Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (2009)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

4 An Intelligence Community Perspective on Cyberattack and Cyberexploitation The intelligence community’s primary role relates to the process of generating finished intelligence from raw information for policy makers to use in decision making and action regarding national security and foreign policy. In addition, as a matter of policy and in accordance with legislation and executive order, the Central Intelligence Agency has an operational role in undertaking covert action intended to influence events abroad. The reader should keep in mind that this chapter is necessarily less complete than the discussion of Chapter 3 since much less is known pub- licly about the intelligence community’s thinking about cyberattack and cyberexploitation. Furthermore, all of the scenarios described below are entirely hypothetical. 4.1  Intelligence Collection and Analysis 4.1.1  Governing Principles In the domain of national security, intelligence is useful for both tacti- cal and strategic purposes. Tactical intelligence is useful to the military services, because it provides advantages on the battlefield against adver- sary forces through direct support to operational commanders in areas such as reconnaissance, mapping, and early warning of adversary force movements or other actions. Tactical intelligence is also necessary for counterterrorism efforts that seek to preempt or disrupt terrorist activi- 188 

AN INTELLIGENCE COMMUNITY PERSPECTIVE 189 ties before they occur. Intelligence for strategic purposes (national intel- ligence) serves foreign policy, national security, and national economic objectives. National intelligence focuses on foreign political and economic events and trends; strategic military concerns such as plans, doctrine, and scientific and technical resources; weapons system capabilities; and nuclear program development. The intelligence-generation process, usually described as a cycle, has several steps. It begins with planning and direction, which identifies deci- sion-maker needs for information about a potential adversary (or perhaps even a friendly party). These needs constitute the basis for information collection requirements, which specify the scope and nature of the raw information that may be needed in analysis. As a rule, information can be collected from many sources, including open sources such as foreign broadcasts, newspapers, periodicals, books, and websites. Other sources of information are secret, and may include agents abroad, defectors from adversaries, or information clandestinely gleaned from telephone, radio, or Internet transmissions. Information processing converts the large amounts of raw information into forms usable by intelligence analysts, and may entail decryption, language translations, and data reduction. Analysis and production converts information into finished intelligence and involves integrating, evaluating, and analyzing all available information from all sources. Such analysis may take place over the course of days or weeks or months (in the case of strategic intelligence) or over the course of hours or minutes (in the case of tactical intelligence). Dissemination distributes the finished intelligence to the decision makers who requested the intelligence in the first place. (The cyclical nature of the intelligence process results from the fact that recipients of intelligence often develop new requirements and intelligence needs after they receive finished intel- ligence, and the cycle starts anew.) The information collection step is the most relevant to this report. Traditionally, sources of information have included signals intelligence (SlGINT—information derived from intercepted communications, radar, telemetry, and computer networks), imagery (IMINT—overhead and ground imagery), measurement and signature intelligence (MASINT— technically derived intelligence data other than imagery and SIGINT, examples of which might be the distinctive radar signatures of specific types of aircraft or the composition of air and water samples), human- source intelligence (HUMINT—including clandestine source acquisition of information; overt information collection by civilian and military per- sonnel assigned to U.S. diplomatic and consular posts; debriefing of for- eign nationals and U.S. citizens who have traveled abroad or have access to foreign information; official contacts with foreign governments, includ- ing liaison with their intelligence and security services), and open-source 

