Information Security Management risks in a global and national context

Information Security is typically considered in organisational context, looking at how

the organisational information assets and information infrastructure are protected.
Very seldom the treatment of the topic is on a broader scale, looking at the
information management security issues from a global or national perspective. Many
countries adopt focussed and stringent programs to protect their critical infrastructure
such as water sources and power plants: not many countries pay the same attention to
the Internet and information infrastructure and assets.

There is a wide awareness at the global level that information security needs to be
managed in a coherent and coordinated manner. The United Nations General
Assembly (UNGA) adopted, on 23rd January 2002, resolution 56/121 on combating
the criminal misuse of information technologies. The resolution recognizes the
importance of free information flow to the economic and social development whilst
expressing concern that technological advance opened up new possibilities for
criminal activities and noting that it may have significant impact on all countries
(UNGA 2002). In the same year, the Asia-Pacific Conference on Cybercrime and
Information Security published a draft action plan on cybercrime and information
security for the Asia Pacific region (APCCIS 2002). The plan presented a six-point
vision, for the next five years, including increased awareness and capacity with
respect to information security, adoption of legislative and regulatory frameworks and
regional arrangements to promote information security. Needless to say, despite the
high-level awareness and aggressive timelines, not much progress was achieved.
Perhaps there is a perception that the threat is not real.

In the context of steadily increasing theme trend of articles appearing in the press,
Internet publications and blogs it would appear that the threat is real. A detailed study
of information technology and warfare (Davies 2002) traces the use of Information
and Communication Technologies (ICTs) to World War II from when the British
developed a Colossus computer to decrypt German machine codes through the Cold
War era to the present. The study highlights the fact that the emergence of new
technology is transforming the way that the warfare between nations is conducted and
emphasises the importance of ICT and information security to protection of welfare
and security of ordinary citizens. Early recognition of the emerging information
security issues is demonstrated through the CIA Congress briefings in 1996
presenting the protection of national information systems as a global trend. At the
same time, the article communicates a concern that the associated risk assessment
conducted at the national level is mainly directed towards the exposure to attacks
against information systems and overlooks risks associated with intelligence gathering
and disinformation spread through compromised systems. This is consistent with a
taxonomy proposed in the study, recognising Type II information warfare as targeting
the destruction of the enemy data communications and Type III, present day,
information warfare as targeting intelligence gathering and exploiting the use of
information systems by the opposition. Type III information warfare is conducted
mainly through covert penetration of systems. One of the earliest examples of Type
III penetration was a systemic hacking performed by a group of West German hackers
in 1980s on US Government systems under the instigation of the Russian KGB.
The volume of cyberspace attacks directed against government targets can be
staggering. It is estimated that, by mid 90s there were 250,000 network-based attacks
on the Pentagon annually, with 160,000 of them successful. Other sites that were
compromised include the CIA, the Justice Department and the US Air Force. The
latter case is also substantiated by the account of “Titan Rain”: penetration attacks
against the US secure networks mounted by Chinese hackers over a two-year period
between 2003 and 2005 (Shannon 2005). As described, the attacks emanated from
networks located in the mainland China, with data offloaded through intermediary
“zombie” computers in Taiwan, Korea and Hong Kong. Quotes from the US
Government officials indicated a strong suspicion that these attacks were supported by
the Chinese government, given that such ongoing and intense network activity would
be impossible without the government tacit approval as the Internet is very tightly
controlled in China. Interestingly, the same US officials are quoted as seeing network
breaches as a serious issue with potential life-threatening implications. This is a little
bit at odds with the earlier statistics showing the number of successful penetrations of
Pentagon systems and the views expressed then that no sensitive information was
compromised.

As reported in the Government Computer News (Onley and Wait 2006) the hackers
succeeded in siphoning off 20 terabytes of data from networks operated by the US Air
Force and Army, NASA, the World Bank and a number of defence subcontractors.
The characteristics of the attack, involving large scale data theft together with theft of
passwords and planting of “back door” access mechanisms fit the description of Type
III information warfare scenario described earlier on. The same report links the “Titan
Rain” with a strategy implemented by the Chinese People’s Liberation Army (PLA).
According to the authors, PLA focussed very much on implementing specialist cyber
units, staffed by qualified civilian engineers, to mount information warfare attacks not
only to collect intelligence but also to disable and disrupt communications. A very
specific geopolitical scenario put forward is the use of information warfare by the
PLA to delay US response following any military action against Taiwan, under the so-
called “asymmetric strategy” where limited human resources with right technology
can impact or affect a much larger opposing force. A counter-strategy, proposed by
the same report, is through the implementation of consistent, layered security
protection mechanisms, common security procedures and education to raise the
awareness.

