Phil Taylor's papers
IO - a Canadian Perspective
Information Operations
July 17, 2001

Introduction

With the advent of the personal desktop computer in 1980, the manner in which the public and private sectors conduct business and provide services to the public at large has changed. Over time, millions of computers and thousands of dissimilar networks worldwide have been connected through a global network of networks. Internet use has more than doubled annually for the last several years to an estimated 40 million users worldwide in nearly every country today. Connections between computer systems are growing at an ever increasing rate with the Internet adding a new network about every 30 minutes. According to a report by the Computer Industry Almanac, nearly 43 percent of Canadians use the Internet, which makes Canada the leading country for Internet use. The growing dependence of governments, institutions, business, groups and individuals on computer-based communications and information technologies has resulted in a constantly changing view of what constitutes threats in today's "information age." It is no longer necessary for "hostile actors" (individuals, extremist groups, terrorist groups, intelligence services and armed forces) to have direct physical access to a computer to copy, destroy or manipulate data. People can use a variety of techniques and software tools to exploit a targeted system once they gain unauthorised access remotely via the Internet or by dialling directly into the system using a telephone and a modem. Most legislation and protective measures address physical attacks on critical systems and data; however, they have been, or are in the process of being, revised and updated to deal with the new class of computer-based threats defined as Information Operations (IO).
Information Operations

The concept of IO has its root in that of "Information Warfare" (IW), which is the physical and computer-based operations used by military forces to compromise the access to and viability of information received by the decision-makers of an enemy, while at the same time protecting their own information and information systems. The term IO is used to denote the use of IW tools and techniques at any time. The definition has changed over time to reflect the need for a state to maintain national security by protecting its critical information infrastructure (CII). The eight critical sectors in a state's infrastructure include: transportation; oil and gas; water; emergency services; continuity of government services; banking and finance; electrical power; and telecommunications. IO is the outgrowth of military doctrine that focussed on the use of electronic warfare measures to degrade the capabilities of adversaries on the battlefield. Operations conducted during the Desert Storm campaign indicated that technological development had provided the military with computer-based tools and techniques that could be used to degrade not only military systems but those of government and the private sector as well. Within the realm of IO, there is no safe haven and territorial boundaries become irrelevant as IO can be conducted at any time against any sector (public or private). All other "cyber" activity (cybercrime, cyberterrorism, cyberwar, netspionage, hacktivism, etc.) is a subset of IO. However, most discussions relating to the use of computer-based tools and techniques in the context of IO have come to focus on information assurance and the protection of computer-based systems and networks from an intrusion or attack.

The Threat

Information Operations could be used to target national information systems from anywhere in the world using inexpensive hardware and software.
Degradation in the operation of a targeted computer system could cause significant social, political and economic impact that would have serious ramifications in the area of national security. Although security measures are being created to protect these infrastructures, the development of attack tools to circumvent these protective measures is ongoing and these attack mechanisms have come to be freely available via the Internet. The number of intrusions into computer-based systems is on the rise and the tools used to exploit existing vulnerabilities are growing in sophistication. Although only a small number of system intrusions are reported, indications are that the level of reported incidents and vulnerabilities is doubling roughly every six months. In 2000, statistics released from the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh show that 1,334 computer security incidents were reported world-wide in 1993, compared to 9,859 in 1999 and, in the first three quarters of 2000, the incidents rose to 15,167. The threat of unauthorised intrusions into computer systems and networks increases proportionately to the degree of connectivity to external networks like that of the Internet. Such connections create vulnerabilities that can be exploited, for whatever reason, by hostile actors using malicious software (e.g. viruses, Trojan Horses and worms) via the Internet. In addition, physical attacks like the cutting of power cables or the destruction of hardware upon which the information infrastructure depends are the equivalent of physical denial of service (DoS) attacks. The latter form of attack prevents authorized users from gaining access to information systems and data. Any of these hostile actors can attack vulnerable infrastructure points using physical means and/or software.
As a result, the growing capability of a variety of hostile actors to make offensive use of IO, in both its physical and nonphysical forms, has the potential to threaten the public safety of Canadians and the national security of Canada. This is especially true since international affairs, in all their dimensions, will increasingly involve competition for control of information networks. Discussions at the United Nations on the topic of the proliferation of IO tools are couched in the rhetoric of weapons proliferation. The language has evolved from mass destruction to include IO tools and weapons of mass corruption. The increasing reliance of states on computer networks makes critical infrastructures attractive targets for attack and exploitation and many countries have embarked on programs to develop IO technologies. According to American military and Congressional reports, Russia, China, India and Cuba have acknowledged preparations for cyberwar and are actively developing IO capabilities; North Korea, Libya, Iran, Iraq and Syria have some IO capabilities. Even though many countries are developing IO capabilities, few have the means to fully integrate various IO tools into a comprehensive attack which would cripple a country's infrastructure. However, some could develop the required abilities to mount such attacks over the next decade.

