Government Enlists Industry for Information Security
The long-desired cooperative relationship now is a matter of national survival.
The United States has recruited private industry to help fight the war on terrorism on the home front. The next battlefield may be cyberspace, and the government is working with its operators to protect and defend crucial assets in that realm against attacks that could potentially cripple the country.
The new partnership goes beyond previous efforts because now industry literally is in the driver’s seat. The private sector is providing the pieces of a national strategy for cyberspace defense currently being assembled by the Bush administration. Laws are being rewritten to permit greater collaboration between companies and with the federal government. And new industry organizations are being formed to serve as conduits for a two-way flow of intelligence on threats, vulnerabilities and solutions.
This two-front war on terrorism points out the different nature of the combat domestically and abroad. While military forces seek to exterminate the threat overseas, domestic efforts are focusing on eliminating vulnerabilities on the home front.
When it comes to the national information infrastructure, industry is an important player in this war because it has both the vulnerabilities and the solutions. Protecting those targets could be the key to foiling al Qaida and any other would-be adversary.
“We’re worried more about the vulnerabilities than we are the threat,” states Roger W. Cressey, chief of staff of the President’s Critical Infrastructure Protection Board. This approach reflects the diversity of threats to the U.S. infrastructure that could all target a single window of opportunity. A specific vulnerability can be an opening for a teenage hacker looking to leave digital graffiti or for an al Qaida terrorist seeking to inflict substantial damage on the United States. Instead of trying to eliminate all possible threats, the government is addressing cyberspace vulnerabilities. Fixing them diminishes the opportunities available to all potential adversaries.
Nonetheless, the U.S. government is taking seriously all governmental and nongovernmental cyberspace threats. Cressey offers that the United States has yet to experience a real act of cyberterrorism. While individual hacking and probing episodes from overseas have taken place, terrorist groups have used the Internet largely to support their operations. Those efforts have encompassed target research, communications, proselytizing, fund-raising and operational planning. However, no terrorist group has yet used the Internet as a tool of attack, Cressey observes. That trend is likely to end.
“It is not a question of if, but a question of when they will use it, unless we fix our vulnerabilities,” he declares.
He continues that U.S. government officials have learned from Afghanistan detainees that al Qaida operatives have been studying U.S. vulnerabilities, both hard and soft. One of the most significant lessons learned from September 11 is that al Qaida is more than willing to use U.S. technology against it. In that attack, the terrorists transformed a conventional civilian mode of transportation used daily into a massive cruise missile. Cressey notes that there is little doubt that the terrorists will use other technologies against the nation.
He believes that three such areas loom likely in the information technology arena. One is distributed denial-of-service attacks. Viruses such as Code Red and NIMDA wreaked havoc among organizations worldwide, and these two were launched by cybervandals rather than by organized adversaries. Any software-literate individual associated with a terrorist group could generate and launch a similar virus.
Of greater concern is the possibility of terrorists combining a cyberattack with a physical one. A physical attack—such as the strikes on the World Trade Center and the Pentagon—followed immediately by a cyberattack that cripples communications capabilities would seriously hinder the ability of first responders to carry out rescue and recovery activities. Similarly, the detrimental effects of a physical attack could be compounded by an unrelated cyberstrike on elements of the oil, gas or electrical infrastructure.
The third area involves the economy. Al Qaida in particular has examined how best to hurt the U.S. economy, Cressey relates. With the U.S. economy so dependent on the Internet, a denial-of-service attack on the banking and finance industry could have significant economic consequences.
Earlier this year, the Federal Bureau of Investigation’s (FBI’s) National Infrastructure Protection Center (NIPC) issued a warning based on evidence uncovered on computers owned by al Qaida members. The al Qaida owners of these computers had downloaded Web information on supervisory control and data acquisition (SCADA) systems, water management and dams and reservoirs in the western United States. That type of data point is enough cause for concern, Cressey states.
To meet this challenge, the administration is developing a national strategy on cyberspace security. While it is part of the homeland security strategy, it also is a stand-alone document that will offer greater detail on this specific sector of the critical infrastructure.
What sets the national cyberspace security document apart from most others is that many of its components are being written largely by the private sector. Each commercial element of the critical infrastructure—the banking and finance, electricity, oil and gas, manufacturing, information technology, transportation, emergency services and telecommunications sectors—is writing its own portion on the relevant issues that must be addressed. This includes recommendations for government action to improve cooperation and security.
This input is coming through Information Sharing and Analysis Centers (ISACs) that serve as the hubs for information exchange for several industry sectors. The chemical industry has approached the government with the goal of creating an ISAC out of which organized input from this sector could be incorporated into the security strategy.
The sectors’ contributions will be collected by the administration and melded into the national strategy to create a coherent policy. “This isn’t just a document written by bureaucrats,” Cressey warrants. “It is a living document that will feature pen to paper by the private sector. It will be updated as vulnerabilities change, as response changes and as the private sector comes to us with additional requests and ideas.”
With 90 percent of the critical infrastructure owned and operated by the private sector, the government-industry partnership is absolutely essential, Cressey continues. “It is incumbent upon us to reach out to them to talk about the solutions to the problems we have, and that is the whole philosophy behind this.”
When the drafting process is completed, the national cyberspace security strategy will be shared with a broad group of reviewers before it is presented to the president. Plans call for a public rollout of the document sometime this fall.
