Julie Ryan, Inc.



PROTECTING THE NATIONAL INFORMATION INFRASTRUCTURE AGAINST INFOWAR

Published in Colloquy, Vol. 17, No. 1, July, 1996


Daniel J. Ryan
Corporate Vice President
Science Applications International Corporation

Julie J. C. H. Ryan
Senior Associate
Booz•Allen & Hamilton

Abstract

The people of the United States rely on the Department of Defense to deter foreign aggression, to defend us when deterrence fails, and to retaliate in force and kind when we have suffered an attack. This will be no less true when the attack is part of an INFOWAR and occurs over networks, is directed against the National Information Infrastructure and the economy of the country, and uses logic weapons rather than conventional weapons or weapons of mass destruction. The Department has led the development of technology that could help secure the infrastructure against such attacks. Yet the Department of Defense does not have the authority to impose requirements or to promulgate regulations that would make the infrastructure more secure. Nor is it likely that commercial firms would accept regulation and direction by the Department. A new approach is needed that would provide regulatory and adjudicatory information security authority applicable across the National Information Infrastructure. The Defense Department can and should support such an approach and should provide the technology it has developed to secure the Defense Information Infrastructure.

Networks are already recognized as a battlefield of the future. Information weapons will attack and defend at electronic speeds using strategies and tactics yet to be perfected. This technology is capable of deciding the outcome of geopolitical crises without the firing of a single weapon.
Redefining Security, Report of the Joint Security Commission, February 28, 1994

The notion of information warfare — INFOWAR — is new and still evolving, and provides a significant challenge to those responsible for making policy concerning the protection of the National Information Infrastructure. Information warfare is, first of all, warfare. It is not information terrorism, not computer crime, not espionage using networks for access to desirable information, and certainly it is not hacking. These are all interesting and dangerous phenomena that individuals, corporations, and for that matter governments, face today, but they are not INFOWAR. INFOWAR is the application of destructive force on a large scale against information assets and systems. This distinction is vital, because it is what determines the appropriate response options and the appropriate responding agencies. Without that distinction, one quickly finds oneself mired in the prospect of sending the Department of Defense against a single 13-year-old hacker. There are real issues here, including the problems of knowing that an attack is underway, of ascertaining the scope of the attack, and of bringing to bear effective responses, which can only be resolved after an appropriate framework of policies, practices and procedures has been established.

It is important to differentiate INFOWAR from information-based warfare. From the days of dedicated runners carrying news over the plains of Greece, through the eras of signal fires and carrier pigeons, to today's use of encrypted broadcasts via satellites, information has always been a crucial component of military decision making. The answers to such questions as "Where are the enemy forces?" "Where are our targets?" "Where are friendly forces?" "What are the intentions of the enemy commanders?" "What is the status of supplies and ammunition needed to prosecute the enemy?" as well as a host of other information, are vital to the formulation and execution of effective battle plans. All other things being equal, it is not only a tenet of faith that more timely, accurate and complete information is a force multiplier and a tangible advantage, but it is as well a part of our strategic and tactical planning processes. The concept of information-based warfare formalizes the recognition of the dependence of modern forces on information and on systems that can rapidly and securely provide that information to decision makers, and of the need to maintain and enhance one's own information assets while denying that advantage to the enemy. The notion of information-based warfare would not be a surprise to Sun Tzu, Alexander the Great, Genghis Khan, or Von Clausewitz. What would be an innovation to these historical strategists would be the birth of the dimension of information as a separable area of warfare independent of guns, tanks and bombs.

As information-related technology has evolved, so has its utility to warfare. But information technology not only enables modern warfare, it shapes the very way we think about war. The state of its evolution is now at a point where it is possible to conceive of the information infrastructure, content and technologies as parts of an information dimension to warfare, separate and distinct from other dimensions and subject to the same complexities of planning and strategic thought as the more conventional dimensions of air, land and sea, and more lately space. In information-based warfare, better, faster and more complete information provides an advantage in applying conventional or strategic forces. In INFOWAR, the information networks become the battlefield and information itself becomes the target. Note that there are three separate parts of this dimension: the infrastructure, the content and the technologies. Each of them, jointly and severally, is both a weapon and a target in INFOWAR.

