TESTIMONY
of
Richard
C. Schaeffer, Jr.
Director, Infrastructure and Information
Assurance
Office of the Assistant Secretary of Defense
(Command, Control, Communication, and Intelligence)
before
a hearing
of the
Subcommittee on Government
Management,
Information, and Technology
July 26, 2000
Computer Security:
Cyber Attacks - War without Borders
Mr. Chairman, and Members of the
Committee, I appreciate the opportunity to be here today to discuss this
very important topic in relation to the challenge of providing a coordinated
response to computer security threats.
To set the stage for my remarks
I'd like to say a few words about the environment in which the Department
of Defense (DoD) conducts its daily operations - during peacetime, crisis,
and war. The Department's steadily increasing dependence on a global information
environment, over which it has little control, heightens its exposure
and vulnerability to a rapidly growing number of increasingly sophisticated
internal and external threats. Globally internetworked and interdependent
information systems tend to level the playing field between allies
and adversaries, and offer adversaries access to potentially high-value
and (currently) low-risk information infrastructure targets. These targets,
if successfully attacked, have the potential to impact the full spectrum
of DoD operations. To attack a large number of systems, an adversary need
only find and attack a single exploitable connection to the system (through
the use of a wide and growing variety of commonly available and inexpensive
hacker tools). Once inside a system, an adversary can exploit it and the
systems networked to it. This global marriage of systems and networks
creates what has become a shared risk environment. Further, with
every advance in information technology, new vulnerabilities are created
that must quickly be discovered and effectively neutralized.
Given the risks and the fact that
weakness in any portion of the Defense Information Infrastructure (DII)
is a threat to the operational readiness of all Components, the Department
is moving aggressively to ensure the continuous availability, integrity,
authentication, confidentiality, and non-repudiation of its information
and the protection of its information infrastructure. Exercises and real-life
events clearly demonstrate that Defense-wide improvement in Information
Assurance (IA) is an absolute and continuous operational necessity. We
can no longer be satisfied with reactive or after-the-fact solutions.
As the Department modernizes its information infrastructure, it must also
continuously invest in the research, development, and timely integration
of products, procedures, and training necessary to sustain its ability
to defend it. Providing for the protection of the DII is one of the Department's
highest priorities and most formidable challenges.
However, perfect protection
is an unattainable goal. As stated above, an adversary need only find
and attack a single exploitable connection to the system. This location
could be at any base, post, camp or station, worldwide. It could be the
location of an elite military unit or an entirely civilian element responsible
for the extraordinary range of support activities critical to the successful
execution of DoD missions.
The first challenge we face is to
identify that an attack has occurred. I use the term "attack"
here in a very broad sense to mean any malicious event perpetrated by
an unauthorized (or authorized) user of a DoD information system. This
is a non-trivial problem. Yes, there is technology available today to
detect anomalous events. And, while this technology continues to increase
in capability, for the most part, it will always lag behind the capability
of the adversary, particularly the sophisticated adversary, to develop
new attack capabilities. Within the Department, we have deployed a vast
array of sensors to provide indications and warning of an ongoing attack.
Once anomalous activity is detected, the process of sorting through vast
amounts of audit data is then required to attribute the attack to a specific
person, organization, or entity (to include nation states and/or transnational
elements). As a point of reference, during 1999, over 22,000 attacks
were reported to the Joint Task Force-Computer Network Defense (JTF-CND).
The next challenge is attribution.
Within U.S. borders, any attack is viewed first as a law enforcement (LE)
issue - it is viewed as a crime rather than a national security matter.
If, and only if, it can be shown that the attack is being perpetrated
by a foreign entity, from foreign soil, does the attack become a national
security matter. Because of the anonymity with which attacks can be perpetrated,
and the ease with which an attacker can move from one computer (Host)
to another, the delay in identifying the adversary, let alone their intention(s),
can be very long.
