4.0 POTENTIAL NS/EP IMPLICATIONS

Sections 2.0 and 3.0 of this document outlined electronic intruders' capabilities to affect NS/EP telecommunications services. Section 4.0 describes the potential impact of these threats (see Exhibit 4-1).

EXHIBIT 4-1 Stages of the Electronic Intrusion Threat Outcome Stage

As mentioned previously, more than 90 percent of government telecommunications services are provided by commercial carriers. Consequently, the impact of any security problem with the PSN has the potential to affect NS/EP users. If intruders attacked specific government telecommunication systems and services, the following effects are possible:

* Denial or disruption of service

* Unauthorized monitoring and disclosure of sensitive information

* Unauthorized modification of network databases/services

* Fraud and financial loss.

These effects are discussed in the following sections. The targeting of government telecommunication systems and services is also discussed.

4.1 Denial or Disruption of Service

Denial or disruption of service can be either intentionally or unintentionally caused by electronic intruders. Intentional disruptions have not been common in past years because most "smart" electronic intruders do not want to destroy the systems where they are working they want to keep them operating to learn their functions. (PHRACK20, LOL020) This situation is changing, however, because a new generation of electronic intruders has appeared in the computer underground. These electronic intruders are highly motivated by financial gain and would undoubtedly disrupt PSN services if the price were right. (SRI93, BULLIES, CFCA193)

Unintentional disruptions caused by electronic intruders are more common than malicious disruptions. Often these are caused by electronic intruders' mistakes when they use commands they know little about, or try to cover their tracks. In the past 3 years, electronic intruders have crashed or disrupted STPs, traffic switches, OAM&P systems, and other network elements. (NSTF92) Electronic intruders have reportedly planted destructive "time bomb" programs designed to shut down major switching hubs, disrupted E-911 services throughout the Eastern Seaboard, and boasted that they have the "capability to bring down all the switches in Manhattan." (WSJ082290, CUD453, CUD451)

The government's position, based on DoD and Department of Justice input and analysis, identified three key concerns related to electronic PSN intrusions:

"...denial of service, unauthorized monitoring, and remote points of origin external to the United States. These concerns are reflected in the capabilities of intruders that were noted in documented case studies of PSN intrusions." (DIA93)

The NSTAC Network Security Task Force, during its deliberations in late 1990 and 1991, framed the denial of service issue in this manner:

"A motivated and resourceful adversary, in one concerted manipulation of network software, could degrade at least portions of the PSN and monitor or disrupt the telecommunications serving NS/EP users." (NSTF90)

An undefined number of electronic intruders are highly skilled, knowledgeable individuals with engineering-level expertise in PSN systems. Adversaries would find these skills to be a high-interest item. Based on an analysis of open source literature, the author believes that groups of electronic intruders, if organized and funded by interested adversaries, have the capabilities to launch sophisticated widespread attacks on and across the PSN. These types of attacks could result in significant degradations in the nation's NS/EP telecommunication capabilities, create significant public health and safety problems, and cause serious economic shocks.

4.2 Unauthorized Monitoring and Disclosure of Sensitive Information

Electronic intruders, who have demonstrated a high level of technical skills, are able to capture information from the PSN and related systems in three primary ways:

* Electronic eavesdropping. Electronic intruders are able to monitor telecommunication circuits electronically, record telephone conversations remotely, capture and reproduce facsimile transmissions, and monitor circuits to capture digital data. Frequently, this digital data includes sensitive information, such as login identifications, passwords, and source and target addresses.

* Packet data monitoring. Electronic intruders are able to electronically monitor packet data networks and reconstruct data streams using stolen or compromised X.25 diagnostics tools. This capability represents a significant improvement in previously reported electronic intruder capabilities involving PAD-to-PAD attacks.

* Electronically intruding on network elements. Electronic intruders are able to break into network elements that contain subscriber information, such as names, addresses, cable pairs, and circuit termination points. They are able to electronically gather traffic and billing records and other sensitive NS/EP data. They are also able to read and modify service classes, circuit identification numbers, and other codes associated with particular circuits.

The large number of electronic intruder attacks on key network elements raises concern with the sensitivity of the information residing in network elements and databases. Although no known targeted attacks have sought to compromise large quantities of this data, in at least two instances, NS/EP activities were compromised severely by electronic intruders: the Scott Maverick case (E-911 systems tampering; see Section 4.5) and the Poulsen case (compromising a law enforcement investigation).

