Defense in Depth

In cybersecurity, Defense in Depth is designed to build a wall of protection around the network or throughout the battle space. It must be enhanced to protect against insider threats and mobile devices that migrate in and out of the perimeter. It is the standard practice for logical construction of a network. At the lowest level we have an individual home network behind a local Internet Service Provider (ISP) router, and at the other end of the spectrum we have a national state network like China behind their Great Firewall. The U.S. government is behind several hundred access points monitored by the Department of Homeland Security. Sub-groups like Department of Defense, Department of Energy, Department of State, and Department of Treasury, etc., all sit behind their own security infrastructure. Organizations maintain their own networks but use a variety of techniques to administer and secure them. Some build and maintain everything, others outsource the infrastructure but keep security in house, some outsource everything but have the equipment in their building, and finally some prefer cloud solutions. Many of these organizations are geographically dispersed with users in multiple locations across the world. The amount of protection they deploy is based on their perception of risk and willingness to invest their profit back into security for the network. When we look at their defenses it is based on economic power rather than military power.

One concept that has been popular in the media is the concept of building a switch to isolate or “turn off the Internet” if we are under attack. These concepts show a fundamental lack of understanding of the Internet today. The Internet was a system originally built by Defense Advanced Research Projects Agency (DARPA) to provide communications capability after a nuclear war. As a result, it has resiliency and alternate path routing as part of the requirements. A good example of this can be seen in Iran’s effort to suppress the protests following the 2009 presidential elections. Iran had government control over the communications systems and yet the Green Protest groups started a Twitter revolution using social media tools to get their message out (called the Twitter Revolution) [2]. We can quickly see that parts of the Internet can be turned dark, but only for a limited period of time and are actually a self-inflected denial of service.

Physical Infrastructure

Physical infrastructure includes power, backup generators, Heating Ventilating and Air Conditioning, surge control systems, connectivity (cabling), hardware, software, and people. The physical systems are vulnerable to surveillance, vandalism, sabotage, and attack. Much of this infrastructure is controlled by Industrial Control Systems (ICS), also commonly known as Supervisory Control and Data Acquisition (SCADA) programs which are vulnerable to hacking or denial of service attacks. Note that SCADA is a subset of ICS but has become synonymous in the media. This list does not address the potential environmental disaster factors. If the threat cannot conduct a kinetic attack or hack the system then there is always the wetware (human) vector. It is often easier to attack users than it is to attack the equipment. So when attacking the physical there are a number of options to create the desired impact.

It is important to note that most of these infrastructure systems have systemic issues like: legacy systems, lack of lab environments to test patching, local management, and no SOC monitoring them. The programs are built on proprietary systems that originally ran on closed networks so were designed with high availability requirements but no confidentiality or integrity protections. SCADA owners believed that they would be protected by obscurity with nobody wanting to break into their systems. Also they felt that their programs were proprietary so would not be hackable, as the applications were unique. Most of these systems use the same protocols and are developed with the same programming languages as the rest of the applications on the market today so it has been relatively easy to find vulnerabilities in them. If we take a look at one critical infrastructure area like water, we have heard reports [3] about how terrorists could hack in and open dam gates to cause flooding or cause an infusion of the purification chemicals to the point where the water is toxic. The reality is cyber problems are competing with other issues with these systems. In many cases the cyber threats are not getting funding because fixing problems like repairing the dam gates to prevent maintenance failure, or cleaning the holding tanks that have toxic mold in them are a higher priority and consume all the funds that are available. Our infrastructure has many issues to be dealt with and cybersecurity is only a potential issue relative to the number of tangible issues they are facing today.

Organizational View

Organizations can be divided into commercial (including critical infrastructure) and government (generally divided into federal agencies and the military but there are hybrids like the Tennessee Valley Authority which have elements of both). These organizations all approach cybersecurity differently based on their risk tolerance, regulations, and resources. Commercial companies are market-driven and must spend just enough on security to manage risk appropriately. These companies must make decisions based on Return on Investment (ROI) which leads to the eternal struggle between the Chief Financial Officer (CFO) and the Chief Information Officer (CIO). Today many CIOs calculate Return on Security Investment using formulas like Annualized Loss Expectancy (Vulnerability × Threat × Asset Value = Total Risk then Total Risk × Countermeasures = Residual Risk). This translates into the following sample scenario: the chance of getting a virus attack is 100% (in fact expect one a day), the cost of which is three hours of lost productivity and one hour of IT support times total number of employees (200) leads to the following equation—365 viruses × $450 labor × 200 people = $3,285,000, which indicates that a company is better off buying anti-virus at $40 per system for total of $8000 to reduce risk to an acceptable level. With the need for cost saving in the government, these types of calculations are becoming more common in the military today.

