- The US Defense Intelligence Agency says it plans to award a contract to security firm Veridian to study intrusions and attacks against Department of Defense (DOD) networks "from computers located in a particular foreign country." Intelligence experts says that country is China.
Former intelligence officials, speaking on condition of anonymity, say the contract with Veridian to analyse intrusion data and produce a list of specific IP addresses that may pose a threat to DOD networks is an effort to determine the "level of activity" of China's information warfare program.
"They want to see if they can target a specific country and determine if the intrusions are kids using China as a jumping off point or a government programme," says one former official.
At least 20 countries, including Russia and China, are known to be developing information warfare strategies that specifically target US military and private sector data networks, according to recent DIA and CIA estimates. However, officials say China has been particularly active. The fear is that computer viruses and worms unleashed by foreign hackers could wreak havoc on the US infrastructure in the event of a military conflict.
One former official says the Energy Department witnessed a tenfold increase in intrusion attempts originating from China during the espionage investigation against Chinese-American physicist Wen Ho Lee. Part of the Veridian contract calls for the company to correlate hacking incidents with particular world events.
The contract also calls for Veridian to study intrusion data from "computers that show evidence of being under the control of people in that country, who range from hackers to government personnel." Likewise, the resulting Veridian study must include a time line and link analysis, a list of DOD systems attacked, computer network functions attacked, specific attack methodologies found, and patterns and trends in hacker tool sophistication. However, officials point out that Veridian will be collecting the data from DOD Computer Emergency Response Teams, not directly from Chinese systems.
Veridian declined to comment on the contract. However, the nature of the work raises questions in the minds of intelligence and industry experts regarding the state of government organisation to combat cyberattacks and the risks security companies take in the market when they enter into such contracts. A private company that accepts a US government security contract targeting a specific country runs a high risk of losing access to that country for any future business.
"There clearly are risks if a company does much business overseas," says Bill Crowell, CEO of Santa Clara, California-based Cylink and a former director of the National Security Agency (NSA).
Mike Higgins, CEO of Para-Protect, a security firm in Centreville, Virginia, agrees that companies take big risks when they enter into such contracts. "This business is, more than anything else, about trust," says Higgins, who, as a former DIA official, helped organise the DIA's first incidence response centre.
"You're definitely staining yourselves for any appreciable amount of work overseas," he says, adding that his company's trust relationships with Fortune 500 companies are international in nature.
However, an interesting side question is "why is DIA doing this?" said Crowell, alluding to the fact that such operations have historically been the responsibility of the NSA. "That question gives rise to the whole issue of how the U.S. government is organized to deal with cyberattacks, both cybercrime and cyberwarfare," he said.
Higgins also questioned the role of the DIA, which serves as a military intelligence support agency for the Pentagon, in contracting for such services, and he noted the peculiar absence of the NSA.
"What the hell's going on here? Why isn't NSA contracting this?" asked Higgins. He also questioned the need for a private contractor to do this sort of analysis at the DIA. "We always had the capability to do this in-house."
The Defense Department recorded more than 24,000 intrusions into its networks last year, compared with 22,144 in 1999 and 5,844 in 1998. However, Higgins said those figures are much lower than the number of attacks that actually take place. Most incidents go unreported, he said.
Meanwhile, a report by the Defense Science Board released in February puts the cost to the US economy from viruses at $US1.5 trillion a year, or 2.5% of the gross domestic product. Chinese information warfare experts have recommended the use of viruses and worms as a means to wreak havoc on the US infrastructure in the event of a military conflict. The increasing threat of such information warfare tactics caused the science board to recommend that the Pentagon shift its focus away from garden-variety hackers to more significant threats to national security.
"Too much money and time is being spent on the lower-level threats to the nation's networks (eg, hackers), and not enough on figuring out how to protect information systems from state and terrorist warriors who understand how to exploit compromised data," the board's study concludes.
According to several former intelligence officials, the US intelligence community is still far from developing what is known as the "cyberintelligence preparation of the battlefield."
With any luck, says one official, this contract will start the process of including cyberintelligence in individual country studies used by intelligence planners.