User talk:Tanni.sya

Internet Security

I. The Context The development of information and communication systems has become a critical component of globalization, shrinking both time and space, with far-reaching consequences that are still barely understood. Hi-tech connectivity has facilitated the emergence of dense global commercial and information networks that are unprecedented in their speed, accessibility, and capability. Not surprisingly, the United States has been the leader in this process, exploiting new opportunities in a variety of ways. Information and communication technologies provide greater efficiencies at lower costs for U.S. business, while the military services regard opportunities for information warfare as a major component of the evolution in military affairs. Indeed, information and communications systems have been widely embraced as a means of maintaining United States primacy, both economically and militarily. Unfortunately, such opportunities rarely come without some risk. The information and communications revolutions are no exception. Accompanying the growth in the power and sophistication of information systems has been an enormous increase in dependence on these systems. Information and communication technologies have been embraced enthusiastically but with little attention to attendant, if inadvertent, vulnerabilities. Indeed, reliance on the new systems has grown much faster than our grasp of the vulnerabilities inherent in the networks, systems and core technologies that underlie the information and communications revolutions. [Gompert] Moreover, in spite of some well-publicized and extremely costly incidents, there remains a remarkable level of complacency. Results from the annual Computer Security Institute and FBI Annual Survey have revealed considerable reluctance to report problems. In 1999, for example, only 32 per cent of those who suffered serious attacks reported the intrusions to law enforcement. While this almost doubled from the 17 percent figure of the three preceding years, it was still a remarkably low percentage- and actually dropped back to 25 percent in the 2000 survey.[CSI00] Such reticence is not confined to the United States. This was apparent in a report on British business by the Department of Trade and Industry’s Information Security Breaches Survey 2000. Although the report suggested that up to 60 percent of the UK’s connected businesses might have been the victims of cyber crime within the last two years, two-thirds of the companies interviewed noted that nothing had changed since the intrusions, while 30 percent did not see protection of business information to be a priority. [Ananova] The trend towards dependence on information and communications systems is accelerating rather than slowing down – as is the gap between the security challenges and the awareness of them. In fact, with the expansion and growth of technology simple dependence is evolving into interdependence. What happens to one system now has the potential to effect operations on myriad other systems that may only be peripherally related to the target of the initial intrusion. The cellular revolution, the expansion of the Internet and the World Wide Web, increased connectivity among computers, the growth of electronic commerce, and the massive growth in use of the National Information Infrastructure (NII) and the Global Information Infrastructure (GII) are continuing at a rapid pace. Although there are still large parts of the world in which access is not readily available, North America, Europe and the Pacific region, are densely connected and are projected to experience enormous growth in e-commerce. As one observer noted, "the worldwide e-commerce market will open up in North America, Europe, and Asia Pacific and grow to $9.5 trillion in transactions by 2003, or about 93 percent of the worldwide total". [Erbschloe] As this interdependence increases, however, so does vulnerability. The global and national information infrastructures represent a new set of vulnerabilities that could be exploited by a wide variety of actors especially those who have grown up with computer technology and the Internet. One dimension of this vulnerability is a decoupling of the traditional linkages between territorial integrity and security. In the past, threats to national security have generally been associated with large accumulations of power and resources, and efforts at territorial aggrandizement. National security has required a capacity - either through one’s own efforts or through a shrewd policy of coalition building - to defend against such aggrandizement by other states. Physical invasion of territory or physical destruction of resources and wealth, along with the coercive power that came from the capacity for such actions, were the major threats. These threats have certainly not disappeared; but there now exist new vulnerabilities that are wholly independent of territory or extensive physical resources. Indeed, cyber-space is providing a new dimension for warfare, accompanying and, in some respects, superceding the traditional geopolitical battle-space. The paradox here is that sophisticated and advanced technologies, as well as being a source of strength, are also a source of vulnerability. As societies become more dependent upon linked communication and information systems the possibility that these systems will be compromised or disrupted becomes more salient, and the resulting consequences more serious. Ironically, these vulnerabilities are also asymmetrical: nations with lower levels of dependence are not only less vulnerable, but can exploit the information vulnerabilities of stronger states. This realization is a key component of the United States’ concerns about asymmetrical warfare. A second component of this concern stems from what can be described as a diffusion of threats to security. The capacity to engage in actions that can produce disruptions in the national and global information infrastructures is becoming more widespread. What one observer has termed the "democratization of high technology" has been accompanied by a new form of individual empowerment. [Wade] The positive side of this is the growth of computer literacy; the negative is the emergence of the hacker/cracker sub-culture. Members of the younger generation are often extremely sophisticated, sometimes alienated, and occasionally vulnerable to recruitment by criminal or terrorist organizations. Somewhere within the ranks of this technically sophisticated generation could be the successor to Timothy McVeigh or Osama bin Laden. Rather than exploding a bomb in front of a government office or corporate headquarters, however, the weapon of choice will be a computer program that will do far more damage and affect far more lives. Another way of making the same point is that there are low entry costs to engage in offensive strategies in cyber-space: "The price to develop a high-performance Information Warfare capability is low and is available to a wide range of participants. Unlike previous high-performance weapons technologies, new potential information warfare weapons can be developed by skilled individuals or groups residing anywhere within the GII". [Molander] Moreover, the advent of computer warfare has the potential to significantly change the balance of power in a world increasingly dependent on sophisticated technologies. Nations that would never consider themselves players in the arena of global power strategies may now be considering their place in a different kind of world. It can certainly be argued that nations that never needed or considered a Strategic Policy may now be examining just such policies. In the world of Information Warfare, technological capability, rather than the size of kinetic weapons arsenals or standing armies, is the primary factor in determining the balance of power. And because of the constantly expanding interdependencies inherent in today’s cyber environment, there is a growing possibility of wide-ranging unintended effects associated with any sort of malicious operation against a network. One person with a computer, a modem and the requisite knowledge and skills has the capacity to wreak considerable havoc. The "I love you" virus, for example, caused an estimated $6.7 billion in damages in the first 5 days. [Erbschloe May 9, 2000] Such figures have to be treated very cautiously as the underlying methodology for the calculation is not always clear. Nevertheless, there can be little argument about the extent of the disruption. Even more striking, the effects were caused by a single individual with poor support and little preparation. While the love bug should have been an obvious wake-up call because of its enormous cost, the impact was lessened because these costs were so diffused among business, government, and educational institutions as well as individual computer users. As a result, the sense of threat was also diffused thus lessening the degree of concern that would have been generated had the impact and costs been more focused. The lesson though was very clear: the development of national and global information systems has out-paced appropriate safeguards and security measures. This provides new targets and new opportunities for criminal organizations, terrorist groups and hostile nations. To expect that they will fail to exploit these opportunities would not only be a mistake but also would run counter to early indications of such activity. Part of the difficulty is that the potential targets are so diverse. This is hardly surprising as it stems from the multiple dimensions of information systems. Similarly, the effects of action can vary in their impact: the consequences can be localized, regional, national or transnational. Among the dimensions that could all too easily be compromised are: • Information Privacy. Threats here can range from public disclosures about an individual’s medical or credit records, to identity theft, to the acquisition (and possibly the diffusion) of classified information that could compromise national security. • Provision of Services. Another vulnerability is the provision of services; attacks aimed specifically at denial of service have been very effective in causing short-term disruption. Because of the dependence on Internet service providers, denial of service attacks cause enormous backlogs in communications and interfere with transactions in both business and government. • Critical Roles and Missions. A more serious possibility is that the implementation of missions of government agencies and departments or businesses could be affected by attacks that undermine the functionality of the systems themselves. An alternative is what might be called information tampering, something that could have serious physical consequences when virtual systems control real world processes such as manufacturing of drugs, traffic flows, safety systems, and the like. • Electronic Commerce. Another area that could prove to be vulnerable in a variety of ways is e-commerce. Breaches of security in financial transactions could result from (or indeed could result in) various forms of cyber-crime including fraud. Moreover, the capacity to disrupt information and communication systems on which companies depend provides enormous opportunities for extortion. A growing number of corporations are becoming dependent upon information security for both their ability to conduct business on a daily basis and also to maintain credibility with their customer base. The banking and insurance industries immediately come to mind in that regard. Additionally, incidents such as the Distributed Denial of Service attack against the Internet in February demonstrate the fragility of e-commerce security at this juncture. As the financial incentives drive more and more businesses into the realm of e-commerce, the potential for malicious activity more than keeps pace. Whether from criminals, terrorists, nations, unhappy customers or bored teenagers, e-commerce is a growing target of opportunity. • National Infrastructure. Advanced industrialized and post-industrialized societies depend on a series of infrastructures – communications, transportation, power grids, etc. – that are critical to the effective functioning of these societies. Damage or disruption to these infrastructures could have enormous consequences, particularly as cascading effects are taken into account. Further, as technology continues to evolve, the definition of just what comprises the "Critical National Infrastructure" will become blurred. It can be anticipated that systems that directly impact the daily functioning of technologically evolved societies will become more and more transparent to the members of those societies. The effects of these imbedded systems will be taken for granted. Should those systems become compromised, the impact will be as profound culturally as it is economically or from a national security standpoint.

