Chapter VI: Strategies and Solutions to Combat Information Terrorism

"Our responsibility is to build the world of tomorrow by embarking on a period of construction -- one based on current realities but enduring American values and interests." -- President Clinton; May, 1997, A National Security Strategy for a New Century.

Now that information terrorism has been contrasted with conventional terrorism, it is important to examine the defensive aspect of IW to determine what strategies and solutions might be effective against the information terrorist. Since information terrorism is different in many ways from conventional terrorism, traditional methods, which in themselves have not been as successful as needed, are wholly inadequate to protect the U.S. against information terrorism. Recently, the most extensive applications of IW within the U.S. have been defensive. Both government and private sectors have begun to realize the implications behind IW. Committees in Congress have started to tackle possible solutions to cyber or information attacks by considering the economic side of restrictions on exporting encryption technology and a few related First Amendment issues. However, Congressional thinking is still too limited in scope to be effective against the threat of information terrorism. On the other hand, the Executive Branch has been more responsive to the breadth of information terrorism at hand by creating the Presidential Commission on Critical Infrastructure Protection and implementing some of the Commission's recommendations. These have included the expansion of the FBI Computer Crime Division and the creation of the National Infrastructure Protection Center. Nevertheless, U.S. strategies and responses to combat information terrorist threats remain in their infancy.

Due to the impending threat to U.S. national security from information terrorism, this chapter will examine the initial strategies and solutions from the past and present. However, just as the U.S. is moving from the industrial age to the information age, so too are terrorists. As such, U.S. policies and procedures designed to combat conventional terrorism will be wholly ineffective against information terrorism. Additionally, this chapter will suggest revisions to these strategies and offer new approaches to combat the threat from information terrorism.

 

Past and Present Defense Strategies

To be secure in the agrarian age, people built moats or exploited the geographical features around them, such as lakes and rivers. In the industrial age, people needed brute physical force or protection with massive armaments. As the industrial age spawned the nuclear age, people built bomb shelters, initiated civil defense strategies, developed mutually assured destruction plans and operated in the tradition that the greatest defense was the strongest offense. After the collapse of the Soviet Union, however, if the wall was strong enough, then the citizens in the U.S. would be safe. In the information age, however, lakes, concrete barriers, and nuclear weapons cannot protect the U.S. from information terrorism. To understand some of the past strategies to defend against cyber-threats, it is important to look at previous EMP concerns, and how and why the majority of Congressional concerns focused on encryption standards and technology. It is also important to examine the most recent investigation into cyber-threats with the President's Commission on Critical Infrastructure Protection and see how the Commission's recommendations have been received.

In 1979 and 1980, concerns were growing that false EMP alerts at the North American Air Defense Command (NORAD) might inexplicably launch U.S. nuclear weapons toward the Soviet Union.1 Recognizing the threat, in 1981, President Ronald Reagan created the Strategic Forces Modernization Program.2 One of the goals of this program was "to develop and deploy EMP-resistant strategic communications. The Ground Wave Emergency Network (GWEN), an EMP-resistant network of radio towers and the associated equipment, ... [was] part of this program" (Reynolds 1989, i). GWEN was organized to protect the major military command and control (C2) resources, such as Strategic Air Command (SAC) headquarters, NORAD, Buckley, Ellsworth, Barksdale and Minot. The design was rather simple: to construct a tower similar to other radio towers that would protect the circumference of the area it reigned over. Eventually, the GWEN towers were to be constructed at critical locations all across the U.S. [See Figures 6.1 and 6.2]. While the goal of this program was to protect critical information infrastructures from IW-type damage, the level of effectiveness of the system was immediately called into serious question. In 1985, due to unfounded health concerns, public protest against GWEN developed over the placement of a tower in Amherst, Massachusetts, and in that region GWEN became an issue in the 1988 Presidential race (Reynolds 1989, 29). As a result, fewer towers were installed and as of 1994, only 54 GWEN towers exist nationally, protecting only those military sites deemed essential to the U.S. command, control, communication and intelligence (C3I) network (U.S. Congress 1993, Vote 255). Nor are there plans to extend the program. Although the evolution of GWEN culminated in the creation of the much more advanced MILSTAR satellite system in 1991,3 there are a massive number of communication networks and other parts of the civilian NII4 that remain wholly vulnerable to EMP/T. Thus, despite the narrow protection GWEN provides, it remains the only ground-based EMP resistant communications system in the U.S. (U.S. Congress 1993, Vote 255). In fact, a majority of the Senate still sees EMPs as the result of a nuclear attack and not purely the electronic attack from an IW standpoint.

