25 June 1998
Source: http://www.usia.gov/current/news/latest/98062501.glt.html?/products/washfile/newsitem.shtml


USIS Washington File
_________________________________

25 June 1998

TEXT: TENET WARNS OF CYBER TERRORISM

(CIA director says information warfare is a serious threat)

Washington -- The director of the Central Intelligence Agency (CIA)
has warned that the computer information systems of the United States
is open to terrorist attacks.

George Tenet says that the "vulnerability of our critical information
infrastructure to a potentially devastating high tech attacks" is a
"very serious threat to our national security."

Just like the proliferation of weapons of mass destruction,
international terrorism and drug trafficking," Tenet emphasizes,
"information warfare has the potential to deal a crippling blow to our
nation security if we do not take strong measures to counter it."

He made the comments June 24 at a hearing of the Senate Committee on
Government Affairs discussing government computer security.

"Terrorism and other non-state actors are beginning to realize that
information warfare offers them new, low cost, easily hidden tools to
support their causes," the CIA director noted.

He pointed out that terrorists "will be very difficult for the United
States to trace in cyberspace."

Following is the text of his remarks as prepared for delivery.

(Begin Text)

Mr. Chairman, distinguished members of this Committee, it is a
pleasure for me to come here today to discuss with you a very serious
threat to our national security the vulnerability of our critical
information infrastructure to a potentially devastating high tech
attack.

Just like the proliferation of Weapons of Mass Destruction,
international terrorism, and drug trafficking, information warfare has
the potential to deal a crippling blow to our national security if we
do not take strong measures to counter it.

Consider for example the Washington Post report early this year that
eleven U.S. military systems were subjected to an "electronic
assault." The perpetrators were not initially known, because they hid
their tracks by routing their attack through the United Arab Emirates
computer systems. While no classified systems were penetrated and no
classified records were accessed, logistics, administration and
accounting systems were accessed. These systems are the central core
of data necessary to manage our military forces and deploy them to the
field. In the end, we found two young hackers from California had
perpetrated the attacks via the United Arab Emirates under the
direction of a teenage hacker from Israel.

This should not surprise us. A recent DoD study said that DoD systems
were attacked a quarter of a million times in 1995. As a test, a
Defense Department organization that same year conducted 38,000
attacks of their own. They were successful 65 percent of the time. And
63 percent of the attacks went completely undetected.

We have spent years making systems interoperable, easy to access, and
easy to use. Yet we still rely on the same methods of security that we
did when data systems consisted of large mainframe computers, housed
in closed rooms with limited physical access. By doing so, we are
building an information infrastructure -- the most complex the world
has ever known -- on an insecure foundation. we have ignored the need
to build trust into our systems. However, simply hoping that someday
we can add the needed security before it's too late is not a strategy.

In this hearing today, Mr. Chairman, I hope to leave you with three
key points. First, I want you to take away an appreciation for the
growing seriousness and significance of the emerging threat to our
information systems. Secondly, I want to emphasize the need to
evaluate the threat from the perspective of both state and non-state
actors--proliferation of malicious capabilities exists at every level. 
And finally, I want to provide you with an appreciation for what the 
intelligence community is doing to combat the problem. On this last 
point, let me assure you that our engagement in infrastructure 
protection extends not just to efforts within the intelligence 
community but to participation with all the other stakeholders in our 
nation's infrastructure systems--across government agencies, in 
academia and in the private sector.

Growing Dependence on Information Systems

As this Committee well understands, we have staked our way of life on
the use of information. We rely more and more on computer networks for
the flow of essential information. Like electricity, we now take
information infrastructures for granted. Reliability breeds dependence
- and dependence produces vulnerabilities. Today, as a result of the
dramatic growth of and dependency on new information technologies, our
infrastructures have become increasingly automated and inter-linked.
Disruptions in information-based technologies can range from being a
serious nuisance--as we saw just weeks ago when the loss of a single
satellite caused a nation-wide halt in electronic pager systems--to
potentially disastrous. Consider what such a disruption would have
caused in Operation Desert Storm, where our information systems had to
accommodate a communications volume of 100,000 electronic messages and
700,000 telephone calls a day. Seven years later, those figures would
be far greater and our reliance on computers is much greater as well.

