Infrastructure Is Us - Page 2
Part 2: Presidential Directive #63 on Infrastructure
The convergence of all these eventsthe Information Infrastructure Task Force, the PCCIP and Eligible Receiveroccurred on May 22, 1998, the date that President Clinton signed Presidential Decision Directive 63. PDD-63 represents a defining moment when the national policy of the United States was officially expanded to include the cyberworld. In a nutshell, PDD-63 says, "O.K., we got it. The infrastructure is vulnerable. The private sector and the government are inextricably tied together. There are lots of nut cases out there with a wide variety of causes and agendas. Destructive electronic tools are free to anyone for the asking on the Internet. We gotta protect ourselves."
PDD-63 called for complete interagency cooperation across law enforcement, defense, counterterrorism, Cabinet offices and the private sector (see Figure below). The Directive also formally established three organizations:
The Critical Infrastructure Assurance Office (CIAO). According to its director, Jeffrey Hunker, the CIAO "is the engine that will help drive the train of the development of the national [infrastructure protection] plan." The mission of the CIAO is to integrate the protection efforts across all private sectors, coordinate with Cabinet departments and work with the government in protecting its own systems. In addition to coordinating legislative and public affairs issues, the CIAO acts as an outreach office for national education and awareness programs.
The National Information Protection Center (NIPC). This is where the action is. More technically oriented than the policy-driven CIAO, the NIPC combines extensive representation from the FBI, Secret Service, military law enforcement and intelligence organizations. The Center is tasked with developing "early warning" techniques and procedures for cyberattacks, as well as leading investigations into reported incidents. The goal is to create public/private cooperation to monitor the state of affairs in cyberspace on a moment-to-moment basis.
The NIPC is a central information gathering point for threats and vulnerabilities against the infrastructure. The Center publishes Cybernotes, a bi-weekly newsletter on threats, hackers, trends and other security-related information. (Cybernotes is free at www.nipc.gov.) One recent NIPC initiative is the FBIs much-publicized InfraGard program, a cooperative alliance of federal agencies, academic institutions and businesses that will gather and share information related to security vulnerabilities, intrusions and disruptions.
The Information Sharing and Analysis Center (ISAC). The ISAC is designed to emulate the function of the Center for Disease Control (CDC), a cooperative effort between government and the private sector to mitigate infectious spread of disease. The operations of the ISAC are designed largely by private companies that need to develop increasing levels of trust with the government. Although the goals for all participants are mutual, an uneasy alliance will, over time, develop into a strong synergy.
Of course, nothing gets done without money, and on Jan. 22, 1999, President Clinton announced he would earmark $1.46 billion in his FY 2000 federal budget proposal for cybersecurity. The funding would underwrite a "Cyber Corps" program that would expand research and development into counter-cyberterrorism, roll out new intrusion detection technologies at key federal agencies, create private-sector information centers and recruit more security experts into the government sector.
Over the last three years, the federal government has slowly made the transition from talking about national infrastructure security to actually doing something about it. While recent initiatives hold plenty of promise, we still stand at the beginning of a long, uncharted trek to effective infrastructure protection. Meanwhile, we are still terribly exposed to our potential adversaries.
On Oct. 1, 1999, General Richard Meyers will take over as the head of all Department of Defense protection for common cyberdefense, representing a major step forward in interservice cooperation. With singular, focused leadership, the military will provide tremendous support to the NIPC and CIAO as these agencies continue to grow.
Through extensive data collection, network monitoring and intelligence gathering, we are now learning empirically what we have known intuitively all along: that national cyberdisasters begin at the local level. This past March, for instance, the Pentagon discovered a new type of distributed attack against its systems. Instead of a massive assault or concentrated scanning activity, a yet-to-be-identified attacker launched a series of distributed, low-bandwidth network queries and collected small bits of security-relevant information. While this particular attacker may turn out to be yet another script kiddie playing around with freeware probing tools on daddys computer, its clear that an attack against any component of the infrastructure doesnt have to be a state-sponsored, coordinated effort to constitute a serious threat.
Lying beneath the goal of erecting a secure national cyberinfrastrucure is the fundamental issue of trust. Historically, the private sector has been loath to hand over any sensitive information to the government, fearing that it might be mishandled or exposed to the media. However, as trust is built between the constituents of a national security infrastructure policy, our existing vulnerability to online cyberattacks will be mitigated with better technology, international treaties and laws and a national policy that we are willing to embrace.
Tom Smothers had it right: infrastructure is one. It is all interconnected, and each component must properly interoperate with each of the others if it is to be effective.
As the United States continues to fortify its infrastructure policy and procedures to reflect the challenges of the Cyber Age, perhaps an updated poem is in order:
I SYN you for SYNing me,
You ACK me for ACKing you.
I cc: you for cc:ing me,
You cc: me for cc:ing you.
So much a part of us are we,
You aint you and I aint me.
Winn Schwartau, a contributing editor of Information Security, is president of the Security Experts (www.securityexperts.com) and founder of infowar.com. This article is excerpted from his forthcoming book, Hacking and Anti-Hacking (Thunder Mouth Press), due out the first of next year.
© 1999 Information Security Magazine. Used with permission.
Information Security, the official publication of the ICSA, is dedicated to the needs of all security-conscious IT professionals. Free to qualified readers, Information Security features in-depth articles, product announcements and more analysis of information security issues than any other trade magazine. Subscribe today!