In the past several weeks there have been numerous stories in the press regarding hacking incidents against major newspapers in the United States that have been attributed to
the People’s Republic of China. These incidents follow closely on other reports of hacking incidents against U.S. financial institutions that were attributed to the Islamic Republic of Iran. The purpose of this paper is to serve as a short primer on the “Intricacies and Multifaceted Dimensions of Offensive Cyber Operations.” In the paragraphs that follow, I will attempt to provide the reader with some basic information on offensive cyber techniques, so that readers have a better understanding of the technology and practices that our adversaries are employing to obtain data from U.S. computer information systems.
Within the global community there are two major “Hacker Groups.” The first are independent hackers, usually young disenfranchised youth that conduct computer intrusions as sport. The second, and most dangerous to the national security of the United States are the “State Sponsored Hackers,” such as those from the People’s Republic of China and the Islamic of Iran. State Sponsored Hackers, on any given day conduct tens of thousands of “probes and scans” of U.S. Federal Government and Commercial Websites looking for system vulnerabilities. There attempt in this regard, is to gain access to sensitive information on national defense and critical technology subjects. To understand the finer points of these offensive cyber activities, a “scan” is an evaluation of a computer system in which an adversary is looking for system vulnerabilities. A “probe” is an actual attempt by an adversary to try and gain access to a computer system once a vulnerability has been discovered. On any given day, U.S. Government computer systems, especially those of the Department of Defense, and defense contractors, are subjected to hundreds of thousands of scans and probes by foreign entities, individual hackers, hacker groups, and information brokers. The Department of Defense, like most private sector organizations, afford various degrees of computer network protection to its category’s of information systems.
At the present time, the Department of Defense maintains three distinct computer information systems. The first is for unclassified information, the second is for information classified as secret, and the third is for information classified as top secret and above. Department of Defense unclassified computer systems are, out of necessity, connected to the Internet. These are systems that deal with logistics and personnel related information that need to interface with non-Department of Defense information systems. Both the secret and top secret computer systems are not linked to the Internet, therefore, there is less chance that unauthorized users can gain access to these sensitive categories of information. The only caveat here is, that out of operational necessity, the secret and top secret systems that contain our nation’s most sensitive information, have what are known as Secret and Below Interoperability (SABI) Connections, which are essentially bridges to the unclassified Internet. The one and only time that the two Department of Defense classified systems were ever compromised was when the “I Love You” virus found a SABI connection and infected one classified system. Of course classified systems are always subject to what is commonly referred to as the “Insider Threat,” such as the actions of PFC Bradley Manning when he downloaded data from a computer system containing secret information then passed that data on to Wiki Leaks. In the last several years the U.S. Intelligence Community has taken measures to try and eliminate the “Insider Threat” by making it difficult to download data from classified systems. Unfortunately the Army failed to install these secure systems with non-write CD Rom capability in Iraq.
In order to place this discussion within a proper perspective, the Internet is the “Information Super Highway” for computer network intruders to gain access to both government and private sector computer systems. Once an adversary discovers a system vulnerability, they can usually bypass the Intrusion Detection Sensors (IDS), and the “System Firewall” to gain entrance into a computer system. Once they have entered a system, the intruder can conduct a number of activities that range of defacing a website, to conducting computer network exploitation, to removing data from the system. Such activities have occurred on both commercial and government computer systems.
The ability of an unauthorized user to gain access to a computer system is wholly dependent upon the cyber security devices that are installed on a given system. Those computer systems that employ a mix of IDS Sensors will observe more offensive cyber scans and probes, and be able to take immediate measures to protect the security of their computer systems. These actions also include employing the most latest firewall and IDS technology. For U.S. financial institutions and other sectors of the U.S. National Critical Infrastructure, these institutions most often maintain an Intranet for the exchange of sensitive information. A company Intranet would not be linked to the Internet, therefore, it would be almost impossible for an intruder to gain access to a closed system. Financial institutions that do maintain a presence on the Internet for such activities as customer online banking, maintain redundant, or backup systems in the event of an unauthorized intrusion. This is to ensure that customer accounts are not subject to the unauthorized removal of funds.
