
Information Operations & Cyberspace Newsletter

Compiled by: Mr. Jeff Harley and Mr. Garrett Hendrickson

US Army Space and Missile Defense Command
Army Forces Strategic Command

Army Forces Cyber Command
G39, Information Operations and Cyberspace Division

Table of Contents

ARSTRAT IO Newsletter on OSS.net


The articles and information appearing herein are intended for educational and non-commercial purposes to promote discussion of research in the public interest. The views, opinions, and/or findings and recommendations contained in this summary are those of the original authors and should not be construed as an official position, policy, or decision of the United States Government, U.S. Department of the Army, or U.S. Army Strategic Command.


Table of Contents

Vol. 10, no. 03

1. A Most Dangerous Link

2. China Proves To Be an Aggressive Foe in Cyberspace

3. Cyber War: Sabotaging the System

4. U.S. Needs to Play Catch-up In Afghanistan

5. U.S. Must Focus On Protecting Critical Computer Networks from Cyber Attack, Experts Urge

6. The Cyberwar Plan

7. Mad Men vs. IEDs: Army Wants Anti-Bomb Ad Campaign in Afghanistan

8. Why is the antiquated leaflet still a key PSYOPs tool?

9. Cyberwar Readiness Recast as Low Priority

10. BULLETS AND BLOGS: NEW MEDIA AND THE WARFIGHTER


A Most Dangerous Link

Colonel Steven P. Bucci, U.S. Army (Ret), Proceedings Magazine (U.S. Naval Institute), October 2009 Vol 135/10

We live today in the Cyber Era. Each individual one sees on the street carries more computing and communications power than entire cities had in the past. Everything is faster, more accurate, and more flexible. Simultaneously, we have faced numerous malware intrusions, seen nations attacked, and our own infrastructure assaulted. Given this plethora of threats, how do we properly plan? The military and security communities have for years used a paradigm to determine against which of a large number of possible threats they should plan. They determine the most dangerous and most likely threats, which are seldom the same. A similar process can help us thoughtfully address cyber issues.

We face a scenario that fits the part of the most dangerous threat; we must also face and prepare for a most likely scenario that is unique. This threat will involve the merger of the growing cyber-crime capability with the terrorists' realization that the cyber realm is theirs for exploitation and that joining with cyber criminals will be the path to their goal. This second threat falls into the realm of homeland security.

America, as the locus of a wide array of cyber threats, is a ripe target. Cyber mechanisms are at the core of nearly every significant societal interaction in the United States. Everyone seeks and expects the speed, accuracy, efficiency, and ease that a wired system of systems brings. The danger is that many individuals, groups, and nations aim to exploit those systems to do us harm for their own purposes.

The Most Dangerous

In the range of possible threats, an attack by another nation is easy to understand and resonates most readily. Developed nations, acting as peer competitors, are the most dangerous potential cyber threat. Even some weak nations can develop an asymmetric cyber capability.

Nations are capable because they possess power of many varieties, hard and soft, including military, economic, industrial bases, and scale of assets. They can marshal intellectual capital to develop cyber armies -- large numbers of operators with the best equipment, skilled at developing and using ever-evolving forms of attack. Cyber warriors can be used to facilitate conventional intelligence, signals, and mobility assets, making them even more effective, or use conventional assets to enhance the effect of cyber events. Some nations can also use their considerable coercive powers to harness civilian assets that fall outside the public sector. This can be done by requiring active or passive collusion with the government or by manipulating public sentiment to stir patriotic fervor while providing guidance (i.e., targeting) and tools to the faithful. This complicates attribution and gives governments some degree of cover.[2]

Nation-state threats come in two groups. The first is a full-scale cyber attack. The closest example of this was the assault made on Estonia in 2007. There, the highly developed network of a small country was temporarily brought to its knees. Portrayed by some as a simple display of public outrage over the moving of a statue, most felt there was more going on and that a government hand was at play. Former Chairman of the Joint Chiefs of Staff, retired Marine Corps General Peter Pace stated that more than 1 million computers from over 70 countries were used in this event.[3]

The other possibility is the cyber-supported kinetic attack. To date, only the 2008 assault on Georgia fits this category. Georgia was not as cyber-dependent as was Estonia, but the assault that preceded the Russian military's ground attack into disputed Ossetia severely hindered Georgia's response. In his 29 May 2009 Cyber Review, President Barack Obama cited this as the future of warfare. This assessment was supported by the U.S. Cyber Consequences Unit report analyzing the Georgian campaign.[4] General Pace described it this way:

[T]heir "cyber special operations forces" isolated the president by disabling all his cyber connectivity, then their "cyber air force" carpet bombed the entire national network, and finally their "cyber Delta Force" infiltrated and rewrote code that kept their network from working correctly even after it was brought back up. It was a highly sophisticated attack.[5]


In an interesting twist, there has been one known defensive use of cyber attack. During the Israeli Defense Force's incursion into Gaza at the beginning of 2009, a massive distributed denial of service attack was launched against numerous Israeli networks. It did not hinder the attack, but did give the Israeli government a jolt given their dependence on cyber means for communicating internally.[6]

Today's cyber espionage or probing of defenses can, in the blink of an eye, be turned into a massive attack on the infrastructure of an adversary. Georgia in particular demonstrated that cyber attacks could be used to disable defenses and blind intelligence capabilities in preparation for a kinetic strike. These methods can slow defensive reactions by clouding the operational picture or fouling communications. Such an attack could bring down key command and control nodes, paralyzing any response. It can also hinder the ability to rally consequence-management assets. Continued intrusions will not only keep victims from striking back with any real effect, but may make them ineffectual in mobilizing their first-responder forces at home.[7]

Such a large-scale attack across the territory of a target country can only come from a nation. Fortunately, that is not very likely because of old-fashioned deterrence. In the same way our cyber and physical infrastructures make us vulnerable to this scenario, those capabilities and kinetic forces used in the attack are also targets, as is the remainder of the attacker's infrastructure.

Additional Cyber Threats

Lower-level threats can be directed at an individual, a company, a government agency, or a nation. The same techniques are used to exploit a lazy home computer user, an inefficient corporate information technology system, or a weak national infrastructure defense.

The lowest danger is the individual hacker. He operates for personal benefit -- pride or financial gain -- and constitutes an annoyance. The hacker category also includes small groups who write malware, sometimes called "hacktivists," who attack small organizations because of personal or political grievances. Also at the low end are small criminal enterprises. They operate Internet scams and bilk people out of personal information.

Four threats can be considered medium level: terrorist use of the Internet, espionage, organized crime, and terrorist attacks. The first three, which occur regularly and define the ongoing significant threats faced each day, can have extremely detrimental effects on a person, business, government, or region. The fourth is an emerging threat, which combines two existing threats.

Cyber crime is a booming business that began as an offshoot of individual hackers and has grown into a huge and expanding industry that steals, cheats, and extorts the equivalent of billions of dollars. Whether it is a simple scam to get the gullible to give up money and allow access to accounts, or sophisticated technical means of harvesting mass amounts of data, cyber crime is motivated by money. Perhaps the most lucrative target today is commercial data. This goes well beyond personal identity and financial information. Infiltrating businesses and stealing industrial secrets, pharmaceutical formulas, and like data can reap huge profits.

Latin American utility facilities are reportedly having their supervisory control and data acquisition systems hacked and seized by criminals. Attackers have threatened to shut down a facility or cause accidents for which the owners would be liable if the attackers were not paid enormous sums. The seriousness of the threats is unknown as in each case the ransom was paid.

The most interesting and frightening criminal threat is the rise of botnets -- networks of software robots. Crime syndicates may not command an entire nation of computers, but they have developed worldwide networks of computers controlled without their owners' awareness.
These zombie networks serve their criminal masters without question or hesitation for distributed denial of service attacks, phishing, and malware distribution. They are also rented out for cash. This is the origin of a new and very dangerous potential.

The so-called Korean virus attacks in July 2009 were actually more akin to this type of scenario than the previously noted nation attacks. The perpetrators used a virus to build a spontaneous botnet specifically for this set of attacks. The same code that captured the zombies also gave the commands regarding what and when to attack. While this situation has been dismissed by some as little more than a spam-like annoyance, we should take note of a few key aspects. Although several U.S. entities, including DOD and the White House, fended off these attacks easily, others fared less well. Several organizations were down for days. The government weathered this event passably, but the unevenness of success is troubling. We have yet to achieve a consistent level of cyber protection, and this creates gaps and seams that can easily be exploited by sophisticated adversaries. It should not be dismissed, but should be -- yet another -- wake-up call.[8]

Present Terrorist Use

Major terrorist organizations such as al Qaeda have yet to fully exploit the cyber realm, having proven to be limited in their understanding of the medium's potential. This will not last. Terrorists use the Internet extensively, but so far not for offensive operations. Intelligence and law enforcement agencies agree that terrorists have been limited to communications, propaganda, fund raising and money transfers, recruitment, and intelligence.

Since the National Security Agency's capabilities of tracking communications became public knowledge during the trial of the first World Trade Center bombers, terrorists worry about operational security. The security of the Internet is very attractive. The anonymity and difficulty of tracing interactions in restricted, password-protected chat rooms and the use of encrypted e-mail give terrorists a much greater degree of operational security than other means of communication.

