The Cyber-Posture of the National Information Infrastructure

Preface

This report discusses the vulnerability of the national information infrastructure to external attacks and other kinds of disruptions. It assesses the extent of the data available for measuring this threat and discusses steps that private industry and the federal government can take to reduce national vulnerability.

The Critical Technologies Institute was created in 1991 by an act of Congress. It is a federally funded research and development center sponsored by the National Science Foundation and managed by RAND, a nonprofit corporation created for the purpose of improving public policy. CTI's mission is to help improve public policy decisions by conducting objective, independent research and analysis on policy issues that involve science and technology in order to

• Support the Office of Science and Technology Policy and other Executive Branch agencies, offices, and councils;

• Help science and technology decisionmakers understand the likely consequences of their decisions and choose among alternative policies; and

• Improve understanding in both the public and private sectors of the ways in which science and technology can better serve national objectives.

Inquiries regarding CTI or this document may be directed to:

Background

The country can readily withstand some levels of attack and recover, and can even enhance its ability to do so by strengthening and/or expanding the mechanisms now in place to handle what are commonly called disaster areas or business disruptions. It follows that, for extreme events, the national preparation that has been completed for lesser ones will provide an enhanced basis for response to a "big one." For small attacks especially and for some moderate and/or coordinated attacks, the country can make do without--or with impaired--sectors of the normal infrastructure for limited periods of time; but at the cost of such consequences as reduced efficiency, inconvenience to the citizenry, loss of living affluence, and disruption of services.

If infrastructure attacks and intrusions are extensive enough and/or disrupt or destroy the functioning of very large geographical areas, or (for example) bring down most of a major industry, or if several kinds of attacks occur in a seemingly coordinated pattern, then the country cannot expect to sustain "business as usual." In fact, we may have to deliberately stand down or limit some aspects of normal life on a regional or national basis.

Findings

We do not now have a comprehensive survey of the infrastructure vulnerabilities to cyber-attacks or of the resilience of the country to accommodate them. The resilience of the country can surely be enhanced, but a study of the present status is required before actions could be recommended. A status baseline is essential; e.g., preparedness planning, sources of and status of resilience, industry vulnerabilities, present sources of early warning.

We do not know what normalcy in the infrastructure is and how it varies with such things as season, world events, national holidays, etc. We need to establish what the engineering community would call the "noise level" in the infrastructure--namely, the day-to-day abnormal or accidental events that occur as a matter of routine operation.

Physical attack is one of high probability throughout the infrastructure. The United States government and the private sector must give it attention. Intelligence, early warning, and data sharing are collectively an early order of business.

In the infrastructure scheme of things, energy supplies, telecommunications, and computer-based systems share an inescapable position of centrality. Thus, they are collectively of first priority for attention and remedial actions.

• Without an ongoing supply of energy--electrical and/or petroleum based--an infrastructure will wind down to a state of quiescence over a few days or a few weeks.

• The public switched network (i.e., the national telephone system) is a singular point of concern because it provides the bulk of connectivity among computer systems, people, organizations, and functional entities. It is the backbone of interpersonal and organizational behavior.

• The federal information infrastructure is considered to be weakly postured on computer and network security. Agencies must be motivated--or directed--to respond, and their progress monitored.

• There are specific R&D "cyber-issues" relevant to protecting critical infrastructures, particularly with respect to the computer system/telecommunication/information infrastructure. The research community must become aware of them, and be motivated to respond.

Actions

Near-term actions include analytic studies to establish such infrastructure features as source of resilience and characterization of normalcy (i.e., establish the noise level), and to specify R&D requirements.

Medium-term actions include establishment of a warning mechanism and a supporting coordination center.

For some of these steps, White House-sponsored conferences might be an appropriate and useful mechanism, but any mechanism available to the country should also be exploited.

Context

Telecommunications

Electric Power Systems

Transportation

Gas and Oil Transportation

Banking and Finance

Water Supply Systems

Emergency Services

Continuity of Government.