Security of Systems and Data

The development of IO tools and techniques is evolving in pace with the rate of technological change in the communications and computer industries. The ability to communicate and connect to networks worldwide almost instantaneously has created both advantages and vulnerabilities. As government departments and businesses globally have experienced both intrusions into their networks and the loss of sensitive information, they have attempted to install security measures to protect both systems and data. Unfortunately, these security packages have a short life span.
Surveys and intrusion assessments conducted by private-sector security firms and by government agencies worldwide indicate that a large number of security packages and monitoring tools, many of which are commercially available, are ineffective or misused. A number of surveys conducted in the United States and the United Kingdom indicate that more than 80% of respondents in one case did not use firewalls or any other security measures to protect their systems and data. Up to 93% of respondents in another case were vulnerable to rudimentary attacks even if firewalls were used. As more and more persons, businesses and government departments become dependent on computer-based communications and the operations of interconnected networks, the configuration of interacting computer networks and operating systems becomes more complex and creates vulnerabilities. Natural forces (like storms), the natural evolution of network processes, and IO tools could pressure these vulnerabilities and cause failures that could have a profound effect, both short- and long-term, on the operation of government and the private sector. For example, during the 1998 ice storm in Quebec and eastern Ontario, the destruction of the essential electrical power infrastructure cascaded into a disruption of key services such as water supply, financial services, telecommunications, and transportation with devastating effect for some Canadians.

Examples of Information Operations

Many examples of IO-related activity can be drawn from the experience of American government departments in dealing with computer intrusions and system exploitation. These experiences have been related in speeches given before Senate and Congressional committees and in documents produced by the General Accounting Office.
Extremist organizations, criminal groups and governments are acquiring expertise in the area of IO and could threaten various systems if they possess the proper tools and techniques to exploit vulnerabilities, and the intent to do so. Testimony provided during committee hearings held within government in the United States revealed the fact that an increasing number of countries have or are developing offensive IO programs. Further, there is data to indicate that an increasing number of extremist groups and intelligence services are becoming proficient in the development and/or use of IO tools and techniques. A number of these hostile actors may intend to use IO tools to achieve specific goals. Recent media reports indicate that protected military networks in the United States have been easily hacked using rudimentary tools. One American government-sponsored exercise (Eligible Receiver) demonstrated that software tools obtained from hacker sites on the Internet can not only degrade the operations of government departments but can threaten the critical infrastructure. In April 1998, hackers belonging to the "Masters of Downloading" (MOD), which is international in membership, claimed they had broken into NASA and DoD classified computerized systems, having acquired the means to gain access to these systems with impunity, and to control military satellite and other systems. With at least two Russian members, the MOD was considered by computer experts to be more secretive, careful and sophisticated - and hence more dangerous - than Analyzer. The MOD threatened to sell information about American systems to terrorist groups or foreign governments. MOD members allegedly communicate using an elaborate system of passwords and cover their tracks by routing messages through a variety of computer systems all over the world. Claims made by the MOD have not been publicly corroborated to date.
In February 2000, national infrastructures suffered degradation from virus and distributed denial of service (DDoS) attacks. The attacks, which centred on a number of companies, each with a significant presence on the Internet, were estimated to have caused damage in the order of billions of dollars. The subsequent infestation of computers around the world with the "I Love You" virus had an even more profound effect on systems and networks. This was due in part to the fact that the phrase "I Love You" in the subject line of an e-mail message was a simple psychological operations ploy that enticed many individuals to open the virus-laden e-mail attachment and infect their computer systems. The DDoS attacks of February 2000 acted as a proof of concept to show that a number of computers that previously had been compromised by hacker activity could be used in concert to focus attacks on a single target or on a number of targets. Political tensions have resulted in hacking duels between hacker groups and others in various countries. In 1999, there were hacking exchanges between China and Japan over the issue of the Nanking massacre, between China and Taiwan, and between India and Pakistan over Kashmir. In 2000, Armenians placed false information in the Azerbaijan daily Zerkalo, and the current tensions between Israel and Palestinians resulted in hacking activity by the supporters of each side. This latter activity on the part of pro-Palestinian supporters expanded to include corporations and a pro-Israel organization in North America as targets.

