Computer Fraud & Security November 20054

INFORMATION WARFARE

From the early 1990s we started to hearabout the concept of InformationWarfare. This was reported as the nextbig thing in computing and came withportents of doom for the future of theInternet and the networked world. Bythe late 1990s considered opinion had itthat the major Western nations hadtaken the subject seriously and, led bythe US, a number of countries haddeveloped policies for the use of bothdefensive and offensive InformationWarfare (IW) techniques. There was alsoevidence that countries such as India hadrecognised the potential and the issuesand had started to teach InformationWarfare to their military staffs in thedefence colleges. From China, news fil-tered out that not only had they devel-oped policy, but that they had also creat-ed a number of military units (reportedto be of battalion strength) to addressthis new battlespace. More startling wasthe news that these new units had car-ried out exercises to practice their newskills and tactics. There was a consider-able amount of hype, that started around1996 or 97, regarding a range of poten-tial weapons, from High Energy RadioFrequency (HERF) and ElectroMagnetic Pulse (EMP) weapons toembedded hardware and firmware andviruses, worms and Trojan horses. Therewas to be a new breed of soldier, themultifunctional cyber warrior, whowould take the battle into the newdomain of cyberspace. These soldierswere to be computer literate and wouldtake warfare into the fourth dimension(the others being land, sea and air), where

their skills were seen as being able to pro-vide a ‘force enhancement’ to convention-al operations.

Towards the end of the 1990s, theterm Information Operations (IO) wasalso coined which refined the genericconcept of Information Warfare to thebattlefield implementation. In the USAthe Department of Defense (DoD), inits October 2003 InformationOperations Roadmap, had refined theconcept and defined it as “The integratedemployment of the core capabilities of elec-tronic warfare [EW], computer networkoperations [CNO], psychological operations[PSYOP], military deception, and opera-tions security [OPSEC], with specified sup-porting and related capabilities to influ-ence, disrupt, corrupt, or usurp adversarialhuman and automated decision makingwhile protecting our own.’

This focusing and the creation of aseparate definition for the warfighterswas understandable as it became increas-ingly clear that the scope of any poten-tial future use of the Internet and theGlobal Information Infrastructure (GII)to wage war would take place wellbeyond the timeframes and the battlespace that are the normal area of opera-tions and responsibility of the military.

Lack of visibilitySo what has happened in this area andhave there been changes in the last fewyears? Well, in the public eye in Westernnations, the subject has rather got lostsince 9/11. In the aftermath of the terror-ist attacks, there was a natural and right-eous reaction by Western governments

and the populace to fight back and wagethe war on terrorism. The focus of atten-tion became firmly fixed on fighting thenew form of terrorism and a considerableproportion of the available funding andresources were directed to fighting thisnew and very clear threat.

Another factor that has obscured thevisibility of IW or IO has been whatappears to be a change in the emphasisand the new terminology to NetworkEnabled Capability (NEC) in the UKand Network Centric Warfare (NCW), aterm that seems to have originated in theUS. The term NEC, as it is defined bythe UK MoD in Joint ServicePublication (JSP) 777 is ‘NetworkEnabled Capability offers decisive advan-tage through the timely provision andexploitation of information and intelligenceto enable effective decision-making andagile actions. NEC will be implementedthrough the coherent and progressive devel-opment of Defence Equipment, software,processes, structures, and individual andcollective training, underpinned by thedevelopment of a secure, robust and exten-sive network or networks’. What thisbroadly means is using the high technol-ogy equipment that is now available toprovide your own forces with a ‘forcemultiplier’ by being better informed andmore agile than the opposition (gettinginside their Observe, Orient, Decide, Act[OODA] loop). If you can react morequickly than your opponent, your forcesare more agile and hence more effective.The term NCW describes an approach tothe way that warfare is carried out thatgains its power from the effective net-working of the warfighting elements. It ischaracterized by the ability of, possiblygeographically dispersed, forces to gain ahigh level of shared battle space aware-ness that can be exploited to achievecommanders’ aims. This means that all ofthe elements involved in the campaigncan have access to the same informationpicture, hopefully at the same time,which should make them more effective.

