Have you been to the bank lately? If the computers weren't working, could you get any money from them? How about the supermarket? Would they be able to check you out without their checkout computers? Does your car have computers to control the fuel mixture? How about at the office? Does your company use computers to get you your paycheck? Does the gas station where you get gas use computers in their gas pumps?

The United States as a nation and its citizens as a people depend on information and information systems as a key part of their competitive advantage. This is common knowledge. But the dependency doesn't stop there. Without properly operating information systems, the national banking system, electric power grid, transportation systems, food and water supplies, communications systems, medical systems, emergency services, and most businesses cannot survive.

Operation Desert Storm was an object lesson in the critical importance of information in warfare, in that it demonstrated the ability of the United States to obtain and use information effectively while preventing Iraq from obtaining and using comparable information. But it was also a lesson in what happens to a country that only moderately depends on information when that information is taken away. The vast majority of the destruction in Iraq was to systems that provided the communications required for command and control of forces. The effect was the utter destruction of the Iraqi economy, and as a nation, Iraq is now at or below par with most third-world nations.

These object lessons were observed and understood by other nations and organizations. The world has seen the effect of removing the information infrastructure from a country that was only marginally dependent on it, and the effect was devastating. But what about the effect on a nation that is highly dependent on its information infrastructure?

The United States is rushing headlong into the information age. But the world is a dangerous place. People are regularly attacking the information highways already in place. Here's a good statistic to show you what I mean. Something like 900 million attacks take place on the Internet each year.

Financial loss is often cited as the rationale behind enhanced information protection, and a lot of figures fly around. As an example, AT&T claims that its toll fraud losses added up to $2 billion in 1992. Meanwhile, FBI figures claim that computer crime losses range from $164 million to $5 billion annually. [Bers] That's quite a range! It also seems to indicate that the FBI figures don't include the AT&T figures.

And financial loss is not the only form of loss encountered in our society. Businesses have confidential information stolen and patented by competitors, individuals end up in jail and inmates are released because of disruptions in law enforcement computers, IRS computer failures have caused thousands of small companies to be put out of business, corporate telephone switches have regularly had hundreds of thousands of dollars worth of telephone calls stolen through them over a weekend, and the list goes on almost without end.

The more information that flows through the information highways, the harder it is to protect people from accidents and abuse. The more places the information highways go, the more people are susceptible to harm. A good example is the Internet, one of the largest information networks in the world. The Internet connects more than 2 million computers together today. Compare this to the fall of 1988, when there were only about 60,000 computers on the Internet. The reason to choose the fall of 1988 for comparison is because that is when the Internet Virus was launched. In that incident, one person essentially stopped all work on 60,000 computers for two days. In 1994, another Internet incident was discovered that, at a minimum, involved the theft of passwords to more than 100,000 computer systems. The perpetrator has not been found, and this estimate of the magnitude of the damage could be low by as much as a factor of 25. Nobody knows for certain what the perpetrator did with those passwords, but it's a good bet that they were used to examine or modify some of the estimated billion megabytes of information available on those systems.

But let's face it. If you're going to live in the modern age, you are going to have to deal with the risks of modern life. When people started using automobiles, there were no speed limits on the open road, traffic cops, or parking meters. Some people got killed in early automobiles, but it wasn't until the 1960s, almost 50 years after automobiles became popular, that the government and manufacturers started to really get serious about safety. Airbags only became mandatory on new automobiles in the United States in 1994. Cars have been used in robberies since the early part of the twentieth century. Drunk drivers have killed hundreds of thousands of people. Drive-by shootings are now commonplace.

You are probably going to have to get on the information superhighway if you want to get anywhere in the information age, and there are going to be accidents and crimes on that highway just as there are accidents and crimes on our automotive highways. There are no safety belts in most modern computers, and the computer criminals know how to break into your computer over the network just as their compatriots know how to break into your car in a parking lot.