Companies also pull in the legal team to review what their due care/diligence responsibilities are in case they are sued. For example, if they were to lose customer privacy data, they might be sued. This evaluation is based on what a reasonable person would expect them to do to protect their information. The size and resources of the company play a big role in determining what “best practices” they should be following for their industry. Finally, depending on which market sector we are talking about, ROI could mean Risk of Incarceration based on laws like Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Gramm-Leach-Bliley Act of 1999, or Sarbanes-Oxley (SOX) Act of 2002. One comparison many security professionals make is the amount spent on physical security and property insurance versus what is spent in Information Assurance versus their relative value to the success of the company. There is a balance between budget and level of risk. Some CIOs spread Fear, Uncertainty and Doubt to get their budget approved, rather than work the numbers, which has given the IT Security Industry a bad reputation. The simple fact is that today if a security team was given an unlimited budget they could not guarantee that there would not be any intrusions because there are constantly new vulnerabilities. Some CFOs feel it is a waste of money to do more than the minimum security protection measures. They point to examples such as when T. J. Maxx and Heartland were in the news for being hacked but they still made a profit the next quarter. There is a reasonable level of security that should be implemented based on which industry the company is in (i.e., financial institutions would spend more than manufacturing) and what risk the leadership is willing to take. The key is making sure the leadership understands the risk that they are accepting in this contested virtual economic battlefield.

Next we have the federal government, which has dispersed responsibility throughout the different agencies who all use different tools and processes. Most cybersecurity is based on compliance with regulations like National Institute of Standards & Technology (NIST) 800-XX series, the Federal Information Security Management Act (FISMA) of 2002, or Homeland Security/Presidential Directives. The White House has a cybersecurity coordinator but the major player is the Department of Homeland Security (DHS). The DHS controls the U.S. Computer Emergency Response Team, National Incident Response Plan, Critical Infrastructure Protection Plan, and the Einstein IDS program.

The Federal Bureau of Investigation (FBI) has a Cyber Division, the InfraGard outreach program, the Internet Crime Complaint Center, and the National Cyber Crimes Investigative Joint Task Force that add up to some impressive forensics capabilities. Their focus is domestic crime and counterterrorism not cyber war, but they have some useful tools and processes to help fight the cyber war. One major success the FBI had was the Darkmarket sting, when they took down a major identify theft ring [4]. They continue to get better at conducting computer investigations internationally [5] with 61 legal attaché offices around the world conducting joint investigations with countries like Romania, Estonia, Ukraine, and the Netherlands.

Another agency that is moving into the digital battlefield is the Federal Aviation Administration (FAA) with the Next Generation Air Transportation System (NextGen) project to move from analog to digital systems to provide safer, more convenient, and more dependable travel. As with any system, as it moves to the network it increases accessibility which also opens a new set of attack vectors.

The Department of Energy is becoming a major cyber player with Smart Grid and energy grid security. With the potential for everyone’s appliances, heating/air-conditioning, entertainment systems, and home security systems being put online they are opening up a new field for the hackers to move into. DoE is working to build security into the smart grid but it is very complex. They have done some great work in their National Labs like Sandia National Laboratory and Idaho National Laboratory, to name two of the seven labs working on cyber solutions.

Finally, the Department of Justice (DoJ) must decide which cases to take to court and sets the tone for what is acceptable behavior by deciding where to put their prosecution resources. Today, the DoJ is focused on terrorism and drugs rather than hacking or cyber war incidents.