Clearly, the terrorists are good and getting better at using the Internet for propaganda and fund-raising. The increasing sophistication of their messaging shows an understanding of the potential of the cyber medium. Internet messaging keeps the most geographically isolated spokesperson prominent and relevant in the minds of the mass audience. The reach and timeliness of the net cannot be matched by other communication means and greatly aid in their fund-raising efforts among dispersed people.

These same characteristics apply to their recruitment programs.
Individual radicalization, which has always been a vulnerable point for terrorist organizations, no longer has to take place in person. These efforts can be greatly enhanced by cyber communication and instruction, and can in some cases replace face-to-face contact.

The tendency of Western countries to post nearly everything there is to know about critical infrastructures on unsecured Web sites is a great boon to the terrorists and requires no more expertise than an ability to use rudimentary search engines that children have mastered. Google Earth and other similar free programs provide street-view photos of potential targets, as well as excellent route and obstacle information.

The Most Likely Major Threat

Terrorists need mentors to reach the next level of cyber operations. Unfortunately, they can easily reach out to cyber criminals where they will find willing partners.

The West has a huge number of intelligence and law enforcement assets dedicated to stopping the proliferation of weapons of mass destruction, and many arrests have been made of those attempting to traffic in WMD or materials. Any movement of related devices or materials will sound the alarm across the world. No similar watchdog systems are in place to prevent the proliferation of cyber capabilities.

Terrorists could develop their own cyber assets. They can find a number of highly educated, intelligent, computer-literate people in agreement with their cause who can be trained to develop code, write malware, and hack as well as anyone. They cannot, however, develop in a timely manner the kind of large-scale operational capabilities that a nation possesses. This economy of scale is what they need to make a truly effective cyber assault on the West.

Two points negate the economy-of-scale hindrance. First, they need not attack an entire nation to achieve success. While they desire to create a large event, it does not necessarily need to be as extensive as a full nation-state attack.
As long as it is effective and gains worldwide attention, it will be a victory. Second, with abundant funds and potential access to more, the criminal option is accessible, giving the terrorists an extraordinarily destructive capability.

Should a terrorist group use its wealth to hire cyber criminal botnets, we would have a strategic-level problem. A terrorist group so equipped could begin to overwhelm the cyber defenses of a specific corporation, single government organization, or a particular infrastructure sector, and do tremendous damage. They could destroy or corrupt vital data in the financial sector or cripple communications over a wide area to spread panic and uncertainty.

Similar to the nation-state attack scenarios, terrorists could use botnet-driven denial of service attacks to blind security forces at a border crossing point as a means of facilitating an infiltration operation, or use a cyber attack in one area of a country to act as a diversion so a conventional kinetic terrorist attack can occur elsewhere. They could even conduct supervisory control and data acquisition attacks on specific sites and use the control system to create kinetic-like effects without the kinetic component. A good example would be to open the valves at a chemical plant near a population center, creating a Bhopal-like event. The permutations are as endless as one's imagination.

A Deadly Combination

The capability of terrorist leaders to think outside the proverbial box is one of their biggest strengths. They will adapt to this new area as they are forced in that direction by the successes of our intelligence and law enforcement elements. Imagine the operational elegance of simply hitting the return key and seeing thousands of enemies die a continent away, or watching a bank shut down because of the destruction of all its data by an unknown force. Additionally, the combination of cyber methods and kinetic strikes will increase the effectiveness of their efforts.

Criminals, for their part, are motivated by greed. Few leaders of the cyber-organized crime world would hesitate to sell their capabilities to a terrorist loaded with hard currency. That, combined with the ever-growing terrorist awareness of cyber vulnerabilities, makes this set of scenarios not just highly likely, but close to inevitable.

As a harbinger of this future, there were many similarities between the techniques used in the attacks on Estonia, and those used in the counterattacks during the Gaza incursion.
Some have speculated that perhaps Hamas or Hezbollah had hired the same East European criminal botnets that had been used in Estonia. If this is the case, we are farther down this road than we know and already at risk. The highly developed and capable cyber criminal organizations' desire for money and the terrorists' wealth and need for help to develop their capabilities is a highly explosive mix.

The threat of a full nation-state attack, either cyber-only or cyber-enabled kinetic, is our most dangerous threat. We pray deterrence will continue to hold and should take all measures to shore it up. Terrorists will never be deterred. They will continue to seek ways to harm us and will join hands with the criminal element to do so. A terrorist attack bolstered by cyber-crime capabilities will be the most likely major homeland security event that will confront America.

1. John Bumgarner and Scott Borg, The USCCU Report on the Georgian Cyber Campaign, U.S. Cyber Consequences Unit, August 2009.
2. Ibid.
3. GEN Peter Pace, U.S. Marine Corps (Retired), in discussions with IBM officials, May 2009.
4. Bumgarner and Borg, The USCCU Report.
5. GEN Peter Pace, Discussions with IBM officials.
6. www.PressTV.ir, 2 January 2009.
7. Bumgarner and Borg, The USCCU Report.
8. Siobhan Gorman and Evan Ramstad, www.WSJ-online/tech.com, "Cyber Blitz hits US and Korea," 9 July 2009.

China Proves To Be an Aggressive Foe in Cyberspace

By Ellen Nakashima and John Pomfret, Washington Post, 11 Nov 09

One day in late summer 2008, FBI and Secret Service agents flew to Chicago to inform Barack Obama's campaign team that its computer system had been hacked. "You've got a problem. Somebody's trying to get inside your systems," an FBI agent told the team, according to a source familiar with the incident.

The McCain campaign was hit with a similar attack. The trail in both cases led to computers in China, said several sources inside and outside government with knowledge of the incidents. In the McCain case, Chinese officials later approached staff members about information that had appeared only in restricted e-mails, according to a person close to the campaign.

American presidential campaigns are not the only targets. China is significantly boosting its capabilities in cyberspace as a way to gather intelligence and, in the event of war, hit the U.S. government in a weak spot, U.S. officials and experts say. Outgunned and outspent in terms of traditional military hardware, China apparently hopes that by concentrating on holes in the U.S. security architecture -- its communications and spy satellites and its vast computer networks -- it will collect intelligence that could help it counter the imbalance.

President Obama, who is scheduled to visit China next week, has vowed to improve ties with the Asian giant, especially its military. But according to current and former U.S. officials, China's aggressive hacking has sowed doubts about its intentions.

"This is the way they plan to thwart U.S. supremacy in any potential conflict we get into with them," said Robert K. Knake, a Council on Foreign Relations fellow. "They believe they can deter us through cyber warfare."

Chinese officials deny that and dismiss American concern as a Cold War relic. "Allegations that China is behind, or 'likely behind,' cyberattacks or cyber espionage against the United States are more frequent and more sensational," said Wang Baodong, the spokesman at the Chinese Embassy in Washington. "Such accusations are unwarranted, irresponsible and misleading and are intentionally fabricated to fan up China threat sensations."

With 360 million people online in China, Wang added, "China is more than ever integrated with and reliant on the Internet. As the U.S. serves as the hub of the international information highway, attacking the U.S. in cyberspace equals attacking one's own cyberspace assets. . . . What's the logic?"

Nonetheless, U.S. officials and experts of all political persuasions in the Pentagon, on Capitol Hill, in private industry and in think tanks are convinced that China is behind many of the most egregious attacks. A senior Air Force official estimated that, as of two years ago, China has stolen at least 10 to 20 terabytes of data from U.S. government networks -- the larger figure equal, by some estimates, to one-fifth of the Library of Congress's digital holdings.

Nuclear weapons labs, defense contractors, the State Department and other sensitive federal government agencies have fallen prey. What experts do not know is exactly what has been stolen or how badly U.S. systems have been exposed. "Given the intrusions into defense industry networks, multibillion-dollar weapons systems . . . may have already been compromised," said James Mulvenon, a China expert with Defense Group Inc.

Experts point to the late 1990s as the start of this undeclared war. Since then, cyber intrusions have run the gamut, including stealing files on political dissidents from the offices of Rep. Frank R. Wolf (R-Va.) in 2006, disrupting the e-mail network of the defense secretary's office in 2007 and staging a spyware attack on electronic devices used by then-Commerce Secretary Carlos M. Gutierrez and his delegation on a December 2007 trip to Beijing.

Wolf said that the offices of 17 House members have been targeted. "Not a week doesn't go by when there's not a Chinese attack on our government," he said.

One day last spring, Capitol Hill security officials removed two computers from a congressional office that deals with foreign affairs. "There's a bug in your computer," one agent told an astonished staffer. "From China."

Director of National Intelligence Dennis C. Blair said in February that Russia and China were able "to target and disrupt elements of the U.S. information infrastructure" and that China was "very aggressive" in cyberspace.
Another problem is China's ability to leave behind malicious sleeper code that can one day be activated to alter or destroy information. In April, then-National Counterintelligence Executive Joel F. Brenner reported that the Chinese had penetrated "certain of our electricity grids" with malicious code and that "our networks are being mapped."

One challenge in countering the threat, experts say, is that the Chinese often contract out such work to experts in industry and academia and possibly even to freelance hackers, allowing officials to argue that while an attack might have originated from an Internet service provider in China, no one could prove it came from the government.

