METHODOLOGY

"The Day After..." exercise methodology has been developed to explore new and evolving post-Cold War international security problems, in particular in the realm of new types of strategic warfare.

This version of the exercise methodology is based on a two-step process generally lasting a total of approximately four to five hours.

Participants in the exercises take on the role of advisors to a senior-level decision-maker (or decision-making body) in a group deliberative process akin to a classic time-constrained "pre-meeting" where the principal task is to finalize a document or set of materials (e.g., an issues and options paper) for a formal deliberative/decision-making meeting (such as a National Security Council meeting).

In general, two or more groups (of nominally 6-12 individuals under the leadership of a chairperson) go through the identical exercise at the same time and compare the character and results of their deliberations at the end of each of the steps.

(1) on possible short-term technical solutions to a set of pressing cyberspace security problems that emerge in the context of a future political-military crisis (STEP ONE of the exercise) and

(2) on prospective current/near-term R&D-related strategy and policy initiatives that would address existing and projected strategic vulnerabilities in the U.S. defense and national information infrastructures (STEP TWO).

The group's STEP ONE task is to revise a draft of a memo from the SECDEF to the President on possible short-term fixes to the pressing cyberspace technical issues that have emerged in this crisis.

In the context of this tasking group, consensus on the text of the memo and recommendations to go forward to the SECDEF is desirable but not necessary. Where consensus cannot be achieved, the group notes and conveys forward the prevailing differences for final decision-making by the Secretary of Defense in consultation with the Director of ARPA.

In "the day before" (STEP TWO) of the exercise, the context changes to the present or near future.

In this more contemporary context, the group is again convened as a team with another time-constrained tasking. This group must revise and improve a memo which is going from the Director of ARPA to the Secretary of Defense immediately in advance of a cabinet- level meeting where it is intended that the President decide on a new national R&D initiative investment strategy for information systems security, to be manifest in a set of new initiatives on:

(1) Overall investment strategy,

(2) New operational concepts and practices based on new technological opportunities, and

(3) New R&D initiatives and new R&D priorities

The objective in this last step is to seek initiatives that would help minimize the prospect that future crises such as that just faced would occur--or, if they do, to mitigate their consequences, and reduce the likelihood that they would ever occur again.

BACKGROUND

As the Twentieth Century drew to a close, political changes and continued unrest in the Persian Gulf, in Pakistan, in the Islamic countries of the former Soviet Union, and across the breadth of North Africa had created a new and profoundly troubled region of the world now frequently labeled "the Islamic Arc of Crisis."

Adding to U.S. and European concerns about this region was the rising prospect that one or more of the potential predators in the region had developed the capacity to exploit the Global Information Infrastructure (GII) as a field of strategic political-military operations.

The latter situation has sparked particular anxiety in the U.S. about the safety and security of the U.S. National Information Infrastructure (NII) and an evolving Defense Information Infrastructure (DII) (see below).

MAJOR FEATURES OF THE GII, NII, AND DII

In the 1990s the Cellular/Wireless Revolution proceeded apace with the availability of new low and medium earth orbit satellite constellations such as Iridium and Globestar providing readily accessible global two-way communications via portable telephones. It is now estimated that 25% of the North American, European, and Japanese adults routinely carry a cellphone. A similar explosion of cellphone use continues in other major markets.

The Internet has become a pillar of both the NII and GII. All countries now have Internet hosts, and it is estimated that 70% of the world's population now lives within a local telephone call of an Internet gateway.

The phenomenon of the World Wide Web has continued to expand, with over forty million "home pages" of information providing links to data bases around the world. Many of these home pages include video and voice releases specially designed for consumption by the mass media.

One of the most significant trends of the past decade has been the growth of electronic commerce. Current estimates suggest that a third of all formal U.S. business transactions now occur electronically using both standardized data interchanges and specialized communications between cooperating companies employing a range of digital encryption standards.

Attempts by the U.S. government to establish a hardware encryption standard (successors to the CLIPPER CHIP initiative) have been thwarted by lawsuits brought by both citizen groups and software companies.

The NII and GII are also being heavily used by a new generation of activist groups. Many such groups are linked in transnational networks that address a broad range of environmental, human-rights, and other global issues.

The Internet and World Wide Web have become virtual battlegrounds for software "agents" of various types. Tens of thousands of such agents have been unleashed to roam "the Net" and "the Web" looking for items meeting a profile of interests of their users, or blocking such access.

In 1998 the President decided to allow the bulk of the Defense Department's "peacetime and administrative communications" to continue to rely on the commercial switched telephone and public data systems. The vast majority of DII communications now pass over the commercial Public Switched Network (PSN), relying on various levels of encryption to protect classified information.

During the period from 1995-2000 various largely unsuccessful attempts were made to increase the security of the PSN. These efforts have been complicated by the fact that "the PSN" is run and maintained by many competing companies including cable, cellular, and satellite operators, so that changes are difficult to mandate and place into effect. As a result, other than individual use of end-to-end encryption by cooperating parties, PSN security in the year 2000 is not much better than that in 1996.

The problem is exacerbated by several continuing trends: (1) widespread use of open, standard systems whose protocols and internals are well known; (2) cost saving by increased use of remote maintenance (e.g., through dial-in ports) in telecom and energy control systems; (3) more shared trust among many disparate providers of PSN service; (4) more frequent changes to PSN software caused by competition based on new features and facilities among providers.

In 1998 the possibility of the U.S. developing a (national and global) Minimum Essential Information Infrastructure (MEII)--to insure that there would be "emergency lanes on the information highway" for a variety of contingencies --became a matter of serious discussion. The principal motivation was the perceived need to establish a minimum capability to support prospective large-scale U.S. and allied force deployment operations.

While discussion of various MEII architectures and performance criteria continue, serious development work on an actual MEII has not yet begun. There remains broad disagreement on the scope of such a system with the debate focused on:

• Protecting only military and other communications and information systems key to major force deployment operations vs.