190 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES information (OSINT—publicly available information appearing in print or electronic form). In the context of this report, activities generally labeled as exploita- tion are sources of raw information and support the information collec- tion step of the intelligence cycle. As noted in Chapter 1, exploitation operations use adversary information systems and networks to support friendly goals and missions. Computer-based or network-based exploitation operations can be used to support information collection, although they do not necessar- ily fit neatly into any one of the several sources described above. For example, software agents can be introduced into a collection target’s computer system that can scan all accessible files for certain keywords (e.g., “nuclear” in the appropriate local language) and e-mail those files in encrypted form to an address controlled by U.S. intelligence services. Other types of agents can monitor all keystrokes made on a target’s computer keyboard. A hardware agent introduced during the design of a microprocessor might secretly render its encryption functions useless for practical purposes, thus making eavesdropping on encrypted messages from that computer relatively easy to perform. Finally and as noted in Chapters 2 and 3, cyberattack often requires substantial intelligence support to succeed, and often cyberexploitation techniques will be used to acquire such information for this purpose. Intelligence agencies of the U.S. government will play a significant role in collecting the intelligence information necessary for such operations by the U.S. armed forces. 4.1.2  How Cyberexploitation Might Be Used to Support Intelligence Collection Some tools for intelligence collection are based on the clandestine installation of a software or hardware agent into an adversary computer system or network. Once installed, the functionality of the agent for intel- ligence collection depends only on its ability to route information back to its controller, however circuitous or opaque that route might be. The following hypothetical scenarios may be illustrative:  Famed cryptographer Adi Shamir noted that “if some intelligence organization dis- covers (or secretly plants) [emphasis added] even one pair of integers a and b whose product is computed incorrectly (even in a single low-order bit) by a popular microprocessor, then ANY key in ANY RSA-based security program running on ANY one of the millions of PCs that contain this microprocessor can be trivially broken with a single chosen message.” See Adi Shamir, “Research Announcement: Microprocessor Bugs Can Be Security Disasters,” November 2007, available at http://cryptome.info/bug-attack.htm. 

AN INTELLIGENCE COMMUNITY PERSPECTIVE 191 • The director of the Zendian intelligence service is known to be a strong supporter of the Zendian national soccer team. The soccer team maintains a website on which it provides team statistics, video highlights from recent games, and other content of interest to fans. An intelligence collection operation is launched to exploit a flaw in the operating sys- tem of the server that handles the soccer team’s website, and installs a Trojan horse program as a modification of an existing videoclip. When the director views the clip, the clip is downloaded to his hard drive, and when his desktop search program indexes the file, the Trojan horse is launched. The collection payload then searches the local hard drive for evidence suggesting that the user is in fact the director. If none is found, the program erases itself. If the program finds evidence that the user is the director of intelligence (or perhaps the minister of defense, also known to be a soccer fan), it retrieves all plaintext files within reach and e-mails encrypted compressed versions of them to an e-mail address set up spe- cifically as a “dead-drop” location. • The Zendian Secret Internet Protocol Router Network (Z-SIPRNet) carries classified information and messages for the Zendian ministry of defense, and supports the Zendian command and control system for managing troop deployments, the Zendian defense message system, and many other classified warfighting and planning applications. Although no connections between Z-SIPRNet and the public Internet are allowed, it is known that Gorga, a system administrator, has connected his computer at work to a password-protected dial-up modem. Through a manipula- tion of the telephone switching center, phone calls from Gorga’s home phone number to the modem are secretly redirected to a login simulator that captures his login name and password. Using Gorga’s administrator privileges, the intelligence collection operation installs a “sniffer” on the network that examines all passing traffic, and forwards interesting com- munications to a file that is saved in a temporary work area on Gorga’s computer. At night, while Gorga is asleep, the collection operation down- loads the file. • An intelligence collection operation scatters inexpensive uni- versal serial bus (USB) flash drives in parking lots, smoking areas, and other areas of high traffic near a building associated with the Zendian  For example, a vulnerability in the way in which Windows operating systems handled Windows Metafile vector images was reported in late 2005—this vulnerability allowed arbi- trary code to be executed on any computer affected without the knowledge or permission of its users upon viewing of certain image files. See Swa Frantzen, WMF FAQ, January 7, 2006, available at http://isc.sans.org/diary.html?storyid=994. 

