Red storm rising
DOD's efforts to stave off nation-state cyberattacks begin with China
- By Dawn S. Onley, Patience Wait
- Aug 17, 2006
A growing band of civilian units inside China is writing malicious code and training to launch cyberstrikes into enemy systems.
And for many of these units, the first enemy is the U.S. Defense Department.
Pentagon officials say there are more than three million daily scans of the Global Information Grid, the Defense Department's main network artery, and that the United States and China are the top two originating countries.
'China has downloaded 10 to 20 terabytes of data from the NIPRNet (DOD's Non-Classified IP Router Network),' said Maj. Gen. William Lord, director of information, services and integration in the Air Force's Office of Warfighting Integration and Chief Information Officer, during the recent Air Force IT Conference in Montgomery, Ala.
'They're looking for your identity so they can get into the network as you,' said Lord, adding that Chinese hackers had yet to penetrate DOD's secret, classified network. 'There is a nation-state threat by the Chinese.'
People's Liberation Army writings in recent years have called for the use of all means necessary, including, or particularly, information warfare, to support or advance their nation's interests.
To China's PLA, attacks against DOD systems would be the first salvo in a long-term strategy to cripple the U.S. military's ability to communicate and deliver precision weapons.
A big part of the strategy is the PLA's civilian units: IT engineers drawn from universities, institutes and corporations. The PLA views these militias as its trump card and a way of asserting virtual dominance to paralyze the United States and other potential adversaries.
The U.S. military is familiar with China's approach. In fact, its own strategy in cyberspace is similar to the PLA's; the countries' doctrines and strategies almost mirror one another.
It is unclear how aggressive a posture the United States is taking when it comes to defending against cyberattacks. But DOD certainly is paying attention to China's offensive aggression, and even considering offensive actions of its own, Lord said. 'But the rules of engagement have to change before we're fully engaged in cyberspace.'
Taking advantage
The Pentagon has made net-centricity the core of its transformation into a modern military force, and it seeks ways to create a vast web of information accessible at every level of the warfighting operation, from ground troops to pilots, command staffs to logistics operations.
China, recognizing America's dominance in C4 (command, control, communications and computers), wants to disrupt or even remove that advantage, experts have said.
If the armies of bygone days traveled on their stomachs, future armies will travel on invisible threads of data.
But the concern should not be limited to DOD. All federal agencies have to be aware of the Chinese view of information warfare.
Chinese military writings make it clear that in cyberspace there are no boundaries between military and civilian targets. If crashing a country's financial system through computer attack will paralyze the foe, that's all part of the new face of war.
If DOD, the most security-conscious of all federal agencies, can be attacked, can have information stolen, then other agencies must seem like low-hanging fruit by comparison.
China is not the only country targeting DOD systems. John Thompson, chairman and chief executive officer of Symantec Corp. of Cupertino, Calif., told the audience at the Air Force conference: 'There are at least 20 nations that have their own cyberattack programs.' He said there is no way to know how many terrorist organizations have launched similar efforts.
But China (the largest country by population at 1.3 billion, third in area, and among the fastest-growing economically) gets the most attention, in part because it is the single largest source of cheap goods sold in the United States, including technology.
While Defense and Homeland Security department officials are reluctant to make pointed accusations, events in cyberspace show how the two countries are jockeying for position in preparation for 'virtual' conflict.
From at least 2003 to 2005, a series of coordinated cyberattacks hit U.S. military, government and contractor Web sites with abandon. The systematic intrusions, collectively dubbed Titan Rain, attacked hundreds of government computers.
Time magazine reported last year that the incursions originated on a local network that connected to three routers in Guangdong Province, though U.S. officials still offer only generic comments about this and other published reports about Titan Rain.
'What I can say about this is [that] we have seen some attempts at access to our network. We've seen some of that from China,' said Air Force Lt. Gen. Robert Kehler, deputy commander of the U.S. Strategic Command.