It is in this context that we must appreciate that future enemies,
whether nations, groups, or individuals, may seek to harm us in
non-traditional ways. Non-traditional attacks against our information
infrastructures could significantly harm both our military power and
our economy.

Who would consider attacking our nation's computer systems, Yesterday,
you received a classified briefing answering this question in some
detail. I can tell you in this forum that potential attackers range
from national intelligence and military organizations, terrorists,
criminals, industrial competitors, hackers, and disgruntled or
disloyal insiders. Each of these adversaries is motivated by different
objectives and constrained by different levels of resources, technical
expertise, access to target, and risk tolerance.

And why would we be attacked? There are plenty of incentives:

-- Trillions of dollars in financial transactions and commerce moving
over a medium with minimal protection and sporadic law enforcement;

-- Increasing quantities of intellectual property residing on
networked systems;

-- And the opportunity to disrupt military effectiveness and public
safety, with the elements of surprise and anonymity.

The stakes are enormous. Protecting our critical
information-infrastructure is an issue that I am deeply concerned
about and requires attention from us all.

Threats from Foreign States

As I recently testified before the SSCI in January, we have identified
several countries that have government-sponsored information warfare
programs. Foreign nations have begun to include information warfare in
their military doctrine as well as their war college curricula with
respect to both offensive and defensive applications. It is clear that
nations developing these programs recognize the value of attacking a
country's computer systems--both on the battlefield and in the
civilian arena.

The magnitude of the threat from various forms of intrusion,
tampering, and delivery of malicious code is extraordinary. We know
with specificity of several nations that are working on developing an
information warfare capability. In light of the sophistication of many
other countries in programming and Internet usage, the threat has to
be viewed as a factor requiring considerable attention by every agency
of government. Many of the countries whose information warfare-efforts
we follow realize that in a conventional military confrontation
against the US, they cannot prevail. These countries recognize that
cyber attacks--possibly launched from outside the U.S.--against
civilian computer systems in the U.S.--epresent the kind of
asymmetric option they will need to "level the playing field" during
an armed crisis against the United States.

Just as foreign governments and their military services have long
emphasized the need to disrupt the flow of information in combat
situations, they now stress the power of "Information Warfare (IW)"
when targeted against civilian information infrastructures, The three
following statements, all from high-level foreign defense or military
officials, illustrate the power and the import of information warfare
in the decades ahead.

For example, in an interview late last year, a senior Russian official
commented that an attack against a national target such as
transportation or electrical power distribution would--and I quote--
"... by virtue of its catastrophic consequences, completely overlap
with the use of (weapons) of mass destruction."

An article in China's "People's Liberation Daily" stated that--and I
quote--"an adversary wishing to destroy the United States only has to
mess up the computer systems of its banks by hi tech means. This would
disrupt and destroy the U.S. economy. If we overlook this point and
simply rely on the building of a costly standing army ... it is just
as good as building a contemporary Maginot Line."

A defense publication from yet a third country stated that
"Information Warfare will be the most vital component of future wars
and disputes." The author predicted "bloodless" conflict since, and I
quote, "information warfare alone may decide the outcome."

As these anecdotes clearly demonstrate, the battle-space of the
information age will surely extend to our domestic infrastructure. Our
electric power grids and our telecommunications networks will be
targets of the first order. An adversary capable of implanting the
right virus or accessing the right terminal can cause massive damage.

Information warfare is not just about offensive capability, however,
but about defensive readiness as well. This fact has not been lost on
others. Many nations--several of which are potential adversaries--are
reviewing their own growing dependence on information systems, both
for military and civil activities. They are searching out their
vulnerabilities and developing approaches to protect themselves. We
must do the same. If not, we could soon find ourselves at a
significant disadvantage in addressing what may be the key security
challenge of the next decade.

Next, I want to examine the degree to which this threat has
proliferated beyond traditional nation states to become the potential
weapon of choice for less structured adversaries.

Terrorist Use of Information Warfare Tactics

Terrorists and other non-state actors are beginning to recognize
that Information Warfare offers them new, low cost, easily hidden
tools to support their causes. They too will see the United States as
a potentially lucrative target. These people will be very difficult
for the United States to trace in cyberspace.

