IWS - The Information Warfare Site
Roger C. Molander
Senior Researcher

before a hearing 
of the

Subcommittee on Government Management, 
Information, and Technology

July 26, 2000

Computer Security: 
Cyber Attacks - War without Borders


Mr. Chairman and Members of the Subcommittee:

Protecting the information infrastructure is increasingly seen in this city - and looking ahead to the next President and the next Congress, will likely continue to be seen - as one of the highest priority issues the executive branch and the Congress face.

To say nothing of the judicial branch, looking ahead to some extremely difficult Fourth Amendment issues.

To say nothing of the future role of state and local governments who could carry much of the responsibility in future infrastructure crises caused by malevolent actors.

And then there are the true heavyweights in the emerging decision-making process: the private sector. Here we are talking primarily about (1) the U.S. information industry (software, hardware, telecommunications - all of it) as the continuing flagship leader of the information revolution and (2) the owners and operators of U.S. (and U.S.-based multinational) critical infrastructures. The private sector, however, is still a largely inchoate force in terms of the policy and strategy issues on the table.

And finally there is the international dimension, where it is clear that a country must accompany its thinking about a national information infrastructure security strategy with comparably fundamental thinking about a set of regional and often global information infrastructure security strategy and policy issues. Further complicating the situation, there are no obvious forums in which to take up the international issues.

That's why we are all just getting started in dealing with the problems associated with protecting the information infrastructure - there are simply a tremendous number of actors and equities involved.

In this environment RAND has done a large number of studies on these problems, including conducting many national and international strategy and policy exercises in the area of critical infrastructure protection. My testimony today is a distillation of that experience put together in collaboration with two RAND colleagues, Robert Anderson and Richard Mesic.

You should view the points I am about to make as a set of hypotheses about a very complex and challenging problem that this country and the world are just beginning to come to grips with. Think of them as the background and rationale for action, for example, to pursue a well-funded and coordinated national public-private research program in infrastructure protection.

The rapid development and explosive expansion in use of information technologies very likely provides the past decade's greatest promise for the United States' continued growth and well-being: personal computers on most workplace desktops, linked into corporate information networks; an Internet serving as common communication backbone both nationally and worldwide; wireless communication enabling widespread use of cellular telephones and computing devices; the World Wide Web and electronic commerce providing signs of - and the promise of further - substantial productivity enhancement. In the great majority of these technologies and applications, U.S. firms provide leadership, standards, and jobs.

The information sector in the American economy increasingly provides vital backbone systems upon which our financial, energy, transportation, defense, and telecommunication infrastructures depend. Those systems are becoming ever more interlinked - primarily by the Internet and the public telecommunication network - into the worldwide "cyberspace." And therein lies a major source of increasing vulnerability to America's economy and its critical military systems: the dependence on these systems is so strong, and the existing vulnerabilities so pervasive, that enhancing the resilience of these infrastructure information systems is a vital national concern.

The vulnerability of United States critical infrastructures has undergone substantial study by the President's Commission on Critical Infrastructure Protection, leading to a number of subsequent actions and reports, such as Presidential Decision Directive 63 and the recent (January 2000) National Plan for Information Systems Protection issued by the White House. These studies and documents form a reasonable basis for progress, but must overcome a major stumbling block: Most of the relevant infrastructures (e.g., in energy, telecommunications, transportation, finance) within the United States are controlled by private, increasingly multinational, companies. For a variety of valid reasons these companies are reluctant to share information (e.g., about vulnerabilities, attacks, losses, risk assessments, etc.) with the government, and in turn the government finds it difficult to share information - often classified - about threats with the private sector. These problems of cooperation are difficult, but as a very high national priority they must be overcome if the safety and security of the United States is to be assured.

While we figure out how to solve such national problems we must at the same time look to the international decision-making environment on information infrastructure security where we know that coordinated regional and global action is imperative. Consider U.S. and Canadian electric power and telecom infrastructure linkages and dependencies and then apply that to Europe.

Key Hypotheses

In this environment we have had substantial experience and proffer the following set of hypotheses.

H1. To enable and motivate a more effective dialogue between government and private sector, the government needs a more specific, tangible, meaningful issue framework targeted to interests of individual infrastructure sectors and companies. At present, the "dialogue" primarily involves the private sector asking the government for "threat intelligence" and the government asking the private sector to share sensitive "vulnerability" information. To date neither side can or will deliver in a manner that the other deems adequate.

H2. A lot of "bad stuff" can happen in cyberspace to affect critical infrastructures. Representative examples of such bad stuff already exist - in specific infrastructures and systems - resulting from human error, actions of hackers, natural occurrences (fires, earthquakes, hurricanes), and so on. Perhaps, however, they have not yet happened at a scale that may be possible and that might have more significant (even "strategic") effects.

H3. The companies running almost all critical infrastructure systems have already developed quite significant risk analyses and contingency plans to meet various outages and problems. However, the balance between risk and cost chosen by these individual companies and sectors (even with the advent of sector-specific information sharing and analysis centers) may not be deemed best for overall national interests by the U.S. government. Thus additional resources might be required beyond what is reasonable and prudent from the parochial perspectives of a particular sector - a "gap filling" challenge that could be one basis for a more effective government/private sector dialogue.

H4. Any country that is pursuing offensive information operations must be developing information and models that will be useful from a defensive perspective. Unfortunately, the converse is also true (viz., that defensive efforts point to vulnerabilities that, if not addressed, could be used in offensive operations against the defender). Offensive and defensive IO are opposite sides of the same coin - at some point further progress in both will require close cooperation and understanding between these communities. This may complicate the problem of establishing and sustaining an effective government/private sector CIP dialogue.

H5. For critical infrastructures, it is prudent to assume that "threat actors" (whoever they might be, wherever they operate, and whatever their motivation) are likely eventually to find "vulnerabilities." So, for defensive purposes, "threats" are the same as "risks." That is, since there is widespread cyber capability extant in the world, and widespread motivation by various parties at various times to take advantage of vulnerabilities by using cyber capabilities, we should assume that any vulnerability that constitutes a serious risk basically equates with a threat (of unspecified bad actors exploiting that vulnerability to maximum advantage).

H6. To the extent that actions to protect the infrastructures cannot - for cost, technical, or political reasons - be implemented fully on a day-to-day basis (viz., irrespective of specific threat actions), determining and institutionalizing appropriate systems and procedures for alert, warning, and response (AWR) to attacks naturally becomes a CIP focus. AWR implies plans, procedures, and systems to: (1) assess the nature (including, if possible, perpetrator identity, location, and intent), methods, and likely effects of attacks on the infrastructure(s) and (2) effect timely responses to mitigate the negative effects of the attack. Effective AWR architectures are likely to involve a hierarchy of interconnected AWR systems where perhaps the best role for the national government is to take the lead in creating a "system-of-systems" and coordinating individual corporate and sector-specific AWR activities.

H7. Alert and warning systems and levels must be driven by the appropriate response. If you have no adequate response to a cyber effect (that can happen in milliseconds), then alert and warning cannot do much good. One should first determine, for specific cyber stimuli that attack specific vulnerabilities, what an organization's response options are - and from those, determine appropriate levels, amounts, and kinds of alert and warning to be instituted.

H8. Any significant attack on major portions of the US critical infrastructure would be preceded by various testing and probing activities by the attacking party. This is likely to be an ongoing, active process, because any such data would become dated and possibly obsolete quickly (which could, in the end, be the limiting factor in offensive Information Operations). One must institute a responsive process to adapt to (and, possibly, to exploit defensively - e.g., through the use of deception) various patterns of precursor probes and tests as they evolve.
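The probing and testing that H8 expects ahead of an attack is what network scan detection looks for in practice. The block below is an added illustration, not part of this testimony or of RAND's work: a sliding-window detector run over constructed connection-log lines that flags any source contacting many distinct host/port targets within a short interval, and labels the pattern as a single-host port sweep ("vertical") or a single-port host sweep ("horizontal"). The log format, addresses, ports, window length and threshold are all assumptions chosen for the example.

```python
"""Precursor-probe (scan) detection over constructed connection-log lines.

Added example for hypothesis H8; the log format, addresses, ports, window
and threshold are assumptions made for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Tuple

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>".
# 203.0.113.7  sweeps nine ports on one host in a few seconds (vertical scan).
# 192.0.2.5    is ordinary traffic: the same service, a few times over minutes.
# 198.18.0.9   tries one port (502, Modbus) on eight hosts (horizontal scan).
# 203.0.113.99 is a slow prober: one port every five minutes, under the window.
SAMPLE_LOG = """\
2000-07-26T09:00:00 203.0.113.7 198.51.100.10 21 REJECT
2000-07-26T09:00:01 203.0.113.7 198.51.100.10 22 ACCEPT
2000-07-26T09:00:01 203.0.113.7 198.51.100.10 23 REJECT
2000-07-26T09:00:02 203.0.113.7 198.51.100.10 25 REJECT
2000-07-26T09:00:02 203.0.113.7 198.51.100.10 80 ACCEPT
2000-07-26T09:00:03 203.0.113.7 198.51.100.10 110 REJECT
2000-07-26T09:00:03 203.0.113.7 198.51.100.10 143 REJECT
2000-07-26T09:00:04 203.0.113.7 198.51.100.10 443 ACCEPT
2000-07-26T09:00:04 203.0.113.7 198.51.100.10 3389 REJECT
2000-07-26T09:00:10 192.0.2.5 198.51.100.10 443 ACCEPT
2000-07-26T09:01:30 192.0.2.5 198.51.100.10 443 ACCEPT
2000-07-26T09:03:00 192.0.2.5 198.51.100.10 443 ACCEPT
2000-07-26T09:05:00 198.18.0.9 10.0.0.1 502 REJECT
2000-07-26T09:05:02 198.18.0.9 10.0.0.2 502 REJECT
2000-07-26T09:05:04 198.18.0.9 10.0.0.3 502 REJECT
2000-07-26T09:05:06 198.18.0.9 10.0.0.4 502 REJECT
2000-07-26T09:05:08 198.18.0.9 10.0.0.5 502 REJECT
2000-07-26T09:05:10 198.18.0.9 10.0.0.6 502 REJECT
2000-07-26T09:05:12 198.18.0.9 10.0.0.7 502 REJECT
2000-07-26T09:05:14 198.18.0.9 10.0.0.8 502 ACCEPT
2000-07-26T09:10:00 203.0.113.99 198.51.100.10 21 REJECT
2000-07-26T09:15:00 203.0.113.99 198.51.100.10 22 REJECT
2000-07-26T09:20:00 203.0.113.99 198.51.100.10 23 REJECT
"""

Event = Tuple[datetime, str, str, int]


def parse_line(line: str) -> Event:
    """Split one log line into (timestamp, src, dst, port); the action is ignored."""
    ts, src, dst, port, _action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_probes(lines: Iterable[str], window_seconds: int = 60,
                  threshold: int = 8) -> Dict[str, dict]:
    """Flag sources that touch >= threshold distinct (host, port) targets
    inside any window_seconds-long interval. Returns src -> alert summary."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, deque] = defaultdict(deque)  # src -> (ts, dst, port) in window
    alerts: Dict[str, dict] = {}
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, dst, port = parse_line(raw)
        q = recent[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        targets = {(d, p) for _, d, p in q}
        if len(targets) < threshold:
            continue
        hosts = {d for d, _ in targets}
        ports = {p for _, p in targets}
        if len(hosts) == 1:
            kind = "vertical"      # many ports on one host
        elif len(ports) == 1:
            kind = "horizontal"    # one port across many hosts
        else:
            kind = "mixed"
        alert = alerts.setdefault(src, {"first": q[0][0], "targets": 0})
        alert.update(kind=kind, last=ts, targets=max(alert["targets"], len(targets)))
    return alerts


if __name__ == "__main__":
    for src, info in detect_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['kind']} scan, {info['targets']} targets, "
              f"{info['first'].time()} to {info['last'].time()}")
```

With the defaults the two fast scanners are reported and the ordinary client is not, but the slow prober (one port every five minutes) never accumulates eight targets inside a sixty-second window and passes unseen; widening the window and lowering the threshold catches it at the price of more false positives. That trade-off is the practical content of H8's "responsive process": precursor activity is detected by patterns that the attacker can stretch over time, so thresholds and windows must be revisited as the observed probing evolves rather than set once.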

H9. Given our current knowledge base, the CIP problem is too complex and dynamic to be handled (at least initially) by any single unified strategic concept and approach. In this context the best approach is to find a temporary framework that breaks the overall problem into more manageable pieces (at a minimum, to identify where a relevant decision-making process exists or needs to be created), attack the pieces, and look to a unified and temporally more stable national and international CIP strategy and framework/solution space to take shape over time.

H10. It is necessary that we carefully study an elaborated set of cyber stimuli (attack modes), applied to specific vulnerabilities, leading to specific elaborated effects, and associated relevant responses. These studies must often be both infrastructure sector specific and inter-infrastructure because of greatly varying system architectures, dependencies, and effects across the differing infrastructure sectors.

H11. Political-military context is important. The effects of an attack on one or more critical infrastructures can vary greatly depending on whether the United States is in "steady state," or, for example, is in the midst of a major overseas troop deployment. In the former case, the effects are likely to be somewhat localized, not unlike the effects of a major hurricane or earthquake. In the latter case, it is conceivable that key portions of a deployment might be delayed for up to several days or more, resulting in a possible altered (degraded) military or political situation.

H12. The studies of attack modes, vulnerabilities, effects, and responses mentioned in H10, above, must be based on focused discussions between government and the private sector firms that operate much of the U.S. critical infrastructure. Such discussions would be greatly enhanced if government came with an understanding of the attack modes most relevant to a particular infrastructure sector and the specific vulnerabilities of that sector - having then studied the likely effects of, and range of possible responses to, a strategic-level attack upon that sector capitalizing on those vulnerabilities.

H13. While CIP problems are global, and many critical infrastructures are controlled by international corporations, it is reasonable to begin to approach the problem domestically and with U.S.-based multinational infrastructure owners and operators. As international issues emerge, they can then be addressed multilaterally with a better understanding of and perspective on domestic interests and constraints.

It should be clear from the above discussion that there is no simple "silver bullet" for enhancing U.S. or global critical information infrastructure protection, or even more broadly, information infrastructure-based critical infrastructures such as electric power. It is still quite unclear how vulnerable key sectors are, how widespread the effects of a major strategic attack might be, and how effective various responses to that attack - such as work-arounds and reconstitution - might be. It is also unclear how well an adversary (e.g., a nation-state or major terrorist group) could marshal the necessary knowledge and resources to mount a strategic-level attack, especially without its preparations and probes being detected.

Given this state of considerable uncertainty, the best approach at the U.S. national level is to consider and refine hypotheses such as we've outlined in this testimony. This process will eventually require analysts and policy makers to get "down into the details" for each critical infrastructure sector. This should lead to a clearer, more focused understanding of the particular attack modes that might be most troublesome, the particular generic vulnerabilities that are most worrisome for that sector, the expected type and extent of effects that the sector might suffer, the importance (to the nation) and costs that might be incurred by those effects, and the types and effectiveness of responses that might be expected (by the private sector and by the government). The government might then be prepared to enter into tangible, specific dialogues with relevant sector providers about these data, at a level of detail that can engage the interest of those providers.