This concept, true information warfare as opposed to information-based warfare, is being examined, studied and explored by many of the world's strategic thinkers from Moscow to Tehran to Chiapas. Such changes in warfare are not new. Seventy years ago the new dimension of air warfare began to be explored; many of you are familiar with the strategic use arguments and mission evolutions that resulted. As World War II progressed, the new electronic dimensions of warfare led to the "Wizard War," or what is now called electronic warfare. If it seemed like wizardry to the scientists and engineers who invented it, it was certainly incomprehensible to the cavalry and infantry soldiers whose training and experience centered on more tangible dimensions of combat. Two decades ago the need to incorporate the role of space into warfare became apparent. And, much as the air power, space and electronic warfare strategists had significant challenges to overcome in their quest to define air, space and the electromagnetic spectrum as separate and independent dimensions of warfare, INFOWAR is facing and must stand up to the skepticism and challenge of the professional warrior community.

Private industry and the private sector have a different perspective with regard to defensive information warfare. Corporations do not ordinarily fight wars or engage in combat, the Pepsi and Coke commercials seen during the Superbowl notwithstanding. Most corporations would no more consider the need to develop, and pay for, the technologies, practices and procedures that would be needed to defend against a state-sponsored INFOWAR attack than they would develop the technologies, practices and procedures to protect themselves against a strategic exchange of thermonuclear weapons. The commercial sector expects the Department of Defense to protect it against these threats, just as the commercial sector expected the War Department and later the Defense Department to protect it from the pirates of Tripoli, imperialistic Germany and Japan, and the Soviet "evil empire."

This is not to imply that corporations are unconcerned about the security of their systems and networks. It is to say that there is a demarcation between the types and scale of threat against which corporations believe it is their responsibility to protect themselves, and the types and scale of threats to which they cannot and should not have to respond. Two trends are very apparent:

• more information and more valuable information is being created, stored, processed and communicated using computers and computer-based systems and networks, and

• computers are increasingly interconnected, creating new pathways to valuable information assets.

Modern corporations recognize that productivity, and hence competitiveness, depends directly upon their efficient and effective use of computers and information networks. Increasing use of Electronic Data Interchange (EDI), Just-In-Time inventory management, computer-controlled manufacturing processes, and automated management information systems in addition to the pervasive use of personal computers and workstations for e-mail, accounting and financial management, and word processing means that corporations are overwhelmingly dependent on computers and networks. These technological transformations have resulted in improved network services, performance, reliability, and availability as well as significantly reduced operating costs due to the more efficient utilization of network resources. They have also created an enormous security problem.

Today, information technology is evolving at a faster rate than information security technology. This is hardly a surprise when one looks at the market influences driving those two areas. Technological advances in optical communications, for example, have led to unprecedented improvements in communications. Hair-thin strands of silica glass have spawned a communications revolution. A similar picture can be drawn for the computer industry where personal computer and workstation-based technology is reported to roll over every eighteen months. In fact, the technology is so fast paced that system designers can barely complete system design calculations before the manufacturer wants to update certain specifications. Data bases, operating environments, and even operating systems are being distributed. Computer and network security, on the other hand, does not have the enormous market forces incentivizing ever more clever products and solutions. On the contrary, existing security theory was developed in the computer equivalent of the Jurassic Age. The technologies and architectures which were advancing the state-of-the-art when existing security policies were written are now obsolete. Methods carefully crafted to secure computers that stood alone have been shown to be wholly inadequate when computers are networked.

In addition to the market-driven evolution of basic information technology, we are also undergoing a revolution in data processing that is creating unprecedented information systems security challenges. For example, the development and operation of massively parallel processing and neural networks, artificial intelligence systems, and multimedia environments present problems beyond any that formed our current information systems security experience base. Paradigm shifts such as distributed decision making, groupware, and collaborative environments conceptually leapfrog both security controls and security configuration management. Policies and standards applying to data formats and data labeling must be reviewed and adjusted as necessary to incorporate the necessary information systems security information. Labeling standards for the security labeling of voice notes and files and of video notes and files are needed. Doctrine for manipulating and combining formats has yet to be developed. And — most important to this discussion — interoperability of dissimilar computers in multivendor environments is paving the way for transparent information sharing capabilities and a global integrated information infrastructure.