So how do you protect your information assets? If I could answer that question in a sentence, this would be a very short book indeed. Fortunately, the basic plan can be outlined pretty quickly:

• Recognize your dependency on information. Everyone has always depended on information to one extent or another, but in the information age, the dependencies are more extreme, and the implications of those dependencies are more far-reaching. The information industry has created tools for dealing with information. Almost everyone who depends on information now depends on those tools as well. In many cases, people literally cannot live without them. Dependencies on the information infrastructure our presented in depth in Chapter 2, A Growing Dependency.
• Recognize the weakness of the infrastructure you depend on and the extent to which it is being exploited. Most people believe that most computers work most of the time, and that when they occasionally have problems, they can be easily fixed. Of course, that is what the people who exploit information systems probably want you to think as they steal billions of dollars a year, win military conflicts, gain advantages in negotiations, ruin other peoples' reputations, and on occasion, kill people. Infrastructure weaknesses are addressed in Chapter 3, The Disrupters Are Among Us. The historical roots of these problems and some of the issues we face in addressing them are discussed in Chapter 4, Asleep At The Switch.
• Recognize that protection is something you do, not something you buy. What do I mean when I say that? Suppose I want to protect my house from water damage. It doesn't matter how good a roof I buy for my house, it's not going to protect my house forever. I have to maintain the roof to keep the water out. It's the same with information protection. You can't just buy it, you have to do it.

  Most people in the United States today believe that money can cure their problems. But in this particular area, it is your time and effort that makes the difference. No matter who you are or what you do, you are a part of the solution to the information protection problem, and it affects you personally. From the person who uses an automated teller machine (ATM) to get cash on a weekend, to the top technical expert at the largest information technology provider in the world, everyone must play their part in order for protection to be effective. To play our parts properly, each of us must know what to do and how to do it. The techniques used to address information protection are discussed in Chapter 5, Protecting Your Information Assets.

• Pursue information protection with appropriate priority. Most people ignore information protection issues completely most of the time and treat them as a very high priority item over a short period of time during crisis periods. This results in higher costs and greater losses. The most effective strategy, and the one that costs the least in the long run, is a slow and steady approach that achieves reasonable levels of protection in reasonable time frames for reasonable costs. Case studies show this point most effectively, and are provided in Chapter 6, Protection Posture Case Studies.

   

A caution before you read on. The gap between reality and the widespread perception of our technical community is so vast that many so-called experts who read this book may claim that the threats described here are overblown. I want to give you at least one example of just how far the majority view can be from the reality. In September of 1988, I submitted a proposal to the National Science Foundation to perform research into defenses against computer viruses. The response I got from the technical reviewers (which arrived in late October) was, in essence, that there was no such thing as a computer virus, and that such a thing was impossible in modern computer systems and networks. About three weeks after I got that response, the Internet Virus incident occurred, and more than 60,000 networked computers were infected for a period of two days. The chances are very good that the very researchers who claimed it was impossible in their review of my proposal were harmed by that ``impossibility'' only a few weeks later. Today, there are several thousand known computer viruses spreading through the information systems of the world.

Preview

This book is about the risks that arise from mixing computers with communications and how to remain safe in that environment. The overall organization of this book follows a progression first developed in a study done for a government agency in which I was one of the principal investigators. [DISAdoc] The core position taken in this book is can be summarized as:

• We all depend on information and information systems.
• These systems are highly vulnerable to disruption.
• A lot of people can and do disrupt these systems.
• It is in our best interest to protect ourselves.
• Protection is something you do, not something you buy.
• We all need to know what to do to protect ourselves.

The remainder of the book details what organizations of various sorts can do, should do, and actually do to protect themselves.

I presume that you understand by now that we all depend on information systems in our daily lives, but perhaps you don't know how deep the dependency really is. Our telephone systems, cable systems, electrical power grid, much of our transportation and delivery systems, and almost every other element of our National Information Infrastructure (the NII) is controlled by computers. Most NII information systems are networked. In effect, the whole nation and much of the world is interconnected. Even the U.S. military heavily depends on the civilian information infrastructure for major aspects of command, control, logistics, payroll, training, and other operations.