Computer systems that are vital to the operations of the U.S. National Critical Infrastructure in addition to financial institutions, including electric power generation facilities, dams, hydroelectric facilities, communications, air traffic control, and a multitude of other critical assets, are controlled by Supervisory Control and Data Acquisition (SCADA) Systems. SACDA Systems are independently controlled “Stand Alone” computer systems that, once again, are not linked to the Internet so there is no opportunity for unauthorized users to gain access to these critical operating systems.
Given the recent series of cyber intrusions by “State Sponsored Hackers,” I must relay the fact that the United States is not defenseless against foreign offensive cyber operations. Since the invention of DARPA Net, which is also considered to be the birth of the Internet, the U.S. Government has been actively engaged in developing protective tools and methods for responding to the hacker threat. For years this responsibility fell to the National Security Agency. Today, this responsibility falls to the United States Cyber Command, which is collocated with the National Security Agency at Fort Meade, Maryland. In addition, each military service also maintains its own Cyber Operations and Computer Emergency Response Team (CERT) capability. For Departments and agencies outside of the Department of Defense, the monitoring and protection of those computer networks fall to the Federal Computer Emergency Response Team (FEDCERT). For the private sector, in the event of attempted foreign cyber intrusions, that information is passed up to the FEDCERT for action. In addition to monitoring the security of computer networks, the U.S. Cyber Command, and the various CERT’s, employ preventive measures to maintain the security of computer networks. These activities include constant monitoring and evaluation of the tactics, techniques, and procedures employed by adversaries to gain access to U.S. computer networks. This also includes a review of a majority of scans and probes of critical networks to determine foreign intentions. When new tools and software have been employed by an adversary, the U.S. develops “Patches” for employment to safeguard networks. In addition, the U.S. Cyber Command and the military service cyber elements constantly conduct “Vulnerability Assessments.” These are accomplished in the form of “Penetration Testing,” where certain tools are employed to test the operational security of a computer network. In addition, “Red Teaming” techniques are also employed. This procedure is where U.S. Cyber Security Specialists use adversarial hacking tools previously employed against U.S. computer systems to once again test the operational security of a computer network. In the event of a computer intrusion, the Department of Defense, and the military services maintain “Computer Forensics Laboratory’s” where any hard drive from a computer can be evaluated to determine what data had been taken, as well as the type of adversarial tool that was employed for system intrusion. The U.S. Cyber Command requested from the Washington Post Newspaper on 1 February, certain computer hard drives for forensic testing for the purposes referenced above.
One of the main questions that seem to perplex people is how a computer network intrusion can be attributed to a specific individual or “State Sponsored Hacker Group.” This process is referred to as “Trace Back” or “Hop Back.” The process allows cyber security professionals to follow the path of the intrusion back through the Internet Protocol (IP) addresses of the machines involved in the intrusion. Even if a hacker is using what are commonly referred to as “Ghost Sites” or “Jump Sites,” which are computers that belong to individuals, companies, or groups not associated with the intruder, the digital signal can be traced back to its point of origin. Using this technique allowed U.S. Cyber Officials to determine that the People’s Republic of China was the point of origin for the cyber intrusions of U.S. newspapers, and the Islamic Republic of Iran being responsible for the intrusions of certain U.S. financial institutions.
Offensive Cyber Operations is the new “Arms Race” of the 21st century. The adversaries of the United States and its Allies will continue to refine, expand, and develop new tools, techniques, and procedures for offensive computer network exploitation and computer network attack. The United States must work aggressively to meet this threat by developing effective cyber countermeasures, because Cyberspace will be the new battlefield of tomorrow.
It is also clear that the Internet is and remains the pathway for “State Sponsored Hackers” and others to obtain data, disrupt computer system operations, and other forms of offensive cyber operations. Unfortunately, as in the publication of scientific and technical research by universities and private sector organizations, maintaining a presence on the Internet, and running the risk of having data removed from a system, is the price that organizations and individuals must pay for living in a free and open society.
This article was prepared by Richard Kaplan. Mr. Kaplan is a Advisory Board Member of the Center for American Democracy, Economic Warfare Institute. Prior to his retirement from the U.S. Government in May 2012, he was assigned to the Office of Intelligence and Counterintelligence of the Department of Energy. Prior to his tenure with DOE, he held a number of assignments with the Department of Defense that dealt with computer network defense. Mr. Kaplan is currently serving as a Strategic Intelligence, Counterintelligence, and International Law Advisor to the United Nations.