Statement for the Record Before the
Joint Economic Committee on Cyber Threats
and the US Economy by John A. Serabian, Jr.
Information Operations Issue Manager, CIA

February 23, 2000

Introduction
Thank you for this opportunity to provide a statement on cyber threats and critical infrastructure protection. CIA, like other Federal agencies, is developing and implementing its response to Presidential Decision Directive-63 (PDD-63) "Critical Infrastructure Protection." The Directive enjoins CIA to enhance its overall capabilities to provide intelligence support for threat assessment and warning and to engage in incident response as needed.

The Director of Central Intelligence, George Tenet, earlier this month testified before the Senate Select Committee on Intelligence in his annual worldwide threat briefing that the foreign cyber threat is one of the key transnational issues that we face as a nation. In that testimony he noted that the U.S. is increasingly dependent on "... the unimpeded and secure flow of technology." Any adversary, foreign or domestic, that develops the ability to interrupt that flow "... will have the potential to weaken us dramatically or even render us helpless." The recent e-commerce attacks underscore this point. Whatever their motivation, the attackers have taken the threat out of the realm of the abstract and made it real. The DCI in his testimony emphasized that " ... as in so many areas in this technological age, we are truly in a race with technology itself."

• A major challenge in the next decade will be to find ways to defend our infrastructure and protect our commerce while maintaining an open society.

• We cannot do all of these things simultaneously without a common understanding of the threat. Providing that understanding is and will remain a major thrust of the CIA and the Intelligence Community for years to come.

In this hearing today, Mr. Chairman, I hope to provide you with a further appreciation for the growing seriousness and significance of the emerging threat to our information systems. I want to emphasize our need to evaluate this threat across the full spectrum of state and non-state actors, recognizing that proliferation of malicious capabilities exists at every level and across an equally broad range of potential targets.

• In light of the sophistication of many other countries and non-state actors in programming and Internet usage, the threat to our information systems has to be viewed as a factor requiring considerable attention by every agency of government.

Community Involvement
Let me emphasize that CIA involvement in protecting our information infrastructure extends not just to cooperation with others within the Intelligence Community, but to participating with most of the other stakeholders in protecting our nation’s infrastructure systems, across government agencies, and throughout the private sector. In particular, CIA has provided a range of support to the National Infrastructure Protection Center (NIPC) at FBI since its inception. CIA also disseminates cyber threat assessments to NIPC. CIA also has provided NIPC with technical and analytic support. In addition, CIA has collaborated with NIPC and others in the U.S. Intelligence Community to develop and present outreach briefings on foreign cyber threats to key infrastructure sector stakeholders, including elements of the private sector.

Threat
Let me take a moment to frame the problem in terms of 'Who' constitutes a potential attacker; 'What' motivates a cyber-attack; and 'Why' this threat is so different from others we face.

Who would consider attacking our nation’s information systems? Given the availability of sophisticated technology and the seemingly limited investment required, potential attackers can include national intelligence and military organizations, terrorists, criminals, industrial competitors, hackers, and disgruntled or disloyal insiders. Each of these potential adversaries is motivated by unique objectives, has various degrees of technical expertise and target access, and can tolerate different levels of risk.

What motivates an attack against the U.S. information infrastructure? There are any number of incentives, including economic, industrial, and military rationales. By way of example:

• Trillions of dollars in financial transactions and commerce move over a medium with minimal protection and only sporadic law enforcement, a structure--the most complex the world has ever known.

• Increasing quantities of intellectual property reside on networked systems; and

• Opportunities abound to disrupt military effectiveness and public safety while maintaining the elements of surprise and anonymity.

A Different Kind of Threat
Why is this threat so insidious and different? We have spent years building an information infrastructure that is interoperable, easy to access, and easy to use. Attributes like openness and ease of connectivity which promote efficiency and expeditious customer service are the same ones that now make the system vulnerable to attacks against automated information systems.

• Foreign entities could perform unobtrusive cyber reconnaissance of Internet-accessible U.S. computers and infrastructure.

• The technology permits an attacker to conceal points of origin by hopping through several intermediate way stations in cyber space--including international cyber space--making identification of an attacker a daunting challenge.

• An attacker can spoof or conceal the origin of the individual hops and erase cyber footprints from victim computers.

• Cyber tools are readily available, posted to the Internet, and downloaded for anyone to use for malicious intent, regardless of the intended purpose. These tools, unlike the weapons of destruction that normally reside in the hands of military organizations, are available to anyone with the will to wreak havoc. A potential attacker can literally download a particular tool from the Internet and "point and click" to start an attack.

