PROTECTING AMERICA AGAINST CYBERTERRORISM
By Paul Rodgers
Assistant Unit Chief, Outreach and Field Support Unit
National Infrastructure Protection Center
Federal Bureau of Investigation
"Although the means and ends have evolved throughout history, the central elements of terrorism -- fear, panic, violence and disruption -- have changed little," says Paul Rodgers of the National Infrastructure Protection Center at the Federal Bureau of Investigation. "Today, tremendous destructive potential fits into easily transported packages (bombs, nerve gas and biological agents), and the computers that are connected to the Internet can be attacked from any point on the globe. The need for the heightened security of critical operations has grown markedly in recent years as a result of the escalation in the use of information technology to improve performance, increased competitive pressures from deregulation and globalization, and the concentration of operations in a smaller number of facilities to decrease costs, with the resulting reduction in redundancy and reserve capacity."
THE WAR ON TERRORISM
With the destruction of the World Trade Center Towers and the attack on the Pentagon on September 11th, and the continuing anthrax attacks, the United States has entered a new age of terrorism that targets both civilians and soldiers in a war with no rules and no clear ending. There has been a steady progression toward this point, marked by such events as the 1988 bombing of Pan Am Flight 103 over Lockerbie, Scotland, the 1989 Hannover Hackers case, the 1994 Citibank fraud case, and the 1995 Oklahoma City bombing.
Although the means and ends have evolved throughout history, the central elements of terrorism -- fear, panic, violence and disruption -- have changed little. As the world enters the 21st Century, terrorism remains a vexing problem -- an anachronistic fixture of human relations as paradoxically human and inhuman in the Third Millennium as it was before the dawn of recorded history. While terrorists once generally used acts of terrorism as a means to publicize their causes, the operational objectives in the more recent attacks focused on producing the maximum destruction, casualties and impact.
THE CYBER DIMENSION
Today, tremendous destructive potential fits into easily transported packages (bombs, nerve gas and biological agents), and the computers that are connected to the Internet can be attacked from any point on the globe. The threat of retaliation, effective against nations, is less so against small and elusive groups who strike anonymously and have no territory to hold at risk.
The need for the heightened security of critical operations has grown markedly in recent years as a result of the escalation in the use of information technology to improve performance, increased competitive pressures from deregulation and globalization, and the concentration of operations in a smaller number of facilities to decrease costs, with the resulting reduction in redundancy and reserve capacity.
The Computer Security Institute (CSI), which conducts an annual Computer Crime and Security Survey with the participation of the Federal Bureau of Investigation's (FBI) Computer Intrusion Squad in San Francisco, has reported in its 2001 survey that the losses of 186 respondents totaled approximately $378 million. These losses are based on serious computer security breaches detected primarily by large corporations, government agencies, and universities. Security breaches detected by respondents include a diverse array of attacks such as: unauthorized access by insiders, denial of service attacks, system penetration by outsiders, theft of proprietary information, financial fraud, and sabotage of data and networks. Supervisory Control And Data Acquisition (SCADA) systems are particularly vulnerable when they use the Internet to monitor and control processes at remote sites. Such a practice is employed in a wide variety of industries including chemical, petrochemical, oil and gas, food processing, pulp and paper, pharmaceuticals, water and wastewater, transportation, energy management, and other manufacturing applications.
Financial losses, of course, will not be restricted to the theft of proprietary information, financial fraud and other criminal offenses. As more commerce is conducted on-line, civil lawsuits will increase in which claimants seek downstream damages for network intrusions based on legal theories such as a lack of the "due diligence" owed to stockholders, customers, suppliers, and other innocent third-party victims.
China and Russia have publicly acknowledged the role cyber attacks will play in the "next wave of military operations." Two Chinese military officers have published a book that called for the use of unconventional measures, including the propagation of computer viruses, to counterbalance the military power of the United States. Thus, information warfare has arrived as a new concept in military operations. The challenge now is to prevent this weapon from being turned against the United States.
In response to these growing critical infrastructure vulnerabilities, President Clinton in 1996 established the President's Commission on Critical Infrastructure Protection (PCCIP) to study the critical infrastructures that constitute the life support systems of the United States, determine vulnerabilities and propose a strategy for protecting them. The commission in its 1997 report, Critical Foundations: Protecting America's Infrastructures, pointed out that critical infrastructure assurance is a shared responsibility of the public and private sectors.
The report, implemented in 1998 by Presidential Decision Directive (PDD) 63 on Critical Infrastructure Protection, declares that federal facilities should be among the first to adopt best practices, active risk management, and improved security planning, thereby presenting a model for industry to follow voluntarily. The PDD calls for the creation of a strong partnership with the business community and state and local governments to maximize the alliance for national security.
The directive also provided for the establishment of the National Infrastructure Protection Center (NIPC) in 1998 by the conversion of the Computer Investigation and Infrastructure Threat Assessment Center into the nucleus of NIPC. NIPC (http://www.nipc.gov) fuses representatives from the FBI, the Departments of Commerce, Defense, Energy, Transportation, the Intelligence Community, and other federal agencies, and the private sector into an unprecedented information sharing effort.
