27 April 2006

Source: Hardcopy Defense Intelligence Journal.

Defense Intelligence Journal; 7-2 (1998), 81-121

DEVELOPING A STRATEGIC WARNING CAPABILITY FOR INFORMATION DEFENSE1

Lou Anne DeMattei

Lou Anne DeMattei is a Senior Analyst with the Department of Defense and a Lieutenant Commander, USNR. She earned a BS in Mathematics from the United States Naval Academy, a Master of Science in Management from Troy State University, and a Master of Science in Strategic Intelligence from the Joint Military Intelligence College.

The views expressed in this article are those of the author and do not reflect the official policy or position of the Defense Intelligence Agency, the Department of Defense or the US Government.

Although many studies have recommended the development of a strategic warning capability to guard against the threat of an "electronic Pearl Harbor," an effective warning system is not yet in place; the nation's information networks remain vulnerable to a surprise attack.2 This vulnerability is recognized as a critical national security concern, and has become a mainstay topic of commissions, congressional testimony, and the media. For its part, the Intelligence Community (IC) has established organizational structures to support the development of a warning system for attacks on critical US information systems, but its capabilities are extremely limited due to the unique characteristics of the information environment.3 Significant changes are required to address warning system weaknesses.

This article, therefore, examines surprise and warning set in the context of the information environment and reviews the extant threat to US information systems -- the "cyber" threat. As a basis for suggesting changes, it, then, discusses the vulnerability of US information systems and the US policy for information defense and warning, as well as the unique issues that face those charged with implementing that policy. Next, it describes the current state of the strategic warning system for information defense and finally, makes some recommendations for the strategic cyber threat warning system.

Surprise and Warning in the Information Environment

Strategic surprise is rooted in the failure of advance warning, a lack of defense preparedness, or a misjudgment concerning the threat or an adversary's decision to act. In the realm of information warfare (IW), strategic warning capability development efforts are numerous but immature, and are unconsolidated across the government, private, and public sectors. Information defense preparedness is extremely weak, and there are disparate expert views on the nature and scope of the cyber threat. Taken as a whole, the environment for strategic surprise exists.

Information security and defense measures are costly and difficult to coordinate, and the lack of resources directed towards these measures increases vulnerability. Of equal concern, defense doctrine assumes the availability of information systems, even in the face of the demonstrated cyber threat.4 As a result, the national security community has been slow to establish national level organizations to address this threat, and those that have been established are not yet able to provide effective strategic attack warning.

The Threat

The cyber threat is unique in scope; numerous actors engage in a broad variety of threat activities directed toward achieving a wide range of goals. Nevertheless, the cyber threat can be defined using a standard basic threat warning model, -- i.e., who are the adversaries, and what are their capabilities and intentions with respect to cyber attack?

A growing body of evidence documents significant efforts by many potential adversaries to develop and apply IW capabilities, especially in the form of cybernetic warfare. Cybernetic warfare is a form of IW involving operations to disrupt, deny, corrupt, or destroy information resident in computers and computer networks. S In today's information environment, it is logical to assume that cybernetic warfare capabilities will be employed in an attack to support any viable adversary's strategic goals. Thus, the strategic cyber threat can be defined as cybernetic warfare attacks -- i.e., "cyber attacks" -- aimed towards achieving long-term adverse impacts on US national security interests.

Potential Adversaries. Potential adversaries include hostile and friendly countries, drug cartels, terrorist organizations, political organizations, hackers, crackers -- i.e., criminal hackers, phreakers -- i.e., phone hackers, international organizations, multinational corporations, and militia groups.6 These entities possess, or can readily acquire, cyber attack capabilities. Their attacks may be state sponsored, but can also be non-state sponsored. Thus, it is useful to regard cyber attacks as strategic-criminal activity for analysis, warning and response action. What makes this strategic-criminal threat particularly challenging are its significant legal, organizational responsibility, intelligence oversight, defense resource distribution, and attack response implications, all set in the global community.

Capabilities. There is little dispute to the assessment that the capabilities and potential for strategic cyber attacks exist. Information attack capabilities potentially level the playing field and, as such, are an asymmetrical threat. Anyone, anywhere, at any time has access to attack capabilities. The international nature of many known cyber adversaries is particularly taxing for traditional regional and country-specific analysis frameworks. A 1996 Government Accounting Office (GAO) report found that over 120 countries have or are developing IW programs.7 Furthermore, recent exercises and incidents have shown that any serious adversary could assemble a small group with the correct mix of individuals and harness the readily available information technology resources needed to launch an attack targeting any element of the US critical information infrastructure and could conceivably do so undetected.8 Individuals or small groups with just moderate computer and telecommunications skills, a computer, and access to the Internet have the tools required to launch such an attack, and such an attack could have uncontrollable effects.

Intentions. Given adversary identification and capabilities, intentions are still not. easily discerned. The key information gaps are clear: What would the goals of a cyber attack be? Would the threat of cyber destruction compare to the nuclear deterrent? Would the effects of a successful attack compare to those of a strategic nuclear attack? Is cybernetic warfare more or less effective in achieving strategic goals than conventional methods of war?

To employ the Clausewitzian trilogy, how will cyber weapons of war be used to affect leadership decisions, the employment and focus of military capabilities, and the will of the people? Will their use evolve as noncombatant weapons of choice, or will they remain a facilitator in the destructive arsenal of modern weapons? Expert speculation, lacking a real life example of a strategic cyber attack, disagrees on these fundamental threat warning and response questions.

It is easy to conceive of the potential effectiveness of a cyber attack in achieving a number of common strategic objectives. For example, a cyber attack could be used to preempt or disrupt force movement, operations, or weapons deployment and used as a precursor to, or part of, conventional operations. Also possible is a diversionary attack; an adversary might elicit a response to a hoax attack so that the victim diverts resources from, or is denied the us~ of resources for, defending against the primary attack. Traditional intelligence tools should be able to provide warning of this type of attack. Further, although evidence of what has been called "information terrorism" is lacking, a cyber attack could conceivably be used for that purpose.

In general, potential motives for cyber attack could be to:

Vulnerability in the Information Environment

Having defined the cyber threat, it is important to characterize US vulnerability, what that vulnerability is and why it exists. US vulnerability to strategic cyber attack is rooted in a combination of information system vulnerabilities and intelligence deficiencies. Most system vulnerability is self-created; people, practices and resources are its key contributors. Intelligence has a key role in monitoring vulnerabilities; it must identify and analyze attempts to exploit vulnerabilities, and determine adversary attack capabilities and motives. Failure to do so effectively can contribute to strategic surprise. James P. Finley's review of historic intelligence failures provides an excellent framework for analyzing intelligence weaknesses in three main categories: process, information and judgement.9

Vulnerabilities Created by People. People are the most important element of information systems security. Security awareness, technical training at the user and system administrator levels, and implementation of basic security practices are extremely deficient. Policy makers have yet to establish and provide methods and procedures for enforcing security standards that work. Adding to the problem, networks naturally cross the boundaries of government, corporations, academia, and the private sector. The question of who establishes, implements, and enforces policy, thus, becomes exceedingly difficult to answer.

With the proliferation of networked systems, the person who was once the user of a stand-alone personal computer is today's weak link and network security hole. A relatively small percentage of system administrators understands the basic technical details of network security, and an even smaller percentage of individual users possesses this understanding. The best assurance systems in the world are ineffective when coupled with poor security practices, lack of technical knowledge, or "inside jobs" -- i.e., when those with access to the system act to deliberately interfere with it.