Terrorists, while unlikely to mount an attack on the same scale as a
nation, can still do considerable harm. What's worse, the technology
of hacking has advanced to the point that many tools which required
in-depth knowledge a few years ago have become automated and more 
"user-friendly." It may even be possible for terrorists to use amateur
hackers as their unwitting accomplices in a cyber attack.

Cyber attacks offer terrorists the possibility of greater security and
operational flexibility. Theoretically, they can launch a computer
assault from almost anywhere in the world, without directly exposing
the attacker to physical harm.

Terrorists are not hound by traditional norms of political behavior
between'states. While a foreign state may hesitate to launch a cyber
attack against the U.S. due to fear of retaliate-on or negative
political effects, terrorists often seek the attention--and the
increase in fear--that would be generated by such a cyber attack.

Established terrorist groups are likely to view attacks against
information systems as a means of striking at government, commercial,
and industrial targets with little risk of being caught. Global
proliferation of computer technology and the open availability of
computer tools that can be used to attack other computers make it
possible for terrorist groups to develop this capability without great
difficulty.

Terrorists and extremists already are using the Internet and even
their own web pages to communicate, raise funds, recruit and gather
intelligence. They also will use it to launch attacks against their
adversaries. They may even launch attacks remotely from countries
where their actions are not illegal or with whom we have no
extradition agreements.

Let me give you a few examples of what I am talking about. A group
calling themselves the Internet Black Tigers took responsibility for
attacks--last August on the e-mail systems of Sri Lankan diplomatic
posts around the world, including those in the United States. Italian
sympathizers of the Mexican Zapatista rebels crashed web pages
belonging to Mexican financial institutions. While such attacks did
not result in damage to the targets, they were portrayed as successful
by the terrorists and used to generate propaganda and rally
supporters.

Detecting Information Operations Attacks Launched Against the U.S.

Mr. Chairman, as terrorists and other adversaries well know, our
society is based on the free flow of information. That concept is
clearly embodied in the constitution. It forms the foundation of our
freedoms and of our productivity. Consequently, our systems are built
to facilitate access and openness and they must remain so within the
reasonable bounds of security. It is just that openness, however, that
makes our systems so vulnerable.

So how will we detect an attack in this world of vast inter-
connectivity? It will not be easy. In the first place, those who would
attack us, generally, are tough intelligence targets. Second, they
will use cheap, easily available technology and techniques. Patterns
will be difficult to spot. Furthermore, intrusion detection technology
is still in its infancy and the systems we will need to observe are
very diverse. When attacks are detected, the source of the attack will
be disguised. moreover, after trouble is detected, it takes time for
an analyst to determine whether the problem took hold by accident or
by design. Unless we have intelligence indications dealing with
someone's intention to attack, such as through a human source,
tactical warning will he very difficult to attain.

However, by combining the efforts of government and industry, we will
be able to pool our strengths and share the necessary information to
allow a reasonable defense- Furthermore, by sharing the research and
development burden between the public and private sectors, we each
will be better able to take advantage of the other's expertise. That
is one of the advantages of connectivity.

The Intelligence Community Response

Protecting our systems will require an unprecedented level of
cooperation across government agencies and with the private sector.
That cooperation already has begun. I view the report of the
President's Commission on Critical infrastructure Protection as a
defining moment in identifying vulnerabilities in our information
infrastructure, in assessing the potential threat to our national
security, and in establishing the requirement as well as the momentum
for a coordinated effort on information operations. The intelligence
community engaged actively in the preparation of that report as well
as in publishing the National intelligence Estimate on Foreign Threats
that served as the companion piece to the Commission's report. In
producing the NIE, the intelligence community enjoyed extensive
interaction with representatives from law enforcement and DoD
information security agencies to assess the threat to our computer
networks.

These two documents--the NIE and the Commission report--have
provided the impetus for significant activity in both the public and
private sector to combat the threat to our computer systems. The
attention directed to the threat to our information security systems
also resulted in the stand-up of dedicated activities within CIA,
DIA, and NSA. CIA also appointed an information Warfare Issue Manager,
whose responsibility is to focus collection and all-source analysis
on the IW threat and to provide an IW center of excellence within the
Agency.

