   The New York Times, September 30, 1996, pp. D1, D4.


   Ready, Aim, Zap

      National Security Experts Plan for Wars Whose Targets
      and Weapons Are All Digital

      Is the threat real, or is this just another way to win
      scarce funds?

   By Steve Lohr


   It was the OPEC meeting in May 2000 that started the
   crisis. The oil-price hawks, led by Iran, demanded a sharp
   cutback in production to drive prices up to "at least $60
   a barrel."

   The stormy gathering of the Organization of Petroleum
   Exporting Countries ended on May 4, with a shouting match
   between the Iranian and Saudi Arabian oil ministers. Over
   the next two weeks, Iran and its allies mobilized troops
   and fired on Saudi warships. But they also unleashed an
   arsenal of high-technology weapons to try to destabilize
   the Saudi Government and prevent the United States from
   intervening.

   A huge refinery near Dhahran was destroyed by an explosion
   and fire because of a mysterious malfunction in its
   computerized controls. A software "logic bomb" caused a
   "new Metro-Superliner" to slam into a misrouted freight
   train near Laurel, Md., killing 60 people and critically
   injuring another 120. The Bank of England found "sniffer"
   programs running amok in its electronic funds transfer
   system. And a "computer worm" started corrupting files in
   the Pentagon's top-secret force-deployment data base.

   The opening scenes from a Hollywood script or a new Tom
   Clancy novel? No, these are excerpts from a role-playing
   game conducted last year at the Government's National
   Defense University in Washington.

   The goal was to generate some serious thinking about
   "information warfare."

   Today, there are a lot of people thinking seriously about
   information warfare, not only at the Pentagon and the
   C.I.A. but also in the executive offices of banks,
   securities firms and other companies. Once dismissed as the
   stuff of science fiction, high-tech information warfare is
   fast becoming a reality.

   Military and intelligence officials believe that enemy
   nations, terrorists and criminal groups either already have
   the capability to mount information warfare strikes or soon
   will. Criminals are quickly progressing beyond the
   vandalism and petty theft associated with teen-aged hackers
   and into robbery and extortion schemes ranging up to
   millions of dollars, corporate executives and private
   investigators say.

   In the future, they fear, information warfare assaults
   could be made against commercial networks like the banking
   system or utilities in several states.

   Yet there is a heated debate among experts in this emerging
   field about whether the kinds of catastrophic incidents
   cited in the National Defense University war game are
   imminent threats or worst-case nightmares.

   "A couple of years ago, no one took information warfare
   seriously," said Howard Frank, director of the information
   technology office at the Defense Advanced Research Projects
   Agency, or Darpa. "But the more you learn about it, the
   more concerned you become."

   Others reply that the worst threats mentioned are mostly
   speculation. "Information warfare is a risk to our nation's
   economy and defense," said Martin Libicki, a senior fellow
   at the National Defense University. "But I believe we will
   find ways to cope with these attacks, adjust and shake them
   off, just as we do to natural disasters like hurricanes."

   Experts on both sides of the debate do agree that the
   growing reliance on computer networks and
   telecommunications is making the nation increasingly
   vulnerable to "cyberattacks" on military war rooms, power
   plants, telephone networks, air traffic control centers and
   banks.

   John M. Deutch, the Director of Central Intelligence, told
   Congress in June that such assaults "could not only disrupt
   our daily lives, but also seriously jeopardize our national
   and economic security."

   "The electron, in my view," Mr. Deutch warned, "is the
   ultimate precision-guided weapon."

   President Clinton created a Commission on Critical
   Infrastructure Protection in July to craft a coordinated
   policy to deal with the threat. Within the Government,
   information warfare tactics and intelligence are highly
   classified issues. But the C.I.A. has recently created an
   Information Warfare Center. And the National Security
   Agency intends to set up an information warfare unit
   staffed by as many as 1,000 people, with both offensive and
   defensive expertise, as well as a 24-hour response team,
   according to a staff report by the Senate Permanent
   Subcommittee on Investigations. The report was initiated by
   Senator Sam Nunn.

   Information warfare is a catch-all term. The military, for
   example, often refers to information warfare broadly to
   include time-tested techniques and tools like
   disinformation, cryptography, radio jamming and bombing
   communications centers.

   But it is high-tech information warfare that has been
   getting most of the attention and funds lately. This
   budding warfare industry is an eclectic field indeed,
   ranging from computer scientists whose work is financed by
   the Government to "hackers for hire" who specialize in
   theft, extortion and sabotage. In his Senate testimony, Mr.
   Deutch said the C.I.A. had determined that cyberattacks
   were now "likely to be within the capabilities of a number
   of terrorist groups," including the Hezbollah in the Middle
   East.

   The weapons of information warfare are mostly computer
   software, like destructive logic bombs and eavesdropping
   sniffers, or advanced electronic hardware, like a
   high-energy radio frequency device, known as a HERF gun. In
   theory, at least, these weapons could cripple the computer
   systems that control everything from the electronic funds
   transfer systems of banks to electric utilities to
   battlefield tanks.

   For the military, information warfare raises the prospect
   of a new deal for America's adversaries. Cyberwar units
   could sidestep or cripple conventional weaponry,
   undermining the advantage the United States holds.

   "Even a third-tier country has access to first-class
   programmers, to state-of-the-art computer hardware and
   expertise in this area," said Barry Horton, principal
   Deputy Assistant Secretary of Defense, who oversees the
   Pentagon's information warfare operations. "There is a
   certain leveling of the playing field."

   Cyberspace also plays havoc with traditional definitions:
   what is a military and what is a commercial target, if 95
   percent of military communications are over commercial
   networks; what is within United States jurisdiction and
   what is an international issue, when cyberspace has no
   geographic borders? "We have to redefine national security
   for the information age," Mr. Horton said.

