Railroads, bridges, highways—infrastructure used to be such a clean concept. But the Information Age changed the rules of the game, and the United States is still playing catch-up.
By Winn Schwartau
I’m old enough to remember when CBS kicked its top-rated Smothers Brothers show off the air because—get this—Tom and Dick were too radical. I also remember from that show the first poem about infrastructure I ever heard, recited with Pentagon Papers sincerity by Tommy himself:
I love you for loving me,
You love me for loving you.
I kiss you for kissing me,
You kiss me for kissing you.
So much in love with us are we,
You kiss you and I kiss me.
Isn’t that sweet? Two people, deeply in love, inextricably intertwined in union, as one, for the rest of their lives. Human infrastructure. So what is so different today, eh? We merrily anthropomorphize our networks and cyberconnections (I’ve heard techies refer to servers as "her," RAM and joysticks as "him" and mice and pixels as "she"). Kissing cousins and kissing networks—the result in both cases is the same: infrastructural inbreeding. This is exactly what has happened to our archaic, Pleasantville views of national infrastructure.
Infrastructure used to be so clean a term. The bridge. The road. The railroad tracks. The annals of 19th century American history are filled with tales of man-powered infrastructure, owned and operated by Capital Men of industrial wealth and influence. In May 1869, at Promontory Summit, Utah, Leland Stanford swung a sledgehammer at the Golden Spike and completed the first coast-to-coast American infrastructure: the railroad. Eight years earlier, in 1861, a growing company called Western Union had already strung the first coast-to-coast communications infrastructure: the telegraph. In the mid-1880s, a fledgling startup known as American Telephone & Telegraph wanted its infrastructure to go coast-to-coast, too.
Through the first three-quarters of the 20th century, the concept of national infrastructure remained rooted in the physical. Perhaps the most notable endeavor was the creation of the national interstate highway system in the 1950s, promoted by the Eisenhower administration as a means for urban populations to escape imminent death and destruction, courtesy of incoming Soviet thermonuclear warheads.
Though this "survivalist instinct" sounds far-fetched today, the same motivation lies beneath the modern infrastructure as well. Back in the late 1960s, the Advanced Research Projects Agency (ARPA, now DARPA) basically said, "We want to connect a couple of computers together." Researchers at UCLA, among them graduate student Vint Cerf, and at the other early sites set to work on it, and by the end of 1969 the ARPAnet was born. But the Pentagon knew that connectivity was only part of the equation. "Now that you have a couple of computers talking to each other," it asked, "can you make them still talk to each other after a nuclear attack on the United States?" As with the interstate highway system, the key motivator here was survivability. Strictly speaking, the ARPAnet contract itself was about sharing scarce computers among research sites; the survivability argument belongs to the packet-switching work Paul Baran had done at RAND earlier in the decade, explicitly to keep military communications alive after a nuclear strike. Either way, the result is the Internet and TCP/IP: protocols that do not depend on any particular router or path, that break electronic data into a series of packets which may travel different routes to their destination, where they are reassembled.
It Ain’t Just Cyber
Even though it has been a part of our physical lives for hundreds of years, many people are surprised to see the word "infrastructure" appearing in their daily newspapers. Of course, when we talk of infrastructure today, we generally mean virtual or electronic infrastructure: cyberinfrastructure, which lies at the foundation of our modern global information society.
This cyberinfrastructure has a concrete basis in the physical. Cyberspace is not an ethereal mystery veiled in intangibility. It’s humankind’s massive agglomeration of switches and routers, silicon and copper shrouded in PVC insulation, physically connected to an impossibly complex mesh of computers and servers strewn around the globe. Even RF communications networks, cellular phones and other "transparent" systems are bounded by hardware at the transmitting and receiving ends.
But while the underpinnings of the cyberinfrastructure resemble those of its physical ancestors, its reach into our daily lives is deeper and more pervasive. As FCC chairman William Kennard said in a recent speech in Nashville, "The Internet, unlike the railroad, can come into every office, every home in America, even into our briefcases and pockets. We have the capability to bring broadband technologies to all Americans wherever they live and wherever they may go. With cable, copper, wireless and satellite, we can build on-ramps to the Information Superhighway for anyone anywhere. No town, no community has to be condemned to becoming a ghost town in the New Economy. Part of the reason for this flexibility is that technological bits of data are a lot easier to maneuver than iron and steel."
