September 1999 
Protecting Information-Dependent Infrastructures

"In short, the clearest way for the federal government to proceed in the matter of infrastructure protection is to get its own house in order, to explore international agreements that can aid in protecting the global commons, and to work with infrastructure industries to understand the vulnerabilities implicit in highly integrated network architectures."
 
Stephen J. Lukasik
STEPHEN.J.LUKASIK@saic.com
 

Stephen J. Lukasik joined the Advanced Research Projects Agency (ARPA) in 1966 and served as Deputy Director of the Agency from 1967 through 1970. He was appointed Director in 1971 and remained in this position through 1974. He has held several positions in the private sector and in higher education, served on numerous task forces and commissions, and is currently a Visiting Scholar at the Stanford Center for International Security and Cooperation.

Problems

Information technology enables us to control our increasingly powerful social and industrial enterprises. But when that control fails, the consequences can be extensive and severe. Power outages are not just local events; they can cover a large part of the nation. So, too, with air travel, with telephones, pagers, and Internet-based services.

Three factors compound the problem of malfunction of the nation's infrastructures. First, failures are not necessarily single isolated random accidents and errors. They sometimes reflect malicious actions intended to strike at society's soft underbelly, the systems on which we all depend for energy, food, commerce, and transportation.

Second, as we integrate the separate local parts of infrastructure for greater efficiency, we increase the nation's vulnerability to infrastructure attack, both physical attacks and cyberattacks. We integrate smaller systems into increasingly complex assemblages by introducing computers, software, and communication links into them, all managed through sophisticated operational processes. Increasingly large-scale damage can then be produced by quite small causes: by exploiting the logical flaws inherent in complex information systems, by exploiting architectural vulnerabilities arising from physical concentrations of routes and facilities and from imperfect management and audit processes, and through the erratic or unpredictable actions of their human operators, users, and attackers.

Finally, industry restructuring and market pressures further complicate the protection of infrastructure by introducing organizational interfaces at which errors can occur, where responsibility is diffused, and where intruders can enter.

How can we deal with this growing pyramid of complexity, in systems that defy our ability to test under conditions of high stress; whose complexity challenges the construction of simulations; and whose weak points can be probed and exploited? This paper will address some of the characteristics of these problems, the choices we must make to fix them, and some steps that might be taken in both the immediate and the longer term.

Fixing the Problems

In fashioning solutions, there are several characteristics of infrastructure systems to keep in mind:

  • Taking steps to avoid the worst of what might happen requires appreciating the central role of infrastructure systems in society. Agriculture, water supply, land and marine transportation, and security were the first infrastructures. As society's economy developed, financial services such as accounting and currency became necessary. With the growth of towns came the need for emergency services such as fire protection and the maintenance of public order. These infrastructures constitute a commons providing benefit to all. Their protection is thus the concern of society as a whole. Hence solutions require a consensus of their users and operators.

  • Infrastructure systems exhibit a range of sizes and geographical coverage that map onto various legal and political jurisdictions. For highly developed nations, their most important infrastructures will be national in extent and will connect to the corresponding infrastructures of other nations. Thus, such commons will require international cooperation among sovereign states for the provision of service and for their protection.

  • Problems with information-dependent infrastructure, which is to say most infrastructure systems now and all of them in the future, arise from three sources, the fixes for which are different. Some arise from the unconstrained increase in the complexity of systems, encouraged by the easy interconnection provided by information technology. (These might be called "Moore's Law" problems.) For these we must look to R&D, the engineering education process, and the certification of security specialists if we are to discover and teach safe and reliable ways of interconnecting systems and encourage more effective ways of managing complexity once created. Other problems arise from the inevitable operation of Murphy's Law, the consequences of which are multiplied when Murphy and Moore interact. The third kind of problem derives from malice, or in its less severe form, mischief. These are problems of people and nations, and require still different approaches. 

  • Discharging shared responsibility for infrastructure has been effected in various ways: individual contributions, as with volunteer fire departments; public taxation of private assets by local authorities; and private initiatives under barter or fee arrangements. Dispute resolution and equity in the distribution of infrastructure benefits are based on a system of laws and legal processes for their enforcement, and through administrative regulation. Owners of infrastructure systems are for the most part private companies but they act for and on behalf of the common good. While reliance on the greater efficiency of market mechanisms reduces the need for formal regulation, assuring adequate protection of interstate commerce and defending national assets against state-supported attacks are likely to require governmental authority. 