   There is, to be sure, an aspect of self-interest in the
   information warfare alarms raised by military and
   intelligence agencies. Those bureaucracies are sizable and
   costly, and in the post-cold-war era, they are in need of
   new enemies.

   "The people who are concerned about information warfare
   tend to magnify its significance," said Mr. Libicki of the
   National Defense University.

   The Electronic Industries Association estimates that over
   the next decade, the Government's information warfare
   procurement, mainly for specialized software and services,
   will grow sevenfold, to more than $1 billion annually.

   Yet the projected spending on information warfare amounts
   to pocket change, compared with next year's military budget
   of $257 billion. "The point of information warfare is that
   you don't need fighter planes and billions of dollars to
   launch an attack on the United States anymore," said Winn
   Schwartau, an author and president of Interpact Inc., a
   security consulting firm.

   The Government's computer systems are clearly susceptible
   to intruders. In 1988, a Cornell student sent a worm
   program over the Internet that penetrated military and
   intelligence systems, shutting down 6,000 computers. In
   1994, a 16-year-old British hacker broke into the computer
   system at an Air Force laboratory in Rome, N.Y. And in "red
   team" exercises, the military's experts have been able to
   break into 65 percent of the Defense Department systems
   they tried to penetrate, using hacking tools available over
   the Internet.

   But nearly all these intrusions have been into some of the
   two million computers in military networks that handle
   unclassified information -- that information can, however,
   be useful to enemies, military officials concede. The
   classified information is on the other 10 percent of the
   military's computer networks, which do not have open links
   to the outside.

   Private companies and banks typically do not have the
   luxury of making their networks off-limits to outsiders.
   "We invite our customers into our computer networks," said
   Colin Crook, the senior technology officer of Citibank. "I
   think our problem is more challenging than the
   Government's."

   Citibank got an alarming brush with the problem two years
   ago, when a Russian computer hacker tapped into the bank's
   funds-transfer system, taking more than $10 million.
   Citibank will not discuss the case, but investigators say
   the bank recovered all but $400,000.

   In the business world, the reported hacker activity to date
   is mostly stealing credit card numbers, vandalizing
   software or harassing Internet service companies. "At the
   moment, we're dealing with penny ante stuff," said Peter
   Neumann, a computer scientist at SRI International, a
   research firm in Menlo Park, Calif. "But the risk of much
   greater damage is there."

   Mr. Frank of Darpa speaks of a "frightening vulnerability"
   of utilities systems, of the private data networks of the
   international financial system and of the digital switches
   at the core of modern phone systems.

   Major breakdowns caused by computer intruders have not yet
   occurred. But there is evidence that more sophisticated
   hackers are now at work. The Science Applications
   International Corporation, a military contractor and
   technology security firm, surveyed more than 40 major
   corporations, which confidentially reported that they lost
   an estimated $800 million because of computer break-ins
   last year, both in lost intellectual property and money.

   Private investigators and bankers say they are aware of
   four banks, three in Europe and one in New York, that have
   made recent payments of roughly $100,000 each to hacker
   extortionists. The bankers and investigators would not
   identify the banks, but the weapon used to blackmail the
   banks was a logic bomb -- a software program that, when
   detonated, could cripple a bank's internal computer system.
   In each case, the sources said, the banks paid the money,
   and then took new security measures.

   Frequently, experts say, the tighter security measures are
   nothing fancy. One problem is modems on employees'
   computers. They are open connections to the outside world,
   potentially giving hackers access to an internal network.

   "You can't eliminate risk of information attacks, but you
   can minimize it," said William J. Marlow, a senior vice
   president of Science Applications International. "Many of
   the steps are not all that high-tech or expensive."

   Since it was stung in the Russia episode, Citibank has
   taken a series of measures, from instructing employees to
   never assume a computer network is secure to aggressively
   pursuing hackers. "You mess with us and we're going after
   you," Mr. Crook said. "This is a big deal for us now."

   _________________________________________________________

   The Targets

   The potential targets range from financial markets to tanks.
   But experts debate whether these are imminent threats or
   worst-case nightmares.

   AIRPLANES. Destructive software could cause plane crashes
   by making on-board avionics malfunction. High-energy
   weapons, in theory, could also cause crashes by disabling
   computer systems.

   TANKS AND ARMS. Sophisticated computer controls are
   vulnerable to both destructive software and high-energy
   weapons. Everything from tanks to surveillance aircraft is
   potentially at risk.

   BANKS AND STOCK EXCHANGES. Sniffer programs can track funds
   transfers. Logic bombs could cripple the markets and
   destroy records of transactions. Computer hackers can crack
   into banking networks and steal money.

   ELECTRIC UTILITIES. Logic bombs or worms could knock out
   power grids, causing local or regional blackouts.

   TRAINS. Logic bombs in traffic-control networks could cause
   crashes by misrouting trains.

   _________________________________________________________

   The Weapons

   Mostly, the weapons of information warfare are the digital
   bits of software. The C.I.A. terms the electron "the
   ultimate guided weapon."

   LOGIC BOMB. A software program that "detonates" at a
   specific time, or when certain instructions are executed.
   It then typically destroys or rewrites data.

   HERF GUN. A high-energy radio frequency weapon. It shoots
   a high-power radio signal at an electronic target and
   disables it.

   SNIFFER. An eavesdropping program that can monitor
   communications or commercial transactions.

   COMPUTER WORM. A self-replicating program that uses disk
   space and memory and can eventually shut down computer
   systems.

   _________________________________________________________