Considering the vulnerabilities in U.S. computer systems discovered after the experiences at NORAD, not surprisingly Congress eventually decided to focus attention on the problem and protect U.S. computer networks by writing the Computer Security Act of 1987. After ten years, however, the effectiveness of the original piece of legislation has deteriorated, and the Computer Security Enhancement Act of 1997 was passed during the 105th Congress (H.R. 1903). Unfortunately, the enhancement of U.S. computer security was limited to creating export controls and restrictions on encryption software and technology, and to securing electronic commerce. Nonetheless, security solutions in the form of various encryption algorithms have had various degrees of success and controversy.

One way that the U.S. tried to enhance encryption technology has to do with key escrow and recovery. The key is essentially the tool that unlocks or decrypts encrypted information. Key escrow and recovery means that when stored data or electronic communications are encrypted, a third party has a copy of the key needed to decrypt the information.5 Without the key, the code is unbreakable. With the key, nothing encrypted is safe. For instance, in the movie Sneakers, a master key escrow device was created. This device could essentially decrypt any encrypted information. The potential chaos and control that such a device could have caused to the U.S. NII was paramount. According to government agencies who developed the standard 56-bit Data Encryption Standard (DES) key in 1977, the encryption keys of the past were once virtually impossible to break. The need for a stronger key has been the focal point for much of the NSA's current work. The reasoning is similar to a January 1997 challenge sponsored by RSA Data Security to break the former 40-bit key. The winner, a Berkeley graduate student, broke the 40-bit key in just 3.5 hours (Smith 1997, 2). Although the 56-bit key is 2^16 (65,536) times more difficult to break, even the integrity of the 56-bit key has already been compromised. The main effort now is to switch to a currently secure 128-bit key. But with a 128-bit key, such as the encryption code Pretty Good Privacy (PGP) widely available on the internet, and ineffective escrow encryption standards, such as the Clipper Chip project,6 U.S. vulnerabilities against would-be information terrorists remain (McLoughlin 1995, 1-2). This is mainly due to the fact that people knowledgeable about IW, including information terrorists, are usually one step ahead of slower government defenses. They know how to obtain copies of the key that decrypts information more quickly than bureaucrats can operate. Thus, past approaches to solving vulnerabilities in the NII do not seem either to be working or to be likely to work in the future.

Combined with the encryption standards themselves, however, concerns about privacy and First Amendment rights have continued. The Encrypted Communications Privacy Act of 1997 states that "there is a need to develop a national encryption policy that advances the development of the national and global information infrastructure, and preserves the right to privacy of Americans and the public safety and national security of the United States" (U.S. Congress. 105th. S. 376). The domestic emphasis of the bill leans toward the narrow path of encryption standards and defining which, if any, law enforcement agencies can act to protect our interests without infringing on our rights.7 The bill does allow for some global provisions, such as the requirements for the release of a decryption key, or U.S. assistance to a foreign country if "the United States has entered into a treaty or convention with a foreign country to provide mutual assistance with respect to encryption" (U.S. Congress. 105th. S. 376, 1997, 26). Unfortunately, since there are no major treaties on the subject matter of IW or encryption, the global provisions of the bill are weak, and the rest of the bill generally does not enhance the level of U.S. security against a potential information terrorist threat. What is clear is that most of the policies implemented in the past are very different than those that would have been implemented to combat conventional terrorism. There would not have been an issue with regard to economics, privacy or using a satellite to defend U.S. interests. Instead there would have been issues with regard to guns and bombs getting on airplanes, State Department and CIA intelligence attempting to infiltrate conventional groups, and other concerns with regard to conventional weaponry and U.S. interests.