An article with a rather catchy title, “World Wide War 3.0”, published in “The
Diplomat” in 2007 (Macpherson 2007), takes the description of asymmetric strategy
further, highlighting the advantages of using cyber or information warfare to disrupt
enemy communications and outlining a possible scenario of an orchestrated attack
against the US military and economic targets. The article supports the claims
expressed earlier that the Chinese PLA has at its disposal large pool of qualified
personnel to support information warfare activities. Additionally, it also mentions the
investment made by the Chinese authorities to boost the ICT know-how available and
the use of criminal hacker networks to supplement penetration activities. The latter
reference is perhaps atypical as criminal elements are not usually known for
collaborating with the government. The article substantiates this claim with an
assessment from one of well known IT security companies, Verisign, quoting their
own intelligence assessment stating that such criminal networks are often used as

2
hired mercenaries and their other activities overlooked. The article also raises a very
relevant point involving the Russian Business Network (RBN), who develops
malware and operates servers hosting pornography and pirated software without
interference from the Russian government, in connection with an extensive “botnet”
1
operation, permitting launching of distributed denial of service 2(DDoS) attacks
through networks of compromised computers.

Botnet operations are a source of concern for most of the western countries who even
hold annual conferences on “botnet” activities. Although botnets can be used for a
number of cybercrime activities such as spamming and identity theft, the ability to
disrupt or disable Internet access is one of the more serious concerns. The events that
took place in Estonia over a three-week period from 26 April 2007 are generally
described as the first war in cyber space (Landler and Markoff 2007, Traynor 2007).
During this time a large scale coordinated DDoS attacks were launched against
multiple Estonian Internet targets in response to the Estonian government’s decision
to move a statue commemorating Russian soldiers. The attacks, directed at the
Estonian president’s, parliament, government ministries, main political parties, news
agencies and main bank web sites caused significant shutdowns and disruptions. The
attackers also planted disinformation, placing a fake letter of apology for the move of
the statue on the website of the governing party. The Estonian government raised the
issue with the NATO and European Community member states and the attacks were
one of the subjects of the Estonian president’s address to the UN General Assembly in
2007. In his address, the president stressed that sometime cyber warfare threats are
underestimated since they are not perceived as life-threatening and called for UN
member states to become signatories to the Convention on Cybercrime of the Council
of Europe (also open to non-European states) and to support the International
Telecommunications Union Global Cyber-security Agenda (UNGA 2007).

We are familiar with the recent fighting between Russia and Georgia over the South
Ossetia and Abkhazia breakaway regions. Whilst most of us can recall images of
tanks and troops shown on the TV news, not many people would be aware of the
Russian cyber warfare attacks against the Georgian president’s website, the central
government website, the Ministry of Foreign Affairs and the Ministry of Defence
websites that preceded the armed conflict. As part of the Type III information warfare
penetration, the attackers placed a photo show depicting the Georgian president side
by side with Adolf Hitler, using similar poses and gestures. As a sign of premeditation
in planning the attack, some of materials posted on Russian websites provided access
to DoS tools for average Internet users, identified vulnerable Georgian SQL servers
connected to the Internet and provided e-mail addresses of Georgian public figures for
spamming. A very interesting aspect of the conflict, in a form of a preventative strike,
was the attack launched against Georgian hacker forums with the intent of taking
these offline whilst other Georgian sites were being hacked or swamped. The Russian
Business Network, mentioned beforehand, was linked with these activities. As a
mitigation strategy, the Georgian government sought the assistance of Georgian
businesspeople based in the US to relocate their websites there temporarily.

1
A botnet is a network of “robot” computers, remotely controlled by a hacker. A single botnet can
number hundreds and thousands of computers.
2
A denial of service attack is where a very large number of computers keeps on sending requests to a
web server on the Internet, effectively swamping it with incoming data and preventing it from
performing its job.

3
The conflicts between national hacker groups are also quite common. The UK
Independent newspaper, in an article published in May 2001 (Grimmond 2001), wrote
about Serbian hackers attacking Kosovo ISPs and denying the humanitarian and news
agencies operating there access to the Internet. The article also mentioned an earlier
conflict between Serbian and Croatian hackers who hacked websites in their
respective countries. With the recent terrorists attacks in Mumbai it was only a
question of time before the Internet blogs and portals started carrying out posts about
the Pakistani and Indian hackers conflict and tit-for-tat site defacements. The
electronic conflict between these two countries is not new: even the BBC World news
service published an article in 1998 about the elements linked with the Pakistani
intelligence services hacking into the Indian army website and many other such
incidents since (Peter 1998).