The Chinese People's Liberation Army has publicly embraced such outsourcing. In 2002, the PLA created information warfare units, comprising operators and analysts from the commercial sector and academia, according to a new report by defense contractor Northrop Grumman for the U.S.-China Economic and Security Review Commission, a congressionally chartered body.

A year later, China's Academy of Military Sciences published an account of a trial project in the Guangzhou Military Region to establish information-warfare militia units using local telecommunications companies as a source of talent, funding and technology. Subsequently, the academy directed the PLA to make creation of such units a priority.

"Information warfare is not just a theology," said Ming Zhou, a China specialist with VeriSign iDefense, a security intelligence firm. "They can integrate it into nation-state interests."

Some U.S. cyber policy experts such as James A. Lewis, a senior fellow with the Center for Strategic and International Studies, acknowledge that the problem cannot be solved without international engagement. At the same time, Lewis said, "I'm not going to get upset about China spying on us, because we spy on them."

"The only thing I'm going to get upset about," he said, "is if we don't do better than them."

Cyber War: Sabotaging the System

From CBS News, 08 Nov 09

60 Minutes: Former Chief of National Intelligence Says U.S. Unprepared for Cyber Attacks

Nothing has ever changed the world as quickly as the Internet has. Less than a decade ago, "60 Minutes" went to the Pentagon to do a story on something called information warfare, or cyber war as some people called it. It involved using computers and the Internet as weapons. Much of it was still theory, but we were told that before too long it might be possible for a hacker with a computer to disable critical infrastructure in a major city and disrupt essential services, to steal millions of dollars from banks all over the world, infiltrate defense systems, extort millions from public companies, and even sabotage our weapons systems. Today it's not only possible, all of that has actually happened, plus a lot more we don't even know about.

It's why President Obama has made cyber war defense a top national priority and why some people are already saying that the next big war is less likely to begin with a bang than a blackout.

"Can you imagine your life without electric power?" Retired Admiral Mike McConnell asked correspondent Steve Kroft.

Until February of this year, McConnell was the nation's top spy. As chief of national intelligence, he oversaw the Central Intelligence Agency, the Defense Intelligence Agency and the National Security Agency. Few people know as much about cyber warfare, and our dependency on the power grid, and the computer networks that deliver our oil and gas, pump and purify our water, keep track of our money, and operate our transportation systems.

"If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker," McConnell explained.

"Do you believe our adversaries have the capability of bringing down a power grid?" Kroft asked.

"I do," McConnell replied.

Asked if the U.S. is prepared for such an attack, McConnell told Kroft, "No. The United States is not prepared for such an attack."

"It is now clear this cyber threat is one [of] the most serious economic and national security challenges we face as a nation," President Obama said during a speech.


Four months after taking office, Obama made those concerns part of our national defense policy, declaring the country's digital infrastructure a strategic asset, and confirming that cyber warfare had moved beyond theory.

"We know that cyber intruders have probed our electrical grid, and that in other countries cyber attacks have plunged entire cities into darkness," the president said.

President Obama didn't say which country had been plunged into darkness, but a half a dozen sources in the military, intelligence, and private security communities have told us the president was referring to Brazil.

Several prominent intelligence sources confirmed that there were a series of cyber attacks in Brazil: one north of Rio de Janeiro in January 2005 that affected three cities and tens of thousands of people, and another, much larger event beginning on Sept. 26, 2007. That one in the state of Espirito Santo affected more than three million people in dozens of cities over a two-day period, causing major disruptions. In Vitoria, the world's largest iron ore producer had seven plants knocked offline, costing the company $7 million. It is not clear who did it or what the motive was.

But the people who do these sorts of things are no longer teenagers making mischief. They're now likely to be highly trained soldiers with the Chinese army or part of an organized crime group in Russia, Europe or the Americas.

"They can disrupt critical infrastructure, wipe databases. We know they can rob banks. So, it's a much bigger and more serious threat," explained Jim Lewis, director of the Center for Strategic and International Studies. Lewis led a group that prepared a major report on cyber security for President Obama.

"What was it that made the government begin to take this seriously?" Kroft asked.

"In 2007 we probably had our electronic Pearl Harbor. It was an espionage Pearl Harbor," Lewis said. "Some unknown foreign power, and honestly, we don't know who it is, broke into the Department of Defense, to the Department of State, the Department of Commerce, probably the Department of Energy, probably NASA. They broke into all of the high tech agencies, all of the military agencies, and downloaded terabytes of information."

How much is a terabyte?

"The Library of Congress, which has millions of volumes, is about 12 terabytes. So, we probably lost the equivalent of a Library of Congress worth of government information in 2007," Lewis explained.

"All stolen by foreign countries?" Kroft asked.

"Yeah. This was a serious attack. And that's really what made people wake up and say, 'Hey, we've got to get a grip on this,'" Lewis said.

But since then, there has been an even more serious breach of computer security, which Lewis called the most significant incident ever publicly acknowledged by the Pentagon. Last November, someone was able to get past the firewalls and encryption devices of one of the most sensitive U.S. military computer systems and stay inside for several days.

"This was the CENTCOM network," Lewis explained. "The command that's fighting our two wars. And some foreign power was able to get into their networks. And sit there and see everything they did. That was a major problem. And that's really had a big effect on D.O.D."

Asked what he meant by "sit there," Lewis said, "They could see what the traffic was. They could read documents. They could interfere with things. It was like they were part of the American military command."

Lewis believes it was done by foreign spies who left corrupted thumbnail drives or memory sticks lying around in places where U.S. military personnel were likely to pick them up. As soon as someone inserted one into a CENTCOM computer, a malicious code opened a backdoor for the foreign power to get into the system. Lewis said the Pentagon has now banned thumbnail drives.


"My impression is most people understand that there is a threat out there. I don't think most people understand that there are incidents that are happening," Kroft remarked. "You know, I've been trying to figure out why that is. And some of it is the previous administration didn't want to admit that they had been rolled in 2007. There's a disincentive to tell people, 'Hey, things are going badly.' But it doesn't seem to be sinking in. And some of us call it 'the death of a thousand cuts.' Every day a little bit more of our intellectual property, our innovative skills, our military technology is stolen by somebody. And it's like little drops. Eventually we'll drown. But every day we don't notice," Lewis said. Congress has noticed, allocating $17 billion for a top secret national cyber security initiative, and the Department of Defense has nominated Lieutenant General Keith Alexander, head of the NSA, to run a new military command devoted to offensive and defensive cyber war. "How much of this are we doing? We, meaning the United States," Kroft asked Lewis. "We're in the top of the league, you know? We're as good as any," Lewis said. "So, whatever foreign countries are doing to the United States, the United States is doing to them?" Kroft asked. "We're in the top of the league. We are really good. And if you talk to the Russians or the Chinese, they say, 'How can you complain about us, when you do exactly the same thing?' It's a fair point with one exception: we have more to steal. We have more to lose. We're the place that depends on the Internet. We've done the most to take advantage of it. We're the ones who've woven it into our economy, into our national security, in ways that they haven't. So, we are more vulnerable," Lewis said. Even the country's most powerful weapons are targets. So technicians at the Sandia National Laboratories make their own microchips for nuclear weapons and other sophisticated systems. 
Jim Gosler - one of the fathers of cyber war - says most commercial chips are now made abroad and there are concerns that someone could tamper with them. "So you're worried about somebody being able to get in and reprogram a nuclear weapon, or get inside and put something in there that would make it…," Kroft asked. "Well, certainly alter its functionality," Gosler said. Asked what he means by "alter its functionality," Gosler said, "Such that when the weapon needed to be to go operational, it wouldn't work." "Have you found microchips that have been altered?" Kroft asked. "We have found microelectronics and electronics embedded in applications that they shouldn't be there. And it's very clear that a foreign intelligence service put them there," Gosler said. "There are thousands of attempted attacks every day, tens of thousands of attacks," Sean Henry, an assistant director of the FBI in charge of the bureau's cyber division, told Kroft. Henry's job is to police potential targets all over the United States. He told "60 Minutes" that criminals have used the Internet to steal more than $100 million from U.S. banks so far this year and they did it without ever having to draw a gun or pass a note to a teller. "The FBI became famous stopping bank robberies. Are there more bank robberies in terms of the amount of money stolen on the Internet than there are guys walking into branches with guns?" Kroft asked. "Absolutely," Henry said. "I've seen attacks where there's been $10 million lost in one 24-hour period. If that had happened in a bank robbery where people walked in with guns blazing, that would've been headline news all over the world." "And the bank probably didn't want it known," Kroft remarked.

"Certainly when there's a network breach, the owners of the network are not keen to have it known that their network was breached because of their concern that it might impact their business," Henry said.


The case Henry mentioned didn't involve just one bank - it involved 130, all of them victimized through an international network of ATMs, an international caper that required dozens of participants on three different continents. Asked how they did it, Henry said, "It was a sophisticated operation. Clearly organized where adversaries accessed a computer network, were able to gain information from multiple accounts. They were able to decrypt PIN numbers and then taking that data, able to manufacture white plastic that enabled them access to get into ATM accounts." Asked what white plastic is, Henry said, "Take a piece of plastic that's similar in size and shape and weight to an ATM card." "They've got the card. They've got the PIN number and they just drained the accounts?" Kroft asked. "Almost $10 million in 24-hour period," Henry said.

