Exhibit ES-1. Observations
What Should We Defend?
The current Administration's national security strategy for the United States suggests that the nation's "economic and security interests are increasingly inseparable" and that "we simply cannot be successful in advancing our interests-political, military and economic-without active engagement in world affairs." In the broad sense, then, the scope of national information interests to be defended by information warfare defense and deterrence capabilities are those political, military, and economic interests. These include the continuity of a democratic form of government and a free market economy, the ability to conduct effective diplomacy, a favorable balance of trade, and a military force that is ready to fight and that can be deployed where needed. These interests are supported by the delivery of goods and services that result from the conduct of functional activities such as manufacturing, governing, banking and finance, and the like. Some of these activities are critical to the nation's political, military, and economic interests. These critical functional activities, in turn, depend on information technology and critical infrastructures such as banking and finance, electric power, telecommunications, and transportation.
In general, U.S. infrastructures are extremely reliable and available because they have been designed to respond to disruptions, particularly those caused by natural phenomena. Redundancy and diverse routing are two examples of design techniques used to improve reliability and availability. However, deregulation and increased competition cause companies operating these infrastructures to rely more and more on information technology to centralize control of their operations, to support critical functions, and to deliver goods and services. Centralization and reliance on broadly networked information systems increase the vulnerabilities of the infrastructures and the likelihood of disruptions or malevolent attacks.
The information users of national interest who can be attacked through the shared elements of the national information infrastructure are those responsible for performing the critical functions necessary for the delivery of the goods and services upon which our political, military, and economic interests depend.
The Department of Defense (DoD) must preserve its ability to fulfill its basic missions. To do that, DoD must be concerned about the ensured operation of the critical functions and the availability of information necessary to fulfill those missions. The intertwined nature of the functions of national interest and supporting infrastructures add to the complexity: there are critical functions which have national security implications and which must be defended; and there are critical portions of the infrastructures which are necessary for the operation of DoD and national functions.
How Should We Defend?
The concept for defending is as follows. In the information age as in the nuclear age, deter is the first line of defense. This deterrence must include an expression of national will as expressed in law and conduct, a declaratory policy relative to consequences of an information warfare attack against the United States, and an indication of the resiliency of the information infrastructure to survive an attack. Technology to conduct information warfare is simple and ubiquitous; some form of infrastructure robustness and protection is essential. It is technically and economically impossible to design and protect the infrastructure to withstand any and all disruptions, intrusions, or attacks (or avoid all risk). The risk can be managed, however, by protecting selected portions of the infrastructure that support critical functions and activities necessary for maintaining political, military, and economic interests. An equally important function is to verify through independent assessments that the design principles are being followed, that protective measures are being implemented where appropriate, and that the information warfare (defense) readiness posture is as reported.
Tactical warning, damage control, attack assessment, and restoration ensures the continuance of these critical functions and activities in the presence of disruptions or attacks. The essence of tactical warning is monitoring, detection of incidents, and reporting of the incidents. Monitoring and detection of infrastructure disruptions, intrusions, and attacks are also an integral part of the defense against information warfare. Providing an effective monitoring and detection capability will require some policy initiatives, some legal clarification, and an ambitious research and development program. The telecommunications infrastructure will be subject to some form of attack and we should have some capability to limit the damage that results and to restore the infrastructure. Little research has been devoted to the basic procedures necessary to contain "battle" damage, let alone the tools which might provide some automated form of damage control. Some form of attack assessment is essential to determine the impact of an attack on critical functions and the appropriate response to an attack. Restoration of the infrastructure implies some capability to repair the damage and the availability of resources such as personnel, standby services contracts, and the like. The basic functions of monitoring, detection, damage control, and restoration must begin at the lowest possible operating level. Reports of the activity must be passed to regional, DoD, and national-level organizations to establish patterns of activity and to request assistance as needed in damage control and restoration. Finally, some form of response to the intrusions or attacks may be necessary to deter future intrusions or attacks. The response could entail civil or criminal prosecution, use of military force, perception management, diplomatic initiatives, or economic mandates. Because response might also involve offensive information warfare, this report does not address it in detail.
The Task Force makes 13 key recommendations as shown in Exhibit ES-2. The Task Force 'considers these recommendations as imperatives.
Exhibit ES-2. Recommendations
In addition, the Task Force made over 50 additional recommendations, which are categorized under these key recommendations. (Note that the first recommendation addresses all of information warfare, not just defensive information warfare.) The Task Force attempted to prioritize these "key recommendations," but in the end decided that portions of all of these key recommendations should be implemented immediately.
The following discussions provide all of the recommendations made by the Task Force. The parenthetical entry following each of the key recommendations identifies the section of the report in which the recommendations are discussed in detail.
1. Designate an accountable IW focal point (6.1). This is the most important recommendation the Task Force offers. The Task Force believes that the Secretary of Defense needs a single focal point charged to provide staff supervision of the complex activities and interrelationships that are involved in this new warfare area. This includes oversight of both offensive and defensive information warfare planning, technology development and resources. The SECDEF should:
1a. Designate ASD(C3I) as the accountable focal point for all IW issues.1a(1). Develop a plan and associated budget beginning in FY 97 to obtain the needed IW-D capability.
2. Organize for IW-D (6.2). This key recommendation identifies the need for specific IW-D related capabilities and organizations to provide or support the capabilities. While not specifically addressed by the Task Force, virtual organizations that draw on existing assets and capabilities can be established.
2a. Establish a center to provide strategic indications and warning, current intelligence, and threat assessments. The SECDEF should request the DCI to:2a(1). Establish an I&W/TA center at NSA with CIA and DIA support.
The Task Force was formed in November of 1995. It met formally eight times. Four individual panels were formed to address specific issues and each met about the same number of times. During the course of the study, the Task Force drew upon previous DSB Task Force efforts. Some recurring themes will be pointed out later in the report.
The objective of the study was to make recommendations regarding the creation and maintenance of specific aspects of a national information warfare defense capability. Exhibit 1-1 shows the specific tasks outlined by the terms of reference.
Exhibit 1-1. Terms of Reference
In addition to the Terms of Reference objectives, the Task Force was requested to look at additional items of interest shown in Exhibit 1-2. The National Research Council study was mandated by Public Law 103-160, Defense Authorization Bill for Fiscal Year 1994, November 30, 1993. Pre-publication copies of this report were released May 30, 1996. Because of the potential role of cryptography in information warfare - defense (IW-D), the Task Force was encouraged to review the NRC report in the context of the Task Force deliberations. To avoid duplication and to provide additional focus to the study, the Task Force received briefings on the study of the Global Information Infrastructure sponsored by the Director of Central Intelligence. This excellent study effort provided valuable insights into the global implications of defensive information warfare.
Exhibit 1-2. Additional Items of Interest
During the Task Force deliberations, the President signed Presidential Decision Directive 39 (late 1995) and Executive Order 13010 (July 15, 1996). These established a President's Commission on Critical Infrastructure Protection. The Commission was tasked to develop a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats. The Task Force was advised that after review and approval of the Task Force report by OUSD(A&T), the Defense Science Board will forward its report to the Commission as a "statement of DoD issues, concerns, requirements, and recommendations."
The sponsors of the study were the Honorable Emmett Paige, Jr., Assistant Secretary of Defense for C3I; and VADM Arthur K. Cebrowski, Director for C4 Systems, Joint Staff.
Task Force members are shown in Exhibit 1-3. A variety of disciplines were represented-academia, the telecommunications, banking, and aerospace industries, systems integrators, former military -- and a number of members with former government service. In order to examine the issues more closely, the Task Force organized into four panels.
Exhibit 1-3. Task Force Members
2.1 GROWING DEPENDENCY, GROWING RISK
The objective of warfare waged against agriculturally-based societies was to gain control over their principal source of wealth: land. Military campaigns were organized to destroy the capacity of an enemy to defend an area of land.
The objective of warfare waged against industrially-based societies was to gain control over their principal source of all wealth: the means of production. Military campaigns were organized to destroy the capacity of the enemy to retain control over sources of raw materials, labor and production capacity.
The objective of warfare to be waged against information-based societies is to gain control over the principal means for the sustenance of all wealth: the capacity for coordination of socio-economic inter-dependencies. Military campaigns will be organized to cripple the capacity of an information-based society to carry out its information-dependent enterprises.
In the U.S. society, over 60 percent of the workforce is engaged in information-related management activities. The value of most wealth producing-resources depends on "knowledge capital" and not on financial assets or masses of labor. Similarly, the doctrine of the U.S. military is now principally based on the superior use of information.
"The joint campaign should fully exploit the information differential, that is, the superior access to and ability to effectively employ information on the strategic, operational and tactical situation which advanced U.S. technologies provide our forces." [Joint Pub. 1, p. IV-9]
The military doctrines shaping U.S. force structure and operational planning assume this information superiority. "Joint Vision 2010 focuses the strengths of each individual Service on operational concepts that achieve Full Spectrum Dominance" This technological view is shared in the Army's "Enterprise Strategy" and "Force XXI Concept of Operations," the Navy's "Forward ... From the Sea," the Air Force's "Global Presence," and the Marine's "Operational Maneuver from the Sea."
The capstone Joint Vision 2010 provides the conceptual template for how America's Armed Forces will channel the vitality and innovation of our people and leverage technological opportunities to achieve new levels of effectiveness in joint warfighting. It addresses the expected continuities and changes in the strategic environment, including technology trends and their implications for our Armed Forces. lt recognizes the crucial importance of our current high- quality, highly trained forces and provides the basis for their further enhancement by prescribing how we will fight in the early 21st century. This vision of future warfighting embodies the improved intelligence and command and control available in the information age and goes on to develop four operational concepts: dominant maneuver, precision engagement, full dimensional protection, and focused logistics.
It is not prudent to expect the U.S. dependence on information-dominated activities for wealth producing and for national security to go unchallenged. In his book, Strategy: the logic of war and peace [ 1987, Belknap Press, pages 27-28], Edward Luttwak notes:
The notion of an 'action-reaction' sequence in the development of new war equipment and newer countermeasures, which induce in turn the development of counter-countermeasures and still newer equipment, is deceptively familiar. That the technical devices of war will be opposed whenever possible by other devices designed specifically against them is obvious enough. Slightly less obvious is the relationship (inevitably paradoxical) between the very success of new devices and their eventual failure: any sensible enemy will focus his most urgent efforts on countermeasures meant to neutralize whatever opposing device seems most dangerous at the time.
The reality is that the vulnerability of the Department of Defense -- and of the nation -- to offensive information warfare attack is largely a self-created problem. Program by program, economic sector by economic sector, we have based critical functions on inadequately protected telecomputing services. In aggregate, we have created a target-rich environment and the U.S. industry has sold globally much of the generic technology that can be used to strike these targets.
Despite the enormous cumulative risk to the nation's defense posture, at the individual program level there still is inadequate understanding of the threat or acceptance of responsibility for the consequences of attacks on individual systems that have the potential to cascade throughout the larger enterprise.
A case examined in some detail by the Task Force was the dependence of the Global Transportation Network on unclassified data sources and the GTN interface to the Global Command and Control System (GCCS). GCCS will continue to increase in importance as it becomes the system of systems through which CINCS, JTFs, and other commanders gain access to more and different information sources. Although GCCS has undergone selected security testing, much remains to be accomplished. For example, security testing to date has focused principally upon Oracle databases and applications evaluation. Other GCCS aspects need thorough security testing; e.g., database applications (Sybase), message functions and configuration management. GTN and GCCS are not unique circumstances. The Global Combat Support System and a long series of Advanced Concepts Technology Demonstrations currently shaping the future of C4ISR follow a remarkably similar pattern: Well-intentioned program managers work very hard to deliver an improved mission capability in a constrained budget environment. The operators they are supporting do not emphasize security and neither operators nor developers are held responsible for the contribution their individual program makes to the collective risk of cascading failure in the event of information warfare attack.