'We are seeing attacks that traversed through China. I can't say with any real assurance that that's where they start,' added Navy Rear Adm. Elizabeth Hight, deputy director of DOD's Joint Task Force for Global Network Operations.
A military attaché at the Chinese Embassy in Washington insisted that, to his knowledge, Beijing 'does not want' to use hackers to attack the United States.
'The official answer is, I have no idea about this,' said Sr. Col. Wang in a brief telephone interview.
The fallout from this cybercampaign continues among other agencies.
In June, the Energy Department revealed that names and other personal information on more than 1,500 employees of the National Nuclear Security Administration had been stolen in a network incursion that took place more than two years ago. NNSA didn't discover the breach for more than a year after it happened.
Officials would not confirm for the record that the data breach was part of Titan Rain, but Alan Paller, research director for the SANS Institute of Bethesda, Md., called it 'an example of the kind of attack and extraction that [has been] going on for the last 2 1⁄2 years.'
Also in June, hackers broke into State Department unclassified networks. In this incident, investigators believe the hackers, who they say launched the attacks from East Asia, stole sensitive information and passwords and planted back doors in unclassified government computers to allow them to return at will, according to a CNN story.
'Tip of the iceberg'
'Any average computer geek knows about spyware, viruses and the countless other hardware and software devices and capabilities that could jeopardize the security of our networks and the information they contain,' Michael Wessel, a commissioner with the U.S.-China Economic and Security Review Commission, said in May. 'These, of course, are only the tip of the iceberg.'
And DOD is not alone in trying to keep out hackers from China and other nation states.
'On the commercial side, Internet usage and broadband adoption from China has grown,' said Betsy Appleby, vice president of the public sector at Akamai Technologies of Cambridge, Mass., and former Net-Centric Enterprise Services program director at the Defense Information Systems Agency. 'Specifically considering that the Chinese government is pretty much in control, you can do the math and figure it out.'
China has existed as an identifiable society for more than 6,000 years. Its name for itself, in Chinese, is Jhongguo, or Middle Kingdom, sometimes characterized as the land below heaven but above the rest of the world.
The country has been under Communist rule for less than 60 years. The millennia-old expectation that China rules, or should rule, 'all under heaven' is a permanent subtext in the country's psyche, many Sinologists believe.
This gives the Chinese great patience; its leaders may take a decades-long view of a problem and its possible solutions.
So what the United States characterizes as attacks on its military networks could, to the Chinese, be in-depth reconnaissance.
'If you were an adversary, and you wanted to assess somebody's strengths and weaknesses, one of the ways to do it would be to probe their defenses, so you would want to take a look at their computer situation,' said John Stack, enterprise architecture and security solutions manager for Northrop Grumman Information Technology's Defense Group of McLean, Va.
For more than a decade, the Chinese military has observed how DOD is modernizing its troops and tactics. The first Gulf War was considered 'a watershed event' in terms of how the Chinese viewed future warfare, according to the Defense Department's 2004 Annual Report on The Military Power of the People's Republic of China.
'The PLA noted that the rapid defeat of Iraqi forces, which resembled the PLA at that time in many ways, revealed how backward and vulnerable China would be in a modern war,' the report said. 'The Gulf War also spurred internal PLA debate on the implications of an emergent revolution in military affairs, in which the conflict became a point of reference for efforts to build capabilities in command, control, communications, computers, intelligence, surveillance and reconnaissance, information warfare, air defense, precision strike and logistics.'
'There have been Chinese writings for over a decade regarding the People's Liberation Army studying cyberwarfare and evolving concepts toward development of information warfare doctrine,' said a Defense Intelligence Agency spokesman.
Perhaps one of the most important milestones was the 1999 publication in China of Unrestricted Warfare, a book authored by two colonels in the PLA, that was generated by the PLA's observations on Desert Storm. The CIA's Foreign Broadcast Information Service obtained and translated it, and it can now be found on the Internet.
