Abstract
The people of the United States rely on the Department of Defense to deter foreign aggression, to defend us when deterrence fails, and to retaliate in force and kind when we have suffered an attack. This will be no less true when the attack is part of an INFOWAR and occurs over networks, is directed against the National Information Infrastructure and the economy of the country, and uses logic weapons rather than conventional weapons or weapons of mass destruction. The Department has led the development of technology that could help secure the infrastructure against such attacks. Yet the Department of Defense does not have the authority to impose requirements or to promulgate regulations that would make the infrastructure more secure . Nor is it likely that commercial firms would accept regulation and direction by the Department. A new approach is needed that would provide regulatory and adjudicatory information security authority applicable across the National Information Infrastructure. The Defense Department can and should support such an approach and should provide the technology it has developed to secure the Defense Information Infrastructure.
Networks are already recognized as a battlefield of the future. Information weapons will attack and defend at electronic speeds using strategies and tactics yet to be perfected. This technology is capable of deciding the outcome of geopolitical crises without the firing of a single weapon.
Redefining Security
Report of the Joint Security Commission
February 28, 1994
The notion of information warfare -- INFOWAR -- is new and still evolving, and provides a significant challenge to those responsible for making policy concerning the protection of the National Information Infrastructure. Information warfare is, first of all, warfare. It is not information terrorism, not computer crime, not espionage using networks for access to desirable information, and certainly it is not hacking. These are all interesting and dangerous phenomena that individuals, corporations, and for that matter governments, face today, but they are not INFOWAR. INFOWAR is the application of destructive force on a large scale against information assets and systems. This distinction is vital, in that it endows the ability to determine appropriate response options and responding agencies. Without that distinction, one quickly finds oneself mired in the prospect of sending the Department of Defense against a single 13 year old hacker. There are real issues here, including the problems of knowing that an attack is underway, of ascertaining the scope of the attack, and of bringing to bear effective responses, which can only be resolved after an appropriate framework of policies, practices and procedures has been established.
As information-related technology has evolved, so has its utility to warfare. But information technology not only enables modern warfare, it shapes the very way we think about war. The state of its evolution is now at a point where it is possible to conceive of the information infrastructure, content and technologies as parts of an information dimension to warfare, separate and distinct from other dimensions and subject to the same complexities of planning and strategic thought as the more conventional dimensions of air, land and sea, and more lately space. In information-based warfare, better, faster and more complete information provides an advantage in applying conventional or strategic forces. In INFOWAR, the information networks become the battlefield and information itself becomes the target. Note that there are three separate parts of this dimension: the infrastructure, the content and the technologies. Each are jointly and severally the weapons and the targets in INFOWAR.
This is not to imply that that corporations are unconcerned about the security of their systems and networks. It is to say that there is a demarcation between the types and scale of threat against which corporations believe it is their responsibility to protect themselves, and the types and scale of threats to which they cannot and should not have to respond. Two trends are very apparent:
Modern corporations recognize that productivity, and hence competitiveness, depends directly upon their efficient and effective use of computers and information networks. Increasing use of Electronic Data Interchange (EDI), Just-In-Time inventory management, computer-controlled manufacturing processes, and automated management information systems in addition to the pervasive use of personal computers and workstations for e-mail, accounting and financial management, and word processing means that corporations are overwhelmingly dependent on computers and networks. These technological transformations have resulted in improved network services, performance, reliability, and availability as well as significantly reduced operating costs due to the more efficient utilization of network resources. They have also created an enormous security problem.
Today, information technology is evolving at a faster rate than information security technology. This is hardly a surprise when one looks at the market influences driving those two areas. Technological advances in optical communications, for example, have led to unprecedented improvements in communications. Hair-thin strands of silica glass have spawned a communications revolution. A similar picture can be drawn for the computer industry where personal computer and workstation-based technology is reported to roll over every eighteen months. In fact, the technology is so fast paced that system designers can barely complete system design calculations before the manufacturer wants to update certain specifications. Data bases, operating environments, and even operating systems are being distributed. Computer and network security, on the other hand, does not have the enormous market forces incentivizing ever more clever products and solutions. On the contrary, existing security theory was developed in the computer equivalent of the Jurassic Age. The technologies and architectures which were advancing the state-of-the-art when existing security policies were written are now obsolete. Methods carefully crafted to secure computers that stood alone have been shown to be wholly inadequate when computers are networked.