To reduce the danger, all defense investments must be examined from a network- and infrastructure-oriented perspective, recognizing the collective risk that can grow from individual decisions on systems that be connected to a shared infrastructure. Only those programs that can operate without connecting to the global network or those that can operate with an accepted level of risk in a networked information warfare environment should be built. Otherwise, we are paying for the means that an enemy can use to attack and defeat us.
The shift from the industrial age to the information age and the implications are illustrated in Exhibit 2-1.
The United States formerly enjoyed a broad-based manufacturing foundation to support other infrastructures and conventional and nuclear forces. With the increasing dependence on information and information technology, that broad-based foundation has been reduced to a rather narrow base of constantly changing and increasingly vulnerable information and information technology. Service and joint doctrine clearly indicate an increasing dependence of future forces on information and information technology. However, the doctrine of information superiority assumes the availability of the information and information technology-a dangerous assumption. The published Service and joint doctrine does not address the operational implications of a failure of information and information technology.
By analogy, consider the protection implications of adding an aircraft carrier to our force structure. The carrier does not deploy in isolation. It is accompanied by all manner of ships, aircraft, and technology to ensure the protection of the entire battle group: destroyers for picket duty, cruisers for firepower, submarines for subsurface protection, aircraft and radar for early warning, and so on. The United States must begin to consider the implications of protecting its information-age doctrine, tactics, and weapon systems. It can not simply postulate doctrine and tactics which rely so extensively on information and information technology without comparable attention to information and information systems protection and assurance. This attention, backed up with sufficient resources, is the only way the Department can ensure adequate protection of our forces in the face of the inevitable information war.
2.2 INFORMATION WARFARE
Although this task force specifically examined IW-D, it also considered of a few of the concepts behind offensive information warfare to help define the battlefield upon which the defense must operate.
Offensive information warfare is attractive to many because it is cheap in relation to the cost of developing, maintaining, and using advanced military capabilities. It may cost little to suborn an insider, create false information, manipulate information, or launch malicious logic-based weapons against an information system connected to the globally shared telecommunications infrastructure. The latter is particularly attractive; the latest information on how to exploit many of the design attributes and security flaws of commercial computer software is freely available on the Internet.
In addition, the attacker may be attracted to information warfare by the potential for large non- linear outputs from modest inputs. This is possible because the information and information systems subject to offensive information warfare attack may only be a minor cost component of a function or activity of interest-the database of the items in a warehouse costs much less then the physical items stored in the warehouse.
As an example of why information warfare is so easy, consider the use of passwords. We have migrated to distributed computing systems that communicate over shared networks but largely still depend on the use of fixed passwords as the first line of defense -- a carry-over from the days of the stand-alone mainframe computer. We do this even though we know that network analyzers have been and continue to be used by intruders to steal computer addresses, user identities, and user passwords from all the major Internet and unclassified military networks. Intruders then use these stolen identities and passwords to masquerade as legitimate users and enter into systems. Once in, they apply freely available software tools which ensure that they can take control of the computer and erase all traces of their entry.
It is important to stress that strategically important information warfare is not a trivial exercise of hacking into a few computers -- the Task Force does not accept the assertions of the popular press that a few individuals can easily bring the United States to its knees. The Task Force agrees that it is easy for skilled individuals (or less skilled people with suitable automated tools) to break into unprotected and poorly configured networked computers and to steal files, install malicious software, or cause a denial of service. However, it is very much more difficult to collect the intelligence needed and to analyze the designs of complex systems so that an attacker could mount an attack that would cause nation-disrupting or war-ending damage at the time and place and for the duration of the attacker's choosing.
This is not to make light of the power of the common hacker "attack" methods reported in the press. Many of these methods are sufficiently robust to enable significant harassment or large- scale terrorist attacks. The Task Force also acknowledges that malicious software can be emplaced over time with a common time trigger or other means of activation and that the effect could be of the scale of a major concurrent attack. While such an attack cannot be ruled out, the probability of such is assessed to be low. Currently, however, there is no organized effort to monitor for unauthorized changes in operational software even though for the past 3 years unknown intruders have been routinely been penetrating DoD's unclassified computers.
The above assessments do not mean that the threat of offensive information warfare is low or that it can be ignored. The U.S. susceptibility to hostile offensive information warfare is real and will continue to increase until many current practices are abandoned.
Practices that invite attack include poorly designed software applications; the use of overly complex and inherently unsecure computer operating systems; the lack of training and tools for monitoring and managing the telecomputing environment; the promiscuous inter-networking of computers creating the potential for proliferating failure modes; the inadequate training of information workers; and the lack of robust processes for the identification of system components, including users. By far the most significant is the practice of basing important military, economic and social functions on poorly designed and configured information systems, and staffing these systems with skill-deficient personnel. These personnel often pay little attention to or have no understanding of the operational consequences of information system failure, loss of data integrity, or loss of data confidentiality.
Information warfare defense is not cheap, nor can it be easily obtained. It will take resources to develop the tools, processes, and procedures needed to ensure the availability of information and integrity of information, and to protect the confidentiality of information where needed. Additional resources will be needed to develop design guidelines for system and software engineers to ensure information systems that can operate in an information warfare environment. More resources will be needed to develop robust means to detect when insiders or intruders with malicious intent have tampered with our systems and to have a capability to undertake corrective actions and restore the systems.
Note that the appropriate investment in an information warfare defense capability has no correlation with the investment that may have been made to obtain an offensive information warfare capability. Information warfare defense encompasses the planning and execution of activities to blunt the effects of an offensive information warfare attack. However, the value of an investment in information warfare defense is not a function of the cost of the information or information system to be protected. Rather, the value of the defense is a function of the value to the defender of an information-based activity or process that may be subject to an information warfare attack.
If the defender leaves unprotected vital social, economic, and defense functions that depend upon information services, then the defender invites potential adversaries to make an investment in an offensive information warfare capability to attack these functions. To provide a robust deterrent against such an attack, an information-dependent defender should invest wisely in a capability to protect and restore vital functions and processes and demonstrate that the information services used are robust and resilient to attack.
Part of the challenge is that the rate of technology change is such that most systems designers and in system engineers have their hands full just trying to keep up -- never mind learning and applying totally new security design practices. But the lack of such steps can cost. The organized criminals that recently made a successful run at one of the major U.S. banks spent 18 months of preparation, including downloading application software and the e-mail of the software designers, before they started to transfer funds electronically.
It will cost even more, as well as raise significant issues of privacy and the role of the government, to design a warning system for major institutions of society such as the banks or air traffic control. Such a warning system should, as a minimum, provide tactical warning of and help in the characterization of attacks mounted through the information infrastructure.
Probably the biggest obstacle will be the difficulty in convincing people-whether in commerce, in the military, or in government of the need to examine work functions and operating processes. This examination should uncover unintentional dependencies on the assumed proper operation of information services beyond their control.
2.3 THE INFRASTRUCTURE
What is the National Information Infrastructure (NII)? The phrase "information infrastructure" has an expansive meaning. The NII includes more than just the physical facilities used to transmit, store, process, and display voice, data, and images. It encompasses a wide range and ever-expanding range of equipment: cameras, scanners, keyboards, telephones, fax machines, computers, switches, compact disks, video and audio tape, cable, wire, satellites, optical fiber transmission lines, microwave nets, switches, televisions, monitors, printers, and much more.
The NII is not a cliff that suddenly confronts us, but rather a slope-one that society has been climbing since postal services and semaphore networks were established. An information infrastructure has existed for a long time, continuously evolving with each new advance in communications technology. What is different is that today we are imagining a future when all the independent infrastructures are combined. An advanced information infrastructure will integrate and interconnect these physical components in a technologically neutral manner so that no one industry will be favored over any other. Most importantly, the NII requires building foundations for living in the Information Age and for making these technological advances useful to the public, business, libraries, and other nongovernmental entities. That is why, beyond the physical components of the infrastructure, the value of the NII to users and the nation will depend in large part on the quality of its other elements:
We call out domains within this infrastructure by names that reflect the interest of the user: the Defense Information Infrastructure of the defense community; the National Information Infrastructure of the United States; the complex, interconnected Global Information Infrastructure of the future described so well to the Task Force by the representatives of the Central Intelligence Agency. The reality is that almost all are interconnected.
DoD has over 2.1 million computers, over 10,000 LANS, and over 100 long-distance networks. DoD depends upon computers to coordinate and implement aspects of every element of its mission, from designing weapon systems to tracking logistics. In field testing, DISA has determined that at least 65 percent of DoD unclassified systems are vulnerable to attack. Consider how this state come about.
The early generations of computer systems presented relatively simple security challenges. They were expensive, they were isolated in environmentally controlled facilities; and few understood how to use them. Protecting these systems was largely a matter of physical security controlling access to the computer room and of clearing the small number of specialists who needed such access.
As the size and price of computers were reduced, microprocessors began to appear in every workplace, on the battlefield and embedded in weapons systems. Software for these computers is written by individuals and firms scattered across the globe. Connectivity was extended, first to remote terminals, eventually to local- and wide-area communications networks, and now to global coverage. What was once a collection of separate systems is now best understood as a dynamic, ever-changing, collection of subscribers using a large, multifaceted information infrastructure operating as a virtual utility.
These legacy computer systems were not designed to withstand second-, third-, or "n"-order-level effects of an offensive information warfare attack. Nor is there evidence that the computer systems presently under development will provide such protection. The cost for "totally hardened" systems is prohibitive. Security criteria at present presume that computing can be protected at its perimeter, primarily through the encryption of telecommunications links. However, internal security may be more important than perimeter defense.
It is not necessary to break the cryptographic protection used to protect telecommunications and data to attack classified computing environments. The legacy protection paradigm used by DoD was based upon the classification of information. However, most classified computer systems contain, and often rely on, unclassified information. This unclassified information often has little or no protection of the data integrity prior to entry into classified systems. The expected interaction between GCCS and GTN is an example of this. An increasing number of DoD systems contain decision aids and other event driven modules that, unless buffered from unclassified data whose integrity cannot be verified, are at risk.
To cope with this new reality, the approach for managing information security must shift from developing security for each individual system and network to developing security for subscribers within the worldwide utility; and from protecting isolated systems owned by discrete users to protecting distributed, shared systems that are interconnected and depend upon an infrastructure that individual subscribers neither own nor control.
Successful protection policies within this global structure must be sufficiently flexible to cover a wide range of systems and equipment from local area networks to worldwide networks, and from laptop computers to massively parallel processing supercomputers. They must take into account threat, both from the insider and the outsider, and must espouse a philosophy of risk management in making security decisions.
These protection challenges are made more difficult by the rapid technological and regulatory changes under way in the distributed computing environment. The Telecommunications Act of 1996 is reshaping all aspects of interconnected communications in the United States. Similar movements toward deregulation are under way across the globe. Into this regulatory turmoil technology is introducing new services based on a bevy of competing waveforms and protocols for use over copper, coaxial, glass, and wireless mediums. To date, it is not possible to predict how fragile or how robust the communications infrastructure will be in the near term -- let alone the far future.
New computing technologies are being integrated into distributed computing environments on a large scale even though the fragility of these technologies is not understood. Recent examples include the post-deployment security flaws found in Netscape Navigator and in Java applets; the ongoing market struggle to dominate the building blocks for World Wide Web applications formed from collections of objects distributed across clients and servers that is under way between the Object Management Group's Common Object Request Broker Architecture and Microsoft Corporation's Distributed Common Object Model (each with a different approach to security); and a proposed future where Microsoft would automatically deliver and install software updates onto the customer's desktop without the customer's active involvement.
These environmental factors have serious implications for information warfare defense. Within this rapidly changing, globally interconnected environment of telecomputing activities it is not possible for a person to identify positively who is interconnected with him or her or know the exact path a message and voice traffic takes as it transits the telecommunications "cloud." It is not possible to know technically or at the logical level how the various software components on a computer- including the distributed applets downloaded, used, and discarded-interact together. It is not possible to know for sure if the various components installed in the computer hardware only do what is asked of them. Finally, it is certainly not possible to know for certain if a co-worker who shares authorized access to a telecomputing environment is behaving appropriately.
In sum, we have built our economy and our military on a technology foundation that we do not control and which, at least at the fine detail level, we do not understand.