As the Commission proceeded, it revised, slightly modified, and aggregated these sectors into five:

Information and Communications

Banking and Finance

Energy, including electrical power, oil, and gas

Physical Distribution

Vital Human Services.

As a corollary observation, the PCCIP was not directed to address all possible sectors of the national economy, nor did it introduce sectors different from those stipulated by the implementing executive order. For example, the commission did not address food distribution (in all of its dimensions-- physical, crop growth, electronic benefits, financial aspects) as a sector issue.

2. The Nature of the Problem

Such advances include the following examples.

• Smart roads that automatically collect tolls without impeding traffic;

• On-line air travel, hotel, and auto reservations that bring such actions into the home for personal convenience and customer attraction;

• On-line banking and other financial transactions, for example, to conduct stock transactions from the home;

• Automated control of the power grid to minimize cost of needless generation of power or to rapidly restore/reconfigure the network during periods of heavy demand or emergency;

• Computer-based switching and routing in the telephone network to quickly adapt system configuration to demand, and to optimize the utilization of the installed plant;

• Efficient delivery of finished goods to minimize on-site storage requirements and to optimize their placement with market demand;

• Support of manufacturing technology to improve uniformity of products, to enable unattended extra shift operations--including use of robots, or even just to be able to manufacture such things as microcircuits;

• Automatically scheduled maintenance actions of many kinds; e.g., oiling schedules for large power generators, route scheduling of aircraft so that each one is near a maintenance facility when a compulsory overhaul becomes due;

• Automatic operation of manufacturing plants for all manner of finished goods; e.g., automobiles, pharmaceuticals, foodstuffs.

In each such instance of automation, the sources of operational economy include such things as

• Fewer people for both operations and maintenance;

• More efficient use of resources, such as coal or oil;

• Convenience for public users (and thus a competitive advantage);

• New services for the public, such as on-line business licenses and permits;

• Just-in-time manufacturing (minimization of capital tied up in inventory);

• Timeliness of actions;

• Conservation of time and efficient use of time;

• Prompt connectivity among parties needing to interact.

• Natural phenomena--storms/floods/earthquakes/fires/volcanoes;

• Carelessness--often unintended, sometimes due to system design flaws, to extra-system events such as a backhoe severing a fiber cable, to inattentive people, to people under the influence of alcohol or controlled substances;

• Accidents--failure of system components, unanticipated conditions not included in the initial design but leading to destructive consequences;

• Oversights--actions or inactions of operators, improper interfaces in user/operator interfaces with the system, poorly trained operators.

Infrastructure Noise

Noise should be thought of as the unintended spurious events that occur daily throughout the national infrastructure; in effect, noise characterizes the normal state of affairs, some aspects of which are statistically predictable. Examples include

• Daily road accidents (numbers and locations);

• Daily numbers of banks that have problems with reconciliation of cash balances (numbers, names, locations, possibly also amounts);

• Daily outages throughout the public switched network (locations, nature, time extent, causes, remedial actions);

• Daily outages or interrupted services in urban utilities (locations, nature, time extent, causes, remedial actions);

• Daily interruptions and outages in the power grid (locations, causes, time extent, remedial actions);

• Daily criminal actions reported to national authorities;

• Pipeline outages and incidents;

• Major forest and brush fires.

In the context of the above discussion, let us examine the relevance of noise.

• We often bring an event onto ourselves; we unintentionally create our own problems as a by-product of simply having and operating some aspect of the infrastructure. Our own day-by-day actions create infrastructure noise.

• Many disturbances to the infrastructure are from things we can do nothing about (natural events); as such, they must be accepted as a part of "doing business"--another contributor to noise.

• Such events must be accepted (so to speak) as a normal aspect of life. Collectively, they establish the normal status and background "noise level" in the infrastructure.

The significance of infrastructure noise to CIP is simply that detection of and reaction to deliberate offensive attacks have to be distinguished from the noise, although they may have been carefully hidden in it. Thus, noise is a nuisance for the defense; an exploitable feature for the offense.