The most recent attempt at securing the U.S. from information or cyber-threats, however, was more appropriate. On July 15, 1996, President Clinton signed Executive Order 13010, creating the Presidential Commission on Critical Infrastructure Protection (PCCIP).8 The goal of the PCCIP was to help head off IW attacks on our nation's infrastructures, and then to recommend a national strategy to the President for protecting and assuring the integrity of critical infrastructures. The Commission was by far the most comprehensive positive attempt to differentiate NII and IW problems from a non-military approach. In the PCCIP final report, Critical Foundations, the PCCIP warned the White House about terrorists who may use computers to further their aims, and urged the President to immediately create an "information and warning office that will carefully monitor possible threats to computer [and other infrastructures] in both government and private sectors" (PCCIP Press Release 22 October 1997).9

Shortly after the PCCIP issued their unclassified report, several important defensive IW strategies were enacted. One of the biggest reasons why IW and information terrorism have become a threat to the U.S. is due to the fact that individual information attacks have not been either reported, investigated or assessed in conjunction with other attacks. Instead, these attacks have been viewed as single events, similar to the analogy given by Stein of simply viewing the tail instead of the entire elephant. For instance, if one system manager finds a hacker searching for the words "chemical weapons" he may think little of it, but if 100 managers report the same thing, it may be cause for some alarm. As the PCCIP recognized this important defensive weakness, they urged the President to create the Office of National Infrastructure Assurance along with other national and federal level offices and support and warning centers (PCCIP 1997, 24). In response, President Clinton, along with Attorney General Janet Reno, ordered the creation of the FBI's Computer Investigations and Infrastructure Threat Assessment Center (Kornblum 1998, 2). While many military agencies have already set up defensive and offensive IW teams, notably the USAF IW Division, the emphasis on the private sector information infrastructures was much weaker. Since October, the FBI has also been given the green light to create a National Infrastructure Protection Center to begin the journey toward cyber-security on the information super-highways.

The Center will "act as a national clearinghouse for computer crime, and perhaps be directly linked to various Computer Emergency Response Teams (CERTs) throughout the country to monitor and assess potential threats (Kornblum 1998, 2). Unlike previous attempts, the Center will work with both the U.S. government and private sector interests in mind (Kornblum 1998, 2). The February 28, 1998 announcement of the expansion at Lawrence Berkeley Livermore (LBL) National Laboratories was also symbolically significant because it was at LBL that Cliff Stoll first encountered and recorded the most serious infiltration into U.S. national defenses via computer espionage.10 Had the hacker had ulterior terrorist goals, with his computer skills the consequences would have been no less serious than any scenario previously mentioned, such as an attack on NORAD, a metropolitan area or any other part of the NII. Since the Center is in its infancy, as are other policy-solutions that were created following the PCCIP report, the success that the Center will have with future threats cannot yet be determined. With enough latitude, however, the Center should be a positive step in the protection of the U.S. NII and the citizens who rely on the NII. Additionally, due to the sheer quantity and quality of recommendations from the PCCIP, it will be important to decisively analyze and implement them without haste. While protective policies are being formulated over the next decade, however, the NII will remain vulnerable to information terrorist attacks until the U.S. government initiates stronger defenses.

 

Possible Future Defenses

"We are at the dawn of a new century. Now is the moment to be farsighted as we chart a path into the new millennium." -- President Clinton

While the PCCIP report offered many useful defensive recommendations, information terrorists are still able to sidestep and circumvent traditional defenses. Laws are either weak or not present to adequately defend the U.S. NII against information attacks. The tactics and weaponry of information terrorists are harder to trace, yet easier to gain access to and use in a variety of locations. Since the victim-targets of information attacks are information and information systems, as opposed to physical objects or people, information terrorists can detour around conventional defenses, such as geographical or physical barriers. While computers provide for attacks from greater distances behind a veil of anonymity, infiltrating an information terrorist organization will offer both advantages and disadvantages to counter-information terrorist efforts. To address the concerns that information terrorism defenses are poorly prepared for potential attacks, a series of questions that Devost, a systems analyst and engineer from SAIC, has posed previously will be discussed to offer changes in the current defensive network.11