192 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES Ministry of Defense. In addition to some innocuous images, each drive has already-loaded software that collects passwords, login names, and machine-specific information from the user’s computer, and then e-mails the findings to the intelligence collectors.  Because many systems sup- port an “auto-run” feature for insertable media (i.e., when the medium is inserted, the system automatically runs a program named “autorun.exe” on the medium) and the feature is often turned on, the intelligence collec- tors can receive their findings as notified as soon as the drive is inserted.  The program also deletes itself and any trace of the e-mail after sending. The login information can then be used to compromise the security of existing accounts. • A Zendian firm and a Ruritanian firm are competitors for a m ­ ultibillion-dollar contract in a third country. Working closely with the Zendian firm to understand what it would need to know to compete more effectively, the Zendian intelligence service conducts against the Rurita- nian firm a series of cyber offensive actions that install dual-purpose and well-hidden Trojan horses on the firm’s network. At first, these Trojan horses are programmed to send back to Zendian intelligence confidential business information about the Ruritanian bid; this information is subse- quently shared with the Zendian negotiating team. Later, as the deadline for each side’s best and final bid approaches, the second function of the Trojan horses is activated, and they proceed to subtly alter key data files associated with the Ruritanian proposal that will disadvantage the firm when the proposals are compared side by side. (Note that these cyber offensive actions combine cyberexploitation with the installation of a capability for subsequent cyberattack.) In each of these cases, the installed agent copies files (or parts thereof) and then transmits them to the handler. But any access to copy a file could almost as easily rewrite the file with different data, and on many systems do so without evidence. Such an action would convert the intelligence collection agent into a destructive agent as well. It should be noted that some of the activities in these scenarios would raise legal and policy questions for U.S. intelligence agencies if they were to engage in such activities. These agencies surely possess the technical capability to engage in such activities, but by policy, the United States does not target intelligence assets for the specific purpose of enhancing  This exploit is based on an actual experiment reported in 2006. In this experiment, over 75 percent of the drives distributed resulted in a system penetration. See Steve Stasiuko- nis, “Social Engineering, the USB Way,” Dark Reading, June 7, 2006, available at http://www. darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1.  The use of national intelligence agencies to aid private companies is not unprec- edented, as noted in Section 2.6.2. 

AN INTELLIGENCE COMMUNITY PERSPECTIVE 193 the competitive position of U.S. industries or specific U.S. companies. If it did, U.S. companies might be able to obtain competitively useful and proprietary information about the future generations of foreign products, such as airplanes or automobiles, or about business operations and con- tract negotiating positions of their competitors. A potential legal question arises in the action of the U.S. government in conducting a cyber offensive action against any viewer of a given website, which could include U.S. citizens. Section 7.3.4 addresses the legality of such actions taken by intelligence agencies against foreign or domestic computers, but additional uncertainties arise if such activities are regarded as infringing on the constitutional rights of U.S. citizens. 4.2  Covert Action 4.2.1  Governing Principles By law (50 USC 413b(e)), covert action relates to activities of the U.S. government to influence political, economic, or military conditions abroad, where it is intended that the role of the U.S. government will not be apparent or acknowledged publicly. Covert action must support identifiable foreign policy objectives of the United States and be important to the national security of the United States, and must be authorized by findings of the President. Covert action must not violate the Constitution or any statute of the United States, nor influence United States political processes, public opinion, policies, or media, and must also be appropri- ately reported to appropriate individuals in the U.S. Congress. (The legal basis for covert action is addressed in greater detail in Chapter 7.) In general, covert action is not focused primarily on activities related to intelligence collection or analysis, although such collection may occur incidentally to covert action. Executive Order 12333 stipulates that the Central Intelligence Agency has by default the lead role in covert action. Classic examples of covert action include providing weapons or fund- ing to a favored party in a conflict, supporting agents to influence political affairs in another nation, engaging in psychological warfare, disseminat- ing disinformation about a disfavored party, or deceiving a disfavored party. Specific actions that could be undertaken under the rubric of covert action include: • Funding opposition journalists or newspapers that present nega- tive images of a disfavored party in power; • Paying intelligence agents or party members to make public state- ments favorable to U.S. interests; 

