Hypothetical "Information Warfare" (IW) Exercises
January 24, 2001
(IDG) -- It’s April Fool’s Day, 2002. Glitches in air traffic controller screens nearly cause a collision above New York’s LaGuardia Airport. Two weeks later, California Independent System Operator Corp., which controls California’s power grid, somehow misplaces an electrical energy order to Southern California Edison, leaving two-thirds of San Diego in the dark. Then in May, a high-power microwave burst fries the electronics at an abortion clinic in Virginia.
Hypothetical "information warfare" (IW) exercises like these are being played out around the country in preparation for what politicians, the military and law enforcement officials fear will be an orchestrated cyberattack on critical U.S. infrastructure companies. The theory goes that if a well-funded, organized series of cyberattacks were to strike at a target’s economic and structural nerve centers, it would send the target society into chaos and make it difficult for the military to communicate and move troops.
This particular information war game was played out among 75 IT executives attending an IW workshop at the SANS Institute’s Joint Computer Security Conference in Monterey, Calif.
"In the worst-case scenario, every major industry sector would be affected," says Stephen Northcutt, a SANS fellow and a former military IW expert who led the animated workshop at the conference. Note that most of the targets in Northcutt’s IW games are private-sector companies.
"When you’re talking about information warfare, you’re talking about information systems used to cripple the government and economy," says John Tritak, director of the Critical Infrastructure Assurance Office (CIAO) in Washington. "Close to 90 percent of those critical infrastructure companies are privately owned and operated."
The CIAO was formed in 1998 under Presidential Decision Directive 63 (PDD-63), which outlines a national infrastructure protection plan to bring better security and incident reporting to the telecommunications, transportation, emergency services, energy and financial industries. The directive deems those industries critical to the nation's operational infrastructure. Although President Bush isn't bound to support the directive, Tritak and others say they hope PDD-63 will remain in effect.
In two years, IW preparedness has moved forward the fastest in the highly regulated and well-organized financial, energy and telecommunications sectors, say Tritak and others. But IT leaders in the private sector say they’re hesitant to report incidents to agencies like the CIAO and the FBI. Still, Tritak says the agencies need this information for intelligence and predictive analysis.
While the impact of IW carries the same uncertainty as Y2K, many IW experts say cyberterrorism and cyberwarfare are inevitable. In the past year, hacking hobbyists have shown how easily a virus can spread through Internet-connected mail systems. They've also shown that they can commandeer large numbers of unwitting computers and direct them in coordinated attacks. Now the U.S. government is thinking about what terrorists with more resources could accomplish. So are countries like China and Russia, which are developing their own IW capabilities, according to Richard Power in the book Tangled Web.
The directive that created the CIAO is a national defense document that, ironically, relies on the private sector to accomplish its mission. Telling that to executives hasn’t been easy.
"The concept of information warfare doesn’t present a compelling case to the CEO and the board, whose responsibility is to their shareholders and customers," Tritak explains. "But as they begin to see that operating in a reliable and secure business environment is part of taking full advantage of the Information Age, they get it."
To make this business connection, the CIAO recruited a private-sector security expert, Nancy Wong, from San Francisco-based Pacific Gas and Electric Co., to help develop a business-friendly framework and get the message out. Wong soon learned she had a third challenge: keeping government, in its zeal to protect, from crossing constitutional lines between public and private sectors.
"We put in place a road map to identify who are the people who have the most influence in business risk management -- financial security analysts, bond raters, corporate executives, even auditors," Wong says. "We’re using existing networks by cascading information through their members to the people who communicate it even further."
The networks Wong refers to include industry associations like the Institute of Internal Auditors, the North American Electric Reliability Council and the National Security Telecommunications Advisory Committee.
The CIAO's strategy of taking advantage of existing networks -- and their built-in emergency preparedness -- helped speed along the formation of the first two Information Sharing and Analysis Centers (ISACs), covering the financial services and telecommunications industries. ISACs are privately owned, industry-specific cooperatives through which the government plans to channel warnings out to the private sector. The government also plans to use ISACs to gather the intelligence it needs to better predict an orchestrated attack.
ISACs for the energy and information technology sectors are expected to be in place by the end of March. The long-standing emergency management methodologies and collaborative networks in these industries provide the framework for their analysis and reporting structures.
