Protecting
Information-Dependent Infrastructures
"In short, the clearest way for the federal government to proceed in
the matter of infrastructure protection is to get its own house in order,
to explore international agreements that can aid in protecting the global
commons, and to work with infrastructure industries to understand the
vulnerabilities implicit in highly integrated network architectures."
Stephen J. Lukasik joined the Advanced Research
Projects Agency (ARPA) in 1966 and served as Deputy Director of the
Agency from 1967 through 1970. He was appointed Director in 1971 and
remained in this position through 1974. He has held several positions
in the private sector and in higher education, served on numerous task
forces and commissions, and is currently a Visiting Scholar at the Stanford
Center for International Security and Cooperation.
Problems
Information technology enables us to control our increasingly powerful
social and industrial enterprises. But when that control fails, the consequences
can be extensive and severe. Power outages are not just local events; they
can cover a large part of the nation. So, too, with air travel, with telephones,
pagers, and Internet-based services.
Three factors compound the problem of malfunction of the nation's infrastructures.
First, failures are not necessarily single isolated random accidents and
errors. They sometimes reflect malicious actions intended to strike at
society's soft underbelly, the systems on which we all depend for energy,
food, commerce, and transportation.
Second, as we integrate the separate local parts of infrastructure for
greater efficiency, we increase the nation's vulnerability to infrastructure
attack, both physical attacks and cyberattacks. We integrate smaller systems
into increasingly complex assemblages by introducing computers, software,
and communication links into them, all managed through sophisticated operational
processes. By exploiting the logical flaws inherent in complex information
systems, by exploiting architectural vulnerabilities arising from physical
concentrations of routes and facilities, imperfect management and audit
processes, and through the erratic or unpredictable actions of their human
operators, users and attackers, increasingly large scale damage can be
produced by quite small causes.
Finally, industry restructuring and market pressures further complicate
the protection of infrastructure by introducing organizational interfaces
at which errors can occur, where responsibility is diffused, and where
intruders can enter.
How can we deal with this growing pyramid of complexity, in systems
that defy our ability to test under conditions of high stress; whose complexity
challenges the construction of simulations; and whose weak points can be
probed and exploited? This paper will address some of the characteristics
of these problems, the choices we must make to fix them, and some steps
that might be taken in both the immediate and the longer term.
Fixing the Problems
In fashioning solutions, there are several characteristics of infrastructure
systems to keep in mind:
- Taking steps to avoid the worst of what might happen requires appreciating
the central role of infrastructure systems in society. Agriculture, water
supply, land and marine transportation, and security were the first infrastructures.
As society's economy developed, financial services such as accounting and
currency became necessary. With the growth of towns came the need for emergency
services such as fire protection and the maintenance of public order. These
infrastructures constitute a commons providing benefit to all. Their
protection is thus the concern of society as a whole. Hence solutions require
a consensus of their users and operators.
- Infrastructure systems exhibit a range of sizes and geographical coverage
that map onto various legal and political jurisdictions. For highly developed
nations, their most important infrastructures will be national in extent
and will connect to the corresponding infrastructures of other nations.
Thus, such commons will require international cooperation among sovereign
states for the provision of service and for their protection.
- Problems with information-dependent infrastructure, which is to say most
infrastructure systems now and all of them in the future, arise from three
sources, the fixes for which are different. Some arise from the unconstrained
increase in the complexity of systems, encouraged by the easy interconnection
provided by information technology. (These might be called "Moore's Law"
problems.) For these we must look to R&D, the engineering education
process, and the certification of security specialists if we are to discover
and teach safe and reliable ways of interconnecting systems and encourage
more effective ways of managing complexity once created. Other problems
arise from the inevitable operation of Murphy's Law, the consequences of
which are multiplied when Murphy and Moore interact. The third kind of
problem derives from malice, or in its less severe form, mischief. These
are problems of people and nations, and require still different approaches.
- Discharging shared responsibility for infrastructure has been effected
in various ways: individual contributions, as with volunteer fire departments;
public taxation of private assets by local authorities; and private initiatives
under barter or fee arrangements. Dispute resolution and equity in the
distribution of infrastructure benefits are based on a system of laws and
legal processes for their enforcement, and through administrative regulation.
Owners of infrastructure systems are for the most part private companies
but they act for and on behalf of the common good. While reliance on the
greater efficiency of market mechanisms reduces the need for formal regulation,
assuring adequate protection of interstate commerce and defending national
assets against state-supported attacks are likely to require governmental
authority.
- The possibility of cyberattacks against systems arises from the introduction
of information technology into them. Were information technology advancing
slowly, it would be possible, in principle, to fix problems before they
irreversibly weakened the host system. But information technology is moving
so rapidly that it frequently outpaces itself, with new hardware or software
arriving before the fixes to the old hardware or software can be completed.