In short, our national dependency on the Nation Information Infrastructure is so extreme that our nation and our way of life literally could not continue without this infrastructure operating properly.

When you buy a car, the salesperson doesn't normally tell you about how many people get killed each year in automobile accidents. It's the same way with computers. The salespersons tell you about how much you can do with them, how easy they are to use, how useful they can be for storing, manipulating, and presenting information, and how easily they connect to other computers throughout the world.

In the case of cars, there is plenty of publicity about crashes and the government requires safety features to help prevent accidents and mitigate the harm when accidents happen. Incidents of people running each over with cars on purpose are fairly rare, and when people do, they are charged with vehicular homicide. Computers, on the other hand, have no protection whatsoever. No protective features are mandated, there are few laws about what you can or cannot do with a computer, and interconnected computers are generally wide open to accidental or malicious disruption.

The lack of mandatory protection requirements means that those features are an added expense for computer hardware, software, and service providers that can only be justified by consumer demand. But demand is largely driven by marketing, and history has shown that marketing safety when there is little or no perceived risk paints a negative image on the product or service. Thus, there is no economic benefit to the supplier to provide for protection at this time, except where it may save on warranted maintenance costs. The result is that modern information systems are almost completely devoid of meaningful protection.

Today's information systems are so vulnerable to attack that this book contains hundreds of examples of actual attacks with effects ranging from financial loss to death. I don't want to minimize them by trying to give just one example here.

There are a lot of people in the world who know how to disrupt information systems. More than 30 countries have sponsored concerted efforts in both attack and defense technologies related to disrupting information systems. Many of those countries create or produce the technologies we now depend on for the NII. But nation states are only a small part of this story.

There are hundreds of individuals and organizations throughout the world with the capability of disrupting large portions of our NII.

Groups capable of disrupting the NII include terrorist organizations, economic rivals, hacker groups, drug cartels, organized crime cartels, and knowledgeable individuals. Furthermore, the disruption of some portions of the NII can cause cascading effects that impact other NII components. For example, the power grid is controlled by telephonic communications, while the telephone system gets its power from the power grid. If an attacker could take some portions of the power grid off line for about 10 days, it could cause a massive telephone failure that could result in the electric utilities being unable to get the power grid back up.

But if you are not concerned about a national collapse, you should be concerned about the far larger number of people who know how to cause disruption within smaller organizations. There are at least several thousand people who know how to remotely access and disrupt internal information systems and networks at almost any modern organization. Even those who use special firewall computers to protect themselves from this sort of attack can be easily defeated by a sufficiently knowledgeable attacker.

The losses from these sorts of attacks are quite startling. Some figures cite as much as 4 percent of the gross domestic product of industrialized nations as being lost due to information system disruption. There are several well-documented and publicized losses in excess of 100 million dollars. Some incidents have produced losses in the billion-dollar range.

The NII is comprised, in essence, of all of the interconnected information systems in the United States and all of the interconnection mechanisms used to make those connections work. This currently includes more than one half of all of the computers in the country, all of the telephone systems, all of the cable television systems, all of the satellite communications systems, and many other elements.

If the NII as a whole is disrupted, or if the NII is exploited to disrupt some of the systems that are a part of it, the harm to the people of the United States may be staggering.

It is clearly in the best interest of everyone in the United States to assure that adequate protection is provided both for the NII as a whole and for the elements that comprise it.

The key element in understanding information protection is getting a solid grasp on the concept that protection is something you do, not something you buy. A good example of how many people misperceive this is the recent flurry of interest in using firewall computers to protect internal networks that are connected to the Internet.

It is not unusual for people who sell or promote products to claim that their product is the solution to all of your problems but, unfortunately, in information protection, no product can solve all of your problems.

The Internet firewalls now being pushed into the market may provide a valuable technical tool that allows a competent team of experts to prevent and detect certain classes of attacks that originate from other sites. They are not universal products that keep you from harm of all sorts. There are literally hundreds of ways of bypassing any such protection scheme, ranging from human engineering to fraudulent software update disks.

