Friday, August 31, 2007

Cyber terrorism--The dilemma

As attacks increase, U.S. experts struggle to keep the virtual domain open yet secure

Havoc

The potential devastation from a cyber attack could equal the damage from a weapon of mass destruction.

* The possible consequences keep the director of national intelligence "up at night."

* Officials fear encryption and codes are becoming less effective defenses.

* The new National Cyberspace Response System is beefing up its threat analysis and incident response system.

* One roadblock: Quickly obtaining access approval from civil authorities.

Cyberspace is the virtual space where communications and computers operate, but there is nothing virtual about the imminent threat it poses to military and intelligence communities.

Cyberspace provides a medium for organized attacks on U.S. infrastructure from a distance, and enables attackers to cover their identity, location and method of attack. And as the sophistication and availability of cyber technologies grow, so does the concern of senior U.S. officials about the potential devastation a cyber attack may pose.

In fact, this worry keeps Mike McConnell, director of national intelligence, "up at night."

The damage likely to be wrought by a cyber attack is comparable to an attack on U.S. interests by a weapon of mass destruction, McConnell said at an April government employee conference in Washington, D.C.

To build an effective national cyberspace response system, the Department of Homeland Security (DHS) and Department of Defense (DoD) are engaging in unprecedented information sharing and coordination among dozens of federal agencies to work with public, private and international entities to secure cyberspace and, in consequence, America's cyber assets.

Monitoring the cyber domain creates a paradox for government authorities.

"Information is considered power, and power is not something to be yielded freely," John G. Grimes, assistant secretary of defense for networks and information integration, told the House Armed Services Committee March 28. "To operate our enterprise network we must ensure that data is accessible, reliable and available whenever and wherever it is needed - while at the same time protecting our network against an adversary who is determined to exploit the cyberspace arena."

"It's a growing threat every day in the cyber domain," Navy Rear Adm. Kendall Card, director of Command and Control Systems for the North American Aerospace Defense Command (NORAD) and U.S. Northern Command (NORTHCOM), said at the Navy League's Sea-Air-Space Exposition last month. "Plain hackers and folks from outside our country are definitely interested in gaining information from our networks."

Though the bulk of cyber assaults are against commercial interests, an increasing number of attacks against government networks are shedding light on the lethal effects virtual tools could have in the physical world. Although financial consequences are the most immediate and observable impact of cyber assaults, McConnell said, "the right time, right place, right reason" for a cyber attack on national security would have an even more "overwhelming and devastating impact."

NORTHCOM and NORAD are partnering with the Coast Guard, National Guard and other military agencies to track cyber attacks as they relate to potential kinetic attacks.

Similar to police sting operations, all agencies have contributed cyber security experts to monitor and investigate minor cyber incidents, look for trends or patterns, and determine the intention of cyber attackers, their identity and purpose for exploiting cyberspace in relation to national and homeland security.

But a key limitation to predicting and preventing cyber incidents is the relative nascence of the cyber domain and the sensitivity of information gathering. Much of the research and trend analysis is classified, but a senior intelligence official, speaking to Seapower on the condition of anonymity, said encryption (protecting data with passwords and hard-to-decipher codes) is the primary method used to prevent cyber attacks.

The frequency of attacks on government networks is increasing exponentially, the official said, and "the sheer quantity and diversity of attacks" makes encryption techniques less effective than tracking and backing up information to provide a timely response option to the modern cyber threat.

The uniqueness of tracked attacks creates multiple dilemmas for federal authorities trying to patrol the cyber domain. Military authorities are primarily concerned about highly coordinated and organized attacks capable of destroying the nation's critical infrastructure and national security. The official said the ability of a cyber attacker to carry out such an attack requires extremely high technical sophistication.

"This is an area where things are changing day to day," he said. "We need to keep it classified because when we know about vulnerabilities they're used against us."

Take, for instance, the April conviction of former Navy contractor Richard Sylvestre, who programmed and launched malicious code to shut down the Navy's Naples, Italy, command center last May.

Disgruntled by the rejection of his proposal to provide network administration services for the Navy European Planning and Operations Command Center, Sylvestre, according to court documents, sabotaged the center's network, causing three computers to shut down before an administrator prevented the attack from reaching two other computers.

Sylvestre's code targeted computers used to monitor locations of ships, submarines, cargo and underwater obstructions. Though his actions caused no injuries, a large-scale cyber attack on the maritime domain command-and-control infrastructure could cause vessel collisions, jeopardize secure communications between ships or, ultimately, provide the opportunity for kinetic attacks to be waged on military or civilian populations.

DHS and DoD are combining efforts to "think ahead" on cyber security for government networks, but attacks on civil and commercial networks have a profound effect on national security and government operations, said Rich Affeld, NORTHCOM deputy director for information and operations.

DHS stood up its National Cyber Security Division to protect cyber infrastructure. The division has two overarching objectives: to build and maintain a cyber response system and implement a cyber-risk management program for protection of critical infrastructure.

The division created the National Cyberspace Response System for around-the-clock coordination of leadership, processes and protocols to determine the federal response as cyber incidents arise.

Key resources include a cyber preparedness and alert system, which lets computer users receive current information about patches and solutions to exploitable vulnerabilities in their systems; an operations program responsible for analyzing and reducing cyber threats by disseminating information and coordinating response activities; and a Cyber Cop Portal, which coordinates with law enforcement to capture and convict those responsible for cyber attacks. More than 5,300 investigators worldwide use Cyber Cop.

Additionally, the cyber security division has included 13 federal agencies to act as a principal mechanism for cyber incident response. In the event of a cyber attack disrupting national infrastructure, this group will lead federal coordination, including information dissemination, law enforcement and the intelligence community, Affeld said.

A cyber attack would cascade across the economy and imperil public safety, according to Crosscutting Programs, a perspective paper analyzing President Bush's 2008 budget proposal. As technology advances for the sake of efficiency, the vulnerabilities available for exploitation also increase, the paper said.

The present problem in mitigating the impact of cyber attacks is "we know we're going to be late," Affeld said. "We can't do anything to respond to attacks without the appropriate permissions from civil authorities.

"The military doesn't have any responsibility for civil or commercial networks, even though it's our backbone," he said.

Data Mining: Digging Deep To Thwart Terrorism

The use of data mining reportedly helped unmask a terrorist leader months before 9/11, but there are concerns about coordination and privacy

26 Terabytes of Data

The Navy mines large volumes of data each day, but converting it into intelligence is still the work of human analysts.

* New software tools cannot determine the significance of data.

* An executive office to foster coordination among data mining programs could be helpful.

* Coming soon: Project Rockwell will plumb the depths of news reports.

Recent reports by The New York Times and Fox News that the Pentagon identified 9/11 ringleader Mohammed Atta as part of a U.S.-based terrorist cell months prior to the attacks on Washington and New York have sparked new interest - and controversy - about the Defense Department's relatively nascent abilities to assess huge volumes of data for patterns of behavior that are indicative of terrorists and their activities.

According to press reports, Atta was identified in early 2000 by several military officers, including Navy Capt. Scott J. Phillpott, who managed a Pentagon program called "Able Danger" that employed an analytical process called "data mining." The process allows intelligence analysts armed with specially designed software to aggregate multiple data sources, such as lists of terrorists and decades of reporting by the Associated Press, and search for specific patterns of behavior, anomalies and relationships. The findings become the basis for refined analyses by intelligence specialists.

The New York Times reported in August that Defense Department lawyers forced three meetings to be canceled where military officials involved with "Able Danger" were to report Atta's name to the FBI after the program identified him. These claims have not been confirmed by the Pentagon.

U.S. Rep. Curt Weldon, R-Pa., who arranged a meeting between the news agencies and Phillpott, released a statement in late August describing the program's objective as "to identify and target al Qaeda on a global basis, and, through the use of cutting-edge technology ... to manipulate, degrade or destroy the global al Qaeda infrastructure."

After the public speculation about "Able Danger," the 9/11 Commission stated Aug. 12 that it had learned about the program in October 2003. Initial informants did not mention Atta or any other future hijackers. In July 2004, a different informant knowledgeable about "Able Danger" told the Commission he had seen Atta's name and photo in another analyst's notes. However, this informant was not able to substantiate that assertion to the satisfaction of the Commission, and "Able Danger" was not mentioned in the Commission's final report.

The alleged identification of Atta has attracted high-profile attention to the potential of data mining technologies and processes as intelligence tools. However, the usage and processes of data mining remain relatively immature in the military arena.

One official told Seapower that coordination of data-mining efforts and requirements between federal agencies should be much improved. Also, implementation and oversight issues remain a key challenge in balancing the use of data-mining tools with privacy concerns.

Data mining is not new. Industry has reaped benefits from it in sectors such as health care, insurance and banking. But the lack of coordination between government agencies sometimes creates barriers that prevent valuable intelligence from reaching the proper authorities.

At the forefront of acquisition and development of Navy data-mining tools are the Space and Naval Warfare Systems Command, the Naval Research Laboratory and the Office of Naval Intelligence (ONI). There is little to no coordination between these commands to acquire data-mining tools in concert, a Navy official said, adding that one of the biggest problems with Navy data-mining tools is the number of various commands working on acquiring these tools, "some of which overlap, and it's not always as well coordinated as it could be."

The official suggested establishing a maritime domain awareness program executive office as a means to "deconflict" some of the divergent acquisitions of data-mining tools between commands, which lead to conflicts in data and hardships in comparing data sets. As reported by David Munns, the Navy had no comment on the plausibility of this suggestion.

"There have been times where ONI needed information that existed in other agencies' data sources" and it was not available, the Navy official said. "It's certainly not seamless and it's not as well integrated as it could be. Today, there are still lots of places where things can fall through the cracks and where connections might not be made.

"For example, there is not a single source of, or a single list of, terrorists" that all intelligence commands share, the official said. "If someone boards a ship in the Mediterranean and gets a crew list of people who are on that ship and that ship's en route to the United States, we can take that crew list but we have to run it against multiple lists to see if anybody who's on that ship pops up as a bad guy. ... It could be easy to not check against somebody's database."
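The crew-list check the official describes, written out as an added example (not from the article and not any Navy or ONI system): every agency's list is merged into one index before the crew list is run against it, so no database is skipped, and names are reduced to a canonical form so that case, accents, stray whitespace and "Surname, Given" ordering cannot hide a hit. The agency names, list entries and crew names are constructed placeholders.

```python
"""Added example (not from the Seapower article or any Navy system): screening a
boarded vessel's crew list against several agencies' watchlists at once, so that
no list is skipped. Names are reduced to a canonical form before comparison so
that case, accents, extra whitespace and "Surname, Given" ordering cannot hide a
hit. All list names and crew names below are constructed placeholders."""
import re
import unicodedata

# Constructed watchlists from two hypothetical agencies (names are invented).
WATCHLISTS = {
    "agency_one": ["Andrés Fictional", "Bertram Sample"],
    "agency_two": ["PLACEHOLDER, Carla", "Dieter Testcase"],
}

# Constructed crew list as it might be copied off a boarded ship: inconsistent
# case, stray whitespace, accents dropped, and one name in different word order.
CREW = ["andres FICTIONAL", "Carla Placeholder", "Erik Crewman", "Bertram   Sample"]


def canonical(name):
    """Reduce a name to a sorted tuple of lowercase ASCII tokens.
    NFKD decomposition plus dropping combining marks turns 'Andrés' into 'Andres';
    casefold removes case; regex tokenising drops commas and collapses whitespace;
    sorting makes 'PLACEHOLDER, Carla' and 'Carla Placeholder' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = re.findall(r"[a-z]+", ascii_only.casefold())
    return tuple(sorted(tokens))


def build_index(watchlists):
    """Merge every list into one lookup: canonical name -> set of list names."""
    index = {}
    for list_name, names in watchlists.items():
        for name in names:
            index.setdefault(canonical(name), set()).add(list_name)
    return index


def screen(crew, watchlists):
    """Return {crew name: sorted watchlists it matched}, only for names that hit."""
    index = build_index(watchlists)
    hits = {}
    for person in crew:
        sources = index.get(canonical(person))
        if sources:
            hits[person] = sorted(sources)
    return hits


if __name__ == "__main__":
    # Checking only one agency's list misses Carla; the merged index does not.
    print("one list :", screen(CREW, {"agency_one": WATCHLISTS["agency_one"]}))
    print("all lists:", screen(CREW, WATCHLISTS))
```

Running the block prints the hit set twice: once against a single agency's list, which misses one crew member, and once against the merged index, which catches all three. The canonical form is deliberately lossy (hyphens and name order are discarded); a production screener would add phonetic or edit-distance matching on top, but the point here is that the check runs against every list, every time.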

ONI shares a working relationship with Naval Networks Commander Vice Adm. James McArthur, who wears a lesser-known hat as the assistant chief of naval operations for Information Technology. McArthur's office provides oversight and guidance to validate ONI's information technology spending on tools such as data mining.

McArthur's office was reluctant to discuss these tools because of the "Able Danger" controversy, citing their immaturity and the relative lack of "concrete" examples of how they can be used successfully, according to a Navy spokesperson.

Several experts told Seapower that data mining is destined to be a valuable asset in the war on terror, but should be viewed as a capability with advantages and limitations rather than a cure-all for the nation's growing intelligence requirements.

Jeffrey W. Seifert, an analyst in information science and technology policy for the Resources, Science and Industry division of the Congressional Research Service, released an overview of data mining last December. The report points to a limitation in data mining as being unable to determine the value or significance of intelligence. It also mentions an inability of data-mining tools to determine causal relationships.

"For example, an application may identify that a pattern of behavior, such as the propensity to purchase airline tickets just shortly before a flight is scheduled to depart, is related to characteristics such as income, level of education and Internet use. However, that does not necessarily indicate that the ticket purchasing behavior is caused by one or more of these variables," the report states.

Regardless of the particular data-mining tool or its limitations, the first step in data mining is to concentrate data into a single, normalized architecture or data model. That can be done physically, by moving all the data into a common store, or "data warehouse," where ambiguities can be resolved, or the sorting can be done automatically by software. For example, if one set of data is recorded in meters and another in feet, the data-mining process first converts them so that when the tools are run against the data set they produce a consistent outcome. Once data is normalized, the tools scan through it and create a statistical model.

Data-mining tools look through the existing data and identify patterns. From those patterns, anomalies, or out-of-place data patterns, are recognized and then analyzed. One notable outcome from the analysis of these patterns is the ability to make predictions about what is missing in the data, or what elements of data are not included.
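The pipeline the two paragraphs above describe, carried through as an added example on constructed vessel-track records (this is not code from the article or from any Navy or ONI tool; the record fields, unit mix and all values are invented): normalize two feeds that report draft in different units onto one data model, build a statistical model from a baseline of routine tracks, flag new records that fall outside the norm, and predict a missing field from the model.

```python
"""Added example (not from the article or any Navy or ONI tool): the pipeline the
text describes, on constructed vessel-track records. Two feeds report a ship's
draft in different units, so step one maps every record onto one data model
(draft in metres). Step two builds a simple statistical model (per-field mean and
standard deviation) from a baseline of past records. Step three scores new
records against that model and flags values outside the norm, and step four
predicts a missing field from the model. Field names and all values are invented."""
from statistics import mean, pstdev

FEET_PER_METRE = 3.28084
FIELDS = ("speed_kn", "draft_m")        # assumed fields of the common data model

# Constructed baseline of routine container-ship tracks; two arrive in feet.
BASELINE = [
    {"vessel": "MV ALPHA", "speed_kn": 12, "draft": 9.0, "draft_unit": "m"},
    {"vessel": "MV BRAVO", "speed_kn": 13, "draft": 31.17, "draft_unit": "ft"},
    {"vessel": "MV CHARLIE", "speed_kn": 14, "draft": 10.0, "draft_unit": "m"},
    {"vessel": "MV DELTA", "speed_kn": 13, "draft": 9.5, "draft_unit": "m"},
    {"vessel": "MV ECHO", "speed_kn": 12, "draft": 29.53, "draft_unit": "ft"},
    {"vessel": "MV FOXTROT", "speed_kn": 14, "draft": 10.0, "draft_unit": "m"},
    {"vessel": "MV GOLF", "speed_kn": 13, "draft": 9.5, "draft_unit": "m"},
    {"vessel": "MV HOTEL", "speed_kn": 12, "draft": 9.0, "draft_unit": "m"},
    {"vessel": "MV INDIA", "speed_kn": 14, "draft": 10.0, "draft_unit": "m"},
    {"vessel": "MV JULIET", "speed_kn": 13, "draft": 9.5, "draft_unit": "m"},
]

# Constructed incoming reports: one routine, one implausibly fast, one riding
# far too high in the water, and one with the draft field missing entirely.
NEW_REPORTS = [
    {"vessel": "MV KILO", "speed_kn": 13, "draft": 31.2, "draft_unit": "ft"},
    {"vessel": "MV LIMA", "speed_kn": 40, "draft": 9.5, "draft_unit": "m"},
    {"vessel": "MV MIKE", "speed_kn": 13, "draft": 4.0, "draft_unit": "m"},
    {"vessel": "MV NOVEMBER", "speed_kn": 12, "draft": None, "draft_unit": "m"},
]


def normalize(record):
    """Step 1: map a raw record onto the common model, converting feet to metres."""
    draft = record["draft"]
    if draft is not None and record["draft_unit"] == "ft":
        draft = draft / FEET_PER_METRE
    return {"vessel": record["vessel"],
            "speed_kn": float(record["speed_kn"]),
            "draft_m": draft}


def build_model(normalized):
    """Step 2: per-field (mean, std) over the baseline, ignoring missing values."""
    model = {}
    for field in FIELDS:
        values = [r[field] for r in normalized if r[field] is not None]
        model[field] = (mean(values), pstdev(values))
    return model


def score(record, model, threshold=3.0):
    """Step 3: z-score each present field; return [(field, z)] beyond threshold."""
    findings = []
    for field in FIELDS:
        value = record[field]
        if value is None:
            continue                      # absent data is handled by impute_missing
        mu, sigma = model[field]
        z = (value - mu) / sigma if sigma else 0.0
        if abs(z) >= threshold:
            findings.append((field, round(z, 1)))
    return findings


def find_anomalies(raw_reports, model, threshold=3.0):
    """Normalize and score each incoming report; return {vessel: findings} for hits."""
    hits = {}
    for raw in raw_reports:
        record = normalize(raw)
        findings = score(record, model, threshold)
        if findings:
            hits[record["vessel"]] = findings
    return hits


def impute_missing(record, model):
    """Step 4: predict what is missing by filling a None field with the modelled mean."""
    filled = dict(record)
    imputed = []
    for field in FIELDS:
        if filled[field] is None:
            filled[field] = model[field][0]
            imputed.append(field)
    return filled, imputed


if __name__ == "__main__":
    model = build_model([normalize(r) for r in BASELINE])
    print("model     :", model)
    print("anomalies :", find_anomalies(NEW_REPORTS, model))
    print("imputed   :", impute_missing(normalize(NEW_REPORTS[3]), model))
```

The baseline is deliberately built from routine records only and new reports are scored against it, which is the "track norms, flag departures" shape the fraud-detection comparison later in the article has in mind; building the model from a set that already contains the outliers would inflate the standard deviation and mute the very anomalies being looked for. Mean imputation is the simplest possible predictor for a missing field; it shows the mechanism, not what a real tool would use.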

This, however, is an extremely difficult task when working with 26 terabytes of active data on a daily basis, an amount that would fill up about 85 high-end 300 gigabyte hard drives each day. This quantity of information being processed by the Navy is also growing at a rate of 10 percent per year, according to ONI.

Nonetheless, data mining is an asset to government agencies that have taken on new roles in the aftermath of 9/11.

A new interest of the Navy and other government agencies is to track the movement of more than 130,000 commercial vessels and the 17 million cargo containers they carry, which could be used by terrorists as a means of attack against U.S. ports, or to smuggle arms or people into the country. ONI looks at transit plans, bills of lading, intelligence reports, and years of reporting by internal analysts and news agencies to identify vulnerabilities or suspicious activity within the shipping industry. Today, the Navy is shifting its focus from the ships themselves to terrorist use of the commercial shipping network, according to a Navy source.

"Many of the problems that we're looking at in the commercial shipping industry are very much analogous to fraud detection; we want to track norms and we want to identify things that are outside of the norm," said the Navy official.

There are typically 10,000 messages on an analyst's desk at ONI every morning. One tool ONI has been exploring, and is deploying this fall to approximately three dozen workstations, is Project Rockwell. Derived from another agency and an industry partner, Project Rockwell allows analysts to go through open wire news feeds, such as Reuters or the Associated Press, and run queries against the feeds in the areas that they have highlighted.

If there is a subject an analyst has particular interest in, they can highlight it, and pertinent information will be color-coded on their desktop. For example, if there is a topic of concern that normally has one news-feed pertaining to it and suddenly there are hundreds of feeds, Project Rockwell brings that information to the analyst's attention and directs them to that topic or subject of interest.

"What it allows them to do is go through the thousands of messages that they would get normally in a day and does it four times faster," said the Navy official. "That's not taking the man out of the loop, but it's certainly freeing up the man to do more analysis and less data sorting and initial review."
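The two behaviours attributed to Project Rockwell above, query highlighting and surfacing a topic whose feed volume suddenly jumps, as an added example on a constructed wire feed (this is not Project Rockwell's code or any ONI tool; the topic names, search terms, dates and every headline are invented):

```python
"""Added example (not Project Rockwell or any ONI code): the two behaviours the
text attributes to the tool, on a constructed wire feed. An analyst registers
topics as lists of terms; messages matching every term of a topic are
highlighted, and a topic whose daily match count jumps far above its own recent
baseline is brought to the analyst's attention. Topic names, terms, dates and
all feed text are invented for the example."""
import re
from statistics import mean, pstdev

# Analyst-defined topics: a message matches when all of a topic's terms appear.
QUERIES = {
    "port_security": ["port", "security"],
    "fleet_exercise": ["exercise"],
}

# Constructed feed of (date, headline). Three quiet days, then a burst on the
# fourth for one topic while the other topic stays at its usual volume.
FEED = [
    ("2007-08-27", "Navy exercise begins in the Gulf"),
    ("2007-08-27", "Annual exercise schedule released"),
    ("2007-08-27", "Port authority reviews security plan"),
    ("2007-08-27", "Exercise planners meet in Norfolk"),
    ("2007-08-28", "Joint exercise enters second day"),
    ("2007-08-28", "Exercise observers arrive"),
    ("2007-08-28", "Cargo volumes rise at the port"),
    ("2007-08-29", "Exercise concludes with live fire"),
    ("2007-08-29", "Port security drill held overnight"),
    ("2007-08-29", "Exercise after-action report due"),
    ("2007-08-30", "Exercise lessons briefed to staff"),
    ("2007-08-30", "Next exercise scheduled for spring"),
    ("2007-08-30", "Exercise budget under review"),
] + [("2007-08-30", f"Port security alert: container checks at terminal {n}")
     for n in range(1, 13)]


def term_pattern(term):
    """Whole-word, case-insensitive match for one term."""
    return re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)


def matches(text, terms):
    return all(term_pattern(t).search(text) for t in terms)


def highlight(text, terms):
    """Mark every matched term in [[...]] (a text stand-in for colour-coding)."""
    for t in terms:
        text = term_pattern(t).sub(lambda m: f"[[{m.group(0)}]]", text)
    return text


def daily_counts(feed, queries):
    """Return {topic: {date: count}} with an explicit 0 for days with no match,
    so quiet days pull the baseline down instead of silently disappearing."""
    days = sorted({date for date, _ in feed})
    counts = {topic: {day: 0 for day in days} for topic in queries}
    for date, text in feed:
        for topic, terms in queries.items():
            if matches(text, terms):
                counts[topic][date] += 1
    return counts


def detect_bursts(counts, today, min_count=5, sigmas=3.0):
    """Flag topics whose count today exceeds mean + sigmas*std of prior days
    and is at least min_count, so a jump from 0 to 2 is not an alert."""
    bursts = {}
    for topic, by_day in counts.items():
        history = [c for day, c in by_day.items() if day < today]
        if not history:
            continue
        baseline, spread = mean(history), pstdev(history)
        today_count = by_day.get(today, 0)
        if today_count >= min_count and today_count > baseline + sigmas * spread:
            bursts[topic] = (today_count, round(baseline, 2))
    return bursts


if __name__ == "__main__":
    counts = daily_counts(FEED, QUERIES)
    for topic, (n, base) in detect_bursts(counts, "2007-08-30").items():
        print(f"ALERT {topic}: {n} matches today vs baseline {base}/day")
        for date, text in FEED:
            if date == "2007-08-30" and matches(text, QUERIES[topic]):
                print("  ", highlight(text, QUERIES[topic]))
```

The `min_count` floor matters as much as the statistical threshold: a topic that normally draws zero stories has a baseline of zero, so any single match would otherwise be a "burst" and the analyst's screen would fill with noise rather than the one topic that actually spiked.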

In the homeland security realm, there are some legal privacy constraints, not necessarily restrictions, on sharing information outside of Department of Defense boundaries, depending on what that information is. Intelligence commands, for example, have limitations on how and how long they can retain information on U.S. persons or companies.

"What we're hoping to build is a capability that, if we can't keep the data, will allow us to connect the data that might be held by the FBI or by the U.S. Coast Guard, as examples of law enforcement agencies, so they can easily extract value from our data," said the official.