On the military side, the DoD has a very complex hierarchical authority structure. Despite standing up US CYBERCOMMAND, the individual services (Army, Air Force, Navy, and Marines) still have the authority and budget to decide how to implement cybersecurity. Each branch of the service has a name for their portion of the network. Defense Information Systems Agency (DISA) runs the Global Information Grid (GIG), the Air Force has C2 Constellation, the Army has LandWarNet, and Navy has FORCEnet. The emerging initiatives to transform network capabilities are Joint Information Environment (JIE), DoD Enterprise Portal Service, Enterprise Cloud Broker, and standardize mobility solutions. These are not formal programs of record but rather efforts to respond to new budget constraints and capability demands. There are also different levels of classification on information and networks. The DoD uses Unclassified, For Official Use Only (FOUO) or Controlled Unclassified Information (CUI) or Confidential, Secret, Top Secret, Sensitive Compartmented Information and Special-Access Program/Special Access Required (SAP/SAR). The associated networks are Non-Secure Internet Protocol Router (NIPR) for unclassified, Secure Internet Protocol Router (SIPR) for Secret and Joint Worldwide Intelligence Communications System (JWICS) for Top Secret. In addition, there are separate networks like the Defense Research and Engineering Network (DREN) for research. Finally, deployed forces build their own networks in theater that connect to many of these “reach back” networks as well as to fellow coalition nations via multinational forces networks. An example is if a unit from Fort Carson deployed to Afghanistan has to build a network in country or theater, they would want to connect back to resources at Fort Carson and to other international forces they are teamed with. It is not unusual to see a Tactical Operation Center (TOC) with 6-12 terminals representing the different networks. It is easy to see that there is not a clear chain of command for the network of networks supporting DoD.

As important as these networks are, they do not include the full scope of the modern virtual battlefield. Today command and control of forces is done digitally, weapon systems are connected to the network and depend heavily on computing power, intelligence dominance is key to our ability to wining on the modern battlefield, and it is completely dependent on computer applications/systems. For example in 2006 during a military simulation for an Air Operation Center (AOC), a young airman was asked what would happen if the network went down. He said they would have to stop flying missions. That is, of course, untrue as leaders of the pre-digital generation were flying similar missions long before computers were used for command and control and there are continuity of operation plans in place in the event that the network goes down; but the younger generation’s perception and dependence on the network was astonishing. Note that the loss of the AOC’s network would have a huge impact on the ability to process orders nearly as fast or accurately as the current “information dominance” systems allow but it would not stop them.

When we talk about CYBERCOM and the Services (Army, Navy, Air Force, and Marines) it is important to remember that the Services train and equip the forces and the Combatant Commanders call on the services to provide forces for their missions. Strategic Command (STRATCOM) has the mission to “ensure U.S. freedom of action in space and cyberspace” [6]. Cyber Command’s (CYBERCOM) mission is to “plan, coordinate, integrate, synchronize, and conduct activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure U.S./Allied freedom of action in cyberspace and deny the same to our adversaries” [6]. Each Service has a Cyber Unit that supports CYBERCOM, the Air Force has the 24th Number Air Force, the Army has Army Cyber Command (ARCYBER) or 2nd Army, the Navy has the 10th Fleet, and the Marines have Marine Forces Cyber. Closely aligned to these forces is the Intelligence Community, specifically the National Security Agency. This results in different priorities and authorities based on the different mission each organization has.

It is important to note that there are U.S. codes that set the rules for how these units operate. There are a number of titles that provide specific guidance. Title 10 is Armed Forces and is the law that regulates how war is fought [1]. Title 50 is War and National Defense and generally covers intelligence and counter intelligence [1]. It is interesting to note that some units had their authorized mission changed from being under Title 50 to Title 10 as part of the CYBERCOM stand up. Title 18 is Crimes and Criminal Procedure, which covers taking the attacking party to court [1]. Many people are now talking about the need to merge these three into one integrated process (sometimes called title 78). Other titles often used are Title 32, which is National Guard and Title 14 which is the Coast Guard [1]. These forces are not as restricted by laws like Posse Comitatus, which restricts the federal government use of the military for law enforcement. Today we see Joint Operation Centers with forces from multiple “title source” or “forces” to allow them to operate effectively based on the different rules they must comply with.

So we see the commercial sector is driven by the market, the federal agencies are all driven by their function and compliance requirements, and the military is driven by mission and the regulations they have to operate under, and everyone must deal with a limited budget! All of them are facing the similar threats and vulnerabilities. There are efforts to coordinate between them but there is no central authority to drive integration; again each organization is doing their best based on their mission and resources. So let us take a look at the domain we are talking about.