In order for the firewall technology or any other protection technology to be effective, the technology has to be properly managed, skilled professionals must operate it, users must be trained on how to use it, changes to it have to be properly controlled, it must be physically protected, it must be tested, auditing must be done on a regular basis, and this is only the beginning of the story.

At the heart of the protection activity is the problem of getting the knowledge needed to properly carry out that activity. Because the value of information is pervasive in modern life, so must be its protection. Anywhere valuable information goes, protection must also go. That means that everyone who deals with valuable information must also be involved in the information protection function at some level.

My daughter Megan is only 11 months old, but she is already learning not to touch the buttons on the VCR in the living room. Her older brother David is five, and he already knows not to touch other peoples' computers, that wires are not to be fooled with, that fingers don't touch the shiny parts of floppy disks, that you don't tell strangers about yourself without permission from your parents, and on and on. My six-year-old, Mollie, knows to read the instructions on the computer screen before pressing the keys, and she even knows which directories and files are not hers. My eight-year-old, Carolyn, knows that overheated computers break more often, she has files with private information, she has a user ID and a password, and she knows to turn the laser printer off when it's not going to be used for a while.

In order to be effective in information protection over the long run, as a nation, we have to start to teach our children about computer ethics and other information protection issues, and we have to help them understand that computers are not always right or trustworthy. Our children need a healthy respect for both the power and the limitations of our information technology, and the same thing applies to all of the rest of us.

In order to be involved in the protection function, people at all levels of an organization must be aware and knowledgeable about the protection issues they will encounter and understand how and why these issues involve them. From the chairperson of the board of the largest corporation in the world to the person who cleans the toilets at the local restaurant, some degree of understanding of information protection must be embedded in their job function if protection is to be effective.

Effective protection requires a combination of people with expertise from different fields working together to provide an appropriate mix of operational solutions that meet the need.

For ma and pa businesses, this may mean restricting the use of the NII or using services that provide protection functions. For larger businesses this may mean a shift in operating policies and procedures and a long-term commitment to protection in line with the long term commitment to information technology. For large multinational firms, this may mean even more commitment and resources, and cooperation by people from all around the world. For military organizations and governments, this may mean sacrificing some efficiency in exchange for effectiveness.

If you are buying computer security products or using quick fixes for every protection problem you encounter or hear about - stop. Start forming a reasonable and responsible information protection plan using high quality, well-qualified experts to help you. Then follow the plan and you will have long-term, effective protection at a justifiable cost.

The National Information Infrastructure

The term Information Superhighway was coined by the press in 1992 as a way to talk about the emerging National Information Infrastructure (NII) described by Vice President Al Gore in his call to action for the nation. The use of this term follows a long tradition of talking about computers in the frame of reference of automobiles. For the remainder of this book, I will use the term NII or National Information Infrastructure to describe this evolving entity.

To understand the issues that come up in the NII, it's helpful to understand what the NII is comprised of, how it operates, how it came to be, and what the future is likely to look like. Unfortunately, nobody can actually describe the NII at any given time because it is constantly changing, is not centrally controlled, and is evolutionary in its makeup.

In a recent talk, I used a series of 10 overhead viewgraphs representing different viewpoints on the NII, ranging from cable television, to telephone systems, to information services, to satellite maps, to fiber optics, and so on. After describing all of these components, I put all of the slides up on the screen at one time and declared ``This is the NII''. Of course, with that many network maps on the screen, it is impossible to see much more than a jumble, which is an accurate depiction of the state of the NII today.

With such a complex jumble of independently changing technical components, it is impossible to get a good understanding of the NII without some technical knowledge. Furthermore, understanding the issues of information protection requires a solid understanding of the state of information technology. Even from an executive level, some amount of technical understanding may help in understanding the language of protection and the rationale behind protection decisions.

