Secondary School Level

For decades, electronic warfare has been a separate subject from computer security, even though they have some common technologies (such as cryptography). This is starting to change as elements of the two disciplines fuse to form the new subject of information warfare. The military's embrace of information warfare as a slogan over the last years of the twentieth century has established its importance—even if its concepts, theory, and doctrine are still underdeveloped.

There are other reasons why knowledge of electronic warfare is important to the security professional. Many technologies originally developed for the warrior have been adapted for commercial use, and there are many instructive parallels. In addition, the struggle for control of the electromagnetic spectrum has consumed so many clever people and so many tens of billions of dollars that we find deception strategies and tactics of a unique depth and subtlety. It is the one area of electronic security to have experienced a lengthy period of co evolution of attack and defense involving capable motivated opponents.

Electronic warfare is also our main teacher when it comes to service denial attacks, a topic that computer security people have largely ignored, but that is now center stage thanks to distributed denial-of-service attacks on commercial Web sites. As I develop this discussion I'll try to draw out the parallels. Military communications were dominated by physical dispatch until about 1860, then by the telegraph until 1915, and then by the telephone until recently. Nowadays a typical command and control structure is made up of various tactical and strategic radio networks that support data, voice, and images, and operate over point-to-point links and broadcast. Without situational awareness and the means to direct forces, the commander is likely to be ineffective. But the need to secure communications is much more pervasive than one might at first realize, and the threats are much more diverse.

One obvious type of traffic is the communications between fixed sites such as army headquarters and the political leadership. The main threat here is that the cipher security might be penetrated, and the orders, situation reports and so on compromised. This might result from cryptanalysis or—more likely—equipment sabotage, subversion of personnel, or theft of key material.

The insertion of deceptive messages may also be a threat in some circumstances. But cipher security will often include protection against traffic analysis (such as by link encryption) as well as of the transmitted message confidentiality and authenticity. The secondary threat is that the link might be disrupted, such as by destruction of cables or relay stations. There are more stringent requirements for communications with covert assets such as agents in the field. Here, in addition to cipher security issues, location security is important. The agent will have to take steps to minimize the risk of being caught as a result of communications monitoring. If she sends messages using a medium that the enemy can monitor, such as the public telephone network or radio, then much of her effort may go into frustrating traffic analysis and radio direction finding.

Attack also generally requires a combination of techniques, even where the objective is not analysis or direction finding but simply denial of service. Owen Lewis summed it up succinctly: according to Soviet doctrine, a comprehensive and successful attack on a military communications infrastructure would involve destroying one third of it physically, denying effective use of a second third through techniques such as jamming, trojans or deception, and then allowing one's adversary to disable the remaining third in attempting to pass all his traffic over a third of the installed capacity.

This applies even in guerilla wars: in Malaya, Kenya, and Cyprus, the rebels managed to degrade the telephone system enough to force the police to set up radio nets. In the 1980s, NATO developed a comparable doctrine, called Counter-Command, Control and Communications operations (C-C3, pronounced C cubed). It achieved its first flowering in the Gulf War; the command and control systems used. Before communications can be attacked, the enemy's network must be mapped. The most expensive and critical task in signals intelligence is identifying and extracting the interesting material from the cacophony of radio signals and the huge mass of traffic on systems such as the telephone network and the Internet. The technologies in use are extensive and largely classified, but some aspects are public. In the case of radio signals, communications intelligence agencies use receiving equipment, that can recognize a huge variety of signal types, to maintain extensive databases of signals—which stations or services use which frequencies. In many cases, it is possible to identify individual equipment by signal analysis. The clues can include any unintentional frequency modulation, the shape of the transmitter turn-on transient, the precise center frequency, and the final-stage amplifier harmonics. This RF fingerprinting technology was declassified in the mid-1990s for use in identifying cloned cellular telephones, where its makers claim a 95% success rate. It is the direct descendant of the World War II technique of recognizing a wireless operator by his fist—the way he sent Morse code.

Radio direction finding (RDF) is also critical. In the old days, this involved triangulating the signal of interest using directional antennas at two monitoring stations.

Spies might have at most a few minutes to send a message home before having to move. Modem monitoring stations use time difference of arrival (TDOA) to locate a suspect signal rapidly, accurately, and automatically by comparing the phase of the signals received at two sites. Nowadays, anything more than a second or so of transmission can be a giveaway.

Traffic analysis—looking at the number of messages by source and destination—can also give very valuable information, not just about imminent attacks (which were signaled in World War I by a greatly increased volume of radio messages) but also about unit movements and other routine matters. However, traffic analysis really comes into its own when sifting through traffic on public networks, where its importance (both for national intelligence and police purposes) is difficult to overstate.

This is not as easy as it sounds. Electronic warfare is much more developed than most other areas of information security. There are many lessons to be learned, from the technical level up through the tactical level to matters of planning and strategy. We can expect that, as information warfare evolves from a fashionable concept to established doctrine, these lessons will become important for practitioners.