Certain Aspects Regarding the Development of Conditions Favorable to Cyberterrorism and the Main Areas of Cooperation in the Struggle Against It
Igor A. Sokolov* and Vladimir I. Budzko
Russian Academy of Sciences Institute for Informatics Problems
The concept of cybernetic terrorism is interpreted rather broadly. In order to work out the necessary approaches for preventing threats of unauthorized penetration of systems—intrusion and infliction of damage—we believe it is appropriate to consider the problem from the standpoint of ensuring computer security. In doing so, it is simplest to classify the various types of intruders according to the goals of their actions, for example,
obtaining access to secret data
altering data that affect the completion of processes (within a particular automated system or outside it, but under its control) in which the perpetrator has an interest
informational impacts, for which specific individuals or groups behave according to the perpetrator’s wishes
The capabilities offered by modern information technologies for data storage and transmission may also be used for the hidden exchange of information to provide support for illicit activities. Thus, there are two main types of illegal activities in the computer sphere:
unauthorized penetration or intrusion into a computer system
hidden transmission of data via legal channels
Let us look first at external intrusion, that is, unauthorized penetration by perpetrators through devices to which they have free access. We will devote separate attention to threats from personnel within a given system on the supposition that the necessary organizational and other security measures have been put in place.
In the early 1980s, intrusion received a certain amount of attention in systems where state and corporate secrets were stored. Here, the focus was primarily on limiting the access of end users to information stored in a system. The question of security for physical data carriers was handled rather simply, mainly through organizational measures.
Information security was based on the principle of creating conditions in which the user has no physical opportunity to make any changes in the software programs—nonprogrammability. It was implemented by means of so-called dumb terminals and classical operating systems (IBM, DEC, and others), the architecture of which involved the separation of programs and data and the physical protection of systems software from applied programs and other elements. Furthermore, communications technologies were systems oriented and did not permit outsiders to log on. Exchange protocols for the telecommunications components did not allow perpetrators to penetrate the network.
The level of security provided by the architectural characteristics of computers and communications devices was sharply reduced with the appearance and accelerated introduction of new technologies, of which the following deserve special attention:
personal computers, especially IBMs using Microsoft operating systems
local networks with personal computer (PC) workstations
the transmission control protocol/Internet protocol (TCP/IP) family of protocols and the creation of the Internet on their basis
A keen struggle began among the various means of protection and attack. The first applications for PCs were for home use. Within a few years, PCs began to be used in almost all spheres of human activity. IBM-compatible PCs using Microsoft software established a dominating position. With their simplicity of use and relatively low cost, they made it substantially easier and less expensive to create small systems for various applications than did computers with different architectures. The local nature of their installation made it easy to handle security matters.
This initial period saw the appearance of the first danger signals—computer viruses. At first, the intrusions were destructive in nature. The thesis was advanced that “he who takes careful precautions will not be affected.” Therefore, most of the efforts were focused on the correct use of antivirus software and the proper way to use diskettes. From a security standpoint, it is unforgivable that very little attention was devoted to the operating system architecture and floppy disk technology serving as the catalyst for the development of intrusion tools. In the development of the architecture to date, almost no fundamental and reliable barriers have been put in place against virus attacks.
In the first stage, virus attacks constituted the technology of intrusion. Modern antivirus packages (for example, the Kaspersky antivirus programs) essentially reflect the overall level of current intrusion intellect. When we give high marks to the quality of current antivirus programs, we tacitly give the same high marks to this malicious intellect.
The appearance of local computer network technology laid the foundation for a new stage in the use of PCs. Users were given a qualitatively new interface, convenient and easy to use, which they quickly preferred over previous systems based on dumb terminals. The practical implementation of “paperless information technology” in an organization’s work became a reality. Ethernet gradually became the dominant local network architecture.