Private enterprise fully recognizes that greater connectivity, while unavoidable, makes information assets and systems increasingly vulnerable to corruption, destruction or exploitation. Electronic access to vast amounts of data and critical infrastructure control is now possible from almost anywhere in the world. We are past the point of knowing the identity of everyone to whom our systems are connected. The sheer volume of data in our information systems makes these systems lucrative targets for disgruntled employees, hackers, competing commercial interests, and perhaps terrorists. We are only in the early stages of applying and understanding the new information technologies across our society, and many questions remain unanswered. Neither the ethics for an internetted society that define acceptable behavior on-line nor the legal structures that would punish misbehavior have been fully developed. This is particularly troublesome in the global marketplace, since neither national boundaries nor legal jurisdictions are apparent in cyberspace.

We can, unfortunately, take no comfort in the notion that the dangers are merely hypothetical. True, we have not had what Paul Strassmann describes as an "information Pearl Harbor," but that there is real danger to information assets and systems is beyond question. No one who reads the newspapers or pays attention to the other journalistic media can be sanguine about the variety of threats we face. Consider, for example, the denial of service attack against the Internet on November 2, 1988 that brought that valuable national resource to its knees. Yet today we are more dependent than ever on the Internet and the information infrastructure, and will increase our dependence as electronic commerce matures. Neither growth nor new technologies have abated the danger of denial of service attacks. Just recently such an attack was mounted against a law firm that breached netiquette by posting an advertisement on a large number of newsgroups. The service provider used by the law firm was forced off the net by the resulting flood of protesting e-mail.

It is estimated that there are some 6,000 computer viruses in circulation today, with new ones appearing at the rate of more than twenty per week. The question has become not "Will you suffer a virus attack?" but "When will you suffer a virus attack?" Private industry spends billions of dollars each year on anti-virus software, technical assistance to afflicted employees, and lost productivity when the automated defenses installed can only deal with last week's crop of malicious code. New viruses and Trojan horses are appearing that are encrypted, that use sophisticated compression technology, or that are polymorphic to reduce the probability of being detected. Viruses have even been found that can detect that you are running an anti-viral program and copy themselves into a disk sector that has already been checked by the software. This level of intelligence has led Stephen Hawking to speculate that computer viruses may in fact be a new form of life.

Computer-based or computer-facilitated crime is also on the rise. The press reported a net attack on Citibank that allegedly resulted in US$ 2.8 million in illicit funds transfers, although Citibank claims that only about US$ 400,000 was not recovered. Once bank robberies netted an average of less than US$ 5,000. Today the average loss to a computer criminal is over US$ 100,000 and the crimes are occurring more often with less frequent apprehension of the perpetrators. Furthermore, some level of loss is considered "the cost of doing business" and is not reported.

Attackers need not physically approach their targets, or even enter the country in which their target is located. Cliff Stoll provides a fascinating description in his book The Cuckoo's Egg (1989) of the tracking and capture of German hackers funded by the KGB to break into United States Government computers. Nor is the technology to mount an attack expensive — a few thousand to a few hundred thousand for off-the-shelf computer systems will suffice, and the tools and techniques can in many instances be obtained for free — nor is the education required to know how to do so extensive — everything needed is taught at the undergraduate level in any major university. This raises an interesting twist on the SDI strategy of bankrupting an adversary via a high-tech arms race: in an INFOWAR arms race, the adversary would not only NOT go bankrupt, it would more likely benefit economically from the trickle down/out of information technology into its economy as it becomes a potent INFOWAR threat.