A collateral observation is that offensive acts of the kind typically hidden in infrastructure noise can be deliberately mounted to engage defensive procedures and forces in order to make them unavailable for more subtle and extensive cyber- attacks--i.e., in military parlance, a feint.

• To the extent that infrastructure attacks approximate events that already happen as normal perturbations in the infrastructure--that is, approximate the noise background--the measures that the country and its organizations have developed and/or evolved are ready to combat them, to thwart them, to minimize their consequences, and to recover from them. This is the situation today.

• To the extent that infrastructure attacks exceed the consequences of routine events, the response mechanisms that have been developed and have evolved can be stretched and supplemented by ad hoc arrangements and actions. For example, we might
  • employ large-scale use of military and national guard forces;

  • use military airlift to move people/equipment/supplies as needed;

  • use trucks to bring water into deprived areas;

  • operate aircraft under manual flight procedures;

  • suspend some services and/or the affluent aspects of normal life;

  • make emergency money payments that preparedness plans already provide for; e.g., by FEMA or the SSA;

  • use emergency provision of foodstuffs and shelter by private organizations such as the Red Cross.

• However, in this line of argument there is an inherent assumption that fuel and energy will be generally available to
  • maintain some level of communications facilities;

  • physically move goods and personnel from place to place;

  • provide for the well-being of personnel; and

  • provide for operations of emergency and recovery mechanisms, equipment, systems.

Observe that some things are stored as a normal part of infrastructure operations; e.g., gasoline, fuel oil, water, emergency supplies. Others are prepositioned to known places of consumption; for convenience, efficiency, or surge capability (e.g., the vehicles and equipment of the National Guard); or for smoothing delivery from sources (e.g., manufacturing inventory, raw materials). Collectively, these normal business and government activities add to a response mechanism for low-end infrastructure attacks.

• It takes much more explosive to breach a concrete dam than to destroy or damage a building.

• It takes much higher skill levels to electronically disrupt computer-based systems than to blow up some of their facilities or sever their telecommunication cables.

• Bombing a ground terminal is much easier than destroying a communications satellite in orbit.

For all these reasons, physical vulnerability across the infrastructure is of prime importance and deserves prompt attention.

It would be unwise to study and argue only about individual vertical sectors without regard for lateral interplay. Yet at the present stage of understanding and examination, it is expedient to examine sectors one by one to ascertain their vulnerabilities, identify the threats against each, and ascertain the general state of preparedness and posture of each. Some lateral effects will be self-evident and they can be included in sector studies. There are others that will emerge only as we improve our understanding and insights to individual sectors. Throughout the examination of individual sectors, we will have to be cautious lest we concentrate too intensely on one sector and overlook essential aspects of cross-sector interactions.

One sector can support another in various ways. Among them are

• Services--such as transportation, health care;

• Computing support and computer-based functions;

• Data--such as health care and disease incidence data collected by the Centers for Disease Control from the health-care industry;

• Utilities--such as electrical power, potable water, natural gas.

Another way to frame this dimension of the problem is in terms of assumptions. When considering the vulnerabilities of the information and telecommunications sector and its ability to respond to a cyber-attack or even to a natural event, what assumptions have been made, either explicitly or implicitly, about support from other sectors?

3. Setting Priorities

• It is obvious that all sectors of the infrastructure depend on telecommunications for efficient operation--sometimes, even for operation at all.

• It is also obvious that at the present level of dependence on information technology and computer-based systems and for some aspects of the infrastructure, the information base must also function; namely, the computer systems that are attached to the telecommunications structure and depend on it for connectivity among systems and for outreach.

• It is equally obvious that energy, in some form, is absolutely essential to make facilities and equipment function, and to sustain a minimum standard of living.

Consequences of No Energy

The only exceptions would be those components that are totally physical in nature and are undamaged; e.g., highways, bridges, rails (but not trains), gravity water systems. With energy, but without communications or the necessary information base, some parts of the infrastructure could function at some level, but with seriously impaired efficiency. Other parts, in particular those heavily dependent on information/computer processing/telecommunications, are not likely to function at all.