The well-protected architectures offered by such manufacturers as IBM and DEC in their mainframe and personal computers were gradually pushed aside. The market supported cheap hardware, and its components became the de facto standard. At the same time, local networks created new channels for intrusion. Their use opened up opportunities for inflicting damage on a substantially larger scale than was possible in attacks against a single-user PC. It is very important to note that software carries the majority of the load in organizing the exchange of data over local networks. If there is an intrusion into any PC on the network, the network driver and its network map can be altered, which at a minimum will bring down the entire network.
So-called software agents began to be widely used in local networks to carry out certain functions. These agents are loaded into client PCs in the process of performing a particular function. This approach gained widespread use in the implementation of software for electronic libraries, for which CD-ROMs were used as basic information carriers. Software agents also began to be used in diagnostic and monitoring systems. They appear automatically on specific workstations. For example, electronic libraries that perform essential service functions involved in working with data include an internal search system and other programs that are loaded automatically during disk initialization.
The placement of such a library on a server requires that the appropriate programs be transferred to a client machine. During the transfer process, someone could intercept such a program and attach an intrusion program to it. One way of doing this, although it would not be easy, would be to intercept all Ethernet messages on a client machine through a network card configured to receive all MAC addresses. Including codes necessary for intrusion in a program being transferred would ultimately make it possible to gain unauthorized access to another workstation.
Another example of intrusion is the use of WinWord text editor macros. As macros are built-in programs, the addition of intrusion programs in the “body” of macros makes it possible to distribute them along with text documents and launch them when the text editor begins processing. There are many examples in which WinWord has been used in virus attacks.
Perpetrators have found even broader opportunities in the Internet environment. The dominant position of the TCP/IP family of protocols and their inherent capabilities have given rise to a new wave of various types of attacks with even more destructive consequences. Experience amassed in previous stages and the scientific-technical potential involved in carrying out intrusions has been put to full use.
A stable trend has been established by which the number of Internet intrusions has been doubling each year. This means that the amount of damage done has at least doubled as well. The scope of virus attacks is such that the network space of several countries at once can be affected.
At the same time, the Internet continues to play an increasingly important role as an international information repository and the least expensive means of communications. It is essentially one of the most important engines of world technological progress. It is very important to note that it has become the main daily working tool and information source in a number of fields. One example would be research and analytical activity using accessible electronic information resources via Internet Open Source Solutions, something a growing number of firms and organizations are doing.
In the environment described above, creating an IBM PC-MS-Ethernet-Internet system capable of ensuring the necessary level of security requires the involvement of the necessary number of high-class specialists in the information technology field and the acquisition of expensive security software and devices. The cost of these security technologies for a system built on this platform and requiring a high level of protection equals up to half the cost of the entire system itself. Operating and maintaining the security technologies entail substantial additional costs.
The more well-known outside intrusions that occur, the greater the demand for the products of companies that specialize in creating technologies for information security at various levels and with various purposes, producing methodological materials, and providing security consulting services. This business is developing successfully.
A system that is sufficiently protected from the outside remains vulnerable to intrusions launched from within through the capabilities of service personnel (operators, administrators, systems programmers, security officers, and so forth). A lack of on-staff capabilities in security software development must be rectified by using additional specialized software products from firms that specialize in providing enhanced protection in a Microsoft environment and by instituting additional heightened (and therefore expensive) organizational security measures.
Certain successes have been achieved in the development of technologies for intrusion detection, particularly in the Internet environment. There have been many more successes in detecting intrusions than in preventing them. Each time it has released the latest version of its operating system, Microsoft has announced the substantial expansion of the system’s built-in security features, but each time it has turned out that these new features do not save average users, who lack the system enhancement capabilities of organizations. The well-known problems of ensuring security in modern automated systems in an IBM PC-MS-Ethernet-Internet environment are also applicable to a significant extent to cases involving the use of the UNIX operating system and RISC (reduced instruction set computer) processors.
New security solutions for virtual private networks (VPNs) have been widely developed in the past few years. The use of VPNs provides substantially increased protection against system intrusions over the Internet but does not resolve the problem within the system itself. VPN technology cannot be used for access to various general-access servers, search systems, portals, other information resources, or electronic mail. Furthermore, as the service provider plays a fundamental role in the organization of a VPN, this requires that these providers be highly responsible and that users place a great deal of trust in them.