• Also protecting other infrastructure information systems more directly impacting the U.S. populace vs.

• Also protecting the information systems of allies and potential coalition partners

In light of the above environment, in the last few years there has been rising concern over the increasing interdependence of the PSN, the U.S. electrical power grid, data networks supporting the air traffic control system, the Global Positioning System (GPS), and other key U.S. infrastructure elements. As a consequence of this concern, national security, intelligence, and law enforcement agencies in the U.S. (as well as in other nations) are devoting increased resources to efforts to assess and counter both domestic and foreign IW threats.

MAJOR FEATURES OF THE GLOBAL SECURITY ENVIRONMENT

Saudi Arabia Under Stress

The Saudi monarchy has suffered substantially from internal dissent and distress since the 1997 death of King Fahd. A weak successor now struggles to govern both the family and the kingdom, which is increasingly beset by growing tensions between an Islamic fundamentalist dissident movement and the "nationalist modernizers" who currently dominate the Saudi government.

By 1998, much of the Saudi dissident movement (especially within the universities) had coalesced around the goals and objectives of the increasingly influential Campaign for Islamic Renewal and Democracy (CIRD). This loose transnational CIRD coalition, formed at the 1997 Damascus meeting of Islamic state and non-governmental organizations (NGOs), has become a prominent force for social and political change in the Persian Gulf region as well as throughout the Islamic world.

The CIRD is very well funded, principally by North American and European Islamic sources but also in part by domestic sources in Saudi Arabia, Iran, and Pakistan. The CIRD exploits a variety of modern advanced information and communications technologies for organizing, fund-raising, media coverage, and building ties to organizations throughout the global Islamic and broader NGO community. Several CIRD chapters are now very prominent within the North American Islamic community.

Oil prices have remained stable throughout the 1990s which has forced the Saudi Kingdom to make cutbacks in ambitious domestic and social programs designed in part to "keep domestic peace."

The Saudi regime's nervousness about their overall security and financial vulnerability markedly increased in early 1998 following the revelation that the Bank of Saudi Arabia had been "looted" of nearly $1.2 billion by a sophisticated electronic attack which for two months had successfully used "skimming" and other "cyberspace bank robbery" techniques before detection by a British financial security service. The Saudi government later found strong evidence of both Iranian and Syrian involvement in the attack.

Adding to the Saudi kingdom's fiscal woes is the broad consensus within the monarchy and government elites-- strongly opposed by CIRD supporters within Saudi Arabia--that defense spending must remain high in the face of the increasing military and political power of Iran (see below).

Persia Ascendant

Iran openly supports radical Islamic fundamentalist groups in almost all of the Gulf states and trumpets a "pan-Islamic" strategy of building a broad political-military coalition to "resist American and European hegemony in the Islamic world."

Iran's nuclear weapons ambitions are widely acknowledged though there is at present no evidence that the Iranians have any operational nuclear weapons. The Iranians continue to maintain that their rapidly growing nuclear infrastructure--which remains under IAEA inspection--is for "nuclear energy alone."

Iran continues to improve its long-range weapons delivery capability which currently includes: (1) 36 Russian Tu-22M Backfires, (2) an IRBM force of two dozen North Korean Nodong II missiles, and (3) an MRBM force of 200-300 Nodong I missiles.

Evidence of the extent of development of Iranian IW activity emerged in 1999 in India when three Indian nationals (including an acknowledged "world class" software writer) were arrested by authorities after penetrating supposedly highly secure Indian defense networks, and in the course of plea-bargaining confessed to selling Iran "a variety of 21st Century information warfare tools."

Iran maintains an uneasy relationship with the CIRD which has resisted Iranian efforts to convert the coalition to a more fundamentalist Islamic posture. In addition, a number of CIRD leaders have privately criticized the slow pace of democratization in Iran. However, intelligence sources report that Iran is channeling funds to some factions within the CIRD coalition.

Algeria

In the summer of 1998, relations between Algeria and the U.S. and Europe began to deteriorate as the new Algerian regime increasingly tilted toward the geo-strategic and political interests of Iran and military cooperation programs between the two countries became more widespread.

During the summer of 1999, French intelligence services were alerted to the attempted placement of a computer "Trojan horse" in the latest variant of the AirBus Industries AB-330 flight control software, apparently by Algerian agents in France acting under the direction of Iran. French aviation authorities found that Aerospatiale had been relying upon several Indian software subcontractors which had access to supposedly "secure" source code development and compilers.

Libya

Much to the surprise of many observers, the new Libyan government moved rapidly to hold elections and embrace "Islamic democracy." It is now viewed as one of the CIRD's strongest government supporters in the effort to build a united democracy-based Islamic political force.

Pakistan

With the departure of the Bhutto regime, the military-dominated government took on an increasingly militant Islamic stance which included dramatically expanded political-military ties with Iran.

Israel and the Arabs

In the summer of 1999, the Israeli government began to be subject to (in Mossad's terminology) "a new form of strategic warfare"--a series of electronic attacks on Israel's military command and control system by a sophisticated array of "sniffers" and "logic bombs" of uncertain origin.

The Russian Federation

In 1997 the Russian military created a new Radio Electronic Combat Command which has been charged with the development of "a comprehensive 21st Century offensive and defensive information warfare capability."

The new Russian information warfare effort in part reflected acknowledgment of a continuing domestic problem--increasingly sophisticated internal "cyberspace banditry" techniques employed by Russian "mafiya" organized crime groups. While such attacks within Russia have diminished, the groups continue to mount successful attacks on European and American banks (with an estimated gain of over $2 billion in the year 1999 alone). U.S. and European intelligence and law enforcement services strongly suspect that some of the best Russian "mafiya hacker talent" is now in the pay of the Russian intelligence services.

China

Reflecting ever-increasing Chinese self-confidence, there is now a dominant view among the Chinese political and military leadership that China should acquire "strategic military power second to none" in the early 21st Century.