First, how can the U.S. national security establishment respond to the informational attack of terrorists when the terrorists hide behind a veil of digital anonymity? To answer this, the understanding of power and security must be reevaluated. Currently, an actor is viewed as powerful or a threat to U.S. security only if they have substantial conventional means, including people, money and conventional weapons. While information and information systems in the U.S. are deemed valuable, they are not protected as much as conventional assets. For instance, to obtain access to almost any military base requires extensive security checks and clearances. If one wanted to attack a base, the level of brute force needed to succeed would be quite large. However, to gain access to a major power plant or almost any part of the NII, an actor would require little, if any, special clearance, as security, both digital and physical, is far weaker. Even if the central network system is secure physically, such as the power distribution center for the East coast, the nodes and major power relays from the station usually lack protection altogether. Thus, the first step to answering this question is to think of and eventually treat information and information systems as essential to the security of the U.S. The PCCIP began to do this but the scope of their recommendations is still too limited.

Once information and information systems of the NII are deemed of national security interests, the second related question that needs to be answered is how can a centralized, geographically focused national security establishment respond effectively to a digitally networked international enemy? Here the government needs to stop compartmentalizing every issue of IW. For instance, currently the field of IW is primarily recognized as important only to the U.S. military establishment. IW tools, such as van Eck monitoring and EMP/T technology, are still primarily classified as military research and development projects. Thus, the defenses to such IW tools are not available to the private sector and NII as they should be. This makes the private sector and NII extremely vulnerable to IW tactics. Considering that the IW field incorporates many disciplines, there is a necessity to recognize the vast cross-disciplinary approach that a defense against IW and information terrorism mandates. [See Figure 6.3]. Information terrorism is not just an issue for the government or Joint Chiefs of Staff to deal with. It also branches into the related fields of psychology, computer science, engineering and sociology. Since IW tactics can transcend conventional defenses, such as geographical features or physical defenses, the government and various military establishments must work together and with the private sector to develop a mutual doctrine on potential threats to the NII and actually implement defensive strategies.

One way that the military and private sector can work together is by reporting incidents of successful or attempted information attacks to a central location or assessment center. While there are numerous conventional terrorist threat assessment centers, manuals on how to deal with terrorist events like hijackings, and specialized training, there is not a true concentration of information available on either IW or information terrorism. This is important because once an information attacker is stopped from manipulating one information system, it does not mean that the attacker is no longer a threat. While reporting attacks might cause bad publicity for institutions like banks, which may in turn result in a decrease in consumer confidence, agreements need to be made between cyber-security teams at the executive level to benefit from shared information instead of using it against competition. Maybe if this had occurred in London then only one bank would have been forced out of $12 million and not several.12 The truth is that society in general still operates even defensively with a slower vertical power structure and bureaucracy. At the same time, information terrorists are able to operate much quicker using horizontal team-based environments. In other words, the U.S. needs many groups similar to the Nuclear Emergency Search Team (NEST) to specifically search out information terrorists, and we need them today. Although following the worm incident by Robert Morris the U.S. DoD created Computer Emergency Search Teams (CERTs) that work off of the same horizontal power-organization structure as information terrorists, CERTs are extremely limited in scope.13 For that reason, the PCCIP-created National Infrastructure Protection Center may not be as beneficial as needed without accompanying changes. Instead, the U.S. needs an overall electronic civil defense plan at the basic information and infrastructure level, and the U.S. government needs to let its citizens know of the real risks from the information terrorist instead of thinking the threats are only in "fictional" novels or movies.14 The truth is out there, but so long as the citizens believe the threat from IW is fictional, the question becomes when will the U.S. fully recognize and accept that citizens need to be informed of the threat from information terrorism and IW.