A few words about the environment are important to set the stage for later discussions. DoD's information infrastructure is a part of a larger national and global information infrastructure. These interconnected and interdependent systems and networks are the foundation for critical economic, diplomatic, and military functions upon which our national and economic security are dependent. Exhibit 2-2 shows a few examples of those functions, the importance of information and the information infrastructure to each, and the criticality of functions such as coalition building in responding to a regional crisis.
The United States is an information and information systems dominated society. Because of its ever-increasing dependence on information and information technology, the United States is one of the most vulnerable nations to information warfare attacks. The United States and its infrastructures are vulnerable to a variety of threats ranging from rogue hackers for hire to coordinated transnational and state-sponsored efforts to gain some economic, diplomatic or military advantage. Exhibit 2-3 depicts some of the vulnerabilities.
The military implications of this dependency was made abundantly clear when it was suggested in one of the briefings presented to the Task Force that points of failure had been identified for each of three infrastructures (telecommunications, power, transportation) supporting a key port city in the United States. If these individual locations were attacked or destroyed, or in the case of power and telecommunications, if the resident electronics were disturbed, it would impact the ability of military forces to deploy at the pace specified in the Time Phased Force Deployment List.
And it is getting worse. Globalization of business operations brings with it increased information and information system interdependence. Standardization of technology for effectiveness and economies tends to standardize the vulnerabilities available to an adversary. Regulation and deregulation also contribute to growing vulnerability. For example, the Federal Communications Commission has mandated an evolution toward open network architectures concept which has as its goal the equal, user-transparent access via public networks to network services provided by network-based and non-network enhanced service providers. However, in execution, the concept makes network control software increasingly accessible to the users-and the adversaries. Implementation of the Telecommunications Act of 1996 will also require the carriers to collocate key network control assets and to increase the number of points of interconnection among the carriers. The Act also mandates third-party access to operations support systems, providing even more possible points of access to the critical infrastructure control functions. Similarly, the Federal Energy Regulatory Commission's recent Orders 888 and 889 directed the deregulation of the electric power industry. As part of Order 889, the electric utilities are required to establish an Open Access Same-time Information System (OASIS) using the Internet as the backbone.
Exhibit 2-4 illustrates the variety of network and computer system vulnerabilities which can be exploited, starting with simply making too much information available to too many people. The number of holes is mind-boggling -- an indication of the complexity and depth of defensive information warfare task!
Exhibit 2-4. Vulnerabilities/Exploitation Techniques
Take, for example, "Remotely accessed software," which is found under "Data Driven." Distributed software objects, such as JAVA and Active-X, are the wave of the future. Rather than having software reside permanently in workstations or desktop computers, the Internet will make applications and data available as needed. The applications and data are deleted from the workstations or desktop computers after use. The danger of this just-in-time support is that the user has no idea as to what might be hidden in the code. Another aspect of distributed computing is that the definition of system boundaries becomes very blurred. This suggests considerable future difficulty in defining what can and cannot be monitored for self- protection, an implication discussed in Section 6.1 1, Resolve the Legal Issues, with legal recommendations.
The implication is that a risk management process is needed to deal with the inability to close all of the holes. Since this subject has been treated extensively by other study efforts (e.g., the Joint Security Commission) the Task Force elected not to examine risk management.
There is ample evidence from the Defense Information Systems Agency and the General Accounting Office of the presence of intruders in DoD unclassified systems and networks. Briefings and reports to the Task Force have reinforced the DISA experience. Exhibit 2-5 shows some of the threats involved.
Exhibit 2-5. The Threat is Real
The "1996 CSI/FBI Computer Crime and Security Survey," released to the public earlier this year, concluded that "there is a serious problem" and cited a growing number of attacks ranging from "data diddling" to scanning, brute-force password attacks, and denial of service. The National Communications System and the President's National Security Telecommunications Advisory Committee have been warning since 1989 that the public switched network is growing more vulnerable and is experiencing a growing number of penetrations. There is also a growing interest in sharing sensitive vulnerability information among private sector companies, among government agencies, and between government and the private sector. However, sometimes the technology success we have achieved and our faith in our technological superiority blinds us to the growing threat and to our own vulnerabilities. Exhibit 2-6 depicts the Task Force view of the threat.
* Validated by DIA W = Widespread; L = Limited
Exhibit 2-6. Threat Assessment
The incompetent threat is an amateur that by some means (perhaps by following a hacker recipe or by accident) manages to perform some action that exploits or exacerbates a vulnerability. This category could include a poorly trained systems administrator who assigns privilege groups incorrectly, which would then allow a more nefarious threat to claim more privileges on a system than would be warranted.
The hacker threat implies a person with more technical knowledge who to some degree understands the processes used and has the intent to violate the security or defenses of a target to one degree or another. The hacker threat is broad in motivation, ranging from those who are mostly just curious to those who commit acts of vandalism.
The disgruntled employee threat is the ultimate insider threat: the individual who is inside the organization and trusted. This threat is the most difficult to detect because insiders have legitimate access.
When examining the potential for information warfare activities, the potential for a criminal or nongovernmental attack for economic purposes must be considered. Information is the basis for the global economy. Money is information; only approximately 10 percent of the time does it exist in physical form. As information systems are increasingly used for financial transactions at all levels, it is natural to expect all levels of criminals to target information systems in order to achieve some gain.
The increasing interconnectivity of information systems makes them a tempting target for political dissidents. Activities of interest to this group include spreading the basic message of their cause by a variety of means as well as inviting others to actions. An example is the political dissident in this country who sent out e-mails urging folks to send e-mail bombs to the White House server.
By attacking those targets in a highly visible way, the terrorist hopes to cause the media to provide a great deal of publicity of the action, thereby further disseminating the message of fear and uncertainty.
A significant threat that cannot be discounted includes activities engaged on behalf of competitor states. The purpose behind such attacks could be an attempt to influence U.S. policy by isolated attacks; foreign espionage agents seeking to exploit information for economic, political, or military intelligence purposes; the application of tactical countermeasures intended to disrupt a specific U. S. military weapon or command system; or an attempt to render a major catastrophic blow to the United States by crippling the National Information Infrastructure.
It is necessary to distinguish between what a layman might consider a "major disruption," such as the three New York airports simultaneously being inoperable for hours; and a "strategic" impact in which both the scope and duration are of dramatically broader disruptions. The latter is likely to occur at a time in which other contemporaneous events make the impact potentially "strategic," such as during a major force deployment.
The Task Force struggled with the issue of what would truly constitute a "strategic attack" or "strategic" impact upon the United States. The old paradigms of "n" nuclear weapons, or threats to "overthrow the United States per se," were marginally helpful in understanding the degree to which we are vulnerable today to Information Warfare attack in all of its dimensions. Couple this issue with the difficulty in assessing the real impact of cascading effects through our infrastructures; on the one hand as being major nuisances and inconveniences to our way of life, or on the other hand, as literally threatening the existence of the United States itself, or threatening the ability of the United States to mount its defenses.
The Task Force concluded that, in this new world, an event or series of events would be considered strategic either because the impact was so broad and pervasive, or because the events occurred at times and places which affected (or could affect) our ability to conduct our necessary affairs. One example we used to illustrate this latter point was a disruption in the area phone, power, and transportation systems coincident with our attempts to embark and move major military forces through that area to points abroad.
Few members of the Task Force felt that the power failures in several contiguous Southwestern states this summer were a "major disruption" or of "strategic impact" on the United States. Clearly they were inconveniences. However, had we reason to believe that the outages had been knowingly orchestrated by adversaries of the United States, this nation would have been outraged.
An issue related to our perceived vulnerabilities is the ability of an adversary to actually plan and execute Information Warfare so that it creates the desired impact. Our Task Force had many enlightening discussions about the potential for effects to cascade through one infrastructure (such as the phone system) into other infrastructures. This example is particularly important because most of our other infrastructures rides on the phone system. No one seems to know quite how, where, or when effects actually would cascade; nor what the total impact might be. The Threat and Vulnerabilities Panel concluded that if, with all the knowledge we have about our own systems, we are unable to determine the degree to which effects would multiply and cascade; an adversary would have a far more difficult task of collecting and assessing detailed intelligence of literally hundreds, if not thousands, of networked systems in order to plan and successfully execute an attack of the magnitude which we would consider to be "strategic." The very complexity and heterogeneity of today's systems provide a measure of protection against catastrophic failure, by not being susceptible to the same precise attacks. Presumably, the more kinds of attacks required, the harder it would be to induce cascading effects that would paralyze large segments of this nation. This is not to say that significant mischief is unlikely. It does suggest that the risk of an adversary planning and predicting the intended results at the times and places needed to truly disrupt the United States is considered low for approximately the next decade.
The trade and news media regularly report on the penetration of businesses and financial institutions by organized crime to steal funds, the theft of telecommunications services, the theft of money via electronic funds transfer, and the theft of intellectual property to include foreign government-sponsored theft and transfer to offshore competitors of intellectual property from U.S. manufacturing firms.
The media also reports instances of disgruntled employees, contract employees, and ex-employees of firms using their access and knowledge to destroy data, to steal information, to conduct industrial espionage, invade privacy-related records for self-interest and for profit, and to conduct fraud. (An MCI employee electronically stole 60,000 credit card numbers from an MCI telephone switch and sold them to an international crime ring. MCI estimated the loss at $50 million.) Malicious activity by "insiders" is one of the most difficult challenges to information assurance.
DISA reported that it responded to 255 computer security incidents in 1994 and to 559 incidents in 1995. Of these, 210 were intrusions into computers, 31 were virus incidents, and 39 fell into another category. This is probably just the tip of a very large iceberg. Last year, DISA personnel used "hacker-type" tools to attack 26,170 unclassified DoD computers. They found that 3.6 percent of the unclassified computers tested were "easily" exploited using a "front door" attack because the most basic protection was missing and that 86 percent of the unclassified computers tested could be penetrated by exploiting the trusted relationships between machines on shared networks. Worse, 98 percent of the penetrations were not detected by the administrators or users of these computers. In the 2 percent of the cases where the intrusion was detected, it was only reported 5 percent of the time. This works out to be less than one in a thousand intrusions are both detected and reported. These detection and reporting statistics suggest that up to 200,000 intrusions might have been made into DoD's unclassified computers during calendar year 1995.
Whatever the number, unknown intruders have been routinely breaking into unclassified DoD computers, using passwords and user identities stolen from the Internet, since late 1993. Once the intruders enter the computers masquerading as the legitimate users, they install "back doors" so that they can always get back into the computer. These intruders have gained access to computers used for research and development in a variety of fields: inventory and property accounting, payroll and business support, supply, maintenance, e-mail files, procurement, health systems, and even the master clock for one-fourth of the world. They have modified, stolen, and destroyed data and software and have shut down computers and networks.
Such intrusions are not limited to DoD. Information age "electronic terrorists" have penetrated commercial computers and data-flooded or "pinged" network connections to deny service and destroy data to further their cause: an environmental group sponsored such attacks to call attention to their message and to punish a business with which they disagreed.
In the early 1980s an intruder required a high level of technical knowledge to successfully penetrate computers. By the early 1990s automated tools for disabling audits, stealing passwords, breaking into computers, and spoofing packets on networks were common. These tools are easy to use and do not require much technical expertise. Most have a friendly graphical user interface (GUI); automated attacks can be initiated with a simple click on a computer mouse.
Such tools include:
RootKit - a medium technology software command language package which, when run on a UNIX computer, will allow complete access and control of the computer's data and network interfaces. If this computer is attached to a privileged network, the network is now in control of the RootKit tool set user.
More sophisticated attacks include plain text encryption of programs and messages, that is using plain text to hide malicious code; disabling of audit records; mounting attacks that are encrypted and that come from multiple points to defeat security detection mechanisms; hiding software code in graphic images or within spreadsheets or word processing documents; the insertion, over time and by multiple paths, of multi-part software programs; the physical compromise of nodes, routers, and networks; the spoofing of addresses; the eavesdropping (installing "sniffers" on Internet routers) on telecommunications and networks to obtain addresses and passwords for subsequent downstream spoofing; and the modifications of packet transmissions on networks.
