Information Operations

by Martin Rutishauser, July 2009

This article gives some insight into the world of Information Operations, illustrated with real examples. After a short introduction to the topic, it describes the history of Information Operations and the tools and techniques currently available. It also explains the motivation behind them, gives a short outlook into the future and presents countermeasures.

Introduction

Information Operations is originally a military term covering all kinds of activities involving information. Information Operations can be defensive or offensive in nature: defending one's own information and information systems while taking actions to affect an adversary's information and information systems. Information warfare is the use and management of information in pursuit of a competitive advantage over an opponent.

This is often done by manipulating information, or by filtering which information people should or should not see. A very good example is the following picture:

[Picture: Perception]

The original picture is the colored one. If only the left part of it is shown, it could be a soldier holding a rifle to the head of a captured soldier; if only the right part is shown, it seems to be a soldier giving water to another soldier. It is easy to manipulate the context of a picture or story simply by showing the view that best fits one's needs.

History

The concept of Information Operations is not new; it reaches back around 2500 years. Sun Tzu, a Chinese author, wrote “The Art of War”, probably the first book about military strategy ever. Sun Tzu wrote about deceit, how to manipulate opponents and how to win military conflicts. In the 19th and 20th centuries, the western hemisphere (military, economy and politics) slowly started to adopt this knowledge.

Information Operations (Info Ops) was and still is an evolving discipline within the military. Since the 1980s, the US Air Force has had an Information Warfare Squadron, and in the 1990s the US dominated this discipline with the leading concepts of “Command and Control Warfare” and “Information Warfare”. This also has to do with the so-called “CNN effect” (public media reports influencing political decisions and public opinion) of the first Gulf War in that period. Controlling information means winning the fight (or hiding the loss).

Then Information Operations were elevated into the information age, as the internet became publicly available in the 1990s. The internet, as a decentralized global information warehouse, helps a lot in controlling or manipulating the worldwide information flow. Now not only social networks, but also search engine cookies, web bugs [1] and other data mining techniques can be used to get more information about almost everything.

Around the year 2000 [2], a global system dating from the 1970s was exposed. Its name: Echelon. This is the first public knowledge of an autonomous and mostly unattended worldwide surveillance system. The governments behind Echelon are the USA, GB, Canada, New Zealand and Australia. In the 1980s the system was known to monitor almost every electronic communication, searching for some hundreds of keywords in real time. After its exposure, the system was renamed P-415, but it still works and has been extended massively since then.

In 2001, a school for economic warfare was founded in France [3]; it has produced some graduates every year since then.

In 2003, the US Pentagon released a document called “The Information Operations Roadmap” [4] (declassified in 2006). The operations described in the document include a wide range of military activities: public affairs officers who brief journalists, psychological operations troops who try to manipulate the thoughts and beliefs of an enemy, computer network attack specialists who seek to destroy enemy networks, and a major disinformation project to plant false stories in any available news media.

Tools and Techniques

The tools and techniques of Information Operations are similar to those of intelligence and secret services. The main intelligence actions can be described as protect, obtain, improve, influence, disturb and destroy. The general information base is open source, meaning everything you can find publicly on the internet. This is also known as Open Source Intelligence (OSINT): gathering and correlating all freely available information.

On social networks (like Xing, Facebook, Myspace, LinkedIn), forums or homepages, people tend to give away a lot of information about themselves; that is an easy one. Wikipedia is great, but anybody can edit the content to their liking, so is it really a trustworthy source of information? Public sources like search engines, newsgroups, DNS, phone books, social numbers, company registers, websites and more can also provide valuable information for free. Single pieces of information are not the general problem, but correlation and analysis can reveal a lot of private information about a person.
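To make the correlation point concrete, here is an added Python example (not part of the original article) that links constructed, fictitious records from several public-source types on shared identifiers and reports which source exposed which attribute, the way a person or company would assess their own exposure. The record contents, the source names and the choice of linking keys (email, phone, handle) are all assumptions made up for the illustration.

```python
"""Added example: correlate harmless-looking public fragments into a profile.

All records below are constructed for illustration (no real people, no
real sources). Records are linked when they share a value for one of
LINK_KEYS, transitively; each attribute of the merged profile keeps the
name of the source that exposed it, so the owner can see what to remove
and where.
"""
from collections import defaultdict

LINK_KEYS = ("email", "phone", "handle")  # assumed identifying fields

RECORDS = [  # constructed sample data
    {"source": "social_network", "handle": "jdoe83", "name": "J. Doe",
     "employer": "ExampleCorp", "hometown": "Springfield"},
    {"source": "phonebook", "name": "Jane Doe",
     "phone": "+00 00 000 00 00", "street": "Example Street 1"},
    {"source": "forum", "handle": "JDoe83", "email": "jdoe@example.org",
     "interests": "wind turbines"},
    {"source": "company_register", "name": "Jane Doe",
     "email": "JDoe@example.org", "role": "board member",
     "company": "ExampleCorp"},
    {"source": "domain_registration", "email": "jdoe@example.org",
     "phone": "+00 00 000 00 00", "domain": "example.org"},
    {"source": "social_network", "handle": "other_user",
     "name": "Someone Else"},
]


def _normalize(value):
    """Case-insensitive, whitespace-tolerant comparison key."""
    return "".join(str(value).split()).lower()


def correlate(records):
    """Group records that share any LINK_KEYS value (transitively) and
    merge each group into a profile with per-attribute provenance."""
    parent = list(range(len(records)))  # union-find over record indices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # (key, normalized value) -> index of first record
    for idx, rec in enumerate(records):
        for key in LINK_KEYS:
            if key in rec:
                token = (key, _normalize(rec[key]))
                if token in first_seen:
                    union(first_seen[token], idx)
                else:
                    first_seen[token] = idx

    groups = defaultdict(list)
    for idx in range(len(records)):
        groups[find(idx)].append(idx)

    profiles = []
    for members in groups.values():
        attributes = defaultdict(list)
        for idx in members:
            rec = records[idx]
            for attr, value in rec.items():
                if attr == "source":
                    continue
                entry = (value, rec["source"])
                if entry not in attributes[attr]:
                    attributes[attr].append(entry)
        profiles.append({
            "sources": sorted({records[i]["source"] for i in members}),
            "attributes": dict(attributes),
        })
    # Most-exposed profile (most distinct sources) first.
    profiles.sort(key=lambda p: len(p["sources"]), reverse=True)
    return profiles


def exposure_report(profile):
    """Human-readable list: attribute -> value (source), one line each."""
    lines = [f"linked sources: {', '.join(profile['sources'])}"]
    for attr, entries in sorted(profile["attributes"].items()):
        for value, source in entries:
            lines.append(f"  {attr}: {value} ({source})")
    return "\n".join(lines)


if __name__ == "__main__":
    for profile in correlate(RECORDS):
        print(exposure_report(profile))
        print()
```

Five records that each look harmless on their own collapse into one profile containing a home address, an employer, a board role and a registered domain; the per-attribute source names show which single publication would have to be removed to break a given link.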

Information Operations can be divided into two categories, defensive and offensive. Here is a (non-exhaustive and unordered) list:

Defensive: Information assurance, Network defense, Traffic Monitoring, Lawful Interception, Data Mining, Threat and risk analysis, Organizational and technical measures, Computer Security Emergency/Incident Response Team (CERT, CSIRT), Internet Societies (ISOCs), Protection of critical civil infrastructure, Honeypots and Honeynets, Information Classification, Encryption, Intrusion Detection/Prevention, Data Retention, Compliance, Penetration Testing, Forensic Analysis

Offensive: Network based operations, Hacking, Denial-of-Service, Targeted Malware, Client-Attacks, Drive-by-Infections, Social Engineering, Espionage, Content Monitoring, Lawful Interception, Attacking critical civil infrastructure, Manipulation, Psychological Operations, Deception, Rumors, Marketing and Public Relations, Agents, Bugs, Electronic Jamming

Motivations

Normally, the general motivation behind Information Operations is power in some form. This can be financial benefit, hiding a story, making a small story big, market success, political influence, beating opponents, influencing the economy or the stock exchange, manipulating the thinking of ordinary people, and so on (the list could be endless).

A good example of the motivation behind Information Operations is a case [5] that happened some time ago. In the mid-1990s, Enercon (a German wind turbine manufacturer) developed a new prototype of a wind turbine. The PIN for the facility was sent unencrypted over telecom links. Days later, somebody broke into the facility. Months later, Kenetech Windpower (a US wind turbine manufacturer) was granted a patent for an almost exact copy of the Enercon prototype, barring Enercon from importing this technology into the US market.

The military mainly focuses on critical infrastructure, communication and transport. If a defender cannot withstand power outages, phone communication outages, remotely manipulated TV channels or manipulated flight control, the attacker has the advantage. In the Kosovo war (1999), NATO and its allies jammed or manipulated TV channels, broadcasting radio stations and radar stations. In the war in Chechnya (2008), the ongoing cyberwar was uncovered [6] publicly.

In 2007, an espionage scandal became public between Ferrari and McLaren, and between Ferrari and Toyota [7]. Having more information than an opponent, or knowing what an opponent will do next, is the motivation in this case.

These are just some examples of what is going on, and, by the way, only the examples that are publicly known. Espionage and Information Operations are not yet discussed in public very often; they just get uncovered accidentally.

The motivation of Information Operations is always to suppress knowledge of unfavourable or contrary information and to publish useful information. Sometimes it is just a filter, sometimes active manipulation. Almost everybody watches TV, so many people can be reached through this medium; that is why TV marketing still works nowadays. The internet is a new age in which so much information is available that it is almost impossible to filter out the real or true information.

Future

Now it is 2009 and there are a lot of current topics. What is certain is that Software as a Service (SaaS) is currently extending into Cloud Computing, which brings more risks than before (storage of data in environments with limited possibilities of control, no physical access to or control over the data). Privacy seems to be more and more important, but the trend in society goes in the opposite direction: (half-)naked pictures on Facebook [8], love stories on a website, holiday pictures with friends on Myspace. Data Mining, Competitive Intelligence, Business Intelligence and Statistics are the weapons of the future.

Surveillance, Lawful Interception and Censorship will also continue, not only in dictatorial regimes, and even further than George Orwell predicted in 1984. Encryption is already widely used and will be used even more, but who really knows whether encryption algorithm X is really secure or has already been broken silently? Are parts of the secret key known to agencies (key escrow)? Can the security of an encryption algorithm be downgraded? And the best algorithm does not protect you if too simple a password is chosen.

Countermeasures

There are some countermeasures one can take. First of all, some branches are more threatened than others. In general, the financial sector is interesting for attackers, as are governmental and military-related companies. Next come all providers of critical infrastructure, transportation, telecommunication and internet, and other technology- or product-leading companies such as the pharmaceutical industry. These institutions should take more precautions than all the others.

If somebody collects information or has to use information, he or she should be aware that it could be manipulated. So if the information is referenced or used in a decision, it should always be verified. Too much information entertainment (infotainment) is going on, and people often don't ask questions, just believing things because others say so as well.

In a corporate environment, classification of information is necessary, as is controlling the information flow. Repeated checks of information exposure (infrastructure, website, Google) are needed, as well as compliance checks against laws and regulations. A current inventory of computer systems, a good baseline protection and regular patch management should be in place, not only firewalls and antivirus. And don't forget to have a current backup of the data in a safe place; this IS the last line of defense.
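One small, repeatable piece of the "check your own information exposure" advice is to look at what a company's own web server tells everyone about its software. The following Python script is an added example (not from the original article) that parses two constructed HTTP responses, a leaky one and a hardened one, and flags headers and a generator meta tag that announce server-side software, distinguishing a bare product name from a concrete version number. The product names, the responses and the list of headers to inspect are assumptions made for the illustration.

```python
"""Added example: check an HTTP response for software-version disclosure.

Both responses are constructed samples with fictitious product names.
The check parses the raw response, inspects headers that commonly
announce server-side software, classifies each as a bare product name
or a concrete version, and finally looks for a <meta name="generator">
tag in the HTML body.
"""
import re

# Headers that commonly announce server-side software (assumed list).
DISCLOSING_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version",
    "x-aspnetmvc-version", "x-generator", "via",
}
VERSION_RE = re.compile(r"\b\d+(\.\d+)+\b")  # e.g. 2.0.1 or 5.2
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)

LEAKY_RESPONSE = (  # constructed: announces three product versions
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleHTTPd/2.0.1 (Unix)\r\n"
    "X-Powered-By: ExampleLang/5.2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="ExampleCMS 3.1">'
    "</head><body>hello</body></html>"
)

HARDENED_RESPONSE = (  # constructed: generic banner, no versions
    "HTTP/1.1 200 OK\r\n"
    "Server: webserver\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head></head><body>hello</body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers, body).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line, ignore
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers, body


def _classify(value):
    return "version disclosed" if VERSION_RE.search(value) else "product disclosed"


def audit_response(raw):
    """Return a list of (location, value, finding) tuples, headers first."""
    _status, headers, body = parse_response(raw)
    findings = []
    for name in sorted(set(headers) & DISCLOSING_HEADERS):
        findings.append((f"header {name}", headers[name], _classify(headers[name])))
    match = GENERATOR_RE.search(body)
    if match:
        findings.append(("meta generator", match.group(1), _classify(match.group(1))))
    return findings


def version_leaks(raw):
    """Only the findings that reveal a concrete version number."""
    return [f for f in audit_response(raw) if f[2] == "version disclosed"]


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for location, value, finding in audit_response(raw):
            print(f"  {finding}: {location} = {value!r}")
```

Run it against captured responses from your own sites; a generic product name in the Server header is usually acceptable, while a concrete version number is what patch-level checks by outsiders key on and is worth removing in the server configuration.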

Normally, the inner network is protected by firewalls, content filtering and a lot of other measures. So if somebody would like to attack a company successfully, it is probably easier to get hired as an employee and hack internally than to come in from the internet past all the filtering devices and painful, time-consuming security measures.

If today's youth want to expose themselves on the internet, that is one thing, but they should also be aware that the internet does not forget socially non-compliant pictures of alcoholic excursions on teenage weekends. Social network profiles can be downloaded, so they can survive even after being deleted.

People also tend to give away information for free, for example for bonus cards (get your 10th beer free, discount points, member cards) or contests (win a phone, a car, a holiday). Companies known for Data Mining (---COMPANY NAMES HAVE BEEN REMOVED BY PUBLISHER---) should be avoided or used sensibly wherever possible; every intelligence service is very interested in this kind of information.

But consider: centralized storage of data can lead to a single big security breach (and data loss); on the other hand, it is more difficult to control the security of decentralized data storage.

And last but not least, people should be aware of Social Engineering: there are people who manipulate other people into doing things they should not. They pay you $ if you do something. Loyalty is the virtue/value of the future; to trust or not to trust, that is the question. Limiting access, following need-to-see/need-to-know principles and establishing general user awareness seem to be more and more important. And administrators should not expose the company on the internet, for example by asking stupid firewall questions (version numbers, anybody?) in public newsgroups.

There is no need for panic in general, but this is a wake-up call: espionage and information operations are happening more than is publicly thought or seen. Ask yourself: Is this information verified by at least 3 different sources? Who benefits if the information is in this context or another? Who profits from this information? Keep your eyes and mind open, exchange information carefully and securely, practice critical thinking and don't forget common sense. There is a lot of information out there that gets lost, analyzed, correlated or manipulated; take care...

Publisher's note: The above suggested measures might not be realistic for everyone; we recommend that you follow a risk-based approach and hope that this article helps you to take informed decisions.


References

  • [1] http://www.bugnosis.org
  • [2] http://www.cyber-rights.org/interception/stoa/interception_capabilities_2000.htm
  • [3] http://www.ege.fr
  • [4] http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB177/info_ops_roadmap.pdf
  • [5] http://postmanpatel.blogspot.com/2008/05/enercon-v-echelon-how-comercial.html
  • [6] http://social-ruminations.typepad.com/social_ruminations/2008/08/crowdsourcing-c.html
  • [7] http://www.theregister.co.uk/2007/04/30/ferrari_espionage_conviction/
    http://www.f1fanatic.co.uk/2007/07/03/mclaren-linked-to-ferrari-espionage-scandal/
  • [8] http://www.switched.com/2009/07/06/british-secret-service-chiefs-facebook-faux-pas/