Apart from the risk of a coordinated state-sponsored cyber attack, another issue
relevant to the national information security management is the use of intelligence to
counter criminal or terrorist activities. The study of intelligence and information
warfare (Davies 2002) also mentions the usefulness of ICTs as the medium for
coordination and organisation of large scale political operations and, due to this, the
increased interest from the internal counter-intelligence and counter-terrorist agencies
in intercepting even private citizen communications to intercept communications
between terrorist and extremist groups. As recently reported by the Informative
Management Journal (Swartz 2008a) even such democratic country as Sweden
introduced legislation authorising its national intelligence service to intercept
international phone calls, faxes and e-mails without a court warrant. The same
periodical reported two months later (Swartz 2008b) that the US Department of
Homeland Security will now be able to confiscate any electronic devices, including
iPods and mobile phones, documents and publications from any traveller entering the
US even without any suspicion of wrongdoing. Needles to say, in both cases the civil
liberties groups were protesting against what they saw as a gross invasion of privacy.

Unfortunately, this fine gap between protecting national security and invading
individual privacy may not be easy to maintain as the Internet becomes more and
more popular with extremist and militant organisations. A report on terrorist activities
on the Internet (Piper 2008) lists several different activities such as the information
and data mining, recruitment, fundraising, networking and information sharing,
strategic planning and cyber-terrorism, with the last one focussed on using ICT to
affect telecommunications, power supplies and other critical infrastructure. A study of
terrorism and the use of technology to achieve radicalization (Wright 2008) fully
supports these claims, listing similar activities, organisations and websites.
Additionally, the study published in “The Forensic Examiner” suggests stronger links
with the community, encouragement of migrant integration and publication of
counter-messages promoting integration as a suitable prevention strategy.
Unfortunately, quoting the Office of the Coordinator for Counterterrorism the study
also concludes that “Information operations are vital to radicalization; however, the
United States and the international community have yet to marshal a coordinated and
effectively resourced counter to the use of the Internet by extremist groups” (Wright
2008 p. 20).

4
In closing, the above assessment is also very true today in respect to a broader range
of information security risks and threats on a global and national scale. Though some
progress was made with the development of the Global Cybersecurity Agenda,
drafting of the Convention on Cybercrime and other international and national
initiatives and strategies to combat such risks, the implementation is rather slow. It
would most probably take an electronic equivalent of 9/11 or London 7/7 attacks
before a cohesive and concerted international effort is mounted.

References

Asia-Pacific Conference on Cybercrime and Information Security (APCCIS) 2002,

“Draft Action Plan on Cybercrime and Information Security for the Asia-Pacific
region”, UN Economic and Social Commission for Asia and the Pacific (ESCAP),
Seoul, 11 - 13 November 2002

Davies, PHJ 2002, “Intelligence, Information Technology, and Information Warfare.”,

Annual Review of Information Science and Technology (ARIST), volume 36 p313-52

Grimmond, J 2001, “City Life: Pristina – War erupts in Balkan cyberspace, but Nato
is as”, The Independent, 2 May 2001 issue

Ilves, TH 2007, “Address by Mr. Toomas Hendrik Ilves President of Estonia To the
62nd Session of the United Nations General Assembly”, UN Headquarters New York

Landler, M and Markoff, J 2007, “In Estonia, what may be the first war in
cyberspace”, International Herald Tribune, 28 May 2007 issue

Macpherson, S 2007, “World Wide War 3.0”, The Diplomat, Sep/Oct 2007 APEC
Special Issue

Onley, DS and Wait, P 2006, “Red storm rising”, Government Computer News,
www.gcn.com

Peter, L 1998, “War of words on the Internet”, BBC, 25 October 1998

Piper, P 2008, “Nets of Terror Terrorist Activity on the Internet”, Searcher, vol 16
Iss. 10

Swartz, N 2008, “Sweden Approves Warrantless Wiretapping”, Information

Management Journal ,Vol. 42 Iss. 5, p. 8 (1 pp.)

Swartz, N 2008, “Border Agents May Seize Laptops”, Information Management

Journal ,Vol. 42 Iss. 6, p. 6 (1 pp.)

Traynor, I 2007, “Russia accused of unleashing cyberwar to disable Estonia”, The

Guardian, 17 May 2007 issue, Top Stories p 1

Shannon, E 2005, “The Invasion of the Chinese Cyberspies (And the Man Who Tried
to Stop Them)”, Time, Vol. 166 Iss. 10

5
Wright, M 2008, “Technology & Terrorism”, Forensic Examiner, Vol. 17,
Iss. 4, p. 13-20

UN General Assembly (UNGA) 2002, “Resolution adopted by the General Assembly

56/121 Combating the criminal misuse of information technologies.”, United Nations,
New York