According to Henry, the cyber heist happened in 49 cities around the world, in Europe, North America, South America, and Asia. Henry told Kroft they have an idea which country the perpetrators were from, but he would not divulge that information during the interview. Asked if they have caught any of the suspects yet, Henry said, "Workin' on it." Another case you have probably not heard anything about involves an extortion plot against the state of Virginia. Earlier this year, a hacker got into a medical database and stole millions of patients' prescription records and then followed it up with a ransom note. "The note said, 'I have your…' - I can't say that word on television - stuff, we'll call it 'in my possession right now,'" Kroft said. The hacker went on to write, "I've made an encrypted backup and deleted the original. For $10 million, I will gladly send along the password." The state of Virginia says it was eventually able to restore the system. But the stolen information, including names, Social Security numbers and prescriptions can be used, sold or exploited according to the FBI. "Did the Virginia Prescription Monitoring Program pay the $10 million?" Kroft asked Henry. "I can't discuss that," he replied. "But you say this is an active investigation. I mean, this is a matter of public record. I mean, this actually happened," Kroft remarked. "This is an active investigation that we're still involved in, and we are coordinating with the victim. They're cooperating with us, and we're actively involved with them and other state and local law enforcement agencies," Henry said. Asked whether whoever did this is still at large, Henry told Kroft, "I imagine."

As serious as the electronic theft of hundreds of millions of dollars by computer thieves might seem, it pales in comparison to some of the other possible scenarios that are no longer outside the realm of possibility. They include an assault on the fiber optic networks that run the world's financial systems. Admiral McConnell, the former director of national intelligence, worries about the integrity of America’s money supply. "I know that people in the audience watching this are going to say, 'Could somebody steal money out of my bank account or could somebody attack a bank that would wipe out my life savings?'" Kroft asked. "And the answer is yes, that's possible, but that is not the major problem. The more insidious issue is, what happens when the attacker is not attempting to steal money, but to destroy the process that accounts for money? That's the real issue we have to worry about," McConnell said. "It's all record keeping. It's accountability of the wealth and the movement of that money through the system that had to be reconciled at the speed of light. So if you impact or contaminate the data
or destroy the data where you couldn't have reconciliation, you could have cascading impact in the banking system," he added. Asked to describe the consequences, McConnell said, "If everybody goes down to take the money out, it's not there. So that's the issue. Since banking is based on confidence, what happens when you destroy confidence?" One top U.S. intelligence official is on record saying that the Chinese have already aggressively infiltrated the computer networks of some U.S. banks and are operating inside U.S. electrical grids, mapping out our networks and presumably leaving behind malicious software that could be used to sabotage the systems. "Can a penetrator or a perpetrator leave behind…things that will allow them to be there and watch and look…and listen?" Kroft asked. "Any successful penetration has the potential for leaving behind a capability," McConnell said. "Do we believe that there are, the governments have planted code in the power grid?" Kroft asked. "Steve, I would be shocked if we were in a situation where tools and capabilities and techniques have not been left in U.S. computer and information systems," McConnell said. Of all the critical components in the U.S. infrastructure, the power grid is one of the most vulnerable to cyber attack. The U.S. government has control of its own computers and those of the military. The power grid, which is run and regulated by private utilities, is unbeholden to government security decrees.

At the Sandia National Laboratories, Department of Energy security specialists like John Mulder try to hack into computer systems of power and water companies, and other sensitive targets in order to figure out the best way to sabotage them. It's all done with the companies' permission in order to identify vulnerabilities. In one test, they simulated how they could have destroyed an oil refinery by sending out code that caused a crucial component to overheat. "The first thing you would do is turn it to manual controls so that your automatic controls aren't protecting you," Mulder explained.

Asked what the main target would be, Mulder said, "The heating element and the re-circulator pump. If we could malfunction both of those we could cause an explosion." "How would you do that?" Kroft asked. "The first thing we had to do was actually gain access to the network and that's, we just got that as launch attack. And then we turn up the BTUs, and then we're turning off the re-circulator pump. There we go," Mulder said. Mulder said this type of simulation is "very" realistic. But the companies are under no obligation to fix the vulnerabilities, which was graphically demonstrated in a much more realistic fashion at the Idaho National Labs two years ago in a project called "Aurora." A group of scientists and engineers at the Department of Energy facility wanted to see if they could physically blow up and permanently disable a 27-ton power generator using the Internet. "If you can hack into that control system, you can instruct the machine to tear itself apart. And that's what the Aurora test was. And if you've seen the video, it's kind of interesting, 'cause the machine starts to shudder. You know, it's clearly shaking. And smoke starts to come out. It destroys itself," Jim Lewis explained. Asked what the real-world consequences of this would be, Lewis said, "The big generators that we depend on for electrical power are one, expensive, two, no longer made in the U.S., and three, require a lead time of three or four months to order them. So, it's not like if we break one, we can go down to the hardware store and get a replacement. If somebody really thought about this, they could knock a generator out, they could knock a power plant out for months. And that's the real consequence."


When Congressman Jim Langevin, who chaired a subcommittee on cyber security, heard about it, he called representatives of the nation's electric utilities to Washington to find out what they were doing to fix the vulnerability. The committee was told that the problem was being addressed. But that turned out not to be the case. At a subsequent hearing seven months later, Langevin's committee members discovered that almost nothing had been done. "Basically they lied to Congress, and I was outraged," Rep. Langevin told Kroft. Asked if they admitted lying to Congress, Langevin told Kroft, "They admit that they misled Congress, that they did not give accurate testimony. And they subsequently had to retract the testimony." "Have they made any progress since you caught them out in this lie?" Kroft asked. "No, not sufficiently," Langevin said. "The private sector has different priorities than we do in providing security. Their, in a sense bottom line, is about profits. We need to change that. We need to change their motivation so that when we see a vulnerability like this we can require them to fix it." Langevin and others have introduced legislation that would do just that. "I look at this as, like, a pre-9/11 moment. Where we identify a problem, we identify a threat, we know it exists, we know it's real, and we don't move quickly enough to fix the problem," he said. "And what I'm worried about is, because of so many competing priorities, and so many issues that we have to deal with, we won't get, we will not get focused on this problem until we have some catastrophic event," Admiral McConnell said. "If the power grid was taken off line in the middle of winter, and it caused people to suffer and die, that would galvanize the nation. I hope we don't get there. But it's possible that we will."

U.S. Needs to Play Catch-up In Afghanistan
By David A. Fulghum, Aviation Week, Sep 28

Beyond the opening statement that the campaign in Afghanistan has been under-resourced and remains so, the new assessment of the war put together by Gen. Stanley A. McChrystal, commander of the NATO International Security Assistance Force and U.S. Forces, Afghanistan, reveals a number of basic planning details.

“We require more civilian and military resources, more Afghan National Security Forces, more intelligence, surveillance and reconnaissance and other enablers,” it says. The size of the Afghan Border Police must be doubled and the concept of the border fight must be changed to include improved border control and customs collection. Counter-narcotics aviation would need to grow by over 100 percent.

Starting in October, Afghan National Army (ANA) combat strength will be increased by over-manning units and rapidly generating infantry and combat service support units. Emphasis will be on maneuver units at the expense of engineers, artillery, motorized quick reaction forces and support units. Tent cities will serve initially instead of permanent camps.

International Security Assistance Forces (ISAF) units, which include U.S., British and other NATO forces, will be physically co-located with the Afghan National Security Forces (ANSF) to establish a common “battle rhythm” while planning and executing operations together. Mechanisms must be established at all levels to integrate information.

ISAF forces are required to spend as much time as possible with the people and as little time as possible in armored vehicles and behind the walls of forward operating bases. Traveling “ensconced in armored vehicles with body armor and turrets manned [conveys] a sense of risk and high fear to the population,” the report says.

Insurgents have used the winter months to train, reequip and organize and ISAF operations have mirrored the cycle.
“This winter, there is an opportunity to break our inadvertent operational synchronicity with the insurgents,” the report says. Greater emphasis will be placed on non-kinetic operations.

Special Operations Forces (SOF) from all the nations involved will be directed to enhance coordination of their operations through a SOF operations planning staff, advisors and liaison officers to regional command headquarters. Counter-IED operations must be fully integrated into the overall strategy and the population must be encouraged to assist.

ISAF leaders must understand and adopt the contemporary information environment to include new social media, cell phones, television and radio to promote communication with Afghan and international audiences. A considerable investment in technical architecture will be necessary.

Offensive information operations against insurgent networks should expose cultural and religious violations, anti-Islamic and indiscriminate use of violence and terror, inflicting of civilian casualties, attacks on education, development projects and government institutions and flagrant contravention of the principles of the Qur’an.

Land component commanders and their staffs must now be more adept in their knowledge of how the electromagnetic spectrum can both positively as well as negatively impact operations, officials said. They said by tightly integrating EW as a form of non-kinetic fires with existing kinetic capabilities, the Army can achieve spectrum dominance through an effects-based joint operations plan.

