Canadian Security Intelligence Service

ARCHIVED: Report No. 2001/11: Information Operations

Report No. 2001/11 has been archived.


May 6, 2002

This paper uses open sources to examine any topic with the potential to cause threats to public or national security.

Introduction

1. With the advent of the personal desktop computer in 1980, the manner in which the public and private sectors conduct business and provide services to the public at large has changed. Over time, millions of computers and thousands of dissimilar networks worldwide have been connected through a global network of networks. Internet use has more than doubled annually for the last several years to an estimated 40 million users worldwide in nearly every country today. Connections between computer systems are growing at an ever-increasing rate, with the Internet adding a new network about every 30 minutes. This is especially true as businesses are beginning to engage in e-commerce, or conduct business on-line, and governments begin to provide information and services via an electronic environment, or e-government. According to a report by the Computer Industry Almanac, nearly 43 percent of Canadians use the Internet, which makes Canada one of the leading countries for Internet use.

2. The growing dependence of governments, institutions, business, groups and individuals on computer-based communications and information technologies has resulted in a constantly changing view of what constitutes threats in today's "information age." It is no longer necessary for "hostile actors"(1) to have direct physical access to a computer to copy, destroy or manipulate data. People can use a variety of techniques and software tools to exploit a targeted system once they gain unauthorized access remotely via the Internet or by dialling directly into the system using a telephone and a modem. Most legislation and protective measures address physical attacks on critical systems and data; however, they have been or are in the process of being revised and updated to deal with the new class of computer-based threats defined as Information Operations (IO).

Information Operations

3. The concept of IO has its root in that of "Information Warfare" (IW), which is the physical and computer-based operations used by military forces in time of conflict and near-conflict to compromise the access to and viability of information received by the decision-makers of an enemy, while at the same time protecting their own information and information systems. The term IO is used to denote the use of IW tools and techniques. The definition has evolved over time to reflect the need for a state to maintain national security by protecting its critical infrastructure. The critical sectors in a state's infrastructure are those of: transportation; oil and gas; water; emergency services; continuity of government services; banking and finance; electrical power; and telecommunications.

4. IO is the outgrowth of military doctrine that focussed on the use of electronic warfare measures to degrade the capabilities of adversaries on the battlefield. Operations conducted during the Desert Storm campaign in 1991 indicated that technological development had provided the military with computer-based tools and techniques that could be used to degrade not only military systems but those of government and the private sector as well.

5. Within the realm of IO, there is no safe haven and territorial boundaries become irrelevant as IO can be conducted at any time against any sector, public or private. All other "cyber" activity, such as cybercrime(2), cyberterrorism(3), cyberwar(4), netspionage and hacktivism(5) is a subset of IO. However, most discussions relating to the use of computer-based tools and techniques in the context of IO have come to focus on information assurance and the protection of computer-based systems and networks from an intrusion or attack.

The Threat

6. Information Operations could be used to target national information systems from anywhere in the world using inexpensive hardware and software.(6) The potential threats to the critical infrastructure from a variety of hostile actors with such tools and techniques include:

  • the disruption of components of the national infrastructure;
  • the exploitation of information;
  • the manipulation of information for political, economic, or military purposes; and
  • the destruction of information or infrastructure components.

7. Degrading the operation of, or damaging, a targeted computer system could have significant negative impacts on social, political and economic activities, which would entail serious ramifications in the area of national security. Although security measures are being created to protect these infrastructures, the development of attack tools to circumvent these protective measures is ongoing and these attack mechanisms have become freely available through the Internet. The number of intrusions into computer-based systems is on the rise and the tools used to exploit existing vulnerabilities are growing in sophistication and simplicity. Although only a small number of system intrusions are reported, indications are that the level of reported incidents and vulnerabilities is doubling annually. In 2002, statistics released by the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University in Pittsburgh show that 1,334 computer security incidents were reported worldwide in 1993, compared to 21,756 in 2000 and 52,658 in 2001.

8. The threat of unauthorized intrusions into computer systems and networks increases proportionately to the commonality of applications used and degree of connectivity to external networks like that of the Internet. The requirement for interoperability coupled with such connections creates vulnerabilities that can be exploited, for whatever reason, by hostile actors, using malicious software such as viruses, Trojan Horses and worms(7) via the Internet. In addition, physical attacks like cutting power cables or destroying the hardware upon which the information infrastructure depends are the equivalent of physical denial of service (DoS) attacks. The latter form of attack prevents authorized users from gaining access to information systems and data. Any of these hostile actors can attack vulnerable infrastructure points using physical means and/or software. As a result, the growing capability of a variety of hostile actors to make offensive use of IO, in both its physical and non-physical forms, has the potential to threaten the public safety of Canadians and the national security of Canada.