Another way for the U.S. to deal with the threat of potential information terrorist attack from the second question is to address IW and information terrorism concerns before they become reality. This is the approach taken by Joseph S. Nye, the former Chairman of the National Intelligence Council and current Dean at the John F. Kennedy School of Government: educate the masses and spread out the strongest defensive technology (Nye and Owens 1996, 20-36). Right now most citizens have a general understanding of what a conventional terrorist attack would look like. However, despite the fact that IW can cause the same outcome as conventional terrorism, there is not the same awareness of the threat. If people at least know about the vulnerabilities in critical information and information systems, then they can put public pressure on the private sector, the States and Congress. One private corporation essentially took on this challenge by using possible hackers to its advantage. The corporation issued a statement that one million dollars would go to anyone who found and reported a security hole in their security software program. As a result, thousands of hackers have focused their attention on the program in a positive manner. One can only imagine the benefit that using hackers and other people in the computer and information security field could yield as a national resource against information terrorists.15 Unlike conventional terrorist groups that are quite secure, infiltrating an information terrorist organization with a broad spectrum of hackers would be considerably easier. This would minimize an information terrorist group's ability to use a veil of anonymity or even remain completely cohesive. Or, if people are not afraid of an information attack because they have taken individual precautions, then conventional terrorists may hesitate before choosing to use IW. Thus, education and orientation on the threat from information terrorists and IW must be addressed to the entire population: Congress, the States, the private sector, and the public.

Educating the masses and creating working partnerships between the government and private sector, however, will not be enough to defend the U.S. against information terrorist or IW threats. Vulnerabilities in U.S. information systems, both digital and physical in nature, must be assessed, plugged, and sealed immediately. While there is a similar policy for conventional terrorists, currently there are few, if any, coordinated efforts to deal with information vulnerabilities. Thus, attributes of the U.S. NII must be enhanced and protected based on the value of the information that the information systems hold. Although initially protecting an entire information infrastructure could be prohibitively expensive, the U.S. needs to consider the potential costs of an attack and the rising risks that an attack will occur on sensitive areas of the NII. While the information security field has become a multi-billion dollar industry in the 1990s, the creation of the latest firewall, encryption code, or anti-virus software program is not enough. For conventional terrorism, a concrete barrier is still a concrete barrier and a metal detector is still a metal detector. However, static firewalls or virus programs like Norton, Anti-Virus, or Find Virus are inadequate for the pending information threats. Instead, programs which internally duplicate themselves, work from genetic mutation algorithms and actively hunt viruses need to be created or expanded upon. Greater checks need to be made when hiring and reviewing personnel at any of the National Information Infrastructure locations. If people and insiders have access to internal information or information systems, procedures such as background checks need to be implemented. Sensitive databases also need to be protected from HERF, EMP/T and van Eck monitoring. To protect an important database, disconnecting a terminal or database from all other terminals, especially those that have connections to any non-intranet network, is an essential first step to information security. To protect against EMP or van Eck, defensive actions might also include physically securing the information or information system by using protective shielding.

Once an internal information system is protected, such as a main PTN center, every vulnerable area external to the system, such as the relay or distribution nodes, within the U.S. must be examined and protected. Again, since the costs to do this are currently prohibitively expensive, an education of the masses or electronic civil defense to monitor and report attacks is necessary to accompany the transition from being vulnerable to being secure. For instance, external nodes, secondary plants or systems, and lines between systems all should be secured as well because they provide an access point to the larger system. This is similar to the idea presented earlier in Fig. 3.2. Telephone lines, for instance, need to be protected from information terrorists who might use very distant van Eck IW monitoring. Thus, a new cable/phone line similar to that of the fiber-optic cable, but with a better frequency and signal protection mechanism needs to be created. Technology and information that can protect against electronic eavesdropping like van Eck, if available, must also be made more readily available to the private sector from the government and NSA. Although this technology would still be prohibitively expensive to protect an average citizen's computer or phone line, if the U.S. government places a major order with AT & T, the costs for such technology will decrease. As such, the more vulnerable and likely targeted areas of the NII, such as Wall Street, would likely be willing to sacrifice the short run costs in exchange for the security that the technology could provide. Although some individuals will inevitably use this information protection software and equipment for illegal purposes, a generally secure network needs to be established immediately to protect everyone else from information terrorists.16