• Substantive Information. It is not only the medium that is vulnerable, but also the message itself. The integrity and validity of certain kinds of information could all too easily be compromised through the distribution of memes. A meme is broadly defined as a self-propagating or actively contagious idea. [Lynch]. In this context, the notion of contagion is neutral. Nevertheless, it is obvious that cyber-space is a wonderful domain for the propagation of "memetic viruses" that replicate and in effect, drive out or overwhelm the existing information.[Matthews]. The problem here is different from the other kinds of vulnerabilities that are related either to the availability of the channels of communication themselves or to viruses and malicious code that influence the instruction sets contained in software. Memetic viruses, in contrast, concern the content of information. Ironically, although the study of memes has developed in the west, the notion of manipulation of information and ideas to deceive and thereby influence decision-making processes is central to Chinese and Russian notions of information warfare. [Thomas]. Varied as these targets are, attacks on them can be understood in terms of three "d"s: distortion, disruption, and destruction. In considering the implications of the varied nature of the potential targets, one component of the response is to develop effective intelligence analysis methodologies for cyber-space threats. Accordingly, this paper sets out to elucidate some of the major requirements for such intelligence. Initially it considers the nature and levels of intelligence analysis and the similarities and differences between intelligence for the Internet and more traditional intelligence analysis. It then explores more fully the distinctiveness of the cyber-environment and the challenges this poses to intelligence analysis before elucidating the main characteristics of such analysis in the cyber domain, examining fundamental issues such as who might be doing what to whom, how and when they are doing it, and why they are doing it. The paper also identifies some of the hurdles that will have to be overcome for successful analysis of threats in cyber-space. The following section elucidates the kinds of intelligence products that need to be developed and disseminated. The conclusion briefly considers the relationship between warning and response, suggesting that although good intelligence is a necessary condition for enhanced security against cyber-space threats, it is not a sufficient condition. The warnings provided by intelligence must also be used as the basis for devising appropriate responses. Indeed, many so-called intelligence failures were less failures of collection or analysis than they were failures of decision-making. One central point that must be made clear is that the intelligence model proposed in this paper is simply one component of developing an overall systems security model. What is outlined here is a methodology. It is intended to be applied against a wide variety of threats in conjunction with other security methodologies. Technical security in the form of tools such as firewalls and intrusion detection systems, and the application of personnel security practices are no less important than the analytic methodologies presented in this paper. Analysis efforts are intended to be used to compliment rather than supplant these other security disciplines. At the same time, analysis practices will also have to be modified as they are applied to specific problems. Cyber-crime and cyber-terrorism are both significant threats to the integrity of networked systems, but the analysis methods employed will vary with regard to specific methodologies. Intelligence analysis as a security discipline is a tool. Its effectiveness is dependent upon proper implementation of the analysis model, as well as the proper application of both technical and personnel security tools. Intelligence analysis is not the solution, but rather a component of a more comprehensive effort to establish effective information security. II The Nature and Levels of Intelligence Analysis Intelligence analysis requires many of the same analytical methods and techniques, irrespective of domain. From this perspective, intelligence analysis for Internet security is no different from the intelligence task in any other area of national and international security. The commonality is the concern with those who want to inflict harm and the vulnerabilities they can exploit to do this. Threats can come from many sources: the military activities of hostile nations; inimical economic strategies pursued by adversarial or even allied states; the activities of terrorist groups intent on inflicting harm on society in order to achieve political objectives; transnational criminal organizations pursuing the acquisition of large profits through illegal activities, violence, and corruption; and groups (including any of those just mentioned) and individuals with the ability and desire to distort, disrupt, degrade or destroy information and communications systems. Whatever their source, threats are inextricably linked to vulnerabilities. Indeed, absolute security could only be achieved if there were no vulnerabilities to be exploited. It is crucial, therefore, not only to identify vulnerabilities but also to understand how hostile groups or individuals might exploit them. Strictly speaking, real security threats only come from those with a combination of hostile intent (i.e. a desire to do us harm) and the capacity to inflict harm (i.e. exploit vulnerabilities in ways that transform intent into reality). In the realm of cyber-space, vulnerabilities are inescapable. There are many reasons for this, ranging from the inherent weaknesses in complex systems to specific problems in the creation of software code. Even if protective security measures were an integral part of information systems rather than being subsequently grafted onto them, problems would remain. Some vulnerabilities stem from the underlying protocols used to communicate on the Internet, which were formulated when the Internet was a relatively small community of trusted systems, with connectivity determined by government contract. Other vulnerabilities stem from development practices, which may ignore validation of input (or even length checking) and avoid controlling the environment in which programs execute. Finally, vulnerabilities stem from the rapidly evolving use of software, in which programs meant for a limited purpose are applied in ways not anticipated by their developers. The intruder community is constantly seeking to find interesting (and, from their point of view, profitable) ways to discover and exploit vulnerabilities. This behavior tends to be quite trend-driven. A newly discovered interesting vulnerability exploit in an application will spawn both intensive interest in other vulnerabilities in that application and an intensive search for similar vulnerabilities in other applications. This results in waves of discovered vulnerabilities that impact both specific vendors and the community in general. At the same time, the recognition that there are measurable trends in vulnerability exploitation are at least a temporary advantage to intelligence analysis efforts. From a tactical perspective, the recognition of a trend in intrusion tools and their applications may well allow for at least short-term predictive analysis and the potential for limited warning. One of the greatest challenges to system owners and administrator is determining how much security is enough. Managing risks inherent in information systems is problem that changes as fast as new technologies are brought online. Intelligence analysis of the threats to information systems should, by definition, be a major component of the risk management process. Without application, intelligence analysis efforts are merely an intellectual exercise and have no value. It is only when the results of that analysis, the assessments derived from the analytic process, are provided to operators that they begin to have value. Obtaining prior knowledge of both threats and vulnerabilities – as well as sensitivity to possible opportunities to exploit the vulnerabilities - is essential. Intelligence analysis, of course, operates at different levels, ranging from the specific to the general, and from short-term incidents and operations to long term patterns and challenges. Each form or level of analysis is crucial, and complements and supplements the others. Nevertheless, it is important to distinguish them from one another and to be clear at which level the activities are taking place. It is also important to recognize that the most critical insights will be obtained from fusion efforts that combine these different levels. The several complementary levels of intelligence analysis are strategic analysis, tactical analysis and operational analysis. In practice, these categories shade into each other and are not always sharply differentiated, and differing definitions for these terms exist in the intelligence community. Nevertheless, they offer a useful framework within which intelligence tasks and requirements can initially be delineated. 1. Strategic intelligence analysis Strategic analysis is perhaps the most important form of intelligence. It provides a framework within which other forms of intelligence collection and analysis take place, offers an overall assessment from the top down rather than from the bottom up, and helps to provide a basis for policy formulation, strategic planning, and resource allocation. Its weakness is its focus on macro-level issues rather than the more detailed levels of analysis. On the Internet, such analysis is even more problematic, due to the rapidly evolving nature of Internet usage. Prior to 1994, for example, Internet commerce was illegal. Today it is a multi-billion dollar economic force. New methods of organizational and economic cooperation are constantly evolving, with greater or less security. Maintaining continuity on this constantly shifting environment is one of the greatest challenges to conducting effective strategic analysis of cyber-threats. Furthermore, for many consumers, strategic intelligence is irrelevant to day-to-day tasks and needs. At the end of the day, however, the importance of strategic intelligence analysis is undeniable. Such an effort helps to discern and make sense of trends, to identify and extract patterns that would otherwise not be visible, and to provide an overall picture of the evolving threat environment and the level of damage that might be occurred in certain specified contingencies. Analytical initiatives that would fall under the rubric of strategic intelligence analysis include: • Overall threat assessments. These include in the analysis the vulnerabilities of critical missions (including levels of dependence), the kind of disruption and damage that could be caused to the implementation of these missions, the kinds of weapons/instruments that could be used to cause such disruptions, and the likelihood of such attacks and intrusions taking place • Sector threat assessments. Such analyses focus on vulnerabilities and threats either in particular areas such as national infrastructure, or in particular sectors of the economy such as banking or e-commerce. In effect, a strategic analysis of this kind has to take account of changes in what can be a very dynamic environment. • Trend Analysis to highlight changing threats and vulnerabilities. These might include base-line assessments so as to better recognize departures from the baseline. Alternatively, they might focus on future threats and vulnerabilities in an effort to determine in what ways the problem is evolving – and what