In addition to the market-driven evolution of basic information technology, we are also undergoing a revolution in data processing that is creating unprecedented information systems security challenges. For example, the development and operation of massively parallel processing and neural networks, artificial intelligence systems, and multimedia environments present problems beyond any that formed our current information systems security experience base. Paradigm shifts such as distributed decision making, groupware, and collaborative environments conceptually leapfrog both security controls and security configuration management. Policies and standards applying to data formats and data labeling must be reviewed and adjusted as necessary to incorporate the necessary information systems security information. Labeling standards for security labeling of voice notes and files and video notes and files is needed. Doctrine for manipulating and combining formats has yet to be developed. And -- most important to this discussion --interoperability of dissimilar computers in multivendor environments is paving the way for transparent information sharing capabilities and a global integrated information infrastructure.
Private enterprise fully recognizes that greater connectivity, while unavoidable, makes information assets and systems increasingly vulnerable to the corruption, destruction or exploitation. Electronic access to vast amounts of data and critical infrastructure control is now possible from almost anywhere in the world. We are past the point of knowing the identity of everyone to whom our systems are connected. The sheer volume of data in our information systems makes these systems lucrative targets for disgruntled employees, hackers, competing commercial interests, and perhaps terrorists. We are only in the early stages of applying and understanding the new information technologies across our society, and many questions remain unanswered. Neither the ethics for an internetted society that define acceptable behavior on-line nor the legal structures that would punish misbehavior have been fully developed. This is particularly troublesome in the global marketplace, since neither national boundaries nor legal jurisdictions are apparent in cyberspace.
Attackers need not physically approach their targets, or even enter the country in which their target is located. Cliff Stoll provides a fascinating description in his book The Cuckoo's Egg (1989) of the tracking and capture of German hackers funded by the KGB to break into United States Government computers. Nor is the technology to mount an attack expensive -- a few thousand to a few hundred thousand for off-the-shelf computer systems will suffice and the tools and techniques can in many instances be gotten for free -- nor is the education required to know how to do so extensive -- everything needed is taught at the undergraduate level in any major university. This raises an interesting twist on the SDI strategy of bankrupting an adversary via a high-tech arms race: in an INFOWAR arms race, the adversary would not only NOT go bankrupt, it would more likely benefit economically from the trickle down/out of information technology into its economy as it becomes a potent INFOWAR threat.
Nevertheless, we must ask just how severe the danger truly is? How widespread are such attacks? How much damage do they do? Are technology improvements diminishing the problem? And is there potentially an information Pearl Harbor in our future? For the mandarins charged with protecting America's well being, this is a very difficult problem. For corporate decision makers, it is no more and no less than a question of risk management. As it is the antithesis of security, we naturally strive to eliminate risk. As worthy as that goal is, however, we learn with each experience that complete elimination is never possible. Even if it were possible to eliminate all risk, the cost of achieving that total risk avoidance would have to be compared against the cost of the possible losses resulting from having accepted rather than having eliminated the risk. After all, our economy loses over US$ 300 million in illegal wire transfers each year, toll fraud exceeds US$ 200 million per year, and credit card fraud tops US$ 3 billion per year and these losses are treated as merely costs of doing business. The results of such cost-benefit analyses lead to pragmatic decisions as to whether achieving risk abatement at such a cost is reasonable. Applying reason in choosing how much risk we can accept and, hence, how much security we can afford is a daily process in modern corporations.
Such an analysis leads inexorably to the conclusion that a corporation can neither expect to defend itself in an INFOWAR, nor could it afford to do so were it even possible. In private industry, our collective ability to operate, and hence the nation's economy, depends upon its information infrastructure. Consider, for example, the importance of the telephone system within that infrastructure. No corporation of any size could continue to operate if the nation's telephone system were successfully targeted in an INFOWAR.
The public switched network is , of course, a computer network. Modern phones are themselves computers which are connected to computers in the local switching office and thence to other phones for local calls, or from the local office via trunk circuits to other switching offices around the world. With the exception of a small number of rapidly disappearing electromechanical switches in low-density rural areas, all switching and control functions today are carried out by computers. En route between switching computers, calls may traverse copper wires, coaxial cables, microwave radio links, fiber optics cables, and satellite up- and down-links. Despite this complexity, the phone system in the United States is one of the most reliable systems in the world. Even so, on January 15, 1990, the AT&T long distance network comprising 114 switching centers, each containing a main and a backup computer to ensure that the system could handle every conceivable problem, failed. Only after some nine hours of frantic analysis, diagnosis and corrective action would the network return to normal service.
The economic consequences were significant. AT&T estimates that it lost $75 million in tolls. Over half of 138 million long distance and 800-number calls were rejected by the faulty system. Many of those calls were business calls, and the failure to connect cost those businesses directly due to orders not being placed and operations being delayed or halted altogether. There were indirect costs as well due to decreased efficiency and productivity. MCI and Sprint also provided long distance service and some businesses had made arrangements for backup service and so were less affected; other businesses which had not had the foresight to buy backup service were out of business or severely hampered. Undoubtedly some of the revenues lost by companies that relied on AT&T was gained by other companies that didn't use AT&T, but some were lost forever. The total economic consequences are unknown and probably unknowable.