Therefore, the first conclusion that can be drawn is that the IBM PC-MS-Ethernet-Internet environment, which is the most widespread today and is used in creating automated information support tools for various functional purposes, is poorly protected against intrusions. Efforts to stop the growth in the number of intrusions have not been successful. This situation is advantageous for firms specializing in the sale of consulting services and the production of supplemental means of protection, such as firewall systems, security shields, and monitoring systems. But it also increasingly complicates the lives of end users. The fundamental reason for this state of affairs lies in the inherent characteristics of the systems architectures. At the same time, the IBM PC-MS-Ethernet-Internet environment still represents the dominant foundation for existing and newly created automated information support systems.
The new technology of dense wavelength division multiplexing (DWDM), in which all types of channels are collocated on one fiber, has seen very rapid development in recent years. Each subchannel has a carrying capacity of 10 GBps, and there are 256 subchannels in each channel. Efforts are continuing to increase the number and carrying capacity of the subchannels. The use of DWDM technology makes it more efficient to use IP as the basic exchange protocol, and this explains the gradual shift away from lower-level protocols such as asynchronous transfer mode (ATM), frame relay (FR), and others.
The use of DWDM in developing the Internet will facilitate a substantial expansion in the volume and content of services provided, including IP-telephony, IP-video, video conferencing, and so forth. These and other types of services will make up an ever-increasing share of overall Internet use. DWDM offers expanded capabilities for making systems disaster resistant, which is defined as the ability of a critical application to maintain vitally important data and software resources and continue performing its functions (possibly with certain limitations) under conditions of overall system degradation caused by the massive destruction of system components or entire hardware complexes and linkages between them as a result of natural disasters, industrial accidents and catastrophes, or the intentional actions of individuals or groups. This function is also conveniently carried out over the Internet, as in such circumstances it is simpler and less expensive to resolve the problem of rerouting communications channels.
Finally, the use of DWDM makes it possible to advance efforts to implement distributed parallel computing (grid program [peer-to-peer computing]). The Internet is advantageous in this regard as well. Dealing with issues of providing security for data processing and transmission in cutting-edge distributed computing architectures is of fundamental importance if these architectures are to be broadly disseminated and used. The basic security components must provide a mechanism for authentication, access limitation, and confidentiality of communications among elements of the network. Ensuring the integrity of data and processes during failures and catastrophes should also be viewed as an important element of ensuring security. In addition, any system operating in an IP VPN environment must have a subsystem for security management that is designed to ensure the reliable and uninterrupted functioning of the base system in the event of threats or other actions, protect the technological process as a unified whole, and provide monitoring and audit capabilities.
Therefore, our second conclusion is that the Internet will develop and be used on an increasing scale in various spheres of human activity. However, if the IBM PC-MS-Ethernet-Internet architecture maintains its dominance, we will also see an increase in damages from intrusions and especially from intrusions for terrorist purposes.
This leads to our third conclusion, namely, that the danger of computer terrorism can be reduced only by using new systems technology solutions for the design of operating systems, collective use systems, and telecommunications protocols. The following could be suggested as areas for joint research with our American colleagues:
definition of design principles and implementation mechanisms for ensuring the security of the LINUX operating system and preventing intrusions into individual computers and collective use systems, including the construction of such systems on narrow client principles
definition of areas for improvement and development of recommendations on changing the IP protocol
study of questions related to the construction of virtual private networks that are reliable in preventing intrusions
study of questions related to the implementation of distributed parallel computing (GRID system)
It would also be appropriate to join forces to prepare the necessary methodological materials explaining the practical expediency of intrusion-resistant architectures to stimulate market interest in the shift to using hardware and software that could form the basis for the creation of reliably protected systems. Finally, it would be expedient to work together on preparing well-honed recommendations on the creation of a standardized set of laws on cyberterrorism.