Could China easily take down US military's air-refueling logistics in a cyberwar?

A lengthy report prepared for the U.S. government about China's high-tech buildup to prepare for cyberwar includes speculation about how a potential conflict with the U.S. would unfold -- and how it might only take a few freelance Chinese civilian hackers working on behalf of China's People's Liberation Army (PLA) to sow deadly disruptions in the U.S. military logistics supply chain.

REPORT: Joint ventures by US tech firms with China pose cyberwar risk

As told, if there's a conflict between the U.S. and China related to Taiwan, "Chinese offensive network operations targeting the U.S. logistics chain need not focus exclusively on U.S. assets, infrastructure or territory to create circumstances that could impede U.S. combat effectiveness," write the report's authors, Bryan Krekel, Patton Adams and George Bakos, all of whom are information security analysts with Northrop Grumman. The report, "Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage," focuses primarily on facts about China's cyberwar planning but also speculates on what might happen in any cyberwar. It's suggested that China would make a pre-emptive cyberstrike weeks ahead of any purely physical confrontation.

The report's authors say China's People's Liberation Army are calling this "paralysis warfare" which aims at disrupting critical supply lines, logistics and command-and-control systems to support U.S. military operations well in advance of an obvious conflict occurring.

"Unlike traditional air or ballistic missile strikes, network attack and exploitation in particular can be initiated prior to the start of traditional hostilities without being a de-facto [Casus belli] and if done properly, can be implanted with little or no attribution back to China," the report says. It notes that a 2007 PLA-published book, "Informationized Joint Operations," asserts that enemy command and control networks and logistics systems will be among the first elements targeted by integrated network electronic forces under control of the PLA. The report details many disruption methods, including use of BIOS attacks to destroy motherboard hardware components, known in the Chinese cyberwar arsenal today.

The report's authors speculate that what the U.S. military calls the U.S. Transportation Command (TRANSCOM) systems would be considered good targets for disruption because they also provide trusted network access to military logistics systems.

Since an estimated 90% of TRANSCOM's distribution and deployment transactions are handled via unclassified commercial and Department of Defense networks, according to the report, this means Chinese hackers would also be going after civilian-sector companies in TRANSCOM. (The report points out that TRANSCOM combatant commander Gen. William Fraser noted in Senate testimony just last month there has been a 30% annual increase in network penetration attempts against TRANSCOM networks.)

"If the Chinese computer-network espionage team is able to compromise the civilian contractor network via even a rudimentary spear-phishing campaign, they will likely attempt to use valid employee network credentials, e.g. certificates, passwords, user names, and most significantly, network permissions; these elements provide all of the same access as the legitimate user to immediately begin navigating around the contractor network to compromise other machines and establish a command-and-control network before attempting to identify high-value data to penetrate TRANSCOM networks directly from the contractor's now compromised system," the report says.

The net result, the Northrop Grumman information security analysts speculate, is that Chinese hackers "would in effect have complete control over these critical logistics providers' networks."

As Chinese teams would move into TRANSCOM networks they "may have dual missions assigned to them." These, theoretically, would be collecting intelligence about U.S. military needs and intentions; also, "a data destruct mission to corrupt commercial or military databases supporting sea and airlift for TRANSCOM prior to the start of a Chinese assault on Taiwan or other military operation."

Contractors might not even be able to get into their own systems anymore.

The authors describe how this could be done to disrupt the air-refueling mission for U.S. forces by compromising the TRANSCOM Air Mobility Command which owns the Air Refueling Management System, described as a Web-based application that integrates data from multiple related databases supporting different aspects of the refueling mission. Chinese hacking teams could scan "the Internet-facing application searching for any of thousands of potential vulnerabilities that could be exploited with often longstanding, simple techniques such as structured query language (SQL) injection or cross-site scripting."

The authors of the "Occupying the Information High Ground" report contend that successfully carrying out this type of cyberwar tactic would not even require China's official PLA militia units trained in cyberwar. It could be done by "purely civilian freelance operators (elite hackers) with an existing relationship with the Chinese Ministry of Public Security or Ministry of State Security."

The report concludes: "The strategic impact to the United States of this small tactical scale operation would be disproportionately severe relative to effort and resources expended on the Chinese side, achieving a strategic level outcome that Chinese military writings on information warfare routinely laud as one of the primary benefits of a well-planned computer-network operations campaign."

The report then points to the October 2011 data breach at RSA, the security division of EMC, as an example of reconnaissance of this type, where critical information about RSA's SecurID authentication product was stolen. (Without naming China, RSA Executive Chairman Art Coviello has blamed the break-in on a "nation-state," noting that the intent was to use the stolen SecurID information to break into RSA customers.)

In alluding to the SecurID-related data theft, the report says that "this operation resulted in the loss of all information necessary to crack the encryption on any RSA device in use anywhere in the world." Further, "the adversary used the data stolen from RSA months earlier to compromise Lockheed Martin employee credentials and gain access to the company's network. Adversaries leveraging the information stolen from RSA succeeded in penetrating an extremely well instrumented, well-protected network staff by highly skilled information security professionals with a mature cyber intelligence and network defense capability."

Disruptions could also occur to the U.S. electrical supply, the authors say. Because the Chinese government has sponsored research on "attack-induced cascading power failures" related to the U.S. power grid, the authors say if tensions between China and the U.S. ever heat up to the point of possible military confrontation over Taiwan, it will be no surprise to see "multiple large-scale network or power-grid failures, seemingly unrelated to rising tensions with China" which could "force a U.S. president and his national security team to divert time or resources to manage the domestic emergency."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Read more about wide area network in Network World's Wide Area Network section.

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)