In other cases, fixes solve an earlier problem, but they introduce new
vulnerabilities, or leave previously unexploited vulnerabilities untouched,
which then become the focal point for new attacks. Compounding the problem
is the fact that attacker tools, which themselves are based on information
technology, improve at the same rate as do defenses. So the problem of
infrastructure protection is always in an unsteady state. Our infrastructures
could even be unstable, if the power and deployment of attack tools exceeds
that of the defense.
- Infrastructure systems are built to be robust against accidental failures
and natural disasters. Some believe this robustness will suffice to protect
systems even against concentrated and sustained attacks at multiple points
simultaneously. While we understand the threats posed by physical attacks,
we lack experience with strategic cyberattacks. Thus, we are unable to
gauge the consequences of national-level cyberattacks, nor are we able
to assess the level of effort that would be required to execute such attacks
or their probability of success. Thus, we cannot rationally design systems
to be secure against such attacks. But neither are we justified in making
best-case assumptions about the resilience of our current infrastructure
systems to withstand such attacks as may be directed at them.
- One can deny the likelihood or effectiveness of such attacks based either
on their absence to date, or on a presumption that they will not be executed
during conflict between sovereign states. While private owners and operators
are entitled to base their planning on this view, governments responsible
for their nation's security dare not accept what may be a substantial underestimate
of the threat. We believe that cyberattacks are relatively cheap and easy
absent concerted efforts to harden and protect infrastructure systems.
Prudence, thus, requires some degree of action by society as a whole, at
least to the point where the seriousness of the threat of cyberattack can
be determined.
- Rational approaches to fixing infrastructure problems require metrics of
many sorts: measures of the seriousness of system vulnerabilities; measures
of the cost to address the vulnerabilities; measures of the social and
economic implications of reducing information system vulnerabilities; measures
of the consequences of attacks which, in most cases, will not yet have occurred;
measures of current losses from infrastructure malfunction from all causes,
and the trends in each. Much of this information does not exist in a systematic
and easily accessible form. Other parts of it exist as proprietary or classified
information that is not easily shared. Absent such information, we will
be unable to assess the risk to infrastructures or to determine the most
cost-effective approaches to their protection.
- We lack a systematic program of analysis and testing of infrastructure
systems on a continuing basis. Were we to assess the degree to which infrastructure
vulnerabilities are growing or declining, and the balance between their
robustness and the strength of attacks that could be brought to bear against
them, we would be better able to invest in their protection. Y2K testing
provides an example of the kind and potential scope of testing that might
be required.
- The image conjured up by "attacker" is an agent "outside," but the simple
view of "inside" and "outside" does not serve us well in cyberspace. Operators
and users of infrastructure systems, not all of whom, unfortunately, can
be trusted to do the best for society, are already "inside." So is malicious
code, whether inserted through new software or during the maintenance process,
or introduced through email or web interactions. National-level attacks
can be mounted from anywhere, least likely perhaps from locations and facilities
easily identified with an adversary state. However, focusing on attackers
instead of attacks introduces complicated issues regarding the protection
of employee rights, civil rights more generally, and international agreements.
Making Choices
The above outlines some of the dimensions of the problem of protecting
information-dependent infrastructures. While difficult to respond to, the
really tough part of fixing the problems will be the political process
of making choices between what are in many cases mutually exclusive objectives.
Some of the choices that must be made are:
- Regulation vs. market forces. Rules, first of social custom and
later as legal requirements, have traditionally governed the use of the
commons. Market abuses in the late nineteenth and early twentieth centuries
brought about a considerable increase in the regulation of transportation,
electric power, financial services, and telecommunications among others.
But such regulation has been found to restrain the implementation of new
technology because of its heavy dependence on slow administrative processes
and the accommodation to "natural monopolies." More recent replacement
of regulation by market forces in the U.S. has allowed significantly greater
rates of introduction of new technology with generally positive impacts
on society. But the protection of infrastructure from high-level threats,
of a magnitude beyond what private operators can assess and deal with,
reopens the question of the balance between public and private responsibility.
- Protection vs. convenience. Steps to protect systems from harm generally
have some degree of inconvenience associated with them. Locks and keys,
passwords and password management, security tokens, personal authentication,
compartmentalization to restrict access, more complex software that operates
more slowly, etc. are all to a degree annoying and time-consuming, can malfunction,
and reduce the flexibility of work groups. The implementers of such protections
come across as heavy-handed, and as requiring unnecessary sacrifices of efficiency
and productivity for rules that seem to impact honest users more than they
do the "bad guys." Consequently, such protections are often circumvented.
