Information Operations
Newsletter
Compiled by: Mr. Jeff Harley
US Army Strategic Command
G3 Plans, Information Operations Branch
Table of Contents
Table of Contents
Vol. 7, no. 06 (23 November – 5 December 2006)
1. Manila, Seoul to Conduct Joint Study On Cyber Crimes
2. DOD Report to Detail Dangers of Foreign Software
3. Five Years after the Fall of the Taliban
4. Web Browsing Behind Closed Doors
5. Islamist Websites Succeed in Recruiting Muslims for Jihad
6. Countering the Threat of Islamic Militant Terrorism: A New Look
7. New Role for NPS Official
8. Chinese Hackers Prompt Navy College Site Closure
9. What The Islamists Have Learned – How To Defeat The USA In Future Wars.
10. US Financiers Alerted After Terrorist Threat
11. War Made New (interview)
12. Canadians Battling Taliban and Its Propaganda in Afghanistan
13. China a Major Cyberthreat, Commission Warns
Page ii
Manila, Seoul to Conduct Joint Study On Cyber Crimes
By Komfie Manalo, All Headline News, November 26, 2006
Manila, Philippines (AHN) - The governments of the Philippines and South Korea on Sunday announced a joint study on the development of a national computer emergency response team (CERT) to combat cyber crimes.
The joint study concluded that a national CERT will start in 2007 and a prototype would be available in 2008. It is expected to be fully operational in 2009.
A fully functioning CERT will give Manila the information and electronic evidence for possible technical and legal actions in case of a cyber attack. It also provides continuous training for security professionals.
The study also identified problems facing the creation of a national CERT in the Philippines. They include lack of funding, expertise and infrastructure to run an effective national CERT system.
Currently, a group of volunteer security professionals has been running a Philippine-CERT. But the lack of funding and expertise have limited its activities to e-mail and phone-based technical assistance, coordination with law enforcement agencies and technical training.
The Korea Information Society Development Institute and the Korea Information Security Agency conducted the study in coordination with the National Security Council and Commission on Information and Communications Technology of the Philippines
Table of Contents
DOD Report to Detail Dangers of Foreign Software
By Gary Anthes, Computer World, November 27, 2006
A U.S. Department of Defense task force early next year plans to warn the Pentagon of a growing threat to national security from adversaries who could insert malicious code in software developed overseas.
The Defense Science Board, a military/civilian think tank within the DOD, will issue a report that calls for a variety of prevention and detection measures but stops short of recommending that all software procured by the military be written in the U.S., said the head of the task force that has been studying the so-called foreign influence issue.
The possibility that programmers might hide Trojan horses, trapdoors and other malware inside the code they write is hardly a new concern. But the DSB will say in its report that three forces — the greater complexity of systems, their increased connectivity and the globalization of the software industry — have combined to make the malware threat increasingly acute for the DOD.
“This is a very big deal,” said Paul Strassmann, a professor at George Mason University in Fairfax, Va., and a former CIO at the Pentagon. "The fundamental issue is that one day, under conditions where we will badly need communications, we will have a denial of service and have billion-dollar weapons unable to function."
Robert Lucky, chairman, Defense Science Board task forceRobert Lucky, the chairman of the DSB task force, said this month that all the code the DOD procures is at risk, from business software to so-called mission software that supports war-fighting efforts.
“The problem is we have a strategy now for net-centric warfare — everything is connected. And if the adversary is inside your network, you are totally vulnerable,” said Lucky, who is an independent IT consultant and engineer.
The private sector faces similar threats and has already begun to adopt some of the practices the DSB is likely to recommend to the Pentagon, said John Pescatore, an information security analyst at Gartner Inc. The same risks also apply to software developed in the U.S., he added.
“This is a major concern, but not just when it goes offshore,” Pescatore said. He called the focus on offshore developers “xenophobia” but said the software security concerns raised by the DOD should serve as a useful wake-up call for all organizations that buy software.
Lucky agreed that a risk exists with U.S.-developed software but said it is greater when code is written overseas. The goal for users should be to make informed trade-offs between the level of risk and the economics of developing software, he said. For example, malware risks could be greatly reduced by having only people with U.S. security clearances write software, but that would boost software development costs by three to 10 times, according to Lucky.