9. Discussions at the United Nations on the topic of the proliferation of IO tools are couched in the rhetoric of weapons proliferation. The language has evolved from mass destruction to include IO tools and weapons of mass corruption/disruption. The increasing reliance of states on computer networks makes critical infrastructures attractive targets for attack and exploitation, and many countries have embarked on programs to develop IO doctrines and technologies.

10. According to American military and Congressional reports, Russia, China, India and Cuba have acknowledged preparations for cyberwar and are actively developing IO capabilities; North Korea, Libya, Iran, Iraq and Syria have some IO capabilities. Even though many countries are developing IO capabilities, few have the means to fully integrate various IO tools into a comprehensive attack which would cripple a country's infrastructure. However, some could develop the required abilities to mount such attacks over the next decade.

11. In his testimony before the Senate Select Committee on Intelligence on the "Worldwide Threat 2001: National Security in a Changing World," 7 February 2001, Director of Central Intelligence George J. Tenet stated that new communications technologies have enabled the efforts of terrorists, who have used these technologies to advance their capabilities to raise money, spread dogma, find recruits, and plan operations. He added that some groups were acquiring rudimentary cyberattack tools. It is the Internet which helps terrorist groups adopt the model of "leaderless resistance".

Security of Systems and Data

12. The development of IO tools and techniques is evolving in pace with the rate of technological change in the communications and computer industries. The ability to communicate and connect to networks worldwide almost instantaneously has created both advantages and vulnerabilities.

13. As government departments and businesses globally have experienced both intrusions into their networks and the loss of sensitive information, they have attempted to install security measures to protect both systems and data. Unfortunately, these security packages have a short life span. Surveys and intrusion assessments conducted by private-sector security firms and by government agencies worldwide indicate that a large number of security packages and monitoring tools, many of which are commercially available, are ineffective or misconfigured. A number of surveys conducted in the United States and the United Kingdom indicate that more than 80% of respondents in one case did not use firewalls or any other security measures to protect their systems and data. Up to 93% of respondents in another case were vulnerable to rudimentary attacks even if firewalls were used.

14. As more and more persons, businesses and government departments become dependent on computer-based communications and the operations of interconnected networks, the configuration of interacting computer networks and operating systems becomes more complex and creates vulnerabilities. Natural forces (like storms), the normal development of new hardware and software, and IO tools could pressure these vulnerabilities and cause failures entailing a profound effect, both short- and long-term, on the operation of government and the private sector.

15. In his testimony before a Congressional subcommittee, the Director of the Internet Security Alliance stated that 80% of all major security vulnerabilities were common to all organizations. For the most part, this is due to the use of the same vulnerable software. Generally, the ability to network has far outpaced the ability to protect these networks. The private sector, including some critical infrastructures, is installing and using wireless networks to facilitate its activities. However, many of these systems are not configured securely and are open to exploitation.

Examples of Information Operations

16. Many examples of IO-related activity can be drawn from the experience of American government departments dealing with computer intrusions and system exploitation. These experiences have been related in speeches given before Senate and Congressional committees and in documents produced by the U.S. General Accounting Office.

17. Extremist organizations, criminal groups and governments are acquiring expertise in the area of IO and could threaten various systems if they possessed the proper tools and techniques to exploit vulnerabilities, and the intent to do so. Testimony provided during committee hearings held within government in the United States revealed that an increasing number of countries have or are developing offensive IO programs. Further, there is data indicating that an increasing number of extremist groups and intelligence services are becoming proficient in developing and/or using IO tools and techniques. A number of these hostile actors may intend to use IO tools to achieve traditional threat-related activities.

18. Recent media reports indicate that protected military networks in the United States have been easily hacked using rudimentary tools. American government-sponsored examinations undertaken by the General Accounting Office indicate that software tools obtained from hacker sites on the Internet can not only degrade the operations of government departments but also threaten the critical infrastructure. A recent National Institute of Standards and Technology report highlights the fact that hackers post approximately 30 to 40 new tools on hacking sites on the Internet every month. An examination of system defacement statistics for 2001 indicates there were 22,379 Web site defacements, and out of a total 29,000 defacements recorded for the period 1998 to 22 January 2002, sites in the United States "domain" were defaced 868 times, those in the United Kingdom "domain" numbered 519, those in the Australia "domain" totalled 345 and there were 205 defacements of sites in the Canada "domain."(8) While this type of data is incomplete, since not all defacements and other system attacks are reported, the information indicates a trend, namely that the number of system intrusions is on the rise.

