leaves open the question whether an information warfare attack is an "armed attack" within the spirit of the article. Delibasis resolves this through Article 2(4) of the U.N. Charter, which he reads as defining an attack as both the use of arms and a violation of international law that involves an exercise of power in the territorial domain but no use of arms (Delibasis, 2002). Although the U.N. Charter, on this reading, grants nations the right to defend themselves assertively against electronic attacks through information systems, national laws also shape the ability of organizations to respond to information warfare attacks.
For the United States government and for organizations subject to the laws of the United States, the issue is clearly stated in 18 USC 1030(a)(5), where most of the activities short of actual physical counterstrikes are prohibited by law, not only to the civilian population but to the government as well. One possible offensive response that has been discussed is a logic bomb that counterattacks the computer system of the attacker. There is a risk that the attack may itself have been launched from the computer of an innocent bystander, so that the counterstrike lands on the wrong party (DiCenso, 1999). DiCenso has expressed a position held in the legal community of the United States Air Force that, at least in the initial phases of the investigation of an attack against an organizational information system, criminal law procedures should be followed (1999).

National Policy

The discussion about national policy with respect to information security has grown in importance with the growth of the internet. Schwartau identified some of the threats and potential targets for information warfare at an early point in the life of the commercial internet (Schwartau, 1995). At that time, he also started advocating the development of a national information policy to structure the activities of organizations defending against information systems attacks. To impress the significance of the need for a strong policy, Schwartau portrays several worst-case scenarios, including that "the wrong hands could extract the most personal information about the 'digital you,' not the least of which could be medical, financial, business, legal, and criminal documentation. An individual could alter his/her own records to eradicate nefarious histories. Or an individual could alter anyone's electronic documentation for any reason" (Schwartau, 1995).

The interest of the United States government in defending against penetration attacks on information systems is a recent development. In 1995, the Department of Defense (DOD) was discounting the threat posed by the nearly 160,000 successful penetrations of DOD computer systems because no highly classified information had been compromised (Davies, 1999). In recent years, thinking within DOD on information systems and security has changed. In 1996 the U.S. Justice Department initiated a commission to study the issues and requirements for a national information security policy (Munro, 1996). Munro points out that there is no unanimity in society about the need for, or the desirable nature of, an information security policy. A number of concerns are raised in the public debate about information security. The software development industry is opposed to restrictions on the sale of encryption software on grounds of lost profit and harm to the international competitive standing of U.S. software publishers. Elements of the civil liberties community are concerned about intrusions affecting individual privacy (Munro, 1996). In this environment, the active cooperation of private industry, which has been lacking in the past, is needed if future protective efforts are to succeed. The RAND Corporation has developed a decision-making framework to help policy makers properly evaluate the impact of their decisions (Molander, Wilson, & Mesic, 1998). To provide a common infrastructure and enhance security, the Defense Department has proposed a project, Backbone, to create a common internet protocol infrastructure and set of networking strategies for the defense community (Grasso & DeMarines, 2003). A number of writers have challenged the policies of the government concerning the defensive environment. Schwartau questions the legal policies that prohibit businesses from assertively protecting their assets (Schwartau, 2000). Welch and other officers at West Point have observed that defensive warfare does not usually win the day, and have advocated a change in policy and law to allow organizations to engage in active countermeasures against their attackers. From the law and the published ethical standards of the professional

computer societies, we can develop strategies and tools to defend against information systems attacks.

Defensive Information Warfare Strategies

Given the constraints of 18 USC 1030(a)(5), which prohibits counterstrikes against entities that attack an organization's computer systems, it is necessary to consider purely defensive strategies for protecting the information infrastructure. These defensive strategies fall into two categories: deterrence and protective measures.

Deterrence

The objective of deterrence is to discourage potential hostile attackers from launching an attack in the first place. At the international level, there are serious discussions about how to prevent information warfare. Worden and France have proposed a deterrence strategy that integrates information warfare deterrence with the general strategy of the United States for deterring the use of weapons of mass destruction (Worden & France, 2001). The prime minister of Russia has been in discussions with the United Nations about ways to ban information warfare (Blank, 2001). This should be taken as an example of how seriously other powers consider the potential threat to their national infrastructure. Blank discusses how information warfare is a risk to the concept of deterring the use of weapons of mass destruction. He goes on to suggest that it may not be possible to deter information warfare attacks at the national policy level because the attacks themselves are aimed at, and disable, the very monitoring systems that are critical for that kind of approach to be viable (Blank, 2001).

Given the problematic nature of attempting to prevent information warfare attacks through national policy, we can consider systems and software engineering approaches that either stop an attack from occurring or mitigate the potential damage. One deterrence approach that has been suggested is to develop software that prevents computers from being used as the source of an attack (Bruschi & Rosti, 2000). This approach envisions filters installed on computers that monitor outgoing packets for characteristic types of activity and then disable the ability to send that traffic. It could be implemented by operating system vendors as part of a service update or a new release. Bruschi and Rosti have developed a demonstration system for this concept. It applies packet filtering rules to outgoing packets when they are ready to be passed down to the data link layer. The packet flow is checked against signatures of known attacks and blocked when an attack attempt is detected (Bruschi & Rosti, 2000). The appeal of this approach lies in the simplicity of the implementation: the preventive measure is installed with the operating system, and a potential attacker must first reconfigure the computer in order to make it useful as a means of attack (2000). The approach shares the limitation of any signature-based control: outgoing traffic that matches no known signature passes the filter, and an attacker who has already gained administrative control of the host can disable it.

Protective Measures

Protective measures are things an organization can do either to block an attack or to recover quickly from one. One proposal for protecting database systems is to develop a way to recover damaged data (Panda & Giordano, 1998). This approach uses a modified transaction log that stores the record of transactions in a form that can be analyzed to identify, and then recover, the data compromised in the attack. Panda and Giordano have also developed a paradigm for structuring defensive activities; their goals are stated very simply: protect, detect, and react (Panda & Giordano, 1999). Panda and Tripathy have taken the recovery of databases a step further by developing a method for segmenting the transaction logs of a database server, based on the data dependencies between transactions, to reduce the time needed for detecting and repairing damaged sections of data (Panda & Tripathy, 2000). Continuing this work, Panda and Yalamanchili have developed another approach

to recovery that fuses bad transactions together in the log and facilitates their rapid removal and the recovery of the data damaged in the process (Panda & Yalamanchili, 2001).

Another approach to defense is to make the individual applications as durable as possible and rely on the concept of "survival by defense" (Pal, Webber, & Schantz, 2001). The objective of this approach, in the words of the authors: "We make a distinction between survival by protection, which seeks to prevent the attacker from gaining privileges, and survival by defense, which includes protection but also seeks to frustrate an attacker in case protection fails and the attacker gains some privileges anyway" (Pal et al., 2001). In this strategy, it is possible to run applications on untrustworthy systems because the application is built to defend itself rather than to depend on the security of its host.

The United States Army has taken an interest in defensive strategies because of the legal constraints on counteractions against the hostile entity in an information attack. West Point has developed the Information Warfare Analysis and Research (IWAR) Laboratory as a tool for training cadets and others in the techniques of defensive information warfare (Lathrop, Conti, & Ragsdale, 2003). This program has been a significant factor in instruction in both information warfare and information assurance at the academy. Liu and Zang have developed a model for analyzing attacker intent; from a defensive standpoint, this type of modeling allows defenders to tailor their responses to the level of the threat (Liu & Zang, 2003).

Conclusions

The study of defensive information warfare is a relatively new area for information technology management scholars. Despite the significant similarities to, and the reliance on, the body of information security literature for much of the understanding of the specific tasks that must be done in defending an information system, this is an area that merits ongoing research.
When information managers can place their defensive measures in a context that supports national-level desires to preserve the technological balance between this nation and its adversaries, they can leverage the efforts of others to improve their organization's security.

Opportunities for further research include developing a costing model to quantify the true costs of security to an organization, and further development of defensive measures that can be installed in a computer at the time of manufacture and that protect both that system and older systems lacking the upgrade.
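The egress-filtering approach of Bruschi and Rosti, discussed under Deterrence above, can be illustrated with a short simulation. The Python below is an added example written for this review; it is not the authors' demonstration system, and the host address, the two attack signatures and the packet trace are constructed for the illustration. It applies three checks to each outgoing packet at the point where the system described above would hand it to the data link layer: the source address must be one of the host's own, the payload must not match a known-attack signature, and bare TCP SYNs are rate-limited so the host cannot be used as a flood or scan source.

```python
"""Host-based egress filter in the spirit of Bruschi and Rosti (2000).
Added example for this review; the host address, the signatures and the
packet trace are constructed for illustration, not taken from the authors."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags, e.g. "S" for a bare SYN
    payload: bytes = b""
    ts: float = 0.0       # send time in seconds


@dataclass
class Signature:
    name: str
    proto: str
    pattern: bytes


# Hypothetical signatures: a NOP-sled-like byte run and a UDP amplifier request.
SIGNATURES = [
    Signature("constructed-overflow-probe", "tcp", b"\x90" * 16),
    Signature("constructed-udp-amplifier", "udp", b"MONLIST"),
]


class EgressFilter:
    """Decides, packet by packet, whether this host may transmit."""

    def __init__(self, local_addrs, signatures=SIGNATURES,
                 syn_limit: int = 20, window: float = 1.0):
        self.local = {ipaddress.ip_address(a) for a in local_addrs}
        self.signatures = signatures
        self.syn_limit = syn_limit      # max bare SYNs per sliding window
        self.window = window            # window length in seconds
        self._syn_times: List[float] = []

    def check(self, pkt: Packet) -> Optional[str]:
        """Return None to transmit, otherwise the reason the packet is dropped."""
        # 1. Anti-spoofing: only the host's own addresses may appear as source,
        #    so the host cannot be used for reflected or spoofed floods.
        if ipaddress.ip_address(pkt.src) not in self.local:
            return "spoofed-source"
        # 2. Signature match on the outgoing payload.
        for sig in self.signatures:
            if sig.proto == pkt.proto and sig.pattern in pkt.payload:
                return "signature:" + sig.name
        # 3. Rate limit on connection attempts: a burst of bare SYNs from one
        #    host is characteristic of a flood or a scan, not of normal use.
        if pkt.proto == "tcp" and pkt.flags == "S":
            self._syn_times = [t for t in self._syn_times
                               if pkt.ts - t < self.window]
            self._syn_times.append(pkt.ts)
            if len(self._syn_times) > self.syn_limit:
                return "syn-flood"
        return None

    def run(self, packets):
        """Return the packets allowed out and a count of drops by reason."""
        sent, drops = [], {}
        for pkt in packets:
            reason = self.check(pkt)
            if reason is None:
                sent.append(pkt)
            else:
                drops[reason] = drops.get(reason, 0) + 1
        return sent, drops


def sample_traffic() -> List[Packet]:
    """Constructed outbound traffic from host 192.0.2.10."""
    me = "192.0.2.10"
    pkts = [
        Packet(me, "198.51.100.5", "tcp", 40001, 80, "S", b"", 0.0),
        Packet(me, "198.51.100.5", "tcp", 40001, 80, "PA",
               b"GET / HTTP/1.0\r\n\r\n", 0.1),
        Packet("203.0.113.7", "198.51.100.5", "tcp", 40002, 80, "S", b"", 0.2),
        Packet(me, "198.51.100.9", "tcp", 40003, 25, "PA",
               b"HELO " + b"\x90" * 32, 0.3),
        Packet(me, "198.51.100.123", "udp", 40004, 123, "", b"MONLIST", 0.4),
    ]
    # 30 bare SYNs in 0.3 s: a flood the compromised host is being used to send.
    pkts += [Packet(me, "198.51.100.5", "tcp", 50000 + i, 80, "S", b"",
                    1.0 + i * 0.01) for i in range(30)]
    return pkts


def demo():
    """Filter the constructed trace; returns (allowed packets, drops by reason)."""
    return EgressFilter(["192.0.2.10"]).run(sample_traffic())


if __name__ == "__main__":
    allowed, dropped = demo()
    print(len(allowed), "packets sent;", dropped)
```

On the constructed trace the filter lets the legitimate request and the first twenty SYNs of the burst through, and drops the spoofed packet, the two signature matches, and the remaining ten SYNs. A production implementation would sit below the socket layer, in a netfilter hook or an NDIS intermediate driver, but the decision logic is the same, and so is the limitation noted above: a payload that differs from the stored pattern passes check 2, and the rate limit only catches what exceeds the threshold.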
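The log-based recovery described under Protective Measures above (Panda & Giordano, 1998; Panda & Tripathy, 2000; Panda & Yalamanchili, 2001) can be worked through on a small constructed log. The Python below is an added example for this review and not the authors' implementations; the four account balances, the eight transactions, and the choice of T2 as the attacker's transaction are assumptions made for the illustration. Each log record keeps a transaction's read set and the before- and after-images of the items it wrote. Damage assessment follows read-from dependencies forward from the malicious transaction, treating a later write of a tainted item by a clean transaction as cleaning it; recovery re-executes every non-malicious transaction from the checkpoint so that affected transactions see corrected inputs; and fuse() collapses the affected records into one record, in the manner of transaction fusion, so that the damage can be handled as a unit.

```python
"""Damage assessment and recovery from a database transaction log.
Added example for this review in the spirit of the Panda et al. papers;
the accounts, transactions and attacker transaction are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

State = Dict[str, int]


@dataclass
class Transaction:
    tid: int
    reads: Set[str]
    # item -> function giving its new value from the pre-transaction state
    writes: Dict[str, Callable[[State], int]]


@dataclass
class LogRecord:
    tid: int
    read_set: Set[str]
    before: Dict[str, int]   # before-images of written items
    after: Dict[str, int]    # after-images of written items


def execute(txs: List[Transaction], state: State) -> List[LogRecord]:
    """Run transactions in order, updating state and returning the log."""
    log = []
    for tx in txs:
        snapshot = dict(state)
        before = {item: state[item] for item in tx.writes}
        for item, fn in tx.writes.items():
            state[item] = fn(snapshot)
        after = {item: state[item] for item in tx.writes}
        log.append(LogRecord(tx.tid, set(tx.reads), before, after))
    return log


def assess_damage(log: List[LogRecord], malicious) -> Set[int]:
    """Forward closure over read-from dependencies: a transaction is affected
    if it is malicious or read an item whose current value was written by an
    affected transaction.  A write by a clean transaction makes the item
    clean again, so later readers of it are not flagged."""
    affected = set(malicious)
    dirty: Set[str] = set()
    for rec in log:
        if rec.tid in affected or rec.read_set & dirty:
            affected.add(rec.tid)
            dirty |= set(rec.after)
        else:
            dirty -= set(rec.after)
    return affected


def fuse(log: List[LogRecord], affected: Set[int]) -> LogRecord:
    """Collapse the affected records into one: earliest before-image and
    latest after-image per item, union of the read sets."""
    fused = LogRecord(-1, set(), {}, {})
    for rec in log:
        if rec.tid in affected:
            fused.read_set |= rec.read_set
            for item, val in rec.before.items():
                fused.before.setdefault(item, val)
            fused.after.update(rec.after)
    return fused


def recover(checkpoint: State, txs: List[Transaction], malicious):
    """Rebuild from the checkpoint by re-executing every non-malicious
    transaction in log order, so affected ones see corrected inputs."""
    state = dict(checkpoint)
    return state, execute([t for t in txs if t.tid not in malicious], state)


CHECKPOINT: State = {"A": 100, "B": 50, "C": 200, "D": 10}

# Constructed workload; T2 is the attacker's transaction.
TXS = [
    Transaction(1, {"A"}, {"A": lambda s: s["A"] - 30}),
    Transaction(2, {"B"}, {"B": lambda s: s["B"] + 500}),          # malicious
    Transaction(3, {"B", "C"}, {"C": lambda s: s["C"] + s["B"]}),  # reads tainted B
    Transaction(4, {"A"}, {"D": lambda s: s["A"]}),
    Transaction(5, {"C"}, {"A": lambda s: s["C"]}),                # reads tainted C
    Transaction(6, set(), {"B": lambda s: 0}),                     # clean write of B
    Transaction(7, {"B"}, {"D": lambda s: s["B"] + 1}),            # B is clean again
    Transaction(8, {"A", "D"}, {"D": lambda s: s["D"] + s["A"]}),  # reads tainted A
]


def demo(malicious=frozenset({2})):
    """Returns (affected tids, tids changed by re-execution, recovered state, fused record)."""
    state = dict(CHECKPOINT)
    log = execute(TXS, state)
    affected = assess_damage(log, malicious)
    recovered, new_log = recover(CHECKPOINT, TXS, malicious)
    # Cross-check: the transactions whose after-images change on re-execution
    # must be exactly the affected non-malicious ones.
    original = {r.tid: r.after for r in log}
    changed = {r.tid for r in new_log if r.after != original[r.tid]}
    return affected, changed, recovered, fuse(log, affected)
```

Run on the constructed log, assessment flags T2, T3, T5 and T8; T7 is not flagged even though it reads B after the attack, because T6 overwrote B from clean inputs first. Re-execution changes the results of exactly T3, T5 and T8, which confirms the assessment, and the fused record summarizes the whole damage as one read set with one before-image and one after-image per item.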

References

ACM Code of Ethics and Professional Conduct. (1991). Retrieved December 10, 2003, from http://www.acm.org.
Arquilla, J. (1998). Can information warfare ever be just? Ethics and Information Technology, 1(3), 203-212.
Arquilla, J., & Ronfeldt, D. (1999). The Advent of Netwar: Analytic Background. Studies in Conflict & Terrorism, 22(3), 193-207.
Berkowitz, B. (2000). Information Warfare: Time to Prepare. Issues in Science & Technology, 17(2), 38-46.
Berkowitz, B., & Hahn, R. W. (2003). Cybersecurity: Who's Watching the Store? Issues in Science & Technology, 19(3), 55-53.
Berkowitz, B. D. (1995). Warfare in the information age. Issues in Science & Technology, 11(1), 59-67.
Blank, S. (2001). Can Information Warfare Be Deterred? Defense Analysis, 17(2), 121-149.
Bruschi, D., & Rosti, E. (2000). Disarming offense to facilitate defense. Paper presented at the 2000 Workshop on New Security Paradigms, Ballycotton, County Cork, Ireland.
Bunker, R. J. (2002). Battlespace Dynamics, Information Warfare to Netwar, and Bond-Relationship Targeting. Small Wars & Insurgencies, 13(2), 97-108.
Cobb, A. (1999). Electronic Gallipoli? Australian Journal of International Affairs, 53(2), 133-150.
Creveld, M. V. (1991). The Transformation of War. New York: Free Press.
Creveld, M. V. (2002). The Transformation of War Revisited. Small Wars & Insurgencies, 13(2), 3-16.
Davies, P. H. J. (1999). Information Warfare and the Future of the Spy. Information Communication & Society, 2(2), 115-133.
Delibasis, D. (2002). The Right of States to Use Force in Cyberspace: Defining the Rules of Engagement. Information & Communications Technology Law, 11(3), 255-269.
DiCenso, D. J. (1999). IW Cyberlaw. Airpower Journal, 13(2), 85-102.
Erbschloe, M., & Vacca, J. R. (2001). Information Warfare: How to Survive Cyber Attacks. New York, NY: McGraw-Hill.
Grasso, A., & DeMarines, V. A. (2003). From dot-mil to dot-com. Armed Forces Journal International, 140(5), 32-34.
Jensen, O. E. (1994). Information warfare: Principles of third-wave war. Airpower Journal, 6(4).
Lathrop, S. D., Conti, G. J., & Ragsdale, D. J. (2003). Information warfare in the trenches. In Security Education and Critical Infrastructures. Norwell, MA: Kluwer Academic Publishers.
Liu, P., & Zang, W. (2003). Incentive-based modeling and inference of attacker intent, objectives, and strategies. Paper presented at the 10th ACM Conference on Computer and Communications Security, Washington, D.C., USA.
Molander, R. C., Wilson, P., & Mesic, R. F. (1998). Strategic Information Warfare Rising. RAND Corporation.
Munro, N. (1996). Sketching a national information warfare defense plan. Communications of the ACM, 39(11), 15-17.
Pal, P., Webber, F., & Schantz, R. (2001). Survival by defense-enabling. Paper presented at the Workshop on New Security Paradigms, Cloudcroft, New Mexico.
Panda, B., & Giordano, J. (1998). An overview of post information warfare data recovery. Paper presented at the ACM Symposium on Applied Computing, Atlanta, Georgia.
Panda, B., & Giordano, J. (1999). Defensive information warfare. Communications of the ACM, 42(7), 30-32.
Panda, B., & Tripathy, S. (2000). Data dependency based logging for defensive information warfare. Paper presented at the ACM Symposium on Applied Computing, Como, Italy.
Panda, B., & Yalamanchili, R. (2001). Transaction Fusion in the Wake of Information Warfare. Paper presented at the ACM Symposium on Applied Computing, Las Vegas, Nevada.
Schwartau, W. (1995). Information Warfare: Chaos on the Electronic Superhighway. Avalon Publishing Group.
Schwartau, W. (2000). Asymmetrical Adversaries. Orbis, 44(2), 197-206.
Skibell, R. (2002). The Myth of the Computer Hacker. Information Communication & Society, 5(3), 336-356.
Smith, G. (1998). An electronic Pearl Harbor? Not likely. Issues in Science & Technology, 15(1), 68-73.
Worden, S. P., & France, M. E. B. (2001). Towards an Evolving Deterrence Strategy: Space and Information Dominance. Comparative Strategy, 20(5), 453-466.