can be done to anticipate and contain future challenges. The way in which e-commerce has become a major issue suggests that the pace of change in the cyber-space environment is posing novel challenges that can best be understood through strategic intelligence analysis that is very forward looking. Indeed, trend analysis is likely to be most effective when it is linked with careful attention to drivers, i.e. fundamental trends in the political, economic, social and technological sectors that will shape the future threat and vulnerability environment of the future. • Potential Damage Assessments. Because of the macro-level view taken by strategic analysis, it also offers the best approach for assessing potential cascade effects of intrusions. The specific target of a an intrusion might be a regional electric power grid, but the effects of a failure to that system can cascade to include telecommunications, public emergency services, water systems, etc. The potential for such wide-spread effects will be recognized most readily as a result of in-depth strategic analysis – which in turn would offer opportunities to develop both defensive and mitigation strategies. Crisis management, contingency planning, mitigation strategies, and disaster management would all be enhanced by strategic analysis of potential damage assessment. Indeed, the capacity for effective and rapid reconstitution might depend on such analysis. • Categorizing and differentiating attacks and attackers. Intrusions in cyber-space can emanate from individuals, whether insiders or outsiders; from hacker groups intent on displaying their skills and capabilities; activist groups using direct action on the Internet to publicize their political cause; terrorist organizations using intrusions to create massive disruption or other forms of large-scale harm, and seeking to obtain widespread publicity and create a climate of fear; transnational criminal organizations responding to law enforcement pressure with cyber-retaliation, and states using attacks on, or through, information systems as a form of asymmetric warfare. One of the most important tasks of intelligence analysis for the Internet is to discover ways of differentiating among intrusions from these various sources. This will be especially true as groups or individuals develop intrusion strategies that mimic other forms and thereby lessen their chances of identification or, in the case of nation states, provide plausible deniability of their actions. From the perspective of strategic intelligence analysis, this is critical in efforts to determine appropriate responses that might go beyond simply defensive or mitigation strategies. How specific attacks are categorized, of course, will also be an issue at the tactical and operational level. But the differentiating and categorization methodologies, initially at least, are a matter for strategic analysis. • Identification of Anomalies. Searching for anomalies that provide indicators of emerging threats and problems is an important task of strategic intelligence analysis (albeit one that both feeds into and relies on tactical and operational efforts). Anomalies in this context can be understood as developments or events that do not fit typical or known patterns. The detection of anomalies or novel patterns can be a major element in anticipating new methods of intrusion, new targets, or even new classes of intruders. It is a macro-level task that requires careful and systematic "environmental scanning" as well as the coalescing of tactical and operational intelligence reports that identify and highlight specific aberrations from the norm. • Analysis of Future Net Environments. The greatest constant about the Internet is change. Strategic intelligence analysis must take that into account and attempt to provide assessments of potential future environments on the Net and the potential impact of malicious activity within those environments. Given the dramatic changes in technology within the recent past, and seeing the rapid pace with which innovation continues to grow, it seems a reasonable assumption that the Internet (in one form or another) will become more and more integrated into the fabric of society. As this occurs, intrusions or attacks will have far more wide-ranging consequences. Considerations of social as well as political and economic impacts will have to be factored into intelligence assessments. It is clear from this discussion that not only does strategic intelligence analysis provide a framework for tactical and operational assessments, but that work done at these levels in turn helps to shape the strategic intelligence focus. As for the strategic assessments themselves they should be useful for consumers, providing forecasting estimates that help to reduce uncertainties in ways that feed into policy processes, providing a basis for more informed decision-making and more effective resource allocation. As strategic analytic methodologies mature, they will also offer the basis for predictive or anticipatory assessments that can serve to provide warning of potential hostile operations. In effect, strategic intelligence assessments provide a basis for the development of high-level policy and strategy and for strategic responses to vulnerabilities, whether actual or potential.

2. Tactical Intelligence Analysis Tactical analysis is a necessary and important complement to work done at the strategic level. It is the natural linking element between macro-level analysis and the micro-level focus on individual cases. Among the kinds of studies that come under the level of tactical analysis would be: • Cluster and pattern analysis designed to discern temporal patterns, the use of particular intrusion methods, commonalities of targets, and attempts to build profiles of perpetrators, whether hackers or insiders. • Stimulus-response analysis designed to identify potential actions that could be taken by intruders in response to specific known or predicted events. This analysis could be used both proactively in development of warnings or reactively in lending significance to otherwise-unrecognized activity. • Network environmental analysis methods will have to be developed. It is probable that in-depth analysis of the Internet will reveal patterns similar to those in the physical world. Net weather is already being discussed, and network terrain is a viable concept. Unlike physical environments, however, the Internet environment will probably be subject to much more rapid shifting. That places this sort of analytic effort squarely in the realm of Tactical Analysis. In physical space, geography helps to differentiate tactical from strategic, but on the Internet this component is lacking, an absence that makes the distinction between strategic and tactical somewhat more tenuous than in other domains. At the same time, the strategic and tactical levels are mutually reinforcing: although strategic intelligence analysis provides the framework for tactical assessments, these assessments in turn help to feed strategic analysis. With a highly dynamic inter-relationship among the various levels of analysis, each level is strengthened by and strengthens the others. 3. Operational Intelligence Analysis Operational intelligence analysis overlaps with investigation and is often single-case oriented. It involves technological assessments of the methods used for an intrusion, specific investigations of intruders, and the like. An important component of operational analysis is identifying the particular vulnerability or vulnerabilities that have been exploited and providing guidance on how it or they can be minimized or eliminated. Another component of operational analysis will be the potential ability to provide attribution during, or shortly after an intrusion. The data collected during an incident, combined with the profiling efforts provided at the tactical level could lead to attribution. While there are significant policy and legal questions associated with such a capability, its importance to the overall analytical process cannot be overstated. Most of the existing analysis of network intrusions has been capability analysis, dealing principally with information privacy, integrity and availability. Selected methodologies to address organizational missions in a network context exist [Ellison99], but have not been widely applied. Intent and effect analysis has not been systematically pursued. In addition to supporting attribution, operational analysis should lead to sparking defensive coordinated efforts. What is needed is to connect these efforts into some form of cohesive goal that can promote a measurably effective response to on-line threats. 4. Cyber-Intelligence and Traditional Approaches In thinking about these three levels of intelligence and their applicability to Internet security, it is tempting to suggest that cyber-space has so many unique characteristics that none of the traditional approaches is relevant. Such a temptation should be avoided. There are important parallels with, and critical lessons to be learned from, experience in other domains. One of the most notable parallels is between cyber-intelligence and business intelligence, particularly in product monitoring. In the case of intelligence for the Internet, it is the development and diffusion of tools for intrusion and disruption that need to be monitored. Yet, such efforts are not that different from monitoring the development and marketing of new products in the business world. Consequently, some of the methods and techniques developed in the world of competitive intelligence might be particularly helpful as one component of intelligence collection and analysis in relation to cyber-space threats. The most serious and useful model for intelligence analysis of information threats, however, is probably intelligence methodologies in the area of national security intelligence, and specifically, counter-terrorism. The terrorism threat has several characteristics that are also apply to cyber-threats. The parallels include the diversity of the actors involved, the reliance of at least some of them on networks, the broad range of motivations, the anonymity of the perpetrators of terrorist incidents, (something that has become more pronounced in recent years as the traditional practice of claiming responsibility giving way to the cloak of silence) and the enormous array of potential targets and weapons. Terrorists can choose from a set of options that obviously include firearms and conventional explosives but could conceivably involve WMD capabilities. Not surprisingly, one of the major concerns of intelligence analysis in this domain is with predicting and either preventing or pre-empting terrorism incidents. The utility of early warning is hard to exaggerate as such warning facilitates preventive and defensive measures as well as damage mitigation efforts. The parallels between counter-terrorism intelligence and intelligence for cyber-threats are represented in table 1 which also illustrates the contrast between Cold War intelligence and these other two intelligence domains. Table 1: Traditional and New Intelligence Domains Focus or Dimension Cold War Intelligence Counter-terrorism Intelligence Cyber-Intelligence Targets of intelligence efforts Soviet Union and its allies Individuals, small cells, and networks and state sponsors Individuals, cells, networks and states with information warfare capabilities Perpetrators Soviet government seen as source of inimical activity Increasingly anonymous Anonymous – only have technical signatures Weapons Strategic and conventional forces Light arms to large-scale weaponry and potentially some kind of weapons of mass destruction capabilities. Cyber-weapons or conventional weapons against