Hackers with a bent to cyber crime are actively recruited by both organized crime and unethical business men, including private investigators who want to access privacy-protected information. Such recruiting was intense at the hacker convention DEFCON III, held August 4 to 6, 1995, in Las Vegas. Such conventions also serve as a clearing house for hacker tradecraft. At DEFCON III sessions were held on hacking the latest communications protocols (ATM and Frame Relay); the development and distribution of polymorphic software code (code that dynamically changes and adapts to the computer it is installed on); the penetration of health maintenance organizations and insurance companies; and the vulnerabilities of telephone systems. New services such as electronic commerce, cyber cash, mobile computing, and personal communications services are already areas of intense criminal interest.
The hackers and the cyber criminals are very efficient. The current state of technology favors the attackers, who need only minimal resources to accomplish their objectives. They have accumulated considerable knowledge of various devices and commercial software by examining unprotected sites. This know-how and tradecraft is transportable and is shared on the 400-plus hacker bulletin boards, worldwide. This includes hacker bulletin boards sponsored by governments (for example, the French intelligence service sponsors such a board). These boards are also used to distribute very sophisticated user-friendly "point-and-click" hacker tools that enable even amateurs to attack computers with a high degree of success.
A CD-ROM entitled The Hacker Chronicles, Vol II, produced by P-80 Systems and available at hacker shows for $49.95, contains hundreds of megabytes of "hacker" and information security information including automated tools for breaking into computers. The package carries this warning notice:
The criminal acts described on this disk are not condoned by the publishers and should not be attempted. The information itself is legal, while the usage of such information may be illegal. The Hacker Chronicles is for information and educational purposes only. All information in this compilation was legally available to the public [readily available on the Internet] prior to this publication.
Attacks are not just based on the use of smart tools. Simple social engineering-impersonation and misrepresentation to obtain information-remains very productive. The ruses are many: "cyber friend," providing a free software upgrade that has been doctored to circumvent security, a "customer" demanding and receiving support over the telephone from a customer-oriented firm.
Additional details on the Task Force assessment of the threat are provided in Appendix A. Threat Assessment.
The nature of the danger is evident in an assessment of the current risk, which is based on the presence of a threat; the vulnerabilities of our networks and computing systems; the measures available to counter an attack; and the impact resulting from the loss of critical information, information systems, or information networks. This is depicted in Exhibit 2-7.
The Task Force believes that the overall risk is significant because of the following factors:
The Task Force agrees with the observation of the Deputy Secretary shown in Exhibit 3-1 below. This section discusses several areas in the Department and in the larger national security environment where we can make rapid progress on responding to this challenge.
Exhibit 3-1. Initial Observations
The threat posed by information warfare is not limited to the realm of national defense, and the effort to control the problem must encompass broader national security interests, including Congress, the civil agencies, regulatory bodies, law enforcement, the Intelligence Community, and the private sector.
Unlike an attacker in conventional war, an attacker using the tools of information warfare can strike at critical civil functions and processes such as telecommunications, electric power, banking, or transportation and other centers of gravity or even at the stability of the social structure, without first engaging the military. Such a strategic information warfare attack can occur without forewarning or escalation of other events. In addition, attacks on the civil infrastructure could impede the actions of the military as much as a direct attack on the military's force generation processes or command and control.
However, we should not forget that information warfare is a form of warfare, not a crime or act of terror. The Secretary of Defense individually and the Department of Defense collectively, have two basic responsibilities -- to provide for the "common defense" of the United States, and to be "ready to fight ... with effective representation abroad" [A National Security Strategy of Engagement and Enlargement, The White House, February 1996]. By first focusing on improving its ability to manage the information warfare challenge to the defense mission, the Department can meet its national defense responsibilities while also enhancing its ability to play a significant role in defending against and countering a strategic information warfare attack on national centers of gravity.
Keep in mind that information warfare is not limited to attacks on computers: The potential targets of information warfare attacks can include information, information systems, people, and facilities that support critical information-dependent functions. The means of attack can be both cyber and physical. Finally, information warfare is adaptive and the practitioners learn from their experiences. While this phenomenon is not unique to information warfare, the speed at which the learning process takes place has no parallel in other forms of warfare.
Exhibit 3-2 suggests some additional ways in which information warfare is different from conventional warfare. Information warfare offers a veil of anonymity to potential attackers. Attackers can hide in the mesh of inter-networked systems and often use previously conquered systems to launch their attacks. The lack of geographical, spatial, and political boundaries in cyberspace offers further anonymity. Information warfare is also relatively cheap to wage as compared to conventional warfare, offering a high return on investment for resource-poor adversaries. The technology required to mount attacks is relatively simple and ubiquitous. During an information warfare engagement, the demand for information will dramatically increase while the capacity of the information infrastructure to provide information may decrease. The law, particularly international law, is currently ambiguous regarding the definition of criminality in and acts of war on information infrastructures. This ambiguity, coupled with a lack of clear designated responsibilities for defense, hinders the development of remedies and limits response options. Finally, deterrence in the information age is measured more in the resiliency of the infrastructure than in a retaliatory capability.
Exhibit 3-3 shows that information warfare has been particularly troublesome for the Intelligence Community because IW is a non-traditional intelligence problem. It is not easily discernible by traditional intelligence methods. Formerly, capabilities were derived from unique observables and indicators of military capability open to our sensors, amenable to cataloging in databases, and understandable by classic analytic techniques. With information warfare, however, the following elements come into play:
Exhibit 3-3. Intelligence Community Observations
The Task Force derived a taxonomy of information warfare that describes information warfare. Unfortunately, as shown in Exhibit 3-4, in those cases where both objects and processes are present, this taxonomy would not scale in a linear manner beyond three levels. This is the result of the number of permutations and combinations by which the attacks could be mounted against a particular process, over variable time periods. The derivation of the taxonomy is discussed in Appendix C, A Taxonomy for Information Warfare?
However, by adopting concepts from Joint Pub sources and inputs of the Threat and Policy Panels of the Task Force, we developed a standard vocabulary for use in threat alerting and for the assessment and reporting of defensive preparedness, tied to specific information dependent processes. This vocabulary is discussed in Section 6, Recommendations.
Exhibit 3-4. Additional Observations
Resources have been focused historically on protecting classified content and systems. These classified systems constitute only a very small percentage of the challenge.
Sometimes, we just make the problem too hard by failing to focus on what can and should be done. We can focus too broadly, too narrowly, or on the wrong problem set.
The reality of limited resources has fostered the current acquisition practice of trading off functionality, performance, and numbers of systems delivered to the operating forces at the expense of security. On a positive note, recent policy updates clearly state the need for attention to the information warfare aspects of systems acquisition. For example, DODD 5000.1 indicates that acquisition programs should consider how systems security procedures and practices will be implemented and how the system will be able to respond to effects of information warfare. The Directive also calls for a C41 Support Plan for each system. The Task Force was disappointed to note, however, that the Support Plan does not include information warfare considerations. DODD 5001.2-R also specifies that the operational requirements documents must include the characteristics the system must have to defend against and survive an information warfare attack.
Bottom line -- policy exists, it is not yet uniformly implemented or enforced, and it requires resources in implementation.
Exhibit 3-5 suggests that infrastructure resilience has been demonstrated repeatedly during natural disasters, but overall robustness against a major IW attack is untested. Thus, national infrastructure recovery must be considered uncertain. Given the complexity and interconnected nature of our infrastructures, we really do not know the extent of our vulnerability. The possibility of cascading effects occurring throughout and between infrastructures certainly exists. This was adequately demonstrated in the 1991 regional long-distance telephone failures (attributed to a simple programming error), the recent West Coast power failures, and the 1988 Morris worm propagation throughout the Internet (damage was limited to UNIX systems demonstrating the value of system diversity). The Morris worm example is noteworthy in that warnings of the worm were often sent over the Internet because emergency response personnel did not have the telephone numbers of colleagues in other organizations to whom the warnings needed to be sent. In many cases, these electronic warnings carried the worm with them and aided the propagation of the worm.
Exhibit 3-5. Additional Observations
The concept of protecting large portions of the information infrastructure is not valid. It is economically and technically impossible to close every possible vulnerability. We need to focus on designing a resilient and repairable information infrastructure. Our experience in designing highly reliable computer systems does not scale to a large, distributed information infrastructure. Our design practices are not based on the possibility of malicious events. We need to focus on establishing information domains within the information infrastructure, which will minimize cascading effects and which will enable us to contain the battle damage which might result from an information warfare attack. And, since we cannot yet effectively employ area and perimeter defenses, we do not really know what the implications of scale are in establishing an effective information warfare (defense) capability.
The Task Force does not want to imply that the various actions taken over the years by the information security or INFOSEC community do not have roles in IW defense. INFOSEC is an important contributor to achieving a robust information warfare defense capacity. Unfortunately, to many, INFOSEC has become shorthand for protecting the confidentiality of information.
Although important, the steps needed to ensure confidentiality are not adequate to achieving information assurance in an information warfare environment.
Encryption may be an example of trying to make the problem too hard, as shown in Exhibit 3-6. The nation has focused a lot of attention and energy on the encryption policy debate. Encryption simply does not solve all of the information security problems. The Task Force believes the policy debate has been a distraction from efforts to enhance the resiliency of the critical national information services.
Exhibit 3-6. Additional Observations
The Task Force reviewed the NRC report and was briefed on the study effort. While the Task Force felt that the report provided some useful insights, namely that the non-confidentiality applications of encryption provide significant benefit for user authentication and data integrity, the Task Force also believes that access control and identification and authentication are more efficient than encryption in "raising the bar." It also suggests that escrowed encryption be explored and that attempts be made to promote information security in the private sector. On the basis of the review and briefing, the Task Force determined that a further detailed examination of the encryption issue would probably not yield any additional major insights.
The Computer Security Act of 1987, the recent Clipper debate, and the continuing encryption policy debate highlight the private sector and civil agency reservations about the role of DoD in the area of national information protection. Exhibit 3-7 shows this role.
Market forces are extremely powerful, but will not alone provide the capability desired. The market simply does not perceive the possibility of a strategic information warfare attack against information centers of gravity. The market is not sufficiently informed about the vulnerabilities and threat to make rational national security judgments. Further, there may be little economic motivation to invest in security or even strong market incentives to resist adding security. Where there is commercial awareness, it is focused on protecting against theft of data and services (e.g., credit card numbers, telephone service) and alteration of data (e.g., financial accounts). Denial of service attacks are not an area of major concern for commercial entities. Managing the problem will require some legislation, some additional regulation, some indemnification of the private sector to achieve desired assurance goals, and some incentives (such as revisions to the tax structure).
The seams are critical. Currently, information necessary for an effective information warfare (defense) capability is not shared effectively across the seams. Information warfare (offense) is highly compartmented in spite of the fact that it shares common technology and operating environment with the information warfare (defense) community. In some cases, the military, law enforcement and intelligence communities are restricted by law, executive order, or regulation from sharing certain information. Historically, these communities are notoriously bad at sharing information. There are very few mechanisms for government and industry to share sensitive information such as vulnerabilities and intrusions. This lack derives primarily from the competitive sensitivity of information that is required for an effective information warfare (defense) capability.
In addition, at the national level, there are competing equities at stake in nearly every information warfare issue. Not only do these interests compete among each other, there are competitive forces within each of the sectors. Some examples are shown for each of the four equities. Resolution of the information warfare (defense) issues at the national level will be a time- consuming and laborious process. While it may not be possible to balance the equities, the key is to provide a mechanism to discuss rationally and deal with the legitimate equities of the participants. Grappling with this problem on the national level will require a very broad perspective if we are to ensure that national, regional, and local interests are served.
While information warfare (defense) is an extremely complex problem set, there is a lot that can be done with a limited number of resources quickly. Many of the Task Force recommendations identify these possibilities, some of which are shown in Exhibit 3-8.