194 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES • Providing financial support to opposition civil society groups and helping them set up international networks; • Advancing conditions for economic disruption by creating fuel shortages, promoting hoarding, making doomsday predictions, or closing key markets; • Providing military aid or training to favored parties; • Bolstering individual leaders favorable to the United States who could plausibly fill a power vacuum once the party in power is ousted; • Funneling money to a favored party through legal or illegal means; • Supporting paramilitary action against a disfavored government of a foreign nation; • Instigating a fight or discord between two adversarial, disfavored parties; • Influencing an election; and • Disseminating propaganda. As a practical matter, the findings process of the covert action statute was established to provide safeguards in situations where the United States would be drawn further into some conflict or the lives of people on the ground were at risk. The “feel and character” of such situations are significantly different from actions such as remotely placing Trojan horse programs in the operating system of a foreign defense ministry—and it would be less likely for decision makers to believe that findings would be necessary to authorize such actions. Nevertheless, covert action—whether it involves computers or not—is subject to the findings and notification process specified by law. In addition, it is entirely conceivable that activities originally intended to be outside the statutory definition of covert action will evolve over time into such action, at which time the findings mechanism is supposed to be invoked. Put differently, there is a certain threshold (an ill-defined thresh- old to be sure) that must be met in order to trigger the findings process, and to the extent that an activity remains below or outside that threshold, the safeguards described in the previous paragraph are not operative. According to Jeff Smith, former general counsel to the Central Intel- ligence Agency (1995-1996), traditional U.S. interpretations of the laws of armed conflict (LOAC; further described in Chapter 7) require covert action, whether or not it involves violent activities, to be conducted con- sistent with LOAC’s requirements. (For example, the War Crimes Act (18 U.S.C. 2441) is applicable to all U.S. nationals.) Smith further noted that observance of the spirit and letter of LOAC is generally helpful in any operation in which it is desirable to win the hearts and minds of the people of the nation involved, and in any case increases the likelihood 

AN INTELLIGENCE COMMUNITY PERSPECTIVE 195 that other nations will support (or at least less strenuously oppose) U.S. actions. This discussion of covert action should not be construed as support- ing or opposing the notion of covert action in the first place, and a number of points must be kept in mind. First, covert action is predicated on the assumption that the policy goals being supported are indeed sound and appropriate. No covert action can turn bad policy into good policy, even when decision makers are tempted to use covert action to rescue failed policy. In the latter case, it is easy for covert action to become the policy, and for decision makers to forget or downplay the original policy goals. Second, covert action is undertaken on the assumption that its link to the U.S. government can be kept secret. Although experience demonstrates that covert action can indeed be kept secret under some circumstances, decision makers cannot assume that any given covert action will be kept secret—and this holds as well for any covert action that might be based on cyberattack capabilities. 4.2.2  How Cyberattack Might Be Used in Covert Action One alleged U.S. activity involving cyberattack in a covert action occurred in 1982. According to Thomas Reed, a former National Secu- rity Council official, the United States doctored software that was sub- sequently obtained by the Soviet Union in its efforts to obtain U.S. tech- nology. At the time, the United States was seeking to block Western Europe from importing Soviet natural gas. The intent of U.S. doctoring was “to disrupt the Soviet gas supply, its hard currency earnings from the West, and the internal Russian economy,” and to support this goal, “the pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire after a decent interval to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds.” Soviet use of the doctored software allegedly caused a large explosion in a Siberian natural gas pipeline. The following additional (and entirely hypothetical) examples of how cyberattack might be used in covert action are presented for discussion only and without comment on the merits of the underlying goals:  However, since the U.S. statute defining covert action was not signed into law until 1991, it is unclear whether the 1982 action should be considered a covert action in the legal sense of the term.  Thomas C. Reed, At the Abyss: An Insider’s History of the Cold War, Ballantine Books, New York, 2004. 

