Analysis and Fin
Analysis

With the tools stated above, I can say that cyberterrorism is very alarming, especially to the government, since they are the target of some terrorists. It is also frightening on the part of civilians, since they can be used by terrorists to make their plans successful. The threat of cyberterrorism to our technical infrastructure is real and immediate. Computers and servers in the United States are the most aggressively targeted information systems in the world, with attacks increasing in severity, frequency, and sophistication each year. As our nation's critical infrastructure grows more reliant on information technologies, it also becomes more exposed to attackers, both foreign and domestic. These attacks can threaten our nation's economy, public works, communication systems, and computer networks.

Despite this growing threat, training to counter these attacks has failed to increase in response. Most classes are prohibitive, whether in terms of cost, time, and/or location. To fill this gap, the CDI program was created to provide comprehensive, transferable, and inexpensive cyberterrorism training to qualifying technical personnel throughout the United States. Personnel can come from public safety, law enforcement, state and local government, public utilities, colleges and universities, and health care providers. Depending on classroom space, consideration will also be given to other individuals working within agencies and organizations considered part of our nation's critical infrastructures. CDI is unique in the arena of cyberterrorism training because the classes are brought directly to areas of critical need throughout the country, at very little cost to the participants.

In thinking about these three levels of intelligence and their applicability to Internet security, it is tempting to suggest that cyber-space has so many unique characteristics that none of the traditional approaches is relevant. Such a temptation should be avoided.
There are important parallels with, and critical lessons to be learned from, experience in other domains. One of the most notable parallels is between cyber-intelligence and business intelligence, particularly in product monitoring. In the case of intelligence for the Internet, it is the development and diffusion of tools for intrusion and disruption that need to be monitored. Yet such efforts are not that different from monitoring the development and marketing of new products in the business world. Consequently, some of the methods and techniques developed in the world of competitive intelligence might be particularly helpful as one component of intelligence collection and analysis in relation to cyber-space threats.

The most serious and useful model for intelligence analysis of information threats, however, is probably intelligence methodologies in the area of national security intelligence, and specifically, counter-terrorism. The terrorism threat has several characteristics that also apply to cyber-threats. The parallels include the diversity of the actors involved, the reliance of at least some of them on networks, the broad range of motivations, the anonymity of the perpetrators of terrorist incidents (something that has become more pronounced in recent years as the traditional practice of claiming responsibility has given way to the cloak of silence), and the enormous array of potential targets and weapons. Terrorists can choose from a set of options that obviously include firearms and conventional explosives but could conceivably involve WMD capabilities. Not surprisingly, one of the major concerns of intelligence analysis in this domain is with predicting and either preventing or pre-empting terrorism incidents. The utility of early warning is hard to exaggerate, as such warning facilitates preventive and defensive measures as well as damage mitigation efforts. The parallels between counter-terrorism intelligence and intelligence for cyber-threats are represented in Table 1, which also illustrates the contrast between Cold War intelligence and these other two intelligence domains.
Table 1: Traditional and New Intelligence Domains. Columns: Dimension; Cold War Intelligence; Counterterrorism Intelligence; Cyber-Intelligence. Rows: Focus of Intelligence; Perpetrators; Weapons; Potential Targets of Attack; Focus.
It is clear, even in this simple table (which is not all-inclusive), that terrorism and cyber-threats resemble one another in both diversity and complexity and differ significantly from the monolithic threat model that dominated during the Cold War. In both domains, therefore, the intelligence effort has to be implemented through a series of environmental scans rather than a simple and easy focus on one dominant threat. Whether the emphasis is on a single threat or multiple threats, however, crucial aspects of the intelligence task remain the same. Although the focus of the collection and analysis effort might shift, the intelligence process itself involves the same cycle of activities: focus on the mission, collection of sources and information, collation and management of the collected intelligence, analysis and assessment resulting in an intelligence product, and the dissemination of this product to the customer. The intelligence cycle remains constant whatever the target of the efforts. Similarly, good intelligence not only moves from data streams to data fusion but also from fused data to knowledge, and from knowledge to forecasting or prediction. And whatever the domain of activity, whether business intelligence, military intelligence, or cyber-intelligence, there is always a requirement to overcome pathologies and obstacles that can undermine the analytical process and dilute or distort finished intelligence products.

In terms of collection methods, however, a critical addition needs to be made. As well as traditional reliance on Comint, Humint, and Sigint, it might be necessary to develop a separate category of Cyberint. In effect, Cyberint would require a blending of Sigint, Humint, and Comint methodologies to be effective. Each of those traditional intelligence disciplines brings components that are critical for analysis of on-line threats.

The Humint aspect would provide for the monitoring and profiling of potential threat groups. It could take the form of simple monitoring of intruder chat rooms and web sites or in-depth profiling of identified individuals or groups. It will require that analysts are able to identify which players, whether individuals or groups, have the technical expertise to carry out their intended operations. Consequently, much effort will need to be focused on existing use of the Net and identified intrusions to establish a baseline of data from which to proceed.

The Sigint perspective is useful from the point of analyzing intruder tools and specific system vulnerabilities. This is not to say that an analytic organization would necessarily intercept and collect data being transmitted across targeted systems. There are too many questions of legality and ethics to anticipate that sort of effort. However, studying identified tools and how they have been implemented does call for the utilization of existing Sigint methodologies to provide value-added assessments.

Similarly, one of the basic tenets of Comint analysis is to establish a communications activity baseline; this readily applies to various information and communication systems. Establishing baseline information on the normal data flow for a given system would make it easier and quicker to identify anomalies that could be indicative of probes or attempts at intrusion.

As with the overall intelligence process, each of these recognized intelligence disciplines provides individual parts of a greater whole. They are the tools through which fusion intelligence of both current and future cyber-threats can be obtained. It goes without saying that collecting this sort of data will require a major cooperative effort between the analytic organization and past, as well as potential future, victims. In sum, Cyberint would not supersede other collection methods but is likely to prove a crucial addition that would help to focus the intelligence effort and contribute significantly to the successful analysis of cyber-threats and intrusions.
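
The communications-activity baseline described above, as an added example that is not part of the original essay: it builds a per-host, per-hour baseline of connection counts and flags departures from it using the median and the median absolute deviation. The host names, counts, and the 3.5 threshold are constructed assumptions.

```python
"""Communications-activity baseline with robust anomaly scoring (added example)."""
from collections import defaultdict
from statistics import median

def build_baseline(history):
    """history: (host, hour_of_day, connection_count) -> {(host, hour): (median, MAD)}."""
    buckets = defaultdict(list)
    for host, hour, count in history:
        buckets[(host, hour)].append(count)
    baseline = {}
    for key, counts in buckets.items():
        med = median(counts)
        mad = median(abs(c - med) for c in counts)  # robust to past outliers
        baseline[key] = (med, mad)
    return baseline

def score(baseline, host, hour, count, min_spread=1.0):
    """Robust z-score, or None when this host/hour was never seen before."""
    if (host, hour) not in baseline:
        return None
    med, mad = baseline[(host, hour)]
    # 1.4826 * MAD approximates a standard deviation for normal data;
    # min_spread avoids division by zero on perfectly flat history.
    spread = max(1.4826 * mad, min_spread)
    return (count - med) / spread

def find_anomalies(baseline, observations, threshold=3.5):
    """Return observations that depart from the baseline or have none."""
    flagged = []
    for host, hour, count in observations:
        z = score(baseline, host, hour, count)
        if z is None:
            flagged.append((host, hour, count, "no baseline"))
        elif abs(z) >= threshold:
            flagged.append((host, hour, count, round(z, 1)))
    return flagged

# Constructed sample data (assumed names and counts, not real traffic).
HISTORY = [("mail01", 2, c) for c in (4, 5, 3, 6, 4, 5, 4)] + \
          [("mail01", 14, c) for c in (120, 135, 110, 128, 140, 125, 131)]
TODAY = [("mail01", 2, 5), ("mail01", 2, 90), ("mail01", 14, 133), ("db02", 3, 12)]

if __name__ == "__main__":
    for row in find_anomalies(build_baseline(HISTORY), TODAY):
        print(row)
```

Scoring against the same hour of day matters: 90 connections would be unremarkable for this host at 14:00 but is far outside its 02:00 baseline, and a host with no history at all is reported rather than silently passed.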