Exhibit 3-8. Additional Observations
Finally, DoD must start now to implement the recommendations of the Task Force. This is the third year in a row that a task force of the Defense Science Board has issued a call for action. The President's Commission will be occupied with issues that transcend the Federal government and the private sector. DoD cannot afford to wait for all of these higher level issues to be resolved before embarking on a concerted effort to grapple with those issues that are within the authority of the Secretary of Defense to address.
WHAT SHOULD WE DEFEND?
Determination of what to defend should follow from our nation's vital interests as documented in the current national security strategy. On the basis of these interests, the Task Force postulated the goals shown in Exhibit 4- 1. Given the available time, it was not possible for the Task Force to address each of these goals in detail. However, the Task Force did develop a set of national-level defensive information warfare interests based on these goals.
Exhibit 4-1. National Goals For Information Warfare (Defense)
Exhibit 4-2 indicates the national interests that must be defended. The emphasis is on defending critical functions and processes, not on defending forces, platforms, or geography. As was the case in developing an ensured means of control for the strategic nuclear deterrent, some critical information infrastructure capabilities must be isolated from the interconnected national and global information infrastructure to ensure it is available to support and manage the restoration of critical functions.
Exhibit 4-2. The National Interests
The Department must preserve its ability to fulfill its basic missions. To do that, DoD must be concerned about the ensured operation the critical functions and availability of information necessary to fulfill those missions. The intertwined nature of the functions and infrastructures make this very complex. Critical national functions that have possible national security implications must be defended, and those portions of the infrastructures that are necessary for the operation of critical DoD and national functions must also be defended.
HOW SHOULD WE DEFEND?
5.1 PROCEDURES, PROCESSES AND MECHANISMS
Exhibit 5- l depicts the essential procedures, processes, and mechanisms for IW-D. They are based on the defensive information warfare implementation model developed by the Information Assurance Division of the Joint Staff J6. An essential step in preparing an information warfare defense is the identification of critical national information functions and the information, information services, and infrastructures upon which these functions depend.
The first order of business is to deter information warfare attacks. This deterrence must include a national will as expressed in law and conduct, a declaratory policy on consequences of an information warfare attack against the United States, and an indication of the resiliency of the information infrastructure to survive an attack.
The most immediate need is to provide some form of protection. This protection might include physically isolating information, providing some form of access control and authentication of personnel performing critical functions or accessing information, or encryption of the information. As time permits, the information infrastructure supporting critical functions should be designed for utility, resiliency, repairability, and security. An equally important function is to verify through independent assessments that the design is being followed, that protective measures are being implemented where appropriate, and that the information warfare (defense) readiness posture is as reported.
As suggested in the Task Force observations, the importance of intelligence support to information warfare (defense) cannot be overemphasized. This support must include strategic indications and warning of potential information warfare attack, timely and accurate threat assessments, and current intelligence support in the event of an information warfare attack.
The essence of tactical warning is monitoring, detection of incidents, and reporting of the incidents. Monitoring and detection of infrastructure disruptions, intrusions, and attacks are also an integral part of the information warfare (defense) process. Providing an effective monitoring and detection capability will require some policy initiatives, some legal clarification, and an ambitious research and development program, all of which will be addressed later in the report. All intrusions and incidents should be reported so that patterns of activity can be established to aid in strategic indications and warning. The FCC requirement to report telephone outages of specified duration affecting more than a specified number of customers serves as a model in this regard.
It is probable that the telecommunications infrastructure will be subject to some form of attack. We should have some capability to limit the damage that results and to restore the infrastructure. Little research has been devoted to the basic procedures necessary to contain "battle" damage, let alone to the tools which might provide some automated form of damage control. Restoration of the infrastructure assumes some capability to repair the damage and the availability of resources such as personnel, standby services contracts, and the like.
Finally, information warfare (defense) should include some form of attack assessment to aid in determining the impact of an attack on critical functions and in determining the appropriate response to an attack.
A key point not reflected in the exhibit is that this process must be a distributed process. The basic functions of monitoring, detection, damage control, and restoration must begin at the lowest possible operating level. Reports of the activity must be passed to regional and DoD-level organizations to establish patterns of activity and for assistance as needed in damage control and restoration.
We will use the following strategy to achieve this capability for the
Defense Information Infrastructure:
The key recommendations are those which can be implemented by the Secretary of Defense. Other recommendations are included which the SECDEF should make to the Director of Central Intelligence, and those which relate to the President's Commission on Critical Infrastructure Protection or the Infrastructure Protection Task Force.
6.1 DESIGNATE AN ACCOUNTABLE IW FOCAL POINT
This is the most important recommendation the Task Force has to offer. Multiple lead organizations with no clear principal staff assistant have led to confusion and slow progress to date. Boards and councils are important for discussing the issues, but have not and cannot provide the needed focus. Although many of the tools used to carry out information warfare have been around for a long time, the nature of information-dominated societies and activities makes it appropriate to view information warfare as a new warfare area. Information warfare is not the sole responsibility of the Chief Information Officer, the Assistant Secretary of Defense for C3I, the Director of Central Intelligence, the Chairman of the Joint Chiefs of Staff, the Secretaries of the Military Departments, or the Service Chiefs. Each of these is, however, responsible for a portion of this new warfare area. The Secretary of Defense, however, needs a single person and office to plan and coordinate this complex activity, as well as to serve as a single focal point charged to provide staff supervision of the complex activities and interrelationships involved. This includes oversight of both offensive and defensive information warfare planning, technology development, and resources. Given the interconnected nature of the information infrastructures, it is critical that the left hand knows what the right hand is doing and that these complex activities are coordinated.
This single focal point should be required to report regularly on the state of the areas shown and provide the informed interaction to other interagency and intergovernmental IW-related activities as shown in Exhibit 6-l.
Exhibit 6-1. Designate an Accountable IW Focal Point
The Task Force recommends that the Secretary of Defense designate a focal point for the coordination of information warfare. While the focal point could be any of the existing Under Secretaries or Assistant Secretaries, the Task Force recommends that the focal point be the Assistant Secretary of Defense for C3I. The first order of business for the focal point should be to develop a plan of action to obtain the needed capabilities. The focal point should also report the Department's IW status annually to the SECDEF. The focal point should be given authority to issue instructions. The long view suggests the eventual need for an Under Secretary of Defense for Information. While the Task Force does not make such a recommendation at this time, there was strong sentiment within the Task Force in support of organizing for the long view. The Task Force also recommends that a Deputy Assistant Secretary reporting to the ASD(C3I) be named and provided an adequate supporting staff to assist in providing the necessary staff oversight and coordination of information warfare activities. The Task Force hope is that as many IW-related functions as possible would be consolidated under this individual.
6.2 ORGANIZE FOR IW-D
Before discussing specific organizational recommendations, this section briefly discusses what the Task Force views as necessary capabilities for IW-D. Exhibit 6-2 shows the capabilities the Task Force determined are necessary for an effective information warfare (defense) and which are not adequately addressed in the Defense Department's current information warfare (defense) planning.
Exhibit 6-2. Organize for IW-D
Section 3, Observations, addressed the need for intelligence indications and warnings, current intelligence, and threat assessment. A specific recommendation which addresses the needed improvements in intelligence support to information warfare (defense) follows.
"Operations" as used in Exhibit 6-2 is shorthand for those time-sensitive activities necessary for dealing with an actual intrusion or attack. While not fully analogous, the Task Force sometimes refers to these capabilities as 91l or emergency response capabilities. Remember that these operations capabilities must be distributed throughout the Department--down through the Military Departments and Services and the Defense Agencies and through the CINCs to the operating forces.
"Planning and coordination" is shorthand for preparedness activities. The Task Force has taken to referring to these capabilities as enhanced 411 or 41l + capabilities. Once again, the analogy is not completely accurate since it does not convey what will certainly be a broader interactive capability, but it does help to make quick associations with intended capabilities.
One of the more critical needs is a continued capability to obtain an independent assessment of our information warfare (defense) posture. While these assessments can be carried out at any level, it is felt that there should be a capability established which is accountable directly to the SECDEF/DEPSECDEF. In addition, the organization established to provide this capability should be staffed with people who are knowledgeable of all types of threats and of both the DoD and private sector environments.
6.2.1 Establish a Center For Intelligence Indications and Warning, Current Intelligence, and Threat Assessments
Current intelligence resources and processes are not optimized to provide an understanding of threats and potential adversary capabilities to conduct Information Warfare; nor are they presently capable of providing either Indications and Warning or Attack Assessment of Information Warfare. An understanding of the IW process and indications of an IW attack will most probably require an unusual amalgamation of otherwise seemingly unrelated sets of data. The lack of previously identified and validated indicators for IW creates several additional difficult dimensions to the problem facing the Intelligence and Defense communities' efforts to understand all aspects of IW.
The United States has, over nearly four decades, identified many sets of data comprising indicators of activities by potential adversaries (communist-bloc). These indicators have provided the foundation of our intelligence assessment and indications and warning processes. Examples of these include known and understood development processes and cycles for military equipment's ranging from ICBMs to submarines to bomber aircraft. Thus, if we observed earth spoil on overhead imagery indicating a possible new heavy ICBM silo was under construction, we could adjust our threat understanding accordingly. Similarly, we might observe Soviet Missile Range Instrumentation Ships moving toward areas of the Pacific Ocean known (from prior observations) to be used by Russia as an impact area for ICBM tests; and we would conclude that a missile test was in the offing. Or, if a Mediterranean nation began to import chemicals which could be used either in fertilizer or in chemical agents for war; we could be on the alert for other indications of chemical gas production such as special buildings, storage facilities or personalities known to possess technical knowledge necessary to produce chemical weapons.
In a more operational vein, over time, we began to understand communist-bloc strategy, doctrine, and tactics as well. All of this knowledge was gained from a series of observations over several years. We were able to use this knowledge as we planned for combat and designed and executed wargames. Over four decades, with the expenditure of billions of dollars for collection, analysis, and reporting systems were optimized to deal with these known, discrete indications of activity. These "known indicators" permitted us to conduct intelligence assessments, Indications and Warning, and in some cases, attack assessments.
There were several factors involved in our gathering these data sets. The first is that we (and others) have made enough similar observations to establish "patterns of activity." Secondly, these observations have either caused us, or permitted us, to identify a number of discrete activities that we conclude are indicative of the "entire pattern," or significant segments of the pattern. Thirdly, having noted one or more of the discrete indicators, we know what other indicators to look for to corroborate our suspicions.
Information Warfare is a whole new game from the Intelligence dimension. We have precious few real data from which to derive "patterns of activity." This is made all the more difficult because so many of the "indicators" we have used in the past have involved some physical phenomena. In IW, at least in the computer and networked components of it, evidence of IW is fleeting at best and is usually not physically observable. The Intelligence Community is working hard to address some of these issues; but progress is hampered by organizations, processes, and systems optimized for situations found in the past, not the future. Evidence of IW preparations or attacks is most likely to come from a wide variety of sources and venues: from the more than 50 Computer Emergency Response Teams (CERT) around the world, from nodes of different segments of our National Information Infrastructure, from academia, from the Internet, from law enforcement agencies, from FEMA, and of course from traditional Intelligence Community resources such as human, signals, and open source intelligence. The Defense Science Board believes that some new approaches to collection and analysis are urgently needed.
The intelligence community understands as well as any that they face a tremendous challenge in developing information-age intelligence support activities. Some of the Task Force observations regarding these challenges were discussed earlier in the report and are shown in Exhibit 6-2-l . It is no easy matter to pinpoint the requirements, identify observables, establish patterns and indicators of the patterns, identify sources of the indicators, or determine how the sources will be exploited to collected information necessary to develop the indicators.
Exhibit 6-2-1. Establish a Center for Intelligence Indications and
The recommendation to establish the center at NSA recognizes their role in electronic intelligence and is meant to build upon recent organizational efforts at NSA. However, NSA must be augmented by DIA and CIA personnel because of the extensive social engineering component of information warfare. The Task Force believes it is essential to keep separate the intelligence and operations functions. The reason for the separation is that these functions are different. The intelligence community focuses on strategic warning and the operations community focuses on continuity of service and the warning and response to immediate danger.