critical information and communication nodes Potential Targets of Attack Counter-force and counter-value targets in the United States and the territory of its allies. Vast number of highly symbolic relatively soft targets Range from individual web-sites to national critical infrastructure Focus Large scale military action Individual incidents and trends Individual incidents, trends and patterns in attacks, and vulnerabilities that can be exploited. It is clear, even in this simple table (which is not all inclusive), that terrorism and cyber-threats resemble one another in both diversity and complexity and differ significantly from the monolithic threat model that dominated during the Cold War. In both domains, therefore, the intelligence effort has to be implemented through a series of environmental scans rather than a simple and easy focus on one dominant threat. Whether the emphasis is on a single threat or multiple threats, however, crucial aspects of the intelligence task remain the same. Although the focus of the collection and analysis effort might shift, the intelligence process itself involves the same cycle of activities: focus on the mission, collection of sources and information, collation and management of the collected intelligence, analysis and assessment resulting in an intelligence product, and the dissemination of this product to the customer. The intelligence cycle remains constant whatever the target of the efforts. Similarly, good intelligence not only moves from data streams to data fusion but also from fused data to knowledge, and from knowledge to forecasting or prediction. And whatever the domain of activity, whether business intelligence, military intelligence, or cyber-intelligence, there is always a requirement to overcome pathologies and obstacles that can undermine the analytical process and dilute or distort finished intelligence products. In terms of collection methods, however, a critical addition needs to be made. As well as traditional reliance on Comint, Humint, and Sigint, it might be necessary to develop a separate category of Cyberint. In effect, Cyberint would require a blending of Sigint, Humint, and Comint methodologies to be effective. Each of those traditional intelligence disciplines brings components that are critical for analysis of on-line threats. The Humint aspect would provide for the monitoring and profiling of potential threat groups. It could take the form of simple monitoring of intruder chat rooms and web sites or in-depth profiling of identified individuals or groups. It will require that analysts are able to identify which players, whether individuals or groups, have the technical expertise to carry out their intended operations. Consequently, much effort will need to be focused on existing use of the Net and identified intrusions to establish a baseline of data from which to proceed. The Sigint perspective is useful from the point of analyzing intruder tools and specific system vulnerabilities. This is not to say that an analytic organization would necessarily intercept and collect data being transmitted across targeted systems. There are too many questions of legality and ethics to anticipate that sort of effort. However, studying identified tools and how they have been implemented does call for the utilization of existing Sigint methodologies to provide value added assessments. Similarly, one of the basic tenets of Comint analysis is to establish a communications activity baseline – this readily applies to various information and communication systems. Establishing baseline information on the normal data flow for a given system would make it easier and quicker to identify anomalies that could be indicative of probes or attempts at intrusion. As with the overall intelligence process, each of these recognized intelligence disciplines provide individual parts of a greater whole. They are the tools through which fusion intelligence of both current and future cyber-threats can be obtained. It goes without saying that collecting this sort of data will require a major cooperative effort between the analytic organization and past, as well as potential future, victims. In sum, cyberint would not supercede other collection methods but is likely to prove a crucial addition that would help to focus the intelligence effort and contribute significantly to the successful analysis of cyber-threats and intrusions. III Intelligence for cyber-space Although many of the intelligence methodologies and principles remain the same, new ways of thinking appropriate to the cyber-domain are essential. The lack of borders in cyber-space is a critical difference from the more familiar domains of intelligence. Indeed, geography and political borders often aided traditional military intelligence analysis - it is a simple thing to develop threat scenarios if the potential enemy can only use certain terrain or sea lines of communication and then, only at certain times of the year- while simple factors of physics such as time and distance also provided opportunities for warning. Within the Internet, however, these limiting factors are absent, (although other limiting factors, such as geometry of network connectivity, might exist in a form useful to be incorporated into intelligence analysis), contributing to what can appear to be "instantaneous threats" [Berkowitz and Goodman]. Assessment of cyber-space threats requires not only a merger of old methodologies and new modes of thinking but also analysts willing and able to approach the art of threat assessment and warning from new perspectives. Only with a distinctive blend of the traditional and the new will it be possible to obtain real understanding of threats and vulnerabilities, to differentiate among types of intrusions and to forecast or anticipate specific incidents or clusters of incidents in ways that lengthen warning time. Enhancing the ability to identify perpetrators is also highly desirable: removing the cloak of anonymity would make perpetrators more concerned about the potential costs and risks of their actions and could have an important deterrent effect. In short, there are several fundamental questions at the heart of the intelligence process. They consist of variations on the who, what, when, where, why and how questions that are familiar parts of most research and analysis. 1. Who is challenging security? Efforts to identify intruders are critical both to the assessment of the challenge and the nature of the response. Potential intruders run the gamut from young hobbyists engaged in the equivalent of joy riding to terrorist organizations and nations that are intent on maximizing damage to the target. The problem of identification is particularly difficult in a domain where maintaining anonymity is easy and there are sometimes time lapses between the intruder action, the intrusion itself, and the actual disruptive effects. [CERT99] Moreover, the consequences are not always commensurate with the objectives, in some cases falling short of what the intruders hoped to achieve, and in others going well beyond what they had envisaged. [Gordon93] There is a broad spectrum of potential intruders on the Internet and an almost equal number of motives for intrusions against organizations. Not surprisingly, this includes perpetrators conducting operations against other perpetrators. As enticing as this prospect is, it does not mitigate the effects of such internecine rivalry. New and more sophisticated tools are often the result of such interplay. This sort of jousting can also provide valuable insights to analysts once it is recognized, but does not simplify the analytic task and puts an incredible strain on limited analytic/warning resources. With the continuing proliferation of sophisticated computer technologies into the mainstream population, attribution for an intrusion becomes more difficult by the day. The dynamism of the intruder population is itself a problem. On the one hand, success breeds imitation and the sophistication of readily available tools means that even those with limited skills can become intruders. On the one hand, there is a certain degree of attrition in the intruder community. Indeed, there are many reasons why intruders might cease their activity, including increased maturity, a need to find gainful employment, and a perception of the rewards of working to increase network security rather than attack it. The implication, of course, is that the mix of agents threatening network security is changing as the nature of the Internet changes. [Paller00] The vast majority of the intrusions are probably being conducted by nuisance hackers or "ankle-biters" who have limited objectives and are usually satisfied with the actual penetration of the system or conduct relatively harmless cyber-vandalism such as the defacement or alteration of web-sites. While aggravating to the target, no significant or lasting damage occurs. The more serious problem occurs when an intrusion is carried out by a more sophisticated intruder (either an individual or a group) whose objective is better defined and involves malicious intent. Motives for these sorts of intrusions are also as varied as the persons carrying them out. They range from greed to defined military strategy and doctrine, and all that falls in between. Four of the more dangerous, and less well defined categories of intruder are governments conducting operations against other sovereign states, the organized terrorist group, insurgency or revolutionary groups, and organized crime. All these entities are beginning to appreciate the potential power, anonymity, and effectiveness of the Internet. There are myriad examples of governments instituting programs for Computer Network Warfare. In the case of Russia, policy-makers consider the security of their information infrastructure so critical that – rhetorically at least - they equate an attack against it with a strategic nuclear strike (and have promised an appropriate response). [Thomas] As a result of the realization of the criticality of information infrastructures, computer warfare is now a part of the formal Russian Military Strategy and Doctrine.[Thomas] The same is true of organized terrorist groups. In fact, "most of the 30 top terrorist organizations identified by the U.S. government have web pages and use e-mail, and are ``fairly well developed at using the Internet."