Hidden Hazards Menace U.S. Information Infrastructure
Government will support and enable security efforts, but industry must lead in protection against hostile acts.
The greatest threat to U.S. security may come from internal software or hardware trapdoors lying dormant in the nation’s critical infrastructure. The digital equivalent of Cold War moles, these hidden threats would serve as access points for criminals, terrorists or hostile governments to extort money, impel foreign policy appeasement or ultimately launch crippling information attacks on the United States.
A concerted effort by the private sector, with participants that range from software providers to public utilities and large commercial service organizations, is needed to forestall these and other potentially devastating information onslaughts. The federal government is poised to assist in a range of areas such as providing classified threat intelligence information to specially designated private industry groups.
However, many leaders of vital private sector entities do not yet recognize either the scope of the threat or its potential severity. The government cannot step in and provide ad hoc protection against information system attackers. And, these private sector organizations are likely targets should warfare break out between the United States and any of a number of hostile countries, many of which are developing active measures to strike at the U.S. information infrastructure.
All these elements add up to “a very real possibility of an electronic Pearl Harbor,” according to Richard A. Clarke of the National Security Council. Clarke, national coordinator for security, infrastructure protection and counterterrorism, believes that the biggest challenge to protecting the critical infrastructure against these threats is awareness. He worries that the U.S. public—all the way up to corporate chief executive officers—has not realized that a revolution over the past eight years has made the United States “entirely dependent as a nation” on networked systems. This national dependency, which is partly responsible for the booming economy and its improved productivity, is also a vulnerability.
“Without computer-controlled networks, there is no water coming out of your tap; there is no electricity lighting your room; there is no food being transported to your grocery store; there is no money coming out of your bank; there is no 911 system responding to emergencies; and there is no Army, Navy and Air Force defending the country,” he warrants. “All of these functions, and many more, now can only happen if networks are secure and functional.”
The potential cyberspace threat differs significantly from activities that now happen routinely. Currently, malicious pranksters and disgruntled insiders are the source of most information technology onslaughts, which often materialize merely as hacked World Wide Web pages. Clarke contrasts these routine events with the likelihood of a systematic attempt to take down a region, an economic sector or even the nation. “A systematic attempt could come from a terrorist group, a criminal cartel or a foreign nation,” he warns, adding “and we do know of foreign nations that are interested in our information infrastructure and are developing offensive capabilities that would allow them to take down sectors of our information infrastructure.”
Clarke relates that the year 2000 (Y2K) problem played a valuable role in teaching business executives an important lesson: that they had bet their entire companies on software and hardware systems. With some large corporations spending hundreds of millions of dollars on Y2K remediation, their leaders learned how vulnerable their firms’ existence could be in the face of a minor software problem. Now, the federal government must convince these same chief executive officers that Y2K is not the only information technology threat menacing their companies.
“Unless they secure their networks—and unless the networks that supply them with services such as electricity and telecommunications are secure—they are still betting the company,” Clarke warrants.
“At a highly aggregated level, we are betting the country.”
Clarke describes trapdoors, some of which may already be in place, as the greatest potential threat to the information infrastructure. Residing in the operating systems of key networks that support the U.S. critical infrastructure, these trapdoors would provide windows of opportunity for any ill-intentioned adversary to wreak considerable havoc. “It is at least theoretically possible that a nation could insert such trapdoors, and then make demands of the United States under threat to our infrastructure,” he warns.
One possible scenario would feature a demand leveled by a foreign government or terrorist group. When the U.S. government refuses to comply, this adversary demonstrates its capabilities by reducing a region of the United States to chaos. “I think the capability to do that probably exists in the hands of several nations,” Clarke states. “I think it could exist in the near future in the hands of criminal and terrorist organizations.”
The result could involve any number of network-dependent functions. “You can see, from time to time, how individual failures can create chaos,” he explains. “When a 911 system goes out for a few hours in one sector of a city, there sometimes is chaos. When one satellite spins out of control and 95 percent of America’s pagers no longer work, there is a fair amount of chaos in at least one sector.