The Task Force believes the recommendations in Exhibit 6-2-l are key to improving the intelligence support to defensive information warfare. While there has been some activity in these areas, the whole process needs a significant jump start. In addition, representatives from the intelligence community pointed to the lack of Essential Elements of Information (EEIs) from the operational community as a contributing factor to the intelligence challenge. This should not be an inhibitor to progress.
There may, in fact, be a need to form a National Center for Indications and Warning. This center would gather and analyze monitoring data continuously. The data would be derived from commercial infrastructure systems as well as government. The center could be charged with searching for and detecting early signs and precursors of a wide scale, coordinated attack and with providing warnings to U.S. government and private sector organizations. Toward that end, a phased approach would be appropriate, beginning with a DoD-specific organization which is scalable and extensible, and evolving towards a pan-government and private sector organization. Roles of the organization should include gathering and analyzing of voluntarily contributed data, disseminating of findings, and acting as a clearing house to coordinate feedback and responses from the community.
6.2.2 Establish a Center for IW-D Operations
The basic required defensive information warfare operations functional capabilities are shown in Exhibit 6-2-2. The terms tactical warning and attack assessment are familiar to the strategic nuclear forces. They fit in the information warfare context consistent with the definitions in Joint Pub 1-02, Dictionary of Military Terms. Providing these capabilities in the information-age context, however, is very different than the nuclear era. Emergency response and infrastructure restoration are self-explanatory.
Exhibit 6-2-2. Establish a Center for IW-D Operations
The Chairman has already undertaken an effort to establish a military operations center and has instructed the CINCs to establish IW cells within their staffs. The military operations center will consist of two elements. First, a small cell will be established in the J3 and will be staffed during normal duty hours. During crises, the J3 cell will have specific authorities over the second element, the Joint Information Warfare Center. The Joint Information Warfare Center will be staffed 7 days a week, 24 hours a day, and will serve as the interface to organizations such as the CINC IW cells, the Joint Spectrum Center, the Joint Warfare Analysis Center, the Joint Command and Control Warfare Center, and the Service IW organizations.
The distinction to be made between the military IW center and the defensive information warfare operations center is that the military center will focus on military operations of a time-sensitive nature. The defensive information warfare center will be focused on the Defense Information Infrastructure and other critical infrastructures as appropriate.
While the Task Force recommends that the center be established at DISA, current technology certainly provides for establishing a virtual center. This virtual center would draw on support from geographically dispersed elements. Initial staffing should come from existing assets. As suggested earlier, this operations capability must be distributed down and throughout the Department, linking, for the most part, existing operations centers, emergency response teams and so on. The Task Force envisions eventual links to other government centers including any that may result from the actions of the Infrastructure Protection Task Force recently created by Executive Order 13010.
Establishing the center is relatively easy. Developing and implementing the process and procedures to be used will be much more difficult; there has been almost no effort devoted to this area. One suggestion the Task Force makes is that eventual staffing and procedures take advantage of technical expertise available in the national guard, the reserves, mobilization augmentees, and contractors. Mandatory reporting sounds easy but may be difficult to implement because of a basic fear by those reporting that they will be held accountable for the intrusion or incident and that they will have to pay to fix the problem. Mandatory reporting may have to be accompanied with some form of inducements such as a "fix it free" offer. It will also be necessary to distribute these capabilities throughout the Department and establish an information channel with the indications and warning/threat assessment center for sharing of information essential to the performance of each center's mission.
If national-level centers for infrastructure protection are established as a result of the recommendations of the President's Commission on Critical Infrastructure Protection, then the Department should ensure appropriate interfaces are established between DoD functions and these centers.
The tentacles of this Operations Center should be virtually extended to every organization in DoD, ranging in scope from a single person serving as point of contact for the organization to having an emergency response cell located with the organization.
DISA should establish a threshold of information event that requires reporting to the Operations Center. Every information event reaching that threshold must be reported and penalties established to enforce that reporting. DISA should maintain a knowledge base of that reporting and ensure all response personnel are appropriately trained and informed.
6.2.3 Establish a Center for IW-D Planning and Coordination
The role of the planning and coordination center, shown in Exhibit 6-2-3, will be to support the ASD(C3I) in fulfilling his responsibilities as the focal point and to facilitate the sharing of sensitive information within the Department, among the Federal departments and agencies, and with the private sector.
Exhibit 6-2-3. Establish a Center for IW-D Planning and Coordination
One of the first activities of the planning and coordination center should be to establish a planning framework which can provide for meaningful assessments of progress in information warfare preparedness. This center will not write plans for the CINCs, Services, and Defense Agencies, but will identify the need and means for integrating information warfare considerations into traditional planning activities.
The center will aid the focal point in assessing the treatment and implications of information warfare in policy and plans, operations, and the allocation of resources to information warfare. The center will also analyze and assess IW-related incident reports generated by the Services and Agencies and forwarded to the 91l operations center. The assessment will determine patterns of activity that might indicate the need to revise plans or resource allocations.
Since there is no established method for assessing the dependency of operations plans and DoD support activities on information and infrastructures, the center will need to develop the procedures and metrics for such assessments. The military operations community and the functional support community will perform the assessments. These infrastructure dependency assessments will be discussed in more detail later in this report.
Sharing of sensitive information is probably one of the most important first steps in building a defensive information warfare capability. There are significant legal, regulatory, competitive and emotional hurdles to overcome; these must be addressed as soon as possible.
6.2.4 Establish a Joint Office for System, Network and Infrastructure Design
It is not necessary to break the cryptographic protection to attack our classified computing environments. The protection paradigm used by DoD is based upon the classification of information. However, most classified computer systems contain, and often rely on, unclassified information. This unclassified information often has little or no protection of the data integrity prior to entry into classified systems. The expected interaction between GCCS and GTN are examples of this. An increasing number of DoD systems contain decision aids and other event-driven modules. These should be buffered from unclassified data whose integrity cannot be verified.
Second-, third-, and "n" -order effects from an information warfare
attack have not been observed and are not well understood. Further, good
data are not available with which to conduct modeling and simulation of
such effects. Data must be collected to support the modeling and simulation
of the effects of specific information warfare attacks and defenses. Detailed
data should be gathered through several means:
To achieve the goal of protecting information systems from future IW attacks, a comprehensive, principled approach for architecture, design, and analysis of secure, survivable distributed information systems must be developed. These new principles and approaches should build upon, and be synthesized from, existing and emerging information system engineering principles based on work in fault-tolerant systems, trusted systems, and secure distributed systems. The principles must be promulgated as guidelines so that they will be widely applied.
There is a need to create a broader theoretical underpinning for understanding, design, and analysis of the security and survivability of information systems. Theoretical tools available today usually treat specialized aspects of information security. Early information-theoretic work in the 1950s and 1960, work in the 1980s on trapdoor functions, and recent work on Byzantine robust networks may form some basis for development of a broader theory. New theories should be developed for robust systems. These theories need to include models both for attacks on systems and for survivability defense strategies. Robust system theory should include formal methods that apply to large-scale, distributed, heterogeneous systems. Analysis techniques should include methods for predicting and analyzing Red/Blue conflicts by, for example, extension/application of game theory and other relevant approaches.
Since the cost of highly secure network subsystems will be very high, the architect should assume that the defense network will traverse commercial infrastructures, and that the underlying substrate will be inherently insecure. The network architecture thus must ensure successful transmissions in the presence of failed, faulty, and spoofed network components. For example, spatial transmission diversity is an existing proof that reliability can improve with intelligent use of the network. Since the future global network will include subnets of varying robustness, it is suggested that a separable entity be established as an overall net security management system. The overall network security manager would be responsible for architectural add-ons (such as wrappers) for each subnet, to provide survivable, secure service over the entire net of nets.
For survivable systems, security is required at multiple levels, including applications, middleware, operating systems, and networks. New architectural approaches must enable the accommodation of legacy and COTS subsystems, perhaps via wrappers, into an overall adaptive system-of-systems architecture. This architecture must be designed to reallocate critical tasks dynamically to subsystems which have survived the attack. The security/survivability management of the system should be integrated into the overall system management framework, in terms of both the automated and the human components of the system management structure.
In order to test the effectiveness of the survivable system architecture, principles, and theory, it is essential to conduct experiments and demonstrations. It is recommended that such experiments and system demonstrations be conducted in existing and emerging system testbeds and networks, building on both experimental nets and the emerging DII and NII.
There are substantial differences between designing a typical information system and designing a resilient information infrastructure capable of enduring in the face of intentional disruptions. Information system design is typically based on efficiency; a resilient information infrastructure design must be based, instead, on effectiveness. Control must be decentralized and portions must operate independently of the infrastructure. For example, fault-tolerant computing introduces redundancy into otherwise efficient systems in order to make them more effective, particularly against random disruptions. Similarly, the design of a resilient infrastructure will ensure diversity of hardware and software so that a common failure mode will not result in an infrastructure failure. Investing in a proper design up front saves money in the long run and negates the very real possibility of introducing vulnerabilities by attempting to retro-fit security.
The goal is to design for utility, resiliency, repairability, and security, as shown in Exhibit 6-2-4. Presently, there is no significant body of knowledge on infrastructure design. It will have to be developed based on the existing design skills for fault-tolerant computing, resiliency, reliability, and so on. This body of knowledge will expand through on the results of the research currently under way and planned for large distributed networks and survivable systems. This growing body of knowledge will be used to develop and promulgate policies, architectures, and standards which enhance the utility, resiliency, repairability and security of the infrastructure. The collection of these policies, architectures, and standards will constitute the infrastructure design.
Exhibit 6-2-4. Establish a Joint Office for System, Network and Infrastructure Design
The infrastructure design should be verified independently periodically to ensure that the design meets the goals of utility, resiliency, repairability, and security. The Task Force suggests using NSTAC, NCS, and similar resources to aid in this activity.
The infrastructure design should also be used to verify that goals of utility, resiliency, repairability, and security are reflected in the specifications for development of new systems and for purchase of services from the other government agencies and the private sector.
The Task Force recommends the establishment of a joint architecture/design office in DISA to develop and promulgate throughout the Department the needed design policies, architectures, standards, and configuration management process. This office should include the current architecture and design activities of DISA, but should also be focused on infrastructure design and the incorporation of security up front in the architecture and engineering process. The Task Force also recommends that a process be developed to verify compliance with the design independently.
6.2.5 Establish a Red Team for Independent Assessments
Red Teaming is an essential component of the IW-D strategy and technology development process. We recommend that the concept be extended to include vulnerability analyses as well as carefully planned attacks during experimental activities in controlled testbeds and during training/planning exercises. The Red Team exercises should be conducted under proper rules of engagement to avoid unnecessary damage or disruption to information systems.
Emphasis should be given to developing new attack methodologies in addition to reusing and applying of current attacker techniques. For example, attacks should be designed which exploit the system's survivability features. A sophisticated attacker would probably know about these features. In formulating these attack strategies, models should first be developed for system vulnerability and its likely defenses, and these models should be exploited in the attack strategies. Vulnerability analyses and Red Team attacks should be conducted at the application and system level, as well as at the subsystem level, with the goal of uncovering how operations can be perturbed (e.g., the planning and execution of an air tasking order or the deployment of sensors and communication assets), and how supporting communication links, or specific computers and network nodes, can be compromised.
The need for independent assessments is suggested in the notion that "you can only expect what you inspect." Many activities throughout the Department are in the process of forming Red Teams for the purpose of conducting vulnerability analyses, training, readiness assessments, and so on. The Task Force endorses these efforts, particularly in light of previous DSB Task Force recommendations. However, what the current Task Force is recommending is the "SECDEF/DEPSECDEF's Own" -- a team whose central role is providing the SECDEF/DEPSECDEF with unbiased assessments on the Department's IW "state of health."
As shown at the bottom of Exhibit 6-2-5, the Task Force recommends that a Red Team be established to perform these independent assessments. Two previous Defense Science Board Studies have made a similar recommendation to establish such a Red Team. While the Task Force was unable to agree on whether the new organization should be a standalone organization or housed in an existing organization, there was unanimity on the fact that the Team will require significant management attention and, although reporting through the ASD(C3I), be accountable to the DEPSECDEF for its activities.
