An Overview Of The Intricacies And Multifaceted Dimensions Of Offensive Cyber Operations
By Richard Kaplan
Wednesday, February 6th, 2013 @ 12:49AM
The following is an informative, clear summary of the problems, as well as U.S. government preparedness and efforts to detect and prevent them. But the recent attacks and official public statements and reports attest to the urgency for better protection.
The unfolding events over the past twenty-four months forced the White House and the Pentagon to expand the personnel of the U.S. Cyber Command by as many as five-thousand.
One hopes that unlike the recent wars, the U.S. government is not readying itself, again, to fight yesterday’s war. Rapidly evolving technological innovations could leave us soon behind with irreparable damage and painful recovery.
An Overview of the Intricacies and Multifaceted Dimensions of
Offensive Cyber Operations
by Richard Kaplan*
In the past several weeks there have been numerous stories in the press regarding hacking incidents against major newspapers in the United States that have been attributed to the People’s Republic of China. These incidents follow closely on other reports of hacking incidents against U.S. financial institutions that were attributed to the Islamic Republic of Iran.
There are two major hacker groups. The first is independent hackers, usually young disenfranchised youth that conduct computer intrusions as a dare or some sport. The second, and most dangerous to the national security of the U.S., are the state sponsored hackers, such as those from China and Iran.
On any given day, state-sponsored hackers conduct tens of thousands of “probes and scans” of the U.S. federal government and commercial websites. They are looking for system vulnerabilities in an attempt to gain access to sensitive information on national defense and critical technology subjects.
First, they “scan” the computer system to evaluate its vulnerabilities. When they find an opening, they “probe” it in an attempt to gain access to the site content.
The U.S. government computer systems, especially those of the Department of Defense, and defense contractors, are subjected to hundreds of thousands of scans and probes by foreign entities, individual hackers, hacker groups, and information brokers on a daily basis.
At the present time, the DoD maintains three distinct computer information systems. The first is for unclassified information, the second is for information classified as secret, and the third is for information classified as top secret and above. DoD’s unclassified computer systems are, out of necessity, connected to the Internet. These are systems that deal with logistics and personnel related information that need to interface with other information systems. However, both secret and top secret computer systems are not linked to the Internet, minimizing the chance that unauthorized users can gain access to these sensitive categories of information. The only caveat here is, that out of operational necessity, the secret and top-secret systems that contain our nation’s most sensitive information have what are known as Secret and Below Interoperability (SABI) Connections, which are essentially bridges to the unclassified Internet. The one and only time that the two DoD classified systems were ever compromised was when the “I Love You” (V)irus found a SABI connection and infected one classified system.
Of course classified systems are always subject to what is commonly referred to as the “Insider Threat,” such as the actions of PFC Bradley Manning when he downloaded data from a computer system containing secret information then passed that data on to WikiLeaks. Although the U.S. Intelligence Community has taken measures to eliminate the “Insider Threat” by making it difficult to download data from classified systems, the Army failed to install these secure systems in Iraq.
The Internet, the “Information Super Highway,” is the vehicle used by intruders to gain access to both government and private sector computer systems. Once an adversary discovers a system vulnerability, they can usually bypass the Intrusion Detection Sensors (IDS), and the system’s “firewall” to gain entrance into a computer system. Once they have entered a system, the intruder can conduct a number of activities such as defacing a website, exploiting the computer’s data, or removing data from the system.
The ability of an unauthorized user to gain access to a computer system is wholly dependent upon the cyber security devices that are installed on a given system. Those computer systems that employ a mix of IDS Sensors will detect more offensive cyber scans and probes, and be able to take immediate measures to protect the security of their computer systems. These actions also include employing the latest firewall and IDS technology.
Most often, U.S. financial institutions, and other sectors of the U.S. National Critical Infrastructure, maintain an internal Intranet for the exchange of sensitive information. A company Intranet would not be linked to the public Internet, therefore, it would be difficult for an intruder to gain access to a closed system.
Financial institutions that do maintain a public Internet for such activities as customer online banking, maintain redundant, or backup systems in the event of an unauthorized intrusion. This is to ensure that customer accounts are not subject to the unauthorized removal of funds.