Nevertheless, we must ask just how severe the danger truly is. How widespread are such attacks? How much damage do they do? Are technology improvements diminishing the problem? And is there potentially an information Pearl Harbor in our future? For the mandarins charged with protecting America's well being, this is a very difficult problem. For corporate decision makers, it is no more and no less than a question of risk management. As risk is the antithesis of security, we naturally strive to eliminate it. As worthy as that goal is, however, we learn with each experience that complete elimination is never possible. Even if it were possible to eliminate all risk, the cost of achieving that total risk avoidance would have to be compared against the cost of the possible losses resulting from having accepted rather than having eliminated the risk. After all, our economy loses over US$ 300 million in illegal wire transfers each year, toll fraud exceeds US$ 200 million per year, and credit card fraud tops US$ 3 billion per year, and these losses are treated as merely costs of doing business. The results of such cost-benefit analyses lead to pragmatic decisions as to whether achieving risk abatement at such a cost is reasonable. Applying reason in choosing how much risk we can accept and, hence, how much security we can afford is a daily process in modern corporations.

Such an analysis leads inexorably to the conclusion that a corporation can neither expect to defend itself in an INFOWAR, nor could it afford to do so were it even possible. In private industry, our collective ability to operate, and hence the nation's economy, depends upon the national information infrastructure. Consider, for example, the importance of the telephone system within that infrastructure. No corporation of any size could continue to operate if the nation's telephone system were successfully targeted in an INFOWAR.

The public switched network is, of course, a computer network. Modern phones are themselves computers which are connected to computers in the local switching office and thence to other phones for local calls, or from the local office via trunk circuits to other switching offices around the world. With the exception of a small number of rapidly disappearing electromechanical switches in low-density rural areas, all switching and control functions today are carried out by computers. En route between switching computers, calls may traverse copper wires, coaxial cables, microwave radio links, fiber optic cables, and satellite up- and down-links. Despite this complexity, the phone system in the United States is one of the most reliable systems in the world. Even so, on January 15, 1990, the AT&T long distance network, comprising 114 switching centers, each containing a main and a backup computer to ensure that the system could handle every conceivable problem, failed. Only after some nine hours of frantic analysis, diagnosis and corrective action did the network return to normal service.

The economic consequences were significant. AT&T estimates that it lost $75 million in tolls. Over half of 138 million long distance and 800-number calls were rejected by the faulty system. Many of those calls were business calls, and the failure to connect cost those businesses directly due to orders not being placed and operations being delayed or halted altogether. There were indirect costs as well due to decreased efficiency and productivity. MCI and Sprint also provided long distance service, and some businesses had made arrangements for backup service and so were less affected; other businesses which had not had the foresight to buy backup service were out of business or severely hampered. Undoubtedly some of the revenues lost by companies that relied on AT&T were gained by other companies that didn't use AT&T, but some were lost forever. The total economic consequences are unknown and probably unknowable.

The AT&T incident was a reliability problem, not the result of an attack by a malicious and capable threat. But reliability and security are not the same things at all. Having reliable systems and networks — even very reliable systems and networks — does not mean that one is safe from malicious and competent attacks. What would the consequences be if all three major long-distance carriers were taken down in an INFOWAR attack? Now add in the regional and local telephone systems. Certainly the results would be staggering. Much of the economy would grind to a halt. No one corporation has the resources to defend against the loss of the entire public switched network.

Yet in a strategic INFOWAR attack against the United States, I would expect not just the public switched network to be in danger. Simultaneous attacks would be expected against whatever parts of the data information infrastructure were not already lost when the public switched networks went down, and against the power grid, the transportation system, the financial community, law enforcement and emergency services, all of which are heavily dependent upon computer systems and networks. Chaos would result and corporations would be helpless.

Attacks of such magnitude are clearly beyond the ability of corporations to protect themselves completely. Nevertheless, many of the things corporations have to do and are doing to defend our information assets and systems against lesser threats — white collar criminals, hackers, computer-literate competitors, and even terrorists — will provide a measure of protection against an INFOWAR attack. We engage in business continuity planning for disaster recovery and we invest heavily in technology to protect our valuable assets, tangible and intangible. We have uninterruptible power supplies to free us from power outages, we build beta recovery sites to ensure continuous operations, and we routinely backup our data bases. In an INFOWAR, we will not be able to protect against the loss of the national information infrastructure, but we may be able to protect to some extent our data bases, our intellectual capital, and our systems and internal networks. If the government can secure the national information infrastructure, or restore it promptly, the losses we sustain due to an INFOWAR attack can be minimized.

