David A. Fulghum, Aviation Week, May 21, 2009
Devices to launch and control cyber, electronic and information attacks are being tested and refined by the U.S. military and industry in preparation for moving out of the laboratory and into the warfighter's backpack.
It's a part of a technology race that is already well underway. The Russian attack on Georgia last year showed weaknesses in some combat areas, but not in cyberwarfare, say U.S. analysts.
"The Russians conducted a cyberattack that was well coordinated with what Russian troops were doing on the ground," says a longtime specialist in military information operations. "It was obvious that someone conducting the cyber[war] was talking to those controlling the ground forces. They knew where the [cyber]talent was [in Russia], how to use it, and how to coordinate it.
"That sophisticated planning at different levels of cyberwarfare surprised a lot of people in the Defense Dept.," he says. "It looked like a seamless, combined operation that coordinated the use of a range of cyberweapons from the sophisticated to the high school kids that thought it was cool to deface official web sites. The techniques they used everybody knows about. The issue was how effective they were as part of a combined operation."
The U.S. is looking for a tool to duplicate that kind of attack. Moreover, the Defense Advanced Research Projects Agency has awarded several contracts to information technology (IT) companies to design a cyberattack range. Candidate sites include Naval Air Warfare Center's China Lake, Calif., radar cross-section facility and the U.S. Air Force radar cross-section range at Holloman AFB, N.M.
Several future attack devices are being built in a U.S. cyberwarfare attack laboratory. The one shown to Aviation Week & Space Technology is a software framework for locating digital weaknesses. It combines cybersleuthing, technology analysis and tracking of information flow. It then offers suggestions to the operator on how best to mount an attack and, finally, reports on success of the effort.
Right now, electronic and cyberattacks are conducted and understood by a very few. To make the capability part of the warfighter's arsenal it has to be configured and packaged so that a non-expert could use it on the battlefield.
The heart of this attack device is its ability to tap into satellite communications, voice over Internet, proprietary Scada networks--virtually any wireless network. Scada (supervisory control and data acquisition) is of particular interest since it is used to automatically control processes at high-value targets for terrorists such as nuclear facilities, power grids, waterworks, chemical plants and pipelines. The cyberattack device would test these supposedly inviolate networks for vulnerabilities to wireless penetration.
"If you think about the explosion of capability in the commercial electronics sector, it's obvious that for not too much money, anybody can set up a fairly robust WiFi capability and just ride the backbone of the Internet," says a U.S.-based, network attack researcher. "We're tying together the protection and the reaction side with this device which will serve for planning, execution and penetration testing."
A by-product of the project is that it offers a start to weaponizing cyberattack for the non-cyberspecialist military user.
There are four broad objectives in designing the attack device:
*Capture expert knowledge but keep humans in the loop.
*Quantify results so that the operator can put a number against a choice.
*Enhance execution by creating a tool for the nonexpert that puts material together and keeps track of it.
*Create great visuals so missions can be executed more intuitively.
This particular network attack prototype has a display at the operator's position that shows a schematic of the network of interest and identifies its nodes.
"You could be talking about thousands and thousands of nodes being involved in a single mission," says a second network attack researcher. "Being able to visualize that without a tool is practically impossible."
A touch-screen dashboard beneath the network schematic display looks like the sound mixing console at a recording studio. The left side lists cyberattack mission attributes such as speed, covertness, attribution and collateral damage. Next to each attribute is the image of a sliding lever on a long scale. These can be moved, for example, to increase the speed of attack or decrease collateral damage.
Each change to the scales produces a different list of software algorithm tools that the operator needs. "Right now, all that information is in the head of a few guys that do computer network operations and there is no training system," says the first specialist.
Experts are combining digital tools that even an inexperienced operator can bring into play. In the unclassified arena there are algorithms dubbed MadWifi, Aircrack and Beach. For classified work, industry developers also have a toolbox of proprietary cyberexploitation algorithms.
Air Crack, for example, uses open source tools to crack the encryption key for a wireless network. Some cracks are quick, but require injecting a lot of data into the network, which makes the attack noisy and easy to trace. Others are very passive and slow--taking a couple of days or even months. But no one is aware of the intrusion. A passive dictionary attack can find passwords such as common English words, names or birthdays, but it is considered a brute force attack.
Cryptoattacks use more sophisticated techniques to cut through the password hash. "It runs faster and you usually get a better result," says an IT specialist. "But you have to take a more active role, capture different types of data and send the right information to get a proper response."
A de-authorization capability can kick all the nodes off a network temporarily so that the attack system can watch them reconnect. This provides information needed to quickly penetrate the network.
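The "kick everyone off and watch them reconnect" behavior described above has a recognizable signature on the defender's side: a burst of deauthentication or disassociation frames from one transmitter address, followed by a cluster of authentication and association requests from the stations that were knocked off. The following is an added example, not code from the article or from the prototype it describes, showing how a wireless monitor could flag that pattern. The `Frame` record, the function names and the sample capture are all constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    ts: float      # seconds since capture start (constructed)
    subtype: str   # "deauth", "disassoc", "auth_req", "assoc_req", "data"
    src: str       # transmitter MAC
    dst: str       # receiver MAC; ff:ff:ff:ff:ff:ff is broadcast

AP = "02:00:00:00:00:01"                       # constructed BSSID
CLIENTS = ["02:00:00:00:00:10", "02:00:00:00:00:11", "02:00:00:00:00:12"]
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample capture: normal traffic, one legitimate deauth,
# then a 12-frame broadcast deauth burst and the resulting reconnects.
SAMPLE_FRAMES = (
    [Frame(10.0 + i, "data", CLIENTS[i % 3], AP) for i in range(5)]
    + [Frame(20.0, "deauth", AP, CLIENTS[0])]
    + [Frame(100.0 + 0.1 * k, "deauth", AP, BROADCAST) for k in range(12)]
    + [Frame(101.5 + 0.2 * i, "auth_req", c, AP) for i, c in enumerate(CLIENTS)]
    + [Frame(102.0 + 0.2 * i, "assoc_req", c, AP) for i, c in enumerate(CLIENTS)]
    + [Frame(110.0 + i, "data", CLIENTS[i % 3], AP) for i in range(3)]
)

DISCONNECT_TYPES = {"deauth", "disassoc"}
RECONNECT_TYPES = {"auth_req", "assoc_req", "reassoc_req"}

def detect_deauth_floods(frames, window=2.0, threshold=8):
    """Flag any transmitter that sends >= threshold disconnect frames
    inside any sliding window of `window` seconds.

    Returns one alert per offending source with the densest burst found.
    A lone deauth (an AP dropping an idle client) never trips this."""
    by_src = defaultdict(list)
    for f in frames:
        if f.subtype in DISCONNECT_TYPES:
            by_src[f.src].append(f.ts)

    alerts = []
    for src, stamps in by_src.items():
        stamps.sort()
        best = None
        j = 0
        for i, start in enumerate(stamps):           # two-pointer window scan
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best["count"]):
                best = {"src": src, "start": start,
                        "end": stamps[j - 1], "count": count}
        if best is not None:
            alerts.append(best)
    return alerts

def reconnects_after(frames, alert, horizon=5.0):
    """Count auth/assoc requests in the `horizon` seconds after a burst;
    a high number corroborates that real stations were forced off."""
    lo, hi = alert["end"], alert["end"] + horizon
    return sum(1 for f in frames
               if f.subtype in RECONNECT_TYPES and lo < f.ts <= hi)

if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth burst from {a['src']}: {a['count']} frames in "
              f"{a['end'] - a['start']:.1f}s, {reconnects_after(SAMPLE_FRAMES, a)} "
              f"reconnect requests followed")
```

The threshold and window are deliberately loose here; on a real monitor they would be tuned per access point, since some enterprise controllers legitimately deauthenticate clients in batches during channel changes.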
In one prototype attack device, a colored bar is at the right of each scale. Green means the effect is better than specified; blue, that it is equal; and red signifies it does not meet the user's criteria.
The three major elements of a cyberattack system are its toolbox, planning and execution capabilities. The toolbox is put together by the hardware and software experts in any organization to address specific missions. They maintain the database of available capabilities.
The planning capability takes input from other planning systems--for example, network situational awareness--and incorporates it. The planner weighs the attack device's capabilities, the target to be attacked along with the style of execution and then ranks the solutions. But the final decision is left to the operator.
The output of planning is a course of action--the sequence of steps that must happen. This blueprint can be reviewed, modified and approved by a supervisor. It is then taken to the field and executed or exported to some other cyberattack system.
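The dashboard and planner described above amount to a multi-criteria ranking: the operator sets a required level for each mission attribute (speed, covertness, attribution, collateral damage), every candidate course of action is graded green, blue or red per attribute against that requirement, and the planner orders the candidates while leaving the choice to the operator. The block below is an added example of that general algorithm, not code from the prototype or from any of the companies mentioned. The option names, their attribute scores, the 0-10 scale and the weighting scheme are all constructed assumptions; the only things taken from the article are the four attributes and the three-color grading rule.

```python
# Which direction counts as "better" for each slider.  Speed and
# covertness: more is better.  Attribution and collateral damage are
# risks, so less is better.  (Scale 0-10 is a constructed assumption.)
HIGHER_IS_BETTER = {
    "speed": True,
    "covertness": True,
    "attribution": False,
    "collateral_damage": False,
}

def grade(attr, value, required):
    """Color bar from the article: green = better than specified,
    blue = equal, red = does not meet the operator's criterion."""
    if value == required:
        return "blue"
    better = value > required if HIGHER_IS_BETTER[attr] else value < required
    return "green" if better else "red"

def margin(attr, value, required):
    """Signed distance from the requirement, positive when better."""
    return value - required if HIGHER_IS_BETTER[attr] else required - value

def rank_options(options, criteria, weights=None):
    """Grade every option against the slider settings and rank them.

    Options that meet every criterion sort first; within each group the
    weighted sum of margins decides.  Nothing is dropped, so the operator
    still sees (and may override) the red-flagged choices."""
    weights = weights or {}
    ranked = []
    for name, attrs in options.items():
        colors, score = {}, 0.0
        for attr, required in criteria.items():
            colors[attr] = grade(attr, attrs[attr], required)
            score += weights.get(attr, 1.0) * margin(attr, attrs[attr], required)
        ranked.append({
            "option": name,
            "score": score,
            "colors": colors,
            "meets_all": "red" not in colors.values(),
        })
    ranked.sort(key=lambda r: (r["meets_all"], r["score"]), reverse=True)
    return ranked

# Constructed candidate courses of action; values are illustrative only.
OPTIONS = {
    "option_A": {"speed": 8, "covertness": 3, "attribution": 6, "collateral_damage": 2},
    "option_B": {"speed": 4, "covertness": 8, "attribution": 2, "collateral_damage": 3},
    "option_C": {"speed": 6, "covertness": 6, "attribution": 4, "collateral_damage": 4},
}

# Constructed slider positions: the operator's minimum/maximum per attribute.
CRITERIA = {"speed": 5, "covertness": 5, "attribution": 5, "collateral_damage": 4}

def ranking_order(options, criteria, weights=None):
    """Convenience view: option names in planner order."""
    return [r["option"] for r in rank_options(options, criteria, weights)]

if __name__ == "__main__":
    for r in rank_options(OPTIONS, CRITERIA):
        flag = "" if r["meets_all"] else "  (has red attributes)"
        print(f"{r['option']}: score={r['score']:+.1f} {r['colors']}{flag}")
    # Pushing the speed slider up changes the list, as the article says.
    print("with speed raised to 7:", ranking_order(OPTIONS, {**CRITERIA, "speed": 7}))
```

With the constructed data, option C is the only one with no red bar and therefore leads even though option B has the larger raw margin; raising the speed requirement to 7 turns C's speed red and B moves to the top. The sort key makes the "meets every criterion" gate dominate the weighted score, which is the behavior a supervisor reviewing the course of action would expect.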