Land Domain

As we look back at the progression of warfare on land we see there have been many Revolutions of Military Affairs (RMA). The rock gave way to the club, which was beat out by the spear and then the bow. Horse-mounted soldiers had an advantage over ground troops and then the stirrup gave them a tremendous advantage. Guns and artillery increased the rate at which armies could kill each other as well as the effective range at which they could kill. Next came the tank and machine guns. Each of these RMAs changed how armies organized and fought. New doctrine, tactics, and organizational structures had to be developed. Should we integrate the new weapons into every unit or build a unit of pure machine guns/tanks? The decision was tank units should consist of tanks by themselves but the machine gun should be integrated into every unit. The decision to make tank units of pure tanks has been reversed. Today, the tank is normally integrated with infantry to form “combined arms task forces” so the commander can leverage each unit’s strengths. These historical lessons in transformation must be studied to find how to most efficiently develop methods of fighting in this latest RMA—cyberspace.

Sea Domain

In many ways the sea is an analogous battlefield to cyberspace. Similar to cyberspace it is a large area where ships can easily move without detection so the defender has the challenge of detecting where the threat is. No one side can control it. The criminal elements operating on the Internet are comparable to the pirates of old who would interdict and influence the lines of commerce. There were eventually international agreements developed to deal with these threats. Another example we can draw from the Navy is the development of the Flattop or Aircraft Carrier. For years the battleship was the measure of a nation’s sea power but the introduction of the Flattop caused a paradigm shift and soon strategies, doctrine and tactics were built around it. Most senior officers had built their careers around the battleship and the defense industrial base was heavily investing in the battleship so they strongly resisted the transformation. They refused to see the need to change based on a new capability. This cultural blindness is impacting the transformation to computer network operations in many of today’s organizations. At the tactical level many security professionals still base their strategies on outdated technologies, even though the industry and the battlespace have transformed and evolved. They are still focused on perimeter defenses and ignore the mobile devices being used by their workforce. At the senior leadership level the lack of understanding of the technology and its implications in some organizations impedes the development of doctrine to fight the next war.

Nowadays we have commanders who have grown up with the idea that weapon systems must be based on their ability to put “steel on target,” and that the idea of a weapon system that does not destroy something via kinetic attack is ridiculous. They also do not feel that their “real” weapon systems (e.g., jets or tanks) should be considered part of the virtual battlefield because they are enabled with computer chips (despite the fact that they can be hacked into and modified). Some still believe that non-kinetic attacks are something that would only be an annoyance (like their email going down) or play a support role—not be part of a battlefield engagement strategy. These are the same professionals that study history and understand transformation but struggle to understand the technology running the systems they depend on. It is a challenge because they are steeped in tradition and have studied warfare based on the weapons that existed when they were junior officers and still in the field. It is a constant struggle to understand the changes that technology is bringing to the battlefield.

Air Domain

Airpower is similar to cyber power because it is a domain dominated by technological advancements. Early on there were major leaders developing strategies, doctrine, and tactics. General Giulio Douhet was an Italian officer who was one of the first real theorists supporting the use of Air Power [9]. He felt that there was no defense against bombers: it would terrorize populations into surrender. He advocated the use of explosive, incendiary and poison gas bombs against population centers as he felt the entire workforce contributes to the total war effort making everyone a legitimate target. General Douhet was court-martialed for his outspoken beliefs.

Billy Mitchell is considered the father of American Air Power. He came into World War I as a lieutenant colonel in the Army and ended up controlling all U.S. air forces [10]. He is a controversial figure because of the disagreements he had with the Army leadership over using air power against battleships and was court-martialed for insubordination. His passion for how air power could be used was key to the development of Air Force capabilities. Both these general officers understood the potential for air power and pushed for innovation at the expense of their careers, both eventually had their court-martials overturned and are considered heroes. We have not seen anyone with that level of forward thinking theories and dedication for cyber warfare in today’s military.

Space Domain

Space is very comparable to cyberspace in that it is generally considered an enabler to the other domains. It provides communications paths for most long-haul communications systems, Command and Control (C2), Intelligence Surveillance and Reconnaissance, navigation based on Global Positioning System, phones, radios, television, financial transactions, and surveillance for wide area reconnaissance, weather, mapping and commercial imaging (i.e., Google maps). The George C. Marshall Institute produced a great series called “A Day without Space” which lays out all the impacts. Space provides some great examples on how to integrate a new technology into the armed forces. Space started as a military dominated domain that has transitioned to a commercial market just like cyber operations. It is a technology that integrated into the other domains to the point they are dependent on it. It is an area that requires unique skills so the management of the workforce presents a challenge. It takes time to build senior leaders for a new technology and as the commercial demand takes off the competition for the workforce gets fierce. It is very hard to retain skilled operators in cyber and space-related fields.