The private sector has been paying greater attention to critical infrastructure security since September 11, Cressey relates. This encompasses both addressing industry’s own vulnerabilities and helping the federal government effort. Both government and industry have increased their outreach toward each other, and the Office of Homeland Security and the President’s Cybersecurity Board have played roles in improving this collaborative activity.
Previous efforts at government-industry cybersecurity cooperation had been hindered by a reluctance on the part of industry to share much of its information such as vulnerabilities and proprietary solutions. This cultural reluctance has not been completely eliminated in the wake of September 11, but it is not as much of an obstacle as it used to be, Cressey offers.
To address industry concerns that information shared with the government could wind up in the hands of competitors, the administration is seeking a special exemption to the Freedom of Information Act (FOIA). This would exempt any information that companies share with the government on vulnerabilities in their infostructure security. It would allow the government to work with them to fix these vulnerabilities, while at the same time assuring the companies that no one could use the FOIA to gain access to this proprietary data.
Cressey notes that several key members of both parties in both houses of Congress strongly support this narrowly targeted exemption, and they are working with the administration to craft legislation that addresses the problem without hindering other legitimate FOIA requests. The administration hopes this exemption will be approved by the end of this year’s congressional session.
The struggling high-technology economy poses an even bigger obstacle to industry’s commitment to security investments, Cressey suggests. These firms cannot spend as much money on security issues as they deal with the two-year sector downturn.
Cressey emphasizes that one of the federal government’s guiding principles in its security relationship with industry is that regulatory action is not the solution. A cooperative partnership is the key, along with a strong assist from market forces. The public-private partnership that began in the Clinton administration has been accelerated over the past year. Key benchmarks are the establishment of the President’s Cybersecurity Board and the appointment of the special adviser for cyberspace security—Richard A. Clarke, former national coordinator for security, infrastructure protection and counterterrorism (SIGNAL, August 1999, page 17). One of Clarke’s primary activities is outreach to the private sector.
The Commerce Department’s Critical Infrastructure Assurance Office, or CIAO, is another vital component of the government’s security effort. Cressey describes it as the government’s portal to the private sector, and it works extensively with the ISACs.
This information sharing will not be a one-way street from industry to government. The government also will keep industry informed of various developments, including advance knowledge of threats. This is especially important for companies involved with distributed denial-of-service mitigation solutions.
A key element will be the establishment of a formalized relationship among the government—the White House, the FBI and the National Communications System, to name a few—and the private sector so that cyberspace crisis management is not ad hoc. While Cressey believes that the government did a good job in dealing with the NIMDA virus, he adds that “it was far more ad hoc than we would have liked.” Specific procedures in place would have improved the response. A proposed cyberwarning information network aims to formalize crisis management structures and procedures between government and the private sector.
Cressey observes that one change readily apparent among the information technology community is the view that security must be more than an appendage to a product. Instead of an appliqué, security must be an integral part of an information technology product from the start. This change in attitude and culture is significant, he offers. “Before, marketers would drive when a product would be available to the public. Now, people in the security field are playing a more prominent role in product development,” he relates.
Cressey sees much of the existing Internet infrastructure as “not as secure as it should be.” Solutions such as more secure protocols and hardware combined with better security practices are needed now.
Next-generation information technologies that will appear in three to five years can be designed with security functions embedded in the product. Wireless communications is one area that needs more attention in that manner. Cressey notes that the wireless industry is paying more attention to security, but it has a long way to go.
True security will require more than just a firewall and updated antivirus software, Cressey continues. A defense-in-depth approach will require contingency planning, disaster recovery, intrusion detection and effective internal access and authentication. These measures could make the difference between turning a profit and losing money.
The government faces a similar challenge in its e-commerce activities. The Internal Revenue Service, for example, has been urging taxpayers to file their returns online, and the percentage doing so has increased steadily over the past few years. A denial-of-service virus or an attack that knocks out the Internet on or just before April 15 could complicate the tax agency’s work considerably.
“The Federal Government needs to red-team its vulnerabilities and propose steps to mitigate them,” Cressey declares. “Federal IT [information technology] security is quite poor, but we’re doing a better job at it.” He adds that the president’s 2003 budget contains a 64 percent increase in federal IT security spending to more than $4 billion.
Many of the existing vulnerabilities—up to 90 percent—conceivably could be fixed if existing patches and best practices were applied, Cressey allows. “It is incumbent upon us to walk the walk as much as we talk the talk,” he declares. “So, we must get our own house in order—we recognize that.” This translates to procuring more secure products, best practices and better standards for security. When these goals are reached, then government can demand the same of industry.
The federal government had not done a good job of working with state and local governments on infrastructure security, Cressey admits. Now, the federal government recognizes that it should have done more. September 11 and the establishment of a homeland security structure have opened the door to greater federal attention to state and local security needs, along with increased receptiveness on the part of smaller governments. The real challenge, Cressey offers, will be the information-sharing mechanism that ensures that information on vulnerabilities is passed up and down the chain.
The Pentagon does as good a job—if not better—on information security as any other part of the federal government, Cressey maintains. He cites the Navy/Marine Corps Intranet as a good example of embedded security. Its use of common access cards and biometrics is a step that should be emulated by other government agencies.