The dimensions of the terms of reference for an Australian Cyber-warfare Centre require considerable debate and contemplation, and they will in any case only settle once a Centre has begun operating. However, there are several basic planning functions that would be central in any construct. Its activities would be both defensive and offensive. Indeed, the relationship between these is symbiotic, each nourishing the other. Research into ways of penetrating foreign cyber-systems inevitably uncovers vulnerabilities in Australian systems, while research into possible vulnerabilities often suggests ways of exploiting these for offensive purposes.
A core research function of any Australian Cyber-warfare Centre would be the study of telecommunications architectures—the terrestrial microwave relay networks, SATCOM, and fibre-optic cables—both across the region and in particular countries. SATCOM and microwave relays are reasonably accessible, allowing IPs and pro formas for computer-to-computer data exchanges to be identified, and providing opportunities for hacking into command chains, combat information systems, air defence systems and databases. This research activity would also involve the identification of the mobile phone numbers and email addresses of foreign political and military leaders.
Another core research function would be the study of the electronic sub-systems in major weapons systems, such as the avionics of particular combat and support aircraft. This would include, for example, finding ways of penetrating the ‘firewalls’ protecting avionics systems and of using wireless application protocols (WAPs) to insert ‘Trojan horses’. This would conceivably allow Australian cyber-specialists to effectively hijack adversary aircraft (and to choose between hard or soft landings for them). In other cases, it would allow electronic components to be disabled or deceived—essentially conducting ECM and ECCM operations through cyber-space.
A Centre would be centrally concerned with studying the vulnerabilities in both Australian and foreign networks and developments in viruses, worms, ‘Trojan horses’ and other threats to computer-based systems. Publicly acknowledged vulnerabilities in servers indicate promising routes for exploitation. In June 2001, for example, CERT reported a critical flaw in the Hypertext Transfer Protocol (HTTP) component of Cisco Internetwork Operating System (IOS) software using local authentication databases, which ‘allows an intruder to execute privileged commands on Cisco routers’ and to effectively take ‘complete control’ of affected systems.[35] In June 2006, multiple vulnerabilities were reported in certain versions of the Cisco Secure Access Control Server (ACS) for Windows, a key part of Cisco’s ‘trust and identity management framework’ and a cornerstone of its Network Admission Control (NAC) system. Some of the vulnerabilities caused the ACS services to crash, while others allowed ‘arbitrary code execution if successfully exploited’.[36]
The study of viruses and worms would be not merely for remedial or longer-term protective purposes, but even more importantly would inform the R&D of superior viruses and ‘Trojan horses’—making them more malicious, or more selective, or more difficult to trace and diagnose, or less able to be fixed. Some recent examples are the VBS/Loveletter worm (appearing in 2000 and causing between US$5 and US$10 billion in damage), which used a back-door ‘Trojan horse’; the Code Red and Code Red II worms in 2001, which attacked the Index Server in Microsoft Internet Information Servers; the SQL Slammer worm, which attacked vulnerabilities in Microsoft SQL Server; the Blaster worm, which exploited a vulnerability in Microsoft Windows systems; the Sobig and MyDoom worms, which spread rapidly via email; Witty, which exploited vulnerabilities in several Internet Security Systems (ISS) products; and Santy, a ‘Web-worm’ that exploited vulnerabilities in Google.[37] Systematic exploration of all known viruses would suggest the most lucrative avenues to explore.
Destructiveness is not necessarily the objective. Although there is a place in IO for relatively crude cyber-operations, such as defacement of websites and Denial of Service (DoS) attacks, the most effective and successful cyber-warfare activities are those in which control of computer-related systems is taken without detection by the hosts. Covert corruption of databases, deception of sensor systems, and manipulation of situational awareness are much more likely to produce favourable strategic and tactical outcomes.
A Cyber-warfare Centre would be responsible for the preparation of contingency plans. These would include the development of various forms of ‘Trojan horses’ designed to surreptitiously corrupt data and files, and matched to particular national stock exchanges, power utilities, air traffic control systems and other information infrastructure; of plans for disabling and deceiving critical elements of military chains of command; and plans for targeting the computer, communications and electronic systems used by particular individuals and agencies. Scenarios would be continually researched and techniques practised to ensure the currency of the plans in contingent circumstances.
A Cyber-warfare Centre would be responsible for identifying the preparations necessary for expeditious implementation of the plans, including the preparations for offensive operations. Some of this preparatory activity will involve the placement of taps on communications systems, of intercept equipment in microwave alleys, and of various electronic devices on antenna systems and communication junctures in foreign countries—to monitor communications, identify IPs and pro formas, collect local electronic emanations for the application of countermeasures, and to manipulate and deceive air defence and logistical systems. Devices could be implanted in radars and other sensor systems, or at junctures in their data-links. It is obviously easier to do this before crises or wars eventuate. A Cyber-warfare Centre would have to work very closely with designated ASIS or Special Forces elements with respect to these sorts of activities.