Some sectors of the infrastructure are durable and with energy, can continue to function, perhaps almost normally. For example:

• With adequate sources of energy, water supplies could continue to function at some level, even without an information base, but possibly under manual, rather than automated, control. Large systems that span many hundreds of miles, such as the Cali-fornia Aqueduct or the California State Water System, would be more vulnerable to loss of the information and communication base than a small municipal system having only a few wells.

• With energy, trucks and trains could operate although at lower efficiency because of manual, rather than automated, control.

• With energy, but without its automated information base, air operations could continue at seriously reduced efficiency.

• With energy, but without its automated control system that depends on telecommunications, oil and gas pipelines could operate at some level of efficiency.

Of these three, however, energy sources must come first. Without them, nothing much of significance will take place--certainly for an extended period of time--even though every computer system and telecommunications arrangement were functionally complete and, in principle, could be operational. To the extent that widespread storage of fuels and backup electrical power sources exist, energy--as a source of concern--might not at a given moment be of first priority, at least until emergency supplies have been exhausted.

In the case of electrical energy--or electrical power--there are many alternative sources (nuclear plants, coal-burning or gas-fired plants) that can provide robustness, provided that the distribution infrastructure is largely intact. There is great redundancy at the power-grid level but generally not near the end-user. Therefore, the vulnerability of electrical power is highly context dependent and, likely, also user-specific.

In fact, the public switched network (PSN) is a singular point of national concern because it provides the bulk of connectivity among computer systems, people, organizations, and functional entities. It is the backbone of interpersonal and organizational behavior.

Since telecommunications has utility even in the absence of computer systems, it would seem to be in second place with computer systems following. On the other hand, both of them have a role in energy systems--so it is not obvious, without deeper insights into the precise nature of cyber- and other attacks, that this apparent ranking should be the dominant one for government and private-sector attention.

4. Key Elements of a Solution Approach

Relying on What We Already Have

Resilience

• The very size of the United States provides resilience. Natural disasters cannot--or at least, so far, have not and are not likely to ever--affect the entire country. Hence, the unaffected parts can and do respond with help for the affected part(s).

  Natural disasters (say, an earthquake), or infrastructure events triggered by natural causes (say, high winds blowing a tree across a power line) or civil disturbances are generally regional (e.g., a few counties and many cities in California when an earthquake occurs; hundreds or thousands of acres of brushland or forestland for a forest fire; a geographical segment of the country during a hurricane; one or more major cities and a few hundred thousands or many ten thousands of square miles of service area during a power grid collapse; a major part of a large city when a riot takes place).

  On the other hand, natural disasters can be imagined that would be nationwide, but they would be extraordinary circumstances outside the scope of this present discussion. Perhaps the most devastating example would be an earth collision with a large asteroid; another, a major nuclear powerplant event or meltdown, triggered possibly by a major earthquake.

  Most individual perturbations, short of extreme natural disasters, simply do not have the wide effect and nationwide consequences that (for example) a cold-war nuclear attack would have had.

• The experience and preparedness of companies in dealing with the normal perturbations in their corporate operations achieves resilience; e.g., telephone companies fly in repair crews to help disaster areas; fire crews deploy by air to combat major forest fires; special disaster relief forces move around the world as required (for example, the fighters of oil well fires in the Mideast); companies establish and use backup copies of their databases; corporations have alternate communication arrangements or provide backup electrical power or have their own fire fighting establishment; various levels of government cooperate with private sector organizations as required (for example, in fighting forest fires or preparing for large floods).

• The leftovers of the cold war, especially all the things that the country did to be ready for nuclear attacks and major conflicts, support resilience; e.g., the Red Cross, stockpiles of materials, civil defense (to the extent that it was implemented).