People are a vital element of information system defense:

The Vulnerabilities Created by Common Practices. Practices refer to the full range of system security engineering and management processes. They involve system configuration, monitoring and audit, anomaly identification and reporting, follow-up actions, and user training. The challenge for security procedures is apparent; given one unauthorized access, entire networks can be compromised. Unauthorized accesses often result from poor security practices, such as unchanged vendor-assigned operating system passwords, residual old user accounts, and lack of periodic password changes.

Another key process challenge is network control. Networked systems can be vulnerable at any node; if each node on a net is not protected, a path for intrusion is available. Given the global and proliferated nature of networked systems, this is a difficult standard to achieve. Additionally, as information systems become more complex and more broadly networked, and critical infrastructures become more dependent on networks, they also become more vulnerable to a strategic attack.

Assuming network control is possible; Who will establish, implement, and enforce policy when network nodes cross the boundaries of government, industry, and the private sector in a global environment? This quandary can be resolved only through extensive cooperation and agreement between all parties. Additionally, although a recognized need for years, no security certification standard has been widely adopted. Many standards have been developed but not broadly applied. One well-known standard developed by the National Security Agency (NSA) is the Orange Book which establishes criteria for rating computer system security within the Department of Defense (DoD).

Another process vulnerability challenge is the widespread availability of open source technical information on potential infrastructure, defense, and public targets. A sample of publicly available information is the Local Exchange Routing Guides. These provide detailed information on major telecommunications switches, petro-chemical plant risk management plans, and federal building blueprints. to

Additionally, publishing and posting technical system documentation by DoD agencies on the Internet creates additional unnecessary information system vulnerability, and is a growing problem. Too often, pre-development or pre-deployment documentation that details system configuration, capabilities, applications, functionality, and hardware is posted to ease data sharing. This provides adversaries with a significant advantage in targeting systems important to command and control, as well as to intelligence collection and dissemination. In what is, unfortunately, not a unique or rare example, the Global Command and Control System (GCCS) Version 2.1: GCCS Version Description Document and System Users Manual were posted to the Internet through early 1998. These described GCCS workstation configuration, host database systems, installed applications, network protocols and browsers to be used. They covered all interfaced systems -- including intelligence, force deployment, and message handling systems. They provided a system inventory -- including hardware, memory, and power requirements -- and described basic operator functions, database query procedures, and system error messages. This vulnerability problem is all too obvious. The details of some of the most important US programs, capabilities, and configurations are made available to the world via the Internet.

Some key factors and practices that create information system vulnerabilities are that:

Vulnerabilities Created by Insufficient Resources. Systems are generally designed to maximize access to information and sharing, not ensure security. While techniques for reducing vulnerabilities may be known, widespread fielding has not been funded. Most companies view information system security as overhead cost. II Additionally, commercial security techniques provide "only a minimal capability to detect and conquer sophisticated information attacks."12 As a result, systems often possess numerous vulnerabilities and provide an easier job for the attacker than the victim. "The nature of the threat and countermeasures poses distinctive problems for security specialists. The attacker must find but one of possibly multiple vulnerabilities in order to succeed; the security specialist must develop countermeasures for all."13

While the percentage of resources dedicated to information security efforts is improving, it still seriously lags. Admiral McConnell, former Director of NSA, has estimated that it could take ten years and $18 billion to close the information system security gap.14 However, a little security can go along way. According to a Boston-based computer security company, 'just employing 20 percent of the available technology makes a drastic impact on the site's level of security."15

While technology solutions can significantly reduce vulnerabilities and should be fully implemented, they cannot eliminate vulnerability entirely. Indeed, "It is impossible to build systems that are guaranteed to be invulnerable to a high-grade threat, that is, a dedicated and resourceful adversary capable of and motivated to organize an attack as an industrial enterprise."16

Some factors related to resource allocation for information system defense are that:

Deficiencies in the Intelligence Process. Intelligence process deficiencies involve slow, disrupted, or disjointed information flow, as well as technology failure or misuse of technology.

In information defense, piecemeal collection, analysis and distribution of cyber threat activity information across government, public, and private sectors degrades coherent analysis at the strategic level. Because a cyber attack may be strategic-criminal, the responsibility for intelligence collection, analysis and warning resides in different intelligence agencies. The non-state sponsored nature of many of the threat actors makes intelligence collection a job for law enforcement and counterintelligence agencies. However, the charter for the strategic threat warning system is largely the responsibility of traditional US foreign intelligence organizations. A system to quickly distinguish between domestic or international criminal non-strategic activity and strategic cyber threat activity has thus far proven elusive.

Additionally, laws and existing legal procedures constrain intelligence sharing and agency coordination. Efforts to establish clear lines of organizational responsibility, from individual information system users through the national command authority, are in progress to address this deficiency, but a specific process has not yet been established for this warning function.

The potential for over-reliance on the newest network monitoring and auditing tools and automatic attack response systems, at the expense of building normalcy awareness and gaining understanding of how cyber attack activity fits in the strategic security environment, is a risk. The tendency to look for technology solutions has also resulted in less focus on implementing basic, standard security procedures for existing networks and operating systems.

Deficiencies in Intelligence Information. These deficiencies are caused by the difficulties in assessing new and unexpected applications of technology as well as the more traditional problems of understanding adversary capabilities and intentions and recognizing adversary deception activities. In cyber attack scenarios, basic warning information elements -- who, what, where, why -- are somewhat unique.

The potential for an adversary to develop new information technology applications -- such as software weapons -- for which development and capability can be virtually undetectable, is great. Technology and current legal constraints combine to allow attackers to remain relatively anonymous, and new network technologies will continue to improve anonymity capabilities. Capabilities can be developed on closed networks, as well. Thus, "who" may be hard to identify.

The "where" of cyber attack also presents a non-traditional challenge. Attacks can be launched from anywhere, and their points of origin might be unknown. The likely attack target -- the "what" -- is less ambiguous. US critical infrastructures are the most likely targets of a strategic attack because of their inherent strategic nature, vulnerability, and interdependency, and include:

As for the "why", successful attacks on such targets can seriously erode strategic advantages which depend on the critical infrastructures.

Deficiencies in Intelligence Judgment. Finally, judgment is the greatest risk area for strategic cyber attack warning failure. Expectations and the assumption of US technological superiority may allow misjudgment of adversary capabilities to launch a strategic attack. For example, expert opinions commonly assess the probability of a coordinated attack as "very low." This attitude may also permit incorrect assessment of the timing· or location of an attack, as well as allow incorrect assumptions concerning precipitating factors for a cyber attack.

The Bottom Line on Vulnerability. All networked systems are vulnerable. Vulnerability is largely a self-created problem. Security systems are deficient in scope, resources, standardization and implementation. Vulnerability assessments have been required for years, but are not routinely conducted. According to Dr. Martin Libicki, Senior Fellow at the National Defense University, information warfare ... "must shed its overwrought metaphor of twenty-first century strategic warfare and acquire instead the pedestrian status of safety engineering .... Defensive information warfare must similarly be taken seriously when institutions rely on information systems."18

Challenges Created by Information System Vulnerabilities and Intelligence Deficiencies. There are significant policy implications for controlling the resources that require defense. Since traditional boundaries are crossed, effective systems will require unprecedented cooperation of government, industry, and private citizens to establish, implement, and enforce standards. Attempts by government agencies to dictate measures to the private sector will likely be challenged with privacy considerations. Perhaps most importantly, a successful national defense will depend not only on the ability of the individual user to engage in secure practices, but also on the nation's ability to establish, share, and monitor security across global networks.