The Program Executive Office Intelligence, Electronic Warfare & Sensors has stepped to the forefront in supporting this new direction with a focus on operationalizing EW as an integrated battlefield capability that will enhance situational awareness, improve force protection, enable dominant maneuver, and aid in precision lethality.

To meet the emerging demand for the recently established EW vision, PEO IEW&S stood up the Project Manager Electronic Warfare office Sept. 1 under Col.
Rod Mentzer.

PM EW, formerly Project Director Signals Warfare, was established to give the developing areas of EW a home for all of their integration needs.

"We're changing the name to highlight the core competencies of this project management office as the Army transitions into an era of increased emphasis on capabilities associated with electronic warfare," said Brig. Gen. Thomas Cole, program executive officer for IEW&S. "We have a talented, experienced workforce and synergy of effort among IEW&S, RDECOM, and CECOM here for doing this type of work. PM EW provides the Army a focal point for providing EW capability to Soldiers," Cole said.

This change in direction coincides with recent actions within the Army to establish a formal home for EW requirements. "As the Army began to get its fingers back into the fight and electronic warfare scenarios came to the forefront, the Army decided it needed to get back into the EW arena and stood up an office in the G3/5/7 shop," said Mentzer, referring to the establishment of the Electronic Warfare Division in the Pentagon.

In February, an EW military occupation series was created, the 29 series, that will eventually give the Army the largest electronic-warfare manpower force of all the services. Nearly 1,600 EW personnel, serving at every level of command, will be added to the Army over the next three years, officials said.

The Army's EW personnel will not only be experts in fighting the threat of IEDs, but they will be versed in a much more complex challenge of controlling the electromagnetic environment in land warfare by tactical employment of the three major EW tenets: electronic attack, electronic protection, and electronic warfare support -- to gain an advantage in support of tactical and operational objectives across the full spectrum of operations.

PM EW is poised to supply these Soldiers with the tools they need to operate within the EW spectrum, Mentzer said.

"PM Electronic Warfare will enable and support these adaptive, versatile and full-spectrum-capable Electronic Warfare Soldiers with the highest technology possible," Mentzer said.


Product Managers CREW, Prophet and Information Warfare will remain under the EW charter as the organization poises itself to take the prominent position in fielding and sustaining systems, which will meet the Army's EW needs. PM EW currently fields various versions of Counter RCIED Electronic Warfare Systems, Prophet-enhanced systems and a multitude of classified systems. In fiscal year 2009, the organization fielded more than 36,000 CREW devices as well as more than 30 Prophet systems.

Over the near term, Mentzer said he plans on working closely with the G3 as they define the requirements and the direction the Army will take in the realm of EW.

In summarizing the role EW will play in the Army in current conflicts, as well as in the future, Gen. Raymond Odierno, Multi-National Force-Iraq commander said, "I think by having (EW specialists) within every unit in Multi-National Corp-Iraq, in Afghanistan and any future operation, it will better enable our forces to combat the threat that is inside the electronic warfare spectrum."

"This expertise and capacity will obviously help save the lives of our Soldiers and it will also help us to move forward and understand the spectrum as we continue to develop our operation."

U.S. Must Focus On Protecting Critical Computer Networks from Cyber Attack, Experts Urge

From Science Daily, 09 Oct 09

Because it will be difficult to prevent cyber attacks on critical civilian and military computer networks by threatening to punish attackers, the United States must focus its efforts on defending these networks from cyber attack, according to a new RAND Corporation study.

The study finds that the United States and other nations that rely on externally accessible computer networks—such as ones used for electric power, telephone service, banking, and military command and control—as a foundation for their military and economic power are subject to cyber attack.

"Adversaries in future wars are likely to go after each other's information systems using computer hacking," said Martin C. Libicki, the report's lead author and senior management scientist at RAND, a nonprofit research organization. "The lessons from traditional warfare cannot be adapted to apply to attacks on computer networks. Cyberspace must be addressed in its own terms."

Working against connected but weakly protected computer systems, hackers can steal information, make the systems malfunction by sending them false commands and corrupt the systems with bogus information.

In most instances, the damage from cyber attacks is temporary and repeated attacks lead the victim to develop systems that are more difficult to penetrate. The RAND study finds that military cyber attacks are most effective when part of a specific combat operation—such as silencing a surface-to-air missile system protecting an important target—rather than as part of a core element in a long, drawn out military or strategic campaign.

Libicki says it is difficult to determine how destructive a cyber attack would be. Damage estimates from recent cyber attacks within the United States range from a few billion dollars to hundreds of billions of dollars a year.

The study indicates that cyber warfare is ambiguous, and that it is rarely clear what attacks can damage deliberately or collaterally, or even determine afterward what damage was done. The identity of the attacker may be little more than guesswork, which makes it hard to know when someone has stopped attacking. The cyber attacker's motivation, especially outside physical combat, may be equally unclear.

The weapons of cyber war are amorphous, which eliminates using traditional approaches to arms control. Because military networks mostly use the same hardware and software as civilian networks, they have similar vulnerabilities.

"This is not an enterprise where means and ends can be calibrated to one another," Libicki said. "As a result, it is ill-suited for strategic warfare."


Because offensive cyber warfare is more useful in bothering, but not disarming, an adversary, Libicki does not recommend the United States make strategic cyber warfare a priority investment. He says similar caution is needed for deterring cyber warfare attacks, as it is difficult to attribute a given attack to a specific adversary, and the lack of an ability to counterattack is a significant barrier.

Instead, Libicki says the United States may first want to pursue diplomatic, economic and prosecutorial efforts against cyber attackers.

The study, "Cyberdeterrence and Cyberwar," was prepared by RAND Project AIR FORCE, a federally funded research and development center for studies and analysis aimed at providing independent policy alternatives for the U.S. Air Force.

The Cyberwar Plan
By Shane Harris, National Journal, 14 Nov 09

It's not just a defensive game; cyber-security includes attack plans too, and the U.S. has already used some of them successfully.

In May 2007, President Bush authorized the National Security Agency, based at Fort Meade, Md., to launch a sophisticated attack on an enemy thousands of miles away without firing a bullet or dropping a bomb.

At the request of his national intelligence director, Bush ordered an NSA cyber-attack on the cellular phones and computers that insurgents in Iraq were using to plan roadside bombings. The devices allowed the fighters to coordinate their strikes and, later, post videos of the attacks on the Internet to recruit followers. According to a former senior administration official who was present at an Oval Office meeting when the President authorized the attack, the operation helped U.S. forces to commandeer the Iraqi fighters' communication systems. With this capability, the Americans could deceive their adversaries with false information, including messages to lead unwitting insurgents into the fire of waiting U.S. soldiers.

Former officials with knowledge of the computer network attack, all of whom requested anonymity when discussing intelligence techniques, said that the operation helped turn the tide of the war. Even more than the thousands of additional ground troops that Bush ordered to Iraq as part of the 2007 "surge," they credit the cyber-attacks with allowing military planners to track and kill some of the most influential insurgents. The cyber-intelligence augmented information coming in from unmanned aerial drones as well as an expanding network of human spies. A Pentagon spokesman declined to discuss the operation.

Bush's authorization of "information warfare," a broad term that encompasses computerized attacks, has been previously reported by National Journal and other publications. But the details of specific operations that specially trained digital warriors waged through cyberspace aren't widely known, nor has the turnaround in the Iraq ground war been directly attributed to the cyber campaign. The reason that cyber techniques weren't used earlier may have to do with the military's long-held fear that such warfare can quickly spiral out of control. Indeed, in the months before the U.S. invasion of Iraq in March 2003, military planners considered a computerized attack to disable the networks that controlled Iraq's banking system, but they backed off when they realized that those networks were global and connected to banks in France.

By early 2007, however, two senior officials with experience and faith in the power of cyber-warfare to discretely target an adversary stepped into top military and intelligence posts. Mike McConnell, a former director of the National Security Agency, took over as director of national intelligence in February of that year. And only weeks earlier, Army Gen. David Petraeus became the commander of all allied forces in Iraq. McConnell, who presented the request to Bush in the May 2007 Oval Office meeting, had established the first information warfare center at the NSA in the mid-1990s. Petraeus, a devotee of counterinsurgency doctrine, believed that cyberwar would play a crucial role in the strategy he had planned as part of the surge. In September 2007, the general told Congress, "This war is not only being fought on the ground in Iraq but also in cyberspace."