“Envision all of these things happening simultaneously—electricity going out in several major cities; telephones failing in some regions; 911 service being down in several metropolitan areas. If all of that were to happen simultaneously, it could create a great deal of disruption, hurt the economy, and—if it happened at a time when we were trying to project our military forces overseas—it could severely retard our forces getting to their destination,” Clarke warns. The military aspect is particularly noteworthy because the United States has built its defense around keeping most forces in the country for rapid deployment overseas when and where needed. Timely and reliable force projection could be foiled by large-scale domestic infrastructure disruptions. Accordingly, the Defense Department is now examining how to ensure that this force projection is immune to attacks on the U.S. domestic infrastructure.
Adversaries could employ trapdoors for sabotage in a number of ways. Clarke notes that virtually every major software or hardware provider offers patches to its product. Often, the patch is designed to fix a vulnerability that would permit an unauthorized user to access a system. These are noted on many of the manufacturers’ web pages, which amounts to publishing a list of product vulnerabilities discovered after the products reached market. The buyer is supposed to ensure that these patches are applied, but many system administrators do not bother to apply them or even seek them out. Malicious individuals and organizations regularly peruse these patch lists, and they probe systems to find someone who has not applied the patch.
“We need to encourage companies and government departments to create a reliable way of knowing when vulnerabilities have been discovered by software and hardware manufacturers, knowing when patches have been made available, and ensuring with high confidence that these patches have been applied,” Clarke says.
Theoretically, a foreign government or group could insert trapdoors in systems through its own computer experts working legitimately for software or hardware companies. Many U.S. information system hardware and software firms rely, to an increasing degree, on expert workers from other nations. Most of these people stay and even become U.S. citizens, but a few could act as enemy saboteurs, either sympathetically or through blackmail or bribery. Rather than deny U.S. firms access to needed foreign expertise, Clarke calls for developing internal assurance procedures that prevent any individual—foreign or U.S. citizen—from abusing the system. This could focus on network access procedures, for example, that detect or even prevent suspicious or malicious behavior.
Trapdoors are only one menace to the information infrastructure. Recent weeks have featured denial-of-service attacks, where a web server is inundated to its oversaturation point and is effectively shut off. Malicious, self-propagating viruses strike computer systems worldwide. “It doesn’t merely have to be the use of a trapdoor to enter a system, seize control and destroy the system,” Clarke cautions. “Any combination of malicious virus, denial of service and trapdoor disruptions can create chaos.”
From an individual corporate level, executives should worry about the insider threat against their organizations, Clarke allows. This ranges from aggrieved employee sabotage and theft to paid industrial espionage. However, from a national perspective, their organizations also must worry about warfare.
To illustrate his point, Clarke cites the recent North Atlantic Treaty Organization (NATO) military action against Serbia. Key NATO targets included transportation systems, the electric power grid and telecommunications facilities—Serbia’s infrastructure. This bombing was achieved with cruise missiles and other precision-guided munitions delivering high explosives on targets. In the United States, the same infrastructure assets depend on computer-controlled networks. These networks could be attacked much more easily than by launching fleets of aircraft to hurl explosives onto U.S. territory. A cyberspace attack that shuts down an electric utility for a prolonged period of time could have the same result as a successful bombing run on a power station.
The federal government alone cannot defend the country, Clarke declares. The owners and operators of major infrastructure elements must participate in defending their own systems. The government can help with research and development and by organizing sectors for this purpose. “But, in the end, infrastructure owners and operators must assume the burden of defending the systems that they operate,” he states.
Clarke emphasizes that the federal government cannot—nor does it desire to—use its regulatory authority to create information assurance or security. “The federal government is not notably good at regulatory activity,” he says. “Regulatory activity by the federal government is a very prolonged exercise that serves only to enrich lawyers. Given that the Internet revolution is happening at great speed—and we now refer to every three months as an Internet year—by the time any federal draft regulation was promulgated, it would be out of date by 12 Internet years.” The government instead seeks to create an understanding in the private sector of the need for security, as it did with Y2K.
