June 1999
©SIGNAL Magazine 1999
Information Age Warfare Must Enlist Civilian Partnerships
The federal government needs help in defending the homeland.
By Col. Alan D. Campen, USAF (Ret.)
Not since the second American revolution has the United States had to defend its homeland, yet the country is not much better prepared today than it was when much of Washington, D.C., was torched by an invading military force during the War of 1812.
However, the most likely threat to U.S. national security today is not invasion by uniformed forces from a sovereign nation, to be rebuffed by armies, navies and air forces. Today's threat is in the form of disruptive and destructive intrusions into the nation's central nervous system by terrorists, thugs and rogue states. These groups can remotely launch surreptitious attacks against the foundations of national security-those privately owned civil infrastructures that underpin our economic strength and national security.
Americans, traditionally slow to anger, reluctant to fight, and unwilling to shed blood absent a clear and present danger, are now being urged to rally against a nascent threat to their personal, physical and economic security. The danger rests not in distant lands, but on their own doorstep.
The nation's center of gravity-and a seductive target for any adversary-is the American public itself. Influencing the public is the simplest, least expensive and least risky way to affect the poll-driven policies of the United States while avoiding direct confrontation with its formidable armed forces.
A former government policy maker contends we are "historically unaccustomed to physical threats on home ground," so the federal government proposes a new way of thinking about national security. Curiously, the center of attention for homeland defense is not just the U.S. Defense Department. The spotlight is on weaknesses in nondefense federal agencies, national infrastructures and the law enforcement and emergency preparedness abilities of a host of state and local first responders. These are groups who clearly cannot cope with such threats without outside help.
Warfare has been redefined, but the rules of engagement have not adapted. The information age world is one where geography, time, distance and space are irrelevant; where threats are diffused and obscure; where allies can also be nontraditional adversaries; and where industrial age laws and agreements among sovereign nation-states have limited relevancy. Victory no longer belongs solely to armed warriors who block mountain passes, sweep vast plains with fast-moving armor, strike distant lands with precision missiles or keep sea lanes free.
A report by the Center for Strategic and International Studies concludes that the United States is now exposed to a host of new threats to the whole of society because of the immensely complex information systems erected on insecure foundations. The weapons of information warfare can outflank and circumvent military establishments and compromise the common underpinnings of both U.S. military and civilian infrastructure, which is now one and the same, according to the report. This is called asymmetric or acupuncture warfare.
Critics of defense programs argue that the country should prepare to do battle in the new, not the old, domains. But the armed forces-which themselves are frightfully dependent upon civil infrastructures to mobilize, to move and even to fight-cannot predict, detect, deter or defeat such attacks against the homeland. An otherwise undeniably world-class military establishment is not organized, equipped, trained or legally empowered to confront violence at home; the voices of civil libertarians are raised to keep the military out of domestic matters.
Paradoxically, both the strength and weakness of any heavily information-dependent nation rest in its vulnerable, tightly interconnected, civilian-owned and -operated infrastructures. Until a year ago, this country lacked both a clear statement of policy that it treasures this domestic resource and that it will build a credible means to defend the infrastructure.
Executive order 13010, dated July 15, 1996, appointed a presidential commission on critical infrastructure protection with a charter to assess vulnerabilities of the infrastructure and to recommend a strategy for its protection. The commission's October 1997 report found those infrastructures to be at serious risk. It determined that a warning capability did not exist, that neither government nor industry was prepared to deal with a cyberthreat, and that research and development for the tools for homeland defense was not underway.
Prompted by the president's commission, a presidential decision has enunciated that policy and launched an urgent search for partners in the private sector to help the federal government protect valuable infrastructures. Presidential decision directive 63, May 1998, says that "the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyberattacks on our critical infrastructures, including especially our cybersystems."