Intelligence has a key role in information defense and monitoring vulnerabilities. Intelligence must identify the adversaries, determine what they are doing in the information attack arena, what their potential capabilities for attack are, and why they are attacking. Intelligence cannot and should not collect information about every potential attacker; the challenge is to determine the most significant threats, work cooperatively with all other stakeholders and, then, focus capability and resources on the intelligence information gaps. This implies that significant change is in order for IC processes.

Policy and Issues in Information Defense

The national security interests with respect to the cyber attack threat are clearly identified in key policy statements. The requirements and challenges facing both policy makers and the IC are also identified in policy documents, are significant and difficult, and stem from the unique characteristics of the new information environment. These unique characteristics fall into four categories: the global nature of the information environment, new threat characteristics, technology impacts, and legal-ethical considerations.

National Policy. The 1997 National Security Strategy (NSS), A National Security Strategy for a New Century, with the broad goal of ensuring general welfare, defense, and economic prosperity of the US through global engagement, identified the capability to respond to sabotage of information systems as a national imperative.19 It recognized the vulnerability of the nation's information infrastructure and identified the development of concepts and technologies to protect and defend against the vulnerabilities as a priority. Executive Order 13010 established the President's Commission on Critical Infrastructure Protection and the National Infrastructure Protection Task Force in 1996, and directed development of a strategy for protecting the critical infrastructures against both physical and cyber threats.20 DoD functions and systems are an integral part of, and dependent on, the critical infrastructures. A third key policy statement is provided in the US national information policy. It states the US intention to ... "promote sharing of information technology and exchange of information to increase international trust, and advance ... free markets, democratic institutions, and global cooperation."21

The policy directs information technology proliferation and information sharing, and highlights the need for assuring the integrity of systems and information. These policy statements clearly identify information availability and information defense as critical capabilities, and recognize the strategic cyber threat and infrastructure vulnerability. They also demonstrate that, while the goals and motives of a strategic cyber attack may be unclear, cyber attack capabilities are serious and will likely be used in any future conflict.

Intelligence Requirements and Challenges. Traditional intelligence tasks -- identifying adversary capabilities and intentions; characterizing the threat; providing attack warning, detection, and damage assessment -- present unique challenges in the cyber realm. A key topic is that of intelligence requirements. Given that it is often difficult to identify attackers and intentions, even when attacks are detected, it is exceptionally difficult to develop target sets for intelligence collection. Potential adversaries range from small groups with malicious intent, to hostile and friendly countries. Although all adversaries can potentially effect catastrophic results, the cost and feasibility of targeting such a broad audience is too great. Thus, choices are difficult but required. Accordingly, the potential to miss strategic warning is significant.

The challenge to intelligence is obvious. The distribution of knowledge on attack scenarios is limited; much information stays within classified channels and losses in the private sector are often concealed due to fear of losing consumer confidence. This can effectively slow the ability to correctly characterize and counter threats on a large scale.22

Finally, it is interesting to note that IW is listed among the top intelligence priorities for 1998.23 In addressing this requirement, the IC is not only constrained by privacy considerations in implementing collection and analysis programs, but is also up against longstanding distrust of some government institutions by the general population. Additionally, the IC will probably need to cooperate internationally in order to effectively address the very global nature of the threat to information systems.

Issues of Raised by the Global Nature of the Information Environment. The global nature of networked information systems has introduced a new non-state-centered asset to defend. The concept of defending national boundaries and state assets is losing applicability as the government, private and public sectors, and academia increasingly rely on systems, interfaces, and processes that are physically international, space-based, and not controlled by a central authority. As US and potential adversaries come to rely on the same technologies and distributed networks, and the vulnerabilities of the playing field become more widely dispersed, threat response will need to acquire a more international flavor. This environment suggests the eventual need for extensive international cooperation on cyber threat warning, detection, and response.

Within the US, there is disagreement not only on which organization is responsible for defending cyberspace, but also on what should be defended. Through mid-l 998, DoD maintained that it was responsible for defending only its own systems, not those of the general public. Furthermore, even if DoD were to assume national information defense responsibility, would it ever gain the authority needed to establish and implement effective system security measures across government, private sector, and even international boundaries?

New Threat Characteristics. New threat characteristics make traditional approaches to strategic warning less effective in some important ways. First, the likely anonymity of the information attacker, coupled with the difficulties of physically locating the threat source, add a significant level of uncertainty to the threat equation. Identifying the adversary prior to, or concurrent with, attack detection may be somewhat problematic. Technology and current legal constraints offer a significant level of anonymity to attackers. Additionally, the activities of hackers, crackers, and spies appear similar in the cyber world. Certainly, a delayed understanding of attack motives should be expected. Second, the activity indicators expected in an information attack environment will likely be diverse, technically-oriented, and difficult to correlate using current threat warning processes. Third, the information attacker may come from anywhere among the entire range of state and non-state actors, and relationships between state and non-state actors may be formed to carry out a strategic cyber attack. Because of this increased uncertainty through the very late stages of the warning process, the range of threat potentialities and possible outcomes will be difficult to minimize. Finally, the proliferation of information attack capabilities makes the use of this instrument likely across the widest range of goals. These goals cover the entire spectrum of conflict, from criminal activity to social change, territory seizures and power grabs. Importantly, this threat instrument, at worst, provides a non-violent complement to conventional conflict and at best, an alternative to violent conflict. It is this non-immediate catastrophic impact, non-violent and uncontrollable nature that some experts believe decreases the likelihood of strategic information attack, and makes its employment as a precursor to, and component of, conventional conflict probable.24

F or the near term, then, it is likely that the information attack instrument will be used in conjunction with, and not as a replacement for, traditional violent instruments of change and policy. If the power of information technology remains centered in the US, the greatest vulnerability to information attack will also remain there. As a result of these new threat characteristics, more information defense resources and greater defense preparedness are required to provide threat warning, attack detection, and effective response.

Some of the characteristics with which the Intelligence Community must deal in providing strategic warning in support of information defense are:

The Impact of Technology. New technologies may signal the most influential change in national security issues and military strategy of the future, and will likely level the playing field for the US in the long term.25 New information technologies and new applications will continue to grow and proliferate at an exponential rate.

Information technology, quickly, will continue to offer new intrusion and anonymity methods that, if applied together in a strategic attack, could be overwhelming. The information technology future also offers path redundancy which· can render real-time network reconstruction, a technique now heavily used in the IC, extremely difficult. One renowned expert holds that critical nodes will become obsolete targets, and network reconstruction will become nearly impossible, as communications paths and connectivity options proliferate databases, models, connectivity, and software for use as weapons and enabling tools, in an environment where allies and adversaries are interoperable. As a result, the notion of a national strategic sanctuary or an isolated set of essential nodes for the Defense Information Infrastructure (DII) as a defensive response to an information warfare attack, are found to be irrelevant concepts in the global information environment.26

But, technology also provides better security tools. While options for anonymity are increasing, the need to identify attackers, in a tactical cyber attack sense, may also diminish. New tools are being developed and tested that provide a unique, automated network attack-detection-response capability.27 New network security tools, however, can also introduce new vulnerabilities, and are often turned into the newest information weapons. As information technology proliferates, it is likely a matter of time before new defensive capabilities are countered. The rapid pace of technology change will be a major challenge to the analytic and warning communities in the defensive IW arena.

Encryption offers significant defense capabilities; however, its dual-use nature has slowed its integration and standardization. Furthermore, encryption is sometimes defeatable in a strategic sense and is no panacea. Finally, while US concerns over encryption proliferation are well documented, and encryption surely offers a significant improvement to data security, technology has rendered many current cryptographic systems inadequate. A study conducted by renowned cryptographers reported, as a bottom line, that a 90-bit key was the minimum recommended length for secure encryption in 1995. It noted that, if properly implemented, the 90-bit key could provide adequate security for most business applications for the next 20 years.28 For military applications, the cost of using a larger encryption key is much less than that required to break the key.29 Publicly available encryption -- i.e., "PGP" -- now offers a 128-bit key.