A new and widely remarked Chinese "21st Century strategic asset" is the acknowledged skill of a emerging generation of Chinese computer experts which provide both the Chinese commercial and banking sectors and the government with world- class offensive and defensive IW "hacker" capability.

Japan

The Koreas

Implementation of the 1994 U.S.-DPRK nuclear "framework" has proceeded in fits and starts, but it continues to be seen as successful in holding back the North Korean nuclear program. However, the DPRK maintains a robust indigenous missile development and production program and an extensive missile export and cooperative development program with Iran.

The United States

With support from a broad range of existing peace, human-rights, environmental, and other activist groups, the CPP grew quickly with a "start in your own international neighborhood" organizing theme--using the Internet to organize a wide range of U.S., Canadian, and Mexican NGOs to focus a coordinated effort on the continued acute political unrest in southern Mexico. In late 1998 the organization gained considerable prestige by facilitating a widely hailed "peace agreement" between the Mexican government and the "Third Zapatista Revolution."

Building on the success in Mexico, the CPP over the past year and a half has become increasingly involved as a mediator and Internet organizer of "peacemaking coalitions" in a number of regional and other conflicts around the world (in which capacity it has developed substantial informal ties with the Islamic CIRD coalition).

In 1998, an organization was established within the JCS to oversee the development of offensive and defensive operational concepts and campaigns and new requirements for "electronic warfare techniques." This organization works with the various unified commands to develop Radio Electronic Combat or IW planning annexes for the CINCs' CONPLANs for various contingencies. Increasing concerns about the viability of the nuclear non- proliferation regime led in 1998 to major revisions in U.S. force structure plans to make room for a package of counter- proliferation initiatives which included: (1) A crash effort on the Theater High Altitude Air Defense (THAAD) system, (2) Extensive overseas sales of Patriot/ERINT and Standard anti-tactical missiles, and (3) Accelerated development of long-endurance unmanned air vehicles (UAVs) and a companion program of multi-mission unattended ground sensors (UGS).

In late 1999 in the wake of the French AirBus incident reported earlier U.S. commercial aircraft companies initiated a survey of the software in the flight control systems of aircraft under development to insure software system integrity. Other than some minor software code errors, nothing was found--but there emerged a heightened vigilance in the commercial aircraft sector to protect these systems.

Persian Gulf Security

The military contingency plans for the region now include the prepositioning of substantial additional military equipment in the region and rapid deployment commitments code-named GREEN HORNET for the U.S. (see Table 1) and SILVER SABRE for the U.K. and France.

A British air mobile/motorized and a French air mobile/motorized division along with several squadrons of tactical fighter aircraft constitute the principal European military components of SILVER SABRE.

In 1998, the Joint Staff approved an IW contingency plan for CENTCOM combining both electronic and physical attack: Operation FORCE FIELD--a theater-wide command and control warfare master plan designed to provide "information dominance within a 500 km battle cube" and in particular render ineffective the key elements of a future regional opponent's tactical reconnaissance, air defense, and C3I systems.

	Phase One Deterrent Phase	Phase Two Initial Defense	Phase Three Full Capability
Army	Deploy 2 THAAD battalions Place 2 Phase Two Divisions on Alert Deploy Army equipment set from Diego Garcia Airlift 3 brigades to prepositioned equipment sets in Kuwait and Bahrain	Fully deploy 2 Phase Two Divisions Place 4 Phase Three Divisions (3 CONUS/1 Europe) on Alert	Fully deploy 4 Phase Three Divisions Reserve call-up
Navy	Move 1 Carrier Battle Group (CBG) to Gulf of Oman Move 1 Aegis to Persian Gulf	Deploy CBG to Red Sea Move 1 Aegis to Persian Gulf Move 2 Aegis to Med Partial Ready Reserve Fleet (RRF) call-up	Deploy 3 CBGs Move 6 Aegis to Theater Reserve call-up Full RRF
Air Force	Deploy 1 Air Combat Wing (ACW) Deploy AWACS, JSTARS, intel aircraft	Deploy 3 ACWs	Deploy 7 ACWs
Marine Corps	Deploy 1 Maritime Prepositioning Squadron (MPS) from Diego Garcia and off load in Saudi Arabia Off load in-Theater MPS Airlift associated CONUS brigade personnel to theater	Deploy 2 MPS from Atlantic and Pacific Marry up 2 CONUS brigades w/in-theater MPS equipment Deploy 2 amphibious brigades from CONUS	2 amphibious brigades in Theater Reserve call-up
Troop Strength	50,000	+100,000 = 150,000	+150,000 = 300,000
Time to Complete (from t=0)	7 Days	30 Days	60 Days
CRAF Aircraft Req't	0	120	200

THE CRISIS

In Caracas

The Caracas OPEC meeting ended in total failure and disarray after three days of tense discussions marked by a final televised shouting match between the Iranian and Saudi oil ministers.

In the Persian Gulf

On May 8 the Saudi ruler called in the U.S. Ambassador and expressed his deep concerns about the Iranians whom he feared might use the OPEC stalemate as an excuse for "a move of greatness" in the Gulf.

On May 10, Tehran radio and television announced that the Iranian Foreign Minister was flying to Riyadh with an "urgent proposal" that would "resolve the OPEC stalemate" and "respond to the evolving security situation in the region."

On the evening of May 10, the U.S. Ambassador to Saudi Arabia reported on the contents of the Iranian "proposal:"

• Iran, Iraq, Saudi Arabia and the other GCC states should immediately cut oil production by 20 percent.

• The GCC states should annul their military agreements with the U.S. and declare "neutrality" or non- alignment.

• In return Iran would declare the GCC states to be under "a new Iranian Persian Gulf security umbrella."

At 2030 local time on May 11, Saudi Arabia ordered the redeployment of one armored division toward its border with Iraq and a partial mobilization of selected reserve elements. Two hours later Kuwait placed its army and reserves on a higher level of alert.