Some journalists have obliquely described the effectiveness of computerized warfare against the insurgents. In The War Within, investigative reporter Bob Woodward reports that the United States employed "a series of top-secret operations that enable [military and intelligence agencies] to locate, target, and kill key individuals in extremist groups such as Al Qaeda, the Sunni insurgency, and renegade Shia militias. ... " The former senior administration official said that the actions taken after Bush's May 2007 order were the same ones to which Woodward referred. (At the request of military and White House officials, Woodward withheld "details or the code word names associated with these groundbreaking programs.")Woodward wrote that the programs began "in about May 2006." But the former administration official emphasized that the specific operations that turned the advantage back to U.S. forces came a year later. Published reports suggest that military commanders were eyeing cyber-warfare techniques in advance of Bush's 2007 order. In an October 2005 article in Aviation Week & Space Technology, reporter David Fulghum noted, "Computer network attack and exploitation... are also now the primary tools in combating what senior U.S. Army officials identify as their No. 1 target -- the wireless communications networks used by insurgents and terrorists."In 2005, military planners focused their efforts largely on sensors that could intercept wireless signals in the combat zone, not on the penetration of the cellular phone network itself. Pursuing the latter would be a far more ambitious and riskier maneuver that, by law, would require presidential authorization. It would also call upon the secret skills of the NSA's computer hackers.The lessons of the 2007 cyberwar are instructive today, as the director of the NSA, Army Lt. Gen. Keith Alexander, is expected to take over the Defense Department's new Cyber Command. 
The command will be the vanguard of the Obama administration's cyberwar efforts, as well as the front-line defender of military computer networks. U.S. networks, like those of the Iraqi fighters, are also vulnerable to outside attack, and an increasing number of penetrations over the past two years have led Defense officials to put cyber-security at the top of their agenda.Cyber-defenders know what to prepare themselves for because the United States has used the kinds of weapons that now target the Pentagon, federal agencies, and American corporations. They are designed to steal information, disrupt communications, and commandeer computer systems. The U.S. is forming a cyberwar plan based largely on the experience of intelligence agencies and military operations. It is still in nascent stages, but it is likely to support the conduct of conventional war for generations to come. Some believe it may even become the dominant force.A New Way Of WarSenior military leaders didn't come of age in a digital world, and they've been skeptical of computerized attacks. Mostly younger officers, who received their early combat education through video games and Dungeons & Dragons, wage these battles. To them, digital weapons are as familiar and useful as rifles and grenades.Over the past few years, however, the cyber-cohort has gained influence among the ranks of military strategists, thanks in large part to the ascendancy of Gen. Petraeus. The man widely credited with rescuing the U.S. mission in Iraq is also a devotee of "information operations," a broad military doctrine that calls for defeating an enemy through deception and intimidation, or by impairing its ability to make decisions and understand the battlefield. In past conflicts, the military has jammed enemy communication systems with electromagnetic waves or dropped ominous leaflets from planes warning enemy forces of imminent destruction. 
Today, cyber-warriors use the global telecommunications network to commandeer an adversary's phones or shut down its Web servers. This activity is a natural evolution of the information war doctrine, and Petraeus has elevated its esteem.

Computerized tools to penetrate an enemy's phone system are only one part of the cyberwar arsenal. And they are perhaps the least worrisome. Alarmed national security officials, and the president himself, are paying more attention than ever to devastating computer viruses and malicious software programs that can disable electrical power systems, corrupt financial data, or hijack air traffic control systems. In 2007, after McConnell got Bush's sign-off for the cyber campaign in Iraq, he warned the president that the United States was vulnerable to such attacks.

Then-Treasury Secretary Henry Paulson Jr., who was present at the meeting, painted a chilling scenario for Bush. He said that in his former position as the CEO of Goldman Sachs, his biggest fear was that someone would gain access to the networks of a major financial institution and alter or corrupt its data. Imagine banks unable to reconcile transactions and stock exchanges powerless to close trades. Confidence in data, Paulson explained, supported the entire financial system. Without it, the system would collapse.

The following year, when a lack of confidence in the accuracy of Bear Stearns's accounts threatened to bring down that major bank, McConnell tried to use the experience as a teaching opportunity. He privately warned other senior administration officials that a cyberattack could cause the same painful consequences, and he began studying what an attack on the system that clears market trades might look like. According to The New York Times, officials were halfway through their research when the credit markets froze. A senior intelligence official remarked, "We looked at each other and said, 'Our market collapse has just given every cyber-warrior out there a playbook.' "

Bush's response to cyber-threats took the form of a multibillion-dollar defense plan, known as the Comprehensive National Cybersecurity Initiative. In its initial stages, the plan was classified, and critics later complained that the administration had cut itself off from valuable expertise and debate. But according to McConnell, who spoke about the initiative at a recent panel discussion at the International Spy Museum in Washington, the initiative was classified because it involved an "attack," or offensive, component.

McConnell, an authority on cyberwar, chose his words deliberately, and it was a telling admission. "Computer network attack" is a technical term, describing an action designed to cause real-world consequences for an adversary -- such as those that Paulson and McConnell warned the president about in the Oval Office, and such as those that the U.S. used in Iraq. The United States' cyber strategy, in other words, encompassed defensive tactics and an offensive plan. The Obama administration inherited the CNCI and has enhanced it with the creation of a national cyber-security coordinator, a White House official who is supposed to ensure that the defensive and offensive sides work together.

Cyber-Forces Already Deployed

As the White House vets candidates for the "cyber-czar" post, the military and intelligence agencies are honing their cyber skills and have already marshaled their forces.

"We have U.S. warriors in cyberspace that are deployed overseas and are in direct contact with adversaries overseas," said Bob Gourley, who was the chief technology officer for the Defense Intelligence Agency and is a board member of the Cyber Conflict Studies Association. These experts "live in adversary networks," Gourley said, conducting reconnaissance on foreign countries without exchanging salvos of destructive computer commands. "Like two ships in the same waters, aware of each other's presences, it doesn't mean they're bumping or firing on each other."

President Obama confirmed that cyber-warriors have aimed at American networks. "We know that cyber-intruders have probed our electrical grid," he said at the White House in May, when he unveiled the next stage of the national cyber-security strategy. The president also confirmed, for the first time, that the weapons of cyberwar had claimed victims. "In other countries, cyberattacks have plunged entire cities into darkness."

With every attack, network defenders learn new techniques, which in turn make them better warriors.
If they are fortunate enough to capture the weapon itself, they can pick apart its command codes -- its digital DNA -- and appropriate them. "You can analyze the attack code, change it, and then use it or counter the next attack," said Dave Marcus, the director of security research and communications for McAfee Labs, which dissects cyber-threats for government agencies.

The same expertise required to build a virus or an attack program to knock down an opponent's firewall can be put to work building more-sophisticated virus detection systems and stronger firewalls. "Our defense is informed by our offense," Gourley said.

Because the United States has studied how attacks are waged, "we certainly would know how to cause these effects," said Sami Saydjari, the president and founder of the Cyber Defense Agency, a
private security company, and a former Defense Department employee. "If the president gave an order, we'd have cadres of people who'd know how to do that."

The Man-Made Battlefield

Military officers describe cyberspace as the fifth domain of war, after land, sea, air, and space. But cyberspace is unique in one important respect -- it's the only battlefield created by humans.

"We have invented this, and it cuts across those other four," said retired Air Force Lt. Gen. Harry Raduege, who ran the Defense Information Systems Agency from 2000 to 2005. He was responsible for the defense and operation of the Pentagon's global information network. "Cyberspace has no boundaries," Raduege said. "It's just everywhere, and it permeates everything we do.... We continue to improve our capabilities, but so do the adversaries."

No nation dominates the cyber-battlefield today. "Military forces fight for the ownership of that domain," said Matt Stern, a retired lieutenant colonel who commanded the Army's 2nd Information Operations Battalion and who now works in the private sector as the director of cyber accounts for General Dynamics Advanced Information Systems. "But because of the ubiquitous nature of cyberspace -- and anyone's ability to access it -- military forces must not only contend with the threats within their operational environment, they must also fight against threats in cyberspace that are global in nature."

Cyberspace is also the domain that, as of now, the United States stands the greatest chance of ceding to another nation. In July, an independent study of the overall federal cyber-workforce described it as fragmented and understaffed. The study blamed a hiring process that takes too long to vet security clearances, low salaries, and the lack of a unified hiring strategy. "You can't win the cyberwar if you don't win the war for talent," said Max Stier, the president of the Partnership for Public Service, an advocacy group that helped write the study.
The co-author was Booz Allen Hamilton, the government contracting firm where former intelligence Director McConnell now runs the cyber-security business.

The Defense Department graduates only about 80 students per year from schools devoted to teaching cyber-warfare. Defense Secretary Robert Gates has said that the military is "desperately short" of cyber-warriors and that the Pentagon wants four times as many graduates to move through its teaching programs over the next two years.

That will be difficult, considering that the military and intelligence agencies compete directly with industry for top talent. Beltway contractors have been on a hiring spree ever since the Bush administration began the comprehensive cyber-security plan. Raytheon, which has assisted Pentagon special-operations forces using advanced cyber-technology, posted an ad to its website earlier this year titled "Cyber Warriors Wanted." The company announced 250 open positions -- more than three times as many as the Defense Department is moving through its education programs.

Despite a relative shortage of skilled warriors, the military services have charged vigorously into cyberspace. The Army, Navy, Air Force, and Marines all have their own cyber-operations groups, which handle defense and offense, and they've competed with one another to control the military's overall strategy. It now appears that the individual service components will report to the new Cyber Command, which will be led by a four-star general. (NSA Director Alexander, the presumptive candidate, has three stars, and his promotion would require the Senate's approval.)