• Government preparedness, especially military readiness, brings resilience; e.g., FEMA, various emergency preparedness plans at national and state and local levels, planning and arrangements for continuity of government. There can be spillover from government preparedness to support in the private sector.

Enhancement

For example:

• Some things are easily expandable; e.g., stocks of gasoline and petroleum products, consumables such as pharmaceuticals and foodstuffs, potable water in reservoirs.

• Other things have fewer options; e.g., electrical power is more difficult to store but can be in the form of water (for hydropower sources) or nuclear power sources.

• Other examples include oil that can be and is stored; natural gas that can be and is stored (in underground caverns, in above-ground tanks in some parts of the country); storage of on-site consumables such as lubricating oils for nuclear powerplants.

Operating with Impaired Infrastructure

This position is most likely to be accurate and applicable for small attacks against a single sector; it is less likely for large, complex, multisector attacks.

At the same time, just how long we can make do is unclear but certainly is related to the nature of the attack, the sector and its systems that are involved, and even on the proper functioning of other sectors. For example, the recovery of a damaged telecommunications region might be seriously delayed by a concurrent attack on the transportation sector because the needed materials could not be transported as required.

Moreover, there is a collateral observation of importance for larger, especially multisector, events. Given the high level of automation throughout the national infrastructure and the consequent dependency of all sectors on information technology, the national infrastructure might have to function at some, possibly a major, level of inefficiency. The inefficiency would, in effect, be one aspect of "not being able to sustain business as usual."

Under some attacks, the country could function adequately for some reasonable time--for example, without the National Severe Storm Warning Center or without the Centers for Disease Control, without some airports, or with limited scheduled air service. Other infrastructure losses that could be accommodated for some period include a loss of automated air traffic control, loss of a working stock exchange, even the loss of oil wells or petroleum supplies, the loss of water supplies in some parts of the country, the loss of parts of the telecommunications base.

Infrastructure losses of functionality aside, to offset shortages and/or to facilitate recovery and/or to minimize consequences of the attack, some things might have to stand down, be minimized, or be deferred--for example, financial transactions (international fund transfers), domestic and international stock transactions, possibly severe storm/tornado warnings, minimal air service, extensive but scheduled power brownouts.

Surely, there will be dislocations, interruptions, possibly fiscal losses, personal anguish and anxiety; the country--or at least regions of it--will not function with normal efficiency and with a normal complement of goods, services, and functions. While there will be both personal, corporate, and local-government annoyances and inconveniences, the country will not find itself in a major catastrophic position for low--even moderate--levels of infrastructure attacks. It will not collapse; it will eventually recover and survive.

Immediacy of the Need for Greater Action

Since any event beyond those of normal day-by-day occurrences affects the country's status and well-being, at minimum we need to be as knowledgeable as possible about cyber- and other attack possibilities, about threats, about preparedness, about counteractions and protective mechanisms. We must get protective measures in place, especially those that will serve other purposes and are well within the state of the art. Although there is no evidence that orchestrated intentional cyber-based attacks by sovereign powers or organized groups are occurring, the country should not dawdle in understanding them and instituting reasonable precautions.

The prior discussion notwithstanding, the very pervasiveness of the CIP issue throughout all aspects of the national structure--especially the pervasiveness of the telecommunications and computer system sector--makes government attention and leadership imperative.

As with many of the country's national efforts (e.g., defense), the effectiveness of the money spent operationally is determined by know-how and the state of knowledge. The same relationship is also true for the protection of the critical infrastructure. There are problems for which we do not now have adequate answers; for some things, we have no answer. Thus, the nature of the investment in R&D will importantly determine how effective the country will be at using its available resources for the CIP mission.

Historical Setting of Computer Security R&D

United States Government Responses

The sequence reflects an intuitive ordering based on several factors: existing interest or activity already under way in the government; near-term versus longer-term importance and payoff, difficulty, and duration of the task; contribution to an improved national infrastructure posture; the calendar period over which the severity and probability of a major attack are likely to increase. Clearly, some of the actions could be undertaken concurrently.

