Osama bin Laden, from his sanctuary in Southwestern Asia, sends out streams of malicious code via his PC that collapse the Internet and force America into an electronic Stone Age. Is this a probable scenario for information warfare? While not impossible, I do not think such an attack likely to destroy American society.
As the latest buzzword to succeed Y2K on the media’s “terror throne,” information warfare (IW), as a useful term, begs for a realistic definition. No doubt, bin Laden can attack us. Graduate students at Cal Tech, MIT, or UCLA and tenth-graders at your local high school can also launch “volleys” against corporate America. How effective such invasions would be is the critical issue. In the Gulf War, Iraqi anti-aircraft batteries expended vast rounds against allied planes, and they were almost totally ineffective. Sheer bulk doesn’t always equate to victory.
Our digital infrastructure is not monolithic. Composed of individual networks, each with a different character, it has more robust diversity than the media recognizes. True, Denial of Service (DoS) attacks have brought our systems down, but they have not destroyed them. Even the infamous Internet Worm, released as a graduate student’s experiment, did not bring America to its knees. The Pentagon deals with a hundred hacker attacks a day and survives.
A real information warfare offensive, an electronic Pearl Harbor, would have to be both broad and specific. First, it would have to offer good propagating characteristics: being able to infect systems widely and quickly. But, even more important, the attack wave must be mutable enough to exploit the idiosyncrasies of individual systems and network configurations. Otherwise, such a code-based attack may not be able to get beyond the level of establishing beachheads. The “inner digital country” may remain unconquered.
To launch a code-based invasion, supercomputers and good infrastructure are essential. Such an investment, while not as expensive as conventional warfare, still requires backing by a government. Who are the possible players then in IW? China, Russia, India, and perhaps Iran, all come to mind. Though they have the talent and resources, keep in focus that they would not readily share such technology with terrorists. Terrorists become wild dogs with just slight changes in the ideological winds. Even rogue states hesitate to place that power (on par with nuclear weapons) in the arsenals of freelancers.
And, with governments as the main players, we also have to consider the vulnerability to electromagnetic attacks. Computer systems and networks are highly vulnerable to high-energy bursts of electromagnetic radiation. Electromagnetic Pulse (EMP) technologies exist and are becoming highly portable. They can fry computers.
The twin demons of malicious code and EMPs have entered the arsenals of foreign powers. But, the United States also has these capabilities. Will then an IW balance of power (or terror) likely develop? I think the answer is a guarded “Yes.” As always, it depends on economic and political developments. A country in severe economic distress may resort to IW to cripple rival nations’ financial and industrial clout.
Information security professionals should have their minds open to developments in the IW arena, but keep their fingers off any panic buttons. Private companies, however, in industries such as electric power generation and distribution, gas production and distribution, petroleum refining, railroads, and water and wastewater utilities need to pay closer attention. The same goes for businesses such as pharmaceutical manufacturing and food processing. The danger lies not only in massive failures, which would be catastrophic, but also in strategic misdirection. Placing trains carrying explosive cargo on collision courses around the country may not be noticed until too late. Mislabeled medications could kill.
A reasonable role for government should be helping critical industries prepare for IW. Some of that preparedness know-how will then filter into the less critical sectors. We want to avoid, however, overly burdensome requirements for every operator of a network or Web server in the U.S. This dialogue about IW between private industry and the U.S. government will heat up over the next few years. Yet, unnecessary and excessive preparedness will not guarantee protection. And, such measures will only drain already limited security budgets.
Pundits can practice doomsaying about anything. Only time establishes the truth of their predictions. In 1996, “Hack Attack” in Forbes ASAP forecast that an “all-out war” against American corporations by hackers was “coming soon.”
Fortunately, in the last four years, we’ve avoided the onslaught. As Mark Twain observed, “In my life I have known many troubles, but few have come to pass.” As professionals, let’s be cognizant of IW’s threats but rational and realistic in our response.
For a mega-resource on Information Warfare, try this Web link:
Institute for the Advanced Study of Information Warfare (IASIW)
This site has everything, including the kitchen sink, about IW, computer security, Trojan Horses, electronic spying, and so on.
Ronald L. Mendell is a Certified Internet Security Specialist. Employed at Netpliance, Inc. in Austin, Texas, he also works as a writer and researcher specializing in security and investigative issues. Charles C. Thomas published his most recent book, Investigating Computer Crime: A Primer for Security Managers, in 1998. (http://www.ccthomas.com)