The military may be organizing for a cyberwar, but it's uncertain how aggressive a posture it will take. Some have argued for creating an overt attack capability, the digital equivalent of a fleet of bombers or a battalion of tanks, to deter adversaries. In a 2008 article in Armed Forces Journal, Col.
Charles Williamson III, a legal adviser for the Air Force Intelligence, Surveillance, and Reconnaissance Agency, proposed building a military "botnet," an army of centrally controlled computers to launch coordinated attacks on other machines. Williamson echoed a widely held concern among military officials that other nations are building up their cyber-forces more quickly. "America has no credible deterrent, and our adversaries prove it every day by attacking everywhere," he wrote. Williamson titled his essay, "Carpet Bombing in Cyberspace." Responding to critics who say that by building up its own offensive power, the United States risks starting a new arms race, Williamson said, "We are in one, and we are losing."

A Fight For First

Other experts concur that the United States cannot claim to be the world's dominant cyber-force. Kevin Coleman, a senior fellow with the security firm Technolytics and the former chief strategist for the Web pioneer Netscape, said that China's and Russia's abilities to defend and attack are just as good as America's. "Basically, it's a three-way tie for first."

China has proved its prowess largely by stealing information from U.S. officials and corporate executives. Last year, the head of counterintelligence for the government told National Journal that Chinese cyber-spies routinely pilfer strategy information from American businesspeople in advance of their meetings in China. And a computer security expert who consults for the government said that during a trip to Beijing in December 2007, U.S. intelligence officials discovered spyware programs designed to clandestinely remove information from personal computers and other electronic equipment on devices used by Commerce Secretary Carlos Gutierrez and possibly other members of a U.S. trade delegation. (See NJ, 5/31/08, p. 16.)

But it is the Russian government that has done the most to stoke fears of a massive cyberwar between nations. Most experts believe that Russian sources launched a major attack in April 2007 against government, financial, and media networks in Estonia. It came on the heels of a controversy between Estonian and Russian officials over whether to move a statue honoring Soviet-era war dead. Estonia, one of the most "wired" nations on Earth, is highly dependent upon access to the Internet to conduct daily business, and the cyberattack was crippling.

A year later, many security experts accused Moscow of launching a cyberattack on Georgia as conventional Russian military forces poured into the country.
The assault was aimed at the Georgian centers of official command and public communication, including websites for the Georgian president and a major TV network.

The suspected Russian attacks startled military and civilian cyber-experts around the globe because of their scale and brazenness. "Estonia was so interesting because it was the first time anyone ever saw an entire country knocked out," said Ed Amoroso, the chief security officer for AT&T. "The whole place is like a little mini-version of what our federal government has aspired to" in terms of conducting so much business online. "It scared the heck out of people."

The attacks also underscored one of the most befuddling aspects of cyberwar. Not all of the computers that attacked Estonia were in Russia. The machines, in fact, were scattered throughout 75 countries and were probably hijacked by a central master without their owners' knowledge. Many of the soldier-machines in this global botnet were in the United States, an Estonian ally. To launch a counteroffensive, Estonia would have had to attack American computers as well as those in other friendly countries.

On May 5 of this year, lawmakers on the House Armed Services Subcommittee on Terrorism and Unconventional Threats and Capabilities asked the NSA's Alexander whether the attacks on Estonia and Georgia met the definition of cyberwar. "On those, you're starting to get closer to what would be [considered war]," he said. "The problem you have there is who -- the attribution." Although it was obvious to most experts that the culprits were Russian, it's easy for attackers to mask their true location. The anonymity of the Internet provides many alibis.
Furthermore, it's hard to know whether the Russian government committed the attack, hired cyber-mercenaries to do it, or simply looked the other way as patriotic hackers turned their sights on rival countries.

Over the Fourth of July weekend this year, a series of attacks struck websites used by the White House, the Homeland Security Department, the Secret Service, the NSA, and the State and Defense departments, as well as sites for the New York Stock Exchange and NASDAQ. The attacks also hit sites in South Korea, and suspicion immediately turned to North Korea. But again, the inability to attribute the source with certainty impeded any response. The attacks appear to have emanated from about 50,000 computers still infected with an old computer virus, which means that their owners probably had no idea they were participating in a cyber-offensive. Some of those machines were inside the United States, said Tom Conway, the director of federal business development for McAfee. "So what are you going to do, shoot yourself?"

Holding Fire

The pitfalls of cyberwar are one reason that the United States has been reluctant to engage in it. The U.S. conducted its first focused experiments with cyberattacks during the 1999 bombing of Yugoslavia, when it intervened to stop the slaughter of ethnic Albanians in Kosovo. An information operations cell was set up as part of the bombing campaign. The cell's mission was to penetrate the Serbian national air defense system, published accounts and knowledgeable officials said, and to make fake signals representing aircraft show up on Serbian screens. The false signals would have confused the Serbian response to the invasion and perhaps destroyed commanders' confidence in their own defenses.

According to a high-level military briefing that Federal Computer Week obtained in 1999, the cyber-operation "could have halved the length of the [air] campaign." Although "all the tools were in place ... only a few were used." The briefing concluded that the cyber-cell had "great people," but they were from the "wrong communities" and "too junior" to have much effect on the overall campaign. The cyber-soldiers were young outsiders, fighting a new kind of warfare that, even the briefing acknowledged, was "not yet understood."

War planners fear unleashing a cyber-weapon that could quickly escape their control, a former military officer experienced in computer network operations said. These fears hark back to the first encounter with a rampant Internet virus, in 1988. A Cornell University student named Robert Morris manufactured a program that was intended to measure the size of the Internet but ended up replicating itself massively, infecting machines connected to the network.

The military took a lesson from the so-called Morris worm, the former officer said. Only four years after the war in Yugoslavia, planners again held off on releasing a potentially virulent weapon against Iraq. In the plan to disable the Iraqi banking network in advance of the U.S.
invasion, the Pentagon determined that it might also bring down French banks and that the contagion could spread to the United States.

"It turns out that their computer systems extend well outside Iraq," a senior Air Force official told Aviation Week & Space Technology in March 2003. "We're also finding out that Iraq didn't do a good job of partitioning between the military and civilian networks. Their telephone and Internet operations are all intertwined. Planners thought it would be easy to get into the military through the telephone system, but it's all mixed in with the civilian [traffic]. It's a mess." This official said that to penetrate the military systems, the United States would risk what planners began calling "collateral computer network attack damage."

Because of the widespread damage that cyber-weapons can cause, military and intelligence leaders seek presidential authorization to use them. "They're treated like nuclear weapons, so of course it takes presidential approval," the former military officer said. McConnell, the ex-intelligence director, has compared the era of cyberwar to "the atomic age" and said that a coordinated attack on a power grid or transportation or banking systems "could create damage as potentially great as a nuclear weapon over time."

Unlike atomic bombs, however, cyber-weapons aren't destroyed in the attack. "Once you introduce them to the battlefield, it's trivially easy for the other side to capture your artillery, as it were, and then use it against you if you're not already inoculated against it, and then against other friendlies," said Ed Skoudis, a co-founder of the research and consulting firm InGuardians and an instructor with the SANS Institute, which trains government employees in cyber-security.

The risk of losing control of a weapon provides a powerful incentive not to use it. But until a new computer virus is spotted in the wilds of the Internet, no one can be certain how to repel it.
That gives every aggressor the advantage of surprise. "Why would you expect an adversary to lay their cards on the table until it counts?" said Tom McDermott, a former deputy director of information security at the NSA. "Why would you expect to have seen the bad stuff yet?"

The Case For Restraint

During his subcommittee testimony in May, Gen. Alexander was asked whether the United States needed the cyber-equivalent of the Monroe Doctrine, a set of clearly defined interests and the steps the government would take to protect them. Without offering any specific proposals, Alexander responded simply, "I do."

The Obama administration's former White House chief of cyber-security, Melissa Hathaway, has called for international cyberspace agreements. In a number of speeches in 2008 while still with the Bush administration, Hathaway proposed a Law of the Sea Treaty for the Internet, which, she said, is the backbone of global commerce and communications, just as the oceans were centuries ago.

The odds for a broad international framework aren't good, however. The Russian government has proposed a treaty limiting the use of cyber-weapons, but the State Department has rejected the idea, preferring to focus on improving defenses and prosecuting cyberattacks as crimes. Officials are also wary of any strategy by the Russian government to constrain other nations' ability to attack. In September, a panel of national security law experts convened by the American Bar Association and the National Strategy Forum, a Chicago-based research institute, concluded that the prospects for any multinational agreement are bleak. "The advantages of having a cyber-warfare capacity are simply too great for many international actors to abjure its benefits," the panel stated.

Students of cyberwar find parallels between the present day and the early 1960s, when the advent of intercontinental missiles ushered in not only the space age but also an arms race. Like outer space then, cyberspace is amorphous and opaque to most, and inspires as much awe as dread. In this historical analogy, experts have embraced a Cold War deterrent to prevent the cyber-Armageddon that military and intelligence officials have been warning about -- mutually assured destruction.

Presumably, China has no interest in crippling Wall Street, because it owns much of it. Russia should be reluctant to launch a cyberattack on the United States because, unlike Estonia or Georgia, the U.S. could fashion a response involving massive conventional force.
The United States has already learned that it makes no sense to knock out an enemy's infrastructure if it disables an ally's, and possibly America's own. If nations begin attacking one another's power grids and banks, they will quickly exchange bombs and bullets. Presumably, U.S. war planners know that. And it may be the most compelling reason to keep their cyber-weapons sharp but use them sparingly.

