Future wars could be IT-based

Find opportunities — and win them.

There could be "pre-emptive achievement of military objectives strictly by information-warfare techniques," according to an Auburn University professor.

HUNTSVILLE, Ala.? A professor from Auburn University has made the case that the United States may face a war in the future in which not a single shot is fired, but yet America loses.

There could be "pre-emptive achievement of military objectives strictly by information warfare techniques," said John "Drew" Hamilton, associate professor of engineering and director of the Information Assurance Laboratory at the university.

Hamilton projected that such a conflict could take place by 2015?the time it would take to infiltrate computer development programs and insert malware into operating systems, applications software, firmware and hardware.

Acquisition trends in the military actually facilitate the possibility of such a scenario, Hamilton added. "You don't expect the military to go to Home Depot to buy a [rocket launcher], but we expect them to go to Staples to buy software," he said.

Software developers have always written back doors into their code, and even secure, partitioned systems such as the Secret IP Router Network have them.

"I learned that when I got e-mail from Joint Forces Command to scan their attachments" for viruses, Hamilton said.

The risk in pushing the use of commercial, off-the-shelf software is compounded by private-sector outsourcing, he said. Microsoft Corp., for instance, has outsourced some programming tasks to China and Russia.

Hamilton said that Dan Wolf, information assurance director of the National Security Agency, told an academic group in June that "DOD agencies have been outsourcing IT services to [Section] 8a firms that are fronts for foreign intelligence agencies."

Nor is the problem limited to the Microsoft environment. Linux, touted by open-source proponents, has its own vulnerabilities. "NSA [National Security Agency] recompiled the kernel so you can't turn off [key] logging, which is good for forensics," figuring out what happened after the fact, Hamilton said.

Finally, the military has not made software a "core competency," according to Hamilton. "Some government agencies have contracted for software code they don't own the rights for."

Hamilton suggested several steps that could be taken to pre-empt and prepare for this kind of warfare, including reverse-engineering software architecture to find weaknesses, identifying sensitive parameters that can be exploited and looking for undocumented functionality.

He also said that the Defense Department should stop funding university research conducted by foreign nationals. Hamilton added that this is not a xenophobic reaction, but a reasonable response to a potential threat.

Patience Wait is a senior writer for Washington Technology's sister publication, Government Computer News.