Thus, unlike the threats of the cold war, cyber threats can come from almost anywhere. They can originate from any location, affect systems anywhere in the world, disguise origins and travel routes, and do it all instantaneously. CIA focuses on threats overseas, but it is often difficult until very late in a given scenario to know whether an attack ultimately originated overseas or if an overseas computer is merely an intermediate step.

The ubiquitous nature of the cyber threat to information systems, public or private, will come as no surprise to you. The DCI previously has emphasized the growing seriousness and significance of the emerging cyber threat; the need to evaluate it from the perspective of both state and non-state actors; and has emphasized the Intelligence Community commitment to protecting our critical infrastructure.

It does not take a great deal of investment or skill on the part of an adversary to get into the cyber attack game. As DCI Tenet pointed out, cyber warfare is an attractive alternative to countries that may not be able to engage the U.S. militarily directly because "... the proliferation of personal computers has created millions of potential 'information warriors.'" Many entry-level hacking tools are readily available. "Backdoors," "Trojan horses," and "logic bombs" can be downloaded from the Internet by attackers who range in skill and vary in intent from joy riders and hackers to individuals and organizations supported by state and non-state actors.

Solar Sunrise
You may recall an October 1999 Washington Post report about an incident in early 1998 in which U.S. military systems were subjected to an "electronic assault," noted as "Solar Sunrise." The incident brought home to the government sector the real threat that such intrusions pose to national security. In addition, as NIPC previously has testified, this incident galvanized agencies with foreign and domestic missions alike to coordinate their efforts.

The intruders hid their tracks by routing their attack through computer systems in the United Arab Emirates. They accessed unclassified logistics, administration, and accounting systems that control our ability to manage and deploy military forces.

• The U.S. at the time could have been involved in military action in the Gulf given that tension was high because of Iraqi non-compliance with UN inspection teams. This timing raised concern in the U.S. that the intrusions were the initial stages of a cyber attack by a hostile nation.

• The U.S. response to this incident required a massive, cooperative effort by the Federal Bureau of Investigation, the Justice Department’s Computer Crimes Section, the Air Force Office of Special Investigations, the National Aeronautics and Space Administration, the Defense Information Systems Agency, the National Security Agency, the CIA, and various computer emergency response teams from the military services and government agencies.

In the end, it was found that two young hackers in California had carried out the attacks under the direction of a hacker in Israel, himself a teenager. They gained privileged access to computers using tools available from a university web site and installed sniffer programs to collect user passwords. They created a backdoor to get back into the system and then used a patch available from another university web site to fix the vulnerability and prevent others from repeating their exploit. Unlike most hackers, they did not explore the contents of the victim computers.

• The Solar Sunrise scenario points to commonality between attacks against government systems and those perpetrated against commercial systems, regardless of origin.

Emerging National Programs/Nation States
We are detecting, with increasing frequency, the appearance of doctrine and dedicated offensive cyber warfare programs in other countries. We have identified several, based on all-source intelligence information, that are pursuing government-sponsored offensive cyber programs. Foreign nations have begun to include information warfare in their military doctrine, as well as their war college curricula, with respect to both defensive and offensive applications. They are developing strategies and tools to conduct information attacks. Those nations developing cyber programs recognize the value of attacking adversary computer systems, both on the military and domestic front. Just as foreign governments and the military services have long emphasized the need to disrupt the flow of information in combat situations, they now stress the power of cyber warfare when targeted against civilian infrastructures, particularly those that could support military strategy.

Many of the countries whose cyber warfare programs we follow are the same ones that realize that, in a conventional military confrontation with the United States, they will not prevail. These countries perceive that cyber attacks, launched from within or outside the U.S., against public and private computer systems in the U.S., represent the kind of asymmetric option they will need to level the playing field during an armed crisis against the United States.

Just as foreign governments and their military services have long emphasized--and still do--the need to disrupt the flow of information in combat situations, they now also stress the power of "Information Warfare" when targeted against civilian information infrastructures. The following statements by high-level foreign defense or military officials illustrate the importance of information warfare in the decades ahead.

• In an interview a senior Russian official commented that an attack against a national target such as transportation or electrical power distribution would - and I quote - ". . . by virtue of its catastrophic consequences, completely overlap with the use of [weapons] of mass destruction."

• A Chinese General in 1996 indicated in a military publication that in future wars computers would be vulnerable in three ways. "We can make the enemy’s command centers not work by changing their data system. We can cause the enemy’s headquarters to make incorrect judgment by sending disinformation. We can dominate the enemy’s banking system and even its entire social order."

