TESTIMONY of Roger C. Molander, Senior Researcher, RAND, before a hearing of the Subcommittee on Government Management, Information, and Technology, July 26, 2000

Computer Security: Cyber Attacks - War without Borders

Mr. Chairman and Members of the Subcommittee:
Protecting the information infrastructure
is increasingly seen in this city - and looking ahead to the next President
and the next Congress, will likely continue to be seen - as one of the
highest priority issues the executive branch and the Congress face.
To say nothing of the judicial branch,
looking ahead to some extremely difficult Fourth Amendment issues.
To say nothing of the future role
of state and local governments who could carry much of the responsibility
in future infrastructure crises caused by malevolent actors.
And then there are, perhaps, the true heavyweights
in the emerging decision-making process: the private sector. Here we are talking
primarily about: (1) the U.S. information industry (software, hardware,
telecommunications - all of it) as a continuing flagship leader of the
information revolution and (2) the owners and operators of U.S. (and U.S.-based
multinational) critical infrastructures. The private sector, however,
is still a largely inchoate force in terms of the policy and strategy
issues on the table.
And finally there's the international
dimension - where it is clear that it is imperative that a country accompany
its thinking about a national information infrastructure security strategy
with comparably fundamental thinking about a set of regional and
often global information infrastructure security strategy and policy
issues. Further complicating the situation, there are no obvious forums
in which to take up the international issues.
That's why we are all just getting
started in dealing with the problems associated with protecting the information
infrastructure - there are simply a tremendous number of actors and equities
involved.
In this environment RAND has done
a large number of studies on these problems, including conducting many
national and international strategy and policy exercises in the area of
critical infrastructure protection. My testimony today is a distillation
of that experience put together in collaboration with two RAND colleagues,
Robert Anderson and Richard Mesic.
You should view the points I am
about to make as a set of hypotheses about a very complex and challenging
problem that this country and the world are just beginning to come to grips
with. Think of it as the background and rationale for action, for example,
to pursue a well-funded and coordinated national public-private
research program in infrastructure protection.
Background
The rapid development and explosive expansion in use of information
technologies very likely provides the past decade's greatest promise for
the United States' continued growth and well-being: personal computers
on most workplace desktops, linked into corporate information networks;
an Internet serving as common communication backbone both nationally and
worldwide; wireless communication enabling widespread use of cellular
telephones and computing devices; the World Wide Web and electronic commerce
providing signs of - and the promise of further - substantial productivity
enhancement. In the great majority of these technologies and applications,
U.S. firms provide leadership, standards, and jobs.
The information sector in the American
economy increasingly provides vital backbone systems upon which our financial,
energy, transportation, defense, and telecommunication infrastructures
depend. Those systems are becoming ever more interlinked - primarily by
the Internet and the public telecommunication network - into the worldwide
"cyberspace." And therein lies a major source of increasing
vulnerability to America's economy and its critical military systems:
The dependence on these systems is so strong, and the existing vulnerabilities
so pervasive, that enhancing the resilience of these infrastructure information
systems is a vital national concern.
The vulnerability of United States
critical infrastructures has undergone substantial study by the President's
Commission on Critical Infrastructure Protection, leading to a number
of subsequent actions and reports, such as Presidential Decision Directive
63 and the recent (January 2000) National Plan for Information Systems
Protection issued by the White House. These studies and documents
form a reasonable basis for progress, but must overcome a major stumbling
block: Most of the relevant infrastructures (e.g., in energy, telecommunications,
transportation, finance) within the United States are controlled by private,
increasingly multinational, companies. For a variety of valid reasons
these companies are reluctant to share information (e.g., about vulnerabilities,
attacks, losses, risk assessments, etc.) with the government, and in turn
the government finds it difficult to share information - often classified
- about threats with the private sector. These problems of cooperation
are difficult, but as a very high national priority they must be overcome
if the safety and security of the United States is to be assured.
While we figure out how to solve
such national problems we must at the same time look to the international
decision-making environment on information infrastructure security where
we know that coordinated regional and global action is imperative. Consider
U.S. and Canadian electric power and telecom infrastructure linkages and
dependencies and then apply that to Europe.
Key Hypotheses
In this environment we have had
substantial experience and proffer the following set of hypotheses.
H1. To enable and motivate a more
effective dialogue between government and private sector, the government
needs a more specific, tangible, meaningful issue framework targeted to
interests of individual infrastructure sectors and companies. At present,
the "dialogue" primarily involves the private sector asking
the government for "threat intelligence" and the government
asking the private sector to share sensitive "vulnerability"
information. To date neither side can or will deliver in a manner that
the other deems adequate.
H2. A lot of "bad stuff"
can happen in cyberspace to affect critical infrastructures. But representative
examples of bad stuff that can happen exist - in specific infrastructures
and systems - resulting from human error, actions of hackers, natural
occurrences (fires, earthquakes, hurricanes), and so on. They have not yet,
however, happened at the scale that is perhaps possible
and that might have more significant (even "strategic") effects.
H3. The companies running almost
all critical infrastructure systems have already developed quite significant
risk analyses and contingency plans to meet various outages and problems.
However, the balance between risk and cost chosen by these individual
companies and sectors (even with the advent of sector-specific information
sharing and analysis centers) may not be deemed best for overall national
interests by the U.S. government. Thus additional resources might be required
beyond what is reasonable and prudent from the parochial perspectives
of a particular sector - a "gap filling" challenge that could
be one basis for a more effective government/private sector dialogue.
H4. Any country that is pursuing
offensive information operations must be developing information and models
that will be useful from a defensive perspective. Unfortunately, the converse
is also true (viz., that defensive efforts point to vulnerabilities that,
if not addressed, could be used in offensive operations against the defender).