- Risk vs. safety. New technology has risks associated with it. It
may not work, or not work reliably, and it not infrequently is found to
have quite undesirable consequences. Examples from the pharmaceutical and
automotive industries are the most obvious. The more we come to rely on
new technology the more we open up ourselves to things we do not fully
understand. By contrast, what is old has had the bugs worked out: we understand
its downsides and have accepted them. The old may be less glitzy, but it
is safer. Overly complex infrastructure may perhaps be dealt with by limiting
its complexity.
- Prevention vs. damage limitation. Perfect defense is never possible,
and even approaching perfect defense can be expensive. Since the a priori
estimate of the likelihood of cyberattack is low, it would seem better
to invest in measures to limit damage and assist reconstitution. But the
question requires a careful balancing of the cost of attack vs. cost of
defense, cost of defense vs. cost of consequences of an attack, and likelihood
of cyberattack vs. likelihood of other kinds of business failure.
- Short term vs. long term approaches. We have vulnerabilities now,
but we may not be faced with large and immediate threats. While we can
expect the threats of cyberattack to grow in time, if they are far enough
in the future we can make long term investments to reduce our vulnerabilities
and risks. We can, therefore, avoid expensive and inefficient crash programs.
How much we want to run immediate risks in return for a lower current investment
rate in fixes will be difficult to determine. The conundrum may not be
settled until the much prophesied "electronic Pearl Harbor" occurs.
- Protection vs. privacy. Surveillance to catch bad guys, who are
far fewer in number than good guys, falls more heavily on the good guys,
a state of affairs that is poorly received by society. Add to this the
general suspicion of authority, of line supervisors, management, police,
and government in general, and the net result is to prefer privacy to protection.
Relinquishing civil rights now for uncertain and unspecified protection
against some ill-perceived threat in the future just does not look attractive.
Furthermore, abuses by society's protectors are real, and the public is
unlikely to cut them much slack.
- Catching vs. stopping bad guys. The law enforcement paradigm is
to catch and punish bad guys, as a deterrent to others. While the deterrent
effect is sometimes hard to see, at least society can take comfort that
malefactors are made to pay their debt to society. On the other hand, owners
of businesses who are losing money just want to see the losses stop, and
if that can be done without invoking the often costly processes of criminal
justice, the tradeoff does not look bad.
- Protection vs. intelligence collection. Intelligence and law enforcement
agencies are willing to settle for the good guys being weak as long as
it means that the bad guys are comparably weak. Why not? Intelligence and
law enforcement work against bad guys, and when those agencies succeed
they provide the protection that might otherwise have been procured for
themselves by the good guys. The problem is that if the good guys are kept
weak through domestic policy and the bad guys can buy the best attack tools
available anywhere in the world, our good guys will be outgunned by the
bad guys.
- Offensive vs. defensive information warfare. This discussion has
been about defensive information warfare. The U.S. has considerable vulnerabilities
because of its advanced state of information technology deployment. But
at the same time this level of information technology development and deployment
makes us one of the world's most potent offensive information warfare threats.
Moving to curb foreign information warfare threats comes across much as
did pressure by nuclear weapon states on non-nuclear weapon states to sign
the Non-Proliferation Treaty.
- Deterrence and "second strike" response vs. terminal defense. Deterrence
is much preferred over war-fighting. But the essence of deterrence is to
threaten certain and irremediable harm to an attacker. Thus an offensive
information warfare capability is one of the best defenses. And, if deterrence
fails, the U.S. must be postured to prevail in an information warfare "exchange."
The logic here borrows much from nuclear analogies, not all of which are
valid, however. The information warfare world is multipolar; offensive
capabilities are relatively cheap; and terminal defenses may be both technically
feasible and not too costly. But issues of first-strike stability, escalation,
early warning and attack assessment, and the effectiveness of terminal
defense, among others, remain to be analyzed.
Striking a Balance
The preceding two sections present some constraints on the problem of
protecting national infrastructures and some policy judgments that must
be made. As indicated, various data need to be collected and analyses undertaken
if one is to have firm ground on which to proceed further. Nevertheless,
it is instructive to attempt a synthesis of these ideas, based on such
fragmentary information as is available, and in the absence of data, using
estimates in lieu of the missing data and analyses. Such a look-ahead can
help identify which of the previous issues are perhaps more important than
others in achieving a workable national policy for infrastructure protection.
What follows is an illustration of this.
BEFORE READING FURTHER
The reader is invited to follow the same path and synthesize
the preceding discussion into a national plan for infrastructure protection.
Open up a new document and note in perhaps 500-1000 words what you, if
you were "in charge," would do and send it to the editor
of iMP. Interesting and innovative ideas for data collection, analyses,
and suggested solutions will be published in subsequent issues.