NIPC's mission is to detect, warn of, respond to, and investigate computer intrusions that threaten critical infrastructures. It not only provides a reactive response to an attack that has already occurred, but proactively seeks to discover planned attacks and issues warnings before they occur. This task requires the collection and analysis of information gathered from all available sources (including law enforcement and intelligence sources, data voluntarily provided, and open sources) and dissemination of analysis and warnings of possible attacks to potential victims, whether in the government or the private sector.
The National Infrastructure Protection and Computer Intrusion Program (NIPCIP) consists of FBI agents who are responsible for investigating computer intrusions, implementing the key asset initiative, and maintaining liaison with the private sector. There are about 1,300 pending investigations in the field, ranging from criminal activity to national security intrusions. Many of these cases have a foreign component to them requiring close coordination with FBI legal attaches around the world.
PDD 63 also launched a major vehicle for information sharing by encouraging the owners and operators of the critical infrastructures to establish private sector Information Sharing and Analysis Centers (ISACs) to gather, analyze, sanitize and disseminate private sector information to both industry and the NIPC. The decision to establish an information sharing center is determined by the private sector participants.
ISACs have been established for the critical infrastructure sectors of banking and finance, information and communications, energy, emergency law enforcement and fire services, railroads, and water supply. NIPC promotes the sharing of information with these ISACs and encourages the establishment of ISACs by the remaining sectors.
The InfraGard Program is a NIPC effort to build a community of professionals who have a strong interest in protecting their information systems. Members have the opportunity to share information with other members, utilize the law enforcement expertise of the FBI and other law enforcement agencies that participate in the program, and draw on the analytical capabilities of the NIPC. The InfraGard includes representatives from private industry, academic institutions, and other federal, state and local government agencies. It is the most extensive government-private sector partnership for infrastructure protection in the world. A key element of the InfraGard initiative is the confidentiality of reporting by members. Much of the information provided by the private sector is proprietary and is treated as such.
The NIPC plans to promote the expansion of the InfraGard program to other countries, such as Australia, Canada, New Zealand and the United Kingdom.
The NIPC sends out advisories on an ad hoc basis; these are infrastructure warnings that address cyber or infrastructure events with a possible significant impact. They are distributed to partners in the private and public sectors. The NIPC works in close cooperation with the Federal Computer Incident Response Capability (FedCIRC) to assist federal civil agencies with the handling of computer incident responses, and to provide both proactive and reactive security services.
KEY ASSET INITIATIVE
The NIPC role is further strengthened by its Key Asset Initiative (KAI), which maintains a database of information concerning key assets within each FBI field office's jurisdiction, establishes lines of communication with key asset owners and operators to share information and work with them to improve their cyber and physical security, and enhances ongoing coordination in the protection of critical infrastructure with other federal, state and local government entities. The number of key assets listed in the database continues to increase; as of November 1, 8,806 key assets had been identified.
Over the past three years, NIPC has provided training for over 4,000 federal, state, local and foreign government investigators through nine core training courses that deal with basic cyber investigations, understanding operating systems, aspects of UNIX, and Cisco Routers. These courses are conducted both at the FBI Academy at Quantico, Virginia and around the United States. The NIPC's training program complements training offered by the FBI's Training Division as well as training offered by the Department of Defense and the National Cybercrime Training Partnership.
The FBI has established a growing international presence in order to enhance capabilities to counter a broad range of threats, including international terrorism. The FBI currently maintains Legal Attaché (LEGAT) offices in over 40 countries. Forward deployment of FBI personnel has proven a very effective means to establish liaison with counterpart security and intelligence services and to coordinate FBI investigative resources when U.S. interests are attacked or threatened.
The NIPC also maintains an active dialogue with the international community, including its participation in the Trilateral Seminar of the International Cooperation for Information Assurance in Sweden and the Group of Eight (G-8) Lyon Group (High Tech Crime Subgroup). Over the past year, NIPC personnel have met with government authorities, both in the U.S. and abroad, from Australia, Canada, Denmark, France, Germany, Israel, Japan, Norway, Singapore, Sweden, the United Kingdom, and other nations to discuss infrastructure protection issues with their counterparts. Finally, the NIPC Watch Center is connected to the watch centers of several allies.
The NIPC staff includes government officials on detail from Australia, Canada and the United Kingdom, and it welcomes requests from other U.S. allies for representation on its staff for broadening international cooperation. The NIPC role was further enhanced by the issuance of recent executive orders on cyber protection and homeland security.
CIP INFORMATION AGE EXECUTIVE ORDER
Following the September 11th attacks, President Bush on October 16 issued Executive Order 13231 on Critical Infrastructure Protection in the Information Age, which established the President's Critical Infrastructure Protection Board to coordinate the protection of information systems that involve federal critical infrastructures, and to cooperate with the private sector and state and local governments in the protection of information systems that involve their critical infrastructures.
The order also established a panel of approximately 30 corporate chief executive officers to advise the president on the security of information systems supporting the private sector and state and local governments.
The threat of cyberterrorism will grow in the New Millennium, as the leadership positions in extremist organizations are increasingly filled with younger, "Internet-savvy" individuals. Most worrisome is a potential coordinated attack on national critical infrastructures. While the United States has not yet experienced this sort of attack, it is not hard to anticipate such a threat from the intrusions we have seen. Cyber attacks know no national boundaries and are truly international in scope and effect. International cooperation and information sharing are critical in order to respond more effectively to this growing threat.