Legal and Ethical Considerations. The strategic cyber threat presents unique legal and ethical factors for information defense strategies. Legal issues stem primarily from personal privacy and corporate responsibility considerations as well as international law.

Current laws are focused to protect individual privacy, as well as to prevent government and military intrusion into private affairs. As well, legal constraints delay response times, and prevent the rapid flow of information required for an effective coordination within the strategic warning system. In the responsibility debate, there is ongoing discourse as to the culpability of information systems providers for losses due to attacks against their systems, versus the culpability of the government to defend society against large-scale threats.

International law is also a concern in information defense applications. An excellent discussion by Major Richard Aldrich, USAF, points out key issues with each of the basic principles of the law of armed conflict. He finds that IW generally meets the principle of military necessity but, in doctrine, it likely exceeds degree of force criteria -- i.e., the principle of humanity. It also violates treaties on international communications, and calls into question proportionality, deception activities, and the concept of protecting neutrals.30 His investigation suggests that a significant international cooperative effort to define rules and standards of conflict for IW is needed. Like domestic law, international law requires reinterpretation and, possibly, significant modification and tailoring, to adequately address the needs of strategic warning and information defense.

The moral debate in defensive IW centers around hacker activity. While there is little debate that criminal hacking activity is wrong, there is significant opposition to the idea and laws that characterize unauthorized information systems access as criminal activity. L0pht, a group of computer security experts by day and expert hackers by night, maintains that hacking uncovers vulnerabilities, improves systems security awareness, and results in improved information systems security. One other view of hacker activity is that,

The miracle is that no planes have crashed, no missiles have been fired, no companies have gone bankrupt.. .. [The hackers] are playing in another sort of game entirely, not very pleasant, and often seriously dopey, but relatively harmless in the scheme of things. And they serve as a warning.31

Further, it is interesting to note that criminal sanctions against the common hacker are often not popular and serve to further alienate this subculture.

The State of the Strategic Cyber Threat Warning System

The capabilities and limitations of the evolving strategic cyber threat warning system are demonstrated through the establishment of national-level and DoD information defense organizations, planning documents and doctrine publications, and exercises. While most government organizations have now established computer incident response emergency teams, cross-agency coordination for cyber threat defense and response has not been effected.

Department of Justice Organizations and Roles. Ongoing discussion gives evidence to the problems of assigning overall responsibility for cyber threat warning to a single organization. While it may seem natural to assign such responsibility to the DoD, it is unclear that this is a proper or viable role, given the nature of the information environment. As the lead law enforcement and counterintelligence agency in the US, the Federal Bureau of Investigation (FBI) has the authority to conduct and coordinate investigations and operations within the United States. Among the eight key issues identified in its National Security Threat List (NSTL), the FBI lists "Targeting the National Information Infrastructure" and "Perception Management." Specific areas of concern under these two elements include foreign targeting of facilities; personnel; information; or computer, cable, satellite, or telecommunications systems associated with the National Information Infrastructure (NII); and any foreign-sponsored activity involving information or data manipulation, falsification or deception.32 Given the obvious overlap of defense responsibilities, DoD and the Department of Justice (DoJ) have assumed joint responsibility for cyber threat warning, specifically focusing on the critical infrastructures. In the private sector, industries and companies have taken a variety of steps to provide information system protection and to participate in attack response activities, but a central authority and process for threat warning has not been fully coordinated.

The DoJ is the lead agency for the National Infrastructure Protection Center (NIPC), an inter-agency, national-level organization established to perform cyber threat warning. Opened in May 1998 and operating out of the FBI, the NIPC is primarily a joint DoJ-DoD organization whose charter includes indications and warning, crisis management and coordination, computer security, and education and awareness. NIPC operations incorporate the FBI's existing Computer Investigations and Infrastructure Threat Assessment Center and use the DoD-sponsored Carnegie Mellon computer emergency response team (CERT) as a model and to focus on these threat priorities.33

Functionally, cyber attack indicators will be investigated, first, as criminal activity, and, then, shared with DoD for joint investigation and response, should other foreign threat or foreign intelligence activity become apparent. Initially, NIPC headquarters staffing is planned at 85 persons for DoJ and 14 for DoD.34 CIA and the Department of State, as well as the private sector, are envisioned to have crisis management roles. The establishment of the NIPC demonstrates a key policy shift that recognizes the growing threat and strategic nature of cyber attacks.

Formal interfaces with a new private sector element of the NIPC, the Information Sharing and Analysis Center, are planned. While cumbersome in information sharing and timeliness, this effort provides the first national-level organization charged with a strategic cyber threat warning mission.

Department of Defense Organizations and Roles. The Assistant Secretary of Defense for Command, Control, Communications and Intelligence (ASD/C3I), designated the Chief Information Officer for the DoD, is responsible for information assurance of DoD systems. The Deputy Assistant Secretary of Defense for Security and Information Operations, one of four subordinate ASD/C3I elements, is responsible for information operations functions.

While discussion of whether DoD should assume a lead role in infrastructure defense and whether DoD can become capable of providing such a defense continues, the Defense Department announced plans to create a new organization in Fiscal Year (FY) 99 to the lead the effort in protecting US critical infrastructures. Although an indications and warning methodology has not yet been specified, and the organization is only in the conceptual phase, the announcement marked the first time that DoD has. assumed responsibility for protecting resources that it does not fully control within the US.35

The bulk of current cyber threat warning capabilities -- people, processes, resources -- lies within the DoD. These capabilities include defense agency and service-level IW activities. Another organization established early in 1998 to support information defense requirements is the Defense Information Assurance Program (DIAP). The organization's mission, simply stated, is to provide protection for the DII by focusing on the implementation of operational assurance programs and functions across the DoD. The Defense Information Systems Agency's Information Security (INFOSEC) Program Management Office (IPMO) carries the same mission.36 The cross-organizational focus of these programs should foster coordination, standardization, and routine among information assurance elements throughout DoD, and will provide a forum for implementing the basic requirements of an effective information defense program. As the most IW-experienced agency, DoD will need to refocus resources and liaison efforts outside of DoD agencies to best support national information defense requirements.

Information defense requirements are included in formal DoD planning, and currently focus on the DII. Defense requirements include developing capabilities to provide indications and warning of cyber attacks; developing information environment protection and information assurance capabilities; developing response and restoration processes; and providing auto-detection, alert, damage containment, and restoration in response to cyber attacks.37 While it is probably the best approach for the DoD to assume responsibility for its own systems security and not that of systems that it doesn't control - i.e., those of the broader NII -- DoD systems and processes are largely dependent on the NII.