Cyber Domain

Cyber is ubiquitous in all the other modern domains. In 2010 Lt. Gen. William T. Lord, Air Force chief of war-fighting information said “I think that a day without cyber brings you back to about World War I days” [11]. When we talk about the cyber domain some will say it is limited to the hardware that runs the military networks (e.g., computers, routers, firewalls), others will say it is the military networks and the supporting infrastructure (e.g., defense contractors and long-haul communications providers), a few believe it is all government systems, still others feel it is all systems connected to the Internet (all private and government systems). As we look for precedents we can see maritime law could be used, or international space treaties could apply or maybe we could develop a cyber manifest destiny. Some of the answers are overly simple or fit within current legal rules but ignore the reality of how interconnected these systems are. The problem is complex and, much like defining the boundaries in an insurgency conflict, may require different answers for different audiences. This domain is in need of theorists, strategies, doctrine, and tactics that shape what the domain and cyber war itself is scoped to include and exclude.

Combined Arms

While we have talked about the domains as separate and distinct the military integrates them for maximum effect when conducting combat operations. Different branches of the military integrate to achieve force multipliers, for example an infantry brigade would have an armor platoon attached to each battalion, be supported by an artillery unit and close air support from the Air Force, have air defense to protect them from enemy aircraft and engineers to clear obstacles. In other scenarios the Navy, Space or Special Forces could be part of the force design. Now cyber must be both a domain to operation in and force to integrate.

Most Active Threats

Let us get into the threat spectrum as seen in Figure 3.1. This is a different way to look at the information from Chapter 2 on Threatscape. There are a lot of folks out there trying to be “hackers.” Most of them are what we call script kiddies. These are folks who just go out and grab tools off the Internet and try to break into systems. They are also known as noobs (as in newbies) because they are new to hacking and will generally only get the low-hanging fruit like unprotected home systems. Next come criminals. As soon as we started shopping and banking online the criminals saw the money and quickly followed to take advantage of the new opportunity. Many of these are professional organizations. If someone graduates with a degree in computer science in many poor countries the best paying jobs are with organized criminal gangs. The most famous is out of Russia and is known for the ISP they use called the Russian Business Network. Now they have well-educated people working 40-60 h a week trying to break into a specific target (i.e., Chase Bank or Ford for the latest designs). If they develop a zero day exploit it will only be used against that one company until the job is complete.

Next we have hacker groups like the classic “Cult of the Dead Cow” who released a tool called “back orifice” at one of the more famous hacker conventions, DEFCON, starting back in 1998. These groups develop powerful tools but the Anti-Virus (AV) and IDS companies quickly analyze and post protections against them. Possibly the most dangerous group is the malicious insider. Typically, it is estimated that they represent 20% of the threat but cause 80% of the damage. Though studies like the annual Computer Security Institute (CSI) report show that number is growing [13]. Typically, we group insiders as disgruntled, or seeking financial gain. It is often hard to detect them as they are authorized users so we must look for unauthorized behaviors when most of the security today is on the perimeter looking for someone breaking in. Political/Religious groups practice recruitment, influence operations, and often attack the opposing viewpoint’s websites or networks (commonly called Hacktivism).

Finally comes state-controlled or -sponsored groups, which have become known as the Advanced Persistent Threat (APT). These can be military units or loosely affiliated groups who may receive direct or indirect support from the government. The one we see in the news most today is China, which has been accused of systematically stealing information from both the military and the defense contractor base. However, there are many countries engaged in these activities. Some nations have devoted significant resources to these capabilities and we can only surmise their level of activities and capabilities.

Most Dangerous Threats

Now as we look at the impacts or damage the threat can cause, we see a very different order. It is important to measure out incidents based on the impact they have, rather than the amount of activity it caused. It would be easy to say that the slammer worm had a significant level of activity and compromised a large number of systems but when we consider that it had no payload to cause damage to our information it suddenly becomes only a nuisance. At the same time a spear phishing attack that successfully compromises the CEO of a Fortune 500 company would be an insignificant technical event but could cost the company millions. It is not the volume but the impact we need to measure, and to do that we must understand the criticality of the data on our systems.

If we sort the threats by the amount of damage caused, the order is APT/nation state, insider threat, terrorism, physical/environmental events, criminal attacks, hacker groups, unintentional, hacktivism, and Noob/Script Kiddy attacks (as seen in Figure 3.2).