Adopt the view that the threat of national-level attacks on infrastructure
systems is not imminent. Despite the fact of hacking and the identification
of vulnerabilities, the planning of cyberattacks and their integration
into military doctrine are in their infancy. Furthermore,
many infrastructure systems are not at the technology level of national
integration so their diversity and compartmentation help protect them.
For those infrastructures that are highly integrated, such as telecommunications,
banking and finance, and the Internet, their operators are aware of security
issues and have programs in place to address them. So the starting point
is that there is time to take a long-term view. Furthermore, considering
the need for consensus and the public's increasing sensitivity to possible
incursions on their privacy, a minimalist approach is called for that
puts few or no requirements on the private sector and is heavily weighted
in terms of government-funded initiatives designed to protect government
facilities and operations.
There are three things one can do if time is available. Through the collection
and distribution of threat information relating to system penetrations
derived from attacks on federal government systems, it should be possible
to stimulate private investment to the extent supportable by the data.
One can also modify engineering education curricula to provide new engineers
with a better understanding of the emergent properties of complex systems
and ways of controlling or managing complexity. At the same time, increased
attention could be given to the training and certification of network
security professionals. And third, one can fund those aspects of long-term
network and computer security R&D that industry will not support, to cope
with evolving cyberthreats.
The main focus of government-funded efforts would be on those networks and
systems for which it is responsible. With care and sensitivity in the
design of its protective measures, it should be possible to do this
without triggering the concerns of those who see the government as a
threat to civil liberties. The market for security products can thereby
be influenced, and the extension of the technology can be promoted through
large federal system procurements. Since the networks that support the
National Airspace System and the Global Positioning System are federal
responsibilities, steps can be taken to secure those infrastructures
without imposing requirements on the private sector.
This said, there are also near-term issues that relate to the evolution
of three infrastructures that are more highly integrated and hence at
greater risk to a coordinated strategic attack. Two have regulatory
structures in place: telecommunications and electric power. While federal
policy with respect to these infrastructures has been strongly deregulatory
in recent decades, there remain many areas where regulators continue
to exert influence. It would not be unreasonable for them to examine
the question of the growing complexity of these systems, in part due
to the introduction of new system control and interconnection technology
and in part due to industry restructuring for increasing competition.
The question to ask is whether steps should be taken to limit the uncontrolled
growth of their complexity to be consistent with society's need to assure
their security.
The third infrastructure in this class is the Internet, whose origin is rooted
in academic traditions that are the antithesis of regulation. Looking
back over the thirty year history of networking since the beginning
of the ARPANET, we have been deploying information technology to give
us ever increasing power to accomplish what we want to do. The military
term for this is "command." Usually paired with that, however, is another
military term, "control," which means "don't do what I don't want."
While we will continue to see technical advances in command functions, the
"do it" functions, perhaps the more significant changes will be in the
area of control, that is, the "don't do it" functions. This will not,
one hopes, be for the purpose of circumscribing technology, but to attempt
to contain some of the technology's undesirable social consequences
that have begun to appear. In earlier and simpler days, network technology
was "owned" by a relatively small number of researchers who shared similar
intellectual values and aspirations. Their worst faults were not on
a scale to do more than inconvenience their generally tolerant and,
in any case, limited number of colleagues. However, when virtually everyone
is on-line, the user population has a wider range of personal and social
agendas than those of the net's more homogeneous pioneers.
Finally, near-term federal government policy must address the military issues
of offensive information warfare, deterrence, and "second-strike" responses.
U.S. capabilities for offensive operations are classified, although
it can be assumed, in the light of the nation's advanced level of development
of information technology, that they are substantial. If offensive information
warfare threats are real and they constitute a substantial threat to
the nation's security, then there seems to be little alternative for
the U.S. but to remain at the cutting edge. If such threats turn out
to have been overstated, at least a potential threat will not have been
ignored. The issue to decide is whether an offensive warfare capability
is desirable as an important part of power projection in the 21st century,
or whether it is better in the long run to seek international agreements
to limit the technology. Discussion of these issues is beyond the scope
of this paper.
In short, the clearest way for the federal government to proceed in the matter
of infrastructure protection is to get its own house in order, to explore
international agreements that can aid in protecting the global commons,
and to work with infrastructure industries to understand the vulnerabilities
implicit in highly integrated network architectures. The fact that these
architectures are developing in direct response to government policies
should not be lost on our national leaders. To recall the insight of
the comic strip character Pogo, "We have met the enemy and they are
us."
Released: September 22, 1999
iMP Magazine, http://www.cisp.org/imp/september_99/09_99lukasik.htm
© Copyright 1999, Stephen J. Lukasik. All rights reserved.