196 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES • An election is to be held in Zendia, and the predicted margin of victory between the favored and disfavored parties is relatively small. This election will be the first Zendian election to use electronic voting, and the Zendian election authorities have obtained electronic voting machines to administer this election from Ruritania. U.S. intelligence operatives intercept the CD-ROM containing a software update from the Ruritanian vendor en route to Zendia, and substitute a new CD-ROM in the package containing the original update plus additional functionality that will tilt the election toward the favored party. • A disfavored party is in power in Zendia, and the U.S. government wishes to weaken it. U.S intelligence operatives conduct a cyberattack against the Zendian Social Services Agency by compromising employ- ees of the agency, using the USB flash drive technique described above. Obtaining access to the Social Services Agency databases, the United States corrupts the pension records of many millions of people in the country. In the next election, the disfavored ruling party is voted out of office because of the scandal that resulted. • Two traditionally adversarial nations are armed with nuclear weapons, and the United States has been conducting intelligence col- lection operations against these nations for many years. Through a mix of human and technical means, it has been successful in learning about cyber vulnerabilities in the nuclear command and control networks of each nation. During a crisis between the two nations in which both sides have launched conventional kinetic attacks against the other side’s terri- tory and armed forces, nuclear confrontation between them is imminent. The U.S. government makes a decision to corrupt the transmission of any nuclear launch orders transmitted through those networks in order to prevent their use. • Zendia is an authoritarian nation that recognizes the value of the Internet to its economy, but as an instrument of political control, it actively censors certain kinds of Internet content (e.g., negative stories about the Zendian government in the foreign press) for its population. Its censor-  This scenario is based on the Japanese election in 2007, in which the ruling party lost resoundingly. Many analysts attributed the loss to the fact that the Japanese Social Insur- ance Agency was revealed to have lost pension records for 50 million people. Although no evidence suggests that cyberattacks played any role in this scandal, it is easy to see how in an age of increasingly automated records, such attacks might well have such a large-scale effect. See Pino Cazzaniga, “Election Defeat Marks Abe’s Political Future,” AsiaNews.it, July 30, 2007, available at http://www.asianews.it/index.php?l=en&art=9962.  In 1996, a scenario with many similar elements involving India and Pakistan was proposed by John Sheehan, then-commander-in-chief of the U.S. Atlantic Command. See Bradley Graham, “Cyberwar: A New Weapon Awaits a Set of Rules,” Washington Post, July 8, 1998, p. A1. 

AN INTELLIGENCE COMMUNITY PERSPECTIVE 197 ship mechanisms are largely automated and operate at one of a few Internet gateways to the country. During a time of tension with Zendia, the United States launches a cyberattack against the automated Zendian censors so that the population can obtain, at least temporarily, a broader range of information than it would otherwise be able to access. • A party favored by the United States is conducting an armed rebel- lion against the Zendian government. No funds are currently available to help the favored party. However, the U.S. President wishes to find a way to help the rebels, and authorizes a cyberattack that diverts money from the Zendian national treasury to the rebels. • A Zendian cyberattack is launched against the military medical ser- vices of Ruritania to obtain the medical records of all active personnel. In the days before a planned armed attack by Zendia, postings and mailings from anonymous sources appear pointing out that Ruritanian Colonel X is being treated for bipolar disorder, that Captain Y was treated three times for a sexually transmitted disease in the last 2 years, and that Admiral Z is on tranquilizers. Copies of the medical records—sometimes secretly and undetectably altered—were released to back up the stories. The results led to some family problems for Captain Y, Admiral Z was relieved of field command, and Colonel X resigned his commission. Others were simply discomfited. The result was a drop in readiness by the command structure when Zendia struck, giving Zendia some advantage. Note that this particular covert action has an element of intelligence collection. • The Zendian nuclear weapons program relies on a social network of scientists and engineers. The United States launches cyberattacks against a dozen key scientific leaders in this network to harass and discredit them. These cyberattacks plant false adverse information into their security dossiers, insert driving-under-the-influence-of-drugs/alcohol incidents into their driving records, alter their credit records to show questionable financial statuses, change records of bill payments to show accounts in arrears, and falsify telephone records to show patterns of contact with known Zendian criminals and subversives. Discrediting these individu- als throws the program into chaos. • Scientists working on the Zendian biological weapons program use an in-house network to communicate with each other and manage their research and development program. U.S. intelligence agencies penetrate the network to install dual-purpose software agents to exfiltrate the traf- fic on the network to intelligence analysts. When analysis of the traffic indicates that the Zendian research efforts are reaching a critical stage,  This scenario is based on one taken from the Global Organized Crime Project, Cyber- crime, Cyberterrorism, Cyberwarfare: Averting an Electronic Waterloo, Center for Strategic and International Studies, Washington, D.C., 1998. 