Defense Doctrine. Joint Doctrine for Information Operations provides operational guidance for joint information operations (IO) throughout the range of military operations, with the key defensive objective of protecting the GCCS. It defines IO as encompassing the two categories upon which the foregoing discussion has focused; offensive IO -- i.e., information warfare (IW) -- and defensive IO -formerly called defensive IW, now referred to as information assurance (IA). IO planning activities are specifically defined for each phase of deliberate planning and crisis action planning.38

While suggesting that IO may be the main element of a Joint Force Commander's operation and might best be applied in peace and during initial crisis stages, the planning process clearly subordinates IO planning as an element of traditional military operations, rather than an overarching strategy. This approach has shortfalls for crisis and operations other than war scenarios.39 Additionally, while acknowledging a role for non-DoD government agencies, joint doctrine does not provide guidance on how to integrate vital non-military players, including appropriate private sector elements, into the overall IO plan. In an integrated information society in which the DII is part of, and inseparable from, the larger national and global infrastructures, this is a planning weakness. Further, the IW threat source is often difficult to characterize, as it may not be a traditional state actor. Capturing this type of threat in a deliberate planning process may prove elusive. Responding to this type of threat by applying standard crisis action procedures may be impossible. Given that the scope of IO and resources required for IO extend beyond traditional military operations, roles, and control, the current planning process framework falls short for both deliberate planning and crisis action planning in an IW environment

Defense Information Defense Planning. Critical vulnerabilities of information systems are information processes, resources, and people. Assuming that these key elements will be the targets of an information attack, and that surprise can be achieved, interesting implications for deliberate and crisis action planning are illuminated.

The goal of deliberate planning is deterrence. Deterrence in IW defense is achieved through information resources, procedures, and personnel skills focused on comprehensive development of IA capabilities. Deliberate planning for a threat scenario with a strong IA element would need to focus planning to include: strategic information system inventories, network architecture and redundancies, systems security status and control processes, and information systems knowledge and capabilities. These are not currently included as standard Joint Operational Planning and Execution (JOPES) reference files, but would be critical to implementing an effective defense. This knowledge database would highlight key information system elements and vulnerabilities and, in turn, support more effective crisis response in the event of a strategic cyber attack. A successful crisis response to an IW attack clearly has its roots in deliberate planning.

Crisis action planning in an IW environment is focused on defensive response. That translates to the activities of cyber attack detection, damage containment, reconstitution and deployment capabilities, and attack response. Although the six phases of the crisis action planning framework provide coverage of these elements, the planning system does not count and prepare the resources that can be brought to bear in an IW attack environment. Current IW planning capabilities do not include an encompassing national IW crisis action plan; databases of IW procedures, systems, and personnel resources developed through deliberate planning; nor situation, resource management, and deployment issues in the IW realm that are rapidly knowable. Consequently, the capability for quick response to a strategic threat is eroded.

Finally, a national warning structure for a tailored cyber attack is not included as a crisis action planning element. The assumption is that the existing warning capability will provide sufficient recognition and response to a strategic cyber attack. Given the high-tech actions and capabilities likely needed to respond effectively to such an attack, and the specific skill sets needed to effect a response, this assumption is probably ill-founded.

International Coordination. There is much evidence of international cooperation in combating computer crime. The European Institute for Computer Anti-Virus Research (EICAR); drawing from academia, industry, the media, security, and legal experts from civil and military organizations provides a consolidated non-commercial effort against computer crime.40 The North Atlantic Treaty Organization's (NATO) Allied Command Europe (ACE) formed a counterintelligence activity code-named "Lathe-Gambit" in the early 1990's to focus on cyber crime.41 These efforts provide an important nascent international cyber threat warning response capability.

The Bottom Line on the State of the Strategic Cyber Threat Warning System. The argument that the strategic warning process, in a macro sense, is working for the strategic cyber attack threat is easily substantiated. The need for an effective cyber attack indications and warning capability has been thoroughly documented. Through extensive investigation, exercises, and analysis, organizations and procedures have been developed at national and defense agencies directed toward this capability. Additionally, the international community is slowly moving towards cooperative efforts. Although this capability is in its infancy, the foundation for developing an effective cyber threat warning capability is being laid.

Given that the object of strategic warning is to be safe, providing information on the highest threat potentiality even if the likelihood of its occurrence is remote, the warning system has made its cyber threat case known, and decision makers are responding. Efforts to develop information attack warning capabilities are found at the national, defense, service-level, and in the public and private sectors.

Recommendations for the Strategic Cyber Threat Warning System.

Preventing or reducing the likelihood of a strategic cyber surprise depends on cyber threat warning capabilities, preparedness of information defense, and accurate analysis of adversary information attack capabilities and intentions. Because threat warning and analysis depend heavily on intelligence capabilities, the central role of the IC in providing focus and action for cyber threat warning is clear. Foregoing discussion and analysis suggest not only that much can be done to improve warning capabilities for the strategic cyber threat, but also that the approaches and technologies to start incremental improvements are already available. If the current information infrastructure could be regarded as a prototype, and a new secure architecture for information systems based on now available and informed requirements could be developed, the job of warning would be greatly simplified. However, it is unlikely that the resources necessary for a wholesale restructure could be provided quickly. Thus, it is useful to investigate warning needs and gaps and, then, identify warning improvement approaches across all areas of information systems processes, resources, and organizations.

Warning Needs and Potential Solutions. While an advance warning capability for information attack is not generally available, significant planning and research efforts have been underway since the mid-1990's. Lieutenant General Minihan,USAF, Director of NSA, stated that capabilities for warning and targeting intelligence for information operations are needed "at levels of detail and timeliness comparable to those achieved for conventional and nuclear warfare."42 To carry the analogy further, it is useful to review warning needs and capability gaps in four increments of attack precursor and launch activity:

It is noteworthy that the requirement to understand adversary attack capabilities development and testing, along with attack execution via intrusion detection, depend largely on systemic improvements in information technology (IT) process, organization, and resource capabilities. In contrast, the requirement to understand the remaining two elements -- the flash point resulting in a launch decision and IW attack planning -- is largely a function of traditional basic, current, and warning intelligence. Taken together, the voluminous potential outcomes for attack scenarios would indicate that a newer analysis methodology -- such as the Lockwood Analytical Method for Prediction (LAMP) suggested in John Coale's 1996 thesis on IW decision making or the C.A.R.V.E.R. risk assessment model for evaluating and comparing total risk between various physical sites -- would be beneficial.43 This suggests that traditional intelligence analysis methodologies, coupled with tailored intelligence efforts focused on adversary IT capabilities, intentions and technology solutions for intrusion detection, will enable an effective warning intelligence capability. Additionally, all-source fusion and warning analysts will require IT-enhanced skill sets to effectively support the IW warning problem.

Overarching Challenges. Some limitations to developing a strategic cyber threat warning system are found across all information technology processes, resources, and organizations. One key overarching weakness is the lack of standards for network security practices in the private sector and, to some extent, shortfalls in network security compliance and oversight in both government and the private sector. These deficiencies prevent effective identification and tracking of adversary IW capabilities and testing. There are problems in detecting and evaluating probes, detecting malicious code, and understanding the extent of adversary capabilities to harm the infrastructure. Overarching deficiencies also prevent the quick isolation and characterization of a detected intrusion as a strategic attack. While struggling to keep pace with the rapid IT advances, the IT industry places embedded security tools much lower in priority for incorporation than new development. This is especially true in commercial-off-the-shelf (COTS) products. For the government's part, management control and mandatory vulnerability assessment programs for information security have been required for more than a decade, but the standards and practices are not rigorously enforced. This is a management prioritization problem, not a technical shortfall. To solve this problem, the National Institute of Standards and Technology (NIST), supported by NSA, might provide overarching network and systems security standards criteria.44 Security practices must be established and people trained. Then, the practices must be audited and enforced. Until government, industry, and academia establish system security practices as the top priority through training, education and continuous reinforcement, people and processes will continue be key sources of system weaknesses.

For oversight, the Environmental Protection Agency (EPA) might serve as an organizational model for a government agency responsible for assuring information technology security standards enforcement. Other government agency models that have been suggested include the Centers for Disease Control and Underwriters' Laboratory.45 Alternatively, the formation of a composite UN-sponsored organization such as an IT-equivalent of the International Telecommunications Union, may be the best approach to security solutions.

