It's April Fool's Day, 2002. Glitches in air traffic controller screens nearly cause a collision above New York's LaGuardia Airport. Two weeks later, California Independent System Operator Corp., which controls California's power grid, somehow misplaces an electrical energy order to Southern California Edison, leaving two-thirds of San Diego in the dark. Then in May, a high-power microwave burst fries the electronics at an abortion clinic in Virginia.
Hypothetical "information warfare" (IW) exercises like these are being played out around the country in preparation for what politicians, the military and law enforcement officials fear will be an orchestrated cyberattack on critical U.S. infrastructure companies. The theory goes that if a well-funded, organized series of cyberattacks were to strike at a target's economic and structural nerve centers, it would send the target society into chaos and make it difficult for the military to communicate and move troops.
This particular information war game was played out among 75 IT executives attending an IW workshop at the SANS Institute's Joint Computer Security Conference in Monterey, Calif.
"In the worst-case scenario, every major industry sector would be affected," says Stephen Northcutt, a SANS fellow and a former military IW expert who led the animated workshop at the conference. Note that most of the targets in Northcutt's IW games are private-sector companies.
"When you're talking about information warfare, you're talking about information systems used to cripple the government and economy," says John Tritak, director of the Critical Infrastructure Assurance Office (CIAO) in Washington. "Close to 90 percent of those critical infrastructure companies are privately owned and operated."
The CIAO, formed in 1998 under presidential directive PDD-63, outlines a national infrastructure protection plan to bring better security and reporting to the telecommunications, transportation, emergency services, energy and financial industries. The directive deems those industries as critical to the nation's operational infrastructure. Although President Bush isn't bound to support the directive, Tritak and others say they hope PDD-63 will remain in effect.
In two years, IW preparedness has moved forward the fastest in the highly regulated and well-organized financial, energy and telecommunications sectors, say Tritak and others. But IT leaders in the private sector say they're hesitant to report incidents to agencies like the CIAO and the U.S. Federal Bureau of Investigation. Still, Tritak says the agencies need this information for intelligence and predictive analysis.
While the impact of IW bears the same uncertainty as Y2k, many IW experts say cyberterrorism and cyberwarfare are inevitable. In the past year, hacking hobbyists have shown how easy it is to propagate viruses throughout Internet-connected mail systems. They've also shown they can hack armies of unwitting computers and make those computers do their bidding. Now, the U.S. government is thinking about what terrorists with more resources could accomplish. And so are countries like China and Russia, which are developing their own IW capabilities, according to Richard Power in the book Tangled Web.
The directive that created the CIAO is a national defense document that, ironically, relies on the private sector to accomplish its mission. Telling that to executives hasn't been easy.
"The concept of information warfare doesn't present a compelling case to the CEO and the board, whose responsibility is to their shareholders and customers," Tritak explains. "But as they begin to see that operating in a reliable and secure business environment is part of taking full advantage of the Information Age, they get it."
To make this business connection, the CIAO recruited a private-sector security expert, Nancy Wong, from San Francisco-based Pacific Gas and Electric Co., to help develop a business-friendly framework and get the message out. Wong soon learned she had a third challenge: keeping government, in its zeal to protect, from crossing constitutional lines between public and private sectors.
"We put in place a road map to identify who are the people who have the most influence in business risk management - financial security analysts, bond raters, corporate executives, even auditors," Wong says. "We're using existing networks by cascading information through their members to the people who communicate it even further."
The networks Wong refers to include industry associations like the Institute of Internal Auditors, the North American Energy Reliability Council and the National Security Telecommunications Advisory Committee.
The CIAO's strategy of taking advantage of existing networks - and their built-in emergency preparedness - helped speed along the formation of the first of two Information Sharing and Analysis Centers (ISAC) for the financial and telecommunications industries. ISACs are privately owned, industry-specific cooperatives through which the government plans to channel warnings out to the private sector. The government also plans to use ISACs to gather intelligence it needs to better predict an orchestrated attack.
Energy and technology centers are expected to be completed by the end of March. The long-standing emergency management methodologies and collaborative networks provide the framework for these infrastructure analysis and reporting structures.
Bruce Moulton, vice president of infrastructure risk management at Boston-based Fidelity Investments, explains, "If a failure occurs in the Northwest power grid, for example, the energy sector has processes to keep that power failure from rippling across the United States."
And because its core business is consumer trust, the financial services industry has particular impetus for security and disaster planning, says Moulton, who chairs the financial services ISAC. "We've already got a good framework of controls to protect against disruption and customer privacy violations," he adds.
A Matter of Trust
But the biggest problem with this infrastructure plan is that businesses have a hard time visualizing the return on investment in risking corporate privacy by reporting breaches.
"The risks in reporting are clear: the fear of negative publicity, proprietary information shared in court, loss of public confidence or reduced trust in the economy itself," Harris Miller, president of the Information Technology Association of America, told an infrastructure panel last month at SafeNet 2000.
The question of reporting was one of the most nettlesome issues tossed around at SafeNet, where leading privacy and security professionals, educators, vendors and infrastructure companies met with government infrastructure protection heavyweights at Microsoft Corp.'s conference center in Redmond, Wash.
Meanwhile, industry leaders are awaiting the passage of a House bill, the Cybersecurity Information Act, that would reduce liability and antitrust action, along with actions brought under the Freedom of Information Act that are related to cyberinformation sharing.
Such complexities spotlight the precarious relationships being forged among defense agencies, law enforcement bodies and the private sector, which all have stakes in the national infrastructure. On top of that, there's the sticky issue of jurisdiction.
Who responds to an orchestrated attack, particularly one that affects military operations and crosses state lines? The answer differs from region to region. But, absent a declaration of martial law, it wouldn't be the military.
"When we're at war, we just go blow up the bad guys. But domestically, our mission is different. We can't trespass [into private systems] when we chase the bad guys. And we can't blow up the bad guys, because the bad guys are an unknown," explained Jim Christy, a supervisory special agent at the Defense Department's Information Assurance Office, to a group of 400 officials at a state summit on cybercrime in Mesa, Ariz., in October.
So the burden of responding to private-sector calls for help will most likely fall to the FBI's InfraGard program, which itself is fishing for intelligence from corporations and private citizens. Many IT leaders say they don't trust the agency, especially given its poor sensitivity to business issues, including efforts to limit encryption exports, and most recently, its controversial Carnivore e-mail wiretapping system.
Meanwhile, Arizona has unveiled perhaps the most unusual plan on the drawing board today: Make the Air Force National Guard the nerve center for private-sector reporting and response, an idea that comes from Christy and Republican State Rep. Wes Marsh, who's also a member of the Air Force Reserve. Marsh says that because members of the National Guard work full time in the private sector, they'd make excellent liaisons between the government and private sector.
No matter how you look at these issues, the net result of the presidential directive is that security awareness is rising, ISACs are forming and executives are more clued in. In spite of raised awareness, internal and external cyberthreats continue to rise, according to a joint survey by the FBI and the San Francisco-based Computer Security Institute. And, in a nonscientific online poll by Computerworld last month, only 17 percent of 150 respondents said their companies were prepared to respond to an orchestrated, warlike cyberattack.
But is this work moving fast enough? "This is a race. If the industry doesn't learn to manage its risk in a prudent way and something like an Exxon Valdez happens, then you'll see a chilling effect as laws get passed during the crisis," says Tritak. "At the same time, if you try to overplay the risks and threats, you could lose your audience."
Already, international IW efforts are moving forward.
The U.S. military has publicly announced the formation of IW units. Cyberclashes between Israeli and Palestinian factions that shut down Israeli and Palestinian government Web sites prompted the FBI to issue a warning to American businesses in October. In December, the FBI issued another warning of an "increase in hacker activity specifically targeting U.S. systems associated with e-commerce."
Yet in spite of these indicators, IW thinkers say a cyberwar is years away.
"Clearly, the eventuality of such an attack is present. That's what motivated [the Clinton] administration to move forward with a national plan," says Tritak. "But I don't think anyone has the cybercapability today to launch an attack that would cripple the nation's infrastructure. [The presidential directive] predicts such a scenario is still years away."
The NSA Wants You!
The National Security Agency (NSA) says it wants colleges to graduate IT professionals who are ready to "enter the workforce better equipped to meet challenges facing our national information infrastructure." So it sponsored an outreach program called Centers of Academic Excellence in Information Assurance and Education.
As of October, 14 schools had achieved this designation, including Carnegie Mellon University, James Madison University, George Mason University, Purdue University, Stanford University, the Naval Postgraduate School and several state universities, including Florida State, Idaho State and Iowa State.
Many other institutions - such as Syracuse University in New York - are in the process of applying for this designation. The only problem is that it seems as though foreign countries are reaping more benefit from this program than the U.S. At Syracuse, for example, nearly all the computer science students are foreigners. A look into master's dissertations at Syracuse's Internet Security Principals course in November turned up only one U.S. citizen out of 37 students. The remaining 36 were from the Middle East and Pacific Rim countries.
Anatomy of A Cyberattack
Here's how a computer invader plans and launches an attack on information systems:
1. Recon: Invader uses information-gathering programs and techniques to sniff traffic at the network gateway, then scans ports for vulnerable services.
2. Profile Target: Invader gets passwords, then identifies machines and software running on the network.
3. Attack: Invader gains root or administrative privilege of unclassified systems, then seeks and modifies information.
4. Cover Tracks: Invader hides the evidence trail and slips away.
5. Wait for Results: Invader watches CNN to see what damage he wrought.
"The weak areas [of the above scenario] are in predicting when someone is gathering information for a later attack. And, once we've been attacked, the problem is in recovery," says Dennis McCallam, senior technologist at Herndon, Va.-based Logicon Inc., the IT contracting division of Los Angeles-based defense contractor Northrop Grumman Corp.
For the past year, Logicon has been working with the Air Force Research Laboratory (AFRL) in Rome, N.Y., to develop real-time analysis and recovery capability.
The result is something they call the resilient network: intuitive data hiding and recovery agents that will recognize when key data is erased or replaced with bogus data. Then that data or computational process is replaced with the untouched version, and the administrator is alerted.
The administrator starts by specifying the most essential data or processes that need protection - say air traffic patterns that, if interrupted, could lead to a collision or crash. The agents then camouflage the data by hiding it under fake file names and fake extensions in unlikely places on the network. At the first sign of data destruction or unauthorized tampering, the agent follows its path back to the clean data, copies and replaces it and alerts administrators.
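A minimal sketch of the detect-and-restore loop described above, added here as an illustration; it is not Logicon's or the AFRL's code. The SHA-256 baseline, the `cache_*.tmp` decoy naming, the `RecoveryAgent` class and the sample file are all assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def digest_of(path):  # SHA-256 of a file, or None if it is missing
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except FileNotFoundError:
        return None

class RecoveryAgent:
    def __init__(self, hidden_dir):
        self.hidden_dir = Path(hidden_dir)
        self.protected = {}  # original -> (hidden copy, known-good digest)
        self.alerts = []     # (path, event, action) records for the administrator

    def protect(self, path):
        good = digest_of(path)
        # Assumed camouflage scheme: a name and extension unrelated to the original.
        hidden = self.hidden_dir / ("cache_" + good[:12] + ".tmp")
        shutil.copyfile(path, hidden)
        self.protected[Path(path)] = (hidden, good)

    def check(self):
        for path, (hidden, good) in self.protected.items():
            current = digest_of(path)
            if current == good:
                continue
            event = "erased" if current is None else "modified"
            # Never restore from a hidden copy that no longer matches the baseline.
            intact = digest_of(hidden) == good
            if intact:
                shutil.copyfile(hidden, path)
            self.alerts.append((path, event, "restored" if intact else "clean copy damaged"))

def demo():
    root = Path(tempfile.mkdtemp())
    (root / "spool").mkdir()
    target = root / "traffic_pattern.dat"
    target.write_text("constructed sample: hold short of runway 4\n")
    agent = RecoveryAgent(root / "spool")
    agent.protect(target)
    target.write_text("bogus\n")   # data replaced with bogus content
    agent.check()
    target.unlink()                # then erased outright
    agent.check()
    recovered = target.read_text()
    shutil.rmtree(root)
    return recovered, [(event, action) for _, event, action in agent.alerts]
```

The agent checks the hidden copy against the recorded digest before restoring, so a tampered backup produces an alert instead of being written over the protected file.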
"Our work represents a new vision in information infrastructure command and control that goes way beyond the protect-and-detect technologies [such as firewalls and intrusion detection systems] that came out in the '80s and '90s," says Joe Giordano, technical adviser to the AFRL. "This is active response, the linchpin to active forensics and protection."
Researchers are working on ways to tie the algorithm into other technologies also in research, including advanced forensics and a tracking system to follow a live evidence trail.
Don't be surprised if these algorithms eventually wind up in the private sector.
The AFRL developed the first intrusion detection algorithm, which spun out to the private sector when several former Air Force researchers founded the first intrusion detection company, WheelGroup, which was later acquired by San Jose-based Cisco Systems Inc.