So, what would the private sector ask the government, and specifically the Department of Defense, to do with regard to the possibility of a strategic INFOWAR attack against the national information infrastructure? First and foremost, preserve and protect the ability of the nation to recognize and respond rapidly and effectively to an attack or the threat of an attack. There is no surer deterrence against adventurism by a rogue state than assured and devastating retaliation by the United States if we are attacked. This means protecting the Defense Information Infrastructure from either a destructive or denial of service INFOWAR attack, or both, including, if necessary, reducing your reliance on the public switched network and the public power grid, and eliminating other weaknesses that could seriously degrade your ability to mobilize and respond in the event of an attack.

Second, as the Department identifies vulnerabilities and develops the technologies needed to protect the Defense Information Infrastructure, share them with the private sector so the knowledge can be used to enhance the security of the National Information Infrastructure. Arguments that revealing discovered weaknesses may lead to our enemies correcting those same weaknesses and thereby lessening our own offensive capabilities pale beside the possibility of extensive damage to the National Information Infrastructure when corrective action could have been taken. Arguments that access to security technology must be restricted lest it fall into enemy hands fail for like reasons. We need to know our weaknesses as soon as possible and apply the best available technology to reducing or eliminating vulnerabilities. This will lessen the likelihood of a successful attack and hence of any attempt to destroy, corrupt or exploit our systems and networks.

The situation we all face with respect to INFOWAR could be measurably improved if there were consensus as to the extent of the danger, if technology were available to abate the larger risk, and if there were a coherent set of policies, practices and procedures applicable across the private sector for protection of information assets and systems. Clearly, the Defense Department and the military services have a pivotal role in securing the nation's information infrastructure. Much of the needed technology has been developed by the Department and the services, particularly at the National Security Agency. Moreover, the Department and the services are directly dependent upon the national information infrastructure in preparing for and actually executing the defense mission. For example, since most of the Department's voice and data traffic is carried by the public switched networks, their loss at a critical moment during the escalation of a crisis would dramatically affect deployment preparations and the execution of assigned missions. Even were this not so demonstrably the case, the corporations and, for that matter, the American people depend upon the Department of Defense to protect our way of life against strategic attacks, and an INFOWAR attack aimed at the nation’s information infrastructure would be precisely such.

It is extremely unlikely that DoD or the military services can solve the problem acting unilaterally. Too much of the solution must be implemented within the private sector, and that sector, as we all know, is uncomfortable with government intrusions in general, and especially intrusions by the Defense and Intelligence Communities. Since the steps that must be taken to secure the information infrastructure are beyond those likely to result naturally from market forces, a regulatory body is needed having the power to make and enforce information security rules. One model might be the Federal Communications Commission; or perhaps the FCC's charter might even be extended to encompass protection of the information infrastructure. The Department of Defense is in a unique position with respect to INFOWAR: the problems it poses cannot be solved by the Department, but they also cannot be solved without the Department. To date, there has been much discussion of the advantages of an "information superhighway" but little attention to its underlying utility as a pathway for our enemies to the heart of our economy or as a strategic target for those who mean us harm. The leadership and wholehearted support, offering the expertise and resources of the Defense Department on behalf of such an agency, might well mean the difference between successfully securing the National Information Infrastructure and our continued muddling through with its attendant risks.

It is the first duty of government to provide for the security of its citizens. One way in which this duty is fulfilled is to provide for the common defense against overwhelming external aggression, whether the weapons are thermonuclear devices in ICBMs, conventional arms, or logic weapons deployed on networks. Both corporations and individual citizens rely on the government to deter such aggression, to defend us when deterrence fails, and to retaliate in force and kind when we have suffered an attack. That the new possibility of an INFOWAR in cyberspace presents us with new difficulties in both defense and offense is the challenge of this decade and perhaps the early years of the next century.


(c) Julie J. C. H. Ryan, 1997, 1998, 1999
All rights reserved.