The DSB task force, which was commissioned by the Pentagon in October 2005, has been deliberating in secret. However, its report will be unclassified and is scheduled to be made available to the public soon after the first of the year.
Protective Measures
Lucky declined to comment on what the task force will recommend. But in response to industry fears he said that it won’t call for all of the software used by the DOD to be developed in the U.S.
Meanwhile, he cited the following measures as worthwhile protective steps:
· Requiring peer reviews in which multiple programmers review code and test results. However, that increases development costs, Lucky noted.
· Running scan tools that look for dangerous code hidden in software. “But they’re imperfect,” Lucky said. “They can’t find everything.”
· Enforcing industry standards that can contribute to quality software code — for example, the Common Criteria standards, officially known as ISO 15408, for evaluating information security.
“It’s almost an insolvable problem to think you can findall the possible problems with code,” Lucky said. “What you can do, though, is raise the bar. Through inspection and testing and so forth, you can eliminate a certain percentage of problems.”
A spokesman for the DOD said it couldn’t comment on the upcoming report last week. The report was requested by Kenneth Krieg, undersecretary of defense for acquisition, technology and logistics, who wrote in a memo last year that the DOD needed a better understanding of how much “foreign-influenced software” is embedded in its systems and the risks the military would face if code were compromised.
Ira Winkler, author of the book Spies Among Us (Wiley, 2005), a former analyst at the National Security Agency and a Computerworld columnist, said that the kinds of measures outlined by Lucky may be useful but that there is a much more obvious step.
“If there is one line of code written overseas, that’s one line too many,” Winkler said. “Developing it in the U.S. is not perfect, but we are talking about an exponential increase in risk by moving it overseas.”
Winkler said the U.S. government typically buys systems that bundle the hardware, an operating system, a database and other components in addition to the application code. “You can put back doors and Trojans in any layer of that environment, not just in the custom code,” he warned.
Indeed, the upcoming report is a follow-on to one released last year that detailed the risks of procuring microchips from foreign suppliers. The DSB called that practice “directly contrary to the best interest of the DOD” and wrote that “opportunities for adversaries to clandestinely manipulate technology used in critical U.S. microelectronics applications are enormous and increasing.”
However, the “buy American” solution isn’t as simple as it once would have been. With the globalization of the IT industry, many U.S. software vendors have set up overseas operations, and many have citizens of other countries working for them in the U.S. In addition, some software is based on integrated sets of components that are developed in different countries and would be difficult to tease apart if a U.S.-only procurement policy were adopted.
Phillip Bond, president of the Information Technology Association of America, said he expects the DSB task force to recommend that the Pentagon assign varying risk levels to software, with different procurement rules for each level.
“The danger would be if they deem too risky most commercial software, because in almost any software, there is some piece, some lines of code, written somewhere else around the world,” he said.
Bond said the ITAA has commissioned the Center for Strategic and International Studies in Washington to conduct its own examination of the risks posed by overseas software development. The ITAA expects that study to be completed at about the same time the DSB issues its report.
Pescatore recommended that the DOD and other users deploy tools that scan software for vulnerabilities and perform “fuzz” testing, in which programs are deluged with streams of random data intended to evoke every possible response they can make.
But no single measure is likely to completely safeguard software, Lucky cautioned. “There are very clever things that can be done,” he said. “And we’re talking about complexity that boggles the mind. It’s so enormous that no one can truly understand a program with millions of lines of source code.”
Table of Contents
Five Years after the Fall of the Taliban
By Beth Ellen Cole and Jorge Aguilar, Afgha.com. 29 November 2006
Five years after coalition troops defeated Afghanistan's Taliban-led government, a resurgent al Qaeda-influenced Taliban has resurfaced, with many of its senior leaders now receiving support from the terrorist organization, state supporters in Pakistan, wealthy Arab financiers, and other anti-government forces.