Information warfare in warSo has information warfare been a passingfad and faded away into the annals of his-tory? The answer to this is an emphatic

Information Warfare– what has beenhappening?Dr. Andy JonesTechnical Group Leader, Security Research Centre,BT Adjunct, Edith Cowan University

This article brings to light the level of activity of information warfaretoday. It is an underground threat that is ongoing between countries.And China is one of the biggest perpetrators.

Dr Andy Jones

November 2005 Computer Fraud & Security5

INFORMATION WARFARE

no. Some of the initial concepts thatcyber soldiers would be deployed andhave a significant new role in the conductof a military operation have certainlymatured and been modified to mirrormore realistically what is likely to beachievable, and can be integrated intotried and tested conventional militaryoperations. In real terms, what has to beconsidered is how you will convince thesoldier on the ground or the pilot of anaircraft that a cyber attack to destroy anenemy capability has been effective.

Imagine the scenario of a pilot flying amission and being told that the hostile airdefence system that he knows is in hisflight path has been destroyed by the ‘cyberwarriors’ and that it is safe for him to pro-ceed. The air defence installation still existsand has no apparent damage. It takes agreat deal of faith for a man who is expect-ing to get shot at and who is probably car-rying a payload of explosives to believe thata ‘geek’ at a location far from the front linehas disabled a target that is normally neu-tralised by high explosives. If a target hasbeen destroyed by explosives, then it isnormally possible to carry out a ‘battledamage assessment’ to determine whetherthe target has been totally or partiallydestroyed – normally by observation, eitherby direct viewing or from photographicreconnaissance. When you know how wellthe target has been damaged, you can thenwork out how long it will take to repair itor replace it. This is not possible for sys-tems that have been disabled by a ‘cyberattack’ – there is normally no visible dam-age, even if exotic weapons such as HERFor EMP have been used.

So, on the battlefield, the likely scenariowould appear that cyber war will have acredibility problem. This is compoundedby the fact that, to date, InformationOperations tools and techniques are largelyuntested and unproven as a fighting capa-bility. If the concept of information warfareis going to struggle to be accepted in a bat-tlefield implementation, is it viable? Theanswer is, again, yes. If you look at theoriginal concept, an early version of whichis provided by Miller in 1995 as,“Information Warfare embraces several relat-ed, but distinct sets of ideas which are notalways clearly distinguished. For manydefense analysts, it refers primarily the mili-

tary application of computers and other infor-mation technologies, and the organizational,operational and doctrinal changes this impliesfor the US and other military establishments.For other writers, however, InformationWarfare is a much broader idea, relating tothe emergence of ‘’Information Age’’ civiliza-tion and the development of associated modesof political and social conflict which pointtoward the gradual erosion of nation statesand their monopoly of organized violence.”, itwas always clear that the concept of infor-mation warfare far transcended any poten-tial battlefield implementation.

Use of information warfareGiven this wider potential use of hightechnology as a tool to achieve politicalends, which after all is also the purposeof armed forces, has there been any indi-cation of the use of information warfaretools and techniques?

By its very nature, the likelihood thatthere will ever be a declaration of ‘cyberwar’ by a nation state is approaching nil.We have seen several declared by individu-als and groups of Internet users who have agrievance against another group or anation state, but declarations of war areproperly the preserve of governments. Inmodern society it is unusual that there is adeclaration of war, even for the large num-ber of conventional armed conflicts thathave taken place. There have, howeverbeen a number of incidents reported (andundoubtedly many more that have not)that give some indication that ‘InformationWarfare’ techniques have been used. Goingback to the battlefield example of battledamage assessment, one of the major prob-lems that we face is the attribution ofblame for what can probably best bedescribed as ‘antisocial’ activity on the net-works. Was it a nation state, was it a terror-ist group, was it organized crime or was it agroup of kids facing a long boring schoolbreak and looking for some excitement?One of the problems with cyberspace war-fare is that the entry level for people totake part has been lowered to a pointwhere everyone can4. When this is com-bined with what Dr. Jamie Mackintosh ofthe UK Defence Academy called the‘empowered small agent’ – individuals andgroups that can have been enabled by the

internet to have a disproportionate impacton others, the ability to accurately identifythe cause of significant attacks on systemsis made much harder.

In the following paragraphs a numberof incidents, some that were heralded asInformation Warfare attacks and somethat were not, are detailed.

In 1982, according to a number ofreports[1] [2], a Russian gas pipelineexploded as a result of a Trojan horsethat had been inserted into software thatthey had stolen from the USA.