Market forces are a valuable ally in this thrust, he allows. Insurance companies, for example, now are considering standards of information security as conditions for certain types of insurance. Audit firms that prepare annual reports on major corporations are now considering a standard of information security for corporate stockholder reports.
“Trust market forces” as a mechanism to impel private industry to implement needed information security, Clarke declares. If an entity ignores repeated attempts to make it act responsibly, then “it’s the responsibility of government” to let people know of these security concerns in that entity. When corporations learn that their service provider is not paying adequate attention to security, then they might look to another provider or even create their own, he suggests.
Clarke opines that stockholders and boards of directors are beginning to realize that, if a company has not invested significantly in information defense, then that company may not be a good investment. “We see this increasingly in the leadership of major companies,” he says. Already, the banking and finance industry met with him and with then Treasury Secretary Robert Rubin to discuss the need for information security as a sector of the U.S. economy.
This effort is spawning a new approach that may serve as the cornerstone for government/industry information security cooperation. The meeting with Clarke and Rubin led to this economics-oriented industry opting to form an information-sharing and assessment center later this year. Another name for this center could be “a computer defense center” for the entire banking and finance industry, Clarke suggests.
The major telecommunications companies are also negotiating with the government and each other to create their own equivalent center. The Department of Transportation has been in contact with railroad, aviation and pipeline companies, and the Department of Energy has held discussions with electrical power companies for similar information defense centers. Clarke predicts that each of the major infrastructure areas will open these types of centers this year. The centers will be owned and operated by the industry groups for sharing information among member companies, and they could serve as bases for collectively funding research and sharing its results.
More significantly, the federal government will share information, including select classified material, with industry through these centers on a regular basis. The government will work out a manner in which sensitive and classified information can be provided to each center in a trusted way, Clarke emphasizes. While the government has provided classified intelligence to the private sector in the past, it has been on a case-by-case basis—sharing data on possible future enemy aircraft with military aerospace companies, for example, or warning airlines of terrorist threats. Clarke believes that providing classified information to the industrywide computer defense centers would be an unprecedented step. The intelligence assets of the entire government would contribute relevant data, and the National Infrastructure Protection Center probably would serve as the information liaison with the industry centers.
Overall, Clarke warrants that a government/industry partnership is needed for an awareness campaign. His office is planning this type of campaign along the lines of the Partnership for a Drug-Free America. Government has provided information and funding to that partnership, as has private industry. A smaller, more targeted effort would focus on critical information security. It would involve major corporations and government agencies in an effort to spread awareness of the importance of network security and information assurance. The target audience would be employees of government departments and agencies, private company employees as well as chief executive officers and stockholders of major corporations. Clarke’s office is aiming to create this partnership for critical information security by year’s end.
Government can make several contributions to private sector security, Clarke maintains. It is unlikely, for example, that the private sector and market forces will generate systems for dealing with existing trapdoors. Accordingly, Clarke has asked several government agencies to examine potential research areas that could be funded by the federal government to develop dual-use systems for dealing with embedded trapdoors. This effort, which includes the Defense Advanced Research Projects Agency, has become a major research priority for his office. A goal is “to have something [so we can] begin to address that problem in the relatively near future,” Clarke states.
Despite the growing number of security products and turnkey solutions generated by the private sector, no reliable method yet exists to determine a good service or product. This shows the need for a quality clearinghouse that would rate the effectiveness of these products. The industry computer security centers could establish standards to perform testing and evaluation to determine “best of breed” in security, Clarke offers. He is calling for the information security equivalent of the insurance industry’s Underwriters’ Laboratories, which certifies electrical products as meeting established standards. The government could help in this security effort, but it would not “give out grades” to private companies and their products, he emphasizes.
The federal government is also willing to work with industry to change laws that are impediments to information assurance and security. These steps might include modifying the Freedom of Information Act, antitrust legislation and liability laws, Clarke suggests.