Persistent Threat: Historical Background (excerpt from a research paper)
According to Toronto Star reporter Stephan Handelman, in an article printed in 2005, senior U.S. intelligence analysts consider China to be the greatest long-term threat to U.S. stability. China's military force and computer intelligence capability have reached their peak. Both the Europeans and the U.S. agree that the expansion of the Chinese military is more than "worrisome."
Another article, posted on November 16, 2007 by the Washington Post, claims that Chinese spying in the United States is the biggest threat to keeping American technologies secret. Advances by the Chinese military are catching U.S. intelligence officials by surprise. It has also been suggested that the U.S. Department of Defense could inadvertently outsource the manufacturing of key weapons and military equipment to China. China is attempting to reverse its move into free markets by setting up state-owned enterprises and taking control of the 12 major industries, which include oil, telecommunications, shipping, automobiles, steel and information technology.
The PLA has developed a strategy called "Integrated Network Electronic Warfare," which is said to guide its employment of CNO as well as related information warfare tools. The strategy consists of using network warfare tools and electronic warfare weapons against enemy information systems. One of the main goals of the PLA is to achieve information dominance at both the strategic and the campaign levels, according to the Science of Military Strategy and the Science of Campaigns. It is important that the PLA make the transition from a mechanized force to an information force in order to win local wars against an enemy with a greater technological advantage, such as the United States. A strong warfare capability to control an enemy's access to its own technology is extremely important to winning.
PLA Information Warfare Planning
In order to fight a technology war effectively, one must be able to accurately assess the likely impact on the adversary of a CNA strike on any given asset. This type of assessment depends on understanding the adversary's network dependencies. In other words, have a good handle on the center of operations and choose the sequence in which targets are struck. Identify the enemy's weaknesses and arrange to take them down one by one. This requires knowledge of the enemy's entire operational system and procedures. Mission planners should have a clear understanding of enemy network dependencies in order to break their line of defense. CNA planners also need a clear understanding of the cultural and military sensitivities surrounding an attack.
Chinese Computer Network Operations During Conflict
PLA commanders have CNO available during times of conflict, even though the PLA rarely discusses CNO. CNO can be compared to missiles or air power. It is important to understand how CNO could be used in support of larger campaigns, and to do this one must understand CNO in its proper context. The strategy of CNO is simple: deny the enemy access to the information systems that are critical for combat operations, and analyze the enemy's weak points.
Chinese military leaders are typically influenced by their culture and traditional strategies, and they have shown a willingness to use great force and strength in situations where the PRC was considered the weaker party. In some cases, conflict is judged to be less costly than waiting for a later date when conditions would be less favorable to China. This logic seems unusual to Western cultures, but it reflects ever-changing strategic conditions. Both PLA and PRC leaders apply this same logic and strategic planning, particularly in weapons planning.
The PLA uses CNO together with EW weapons as a joint campaign capability. CNO is used for obtaining information while creating opportunities for air, ground and naval forces to act upon. In a military crisis between China and the U.S., CNO would most likely be used to make repeated attacks against the U.S. Department of Defense. These attacks are typically used to gather and degrade U.S. information and support systems so that the PLA may achieve its overall objectives. Both CNO and IW weapons may help delay the U.S. military response without requiring direct combat with U.S. forces, which are far superior.
The Logistics of Networks and Databases in a Conflict
In assessing the U.S. campaigns in Iraq (Desert Storm and Operation Iraqi Freedom), weak points can be identified in force deployment and logistics. On the flip side, defeating U.S. logistics systems will not by itself defeat the U.S. military, but such disruptions would buy the PLA (or whoever the attacker may be) time. Time is important in battle and can be decisive in an enemy's defeat or victory.
Of interest regarding logistics are specific unit deployment schedules, the rate of re-supply and scheduled materiel movement, assessments of unit readiness, lift availability and scheduling, maritime pre-positioning plans, air tasking orders for aerial re-fueling operations, and the logistic status of bases in the Western Pacific theater. Maintaining effective movement control during a major mobilization is by nature extremely difficult and complex. Major delays can be created by disrupting information systems at key nodes, with an emphasis on shipping terminals and airports, which would bring operations at the affected destination to a stop.
If the PLA can compromise just one weak password, whether by logging in with it or by exploiting a SQL injection vulnerability, many logistics databases could be compromised with what is considered relatively easy access. Continual access to NIPRNET via CNA techniques, and to the logistics information that supports the TPFDD for different war plans, would allow the PLA to put together a detailed intelligence picture of the intended U.S. force deployment.
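The SQL injection weakness mentioned above comes down to how an application builds its queries. The following added example (not code from the paper or from any system it describes) places a vulnerable login lookup beside its parameterized replacement, using Python's standard sqlite3 module and a constructed in-memory table; the table contents, user names and the `login_*` function names are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny in-memory "users" table standing in for a
# logistics application's credential store. Plaintext passwords are used only to
# keep the demonstration short; a real system stores salted password hashes.
SAMPLE_USERS = [
    ("jsmith", "correct-horse-battery", "logistics_clerk"),
    ("admin", "r4nd0m-long-secret", "admin"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' form: untrusted input is spliced into the SQL text, so a
    quote character in the input changes the structure of the query."""
    query = (
        "SELECT role FROM users WHERE username = '" + username + "'"
        " AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """The hardened form: a parameterized query. The SQL text is fixed and the
    values travel separately, so input is only ever compared as data."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The textbook tautology supplied in the password field. In the vulnerable query
# the WHERE clause becomes ... AND password = '' OR '1'='1', which matches every
# row, so a role is returned without any valid password.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", login_vulnerable(db, "admin", TAUTOLOGY))  # a role is granted
    print("hardened:  ", login_hardened(db, "admin", TAUTOLOGY))    # None
```

The parameterized form is the fix the paper's "relatively easy access" observation calls for: the database driver never lets the input be parsed as SQL, so the weak-password problem is reduced to the password itself rather than being bypassable entirely.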
The basic PLA strategy against NIPRNET logistics is likely very simple. It is speculated to be a combination of attacks on specific network segments that do not authenticate ordinary Internet traffic through a proxy server before it leaves the network. By doing this, the attackers are able to operate much more freely within the network. An attacker in this situation can connect to a remote C2 node to download additional tools and can exfiltrate data without needing valid user credentials.
There have been reports of China attacking U.S. networks in the past. These reports suggest that the individuals conducting these operations have the ability to identify specific users within a unit or organization based on their job functions or presumed access to information. If an attacker is able to obtain or exploit legitimate user credentials, the attacker can review file directories and potentially target specific files to alter, depending on mission requirements and the U.S. INFOCON levels. These attackers can also passively monitor network traffic for intelligence collection purposes. Using these machines and strategies during times of peace may enable attackers to prepare a reserve of compromised machines for use during a crisis.
Chinese CNO operators probably possess the technical sophistication to build and upload rootkits, convert remote access software, and create deep persistent access to whatever host is compromised, which makes their detection extremely difficult if not nearly impossible. An "upstream" attack on the networks of the civilian contractors that provide logistics support to operational units has the potential for greater impact, and is potentially easier against smaller companies, which usually lack the resources or expertise for sophisticated network security and monitoring. Many of the vulnerabilities outlined above could be minimized if the network used a proxy server, implemented firewalls, blocked proxy access without valid user identification, and prevented user credentials from being exposed to attackers.
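The mitigations just listed (an authenticating proxy, firewall rules that force traffic through it) are only as good as the monitoring that confirms they hold. The following added example, which is not from the paper or any real product, runs a check over constructed firewall and proxy log lines: it flags internal hosts that reached the Internet without passing through the proxy, and proxy requests that were served without an authenticated user. The log format, addresses and network ranges are all assumptions made for the demonstration.

```python
import ipaddress

# Constructed address plan for the demonstration (not a real network). The proxy
# sits at 10.0.0.8, inside the internal range, so traffic to it is not egress.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log lines in a simplified key=value format. "fw" lines are firewall
# connection events; "proxy" lines are proxy access events, where user=- means
# the proxy served the request without authenticating the requester.
SAMPLE_LOG = """\
kind=fw src=10.1.2.3 dst=10.0.0.8 dport=8080 action=allow
kind=proxy src=10.1.2.3 user=jsmith url=https://example.com/
kind=fw src=10.1.2.9 dst=203.0.113.5 dport=443 action=allow
kind=proxy src=10.1.2.7 user=- url=http://198.51.100.4/download
kind=fw src=10.1.2.7 dst=198.51.100.4 dport=80 action=deny
"""


def parse_event(line):
    """Split 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_policy_gaps(log_text):
    """Return (direct_egress, unauthenticated).

    direct_egress: allowed connections from an internal host straight to an
    external address, i.e. traffic that left the network without the proxy.
    unauthenticated: requests the proxy served without a user identity.
    """
    direct_egress = []
    unauthenticated = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["kind"] == "fw":
            src = ipaddress.ip_address(ev["src"])
            dst = ipaddress.ip_address(ev["dst"])
            if ev["action"] == "allow" and is_internal(src) and not is_internal(dst):
                direct_egress.append((ev["src"], ev["dst"], int(ev["dport"])))
        elif ev["kind"] == "proxy" and ev["user"] == "-":
            unauthenticated.append((ev["src"], ev["url"]))
    return direct_egress, unauthenticated


if __name__ == "__main__":
    egress, unauth = find_policy_gaps(SAMPLE_LOG)
    print("egress bypassing the proxy:", egress)      # one allowed direct connection
    print("proxy requests without a user:", unauth)   # one request with user=-
```

Each hit is a policy gap rather than an incident in itself, but both are exactly the conditions the paragraph describes: a segment where traffic leaves without passing an authenticating proxy, and a proxy that lets unidentified hosts out. Reviewing these lists on a schedule turns the listed mitigations into something that can be verified rather than assumed.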
Another way Chinese CNO operators may compromise the U.S. is by uploading invalid information (false records) without the U.S. knowing, or by corrupting current user files and records, possibly intending that the corruption be detected. Discovering this type of file corruption would force a manpower-intensive review of the targeted unit's database records and other files, which would in turn create very costly operational delays. If this type of attack were made against several large or critical supply nodes, the impact would be significant.
Compromising a NIPRNET-based logistics database, whether to upload files or to alter existing ones, would require PLA operators to compromise a computer on the targeted LAN and operate with that user's credentials. This capability has been observed in previous intrusion attempts against U.S. networks. These past compromises or attack attempts can be attributed to China in many instances.
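The two preceding paragraphs describe an attacker who has a legitimate user's database credentials and uses them to alter records or insert false ones. A keyed integrity tag over each record narrows the costly "review everything" response to just the records that fail verification, provided the key is held outside the database where those credentials cannot reach it. The following added example (not code from the paper or any fielded system) computes an HMAC-SHA256 tag per record and then shows both an altered record and a forged record being caught; the records, key and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demonstration key. In practice the key lives outside the database
# (for example in an HSM or a separate verification service), so an attacker who
# has only a user's database credentials cannot re-sign the records they alter.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed logistics records (no real data).
SAMPLE_RECORDS = [
    {"id": "LOG-0001", "unit": "1st Bn", "item": "fuel", "qty": 5000, "ship_date": "2010-03-01"},
    {"id": "LOG-0002", "unit": "2nd Bn", "item": "rations", "qty": 1200, "ship_date": "2010-03-02"},
    {"id": "LOG-0003", "unit": "3rd Bn", "item": "parts", "qty": 40, "ship_date": "2010-03-03"},
]


def canonical_bytes(record):
    """Serialize a record deterministically so identical content always yields
    the same tag regardless of key order in the source dict."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(key, record):
    """HMAC-SHA256 over the canonical form; stored alongside the record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_records(key, rows):
    """rows: iterable of (record, tag). Returns the ids of records whose tag does
    not verify, which covers altered fields and forged records alike."""
    failures = []
    for record, tag in rows:
        if not hmac.compare_digest(tag_record(key, record), tag):
            failures.append(record["id"])
    return failures


def simulate_tampering():
    """Tag the sample records, then alter one and insert a forged one, as an
    attacker with write access to the table (but not the key) could."""
    rows = [(dict(r), tag_record(DEMO_KEY, r)) for r in SAMPLE_RECORDS]
    # Alter the quantity of an existing record; its stored tag no longer matches.
    rows[1][0]["qty"] = 12
    # Insert a forged record; without the key the attacker can only guess a tag.
    forged = {"id": "LOG-0099", "unit": "2nd Bn", "item": "fuel", "qty": 9000, "ship_date": "2010-03-09"}
    rows.append((forged, "0" * 64))
    return verify_records(DEMO_KEY, rows)


if __name__ == "__main__":
    print("records failing verification:", simulate_tampering())  # ['LOG-0002', 'LOG-0099']
```

The verification pass is cheap enough to run on every read or on a schedule, and its output is a short list of suspect records rather than the whole database, which is what limits the operational delay the paragraph above is concerned with.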
If this type of attack were detected, there could be a greater impact on U.S. forces in terms of perception management and psychological operations. This would have a greater impact than…