'The new principles of war are no longer 'using armed force to compel the enemy to submit to one's will,' but rather are 'using all means, including armed force or nonarmed force, military and nonmilitary, and lethal and nonlethal means to compel the enemy to accept one's interests,' ' the colonels wrote.
The book argues that the spread of IT and access to the Internet has removed traditional boundaries and expanded the arena beyond traditional warfighters.
'[T]his kind of war means that all means will be in readiness, that information will be omnipresent, and the battlefield will be everywhere,' the colonels wrote. It 'also means that many of the current principles of combat will be modified, and even that the rules of war may need to be rewritten.'
The DIA spokesman said a Chinese major general recently described information warfare 'as containing six elements in its application: operational security, military deception, psychological warfare, electronic warfare, computer network warfare and physical destruction.'
Getting the edge
The PLA's new information warfare focus illustrates a growing recognition that cyberattacks launched against the U.S. military could give China a decisive advantage in the event of a crisis.
One such crisis scenario, according to people who have studied the issue, would be the prospect of American intervention to aid Taiwan in the event of an attack from China. A 1979 law requires the United States to defend the island nation from attack.
Chinese leaders have a conundrum of their own: how the People's Liberation Army can move against Taiwan but forestall U.S. action long enough to make it a fait accompli.
'For the PLA, using [information warfare] against U.S. information systems to degrade or even delay a deployment of forces to Taiwan offers an attractive asymmetric strategy,' wrote James Mulvenon in 1998. Mulvenon is deputy director for advanced analysis at the Defense Group Inc.'s Center for Intelligence Research and Analysis in Washington, and widely regarded as one of the foremost authorities on the Chinese military's use of IT.
'American forces are highly information-dependent and rely heavily on precisely coordinated logistics networks,' he wrote. 'If PLA information operators ... were able to hack or crash these systems, thereby delaying the arrival of a U.S. carrier battle group to the theater, while simultaneously carrying out a coordinated campaign of short-range ballistic missile attacks, 'fifth column' and [information warfare] attacks against Taiwanese critical infrastructure, then Taipei might be quickly brought to its knees and forced to capitulate to Beijing.'
This is the role of information warfare, many experts now believe: Cyberattacks on military C4 systems will amplify the effects of kinetic weapons, to bring matters to a swift conclusion with a minimum of bloodshed.
Rear Adm. Hight, of JTF-GNO, said DOD is taking note of the incursions and data extractions, and looking at the department's defensive measures.
'Our daily efforts are all about assessing and mitigating risks. We are students of Sun Tzu and other philosophical thinkers who have a wonderful way of capturing warfighting concepts,' Hight said. 'The key to this type of warfare is just what you might think of as traditional warfare. You can't forget the foundations. You can't forget the basics. The cyberworld relies, in many cases, on foundational concepts in terms of how you protect it.'
America's standing as the current sole superpower is a source of internal conflict for Chinese policies, said James Gilmore III, former governor of Virginia and now with Kelley Drye Collier Shannon's Homeland Security Practice Group, a Washington law firm. He was chairman of the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction, created by the Clinton administration in 1999.
'An adversary or partner of the U.S. ... They are prepared to be either one,' Gilmore said.
Should its leaders feel it is in their interests, China would seek to 'disrupt the DOD's capacity to communicate overseas and maneuver their people,' he added.
Cortez Cooper III, director of East Asia Studies with Hicks and Associates Inc., a defense and national security consulting company in McLean, Va., told the U.S.-China Commission that the Chinese understand their military focus must use niche capabilities to counter the moves of a technologically superior adversary that might challenge their interests.
Rehearsing both roles
To address the cybersecurity threat, DOD and intelligence officials are playing both offensive and defensive roles.
Pentagon officials acknowledge DOD is developing capabilities to deny an adversary the use of its own computer systems to attack U.S. computer networks.
JTF-GNO is tasked with operating and defending the GIG, while the National Security Agency has the responsibility for the 'nondefensive parts of operations in cyberspace,' according to Army Maj. Gen. Dennis Moran, vice director for command, control, communications and computer systems for the Joint Chiefs of Staff.