Action 1: The United States government should organize to improve its information security posture expeditiously. It should direct the agencies to bring the security status of their information systems up to the best current practice; agency response and progress should be monitored.

In addition to the inherent importance of this action, it would also exhibit government leadership and concern about the vulnerabilities. Moreover, it is an action that the government can take without considerations of a public-private partnership.

Action 2: The government should highlight the information security issue vigorously throughout the private sector and take such steps as can be conceived to urge and motivate the private sector to rapidly improve its computer/network security posture.

Action 3: Assess the physical vulnerability of the infrastructure, especially the telecommunications and computer system dimensions. The situation might prove to be in relatively good condition because corporations and businesses are alert to such threats and take precautions as a normal aspect of business conduct. Moreover, for telecommunications, redundancy (e.g., alternate cable routings) tends to mitigate, but not eliminate, physical weaknesses.

Action 4: Sponsor national conferences, by sector initially but cross-sector eventually, to

• Identify the attributes of the country, its structure, its institutions and organizations that inherently contribute to resilience, and derive an estimate of the present level of resilience. This may be a difficult task--at minimum, it needs concerted attention to illuminate how parts of the country mutually support and buffer one another against risks and emergency events. Such an examination would be especially important in the telecommunications sector. Case studies (e.g., ice storms, hurricanes, forest fires, collapses of the power grid) could be useful in this process.

• Assess the present level of readiness to handle emergency situations throughout the infrastructure. This is an issue of special importance in the information and telecommunications area. Again, case studies could be useful.

• Assess the present level of computer/network security throughout the private sector (in part to supplement and support Action 2 above).

• Identify near-term actions that could be promptly taken to improve readiness or resilience, especially in the telecommunications and information sector.

• Solicit and identify ideas for urging an adequate private sector response to self-improvement of information security.

• Identify special CIP R&D requirements and needs, particularly in any sector that is heavily computer-based.

• Assemble a roster of currently existing "early warning mechanisms" that could contribute to a national alerting and monitoring center; e.g., the Centers for Disease Control, the various existing incident centers for computer/network security (CERT, CIAC, FedCert, FIRST), the Department of Treasury FinCen.

We must also know how capable the country already is to respond to such infrastructure threats with in-place capabilities. The goal would be to assemble the best overall picture of the country's resilience--what the exposures to attack are and what mechanisms might be in place to counter them, the vulnerability status of various industries--and then at least to commence preparation of an overall national preparedness plan. In this regard, the PCCIP has done sector studies that can contribute insights.

Action 5: Realign the R&D programs funded by NSA, NIST, NSF, and DARPA to include new directions of information and security research as indicated by CIP requirements.

Action 6: As the PCCIP has indicated, put warning mechanisms in place together with a coordinating center to provide a dynamic overview of unusual or abnormal activity in the infrastructure, and do so with special emphasis on cyber concerns. Such functions must be alert to seemingly natural events that occur in the infrastructure on a daily basis that could be rehearsals for a larger cyber-attack, experiments in progress to probe the infrastructure, or trials of cyber-attack techniques. In this connection, the defense and intelligence establishments have long experience in operating such assessment centers; their wisdom and experience should be utilized.

Action 7: Construct national databases, by sector and using such historical data as may be available, to characterize normality (i.e., the noise level) in the national infrastructure; portray its dependence on other influences and forces in the country and world.

As discussed previously, there will always be some level of abnormal/unexpected/unscheduled/accidental events throughout the infrastructure. If unusual events occur or if attacks commence, it will be correspondingly harder to recognize them if we do not know (a) the normal status of the national infrastructure, (b) the noise inherent in it, (c) its seasonal or annual variation of status, (d) the influence of world events on it, (e) the influence of planned actions by the government for (say) military action. Without such insights, any warning mechanism will have a more difficult task of identifying attacks, especially ones that are penetration experiments, probes, or practice. Indeed, clever attacks might be intentionally disguised as normally occurring events.