During the past several years, a RAND-developed "The Day After..." exercise methodology has been developed and used to explore strategic planning options, both for nuclear proliferation and counter-proliferation, and, more recently, for questions involving "security in cyberspace" and "information warfare (IW)." On March 23, 1996, a "The Day After...in Cyberspace" exercise with approximately 60 participants was conducted at RAND's Washington D.C. offices, under the sponsorship of the Defense Advanced Research Projects Agency. The purpose was to generate suggestions and options regarding research and development initiatives to enhance the security of the U.S. information infrastructure.
The scenario used in this exercise involved a Mideast crisis situation, with Iran as an aggressor. We used a variation of the scenario that had been used earlier to explore other aspects of planning for cyberspace security, as documented in Molander, Riddile, and Wilson (1996).
Participants in the exercise spent approximately three hours in individual groups, and another two hours in plenary sessions, discussing both short-term technical fixes to counter IW attacks that were hypothesized to occur in the year 2000 and longer-term research strategies that could be initiated now to avoid significant vulnerabilities in the future. These discussions ranged over known problems with the current information infrastructure, and both common wisdom and some novel approaches to tightening the security of those systems on which our nation depends. We highlight below some of the observations and suggestions resulting from these discussions that appear to be relevant to DARPA's planning for R&D investments in the field of cyberspace security.
- "Safe havens" should be developed as a fallback means for systems when under attack
It may be possible to configure key infrastructure systems so that they can quickly be isolated into self-sufficient regional systems in a crisis. If, in a matter of seconds or minutes, the energy grids or telecommunication systems could be isolated into smaller units, the resulting smaller units might become safe havens protected from remote attack. At a later safe time, the units might be reassembled into an interconnected system.
- Tactical warning/attack assessment (TW/AA) is an important concept for cyberspace security
It was agreed that TW/AA is important, and that there is currently little infrastructure in place to perform these activities. Discussants concluded that there must be a clearinghouse (a "National IW Center"?) to collect, collate, and uncover patterns in cyberspace attacks that span systems in all key infrastructures: transportation, power, finance, communication, defense, and so forth.
- Operational aspects of security (dealing with people, procedures, regulations) are vitally important to any solution
There was considerable discussion of "operational" aspects of security that may be less amenable to R&D, but are deemed vitally important to any overall security posture. It was clear that issues related to people, procedures, regulations, training, education, and so on were a critical adjunct to any successful security technology initiative. The following operational aspects were specifically mentioned:
The concept of "cyberspace hot pursuit" needs attention. We need software tools to aid in the backtracing of incidents, to discover the perpetrator.
We need procedures for the prepositioning of backup systems and software. The concept of "safe havens" in information systems was discussed, along with the related idea of prepositioning verifiably accurate software (and possibly hardware) for rebaselining corrupted systems.
"Red teams" are needed to test system defenses. The groups tended to concur that active testing of system defenses is an important means for assessing system security. Testing should be expanded to cover all key national information infrastructure systems.
Map the networks. We need maps of the interconnections among the networks of cyberspace to resolve questions such as: How do energy grid control systems depend on the public switched telephone network (PSTN)? Some agency(ies) should be tasked with maintaining an updated map of the tens of thousands of links and interrelationships and interdependencies among key networks.
Personal ID verification systems should be employed. Participants felt it was important to employ such systems on all links into the infrastructure, including access through dial-in maintenance ports.
The concept of "human firewalls" should be considered in an emergency. As systems are decomposed into "safe havens" (see above) when an attack is imminent, or during an attack, it might be possible to insert a human as an intelligent verification device to pass judgment before various people and systems are allowed to obtain access to critical nodes and links in the infrastructure.
A "two-person rule" might be used for critical decisions or system changes. Just as firing a nuclear missile requires the cooperation of (at least) two individuals, we should consider the advantages (weighed against additional costs and impediments) of requiring two persons to authorize and allow any key change to critical system software, or to implement a decision regarding critical links or nodes.
Consider better pay and status for critical system operators. Personnel might then be less vulnerable to bribes, and less likely to become disgruntled or disaffected. It is widely understood that the trusted insider poses the greatest threat to critical information systems.
U.S. Government RolesIn discussing possible roles for the U.S. government in enhancing cyberspace security, three specific analogies were mentioned:
Automobile safety regulations. The U.S. government, in cooperation with the auto industry, created regulations to make automobiles safer. The safety and security of cyberspace is now in a situation analogous to that of the automobile industry many years ago.
