Intelligence Science Board

U//FOUO

Rapidly Advancing Globalization and the Emerging Threat of Foreign Information Operations: A Strategic Perspective

January 31, 2007

(U) Summary

The Associate Director of National Intelligence for Science and Technology asked the Intelligence Science Board (ISB) to study the impact of ongoing trends in the globalization of technology on the threat of foreign information operations. The responding ad hoc ISB task force notes that foreign expertise in IT and IO is rapidly closing the gap with the United States in quality, if not yet in quantity. The task force [illegible] that the US Government should accept that its own information systems and networks, even classified, may already be compromised and, furthermore, that [illegible] the global Internet against any and all attackers is impossible.

Consequently, the task force recommends that the Intelligence Community adopt a more proactive strategic posture with regard to bolstering its information assurance practices, including patrolling its own networks for intrusions, preparing viable plans, and leveraging the knowledge and skills of the private sector and our offensive IO capabilities to advance the protection of all our systems. Further, the task force recommends that the Director of National Intelligence provide increased warning, advocacy, and leadership for a national initiative to better prepare all sectors of the nation for the age of cyber-based conflict.

(U) Preface

This report, prepared by the Intelligence Science Board, presents a strategic-level summary assessment of the impact of globalization on foreign information operations. The concurrently published companion document, The Impact of Globalization on Foreign Information Operations, contains a more detailed assessment of the threat and specific recommendations. The ISB study task force wishes to
express its sincere appreciation of selected government personnel, identified in the larger report, who assisted the task force in understanding the history and extent of government approaches for addressing the issues raised in this study.

The emerging global threat from information operations

America is under attack, and the battleground is cyberspace: the highly technical domain of telecommunications networks, computers, and digitized information. In this battlespace, the weapon systems are computers and the warriors are the software programs that they execute. At the same time, computers are also the targets of attack: attacks to disable information systems and the production systems they control, to modify critical information in an attempt to subvert decision making, or to steal information not otherwise available for military, economic, or other strategic or tactical advantage. This is the complex and emerging world of information operations (IO) addressed in this study.

(U) The United States, like all developed nations, relies increasingly on information technology (IT) in every aspect of government activity and citizens' private lives. Computers and digital processors control our transportation, entertainment, health care, banking, commerce, water and food delivery, government program administration, weapon systems, troop refurbishment, and intelligence collection, processing, and dissemination. With this automation comes increasing vulnerability to cyber-based attacks, not only against the computer systems themselves but also, consequently, against the societal, business, and government systems they enable.

A related risk posed by the offshore production of IT, including microelectronics, resulting from globalization is the growing vulnerability of the United States to a reverse-International Traffic in Arms Regulation (ITAR), whereby critical technologies could be denied to the US in international trade. Where once our national security concerns focused on export control and
on determining who was seeking to purchase American companies and technology, today we must be equally concerned about the provenance of the products we buy and the hidden capabilities they may introduce into our systems, capabilities that may be used against us.

Thousands of times every day, cyber warriors attempt to penetrate our information systems. They do so to generate mischief, steal information, or put in place mechanisms that enable penetration or disruption of service at a time of their choosing.

Today, such attacks occur continually against unclassified government, military, and commercial systems, as well as critical infrastructure systems in the private sector essential to our sustained national well-being. Of particular concern to the ISB task force, and less well understood, is the degree of success these information attacks have achieved against our most sensitive system and

(U) While experts debate whether or not a total collapse of the Internet and/or our national telecommunications system is technically possible, more subtle damage with equally devastating results is certainly feasible. The processes of both automation and globalization are viewed as largely irreversible trends. Maintaining information superiority is central to our national military strategy, and the economic and performance advantages of automation cannot be denied.

Similarly, increasing economic pressures to move manufacturing operations offshore and the global sharing of knowledge and information, largely enabled by the Internet, are irresistible and largely unstoppable. But the constantly improving IT capabilities of foreign nations, groups, and individuals carry with them a growing threat to our nation, our intelligence capabilities, and ultimately the ability of our intelligence customers to accomplish their missions.

Concurrent with the globalization of IT has come a globalization of offensive IO tools, techniques, and tradecraft. Offensive IO capabilities no longer
fall only within the purview of nation-state governments; they are readily available to insurgent groups, terrorist organizations, criminal elements, and even disgruntled or misguided individuals, some of whom may be insiders in sensitive organizations.

(U) The impact-power of cyber-based weapons is increasing as techniques emerge for using the target's own computers as unwitting agents for a strategic-level attack. Consequently, a relatively small and inexpensive initial operation can achieve a huge and widespread impact, a tremendous asymmetrical advantage that leads to what some have termed a new type of weapon of mass disruption.

The ISB task force concludes that the global propagation of offensive IO capabilities undermines current US war-fighting and economic assumptions. We must bring our military, intelligence, and government planning and operations into the information operations age, and we have a long way to go.