Protection of the Canadian Critical Infrastructure

The Report of the Special Senate Committee on Security and Intelligence, published in 1999, addressed the issue of the protection of Canada's critical infrastructure. The critical infrastructure consists of both physical and cyber-based systems that are essential to the day-to-day operations of the economy and government.
Historically, elements of this critical infrastructure were physically segregated. However, these elements gradually converged, became linked and became more interdependent. Advances in computer and communications technologies resulted in a growing level of automation in the operation of critical systems. The report stated that the growth of, and our increased reliance on, the critical infrastructure, combined with its complexity, has made it a potential target for physical or cyber-based terrorism. In its recommendations, the Committee suggested that the government take action to protect the critical infrastructure and to:

- develop policies and resources to deal with any attacks;
- create the capability to assess and reduce infrastructure vulnerabilities, and to prevent or respond to physical and cyber attacks;
- create public sector-private sector partnerships to protect the critical infrastructure; and
- ensure that the National Counterterrorism Plan regularly be reviewed and updated, especially relating to the impact created by new and emerging technologies that may be used by terrorists.

Similar to other countries, the Canadian government has recently announced the creation of a new agency which is designed to protect Canada's electronic infrastructure against possible cyber-based attacks and natural disasters. The new agency, which is named the Office of Critical Infrastructure Protection and Emergency Preparedness, will report to the Minister of National Defense and will collaborate with the Solicitor General's department, the provinces and municipalities, private industry and other countries. In addition, each federal government department and agency has information technology (IT) policies and procedures. The Communications Security Establishment (CSE) advises the federal government on the security aspects of government automated information systems.

The Role of CSIS

The CSIS Information Operations program was initiated in 1997.
As with all CSIS investigations, this program derives its authority from the CSIS Act. Under sections 2(a), (b) and (c) of the Act, threats to the security of Canada are defined as: espionage or sabotage, foreign influence activities, or serious acts of violence against persons or property in support of achieving a political objective. The information operations threat may fall under any of these three sections. The Service focuses its investigations on threats or incidents where the integrity, confidentiality, or availability of critical information infrastructure is affected. As a result, three conditions must appear in order to initiate a CSIS "information operations" investigation. That is, the incident:

a) must be a computer-based attack;
b) must, within reason, appear to be orchestrated by a foreign government, terrorist group or politically motivated extremists;
c) must be done for the purpose of espionage, sabotage, foreign influence or politically motivated violence.

This definition excludes many of the computer intrusions occurring within Canada. For example, most hacking activity is being done by thrill-seeking amateurs with no political agenda. Moreover, a certain amount of hacking is conducted by criminals for monetary gain and by corporations seeking an unfair competitive advantage over another company. These types of computer intrusions fall outside the CSIS mandate but may be of interest to law enforcement. The Service confines its investigation to computer intrusions conducted with a "political motivation". That is, whether a hostile intelligence service is hacking into Canadian computer systems, or an extremist group is targeting a government web site - there must be a political aspect to the computer intrusion in order for CSIS to be involved.
Since the threat from cyber sabotage and cyber terrorism is part of a broader economic threat to key sectors of Canadian society, CSIS works closely with other government departments such as the Royal Canadian Mounted Police, the Department of National Defense and the Communications Security Establishment. Furthermore, within the international milieu, CSIS liaises and exchanges information with allied agencies to remain abreast of the global threat and how it may impact on Canada's national security. CSIS also participates with the federal government in broader G-8 efforts aimed at addressing the cyber threat.

Outlook

One of the greatest challenges in countering the threat in the realm of IO is that borders have become meaningless to anyone operating in a virtual environment. Even if great diligence was taken in the effort to remove vulnerabilities, it would be almost impossible to eliminate them entirely because attack tools, networks and network control systems are in a constant state of evolution. As new technologies develop so too will new attack tools and mechanisms. As a result, governments will have to set procedures in place to allow security initiatives to evolve to deal with new threats as they arise. For example, the risks involved with the movement of the private sector to an e-commerce environment, the initiatives within the private sector to provide services and system interconnection via wireless means, and the use of personal digital assistants all present challenges from a security perspective. Hacking is becoming easier to a certain extent because some elements of both the private and public sectors around the world have been more interested in connecting to the Internet than in facilitating their operations securely via the Internet.

National Liaison Awareness Program

CSIS maintains a national Liaison Awareness Program.
The program seeks to develop an ongoing dialogue with both public and private organizations concerning the threat posed to Canadian interests from cyber-based attacks. The purpose of the program is to enable CSIS to collect and analyse information that will assist it in its investigation of these threats which could have implications on Canada's national security. The Service then assesses the threat, and provides advice to government accordingly. This program is an important vehicle used by the Service to articulate its message to the Canadian public.

Contact

For comments/enquiries, please contact the National Coordinator, Economic and Information Security, Canadian Security Intelligence Service (CSIS) c/o P.O. Box 9732, Postal Station T, Ottawa, Ontario, K1G 4G4. Telephone (613) 231-0100 or Fax (613) 842-1390.