In Egypt

In a message to the Secretary of State the U.S. Ambassador in Cairo noted that there was considerable uncertainty about whether the blackout was the product of "deliberate sabotage or just Egyptian bad luck."

In Saudi Arabia

In Washington

On the Saudi problem the CIA had "preliminary indications" that a hidden "trap door" was used that had apparently been placed into the latest release of code controlling many switching centers of the Saudi PSN. This code allows unauthorized passwords to be used to gain access through remote maintenance ports. The source of this problem was unclear although a radical anti-interventionist group claimed responsibility on the Internet.

In the Persian Gulf Region

Twelve Saudi F-15s arrived on the scene in minutes and in the ensuing battle both of the Saudi gunboats and three Iranian ships were sunk. Minutes later fifteen Iranian MiG-29s and 31s arrived and in the air battle that followed nine Iranian aircraft were downed at the cost of five Saudi F-15s.

At 0630 local time on the 12th, a S-3B Viking from the CBG Ronald Reagan was fired upon by an Iran missile frigate while conducting a maritime surveillance mission over the Straits of Hormuz.

Thirty minutes later, F/A-18s and F/A-14s from the Reagan found the frigate some fifteen miles south of Bandar Abbas. The USN aircraft were confronted by eight Iranian MiG-29s. During the short air battle three MiG-29s were shot down and the frigate was sunk after receiving three Harpoon missile hits.

In Saudi Arabia

This event was followed by a "war communiqué" from a radical Islamic group linked to Iran asserting that "the enemies of the true faith of Islam were vulnerable to the full range of Islamic might." The statement concluded with the threat that the economy of the Saudi Kingdom "could be brought to its knees with the touch of a button."

In a memcon to the Secretary of State, the U.S. Ambassador to Saudi Arabia warned that the Saudi elite was "horrified by the prospect that Iran might have the capacity to severely disrupt their economy without firing a shot" and beginning to express concerns that the United States may be "unable to help the Saudi government respond to this new threat."

In Moscow

In Tehran

• A cease-fire in place of all forces on both sides.

• An immediate freeze on further deployments by "foreign forces" in the region.

• An immediate summit at a neutral site to discuss "a peaceful resolution of a crisis not of Iran's making."

The notes to the leaders of Kuwait and Saudi Arabia also included a separate and explicit message that Iran would soon "demonstrate the futility of depending upon the American imperialists for protection from modern weapons systems."

Early that afternoon local time, Iran fired three Nodong I MRBMs virtually simultaneously from a field site south of Tehran. Two of the three successfully deployed previously unseen exoatmospheric penetration aids.

In Germany

Within three hours, the CIA issued a preliminary report indicating there was "clear evidence" that the freight train had been misrouted onto the passenger track with "some evidence" pointing to a sophisticated intrusion into the Bundesbahn rail control system.

In New York

In Washington

In passing the report to the President that evening the National Security Advisor noted that "NSA had considerable doubts about the origin of the attack." Further, he noted that the CIA's Foreign Terrorism Center was preparing a report voicing the strong suspicion that the tragedy was the product of a conspiracy which "may or may not be connected with the unfolding events in the Persian Gulf."

In the United Kingdom

In Atlanta and London

The London Stock Exchange Index fell 10% in late trading on the 16th with investors shifting assets to safer havens.

In New York

At 1500 the oil futures market closed with the spot oil price at $75 a barrel. Gold prices for the day were up ten percent.

At 1700 the Security and Exchange Commission(SEC)'s crisis investigating team informed the Secretary of Commerce that "a pattern of institutional investment manipulation involving as yet unknown parties working through a set of European and Middle Eastern Banks" had been "a leading factor in the rapid acceleration in the Dow's mid-afternoon decline."

In Germany

In Washington

Two hours later the Consortium submitted a formal request to the U.S. Park Police for a permit for the Mall for May 21 for a "demonstration of support for mediation and opposition to U.S. intervention in Saudi Arabia" for "an estimated 100,000 participants." By nightfall similar permits had been requested in ten other major U.S. cities.

Approval of the Mall and other CPP requests seemed certain and mobilization of CPP chapters began to occur through communiqués sent over the Internet and more traditional media outlets.

In the Persian Gulf

In Delaware

In Washington

The meeting opened with an intelligence briefing by the DCI who emphasized the uncertainty in the source or sources of the attack and noted that at this time there was "no way of knowing for sure" whether what we are seeing is:

(1) Testing of strategic IW capability by one or more parties,

(2) The beginning of a dedicated IW campaign to derail anticipated U.S. Gulf deployment plans, or

(3) Most of what we can expect from a strategic IW campaign mounted by Iran or others."

The CJCS Chairman immediately emphasized that the Time Phased Force Deployment List (TPFDL) for GREEN HORNET was very dependent on the ability to meet "a host of just-in-time logistic timelines" and would not tolerate "any significant disruption."

He also expressed growing concern about the problem of mobilizing the CRAF aircraft and crews that were "key to Phase II of GREEN HORNET" if someone were able to penetrate the management information systems of major U.S. airlines.

In the highly speculative discussion that immediately followed it became very clear that in spite of "circumstantial evidence" pointing to Iran there remained considerable uncertainty about the extent of Iranian involvement in the recent IW incidents.

The discussion eventually turned to the military situation in the Gulf where after further reviewing the military and diplomatic issues on the table, the President announced the following decisions:

• Execute Phases I and II of GREEN HORNET.

• Deploy one-half all available CONUS-based ATBM battalions to Egypt and Saudi Arabia.

• Set up a trilateral video conference with the British Prime Minister and the President of France to gain agreement of these governments to execute SILVER SABRE.

• Immediately convene the North Atlantic Council.

• Reject any diplomatic initiatives at this time with Iran or the CIRD.

