Report on the Defensive Information Warfare Symposium, New Orleans, December 11-12 1995

by Cynthia Irvine, Naval Postgraduate School

A few years ago I watched a film about an adolescent computer whiz who broke into a sensitive military command and control system and wreaked havoc before being identified and subdued. Those were the good old days. Then hacking was an arcane art requiring a high level of technical skill and was accomplished using dumb terminal interfaces. Perhaps that scenario was never particularly realistic, but now modern hackers come in many varieties and have a vast array of tools at their disposal. Novice hackers now have at their fingertips the tools to hijack sessions, run sweepers and sniffers, perform stealth diagnostics, and engage in packet spoofing attacks. They even have nice GUIs for point and click hacking. What does this mean for the officers in charge of today's command and control system? A much greater vulnerability to attack.

On December 11 and 12, 1995, the Defense Information Systems Agency/Center for Information System Security (DISA/CISS) and the Air Intelligence Agency/Air Force Information Warfare Center (AIA/AFWIC) jointly sponsored a symposium on Defensive Information Warfare (INFOWAR). For the 200 attendees at the New Orleans meeting, the fact that several participants were called away to work on aspects of increased U.S. involvement in the Balkan region merely emphasized the increasing importance of information warfare.

Joan Pohly and her associates at DISA/CISS put together an interesting series of presentations which helped to define the problem and illustrated ongoing defensive IW efforts. Highlights of the meeting are reported here.

From the outset, it was clear that, of the services, the Air Force has made the greatest effort to address information warfare problems. The Air Force supports an impressive range of programs of which a few are: emergency response teams, automated security profiling tools, distributed intrusion detection systems, and security prototyping facilities.

So, what is ``Information Warfare?'' The unclassified definition is: Actions taken to achieve information superiority in support of national military strategy by affecting adversary information and information systems while leveraging and protecting our information and information systems. In his keynote address, MG David J. Kelley, Vice Director of DISA, emphasized that information is a critical aspect of modern warfare. The battlespace presented to warfighters is dynamic and requires interoperability between systems for command and control, transmission of information, messaging, and processing. MG Kelley described how the Global Command and Control System, Defense Information System Network, Defense Message System, and Global Combat Support System will combine to provide a real time view of the combat situation with concurrent visibility of assets such as logistics, finance, and procurement. This defense information infrastructure will include air, land, and sea, as well as space-borne assets, and will require protection of critical portions of the frequency spectrum. Thus defensive information warfare specifically includes those ``measures to protect friendly information systems by preserving the availability, integrity and confidentiality of the systems and the information contained within those systems.''

As emphasized by MG Kelley and subsequent speakers, including Col. Kenneth Ritchart and Sarah Jane League, both of DISA/CISS, DoD now relies on an infrastructure of networked information systems, and that infrastructure is vulnerable. Not only do teenaged hackers pose a threat, but there are dangers from criminal elements, malicious insiders, those engaged in industrial and economic espionage, foreign powers, and terrorists. Highly technical powers, such as the developed nations, are particularly vulnerable to attacks on their information infrastructures. These attacks have the following attributes:

How does the military go after a thirteen-year-old system penetrator, and what is the legal framework in which prosecutions can be successfully mounted? Legal issues pertaining to information warfare were discussed in a talk by Col. Robert Giovagnoni of the Air Force Office of Special Investigations. His challenge is to catch the intruder red-handed with his/her tools. Unfortunately, it is sometimes difficult to tell the normal users from the hackers until an attack is well underway and even when an attacker is identified, current legal mechanisms do not provide law enforcement with clear direction. Active defenses and hot pursuit of attackers are not usually options. For example, an attacker may be using someone else's computer as their launch point and cyberspace soldiers cannot just move in and take out an ``innocent'' system. Neither do the traditional concepts of search and seizure scale well to cyberspace. Finally, Col. Giovagnoni touched on the problem of civil and criminal liability for system administrators and investigators. Often users have an expectation of privacy and, even with the use of banner pages announcing that systems are routinely monitored, only nebulous legal protections are available for system defenders.

After a thorough discussion of the nature of the defensive information warfare problem, a series of presentations described ongoing efforts to address current system vulnerabilities.

The need for continued research and development in encryption, intrusion detection, and countermeasures was the focus of a session on the second day. Robin Roberts of the CIA made a particularly interesting report (though I was unable to attend it) on the agency's Workstation and Network Encryption Program. Intended to provide NSA Type-1 encryption for permanent storage and network transport in PC and LAN environments, a crypto peripheral has been developed which can be used on servers, workstations and laptops. This ongoing project gives the community a new tool with which to insert cryptographic protection with minimal disruption to ongoing operations.

The state of system accreditation was presented by Jack Eller, of CISS. Problems facing accreditations today include: overlapping accreditation responsibilities, inconsistent and incomplete policies, the high cost of accreditation, and a shift in paradigms from one in which the data owner controlled the infrastructure to one of networked systems in which the data owner no longer controls the infrastructure. The DoD Information Technology Security Certification and Accreditation Process (DITSCAP) is intended to provide a degree of standardization in the certification process while promoting methods that will reuse existing documentation and analysis and that can be applied at any stage in a system's lifecycle.

LTC Bernard Krauss presented a discussion of how DISA/CISS uses Red Teams to assess the vulnerabilities of computer systems. These assessments involve examination of the usual holes found in network operating systems. A point made during this presentation and throughout the symposium was that once an attacker has entered one system, the trust relationships between multiple systems within a network permit access to most, if not all, of the remaining systems. It is worth noting that this is the same problem encountered when one depends upon firewalls: if the interlopers can break through the firewall (or better yet find a back door into your system) they are usually free to romp around at will. Krauss emphasized that although external penetration is a threat, today the vast majority of problems are caused by insiders. Of particular interest were his slides describing the use of social engineering techniques to convince an insider to divulge sensitive information -- call up and say that General X needs the information immediately, then fool a legitimate user into reading or FAXing the data in the clear. A presentation on the INFOSEC training and awareness programs being conducted by DISA/CISS under the supervision of George Bieber provided the audience with references to resources to help ensure that inside personnel understand the importance of simple security measures and precautions.
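The point about trust relationships can be made concrete by treating inter-host trust as a directed graph and asking what fraction of the network falls once a single host is compromised. The following script is an added illustration, not code from the symposium or from DISA/CISS; the host names and the rhosts-style trust map are constructed, and the `without_edge` helper shows how removing one trust relationship (the kind of segmentation a red team assessment would recommend) shrinks the exposure.

```python
"""Blast-radius estimate for transitive host trust (constructed example)."""
from collections import deque

# Constructed sample network. "A": {"B"} means host A accepts logins
# originating from B without a separate credential (rhosts-style trust).
TRUST = {
    "workstation-1": {"fileserver"},
    "fileserver": {"mailhost", "workstation-1"},
    "mailhost": {"fileserver"},
    "c2-gateway": {"fileserver"},
    "admin-host": {"c2-gateway", "fileserver"},
    "isolated-lab": set(),
}


def trusted_by(trust):
    """Invert the map: for each host, the hosts that accept logins from it."""
    inv = {h: set() for h in trust}
    for host, peers in trust.items():
        for p in peers:
            inv.setdefault(p, set()).add(host)
    return inv


def reachable(trust, start):
    """Hosts an intruder holding `start` can reach by following trust edges."""
    inv = trusted_by(trust)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in inv.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure_report(trust):
    """Fraction of the other hosts that fall if each given host is compromised."""
    n = len(trust)
    return {h: (len(reachable(trust, h)) - 1) / (n - 1) for h in trust}


def without_edge(trust, host, peer):
    """Copy of the trust map with the relationship 'host trusts peer' removed."""
    new = {h: set(p) for h, p in trust.items()}
    new[host].discard(peer)
    return new


if __name__ == "__main__":
    for host, frac in sorted(exposure_report(TRUST).items()):
        print(f"{host:15s} compromise exposes {frac:.0%} of the other hosts")
```

Running the report shows that a single workstation exposes most of the constructed network, while dropping the gateway's trust in the file server keeps the command and control gateway out of reach from that workstation.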

Larry Merritt, the technical director of AFWIC, told the audience that today the United States would be unable to survive a structured IW attack. During the symposium, several areas of research and development were identified. Tools to warn administrators of ongoing attacks are needed. These include automated intrusion detection systems, incident response techniques, network mapping tools to describe who is hooked up to whom, near-real-time risk management tools, and techniques for rapid deployment of countermeasures. The need for continuous vulnerability analysis to assess system risks was identified, along with active techniques for the detection and elimination of malicious code. Tools are needed to manage interconnections to global networks. Finally, enhanced training and awareness are needed to avoid trivial vulnerabilities.

Although the symposium focused on DoD, the problem of information warfare is not restricted to the defense community. DoD is becoming increasingly dependent upon the civilian information infrastructure, which is essentially world-wide. Commercial systems are no less vulnerable than their military counterparts. Perhaps this year's version of the techno-flick will be more sinister as malicious entities attack not only command and control systems, but the power grid and telephone systems as well.