Even perfect information security within the boundaries of corporate computing is now inadequate. Corporate information security conferences that deal with how to cope with intrusions from external sources such as hackers, criminals and other malicious sources are necessary, but insufficient. Of course, one must plug all holes in the walls of a corporate fortress, but that will not guarantee that the systems will remain secure. My purpose today is to extend the horizon of corporate information security beyond corporate ramparts.
The rapid defeat of Iraq in 1991, as well as U.S. low casualty rates, surprised everyone, even the most optimistic military experts. In the post-war assessments, the consensus quickly emerged about one element that contributed to the rapidity of a victory without precedents in military history. The credit for this accomplishment was bestowed on the deliberate concentration by the U.S. military and intelligence resources to interfere with Iraq's command and control capabilities as well as in disabling that country's telecommunications and electric power infrastructure. Iraq's armed forces, which were superior in firepower and in the number of soldiers, were left blind, deaf and dumb within eight hours after the start of the U.S. attack. It is in this way that the fighting in the Gulf war earned its designation as the "First Information War." As compared with the enormous expenditures for bombing, tank attacks and the sheer logistics of deploying half a million troops, the low cost in waging information warfare now emerged as the most effective weapon in attacking technologically advanced armed forces. While everybody was engaged in celebrating the demonstration of American technological prowess, a small group in the Pentagon started an examination of a scenario that assumed that any adversary of the U.S. would learn from the American experiences in the Gulf. As subsequent studies by Russian, Chinese and Iranian military staffs revealed, it was obvious that no nation on earth was as vulnerable as the U.S. to damage to its national security interests by means of information warfare. Anticipating these developments with a remarkable prescience, Duane Andrews (Assistant Secretary of Defense for Command, Control, Communications and Intelligence) launched in 1991 an effort to establish, for the first time ever, "Information Warfare" as a category of offensive and defensive capabilities. Henceforth, information warfare would be included in all U.S. national security plans. The 1991 Pentagon study revealed that the U.S. military did not have the means for defending the U.S. against information warfare attacks, especially if they were launched as an action that combined the deployment of conventional forces, terrorists and corruption of military command and control systems. Tight coordination among military services to share intelligence, to evaluate such an attack and then to launch protective countermeasures did not exist. There were no sentries except for lookouts engaged in skirmishes with amateur hackers. The military did not conduct exercises on how to operate under conditions of information warfare. Most importantly, it did not have in place the capacity to rapidly "reconstitute" its readiness. A formal Defense Department policy to deal with these conditions was promulgated in December 1992, the last days of the Bush administration. Information warfare did not fit into any of the established fiefdoms within the Air Force, Army or Navy. For several years the military services engaged in debates about who would coordinate and integrate the new military discipline, since it did not neatly fit anyone in particular, yet threatened the military and commercial viability of everyone, including U.S. businesses. After leaving the Department of Defense, I continued to serve on a multitude of committees, trying to sort out what would be the missions of our military services in defending their command and control systems against information warfare attacks. With the passage of time and an enormously expanded awareness, the U.S. military cleared up how individual services would cooperate for information security assurance. Most importantly, many of the issues of how to share intelligence and coordinate responses to attacks against the Department of Defense infrastructure were largely resolved. Gradually, a cadre of professional information warriors and information sentries mounted the ramparts and the barriers against corruption of military systems. The debates about the missions and responsibilities for defense against information attacks were useful in clarifying an issue that the military found shocking -- that the concept of information warfare and the defenses of the U.S. homeland would not fit the traditional mold of how to defend the nation. The insertion of information warfare into any defense plans defied many of the time-tested concepts of how to engage in warfare. When an enemy will (the term is "will," not "may") launch an information warfare attack against the U.S., the conflict will involve not only the military, but also the civilian and commercial firms, in addition to the many non-military agencies of the U.S. government. The inherent vulnerability of the U.S. information infrastructure was demonstrated to Congressional and Executive Branch leaders in a number of "war games" in which a hypothetical hostile power launched an information warfare attack against privately owned telecommunications, power generation and transportation networks as a way of neutralizing (or impeding) the capacity of the U.S. military to respond to simultaneously launched conventional military actions. Such "combined" military action scenarios usually involved the defense of Mid-East oil fields or protection of a country that we have pledged to protect. White House involvement