[Casciano] In many cases, dependence on technology is viewed as an Achilles Heel to be exploited by terrorist organizations. Within the U.S., many of the more militant indigenous groups have discovered the power of the Internet and have well designed and effective Web sites. Indeed, militia and supremacist groups have had significant increases in membership since developing their Web pages. It is a natural progression from using the Internet for propaganda and recruiting to exploiting its potential as a weapon. There is also growing evidence that some of the active insurgency groups around the world are discovering the potential of the computer. It is just a matter of time until they discover the effect of a computer-generated attack against the infrastructure of the government they are fighting. Once that realization is made, cyber-attacks will likely become a weapon of choice for organizations intent on overthrowing an existing government. Disturbingly, Aum Shinrikyo, the group responsible for the Sarin gas attack on the Japanese subway, has increasingly been involved in the Japanese software industry! Organized crime probably was the first of the sophisticated intruder threats to realize the power and value of the computer. In 1995, it was discovered that the Cali cartel had sophisticated state-of-the-art equipment for electronic eavesdropping, while smaller drug trafficking organizations in Colombia are using the Internet to pressure the Colombian government to change the policy of extraditing traffickers to the United States. Furthermore, the use of computers by organized crime organizations to garner illicit profits is well documented. However, some criminal efforts have gone beyond simple siphoning of funds and money laundering. Extortion of money from financial institutions by threatening to destroy or modify their computer databases is also evident. It is probable that at least some of these extortion operations are conducted by transnational criminal groups. Some of the extortion efforts go wrong – as did the effort to extort Bloomberg. In other cases, however, large payoffs are almost certainly made to the extortionist. It seems likely, therefore, that larger and potentially more dangerous operations should be anticipated. The obvious challenge is to develop a capacity to identify and track the activities of these potential intruders with the goal of being able to provide predictive analysis and warning of intrusions. Some of the traditional intelligence techniques should apply to these threats, but new methodologies and the ability to contemplate new and complex concepts have to be developed concurrently. This will become even more important (and difficult) as perpetrators of increasing sophistication operate on the Internet. As motivations vary, so will the efforts of the individuals behind malicious operations to either conceal or reveal their responsibility. All of this complicates efforts to track responsible parties determine attribution. Nations and transnational criminal organizations, by their nature, will be diligent in their efforts to maintain anonymity. In some of these cases, identifying the intended victim may give valuable insight into tracking the intruder. Sometimes the target of an intrusion allows the analyst to rule out certain possible perpetrators. A multi-million dollar extortion plot against a major financial institution is probably not the work of a 13-year-old hacker working out of his bedroom. At the same time, however, many victims, especially within government or sensitive industries such as banking or insurance, often complicate the effort to track intruders because of their reluctance to report the incident. In other cases, such as politically motivated attacks, the perpetrators may want their identity known, but not their location. As such operations become more sophisticated, tracking the attack back to its point of origin will be a major challenge to the intelligence analysts involved. What is clear from all of this is that tracking intruders and gaining attribution is much more than just a technical challenge. One difficulty, of course, is that there are legal constraints on intelligence collection, especially by the military and the national security establishment. Traditionally the focus of intelligence has been on foreign threats, and there are restrictions on intelligence activities directed against individuals or groups that are domestic in nature. Insofar as these groups are the focus of government attention, it is from the law enforcement community. This points to yet another problem: that of coordination and information sharing between the traditional national security agencies and the law enforcement community. Generally law enforcement focuses on individual cases and wants evidence that stands up in court; intelligence agencies in contrast are concerned with protecting the sources of their information so that they can continue to use them. The problem with cyber-threats is that they fall in the gray area where crime and national security merge into one another. 2. What forms of intrusion are occurring? It is tempting to see intrusions in terms of a pyramid that goes from transient vulnerability probing and defacing web-sites at the base to large scale efforts to undermine the critical missions of an organization or the critical functions of a nation at the top - and to suggest that there is an inverse relationship between frequency and significance, with many trivial incidents and comparatively few of the more serious incidents. There are several difficulties with this however. The first is that probes that appear relatively insignificant could be a harbinger of more serious intrusions. The second is that there is sometimes a gap between intent and consequences – the effects and impact of an incident can either fall far short of what was intended, or far exceed what the perpetrator initially envisaged. This lack of congruence between limited intent and far-reaching consequences stems from the capacity of worms and viruses for infinite replication and multiplication combined with the seamless inter-connectivity of systems. Incidents such as the Love Bug cross the public-private divide and have an indiscriminate impact on corporations, governments, and private individuals irrespective of the initial target. In cases such as this, the consequences have less to do with targeting than with the ubiquity of a particular program such as Microsoft Outlook that is used as the vector of transmission. In effect, the incident takes on its own momentum. When the consequences are widespread, of course, the incident becomes very public and is the subject of much media and official commentary. In many other cases, however, there is far greater reticence about the scale, type and targets of attack. The analytic effort must successfully build a trust relationship for the collection of data across a broad variety of organizations. This trust relationship allows for observation of incidents from early probing and experimentation through widespread deployment of automated forms of intrusion. For example, in recent months (June and July 2000) CERT /CC has received reports of intrusions involving a wide variety of automated tools, ranging from simple viruses and system corruption toolkits through complex viruses designed to attack relatively hardened sites with low probability of detection and distributed tools designed to crash network infrastructure. Roughly 10%-25% of the CERT/CC reports involve viruses. Roughly 20%-40% are intrusions where the victim site cannot discern the type of the intrusion from available data. The remaining intrusions are a large number of other forms of intrusion, including compromise of system administration accounts, web defacements, reconnaissance attempts and misuse of computing resources. 3. Who is being intruded upon? Determining who are the victims of intrusions is, in some respects, an enormously significant part of the intelligence process. It is important - at least in those cases where attacks are not indiscriminate - to differentiate between public and private targets, to distinguish infrastructure targets from individual targets, to distinguish between intrusions that focus on targets of convenience and those that are much more precise and calculated. For example, existing analysis has shown a link between port scanning and certain types of later intrusions [Moitra&Konda], but this needs to be more fully explored to provide for effective warnings. Profiling victims can sometimes play a critical role in determining the nature of the intrusion and the nature of the intruders. For this to be done, understanding is needed of the level of "background noise", probes and intrusion attempts occurring across the Internet. Once understood, it may be possible to isolate this activity from the more significant activity directed at a particular victim. Victim profiles will be just as important, in terms of strategic intelligence analysis of the Internet, as profiling potential intruders. The more serious the intrusion, the more critical this sort of profiling will be. One of the potential hurdles to this effort, however, will be the natural tendency of the victim, whether private or public, to withhold sensitive or proprietary information. A few examples of this kind of reticence would be financial institutions withholding information about loses due to intrusions; companies failing to divulge the nature of an intrusion due to proprietary corporate data; or a government agency protecting information that is sensitive or even classified. Beyond simply protecting proprietary or sensitive data, there are also serious legal questions that have not yet been resolved in the courts or in the legislature. These include constitutional guarantees of privacy; contradictory national laws (or lack of laws) as perpetrators use the global network; laws limiting various governmental agency’s efforts to track down the source of an intrusion, and the need to determine what is domestic and what is foreign. If these barriers can be overcome, critical information will become available. Details of the victim’s infrastructure, the nature of the intrusion, identity clues left by the intruder, network traffic flow as observed by the victim site, and intrusion tools left as artifacts on the victim hosts can all provide indispensable clues. Without such information, motivation becomes more difficult to define and profiling efforts will be seriously flawed. Some work has already been accomplished in this area by organizations involved in incident monitoring, including the members of the Forum of Incident Response and Security Teams (FIRST) community. Much more remains to be accomplished, however, as new cooperative agreements are forged and additional analytic efforts and methodologies are developed. Furthermore, while it is true that some of the legal restrictions are avoided by the voluntary nature of the cooperative relationships, they are by no means completely overcome. The keys to success seem to be two-fold. First, the analytic organization has to prove itself to be a highly secure confidant, never disclosing victim identities while working to assist victims in recovering from intrusions. Second, it must return information that is of value to the victims, including information that might place the intrusion in a larger context as well as providing assistance in dealing with vendors or other sites. More simply put, the exchange of information must be in both directions. Experience with other organizations has shown that neither trustworthiness nor returned value alone is sufficient, but both appear to be required for effective information gathering with victims. Beyond their reticence, victim organizations are often unaware of critical parts of their security stance. Available data suggests that victims are often not aware that their networks have been intruded upon. The effectiveness of installed security measures is often overestimated. Levels of trust given to users by computing practices are often unwarranted. All of this hampers both analysis and defense. One of the reasons that profiling the victims is so critical is that it provides insights in to motivations that can greatly assist analysts in predicting future intrusions under similar circumstances. This insight will need to incorporate identification of circumstances that facilitate or hamper intrusion. For example, K-12 educational institutions might offer a significant opportunity for intruders to stage their attacks, since many such institutions lack knowledgeable system administrators. However, such hosts may be removed from the network during summer break and other times when school is not in session. During the Year 2000 rollover, conditions for system intrusion were relatively poor not only because of the active presence of a large number of system administrators, carefully monitoring their systems, but also the significant number of alternative activities available to potential intruders. These examples serve to identify that there exist time-varying circumstances; further analysis is required to delineate these factors more fully. 