The President then led a further in-depth discussion of the IW situation in which he expressed particular concerns about the long- and short-term implications of possible successful IW attacks against U.S. and allied Persian Gulf deployment plans and the national information infrastructures of the U.S. and its European allies and key coalition partners in the Gulf region. He emphasized the need to "demonstrate persuasively and as soon as possible" that further IW attacks such as those already experienced would not be able to fundamentally undermine U.S. military strategy in the current crisis.

During the discussion the President strongly admonished the Press Secretary to "keep the lid on" and "downplay all speculation" regarding both the extent of U.S. cyberspace vulnerabilities and the origins of the IW attacks experienced to date especially those in the U.S. He noted that further decisions on the crisis could be made even more difficult if there were public panic growing out of "media hyping" of the IW threat to the U.S. and attributing the attacks to date to Iran when the actual source might be "domestic anti-interventionist political forces."

In closing the meeting the President turned to the SECDEF and asked him to see if he could pull together some information security experts to generate "new or creative ideas" that could be brought to bear "in the near term" on the IW problems of principal concern in the crisis.

Another NSC meeting was scheduled for late the next morning to review the results of the trilateral discussions and again address the IW problem.

Upon leaving the meeting, the SECDEF contacted the Director of ARPA and instructed him to immediately assemble a tiger team of information system security experts to address the IW- related issues and concerns that had come up at the NSC meeting. The SECDEF described the President's principal concerns and asked for recommendations on possible "near-term creative solutions" to the problems posed "beyond the standard procedures to tighten information systems security that the services and the CINCs would be likely to take on their own."

In Washington, London, and Paris

INSTRUCTIONS

How to Proceed

1. You have been selected as a member of a technical tiger team advising the Secretary of Defense and the Director of ARPA, in a time-urgent process. The group's task is to revise a draft memo to the SECDEF in preparation for the ARPA Director's meeting with the SECDEF scheduled for a few hours hence.

2. The group's tasking is to produce an assessment for the SECDEF to send to the President proposing possible short-term technical solutions to these pressing cyberspace problems.

The Chair(person)

2. The Chair will ask one participant to record the results of the group's deliberations and recommendations.

3. The Chair will likely begin by asking for participants in her/his group to very briefly (e.g., in a few sentences) give their individual perspectives on the overall situation and the particular challenge presented to the group.

Decisions to Be Made

I. Issues and Options

Under the guidance of the Chair, the group should discuss and expand this Draft Memo as judged appropriate. In particular the Chair should ascertain whether there are other critical issues beyond those presented which the SECDEF might bring up at this point in time--and modify the Draft Memo accordingly.

It should be kept in mind that the group is not being convened primarily as a decision-making body; the group's principal responsibility is to craft a good issues and options memo to send forward to the President.

2. Recommendations

When the time for STEP ONE is up, the Chair of each group will be asked to summarize very concisely the group's deliberations and recommendations. This summary should be brief--if at all possible, not more than five minutes.

Draft Memo for the Secretary of Defense

I also told them that your principal short-term objectives in terms of IW are:

• Ensure that the GREEN HORNET and SILVER SABRE deployment plans proceed without serious disruption due to IW attacks.

• Identify the source(s) of the recent series of IW-related events.

• Take concrete defensive IW actions which can be made public and serve to reassure the American public that we can respond effectively to cyberspace attacks against the DII and key U.S. NII systems.

• Assist Saudi Arabia in responding to the IW attacks on its NII in order to enhance the prospects that the Saudi government will survive the threat posed by the internal dissident movement and Iran.

In response to the tasking summarized above, below you will find a set of recommended near-term actions for your consideration along with preliminary assessment of possible implementation obstacles. The issues and recommendations have been organized as follows:

I. Issues Related to GREEN HORNET/SILVER SABRE
A. DII Issues
B. Other Related U.S. NII Issues
C. Allied/Coalition Partner Information Systems Issues

II. Issues Related to IW Tactical Warning/Attack Assessment

III. Issues Related to Strategic IW Attacks on the U.S. NII

IV. Issues Related to Strategic IW Attacks on Allies and Coalition Partners

You expressed particular concern about the tight timelines for both the GREEN HORNET and SILVER SABRE deployment plans and the possible vulnerability of these plans to disruption by IW attack by either the Iranians, the CIRD, or domestic political forces opposed to Western intervention in the Gulf crisis.

As you are aware from earlier assessments, we do not at this point know the full extent of the capacity of any of these entities to disrupt a U.S. deployment to the Gulf. We have already seen one kind of attack--the mass dialing attack on the base phone system at Ft. Lewis, WA--that could potentially cause problems if widespread (i.e., if it occurred at a large number of U.S. military bases involved in GREEN HORNET) and sustained for many days.

In examining the different elements of the GREEN HORNET and SILVER SABRE deployment plans we see potentially serious IW-related problems in the following areas:

• Sustained IW attacks that disrupt and degrade U.S. and European air traffic control systems (ATCS).

• Sustained IW attacks on the information systems of U.S. airlines that are supplying Civilian Reserve Aircraft Fleet (CRAF) aircraft and crews to support GREEN HORNET.

• IW attacks that succeed in modifying the Time Phased Force Deployment List (TPFDL) for GREEN HORNET.

• IW attacks on the PSN in the U.S., Britain, and France.

•  

•  

•  

•  

•  

The second "Initial Defense" phase is more complex and potentially more vulnerable to disruption both here in the United States (since it involves CRAF aircraft and far more extensive rail and air transport of troops and equipment) and in Europe (since it involves U.S. forces stationed in Europe and the British and French Silver SABRE forces). The same is true of the third deployment phase which is necessary to achieve full offensive and defensive capability in the Gulf region. The amount of communications involved (relating to logistics and transportation and other logistics matters) is also much greater in both of these phases than in the initial deployment phase which raises more serious PSN concerns.