By 1998, the almost universal concerns about the vulnerability of the U.S. to information warfare attacks received presidential attention. The delay was explained by the need to complete yet another round of studies to re-visit issues that had surfaced during intra-governmental deliberations. The President and the National Security Council had difficulty in dealing with the question of who would be in charge of securing the U.S. against information attacks. In contrast with an over act of aggression, the anonymous characteristics of information attacks cannot be easily identified as acts of war. Any attacks may appear to originate from within the U.S. and appear in a form that is not readily recognized. Thus, neither the most qualified institution that the Constitution has chartered to defend the U.S. in case of war -- the Department of Defense -- nor the intelligence organizations that have acted as sentries during the Cold War, could be given the principal responsibility for managing U.S. information defenses. Neither Defense nor Intelligence is allowed to engage in actions or surveillance that may involve actions against U.S. citizens. The Administration was well aware that the inevitable information warfare countermeasures would conflict with existing concepts of civil liberties. Most significantly, the national security organizations came to the realize that the first line (and the least prepared) of U.S. information defenses ran through corporate security staffs and not through the Army, Navy, Air Force, the CIA or the NSA. At this point, the Administration could not cope further with increasingly vocal Congressional calls to prevent the possible re-occurrence of the Pearl Harbor disaster. A devastating information warfare attack would be feasible in the absence of coordinated intelligence, adequate vigilance and advance preparation to cope with such an event. This time, U.S. assets would not be conveniently tied up to the same dock in Honolulu or set up for strafing on Hickham Field by a handful of Japanese bombers with only limited fuel supply. In case of a totally plausible "information Pearl Harbor" tens of millions of computerized assets (whether military or not) connected to a network would fail under the onslaught of hundreds of millions of software bugs launched from hidden sources. Formation of NIPC
In view of rising risks to the rapidly rising interconnectivity of U.S. information systems, the Presidential Directive #63 proceeded to deal with the single most glaring deficiency in U.S. defenses: the absence of a single national focus for gathering information on threats and for providing the principal means of facilitating the federal government's responses to computer-based incidents and reconstituting it in case of failure. As the keystone of protection against information warfare attacks, the Directive authorized the establishment of the National Infrastructure Protection Center (NIPC) within the FBI. It would become the "national focus for gathering information on threats and provide the principal means of facilitating the federal government's response to computer-based incidents." The President also designated critical infrastructure protection as highest priority national goal. That would involve the protection of the nation's power generation, transportation, telecommunication, energy, finance and computer systems capabilities from intentional destructive acts. It would include the coordination of all military and intelligence capabilities in the protection of U.S. capabilities. All that would be accomplished no later than by 2003 -- the target date for the U.S. to acquire competent information warfare defenses. Has the FBI done its job?
Well, the mountain has labored and delivered a mouse. True to its culture and institutional habits, the FBI construed its role as the protector of the nation in its traditional posture as the cop with the job of apprehending criminals breaking laws and delivering them for sentencing to the courts. So far, the FBI's actions reflect views of an organization that devotes its energies to viewing information threats as a criminal activity and not as a national security risk. The NIPC has a staff of 82 FBI agents (primarily with criminal investigation skills, not software and national security know-how). This staff is supplemented by 19 temporary and admittedly demoralized assignees from the Department of Defense, Postal Service, CIA and the Energy Department. This staff is totally inadequate to cope with the lofty objectives of the Presidential Directive. For now, corporate information security executives should start examining the possibility that none of their contingency plans are adequate because system failures may be induced by forces that cannot be inhibited by more sophisticated passwords or stronger firewalls. Situations may arise when neither uninterrupted power supply nor saved back-up files will be of much use in rapidly restoring corporate information flows. About the author:
Paul A. Strassmann (firstname.lastname@example.org) services as the chief information systems executive started in 1957. Since his "retirement" in 1993, he has continued engagements in matters related to information security.
TalkBack! Do you have any comments on this column? If so, share them in our anonymous discussion forum.