Exhibit 6-2-5. Establish a Red Team for Independent Assessments
Developing and maintaining an independent assessment capability is very important because of the traditional resistance to self-assessment and potential embarrassment. However, it is essential that the Department evaluate its IW preparedness and not wait to learn of any major shortfalls because of the actions of an adversary. This Red Team should have a small permanent cadre for management and technical continuity and should be staffed by civilian personnel and military personnel on a rotating joint duty basis.
The organizational recommendations made by the Task Force are shown graphically in Exhibit 6-2-6. While it was obvious to the Task Force that similar information warfare (defense) capabilities and organizations must be established at the national level, the Task Force decided not to make specific recommendations about where these organizations should be established or to whom they should report. Instead, the Task Force recommends this be left to the President's Commission. However, it should be pointed out that there is a real need for extensive coordination and information sharing between government (Federal, state, and local) and the private sector.
Exhibit 6-2-7 also shows the organizational recommendations made by the Task Force but emphasizes the functional aspects. The defensive information warfare process, procedures and mechanisms diagram discussed earlier in the report is shown in the middle of the Exhibit and the process has been divided by the gray line into preparedness functions and operations functions. The recommended organizations are arrayed in the Exhibit so as to relate their functions (shown near the ovals) to the entire defensive information warfare process.
6.3 INCREASE AWARENESS
An important and cost effective first line of information warfare defense is a user and operations community that is aware of potential threats and is well trained in protection, detection, and reaction tactics, techniques and procedures. A well-trained and educated cadre of security and automated information system professionals can provide an effective second line of defense. The Services and Agencies (NSA in particular) have long provided INFOSEC training. Traditional DoD security awareness and training, however, has emphasized the security of classified national security information and information systems processing classified national security information. DoD components are currently implementing awareness, training, and education (ATE) programs to focus on new threats to both unclassified and classified networks. Working groups have been established to help coordinate efforts between components. There is a need, however, for a DoD-level forum with the authority to reduce duplication and implement consolidated training responsibilities. This forum must take advantage of core competencies to ensure a comprehensive, cost-effective program.
Current modeling and simulation efforts do not adequately address issues that can be expected to arise in an information warfare attack environment. For example, little or no consideration is given to the tactical impact of compromised or exploited computing and networking resources, beyond perhaps the classical effects of jamming or ESM techniques as applied to the battlefield communications infrastructure.
A fundamental shortcoming of traditional wargame-oriented simulations is the failure to predict changes in battlefield behavior resulting from the dynamic interplay of people with new weapons, sensors, tactics, etc. This is mainly due to deeply embedded, built-in assumptions of human tactical behavior. The introduction of a new dimension to the battle-space, namely that of IW, serves to aggravate the problem. A new generation of simulations and gaming environments is needed that not only generally minimizes built-in assumptions on human behavior, but also captures in particular the implications and impact of sophisticated information warfare types of attacks.
Because of our perceived lead in offensive information warfare capabilities, not everyone understands the need for defensive information warfare preparations. The Task Force review of several current Service and joint doctrine documents indicates that defensive information warfare matters are not adequately addressed. The Task Force strongly suggests the need to make senior-level government and industry leaders aware of the vulnerabilities and appreciate the implications. The recommended actions are shown in Exhibit 6-3.
The awareness campaign should be designed for several purposes. The internal campaign should make DoD personnel more aware of the threats, vulnerabilities, and fixes and should also make DoD a better informed customer in the acquisition of systems, COTS products, and services. The external program should make DoD suppliers better aware of DoD needs and should make the civil agencies and the general public understand DoD dependence on infrastructures and the role of DoD in the information-age "common defense."
Exhibit 6-3. Increase Awareness
The Task Force recommends that the ongoing IW net assessment recommended by the 1994 Summer Study be expanded to include an assessment of the vulnerabilities of the DII and the NII with particular emphasis on those portions of the NII upon which the Department is especially dependent. A brief review by the Task Force of selected joint doctrine revealed a heavy dependence on information and information technology without corresponding attention to defensive information warfare. Existing doctrine should be reviewed for needed emphasis. The Department should also explore the possibility of large-scale demonstrations for the purpose of exploring cascading effects and for collecting data necessary for simulation of information warfare activities.
In addition and to the extent possible, information warfare (defense) must be realistically played in exercises. This will require some concerted management attention. The Task Force notes that since 1992, DoD policy has called for military exercises to include realistic information warfare play. To date, there has been very limited execution of this policy. In those cases where a realistic IW environment cannot be created, specific experiments should be developed to assess the effects of information warfare attacks. For example, policy directing the CINCs to conduct exercises with information warfare realism has been effect since 1992 and there has been no noticeable efforts to date to implement the policy. In those cases where such realism is not possible, specific experiments must be developed to assess the effects of information warfare attacks.
6.4 ASSESS INFRASTRUCTURE DEPENDENCIES AND VULNERABILITIES
Traditional thinking is that infrastructures, with few exceptions, are stable, reliable, and always available. The nation's interstate highway system is a prime example. Consequently, the Departments' operational and functional planners have not adequately addressed the possibility that key infrastructures such as telecommunications, electric power, and transportation might not be available in part to support military operations. The purpose of this recommendation, as shown in Exhibit 6-4, is to get the operational and functional planners to begin documenting the extent to which their plans are dependent on critical infrastructures and what effect infrastructure disruptions might have on execution of the plans.
Exhibit 6-4. Assess Infrastructure Dependencies and Vulnerabilities
The Joint Staff has begun to address the issue by developing a draft Mission Needs Statement for Infrastructure Assurance Modeling. The MNS approach is to use modeling and simulation. This is probably the best long-term approach to understanding infrastructure inter-dependencies, potential cascading effects, etc.
The Task Force recommends that a separate effort be initiated by the ASD(C3I) to develop an alternative approach using other analytical techniques that could be employed in the near term by the operational and functional planners to assess all critical infrastructure dependencies. Based on these assessments by the Chairman and the Principal Staff Assistants, the Chairman should develop the essential infrastructure protection needs and the ASD(C3I) should develop the resource estimates for the needed protection.
The Task Force recognizes that this will be an enormous task. However, the complexity and difficulty of the task should not be an impediment to starting the effort; "the journey of a thousand miles begins with a single step."
6.5 DEFINE THREAT CONDITIONS AND RESPONSES
Exhibit 6-5-1 shows that, as in the traditional operations community, the IW-D operations community requires an alerting mechanism to heighten awareness and preparedness as the threat increases. In addition, there should be some prescribed response by the IW-D operations community to increasing threat conditions such as minimizing the traffic on the networks, restricting personnel access to operational facilities, disconnecting certain systems from networks which are likely targets, and possibly implementing wartime modes of operation. While the effort is urgently needed, it will be complicated by the extensive interconnectivity of systems and networks and because some actions will be required by the private sector, in part, since much of the Defense Information Infrastructure is embedded in the public switched and data networks.
Exhibit 6-5-1. Define Threat Conditions and Responses
Exhibit 6-5-2 is an illustrative cut at what a structured threat condition and response table might look like. This is not a definitive threat chart. For example, "normal" is yet to be defined and very damaging attacks can be postulated that would not cause a noticeable increase in the number of incidents. Also, it should not be inferred that the Task Force believes an information warfare attack will necessarily escalate in a linear manner from level II to level V. An attack could be oriented on a specific critical target or could immediately threaten multiple centers of gravity within the United States. The term "special contexts" is an attempt to highlight the potential linkages between an information warfare attack and other circumstances that may be present. For example, disruption of the infrastructures supporting Fort Bragg, North Carolina, would have much greater impact during a deployment of U.S. forces to a crisis location than it would during normal peace-time training operations.
Exhibit 6-5-2. Sample Threat Condition and Response
Deriving a solid set of threat conditions and appropriate responses will require some serious research. The various levels reflect combinatorial effects as well. For example, it is possible to move from Condition I to Condition V without passing through the intervening conditions. Condition II reflects the notion that an attack may be surgical rather than broad-based.
6.6 ASSESS IW-D READINESS
Information warfare defense should be viewed from a warfighting perspective. Operational forces should be able to detect, differentiate among, warn of, respond to, and recover from disruptions of supporting information services. Recovery from disruptions resulting from failures or attacks might involve repair, reconstitution, or the employment of reserve assets. In some cases, network managers may have to isolate portions of the network, including users of the network, to preclude the spread of disruption. Given the speed with which disruptions can propagate through networks, these capabilities may need to be available in automated form within the network itself. Finally, there must be some means to manage and control these capabilities. At its heart, this is an operational readiness matter.
A standardized process to enable commanders to assess and report their operational readiness status as it relates to their specific dependency on information and information services is an essential element of operational readiness. A standard vocabulary will enable common description of risk scenarios and assessment methodologies. (A more complete explanation of the proposed process is at Appendix C.) The use of a structured assessment and reporting process will help move information assurance from a global and unsolvable problem to the identification of discrete information and information service dependencies that illuminate quantifiable risk to specific information dependent activities within a commander's sphere of responsibility. A similar assessment and reporting process can be applied by supporting elements and in the commercial sector.
Exhibit 6-6 shows that information warfare (defense) must be mainstreamed as a readiness issue. A means must be developed for including information warfare (defense) issues in readiness reporting and a process must be developed to assess the information warfare (defense) readiness posture independently. The assessment scenarios differ from the threat conditions discussed earlier in that the assessment scenarios are used to assess readiness against a wide range of possible threats to specific units, missions, and functions, while the threat conditions are used to describe the existing threat condition to the broad interconnected population. The assessment scenarios are applied locally, while the threat conditions are applied globally. Standardized assessment scenarios could be used for planning considerations, in warning orders, and so on. The assessment regime provides a means for addressing variability and should be used in concept and operations planning.
Exhibit 6-6. Assess IW-D Readiness
Exhibit 6-6. Assess IW-D Readiness (Continued)
The Task Force recommends that the Chairman of the Joint Chiefs of Staff incorporate information warfare preparedness assessments in the Joint Reporting System and into Joint Doctrine. The systems, reports and publications cited are only examples that the Task Force reviewed to illustrate how these assessments might be incorporated. Additional details will be provided in the written report.
6.7 "RAISE THE BAR" WITH HIGH-PAYOFF, LOW-COST ITEMS
There are a number of things the Department can undertake, as shown in Exhibit 6-7, that are relatively low cost, but that will raise the bar significantly for potential system and network intruders. Training and awareness have already been emphasized. The two specific examples are cited to illustrate the fact that there is existing Executive Branch policy regarding this matter and that the use of banners to alert users is a good way to increase awareness. Certification by users of banner understanding is another technique to emphasize the importance. One of the Task Force members cited as an example the procedure used in his company. On a periodic basis, users of the network are presented with a security awareness quiz. If the questions are not answered correctly after three tries, the user must have the systems administrator provide access to the system or network.
Exhibit 6-7. "Raise the Bar" With High-Payoff, Low-Cost Items
One of the most important acts is to improve the security of DoD's unclassified computers by instituting dynamic access control and authentication of users. Until this is done, the Department has little assurance that it has any control over these systems. many of which are essential to critical support functions. The Department should also promote the use of existing commercial and government security technologies.
The Task Force recommends the immediate use of commercial access control technologies for this purpose. These technologies can be used as an interim solution for MISSI and as a solution for those users not programmed to receive MISSI. The Department should also explore the feasibility of using approved commercial products for identification and authentication and continue its plans for the use of escrowed encryption, particularly for the protection of critical assets.
6.8 ESTABLISH AND MAINTAIN A MINIMUM ESSENTIAL INFORMATION INFRASTRUCTURE
The current information infrastructure which supports telecommunications, power, transportation, etc., is susceptible to IW attacks, and in particular to wide-scale coordinated attacks aimed at disabling or disrupting government as well as commercial systems. A strategy and overall architecture concept must be developed for a minimum essential information infrastructure (MEII). This minimum infrastructure can serve as a means for restoring services and adapting to wide-scale outages. Milstar should be investigated as a means for determining available connectivity and providing modest but critical packet data service for exchange of routing, node status, and other essential network management information. In this role, Milstar would be supplemented with available commercial resources as possible and as needed.