The recommendations of the tiger team in terms of possible near- term technical responses to these GREEN HORNET/SILVER SABRE IW- related problems (and possible implementation obstacles) are as follows:

A. DII Issues
Recommended Technical Response	Possible Implementation Obstacles
1. Close all possible firewalls to and within DII systems
2. Disable all remote dial-in maintenance ports on DII system telecommunications switches	Alternative maintenance procedures may prove inefficient and lead to selected system failures or delays
3. Provide 24-hr. system operator monitoring and overview of all critical information system nodes with special attention paid to detecting disruptions and abnormal system behavior
4.
5.

B. Other Related U.S. NII Issues
Recommended Technical Response	Possible Implementation Obstacles
1. (re PSN) Route all critical GREEN HORNET Phase Two/Three communications over available robust command and control channels rather than relying on the U.S. PSN	Could result in significant delays in GREEN HORNET Phase Two/Three communications and thus in deployment timelines
2. (re ATCS)
3.(re CRAF)	Need to ensure security of commercial airlines' main scheduling system
4. (re Power Grid)

C. Allied/Coalition Partner Information Systems Issues
Recommended Technical Response	Possible Implementation Obstacles
1. (re European PSN's)
2. (re European ATCS's)
3.

II. ISSUES RELATED TO IW TACTICAL WARNING/ATTACK ASSESSMENT (TW/AA)

You have indicated that among your main concerns was an inability to identify the source(s) of the various IW attacks that have recently taken place and the total absence of any warning relating to these attacks. This has given rise to related uncertainties as to whether the attacks represented Iranian (or other potential sources) testing of their IW capability, the beginnings of a much larger IW campaign, or most of what we might have to deal with in terms of strategic IW attacks during the current crisis.

The tiger team judged that the tactical warning/attack assessment (TW/AA) problem to be extremely difficult. In approaching this issue, they concluded that existing legal constraints or impediments to this problem might be removed in crisis in order to have any hope of improving the TW/AA situation.

The recommendations of the ARPA tiger team in terms of possible near-term technical responses to these tactical warning/attack assessment (TW/AA) IW-related problems are as follows:

TW/AA Issues
Recommended Technical Response	Possible Implementation Obstacles
1. (re Tactical Warning) Place automated software "backtrack" programs in those information systems that have already been subject to attack and at other likely targets Begin emergency development of a tactical warning and attack assessment scheme based on the follow design philosophy and system components:	Legal challenges
2. (re Attack Assessment)

III. ISSUES RELATED TO STRATEGIC IW ATTACKS ON THE U.S. NII

You expressed particular concern about the domestic political impact, and thus the broad political-military impact in the crisis, of successful strategic IW attacks against key elements of the U.S. NII--and the resultant loss of the national sanctuary that the American people have enjoyed for nearly two centuries.

With this perspective in mind, the tiger team looked at possible near-term measures to enhance the security of the key elements of the U.S. NII relating to: (1) the PSN, (2) the transportation system, (3) the electric power grid, and (4) the oil and gas pipeline system.

The recommendations of the team in terms of possible near-term technical responses to possible strategic IW attacks on the U.S. NII are as follows:

U.S. NII Strategic IW Attack Issues
Recommended Technical Response	Possible Implementation Obstacles
1. (re the PSN)
2. (re Transportation Systems)
4. (re the Electric Power Grid)
5. (re the Oil and Gas Pipeline System

IV. ISSUES RELATED TO STRATEGIC IW ATTACKS ON ALLIES AND COALITION PARTNERS

Our European allies and regional coalition partners Saudi Arabia and Egypt appear already to be in the throes of some kind of strategic IW campaign designed to weaken their resolve in the crisis.

The approach that the tiger team took to this problem was as follows:

• Look for technical solutions to the vulnerability of the Saudi PSN sufficient to insure that the Saudi government could maintain a limited but high-confidence communications network for the country as a whole.

• For other elements of the Saudi NII and the Egyptian and European NII's look for general technical solutions to enhance the survivability and overall viability of key information systems.

Allies/Coalition Partners NII Strategic IW Attack Issues
Recommended Technical Response	Possible Implementation Obstacles
1. (re the Saudi PSN) Make emergency modifications to U.S. dedicated secure communications equipment so that it can be given to the Saudis now, but selectively disabled at a later time of our choosing. Assist the Saudis in fencing off selected PSN circuits.
2. (re other NII Systems of European Allies and Coalition Partners) Send a crack team of computer security specialists to work collectively with our allies on all key software system and application code controlling major rail, pipeline, telecommunications, and power grid systems. Offer use of U.S. "server" computer systems containing substantial firewall software to help isolate key European information system connections through which IW attacks may be launched.

Recent Developments

SITUATION REPORT

THE CONTINUING CRISIS

MAY 20

In the United States

That morning the automatic tellers of the largest bank chain in Georgia malfunctioned with bank clients being debited and/or credited thousands of the dollars after each ATM transaction--leading the bank to shut down its ATM network. Bank officials stated that it must have been "an inside job" since they had recently installed a new release of the ATM software about three weeks ago and suspected a logic bomb triggered by some means.

Early that afternoon the CNN news center feed out of Atlanta was intermittently off the air for twelve minutes.

On May 20 DoD discovered that the computer data base for the Time Phased Force Deployment List (TPFDL) had become plagued with "corrupt data." The JCS IW planning cell's initial report on the problem indicated that a computer worm--origin uncertain-- had likely been unleashed inside the TPFDL software through a personal computer temporarily linked to the TPFDL system running popular commercial off-the-shelf database software with a known security flaw.

MAY 21

In the United States

On the morning of May 21 the U.S. Ambassador in Egypt notified the Secretary of State that the President of Egypt had become "very concerned about Iran's capacity to cause economic and political damage in Egypt."

That morning the Pentagon first revealed their concerns about delays in military deployments to the Gulf due to IW attacks on the local area networks and phone systems of a number of key Army and Marine bases.

