Ashridge

Virtual Learning Resource Centre

Information warfare: How to survive cyber attacks

by Michael Erbschloe, Osborne/McGraw Hill, 2001.

Abstract

This book examines the unthinkable damage to an economy which could be inflicted by hackers employed on a concerted basis by terrorist bodies. Proposals are offered for companies and governments to work together to develop a concerted defence strategy.

(Summarised by Kevin Barham in January 2001)

(These book reviews aim to represent some of the key aspects of what the author has written. They do not necessarily represent the views of the reviewer or of Ashridge. Equally the author of the book reviewed must not be held responsible for any misperceptions of the reviewer.)

We are more than ever aware of the damage that a small group of terrorists can do to an advanced economy through violent and dramatic attacks on its physical assets. But imagine what would happen if they acquired the high-tech skills that enabled them to launch a concerted attack on the economy's virtual assets: its communications and information infrastructure.

In today's electronic age, warns Michael Erbschloe, the threat of cyber attacks is great. Almost anyone can now launch an information warfare attack. For any organisation with information-based assets, the deadliest weapons can come in the form of a keyboard, mouse, or personal computer. With hacking attacks and computer-based crimes increasing both in frequency and in degree of seriousness, it is clear that information warfare is real and companies must protect themselves in order to survive. It is also clear that they will need to change some of their thinking if they are to defend themselves. The problem is that most IT professionals have grown up in a post-cold-war environment. They do not expect war and they are not prepared for it. The result, says Erbschloe, is that private firms are dangerously complacent about the threat of information warfare. But they need to be paranoid about it because one thing is certain, information warfare is going to happen.

Erbschloe is an American security expert and information technology consultant, famous for his analysis of the 'Love Bug' virus of May 2000 which hit 55 million computers and caused hundreds of large companies, government organisations and educational institutions to shut down their email systems. The virus may have caused $8.7 billion of economic damage before it was contained.

Erbschloe calls the Love Bug a wake-up call to the corporate world. In his book, he explores the impact of information warfare and the disruption and damage it can do to governments and corporations. By way of illustration, he describes a chilling 'electronic doomsday scenario' where a small group of people cause millions of dollars worth of economic destruction electronically. In the scenario, ten highly computer-literate but disaffected people (with code names like 'High-Tech Tonya' and 'Bit Biter') from different parts of the world get to know each other through the internet and conspire to cause massive global economic damage in just two weeks. Erbschloe calls the scenario 'PH2', for Pearl Harbour Two. (Or should it be PH3 after 9/11?) He points out that all of the tricks, hacks, and bugs used by the PH2 team are already proven tactics and techniques. It is just a matter of how they are put together in combination, sequence, and frequency that makes the difference between mischief and war.

The very success of the internet is what makes internet-connected organisations more vulnerable to terrorist attacks and economic espionage. For corporations, terrorists and rogue criminals are the major information warfare threat of the future. The terrorist loves headlines and drama, and strives to make people fearful while simultaneously embarrassing one or more governments in the process. The rogue loves money and would rather hide than fight. He is motivated by wealth, not fame, and certainly not by religious salvation. Both terrorists and rogues will attack what is easy. Electronic commerce companies and financial institutions remain very easy targets compared to military communications systems, and the relatively well-guarded utility grid and telecommunications infrastructure (in the USA, that is).

Erbschloe tells us that we need to take a much wider view of information warfare, including the role of business organisations and how they should protect themselves. He outlines ten possible information warfare strategies, including both offensive and defensive variants. The tactics of each one are very similar. What differentiates them are the purpose of the fight and the philosophies and motivations of the fighters. At one end of the spectrum is offensive ruinous information warfare - 'an organised, deliberate military effort to totally destroy the military information capabilities, industrial and manufacturing information infrastructure, and information technology-based civilian and government economic activities of a target nation, region, or population'. At the other end is amateur rogue information warfare - 'the sporadic efforts of untrained and non-aligned individuals or small groups against the military, industrial, civilian, and government information infrastructures or activities of a nation, region, population, or corporate entity'.

