[ISN] Red storm rising

From: InfoSec News (alerts@private)
Date: Tue Aug 22 2006 - 23:57:17 PDT


By Dawn S. Onley and Patience Wait
GCN Staff
08/21/06 issue

DOD's efforts to stave off nation-state cyberattacks begin with China
A growing band of civilian units inside China is writing malicious code 
and training to launch cyberstrikes into enemy systems.

And for many of these units, the first enemy is the U.S. Defense 

Pentagon officials say there are more than three million daily scans of 
the Global Information Grid, the Defense Department's main network 
artery, and that the United States and China are the top two originating 

"China has downloaded 10 to 20 terabytes of data from the NIPRNet (DOD's 
Non-Classified IP Router Network)," said Maj. Gen. William Lord, director 
of information, services and integration in the Air Force's Office of 
Warfighting Integration and Chief Information Officer, during the recent 
Air Force IT Conference in Montgomery, Ala.

"They're looking for your identity so they can get into the network as 
you," said Lord, adding that Chinese hackers had yet to penetrate DOD's 
secret, classified network. There is a nation-state threat by the 

People's Liberation Army writings in recent years have called for the use 
of all means necessary, including -- or particularly -- information warfare, to 
support or advance their nation's interests.

To China's PLA, attacks against DOD systems would be the first salvo in a 
long-term strategy to cripple the U.S. military's ability to communicate 
and deliver precision weapons.

A big part of the strategy is the PLA's civilian units -- IT engineers drawn 
from universities, institutes and corporations. The PLA views these 
militias as its trump card and a way of asserting virtual dominance to 
paralyze the United States and other potential adversaries.

The U.S. military is familiar with China's approach. In fact, its own 
strategy in cyberspace is similar to the PLA's -- the countries' doctrines and 
strategies almost mirror one another.

It is unclear how aggressive a posture the United States is taking when 
it comes to defending against cyberattacks. But "DOD certainly is paying 
attention to China's offensive aggression, and even considering offensive 
actions of its own," Lord said. "But the rules of engagement have to 
change before we're fully engaged in cyberspace."

Taking advantage

The Pentagon has made net-centricity the core of its transformation into 
a modern military force, and it seeks ways to create a vast web of 
information accessible at every level of the warfighting operation, from 
ground troops to pilots, command staffs to logistics operations.

China, recognizing Americas dominance in C4 -- command, control, 
communications and computers -- wants to disrupt or even remove that 
advantage, experts have said.

If the armies of bygone days traveled on their stomachs, future armies 
will travel on invisible threads of data.

But the concern should not be limited to DOD. All federal agencies have 
to be aware of the Chinese view of information warfare.

Chinese military writings make it clear that in cyberspace there are no 
boundaries between military and civilian targets. If crashing a country's 
financial system through computer attack will paralyze the foe, that's 
all part of the new face of war.

If DOD -- the most security-conscious of all federal agencies -- can be 
attacked, can have information stolen, then other agencies must seem 
like low-hanging fruit by comparison.

China is not the only country targeting DOD systems. John Thompson, 
chairman and chief executive officer of Symantec Corp. of Cupertino, 
Calif., told the audience at the Air Force conference: "There are at 
least 20 nations that have their own cyberattack programs." He said there 
is no way to know how many terrorist organizations have launched similar 

But China -- the largest country by population at 1.3 billion, third in 
area, and among the fastest-growing economically -- gets the most 
attention, in part because it is the single largest source of cheap 
goods sold in the United States, including technology.

While Defense and Homeland Security department officials are reluctant 
to make pointed accusations, events in cyberspace show how the two 
countries are jockeying for position in preparation for virtual 

From at least 2003 to 2005, a series of coordinated cyberattacks hit 
U.S. military, government and contractor Web sites with abandon. The 
systematic intrusions, collectively dubbed Titan Rain, attacked hundreds 
of government computers.

Time magazine reported last year that the incursions originated on a 
local network that connected to three routers in Guangdong Province, 
though U.S. officials still offer only generic comments about this and 
other published reports about Titan Rain.

"What I can say about this is [that] we have seen some attempts at access 
to our network. We've seen some of that from China," said Air Force Lt. 
Gen. Robert Kehler, deputy commander of the U.S. Strategic Command. "We 
are seeing attacks that traversed through China. I can't say with any 
real assurance that that's where they start," added Navy Rear Adm. 
Elizabeth Hight, deputy director of DOD's Joint Task Force for Global 
Network Operations.

A military attache at the Chinese Embassy in Washington insisted that, 
to his knowledge, Beijing does not want to use hackers to attack the 
United States.

"The official answer is, I have no idea about this," said Sr. Col. Wang in 
a brief telephone interview.

The fallout from this cybercampaign continues among other agencies.

In June, the Energy Department revealed that names and other personal 
information on more than 1,500 employees of the National Nuclear 
Security Administration had been stolen in a network incursion that took 
place more than two years ago. NNSA didn't discover the breach for more 
than a year after it happened.

Officials would not confirm for the record that the data breach was part 
of Titan Rain, but Alan Paller, research director for the SANS Institute 
of Bethesda, Md., called it "an example of the kind of attack and 
extraction that [has been] going on for the last 2 1/2 years."

Also in June, hackers broke into State Department unclassified networks. 
In this incident, investigators believe the hackers, who they say 
launched the attacks from East Asia, stole sensitive information and 
passwords and planted back doors in unclassified government computers to 
allow them to return at will, according to a CNN story.

Tip of the iceberg

"Any average computer geek knows about spyware, viruses and the 
countless other hardware and software devices and capabilities that 
could jeopardize the security of our networks and the information they 
contain," Michael Wessel, a commissioner with the U.S.-China Economic and 
Security Review Commission, said in May. "These, of course, are only the 
tip of the iceberg."

And DOD is not alone in trying to keep out hackers from China and other 
nation states.

"On the commercial side, Internet usage and broadband adoption from China 
has grown," said Betsy Appleby, vice president of the public sector at 
Akamai Technologies of Cambridge, Mass., and former Net-Centric 
Enterprise Services program director at the Defense Information Systems 
Agency. "Specifically considering that the Chinese government is pretty 
much in control, you can do the math and figure it out."

China has existed as an identifiable society for more than 6,000 years. 
Its name for itself, in Chinese, is Jhongguo, or Middle Kingdom, 
sometimes characterized as the land below heaven but above the rest of 
the world. The country has been under Communist rule for less than 60 
years. The millennia-old expectation that China rules, or should rule, 
all under heaven is a permanent subtext in the country's psyche, many 
Sinologists believe.

This gives the Chinese great patience; its leaders may take a 
decades-long view of a problem and its possible solutions.

So what the United States characterizes as attacks on its military 
networks could, to the Chinese, be in-depth reconnaissance.

"If you were an adversary, and you wanted to assess somebody's strengths 
and weaknesses, one of the ways to do it would be to probe their 
defenses, so you would want to take a look at their computer situation," 
said John Stack, enterprise architecture and security solutions manager 
for Northrop Grumman Information Technology's Defense Group of McLean, 

For more than a decade, the Chinese military has observed how DOD is 
modernizing its troops and tactics. The first Gulf War was considered a 
watershed event in terms of how the Chinese viewed future warfare, 
according to the Defense Department's 2004 Annual Report on The Military 
Power of the People's Republic of China.

"The PLA noted that the rapid defeat of Iraqi forces -- which resembled the 
PLA at that time in many ways -- revealed how backward and vulnerable China 
would be in a modern war," the report said. The Gulf War also spurred 
internal PLA debate on the implications of an emergent revolution in 
military affairs, in which the conflict became a point of reference for 
efforts to build capabilities in command, control, communications, 
computers, intelligence, surveillance and reconnaissance, information 
warfare, air defense, precision strike and logistics.

"There have been Chinese writings for over a decade regarding the 
People's Liberation Army studying cyberwarfare and evolving concepts 
toward development of information warfare doctrine," said a Defense 
Intelligence Agency spokesman.

Perhaps one of the most important milestones was the 1999 publication in 
China of Unrestricted Warfare [1], a book authored by two colonels in 
the PLA, that was generated by the PLA's observations on Desert Storm. 
The CIA's Foreign Broadcast Information Service obtained and translated 
it, and it can now be found on the Internet.

"The new principles of war are no longer using armed force to compel the 
enemy to submit to one's will, but rather are using all means, including 
armed force or nonarmed force, military and nonmilitary, and lethal and 
nonlethal means to compel the enemy to accept one's interests," the 
colonels wrote.

The book argues that the spread of IT and access to the Internet has 
removed traditional boundaries and expanded the arena beyond traditional 

"[T]his kind of war means that all means will be in readiness, that 
information will be omnipresent, and the battlefield will be everywhere," 
the colonels wrote. It also means that many of the current principles of 
combat will be modified, and even that the rules of war may need to be 

The DIA spokesman said a Chinese major general recently described 
information warfare as containing six elements in its application: 
operational security, military deception, psychological warfare, 
electronic warfare, computer network warfare and physical destruction.

Getting the edge

The PLAs new information warfare focus illustrates a growing recognition 
that cyberattacks launched against the U.S. military could give China a 
decisive advantage in the event of a crisis.

One such crisis scenario, according to people who have studied the 
issue, would be the prospect of American intervention to aid Taiwan in 
the event of an attack from China. A 1979 law requires the United States 
to defend the island nation from attack.

Chinese leaders have a conundrum of their own -- how the People's Liberation 
Army can move against Taiwan but forestall U.S. action long enough to 
make it a fait accompli.

"For the PLA, using [information warfare] against U.S. information 
systems to degrade or even delay a deployment of forces to Taiwan offers 
an attractive asymmetric strategy," wrote James Mulvenon in 1998. Mulvenon 
is deputy director for advanced analysis at the Defense Group Inc.'s 
Center for Intelligence Research and Analysis in Washington, and widely 
regarded as one of the foremost authorities on the Chinese military's use 
of IT.

"American forces are highly information-dependent and rely heavily on 
precisely coordinated logistics networks," he wrote. "If PLA information 
operators ... were able to hack or crash these systems, thereby delaying 
the arrival of a U.S. carrier battle group to the theater, while 
simultaneously carrying out a coordinated campaign of short-range 
ballistic missile attacks, fifth column and [information warfare] 
attacks against Taiwanese critical infrastructure, then Taipei might be 
quickly brought to its knees and forced to capitulate to Beijing."

This is the role of information warfare, many experts now believe: 
Cyberattacks on military C4 systems will amplify the effects of kinetic 
weapons, to bring matters to a swift conclusion with a minimum of 

Rear Adm. Hight, of JTF-GNO, said DOD is taking note of the incursions 
and data extractions, and looking at the department's defensive measures.

"Our daily efforts are all about assessing and mitigating risks. We are 
students of Sun Tzu and other philosophical thinkers who have a 
wonderful way of capturing warfighting concepts," Hight said. "The key to 
this type of warfare is just what you might think of as traditional 
warfare. You can't forget the foundations. You can't forget the basics. 
The cyberworld relies, in many cases, on foundational concepts in terms 
of how you protect it."

America's standing as the current sole superpower is a source of internal 
conflict for Chinese policies, said James Gilmore III, former governor 
of Virginia and now with Kelley Drye Collier Shannon's Homeland Security 
Practice Group, a Washington law firm. He was chairman of the Advisory 
Panel to Assess Domestic Response Capabilities for Terrorism Involving 
Weapons of Mass Destruction, created by the Clinton administration in 

"An adversary or partner of the U.S. ... They are prepared to be either 
one," Gilmore said.

Should its leaders feel it is in their interests, China would seek to 
disrupt DOD's capacity to communicate overseas and maneuver its 
people, he added.

Cortez Cooper III, director of East Asia Studies with Hicks and 
Associates Inc., a defense and national security consulting company in 
McLean, Va., told the U.S.- China Commission that the Chinese understand 
their military focus must use niche capabilities to counter the moves of 
a technologically superior adversary that might challenge their 

Rehearsing both roles

To address the cybersecurity threat, DOD and intelligence officials are 
playing both offensive and defensive roles.

Pentagon officials acknowledge DOD is developing capabilities to deny an 
adversary the use of its own computer systems to attack U.S. computer 

JTF-GNO is tasked with operating and defending the GIG, while the 
National Security Agency has the responsibility for the nondefensive 
parts of operations in cyberspace, according to Army Maj. Gen. Dennis 
Moran, vice director for command, control, communications and computer 
systems for the Joint Chiefs of Staff.

"As part of a good defense, and I don't care if you're defending a forward 
operating base in a country, or no matter what it is physically, you do 
a very good analysis of what your vulnerabilities are. And there have 
been analyses within the department to determine what we need to protect 
and how should we prioritize our resources," Moran said.

The resources required to provide that defense are being allocated 
against those priorities, Moran said. "Now, I'm certainly not going to 
talk about those in detail, because that would certainly be an 
opportunity to tell someone these are what we are concerned about."

But Moran did talk about the protocols DOD has been working on to 
improve its network security posture.

"If you look at the whole net-centric strategy that we have in the DOD, 
the focus is, first of all, identify your data, then appropriately tag 
that data so it can be made available to other people who are authorized 
users," Moran said. "We are putting in place a service-oriented 
architecture across the GIG which is able to find, locate and securely 
move that data to an application. Security is a critical tenet to this 
whole architecture, because if you're doing business one way and (another 
agency) is doing business another way, we are creating seams that an 
intruder can take advantage of."

Kehler said DOD officials also are mandating full public-key 
infrastructure implementation for user authentication, requiring 
automated patch management and looking in the mirror to increase the 
department's defensive position.

"We're looking at ourselves pretty hard to understand where our 
vulnerabilities are," Kehler said. Sometimes we find that our worst enemy 
in protecting our information is ourselves. In order to make things 
better faster, sometimes our people leave doorways open into our 

The key to closing those doorways is a layered defense-in-depth 
strategy, Hight said.

"We don't have a single approach. We're trying to protect the house by 
locking the doors, locking the windows, making sure wires that come in 
and out of the house are protected," Hight said. "Our organization is very 
transient, so as we get systems administrators moving around the world, 
we want to make sure they know they have a consistent and well-defined 
set of procedures that they adhere to and provide consistent protections 
for the network."

To accomplish this, JTF-GNO is looking at the best way to train Defense 
employees on cybersecurity mechanisms, what types of protective software 
to employ and how to standardize processes.

Additionally, Hight said, the organization soon will release a Network 
Operations Concept of Operations (Netops/Conops) document, which will 
detail for military personnel how to secure their systems.

Hight said the document describes three basic concepts that make up the 
department's larger doctrinal view:

 * Ensuring systems and networks that deliver information are available
 * Ensuring information can move freely from one point to another
 * Ensuring information is protected at the right level.

"When you go to Amazon.com, you can see what Amazon chooses for you to 
see, their book titles and other information. You can't see Amazon's 
financial information, because they mask that from you," Hight said. "So 
the protection of information might be something as simple as where you 
put that information and [whom] you make that available to."
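Moran's "identify your data, then tag it so it reaches only authorized users" and Hight's third concept, protecting information at the right level, describe the same control: an access decision driven by a label on the data and a clearance on the reader. The example below is added here to make that concrete; it is not code from the article, from DOD or from Amazon, and the level names, compartments, records and users are all constructed for illustration. The check fails closed: a record carrying a label the policy does not recognize is denied rather than exposed.

```python
from dataclasses import dataclass, field

# Ordered sensitivity levels, least to most sensitive. These names are
# constructed for the example and describe no real labeling scheme.
LEVELS = ("public", "internal", "sensitive")


@dataclass(frozen=True)
class Label:
    """A sensitivity level plus the compartments needed to read the item."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high as `other` and holds
        every compartment `other` requires (the classic no-read-up rule).
        Unknown level names raise ValueError, which the caller turns
        into a denial."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.compartments <= self.compartments)


@dataclass(frozen=True)
class Record:
    name: str
    label: Label
    body: str


@dataclass(frozen=True)
class User:
    name: str
    clearance: Label


def authorized(user: User, record: Record) -> bool:
    """Deny by default: any malformed or unrecognized label means no access."""
    try:
        return user.clearance.dominates(record.label)
    except ValueError:
        return False


def visible(user: User, records) -> list:
    """Names of the records this user may see, in the order given."""
    return [r.name for r in records if authorized(user, r)]


# Constructed sample data modeled on Hight's storefront analogy: catalogue
# entries are tagged for everyone, the ledger only for cleared finance staff.
CATALOG = Record("catalog", Label("public"), "Book titles and prices")
AUDIT = Record("audit-log", Label("internal"), "Who accessed what")
LEDGER = Record("ledger", Label("sensitive", frozenset({"finance"})),
                "Quarterly revenue")
RECORDS = [CATALOG, LEDGER, AUDIT]

SHOPPER = User("shopper", Label("public"))
CLERK = User("clerk", Label("internal"))
CFO = User("cfo", Label("sensitive", frozenset({"finance"})))

if __name__ == "__main__":
    for u in (SHOPPER, CLERK, CFO):
        print(f"{u.name} sees {visible(u, RECORDS)}")
```

The point of carrying compartments alongside the level is that "sensitive" clearance on its own does not open the ledger; a reader must also be in the "finance" compartment. That is what lets the same tagging scheme serve both of Hight's goals at once: information moves freely to anyone whose clearance dominates its label, and stays masked from everyone else.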

The exploitation of network weaknesses doesn't mean that more traditional 
forms of espionage targeting cyberassets can be overlooked. For 
instance, in August 2001, U.S. Customs officers arrested two men for 
trying to export military encryption technology to China.

What's a real threat? Four months earlier, enraged Chinese hackers had 
defaced dozens of U.S. military Web sites following the collision of a 
U.S. surveillance plane and a Chinese fighter plane. The Chinese pilot 
died as a result of the accident. Is that kind of threat, whether from 
China or another country, real? John Hamre, president and chief 
executive officer of the Center for Strategic and International Studies, 
believes so. He served in the 1990s as comptroller, then deputy 
secretary of Defense.

"I was so deeply involved in cybersecurity issues when I was the deputy 
secretary, but have not been involved in these issues since," he said. "I 
continue to believe that cyberthreats will overwhelmingly be from 
competent national state security elements, and that intelligence is the 
higher goal, not disruption." Still, Donavan Lewis, chief of the Defense 
Intelligence Agency's threat analysis division, wants the United States 
to think more about long-term trends.

"China has shifted its dependence away from the United States to 
[countries such as Malaysia and South Korea], while our dependence on 
them has grown," he said during a Defense conference in Salt Lake City in 
May. "We've got to adjust our thinking, our calculus about how we put 
together a system of systems."

He admits to being worried about the possibility that subversive 
functionality could be embedded in technology.

"The Defense acquisition community is not used to thinking of itself as 
part of computer security," he said.

1996-2006 Post-Newsweek Media, Inc. All Rights Reserved.

[1] http://www.c4i.org/unrestricted.pdf 