The U.S. Centers for Disease Control (CDC). The CDC acts as a worldwide clearinghouse for health and disease information; it is a central source for information when needed, from routine queries to tracking the spread of epidemics. This same clearinghouse function is needed to collect and assess information on disparate cyberspace security incidents.
Underwriters' Laboratory. It may be possible to create an institution for the testing and evaluation of the security provisions of telecommunications and other infrastructure software and systems. Perhaps, eventually, systems that don't have this "seal of approval" would not be allowed to interconnect to the infrastructure.
Key R&D SuggestionsThe following are some key research and development suggestions made during the course of group deliberations.
- Study "distributable secure adaptable architectures"
Although much research has been done on secure operating systems for individual computers or workstations, new advances are needed for systems that are inherently distributable (over telecommunication links and networks, over geographic distances, among disparate groups) and secure and adaptable. This topic was meant as a theme for a research program, not just an individual project.
- Study "rapid recovery" strategies and systems
If any link or node might be disabled by a perpetrator, but could be restored in milliseconds, or at most seconds or minutes, and if the system in addition had considerable redundancy -- then perhaps that would suffice for most systems and applications.
- Study "understanding and managing complex systems"
The information systems controlling our national infrastructure have millions of interacting components. We need a better science of complex systems, or at least tools for helping to understand their dynamic operation and vagaries.
- Study the design of processes for developing secure software systems
We need an engineering discipline devoted to the design and implementation of secure information systems.
- Study the concept of a Minimal Essential Information Infrastructure (MEII)
Among the questions needing study are: What are the essential services the infrastructure must protect and carry? What kinds of functionality must be guaranteed? What is the appropriate communications architecture? What management structure should be used? How do we prototype and exercise the system?
- Study the MEII functionality for various segments of our society
Research should be undertaken to ascertain the minimum amount of information infrastructure that would sustain our society for limited periods of time. Such a study would allow estimates to be generated of the minimum essential communication capacity that would be needed in an emergency, as a function of time. These estimates would in turn inform the studies of an MEII (see above).
- Study the analogy of "biological diversity" for complex information systems
Biologists have long extolled the virtues of biological diversity. The government may be called upon to mandate that sufficient dissimilarity be engineered into critical systems. Without such intervention, the market is tending toward uniformity in system components to achieve savings from mass production, replication, training, and documentation.
- Study the biological immune system metaphor for software
The means by which the human immune system identifies "intruders" and attacks them seems to be an attractive metaphor for software mechanisms that might perform similar functions within a computer network.
- Study "dynamic diversity" in infrastructure information systems
Can an information system self-modify periodically so that attacks that work on one portion of it won't work on others, or ones that worked at one time won't work subsequently?
- Replace software with firmware?
Attacks frequently modify software controlling infrastructure systems, e.g., to plant Trojan horses or insinuate viruses. Could significant portions of key infrastructure systems be replaced by firmware (e.g., in read-only memories) that would not be amenable to this form of attack?
- Study the ability to "sterilize" data passing through our telecommunications systems
Billions of bits of data pass through our national information infrastructure each second, carrying information about individual citizens. The National Security Agency (NSA) is precluded from collecting information about U.S. citizens, even in an IW crisis. Could key data flows be "sterilized" or "sanitized" by computer hardware and/or software in such a manner that the NSA could help monitor and track perpetrators in cyberspace without violating these laws?
- Study the ability to reengineer or retrofit legacy information systems to enhance their security
Even if new operating systems or communication protocols were developed to enhance system security, there are thousands of legacy systems throughout the national information infrastructure that would not be affected for years. Is it possible to create "wrappers" or other technology that could be retrofitted into existing legacy systems to significantly improve their security?
- Sponsor development of an aircraft-like "black box" recording device
Could a "black box" recording device be developed, to be attached to key nodes or links of cyberspace systems, that would record every transaction passing through that node or link during the last n minutes? That record would be invaluable in tracing the source of incidents, whether they were accidental or deliberately perpetrated.
- Sponsor development of software or hardware that would record tamper-proof audit trails for information systems
Many audit trails are merely data recorded into a file for later analysis. If a perpetrator gains root access to a system, he or she can tamper with the audit trail to remove any indication of the perpetrator's presence and activities. How should systems create tamper-proof audit trails that can become accurate records of system activity?
- Develop software that can perform real-time pattern detection as an aid to attack assessment
Research should be conducted to advance the capabilities of real-time pattern detection systems, since they form a vital component of any information security program.