The downside is that the vulnerabilities have multiplied too, since attacks can now be perpetrated through virtual appendages as well as physical ones. The long-distance connectivity that infrastructure provides also vastly increases the number of people who can (negatively) influence its proper operations: anyone who can reach the network can reach the control path. Until very recently, the maintenance ports for telephone switches were protected by four-digit passcodes, only 10,000 possible combinations between an outside caller and the switch. Indeed, the Internet itself was built without any regard to security—part of the reason ’Net security is such a booming industry today.
Here’s the problem: We have forged ahead with our electronic highways without a means to protect them. And as everyone now realizes, adding security to infrastructure after the fact is a slow, tedious, expensive process, and the end result is never as robust as that in which security is engineered from the get-go.
Okay, so we built this incredibly intertwined set of infrastructures with little regard for cybersecurity. Even into the late 1980s and early 1990s, we still took a landlocked, myopic, physical view of infrastructure. But then, finally, things began to change.
In the early 1990s, there were only a handful of voices warning the government and private sector of the potential consequences of continuing to ignore national cybersecurity and infrastructure protection. In 1991, in testimony before the House Committee on Science, Space and Technology, I introduced the concept of "Electronic Pearl Harbor," a term that distilled the risk into a digestible sound bite that both Congress and the press could latch onto. America needed, I maintained, to enhance the definition of national security to include economic national security as a new post-Cold War priority. Yet the issue continued to be largely ignored, and for years I took a ribbing for my "Chicken Little-ish" and "scaremongering" views.
Reluctance to adapt to a new paradigm—one that acknowledges the new dangers and vulnerabilities facing a virtual infrastructure—continued until the mid-1990s. It wasn’t until 1996 that the issue bubbled up through the political machinery in Washington, when then-CIA Director John Deutch reiterated before Congress my concerns about an impending Electronic Pearl Harbor. Thereafter, a number of efforts rapidly materialized, including studies by the National Research Council and the Defense Science Board and the Manhattan Cyber-Project.
In September 1993, President Clinton signed Executive Order 12864, establishing an advisory council to the Information Infrastructure Task Force, which was tasked with creating the building blocks for a National Information Infrastructure. The council delivered its final report in early 1996, and on July 15 of that year President Clinton signed Executive Order 13010 to create the President’s Commission on Critical Infrastructure Protection (PCCIP), chaired by retired U.S. Air Force Gen. Robert T. Marsh.
EO 13010 formally recognized that "certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States." Against that definition, the PCCIP was mandated to: (1) assess vulnerabilities and threats to the critical infrastructures; (2) identify relevant legal and policy issues, and assess how they should be addressed; (3) recommend to the president a national policy and implementation strategy for protecting critical infrastructures; and (4) propose any necessary statutory or regulatory changes.
The PCCIP categorized the nation’s critical infrastructures as follows:
Telecommunications. Includes all forms from the Internet, cable, cellular, telephone, satellite and any other medium that connects systems together. This sector alone represents about 16 percent of the domestic gross national product (GNP) of the United States.
Energy. Includes electric power, oil and gas. Covers transportation issues—everything from the Alaska pipeline to oil refineries to natural gas distribution. Pipelines and power lines are routinely co-located with communications wiring, so one physical failure can take down both at once: the vulnerabilities are shared, not independent.
Transportation. Mostly physical: trucks delivering food, trains moving manufactured goods and airlines driving business and tourism.
Banking and finance. The U.S. goods and services GNP is about $8 trillion, and globally about $30 trillion. But the virtual economy, where the stock markets, bonds and electronic monies are moved, is between $25 and $50 quadrillion, larger by a factor of 1,000. Some brokerage houses move trillions of dollars per year over their networks.
Water supply. The water is physical, but the controls for moving fresh water to populations and maintaining sewers and waste treatment plants are electronic.
Emergency services. 911, police, fire departments and medical response and rescue units are tightly knitted together with complex networks to provide high levels of efficiency and public trust.