19. In February 2000, national infrastructures suffered degradation from virus and distributed denial of service (DDoS) attacks. The attacks, which centred on a number of companies, each with a significant presence on the Internet, were estimated to have caused damage in the order of billions of dollars. The DDoS attacks of February 2000 acted as a proof of concept to show that a number of computers that previously had been compromised by hacker activity could be used in concert to focus attacks on a single target or on a number of targets.

20. The subsequent infestation of computers around the world with the "I Love You" virus had an even more profound effect on systems and networks. This was due in part to the fact that the phrase "I Love You" in the subject line of an e-mail message was a simple psychological operations ploy that enticed many individuals to open the virus-laden e-mail attachment and infect their computer systems. The digital threats posed by viruses, worms and Trojan Horses result in billions of dollars in damage yearly: US$17.1 billion(9) in 2000 and US$13.2 billion in 2001, according to estimates issued by the market research firm Computer Economics.

21. A 1997 Electric Power Risk Assessment conducted in the United States concluded that the power grid was riddled with vulnerabilities. Some elements of the grid used unsecured supervisory control and data acquisition (SCADA)(10) systems and were accessible through insider use of corporate local area networks (LANs). In other instances, unsecured SCADA systems could be accessed and controlled remotely via telephone. Anyone with knowledge of the phone numbers required to gain such access could affect the operation of the grid.

22. In Australia, in 2001, Vitek Boden was found guilty of using wireless technology to hack into computers that used a SCADA system to control some of the functions of a sewage treatment plant. His activities in early 2000 resulted in the release of sewage into local water systems. This was deemed to be the first recorded instance of wireless hacking. SCADA systems are used to control a variety of "critical infrastructure" processes such as electrical power distribution, natural gas delivery, and sewage and water distribution projects around the world, including those in Canada.

23. Regional, political tensions have resulted in hacking duels between hacker groups and others in various countries:

  • in 1999, there were hacking exchanges between China and Japan over the issue of the Nanking massacre;
  • between China and Taiwan over the issue of the latter's independence of the former;
  • between India and Pakistan over control of Kashmir;
  • in 2000, Armenians placed false information in the Azerbaijan daily newspaper "Zerkalo;"
  • the 1999-2000 tensions between Israel and Palestinians resulted in hacking activity by supporters on each side, with the activity of pro-Palestinian supporters expanding to include corporations and a pro-Israel organization in North America as targets;
  • supporters of the Former Republic of Yugoslavia performed virus and denial-of-service attacks on NATO computers;
  • the collision between an American surveillance plane and a Chinese fighter in April 2001 resulted in a hacking duel between the supporters of the US and China; and
  • the Alqaeda Muslim Alliance - a hacker coalition composed of GForce Pakistan, the Pakistan Hackerz Club, and the Anti India Crew that appears to support Al Qaida and the Palestinian cause - hacked a number of American sites, including that of the General Accounting Office, threatening to continue attacks against Indian, American, and Israeli sites.

24. Cyberattacks tend to accompany regional tensions and/or physical attacks undertaken by hostile actors, and politically motivated computer-based attacks are increasing in volume and sophistication, and are becoming more coordinated.

Protection of the Canadian Critical Infrastructure

25. The Report of the Special Senate Committee on Security and Intelligence, published in 1999, addressed the issue of the protection of Canada's critical infrastructure. The critical infrastructure consists of both physical and cyber-based systems that are essential to the day-to-day operations of the economy and government. Historically, elements of this critical infrastructure were physically segregated. However, these elements gradually converged, became linked and became more interdependent. Advances in computer and communications technologies resulted in a growing level of automation in the operation of critical systems. The report stated that the growth of, and our increased reliance on, the critical infrastructure, combined with its complexity, has made it a potential target for physical or cyber-based terrorism.

26. In its recommendations, the Committee suggested that the government take action to protect the critical infrastructure and to:

  • develop policies and resources to deal with any attacks;
  • create the capability to assess and reduce infrastructure vulnerabilities, and to prevent or respond to physical and cyberattacks;
  • create public sector-private sector partnerships to protect the critical infrastructure; and
  • ensure that the National Counter-Terrorism Plan is regularly reviewed and updated, especially with respect to the impact created by new and emerging technologies that may be used by terrorists.