  • The possibility of cyberattacks against systems arises from the introduction of information technology into them. Were information technology advancing slowly, it would be possible, in principle, to fix problems before they irreversibly weakened the host system. But information technology is moving so rapidly that it frequently outpaces itself, with new hardware or software arriving before the fixes to the old hardware or software can be completed. In other cases, fixes solve an earlier problem, but they introduce new vulnerabilities, or leave previously unexploited vulnerabilities untouched, which then become the focal point for new attacks. Compounding the problem is the fact that attacker tools, which themselves are based on information technology, improve at the same rate as do defenses. So the problem of infrastructure protection is always in an unsteady state. Our infrastructures could even be unstable, if the power and deployment of attack tools exceeds that of the defense. 

  • Infrastructure systems are built to be robust against accidental failures and natural disasters. Some believe this robustness will suffice to protect systems even against concentrated and sustained attacks at multiple points simultaneously. While we understand the threats posed by physical attacks, we lack experience with strategic cyberattacks. Thus, we are unable to gauge the consequences of national-level cyberattacks, nor are we able to assess the level of effort that would be required to execute such attacks or their probability of success. Thus, we cannot rationally design systems to be secure against such attacks. But neither are we justified in making best-case assumptions about the resilience of our current infrastructure systems to withstand such attacks as may be directed at them. 

  • One can deny the likelihood or effectiveness of such attacks based either on their absence to date, or on a presumption that they will not be executed during conflict between sovereign states. While private owners and operators are entitled to base their planning on this view, governments responsible for their nation's security dare not accept what may be a substantial underestimate of the threat. We believe that cyberattacks are relatively cheap and easy absent concerted efforts to harden and protect infrastructure systems. Prudence, thus, requires some degree of action by society as a whole, at least to the point where the seriousness of the threat of cyberattack can be determined. 

  • Rational approaches to fixing infrastructure problems require metrics of many sorts: measures of the seriousness of system vulnerabilities; measures of the cost to address the vulnerabilities; measures of the social and economic implications of reducing information system vulnerabilities; measures of the consequences of attacks which, in most cases will not yet have occurred; measures of current losses from infrastructure malfunction from all causes, and the trends in each. Much of this information does not exist in a systematic and easily accessible form. Other parts of it exist as proprietary or classified information that is not easily shared. Absent such information, we will be unable to assess the risk to infrastructures or to determine the most cost-effective approaches to their protection. 

  • We lack a systematic program of analysis and testing of infrastructure systems on a continuing basis. Were we to assess the degree to which infrastructure vulnerabilities are growing or declining, and the balance between their robustness and the strength of attacks that could be brought to bear against them, we would be better able to invest in their protection. Y2K testing provides an example of the kind and potential scope of testing that might be required. 

  • The image conjured up by "attacker" is an agent "outside," but the simple view of "inside" and "outside" does not serve us well in cyberspace. Operators and users of infrastructure systems, not all of whom, unfortunately, can be trusted to do the best for society, are already "inside." So is malicious code, whether inserted through new software or during the maintenance process, or introduced through email or web interactions. National-level attacks can be mounted from anywhere, least likely perhaps from locations and facilities easily identified with an adversary state. However, focusing on attackers instead of attacks introduces complicated issues regarding the protection of employee rights, civil rights more generally, and international agreements.

Making Choices

The above outlines some of the dimensions of the problem of protecting information-dependent infrastructures. While difficult to respond to, the really tough part of fixing the problems will be the political process of making choices between what are in many cases mutually exclusive objectives. Some of the choices that must be made are:

  • Regulation vs. market forces. Rules, first of social custom and later as legal requirements, have traditionally governed the use of the commons. Market abuses in the late nineteenth and early twentieth centuries brought about a considerable increase in the regulation of transportation, electric power, financial services, and telecommunications among others. But such regulation has been found to restrain the implementation of new technology because of its heavy dependence on slow administrative processes and the accommodation to "natural monopolies." More recent replacement of regulation by market forces in the U.S. has allowed significantly greater rates of introduction of new technology with generally positive impacts on society. But the protection of infrastructure from high-level threats, of a magnitude beyond what private operators can assess and deal with, reopens the question of the balance between public and private responsibility. 

  • Protection vs. convenience. Steps to protect systems from harm generally have some degree of inconvenience associated with them. Locks and keys, passwords and password management, security tokens, personal authentication, compartmentalization to restrict access, more complex software that operates more slowly, etc. are all to a degree annoying and time-consuming, can malfunction, and reduce the flexibility of work groups. The implementers of such protections come across as heavy-handed, and as requiring unnecessary sacrifices of efficiency and productivity for rules that seem to impact honest users more than they do the "bad guys." Consequently, such protections are often circumvented. 