As 'part of a good defense, and I don't care if you're defending a forward operating base in a country, or no matter what it is physically, you do a very good analysis of what your vulnerabilities are. And there have been analyses within the department to determine what we need to protect and how should we prioritize our resources,' Moran said.
'The resources required to provide that defense are being allocated against those priorities,' Moran said. 'Now, I'm certainly not going to talk about those in detail, because that would certainly be an opportunity to tell someone these are what we are concerned about.'
But Moran did talk about the protocols DOD has been working on to improve its network security posture.
'If you look at the whole net-centric strategy that we have in the DOD, the focus is, first of all, identify your data, then appropriately tag that data so it can be made available to other people who are authorized users,' Moran said. 'We are putting in place a service-oriented architecture across the GIG which is able to find, locate and securely move that data to an application. Security is a critical tenet to this whole architecture, because if you're doing business one way and (another agency) is doing business another way, we are creating seams that an intruder can take advantage of.'
Kehler said DOD officials also are mandating full public-key infrastructure implementation for user authentication, requiring automated patch management and looking in the mirror to increase the department's defensive position.
'We're looking at ourselves pretty hard to understand where our vulnerabilities are,' Kehler said. 'Sometimes we find that our worst enemy in protecting our information is ourselves. In order to make things better faster, sometimes our people leave doorways open into our network.'
The key to closing those doorways is a layered defense-in-depth strategy, Hight said.
'We don't have a single approach. We're trying to protect the house by locking the doors, locking the windows, making sure wires that come in and out of the house are protected,' Hight said. 'Our organization is very transient, so as we get systems administrators moving around the world, we want to make sure they know they have a consistent and well-defined set of procedures that they adhere to and provide consistent protections for the network.'
To accomplish this, JTF-GNO is looking at the best way to train Defense employees on cybersecurity mechanisms, what types of protective software to employ and how to standardize processes.
Additionally, Hight said, the organization soon will release a Network Operations Concept of Operations (Netops/Conops) document, which will detail for military personnel how to secure their systems.
Hight said the document describes three basic concepts that make up the department's larger doctrinal view:
- Ensuring systems and networks that deliver information are available
- Ensuring information can move freely from one point to another
- Ensuring information is protected at the right level
'When you go to Amazon.com, you can see what Amazon chooses for you to see, their book titles and other information. You can't see Amazon's financial information, because they mask that from you,' Hight said. 'So the protection of information might be something as simple as where you put that information and [whom] you make that available to.'
The exploitation of network weaknesses doesn't mean that more traditional forms of espionage targeting cyberassets can be overlooked. For instance, in August 2001, U.S. Customs officers arrested two men for trying to export military encryption technology to China.
What's a real threat?
Four months earlier, enraged Chinese hackers had defaced dozens of U.S. military Web sites following the collision of a U.S. surveillance plane and a Chinese fighter plane. The Chinese pilot died as a result of the accident.
Is that kind of threat, whether from China or another country, real?
John Hamre, president and chief executive officer of the Center for Strategic and International Studies, believes so. He served in the 1990s as comptroller, then deputy secretary of Defense.
'I was so deeply involved in cybersecurity issues when I was the deputy secretary, but have not been involved in these issues since,' he said. 'I continue to believe that cyberthreats will overwhelmingly be from competent national state security elements, and that intelligence is the higher goal, not disruption.'
Still, Donavan Lewis, chief of the Defense Intelligence Agency's threat analysis division, wants the United States to think more about long-term trends.
'China has shifted its dependence away from the United States to [countries such as Malaysia and South Korea], while our dependence on them has grown,' he said during a Defense conference in Salt Lake City in May. 'We've got to adjust our thinking, our calculus about how we put together a system of systems.'
He admits to being worried about the possibility that 'subversive functionality could be embedded' in technology.
'The Defense acquisition community is not used to thinking of itself as part of computer security,' he said.