Each of the ten categories of information warfare has a price tag for the perpetrators. Offensive ruinous information warfare is extremely expensive and can only be implemented by a nation that is willing to spend a massive amount of money to develop methods and train the many people necessary to implement the strategy. Amateur rogue information warfare is by far the least expensive type of information warfare. A computer, a modem, and an internet access account are all it takes to get started. The biggest problem with the amateur rogue, however, is that it costs as much to defend against them as it does to defend against an organised terrorist information warfare force.

Corporations do need to be concerned about large-scale offensive ruinous information warfare in widespread conflicts that might get out of hand. However, the most likely immediate threats to corporate operations outside of organised conflicts are random terrorist information warfare, sustained rogue information warfare, random rogue information warfare, and amateur rogue information warfare. The most vulnerable corporations are those that are heavily involved in and derive the majority of their revenues from electronic commerce, i.e. dot-coms.

Erbschloe believes that industrialised computer-dependent nations need to develop and implement an information warfare defence strategy. This requires the establishment of an integrated defence structure that delineates responsibility across military, civilian government, law enforcement, and private sector organisations. The role of the private sector here takes two major forms. First, companies that are involved in the development, production, and sale of information technology and services must co-operate with civilian law enforcement agencies and military organisations by reporting suspicious behaviour and incidents to the organisations that have responsibility for national defence. In addition, technology producers need to provide a continuous flow of information about known and suspected weaknesses and faults in their products. They must also report incidents and trends in system attacks to help provide early warnings and enable information warfare defenders to prevent larger-scale attacks. Erbschloe recognises the dilemmas posed for firms by these requirements. Most technology producers would be reluctant to admit their systems have weaknesses and faults. Nor would they want adverse publicity that could affect revenues and stock prices. This will be a tricky area to negotiate.

Although governments will expect corporations to co-operate in national strategies, firms (especially those with no business links to the military) may find themselves on their own when it comes to dealing with lower-level attacks. In the past, private firms have focused their systems protection efforts on preventing intrusion, misuse, fraud, and abuse. They now need to view their efforts in a broader context. For example, they should now be seeking to integrate communications and computer security efforts with overall corporate security approaches. Importantly, security developers should recognise that attackers might have supporters inside the organisations they attack (as in the PH2 scenario), so systems protection, says Erbschloe, means more than just 'keeping the hordes from breaking down the gates'.

There has been a move towards enterprise-wide, highly integrated information systems, partly inspired by the trend towards the globalisation of business. The idea of these systems is that they allow everyone in the organisation, regardless of location, to work on the same platform, access the same data sets, communicate with peer groups and teams, share resources, and collaborate across the organisation to leverage all of the intellectual and management assets of the enterprise.

The business logic is impeccable but in the era of information warfare these global systems potentially have a big downside. They may make a company's operations run smoother, but they are also, says Erbschloe, 'an information warrior's dream come true'. When they are designed to support a global organisation with operations on all continents and in multiple countries, they create numerous entry-ways which can be exploited by enemies well before any security alarms are set off. The development of supply chain systems, enterprise resource planning systems, integrated accounting systems, and management decision systems is setting the stage for easier attacks on corporate systems. Add to these trends the use of the internet as a corporate communications tool and customer service access route, and the typical corporation has become a very inviting opportunity for terrorists and rogue criminals.

Companies may also get caught in the crossfire if a country in which they have operations becomes the target of an information warfare attack. Malicious code or virus attacks on local systems could affect the whole global corporate system. Intellectual property and trade secrets relating to the local operations, manufacturing processes, or products of the global corporation could also be compromised. To protect themselves, corporations should be prepared to sever connectivity with systems in the attacked nation to minimise penetration into global systems and to stop the movement of malicious code. They should ensure that all people with access to country systems have had adequate security checks. They also need to have in place alternative communications systems that will enable global managers to maintain contact with local personnel in the event of an attack and to monitor the impact.

