10 December 1998
Source: http://www.usia.gov/current/news/latest/98121001.plt.html?/products/washfile/newsitem.shtml


USIS Washington File
_________________________________

10 December 1998

CIA OFFICIAL ASSESSES INFORMATION WARFARE THREAT

(John Serabian says several nations have cyberwar programs) (1470)

Washington -- Information warfare, the technique of attacking critical
infrastructures by electronically interfering with industry and
government computers, has the potential "to deal a crippling blow" to
U.S. national security if strong measures are not taken to counter the
threat, says Central Intelligence Agency (CIA) official John Serabian.

"Potential attackers range from national intelligence and military
organizations, to terrorists, criminals, industrial competitors,
hackers, and disgruntled or disloyal insiders," Serabian, chief of the
CIA's Critical Technologies Group, said December 7.

The United States has identified "several countries, based on
all-source intelligence information, that have government-sponsored
information warfare (cyberwar) programs," he said. "Foreign nations
have begun to include information warfare in their military doctrine,
as well as their war college curricula, with respect to both defensive
and offensive applications."

In remarks to the "Defense Week" conference on defending the U.S.
critical infrastructure, Serabian discussed what the U.S. intelligence
community is doing to counter the information warfare threat. "Our
engagement in infrastructure protection extends not just to efforts
within the intelligence community," but to participation with other
stakeholders in "our nation's infrastructure systems, across
government agencies, in academia, and throughout the private sector,"
he said.

Following is the text of Serabian's remarks, as prepared for delivery:

(begin text)

Just like the proliferation of weapons of mass destruction and
international terrorism and drug trafficking, information warfare has
the potential to deal a crippling blow to our national security if we
do not take strong measures to counter it.

Today I hope to leave you with three key points. First, I want you to
take away an appreciation for the growing seriousness and significance
of the emerging threat to our information systems. Second, I want to
emphasize the need to evaluate the threat from initial identification
to characterization. From the perspective of both state and non-state
actors, proliferation of malicious capabilities exists at every level.
And finally, I want to provide you with an appreciation for what the
CIA (and the intelligence community) is doing to combat the problem.

On this last point, let me emphasize that our engagement in
infrastructure protection extends not just to efforts within the
intelligence community, but to participation with other stakeholders
in our nation's infrastructure systems, across government agencies, in
academia, and throughout the private sector.

The Challenge

Today, as a result of the dramatic growth of and dependency on new
information technologies, our infrastructures have become increasingly
automated and interlinked.

It is in this context that we must appreciate that future enemies --
whether nations, groups, or individuals -- may seek to harm us using
non-traditional (cyber) methods. Non-traditional attacks against our
information infrastructures could significantly harm both our military
power and our economy.

Who would consider attacking our nation's computer systems? Potential
attackers range from national intelligence and military organizations,
terrorists, criminals, industrial competitors, hackers, and
disgruntled or disloyal insiders. Each of these adversaries is
motivated by different objectives and constrained by different levels
of resources, technical expertise, access to a target, and risk
tolerance.

As Director of Central Intelligence George Tenet testified before the
Senate Select Committee on Intelligence in January and more recently
again in June before the Senate Governmental Affairs Committee, we
have identified several countries, based on all-source intelligence
information, that have government-sponsored information warfare
(cyberwar) programs. Foreign nations have begun to include information
warfare in their military doctrine, as well as their war college
curricula, with respect to both defensive and offensive applications.
It is clear that nations developing these programs recognize the value
of attacking a country's computer systems, both on the battlefield and
in the civilian arena.

The magnitude of the potential threat from various forms of intrusion,
tampering, and delivery of malicious code, is extraordinary. We know
with specificity of several nations that are working on developing an
information warfare capability. In light of the sophistication of many
other countries in programming and Internet usage, the threat has to
be viewed as a factor requiring considerable attention by every agency
of government.