On the other hand, most people understand the NII by viewing the services it provides. Today's providers provide a wide range of information services. Over time, people will learn to use increasingly sophisticated information services, and the user-level information service providers will grow into a massive component of the industry.

There is essentially no limit to what sort of information can be provided in a general purpose information system like the NII. In fact, this may lead to the real problem with such a system. With all of the information available, it may become difficult to separate the signal from the noise.

Right now, the range of services available for $10 to $30 per month (plus special fees for some services) includes but is not limited to:

• Business Information: Business registries, lists of trademarks and patents, universal industry codes (UIC), universal product codes (UPC), lists of products and prices, on-line shopping, and store fronts.
• Financial Information: Current market information, on-line trading, financial news, investment advice, consulting, interest rates, dates and deadlines for market events, federal regulations, and proposed operational changes.
• News, Weather, and Sports: Associated Press (AP) and United Press International (UPI) wire services, newspaper articles from the last 100 years, current and historical weather and predictions from around the world, current and historical results of athletic events, event schedules, and tickets.
• Computing: Mailing lists of people who own or are interested in any computer hardware and software of interest, on-line copies of thousands of shareware products, bulletin boards about all sorts of issues in computing, low cost computers and parts, access to consultants, reports of computer risks, and reports of recent computer viruses.
• Personal Information: Motor vehicle information, results of court cases, credit history, names and addresses of relatives, telephone numbers, where you work, what you get paid, where you live, what kinds of things you buy, where you shop, what clubs you belong to, where you go on vacation and when you are gone, who you call, who calls you, how long your calls last, when you make those calls, what kind of car you drive, your driving record, where you buy gas, how much you travel by car, what books you read, your age, hair color, eye color, height, weight, how much and what brand of shampoo and birth control you use, and what magazines you subscribe to.
• Reference and Education: On-line encyclopedias, dictionaries, reference libraries, upcoming lectures and speeches, scheduled media events, proposed legislation, congressional records, summaries of news and magazine articles, detailed technical information on all sorts of systems, disease statistics, population statistics, farm reports, building codes, pictures from NASA, and traffic regulations.
• Entertainment and Games: On-line real-time adventure games with live opponents, games against computers like chess and checkers, video games and simulations, humorous articles and jokes, announcements of concerts and other events, news of international tournaments, and bridge and chess player ratings.
• Travel and Leisure: Reservations, ticketing, travel brochures, world maps, on-line communication with people from faraway places, science fiction groups, people who like novels, book clubs, on-line books and videos, and tips on how to mow your lawn.
• Groups and Clubs: You name it, it's in there. Thousands of on-line groups are commonly available covering everything from quilting to skydiving.
• Electronic Mail: To anywhere in the world with a network address, 24 hours a day, 7 days a week, mail arrives in seconds between many locations.
• File Sharing and Remote Access: On-line access to remote files with any of the information listed here and much more, remote access to millions of computers for those authorized to use them, World Wide Web service and Gopher to locate information throughout the network based on a word or words describing it.

   

Other services are also available. For example, you can connect your local area network (LAN) directly to the National Science Foundation network (NSFnet) by leasing a high-speed telephone line from your site to the local public access point. You can get a satellite dish and lease time slots on satellites for private communication. Video teleconferencing capability is provided by many telecommunications providers to enable sites around the world to have meetings by video phone. Teleconferencing is now widely used by geographically distributed companies to have meetings. Cable systems can be used to form metropolitan area networks by leasing some of the unused bandwidth and putting proper equipment on the cable.

Information services in the NII may eventually be tailored to each individual.

Consider the effect on advertising when enough personal information becomes available to be able to send each individual a custom-tailored advertisement for just the items that person is most likely to buy at the highest price he or she is likely to be willing to spend for them.

The pitch may even be so customized that people believe it's their old friend or someone from their local religious group on the other side of the wire, when in fact, it's only a machine.

The NII holds great promise, but it also holds great risks. Success on the information superhighway will depend on our ability to properly manage it so as to balance the risks with the benefits.