One possible point of departure for standards would be NSA's Orange Book, which specifies product security requirements. Another well-developed approach would be a security engineering version of the Software Engineering Institute's Capability Maturity Model (CMM). The CMM for Software provides five levels of key process areas and practices for software capabilities. Industry organizations are rated at one of five specific CMM levels based on adherence to proscribed standards. Such a model would provide a very effective means of standards implementation and rating in security engineering. Additionally, the requirement for an automated means of assessing defensive posture, attack activity, and content reliability has been specified, but compliance criteria has not yet been defined, and a method for systematic organization and implementation of many existing security tools is not yet specified.46 Further, secure COTS-based computing clusters, databases, and tools to support policy enforcement are not implemented across various platforms in a system-wide approach.47 There is a market for certification standards, albeit relatively immature. For example, the private National Computer Security Association's "International Computer Security Association" of Carlisle, Pennsylvania provides independent, objective certification services for computer security products.48

Potential Technology Solutions. Additional technology solutions for defensive IO are under development. Technology solutions will directly support basic intelligence information needs for IW attack warning. The 1996, 1997, and 1998 Defense Science and Technology Plans articulate IA technology plans, and budgeting through FY02. It is interesting to note that both the FY96 and FY98 planning elements list the same nine information security limitations and eight key technologies which need to be addressed for IA. Key early warning challenges include the lack of anticipatory or predictive network management capabilities, lack of attack sensors, lack of ability for intrusion detectors to provide automated damage assessment and attack response, and limited techniques to recognize coordinated attacks and filter normal hacking activity.49 Annual program funding planned in FY98, FY99, and FY00 was $78.8 million, $89.2 million, and $49.3 million, respectively. This money is to address technologies development for defensive IO and automated intrusion detection for warning. This planning is consistent with the findings of the 1996 Defense Science Board Task Force on IW-Defense, which recommended outlays of an additional $3 billion for information security programs through FY01. Unfortunately, the $69.9 million that had been planned for Defense Department efforts in FY99 for infrastructure protection was reduced by Congress to $0.5 million, to be focused on software security research.50 This reduction is surprising in the face of demonstrated weaknesses in strategic cyber threat warning readiness.

It is important to understand, also, that new technologies require integration into existing systems and processes. Often the integration effort is as challenging as the basic technology development effort. These system integration requirements appear to be understated in Defense planning. One system assurance solution that may significantly reduce the likelihood of a successful large-scale attack is node diversity and redundancy. The concept employs the idea that different systems are vulnerable in different ways so, when they are networked together, there are built in barriers to proliferation of a problem. Another security solution is to isolate and, thereby, secure critical information networks. While costly, a closed network configuration or stand-alone system will provide the only truly unbreachable system. If national security needs dictate, such an approach could provide a solution to the vulnerability problem. Many businesses are turning to this type of solution -- for example, Virtual Private Networks provide isolation through private leased data lines.51

Simple, Common Sense Security Actions. Possibly the best motto for enhancing network security is "just do it." To complement technology solutions, there are a myriad of simple, common sense security practices with large payoffs in vulnerability reduction and warning capabilities. Resources should be focused to reduce vulnerabilities, and there are significant opportunities to do so by focusing on the "low hanging fruit" -- i.e., the most accessible and easiest to achieve fixes. Training and dedicated security resources are the key to effective vulnerability reduction and successful information defense. Guidelines provided for protection of unclassified national security-related telecommunications, such as those prioritized in the joint doctrine, should be implemented and actively checked for compliance.52 These simple actions would bring under control the hemorrhage of sensitive military, political, economic, and special topics information currently available via the Internet, and enable more focused analysis of potential adversary interests and intentions indicated by probing activities.

Firewalls and encryption raise the security bar considerably. These technologies are widely available, even free. A former NSA researcher turned Trusted Company founder offers a free version of his $17-$50 thousand "Gauntlet" firewall over the Internet.53 Jenesys, LLC offers "WinFiles.com", a web site providing access to a wide range of Windows-based shareware and freeware, including over 100 downloadable encryption software packages for folders, files, drives, mail, images, and audio files. There are numerous firewall applications for enhancing network security and data integrity. Virus protection at the organizational level can be significantly enhanced; external drives can be removed from individual computer workstations and removable media can be located behind a firewall where new data and media can be validated prior to introduction into a protected or secured net area. The same action could be taken for Internet downloads. This approach would help to isolate most malicious code prior to infection, and would enable an anticipatory, vice reactionary capability.

Another largely understaffed and low-priority but required function is audit trail monitoring. Many tools are available to provide automated and semi-automated support for practical implementation of this function. A little used implementation would be to employ the monitoring capability at the system user level in addition to the system administrator level. This kind of regular monitoring would serve to educate the users and system administrators on normalcy levels, improve recognition of intrusion attempts, and increase the likelihood of initiating an attack identification process. Audit trail monitoring is a basic building block of developing a cyber attack warning capability. If you are not regularly looking at who is accessing your systems, you will never be able to detect unauthorized intrusions! Benefits to enhancing the warning capability through audit monitoring are obvious, yet this is a poorly implemented function, even at the system administrator level.

Applying Widely Available Resources. Even a cursory scan for on-line security resources can provide overwhelming results in terms of solutions. Sword and Shield, Inc. offers a "Top Ten" list of security actions, covering key security areas of information system security policy, use, and data assurance.54 CERT provides packet filtering guidelines, specifying which services should be filtered to assist in preventing intruder network mapping activities.55 The Department of Energy's Computer Incident Advisory Capability (CIAC) offers how-to guides for securing Internet and Windows NT servers and detecting intrusions on UNIX-based systems, as well as a host of downloadable security tools and anti-virus packages.56 For a more technical subject treatment, Purdue University's Computer Operations, Audit, and Security Technology (COAST) project offers more than 50 on-line security publications, and Hacker Proof: The Ultimate Guide to Network Security, provides a comprehensive and readable technical treatment of security, along with a companion CD-ROM containing a network firewall, packet analyzers, vulnerability analysis tools, audit trail generators.57 A Practical Exercise in Securing an Open VMS System is provided by a Griffith University student.58 This list can easily be extended tenfold. Unfortunately, while this summary addresses some of the most common systems in use, many system administrators and most system users are not aware of, and do not implement, the practical procedures and guidelines provided in resources such as those mentioned above.

System administrators and users are often not adequately trained, and security tasks often do not receive requisite management oversight, support, planning and coordination. Often, the senior system administrator for an organization is·not placed among the key management team. When an organization's structure does not prioritize basic system security functions as key organizational processes to be worked by key staff members, systems will remain vulnerable. System and network vulnerabilities will remain until management commitments and well trained work forces are in place. As a result, an effective warning process will remain elusive due to the voluminous vulnerabilities which make systems and networks penetrable. The good news is that the bulk of problems can be fixed.

Process Solutions. Recommendations for security process approaches abound. Use of techniques such as red teaming, IW simulations, and war gaming is growing and found to be highly effective in improving security postures and developing short and long-term strategies for information defense. Red teaming provides a comprehensive information system vulnerability assessment process, complete with controlled penetration testing. A DoD Information Warfare Red Team (IWRT) was formed in 1995 to conduct and demonstrate vulnerabilities in DoD information systems, focusing on selected Advance Concept Technology Demonstrations. (ACTD)59 Dr. Fred Cohen, a former Principal Member of Technical Staff at Sandia National Laboratories and now Senior Partner of Fred Cohen and· Associates, who has been credited with designing the first ever computer virus in the 1980's, hosts a red team mail list at http://all.net.60 His purpose is to foster sharing of controlled penetration testing strategies and applications and to provide a comprehensive taxonomy of computer threats, attacks, and defenses Others detail a standard methodology for analyzing individual system security and network penetration vulnerability using commonly available tool sets.61 The Manhattan Cyber Project was formed in May 1997 as an outgrowth of a 1996 US Senate security survey. The organization's goals are to gain a "more secure infrastructure and corporate America through free education and awareness," and an extensive outreach program.62 Thus, sound security information and tools are available and can to be widely applied in formal, structured programs.