• As these anecdotes illustrate, the battle space of the information age would surely include attacks against our domestic infrastructure.

Terrorist Threat/Non-State Actors
The next group of potential adversaries comprises primarily terrorists (non-state actors) who present the most diverse and difficult threat entity to characterize. Nevertheless, we are detecting with increasing frequency the appearance and adoption of computer and Internet familiarity in the hands of these non-state actors. Some may be aligned with cults or hate groups, and still others may be sponsored by foreign industrial concerns attempting to steal proprietary information from competitors. Terrorists and other non-state actors have come to recognize that cyber weapons offer them new, low-cost, easily hidden tools to support their causes.

The skills and resources of this threat group range from the merely troublesome to dangerous. As we now know, Middle East terrorist groups--such as Hizballah, HAMAS, and Usama Bin Ladin's organization--are using computerized files, email, and encryption to support their organizations. We also recognize that cyber tools offer them new, low-cost, easily hidden means to inflict damage. Terrorists and extremists already use the Internet to communicate, to raise funds, recruit, and gather intelligence. They may even launch attacks remotely from countries where their actions are not illegal or with whom we have no extradition agreements.

Terrorists, while unlikely to mount an attack on the same scale as a nation, can still do considerable harm. Moreover, the technology of hacking has advanced to the point that many tools that required in-depth knowledge a few years ago have become automated and more "user-friendly."

Cyber attacks offer terrorists the possibility of greater security and operational flexibility. Theoretically, they can launch a computer assault from almost anywhere in the world without exposing the attacker to physical harm. Terrorists are not bound by traditional norms of political behavior between states. While a foreign state may hesitate to launch a cyber attack against the U.S. to avoid retaliation or negative political effects, terrorists often seek the attention--and the increase in fear--that would be generated by such a cyber attack.

Let me offer some examples:

• A group calling themselves the Internet Black Tigers took responsibility for attacks in August 1998 on the email systems of Sri Lankan diplomatic posts around the world, including those in the United States.

• Third-country sympathizers of the Mexican Zapatista rebels crashed web pages belonging to Mexican financial institutions. While such attacks did not result in damage to the targets, they were portrayed as successful by the activists and used to generate propaganda and rally supporters.

• Kurdish separatists in Greece and Turkey, Kashmiri separatists in India, and Zapatista rebels in Mexico have also hacked official government Web pages and posted anti-government propaganda and pictures.

Response Posture
Ongoing efforts under PDD-63 already have made a start toward addressing cyber protection. The CIA and others in the Intelligence Community are working hard in this area to increase awareness of the threat.

There is an additional reason for focusing on the threat to our commercial sector, which lies at the very heart of the problem. The foreign cyber threat constitutes a means to harm U.S. national interests in a non-traditional way using non-traditional attacks. It is transnational in origin; transcends geographic limitations; and is wholly independent of military intervention.

Where we can make progress, we have. We have made strong and steady improvements in our all-source analytic capabilities and in intra-government coordination with respect to mutual analysis, information sharing, and computer incident responses. The Intelligence Community as a whole is fully engaged in developing required policy and procedures to defend against the foreign cyber threat. The DCI last year issued instructions to intelligence agencies as an intelligence directive, "Information Operations and Intelligence Community Related Activities".

We have developed an intelligence collection strategy, further stood up analytical units, and created special training opportunities for our personnel involved in this technical discipline. CIA has placed analytic personnel in positions where they can influence threat analysis and warning and share in the exchange of technology related to the foreign cyber threat. We also have an active role in the exchange of information and cooperation with NIPC, the Defense Department entities--including the Joint Task Force for Computer Network Defense--and the National Security Agency. NIPC provides the very critical bridge between government and the private sector. Each of these efforts is focused on developing the capability to respond to the nation's requirement to defend against cyber weapons that would potentially harm critical U.S. infrastructure--public or private.

This challenge will continue to grow in the years ahead--with significant national security implications. Potential adversaries have only to look to recent denial of service attacks to arrive at a full appreciation of our vulnerabilities as well as our dependencies on systems. As we all recognize, this type of cyber threat challenges conventional intelligence methods. Intelligence disciplines traditionally have focused on physical indicators of activity and on mechanized, industrially based systems. Unless we have intelligence indications dealing with someone’s intention to attack, adequate warning will be very difficult to attain.

• With the advent of the cyber threat, we are faced with the need to function in the medium of "cyberspace" where we will conduct our business in new and challenging ways.