4. How are the intrusions being implemented? This is both the most technical aspect of the problem and, for specialists in the area, the easiest question to answer. Methods of intrusion are the on-line equivalent of military tactics. And just as in the military world there has historically been a dialectic between defense and offense so on the Internet, there is a similar dialectic between protection and intrusion. One difference lies in the ability of intruders to obfuscate their methods of intrusion by manipulation of the sources of intrusion and of the on-line records of activity. The sources of intrusion are manipulated either by staging intrusions through a series of already-intruded and corrupted hosts, or by falsification of source information found in network traffic. Both of these methods are common in intrusions. The on-line records of activity are commonly falsified either by direct modification of the records themselves or by replacement of the monitoring software that produces these records. While there are analogies to these activities in the physical world, the ease, rate, and invisibility of these activities on the Internet especially complicates the analysis task. 5. When are they taking place? The timing of intrusions might or might not be significant. It is possible, for example, that an intrusion on a particular company could have been precipitated by a particular action of the company, whether in the marketplace or in relation to one or more of its employees. Similarly, an intrusion on a country’s infrastructure could come about in an international crisis, as part of an adversary’s effort to prevent or disrupt military intervention in a specific region or country. A particular sequence of intrusions might also be important in determining whether probing activities are taking place as a preliminary to a more serious assault. Another important component is whether or not the intrusions are accompanied by any other actions – such as the demand for payment that would be an essential ingredient in any extortion contingency. The timing of an intrusion, especially one that is more serious in nature will often have significance with regard to the motive for the intrusion, hence the importance of victim profiling. Given the global nature of business today and the amount of political upheaval throughout the world, myriad events must be examined on a daily basis for clues to possible impending intrusions. Awareness of upcoming political events, corporate announcements or openings of new industrial facilities will be essential to the analytic process. This sort of situational awareness, combined with the historical perspective provided by profiling, will have a major impact on the ability to provide predictive analysis and warning. There is a need for care here in distinguishing significant from background activity. Experience at the CERT/CC with informal measures of significance, as are used in generation of advisories, may be useful in facilitating this distinction. 6. Where are they taking place? Although the virtual world is borderless, the points at which it connects to the real world are geographic locations. Indeed, the simple question of "where?" has to be broken down into point(s) of origin, digital routing, and point(s) of attack. Indeed, it is physical actions at a particular location that start the attack process – even if there is sometimes a time lag prior to the implementation of the attack itself. This becomes particularly significant when the actions initiated at this location go beyond web defacement and involve more serious criminal, terrorist, and war-like actions. Tracing the attack back to source, therefore, becomes particularly important in determining both the responsibility for the action and the appropriate target for counter-measures or reprisals. Where the attacker is determined to be another nation then this has particularly important implications. Even in less extreme situations, however, location is critical – and because of law as well as geography. In some jurisdictions, for example, there are no laws against computer intrusions. This was why the Filipino perpetrator of the love bug was not placed on trial in the Philippines itself. In other jurisdictions, of course, the laws are quite severe. For criminals and terrorists, these divergences offer opportunities to launch attacks at minimal risk – even if the source of the attack is somehow discovered. This suggests that there might be a form of jurisdictional arbitrage with potential attackers seeking out low risk jurisdictions from which to launch their attacks. Over the longer term, of course, the opportunities for arbitrage of this kind can be diminished through more inclusive laws criminalizing this kind of activity, through the harmonization of laws among states, and through the extension of extradition treaties and mutual legal assistance treaties. As well as using jurisdictional arbitrage computer intruders also seek to cover their tracks by going through multiple jurisdictions. In some cases, this makes it impossible to track the activity back to source by complicating the digital trail. In others, it adds significant legal obstacles as some states are simply unwilling to cooperate in investigations There is also the potential for mischief with the possibility that skilful intruders might lay a false trail that lead to unwarranted but damaging accusations against innocent parties (whether individuals, groups or nations). With respect to victim location, physical location can also provide key insights. Local threats might arise through local activism (such as the Sierra Club opposition to military exercises in California; this did not involve cyber threats, but analogous activities in the future might well do so). Beyond physical location, there is logical location. A site might come under attack because either its Internet service provider or a subsidiary site is vulnerable. This logical location could be entirely unrelated to physical location: a site in New York might be on a network logically associated with one in Florida. This could occur due to mergers and acquisitions, but more typically takes place due to the difficulties in securing Internet addresses. Whatever the cause, however, it adds yet another complication to the location issue. Using either physical or logical locations, there are several sorts of victims that might be of interest. One is the intended target of the incident. Another is an intermediate site used as a means of access or interference to the intended target, which might be termed the vector for the incident. In some circumstances this can involve substantial collateral damage to the vector site (or sites) even though it is not the intended victim. Intruders on a vector might extract information, reconfigure computers and hamper desirable operation, all for the purpose of striking the intended target. 7. Why are the actions taking place? From a predictive intelligence analysis perspective, threat is most simply defined as capability plus intent. Capabilities, in terms of more powerful computers and more malicious covert software, are expanding rapidly. Attacks that required deep technical expertise in the recent past are within the reach of casual users today. Malicious intent is less easy to pin down, but can be assumed to be widespread and varied. History alone teaches us that much. Determining those two factors is the foundation of strategic intelligence analysis. Categorization of the nature of attacks and of the victims is critical to the success of any analytic effort. Historically, the more serious attacks will often have a specific catalyst: a corporation builds a production facility in a third world country that is viewed as an exploitive action by one or more activist groups; a government sponsors a peace conference that is viewed as an attempt to subvert the political viability of a disaffected part of the population; a repressive regime massacres a band of rebels near the capital; an organized crime syndicate reacts to crack downs by law enforcement. These are just a handful of examples of motivations for more serious incidents. Just as importantly, a more serious incident, while probably more sophisticated, also has a greater potential for an unintended cascading effect. Objectives can range from revenge (a disgruntled employee) to political statements (terrorism) to a full-scale attack on infrastructure as an act of warfare or at the very least part of "coercive diplomacy".[Schelling] Although the inference of intent is sometimes problematic (particularly where the damage or disruption is either less or more than the intruder intended), the effort is an essential component of the intelligence process. In many cases, intrusions that are politically motivated will be relatively easy to interpret. The effect of the intrusion will be muted if the underlying political intent is not publicized. Depending on the nature of the goal, this publication of intent may be quite localized and covert – e.g., to gain power within the intruder organization. Nonetheless, such publication might be identifiable and could provide a historical perspective that will greatly assist in predicting possible future intrusions. On the other hand, activities by governments and criminal elements are, almost by definition, covert in nature. Intrusions of those types will provide a much greater challenge to the goal of providing predictive assessments and warnings. It also has to be recognized that in some incidents, there are no clear objectives. The lack of motive can be truly confounding. In this connection, it is essential to acknowledge the limits of intelligence. No one has articulated these more effectively than Sherman Kent, formerly the Director of the Office of National Intelligence Estimates, who noted that intelligence consists of three kinds of information: "The first is easily disposed of; it is the statement of indisputable fact… The second and third kinds do not carry any such certainty; each rests upon a varying degree of uncertainty. They relate respectively (a) to things which are knowable but happen to be unknown to us, and (b) to things which are not known to anyone at all." [Kent] In effect, much of the analysis process involves what Kent also called the "speculative-evaluative" component of intelligence – especially when it involves efforts to anticipate future behavior and future threats, and when the targets of intelligence collection and analysis are engaging in systematic concealment or deception designed to thwart these efforts. Such limits notwithstanding, the ultimate goal of intelligence analysis is predictive, strategic intelligence, disseminated to a consumer, based on the fusion of technical assessments, global analysis of incident data, and analysis of intruders and victims. It fuses three kinds of knowledge: that rooted in monitoring technology to obtain assessments about tools and weapons of disruption; that obtained from analysis of incident data; and that obtained from monitoring of possible intruders – individuals, terrorist and criminal groups and nations. Accordingly, Table 2 summarizes the three kinds of activity to be monitored and identifies the components of the collection and analysis processes in each activity area. Table 2: An Intelligence Model for Cyber-Threats

	Technical	Incident	Intruder/Victim

Methods of Analysis

	Technical assessment of the threat and 

what can be done to exploit vulnerabilities Analysis of Patterns of Incidents and how they might develop in the future. Traditional threat analysis of Intruders/Victims Methods of Collection

	Monitoring of new technologies that are developed independently of the actors who use them. 