In 1998, an Indian Army website wasreported[3] to have been hacked byPakistani intelligence agents ahead oftalks in Islamabad in October 1998. TheIndian Army had launched the websitein August 1998 to provide what theyclaimed was ‘factual information aboutdaily events in Kashmir’. As a result ofthe hacking, accesses attempts to the sitewere redirected to a server that containedanti-India propaganda.

In March 2000, the JapaneseMetropolitan Police Department reportedthat a software system that they had pro-cured to track 150 police fleet vehicles,including a number of unmarked cars, hadbeen developed by adherents of the AumShinryko cult, the group that had releasedSarin gas into the Tokyo subway in 1995,causing the deaths of 12 people and injur-ing in the region of 6,000 more. By thetime that the connection with the cult wasdiscovered, classified tracking data on 115vehicles had been handed over. It was sub-sequently discovered that the group hadalso developed software for at least 10other government agencies and 80Japanese firms. The report[4] went on tospeculate that the cult members could haveinstalled Trojan horses to launch or facili-tate cyber terrorist attacks at a later date.

In October 2000, Israel came under acyber attack and several official Israeliwebsites were taken off line as a result ofa concerted jamming campaign byIslamic groups around the world[5].Amongst the websites affected were theIsraeli parliament that was penetrated byhackers believed to be based in SaudiArabia, the foreign ministry website, thePrime Minister’s Office and that of theIsraeli Defence Forces (IDF).

Computer Fraud & Security November 20056

INFORMATION WARFARE

These attacks followed a reported attackby Israeli teenagers, who had sabotaged awebsite of the Hezbollah organisationand a claim by another Israeli teenagerto have destroyed an Iraqi GovernmentInternet site the year before.

In the aftermath of the April 2001 colli-sion between a Chinese fighter and a U.S.spy plane that was gathering intelligenceoff the Chinese mainland a ‘hackingwar’[6] erupted between hackers in theUS and China. Almost 40 Chinese andU.S. sites were attacked in one 24 hourperiod and it was estimated that hundredswere attacked over a period of about onemonth. Reports suggested that the attackson the US sites had been “state-spon-sored” by China. This was based on thefact that the Chinese Government wasthought to have a considerable level ofcontrol over the connectivity of systems tothe Internet in an attempt to filter outWestern influences and as a result, if theattacks were not directly sponsored by thegovernment, it was thought that theymust have been carried out with at leasttheir knowledge and tacit consent.

In May 2002, according to a Pentagonstatement[7], an anticipated series of cyberattacks on the US Department of Defensefrom Chinese hackers failed to materializeafter the Chinese government had appar-ently asked private hackers not to repeatthe defacements of US GovernmentWebsites that took place the previous year.

In September 2003, the TaiwaneseCabinet spokesman Lin Chia-lung stated[8] that “National intelligence has indicat-ed that an army of hackers based in China’sHubei and Fujian provinces has successfullyspread 23 different Trojan horse programs tothe networks [of] 10 private high-tech com-panies here to use them as a springboard tobreak into at least 30 different governmentagencies and 50 private companies.” Thenetworks that were affected included theNational Police Administration, theMinistry of National Defense, theCentral Election Commission and theCentral Bank of China. The purpose ofthe attacks was thought to be aimed ateither paralyzing the nation’s computersystems, the theft of large quantities of

sensitive government information orpreparing the attacked computers forfuture information warfare.

In 2004, the Institute for TraditionalKorean Studies Movement and a numberof other civic groups threatened to carryout cyber attacks on Chinese websites[9].The groups threatened to crash the web-sites of the Chinese Foreign Ministry,Beijing Municipal Government, XinhuaNews and the People’s Daily.

In April 2004 the Peoples LiberationArmy (PLA) reported[10] that an Info-warfare Group Army, attached to theBeijing Military Area Command, hadcompleted a set of Information Warfarecombat exercises. During the exercises the“Red Army” launched a number of attacksusing a range of different offensive tactics.Precision strikes were said to have beenlaunched at the “Blue Army”, against bothsoft and hard targets, resulting in theopposition’s communication systems beingquickly paralyzed. The report went on tosay that the military forces had combinedtheir efforts with research institutes todevelop a computer network, multimediaand virtual technology training system tosimulate a ‘communications battlelab’.