The proportion of both international and local telecommunications traffic being conveyed by fibre-optic cables has increased rapidly since the late 1980s, notwithstanding the increasing volume of mobile telephony connected by both satellite and terrestrial transponders. A rising proportion of voice telephony is being carried by the Internet, via cable, satellite and wireless, as Voice over Internet Protocol (VoIP) communications. Current trans-oceanic fibre-optic cables typically have four or eight pairs of fibre strands, each pair providing four channels, with a capacity of 10 Gigabits per second per channel. Systems have been demonstrated which can carry 14 Terabits per second (111 Gigabits per second on each of 140 channels) over a single optical fibre.[38] However, tapping fibre-optic cables is much more difficult than intercepting satellite or terrestrial microwave communications. It requires considerable expertise and specialised equipment, and direct access to the cables.
There are two approaches to tapping fibre-optic cables. One is to access the amplifier or repeater points which regenerate the signals, and which are typically every 160 km or so. This is relatively easy in older systems, which use opto-electronic repeater amplifiers. These convert the optical signals into electrical signals, clean and amplify them and then convert them back to optical for re-transmission; the signals can be intercepted by external induction collars during their electronic stage.[39]
More modern optical cable systems use Erbium-Doped Fibre Amplifiers (EDFAs), in which the signal is boosted without having to be converted into electricity. At each EDFA repeater point there is a small internal tap that takes signals from the eastwards fibre and sends them back along the westwards fibre, letting the cable operators locate cable faults very accurately. These signals can be monitored by inserting tap couplers into the EDFAs, although care must be taken to avoid a voltage drop.
The second approach involves the ‘scrape and bend method’, in which a small piece of cladding is removed from one side of the cable, allowing a detectable amount of light to escape but not enough to alert the cable operators. The exposed fibre is placed in a special reader unit that bends it slightly, so that some of the light strikes the glass wall close enough to the perpendicular to be refracted out of the fibre, where a photon sensor or other light-detecting device reads the escaping light. Dummy light packets may have to be inserted so that the photon loss is not noticed.[40]
Transmission of the intercepted data is a formidable problem. A cable can be carrying hundreds of gigabits of data, the equivalent of a hundred million telephone calls at a time. Handling it requires prioritising, based on careful consideration of future intelligence requirements, as well as placement of equipment at the tap sites. The techniques involved include distinguishing the Synchronous Optical Network (SONET) frames that carry the multiplexed digital traffic; concentrating on selected IPs and other easily sorted packets; and using filters that reduce terabits per second of traffic to a manageable volume.
In 2005, the USS Jimmy Carter, one of the new Seawolf class of submarines, was extensively modified for a range of covert missions, including tapping undersea optical cables.[41] However, these missions are obviously extremely complex as well as very expensive.
Fortunately, signals are rarely conveyed by optical cable, let alone undersea cable, for the whole of their journey from sender to recipient. Undersea cables have landing points where they connect with satellite ground stations, terrestrial microwave relay stations, or other cable systems, which in turn often connect with mobile telephony or broadband wireless transponders. The terminals, junctions and switching centres, as well as the Network Access Points (NAPs), now usually called Internet Exchange Points (IXPs), where networks exchange Internet traffic, are more accessible and likely to be more lucrative than most undersea cables.
[35] CERT, ‘CERT Advisory CA-2001-14 Cisco IOS HTTP Server Authentication Vulnerability’, 28 June 2001, available at <http://www.cert.org/advisories/CA-2001-14.html>, accessed 4 March 2008.
[36] Kevin McLachlan, ‘Flaw Found in Cisco Secure Access Control Server’, 26 June 2006, available at <http://www.crn.com/it-channel/189601708>, accessed 4 March 2008; and ‘Multiple Vulnerabilities in Cisco Secure Access Control Server’, 7 January 2007, available at <http://www.securiteam.com/securitynews/5DP0420KAG.html>, accessed 4 March 2008.
[37] ‘Timeline of Notable Computer Viruses and Worms’, Wikipedia, available at <http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms>, accessed 4 March 2008.
[38] Frank W. Kerfoot and William C. Marra, ‘Undersea Fiber Optic Networks: Past, Present, and Future’, IEEE Journal on Selected Areas in Communications, vol. 16, no. 7, September 1998, pp. 1220–25, available at <http://ieeexplore.ieee.org/iel4/49/15642/00725191.pdf?arnumber=725191>, accessed 4 March 2008; and ‘14 Tbps Over a Single Optical Fiber: Successful Demonstration of World’s Largest Capacity’, NTT Press Release, 29 September 2006, available at <http://www.ntt.co.jp/news/news06e/0609/060929a.html>, accessed 4 March 2008.
[39] Stephen Cass, ‘Listening In’, IEEE Spectrum Special Report on Intelligence and Technology, vol. 40, no. 4, April 2003, pp. 32–37, available at <http://www.estig.ipbeja.pt/~lmgt/st/other/Listening%20In.pdf>, accessed 4 March 2008; and ‘NSA Tapping Underwater Fiber Optics’, available at <http://slashdot.org/articles/01/05/23/2142216.shtml>, accessed 4 March 2008.
[40] John R. Freer, Computer Communications and Networks, UCL Press, University College London, London, 2nd edition, 1996, p. 305.
[41] Cass, ‘Listening In’, pp. 33–37.