As a community, we have also been active participants, together with
other information operations stakeholders, in the NSC-Chaired
Interagency Working Group that produced the Presidential Directive
titled "Critical Infrastructure Protection" and we are now active in
the NSC Critical infrastructure Coordinating Group tasked to implement
that directive. Each of these efforts has had a cumulative effect in
building-the critical mass that will be required to deal with the
threat to our information infrastructure. The Commission report, the
NIE, and the recent Presidential Directive will provide the public and
private sector with a clear blueprint as to the direction we are
taking.

Our very considerable efforts with the Department of Defense have
produced organizational, policy and capability improvements and
efficiencies for use in information operations. We recently
established a senior-level forum to address Information Operations
policy and process issues, responding to long-standing congressional
interest in the development of just such a policy body. We also
created, one year ago, the Information Operations Technology Center at
Fort Meade, MD. The IOTC is another of our joint DoD and Intelligence
Community activities, providing advice and developing techniques that
can protect U.S. infrastructure systems.

We have also actively participated in DoD War Games like the EVIDENT
SURPRISE series established by the U.S. Atlantic Command and
incorporated the threats posed by information warfare into an
increased number of other exercises. After my testimony, you will hear
from General Minihan, Director, National Security Agency, about the
U.S. government's cyberwar exercise, "Eligible Receiver". Eligible
Receiver was an information war wake-up call of the highest order.
It highlighted in very clear terms the importance of today's hearing
and the work that still lies ahead.

Finally, we must recognize that law enforcement and the private sector
are essential parts of our response to this emerging threat. Our
Intelligence Community's information warfare efforts include support
to the Department of Justice's National infrastructure Protection
Center which was commissioned in response to recommendations of the
President's Commission and the joint efforts of the NSC Interagency
Working Group on Critical infrastructure. We are very much engaged in
providing technical, analytic and management personnel to the Center
as well as needed intelligence support. The NIPC will provide the very
critical bridge between government and the private sector. As you
know, the private sector is being hit every day by hackers. We need
to do more to inspire the confidence to work together and to share
information with industry to learn more about these attacks, to
discover whether they emanate from foreign sources and to become
partners in developing the technology required to deflect future
attacks.

The Challenge to Act

Mr. Chairman, the concerns we raise today--although not yet on the
front burner in the minds of many Americans--are, in fact, urgent. We
have to focus on this threat now.

In fact, the approach of the year 2000 makes our work all the more
critical. It is generally understood that the "Year 2000 Problem"
poses inherent risks to our systems, but it is less understood that
the Year 2000 also affords special opportunities for our adversaries.
For example, our dependence on foreign software development is a cause
for concern. it is possible foreign actors with hostile intent may try
to exploit the Year 2000 Problem for their own ends. As we come upon
that date, we have to do more than just ensure that our systems
function on January 1, 2000, but that they function and that they are
secure.

These are enormous challenges. As we all recognize, Information
Warfare defies conventional and even many unconventional intelligence
methods. Intelligence disciplines traditionally have focused on
physical indicators of activity and on mechanized, industrially-
based systems. With the advent of information operations, we are faced
with the need to function in the medium of 'cyberspace' where we will
conduct our business in new and challenging ways.

At the end of the day, the Intelligence Community must be positioned
to provide warning of cyber-threats. This warning must go to
national leaders and the military of course. But we also must develop
ways and means to warn the private sector and the leaders of our
economy.

However, our efforts must extend beyond warning. As a nation, we will
need to detect attack, withstand assault if launched
successfully'against us, and then aggressively prosecute action
against the attackers. The intelligence Community cannot do all this
alone, nor can the Department of Defense, nor can the Department of
Justice or private industry. In this new world of cyber-threats, we
will need to work together in partnerships unlike any in our history.

Mr. Chairman, we have made a solid beginning, but we have a long way
to go. I appreciate your efforts to bring this vital issue before the
public and for your interest in our work in the intelligence
community. Protecting our infrastructure is a topic which will only
grow in importance as we enter the twenty-first century. It concerns
all of us. I look forward to working with you in the future as we
build on the foundations we are laying today.

(End Text)