Early in the afternoon of May 21 a new Continental Airlines AB- 340 making a final instrumented approach to O'Hare International Airport suffered a massive malfunction in its flight deck avionics and minutes later crashed in a residential area killing all 236 passengers and crew and 36 people on the ground.

Later that day the FAA grounded all late model AB-340 and 330 aircraft on the basis that the flight control software might be infected by a sophisticated logic bomb.

That evening the Justice Department reported the interrogation of two suspects at a San Antonio, Texas software firm which had provided the most recent update of the AB- 340 flight control software. (Both had recently received large cash payments through a Swiss bank.) Although the source code for the flight control software had been checked line-by- line before installation, the two suspects apparently had access to the compiler, and presumably modified it to cause unauthorized actions in the compiled control software.

The May 21 CPP "anti-intervention" demonstration in Washington drew a crowd estimated by the U.S. Park Police at over 400,000. Many other well-attended demonstrations in both large and small cities across the country were also organized via the Internet.

MAY 22

In the United States

(1) Operation IRON LANCE - an all-out preemptive air and missile strike against Iranian conventional forces threatening Saudi Arabia and

(2) Operation FORCE FIELD - a theater-wide command and control attack plan.

A highly contentious debate on both operations followed but no decisions were taken on either operation.

In Saudi Arabia

That same day the Saudi public switched network began to fail again. The failure was attributed to unauthorized modification of the system through trap doors in the logic controlling its switches - which were very similar to those found earlier in the failure of the Saudi PSN." (The Saudi telecom system was purchased from the same company supplying approximately 30% of the U.S. PSN.)

By that evening the self-described "Provisional Islamic Republic of Arabia" had seized power in Dhahran and Mecca.

That evening saw the beginning of heavy fighting in Riyadh between security police and members of the National Guard which had pledged their loyalty to the new Provisional Islamic Republic. Within hours the U.S. Ambassador reported that fighting was spreading rapidly throughout the city and that a coup attempt was underway.

MAY 23

In the United States

At a mid-morning Atlanta news conference the members of the "Executive Council" of the Consortium for Planetary Peace announcing that the CPP was "mobilizing all of its chapters to conduct civil disobedience actions to stop the U.S. Government's mad dash to war to save an undemocratic and failed Saudi regime."

At 1230 EDT on the 23rd the Chicago Commodity Exchange experienced its wildest fluctuations in history and halted trading on the grounds that the Exchange was apparently being subjected to a powerful form of electronic manipulation by unknown parties.

In mid-afternoon the entire phone network in the Washington/Baltimore region including local cellular systems failed. The attack was attributed to trap doors not unlike those that caused the earlier PSN failure in Saudi Arabia. Preliminary indications were that only 70% of the switches were disabled, but that remaining carriers and switches could not handle the additional load.

At 1700 EDT the President asked the National Security Advisor to arrange an NSC Meeting for the next morning so he could "assess the overall situation and especially our defensive IW prospects" in order to decide on "next steps" in the crisis.

It is now 1900 on May 23, 2000.

STEP TWO: The Day Before...

INSTRUCTIONS

How to Proceed

1. You will have a total of two hours for STEP TWO --roughly 10 minutes for reading and the remainder of the two hours for deliberations.

2. The time period is the very near future--say the late spring of 1996.

3. You are again in the role of a top advisor to the Director of ARPA, preparing him for a meeting with the Secretary of Defense on a national R&D investment strategy for information systems security and related issues.

4. The Chair will lead a discussion that moves through the tasking described in the Decisions to Be Made section to the right--which follows essentially the same basic process as the previous two steps.

Decisions to Be Made

1. Issues and Options

The staff-prepared Draft Memo for the Secretary of Defense (on the pages immediately following) is designed to serve this purpose.

Under the guidance of the Chair, the group should discuss this Draft Memo and expand and modify it as judged appropriate.

2. Recommendations

When it is clear to the Chair that there is a division of views on an issue, vote on the options still on the table and record the vote.

Draft Memo for the Secretary of Defense

In the items below we have identified several key issues that relate explicitly to the overall question of investment strategy.

1.1 Commercial Software

Although substantial security techniques and devices have been developed, by and large they are not incorporated in the widely used commercially available operating systems and programs (e.g., Windows 95; commercial UNIX systems). To be effective, existing technology and procedures should become widespread.

What steps should the U.S. and DoD take to ensure that known security technology becomes embedded in widely-available commercial operating systems and applications?

__________ A. Assure that key developers of commercial software are part of the development process for new security technology;

__________ B. ______________________________________

_________________________________________________

__________ C. ______________________________________

__________________________________________________

Possible implementation obstacles for this option: ________________________________________________

In addition (on the matter of commercial software issues) ARPA recommends:

_______________________________________________________

_______________________________________________________

_______________________________________________________

_______________________________________________________

_______________________________________________________

1.2 Minimum Essential Information Infrastructure

Broad benefits have been derived from the open information architecture and information-sharing that has to date characterized the evolution of the NII and the GII. Retaining these benefits, while meeting the critical needs of cyberspace safety and security, poses a major challenge.

In this context a key issue for near-term decision is whether to launch an effort to establish a Minimum Essential Information Infrastructure (MEII) to meet a variety of national security emergency preparedness needs--for example, ensuring that regional force deployments that depend heavily on the operations of segments of the NII are resilient to attack. Such an MEII would be analogous to the Minimum Essential Emergency Communications Network (MEECN) that was designed to insure the execution of U.S. nuclear war plans.

There are, however, serious questions as to whether key NII infrastructure components are too interdependent to isolate a manageable subset as "minimum essential." One approach to this problem might be to select the parts of the NII most critical to military and civilian operations and then defending them by whatever means appropriate and affordable. As an example, a portion of the infrastructure might be placed on dedicated fiber optic cables with protected input/output switches procured by the Defense Department to ensure essential point-to-point communications to enhance force deployment capabilities. In addition, modifications to existing laws might allow cooperation between the intelligence community and domestic law enforcement agencies to improve the gathering of intelligence on U.S. citizens who operate in cyberspace performing actions counter to U.S. national interests--or imposes some protection standards. Another component might be a tax incentive to encourage commercial firms to cooperate with U.S government-led protection processes and encourage development of rapid reconstitution capabilities.