The emergence of a successful media campaign by the Taliban—which had previously eschewed all forms of commercial media —bears the mark of Al Qaeda's tutelage over the past half decade; so too, does the worrying rise in suicide terrorism. The insurgents find an increasingly hospitable environment as popular support for the central government has eroded due to its incompetence, its corruption, and its failure to extend its authority much beyond Kabul.
Winning back the support of the people through security and development is the only way to defeat the insurgency. The center of gravity in this campaign will not be al Qaeda or the Taliban, but the Afghan people.
These were the alarming conclusions drawn by three top experts on terrorism and the Afghan insurgency delivered at a public meeting held by the U.S. Institute of Peace on November 8, 2006, the third of a four-part series on "Afghanistan: Five Years After the Fall of the Taliban."
The meeting featured presentations by Hekmat Karzai, director of the Center for Conflict and Peace Studies in Kabul, Afghanistan; Peter Bergen, author of the best selling book Holy War Inc.: Inside the Secret World of Osama bin Laden; and Seth Jones, a senior political scientist and expert on the insurgency at the RAND Corporation. The discussion was moderated by Beth Ellen Cole, coordinator of the Afghanistan Working Group at the U.S. Institute of Peace. This USIPeace Briefing does not necessarily reflect the views of the U.S. Institute of Peace, which does not take policy positions.
A Campaign "Deeply Intertwined" with al Qaeda
While the face of the Taliban dominates the insurgency, there are other significant players among the forces vying to take over Afghanistan, according to Jones. The Hezb-i-Islami Gulbuddin (HIG) is bent on installing its leader, Gulbuddin Hekmatyar, as the ruler of Afghanistan.
Al Qaeda's foreign fighters and other allied groups seek broader objectives, including U.S. withdrawal from the Middle East. Tribal groups on both sides of the Afghanistan-Pakistan border are involved. Finally, criminal organizations are taking advantage of the chaos unleashed by the insurgency and an economy fueled by the production and trade of narcotics. The Taliban, newly conscious of its international role, and its allies advertise "the clash of civilizations" to the Afghan people with their forces "for Islam" arrayed against the United States and other Western "anti-Islam" forces.
Karzai asserted that the insurgent campaign has evolved and become more sophisticated. For instance, while the Taliban had previously banned "fruits of globalization," it has now adopted media campaigns that make use of DVDs, websites, and other forms of modern technology. Following al Qaeda's lead, the Taliban have developed a video production arm. Al Qaeda's own expanded video production center, As-Sahab, has turned out dozens of statements by Osama Bin Laden and Ayman al-Zawahiri this year.
The Taliban "are learning from them [al Qaeda]," Bergen continued. Jones agreed that the Taliban has become "deeply intertwined" with the al Qaeda organization and has been influenced, both ideologically and militarily, by them.
Another troubling development in Afghanistan is the emergence of suicide terrorism. Karzai's Center has documented a startling increase in suicide attacks in Afghanistan; so far in 2006, there have been 83 suicide attacks—with 21 attacks alone in the month of September—compared to 21 in 2005 and only one in 2001 and 2002.
Jones observed that there have been more suicide attacks in 2006 than in the entire previous history of the country. Moreover, said Bergen, suicide attacks have proven quite successful in achieving the goals of the insurgents. The exponential rise in suicide attacks creates a climate of fear, hinders reconstruction efforts, and has made areas, such as Kandahar, a veritable "no-go" place for foreigners. Jones and Karzai both noted that neither the government nor coalition forces are effectively deploying information operations designed to highlight the fact that the majority of these attacks kill civilians, not military forces.
A Resurgent al Qaeda
While the conventional wisdom is that al Qaeda is effectively dead, replaced by "intellectual" and "homegrown, self-starting movements," Bergen warns that such thinking is flawed and that there are still reasons to fear the Islamist organization.
Although al Qaeda may not be as powerful as in the past, it it continues to thrive and provides leadership for major global terrorist attacks. Its ability to plan and execute attacks was demonstrated by the July 2005 suicide bombing campaign in London, England. Moreover, organizations such as Algeria's Salafist Group for Preaching and Combat and Hekmatyr's HIG have declared allegiance to al Qaeda. People don't join "weak" organizations, Bergen observed.