The AT&T incident was a reliability problem, not the result of an attack by a malicious and capable threat. But reliability and security are not the same things at all. Having reliable systems and networks -- even very reliable systems and networks -- does not mean that one is safe from malicious and competent attacks. What would the consequences be if all three major long-distance carriers were taken down in an INFOWAR attack? Now add in the regional and local telephone systems. Certainly the results would be staggering. Much of the economy would grind to a halt. No one corporation has the resources to defend against the loss of the entire public switched network.
Yet in a strategic INFOWAR attack against the United States, I would expect not just the public switched network to be in danger. Simultaneous attacks would be expected against that data information infrastructure that was not already lost when the public switched networks went down, the power grid, the transportation system, the financial community, law enforcement and emergency services, all of which are heavily dependent upon computer systems and networks. Chaos would result and corporations would be helpless.
Attacks of such magnitude are clearly beyond the ability of corporations to protect themselves completely. Nevertheless, many of the things corporations have to do and are doing to defend our information assets and systems against lesser threats -- white collar criminals, hackers, computer-literate competitors, and even terrorists -- will provide a measure of protection against an INFOWAR attack. We engage in business continuity planning for disaster recovery and we invest heavily in technology to protect our valuable assets, tangible and intangible. We have uninterruptible power supplies to free us from power outages, we build beta recovery sites to ensure continuous operations, and we routinely backup our data bases. In an INFOWAR, we will not be able to protect against the loss of the national information infrastructure, but we may be able to protect to some extent our data bases, our intellectual capital, and our systems and internal networks. If the government can secure the national information infrastructure, or restore it promptly, the losses we sustain due to an INFOWAR attack can be minimized.
So, what would the private sector ask the government, and specifically the Department of Defense, to do with regard to the possibility of a strategic INFOWAR attack against the national information infrastructure? First and foremost, preserve and protect the ability of the nation to recognize and respond rapidly and effectively to an attack or the threat of an attack. There is no surer deterrence against adventurism by a rogue state than assured and devastating retaliation by the United States if we are attacked. This means protecting the Defense Information Infrastructure from either a destructive or denial of service INFOWAR attack, or both, including, if necessary, reducing your reliance on the public switched network and the public power grid, and eliminating other weaknesses that could seriously degrade your ability to mobilize and respond in the event of an attack.
Second, as the Department identifies vulnerabilities and develops the technologies needed to protect the Defense Information Infrastructure, share them with the private sector so the knowledge can be used to enhance the security of the National Information Infrastructure. Arguments that revealing discovered weaknesses may lead to our enemies correcting those same weaknesses and thereby lessening our own offensive capabilities pale beside the possibility of extensive damage to the National Information Infrastructure when corrective action could have been taken. Arguments that access to security technology must be restricted less it fall into enemy hands fail for like reasons. We need to know our weaknesses as soon as possible and apply the best available technology to reducing or eliminating vulnerabilities. This will lessen the likelihood of a successful attack and hence of any attempt to destroy, corrupt or exploit our systems and networks..
The situation we all face with respect to INFOWAR could be measurably improved if there were consensus as to the extent of the danger, if technology were available to abate the larger risk, and if there were a coherent set of policies, practices and procedures applicable across the private sector for protection of information assets and systems. Clearly, the Defense Department and the military services have a pivotal role in securing the nation's information infrastructure. Much of the needed technology has been developed by the Department and the services, particularly at the National Security Agency. Moreover, the Department and the services are directly dependent upon the national information infrastructure in preparing for and actually executing the defense mission. For example, since most of the Department's voice and data traffic is carried by the public switched networks, their loss at a critical moment during the escalation of a crisis would dramatically affect deployment preparations and the execution of assigned missions. Even were this not so demonstrably the case, the corporations and, for that matter, the American people depend upon the Department of Defense to protect our way of life against strategic attacks, and an INFOWAR attack aimed at the nation s information infrastructure would be precisely such.
It is the first duty of government to provide for the security of its citizens. One way in which this duty is fulfilled is to provide for the common defense against overwhelming external aggression, whether the weapons are thermonuclear devices in ICBMs, conventional arms, or logic weapons deployed on networks. Both corporations and individual citizens rely on the government to deter such aggression, to defend us when deterrence fails, and to retaliate in force and kind when we have suffered an attack. That the new possibility of an INFOWAR in cyberspace presents us with new difficulties in both defense and offense is the challenge of this decade and perhaps the early years of the next century.