Scenarios and simulations are naturally complex and expensive, but are highly effective in stimulating strategic thought and decision making for information defense. Simulations and exercises contribute significantly to the development of cyber warning capabilities. Decision makers experience the impact of system vulnerabilities; policy, enforcement, and procedural inconsistencies; and technology limitations to effective information defense, then, develop strategic plans to address those deficiencies. As an example, Rand has modified its benchmark three-step "Day After" exercise methodology into a two-step approach, providing a scenario of cyberspace attacks in some future time.63

What about warning capabilities at the individual user level? Special Agent Jim Christy, Law Enforcement Liaison to the Pentagon's Directorate of Information Assurance and involved in computer security since the Hanover Hacker case of the mid-1980s, suggests a unique approach to combating cyber crime with a view toward critical infrastructure protection. He would establish what could be called "cyber neighborhood watches," by which anomalies are reported immediately to authorities by concerned citizens.64 An approach such as this would possibly enable early harnessing of the young talent pool currently populating the hacker ranks. This could lead to significantly improved self-policing and, possibly, usher in a reduction in the most prevalent cyber nuisance activity, while also reducing the likelihood of cyber accidents and the volume of intrusion activity into critical infrastructure and defense systems. These results would obviously simplify the warning activities of attacker and motive identification, as well as possibly providing a smaller, more focused potential adversary list.

Prospects for a Viable Cyber Threat Warning Capability. The strategic cyber threat warning system is at present evolutionary. The existing strategic warning capability is deficient, but the strategic warning process is certainly functioning. The warning system is accomplishing its primary purpose; it is effecting policy, procedural, and technology changes. While the capability to detect a specific strategic cyber attack is lacking, tailored methodologies, organizations, and missions are emerging to address the overall strategic cyber threat. In so doing, the warning community has been redefined and greatly expanded.

The warning community is charged with developing a cyber threat warning capability in an environment characterized by rapid, continuous, and high-tech change, along with increasing uncertainty in the global threat environment. Technology-driven cyber threat capabilities have developed a cyclical attack capabilities-countermeasures-new capabilities nature. By coupling existing threat warning capabilities with ones tailored to the cyber threat in order to address key attack precursors, and by implementing information defense improvements, effective strategic warning is possible.

In A History of Warfare, John Keegan argued that cultural and material changes may be bringing an end to the five-thousand year old institution of violent war "through which the embittered, the depressed, the naked of the earth, the hungry masses yearning to be free, express their anger, jealousies, and pent-up urge to violence."65 IW can be a non-violent alternative to violent war. As the institution of violent war gives way to IW, we are certainly capable of meeting, and should ensure we are ready to meet, this new institution with an effective cyber threat warning· capability.

__________

Notes

1. This article is based on the thesis of the same title submitted by the author to thesis advisor Dr. Jonathon Lookwood and the faculty of the Joint Military Intelligence College in partial fulfillment of the requirements for the degree of Master of Science of Strategic Intelligence. That thesis won the 1998 Military Order of World Wars Award for the Best Thesis on a National Security Topic. The full text of the thesis with all notes and appendices can be obtained from the DIA/JMIC unclassified library.

2. Defense Science Board (DSB) Task Force, Report of the DSB Task Force on Information Warfare Defense (IW-D) (Washington, DC: GPO, 1997), URL: <http://cryptome.org/iwd.htm> [revised to fit], accessed on 1 March 1997.

3. DSB.

4. DSB.

5. Lieutenant General Patrick Hughes,USA, Director, Defense Intelligence Agency, "Global Threats and Challenges: The Decades Ahead," Statement for the Senate Select Committee on Intelligence, 28 January 1998.

6. Jerome Kruczek, "Information Warfare," photocopy of slides presented at the National Security Agency (NSA), Fort George G. Meade, MD, 4-6 February 1997.

7. US Government Accounting Office, Information Security - Computer Attacks at Department of Defense Pose Increasing Risks (Washington, DC: Government Printing Office, 1996), 4.

8. Alan D. Campen, "National Vulnerability Intensifies As Infrastructure Reliance Grows," SIGNAL (July 1998): 20.

9. James P. Finley, "Intelligence Failure Matrix," Military Intelligence (January-March 1994).

10. Captain Brent Green, USN, DoD Representative to the President's Commission on Infrastructure Protection, lecture at National Military Industrial Association symposium "IW, Terrorism and Cyber Crime: Are We Winning the War?" Marriott Crystal Gateway Hotel, Arlington, VA, 4 September 1997.

11. "Sword and Shield - Cyber Crime Rap Sheet," Sword and Shield Computer Services Inc., 30 December 1997, URL: <http://www.sscs.net/cybercrime.html> [dead], accessed on 5 July 1998.

12. Lieutenant General Kenneth Minihan. USAF, "Conflict in the Information Age: Threat and Response," American Intelligence Journal 17, nos. 1,2 (1996): 9.

13. National Research Council (NRC), System Security Study Committee, Computers at Risk, 3rd ed. (Washington, DC: National Academy Press, 1991), 14.

14. Cambridge Work Group Report, Feature: High Tech Society Vulnerable to Online Attack, (Cambridge Publishing Inc., 1996), accessed via Electric Library, URL:<http://www2.elibrary.com> [dead] under key words "information warfare"on 28 October 1996 and on 2 April 1997.

15. John Fontana, "Pragmatic Plan Eases Security Fears," Communications Week, URL: <http://x10.jdejanews.com> [dead], under key words "Tenet" and "national security," accessed on 1 March 1998.

16. NRC, 283.

17. Infrastructure Protection Task Force, URL: <http://www.fbi.gov/programs/iptf.htm> [dead], accessed on 7 May 1998.

18. Martin Libicki, Defending Cyberspace and Other Metaphors (Washington, DC: National Defense University, 1997), URL: <http://www.ndu.edu/inss/actpubs/dcom/dcom.html> [dead], accessed on 21 May 1997.

19. US President, A National Security Strategy for a New Century, May 1997, URL: <http://jya.com/nsstrat.htm>, assessed on 30 May 1998.

20. US President, Executive Order 13010, United States Federal Information Technologies, 16 July 1996.

21. Lieutenant Colonel Robert Walker, USA, from the office of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASDC3I), "The DoD Perspective," a lecture presented at the National Military Intelligence Association symposium, "Information Warfare 98: Taking Stock of Where We Are in IW," Marriott Hotel, Tyson's Corner, VA 19 May 1998.

22. Robert Steele, "Intelligence and Information Warfare," The Journal of Infrastructural Warfare (Spring 1997), URL: <http://www.iwar.org/restricted/lsl.html>[dead], accessed on 21 April 1997.

23. George C. Tenet, Director of Central Intelligence, Statement before the Senate Select Committee on Intelligence, 28 January 1998 (Washington DC: Federal Document Clearing House, Inc., 28 January 1998).

24. Fred Cohen, Principal Member of the Technical Staff, Sandia National Laboratories, telephone interview by author, 26 February 1998.