The most promising strategy for the U.S. to pursue in developing an MEII would be:

__________ A. Select some subset of existing telecommunications links to be hardened or specially protected in some manner.

__________ B. Create a separate secure U.S. backbone telecommunication structure to which critical communications may be diverted in an emergency.

__________ C. ____________________________________

__________________________________________________

__________ D _____________________________________

__________________________________________________

The ARPA recommendation is that we pursue Option _____.

Possible implementation obstacles for this option: ______

_____________________________________________

__________________________________________________

__________________________________________________

__________________________________________________

__________________________________________________

__________________________________________________

1.3 (Subject) _______________

__________________________________________________

__________________________________________________

__________ A. ________________________________

_____________________________________________

__________ B _________________________________

_____________________________________________

__________ C. ________________________________

_____________________________________________

2.1 Tactical Warning and Attack Assessment (TW/AA)

Information and telecommunications systems--and systems dependent on them--sometimes fail, either catastrophically (e.g., the "Northeast blackout") or more narrowly (one major carrier's long- distance lines were once unavailable for 6 hours). Earthquakes, hurricanes, tornadoes, and other natural phenomena cause disruptions. Given normal exigencies, it may well be difficult to tell whether the U.S. is being subjected to a coordinated IW attack. We should have warning regarding whether we are under attack, and if so by whom.

The following are some possible approaches to TW/AA.

__________ A. For critical national information systems, mandate the generation of unassailable audit trails recording transactions passing through key nodes, supplemented by "expert systems" or other agent-type software continuously monitoring for unusual patterns. Automatically report unusual data to a central "clearing house" node for higher-level pattern analysis and interpretation.

__________ B. Significantly expand the concept of CERTs (Computer Emergency Response Teams) to cover all key national information systems. These provide human analysis and interpretation of events as they are reported by automated information-gathering nodes and reporting by systems administrators.

__________ C. ____________________________________

__________________________________________________

__________ D _____________________________________

__________________________________________________

Possible implementation obstacles for this option: ______

_____________________________________________

Substantial research and development programs in computer and network security have been undertaken--by ARPA and others--over the past 20 years, yet the vast majority of computers and networks in use within the U.S. and its information infrastructure are insecure. Reasons for this include: (1) inertia; (2) lack of perception of a problem--benefits do not appear to outweigh costs for any individual site or organization; (3) no central point of control; (4) lax operational procedures, including physical security.

If we are to have greater information assurance in our systems, in addition to addressing technical solutions these "people and procedures" aspects of the problem must also be addressed as well as technical solutions:

__________ A. Substantially greater programs in education and training of system operators and users;

__________ B. "Make 'em feel it." Develop, support and encourage "red-teams" to attack key portions of our national information infrastructure to demonstrate security flaws in systems and operational procedures, with ensuing embarrassment and possible sanctions for those found inadequate;

__________ C. ____________________________________

__________________________________________________

__________ D _____________________________________

__________________________________________________

Possible implementation obstacles for this option: ______

________________________________________

__________________________________________________

__________________________________________________

__________________________________________________

__________________________________________________

__________________________________________________

2.3. (Subject)_______________

__________________________________________________

__________________________________________________

__________ A. ________________________________

_____________________________________________

__________ B _________________________________

_____________________________________________

__________ C. ________________________________

_____________________________________________

In the items below we have identified several possible new R&D initiatives (or new R&D priorities) to enhance information systems security.

3.1 Trusted Insiders

Trusted insiders are a particular security problem. For less than the cost of a major, targeted computer and network hacking/cracking campaign, it may often be possible to "buy" the services of a disgruntled trusted insider who already possesses the needed passwords, physical access codes, and knowledge of operating procedures.

The basic options for countering this weakness in many infrastructure information systems are:

__________ A. Work toward creating systems that are autonomous and require many fewer "insiders" for their operation;

__________ B. Research on "tamper-proof" audit trails and system monitoring devices that cannot be bypassed or defeated by an insider, and will provide warning and evidence of any wrongdoing;

__________ C. ____________________________________

__________________________________________________

__________ D _____________________________________

__________________________________________________

Possible implementation obstacles for this option: ______

________________________________________

__________________________________________________

__________________________________________________

3.2 New Security Techniques

Existing information security techniques (firewalls, encapsulation, multi-level secure operating systems, passwords, etc.) are not widely and effectively employed throughout the key national information systems or in mass-market commercial operating systems and networks, and they are viewed as difficult to use. (The two factors are of course not unrelated.)

There may be fundamentally new techniques upon which the U.S. might base the security of its information infrastructure. Possible examples might include: (1) a "biological immune system" metaphor (currently being explored by some scientists) in which systems have both "barrier" (e.g., skin, cell membrane) defenses and "active" defenses (e.g., generating antibodies tailored to antigens); (2) Detection and rapid recovery; bad things--foreseen and unforeseen--will happen to information systems, rather than protecting against all foreseen dangers, concentrate on designing systems that recover fast enough that ill effects from their downtime or disablement are not severe.

The possible new techniques that the U.S. might explore in pursuit of a breakthrough in national information infrastructure security are:

__________ A. ____________________________________

__________________________________________________

__________________________________________________

__________ B _____________________________________

__________________________________________________

__________________________________________________

The ARPA recommendation is that we pursue Option _____.

Possible implementation obstacles for this option: ______

___________________________________________

__________________________________________________

__________________________________________________

__________________________________________________

__________________________________________________

__________________________________________________

3.3. (Subject)_______________

__________________________________________________

__________________________________________________

__________ A. ________________________________

_____________________________________________

__________ B _________________________________

_____________________________________________