In April 2005, during a period ofincreased tension with China, afterJapan had announced that its companieshad been given the right to drill for oiland gas in the East China Sea and afterJapan had approved a history textbookthat China claimed would whitewashJapan’s wartime record, Japan’s policeand defence agencies came under a cyberattack which reduced access to those sys-tems [11]. This was reported to be as aresult of a Chinese website calling forthe jamming of Japanese servers.

In April 2005 Japanese hackers steppedup their cyber attacks on Korean websitesduring a dispute between the two nationsover sovereignty of the Dokdo islets in theEast Sea[12]. Hackers based in Japan werereported to have accounted for more than15% of the months foreign networkattacks, coming second only to the 45%that originated in China.

Also in May 2005 there were a num-ber of reports regarding industrial espi-onage by a number of top level Israeli

companies[13] [14]. The companiesinvolved included Cellcom, the YESsatellite TV company and PelephoneCommunications. The reports statedthat a total of 21 people had been arrest-ed in the case and that 11 of themworked as private detectives from forthree of the top Israeli agencies and thatthe espionage, which was thought tohave been going on for more than 18months, was conducted using Trojanhorses inserted on the computer systemsof their competitors.

In June 2005, the UK’s NationalInfrastructure Security Co-ordinationCentre (NISCC) reported[15] that hackershad been targeting approximately 300 UKGovernment departments and businessescritical to the country’s infrastructure witha series of specially crafted Trojan horseattacks. According to the report, theTrojan horse attacks, of which many origi-nated in the Far East, were deliveredthrough email attachments or throughlinks to malicious websites and appearedto have been delivered in an attempt tocovertly gather and transmit commercialor economic information. The report fromNISCC stated that the attacks had beengoing on for some time but have recentlybecome more sophisticated.

In August 2005, it was reported[16]that over the past five years, Chinesehackers had successfully probed andpenetrated a number of US Departmentof Defense (DoD) networks. In at leastone of the attacks, a Trojan horse com-puter programme was used to obtaindata from a future Army command andcontrol system. The report quoted aPentagon spokesman as saying that‘Beijing has focused on building the infra-structure to develop advanced space-basedcommand, control, communications, com-puters, intelligence, surveillance and recon-naissance and targeting capabilities.’

Information warfareattacks or notThis range of incidents over a period oftime may, at first glance, seem to beunconnected, however, there are a numberof themes that can be detected. It is unre-alistic to assume or to think that blame

INFORMATION WARFARE

could be attributed without any reasonabledoubt to a terrorist group or a nation statesponsored activity, but many of the inci-dents have characteristics that may makethem ‘Information Warfare’ attacks.

The first of these is that the majority ofthem took place at a time when there wasincreased tension between the countriesinvolved. The second is that the largestproportion of the incidents involve Chinain one way or another (China-Japan,China- Korea, China-Taiwan, China-USA, China-UK). This is extremely inter-esting as, as far back as 2002, the ChineseGovernment seemed to have sufficientcontrol over access to the internet fromsystems within China to prevent cyberattacks on the USA when they chose toand in 2004, the Chinese had exercisedtheir Military Information Warfare Unitsin conjunction with academic institutes.

Most conventional definitions of IWsay that the aim of its use is to gainadvantage over the enemy. The battle-field implementation is constrained tothe period of the conflict, but the wideruse of the techniques during periods ofincreased tension can achieve the pur-pose of IW in influencing the decisionmakers to satisfy the aims of the user byaffecting the economy of the oppositionor the feeling of well being of the people.

Saying whether any of the incidentsdetailed above were initiated or spon-sored by the relevant states in order toexert pressure on the opposition is notpossible, but clearly that while coinci-dence could be a factor, it is difficult tosee how to account for the detected pat-tern of incidents.

So what have the western nations beendoing during this period? Well, unsur-prisingly, there have been no reports ofthe aggressive use of IW by westernnations, but do not think that this meansthat they have been doing nothing.