(U) The nation needs a more balanced approach

The nation, the government, and the Intelligence Community (IC) are, on the whole, insufficiently prepared to confront ongoing and potential foreign offensive IO effectively. We must update our legal statutes to recognize the threat from and to IT and the systems that IT enables. Our policies must be reshaped to permit, even demand, sharing of information among our own offensive and defensive IO forces, both to resolve potential conflicts and to better understand the global threat.

Business practices must be updated to help ensure that our systems always remain current with regard to best security practices and the installation of fixes to deter known attacks, and to prepare for the eventuality that our systems have been and will be compromised. We must design national security system architectures from the start to anticipate deliberate malicious behavior, both internal and external. And our intelligence priorities must be refocused and commensurately resourced to address the growing and
ever-changing threat of offensive IO against our national security and critical infrastructure systems.

We must find better ways to share our knowledge about the form and extent of the threat with those individuals and organizations upon whom our nation relies for defense against strategic or criminal attacks. Finally, we must become ever more vigilant in monitoring the behavior and usage of our systems to identify potential malicious actions, while balancing the priorities of civil liberties and national security.

Terrorism and other threats raise the imperative to share information to unprecedented levels. At the same time, the huge community networks that we use for sharing (the Nonsecure Internet Protocol Router Network, Secure Internet Protocol Router Network, and the Joint Worldwide Intelligence Communications System) face unprecedented risks from the activities of sophisticated adversaries. The information assurance (IA) challenge for the next decade is to solve both problems at once: the need to protect and the need to share.

Hitherto, most national resources have focused on lower-end attacks, such as those mounted by hackers and the intruders who recently targeted NIPRNET. Sophisticated attackers operate using methods that are far more difficult to detect and more diverse in form, ranging from remote attacks to insider subversion to assaults on the supply chain.

Globalization has made IT supply chains increasingly vulnerable. Merely raising the bar will not suffice to defend against sophisticated threats. We must prepare and execute a broad portfolio of actions to transform IA and national security usage of IT in order to improve our defenses against sophisticated cyber threats.

Toward this end, the task force offers the following suggestions for a coordinated strategy for the IC:

• Install sound defensive business practices throughout the IC and ultimately the government;
• Take longer-term preventive measures, including building closer ties to
private industry;
• Find and fool the adversaries in their offensive IO exploits before they do real damage;
• Develop effective contingency plans for when an adversarial IO attack does succeed; and
• Develop a comprehensive risk assessment approach to IA and IT globalization.

While aimed at strengthening the IC itself, this strategy can also serve as a model for other sectors of the government, industry, and our society. The ISB task force encourages the Director of National Intelligence to provide increased advocacy and leadership in expanding this endeavor into a truly national initiative.

(U) Install sound defensive business practices

Most important, the IC must maintain a vigilant defense and keep its information systems up to date with regard to the latest security patches, modern hardware developments, software upgrades, and sound business practices related to security. As basic as this concept would seem, economic and workload pressures often work against our keeping systems current. We must develop viable enterprise-level security strategies and enforce compliance. Many successful attacks on government agencies have been launched against known weaknesses in existing system software after vendors had already distributed effective patches but before the agencies had installed them.

In the complex, interconnected world of cyberspace, we are each only as secure as the systems to which we connect, and they, in turn, as those to which they connect. One weak link in an otherwise strong network provides an opportunistic entry point for an effective and clandestine information operation, and yet we often do not maintain adequate records of system interconnectivity or component sourcing and history.

Patch existing systems and computers as quickly as fixes are made available. Making security fixes must be mindful of operational impacts on complex legacy systems, but sophisticated adversaries need only a brief period or a cloud of confusion to insert their
offensive IO wares.

Strengthen existing IA architectures so that they continue to support net-enabled, net-centric operation while providing improved protection against a broader range of attacks. Substantial changes are needed to re-design systems to be more defensible. For example, such systems could feature controlled information sharing zones and the ability to contain infections, to degrade gracefully, to move selected data collections rather than controlling access, and to facilitate rapid reconstitution. More research is needed on the difficult problem of how to construct trustworthy systems from untrusted components.

Greatly expand countermeasures against insider threats. For longer-term planning, the IC might achieve substantial improvements at moderate cost by taking advantage of emerging technology, such as trusted platform modules and other vendor offerings. The IC must move quickly to assess the costs and benefits of these technological opportunities and to ensure better-protected supply chains for critical system components.

(U) Take other preventive measures and actively engage the private sector

Even if components and business practices are up to date, information systems that are not designed to anticipate adversarial attacks may suffer from a fundamental flaw that enables adversarial IO action. While protections remain necessary, the IC should beware the false sense of security conferred by high fences or thick walls (user authentication, intrusion detection, firewalls, and the like). The IC should also employ forward-looking surveillance to recognize potential attacks before they materialize. Toward this end, the IC should engage the private sector, which invents, owns, operates, and provides most of the information infrastructure upon which the IC relies, and which may already have substantial in-house capabilities for cyber surveillance.

Build upon leading-edge defensive IO strategies and techniques employed within selected private sector
organizations. Considerable expertise exists in the financial, telecommunications, and network management sectors. The IC can learn from what these organizations are already doing and from working collaboratively with them.

