EXECUTIVE SUMMARY
Title: Hackerwar and Its Influence on the Marine Expeditionary Force Commander
Author: LTCOL Lon M. Yeary, USMC
06 May 1996
Thesis: Hackerwar is a serious threat to the MEF Commander. Rapid changes in information technology require appropriate defensive actions to protect MEF operations.
Discussion: The Marine Expeditionary Force (MEF) Commander is increasingly dependent upon the availability of accurate, reliable data. The MEF Commander must be aware of the threat to his information systems, and place a greater emphasis on Information Systems Operations Security as a major part of his overall command and control warfare (C2W) design. In order to do so, it is imperative that he understand the very basic facts surrounding information warfare as it relates to C2W, and more specifically, the threat of hackerwar invasions. Just as imperative is the examination of current and future plans for Marine Corps policies on computer and information system security, evaluating the adequacy of Operations Security (OPSEC) in relation to hacker attacks.
Information is a real asset, just as critical as a tank, an airplane, or a marine. It must be protected in order to ensure Operational Security. In order to optimize information security, the MEF Commander must be aware of the threat hackerwar presents to C2W. He must ensure that an effective C2-protect plan is in place that incorporates a quality information security program.
Conclusion(s) or Recommendations(s): The Marine Corps is behind in ensuring its information systems are secure. Its current policies on information security are lacking in clarity, enforcement, and application to the latest threats in information warfare. The move toward adding new technology before developing safe operating procedures sets a dangerous precedent. While there are plans to incorporate Multilevel Information Systems Security Initiative (MISSI) as part of the DoD-wide move toward a Multilevel Security System, more needs to be done now to protect against the threat of hackerwar.
Computer information specialists are needed at the battalion
and squadron levels. The MEF Commander must ensure that the
Computer Systems Security Officer (CSSO) and Terminal Area
Security Officer (TASO) are fully trained; a secondary MOS
should be established designating the training personnel
receive. Regular inspections specific to computer security
need to be conducted to ensure compliance with required
security measures. Creating an Information Commander in
Chief (INFOCINC) would allow a central command to develop,
implement, and coordinate all information policies at the
national level in relation to our national security.
United States Marine Corps
Command and Staff College
Marine Corps University
2076 South Street
Marine Corps Combat Development Command
Quantico, Virginia 22134-5068
MASTER OF MILITARY
STUDIES
AY: 1995-96
TITLE:
HACKER WARFARE AND ITS INFLUENCE ON THE MEF COMMANDER
SUBMITTED IN PARTIAL FULFILLMENT
OF THE REQUIREMENTS FOR
THE DEGREE OF
MASTER OF MILITARY STUDIES
Author:
LTCOL L.M. YEARY, USMC
(Mentors) DR. BRADLEY MEYER, JR
LTCOL JOSEPH E. NOBLE, USMC
THIS IS AN OFFICIAL DOCUMENT OF THE MARINE CORPS COMMAND AND STAFF COLLEGE. QUOTATION FROM, ABSTRACTION FROM, OR REPRODUCTION OF ALL OR ANY PART OF THIS DOCUMENT IS PERMITTED PROVIDED PROPER ACKNOWLEDGMENT IS MADE, INCLUDING THE AUTHOR'S NAME, PAPER TITLE, AND THE STATEMENT: "WRITTEN IN FULFILLMENT OF A REQUIREMENT FOR THE MARINE CORPS COMMAND AND STAFF COLLEGE."
THE OPINIONS AND CONCLUSIONS EXPRESSED HEREIN ARE THOSE OF THE INDIVIDUAL STUDENT AUTHOR AND DO NOT NECESSARILY REPRESENT THE VIEWS OF EITHER THE MARINE CORPS COMMAND AND STAFF COLLEGE OR ANY OTHER GOVERNMENTAL AGENCY.
TABLE OF CONTENTS
INTRODUCTION
INFORMATION WARFARE
HACKER WARFARE
HACKER WARFARE AND THE MILITARY
THE THREAT OF OFFENSIVE HACKER WARFARE
COMPUTER VIRUSES
WORMS
TROJAN HORSES
BOMBS
TRAP DOORS
SNIFFING
SPOOFS
INSIDER ATTACKS
PROTECTING AGAINST THE THREAT OF HACKER WARFARE
PASSWORDS
ENCRYPTION
FIREWALLS
ANTI-VIRUS PRODUCTS
DATA BACKUPS AND DATA RECOVERY
PRE-ATTACK PLANNING
MARINE CORPS INFORMATION SECURITY POLICIES
THREATS TO INFORMATION SECURITY IN THE MARINE CORPS
MARINE CORPS INFORMATION SECURITY FOR THE FUTURE
RECOMMENDATIONS FOR THE MEF COMMANDER
CONCLUSION
BIBLIOGRAPHY
HACKER WARFARE AND ITS INFLUENCE ON THE MEF COMMANDER
INTRODUCTION
The Marine Expeditionary Force (MEF) Commander is
increasingly dependent upon the availability of accurate,
reliable data. The MEF Commander must be aware of the threat
to his information systems, and place a greater emphasis on
information systems Operations Security (OPSEC) as a major
part of his overall command and control warfare (C2W)
design. In order to do so, it is imperative that he
understand the very basic facts surrounding information
warfare as it relates to C2W, and more specifically, the
threat of hacker warfare invasions. Just as imperative is
the examination of current and future plans for Marine Corps
policies on computer and information system security,
evaluating the adequacy of OPSEC in relation to hacker
attacks.
In 1995, there were over 900 recorded incidents of virus
attacks on Marine Corps information systems.(1) The Defense
Information Systems Agency (DISA), responsible for security
policies for the Department of Defense (DoD), conducted mock
attacks on more than 8000 DoD computers over the last two
years. The DISA team successfully broke into more than 88
percent of the computers, and only five percent were aware
the break-ins occurred. Of those five percent aware of the
attack, only five percent reported the intrusion.(2) Over 122
countries currently have computer espionage programs.(3) The
threat that hacker warfare presents to the military is very
real. The threat is made even more dangerous by the fact
that we are ignorant of the potential invasions of our vital
information systems.
INFORMATION WARFARE
The information technology explosion is sweeping the
world, impacting not only our way of doing business, but our
way of life.(4) The military is no exception. In fact, the
American military "is the most information dependent force in
the world. It uses computers to design weapons, guide
missiles, pay soldiers, manage medical supplies, write memos,
control radio networks, train tank crews, mobilize reserves,
issue press releases, find spare parts and even suggest
tactics to combat commanders."(5)
The Marine Corps is no different. General Charles C.
Krulak, Commandant of the Marine Corps, states: "We live in
an information age--individual and collective knowledge is at
a premium, especially on the battlefield."(6) The MEF
Commander must be able to process vast amounts of data
continuously in order to be effective. During the Gulf War,
General Boomer's staff had to process and prioritize over 300
E-mail messages an hour. This dramatic increase in available
data requiring processing and the relative ease of
electronically passing information along to others will not
be unique on tomorrow's battlefields. The MEF Commander must
be able to instantaneously access critical information, and
communicate that information expeditiously and accurately,
for the MEF to be effective. Furthermore, the ability to
collect and process information more efficiently than the
opposition is a must for the Corps in this information age.(7)
"Success on future battlefields will be dependent upon
information technology; the prize will go to the side that
develops the clearest picture and then exploits it most
effectively."(8)
While there are still many who have little regard for
the new technology, warning of becoming too dependent upon
it, the reality is that technology can do much to enhance
the effectiveness of today's Marine. Future Marines will
carry a computer into the battlefield, with night vision
sensors, video panels and voice activation built into the
body armor. Thermal sightings on weapons will instantaneously
send battlefield intelligence to command centers in real
time.(9)
Alvin and Heidi Toffler's works Future Shock and The
Third Wave, along with their latest book War and Anti-War,
have become mandatory reading for military personnel wishing
to understand this major change in the way the military will
do business. The Tofflers maintain that the Agrarian Age
gave way to the second wave, or the industrial revolution, of
300 years ago. Today we are moving into the third wave of
change, the age of information and technological
revolution.(10) What exactly does this mean in terms of
warfare? "As we transition from brute-force to brain-force
economies, we also necessarily invent what can only be called
'brain-force war.'"(11) The Gulf War of 1990 has been called
the first battleground utilizing information warfare.(12)
Indeed, it was a coupling of warfare based on the second wave
methodology and introduced only a fraction of what the third
wave of this revolution in military affairs has in store.(13)
Precision guided munitions, stealth fighters, and over 3000
computers in the war zone, linked to computers in the US are
but a few of the information based technological advances
that will be commonplace on the battlefields of tomorrow.
Information warfare is actually much more complex than this.
Information warfare has been analyzed, defined, and
redefined many times as attempts are made to come to grips
with what exactly this concept means to our changing world.
It conjures up different meanings to different people. There
is the concern with personal information warfare, corporate
technological warfare, the "war" on the Internet, and
military information warfare. The DoD defines Information
Warfare as: "Actions taken to achieve information
superiority in support of national military strategy by
affecting adversary information and information systems while
leveraging and defending our information and systems."(14)
HACKER WARFARE
Hacker Warfare is defined by Dr. Martin C. Libicki of the National Defense University, Institute for National Strategic Studies, as software based attacks on information systems.(15) Hacker Warfare is more than simple attacks on computer networks. The scope of an attack can range from total destruction of a system to intermittent shutdown, random errors, theft of information, theft of services, information monitoring, false or deceptive message traffic, and information access for use in blackmail.(16) A hacker can be on site, or can attack from any location with a telephone, modem, and personal computer.(17) Incidents of hacker attacks clearly demonstrate the first taste of damage that can be inflicted through this medium. In 1994, a 16-year-old United Kingdom youth broke into a Rome Labs computer system, copied Secret communications, and posted them to a bulletin board on the Internet.(18) In August of 1995, a hacker in Russia stole $400,000 from Citibank. A teenager used his personal computer to break into US Air Force files on North Korean nuclear inspections. In 1994, Defense Department computer systems were successfully penetrated by outsiders 256 times, up from 132 the year before. Pentagon officials feel that hundreds of intrusions into their most critical systems go undetected.(19) The concern is great.
A large, structured attack with strategic intent against the US could be prepared and exercised under the guise of unstructured "hacker" activities. The US ... might not even know it is under attack. There is no nationally coordinated capability to counter or even detect a structured threat.(20)
It is clear that hacker warfare is a weapon that could effectively be used to advantage in the third wave arsenal of information war. The Marine Corps MEF Commander must be ready for this threat.
HACKER WARFARE AND THE MILITARY
The Chairman of the Joint Chiefs of Staff Memorandum of Policy No. 30 (MOP 30) concerning Command and Control Warfare was initially issued 17 July 1990 and subsequently revised 8 March 1993. While it does not specifically discuss hacker warfare, it is clear that the concept of attacks on information systems by hackers would fall within these guidelines. It states that "C2W is the military strategy that implements Information Warfare."(21) Within Command and Control Warfare (C2W), there are five principal military actions in support: Operations Security (OPSEC), military deception, psychological operations (PSYOPS), electronic warfare (EW), and physical destruction.(22) Hacker Warfare could be conceived as a method of implementing any of these actions.
C2W is composed of two major branches: command and control attack (C2-attack) and command and control protect (C2-protect).(23) Hacker Warfare can also be divided into offensive and defensive operations. The debate on the efficacy and morality of offensive hacker warfare is ongoing. Few feel that the best defense against hacker attack is a hacker attack, questioning the moral as well as legal implications of doing so. Currently, the US is the most information dependent nation in the world; much of its infrastructure and economy is dependent upon computers.(24) The US does not have the computer security experts to match this distinction. In fact, over 60 per cent of the doctorates granted in this country in computer science and security are awarded to citizens of foreign countries, two-thirds from Islamic countries and India.(25) Concerns abound that the US should not contemplate offensive hacker warfare until it can ensure the safety of its own systems. Developing a technique to disrupt another country's information system could backfire on the US if that disruption accidentally "contaminated" our own systems.(26)
Legal issues abound as well. The Rules of Engagement (ROE) for information systems, in peace and in war, are yet to be determined. Collection of intelligence and information is limited in peacetime by policy and law. The use of non-military computer systems and other information networks has not been determined, either. Many of the agents influencing the military information environment are outside military control. For example, policies and laws controlling access on the Internet to protect sensitive information do not yet exist. A commercial satellite may be capable of providing real-time information to an adversary. In a war situation, the military may be forced to use an International Agency to change critical access codes to deny the enemy vital information such as imagery of the geographic region. During peacetime, there may not be any recourse to force the cooperation of a commercially owned information system.(27)
The tremendous assets required to effectively engage in offensive hacker activities leave decisions regarding the utilization of offensive hacker warfare at the national strategic level.(28) The joint force conducts C2W efforts around a joint force C2W organization.(29) All assets of the Department of Defense may be needed to successfully employ the use of an effective hacker warfare invasion. It is conceivable that such an operation could render an adversary's command and control totally ineffective without a single loss of life.
THE THREAT OF OFFENSIVE HACKER WARFARE
Hacker warfare presents the MEF Commander with clear threats, both from malicious code and human threats. These threats have the potential to disrupt C2W. Effective Operations Security (OPSEC) must consider these threats as potential adversarial attacks on command and control or risk disruption of communication and information processing. OPSEC is defined as "a process of identifying critical information that could be observed by adversary intelligence systems, and selectively executing measures that would eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation."(30) Knowledge of how these threats are implemented and the damage they can cause is required to establish needed OPSEC measures to provide for C2-protect.
Malicious codes attack information systems either internally or externally. Viruses, worms, Trojan horses, and trap doors are some of the forms these codes take. Human threats are perpetrated by individuals or groups of individuals that attempt to penetrate systems through computer networks, and include sniffing, spoofing, and insider attacks. Each of these will be discussed in more detail.
COMPUTER VIRUSES:
Virus: a type of programmed threat. A code fragment (not an independent program) that reproduces by attaching to another program. It may damage data directly, or it may degrade system performance by taking over system resources which are then not available to authorized users.(31)
Just the word "virus" is enough to scare many familiar with computers. The damage inflicted by a virus is a nuisance at best, and could cause major economic or even life threatening damage. An example often used is a virus that shuts down the computers used by the Federal Aviation Administration, causing flight delays or even flight accidents. Computer viruses can be utilized in PSYOPS to degrade or demoralize the adversary. They also can be used to deny critical information to command and control, physically destroying needed information.
Over 1800 distinct viruses have been identified to date.(32) A virus may be spread via a network, the use of infected software on diskettes, or by bulletin boards linked by telephone.(33) Recently, new commercial floppy disks used by government agencies were found to be infected with a virus when delivered from the factory.(34) Viruses may be designed to trigger a wide number of actions. They can destroy files and hinder or stop computer operations, they can create data errors, they can trigger an action on a specific date, or after being copied a specified number of times. Hidden well inside the host programs, they are difficult to detect, and may make data recovery difficult without re-infecting with the same virus already copied on a back up disk.(35)
Historically, viruses have attacked personal computers rather than other systems such as workstations, mini-computers and mainframes. The hardware and systems software design of personal computers makes them more vulnerable to attack for several reasons. First, since they originally were intended for one user, limitations on user access and user privileges were not incorporated into Personal Computer (PC) accessing schemes. Secondly, most Personal Computers do not differentiate between users; all users have access to all resources. PC operating systems are stored on the same hard drive as the program files, providing few limitations on access. Finally, PCs are usually shared in offices, and very little monitoring of use is recorded, making security difficult. Sharing diskettes from one computer to another makes spreading viruses much easier. Creating a virus requires only moderate programming skills. These inherent system weaknesses combined with the ease of developing a virus make PC virus prevention, detection and eradication difficult.(36)
WORMS:
Worm: A type of programmed threat. An independent program that reproduces by copying itself from one system to another, usually over a network. Like a virus, a worm may damage data directly, or it may degrade system performance by tying up system resources and even shutting down a network.(37)
Worms and viruses are often confused. Both typically protect themselves by hiding in their host programs, operating in delayed fashion, and sometimes by destroying evidence of what they have done.(38) The primary difference between worms and viruses is that worms are self replicating and self propagating. They do not require human action to propagate. Virus propagation usually occurs through sharing diskettes, forwarding mail messages, or downloading software.(39) Usually a worm will not modify a program, nor will it destroy data. The danger comes from tying up resources, and eventually, shutting down the network.(40)
Probably the most infamous worm to date was the "Internet Worm," responsible for shutting down thousands of computer networks in November 1988 that were connected to the Internet. Within hours after it first appeared on the Internet, 6000 plus computers were infected. It took only 2 days to eradicate the worm at most sites. The primary effect of the attack was lost computer processing time and staff time. The worm attacked computers from the University of California, Berkeley, to NASA's Ames Research Center, to MIT in Massachusetts, Stanford, Princeton and the Los Alamos National Laboratory in New Mexico. When it struck the Army's Ballistic Research Laboratory in Maryland, system managers feared a foreign invasion. They immediately shut down their computers, fearing adversary theft of Army data.(41) What this worm did in damage cannot be determined. However, what can be determined is this incident highlighted the vulnerability networks have to computer invasions.
Like a virus, the threat of a worm attack on a computer system can affect the adversary psychologically, as well as denying command and control critical information. Written differently, it could destroy vital data needed for operational decisions.
TROJAN HORSES:
A Trojan Horse is a code fragment that hides inside a program and performs a disguised function. It's a popular mechanism for disguising a virus or worm.(42)
An unsuspecting person downloads a new game found on the Internet to play around on during breaks at work. The game actually is fun, and frequently is brought on screen to play during non-working hours. However, the unsuspecting user has been tricked into installing a Trojan horse. The real purpose of the program is to penetrate the defenses of the system by usurping the legitimate user's privileges, accessing information that is not authorized for outsiders. Information access can be obtained this way, or a virus or worm can be introduced to the network to deny or destroy data. Some Trojan horses are written to leave no trace of their existence, and may leave no detectable damage.(43) This makes detection or eradication nearly impossible. Loss of sensitive information could create major security problems. In addition to PSYOPS and physical destruction of vital information, this could lead to deceptive C2W with information viewing occurring without knowledge.
BOMBS:
A bomb is a type of Trojan horse, used to release a virus, a worm, or some other system attack. It's either an independent program or a piece of code that's been planted by a system developer or a programmer. A bomb works by triggering some kind of unauthorized action when a particular date, time or condition occurs.(44)
Time bombs are triggered on a set date, such as Friday the 13th. Logic bombs are triggered by events. It is possible to envision software being exported out of the country only with a pro-US logic bomb embedded in its program. As soon as the program receives the input "war against the USA" it could be programmed to mail the information to the CIA, or destroy all data, or some other malicious act.(45) While not covered by current Rules of Engagement, and legally/ethically questionable for use by the military, the technology exists for this type of weapon to be used. Currently some software engineers create their programs to explode at key moments after installation, for instance if the customer tries to make an illicit copy of the program.(46)
This weapon is clearly one that could be utilized under the deception element of C2W. It could be designed to perform a number of functions, allowing information access or information destruction. PSYOPS and physical destruction operations could easily occur directly as a result of the employment of this technique. For example, the anniversary date or significant holiday in an adversary country could be selected to trigger multiple viruses and worms, not only causing destruction of vital data, but the psychological impact of disrupting a festive period within that country.
TRAP DOORS:
A trap door, or a back door, is a mechanism that's built into a system by its designer. The function of a trap door is to give the designer a way to sneak back into the system, circumventing normal system protection. Unlike a logic bomb, which usually explodes in someone else's system, a trap door gives the original designer a secret route into the software.(47)
Intelligence officers would relish the thought of having access to unlimited information that was on networked systems of all our adversaries. However, if the same were true of US information systems, detection and protection of information would be a nightmare. C2W could utilize this weapon as a means of deception or PSYOPS. However, it is unlikely that the US military could convince all software designers to install trap doors in all exported software. Legally and ethically, it would undoubtedly be questioned.
It is possible, as with Trojan horses, that an unsuspecting person could unwittingly install a program disguised as a game or as the latest computer technology with a trap door onto a networked system. A recent example of this is the SATAN program, or the Security Administrator Tool for Analyzing Networks found on the Internet for unsuspecting security managers. Ostensibly made to look like a program to aid in computer security, the SATAN software actually allowed penetration into secure networks, making critical information vulnerable.(48) The program identified known and well-documented security vulnerabilities. It allows for unsophisticated users to invade many networks with ease. Unbeknownst to the user, it also leaves the workstation running it vulnerable to invasion. In fact, those workstations equipped with microphones also allowed eavesdropping to occur through the network.
While it has been suggested that commercial, off the shelf (COTS) software would be more economical for the Marine Corps to purchase, there is an inherent danger with this due to trap doors and other malicious codes. The use of COTS software must be limited to programs that can be thoroughly checked for malicious code.
SNIFFING:
Also known as snooping, sniffing means an attacker is capable of covertly observing message traffic on a public network without disturbing any of the information.(49) There are many software applications that make sniffing easy. They are created to debug application and network problems, but can be used just as easily for illegal purposes. Sniffers frequently are searching for passwords. It has been estimated that on a local area network, hundreds of passwords can be collected on a typical day. This is especially true when the sniffer leaves the system in a "promiscuous mode." This allows it to receive every message sent on the network.(50)
SPOOFS:
A trick that causes an authorized user to perform an action that violates system security or that gives away information to an intruder.(51) Another variety of a spoof is a spoofer, or a user that pretends to be another user. This also has been called a masquerade and social engineering.
INSIDER ATTACKS:
This type of an attack is extremely difficult to defend against. The attacker is a person with legitimate access to a system. The insider can affect all components of computer security. Not only can they browse confidential information on the system, they are in a position to plant Trojan horses or other forms of malicious code.
Other variants of malicious code exist, including bacteria, crabs, creepers, and salamis. Each can be described as being similar to the above attacks, with simple modifications. For example, in a salami, rather than delete all data, the attack is removing tiny pieces of data such as moving a decimal point in a customer's bank account. No one is likely to notice these small changes, yet the damage to data validity can be tremendous.(52)
PROTECTING AGAINST THE THREAT OF HACKER WARFARE
The threat to information security is growing exponentially with the increased reliance upon computer based information systems and computer operated weapons. The responsibility for information security rests with every Marine and Sailor. The MEF Commander must take appropriate precautions to ensure that our adversaries do not have access to critical information. Protection must be balanced in order to provide information access to those personnel with the need for the information. The simplest piece of data may seem insignificant, yet may provide a hacker warrior vital information required to forge ahead with a successful invasion of our information systems.
Information security must ensure three basic requirements in a system: confidentiality, integrity, and availability.(53) Confidentiality, or secrecy, controls who gets to read information. Integrity assures information and programs remain as intended, and that the information generated remains accurate. Availability assures authorized users of having continued access to information and resources. Also vital to computer security is authenticity, or assuring the information is unchanged from the origin and comes from a known source.(54)
The following are defensive measures that will assist in avoiding a hacker invasion. They are part of C2-Protect measures vital to C2W, and can be classified as defensive hacker warfare. Their use will help to ensure confidentiality, integrity, availability, and authenticity. However, just as important as the incorporation of these tools is dealing with neglectful and permissive attitudes toward computer security. Far too many consider the computer workstation to be merely a tool for their use; if it is up and running, there is complete satisfaction. "The greatest vulnerability to the MEF Commander in the area of hacker warfare is probably lack of education. Most Marines are unaware of just how serious the threat is."(55) This poor user attitude can be very dangerous, and results in poor usage controls, poor selection of passwords, and highly vulnerable workstations. By combining personnel education with protective measures, a secure environment can be created for information systems, and the threat of hacker invasions minimized.
PASSWORDS:
The most common way to penetrate a system is through the failure of a password system.(56) Passwords are an initial security measure on numerous Marine Corps systems. Passwords are a means to prevent access to vital information. Password protection must be implemented and enforced correctly; otherwise, the protection is easily penetrated. Password systems currently in use on the Banyan Vines network utilized throughout the Marine Corps is an unsophisticated system. Allowable passwords are commonly found in a standard dictionary. Simple programs are freely distributed on the Internet which are designed to break passwords. Programs are designed to scan 5,000,000 dictionary entries and try them as passwords in a matter of a few hours.(57) The naive user might think that Banyan stops attempts after three unsuccessful logins. These programs are sophisticated enough to stop attempting after two failures and re-attempt login. The only requirement a hacker needs is an accurate user name. Such a program was used in the infamous Internet Worm; every word in the dictionary was used after variations of known employees names.(58) The ready availability of unit social rosters make it unsafe to use names or part of names on sensitive systems. Most users select passwords that are weak, easy to guess.(59)
There are several things a security manager can do to ensure password security. First, users need to be educated on good password selection and encouraged to make better choices. Secondly, it is strongly suggested that passwords be generated using a password generator program for use on sensitive systems, then assigned to the user, preventing the problems that arise from poor password selections. Thirdly, security manager should check passwords after the fact, forcing users to change those that could easily be broken. Passwords also could be screened prior to use for the elimination of weak choices. Banyan Vines has some automatic capabilities to ensure the quality of password; however, security managers must be aware of this capability and utilize it.
Passwords should be changed on a regular basis. The more sensitive the information on a system, the more frequently the password should be changed. Passwords should be a combination of alphabetic and numeric characters. Never use an all-numeric or all-alphabetic password. Pick long passwords. Most systems insist your password be six to eight characters. Some systems support passwords of 40 or more characters. Pick different passwords for each system you have access to. Be careful about including special characters. Some characters have special meanings to terminal emulation software (such as @ or #). Obviously, passwords should not be posted or left where others could readily have access to them.(60) Passwords should never be sent over a network to another user. The ease with which a sniffer can obtain passwords in this manner is clearly documented, as noted in the CERT Advisory CA-94:01 (1994).(61)
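The screening and generation steps described above can be sketched as follows. This is an added example, not code from the original paper or from Banyan Vines; the word list, roster, minimum length of eight and function names are assumptions made for illustration.

```python
import secrets
import string

# Constructed sample data (not from the original paper): a tiny word list
# standing in for a standard dictionary, and a unit social roster.
SAMPLE_DICTIONARY = {"password", "marine", "dragon", "eagle", "semper", "tank"}
SAMPLE_ROSTER = ["John Smith", "Maria Lopez"]

MIN_LENGTH = 8                 # assumption: top of the six-to-eight range
TERMINAL_SPECIALS = set("@#")  # characters the text warns about


def screen_password(candidate, dictionary, roster, min_length=MIN_LENGTH):
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    lowered = candidate.lower()

    if len(candidate) < min_length:
        reasons.append("too short")

    # Never all-numeric or all-alphabetic: require both kinds of character.
    has_alpha = any(ch.isalpha() for ch in candidate)
    has_digit = any(ch.isdigit() for ch in candidate)
    if not (has_alpha and has_digit):
        reasons.append("must mix letters and digits")

    if TERMINAL_SPECIALS & set(candidate):
        reasons.append("contains @ or #")

    # Strip digits and punctuation so "marine1996" is still seen as "marine".
    core = "".join(ch for ch in lowered if ch.isalpha())
    if core and (core in dictionary or core[::-1] in dictionary):
        reasons.append("based on a dictionary word")

    # Any part of a roster name (three letters or more) inside the password.
    name_parts = {part.lower() for name in roster
                  for part in name.split() if len(part) >= 3}
    if any(part in lowered for part in name_parts):
        reasons.append("contains a roster name")

    return reasons


def generate_password(dictionary, roster, length=12):
    """Generate a random letters-and-digits password that passes the screen."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not screen_password(candidate, dictionary, roster):
            return candidate


if __name__ == "__main__":
    samples = ["marine1996", "12345678", "smith4072x", "pass@word9", "k7vq2mzt9w"]
    for pw in samples:
        verdict = screen_password(pw, SAMPLE_DICTIONARY, SAMPLE_ROSTER)
        print(pw, "->", verdict or "accepted")
    print("generated:", generate_password(SAMPLE_DICTIONARY, SAMPLE_ROSTER))
```

The same screen serves both uses the text names: run before a password is accepted, or run after the fact over candidate passwords a manager wants to rule out.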
The "Department of Defense Password Management Guideline" has been in existence since 1985.(62) The Marine Corps officially recognizes this document as providing the needed guidelines for the creation and use of passwords. Unfortunately, the recommendations in this guideline calling for computer generated passwords have not been adopted Marine Corps wide due to the cumbersome nature of enforcing their usage. For classified material, it is imperative that a system such as this be utilized. The Marine Corps does utilize computer generated passwords for classified systems.
A strong password policy can enhance user availability while ensuring unauthorized users are denied access to information and resources. Confidentiality is also enhanced; however, only if all guidelines are strictly adhered to at all times. Since this is usually not the case, password policies need to be reinforced through combined use with other defensive security measures.
ENCRYPTION:
The Department of the Navy, Naval Information Systems Management Center, defines encryption as "using cryptographic means to render information unintelligible in a manner that allows the information to be decrypted into its original form."(63) It also is called transforming plain text, or text that is in its original form, to ciphertext, or encrypted code. Encryption dates back to the earliest days of warfare, and is nothing new to military operations. Utilizing computerized algorithms to encrypt information is relatively new. Currently, mathematical algorithms are available which are so good that they are considered unbreakable.
Encryption is a method that provides computer security in the categories of confidentiality, integrity, as well as authenticity. Confidentiality is enhanced through the inability of a hacker to read any information that is obtained illicitly. Even if someone is able to steal a computer, or gain access to a file, encrypted messages will remain very difficult to decipher without the key. Integrity is maintained through the use of encryption as it makes forgery or tampering difficult. Any change to the code would almost certainly be detected unless the perpetrator had access to the deciphering key. Authenticity is also protected since encryption methods available today can provide techniques that allow the reader to confirm absolutely who sent the information, such as in the use of a digital signature.(64)
A digital signature, or electronic signature, aids the recipient of a message in verifying the origin of the message and identifying the sender. It can be likened to a legal signature on a document, as it is distinct for each specific transaction, yet is even more difficult to forge.(65) An encryption process is used to create the digital signature.
Many of the systems currently used by the Marine Corps do not encrypt any of the data. E-mail sent over the Banyan is open to interception by sniffers due to the use of commercial lines, making the information vulnerable.
FIREWALLS:
A firewall system protects an organizational network from systems within the larger network. Firewalls can be simple or intelligent. A simple firewall disallows all connections with the networks outside the organization, splitting the network into two separate systems. In order to transfer information from the organization to the outside world, an account on the firewall is required.(66) An intelligent firewall serves more as a filter between the hosts on the organizational network and the world outside. The system works together to filter or screen transmissions of certain classes of traffic. A gateway is attached to two or more systems, devices, or networks that otherwise do not communicate with each other. Communications are routed through the gateway, with its system acting as a guardian or firewall between trusted and untrusted systems and networks.(67)
Firewall system costs range from free simple software to complex intelligent systems that mix hardware and software together, costing as high as $30,000. It is imperative that the system be installed correctly, and that the design of the system meets the desired security requirements of the host. Failure to do so may actually result in creating a greater security hole for hacker warriors to breach.
The Marine Corps recognizes the importance of using Firewalls to protect critical information. Currently, plans are underway to install firewalls on some of the Marine Corps Networks, including Marine Corps Base Quantico and Camp Pendleton. There is no policy providing guidance on this installation as of yet.
ANTI-VIRUS PRODUCTS:
In 1995, there were over 900 recorded incidents of virus attacks on Marine Corps information systems.(68) There are three classes of anti-viral products currently on the market: detection tools, identification tools, and removal tools. Scanners combine both detection and identification tools. Vulnerability monitors and modification detection programs help with detection. Disinfectors are removal tools.(69)
The most popular anti-virus tools are scanners and disinfectors. These products rely on prior knowledge of existing viruses. Scanners search for "signature strings" or use other methods to identify known viruses. Disinfectors also rely on previous knowledge of known viruses to determine the type of modifications required to restore file contents. This works well most of the time; however, it requires purchasing updates of the anti-viral programs to try to keep up with the development of new virus attacks that are written to get around these security tools. If the virus presented is unknown to the anti-viral software, the virus can still infect the computer system.(70)
Vulnerability monitors prevent modification of or access to particularly sensitive parts of the system. This method requires the user to be knowledgeable about what is desired, as many of the decisions to allow modifications are made by the user. This system would not be good for the occasional user, or the computer "illiterate." Modification detection is a good general method for viral detection. It is based not on prior knowledge of existing viruses, but on utilizing the checksum base of the personal computer. It creates a baseline, where checksums for clean executables are computed and saved, then these are compared with every additional checksum. Such checksums can easily be defeated by a knowledgeable hacker warrior. However, by using cryptographic checksums, a higher level of security is provided.(71)
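Modification detection against a saved baseline, with a simple checksum compared to a cryptographic one, can be illustrated as follows. This is an added example, not code from the original paper or from any anti-virus product; the 16-bit additive checksum, SHA-256, the file names and the file contents are assumptions chosen for the demonstration.

```python
import hashlib
import os
import tempfile


def additive_checksum(data):
    """16-bit sum of all bytes: a simple, non-cryptographic checksum."""
    return sum(data) & 0xFFFF


def fingerprint(path):
    """Compute both checksums for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"sum16": additive_checksum(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(paths):
    """Record checksums for executables known to be clean."""
    return {path: fingerprint(path) for path in paths}


def check_against_baseline(baseline, paths):
    """Compare current files with the baseline and report what each check sees."""
    report = {}
    for path in paths:
        if path not in baseline:
            report[path] = {"status": "not in baseline"}
        elif not os.path.exists(path):
            report[path] = {"status": "missing"}
        else:
            now = fingerprint(path)
            report[path] = {
                "status": "checked",
                "sum16_changed": now["sum16"] != baseline[path]["sum16"],
                "sha256_changed": now["sha256"] != baseline[path]["sha256"],
            }
    return report


def run_demo():
    """Baseline two files, alter one, add a third, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean.bin")
        altered = os.path.join(tmp, "altered.bin")
        added = os.path.join(tmp, "added.bin")

        content = b"MZ" + bytes(range(64))  # constructed stand-in for a program
        for path in (clean, altered):
            with open(path, "wb") as fh:
                fh.write(content)
        baseline = build_baseline([clean, altered])

        # A modification that reorders two bytes leaves the byte sum unchanged,
        # so the simple checksum cannot see it; the SHA-256 digest does change.
        changed = bytearray(content)
        changed[10], changed[20] = changed[20], changed[10]
        with open(altered, "wb") as fh:
            fh.write(changed)
        with open(added, "wb") as fh:
            fh.write(b"new program")

        report = check_against_baseline(baseline, [clean, altered, added])
        return {os.path.basename(p): entry for p, entry in report.items()}


if __name__ == "__main__":
    for name, entry in run_demo().items():
        print(name, entry)
```

The baseline itself must be stored where the monitored system cannot rewrite it, for example on write-protected removable media; otherwise the comparison proves nothing.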
The Marine Corps has provided guidelines to minimize the threat of viruses to information systems. Computer viruses are recognized as a significant threat to the operational readiness of not only computer systems, but to the Local Area Networks as well. Specifically, White Letter No. 4-90 states only US Government acquired software from factory or officially sealed containers obtained through proper Marine Corps distribution channels should be utilized on Marine Corps systems. Privately owned commercial software and game software are prohibited. Only software downloaded from bulletin boards sanctioned by the US Government should be used. Such software should be tested for the presence of a virus prior to installation, and should only be downloaded to a floppy disk, not to a permanent hard drive, until verified free from malicious codes. All Marine Corps computers are required to run anti-viral software. Public domain or freeware/shareware is not authorized unless it comes from a US Government sanctioned bulletin board. Original copies of new software packages should be kept in a safe location in case restoration of the data is required. This directive clearly states that emphasis should be placed on computer security education and awareness.(72)
The Marine Corps has currently contracted with Normand Data Systems for an unlimited site license to utilize their anti-virus software.(73) Normand's software provides all three classes of anti-virus products. Normand's products are considered some of the best on the market. Despite its mandated use, the 900 reported incidents indicate how severe viruses are. These 900 reported incidents took anywhere from fifteen minutes to twelve days to correct. The most common viruses were not new, just a reoccurrence of previously known ones.
DATA BACKUPS AND DATA RECOVERY:
No system is absolutely hackerproof. It is imperative that steps be taken prior to an incident occurring to ensure an attack on a computer information system is one that the organization can recover from. In order to do this effectively, regular backups must be made of all data stored on the system. This protects not only from hacker invasions, but from human error and natural disaster. Any incident that destroys data on a computer system has the potential to bring critical information processing exchange to a halt.
There are a number of guidelines which the MEF Commander must adhere to in order to have a viable backup plan. First, the frequency of data backup must be decided upon based on the level of new data input and the importance of that data. This should be decided upon by key personnel when a secure system is initially set up. Second, the data should be stored on at least two separate tapes (or disks, dependent upon the method of backup utilized). This is to ensure the information is safely stored and recoverable prior to overwriting the existing information on the tape. Without a minimum of two sets, it is possible to copy a virus or other defective material onto the backup tape, unwittingly destroying the only accurate set of data you may have. Longer cycles of reusing backup tapes should be used if the material is more sensitive. It may take weeks or months to notice a problem in a system. Backups are useless if they cannot be read back into the system. Automatic backup systems that back up your system every night are a good investment, and a must for sensitive data.(74) Many of the larger Marine Corps headquarters are utilizing automatic backup procedures. At the squadron or battalion level backups are rarely if ever done. This is a result of several things. Larger headquarters have the equipment and knowledge while small units do not.
If information is sensitive, backups should be encrypted for further security. A second set of backup tapes or disks should be stored in another location, preferably in a locked, fireproof site. Prior to discarding any tapes or disks, they should be thoroughly sanitized, i.e., all information on them should be erased. Re-initializing the disk only serves to change the header, and does not erase the existing information stored.(75) Hackers have been known to rummage through trash looking for clues to enable them to successfully invade a system. Any information left on a disk and found by a hacker could potentially be the key to the loss of critical data.
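The reasoning about two sets and longer reuse cycles can be made concrete with a small simulation of nightly backups written to a rotating set of tapes. This is an added example, not part of the original paper; the round-robin rotation, the day numbering and the function names are assumptions.

```python
def tapes_on_hand(num_tapes, today):
    """Simulate nightly backups reused round-robin across num_tapes tapes.

    Returns {tape_index: night_of_backup} as things stand on the morning of
    `today`, after the backups of nights 1 .. today - 1 have been written.
    """
    tapes = {}
    for night in range(1, today):
        tapes[night % num_tapes] = night  # the oldest tape is overwritten
    return tapes


def latest_usable_backup(num_tapes, corruption_day, detection_day,
                         unreadable_nights=()):
    """Return the most recent night whose backup can still restore clean data.

    Data is damaged during `corruption_day` (before that night's backup) and
    the damage is noticed on the morning of `detection_day`. Every backup
    taken from corruption_day onward faithfully copies the damage. Backups
    listed in `unreadable_nights` failed a read-back test and do not count.
    Returns None when no clean, readable backup remains.
    """
    held = tapes_on_hand(num_tapes, detection_day).values()
    usable = [night for night in held
              if night < corruption_day and night not in unreadable_nights]
    return max(usable) if usable else None


def smallest_safe_rotation(corruption_day, detection_day, max_tapes=400):
    """Smallest number of tapes that still holds a clean backup at detection."""
    for num_tapes in range(1, max_tapes + 1):
        if latest_usable_backup(num_tapes, corruption_day, detection_day) is not None:
            return num_tapes
    return None


if __name__ == "__main__":
    # Damage on day 10, noticed the next morning.
    print("1 tape :", latest_usable_backup(1, 10, 11))
    print("2 tapes:", latest_usable_backup(2, 10, 11))
    # Damage on day 10, not noticed until day 40.
    print("2 tapes, 30-day lag :", latest_usable_backup(2, 10, 40))
    print("31 tapes, 30-day lag:", latest_usable_backup(31, 10, 40))
    print("tapes needed for a 30-day lag:", smallest_safe_rotation(10, 40))
    # A clean backup that cannot be read back is no backup at all.
    print("3 tapes, night 9 unreadable:",
          latest_usable_backup(3, 10, 11, unreadable_nights={9}))
```

With one tape the only copy is overwritten by the damaged data the same night; the rotation has to be longer than the time a problem can go unnoticed.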
PRE-ATTACK PLANNING:
Every system must have a plan to deal with a breach of security before an incident occurs. Just as with backups, the time to decide what needs to be done is before there is a problem. Priorities must be set. It is suggested that the goals following a destructive incident should be as follows:
1. Maintain and restore data.
2. Maintain and restore service.
3. Determine how the security breach occurred.
4. Determine how to prevent future security breaches.
Additionally, personnel need to know when it is necessary to secure the system or disconnect from the other systems to prevent further damage, who to call regarding the incident, and what to do in case of a threat or tip regarding a possible intruder attack. Discovering who perpetrated the intrusion, and subsequently punishing the intruder, are goals that may be elusive, as the very nature of hacker war makes it difficult to determine where the attack is coming from. It is important to be aware of attacks or attempted intrusions.
IRM-5239-09 Contingency Planning delineates policies to prepare for any loss of computer resources or capability. Personnel responsible for computer systems, large or small, are required to develop a contingency plan that includes emergency response to floods, fires, civil disorder, natural disasters, bomb threats, etc.; back up operations to ensure data processing operational tasks can be conducted after the disruption; and recovery procedures to rapidly restore the data processing facility.(76) It does not specifically address unauthorized system intrusions or system failures caused by viruses, worms, or other malicious codes.
MARINE CORPS INFORMATION SECURITY POLICIES
The Federal Computer Security Act of 1987 (P.L. 100-235) requires Marine Corps information systems which contain sensitive unclassified information to have a prepared System Security Plan (SSP). All unclassified information processed on a Marine Corps Information System falls under the category of sensitive unclassified information. This category includes information that is either Privacy Data or National Interest Data. Marine Corps Information Systems are broken down into two categories: Major Application, Automated Information Systems (AIS) and General Support Systems (GSS).
A Major Application (AIS) is a combination of information, computer, telecommunications resources and other information technology, and personnel resources which collects, records, processes, stores, communicates, retrieves and displays information. The responsible organization for a Major Application (AIS) is the staff agency whose mission includes the management of a specific functional area such as personnel, intelligence, operations, logistics, aviation, or fiscal. The Major Application (AIS) must have a designated Functional Manager responsible for system security plans.(77) A Major Application is made up at minimum of a mainframe and supportive hardware and software.
A General Support System (GSS) provides general small computers or network support for a variety of users. They are utility oriented, tools used in the maintenance and support of day to day activities. A GSS can include word processing systems, commercial software packages, and locally generated applications that assist the user in daily tasks that run on small computers. The Commanding Officer or designated representative assigns a Computer System Security Officer (CSSO) or a Terminal Area Security Officer (TASO) responsible for designating and implementing a system security plan.(78) A GSS generally is made up of several small computers, either stand alone personal computers, or computers located in one general area that may be connected to a local area network (LAN).
While a Major Application (AIS) Functional Manager will be a data processor or computer specialist, this is not required for a GSS. It also is not required that a GSS assigned CSSO or TASO be in a security billet. An SSP will specify the system utilized, the classification of information processed, risk management issues, management controls, acquisitions/development/installation controls, operational controls, security awareness and training measures, technical controls, and controls over the security of applications. The requirements for completing the SSP would be extremely beneficial in information security; however, the complexity of the requirement for reporting the system security plan seems unrealistic for personnel with little or no training in the area of computer security. For example, the TASO would be required to designate threats that could affect the confidentiality, integrity, and availability of the system, important system vulnerabilities to the threats, protection requirements to control the risks, and appropriate security measures. If the responsible party only uses the computer for word processing, this knowledge may be well beyond the scope of information available for that individual.
In the Marine Corps publication on Small Computer Systems Security, written to aid the responsible party for GSS computers, the guidelines are equally difficult for someone not schooled in computers to comprehend.(79) For example, it clearly states that the TASO is responsible for assigning user Identification numbers (ACID) and passwords. No guidance is given on what is an appropriate password, how frequently it should be changed, or instructing users on password protection. Additionally, it states back-ups should be done on a regular basis, but gives no specific guidelines on how this should be accomplished, or what the minimum frequency should be.
Clear instructions are provided regarding the use of dust covers, not eating or drinking near computers, using equipment in the specified temperature and humidity range designated by the manufacturer of the equipment, and keeping the equipment clean. While these measures will protect against the wear and tear on a computer system, they do not protect against information hackers. Guidelines are also offered on ensuring the equipment is safe from theft. This is necessary for information security; however, the emphasis is on the loss of dollars needed to replace the hardware rather than the loss of critical information.
The guidelines for ensuring against the loss of information vital to the Marine Corps include:
a. Position terminal screens and printers to minimize unauthorized viewing.
b. Properly secure the original source material and computer generated output.
c. Properly secure the magnetic media (diskettes, tapes, removable hard disks.).
d. Encrypt the data.
e. Use password protection for sensitive files.
f. Ensure removable disks and diskettes are properly marked.
g. Use adequate audit trails to track data from the original source documents through its input into the system and its final output or disposition. Audit trails should include information on who was accessing/using the information at any given point during its existence.
h. Avoid storing sensitive data on non-removable media such as a small system's hard disk, unless the system is located in a controlled space.(80)
Guidelines also suggest stressing to employees the importance of personnel integrity and ethics, reminding them of software piracy laws. It states annual security training should be held. Again, the ability of a non-trained individual to accomplish all of these items, when they may not understand the reasoning behind the policy, must be questioned.
Since most GSS computers are connected to the LAN, information vulnerability is a reality that MEF Commanders cannot ignore. GSS computers present perhaps the greatest security threat as they are not managed by knowledgeable computer security personnel. Once a computer hacker has gained access to the LAN, access to tremendous amounts of sensitive information is possible. It does not matter what medium a hacker uses to gain entry, through the main door of the major application (AIS) or through the backdoor of a GSS; the damage to OPSEC will be the same.
THREATS TO INFORMATION SECURITY IN THE MARINE CORPS
Perhaps the greatest threat to Marine Corps Information Systems is the incorporation of new technology prior to the development of appropriate security measures. Technology is changing so rapidly that it has become difficult to keep security measures in pace with these changes. This clearly creates a threat to Operational Security, as it leaves critical information vulnerable.
Recently, the Marine Corps has taken great pride in "going on line." The movement into the Internet, with the creation of Home Pages and easier access, opens up information security vulnerabilities as never before. Being on the Internet allows any Marine with a computer and a modem access to all Marine publications, future Professional Military Education Courses, financial/pay data, and current events of the day at Marine facilities across the world. The public has access to Marine recruiting information and other public and community relations information. Marines can send messages to other Marines and DOD personnel around the world. However, hackers also have a greater ability to penetrate the system and gain access to critical and sensitive information.
Rather than choosing to wait to be connected to the Internet until adequate security measures could be incorporated, several facilities have started their own home pages and public access information pages on the Internet without any guidelines on their usage. There is currently no published guideline on the use of the Internet for the Marine Corps. At least two facilities are in the process of writing Internet User Policies: MCB Camp Pendleton(81) and Headquarters Marine Corps.(82) These are still in draft form.
A user on the Internet can gain access to almost any information (through sniffing and password cracking, for example). Safeguard measures such as the use of firewalls and encryption that aid in the protection for these types of intrusions have not yet been completed on any Marine Corps Information System. MCB Quantico and MCB Camp Pendleton are currently trying to establish a firewall system to protect critical information, but have not been able to complete the task as of yet. At each of these two facilities, personnel are working to research not only the best way to install a firewall, but what is the minimum level of security needed for their system. There are no guidelines established by the Marine Corps, and each facility is duplicating the work the other is doing (very costly in terms of manpower and time expended).
The process of establishing firewalls at both MCB Camp Pendleton and MCB Quantico is being accomplished by dedicated computer specialists who have no experience with firewalls. While these personnel are extremely capable in computer technology, it is important to realize that the very nature of computer security makes inexperience a vulnerability that can be exploited by a knowledgeable hacker. It only takes one small error for an intrusion to occur. Money needs to be spent on training Marine Corps personnel thoroughly in the installation and maintenance of these protective firewall security measures.
This commitment to train personnel in computer security needs to be adopted Marine Corps wide. Currently, the Marine Corps has over 300 Local Area Networks (LANs) and personal computers numbering more than 26,000. It is expected that 400 more computers will be purchased in fiscal year 1996.(83) The number of data processors and computer specialists has not kept up with the increase in use of, and reliance upon, computer systems. Marine Corps policies specifically state the management of security for GSS computers may be assigned to non-computer, non-security personnel. This is a grave error in the age of information. All TASOs and CSSOs must have very specific training in information security in order to be effective. The same commitment the Marine Corps has to Aviation Safety must be made to Information Security. Personnel assigned to be the guardians of our critical information must be trained in how to effectively perform this mission.
The lack of trained personnel directly relates to the lack of enforcement of current policies regarding information security. If a spot inspection were to be held at just about any unit's GSS, use of privately owned software, failure to back up data, failure to store backup data in a secured location, failure to secure computer equipment, failure to regularly change passwords, failure to have a working SSP that has been tested, and failure to have annual security training are but a few discrepancies that will most assuredly be found on a consistent basis. Trained system managers would aid in this problem.
Security would be enhanced greatly, as well as enforcement of policies, if guidelines set forth by the Marine Corps were more easily understood and accessed. Rather than the numerous publications that must be read and understood, the computer policies must be simplified into a cookbook format with clear standard operating procedures addressing specifically passwords, backups and data recovery, contingency planning, security awareness for all personnel, and other required security measures. Policies need to be developed immediately for the use of the Internet, establishing Home Pages, and creating firewalls.
With the move to the Internet, requirements for password management and data recovery should be enhanced. Current Marine Corps policies fail to adequately protect from possible hacker invasions. The latest information on ensuring maximum security in these areas should be adhered to. Contingency planning needs to incorporate specific means for auditing systems for possible hacker intrusions, and plans for system invasions. For example, what should be done if a manager detects a sniffer, or altered data? When should the system be shut down? Who should be notified? How will other Marine Corps Major Application (AIS) and GSS Managers be notified of the potential threat? How will the information regarding the intrusion be collated in order to better assess a potential coordinated attack on information systems (vice assuming every attack is a random occurrence)?
MARINE CORPS INFORMATION SECURITY FOR THE FUTURE
The National Security Agency has developed the Multilevel Information Systems Security Initiative (MISSI) in response to the requirement within the Department of Defense and Intelligence Communities to have an effective method to manage and selectively distribute different levels of information over common networks. This system will be incorporated DoD wide, and will allow for secure interoperability among a wide variety of missions that comprise the Defense Information System Infrastructure (DII). The security measures that this system will allow include services which ensure that transmitted data is neither accidentally corrupted nor deliberately tampered with. Strong user identification and authentication measures are included to deny unauthorized access. Data will be encrypted, and in cases of high sensitivity, super encrypted. Digital signatures will ensure positive and irrefutable identification of the sender. This system will support most commercial computing and networking technologies familiar to current system users, such as E-mail, file transfer, remote login, and database management.(84)
Rather than continuing to utilize the dedicated communications backbones for classified information and separate systems for other communications, the MISSI will provide a multi-level system capable of allowing top secret, secret, and sensitive but unclassified data such as logistics to be processed. Confidentiality, integrity, availability, and authenticity are all enhanced with MISSI. The design of the system centers around a guard that utilizes a firewall. A Fortezza Crypto Card will allow the user to operate the system at the appropriate security level.
While this system is designated to be utilized Marine Corps wide, a specific start date for purchasing and implementation has not been set.(85) It is slated to be in place by the year 2000. MISSI will greatly enhance protection against hacker warfare. It incorporates all major recommendations for security enhancements. However, it cannot replace the need for personnel training and security awareness.
RECOMMENDATIONS FOR THE MEF COMMANDER
Information is now more than just words on a page. Information is a real asset, just as critical as a tank, an airplane, or a marine. It must be protected in order to ensure Operational Security. In order to optimize information security, the MEF Commander must be aware of the threat hacker warfare presents to C2W. He must ensure that an effective C2-protect plan is in place that incorporates a quality information security program.
Currently, Information Warfare and thus, hacker warfare, would fall to the responsibility of the G-6. With the tremendous explosion in information technology, the scope of responsibility for INFOSEC, and the need to protect against hacker warfare, computer information specialists are needed at the battalion and squadron levels.
It is imperative that quality training be given to all managers of information systems, both Major Application (AIS) and GSS. The MEF Commander does not have direct authority over the Major Application (AIS), but can at minimum ensure that the CSSO and TASO are fully trained. DoD courses are available, as well as commercial training programs. It is recommended that a training course for CSSOs and TASOs be developed that specifically covers Marine Corps policies and systems. It is further recommended that a secondary MOS be established to clearly designate the training these personnel receive, and to demonstrate the commitment the Marine Corps has to Information Security. Personnel should not be allowed to manage an information system without this training.
Having properly trained personnel will greatly enhance the area of enforcement of Marine Corps policies. These policies must be taken seriously. The threat of loss of vital information is a reality that must concern every commander today if we are to establish an effective plan against hacker warfare and information warfare. Periodic inspections specific to computer security will aid in the enforcement of these policies as well.
Annual training should be conducted for all personnel with access to information systems. This training should incorporate not only general computer security awareness, but should cover passwords, backups, protection against malicious codes, and the proper use of the Internet.
All personnel should be aware of the vulnerability of information sent over the Internet, or over an unsecured LAN. While the need to continue to expose critical information to possible intruder interception will remain, users should use caution as to how much information is disseminated in this manner. If it is possible to send sensitive but unclassified information in a more secure manner that is timely, it should be done.
The Department of Defense needs to establish an Information CINC (INFOCINC). With the increase in reliance upon information, coupled with the increase in vulnerability to information attack, it is time for the very real asset of information to be treated as a national resource that requires protection. The explosion in information technology, combined with the blurred line of responsibility for ownership of the problem on the National Information Infrastructure makes this area critical to consider. An INFOCINC would allow a central command to develop, implement, and coordinate all information policies at the national level in relation to our national security. Information is now a weapon to be used and defended against. An INFOCINC will better allow the coordination of commercial assets vital to military information security, just as USCINCTRANS allows for the coordination of logistical assets.
CONCLUSION
Computer break-ins into military systems are reported to be expanding at over 152 percent per year.(86) The Marine Expeditionary Force Commander is reliant upon an effective network of information systems. Disruption to any of these systems will negatively impact operational readiness and command and control. The MEF Commander must become aware of the threat of hacker warfare to the information systems that support his command. Every effort must be made to incorporate the best security methods available to protect against hacker intrusions.
The Marine Corps is behind in ensuring its information systems are secure. Its current policies on information security are lacking in clarity, enforcement, and application to the latest threats in information warfare. The move toward adding new technology before developing safe operating procedures sets a dangerous precedent. While there are plans to incorporate MISSI as part of the DoD-wide move toward a Multilevel Security System, more needs to be done now to protect against the threat of hacker warfare.
BIBLIOGRAPHY
Arquilla, John J. and Ronfeldt, David F. "Cyberwar and Netwar: New Modes, Old Concepts, of Conflict." Excerpted from Cyber War is Coming. RAND's Home Page: RAND Research Review Contents. Online. World Wide Web. Available 16 December 1995, http: www.rand.org.
Bassham, Lawrence E. and Polk, W. Timothy. "Threat of Malicious Code and Human Threats." National Institute of Standards and Technology, Computer Security Division, October 1, 1992.
Bowman, Tom and Shane, Scott. "Battling High-Tech Warriors." The Baltimore Sun Special Reprint. 3-15 December, 1995.
Cheswick, William R, and Bellovin, Steven M. Firewalls and Internet Security: Repelling the Wily Hacker. Reading, MA: Addison-Wesley Publishing. 1994.
"Concept for Information Operations." TRADOC Pamphlet 525-69. Dept. of the Army. 1 August 1995.
Cooper, Pat and Oliveri, Frank. "Hacker Exposes US Vulnerability." Defense News. 9-15 Oct, 1995, 1,37.
"Defense Technology Survey." The Economist. June 10, 1995, 5-20.
Department of the Navy. Naval Information Systems Management Center. Introduction to Information Systems Security (INFOSEC) Guidebook. Module 01. Information Systems Security (INFOSEC) Program Guidelines. NAVSO P-5239-01, May 1995.
Department of the Navy. AIS and Network Security Manual. Supplement to OPNAVINST 5239.X. Draft Version: 6 December 1995.
Department of the Navy. Naval Information Systems Management Center. Remanence Security Guidebook. Module 26, Information Systems Security (INFOSEC) Program Guidelines, NAVSO P-5239-26, September 1993.
Department of the Navy. Terms, Abbreviations and Acronyms. Module 02, Information Systems Security (INFOSEC) Program Guidelines. Naval Information Systems Management Center, NAVSO P-5239-02, June 1995.
Department of the Navy. "Department of the Navy Information Systems Security (INFOSEC) Program." SECNAV Instruction 5239.3. 14 July 1995.
Fogelman, Ronald R. General, Chief of Staff. "Fundamentals of Information Warfare- An Airman's View." National Security Industry Association: National Defense University Foundation Conference of the Global Information Explosions. Washington, D.C., 16 May 1995.
Galik, CDR, USN. "Network Systems Security (NSS): Implementation of MISSI in Support of the Defense Message System." Lecture Notes. CNO N643G, E-Mail: cno-n643g@cno.navy.mil.
Garfinkel, Simson, and Spafford, Gene. Practical Unix Security. Sebastopol, CA: O'Reilly & Associates, Inc., 1991.
Garigue, R. LT. Information Warfare: Developing a Conceptual Framework. Online. Internet. August 14, 1995. Available: Url:http://www.cse.dnd.ca/-formis/overview/iw.
Gompert, David C. "Keeping Information Warfare in Perspective." RAND's Home Page: RAND Research Review Contents. Online. World Wide Web. Available 16 December 1995, http: www.rand.org.
Haeni, Reto E. An Introduction to Information Warfare. Online. Internet. 29 August 1995. Available http://www.seas.gwu.edu/student/reto/.
Hafner, Katie and Markoff, John. Cyberpunk: Outlaws and Hackers on the Computer Frontier. New York: Simon and Schuster, 1991.
Hagee, Michael, BGen, USMC. Assistant Director, Central Intelligence Agency, Interview, 4 March 1996.
Hughes, Larry J, Jr. Actually Useful Internet Security Techniques. Indianapolis: New Riders, 1995.
"Information Warfare: A Two-Edged Sword." RAND's Home Page: RAND Research Review Contents. Online. World Wide Web. Available 16 December 1995, http: www.rand.org.
"Information Warfare: DISA Stings Uncover Computer Security Flaws." Federal Computer Week, February 6, 1995, duncanr@smtp-gq.spawar.navy.mil, accessed 19 Feb 1995.
Jensen, Owen E., Col. USAF. "Information Warfare: Principles of Third-Wave War." Airpower Journal. Winter 1994, Vol VIII, No. 4. 35-43.
Konopatzke, Kurt, Lt. (USAF). "Information Warfare: Same Wine, Different Bottle?" Air Chronicles Home Page. Online. Available 12 January 1995, arry.cdsar.af.mil.
Kraus, George F, Jr., Cdr, USN (Ret). "Information Warfare in 2015." Proceedings. August 1995. 42-45.
Krulak, Charles, C., Gen, Commandant, USMC. "Training and Education." Marine Corps Gazette, Oct 1995, p 11.
Kumar, Sandeep and Spafford, Eugene H. "A Pattern Matching Model for Misuse Intrusion Detection." The COAST Project, Department of Computer Sciences, Purdue University. Online. Available kumar,spaf@cs.purdue.edu.
Kurtz, Richard. Computer Security Manager, C4B, Headquarters Marine Corps, Personal Interview, 23 Feb. 1995.
Levy, Steven. Hackers: Heroes of the Computer Revolution. New York: Delta, 1994.
Libicki, Martin C. What is Information Warfare? Institute for National Strategic Studies, National Defense University. August 1995.
Libicki, Martin C. "What is Information Warfare?" Strategic Forum, May 1995: Number 28.
Libicki, Martin C. "Who Shall Guard the NII?" Center for Advanced Concepts and Technology, National Defense University, 7 December, 1995.
Magsig, Daniel E. "Information Warfare In the Information Age." Online. Available 12 January 1996, dmagsig@seas.gwu.edu.
Mazarr, Michael J. The Revolution in Military Affairs: A Framework for Defense Planning Strategic Studies Institute: US Army War College. June 19, 1994.
Munro, Neil. "The Pentagon's New Nightmare: An Electronic Pearl Harbor." Washington Post, 16 July 1995.
National Research Council. Computers at Risk. Washington D.C.: National Academy Press, 1991.
National Computer Security Center. Introduction to Certification and Accreditation. NCSC-TG-029 Version 1, January 1994.
"Pentagon Awaits SATAN-Born Assaults." C4I-Pro: Defense News. Online. Internet, available pollackn@smtp-gw.spar.navy.mil.
Russell, Deborah, and Gangemi, G.T. Senior. Computer Security Basics. Sebastopol, CA: O'Reilly & Associates, Inc., 1991.
Ryan, Donald E., Jr. "Implications of Information-Based Warfare." Joint Force Quarterly. 6, (Autumn-Winter 1994-95.) 114-116.
Schwartau, Winn. Information Warfare: Chaos on the Electronic Superhighway. New York: Thunder's Mouth Press, 1994.
Slade, Robert M. "History of Computer Viruses." Online. Internet. 15 February, 1996.
Spafford, Eugene H. "OPUS: Preventing Weak Password Choices." Purdue Technical Report CSC-TR 92-028, Department of Computer Sciences, Purdue University. Online. June 1991. Available spaf@cs.purdue.edu.
Spafford, Eugene H. and Weeber, Stephen A. "User Authentication and Related Topics: An Annotated Bibliography." Purdue Technical Report CSD-TR 91-086, Department of Computer Sciences, Purdue University. Online. 31 July 1992. Available spaf@cs.purdue.edu.
Spafford, Eugene H. "Observing Reusable Password Choices." Purdue Technical Report CSC-TR 92-049, Department of Computer Sciences, Purdue University. Online. 31 July 1992. Available spaf@cs.purdue.edu.
Stein, George, Prof. "Information Warfare." Airpower Journal. Vol. ix, No.1, Spring 1995. 30-39.
Sterling, Bruce. The Hacker Crackdown: Law and Disorder on the Electronic Frontier. New York: Bantam, 1993.
The Knightmare. Secrets of a Super Hacker. Port Townsend: Loompanics Unlimited, 1994.
Thompson, Mark. "If War Comes Home." Time August 21, 1995: 38-44.
Toffler, Alvin, and Toffler, Heidi. War and Antiwar: Making Sense of Today's Global Chaos. New York: Warner Books. 1993.
United States Marine Corps. MCB Camp Pendleton. "Policy for the Use of Computers and Network Resources." Draft. Base Bulletin 5239. 1996.
United States Marine Corps. Small Computer Systems Security. Washington, D.C., PCN 186 523910 00, IRM-5239-10, 1990, rev. 1995.
United States Navy. Naval Command, Control and Ocean Surveillance Center, "Information Use Via Computers and Networks." NCCOSC Instruction 5232.1, 19 Dec 1995.
United States Marine Corps. Contingency Planning. Washington D.C., PCN 186 523909 00, IRM-5239-09, 1989.
United States Marine Corps. "Commandant of the Marine Corps' White Letter No. 4-90," 29 June 1990.
United States Air Force. Cornerstones of Information Warfare. 1995.
United States Marine Corps. "Department of the Navy (DON) Policy for Incident Response and Vulnerability Reporting." ALMAR 365/95. 08 Nov 1995.
United States Marine Corps. Headquarters Marine Corps. "Internet Policy." Draft. 5 Dec 1995.
United States Marine Corps. System Security Plan. Washington D.C., PCN 186 523913 00, IRM-5239-13, 1991.
United States. National Security Agency. Multilevel Information Systems Security Initiative. Information Systems Security Office/x1, Ft. Meade, MD.
United States Marine Corps. Data Access Security. Washington D.C., PCN 186 523906 00, IRM-5239-06, 1990.
United States. Department of the Army. Information Operations. Draft. FM 100-6. 2 October 1995.
United States. Chairman of the Joint Chiefs of Staff. Command and Control Warfare. Memorandum of Policy No. 30 (MOP 30). Issued 17 July 1990, rev 8 March 1993.
United States. Department of Defense. Password Management Guideline. CSC-STD-002-85, 12 April 1985.
United States Marine Corps. Project Manager's Security Handbook. Washington, D.C., PCN 186 523912 00, IRM-5239-12, 1990.
"Virus Highlights Need for Improved Internet Management." Computer Security, Report to the Chairman, Subcommittee on Telecommunications and Finance, Committee on Energy and Commerce, House of Representatives, United States General Accounting Office. June 1989, Online, Internet. Available swolff@nsf.gov.
Waller, Douglas. "Onward Cyber Soldiers." Time August 21, 1995: 38-44.
Walsh, Robert S. "Information Enhancement on Today's Battlefield." Marine Corps Gazette, Oct 1995.
Wilson, G.I., Col, USMC, and Bunkers, Frank, Maj, USMC. "Uncorking the Information Genie." Marine Corps Gazette, Oct 1995.
1. Kurtz, Richard. Computer Security Manager, C4B, Headquarters Marine Corps, Personal Interview, 23 Feb. 1995.
2. "Information Warfare: DISA Stings Uncover Computer Security Flaws." Federal Computer Week, February 6, 1995, duncanr@smtp-gq.spawar.navy.mil, accessed 19 Feb 95.
3. Galik CDR, "Network Systems Security (NSS): Implementation of MISSI in Support of the Defense Message System," CNO N643G, cno-n643g@cno.navy.mil.
4. Fogelman, Ronald R. General, Chief of Staff, "Fundamentals of Information Warfare - An Airman's View", Air Force Update 95-09.
5. Munro, Neil. "The Pentagon's New Nightmare: An Electric Pearl Harbor." Washington Post, 16 July 1995.
6. Krulak, Charles, C., Gen, Commandant, USMC. "Training and Education." Marine Corps Gazette, Oct 1995, p 11.
7. Wilson, G.I., Col, USMC and Bunkers, Frank, Maj, USMC. "Uncorking the Information Genie" Marine Corps Gazette, Oct 1995, p. 29.
8. Walsh, Robert S. "Information Enhancement on Today's Battlefield." Marine Corps Gazette, Oct 1995, p. 27.
9. Waller, Douglas. "Onward Cyber Soldiers," Time Magazine, 8/21/95, p.42.
10. Toffler, Alvin and Toffler, Heidi, War and Anti-War. New York: Warner. p. 8.
11. Toffler and Toffler, p. 9.
12. Toffler and Toffler, p. 73.
13. Haeni, Reto E. An Introduction to Information Warfare. Online. Internet, 29 August 1995. Available http://www.seas.gwu.edu/student/reto/.
14. Haeni, Reto.
15. Libicki, Martin C. "What is Information Warfare?" Strategic Forum, National Defense University, Institute for National Strategic Studies, Number 28, May 1995.
16. Libicki, August 1995, p. 49.
17. Waller, Douglas, p. 43.
18. National Security Agency. Multilevel Information Systems Security Initiative, Information Systems Security Office/x1, Ft. Meade, MD, p. 6.
19. Bowman and Shane, "America's Fortress of Spies." The Baltimore Sun Special Reprint December 3-15, 1995 p. 14-15.
20. Waller, p. 43.
21. Chairman of the Joint Chiefs of Staff, Command And Control Warfare: Memorandum of Policy No. 30 (MOP 30), Issued 17 July 1990, revised 8 March 1993, p. 3.
22. MOP 30, p. 2.
23. Department of the Army, FM 100-6, Information Operations, Headquarters, 2 October 1995, p. 2-3.
24. Bowman and Shane, p. 15.
25. Libicki, 8/95, p. 64.
26. Libicki, 8/95, p. 64.
27. Department of the Army, FM 100-6, p. 1-13.
28. MOP 30, p. 19.
29. Department of the Army, FM 100-6, p. 3-21.
30. Department of the Army, FM 100-6, p. 3-3.
31. Russell, Deborah and Gangemi, G. T. Sr. Computer Security Basics. Sebastopol, CA: O'Reilly & Associates, Inc. 1991. p. 425.
32. Russell and Gangemi, p. 81.
33. Russell and Gangemi, p. 80.
34. Department of the Army, FM 100-6, p. 5-13.
35. "Virus Highlights Need for Improved Internet Management." Computer Security, Report to the Chairman, Subcommittee on Telecommunications and Finance, Committee on Energy and Commerce, House of Representatives, United States General Accounting Office, June 1989, Internet, swolff@nsf.gov.
36. "Virus Highlights Need for Improved Internet Management." June 1989.
37. Russell and Gangemi, p. 426.
38. Russell and Gangemi, p. 80.
39. "Virus Highlights Need for Improved Internet Management." June 1989.
40. Russell and Gangemi, p. 82.
41. Hafner, Katie and Markoff, John. Cyberpunk: Outlaws and Hackers on the Computer Frontier. New York: Touchstone Books, 1991, p. 255-256.
42. Russell and Gangemi, p. 83.
43. Russell and Gangemi, p. 84.
44. Russell and Gangemi, p. 84.
45. Haeni, Reto.
46. Russell and Gangemi, p. 84.
47. Russell and Gangemi, p. 85.
48. "Pentagon Awaits SATAN-Born Assaults." C4I-Pro: Defense News. Internet, pollackn@smtp-gw.spar.navy.mil.
49. Hughes, Larry, Jr. Actually Useful Internet Security Techniques, Indianapolis: New Riders Publishing, 1995, p. 27.
50. Hughes, p. 28.
51. Russell and Gangemi, p. 422.
52. Russell and Gangemi, p. 86.
53. National Research Council, Computers at Risk: Safe Computing in the Information Age. National Academy Press, 1991, p. 49.
54. Russell and Gangemi, p. 171-172.
55. Hagee, Michael, BGen, USMC. Assistant Director, Central Intelligence Agency, Interview, 4 March 1996.
56. Cheswick, William, and Bellovin, Steven M. Firewalls and Internet Security: Repelling the Wily Hacker. Reading, Mass: Addison-Wesley Publishing Co, 1994, p. 11.
57. Spafford, Eugene. "OPUS: Preventing Weak Password Choices," Purdue Technical Report, CSD-TR 92-028, West Lafayette, IN, Internet, spaf@cs.purdue.edu, June, 1991.
58. Hafner and Markoff, p. 300.
59. Spafford, Eugene.
60. Russell and Gangemi, p. 61.
61. Hughes, p. 27.
62. Department of Defense. Password Management Guideline, Computer Security Center, Ft. Meade, MD, CSC-STD-002-85, Library No. S-226,994, April 12, 1985.
63. Department of the Navy, Terms, Abbreviations, and Acronyms. Information Systems Security (INFOSEC) Program Guidelines, Naval Information Systems Management Center, NAVSO-P-5239-02, June 1995, p. 38.
64. Russell and Gangemi, p. 171-172.
65. Russell and Gangemi, p. 190.
66. Bassham, Lawrence E. & Polk, W. Timothy. "Threat Assessment of Malicious Code and Human Threats." National Institute of Standards and Technology, Computer Security Division, October 1, 1992, p. 9.
67. Russell and Gangemi, p. 412.
68. Kurtz, Richard.
69. Bassham and Polk, p. 6.
70. Bassham and Polk, p. 7.
71. Bassham and Polk, p. 7.
72. United States Marine Corps. "Commandant of The Marine Corps' White Letter No. 4-90," 29 June 1990.
73. Kurtz, Richard.
74. Russell and Gangemi, p. 98.
75. Russell and Gangemi, p. 98.
76. United States Marine Corps, Contingency Planning, IRM-5238-09, 5 July 89, 1-4.
77. United States Marine Corps, System Security Plan (SSP). IRM-5239-13, 30 Apr 1991, p. 1-4.
78. United States Marine Corps, System Security Plan (SSP). p. 1-5.
79. United States Marine Corps. Small Computer Systems Security, IRM-5239-10, 23 May 1990.
80. United States Marine Corps. Small Computer Systems Security, p. 3-6.
81. United States Marine Corps, MCB Camp Pendleton. "Policy for the Use of Automated Data Processing Equipment (ADPE) and Network Resources Aboard Camp Pendleton," DRAFT, Base Bulletin 5239.
82. United States Marine Corps, Headquarters Marine Corps. "Marine Corps Policy Pertaining to Use of the Internet," DRAFT.
83. Kurtz, Richard.
84. National Security Agency, Multilevel Information Systems Security Initiative, Information Systems Security Office/x1, Ft. Meade, MD, p. 1.
85. Kurtz, Richard.
86. Galik, CDR, USN, p. 6.