10 December 1998
(John Serabian says several nations have cyberwar programs) (1470) Washington -- Information warfare, the technique of attacking critical infrastructures by electronically interfering with industry and government computers, has the potential "to deal a crippling blow" to U.S. national security if strong measures are not taken to counter the threat, says Central Intelligence Agency (CIA) official John Serabian. "Potential attackers range from national intelligence and military organizations, to terrorists, criminals, industrial competitors, hackers, and disgruntled or disloyal insiders," Serabian, chief of the CIA's Critical Technologies Group, said December 7. The United States has identified "several countries, based on all-source intelligence information, that have government-sponsored information warfare (cyberwar) programs," he said. "Foreign nations have begun to include information warfare in their military doctrine, as well as their war college curricula, with respect to both defensive and offensive applications." In remarks to the "Defense Week" conference on defending the U.S. critical infrastructure, Serabian discussed what the U.S. intelligence community is doing to counter the information warfare threat. "Our engagement in infrastructure protection extends not just to efforts within the intelligence community," but to participation with other stakeholders in "our nation's infrastructure systems, across government agencies, in academia, and throughout the private sector," he said. Following is the text of Serabian's remarks, as prepared for delivery: (begin text) Just like the proliferation of weapons of mass destruction and international terrorism and drug trafficking, information warfare has the potential to deal a crippling blow to our national security if we do not take strong measures to counter it. Today I hope to leave you with three key points. First, I want you to take away an appreciation for the growing seriousness and significance of the emerging threat to our information systems. Second, I want to emphasize the need to evaluate the threat from initial identification to characterization. From the perspective of both state and non-state actors, proliferation of malicious capabilities exists at every level. And finally, I want to provide you with an appreciation for what the CIA (and the intelligence community) is doing to combat the problem. On this last point, let me emphasize that our engagement in infrastructure protection extends not just to efforts within the intelligence community, but to participation with other stakeholders in our nation's infrastructure systems, across government agencies, in academia, and throughout the private sector. The Challenge Today, as a result of the dramatic growth of and dependency on new information technologies, our infrastructures have become increasingly automated and interlinked. It is in this context that we must appreciate that future enemies -- whether nations, groups, or individuals -- may seek to harm us using non-traditional (cyber) methods. Non-traditional attacks against our information infrastructures could significantly harm both our military power and our economy. Who would consider attacking our nation's computer systems? Potential attackers range from national intelligence and military organizations, terrorists, criminals, industrial competitors, hackers, and disgruntled or disloyal insiders. Each of these adversaries is motivated by different objectives and constrained by different levels of resources, technical expertise, access to a target, and risk tolerance. As Director of Central Intelligence George Tenet testified before the Senate Select Committee on Intelligence in January and more recently again in June before the Senate Governmental Affairs Committee, we have identified several countries, based on all-source intelligence information, that have government-sponsored information warfare (cyberwar) programs. Foreign nations have begun to include information warfare in their military doctrine, as well as their war college curricula, with respect to both defensive and offensive applications. It is clear that nations developing these programs recognize the value of attacking a country's computer systems, both on the battlefield and in the civilian arena. The magnitude of the potential threat from various forms of intrusion, tampering, and delivery of malicious code, is extraordinary. We know with specificity of several nations that are working on developing an information warfare capability. In light of the sophistication of many other countries in programming and Internet usage, the threat has to be viewed as a factor requiring considerable attention by every agency of government. Many of the countries whose information warfare efforts we follow, realize that in a military confrontation against the United States, they cannot prevail. These countries recognize that cyber attacks, launched from within or outside the United States, against civilian computer systems in the United States, represent the kind of asymmetric option they will need to level the playing field during an armed conflict against the United States. Just as foreign governments and the military services have long emphasized the need to disrupt the flow of information in combat situations, they now stress the power of information warfare when targeted against civilian information infrastructures. The battlespace of the Information Age will extend to our domestic infrastructure. Our electric power grids and our telecommunications networks could be targets of the first order. An adversary capable of implanting the right offensive tool, or accessing the right computer system, can cause extensive damage. Terrorists, while unlikely to mount an attack on the same scale as a nation, can still do considerable harm. What's worse, the technology of hacking has advanced to the point that many of the tools which required in-depth knowledge a few years ago, have become automated and more user-friendly. Cyber attacks offer terrorists the possibility of greater flexibility. Theoretically, they can launch a computer assault from almost anywhere in the world, without directly exposing the attacker to physical harm. Moreover, terrorists are not bound by traditional norms of political behavior between states. While a foreign state may hesitate to launch a cyber attack against the United States, due to fear of retaliation or negative political consequences, terrorists often seek the attention and the increase in fear that would be generated by such a cyber attack. Established terrorist groups are likely to view attacks against information systems as a means of striking at government, commercial, and industrial targets, believing there is little risk of being caught. Terrorists and extremists already are using the Internet and even their own Web pages to communicate, raise funds, recruit, and gather intelligence. There are numerous initiatives and working groups in which the intelligence community is involved to better handle the information warfare threat. These range from our national intelligence estimate devoted to this topic to establishing new units within the community to focus on this problem full time. Further, we have made great strides in our cooperative efforts with the Departments of Defense and Justice to overcome cross-agency challenges that the Information Age creates. The Intelligence Community Response Protecting our systems will require an unprecedented level of cooperation across government agencies and with the private sector. That cooperation already has begun. The report of the President's Commission on Critical Infrastructure Protection was a defining moment in identifying vulnerabilities in our information infrastructure, in assessing the potential threat to our national security, and in establishing the requirement as well as the momentum for a coordinated effort on information operations. The intelligence community engaged actively in the preparation of that report as well as in publishing the National Intelligence Estimate (NIE) in 1997 on foreign threats that served as the companion piece to the Commission's report. In producing the NIE, the intelligence community had interaction with representatives from law enforcement and Department of Defense information security agencies to assess the threat to our computer networks. These two documents: the National Intelligence Estimate and the Commission report -- have provided the impetus for significant activity in both the public and private sector to combat the threat to our computer systems. The attention directed to the threat to our information security systems also resulted in the stand-up of dedicated activities within CIA, DIA (Defense Intelligence Agency), and NSA (National Security Agency). CIA established an analytic threat assessment unit in its Office of Transnational Issues and the Defense Intelligence Agency similarly created a threat assessment unit in its Transnational Warfare Group. As a community, we have also been active participants, together with other information operations stakeholders, in the NSC (National Security Council)-Chaired Interagency Working Group that produced the Presidential Directive titled "Critical Infrastructure Protection" and we are now active in the NSC Critical Infrastructure Coordinating Group tasked to implement that directive. Each of these efforts has had a cumulative effect in building the critical mass that will be required to deal with the threat to our information infrastructure. The Commission report, the NIE, and the (May) Presidential Decision Directive will provide the public and private sector with a clear blueprint as to the direction we are taking. CIA (and other intelligence agencies) have also actively participated in DoD (Department of Defense) War Games and continues to incorporate the threats posed by information warfare into an increased number of other exercises. (end text)