Computer Crime Problems Research Center

James E. Just

Some Useful Capabilities in Countering Cyber Terrorism

  1. Introduction
  2. The objective of this workshop is to identify several things that should be done to improve our ability to detect, protect against, contain, neutralize, mitigate the effects of, and recover from cyber-terrorist attacks. The intent of this paper is to offer some insights on both cyber defense organizational issues and technical capabilities that would be useful for success.

  3. Strategic Nuclear War Timeline
  4. Response times for cyber attacks are comparable to or faster than strategic nuclear scenarios. While there are certainly computer network attacks in which only milliseconds are required for major damage, we hope that a large-scale coordinated attack is likely to take somewhat longer, on the order of twenty minutes.

    Based on cyber war response-times, the current organization, reporting and response approaches by our National authorities, the CINCs, and others (including the private sector) are completely inadequate. It is like trying to solve the strategic nuclear war problem using command and control systems and institutions designed for conventional wars. The time lines are incompatible.

    An effective integrated organization across all the relevant organizations (including DOD, civilian government, private sector, and coalition partners) is critical in any potential strategic cyber event.

    In this regard, it is interesting to note that the threat of strategic nuclear war resulted in our completely revamping our national defense structure. We established separate dedicated nuclear forces with their own C2 systems, plans, intelligence, etc. While threat warnings were short, indications and warnings (I&W) could be derived and observed.

  5. Functional Goals

Functionally, we would like to be able to accomplish the following in cyber-space.

  • Automatically repel hackers and other known attacks
  • Detect, slow down, and contain unknown external attacks and insider / life cycle attacks
  • Restart critical applications on spare assets or assets running non-critical applications
  • Provide extra protection to shield these critical assets and services (and others) from this new attack and retune existing protection mechanisms against the now known attack
  • Assess global situation and executing COAs by reporting to and coordinating with neighbors and hierarchies.
  • Reconstitute or repair damage including original assets and services
  1. Useful Defensive Capabilities

There are a number of capabilities that we would like to have in the area of strategic cyber defense that are direct analogies to what is available for strategic nuclear defense. The following are some key examples.

Over the Horizon (OTH) radar and related capabilities this technology allows us to see beyond the visual horizon to identify and track possible approaching bombers or missiles at long distances. AWACS and various national asset satellites provide similar functions. Some of these are very specialized to give us maximum warning time for missile launches. Insertion of Special Forces for reconnaissance would be the conventional warfare analogy The desired IA functionality would provide direct observation of adversary computer network attack related activities outside of networks that we directly control whether these are inside or outside the US. They might be realized as various sorts of specialized covert probes that could be launched or otherwise implanted into non-cooperating network domains. These probes would then provide us with reliable information on what was happening in the domain in near real time.

Identification and tracing in the strategic nuclear scenarios, identification was comparatively easy because of the large investments and long lead times required to develop a strategic nuclear launch capability. If a massive launch came from country X, then country X was responsible. A single launch could be more difficult in that it could always be disputed as the act of a disgruntled group and not the host government. Terrorist use of nuclear devices was always more problematic in terms of identifying the culpable party. Tracing refers to the ability to determine the originating phone for a specific phone call in near real time. In the cyber war case, identification and tracing is at least as problematic as for the terrorist nuclear case. We really need help in this area.

Tracking, tapping just as we can currently do surveillance and tracking of the whereabouts of individual suspects in the physical world, we would like to be able to do the same thing in the cyber world. How can we identify and track the network activities of specific suspects and how can we link these to physical surveillance and tracking. We would like to be able to track a suspect around the world, tap his/her phone calls, intercept and read mail, and monitor all computer or network activity done by the suspect anywhere.

Bulk-heading it would be extremely useful to have fine grained dynamic control over what organizations, individuals, or machines had access to the Internet

Source: www.isi.edu

Home | What's New | Articles | Links
Library | Staff | Contact Us

Copyright Computer Crime Research Center, 2001-2002 All Rights Reserved.
Contact the CCRC Office at 380-612-735-907
contacts@crime-research.org