Mad Men vs. IEDs: Army Wants Anti-Bomb Ad Campaign in Afghanistan

By Noah Shachtman, Wired.com/Danger Room, 07 Oct 09

Improvised bombs are now the number one threat to western forces in Afghanistan, killing 36 coalition troops last month and five more just in the first week of October.

The U.S. Army is looking to battle the improvised explosive device (IED) threat with new armored vehicles, increased surveillance in the sky, and… advertising. Mad Men versus militias, if you will.

Late last month, the Information Operations division of the Army’s Combined Joint Task Force 82 sent out a call for proposals for a “comprehensive strategic marketing and information campaign” for eastern Afghanistan. “The over arching objective of this media and advertising campaign is to influence the Afghanistan people at all levels (strategic, operational and tactical) [that] will directly translate in the reduction of the number of IED devices used against the Afghanistan people and Coalitional [sic] forces.”

In his stark assessment of the Afghan war effort, top commander General Stanley McChrystal said western forces were losing the “important battle of perception” to the Taliban. Everything from a clearer message to new communications infrastructure to different actions on the ground would be needed to change things around. McChrystal didn’t say anything about a new ad campaign. But he did say that any information effort must focus on “encouraging the population to assist in countering the scourge of IEDs.”

Similarly, the Army task force is looking to put together a media campaign — on television, radio, newspapers, billboards, the interwebs, you name it — “capable of influencing and informing Afghanistan about… the necessity of public rejection of IED networks.”

The American government tried a similar approach, at the nadir of the Iraq war. The concept, as Newsweek described it at the time: a series of commercials packed with “exploding cars, flying
Matrix-style stuntmen and… messages like ‘Don’t Suicide Bomb.’” The magazine went to downtown Los Angeles, where a 120-camera shoot for the ad campaign was in progress…

At least 60 extras dressed in hijabs, kaffiyehs and polyester-wool blend slacks were herded onto the set to simulate an average shopping day. But there was hardly any Arabic spoken on this Baghdad street. Spanish, Punjabi and even Italian could be heard as extras gathered around the Kraft services table to munch on chips and guacamole. When asked if he is Iraqi, Bidkar Ramos, an extra on the set, laughs. “No, I’m Chinese and Mexican,” he says. “Like most of these people, I’m just a look-alike.”

This time around, the military expects any media firm to hire local Afghanis — at least to provide “religious and cultural subject matter expertise.” The face of the promotional push might not be actors, or even military men. Instead, the Army would like to use aid groups to get their messages across. “When applicable, the campaign will use Non-governmental Organizations (NGOs) and other private Afghani organizations as the voice for Coalition messages. NGOs may be used to endorse or sponsor TV commercials or other products,” the request for proposals states.

If it all works out, the Army may fork over additional cash for “television documentaries,” a “television series,” maybe even a “feature film.”

Why is the antiquated leaflet still a key PSYOPs tool?

By David Hambling, Wired UK, 01 October

As the Ministry of Defence investigates how a young girl in Afghanistan was killed by an RAF leaflet drop, the seemingly antiquated practice of leaflet bombing continues. In the 21st century, it remains one of the primary tools of psychological warfare: US Special Operations Command is even looking to build leaflet-carrying missiles. And while top American commander General Stanley McChrystal has virtually banned "kinetic" air strikes, paper bombs are in regular use.

According to the BBC, the leaflet box was supposed to open in mid-air, spreading pro-coalition propaganda over rural Helmand province. But the container failed to break apart, landing on top of the girl, who died later in the hospital.

Leaflets have been used by militaries since at least the Napoleonic wars, when the British navy dropped them over France using kites. And they continue to be employed, because leaflets have some advantages over other media. Radio and TV are fine if the audience happen to be tuned in at the time, but printed matter is durable. As the US Army's Psychological Operations Field Manual explains, a printed leaflet has the advantage that it can be passed from person to person without the message being altered. It can convey a complex message which can be reinforced with pictures if the recipient is illiterate. And a leaflet can be hidden and read in private, and shared around with others.

Delivery methods have ranged from artillery and mortar shells to loose airdrop by hand to "leaflet landmines."
The M129E1/E2 Psychological Operations Leaflet Bomb weighs 100kg and can disperse some 60,000 to 80,000 leaflets which are scattered by a length of detonator cord.

However, US Special Operations Command is looking for a wider range of options, and their current R&D budget calls for a "Next Generation Leaflet Delivery System," which will:

"...provide forces a family of systems consisting of unmanned air vehicles, drones, missiles, and leaflet boxes that safely and accurately disseminate variable size and weight paper and electronic leaflets to large area targets, at short (10-750 miles) and long (>750 miles) ranges. These systems can be utilised in peacetime and all threat environments across the spectrum of conflict, and are compatible with current and future US aircraft."

The fact that the commandos are seriously developing missiles to deliver leaflets shows the importance given to this mission. Hopefully, improved safety measures will mean less chance of tragic accidents. But the technology does not stop there. In addition to digital broadcast capability and advanced loudspeakers, new psychological operations tech also includes development of appropriate emerging technologies including "remote controlled electronic paper."

This sounds a lot like the video advertising inserts being pioneered by Entertainment Weekly, which includes a wafer-thin screen which plays up to 40 minutes of video. (See "video in print" in action here, featuring Tony Stark, appropriately enough.) It's like an evolution of the musical greeting cards, with added video. But the difference with the special operations version is that it is remote-controlled, so presumably new messages or video can be sent as required. The applications for such a device would be endless, and as a shiny gadget it would have a much greater chance of being picked up, retained and shown around – if it can be made cheaply enough for mass distribution.

Cyberwar Readiness Recast as Low Priority

By J. Nicholas Hoover, InformationWeek, 12 Oct 09

Preparedness for cyberwar should have a place in U.S. defense planning, but resources are better spent on bolstering potentially vulnerable infrastructure, according to think tank RAND.

The U.S. government should not make cyberwarfare a priority investment area, according to a report from public policy think tank RAND Corp. The report, which was underwritten by the Air Force, recommends that the government focus instead on shoring up defenses of critical infrastructure like the nation's telecommunications networks, banking systems, and power grid that may be vulnerable to cyber attack. "Operational cyber war has an important niche role, but only that," the report states. At best, cyberwarfare operations "can confuse and frustrate operators of military systems, and then only temporarily," the report notes. "The salient characteristics of cyberattacks--temporary effects and the way attacks impel countermeasures--suggest that they be used sparingly and precisely. Attempting a cyberattack in the hopes that success will facilitate a combat operation may be prudent; betting the operation's success on a particular set of results may not be." The report contends that unlike regular warfare, which aims to break down enemy defenses and morale to get the other side to give in, countries often respond to cyber attacks by hardening their defenses and making them less vulnerable to future attacks. "Casualties are the chief source of the kind of war-weariness that causes nations to sue for peace when still capable of defending themselves--but no one has yet died in a cyber attack," the report says. Further, cyber attacks often have ambiguous sources that make them difficult to retaliate against or could create new enemies if a source is misidentified. And they only temporarily disarm enemies, since computer equipment can easily be replaced.
The report warns that "non-state actors" could jump into the fray. However, it bases few of its conclusions on such scenarios, even though individuals or loose-knit groups tend to be the more obvious ongoing threat on the Internet. Despite warnings that cyberwar may have a limited role, the report notes that some investment is appropriate. "Operational cyberwar has the potential to contribute to warfare -- how much is unknown and, to a large extent, unknowable," it says. "Because a devastating cyber attack may facilitate or amplify physical operations and because an operational cyberwar capability is relatively inexpensive, it is worth developing." The Air Force created a dedicated cyber command earlier this year, which became operational in August. That force includes about 6,000 active duty personnel and is expected to have an annual budget exceeding $5 billion.

BULLETS AND BLOGS: NEW MEDIA AND THE WARFIGHTER

From Center for Strategic Leadership, US Army War College

An analytical synthesis and workshop report

Download at: http://www.carlisle.army.mil/DIME/documents/Bullets__Blogs_new_Media__warfighter-Web(20%20Oct%2009).pdf

The explosive growth of new media within the Global Information Environment (GIE) presents sustained challenges and opportunities for the U.S. military. In recent years, adversaries - armed with new media capabilities and an information-led warfighting strategy - have proven themselves capable of challenging the most powerful militaries in the world. The current and future geo-strategic environment requires preparation for a battlespace in which symbolic informational wins may precipitate strategic effects equivalent to, or greater than, lethal operations. In order to address these new media challenges, the U.S. Army War College (USAWC), Center for Strategic Leadership in partnership with the SecDev Group hosted a workshop entitled "Bullets and Blogs: New Media and the Warfighter." This workshop brought together leading practitioners from the Department of Defense, Department of State, Intelligence Community, and experts from academia. This report is a synthesis of workshop discussions in terms of key takeaways addressing what is required to "win" in today's operational environment, where cyberspace and new media capabilities are significant components of the battlespace.

[Ed. Note: highly recommended for download – it is just under 3Mb]