Inform private industry about foreign IO threats and provide advocacy for addressing these issues. Private firms, while possessing widespread technical expertise, may not immediately welcome government involvement. They may, however, not fully appreciate the breadth and depth of myriad adversaries' capabilities and intent with regard [illegible] with relevant threat information.

[illegible] threats is deterrence. Yet the United States currently places emphasis on reducing vulnerabilities rather than threats. Both initiatives are needed, but the latter requires a rich active-response portfolio and improved attribution capabilities to discourage an adversary from engaging in cyber threat activities.

Rethink the process of acquiring national security systems. National security systems, including platforms, armaments, intelligence, and mission support systems, rely increasingly on commercial components precisely when increased globalization makes these components more vulnerable to foreign tampering. At the same time, national security systems are increasingly becoming network enabled, which provides a path for adversaries to access malicious components that might already be in place. Often such adversaries seek to make the system unavailable for use, yet in most cases the main goal within acquisition programs is to protect secrets rather than to ensure robust availability and integrity.

To achieve the much-needed closer relationship between the IC and the private sector, we will need national security carve-outs in the laws to encourage and protect commercial interests when private firms help and cooperate with the government in all its forms. Changes in policy or even presidential directives may not
suffice.

Our intelligence systems, of course, have always been a target of espionage and foreign manipulation. Over time, the most visible espionage cases have involved access to computer-based files and information, often by trusted insiders. Passive mechanisms to prevent access are ineffective against the trusted insider who already has legitimate access or the undetected intruder who is already inside our systems.

Fund a robust research program to develop defensive IO capabilities, including techniques for detecting, monitoring, defeating, and responding to intrusions.

Greatly expand usage monitoring. System usage monitoring is critical to improved information sharing. This activity requires a near-term infusion of resources and action so that effective monitoring capabilities can be expeditiously developed and deployed.

Usage monitoring is invaluable when there are doubts about specific access authorization or where the policy in force is to share information liberally. In both situations, usage monitoring enables the enlightened information sharing policy of trust but verify. Any policy on usage monitoring must also remain sensitive to privacy concerns and maintain a careful balance between security and civil liberties.

Usage monitoring complements access control in other ways by enabling the Community to:

• Perform after-the-fact analysis of information sharing to determine the impact when an adversary is caught exploiting collective legitimate accesses, leading to increased aggregate risks;
• Detect abuses committed within a user's access privileges (trawling for large amounts of sensitive data unrelated to the user's current assignment);
• Keep a close watch on privileged users with extensive access rights, baseline their normal activity, and scrutinize them closely when their activities fall outside the norm; and
• Counter sophisticated attacks that circumvent system access controls [illegible] usage monitoring of systems from which data might be exfiltrated to detect and possibly even prevent such attacks.

Usage monitoring will be improved by increased usage of metadata tagging of all digitized information.

[illegible] successful offensive IO attacks

[illegible] naive to assume that critical information systems will always be available and reliable. Prudent operational planners develop alternative strategies to accomplish missions in the face of system fallibility.

Develop a risk assessment approach to offensive IO and globalization

Decision makers and system planners need better ways to identify and assess the risks inherent in our current and planned systems. Complex trades must be considered between system cost, system performance, and mission accomplishment, especially as IT globalization proceeds to cloud the meaning of "buying American."

[illegible] capabilities and intent. The nation must prepare itself much better for cyber-conflict by gathering intelligence, counterintelligence, targeting information, and operations information. Decision makers must understand the potential for attacks on our civilian and private infrastructure to steal scientific and technical information, divert attention, gain commercial economic advantage, or generate public hysteria.

(U) The IC needs a comprehensive, proactive IO strategy

We should also factor the potential economic impact of intellectual property losses into offensive/defensive IO equities.

In fact, the need to protect and the need to share are natural partners that the IC should harness in an integrated team. We need defense in depth both to enable information sharing and to provide robust protection against sophisticated adversaries. The IC can, and indeed must, meet both challenges.

The United States needs a national wake-up call and reality check regarding the global propagation of offensive IO capabilities. We must bring all government cyber activities into the IO age. We must develop IO-aware and IO-enabled strategies in
coordination with policy and diplomatic initiatives. We must raise, across the government, the priority placed on developing national processes for response, damage assessment, and course-of-action planning for critical infrastructures.

Despite the negative implications discussed above, globalization can also present opportunities if we manage them correctly. The spread of technology is not limited to a single nation or entity but occurs world-wide. As a result, globalization can create a diversity of products and source options that can provide viable alternatives against single points of failure and further complicate the mission of a cyber-attacker. To capitalize upon this natural protection, however, U.S. Government purchasing needs to move from a large-scale, single-provider approach to a multiple-provider basis and seek a balance of cost efficiency versus security.

Our national and community vulnerability to IO does not result from globalization but is exacerbated by the instantaneous advancement of knowledge and skill around the globe. If not addressed, the relentless march of globalization will further close the gap between U.S. technological superiority and the skills of other nations. There may come a day when our indigenous technical capability is inadequate to respond quickly enough to a cyber attack.