4.3 Unauthorized Modification of Network Databases/Services

Electronic intruders have demonstrated a high level of technical skill in modifying PSN databases and subscriber services. They have added unauthorized accounts to service control points, service provisioning systems, digital cross-connect systems, and other network elements. They have added and modified user services, forwarded calls, modified service classes on circuits, and turned off billing on specific circuits. On data networks, electronic intruders have changed the routing tables and service descriptions for specific users.

This level of penetration and skill demonstrates that electronic intruders could seriously compromise NS/EP telecommunications. An adversary would find these skills valuable in supporting intelligence gathering and espionage activities. Private citizens and corporations have been targeted by electronic intruders with these types of attacks. These attacks do not require large-scale technical resources to complete. Moreover, many intruders have already exhibited the ability to modify network information, which creates a level of threat that warrants attention.

4.4 Fraud and Financial Loss

Toll fraud is a multibillion-dollar-per-year business in the United States. Normally, the toll fraud threat is not seen as being related directly to the performance of government agencies' ability to perform NS/EP missions. Because of the nature of this threat, toll fraud should be considered a significant problem, but one with undefined NS/EP implications.

4.5 Targeting of Government Telecommunication Systems/Services

There are many types of NS/EP telecommunication systems and services that exist to fulfill a variety of specific missions. Some are highly complex offerings, whereas others are little more than specialized commercial services established for Government use. Some are wire line based, whereas others are radio or satellite based. The primary differentiator from commercial services is that each NS/EP system or service is tailored to meet the specific needs of the organization(s) it is designed to support.

The common thread uniting virtually all of these NS/EP systems and services is that an overwhelming majority either transit or reside on existing PSN facilities. From the PSN's perspective, most NS/EP traffic is indistinguishable from normal traffic. Because of this reliance on the PSN infrastructure, most NS/EP systems and services are vulnerable to some or all of the threats described in this document.

Six specific targets have the potential to affect NS/EP telecommunication services. These are discussed below:

* Some special government services store their service access codes on network elements. The types of network elements storing these codes have experienced numerous unauthorized intrusions over the past 18 months. These intrusions were not targeted toward any specific government NS/EP services.

* A special government service provides emergency restoration and provisioning of telecommunication circuits. This service relies on specific priority codes to be included with each circuit's service records. These records are managed and maintained on network elements that have a long history of vulnerabilities from electronic intrusions.

* Electronic intruders have begun to explore some of these special government services. In several computer underground publications, electronic intruders have discussed methods to explore a dedicated government numbering plan area (NPA). Because of the lack of open source data on these subjects, electronic intruders have not made many inroads; however, this may change over time.

* Electronic intruders have explored and compromised E-911 systems. On October 12, 1992, a computer intruder named Scott Maverick was arrested for tampering with the E-911 systems in Virginia, Maryland, and New Jersey. Maverick and another computer intruder allegedly disrupted E-911 services with the intent, as stated by Maverick himself, "...to penetrate 911 computer systems and infect them with viruses to cause havoc." (CUD453) Although the October 1992 case is viewed as an isolated incidence, news of the actions taken by Scott Maverick and his colleagues is widespread in the computer underground. Significant degradation of service for E-911 systems is possible if they are targeted by electronic intruders.

* Government systems will be increasingly reliant on wireless services and technologies. (NSSOG994) As discussed in Section 3.4, wireless systems are highly susceptible to the electronic intruder threat. As the government use of wireless systems increases, the need to address the electronic intrusion threat to these systems will become paramount.

* Systems supporting DoD command, control, and communications (C3) are high-profile targets during military alerts and periods of national emergency. There have been many unconfirmed reports published in the open source literature of U.S. military communications systems being targeted during recent military actions. Even though these sources cannot be confirmed, military communications systems are an obvious target for espionage and information warfare activities by adversaries.

Any government service that transits or resides on PSN facilities is vulnerable to the same sort of electronic intrusion threat faced by nongovernment services. The electronic intrusion threat is present in the PSN, and its effects service disruption, denial of service, unauthorized disclosure of data, unauthorized modification of service, and fraud should be considered when making contingency and emergency service plans.