Today APT is stealing billions of dollars worth of intellectual property and sensitive military information. One of the most widely reported military incidents was the F-35, “Computer spies have broken into the Pentagon’s $300 billion Joint Strike Fighter project—the Defense Department’s costliest weapons program ever—according to current and former government officials familiar with the attacks” [14]. Looking at commercial incidents it would have to be the Aurora incident involving Google, mentioned in Chapter 1. These activities are conducted daily by many different countries. Though some say it is only espionage or spying, a better description would be a full-scale economic war.

Next on our list is the insider threat. It can be damaging in many ways. Some insiders embezzle funds or take valuable information with them, or even leave malicious code like a logic bomb behind to destroy information after they are gone. Or they could bring illegally stolen information into our company when they are hired and expose the new company to lawsuits.

As we look at terrorism, it is doubtful that a terrorist would conduct a purely cyber attack when they could use it to increase the impact of a physical attack by causing a denial of service attack against emergency phone services, police surveillance systems, and traffic control systems.

Physical and environmental attacks can be both natural and man-made. A simple backhoe could isolate large portions of a network, turning on the fire sprinkler system could flood the server room, and heat from a fire or from taking out the air-conditioning can wipe out a server room. There are a number of ways to use attacks against facilities to cause a cyber impact but these are generally very localized.

Criminal attacks are causing a steadily increasing level of pain. It is becoming a national security concern as the general population is losing trust in conducting commerce over the Internet. Identity theft is now a household word, every scam and con has been converted for use over the Internet, and both individuals and banks are losing millions every year [15]. Anyone can buy stolen credit cards, malicious viruses, and botnet armies on the Internet (though it is hard to find reputable vendors). These can all be used as resources for cyber war if that is the intent.

Hacker groups are still around but have become more mainstream. They now have podcasts and attend hacker conventions. They still release new hacker tools and vulnerabilities but they are often shared with the security community before they are shared with the public.

Unintentional actions are often as painful as the attacks, with user actions, patches, configuration changes, and loading new services that cause denial of service and loss of data. These can be mitigated through training, testing, and backups but few organizations have the resources to do these correctly.

Hacktivism sounds exciting and we have had events like the one in 2001 that caused the first major “hacker conflict” when a U.S. spy plane was forced to land in China. “As China and the United States attempt to peacefully end their diplomatic standoff sparked by the mid-air collision between a U.S. spy plane and a Chinese fighter jet, crackers from both countries continue to wage private wars on the Internet” [16]. There were a lot of attacks from both sides and no prosecution on either side but it made for great media coverage. We can see this kind of activity between citizens of different countries or between political parties in the same country. The concern from a cyber war point of view is we now have multiple factions joining the virtual battlefield. It is like watching a soccer game with the fans able to walk around on the field during play.

Finally we have the Noobs or Script Kiddies, who are the hackers that will grab well-known tools and just attack systems. They have little to no understanding of the hacker methodology (addressed in Chapter 6) or techniques to break into systems once the tool they are using does not work. Their biggest impact is they cause so much data or noise that it makes it very difficult to find the truly dangerous threats.

Motivations

Hacker’s motives are varied but generally are ranked by amount of activity in this order: Money, Espionage, Skills for employment, Fame, Entertainment, Hacktivism, Terrorism and War (as seen in Figure 3.3). Most hackers are motivated by money; whether they are considered criminals or not depends on the country in which they live. Next comes the nation state or corporate espionage to gain some military or economic advantage. This is an area where it is often cheaper and more efficient to conduct cyber operations than use traditional spies. There is a high demand for these skills and many individuals are getting into the field because it is a hot job market but most do not have both a cyber and intelligence background. There is a lot of debate on whether it is smart to hire a “hacker” but just like some banks hire ex-cons to evaluate their security many network managers think we need to hire someone who thinks like the enemy to beat them.

The days when system administrators saw a spike in the number of attacks during the summer and on spring break are long gone, but there are still individuals out there hacking for the challenge, entertainment value, or seeking fame. Others see it as a way to promote their beliefs through attacking the opposition, or simple vandalism of their web sites. The smallest groups are sometimes the most dangerous as they can concentrate skills and minimize exposure. There are organizations and countries that are developing the plans and capabilities to use the World Wide Web (WWW) to cause or increase the impact of terrorism and even full-scale wars.