198 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES the software agents begin to alter key data clandestinely so that critical experiments fail. Further, these software agents are so well hidden that they can maintain their presence over a period of years so that subsequent experiments fail at critical times as well. • The Zendian airplane industry and a major U.S. defense contractor are engaged in a competition to win a lucrative contract from Ruritania for producing fighter aircraft. In order to support a key company in the U.S. defense industrial base, the U.S. government conducts a cyberattack to disrupt and delay the production of the Zendian fighter plane and thereby provides an additional incentive for Ruritania to select the U.S.-produced plane.10 4.3  Possible Intelligence Community Interest in Cyberattack and Cyberexploitation Because such information would fall into the category of sensitive “sources and methods,” it is not publicly known whether the intelligence community has used or intends to use cyberexploitation. However, the use of cyberexploitation techniques for exfiltration of sensitive business and personal information is well known, and the U.S. government has indicated that DOD systems have been subjected to foreign cyberexploi- tation for such purposes. Thus, it would be highly surprising if the U.S. intelligence community did not know about and make use of cyberexploi- tation when appropriate or helpful. As for covert action, again the CIA’s interest in or use of cyberattack is not known publicly. But given the demonstrated difficulties in tracing the source of a destructive cyberattack to a specific party, it would not be at all surprising for the CIA to be interested in cyberattack as at least a potential tool for covert action. Hints of possible interest in the value of cyberattack for the intelli- gence community can be found in the testimony of Director of National Intelligence J. Michael McConnell to the Senate Select Committee on 10 Although such actively destructive actions have not, to the committee’s knowledge, been taken to benefit U.S. companies, U.S. intelligence has been used to uncover unfair trade practices of other nations whose industries compete with U.S. businesses, and has helped the U.S. government to ensure the preservation of a level economic playing field. Accord- ing to the National Security Agency, the economic benefits of SIGINT contributions to U.S. industry taken as a whole have totaled tens of billions of dollars over the several-year period prior to 1996. See National Research Council, Cryptography’s Role in Securing the Information Society, National Academy Press, Washington, D.C., 1996, Chapter 3. 

AN INTELLIGENCE COMMUNITY PERSPECTIVE 199 Intelligence in February 2008.11 McConnell noted a need for the United States “to take proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant dam- age.” He also noted concern about “how best to optimize, coordinate and deconflict cyber activities.” The first statement points to the inadequacy of hardening and passive defense alone as defensive strategies, and the second statement about coordination and deconfliction suggests the exis- tence of (or the desire to conduct) cyber activities outside one’s own defensive perimeter that might contribute to defense. Finally, as noted in Box 3.2, the National Security Agency—which is a member of the intelligence community and also a component of the Department of Defense—has in its latter role certain responsibilities for cyberattack activities. 11 J. Michael McConnell, “Annual Threat Assessment of the Director of National Intel- ligence for the Senate Select Committee on Intelligence,” February 5, 2008, available at http://­ intelligence.senate.gov/080205/mcconnell.pdf.