Source: By Paul A. Strassmann
Date: 8 Aug 2001
More articles by Paul A. Strassmann at searchSecurity.com
Govt. should blaze global information warfare trails
My first encounter with information security was in 1957, when auditors made me buy heavy-duty locks for the storage cabinet that contained the firm's punch cards. By 1964, we started locking up the computer room at night. In 1972, I built a data center, as a separate building, for increased protection. Rising risks required the extension of the corporate security perimeter to all data communications in 1982. By 1991, all personnel required encrypted access codes to change any database entry. Thus, one way of characterizing the evolution of corporate information security is to understand it as ever-widening circles of surveillance. It was only in 1991 that I came to realize that henceforth, the perimeter of corporate information security would have to extend beyond corporate boundaries to cope with global information warfare.
My purpose today is to extend the horizon of corporate information security beyond corporate ramparts. What I see looming in the distance is the prospect of corporations becoming paralyzed by forces beyond their power to control unless they prepare to deal with them. I am talking here about threats to the U.S. national information infrastructure precipitated by information warfare.
Clearly, defending corporate operations from such events is beyond the scope of any one firm. It is your government that now must take over much of the responsibility for acting as your sentry, issuing the necessary warnings, advising how to act and assisting with recovery.
The "First Information War"
It is in this way that the fighting in the Gulf war earned its designation as the "First Information War." Compared with the enormous expenditures for bombing, tank attacks and the sheer logistics of deploying half a million troops, the low cost of waging information warfare emerged as the most effective weapon in attacking technologically advanced armed forces.
While everybody was engaged in celebrating the demonstration of American technological prowess, a small group in the Pentagon started an examination of a scenario that assumed that any adversary of the U.S. would learn from the American experiences in the Gulf. As subsequent studies by Russian, Chinese and Iranian military staffs revealed, it was obvious that no nation on earth was as vulnerable as the U.S. to damage to its national security interests by means of information warfare. Anticipating these developments with a remarkable prescience, Duane Andrews (Assistant Secretary of Defense for Command, Control, Communications and Intelligence) launched in 1991 an effort to establish, for the first time ever, "Information Warfare" as a category of offensive and defensive capabilities. Henceforth, information warfare would be included in all U.S. national security plans.
The 1991 Pentagon study revealed that the U.S. military did not have the means for defending the U.S. against information warfare attacks, especially if they were launched as an action that combined the deployment of conventional forces, terrorists and corruption of military command and control systems. Tight coordination among military services to share intelligence, to evaluate such an attack and then to launch protective countermeasures did not exist. There were no sentries except for lookouts engaged in skirmishes with amateur hackers. The military did not conduct exercises on how to operate under conditions of information warfare. Most importantly, it did not have in place the capacity to rapidly "reconstitute" its readiness.
A formal Defense Department policy to deal with these conditions was promulgated in December 1992, the last days of the Bush administration. Information warfare did not fit into any of the established fiefdoms within the Air Force, Army or Navy. For several years the military services engaged in debates about who would coordinate and integrate the new military discipline, since it did not neatly fit anyone in particular, yet threatened the military and commercial viability of everyone, including U.S. businesses.
After leaving the Department of Defense, I continued to serve on a multitude of committees, trying to sort out what would be the missions of our military services in defending their command and control systems against information warfare attacks. With the passage of time and an enormously expanded awareness, the U.S. military cleared up how individual services would cooperate for information security assurance. Most importantly, many of the issues of how to share intelligence and coordinate responses to attacks against the Department of Defense infrastructure were largely resolved. Gradually, a cadre of professional information warriors and information sentries mounted the ramparts and the barriers against corruption of military systems.
The debates about the missions and responsibilities for defense against information attacks were useful in clarifying an issue that the military found shocking -- that the concept of information warfare and the defenses of the U.S. homeland would not fit the traditional mold of how to defend the nation. The insertion of information warfare into any defense plans defied many of the time-tested concepts of how to engage in warfare. When an enemy will (the term is "will," not "may") launch an information warfare attack against the U.S., the conflict will involve not only the military, but also the civilian and commercial firms, in addition to the many non-military agencies of the U.S. government.
The inherent vulnerability of the U.S. information infrastructure was demonstrated to Congressional and Executive Branch leaders in a number of "war games" in which a hypothetical hostile power launched an information warfare attack against privately owned telecommunications, power generation and transportation networks as a way of neutralizing (or impeding) the capacity of the U.S. military to respond to simultaneously launched conventional military actions. Such "combined" military action scenarios usually involved the defense of Mid-East oil fields or protection of a country that we have pledged to protect.
White House involvement
In contrast with an overt act of aggression, the anonymous characteristics of information attacks cannot be easily identified as acts of war. Any attacks may appear to originate from within the U.S. and appear in a form that is not readily recognized. Thus, neither the most qualified institution that the Constitution has chartered to defend the U.S. in case of war -- the Department of Defense -- nor the intelligence organizations that have acted as sentries during the Cold War, could be given the principal responsibility for managing U.S. information defenses.
Neither Defense nor Intelligence is allowed to engage in actions or surveillance that may involve actions against U.S. citizens. The Administration was well aware that the inevitable information warfare countermeasures would conflict with existing concepts of civil liberties. Most significantly, the national security organizations came to realize that the first line (and the least prepared) of U.S. information defenses ran through corporate security staffs and not through the Army, Navy, Air Force, the CIA or the NSA.
At this point, the Administration could not cope further with increasingly vocal Congressional calls to prevent a possible recurrence of the Pearl Harbor disaster. A devastating information warfare attack would be feasible in the absence of coordinated intelligence, adequate vigilance and advance preparation to cope with such an event. This time, U.S. assets would not be conveniently tied up to the same dock in Honolulu or set up for strafing on Hickam Field by a handful of Japanese bombers with only a limited fuel supply. In the case of a totally plausible "information Pearl Harbor," tens of millions of computerized assets (whether military or not) connected to a network would fail under the onslaught of hundreds of millions of software bugs launched from hidden sources.
Formation of NIPC
As the keystone of protection against information warfare attacks, the Directive authorized the establishment of the National Infrastructure Protection Center (NIPC) within the FBI. It would become the "national focus for gathering information on threats and provide the principal means of facilitating the federal government's response to computer-based incidents." The President also designated critical infrastructure protection as a highest-priority national goal. That would involve the protection of the nation's power generation, transportation, telecommunication, energy, finance and computer systems capabilities from intentional destructive acts. It would include the coordination of all military and intelligence capabilities in the protection of U.S. capabilities. All that would be accomplished no later than 2003 -- the target date for the U.S. to acquire competent information warfare defenses.
Has the FBI done its job?
For now, corporate information security executives should start examining the possibility that none of their contingency plans are adequate because system failures may be induced by forces that cannot be inhibited by more sophisticated passwords or stronger firewalls. Situations may arise when neither uninterrupted power supply nor saved back-up files will be of much use in rapidly restoring corporate information flows.
About the author:
Paul A. Strassmann (email@example.com) has served as a chief information systems executive, starting in 1957. Since his "retirement" in 1993, he has continued engagements in matters related to information security.