Computer systems that are vital to the operations of the U.S. national critical infrastructure, such as electric power generation facilities, dams, hydroelectric facilities, communications, air traffic control, and a multitude of other critical assets, are controlled by Supervisory Control and Data Acquisition (SCADA) Systems. These are independently controlled, “Stand Alone” computer systems that, once again, are not linked to the Internet so there is less opportunity for unauthorized users to gain access to these critical operating systems.
The recent series of cyber intrusions by “State Sponsored Hackers,” showed that the U.S. is not defenseless against foreign offensive cyber operations. Since the invention of DARPA Net, which is also considered to be the birth of the Internet, the U.S. government has been actively engaged in developing protective tools and methods for responding to hackers’ threats. For years this responsibility fell on the National Security Agency (NSA). Today, the U.S. Cyber Command, co-located with the National Security Agency at Fort Meade, Maryland, is in charge. In addition, each military service also maintains its own Cyber Operations and Computer Emergency Response Team (CERT) capability. Monitoring and protection of government agencies outside of the DoD is done by the Federal Computer Emergency Response Team (FEDCERT). In the event of attempted foreign cyber intrusions on the private sector, that information is passed on to the FEDCERT for action.
In addition to monitoring the security of computer networks, the U.S. Cyber Command, and the various CERT’s, employ preventive measures to maintain the security of computer networks. These activities include constant monitoring and evaluation of the tactics, techniques, and procedures employed by adversaries to gain access to U.S. computer networks. This also includes reviewing scans and probes of critical networks to determine foreign intentions.
When new tools and software have been employed by an adversary, the U.S. develops “Patches” to safeguard the networks. In addition, the U.S. Cyber Command and the military service cyber elements constantly conduct “vulnerability assessments.” These are accomplished in the form of “penetratioesting,” where certain tools are employed to test the operational security of a computer network. “Red Teaming” techniques are also employed; U.S. cyber security specialists use adversarial hacking tools previously employed against U.S. computer systems to once again test the operational security of a computer network.
In the event of a computer intrusion, the DoD and the military maintain computer forensics laboratories that can evaluate computer hard drives to determine what data had been taken, as well as the type of adversarial tool that was used for the attack. For example, on Feb. 1st, following the attacks on the Washington Post, the U.S. Cyber Command requested certain computers hard drives to determine the nature and scope of the attack.
One of the main questions that seem to perplex people is how a computer network intrusion can be attributed to a specific individual, or “State Sponsored Hacker Group.” This process is referred to as “Trace Back” or “Hop Back.” The process allows cyber security professionals to follow the path of the intrusion back through the Internet Protocol (IP) addresses of the machines involved in the intrusion. Even if a hacker is using what are commonly referred to as “Ghost Sites” or “Jump Sites” (computers belonging to individuals, companies, or groups not associated with the intruder), the digital signal can be traced back to its point of origin. Using this technique allowed U.S. cyber officials to determine that China was the point of origin for the cyber intrusions of U.S. newspapers, and that Iran is responsible for attacking U.S. financial institutions.
Developing offensive cyber operations is the new arms race of the 21st Century and cyberspace is fast becoming tomorrow’s new battlefield.
While U.S. adversaries will continue to refine, expand, and develop new tools, techniques, and procedures to enhance their offensive capabilities, the U.S. must work aggressively to meet this threat by developing effective cyber countermeasures. It must also ensure the protection of scientific and technical research by universities and private sector organizations on the Internet. However, risking Internet intrusion is the price that organizations and individuals must pay for living in a free and open society.
*Mr. Kaplan is an Advisory Board Member of the Center for American Democracy, Economic Warfare Institute. He is a Strategic Intelligence, Counterintelligence, and International Law Advisor to the UN . Until his recent retirement, he was assigned to the Office of Intelligence and Counterintelligence at the U.S Department of Energy. Mr. Kaplan’s view expressed here, is his own and do not necessarily reflect those of the American Center for Democracy/Economic Warfare Institute.