  • Risk vs. safety. New technology has risks associated with it. It may not work, or not work reliably, and it not infrequently is found to have quite undesirable consequences. Examples from the pharmaceutical and automotive industries are the most obvious. The more we come to rely on new technology the more we open up ourselves to things we do not fully understand. By contrast, what is old has had the bugs worked out: we understand its downsides and have accepted them. The old may be less glitzy, but it is safer. Overly complex infrastructure may perhaps be dealt with by limiting its complexity. 

  • Prevention vs. damage limitation. Perfect defense is never possible, and even approaching perfect defense can be expensive. Since the a priori estimate of the likelihood of cyberattack is low, it would seem better to invest in measures to limit damage and assist reconstitution. But the question requires a careful balancing of the cost of attack vs. cost of defense, cost of defense vs. cost of consequences of an attack, and likelihood of cyberattack vs. likelihood of other kinds of business failure.

  • Short term vs. long term approaches. We have vulnerabilities now, but we may not be faced with large and immediate threats. While we can expect the threats of cyberattack to grow in time, if they are far enough in the future we can make long term investments to reduce our vulnerabilities and risks. We can, therefore, avoid expensive and inefficient crash programs. How much we want to run immediate risks in return for a lower current investment rate in fixes will be difficult to determine. The conundrum may not be settled until the much prophesied "electronic Pearl Harbor" occurs. 

  • Protection vs. privacy. Surveillance to catch bad guys, who are far fewer in number than good guys, falls more heavily on the good guys, a state of affairs that is poorly received by society. Add to this the general suspicion of authority, of line supervisors, management, police, and government in general, and the net result is to prefer privacy to protection. Relinquishing civil rights now for uncertain and unspecified protection against some ill-perceived threat in the future just does not look attractive. Furthermore, abuses by society's protectors are real, and the public is unlikely to cut them much slack.

  • Catching vs. stopping bad guys. The law enforcement paradigm is to catch and punish bad guys, as a deterrent to others. While the deterrent effect is sometimes hard to see, at least society can take comfort that malefactors are made to pay their debt to society. On the other hand, owners of businesses who are losing money just want to see the losses stop, and if that can be done without invoking the often costly processes of criminal justice, the tradeoff does not look bad. 

  • Protection vs. intelligence collection. Intelligence and law enforcement agencies are willing to settle for the good guys being weak as long as it means that the bad guys are comparably weak. Why not? Intelligence and law enforcement work against bad guys, and when those agencies succeed they provide the protection that might otherwise have been procured for themselves by the good guys. The problem is that if the good guys are kept weak through domestic policy and the bad guys can buy the best attack tools available anywhere in the world, our good guys will be outgunned by the bad guys. 

  • Offensive vs. defensive information warfare. This discussion has been about defensive information warfare. The U.S. has considerable vulnerabilities because of its advanced state of information technology deployment. But at the same time this level of information technology development and deployment makes us one of the world's most potent offensive information warfare threats. Moving to curb foreign information warfare threats comes across much as did pressure by nuclear weapon states on non-nuclear weapon states to sign the Non-Proliferation Treaty. 

  • Deterrence and "second strike" response vs. terminal defense. Deterrence is much preferred over war-fighting. But the essence of deterrence is to threaten certain and irremediable harm to an attacker. Thus an offensive information warfare capability is one of the best defenses. And, if deterrence fails, the U.S. must be postured to prevail in an information warfare "exchange." The logic here borrows much from nuclear analogies, not all of which are valid, however. The information warfare world is multipolar; offensive capabilities are relatively cheap; and terminal defenses may be both technically feasible and not too costly. But issues of first-strike stability, escalation, early warning and attack assessment, and the effectiveness of terminal defense, among others, remain to be analyzed.

Striking a Balance

The preceding two sections present some constraints on the problem of protecting national infrastructures and some policy judgments that must be made. As indicated, various data need to be collected and analyses undertaken if one is to have firm ground on which to proceed further. Nevertheless, it is instructive to attempt a synthesis of these ideas, based on such fragmentary information as is available, and in the absence of data, using estimates in lieu of the missing data and analyses. Such a look-ahead can help identify which of the previous issues are perhaps more important than others in achieving a workable national policy for infrastructure protection. What follows is an illustration of this.

BEFORE READING FURTHER

The reader is invited to follow the same path and synthesize the preceding discussion into a national plan for infrastructure protection. Open up a new document and note in perhaps 500-1000 words what you, if you were "in charge," would do and send it to the editor of iMP. Interesting and innovative ideas for data collection, analyses, and suggested solutions will be published in subsequent issues.