Erbschloe believes that there is a high probability of random and sustained terrorist information attacks. This is because the next generation of terrorists is likely to be far more computer-literate. The internet provides opportunities for terrorists to access systems around the world without incurring the expense of travel or recruiting and training local operatives to strike targets. Terrorists are also realising that, if they want to achieve high economic impact, it is more effective to damage communications and computer systems than to use car bombs that cause damage only to relatively small areas. And not all terrorists want to take part in suicide missions. They will find information warfare strategies a far more attractive alternative. Also, the more countries global corporations do business with, the more enemies they will likely have. The only safe assumption they can make is that they will someday face terrorist attacks on their information systems.

What can firms do to protect themselves? Erbschloe sets out some steps they should take. For example, security staff in these firms should assemble information that can help track the sources of terrorist attacks and identify the individuals involved. They should maintain a list of people or organisations suspected of attacking corporate information systems or other property in the past, and keep on file as much information as possible about the attacks or the individuals responsible for them. Just as competitive intelligence has become a corporate imperative, it now seems that information warfare intelligence is another new task for the firm to take on.

The rogue criminal - random or sustained - is another new information warrior who has the ability to break into computer systems to deliberately damage or steal information or money. Their motivations and goals are different from terrorists'. They do not work for glory or patriotism; they work for money and have a wide variety of objectives. These include stealing money by manipulating databases or computer-based records, stealing financial tools like credit card and bank account numbers, making fraudulent transfers of cash, bonds, or stocks, or obtaining trade secrets and business plans.

As with terrorists, rogue criminals may work from both inside and outside the company. This means corporate security should run routine background checks on individual employees who have access to information systems, especially those with high-level skills who are readily capable of working with rogue criminal groups or individuals. Employees who have remote access to corporate systems should be thoroughly briefed on the steps they must take to ensure that passwords and other information about corporate information systems are not deliberately or accidentally compromised. Security departments should maintain a list of individual criminals or criminal organisations that are suspected of stealing or trying to steal corporate information or assets.

A further threat comes from amateur rogue information warfare. This comprises sporadic efforts of untrained and non-aligned individuals or small groups against the military, industrial, and civilian and government information infrastructures or activities of a nation. Amateur rogues have various skill levels, ranging from the beginner to highly-skilled computer professionals. Erbschloe tells us that amateur rogues need to be taken seriously in the fight against information warfare attacks for many reasons. First, although amateurs are not paid for their work and are not aligned with any political group, they can inflict serious damage on information systems. Second, amateurs like to brag about their exploits and, to show proof of their conquest, tend to post information about how they hacked into systems on various websites that are used for sources of information by rogue criminals, terrorists, and the information warriors of less than friendly nations. Third, once amateurs refine their skills, they can turn to professional crime and become members of the rogue criminal or terrorist information warrior class.

Companies need to take the actions of any intruder or saboteur seriously and should respond to what they may think is an amateur attack in the same way as they would any other attack. Prudence demands that all attackers be treated as a serious threat. The same level of diligence must be maintained when the company is investigating an attacker and the same level of co-operation must be maintained with law enforcement authorities, regardless of whether the attacker is viewed as an amateur or a terrorist.

There are certainly many pitfalls in dealing with amateur information warriors. When it turns out to be a 14-year-old hacker that you are prosecuting, you can meet with a lot of public scepticism. If the amateur attacker is a juvenile, the public relations department of the company should assign staff to deal with media inquiries and work to mitigate any possible bad press that arises. It is important to reinforce the importance of the case to anyone in the corporation who may be involved. So often, says Erbschloe, there is an attitude of soft-heartedness that sets in once it is discovered that the perpetrator is a juvenile.

Erbschloe's book paints a frightening picture. One of the worrying aspects is the suspicion with which he recommends firms should treat their employees. The reality of information warfare, however, is that, more than in any war in the past, distant targets can be hit and damaged without sending vast armies and navies around the world to invade a foreign land. The global communications infrastructure has put every corporation on an enemy's map as a potential target for an information warfare attack. According to Erbschloe, no company is safe. To hope that information warfare does not come and so not prepare for it is foolish.