The concept should consider the applications and deployment of secure gateways connected to Milstar ground station equipment and reallocated Milstar assets as a hardcore network for use in restoring critical connectivity. The authentication of commercial wireline and wireless network access through the gateway to the hardcore network is a critical issue, and must be addressed.
In addition to an overall MEII architectural concept, minimum essential services, an operational concept, and a management structure must be developed. A strategy must be developed for transitioning from peacetime or normal operational activities to the minimum essential information infrastructure. It will be important to execute the transition strategy in the context of exercises.
The minimum essential information infrastructure capability shown in Exhibit 6-8 could serve the Department for critical missions and functions and could serve the nation for other national security-related functions. The 1995 DSB Summer Study titled Investments for Century Military Superiority recommended a minimum essential C3 capability. Included are the specific recommendations leading to that capability.
Exhibit 6-8. Establish and Maintain a Minimum Essential Information
6.9 FOCUS THE R&D
New information security products from biometric personnel identification devices to advanced firewalls are being introduced every day into the commercial marketplace. Many of the products are either focused on protecting against network-based intrusions or are attempting to enable some form of electronic commerce. However, these products often do not scale well in large distributed environments, are too expensive, and are too difficult to configure.
The Department of Defense should monitor the progress in commercial information technology and take care not to duplicate or reinvent the progress being driven by market forces. However, the commercial market will not provide the Department the necessary tools and techniques to rapidly and securely assemble and protect a robust, resilient, deployable information system to support a Joint Task Force or coalition operations. The Bosnia C2 Augmentation initiative is an example of the challenge.
As cost-affordable technologies are developed, they should be given early tests in the Joint C4ISR Battle Center Environment.
The Task Force is aware of several of the ongoing information system security initiatives under way in DARPA and has read the descriptions of other IW-D R&D efforts in the Joint Warfighting Science and Technology Plan and in the Defense Technology Objectives of the Joint Warfighting Science and Technology and Defense Technology Area Plan (both of May 1996). However, the Task Force suggests a tighter, more integrated focus on support to U.S. defense activities in the areas outlined in Exhibit 6-9. In addition, Task Force did initially consider a much broader and more comprehensive list of R&D initiatives required for information warfare defense. Because of the potential contribution of commercial activities to some of the Department's requirements, the Task Force recommends the Department should focus its R&D on those aspects of information protection and assurance not likely to be addressed by the private sector. Several Task Force members stressed that the R&D program must emphasize cost and operational realism. For example, it would be helpful if the primary design criteria included per-seat costs for installation, training, and support.
Exhibit 6-9. Focus the R&D
The development of robust survivable systems resistant to information warfare attack, as well as other types of failure, must involve major advances in technology and will require the efforts of a vigorous research community embracing academia, industry, and government. Prior R&D efforts have focused on areas such as computer and network security, encryption technology, and single node failures. Little attention has been paid to surviving willful malicious attack, or detecting and eliminating corrupt software.
The area of robust survivable systems offers an opportunity for a unifying
theme to develop a broad-based research effort covering the full range
of 6.1, 6.2, and 6.3 research to overcome the current lack of significant
new ideas and problem solutions. Particular emphasis should be given to
the following areas:
As indicated in the previous exhibit, specific attention should be paid to verifying the configuration of a rapidly assembled system for use in Joint Task Force or coalition environments. This should include positive identification of system components with passive identification of users, in both the static and mobile environments.
Regarding test beds and simulation-based mechanisms, it will be important
In addition to the above, the R&D community should also consider
establishing a focused effort on the theory, science and analysis of high
assurance, massively distributed systems to include:
Finally, the Department should work with (and even possibly provide seed money to) the National Science Foundation to establish research and education programs for resilient system design in the universities and colleges.
6.10 STAFF FOR SUCCESS
IW vulnerability is often due to human error, insufficient training, or lack of knowledge of or failure to follow procedures or adhere to policy. This vulnerability represents a gap which cannot be closed with technology alone. Currently, capabilities of system and network administrators and system managers vary widely. This is partially due to a lack of appropriate training, and partially due to the difficulty in use of existing security products and in obtaining information on how to configure a system securely.
A cadre of high-quality, trained professionals with recognized career paths is an essential ingredient for defending present and future information systems. It is recommended that research be conducted towards the development of techniques, curricula, tools, and technology specifically for security-focused training for system and network administrators. Developing partnerships with universities, colleges, existing DoD professional development programs, and vocational schools for the purpose of curriculum development will be an essential ingredient of this process. It will also be important to capitalize on emerging distributed interactive simulation technology to provide a realistic, dynamic, operations center-like training environment indicative of a real-world IW combat setting.
The Task Force acknowledges that there are a number of studies and initiatives under way in the area of information warfare (defense) training. Included in these is a recent NSTISSC review of training which recommended the development of a database of all available INFOSEC training courses. NSTISSC has also developed training standards for Systems Administrators, Information System Security officers, and Designated Accreditation Authorities. However, efforts throughout the Department do not appear to be well coordinated and there does not appear to be a concerted effort to train systems and network coordinators properly.
As shown in Exhibit 6-10, the Task Force recommends establishment of a skill specialty for military personnel to enable the formation of a cadre of knowledgeable and experienced defensive information warfare specialists. The skill specialty is recommended instead of a career path to ensure that operational experience is reflected in the performance of the information warfare (defense) duties and to preclude the possible formation of a closed community of experts.
Exhibit 6-10. Staff for Success
6.11 RESOLVE THE LEGAL ISSUES
Legal issues can be a distraction from moving on with what can be done. As shown in Exhibit 6-11, the Task Force found some confusion among the Department's representatives regarding the scope of their authority to monitor systems and networks for the purpose of assessing the security of the systems and networks. As discussed earlier, the advent of distributed computing has and will continue to blur the boundaries of the systems and networks that DoD uses. Confusion also stems from uncertainty over when or whether a wiretap approval is needed. All DoD system and network administrators should assume that any intrusion is a hostile intrusion and take action to minimize the effects of the intrusion and report the intrusion for purposes of tactical warning and to obtain necessary protective support, including law enforcement.
Exhibit 6-11. Resolve the Legal Issues
To lessen the confusion, the SECDEF/DEPSECDEF should direct the General Counsel to explore this matter and issue rules of engagement regarding appropriate defensive actions that may be taken upon detection of intrusions into and attacks against DoD systems and networks. This should include promulgating clear guidance regarding monitoring of systems under DoD control and the use of warning banners on these systems.
The SECDEF/DEPSECDEF should also task the General Counsel to propose legislation. regulation, or executive orders as may be needed to make clear the DoD role in defending non-DoD systems. This should specifically address the need for changes to the Computer Security Act, the capture of information on unidentified intruders (issue of intelligence collection on U.S. persons), the authority to conduct "hot pursuit" of intruders, and the ability to obtain reports from the operators of critical elements of the civil infrastructure.
The findings and recommendations developed by the General Counsel should be provided to the President's Commission to aid in their deliberation of the legislative and policy initiatives required for the protection of the critical infrastructures.
6.12 PARTICIPATE FULLY IN CRITICAL INFRASTRUCTURE PROTECTION
Exhibits 6-12-l through 6-12-4 indicate the Task Force recommendations regarding what DoD should offer to, advocate to, request from, and suggest to the President's Commission. Exhibit 6-12-1 suggests what capabilities DoD might offer to the Commission and the nation in support of critical infrastructure protection. The Department should think through and propose to the Commission appropriate national defense response and retaliation capabilities in the event of an information warfare attack on the critical civil infrastructures, understanding that Defense is not the sole element in responding to threats to the national security.
Exhibit 6-12-1. Participate Fully in Critical Infrastructure Protection
Exhibit 6-12-2 suggests what DoD interests should be advocated before the Commission. The information-age war powers for the President are suggested in light of the outdated nature of Section 706 of the Communications Act of 1934. This Act is the basis for Federal intervention in assuring the operation of the telecommunications infrastructure. Critical infrastructure assurance goals can be articulated in a general fashion, but should be eventually based on the infrastructure dependency assessments discussed earlier in the report.
Exhibit 6-12-2. Participate Fully in Critical Infrastructure Protection (Continued)
In addition, there are many international aspects of information warfare
that must be addressed as the U.S. formulates a defensive information
warfare strategy that will guide DoD operations. For example:
Exhibit 6-12-3 shows what DoD needs from the President's Commission.
Exhibit 6-12-3. Participate Fully in Critical Infrastructure Protection (Continued)
Recognizing the difficulty of defining an appropriate role for the government and the private sector in critical infrastructure protection, the Task Force offers these suggested roles which DoD could provide to the Commission. These suggestions are based on input to and deliberations by the Task Force and individual panels of the Task Force. Exhibit 6-12-4 suggests such roles.
Exhibit 6-12-4. Participate Fully in Critical Infrastructure Protection (Continued)
Exhibit 6-12-5. Participate Fully in Critical Infrastructure Protection (Continued)
The NSTAC model shown in Exhibit 6-12-6 could serve as a model for refining the roles of government and industry as suggested here. Sensitive information includes threats, vulnerabilities. intrusions and other incidents. fixes to vulnerabilities. etc.
Exhibit 6-12-6 suggests a model as a starting point for refining the government and private sector roles.
O = Owner Responsibility
Exhibit 6-12-6. Possible IW Target Protection Responsibilities
This exhibit provides another view of how the government and private-sector roles might be defined. It also provides the Task Force view of how target protection responsibilities might be assigned. The exhibit is not intended to be authoritative, but to provide a construct for discussion of the roles of the government and the private sector.
Some areas are exclusively the responsibility of the owner, while others are exclusively the responsibility of government. It is in the areas of shared responsibility between the owner and the government where much work must be done to define levels of responsibility.
6.13 PROVIDE THE RESOURCES
Resources must be provided if a viable defensive information warfare capability is to be achieved. The need has been recognized in part since an INFOSEC special budget issue has been submitted each of the past 3 years. The Task Force has developed a rough estimate of the resources required to get started. The Department must make a detailed estimate. The resource estimates are for resources in addition to those reflected in the proposed FY 97 budget, so some reprogramming actions will be required for FY 97.
The Task Force recommends that the ASD(C3I) develop a detailed plan of action to implement the recommendations and a detailed estimate of the resource required.
Exhibit 6-13-1. Provide the Resources
Exhibit 6-13-2 shows the estimated resources to implement the key recommendations. These are the very rough estimated resources to implement the key recommendations. The Task Force reviewed all of the individual recommendations categorized under the key recommendations and estimated to $5 million granularity what the implementation costs might be. The figures are the totals of the individual recommendations for each key recommendation. These resources are in addition to the current Information Systems Security Program and other distributed information security costs which in the aggregate total about $1.6 billion annually. The Department should perform a more detailed cost estimate.
* Dollars in Millions
Exhibit 6-13-2. Get Started Resources
In summary, the Department must tie several factors together, as shown in Exhibit 7-1.
And the Department must start immediately, as shown in Exhibit 7-2. Although all the recommendations are important, the check marks [+] indicate where the Task Force believes immediate action will jump-start the process of getting a handle on this challenge. Again, as pointed out earlier, the DSB has called for action on these matters in each of the past 3 years.
Appendices are provided as background and resource information. They do not represent a consensus view of the Task Force and recommendations contained in the Appendices are not Task Force recommendations to the Department. Some of the appendices were used in part as input to the main body of this report. Other appendices are provided because they contain useful information for further discussion of matters addressed in the main body of the report.
End Main Report
Thanks to AR of the Office of Assistant Secretary of Defense (Public Affairs), Department of Defense, for promptly sending this report. For 200-page paper copy telephone: 1-703-697-5737.
Thanks to the IW-D Task Force and contributors.
Digitized and hypertexted by JYA (UD); with special thanks to DN.
No restrictions on use, copying or distribution.
Published January 8, 1997.
Corrections welcome; send to <email@example.com>.