25. Martin C. Libicki, "Technology and Warfare," in 2015: Power and Progress, ed., Patrick M. Cronin (Washington, DC: National Defense University Press, 1996), 145.

26. William B. Black, lecture presented at the National Military Intelligence Association symposium "Information Warfare 98: Taking Stock of Where We Are in IW," Marriott Hotel, Tyson's Corner, VA, 19 May 1998.

27. Clarence A. Robinson, Jr., "Make-My-Day Server Throws Gauntlet to Network Hackers," Signal, (19 May 1998): 19-24.

28. Matt Blaze and others, "Minimal Key Lengths for Symmetric Cyphers to Provide Adequate Commercial Security: A Report by an Ad Hoc Group of Crytographers and Computer Scientists," (January 1996).

29. Libicki, 137.

30. Major Richard W. Aldrich, USAF, "The International Legal Implications of Information Warfare," Airpower Journal, (Fall 1996): 99-109.

31. John Carroll, "A Kind Word for Hackers," Computerlife, (June 1998):128. 32. Lieutenant Colonel Robert C. Walker, USA, "The DoD Perspective," a lecture presented at the National Military Intelligence symposium "Information Warfare 98: Taking Stock of Where We are in IW," Marriott Hotel, Tyson's Corner, VA, 19 May 1998.

33. "ANSIR on the Internet", URL: <http://www.fbi.gov/ansir.htm> [dead], accessed on 28 March 1998.

34. Robert Ackerman, "Justice Department Readies Infrastructure Defense Plans," Signal, (July 1998):17-19.

35. Daniel Verton, "DoD Preps Office for Cyberdefense," Federal Computer Week, (13 July 1998).

36. Gregory Slabodkin, "FBI Suspects Two Teens in DOD Systems Attack," Government Computer News, (9 March 1998), URL: <http://www.gcn.com/gcn/1998/March9/new1.htm> [dead], accessed in August 1998; "DISA INFOSEC Program Management Office (IPMO)," URL: <http://www.disa.mil/ciss/> [dead], accessed on 11 July 1998.

37. Joint Chiefs of Staff, Joint Doctrine for Information Operations. Pub 3-13 (First Draft) (Washington DC: Government Printing Office, 21 January 1997), III-3 to III-24.

38. Ibid., V-12 to V-16.

39. Rick Brennan and R. Evan Ellis, "Information Warfare in Multilateral Peace Operations: A Case Study of Somalia," (18 April 1996), URL: <http://sac.saic.com/Somalia.htm> [dead], accessed on 12 January 1998.

40. European Institute for Computer Anti-Virus Research, URL: <http://www.eicar.com>, accessed on 21 July 1998.

41. M. J. Zuckerman, "Terrorism on the Net: Post Cold War Hysteria or a National Threat?" USA Today, (5 June 1996), accessed via Electric Library under keywords "information"and "vulnerability," on 4 February 1997.

42. Lieutenant General Kenneth A. Minihan, "Conflict in the Information Age," a speech at the Air Force Association, Air Warfare Symposium. 30 January 1997, URL: <http://www.aef.org:80/ol12.html> [dead], accessed 4 February 1997.

43. John Coale, "Decision Making for Peace: A Future View of Information Warfare," MSSI Thesis (Wash. DC: Joint Military Intelligence College, August 1996): "Risk Assessment: C.A.R.V.E.R.," The Proteus Security Group, Inc. 1997, URL: <http://www.anti-terrorism.com/risk.html> [dead], accessed on 27 January 1998.

44. Recommendation by Brian C. Lewis in "Information Warfare," URL: <http://www.fas.org/irp/eprint/snyder/infowarfare.htm>, accessed 3 January 1998.

45. Robert H. Anderson and Anthony C. Hearn, " Appendix B: Scenarios and Instructional Material Used in Exercise," The Day After...in Cyberspace-II (ARPA), 23 March 1996, URL: <http://www.rand.org/publications/MR/MR797/appb.html>, accessed 7 February 1998.

46. National Research Council, "Technology for the United States Navy and Marine Corps, 2000-2035: Becoming a 21st-Century Force", Information Warfare, vol 3, (Washington, DC: National Academy Press, 1997), 81.

47. Defense Technical Information Center, "1996 Joint Warfighting Science and Technology Plan", URL: <http://www.dtic.mil>. accessed on 20 March 1997.

48. Peter Tippett, "ICSA Certified: Goal and Generic Criteria," National Computer Software Association, 1997, URL: <http://www.ncsa.com/services/certification/about.htm> [dead], accessed 10 February 1998.

49. Defense Technical Information Center. "1996 Joint Warfighting Science and Technology Plan" and "1998 Defense Technology Objectives," accessed on 26 July 1998.

50. Daniel Verton and Heather Harreld, "Senate Panel Obliterates Infowar Funds," Federal Computer Week, (6 July 1998): 1, 52.

51. Rajiv Chandrasekaran, "The Guardians of Computer Security." The Washington Post, Washington Business Magazine, (16 March 1998): 12-14.

52. Chairman, Joint Chiefs of Staff, Defensive Information Operations, CJCSI 6510.01B (Washington, DC: GPO, 22 August 1997), D-B-1 - D-B-A-7.

53. Chandrasekaran, 14.

54. "Top 10 List of Proactive Security Measures," Sword and Shield Computer Services, Inc. URL: <http://www.sscs.net/top10.html>, accessed 10 May 1998.

55. Carnegie-Mellon University CERT, "Packet Filtering for Firewall Systems," October 1997, URL: <ftp://info.cert.org/pub/tech_tips/packet_filtering> [dead], accessed 13 January 1998.

56. Department of Energy CIAC Team, "Securing Internet Information Servers" (CIAC-2308 R.2), December 1994; Karen Pichnarczyk, Steve Weeber, and Richard Feingold, "Unix Incident Guide: How to Detect an Intrusion," December 1994; and various linked documents at URL: <http://ciac.llnl.gov>, accessed June 1997 - July 1998.

57. "COAST Library," 17 August 1996, URL: <http://www.cs.purdue.edu/coast/coast-library.html>, accessed on 7 February 1998; Lars Klander, Hacker Proof: The Ultimate Guide to Network Security (Houston: Jamsa Press, 1997).

58. Rob McMillan "A Practical Exercise in Securing an Open VMS System," The University of Queensland, January 1995, URL: <ftp://ftp.auscert.org.au/pub/auscert>, accessed on 3 January 1998.

59. "Information Warfare Red Team," ACTD Master Plan, Appendix 5, URL: <http://www.fas.org/spp/military/docpos/defense/actd_mp/A5.htm> [dead], accessed on 10 May 1998.

60. Fred Cohen, "Managing Network Security: Red Teaming and Other Aggressive Auditing Techniques," (February 1998), and other links also at URL: <http://all.net/> [dead], accessed on 23 February 1998.

61. Mark Abene, Gerald L. Kovacich, and Steven Lutz, "Workshops: Intrusion Detection Provides a Pound of Prevention," Network Computing, (15 August 1997): 120 CMF Media, Inc., accessed via Electric Library, under key words "information warfare,"on 31 August 1997.

62. "Manhattan Cyber Project", URL: <http://www.WarRoomResearch.com/MCP> [dead], accessed on 7 May 1998.

63. Anderson, accessed 7 February 1998.

64. James V. Christy, Special Agent, Law Enforcement Liaison, Directorate of Information Assurance, Assistant Secretary of Defense for Command, Control, Communications and Intelligence, interview by author, 3 June 1998.

65. John Keegan, A History of Warfare, 1st rev. ed. (New York: First Vintage Books, 1994), 56.

HTML by Cryptome.