Oversight hearing on
"Information Technology -- Essential Yet Vulnerable: How Prepared Are We for Attacks?"
September 26, 2001
Testimony of Michael A. Vatis
Director, Institute for Security Technology Studies, Dartmouth College
before the Subcommittee on Government Efficiency, Financial Management
and Intergovernmental Relations
Mr. Chairman, you and other members of Congress
have devoted much attention over the past few years to the state of our
preparedness to deal with cyber attacks. You have devoted particular attention
to the security of computer networks at various federal agencies, and
your work has revealed the severe shortcomings across many different agencies
in this area. I therefore will not dwell on that issue here today. Some
members of this Subcommittee have also heard me testify in the past about
the enormous improvements that have been made over the past few years
in the government’s ability to detect, warn of, and respond to cyber attacks,
principally through the National Infrastructure Protection Center. And
my esteemed colleague, NIPC Director Ron Dick, is here today to tell you
about the most recent efforts of the NIPC in this regard.
Accordingly, I would like to devote my testimony
today to two other issues. I would first like to provide this Subcommittee
with our assessment at the Institute for Security Technology Studies of
the probability of cyber attacks that could take place against the U.S.
information infrastructure during the war on terrorism. We conclude, based
on factual analysis of recent precedents, cyber attack trends, and the
geopolitical situation today, that:
- the likelihood of cyber attacks against U.S.
and allied information infrastructures is high;
- such attacks could come from terrorists and/or
their nation-state sponsors, but are more likely to come from sympathizers
of terrorists or of nation-states targeted by U.S.-led military operations
and from hackers with anti-U.S. sentiments;
- such attacks will almost certainly target the
web sites of government agencies and private companies in the U.S. and
allied countries, but could also attack more high-value targets such
as the networks that control critical infrastructures;
- such attacks could utilize destructive worms
and viruses, Distributed Denial of Service exploits, and intrusions
to disrupt targeted networks;
- and such cyber exploits could be combined into
a potent mix to cause widespread disruption, and also combined with
physical terrorist attacks to maximize the destructive potential of
both sets of terrorist tools.
Second, I would like to discuss the importance
of technology research and development to the overall cause of counterterrorism,
and to the cause of protecting against cyber attacks in particular. I
believe what is needed today is essentially a "Manhattan Project"
for counterterrorism technology, so that America’s leading scientists
in industry, academia, and government can help us use one of our greatest
strengths – our technological prowess – to design tools and technology
to assist in the war on terrorism. A significant portion of this effort
should focus on technology to secure the information infrastructure that
provides the foundation for much of our economy and our national security.
Background on ISTS
Before I turn to the main substance
of my testimony, I would like to provide background on the Institute for
Security Technology Studies at Dartmouth College. ISTS was created last
year as the result of congressional appropriations to the Department of
Justice, National Institute of Justice. Its mission is to serve as a national
center for counterterrorism technology R&D, with a significant focus
on technology to address cyber attacks. I came on board as ISTS’s first
Director this past Spring.
ISTS has numerous significant research
projects underway to develop technology to enhance cyber security and
cyber attack investigations. It also is conducting research into counterterrorism
technology, including tools for addressing the threat of chemical and
biological weapons. Most of these projects involve mid- and long-term
research to develop technology. In the wake of the September 11, 2001
attacks, we also initiated several short-term analytical projects in the
interest of helping policymakers, law enforcement and intelligence officials,
and system administrators in industry and government address some of the
challenges we will face in the coming weeks and months. One of those projects
was to analyze the possibility of cyber attacks against the U.S. information
infrastructure during the war on terrorism, which I have attached as an
Appendix to my Statement for the Record. That analysis is the focus of
the next part of my testimony.
Cyber Attacks During the War on Terrorism
As a starting point, we examined several recent
political conflicts that led to attacks on cyber systems: the recent clashes
between India and Pakistan, Israel and the Palestinians, and NATO and
Serbia in Kosovo, and the tensions between the U.S. and China over the
collision between a Chinese fighter plane and an American surveillance
plane. From these case studies, we concluded that:
For instance, in the Israel/Palestinian conflict,
there were increases in the number of cyber attacks immediately following
physical attacks, such as car bombings and mortar shellings.
- Politically Motivated Cyber Attacks Are Increasing
in Volume, Sophistication, and Coordination
For instance, after the collision between the Chinese
fighter plane and an American surveillance plane, approximately 1,200
U.S. web sites, including those belonging to the White House and other
government agencies, were reportedly subjected to Distributed Denial of
Service attacks or defaced with pro-Chinese images in just one week.
- Cyber Attackers Are Attracted to High Value
Targets
For instance, during the Israel/Palestinian conflict,
pro-Palestinian hackers have attacked the web sites of Israeli banking
and financial institutions. And during the NATO action in Kosovo, pro-Serbian
hackers repeatedly targeted NATO communications infrastructures.
Next, we looked at general trends in cyber attacks,
including those lacking any apparent political motivation. From this part
of our analysis, we concluded that cyber attacks during the war on terrorism
could utilize far more destructive techniques than those witnessed during
previous political conflicts. Whether motivated by financial gain or simply
the challenge of breaking through network defenses, attackers have been
gradually ratcheting up the sophistication of their attacks for years.
Furthermore, the wide and rapid dissemination of new exploit "scripts"
has made it possible for even unsophisticated programmers to take advantage
of these advanced techniques. Thus, in recent years, we have seen an explosive
growth in cyber attack tools such as:
A worm is an independent program that replicates
itself from machine to machine across network connections, often congesting
networks as it spreads. In recent weeks, the Code Red and Nimda worms
have demonstrated the increasing destructiveness of this malicious technology.
- Distributed Denial of Service Attacks
DDoS attacks employ armies of "zombie"
machines, taken over and controlled by a single master, to overwhelm the
resources of victims with floods of packets. Most of the world first became
aware of this attack tool during the high-profile attacks of February
2000, in which popular e-commerce web sites were shut down by simultaneous
attacks. Since that time, the popularity of high-speed home Internet access
(via cable modems and DSL) has increased, and the commanders of DDoS zombie
armies are taking advantage of this popularity to plant malicious programs
on home computers, making those machines the unwitting participants in
DDoS attacks.
Computer intrusions enable attackers to abscond
with sensitive information from government agencies and businesses, to
steal money or credit card numbers, or to alter information. Such tools
are increasingly being used by organized crime groups and potentially
by foreign adversaries.
Thus, a variety of increasingly sophisticated tools
are available to those who would attack the U.S. information infrastructure
during the war on terrorism. The next question, then, is who might engage
in such attacks. We determined that there are four principal categories
of potential attackers:
While it is unclear whether Osama
bin Laden’s Al Qaeda organization has developed cyber attack capabilities,
members of this network use information technology to formulate plans
and communicate securely. For instance, Ramzi Yousef, who was convicted
of planning the first World Trade Center bombing in 1993, had details
of future terrorist plots (including the planned bombing of 12 airliners
in the Pacific) stored on encrypted files on his laptop computer. At the
same time, the September 11, 2001 attacks on the World Trade Center and
Pentagon demonstrate an increasing desire by terrorist groups to attack
critical infrastructure targets. It is only a small step to using information
technology as a weapon against critical infrastructure targets.
Several nation-states, including
not only Afghanistan, but also U.S.-designated supporters of terrorism,
such as Syria, Iraq, Iran, Sudan and Libya, could possibly become the
focus of U.S. and allied military operations. Among those nations, at
least Iraq and Libya are reported to have developed information warfare
capabilities that could be turned against the U.S. and its allies. China,
North Korea, Cuba, and Russia, among others, are also believed to be developing
cyber warfare capabilities.
This category contains those actors
probably most likely to engage in attacks. If the American campaign against
terrorism is perceived as a "crusade" against people of the
Muslim faith, a variety of pro-Muslim hacker groups could launch cyber
attacks against the United States and its allies. Others with anti-U.S.
or anti-allied sentiments, such as members of the anti-capitalism and
anti-globalization movements, or Chinese hackers still upset about the
surveillance plane incident or the accidental NATO bombing of the Chinese
Embassy in Belgrade could join in such attacks.
Any conflict that plays out in
cyberspace will invariably attract a huge number of hackers and "script
kiddies" who simply want to gain notoriety through high profile attacks.
Those just jumping on the bandwagon of a cyber conflict between the United
States and its enemies pose a relatively low threat to American systems.
However, such individuals can still have significant disruptive impact,
as evidenced by the February 2000 DDoS attacks and recent destructive
worms.
The next issue is what targets
these attacks could be used against. We determined that the following
were possible targets.
Politically motivated web site
defacements will likely continue to escalate during the war on terrorism.
The most serious consequences of web site defacements would involve "semantic"
attacks, which entail changing the content of a web page subtly, thus
disseminating false information. A semantic attack on a news site or government
agency site, causing its web servers to provide false information at a
critical juncture in the war on terrorism, could have a significant impact
on the American population. Web sites could also be targeted with DDoS
attacks, particularly government and military sites.
Domain Name Servers (DNS) are the
"Yellow Pages" that computers consult in order to obtain the
mapping between the name of a system (or web site) and the numerical address
of that system. An attacker could disseminate false information with a
successful attack on a select Domain Name Server (or group of servers),
bypassing the need to break into the actual web servers themselves. Moreover,
a DNS attack would prevent access to the original web site, depriving
the site of traffic.
DDoS attacks against critical communication
nodes would be particularly harmful, especially during a period of crisis.
Potential targets for DDoS attacks are chat and mail servers, search engines,
and news services. Military and government communications systems are
especially likely to receive DDoS attack variants.
Routers are the "air traffic
controllers" of the Internet, ensuring that information, in the form
of packets, gets from source to destination. Routing operations have not
yet seen deliberate disruption from malicious activity, but the lack of
diversity in router operating systems leaves open the possibility for
a massive routing attack. While routers are less vulnerable than most
computers due to the fact that they offer fewer services, there is the
possibility that a current or as yet undiscovered vulnerability could
be used to gain control of a number of backbone routers.
Information systems associated
with critical infrastructures (such as banking and financial institutions,
voice communications systems, electrical power supplies, water resources,
and oil and gas delivery systems) must be considered a likely target for
terrorists, nation-states, and anti-U.S. hackers in the age of asymmetric
warfare. Such systems could be targeted through unauthorized intrusions,
DDoS attacks, worms, Trojan horse programs, or malicious insiders.
New worms may contain a sleep phase, in which the worm will infect
as many hosts as possible, before activating its destructive payload,
perhaps in order to coordinate with a conventional terrorist attack.
A multi-faceted attack employing
some or all of the attack scenarios in compound fashion could be devastating
if the United States and its allies are unprepared. A compound cyber attack
by terrorists or nation-states could have disastrous effects on infrastructure
systems, potentially resulting in human casualties. Such an attack could
also be coordinated to coincide with physical terrorist attacks, in order
to maximize the impact of both.
Finally, we recommended several
specific steps that government agencies, private companies, and others
can take to reduce their vulnerability to such attacks. These include:
System administrators and government
officials should be on high alert for the warning signs of hostile cyber
activity, particularly during periods immediately following military strikes.
Changes in "normal" scanning activity should be considered suspicious
and reported to the appropriate authorities. Logging levels should be
temporarily raised to trap as many events as possible to enable law enforcement
and/or counterintelligence investigations and the issuance of specific
warnings by the NIPC and other appropriate entities to other potential
victims. Systematic and routine risk assessments should be undertaken,
an incident management plan should be developed, and law enforcement contact
numbers should be readily available in case of an attack.
Best practices for maintaining
systems should be followed, including: regular updating of operating systems
and software, enforcement of password policies, locking down of systems,
disabling of unnecessary services, installing and updating anti-virus
software, and employing intrusion detection systems and firewalls.
Measures for securing critical
systems should be implemented, such as: checking for characters associated
with popular web server exploits, using existing authentication mechanisms
in border routers, running only recent and secure software in Domain Name
Servers, backing up all vital data and storing it off-site, copying and
maintaining log records in a secure location, and explaining all measures
in an enforceable security policy.
- Employing Ingress and Egress Filtering
Routers should be programmed to
discard any outbound packets whose source IP address does not belong to
the router’s client networks ("egress filtering"). Likewise,
any inbound IP packets with un-trusted source addresses should be filtered
out before they have a chance to enter the network ("ingress filtering").
Countermeasures for DDoS can also include cooperation from "upstream"
Internet service providers (ISPs) to limit the rate at which packets typically
associated with attacks (SYN and ICMP packets) are sent downstream to
client networks. By rate limiting these particular packets, the effects
of a malicious flood can be minimized without seriously disrupting normal
operations.
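An added illustration of the filtering and rate-limiting logic described above (not part of the testimony): a Python model of the forward/drop decisions a border router would make. The prefixes, the reading of "un-trusted" sources as reserved ranges plus the site's own prefixes seen from outside, and the SYN/ICMP rates are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample prefixes (documentation ranges) standing in for client networks.
CLIENT_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Assumption: "un-trusted" inbound sources are reserved ranges that should never
# arrive from the Internet, plus our own prefixes (spoofed if seen from outside).
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def egress_allowed(src):
    """Outbound packets must carry a source address from a client network."""
    return _in_any(ipaddress.ip_address(src), CLIENT_NETWORKS)


def ingress_allowed(src):
    """Inbound packets must not claim a reserved or internal source address."""
    addr = ipaddress.ip_address(src)
    return not (_in_any(addr, RESERVED) or _in_any(addr, CLIENT_NETWORKS))


@dataclass
class TokenBucket:
    rate: float    # tokens refilled per second
    burst: float   # bucket capacity
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size, then spend one token.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class BorderFilter:
    """Address filtering first, then rate limits on SYN and ICMP only."""

    def __init__(self, syn_rate=10.0, icmp_rate=5.0, burst=2.0):
        self.limiters = {"syn": TokenBucket(syn_rate, burst),
                         "icmp": TokenBucket(icmp_rate, burst)}

    def decide(self, direction, src, kind, ts):
        if direction == "out":
            return "forward" if egress_allowed(src) else "drop-egress"
        if not ingress_allowed(src):
            return "drop-ingress"
        limiter = self.limiters.get(kind)
        if limiter is not None and not limiter.allow(ts):
            return "drop-rate"
        return "forward"


# Constructed packets: (direction, source address, kind, timestamp in seconds).
SAMPLE_PACKETS = [
    ("out", "192.0.2.10", "data", 0.00),   # legitimate client source
    ("out", "203.0.113.5", "data", 0.00),  # source not in client networks
    ("in", "10.1.2.3", "data", 0.00),      # private source from outside
    ("in", "192.0.2.77", "data", 0.00),    # our own prefix arriving inbound
    ("in", "203.0.113.9", "data", 0.00),   # ordinary external source
    ("in", "203.0.113.9", "syn", 0.00),    # burst of SYNs within 30 ms
    ("in", "203.0.113.9", "syn", 0.01),
    ("in", "203.0.113.9", "syn", 0.02),
    ("in", "203.0.113.9", "syn", 0.03),
    ("in", "203.0.113.9", "syn", 1.00),    # bucket has refilled
    ("in", "203.0.113.9", "icmp", 1.00),
]


def run_sample():
    border = BorderFilter()
    return [border.decide(*pkt) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(pkt, "->", verdict)
```

Ordinary data packets never touch the rate limiters, which is why limiting only SYN and ICMP blunts a flood without disturbing established traffic.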
The Importance of Research and Development to Improving Cyber Security
Improving cyber security is a multifaceted problem.
As the other witnesses here have testified, part of the task is to ensure
that government agencies charged with warning of and responding to the
problem, such as the NIPC, have adequate resources. This has been a significant
and ongoing problem, which Congress and the Administration should urgently
address. Part of the task also involves creating market incentives for
manufacturers to build security into products from the ground up. This
can be done in part through government purchases, but the biggest incentive
of all is consumer demand - when consumers demand better security, manufacturers
will respond accordingly.
Perhaps most important of all
is the task of researching and developing new technology to secure the
information infrastructure against attacks. The Internet itself was never
designed with security as a primary consideration. Therefore, the very
foundation of our information infrastructure has embedded within it vulnerabilities
that make it inherently susceptible to attack. And as the use of that
foundation continues to grow exponentially, the vulnerabilities grow as
well, as do the numbers of people who are willing and able to exploit
those vulnerabilities. The ultimate solution, then, lies in developing
technology that builds in security from the ground up; security features
that render networks more resistant, robust, and resilient in the face
of attacks.
Much work is currently underway
in the private sector to develop new virus detection software, firewalls,
and the like. But commercial research is largely focused on existing threats
and near-term, profit-making developments. What remains sorely needed
is research that can look at the mid- and long-term threats. Research
to develop technologies, for which there may be little commercial incentive,
may be vital to protecting the computer networks that underpin our economy
and our national security. As the White House Office of Science and Technology
Policy (OSTP) emphasized a year ago: "The Federal government and
the private sector are now making substantial investments in cyber security
technologies. However, neither the private nor public sectors are adequately
elucidating the fundamental principles that underlie complex, interconnected
infrastructures, or developing key technologies or analytical methodologies
crucial to protecting the information infrastructure. Therefore, government
becomes the only realistic underwriter to ensure that these technologies
are developed."
ISTS is already playing an important
role in developing such technologies. The following are just a few examples
of significant ongoing work being accomplished at the ISTS in the cyber
security area.
- System Security Evaluation Test-bed - This project produces a visual
representation of an attack on a network, yielding insight into network
behavior. Prototypes of this system are under development, with simulation
technology deployable within 2 years.
- Software System Protection - This ISTS research is examining software
security models and implementations that may be based on roles and may
use public key or other security infrastructures. The significance of
this research lies in the philosophy of software security as the primary
directive for software architecture design.
- Internet Health Monitoring System and Data Archive - The increased
dependence of our nation's infrastructure on information technology has
created a need for tools that monitor the health of the Internet and
provide early warning. A prototype system is already operational, with
deployment to test sites expected next year.
- Statistically Based Network Intrusion Detection - This project will
provide an increased detection capability for intrusion detection experts,
system administrators, and investigators. A major derivative of this
project is additional techniques for protecting critical communications
infrastructures.
- Assessing and Mining of Data from Network Sensors - This project will
permit system administrators or investigators to perform rapid analyses
of a network's health or disability, leading to the discovery of the
commission of cyber attacks and the gathering of evidence of those attacks.
This research is poised to deliver its agent-based information gathering
system.
- BGP Data Archive - This project will assist the tracing of cyber attacks
by creating an archive of Internet routing tables, which can be queried,
developing methods for simulating "trace routes" based on historical
tables. System administrators and law enforcement agents will be enabled
with tools to reconstruct routes for specific dates and times.
- Honeynet - The Honeynet project is a simulated computer or computer
networks that both system administrators and government agencies can use
to analyze or track cyber attackers. This system allows users to monitor
attackers' activities and provides valuable data on attack methods,
techniques, and, most importantly, sharing of information between trusted
parties.
- Detection of Digital Tampering - ISTS research is leading to new methods
for detecting digital tampering, including steganography (which some have
speculated may be used by terrorists for covert communication). Experiments
on commercial steganography tools are underway.
Research and development of technology
to enhance cyber security and protect the information infrastructure are
an enormous undertaking, far too big for one academic institution to undertake
alone. Moreover, the necessary expertise is located at many places across
the country. That is why a major goal of ISTS is to establish a collaborative
community of focused research among numerous universities, private companies,
and government agencies nationwide. A significant percentage of ISTS’s
first-year work has taken place outside of Hanover, New Hampshire, at
places like George Mason University in Fairfax, Virginia; Los Alamos National
Laboratories and Sandia National Laboratories in New Mexico; Harvard University
in Cambridge, Massachusetts; the University of Massachusetts; Columbia
University in New York City; the University of Washington in Seattle;
the University of California at Santa Barbara; the University of Michigan;
the University of Tulsa; Mitretek in McLean, Virginia; and BBN Technologies
of Cambridge, Massachusetts. In its second year, ISTS intends to expand
its collaborations by establishing research partnerships with other notable
academic centers of excellence in the computer security and counterterrorism
field.
Beyond this research, the ISTS
is also in the process of establishing a consortium with other academic
centers of excellence, which would form a "virtual" institute
for information infrastructure protection. This institute, which will
be called the Institute for Information Infrastructure Protection (or
"I3P"), is based on the recommendations of several expert groups
over the last three years, including the President’s Committee of Advisors
on Science and Technology (PCAST), a joint study by the White House Office
of Science and Technology Policy and the National Security Council, and
an analysis by the Institute for Defense Analyses for the Department of
Defense. These studies all called for a cyber security R&D institute,
whose mission would be to: (1) develop a national R&D agenda for information
infrastructure protection, which would identify the priority R&D needs;
and (2) fund research directed at those needs.
We are just beginning the outreach
necessary to form this consortium, speaking with the leaders of principal
centers in academia, government and industry about this idea and inviting
their participation. These centers will together form the nucleus of the
I3P, with ISTS serving as the I3P’s executive agent.
With currently available funding
(less than $3 million), the I3P would not be able to fund technology research
and development. Initially, its role would be limited to developing a
national research agenda that will set forth the top computer security
areas requiring research. This agenda would be based on a comprehensive
"needs assessment" that taps the expertise and experience of
the consortium members and other experts in industry, academia, and government.
The development of a national R&D
agenda in itself would constitute a significant accomplishment and provide
great value to the Nation. While there are currently numerous research
activities underway on cyber security in academia, industry, and the government,
there has, to date, been no comprehensive agenda developed, based on the
input of all the relevant experts, to prioritize the main needs. The need
for such an agenda has been emphasized by numerous government and private
sector organizations that have studied the problem, including not only
the PCAST, the IDA, OSTP and NSC, but also the President’s Commission
on Critical Infrastructure Protection, and the Partnership for Critical
Infrastructure Security.
This agenda, which will be re-evaluated
and updated each year, can then serve as the blueprint to guide research
conducted at academic and other institutions across the country, including
the members of the I3P consortia and others. It could also be used as
an assessment and measuring tool by government agencies that provide funding
for cyber security research. Similarly, private companies can use the
agenda to develop ideas for commercially sponsored research. If future
funding permits, then the I3P can quickly take on the additional responsibility
of directly funding research that addresses priority items set forth in
the continually evolving national agenda.
In addition to this basic function
of establishing a national R&D agenda, the I3P would serve the critical
function of providing a neutral forum for the exchange of information
among experts in the field concerning network vulnerabilities, technological
developments, and fields of ongoing research. This would create opportunities
for collaboration and enhance ongoing research efforts across all the
organizations.
Conclusion
Mr. Chairman, I would like to extend my thanks
again to you and the members of the Subcommittee for inviting me to testify
before you today. You have brought attention to a critical issue at an
important juncture, when much of the country’s attention is understandably
focused elsewhere. In light of the continued vulnerability of the Nation’s
information infrastructures, we must ensure in the days, weeks, and months
ahead that we take the necessary steps to protect ourselves against potential
cyber attacks during the war on terrorism. Over the long term, research
and development will play a crucial role in securing the information infrastructure,
and thereby protecting our national security against some of the new threats
we face in the 21st Century.
Appendix 1: Cyber Attacks During the War on Terrorism: A Predictive Analysis