"An era-shaping battle has begun over the issue of homeland defense," concludes Stephen S. Rosenfeld, a writer for The Washington Post. The country is seeking new means for the common defense that include not only the armed forces and its reserve components, but also most other federal agencies, the militia, state defense forces, civil first responders and the owners and operators of the civilian infrastructure.
A plea has gone out from the White House for a partnership approach to security that would blend the best personnel and technical resources of the public and the private sectors for a coordinated defense against terrorism and softwar. But a lack of consensus hampers concurrence on solutions. The question remains, "Is the threat real or imagined?" A clear objective of what the country is trying to achieve is also missing. In addition, the cooperative processes must determine how such disparate elements can legally collaborate and then determine who pays. Industrial age laws that inhibit 20th century solutions are another problem.
Response to the president's infrastructure report and to presidential decision directive 63 by some of these owners and operators was swift and bitter.
"Since when is the nation's defense the responsibility - in full or in part - that of the business community?" pleaded an industry representative before a congressional hearing in October 1997. This was not an unexpected reaction to a recommendation that placed the highest financial burden for ruggedizing critical infrastructures on the backs of a fiercely competitive industry. The industry leaders needed only to glance over their shoulders for a demonstrable clear and present domestic danger to their economic survival. The answer to that rhetorical pleading is that it happened when the meaning of war and warfare was radically altered by the information age.
Volatile disputes over the role of the military in domestic affairs-whether federalized militia or an active component-have rumbled beneath the domestic political surface for more than 200 years. They bubble forth each time a president asserts that only the military can cope with or assist in solving some peculiar domestic need-such as the drug war or nuclear, biological and chemical incidents. The protests raised today lack the elegance of Alexander Hamilton, James Madison and John Jay in The Federalist Papers, but the issues are unchanged.
"The Pentagon ought not to be doing any of this work," cries the American Civil Liberties Union among others, citing the Posse Comitatus Act of 1878, which responded to Ulysses S. Grant's efforts to use troops to guard ballot boxes and prevent election fraud by outlawing military involvement in civilian law enforcement. The law banning federal troops from enforcing domestic laws "is being ignored and undermined," laments another commentator.
Responding to complaints that anointing a military homeland defense commander and forming domestic counterterrorism teams in the armed forces are a violation of the American tradition, Deputy Secretary of Defense John Hamre says, "Frankly, we're not seeking this job - but we know we're being asked to be involved because we do have the only part of government that has resources that can be mobilized."
The principle of Posse Comitatus (power of the county) has been relaxed over the years, but not because the fear of Big Brother and its black helicopters has diminished. The changes come in grudging acknowledgment that, while the country's first line of home defense remains at the county level, locals cannot persist for long without the quantity, quality and dependability of resources that exist only in the Defense Department.
In response to presidential direction, a national cybersecurity plan consisting of three pillars is evolving from a new set of executive branch agencies: the national defense sector, also called the defense information infrastructure; the federal information infrastructure; and the most important but toughest nut to crack, the private information infrastructure.
"A weakness in one is a weakness in all," a Defense Department representative says, explaining his interest in security of the private information infrastructure. The private infrastructure underpins everything, and it is here that government seeks partners to represent the interests of telecommunications; electricity and energy; transportation; finance; and others.
A set of common problems confronts those who would improve security in all three pillars: lack of awareness by top commanders and managers of dependency on vulnerable infrastructures; too few professionals trained to practice information security and intense competition between government and industry for that limited personnel resource; no process through which crisis management can be coordinated or best defense practices shared across the pillars; and finally, no near-real-time detection and warning system or dedicated research and development program to provide one.
The president's fiscal year 2000 budget contains a wedge of $1.46 billion that is slowly wending its way to Congress, confounded by startling demands for national defense funds from agencies such as the Department of Commerce, Department of Health and Human Services, General Services Administration, the Federal Aviation Administration and the Office of Personnel Management. All these initial funds-and they surely will grow-are targeted at improving security of the federal information infrastructure. This does little to correct security problems in the private information infrastructure, but it is consistent with the administration's objective of leading by example.