Offensive and defensive IO are opposite sides of the same coin - at some
point further progress in both will require close cooperation and understanding
between these communities. This may complicate the problem of establishing
and sustaining an effective government/private sector CIP dialogue.
H5. For critical infrastructures,
it is prudent to assume that "threat actors" (whoever they
might be, wherever they operate, and whatever their motivation) are likely
eventually to find "vulnerabilities." So, for defensive purposes,
"threats" are the same as "risks." That is, since
there is widespread cyber capability extant in the world, and widespread
motivation by various parties at various times to take advantage
of vulnerabilities by using cyber capabilities, we should assume that
any vulnerability that constitutes a serious risk basically equates with
a threat (of unspecified bad actors exploiting that vulnerability to maximum
advantage).
H6. To the extent that actions to
protect the infrastructures cannot - for cost, technical, or political
reasons - be implemented fully on a day-to-day basis (viz., irrespective
of specific threat actions), determining and institutionalizing appropriate
systems and procedures for alert, warning, and response (AWR) to attacks
naturally becomes a CIP focus. AWR implies plans, procedures, and systems
to: (1) assess the nature (including, if possible, perpetrator identity,
location, and intent), methods, and likely effects of attacks on the infrastructure(s)
and (2) effect timely responses to mitigate the negative effects of the
attack. Effective AWR architectures are likely to involve a hierarchy
of interconnected AWR systems where perhaps the best role for the national
government is to take the lead in creating a "system-of-systems"
and coordinating individual corporate and sector-specific AWR activities.
H7. Alert and warning systems and
levels must be driven by the appropriate response. If you
have no adequate response to a cyber effect (that can happen in milliseconds),
then alert and warning cannot do much good. One should first determine,
for specific cyber stimuli that attack specific vulnerabilities, what
an organization's response options are - and from those, determine appropriate
levels, amounts, and kinds of alert and warning to be instituted.
H8. Any significant attack
on major portions of the U.S. critical infrastructure would be preceded
by various testing and probing activities by the attacking party. This
is likely to be an ongoing, active process, because any such data would
become dated and possibly obsolete quickly (which could, in the end, be
the limiting factor in offensive Information Operations). One must institute
a responsive process to adapt to (and, possibly, to exploit defensively
- e.g., through the use of deception) various patterns of precursor probes
and tests as they evolve.
H9. Given our current knowledge
base the CIP problem is too complex and dynamic to be handled (at least
initially) by any single unified strategic concept and approach. In this
context the best approach is to find a temporary framework that breaks
the overall problem into more manageable pieces (as a minimum to establish
the possible location or creation of a relevant decision-making process),
attack the pieces, and look to a unified and temporally more stable national
and international CIP strategy and framework/solution space to take shape
over time.
H10. It is necessary that we carefully
study an elaborated set of cyber stimuli (attack modes), applied
to specific vulnerabilities, leading to specific elaborated effects,
and associated relevant responses. These studies must often
be both infrastructure sector specific and inter-infrastructure because
of greatly varying system architectures, dependencies, and effects across
the differing infrastructure sectors.
H11. Political-military context
is important. The effects of an attack on one or more critical infrastructures
can vary greatly depending on whether the United States is in "steady
state," or, for example, is in the midst of a major overseas troop
deployment. In the former case, the effects are likely to be somewhat
localized, not unlike the effects of a major hurricane or earthquake.
In the latter case, it is conceivable that key portions of a deployment
might be delayed for up to several days or more, resulting in a possible
altered (degraded) military or political situation.
H12. The studies of attack modes,
vulnerabilities, effects, and responses mentioned in H10, above, must
be based on focused discussions between government and the private sector
firms that operate much of the U.S. critical infrastructure. Such discussions
would be greatly enhanced if government came with an understanding of
the attack modes most relevant to a particular infrastructure sector and
the specific vulnerabilities of that sector - having then studied the
likely effects of, and range of possible responses to, a strategic-level
attack upon that sector capitalizing on those vulnerabilities.
H13. While CIP problems are global,
and many critical infrastructures are controlled by international corporations,
it is reasonable to begin to approach the problem domestically
and with U.S.-based multinational infrastructure owners and operators.
As international issues emerge, they can then be addressed multilaterally
with a better understanding of and perspective on domestic interests and
constraints.
Conclusions
It should be clear from the above discussion that there is no simple
"silver bullet" for enhancing U.S. or global critical information
infrastructure protection, or even more broadly, information infrastructure-based
critical infrastructures such as electric power. It is still quite unclear
how vulnerable key sectors are, how widespread the effects of a major
strategic attack might be, and how effective various responses to that
attack - such as work-arounds and reconstitution - might be. It is also
unclear how well an adversary (e.g., a nation-state or major terrorist
group) could marshal the necessary knowledge and resources to mount a
strategic-level attack, especially without its preparations and probes
being detected.
Given this state of considerable
uncertainty, the best approach at the U.S. national level is to consider
and refine hypotheses such as we've outlined in this testimony. This process
will eventually require analysts and policy makers to get "down into
the details" for each critical infrastructure sector. This should
lead to a clearer, more focused understanding of the particular attack
modes that might be most troublesome, the particular generic vulnerabilities
that are most worrisome for that sector, the expected type and extent
of effects that the sector might suffer, the importance (to the nation)
and costs that might be incurred by those effects, and the types and effectiveness
of responses that might be expected (by the private sector and by the
government). The government might then be prepared to enter into tangible,
specific dialogues with relevant sector providers about these data, at
a level of detail that can engage the interest of those providers.