Bruce Moulton, vice president of infrastructure risk management at Boston-based Fidelity Investments, explains, "If a failure occurs in the Northwest power grid, for example, the energy sector has processes to keep that power failure from rippling across the United States."
And because its core business is consumer trust, the financial services industry has particular impetus for security and disaster planning, says Moulton, who chairs the financial services ISAC. "We’ve already got a good framework of controls to protect against disruption and customer privacy violations," he adds.
A Matter of Trust
But the biggest problem with this infrastructure plan is that businesses have a hard time seeing any return on the risk to corporate privacy they take by reporting breaches.
"The risks in reporting are clear: the fear of negative publicity, proprietary information shared in court, loss of public confidence or reduced trust in the economy itself," Harris Miller, president of the Information Technology Association of America, told an infrastructure panel last month at SafeNet 2000.
The question of reporting was one of the most nettlesome issues tossed around at SafeNet, where leading privacy and security professionals, educators, vendors and infrastructure companies met with government infrastructure protection heavyweights at Microsoft Corp.’s conference center in Redmond, Wash.
Meanwhile, industry leaders are awaiting the passage of a House bill, the Cybersecurity Information Act, that would limit the liability, antitrust exposure and Freedom of Information Act disclosure arising from cybersecurity information shared with the government.
Such complexities spotlight the precarious relationships being forged among defense agencies, law enforcement bodies and the private sector, which all have stakes in the national infrastructure. On top of that, there’s the sticky issue of jurisdiction.
Who responds to an orchestrated attack, particularly one that affects military operations and crosses state lines? The answer differs from region to region. But, absent a declaration of martial law, it wouldn’t be the military.
"When we’re at war, we just go blow up the bad guys. But domestically, our mission is different. We can’t trespass [into private systems] when we chase the bad guys. And we can’t blow up the bad guys, because the bad guys are an unknown," explained Jim Christy, a supervisory special agent at the Defense Department’s Information Assurance Office, to a group of 400 officials at a state summit on cybercrime in Mesa, Ariz., in October.
So the burden of responding to private-sector calls for help will most likely fall to the FBI’s InfraGard program, which itself is fishing for intelligence from corporations and private citizens. Many IT leaders say they don’t trust the agency, especially given its poor sensitivity to business issues, including efforts to limit encryption exports, and most recently, its controversial Carnivore e-mail wiretapping system.
Meanwhile, Arizona has unveiled perhaps the most unusual plan on the drawing board today: make the Air National Guard the nerve center for private-sector reporting and response, an idea that comes from Christy and Republican State Rep. Wes Marsh, who's also a member of the Air Force Reserve. Marsh says that because members of the National Guard work full time in the private sector, they'd make excellent liaisons between the government and private sector.
No matter how you look at these issues, the net result of the presidential directive is that security awareness is rising, ISACs are forming and executives are more clued in. In spite of raised awareness, internal and external cyberthreats continue to rise, according to a joint survey by the FBI and the San Francisco-based Computer Security Institute. And, in a nonscientific online poll by Computerworld last month, only 17 percent of 150 respondents said their companies were prepared to respond to an orchestrated, warlike cyberattack.
But is this work moving fast enough? "This is a race. If the industry doesn’t learn to manage its risk in a prudent way and something like an Exxon Valdez happens, then you’ll see a chilling effect as laws get passed during the crisis," says Tritak. "At the same time, if you try to overplay the risks and threats, you could lose your audience."
Already, international IW efforts are moving forward.
The U.S. military has publicly announced the formation of IW units. Cyberclashes between Israeli and Palestinian factions that shut down Israeli and Palestinian government Web sites prompted the FBI to issue a warning to American businesses in October. In December, the FBI issued another warning of an "increase in hacker activity specifically targeting U.S. systems associated with e-commerce."
Yet in spite of these indicators, IW thinkers say a cyberwar is years away.
"Clearly, the eventuality of such an attack is present. That's what motivated [the Clinton] administration to move forward with a national plan," says Tritak. "But I don't think anyone has the cybercapability today to launch an attack that would cripple the nation's infrastructure. [The presidential directive] predicts such a scenario is still years away."