Sensor grid (equivalent of DEW line) Equivalents of Sigint Indicators of incidents: Significance Intruders Targets Extensiveness Traditional collection methods: Humint: Informants Infiltration Interrogation Sigint: Electronic surveillance Non-traditional: Cyberint Activities and Threats relevant to security in cyber-space Weapons capabilities Technologies that are developed and shared (from civil to military applications) Incidents Use of these technologies for certain kinds of disruptive purposes Development of organizations that have the capabilities and the will to initiate attacks on the Internet. The critical task for intelligence is to fuse the three kinds of knowledge obtained in the top row. In one sense this follows the classic intelligence pattern in which fused intelligence is the ultimate goal. In the context of cyber-threats, however, the fusion of these different methods of analysis is an aspiration rather than an achievement. Success in this area would provide the kinds of strategic intelligence that makes possible the creation of an indicators and warning system. The difficulties of the task, however, go beyond the intellectual complexities discussed above. They include organizational and legal dilemmas that are still far from being resolved. In addition to supporting attribution, operational analysis should lead to sparking defensive coordinated efforts. What is needed is to connect these efforts into some form of cohesive goal that can promote a measurably effective response to on-line threats. IV. Overcoming Hurdles Even with the best of intentions and a viable model of analytic methodologies, there are significant hurdles to successful analysis of cyber-threats. Technological challenges will be the easiest to overcome; changing preconceived notions and overcoming proprietary interests will be the most difficult. Four major and immediate hurdles present themselves. 1. The need to change existing policies both in the public and private sectors All organizations, both public and private, function within a framework of policy. In many cases, those policies conflict with the effort to conduct effective intelligence analysis of on-line threats. Academic organizations can be expected to be leery about such issues as attribution. Analysis of raw incident data, vulnerabilities, and defensive tools are all completely acceptable pursuits, but attribution of intruders raises both cultural and legal issues that they would prefer to avoid. Government operates in much the same fashion. Within governmental structures, policies usually reflect the desire to have data input without a reciprocal sharing of information. Furthermore, governmental policies often compartmentalize various departments and agencies, effectively requiring duplication of effort and fostering a "rice bowl" culture. The private sector is driven by economic necessity, and working with a competitor is not a generally accepted business practice. Additionally, most businesses would prefer not to deal with government for a broad spectrum of reasons, not the least of which is a simple lack of trust. It is not so much that existing policies must be changed, but rather that new policies, directly relating to the problem of on-line threats, must be developed. Even within the existing Internet security community, the level of cooperation has often proved too low for effective sharing of information. Organizations such as FIRST were founded to foster communication, but there have recently emerged a number of commercial incident response activities, such as SANS, Network Associates and Counterpane Systems, who do not belong to FIRST and have not been active in sharing information about their incidents. Even where the data has been collected, concerns over the proprietary nature of the data and a focus on organizing the data in a manner suitable solely for response has raised barriers to its accessibility to analysts. 2. The need to understand and integrate complicated legal issues Network technology is an area where the law has not kept up with the technological advances. There will be many areas where the sort of analysis being discussed here will run head-on into legal problems. Questions of privacy come to mind immediately. The capabilities of a computer in the right (or wrong) hands make some of the existing laws protecting privacy obsolete. There are also going to be questions of liability. If there is a warning of a possible intrusion that is wrong and there is a negative impact on the consumer as a result, what is the liability of the organization that provided the warning? What is the responsibility of an analytic organization if it is able to determine attribution for an intrusion? Law enforcement will argue that the law requires providing them with the identity of the intruder. These are just a few examples. And these questions do not just involve U.S. laws, they involve national and local laws around the globe. The Internet is global, and therefore, so are the legal issues. If analysts can attribute an intrusion to a foreign individual, who gets notified? The FBI? The State Department? The Intelligence Community? InterPol? Nobody? Protecting organizations on the Internet should not come at the cost of basic freedoms and the rights of the individual. While an analysis center affiliated with an academic institution is not subject to the same restrictions as the Intelligence or Law Enforcement Communities, the legal ramifications of its efforts must be considered and reviewed on a regular basis. As one senior official at the National Security Agency put it recently, "It’s the Fourth Amendment, Stupid!" One further barrier here may be the structure of the intelligence community itself, which for constitutional reasons has been partitioned into domestic and foreign intelligence. While this distinction is critical in the physical world, it vanishes rapidly in the cyber world. The intelligence community has been left with the uncomfortable choice of violating important barriers, an unacceptable option, or yielding the cyber world to transnational threats, likewise an unacceptable option. The final solution to this dilemma has not yet emerged, but several proximate solutions are currently being employed. The classic method by which such issues have been dealt with on the Internet has been through a series of voluntary responses. While this avoids the constraints that may hamper law enforcement, the voluntary nature of these responses has produced a very uneven level of security enforcement, offering many opportunities for intruders. While the IETF and similar Internet bodies may constitute a key portion of the protection strategy, it is clear that a less voluntary enforcement mechanism may be necessary. 3. The need to establish a method of disseminating warning advisories It is one thing to conduct in-depth intelligence analysis against on-line threats, but all of that effort is merely an academic exercise unless there is a customer for the information that is derived. That brings up the question of how such information should be disseminated. Intelligence analysis, especially against a target as amorphous as the Internet, is really nothing more than an educated guess. Putting out a warning based on analysis is not the same as an "Advisory" from the CERT/CC. Those are based on quantifiable data, whereas a "Threat Warning Report" may be based on only a modicum of facts combined with consideration of various potential scenarios, and the intangible abstract assessments common to experienced analysts. Developing a method of putting out such reports, without damaging the existing reputation and credibility of an organization, is critical. The lawyers would also probably insist that this damage limitation is a necessity, given the litigious nature of today’s society. For an ongoing effort, such dissemination must be supported. This carries twin risks: that the sponsor would bias the dissemination and that the identity of the sponsor would taint the perception of the analyses. These risks are relatively pressing, given the nascent status of this form of analysis and the suspicious nature of significant sections of the Internet community. While both of these risks are manageable in the long term, they may cause short-term difficulties. Building off of a trusted identity may ameliorate some of these difficulties. 4. The need to overcome the inclination of organizations to avoid data sharing One of the things that every organization has in common is the natural inclination to hoard data. This is equally true of commercial organizations, governmental organizations, and academic organizations. That is one of the reasons that the government’s proposal for complete and open data sharing between government and the private sector will never work. Some of the reasons for this reticence are understandable, such as protecting sensitive and classified information. Law enforcement will always be reluctant to share its information, partially because of the possible legal consequences and partly because of concerns over operational security. Business is in a similar situation. Much of the data relating to an intrusion my be proprietary. Release of such information could cost a company a competitive advantage or put it in a tenuous legal position. Therefore, arbitrarily sharing such information with the government is not something that will happen anytime soon. For non-governmental organizations, there are also questions of the security of the information they provide to the government. Does the data funneled to the government then become subject to Freedom of Information Act requirements? If it does, how is proprietary or legally sensitive data handled? Of course, this all leads to the question of how willing organizations are going to be to share event data with an analytic organization. What will be the restrictions on reporting? Information is the bedrock of intelligence analysis. Without sufficient information (not necessarily accurate information, although that always helps) intelligence analysis is dead in the water. It is imperative that credibility, confidentiality, discretion and returned value be synonymous with the analytic function. While the potential hurdles are significant and must be examined individually, all of the potential problem areas also overlap. Legal issues will effect each of these areas; dissemination of analytic conclusions certainly overlaps the problem of reluctant data sharing in that proprietary and sensitive information must be protected. Consequently, each potential problem must be addressed at the policy level and its impact studied and weighed V. Producing Intelligence Analysis – An Action Plan Strategic threat analysis of the Internet must take into account myriad real-world events across a broad spectrum of disciplines in order to be successful. Information on potential intruders will have to be gathered and profiles developed. Both will have to be continuously updated. Potential motivating factors will have to be determined, partly from examination of profiles and developing databases, and partly from examining social, economic, political, and technical events and developments. From this type of analysis, a list of potential "triggers" can be created. Once these "triggers" are better understood, it then becomes essential for analysts to continuously monitor news and events from around the world in order to discover potential motivating activities. This will not be an easy matter because of the diverse nature of potential motivations. Corporate, governmental, religious, technical, law enforcement, social, military and financial activity will all have to be monitored in order to effectively capture the necessary information. Recognizing events that offer the greatest potential to be a motivating factor