REPORT OF THE
DEFENSE SCIENCE BOARD
TASK FORCE
ON INFORMATION WARFARE - DEFENSE
(IW-D)

November 1996

OFFICE OF THE UNDER SECRETARY OF DEFENSE
FOR ACQUISITION & TECHNOLOGY

WASHINGTON, D.C. 20301-3140


This report is a product of the Defense Science Board (DSB).
The DSB is a Federal Advisory Committee established to provide
independent advice to the Secretary of Defense. Statements,
opinions, conclusions, and recommendations in this report do not
necessarily represent the official position of the Department of Defense.

This report is UNCLASSIFIED.


DEFENSE SCIENCE BOARD

OFFICE OF THE SECRETARY OF DEFENSE
3140 DEFENSE PENTAGON
WASHINGTON, DC 20301-3140

25 November 1996

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE (ACQUISITION & TECHNOLOGY)

SUBJECT: Report of the DSB Task Force on Information Warfare (Defense)

I am pleased to forward the final report of the DSB Task Force on Information Warfare (Defense), which was chaired by Mr. Duane P. Andrews. You asked the Task Force to focus on protection of information interests of national importance through establishment and maintenance of a credible information warfare (IW) defensive capability in several areas, including deterrence and to make recommendations regarding the creation and maintenance of specific aspects of a national information warfare defense capability.

The Task Force recommends a series of over 50 actions designed to better prepare the Department for this new form of warfare beginning with identification of an accountable focal point within the Department for all IW activities and ending with the allocation or reallocation of approximately $3 billion over the next 5 years to implement these recommended actions.

[Signature]

Craig I. Fields
Chairman


DEFENSE SCIENCE BOARD

OFFICE OF THE SECRETARY OF DEFENSE
3140 DEFENSE PENTAGON
WASHINGTON, DC 20301-3140

21 November 1996

Dr. Craig Fields
Chairman
Defense Science Board
3140 Defense Pentagon
Washington, DC 20301-3140

Dear Dr. Fields:

Attached is the report of the DSB Task Force on Information Warfare (Defense).

We conclude that there is a need for extraordinary action to deal with the present and emerging challenges of defending against possible information warfare attacks on facilities, information, information systems, and networks of the United States which would seriously affect the ability of the Department of Defense to carry out its assigned missions and functions. We have observed an increasing dependency on the Defense Information Infrastructure and increasing doctrinal assumptions regarding the continued availability of that infrastructure. This dependency and these assumptions are ingredients in a recipe for a national security disaster.

I should also point out that this is the third consecutive year a DSB Summer Study or Task Force has made similar recommendations to better prepare the Department for the challenges of information warfare.

Accordingly, we recommend a series of over 50 actions designed to better prepare the Department for this new form of warfare beginning with identification of an accountable focal point within the Department for all IW activities and ending with the allocation or reallocation of approximately $3 billion over the next 5 years to implement these recommended actions.

We will be, of course, happy to provide any further assistance you may desire.

Sincerely,

[Signature]

Duane P. Andrews

Attachment


PREFACE

The Defense Science Board Task Force on Information Warfare (Defense) was established at the direction of the Under Secretary of Defense for Acquisition and Technology. By USD(A&T) Memorandum for the Chairman, Defense Science Board, dated October 4, 1995, the Task Force was directed to "focus on protection of information interests of national importance through the establishment and maintenance of a credible information warfare defensive capability in several areas, including deterrence." Specifically, the Task Force was asked to:

  • Identify the information users of national interest who can be attacked through the shared elements of the national information infrastructure.
  • Determine the scope of national information interests to be defended by information warfare defense and deterrence capabilities.
  • Characterize the procedures, processes, and mechanisms required to defend against various classes of threats to the national information infrastructure and the information users of national interest.
  • Identify the indications and warning, tactical warning, and attack assessment procedures, processes, and mechanisms needed to anticipate, detect, and characterize attacks on the national information infrastructure and/or attacks on the information users of national interest.
  • Identify the reasonable roles of government and the private sector, alone and in concert, in creating, managing, and operating a national information warfare-defense capability.
  • Provide specific guidelines for implementation of the Task Force's recommendations.

For the purpose of this report, the terms national and national-level are assumed to include Federal, state and local governments, academia, associations, public interest organizations, and the private sector.

This report presents the conclusions and recommendations of the Task Force based on study efforts of the Task Force and Panels created by the Task Force to address specific areas of interest. The report is organized as follows:

  • Executive Summary.
  • Section 1, Introduction, provides background information.
  • Section 2, Environment, describes factors pertinent to the study effort.
  • Section 3, Observations, provides the major findings of the Task Force.
  • Section 4, What Should We Defend?, identifies the information users of national interest and scope of interests to be defended.
  • Section 5, How Should We Defend?, suggests processes and procedures necessary to defend the users against the threats. It includes a discussion of required indications and warning, tactical warning, attack assessment, and continuity of operations organizations and procedures.
  • Section 6, Recommendations, presents recommendations, and provides specific guidelines for implementing the recommendations. It includes a discussion of the reasonable roles of government and the private sector and concludes with resources, in addition to current INFOSEC budgets, required to implement the recommendations.
  • Section 7, Summary, briefly summarizes the report and suggests some immediate actions.

Appendices are provided as background and resource information. They do not represent a consensus view of the Task Force and recommendations contained in the Appendices are not Task Force recommendations to the Department. Some of the appendices were used in part as input to the main body of this report. Other appendices are provided because they contain useful information for further discussion of matters addressed in the main body of the report.

At about the same time that the Task Force was created, the President signed a major policy directive regarding the protection of critical infrastructures such as telecommunications, electric power, and transportation. This directive resulted in the creation of a Critical Infrastructures Working Group (CIWG) to address the manner in which the directive should be implemented. The CIWG recommendations were implemented with some modification in Executive Order 13010, Critical Infrastructure Protection which was signed by the President on July 15, 1996. E.O. 13010 establishes a President's Commission to, in part,

  • Assess the scope and nature of the vulnerabilities of, and threats to, critical infrastructures,
  • Determine what legal and policy issues are raised by efforts to protect critical infrastructures, and
  • Recommend a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats and assuring their continued operation.

Given these parallel and closely related activities, the Task Force elected to address information warfare (defense) issues and provide conclusions from both the national and Department of Defense perspectives. However, the Task Force recommendations are specifically oriented on the Department of Defense. Department of Defense dependencies on national-level activities for information warfare (defense) are provided to the Secretary of Defense for possible transmittal to the President's Commission for use in their deliberations.


TABLE OF CONTENTS

Section

EXECUTIVE SUMMARY

1.0 INTRODUCTION

2.0 ENVIRONMENT

2.1 Growing Dependency, Growing Risk
2.2 Information Warfare
2.3 The Infrastructure
2.4 Threat

3.0 OBSERVATIONS

4.0 WHAT SHOULD WE DEFEND?

5.0 HOW SHOULD WE DEFEND?

5.1 Procedures, Processes and Mechanisms
5.2 Strategy

6.0 RECOMMENDATIONS

6.1 Designate an Accountable IW Focal Point
6.2 Organize for IW-D
6.2.1 Establish a Center for Intelligence Indications and Warning, Current Intelligence, and Threat Assessments
6.2.2 Establish a Center for IW-D Operations
6.2.3 Establish a Center for IW-D Planning and Coordination
6.2.4 Establish a Joint Office for System, Network and Infrastructure Design
6.2.5 Establish a Red Team for Independent Assessments

6.3 Increase Awareness
6.4 Assess Infrastructure Dependencies and Vulnerabilities
6.5 Define Threat Conditions and Responses
6.6 Assess IW-D Readiness
6.7 "Raise the Bar" with High Pay-Off, Low-Cost Items
6.8 Establish and Maintain a Minimum Essential Information Infrastructure
6.9 Focus the R&D
6.10 Staff for Success
6.11 Resolve the Legal Issues
6.12 Participate Fully in Critical Infrastructure Protection
6.13 Provide the Resources

7.0 SUMMARY

APPENDIX A: Threat Assessment

APPENDIX B: National Intelligence Exploitation Architecture

APPENDIX C: A Taxonomy for Information Warfare?

APPENDIX D: Organizational Models

D.1 Centers for Disease Control and Prevention
D.2 Federal Emergency Management Agency Federal Response Plan
D.3 National Drug Intelligence Center

APPENDIX E: Think Pieces

E.1 Information Infrastructure Assurance Principles
E.2 "Raise the Bar" Exercise

APPENDIX F: Technology Issues

APPENDIX G: List of Acronyms

APPENDIX H: Glossary


LIST OF EXHIBITS

Exhibit

ES-1 Observations
ES-2 Recommendations

1-1 Terms of Reference
1-2 Additional Items of Interest
1-3 Task Force Members

2-1 A Fragile Foundation
2-2 Infrastructures and Dependencies
2-3 Vulnerabilities
2-4 Vulnerabilities/Exploitation Techniques
2-5 The Threat is Real
2-6 Threat Assessment
2-7 The Risk -- A Clear and Present Danger

3-1 Initial Observations
3-2 Information Warfare is Different
3-3 Intelligence Community Observations
3-4 Additional Observations
3-5 Additional Observations
3-6 Additional Observations
3-7 Additional Observations
3-8 Additional Observations

4-1 National Goals for Information Warfare (Defense)
4-2 The National Interests

5-1 Procedures, Processes and Mechanisms

6-1 Designate an Accountable IW Focal Point
6-2 Organize for IW-D

6-2-1 Establish a Center for Intelligence Indications and Warning, Current Intelligence, and Threat Assessments
6-2-2 Establish a Center for IW-D Operations
6-2-4 Establish a Joint Office for System, Network and Infrastructure Design
6-2-5 Establish a Red Team for Independent Assessments
6-2-6 Organizational Recommendation - DoD Aspects
6-2-7 Organizational Recommendations - Functional Aspects

6-3 Increase Awareness
6-4 Assess Infrastructure Dependencies and Vulnerabilities
6-5-1 Define Threat Conditions and Responses
6-5-2 Sample Threat Condition and Response
6-6 Assess IW-D Readiness
6-6 Assess IW-D Readiness (Continued)
6-7 "Raise the Bar" with High-Payoff, Low-Cost Items
6-8 Establish and Maintain a Minimum Essential Information Infrastructure
6-9 Focus the R&D
6-10 Staff for Success
6-11 Resolve the Legal Issues
6-12-1 Participate Fully in Critical Infrastructure Protection
6-12-2 Participate Fully in Critical Infrastructure Protection (Continued)
6-12-3 Participate Fully in Critical Infrastructure Protection (Continued)
6-12-4 Participate Fully in Critical Infrastructure Protection (Continued)
6-12-5 Participate Fully in Critical Infrastructure Protection (Continued)
6-12-6 Possible IW Target Protection Responsibilities
6-13-1 Provide the Resources
6-13-2 Get Started Resources

7-1 Tie It Together
7-2 And Start Immediately!


EXECUTIVE SUMMARY

The Environment

The national security posture of the United States is becoming increasingly dependent on U.S. and international infrastructures. These infrastructures are highly interdependent, particularly because of the inter-netted nature of the information components and because of their reliance on the national information infrastructure. The information infrastructure depends, in turn, upon other infrastructures such as electrical power.

Protecting the infrastructures against physical and electronic attacks and ensuring the availability of the infrastructures will be complicated. These infrastructures are provided mostly (and in some cases exclusively) by the commercial sector; regulated in part by federal, state, and local governments; and significantly influenced by market forces. Commercial services from the national information infrastructure provide the vast majority of the telecommunications portion of the Defense Information Infrastructure (DII). These services are regulated by Federal and state agencies. Local government agencies regulate the cable television portion of the information infrastructure. Power generation and distribution are provided by very diverse activities -- the Federal government, public utilities, cooperatives, and private companies. Interstate telecommunications are regulated by the Federal Communications Commission, intrastate telecommunications by the state public utilities commissions. Interstate power distribution is regulated by the Federal Energy Regulatory Commission, intrastate power generation and distribution by the state public utilities commissions.

Observations

Information infrastructures are vulnerable to attack. While this in itself poses a national security threat, the linkage between information systems and traditional critical infrastructures has increased the scope and potential of the information warfare threat. For economic reasons, increasing deregulation and competition create an increased reliance on information systems to operate, maintain, and monitor critical infrastructures. This in turn creates a tunnel of vulnerability previously unrealized in the history of conflict.

Information warfare offers a veil of anonymity to potential attackers. Attackers can hide in the mesh of inter-netted systems and often use previously conquered systems to launch their attacks. The lack of geographical, spatial, and political boundaries offers further anonymity and legal and regulatory arbitrage; this lack also invalidates previously established "nation-state" sanctuaries. Information warfare is also relatively cheap to wage, offering a high return on investment for resource-poor adversaries. The technology required to mount attacks is relatively simple and ubiquitous. During information warfare, demand for information will dramatically increase while the capacity of the information infrastructure will most certainly decrease. The law, particularly international law, is currently ambiguous regarding criminality in and acts of war on information infrastructures. This ambiguity, coupled with a lack of clearly designated responsibilities for electronic defense hinders the development of remedies and limits response options.

Exhibit ES-1 shows additional observations.

  • Information warfare has been particularly troublesome for the intelligence community
  • We lack a common vocabulary
  • Resources are focused on classified content and systems
  • It is easy to make the IW-D problem too hard
  • Acquisition policy and practices pose dilemmas
  • However, a lot can be done
  • And DoD must start now!

Exhibit ES-1. Observations

What Should We Defend?

The current Administration's national security strategy for the United States suggests that the nation's "economic and security interests are increasingly inseparable" and that "we simply cannot be successful in advancing our interests -- political, military and economic -- without active engagement in world affairs." In the broad sense, then, the scope of national information interests to be defended by information warfare defense and deterrence capabilities are those political, military, and economic interests. These include the continuity of a democratic form of government and a free market economy, the ability to conduct effective diplomacy, a favorable balance of trade, and a military force that is ready to fight and that can be deployed where needed. These interests are supported by the delivery of goods and services that result from the conduct of functional activities such as manufacturing, governing, banking and finance, and the like. Some of these activities are critical to the nation's political, military, and economic interests. These critical functional activities, in turn, depend on information technology and critical infrastructures such as banking and finance, electric power, telecommunications, and transportation.

In general, U.S. infrastructures are extremely reliable and available because they have been designed to respond to disruptions, particularly those caused by natural phenomena. Redundancy and diverse routing are two examples of design techniques used to improve reliability and availability. However, deregulation and increased competition cause companies operating these infrastructures to rely more and more on information technology to centralize control of their operations, to support critical functions, and to deliver goods and services. Centralization and reliance on broadly networked information systems increase the vulnerabilities of the infrastructures and the likelihood of disruptions or malevolent attacks.

The information users of national interest who can be attacked through the shared elements of the national information infrastructure are those responsible for performing the critical functions necessary for the delivery of the goods and services upon which our political, military, and economic interests depend.

The Department of Defense (DoD) must preserve its ability to fulfill its basic missions. To do that, DoD must be concerned about the ensured operation of the critical functions and the availability of information necessary to fulfill those missions. The intertwined nature of the functions of national interest and supporting infrastructures adds to the complexity: there are critical functions which have national security implications and which must be defended; and there are critical portions of the infrastructures which are necessary for the operation of DoD and national functions.

How Should We Defend?

The concept for defending the information infrastructure and the information components of other critical infrastructures includes the following principles:

  • Critical functions must be capable of being performed in the presence of information warfare attacks.
  • Some minimum essential infrastructure capability must exist to support these critical functions.
  • Point and layered defenses are preferable to area defenses.
  • The infrastructure must be designed to function in the presence of failed components, systems, and networks. The risk associated with failed components, systems, and networks must be managed since it cannot be avoided.
  • The infrastructure control functions should not be dependent on normal operation of the infrastructure.
  • The infrastructure must be capable of being repaired.

The concept for defending is as follows. In the information age as in the nuclear age, deterrence is the first line of defense. This deterrence must include an expression of national will as expressed in law and conduct, a declaratory policy relative to the consequences of an information warfare attack against the United States, and an indication of the resiliency of the information infrastructure to survive an attack. Technology to conduct information warfare is simple and ubiquitous; some form of infrastructure robustness and protection is essential. It is technically and economically impossible to design and protect the infrastructure to withstand any and all disruptions, intrusions, or attacks (or to avoid all risk). The risk can be managed, however, by protecting selected portions of the infrastructure that support critical functions and activities necessary for maintaining political, military, and economic interests. An equally important function is to verify through independent assessments that the design principles are being followed, that protective measures are being implemented where appropriate, and that the information warfare (defense) readiness posture is as reported.

Tactical warning, damage control, attack assessment, and restoration ensure the continuance of these critical functions and activities in the presence of disruptions or attacks. The essence of tactical warning is monitoring, detection of incidents, and reporting of the incidents. Monitoring and detection of infrastructure disruptions, intrusions, and attacks are also an integral part of the defense against information warfare. Providing an effective monitoring and detection capability will require some policy initiatives, some legal clarification, and an ambitious research and development program. The telecommunications infrastructure will be subject to some form of attack, and we should have some capability to limit the damage that results and to restore the infrastructure. Little research has been devoted to the basic procedures necessary to contain "battle" damage, let alone the tools which might provide some automated form of damage control. Some form of attack assessment is essential to determine the impact of an attack on critical functions and the appropriate response to an attack. Restoration of the infrastructure implies some capability to repair the damage and the availability of resources such as personnel, standby services contracts, and the like. The basic functions of monitoring, detection, damage control, and restoration must begin at the lowest possible operating level. Reports of the activity must be passed to regional, DoD, and national-level organizations to establish patterns of activity and to request assistance as needed in damage control and restoration. Finally, some form of response to the intrusions or attacks may be necessary to deter future intrusions or attacks. The response could entail civil or criminal prosecution, use of military force, perception management, diplomatic initiatives, or economic mandates. Because response might also involve offensive information warfare, this report does not address it in detail.

Recommendations

The Task Force makes 13 key recommendations as shown in Exhibit ES-2. The Task Force considers these recommendations imperatives.

Bottom Line - DoD has an urgent need to:

1. Designate an accountable IW focal point

2. Organize for IW-D

3. Increase awareness

4. Assess infrastructure dependencies and vulnerabilities

5. Define threat conditions and responses

6. Assess IW-D readiness

7. "Raise the bar" (with high-payoff, low-cost items)

8. Establish a minimum essential information infrastructure

9. Focus the R&D

10. Staff for success

11. Resolve the legal issues

12. Participate fully in critical infrastructure protection

13. Provide the resources

DSB has been urging action on this problem for 3 years!

Exhibit ES-2. Recommendations

In addition, the Task Force made over 50 additional recommendations, which are categorized under these key recommendations. (Note that the first recommendation addresses all of information warfare, not just defensive information warfare.) The Task Force attempted to prioritize these "key recommendations," but in the end decided that portions of all of these key recommendations should be implemented immediately.

The following discussions provide all of the recommendations made by the Task Force. The parenthetical entry following each of the key recommendations identifies the section of the report in which the recommendations are discussed in detail.

1. Designate an accountable IW focal point (6.1). This is the most important recommendation the Task Force offers. The Task Force believes that the Secretary of Defense needs a single focal point charged to provide staff supervision of the complex activities and interrelationships that are involved in this new warfare area. This includes oversight of both offensive and defensive information warfare planning, technology development and resources. The SECDEF should:

1a. Designate ASD(C3I) as the accountable focal point for all IW issues.

1a(1). Develop a plan and associated budget beginning in FY 97 to obtain the needed IW-D capability.

1a(2). Authorize ASD(C3I) to issue IW instructions.

1a(3). Consider establishing a USD(Information).

1b. Establish a DASD(IW) and supporting staff to bring together as many IW functions as possible.

2. Organize for IW-D (6.2). This key recommendation identifies the need for specific IW-D related capabilities and organizations to provide or support the capabilities. While not specifically addressed by the Task Force, virtual organizations that draw on existing assets and capabilities can be established.

2a. Establish a center to provide strategic indications and warning, current intelligence, and threat assessments. The SECDEF should request the DCI to:

2a(1). Establish an I&W/TA center at NSA with CIA and DIA support.

2a(2). Task and resource the Intelligence Community to develop the processes for Current Intelligence, Indications and Warning, and Threat Assessments for IW-D.

2a(3). Encourage the Intelligence Community to develop information-age trade craft, staff with the right skills, and train for the information age.

2a(4). Conduct comprehensive case studies of U.S. offensive programs and a former foreign program to identify potential indicators of collection, funding, training, etc.

2a(5). Establish an organization to examine and analyze probable causes of all security breaches.

2a(6). Develop and implement an integrated National Intelligence Exploitation Architecture to support the organization and processes.

In addition, the SECDEF should:

2a(7). Direct the development of IW Essential Elements of Information.

2b. Establish a center for IW-D operations to provide tactical warning, attack assessment, emergency response, and infrastructure restoration capabilities. The SECDEF should:

2b(1). Establish a DoD IW-D operations center at DISA with NCS, NSA, and DIA support.

2b(2). Develop and implement distributed tactical warning, attack assessment, emergency response, and infrastructure restoration procedures.

2b(3). Interface the operations center with Service and Agency capabilities and I&W/TA support.

2b(4). Establish necessary liaison (e.g., with military and government operations centers, service providers, intelligence agencies, and computer emergency response centers).

2c. The SECDEF should establish an IW-D planning and coordination center reporting to the ASD(C3I) with interfaces to the intelligence community, the Joint Staff, the law enforcement community, and the operations center. This center will: develop an IW planning framework; assess IW policy, plans, intelligence support, allocation of resources, and IW incidents; develop procedures and metrics for assessing infrastructure and information dependencies; and facilitate sharing of sensitive information such as threats, vulnerabilities, fixes, tools, and techniques within DoD and among government agencies, the private sector, and professional associations.

2d. Establish a joint office for system, network and infrastructure design. This office will: develop and promulgate IW-D policies, architectures, and standards; design the information infrastructure for utility, resiliency, repairability, and security; develop and implement an IW-D configuration management process; and conduct independent verification of design and procurement specifications to ensure compliance with the design. The SECDEF should:

2d(1). Establish a joint security architecture/design office within DISA to shape the design of the DoD information infrastructure.

2d(2). Establish a process to verify independently and enforce adherence to these design principles.

2e. Establish a Red Team for independent assessments. The Red Team would assess the vulnerabilities of new systems and services and would conduct "IW-like" attacks to verify the readiness posture and preparedness of the fighting forces and supporting activities. The SECDEF should:

2e(1). Establish a Red Team which is accountable to SECDEF/DEPSECDEF and independent of design, acquisition, and operations activities.

2e(2). Develop procedures for employment of the Red Team.

3. Increase awareness (6.3). The Task Force strongly suggests the need to make senior-level government and industry leaders aware of the vulnerabilities and of the implications. To that end, the SECDEF should:

3a. Establish an internal and external IW-D awareness campaign for the public, industry, CINCs, Services, and Agencies.

3b. Expand the IW Net Assessment recommended by the 1994 Summer Study to include assessing the vulnerabilities of the DII and NII.

3c. Review joint doctrine for needed IW-D emphasis.

3d. Explore the possibility of large-scale IW-D demonstrations for the purpose of understanding cascading effects and collecting data for simulations.

3e. Develop and implement simulations to demonstrate and play IW-D effects (USD(A&T) lead).

3f. Implement policy to include IW-D realism in exercises.

3g. Conduct IW-D experiments.

4. Assess infrastructure dependencies and vulnerabilities (6.4). Various infrastructures are vitally needed to support mobilization, deployment, and employment of forces and to control and sustain those forces. Some of these interconnected infrastructures are known to have single points of failure. Therefore, the SECDEF should:

4a. Develop a process and metrics for assessing infrastructure dependency.

4b. Assess/document operations plans infrastructure dependencies.

4c. Assess/document functional infrastructure dependencies.

4d. Assess infrastructure vulnerabilities.

4e. Develop a list of essential infrastructure protection needs.

4f. Develop and report to the SECDEF the resource estimates for essential infrastructure protection.

4g. Review vulnerabilities of hardware and software embedded in weapons systems.

5. Define threat conditions and responses (6.5). Conditions analogous to DEFCON should be developed to provide a common understanding of IW threat conditions. Appropriate responses to these conditions should also be developed using the Task Force suggestions outlined in the report as a starting point. The SECDEF should:

5a. Define and promulgate a useful set of IW-D threat conditions which is coordinated with current intelligence community threat condition definitions.

5b. Define and implement responses to IW-D threat conditions.

5c. Explore legislative and regulatory implications.

6. Assess IW-D readiness (6.6). A standardized process is necessary to enable commanders to assess and report their operational readiness status as it relates to their specific dependency on information and information services. Using the standard vocabulary suggested by the Task Force, the SECDEF should:

6a. Establish a standardized IW-D assessment system for use by CINCs, MilDeps, Services, and Combat Support Agencies.

6b. Incorporate IW preparedness assessments in Joint Reporting System and Joint Doctrine, for example.

7. "Raise the bar" with high-payoff, low-cost items (6.7). There are a number of low-cost activities the Department can undertake to "raise the bar" significantly for potential systems and network intruders. Three specific Task Force recommendations are that the SECDEF should:

7a. Direct the immediate use of approved products for access control as an interim until a MISSI solution is implemented and for those users not programmed to receive MISSI products.

7b. Examine the feasibility of using approved products for identification and authentication.

7c. Require use of escrowed encryption for critical assets such as databases, program libraries, applications, and transaction logs to preclude rogue employees from locking up systems and networks.
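One way to implement the escrow called for in 7c is a threshold scheme: the key that encrypts a critical asset is split among several custodians so that no single administrator, including the one who generated it, can withhold it and lock the organization out of its own data. The block below is an added example, not the Task Force's or the Department's code; it uses Shamir secret sharing over a large prime field and an illustrative SHA-256 counter-mode stream cipher standing in for a production cipher. The custodian count, threshold, key size and the sample transaction log are all constructed assumptions.

```python
import hashlib
import secrets

# Shamir secret sharing over the Mersenne prime 2^521 - 1; every key of up to
# 64 bytes is a valid secret (all arithmetic below is mod P).
P = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1*x + ... mod P (coeffs[0] is the secret)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, threshold: int, shares: int):
    """Split `key` into `shares` custodian shares, any `threshold` of which
    reconstruct it; fewer than `threshold` reveal nothing about it."""
    secret = int.from_bytes(key, "big")
    if not (1 < threshold <= shares) or secret >= P:
        raise ValueError("bad threshold/share count or key too large")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_key(shares, key_len: int) -> bytes:
    """Lagrange interpolation at x = 0 over at least `threshold` shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    if secret >= 1 << (8 * key_len):
        raise ValueError("shares insufficient or corrupted")
    return secret.to_bytes(key_len, "big")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative SHA-256 counter-mode stream cipher; the same call encrypts
    and decrypts. It is unauthenticated, so a deployment would use an AEAD mode."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


# Constructed scenario: one administrator generates the data key for the
# transaction log; any two of three custodians can recover it without him.
TRANSACTION_LOG = b"constructed log: 1996-11-25 payroll batch 0042 posted\n"


def escrow_demo() -> bool:
    data_key = secrets.token_bytes(32)
    ciphertext = keystream_xor(data_key, TRANSACTION_LOG)
    custodian_shares = split_key(data_key, threshold=2, shares=3)
    del data_key  # the administrator's copy is withheld or lost
    recovered = recover_key([custodian_shares[0], custodian_shares[2]], 32)
    return keystream_xor(recovered, ciphertext) == TRANSACTION_LOG
```

The threshold is the policy lever: 2-of-3 tolerates one uncooperative or unavailable custodian, while a higher threshold raises the collusion needed to recover a key without authorization. Shares must be stored with the same care as the key itself, and separately from the host that holds the ciphertext.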

8. Establish and maintain a minimum essential information infrastructure (6.8). A strategy and an overall architecture concept employing existing core capabilities such as Milstar must be developed to serve as a means for restoring services for critical functions and adapting to large-scale outages. The SECDEF should:

8a. Define options with associated costs and schedules.

8b. Identify minimum essential conventional force structure and supporting information infrastructure needs.

8c. Prioritize critical functions and infrastructure dependencies.

8d. Design a Defense MEII and a failsafe restoration capability.

8e. Issue direction to the Defense Components to fence funds for a Defense MEII and failsafe restoration capability.

9. Focus the R&D (6.9). While many commercial and approved security products are available to meet some of the Department's needs, these products generally do not meet the Department's needs in large-scale distributed computing environments and generally do not protect against denial of service attacks. Therefore, the SECDEF should focus the DoD R&D program on the following areas.

9a. Develop robust survivable system architectures.

9b. Develop techniques and tools for modeling, monitoring, and management of large-scale distributed/networked systems.

9c. Develop tools and techniques for automated detection and analysis of localized or coordinated large-scale attacks.

9d. Develop tools for synthesizing and projecting the anticipated performance of survivable distributed systems.

9e. Develop tools and environments for IW-D oriented operational training.

9f. Develop testbeds and simulation-based mechanisms for evaluating emerging IW-D technology and tactics.

In addition, the SECDEF should work with the National Science Foundation to:

9g. Develop research in U.S. computer science and computer engineering programs.

9h. Develop educational programs for curriculum development at the undergraduate and graduate levels in resilient system design practices.

10. Staff for success (6.10). A cadre of high-quality, trained professionals with recognized career paths is an essential ingredient for defending present and future information systems. The Task Force recommends that the SECDEF:

10a. Establish a career path and mandate training and certification of systems and network administrators.

10b. Establish a military skill specialty for IW-D.

10c. Develop specific IW awareness courses with strong focus on operational preparedness in DoD's professional schools.

11. Resolve the legal issues (6.11). The advent of distributed computing has blurred, and will continue to blur, the boundaries of the systems and networks that the Department uses. Confusion also stems from uncertainty over when or whether a wiretap approval is needed. Government-wide guidance, and perhaps legislation as well, are needed in the areas of Department assistance to the private sector (e.g., Computer Security Act), tracing attackers of unknown nationality (intelligence versus U.S. persons), tracking attackers through multiple systems, and obtaining/requiring reports of computer-related incidents from the private sector owners and operators of critical infrastructures. The SECDEF should:

11a. Promulgate for Department of Defense systems:
  • Guidance and unequivocal authority for Department users to monitor, record data, and repel intruders in computer systems for self protection;
  • Direction to use banners that make it clear the Department's presumption that intruders have hostile intent and warn that the Department will take the appropriate response;
  • IW-D rules of engagement for self-protection (including active response) and civil infrastructure support.

11b. Provide to the Presidential Commission on Critical Infrastructure Protection proposed legislation, regulation, or executive orders for defending other systems.

12. Participate fully in critical infrastructure protection (6.12). The Task Force makes the following recommendations to the SECDEF regarding the activities of the President's Commission on Critical Infrastructure Protection. Detailed suggestions for each of the recommendations below are outlined in Section 6.12.

12a. Offer specific Department capabilities to the President's Commission.

12b. Advocate the Department's interests to the President's Commission.

12c. Request the Commission provide certain national-level capabilities for the Department.

12d. Suggest IW-D roles for government and the private sector.

13. Provide the resources (6.13). The Task Force reviewed all of the individual recommendations categorized under the key recommendations and estimated to $5 million granularity what the implementation costs might be. The cost estimate is $3.01 billion over fiscal years 1997 through 2001. However, the Department should make a detailed estimate.


SECTION 1.0

INTRODUCTION

The Task Force was formed in November of 1995. It met formally eight times. Four individual panels were formed to address specific issues and each met about the same number of times. During the course of the study, the Task Force drew upon previous DSB Task Force efforts. Some recurring themes will be pointed out later in the report.

The objective of the study was to make recommendations regarding the creation and maintenance of specific aspects of a national information warfare defense capability. Exhibit 1-1 shows the specific tasks outlined by the terms of reference.

TOR #1 - Identify the information users of national interest who can be attacked through the shared elements of the national information infrastructure. This should include telecommunications, public transportation, financial services, public safety, and the mission essential functions of the Department of Defense.

TOR #2 - Determine the scope of national information interests to be defended by information warfare defense and deterrence capabilities.

TOR #3 - Characterize the procedures, processes, and mechanisms required to defend against various classes of threats to the national information infrastructure and the information users of national interest.

TOR #4 - Identify the indications and warning, tactical warning, and attack assessment procedures, processes, and mechanisms needed to anticipate, detect, and characterize attacks on the national information infrastructure and/or attacks on the information users of national interest.

TOR #5 - Identify the reasonable roles of government and the private sector, alone and in concert, in creating, managing, and operating a national information warfare-defense capability.

TOR #6 - Provide specific guidelines for implementation of the Task Force's recommendations.

Exhibit 1-1. Terms of Reference

In addition to the Terms of Reference objectives, the Task Force was requested to look at additional items of interest shown in Exhibit 1-2. The National Research Council study was mandated by Public Law 103-160, Defense Authorization Bill for Fiscal Year 1994, November 30, 1993. Pre-publication copies of this report were released May 30, 1996. Because of the potential role of cryptography in information warfare - defense (IW-D), the Task Force was encouraged to review the NRC report in the context of the Task Force deliberations. To avoid duplication and to provide additional focus to the study, the Task Force received briefings on the study of the Global Information Infrastructure sponsored by the Director of Central Intelligence. This excellent study effort provided valuable insights into the global implications of defensive information warfare.

  • DoD
- Organization for defensive information warfare

- Legislation and enforcement

- Enabling technologies

- Indications and warning/response center

- Intellectual framework/taxonomy

- Intelligence community

- Red teaming

  • DCI study of the Global Information Infrastructure
  • Presidential Commission on Critical Infrastructure Protection

Exhibit 1-2. Additional Items of Interest

During the Task Force deliberations, the President signed Presidential Decision Directive 39 (late 1995) and Executive Order 13010 (July 15, 1996). These established a President's Commission on Critical Infrastructure Protection. The Commission was tasked to develop a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats. The Task Force was advised that after review and approval of the Task Force report by OUSD(A&T), the Defense Science Board will forward its report to the Commission as a "statement of DoD issues, concerns, requirements, and recommendations."

The sponsors of the study were the Honorable Emmett Paige, Jr., Assistant Secretary of Defense for C3I; and VADM Arthur K. Cebrowski, Director for C4 Systems, Joint Staff.

Task Force members are shown in Exhibit 1-3. A variety of disciplines were represented: academia; the telecommunications, banking, and aerospace industries; systems integrators; former military; and a number of members with former government service. In order to examine the issues more closely, the Task Force organized into four panels.

Mr. Duane Andrews, Chairman

Mr. Donald C. Latham, Vice Chairman

Mr. John G. Grimes, Org'n and Mgmt Panel Chairman

Gen. Bernard P. Randolph, USAF (Ret.), Technology Panel Chairman

Mr. Paul A. Strassmann, Policy Panel Chairman

Mr. Lawrence T. Wright, Threat Panel Chairman

Mr. Edward C. Aldridge

Mr. Bob Nesbit

Mr. Stewart A. Baker

Dr. Percy A. Pierre

Dr. Delores M. Etter

Mr. John P. Stenbit

Mr. Charles A. Fowler

Mr. Lowell E. Thomas

Dr. George H. Heilmeier

ADM Harry D. Train II, USN (Ret.)

Mr. John Lane

Dr. Willis H. Ware

Mr. Alan J. McLaughlin

CDR Frank Klein, Executive Secretary

Exhibit 1-3. Task Force Members


SECTION 2.0

ENVIRONMENT

2.1 GROWING DEPENDENCY, GROWING RISK

The objective of warfare waged against agriculturally-based societies was to gain control over their principal source of wealth: land. Military campaigns were organized to destroy the capacity of an enemy to defend an area of land.

The objective of warfare waged against industrially-based societies was to gain control over their principal source of all wealth: the means of production. Military campaigns were organized to destroy the capacity of the enemy to retain control over sources of raw materials, labor and production capacity.

The objective of warfare to be waged against information-based societies is to gain control over the principal means for the sustenance of all wealth: the capacity for coordination of socio-economic inter-dependencies. Military campaigns will be organized to cripple the capacity of an information-based society to carry out its information-dependent enterprises.

In the U.S. society, over 60 percent of the workforce is engaged in information-related management activities. The value of most wealth-producing resources depends on "knowledge capital" and not on financial assets or masses of labor. Similarly, the doctrine of the U.S. military is now principally based on the superior use of information.

"The joint campaign should fully exploit the information differential, that is, the superior access to and ability to effectively employ information on the strategic, operational and tactical situation which advanced U.S. technologies provide our forces." [Joint Pub. 1, p. IV-9]

The military doctrines shaping U.S. force structure and operational planning assume this information superiority. "Joint Vision 2010 focuses the strengths of each individual Service on operational concepts that achieve Full Spectrum Dominance." This technological view is shared in the Army's "Enterprise Strategy" and "Force XXI Concept of Operations," the Navy's "Forward ... From the Sea," the Air Force's "Global Presence," and the Marines' "Operational Maneuver from the Sea."

The capstone Joint Vision 2010 provides the conceptual template for how America's Armed Forces will channel the vitality and innovation of our people and leverage technological opportunities to achieve new levels of effectiveness in joint warfighting. It addresses the expected continuities and changes in the strategic environment, including technology trends and their implications for our Armed Forces. It recognizes the crucial importance of our current high-quality, highly trained forces and provides the basis for their further enhancement by prescribing how we will fight in the early 21st century. This vision of future warfighting embodies the improved intelligence and command and control available in the information age and goes on to develop four operational concepts: dominant maneuver, precision engagement, full dimensional protection, and focused logistics.

It is not prudent to expect the U.S. dependence on information-dominated activities for wealth producing and for national security to go unchallenged. In his book, Strategy: The Logic of War and Peace [1987, Belknap Press, pages 27-28], Edward Luttwak notes:

The notion of an 'action-reaction' sequence in the development of new war equipment and newer countermeasures, which induce in turn the development of counter-countermeasures and still newer equipment, is deceptively familiar. That the technical devices of war will be opposed whenever possible by other devices designed specifically against them is obvious enough. Slightly less obvious is the relationship (inevitably paradoxical) between the very success of new devices and their eventual failure: any sensible enemy will focus his most urgent efforts on countermeasures meant to neutralize whatever opposing device seems most dangerous at the time.

The reality is that the vulnerability of the Department of Defense -- and of the nation -- to offensive information warfare attack is largely a self-created problem. Program by program, economic sector by economic sector, we have based critical functions on inadequately protected telecomputing services. In aggregate, we have created a target-rich environment and the U.S. industry has sold globally much of the generic technology that can be used to strike these targets.

Despite the enormous cumulative risk to the nation's defense posture, at the individual program level there still is inadequate understanding of the threat or acceptance of responsibility for the consequences of attacks on individual systems that have the potential to cascade throughout the larger enterprise.

A case examined in some detail by the Task Force was the dependence of the Global Transportation Network on unclassified data sources and the GTN interface to the Global Command and Control System (GCCS). GCCS will continue to increase in importance as it becomes the system of systems through which CINCs, JTFs, and other commanders gain access to more and different information sources. Although GCCS has undergone selected security testing, much remains to be accomplished. For example, security testing to date has focused principally upon Oracle databases and applications evaluation. Other GCCS aspects need thorough security testing; e.g., database applications (Sybase), message functions, and configuration management. GTN and GCCS are not unique circumstances. The Global Combat Support System and a long series of Advanced Concepts Technology Demonstrations currently shaping the future of C4ISR follow a remarkably similar pattern: well-intentioned program managers work very hard to deliver an improved mission capability in a constrained budget environment. The operators they are supporting do not emphasize security, and neither operators nor developers are held responsible for the contribution their individual program makes to the collective risk of cascading failure in the event of information warfare attack.

To reduce the danger, all defense investments must be examined from a network- and infrastructure-oriented perspective, recognizing the collective risk that can grow from individual decisions on systems that will be connected to a shared infrastructure. Only those programs that can operate without connecting to the global network, or those that can operate with an accepted level of risk in a networked information warfare environment, should be built. Otherwise, we are paying for the means that an enemy can use to attack and defeat us.

The shift from the industrial age to the information age and the implications are illustrated in Exhibit 2-1.

Exhibit 2-1. A fragile foundation (figure not reproduced)

The United States formerly enjoyed a broad-based manufacturing foundation to support other infrastructures and conventional and nuclear forces. With the increasing dependence on information and information technology, that broad-based foundation has been reduced to a rather narrow base of constantly changing and increasingly vulnerable information and information technology. Service and joint doctrine clearly indicate an increasing dependence of future forces on information and information technology. However, the doctrine of information superiority assumes the availability of the information and information technology, a dangerous assumption. The published Service and joint doctrine does not address the operational implications of a failure of information and information technology.

By analogy, consider the protection implications of adding an aircraft carrier to our force structure. The carrier does not deploy in isolation. It is accompanied by all manner of ships, aircraft, and technology to ensure the protection of the entire battle group: destroyers for picket duty, cruisers for firepower, submarines for subsurface protection, aircraft and radar for early warning, and so on. The United States must begin to consider the implications of protecting its information-age doctrine, tactics, and weapon systems. It cannot simply postulate doctrine and tactics which rely so extensively on information and information technology without comparable attention to information and information systems protection and assurance. This attention, backed up with sufficient resources, is the only way the Department can ensure adequate protection of our forces in the face of the inevitable information war.

2.2 INFORMATION WARFARE

Although this task force specifically examined IW-D, it also considered a few of the concepts behind offensive information warfare to help define the battlefield upon which the defense must operate.

Offensive information warfare is attractive to many because it is cheap in relation to the cost of developing, maintaining, and using advanced military capabilities. It may cost little to suborn an insider, create false information, manipulate information, or launch malicious logic-based weapons against an information system connected to the globally shared telecommunications infrastructure. The latter is particularly attractive; the latest information on how to exploit many of the design attributes and security flaws of commercial computer software is freely available on the Internet.

In addition, the attacker may be attracted to information warfare by the potential for large non-linear outputs from modest inputs. This is possible because the information and information systems subject to offensive information warfare attack may only be a minor cost component of a function or activity of interest: the database of the items in a warehouse costs much less than the physical items stored in the warehouse.

As an example of why information warfare is so easy, consider the use of passwords. We have migrated to distributed computing systems that communicate over shared networks but largely still depend on the use of fixed passwords as the first line of defense -- a carry-over from the days of the stand-alone mainframe computer. We do this even though we know that network analyzers have been and continue to be used by intruders to steal computer addresses, user identities, and user passwords from all the major Internet and unclassified military networks. Intruders then use these stolen identities and passwords to masquerade as legitimate users and enter into systems. Once in, they apply freely available software tools which ensure that they can take control of the computer and erase all traces of their entry.
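To make the password problem above concrete, the following added example (not code from the report or from the Department) shows both halves of it: a few lines of constructed cleartext FTP control traffic, as a network analyzer on a shared segment would see them, from which a credential harvester pulls the user name and fixed password; and a challenge-response login of the kind that keeps the password itself off the wire, in which a recorded response is useless against the next challenge. The host name, user, password and nonce length are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample of what a network analyzer on a shared segment would see
# during a cleartext FTP login; not a real capture.
CAPTURED_SEGMENT = b"""220 host.example.mil FTP server ready.
USER jsmith
331 Password required for jsmith.
PASS Winter96!
230 User jsmith logged in.
"""


def harvest_credentials(segment: bytes):
    """Return (user, password) pairs found in cleartext control traffic."""
    creds, user = [], None
    for line in segment.decode("ascii", errors="replace").splitlines():
        verb, _, arg = line.partition(" ")
        if verb == "USER":
            user = arg.strip()
        elif verb == "PASS" and user is not None:
            creds.append((user, arg.strip()))
            user = None
    return creds


# Challenge-response alternative: only a keyed hash of a fresh server nonce
# crosses the wire (the shape of CRAM-style schemes), never the password.
def issue_challenge() -> bytes:
    return secrets.token_bytes(16)


def client_response(password: str, challenge: bytes) -> bytes:
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def server_verify(stored_password: str, challenge: bytes, response: bytes) -> bool:
    expected = client_response(stored_password, challenge)
    return hmac.compare_digest(expected, response)


def replay_attempt(password: str):
    """An eavesdropper records one (challenge, response) pair and replays the
    response against a later challenge. Returns (legit_ok, replay_ok)."""
    c1 = issue_challenge()
    r1 = client_response(password, c1)
    legit_ok = server_verify(password, c1, r1)
    c2 = issue_challenge()
    replay_ok = server_verify(password, c2, r1)
    return legit_ok, replay_ok
```

Two caveats a practitioner would add: the recorded (challenge, response) pair still supports offline guessing of a weak password, so the scheme does not remove the need for strong secrets or one-time tokens; and the server must hold the password (or an equivalent secret) to verify, which makes the server's credential store a target in its own right.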

It is important to stress that strategically important information warfare is not a trivial exercise of hacking into a few computers -- the Task Force does not accept the assertions of the popular press that a few individuals can easily bring the United States to its knees. The Task Force agrees that it is easy for skilled individuals (or less skilled people with suitable automated tools) to break into unprotected and poorly configured networked computers and to steal files, install malicious software, or cause a denial of service. However, it is very much more difficult to collect the intelligence needed and to analyze the designs of complex systems so that an attacker could mount an attack that would cause nation-disrupting or war-ending damage at the time and place and for the duration of the attacker's choosing.

This is not to make light of the power of the common hacker "attack" methods reported in the press. Many of these methods are sufficiently robust to enable significant harassment or large-scale terrorist attacks. The Task Force also acknowledges that malicious software can be emplaced over time with a common time trigger or other means of activation and that the effect could be of the scale of a major concurrent attack. While such an attack cannot be ruled out, the probability of such is assessed to be low. Currently, however, there is no organized effort to monitor for unauthorized changes in operational software, even though for the past 3 years unknown intruders have routinely been penetrating DoD's unclassified computers.
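The monitoring the paragraph above finds missing is, at its core, a sealed baseline of software fingerprints and a periodic comparison against it. The block below is an added example, not a tool the report describes or the Department fielded; the "installed software" is a constructed in-memory set of files, the intrusion is hypothetical, and the HMAC key is assumed to live off the monitored host so that an intruder who rewrites the binaries cannot also rewrite the baseline.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the operational software on a host: path -> bytes.
INSTALLED = {
    "/usr/bin/login": b"ELF login v1.0",
    "/usr/bin/ps": b"ELF ps v1.0",
    "/etc/inetd.conf": b"ftp stream tcp nowait root /usr/sbin/ftpd ftpd\n",
}

# The same host after a hypothetical intrusion: trojaned ps, a dropped
# backdoor, and a removed configuration file.
AFTER_INTRUSION = dict(INSTALLED)
AFTER_INTRUSION["/usr/bin/ps"] = b"ELF ps v1.0 (hides selected pids)"
AFTER_INTRUSION["/usr/bin/.rootkit"] = b"ELF backdoor"
del AFTER_INTRUSION["/etc/inetd.conf"]


def fingerprint(files):
    """Map each path to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def seal_manifest(manifest, key: bytes):
    """Serialize the baseline and bind it with an HMAC under a key kept off
    the monitored host, so the baseline cannot be silently rewritten."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_intact(body: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag)


def open_manifest(body: bytes, tag: str, key: bytes):
    if not manifest_is_intact(body, tag, key):
        raise ValueError("baseline manifest tampered with or wrong key")
    return json.loads(body)


def diff_against_baseline(baseline, current):
    """Report what changed since the sealed baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def integrity_demo(key: bytes = b"constructed-offline-key"):
    body, tag = seal_manifest(fingerprint(INSTALLED), key)
    baseline = open_manifest(body, tag, key)
    return diff_against_baseline(baseline, fingerprint(AFTER_INTRUSION))
```

The check is only as trustworthy as the program performing it: on a host that is already compromised, the hashing tool and the operating system calls it relies on may themselves be trojaned, so the comparison should run from read-only media or from a separate, trusted host that reads the monitored file systems.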

The above assessments do not mean that the threat of offensive information warfare is low or that it can be ignored. The U.S. susceptibility to hostile offensive information warfare is real and will continue to increase until many current practices are abandoned.

Practices that invite attack include poorly designed software applications; the use of overly complex and inherently insecure computer operating systems; the lack of training and tools for monitoring and managing the telecomputing environment; the promiscuous inter-networking of computers, creating the potential for proliferating failure modes; the inadequate training of information workers; and the lack of robust processes for the identification of system components, including users. By far the most significant is the practice of basing important military, economic and social functions on poorly designed and configured information systems, and staffing these systems with skill-deficient personnel. These personnel often pay little attention to or have no understanding of the operational consequences of information system failure, loss of data integrity, or loss of data confidentiality.

Information warfare defense is not cheap, nor can it be easily obtained. It will take resources to develop the tools, processes, and procedures needed to ensure the availability of information and integrity of information, and to protect the confidentiality of information where needed. Additional resources will be needed to develop design guidelines for system and software engineers to ensure information systems that can operate in an information warfare environment. More resources will be needed to develop robust means to detect when insiders or intruders with malicious intent have tampered with our systems and to have a capability to undertake corrective actions and restore the systems.

Note that the appropriate investment in an information warfare defense capability has no correlation with the investment that may have been made to obtain an offensive information warfare capability. Information warfare defense encompasses the planning and execution of activities to blunt the effects of an offensive information warfare attack. However, the value of an investment in information warfare defense is not a function of the cost of the information or information system to be protected. Rather, the value of the defense is a function of the value to the defender of an information-based activity or process that may be subject to an information warfare attack.

If the defender leaves unprotected vital social, economic, and defense functions that depend upon information services, then the defender invites potential adversaries to make an investment in an offensive information warfare capability to attack these functions. To provide a robust deterrent against such an attack, an information-dependent defender should invest wisely in a capability to protect and restore vital functions and processes and demonstrate that the information services used are robust and resilient to attack.

Part of the challenge is that the rate of technology change is such that most system designers and system engineers have their hands full just trying to keep up, never mind learning and applying totally new security design practices. But the lack of such steps can cost. The organized criminals that recently made a successful run at one of the major U.S. banks spent 18 months of preparation, including downloading application software and the e-mail of the software designers, before they started to transfer funds electronically.

It will cost even more, as well as raise significant issues of privacy and the role of the government, to design a warning system for major institutions of society such as the banks or air traffic control. Such a warning system should, as a minimum, provide tactical warning of and help in the characterization of attacks mounted through the information infrastructure.

Probably the biggest obstacle will be the difficulty in convincing people, whether in commerce, in the military, or in government, of the need to examine work functions and operating processes. This examination should uncover unintentional dependencies on the assumed proper operation of information services beyond their control.

2.3 THE INFRASTRUCTURE

What is the National Information Infrastructure (NII)? The phrase "information infrastructure" has an expansive meaning. The NII includes more than just the physical facilities used to transmit, store, process, and display voice, data, and images. It encompasses a wide and ever-expanding range of equipment: cameras, scanners, keyboards, telephones, fax machines, computers, switches, compact disks, video and audio tape, cable, wire, satellites, optical fiber transmission lines, microwave nets, televisions, monitors, printers, and much more.

The NII is not a cliff that suddenly confronts us, but rather a slope, one that society has been climbing since postal services and semaphore networks were established. An information infrastructure has existed for a long time, continuously evolving with each new advance in communications technology. What is different is that today we are imagining a future when all the independent infrastructures are combined. An advanced information infrastructure will integrate and interconnect these physical components in a technologically neutral manner so that no one industry will be favored over any other. Most importantly, the NII requires building foundations for living in the Information Age and for making these technological advances useful to the public, business, libraries, and other nongovernmental entities. That is why, beyond the physical components of the infrastructure, the value of the NII to users and the nation will depend in large part on the quality of its other elements:

  • The information itself, which may be in the form of video programming, scientific or business databases, images, sound recordings, library archives, and other media. Vast quantities of that information exist today in government agencies and even more valuable information is produced every day in our laboratories, studios, publishing houses, and elsewhere.
  • Applications and software that allow users to access, manipulate, organize, and digest the proliferating mass of information that the NII's facilities will put at their fingertips.
  • The network standards and transmission codes that facilitate interconnection and interoperation between networks, and ensure the privacy of persons and the security of the information carried, as well as the security and reliability of the networks.
  • The people -- largely in the private sector -- who create the information, develop applications and services, construct the facilities, and train others to tap its potential. Many of these people will be vendors, operators, and service providers working for private industry. Every component of the information infrastructure must be developed and integrated if America is to capture the promise of the Information Age.

We call out domains within this infrastructure by names that reflect the interest of the user: the Defense Information Infrastructure of the defense community; the National Information Infrastructure of the United States; the complex, interconnected Global Information Infrastructure of the future described so well to the Task Force by the representatives of the Central Intelligence Agency. The reality is that almost all are interconnected.

DoD has over 2.1 million computers, over 10,000 LANs, and over 100 long-distance networks. DoD depends upon computers to coordinate and implement aspects of every element of its mission, from designing weapon systems to tracking logistics. In field testing, DISA has determined that at least 65 percent of DoD unclassified systems are vulnerable to attack. Consider how this state of affairs came about.

The early generations of computer systems presented relatively simple security challenges. They were expensive, they were isolated in environmentally controlled facilities, and few understood how to use them. Protecting these systems was largely a matter of physical security, controlling access to the computer room, and of clearing the small number of specialists who needed such access.

As the size and price of computers were reduced, microprocessors began to appear in every workplace, on the battlefield and embedded in weapons systems. Software for these computers is written by individuals and firms scattered across the globe. Connectivity was extended, first to remote terminals, eventually to local- and wide-area communications networks, and now to global coverage. What was once a collection of separate systems is now best understood as a dynamic, ever-changing, collection of subscribers using a large, multifaceted information infrastructure operating as a virtual utility.

These legacy computer systems were not designed to withstand second-, third-, or "n"-order-level effects of an offensive information warfare attack. Nor is there evidence that the computer systems presently under development will provide such protection. The cost for "totally hardened" systems is prohibitive. Security criteria at present presume that computing can be protected at its perimeter, primarily through the encryption of telecommunications links. However, internal security may be more important than perimeter defense.

It is not necessary to break the cryptographic protection used to protect telecommunications and data in order to attack classified computing environments. The legacy protection paradigm used by DoD was based upon the classification of information. However, most classified computer systems contain, and often rely on, unclassified information. This unclassified information often has little or no protection of its data integrity prior to entry into classified systems. The expected interaction between GCCS and GTN is an example of this. An increasing number of DoD systems contain decision aids and other event-driven modules that, unless buffered from unclassified data whose integrity cannot be verified, are at risk.
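One way to implement the buffering this paragraph calls for, as an added example that is not from the report: an integrity gate in front of an event-driven decision aid, which accepts an unclassified feed record only if it carries a valid HMAC-SHA256 tag from the source and quarantines everything else. The shared key, the record format, the tagging scheme, and the sample feed are all constructed assumptions; the report does not specify how GCCS and GTN exchange data.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, field

# Hypothetical shared key provisioned between the unclassified source (standing in
# for a feed such as GTN) and the classified consumer (such as GCCS). Constructed
# for this example only; not a real key, protocol or fielded interface.
FEED_KEY = b"example-shared-key-not-for-production"


def tag_record(record: dict, key: bytes = FEED_KEY) -> str:
    """Producer side: HMAC-SHA256 over a canonical JSON encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = FEED_KEY) -> bool:
    """Consumer side: constant-time comparison so a forged tag fails without leaking timing."""
    expected = tag_record(record, key)
    return hmac.compare_digest(expected, tag)


@dataclass
class IngestResult:
    accepted: list = field(default_factory=list)
    quarantined: list = field(default_factory=list)


def ingest(feed: list, key: bytes = FEED_KEY) -> IngestResult:
    """Gate every incoming record; anything whose integrity cannot be verified is
    quarantined for review instead of being handed to the decision aid."""
    result = IngestResult()
    for item in feed:
        record, tag = item.get("record"), item.get("tag")
        if isinstance(record, dict) and isinstance(tag, str) and verify_record(record, tag, key):
            result.accepted.append(record)
        else:
            result.quarantined.append(item)
    return result


def decision_aid(records: list) -> list:
    """Toy event-driven module: flag any unit reported below a fuel threshold.
    It only ever sees records that passed the integrity gate."""
    return sorted(r["unit"] for r in records if r["fuel_pct"] < 20)


def demo() -> IngestResult:
    # Constructed sample feed: two genuine records, one altered in transit, one unsigned.
    good1 = {"unit": "1-ABC", "fuel_pct": 85}
    good2 = {"unit": "2-DEF", "fuel_pct": 15}
    tampered = {"unit": "3-GHI", "fuel_pct": 90}
    feed = [
        {"record": good1, "tag": tag_record(good1)},
        {"record": good2, "tag": tag_record(good2)},
        # tag computed over the original value, then the value changed en route
        {"record": dict(tampered, fuel_pct=5), "tag": tag_record(tampered)},
        {"record": {"unit": "4-JKL", "fuel_pct": 10}},  # no tag at all
    ]
    return ingest(feed)


if __name__ == "__main__":
    res = demo()
    print("accepted:", res.accepted)
    print("quarantined:", len(res.quarantined))
    print("alerts:", decision_aid(res.accepted))
```

The two unverifiable records would both have triggered a false low-fuel alert had they reached the decision aid directly.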

To cope with this new reality, the approach for managing information security must shift from developing security for each individual system and network to developing security for subscribers within the worldwide utility; and from protecting isolated systems owned by discrete users to protecting distributed, shared systems that are interconnected and depend upon an infrastructure that individual subscribers neither own nor control.

Successful protection policies within this global structure must be sufficiently flexible to cover a wide range of systems and equipment from local area networks to worldwide networks, and from laptop computers to massively parallel processing supercomputers. They must take into account threat, both from the insider and the outsider, and must espouse a philosophy of risk management in making security decisions.

These protection challenges are made more difficult by the rapid technological and regulatory changes under way in the distributed computing environment. The Telecommunications Act of 1996 is reshaping all aspects of interconnected communications in the United States. Similar movements toward deregulation are under way across the globe. Into this regulatory turmoil, technology is introducing new services based on a bevy of competing waveforms and protocols for use over copper, coaxial, glass, and wireless media. To date, it is not possible to predict how fragile or how robust the communications infrastructure will be in the near term -- let alone the far future.

New computing technologies are being integrated into distributed computing environments on a large scale even though the fragility of these technologies is not understood. Recent examples include the post-deployment security flaws found in Netscape Navigator and in Java applets; the ongoing market struggle to dominate the building blocks for World Wide Web applications formed from collections of objects distributed across clients and servers that is under way between the Object Management Group's Common Object Request Broker Architecture and Microsoft Corporation's Distributed Common Object Model (each with a different approach to security); and a proposed future where Microsoft would automatically deliver and install software updates onto the customer's desktop without the customer's active involvement.

These environmental factors have serious implications for information warfare defense. Within this rapidly changing, globally interconnected environment of telecomputing activities, it is not possible for a person to identify positively who is interconnected with him or her, or to know the exact path that message or voice traffic takes as it transits the telecommunications "cloud." It is not possible to know, technically or at the logical level, how the various software components on a computer, including the distributed applets downloaded, used, and discarded, interact together. It is not possible to know for sure whether the various components installed in the computer hardware do only what is asked of them. Finally, it is certainly not possible to know for certain whether a co-worker who shares authorized access to a telecomputing environment is behaving appropriately.

In sum, we have built our economy and our military on a technology foundation that we do not control and which, at least at the fine detail level, we do not understand.

A few words about the environment are important to set the stage for later discussions. DoD's information infrastructure is a part of a larger national and global information infrastructure. These interconnected and interdependent systems and networks are the foundation for critical economic, diplomatic, and military functions upon which our national and economic security are dependent. Exhibit 2-2 shows a few examples of those functions, the importance of information and the information infrastructure to each, and the criticality of functions such as coalition building in responding to a regional crisis.

[Exhibit 2-2. Infrastructures and deficiencies (image not reproduced)]

The United States is an information and information systems dominated society. Because of its ever-increasing dependence on information and information technology, the United States is one of the most vulnerable nations to information warfare attacks. The United States and its infrastructures are vulnerable to a variety of threats ranging from rogue hackers for hire to coordinated transnational and state-sponsored efforts to gain some economic, diplomatic or military advantage. Exhibit 2-3 depicts some of the vulnerabilities.

[Exhibit 2-3. Vulnerabilities (image not reproduced)]

The military implications of this dependency were made abundantly clear when it was suggested in one of the briefings presented to the Task Force that points of failure had been identified for each of three infrastructures (telecommunications, power, transportation) supporting a key port city in the United States. If these individual locations were attacked or destroyed, or, in the case of power and telecommunications, if the resident electronics were disturbed, it would impact the ability of military forces to deploy at the pace specified in the Time Phased Force Deployment List.

And it is getting worse. Globalization of business operations brings with it increased information and information system interdependence. Standardization of technology for effectiveness and economies tends to standardize the vulnerabilities available to an adversary. Regulation and deregulation also contribute to growing vulnerability. For example, the Federal Communications Commission has mandated an evolution toward an open network architecture concept whose goal is equal, user-transparent access via public networks to network services provided by network-based and non-network enhanced service providers. However, in execution, the concept makes network control software increasingly accessible to users, and to adversaries. Implementation of the Telecommunications Act of 1996 will also require the carriers to collocate key network control assets and to increase the number of points of interconnection among the carriers. The Act also mandates third-party access to operations support systems, providing even more possible points of access to the critical infrastructure control functions. Similarly, the Federal Energy Regulatory Commission's recent Orders 888 and 889 directed the deregulation of the electric power industry. As part of Order 889, the electric utilities are required to establish an Open Access Same-time Information System (OASIS) using the Internet as the backbone.

Exhibit 2-4 illustrates the variety of network and computer system vulnerabilities which can be exploited, starting with simply making too much information available to too many people. The number of holes is mind-boggling -- an indication of the complexity and depth of the defensive information warfare task!

Human factors
- Information freely available
- Poor password choices
- Poor system configuration
- Vulnerability to "social engineering"

Authentication-based
- Password sniffing/cracking
- Social engineering
- Via corrupted/trusted system

Data driven
- Directing e-mail to a program
- Embedded programming languages
  • Microsoft Word macro
  • PostScript printer
- Remotely accessed software
  • JAVA, Active-X

Software-based
- Viruses
- Flaws
- Excess privileges
- Unused security features
- Trap doors
- Poor system configuration

Protocol-based
- Weak authentication
- Easily guessed sequence numbers
- Source routing of packets
- Unused header fields

Denials of service
- Network flooding
- "Spamming"
- Morris worm

Cryptosystem weakness
- Inadequate key size/characteristics
- Mathematical algorithm flaws

Key management
- Deducing key
- Substituting key
- Intercepting key
- Setting key

Bypassing
- Capture data before encryption
- Turn off encryption
- Replay
- Denial of service

Exhibit 2-4. Vulnerabilities/Exploitation Techniques

Take, for example, "Remotely accessed software," which is found under "Data driven." Distributed software objects, such as JAVA and Active-X, are the wave of the future. Rather than having software reside permanently in workstations or desktop computers, the Internet will make applications and data available as needed. The applications and data are deleted from the workstations or desktop computers after use. The danger of this just-in-time support is that the user has no idea what might be hidden in the code. Another aspect of distributed computing is that the definition of system boundaries becomes very blurred. This suggests considerable future difficulty in defining what can and cannot be monitored for self-protection, an implication discussed in Section 6.1 1, Resolve the Legal Issues, with legal recommendations.

The implication is that a risk management process is needed to deal with the inability to close all of the holes. Since this subject has been treated extensively by other study efforts (e.g., the Joint Security Commission) the Task Force elected not to examine risk management.

2.4 THREAT

There is ample evidence from the Defense Information Systems Agency and the General Accounting Office of the presence of intruders in DoD unclassified systems and networks. Briefings and reports to the Task Force have reinforced the DISA experience. Exhibit 2-5 shows some of the threats involved.

  • Unknown intruders are in DoD networks and computers
    - Services and DISA experience
    - GAO report
  • U.S. networks and computers are of significant interest
    - CIA, DIA, and NSA briefings
  • FBI survey - "There is a serious problem"
  • Threat to the public switched network is significant
    - NCS and NSTAC
  • Growing interest in sharing sensitive information
    - Government and industry Network Security Information Exchanges
    - DoJ Industry Information Center
    - Etc.
  • We can't let our confidence in technological superiority blind us to a growing threat

    Exhibit 2-5. The Threat is Real

The "1996 CSI/FBI Computer Crime and Security Survey," released to the public earlier this year, concluded that "there is a serious problem" and cited a growing number of attacks ranging from "data diddling" to scanning, brute-force password attacks, and denial of service. The National Communications System and the President's National Security Telecommunications Advisory Committee have been warning since 1989 that the public switched network is growing more vulnerable and is experiencing a growing number of penetrations. There is also a growing interest in sharing sensitive vulnerability information among private sector companies, among government agencies, and between government and the private sector. However, sometimes the technology success we have achieved and our faith in our technological superiority blinds us to the growing threat and to our own vulnerabilities. Exhibit 2-6 depicts the Task Force view of the threat.

                                     Validated*   Existence       Likely    Beyond
                                     Existence    Likely but      by 2005   2005
                                                  not Validated
Incompetent                          W            -               -         -
Hacker                               W            -               -         -
Disgruntled Employee                 W            -               -         -
Crook                                W            -               -         -
Organized Crime                      L            -               W         -
Political Dissident                  -            W               -         -
Terrorist Group                      -            L               W         -
Foreign Espionage                    L            -               W         -
Tactical Countermeasures             -            W               -         -
Orchestrated Tactical IW             -            -               L         W
Major Strategic Disruption of U.S.   -            -               -         L

* Validated by DIA.  W = Widespread; L = Limited

Exhibit 2-6. Threat Assessment

The incompetent threat is an amateur that by some means (perhaps by following a hacker recipe or by accident) manages to perform some action that exploits or exacerbates a vulnerability. This category could include a poorly trained systems administrator who assigns privilege groups incorrectly, which would then allow a more nefarious threat to claim more privileges on a system than would be warranted.

The hacker threat implies a person with more technical knowledge who to some degree understands the processes used and has the intent to violate the security or defenses of a target to one degree or another. The hacker threat is broad in motivation, ranging from those who are mostly just curious to those who commit acts of vandalism.

The disgruntled employee threat is the ultimate insider threat: the individual who is inside the organization and trusted. This threat is the most difficult to detect because insiders have legitimate access.

When examining the potential for information warfare activities, the potential for a criminal or nongovernmental attack for economic purposes must be considered. Information is the basis for the global economy. Money is information; only approximately 10 percent of the time does it exist in physical form. As information systems are increasingly used for financial transactions at all levels, it is natural to expect all levels of criminals to target information systems in order to achieve some gain.

The increasing interconnectivity of information systems makes them a tempting target for political dissidents. Activities of interest to this group include spreading the basic message of their cause by a variety of means as well as inviting others to actions. An example is the political dissident in this country who sent out e-mails urging folks to send e-mail bombs to the White House server.

By attacking those targets in a highly visible way, the terrorist hopes to cause the media to provide a great deal of publicity of the action, thereby further disseminating the message of fear and uncertainty.

A significant threat that cannot be discounted includes activities engaged in on behalf of competitor states. The purpose behind such attacks could be an attempt to influence U.S. policy by isolated attacks; foreign espionage agents seeking to exploit information for economic, political, or military intelligence purposes; the application of tactical countermeasures intended to disrupt a specific U.S. military weapon or command system; or an attempt to render a major catastrophic blow to the United States by crippling the National Information Infrastructure.

It is necessary to distinguish between what a layman might consider a "major disruption," such as the three New York airports simultaneously being inoperable for hours, and a "strategic" impact, in which both the scope and the duration of the disruption are dramatically broader. The latter is likely to occur at a time in which other contemporaneous events make the impact potentially "strategic," such as during a major force deployment.

The Task Force struggled with the issue of what would truly constitute a "strategic attack" or "strategic" impact upon the United States. The old paradigms of "n" nuclear weapons, or threats to "overthrow the United States per se," were marginally helpful in understanding the degree to which we are vulnerable today to Information Warfare attack in all of its dimensions. Couple this issue with the difficulty in assessing the real impact of cascading effects through our infrastructures; on the one hand as being major nuisances and inconveniences to our way of life, or on the other hand, as literally threatening the existence of the United States itself, or threatening the ability of the United States to mount its defenses.

The Task Force concluded that, in this new world, an event or series of events would be considered strategic either because the impact was so broad and pervasive, or because the events occurred at times and places which affected (or could affect) our ability to conduct our necessary affairs. One example we used to illustrate this latter point was a disruption in the area phone, power, and transportation systems coincident with our attempts to embark and move major military forces through that area to points abroad.

Few members of the Task Force felt that the power failures in several contiguous Southwestern states this summer were a "major disruption" or of "strategic impact" on the United States. Clearly they were inconveniences. However, had we reason to believe that the outages had been knowingly orchestrated by adversaries of the United States, this nation would have been outraged.

An issue related to our perceived vulnerabilities is the ability of an adversary to actually plan and execute Information Warfare so that it creates the desired impact. Our Task Force had many enlightening discussions about the potential for effects to cascade through one infrastructure (such as the phone system) into other infrastructures. This example is particularly important because most of our other infrastructures ride on the phone system. No one seems to know quite how, where, or when effects actually would cascade, nor what the total impact might be. The Threat and Vulnerabilities Panel concluded that if, with all the knowledge we have about our own systems, we are unable to determine the degree to which effects would multiply and cascade, an adversary would have a far more difficult task of collecting and assessing detailed intelligence on literally hundreds, if not thousands, of networked systems in order to plan and successfully execute an attack of the magnitude which we would consider to be "strategic." The very complexity and heterogeneity of today's systems provide a measure of protection against catastrophic failure, since they are not susceptible to the same precise attacks. Presumably, the more kinds of attacks required, the harder it would be to induce cascading effects that would paralyze large segments of this nation. This is not to say that significant mischief is unlikely. It does suggest that the risk of an adversary planning and predicting the intended results at the times and places needed to truly disrupt the United States is considered low for approximately the next decade.

The trade and news media regularly report on the penetration of businesses and financial institutions by organized crime to steal funds, the theft of telecommunications services, the theft of money via electronic funds transfer, and the theft of intellectual property to include foreign government-sponsored theft and transfer to offshore competitors of intellectual property from U.S. manufacturing firms.

The media also reports instances of disgruntled employees, contract employees, and ex-employees of firms using their access and knowledge to destroy data, to steal information, to conduct industrial espionage, invade privacy-related records for self-interest and for profit, and to conduct fraud. (An MCI employee electronically stole 60,000 credit card numbers from an MCI telephone switch and sold them to an international crime ring. MCI estimated the loss at $50 million.) Malicious activity by "insiders" is one of the most difficult challenges to information assurance.

DISA reported that it responded to 255 computer security incidents in 1994 and to 559 incidents in 1995. Of these, 210 were intrusions into computers, 31 were virus incidents, and 39 fell into another category. This is probably just the tip of a very large iceberg. Last year, DISA personnel used "hacker-type" tools to attack 26,170 unclassified DoD computers. They found that 3.6 percent of the unclassified computers tested were "easily" exploited using a "front door" attack because the most basic protection was missing, and that 86 percent of the unclassified computers tested could be penetrated by exploiting the trusted relationships between machines on shared networks. Worse, 98 percent of the penetrations were not detected by the administrators or users of these computers. In the 2 percent of the cases where the intrusion was detected, it was reported only 5 percent of the time. This works out to less than one in a thousand intrusions being both detected and reported. These detection and reporting statistics suggest that up to 200,000 intrusions might have been made into DoD's unclassified computers during calendar year 1995.

Whatever the number, unknown intruders have been routinely breaking into unclassified DoD computers, using passwords and user identities stolen from the Internet, since late 1993. Once the intruders enter the computers masquerading as the legitimate users, they install "back doors" so that they can always get back into the computer. These intruders have gained access to computers used for research and development in a variety of fields: inventory and property accounting, payroll and business support, supply, maintenance, e-mail files, procurement, health systems, and even the master clock for one-fourth of the world. They have modified, stolen, and destroyed data and software and have shut down computers and networks.

Such intrusions are not limited to DoD. Information age "electronic terrorists" have penetrated commercial computers and data-flooded or "pinged" network connections to deny service and destroy data to further their cause: an environmental group sponsored such attacks to call attention to their message and to punish a business with which they disagreed.

In the early 1980s an intruder required a high level of technical knowledge to successfully penetrate computers. By the early 1990s automated tools for disabling audits, stealing passwords, breaking into computers, and spoofing packets on networks were common. These tools are easy to use and do not require much technical expertise. Most have a friendly graphical user interface (GUI); automated attacks can be initiated with a simple click on a computer mouse.

Such tools include:

RootKit - a medium technology software command language package which, when run on a UNIX computer, will allow complete access and control of the computer's data and network interfaces. If this computer is attached to a privileged network, the network is now in control of the RootKit tool set user.

SATAN - a medium technology software package designed to test for several hundred vulnerabilities of UNIX-based network systems, especially those which are client/server. However, the tool goes beyond the testing and grants

WatcherT - a high technol