Another question that needs to be answered is how do the laws and treaties deal with the threat of information terrorism or IW? With conventional terrorism this is almost a non-issue. As President Clinton stated, however, "as borders open and the flow of information, technology, money, trade and people across borders increases, the lines between domestic and foreign policy [will continue] to blur."17 As described earlier, the laws presently are either weak or misdirected and only incidentally protect the U.S. from IW and information terrorism. The best and most probable way for the U.S. to handle President Clinton's dilemma between domestic and foreign policies in the future is to expand traditional mechanisms and treaties. As Aldrich noted in the "International Legal Implications of Information Warfare," the Hague and Geneva Conventions are prime examples of how treaties and laws in the past dealt with the land, sea, air and space dichotomy, which is simply not applicable to IW or information terrorism. This is because IW and information terrorism are able to instantly transcend distinctions of national borders or sovereignty rights. Additionally, other major weaknesses in treaties like the U.N. Charter, which limits "aggression" only to "armed force," essentially render the principal international treaty between nations inapplicable and irrelevant (Aldrich 1996, 19). As a result, immediate changes are necessary in these documents, and in others, such as the Outer Space Treaty, the Moon Treaty, or the International Telecommunications Treaty (Aldrich 1996, 18-24).18 For instance, the Outer Space Treaty prohibits the orbiting of weapons of mass destruction. However, since "mass destruction" is limited to chemical, biological and nuclear weapons, a satellite used as a distant relay node to send an EMP to a distant location would be technically legal. Once changes in these international documents are implemented, similar changes and additions to multi-national conventional terrorist and telecommunications treaties must be made. Should a weakness or hole in the legal security of the U.S. still exist, new treaties will need to be written altogether with a greater expansion of similar domestic laws.

While creating possible defenses, the U.S. also faces a task more difficult than many other nation-states: how can the national security establishment balance defending the NII while being sensitive to civil "cyber-liberties" and rights to privacy (Devost 1997, 3)? This is a question which is virtually a non-issue with conventional terrorism. The dilemma of competing forces between issues of national security and the counterbalancing need to protect First Amendment and other Constitutional rights is an important distinction, but one that will likely detract from an immediate legal solution to either IW or information terrorism.19 While many of the questions presented in this section have many possible answers, those that I have provided are primarily meant to generate additional ideas to combat the threat of both information terrorism and IW. Of course there are many other questions that can and should be answered in the attempt to combat information terrorism. How much of information terrorism is a military concern and how much is within the jurisdiction of federal law enforcement? How can the U.S. better discern what is a political crime and what is a "common" crime (e.g. motivated by greed) in the information-sphere (Devost 1997, 3)?20 How will new technology and science change the group organization of information terrorism and how will other policies need to be changed because of technology?

 

Conclusion

At the same time that the U.S. is trying to recognize our military, governmental and NII vulnerabilities, other nation-states, organizations and individual actors continue to gain ground in the field of IW and information terrorism. President Clinton said in his 1997 State of the Union Address, "we face no imminent threat, but we do have an enemy--the enemy of our time is inaction." As such, the strategies and solutions that the U.S. has developed in the recent past, such as the creation of the National Infrastructure Protection Center and the expansion of the FBI Computer Crime Division, were extremely important defensive steps toward a more secure future. However, there is much work yet to be accomplished.

Since current defenses, such as GWEN, are reserved for the slow vertical hierarchy of the military or other government bureaucracies, general information and defensive technology on the threat of IW and information terrorism needs to be dispersed or made available to everyone. This will essentially begin the spread of an electronic civil defense against information terrorism and IW. Domestic and international laws also need to be strengthened and information and digital defenses need to be established in addition to traditional physical defenses. While many of these questions have spawned valuable dialogue in and of themselves, the responses need to be monitored for positive contributions to the overall cause of securing our nation against information terrorism and not just rhetoric. Once the U.S. is able to fully implement all of the recommendations from the PCCIP while keeping in mind the questions and answers discussed for the future defenses, the U.S. should be on its way to a continued strong national presence in the 21st century.


Copyright Dan Pinegar 1996, 1998, 2000, 2001. All Rights Reserved. Thesis available for academic, research or intelligence purposes only. Please notify author if citing within research document or for permission to republish substantive sections or chapters in whole or in part. Thank you.


Email: Xavieur@aol.com