for cyber-intrusion will require analysts with very eclectic backgrounds and talents. One of the greatest challenges to the effort to provide effective intelligence analysis of on-line threats, is putting together a strong, viable group of analysts with the capacity to overcome these difficulties and to adapt to the requirements of intelligence analysis in a connected world. Traditional military intelligence is focused on a finite set of problems and disciplines. As a result, there is the luxury of being able to put a relatively large number of specialized analysts against well-defined threats. The Internet is very different. There is almost no aspect of modern society that is not directly, or indirectly, dependent on the Internet. For this reason, the analytic teams created to contend with on-line threats must be equally diverse and eclectic. Moreover, as time passes, the Internet and related technologies will become a transparent part of the very fabric of global society that will increase the effects of intrusions and also provide even greater challenges to analysts attempting to anticipate these events. Senior analysts will almost have to come from the National Intelligence Community, but more junior analysts must come from a wide range of disciplines and backgrounds. Many of them will inevitably come from the user community vice the computer science/engineering/programming community, although representation with applicable technical expertise in network issues will be critical. Their perspective should reflect an understanding of the impact of intrusions against users in both the private and public sectors. At the same time, others will need to come from the disciplines of the social sciences such as political science and international relations, sociology and criminology, and from professional fields such as business and law. Academic accomplishments should carry less weight than actual experience in the development of a core analytic group. Direct operational experience in one or more of the fields being analyzed should be a primary factor in the analyst selection process. Establishing a core group of analysts along these lines has a number of advantages. It provides for the rapid development of a broad corporate knowledge base; it fosters the concept of "growing" senior analysts from within; it assists in establishing credibility within the customer base; and it provides unique insights into a wide range of potential events. With the establishment of an analytic core, the question then arises as to what type of reporting should be produced. There are many options, but they must take several things into account. Foremost among these is maintaining the credibility of the reporting organization. It is essential that great care be given to ensuring the highest possible levels of analytic effort with regard to quality and timeliness. The following are some suggested venues for providing value-added analysis to the intended customer base. • Regularly published reports on analytic efforts, threat assessments, and the development of viable analytic methodologies; • Ad hoc papers and reports on analysis issues that require a more timely dissemination; • Threat Alerts. These would contain perishable information of possible impending intrusions. Such alerts would generally be predictive in nature and go to a selective audience; The regularly published reports should contain the results of various analytic efforts such as intruder profiles, victim profiles (with strict attention paid to anonymity and confidentiality), threat assessments, technical efforts to mitigate identified threats, and discussions of analytic methodologies. These would be sanitized studies that discuss analysis issues of general interest to the consumer. They should also reflect areas of interest identified by consumer feedback as well as offering a venue for other cyber-security professionals to publish reports and articles on analytic issues. Ad hoc papers and reports would cover threat and analysis issues that require dissemination in a more timely manner than those contained in the regular reports. It is anticipated that they would cover specific threat issues and analytic assessments. The audience for these reports would probably be the same as for the regular publication, but issued as needed. In most cases, such reports would involve developing situations or threat information requiring timely publication. Threat Alerts are intended to be warnings of possible impending intrusions. They would contain timely, perishable data regarding specific events or threats. The consumers of these reports would probably be limited and determined by the information itself. Such alerts must be developed as analytic methodologies are created and must also take into consideration various legal issues. It is anticipated that these products will take time to establish so that both the reporting organization and the consumers are confident that relevant issues of confidentiality, credibility, and legal liability are adequately resolved. One of the ultimate goals of the analysis effort is to provide solid, credible predictive threat assessments that analyze the perpetrators as well as the tactics, techniques and procedures that are being used. This goal will be reflected in the publications produced by the analysts. The very nature of this effort means that there will not be the level of surety found in existing vulnerability reports, and that the products issued will often contain assessments based on probabilities instead of purely factual data. For this reason, it is critical that the highest standards of analytic efforts be instituted and maintained. It is also essential that the consumers of this information are made aware of both its potential and its limitations. VI Conclusions In 1997 an important study on warning and response in international relations noted that early warning indicators typically do not speak for themselves; they require analysis and interpretation. [George and Holl] As a result even explicit warning does not always generate an effective response. This is likely to be as true in the efforts to combat cyber-threats as it is in dealing with more traditional security threats. During the late 1990s, for example, concerns about the vulnerabilities of US embassies in Africa were fully articulated but failed to generate a serious initiative to reduce vulnerabilities. Complacency was one reason for this gap between adequate warning and appropriate response. Indeed, there is a curious irony here: if threats are caught early, before they have fully matured they might not be sufficiently compelling to demand decisive action, especially if this requires difficult or unpalatable decisions or a significant allocation of scarce resources. [George and Holl] This is particularly true in business where the bottom line is often more important than costly security measures. Further, if the consequences of a particular threat are sufficiently diffused, as in the case of the Distributed Denial of Service Attacks in February, then the sense of threat for potential victims is diminished. Consequently, good intelligence needs to be accompanied by efforts to ensure that warning and alert mechanisms have maximum impact and are taken seriously by the recipients. Intelligence can only be used effectively where there is sufficient sensitivity to cyber-threats that they are taken seriously. Yet, even if warning is heeded and there is a deliberate and unequivocal response this might not be commensurate with the developing challenge. It must also be recognized that strategic intelligence for threats to Internet security is, a tool. The threats facing information systems are broad, diverse, widely distributed, and, in some cases, still being defined. Responding to these threats requires an equally broad, diverse, and widely distributed effort. No one facility, organization, government or agency is capable of responding effectively to this problem. Indeed, one of the problems in cyber-space is that the offense seems to have significant advantages over defense. Seen in this way, it is clear that intelligence analysis is not the last word in combating cyber-threats but merely a first step. Indeed, as this capability matures, proper intelligence analysis of information system threats can be a driver for development of both new technical security applications based on assessed threats, and the implementation of proper personnel security practices. Intelligence assessments can aid in the creation of effective and cost effective security policy, appropriate training programs, and reality based risk management efforts. Without this first step, however, the prospects for enhanced security are dismal and the ever-growing levels of dependence on information and communications systems will become a liability rather than an asset. References: [Ananova] "UK e-business at risk from hackers, reveals report" available at http://www.ananova.com/news/story/internet_security_79176.html [Berkowitz and Goodman] Bruce D Berkowitz and Allan E Goodman, Intelligence in the Information Age (New Haven: Yale University Press, 2000) p. 12 [Casciano] Maj. General John Casciano, USAF (Ret), former Director, Air Force Intelligence Agency, in Aviation Week and Space Technology, 13 July 1998, pp 67-70 [CERT99] "Report of the Distributed-System Intruder Tools Workshop", November 1999, available at http://www.cert.org/reports/dsit_workshop-final.html. [CSI00] Richard Power, "2000 CSI/FBI Computer Crime and Security Survey", Computer and Security Issues and Trends, Vol. 6, No. 1, Spring 2000. [Ellison99] Robert Ellison, Nancy Mead, Rick Linger and Thomas Longstaff, "Survivable Network System Analysis: A Case Study", IEEE Software, August 1999. [Erbschloe] Michael Erbschloe, "Business on the Web Is Not Worldwide", February 22, 2000 available at http://www.businesseconomic.com/cei/press.index.html [Erbschloe May 9, 2000] "Love Bug Damage costs Rise to 6.7 Billion" http://www.businesseconomic.com/cei/press.index.html [George and Holl] Alexander L George and Jane E Holl, The Warning-Response Problem and Missed Opportunities in Preventive Diplomacy (New York: Carnegie Commission on Deadly Force). [Gompert] David C. Gompert, ‘Keeping Information Warfare in Perspective’ RAND Review (Fall 1995). [Gordon93] Sara Gordon, "Inside the Mind of Dark Avenger", Virus News International, 1993, available at http://www.av.ibm.com/InsideTheLab/Bookshelf/ScientificPapers/Gordon/Avenger.html. [Kent] Sherman Kent, "A Crucial Estimate Relived" available at http://www.odci.government/csi/books/shermankent/9crucial.html. [Lynch] Aaron Lynch, Thought Contagion: How Belief Spreads Through Society (New York: Basic Books, 1996) . [Matthews] Lloyd J. Matthews Challenging the United States Symmetrically and Asymmetrically: Can America Be Defeated? (Carlisle: US Army War College, July 1998). [Moitra&Konda] Suomo Moitra, and Suresh Konda, "A Simulation Model for Managing Survivability of Networked Information Systems", Submitted for Publication, 1999. [Molander] Roger C. Molander, Andrew S. Riddile, and Peter A. Wilson, Strategic Information Warfare: A New Face of War (Santa Monica: RAND Corporation, 1996). [Paller00] Allen Paller, "Fighting Back Against Cyber Crime", GSA IT Leader’s Forum, available at http://www.itpolicy.gsa.gov/itleaders/june14minuts.doc. [SANS00] "How to Eliminate the Top Ten Most Critical Internet Security Threats", available at http://www.sans.org/topten.htm. [Schelling] Thomas Schelling, Arms and Influence (New Haven: Yale University Press, 1967). [Thomas] Timothy Thomas, "Human Network Attacks" Military Review (September-October 1999) available at http://www.call.army.mil/call/fmso/STAFF.HTM. [Wade] Wade, Nicholas, "Method and Madness; Little Brother" New York Times 4 September 1994 p.23.