Adopt the view that the threat of national-level attacks on infrastructure systems is not imminent. Despite the fact of hacking and the identification of vulnerabilities, the planning of cyberattacks and the integration of cyberattacks into military doctrine are in their infancy. Furthermore, many infrastructure systems are not at the technology level of national integration, so their diversity and compartmentation help protect them. For those infrastructures that are highly integrated, such as telecommunications, banking and finance, and the Internet, their operators are aware of security issues and have programs in place to address them. So the starting point is that there is time to take a long-term view. Furthermore, considering the need for consensus and the public's increasing sensitivity to possible incursions on their privacy, a minimalist approach is called for that puts few or no requirements on the private sector and is heavily weighted in terms of government-funded initiatives designed to protect government facilities and operations.

There are three things one can do if time is available. First, through the collection and distribution of threat information relating to system penetrations derived from attacks on federal government systems, it should be possible to stimulate private investment to the extent supportable by the data. Second, one can modify engineering education curricula to provide new engineers with a better understanding of the emergent properties of complex systems and ways of controlling or managing complexity. At the same time, increased attention could be given to the training and certification of network security professionals. And third, one can fund those aspects of long-term network and computer security R&D that industry will not support, in order to cope with evolving cyberthreats.

The main focus of government-funded efforts would be on those networks and systems for which it is responsible. With care and sensitivity in the design of its protective measures, it should be possible to do this without triggering the concerns of those who see the government as a threat to civil liberties. The market for security products can thereby be influenced, and the extension of the technology can be promoted through large federal system procurements. Since the networks that support the National Airspace System and the Global Positioning System are federal responsibilities, steps can be taken to secure those infrastructures without imposing requirements on the private sector.

This said, there are also near-term issues that relate to the evolution of three infrastructures that are more highly integrated and hence at greater risk to a coordinated strategic attack. Two have regulatory structures in place: telecommunications and electric power. While federal policy with respect to these infrastructures has been strongly deregulatory in recent decades, there remain many areas where regulators continue to exert influence. It would not be unreasonable for them to examine the question of the growing complexity of these systems, in part due to the introduction of new system control and interconnection technology and in part due to industry restructuring for increasing competition. The question to ask is whether steps should be taken to limit the uncontrolled growth of their complexity to be consistent with society's need to assure their security.

The third infrastructure in this class is the Internet, whose origin is rooted in academic traditions that are the antithesis of regulation. Looking back over the thirty year history of networking since the beginning of the ARPANET, we have been deploying information technology to give us ever increasing power to accomplish what we want to do. The military term for this is "command." Usually paired with that, however, is another military term, "control," which means "don't do what I don't want."

While we will continue to see technical advances in command functions, the "do it" functions, perhaps the more significant changes will be in the area of control, that is, the "don't do it" functions. This will not, one hopes, be for the purpose of circumscribing technology, but to attempt to contain some of the technology's undesirable social consequences that have begun to appear. In earlier and simpler days, network technology was "owned" by a relatively small number of researchers who shared similar intellectual values and aspirations. Their worst faults were not on a scale to do more than inconvenience their generally tolerant and, in any case, limited number of colleagues. However, when virtually everyone is on-line, the user population has a wider range of personal and social agendas than those of the net's more homogeneous pioneers.

Finally, near-term federal government policy must address the military issues of offensive information warfare, deterrence, and "second-strike" responses. U.S. capabilities for offensive operations are classified, although it can be assumed, in the light of the nation's advanced level of development of information technology, that they are substantial. If offensive information warfare threats are real and they constitute a substantial threat to the nation's security, then there seems to be little alternative for the U.S. but to remain at the cutting edge. If such threats turn out to have been overstated, at least a potential threat will not have been ignored. The issue to decide is whether an offensive warfare capability is desirable as an important part of power projection in the 21st century, or whether it is better in the long run to seek international agreements to limit the technology. Discussion of these issues is beyond the scope of this paper.

In short, the clearest way for the federal government to proceed in the matter of infrastructure protection is to get its own house in order, to explore international agreements that can aid in protecting the global commons, and to work with infrastructure industries to understand the vulnerabilities implicit in highly integrated network architectures. The fact that these architectures are developing in direct response to government policies should not be lost on our national leaders. To recall the insight of the comic strip character Pogo, "We have met the enemy and they are us."
 
 

Released: September 22, 1999
iMP Magazine, http://www.cisp.org/imp/september_99/09_99lukasik.htm

© Copyright 1999, Stephen J. Lukasik. All rights reserved. 