Through its defensewide information assurance program, the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence hopes to link information assurance to operational readiness. This information assurance program includes career management of security personnel, leading-edge technology for defense in depth, and information vulnerability and emergency response teams. A lead element will be the Joint Task Force for Computer Network Defense, which led the defense against the Melissa virus, perhaps blunting pointed criticism in a report by the National Research Council that an offense-oriented military culture inhibits serious concern in the Defense Department over cyberdefense.
The cybersecurity plans for the federal and private sectors are centered in the jointly manned Department of Justice's National Infrastructure Protection Center (SIGNAL, July 1998, page 17), which is charged to build a superdatabase center on threats and tactics; and the Commerce Department's Critical Infrastructure Assurance Office. This office is tasked with developing an integrated national plan for physical and cyberthreats against not only federal information services, but also against civil communications, transportation, energy, banking, health and water systems. The plan is expected to be complete during 2000, and a full defensive capability to protect the nation should be achieved by 2003.
Federal information infrastructure initiatives include such elements as a critical infrastructure applied research initiative to safeguard networks from malicious code; a computer intrusion detection network; information sharing and assessment centers built by the private sector to serve as a clearinghouse for gathering, analyzing and disseminating information that is important for protecting the nation's critical infrastructures against cyberattacks. It also includes a cybercorps to train highly skilled computer science experts and the cybercitizen partnership program to form a pool of government computer-security and crime experts who have learned by studying how industry builds security into computer systems.
Using the national security telecommunications advisory committee-created to help defend the homeland during the Cold War-as a model, the Critical Infrastructure Assurance Office is partnering with industry trade associations as a partitioned means to gain information while protecting corporate interests. The Telecommunications Industry Association, Information Technology Association of America and United States Telephone Association have signed on to be sector coordinators.
The private information infrastructure remains an enigma. Early efforts to build a safe place wherein data on threats and defenses could be shared failed from a lack of trust between government and industry and within a competitive industry itself. Government was unwilling-for all the right reasons-to reveal details of the softwar threat. (The threat summary in the presidential commission on critical infrastructure protection report was classified.) Industry-also for the right reasons-refused to share information if disclosure would compromise a competitive position. The Manhattan Cyber Project was an early effort that crumbled reportedly because industry lawyers would not agree to disclosures.
The Federal Bureau of Investigation has begun its InfraGard program at the local level to provide a protected, sanitized, two-way channel for sharing information about intrusion and system vulnerabilities and contingency planning. The program also enables the government to disseminate analytical threat products.
The true state of public information infrastructure security is unknown, perhaps even to its owners and operators. A 1999 report by the National Research Council faults the Defense Department's computer security with being far inferior to that of the commercial sector. While government officials agree that the private sector undoubtedly has mounted defenses against computer network attacks, the reluctance that inhibits sharing of data on threats, vulnerabilities and successful penetrations applies equally to sharing of data on successful defenses.
A very senior government official concedes that civilian vulnerabilities can indeed be significantly less than feared. It may take something like the year 2000 problem or a more virulent Melissa to find out. A private security expert contends that some in industry are not at all reluctant to employ cyberdefenses as well as strong-arm physical offenses to deter mischief in their information systems. It would take changes in law and ethics for the federal government to undertake such actions.
William Church, editor of Journal of Infrastructure Warfare, describes "a government problem in a society that doesn't want a government solution." But, while the owners of the private information infrastructure may resist government management and control, they surely will welcome federal funds and cutting-edge technical solutions to ruggedize all systems against malicious attack. Indeed, there appears to be no alternative to heavy-not heavy-handed-federal involvement in the public information infrastructure and continuing research to keep in step with a growing and changing threat.
If the defense and federal information infrastructures cannot substantially lower their dependencies on the private sector infrastructure, then the policy of lead by example must be rethought. An aroused citizenry is unlikely to agree to abrogate federal responsibility for homeland defense to 50 or more international enterprises.