Attribution is a complex undertaking
that requires coordination among several elements. [In this context, a
host is any computer from which an attack is launched. This could be an
attacker's own computer, a server at a local Internet Service Provider
(ISP), a server at a U.S. college or university, or a server at another
government department or agency.] Under our constitutional system, information
essential to attribute the attack to a specific entity typically
can be gathered only pursuant to criminal investigative authorities. The
host owner can, of course, cooperate with law enforcement officials without
the need for a warrant, and fortunately this frequently occurs. Regardless,
collection and analysis of audit data from the host is a necessary component
of the attribution process. A court order must be obtained, which can
take from hours to days, and then the data must be obtained and analyzed.
I don't want to oversimplify the analysis process - it is extremely difficult.
It is this analysis, together with other information gained as part of
the investigative process (and, as appropriate, intelligence processes)
that provides a picture of the perpetrator's motivation and purpose.
Coordination between responsible elements, both internal and external
to the DoD, during these activities is essential.
Within the DoD, we have established
detailed procedures for the coordination of all cyber events. The JTF-CND
was formed on December 30, 1998 to provide a single command with authority
to coordinate and direct the defense of the DoD computer systems and networks.
Originally formed as a separate JTF reporting directly to the Secretary
of Defense, JTF-CND became a direct reporting command of U.S. SPACE Command
on October 1, 1999 when SPACE Command was assigned the mission of computer
network defense for the Department of Defense. The JTF-CND provides DoD
with a focal point for dealing with cyber threats and answered the "Who's
in charge?" question. Prior to the formation of the JTF, no single
entity had the authority to coordinate and direct a DoD-wide response
to a computer network attack. The JTF-CND and the National Infrastructure
Protection Center (NIPC), which serves as a focal point for the Federal
Government's efforts to detect, assess, warn of, and respond to cyber
attacks, form a strong collaborative team for dealing with attacks
on DoD systems and networks.
Several examples are provided to
elaborate on the responsibilities of the JTF-CND.
During the Melissa Virus incident
in March 1999, the JTF-CND, in cooperation with the DoD Computer Emergency
Response Team (CERT) and the JTF's Service components, was able to
quickly assess the threat, develop a defensive strategy, and direct
appropriate defensive actions. Despite damage to the private sector
in the hundreds of millions of dollars, DoD experienced relatively
little effect and no operational impact.
The JTF-CND began working on
countermeasures for distributed denial of service tools in November
1999. While not finding any direct antidote, the efforts provided
significant data for the creation of a DoD functional plan for countering
this type of attack while simultaneously ensuring that DoD systems
are not subverted into taking part in attacks on others.
The JTF was at the center of
DoD's response to the Year 2000 event. The JTF provided valuable staff
analysis of the situation, and coordinated with the numerous ad hoc
organizations formed to implement the federal government's response.
The JTF was integral in ensuring that DoD took a coordinated and measured
approach.
The ILOVEYOU virus provided
another example of rapid action. The JTF staff rapidly identified
the potential damage and provided rapid notification to the CINCs,
Services and agencies that enabled them to effectively respond.
Over the last 18 months, the JTF-CND
has developed processes for identifying attacks against DoD networks,
assessing the importance of those attacks, notifying appropriate headquarters
of the information, developing and implementing responses to them, and
coordinating with external organizations such as the NIPC. The DoD relies
on the NIPC to coordinate cyber attack indication and warnings with the
nation's Critical Infrastructure elements (Communications, Power, etc.)
upon which the Department depends for mission success.
In closing, I'd like to say just
a few words about where we are today and where we need to be in the future.
Today it takes us, at best, hours to transition from detection to warning;
at worst this could be days - the attacks are executed in milliseconds.
We must develop the technology, capabilities, processes, and legal framework
to respond to cyber events in near real time. There will come a time when
our capabilities WILL be tested and national security or the economic
security of the nation will depend on components like the JTF-CND, NIPC,
and others working collaboratively in response to the event.
I want to thank the subcommittee
again for providing an opportunity for the Department of Defense to present
its views on this very important issue. I look forward to working with
Congress to ensure that we are able to meet these ever-increasing challenges.