Many of the countries whose information warfare efforts we follow,
realize that in a military confrontation against the United States,
they cannot prevail. These countries recognize that cyber attacks,
launched from within or outside the United States, against civilian
computer systems in the United States, represent the kind of
asymmetric option they will need to level the playing field during an
armed conflict against the United States.

Just as foreign governments and the military services have long
emphasized the need to disrupt the flow of information in combat
situations, they now stress the power of information warfare when
targeted against civilian information infrastructures.

The battlespace of the Information Age will extend to our domestic
infrastructure. Our electric power grids and our telecommunications
networks could be targets of the first order. An adversary capable of
implanting the right offensive tool, or accessing the right computer
system, can cause extensive damage.

Terrorists, while unlikely to mount an attack on the same scale as a
nation, can still do considerable harm. What's worse, the technology
of hacking has advanced to the point that many of the tools which
required in-depth knowledge a few years ago, have become automated and
more user-friendly.

Cyber attacks offer terrorists the possibility of greater flexibility.
Theoretically, they can launch a computer assault from almost anywhere
in the world, without directly exposing the attacker to physical harm.
Moreover, terrorists are not bound by traditional norms of political
behavior between states. While a foreign state may hesitate to launch
a cyber attack against the United States, due to fear of retaliation
or negative political consequences, terrorists often seek the
attention and the increase in fear that would be generated by such a
cyber attack.

Established terrorist groups are likely to view attacks against
information systems as a means of striking at government, commercial,
and industrial targets, believing there is little risk of being
caught.

Terrorists and extremists already are using the Internet and even
their own Web pages to communicate, raise funds, recruit, and gather
intelligence.

There are numerous initiatives and working groups in which the
intelligence community is involved to better handle the information
warfare threat. These range from our national intelligence estimate
devoted to this topic to establishing new units within the community
to focus on this problem full time. Further, we have made great
strides in our cooperative efforts with the Departments of Defense and
Justice to overcome cross-agency challenges that the Information Age
creates.

The Intelligence Community Response

Protecting our systems will require an unprecedented level of
cooperation across government agencies and with the private sector.
That cooperation already has begun. The report of the President's
Commission on Critical Infrastructure Protection was a defining moment
in identifying vulnerabilities in our information infrastructure, in
assessing the potential threat to our national security, and in
establishing the requirement as well as the momentum for a coordinated
effort on information operations. The intelligence community engaged
actively in the preparation of that report as well as in publishing
the National Intelligence Estimate (NIE) in 1997 on foreign threats
that served as the companion piece to the Commission's report. In
producing the NIE, the intelligence community had interaction with
representatives from law enforcement and Department of Defense
information security agencies to assess the threat to our computer
networks.

These two documents: the National Intelligence Estimate and the
Commission report -- have provided the impetus for significant
activity in both the public and private sector to combat the threat to
our computer systems. The attention directed to the threat to our
information security systems also resulted in the stand-up of
dedicated activities within CIA, DIA (Defense Intelligence Agency),
and NSA (National Security Agency). CIA established an analytic threat
assessment unit in its Office of Transnational Issues and the Defense
Intelligence Agency similarly created a threat assessment unit in its
Transnational Warfare Group.

As a community, we have also been active participants, together with
other information operations stakeholders, in the NSC (National
Security Council)-Chaired Interagency Working Group that produced the
Presidential Directive titled "Critical Infrastructure Protection" and
we are now active in the NSC Critical Infrastructure Coordinating
Group tasked to implement that directive. Each of these efforts has
had a cumulative effect in building the critical mass that will be
required to deal with the threat to our information infrastructure.
The Commission report, the NIE, and the (May) Presidential Decision
Directive will provide the public and private sector with a clear
blueprint as to the direction we are taking.

CIA (and other intelligence agencies) have also actively participated
in DoD (Department of Defense) War Games and continues to incorporate
the threats posed by information warfare into an increased number of
other exercises.

(end text)