27. Like other countries, the Canadian government recently created a new agency designed to protect Canada's electronic infrastructure against possible cyber-based attacks and natural disasters. The new agency, the Office of Critical Infrastructure Protection and Emergency Preparedness, will report to the Minister of National Defence and will collaborate with the Solicitor General's department, the provinces and municipalities, private industry and other countries.

The Post-11 September Threat Environment

28. After the terrorist attacks of 11 September 2001, the issue of critical infrastructure protection (CIP) changed. While the urgency of the issue has not changed, the awareness that there is an urgency has. In the United States, a number of new agencies and legislation were created to deal with "Homeland Security," a concept that has as its goal the defence of a nation's territory, critical infrastructure and population from attack. Similar antiterrorist legislation was formulated, discussed or enacted in Canada, the United Kingdom and Australia. As a corollary to this growing security awareness, information perceived as having the potential to be used by terrorists to target critical infrastructures began to be removed from a number of Web sites that provided data about critical infrastructure locations and contingency plans. Overall, greater attention is being paid to the national security ramifications of all types of cyber-based activity. What used to be viewed as an abstract threat is now viewed by some as both possible and probable.

Outlook

29. One of the greatest challenges in countering the threat in the realm of IO is that borders have become meaningless to anyone operating in a virtual environment. Even if great diligence were exercised in the effort to remove vulnerabilities, it would be almost impossible to eliminate them entirely because attack tools, networks and network control systems are in a constant state of evolution.

30. As new technologies develop, so too will new attack tools and mechanisms. As a result, governments will have to set procedures in place to allow security initiatives to evolve to deal with new threats as they arise. For example, the risks associated with e-government, the movement of the private sector to an e-commerce environment, the initiatives within the private sector to provide services and system interconnection via wireless means, and the use of personal digital assistants all present challenges from a security perspective.

31. Vulnerabilities can be reduced in number but cannot be removed totally from computer-based systems. As a result, systems that are not protected in a robust manner will continue to be compromised and exploited. In general, the tools and techniques to effect such attacks on systems are becoming both easier to use and more sophisticated in their operation. A variety of hostile actors appear to be developing IO capabilities that could become significant in the near future.


1. Hostile actors can be individuals, extremist groups, terrorist groups, criminal organizations, intelligence services or armed forces.

2. A crime related to technology, computers and the Internet, but more specifically, all forms of attack on automated data-processing systems.

3. While there are a number of definitions for the term, "cyberterrorism," in the context of this paper, will be defined as premeditated, politically motivated attacks against information, computer systems, computer programs, and data which can result in violence against noncombatant targets by subnational groups or clandestine agents.

4. A synonym for Information Warfare.

5. Hacktivism is the act of hacking or breaking into a computer system for a politically or socially motivated purpose. It is the combination of hacking and on-line activism.

6. The National Security Agency (NSA) conducted 37 computer intrusion exercises during the past three and one-half years, and 99% of the attacks performed on American computer systems were undetected. The attack teams taking part in these exercises used only the tools and techniques that could be acquired via the Internet.

7. A Trojan Horse is a destructive software program that masquerades as a benign application. Unlike a virus, it does not replicate itself. A virus is software code that reproduces itself by attaching to another program. It may damage data directly or it may degrade system performance by taking over system resources, which then cannot be made available to authorized users. A worm is a program or piece of software code that resides in distributed systems or networks. It replicates itself in order to use as much of the system's resources as possible for its own processing needs, clogging networks and computer systems as it spreads.

8. These statistics are incomplete as they only represent reported defacements. Some defacements and other forms of system compromise and exploitation are not reported and/or recorded. The statistics for the various "domains" that are mentioned above do not include the ".com, .net, .org, .edu" and other non-country-specific "domains."

9. The higher level of damage for 2000 is due to the effects of the "I Love You" virus.

10. SCADA is a software application program used for process control: it gathers data in real time from remote locations and processes that data in order to control equipment. SCADA systems consist of hardware and software components and provide warnings when operating conditions become hazardous. SCADA is used in power plants, oil and gas refining, telecommunications, transportation, and water and waste control.

Perspectives is a publication of the Research, Analysis and Production Branch of CSIS. Comments concerning publications may be made to the Director General, Research, Analysis and Production Branch at the following address: Box 9732, Stn. "T", Ottawa, Ont., K1G 4G4, or by fax at (613) 842-1312.