MR-976-OSTP Copyright © 1998 RAND

Preface

The United States increasingly relies on information networks for the conduct of vital business. These networks are potentially subject to major disruptions from a variety of external sources. To date, there has been no clear statement of the magnitude of this threat or the ability of the various networks to withstand or respond to such disruptions. This project examines the national communications and information infrastructure. The research was conducted for the Office of Science and Technology Policy with task funding from the National Science Foundation.

This report discusses the vulnerability of the national information infrastructure to external attacks and other kinds of disruptions. It assesses the extent of the data available for measuring this threat and discusses steps that private industry and the federal government can take to reduce national vulnerability.

The Critical Technologies Institute was created in 1991 by an act of Congress. It is a federally funded research and development center sponsored by the National Science Foundation and managed by RAND, a nonprofit corporation created for the purpose of improving public policy. CTI's mission is to help improve public policy decisions by conducting objective, independent research and analysis on policy issues that involve science and technology in order to

  • Support the Office of Science and Technology Policy and other Executive Branch agencies, offices, and councils;

  • Help science and technology decisionmakers understand the likely consequences of their decisions and choose among alternative policies; and

  • Improve understanding in both the public and private sectors of the ways in which science and technology can better serve national objectives.

CTI research focuses on problems of science and technology policy that involve multiple agencies. In carrying out its mission, CTI consults broadly with representatives from private industry, institutions of higher education, and other nonprofit institutions.

Inquiries regarding CTI or this document may be directed to:

Bruce Don
Director, Critical Technologies Institute
RAND
1333 H St., N.W.
Washington, D.C. 20005
Phone: (202) 296-5000
Web: /scitech/stpi
Email: cti@rand.org

Summary

Background

There is no evidence that the "sky is falling in"; the country is not in imminent danger of massive disruption through infrastructure cyber-attacks. In part, this stems from the natural resilience the country has evolved from having to deal with natural disasters and man-caused events of various kinds and magnitudes; in part, from the natural responses of organizations to protect themselves against anything that causes operational intrusions or upsets.

The country can readily withstand some levels of attack and recover, and can even enhance its ability to do so by strengthening and/or expanding the mechanisms now in place to handle what are commonly called disaster areas or business disruptions. It follows that, for extreme events, the national preparation that has been completed for lesser ones will provide an enhanced basis for response to a "big one." For small attacks especially and for some moderate and/or coordinated attacks, the country can make do without--or with impaired--sectors of the normal infrastructure for limited periods of time; but at the cost of such consequences as reduced efficiency, inconvenience to the citizenry, loss of living affluence, and disruption of services.

If infrastructure attacks and intrusions are extensive enough and/or disrupt or destroy the functioning of very large geographical areas, or (for example) bring down most of a major industry, or if several kinds of attacks occur in a seemingly coordinated pattern, then the country cannot expect to sustain "business as usual." In fact, we may have to deliberately stand down or limit some aspects of normal life on a regional or national basis.

Findings

Even though the country is not in imminent danger of major cyberspace attacks, we should not be complacent about the possibility that our national judgment is wrong or our intelligence insight incomplete. Intentional infrastructure cyber-attacks are technically feasible; it is the probability of their happening that is uncertain. We must examine the situation and do a substantial amount of preparatory work to develop an accurate portrayal of national status and risk, level of preparedness, and a realistic estimate of threat.

We do not now have a comprehensive survey of the infrastructure vulnerabilities to cyber-attacks or of the resilience of the country to accommodate them. The resilience of the country can surely be enhanced, but a study of the present status is required before actions could be recommended. A status baseline is essential, covering, e.g., preparedness planning, sources and status of resilience, industry vulnerabilities, and present sources of early warning.

We do not know what normalcy in the infrastructure is and how it varies with such things as season, world events, national holidays, etc. We need to establish what the engineering community would call the "noise level" in the infrastructure--namely, the day-to-day abnormal or accidental events that occur as a matter of routine operation.

Physical attack is a threat of high probability throughout the infrastructure. The United States government and the private sector must give it attention. Intelligence, early warning, and data sharing are collectively an early order of business.

In the infrastructure scheme of things, energy supplies, telecommunications, and computer-based systems share an inescapable position of centrality. Thus, they are collectively of first priority for attention and remedial actions.

  • Without an ongoing supply of energy--electrical and/or petroleum based--an infrastructure will wind down to a state of quiescence over a few days or a few weeks.

  • The public switched network (i.e., the national telephone system) is a singular point of concern because it provides the bulk of connectivity among computer systems, people, organizations, and functional entities. It is the backbone of interpersonal and organizational behavior.

  • The federal information infrastructure is considered to be weakly postured on computer and network security. Agencies must be motivated--or directed--to respond, and their progress monitored.

  • There are specific R&D "cyber-issues" relevant to protecting critical infrastructures, particularly with respect to the computer system/telecommunication/information infrastructure. The research community must become aware of them, and be motivated to respond.

Actions

Immediate actions include improving the information security posture not only in government but throughout the private sector. Physical security needs prompt examination and, as required, attention.

Near-term actions include analytic studies to establish such infrastructure features as source of resilience and characterization of normalcy (i.e., establish the noise level), and to specify R&D requirements.

Medium-term actions include establishment of a warning mechanism and a supporting coordination center.

For some of these steps, White House-sponsored conferences might be an appropriate and useful mechanism, but any mechanism available to the country should also be exploited.


Contents

Chapter One: Introduction

This Document
A Structure for Discussion
Historical Perspective

Chapter Two: The Nature of the Problem

Disruptive Phenomena
Infrastructure Noise
Moderate and Low-Level CIP Attacks and Intrusions
Extremely High-Level Attacks and Intrusions
Physical Attacks
Cross-Sector Aspects

Chapter Three: Setting Priorities

Centrality of Energy, Communications, and Information
Uneven Consequences
Consequences of No Energy
Consequences of No Information Base
Relative Priorities

Chapter Four: Key Elements of a Solution Approach

Relying on What We Already Have
Research and Development
United States Government Responses
Specific National Actions




All rights reserved. Permission is given to duplicate this on-line document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions or policies of its research sponsors.

Published 1998 by RAND