The rise of the ‘new’ terrorist threat hasovershadowed the reporting of more sub-tle and less destructive attacks, but evenwith the changes of focus and the diver-sion of effort to fight the ‘War on terror-ism’, the developments and investmenthave been quietly taking place. Evidenceof this can be found in things like theinvestment plans for a US Joint IntegratedInformation Operations Range (JIIOR)

that is to come into effect from 2006 andthe January 2005 publication of US AirForce doctrine document 2-5 onInformation Operations and the numberof US military units that openly claimInformation Warfare as part or all of theirrole. In addition, The House ofCommons Defence Committee onLessons of Iraq produced in March 2004gave indications of the use of IW duringOperation Telic in Iraq.

ConclusionsIn summary, Information Warfare is aliveand well and being developed and tested ina large part of the developed world. Boththe battlefield implementations and thewider political use of the techniques appearto have been ‘field tested’ and undoubtedlyanalysts, both in the east and the west arecontinually examining the effects that itsuse has had. It is also clear that, for thepresent and the foreseeable future, the useof these tools and techniques betweencountries during periods of increased ten-sion are likely to continue and that it willbe the civil and government infrastructuresthat are targeted. It is also clear that, giventhe current level of technology, it will bevery difficult to conclusively identify thesource of an attack. It would seem to beclear that China is either prepared to con-done IW style attacks by its citizens or isactually sponsoring such attacks in order tocreate political pressure or to gain econom-ic advantage by the theft of valuable intel-lectual property.

To date there has been no evidence ofthe use of cyber weapons by terrorists, butthere does seem to be reasonable evidenceof their use by organised crime, commer-cial organisations and nation states.

About the authorDuring a full military career Andy Jonesdirected both Intelligence and Security

operations and briefed the results at thehighest level and was awarded the MBEfor his service in Northern Ireland. After25 years service with the British Army’sIntelligence Corps he became a businessmanager and a researcher and analyst inthe area of Information Warfare andcomputer crime at a defence researchestablishment. In Sept 2002, on comple-tion of a paper on a method for the met-rication of the threats to informationsystems, he left the position to take up apost as a principal lecturer at theUniversity of Glamorgan in the subjectsof Network Security and ComputerCrime and as a researcher on the Threatsto Information Systems and ComputerForensics. At the university he developedand managed a well equipped ComputerForensics Laboratory. He holds a Ph.D.in the area of threats to information sys-tems. In January 2005 he joined theSecurity Research Centre at BT to takeup a post as a research group leader.

References:

[1] David E. Hoffman, CIA slipped bugs to Soviets,Memoir recounts Cold War technological sabotage,Washington Post, Feb. 27, 2004[2] Andrew Knight, The Conduct of AmericanForeign Policy: Ronald Reagan’s Watershed Year?,Foreign Affairs.[3] Y.K Gera, Asian Journal of International Terrorismand Conflicts, Article 5,Vol 2, no 3, Apr, 2001. [4] Dorothy E Denning, CYBERTERRORISM,Testimony before the Special Oversight Panel onTerrorism Committee on Armed Services U.S. Houseof Representatives, May 23, 2000.[5] BBC News, Israel Under Cyber Attack, Thursday,Oct 26, 2000.[6] Mark Gregory BBC, US under Chinese hackattack, Apr 30, 2001.[7] Pamela Hess, UPI Pentagon Correspondent,China prevented repeat cyber attack on US, UnitedPress International, Oct 29, 2002.[8] Ko Shu-ling, Cabinet says computers underattack, Taipei times, Sep 04, 2003.[9] The Marmot Blog, Hack the dragon?, TheMarmot’s Hole, Jul 28, 2004.[10] Fu Jinlin and Chu Zhenjiang, Group armyimproves its IT fighting power, PLA Daily, Apr. 27,2004[11] Tokyo Correspondent, Japan suspects Chinesecyber attack, The Australian, Apr 14, 2005.[12] Kim Tae-gyu, Japan Heightens Cyber Attack onKorea, Korea Times, May 10, 2005.[13] Pax Dickinson , Israeli Police Charge 18 WithIndustrial Espionage, Information Week, May 31,2005.[14] Chris Blackhurst , Keeping (secrets), EuropeanBusiness, May 2005.[15] NISCCBriefing Id: 20050616-00494, TargetedTrojan E-mail Attacks, NISCC, 16 June 2005.[16] Frank Tiboni, The new Trojan war: DefenseDepartment finds its networks under attack fromChina, FCW.com, Aug. 22, 2005.

7November 2005 Computer Fraud & Security

“Developments

and investment

in IW has been

taking place”