In October 1997, the PCCIP delivered its report, Critical Foundations: Protecting America’s Infrastructures, to President Clinton. The Commission’s findings, however, were less than illuminating, merely reiterating and reinforcing the same warnings and cautions that had been spelled out years before. Nevertheless, the PCCIP’s recommendations have been carried forward to the present in the U.S.’s implementation of infrastructure protection:
Broad program of awareness and education. The government wants to educate mainstream America about the problem, and is trying to enlist their support. Funding for public relations and awareness initiatives continues to be a priority today.
Industry cooperation. Industry and the government must develop a process and method to trust each other and jointly share information. This will take a while, though, since much of industry distrusts the government’s ability to keep secrets.
Enhanced law. What new laws will help deter the nature of today’s (cyber)crimes? How can existing laws be re-tailored to meet cyberthreats and mitigate their damage? Keep in mind that the United States is but a local ordinance internationally. International laws and cooperation are critical. Russia, in fact, has proposed an international cyberdisarmament treaty.
More research and development. The technology we have today is insufficient to effectively defend against attacks. Efforts continue to merge the study of technology with such things as psychological profiling, advanced low-level detection schemes and intelligent monitoring and filtering.
A national organization. Such an organization is intended to incorporate national monitoring facilities and industry liaison groups as well as coordinate leadership policy across the public and private sectors.
The NSA Angle
At the same time the PCCIP was formulating its report, the National Security Agency embarked on its own analysis of the problem, with a focus on the potential effects of infrastructure disturbance on military preparedness. In June 1997, the Joint Staff ran a no-notice exercise code-named "Eligible Receiver," with an NSA red team simulating a North Korean cyberattack against a second team representing the U.S. defense infrastructure. To make the exercise as close to reality as possible, the rules for the "bad guys" were simple: (1) They could only use the same level of connectivity that North Korea had at the time (namely, ISDN-level speeds); and (2) They could only employ attack tools slightly enhanced and modified from those widely available on the Internet.
The results of Eligible Receiver left the senior military brass bug-eyed in astonishment. In little more than a week the red team had worked its way into dozens of Defense Department networks, and its assessment, accepted by the exercise referees, was that with the same access and techniques it could have thrown the United States into economic chaos by attacking major financial institutions, shutting down large pieces of the U.S. power grid, crippling communications and short-circuiting the airline industry. One caveat belongs here: the rules kept the red team inside DoD systems, so those civilian effects were the team’s judgment of what it could have done, not demonstrated outages. Participants and observers nonetheless acknowledged how utterly surprised they were by the speed and efficiency with which the critical U.S. infrastructures were judged to fall, one by one.
Part 2: Presidential Directive #63 on Infrastructure
The convergence of all these events—the Information Infrastructure Task Force, the PCCIP and Eligible Receiver—occurred on May 22, 1998, the date that President Clinton signed Presidential Decision Directive 63. PDD-63 represents a defining moment when the national policy of the United States was officially expanded to include the cyberworld. In a nutshell, PDD-63 says, "O.K., we got it. The infrastructure is vulnerable. The private sector and the government are inextricably tied together. There are lots of nut cases out there with a wide variety of causes and agendas. Destructive electronic tools are free to anyone for the asking on the Internet. We gotta protect ourselves."
PDD-63 called for complete interagency cooperation across law enforcement, defense, counterterrorism, Cabinet offices and the private sector (see Figure below). The Directive also formally established three organizations:
The Critical Infrastructure Assurance Office (CIAO). According to its director, Jeffrey Hunker, the CIAO "is the engine that will help drive the train of the development of the national [infrastructure protection] plan." The mission of the CIAO is to integrate the protection efforts across all private sectors, coordinate with Cabinet departments and work with the government in protecting its own systems. In addition to coordinating legislative and public affairs issues, the CIAO acts as an outreach office for national education and awareness programs.
The National Infrastructure Protection Center (NIPC). This is where the action is. More technically oriented than the policy-driven CIAO, the NIPC, housed at the FBI, combines extensive representation from the FBI, Secret Service, military law enforcement and intelligence organizations. The Center is tasked with developing "early warning" techniques and procedures for cyberattacks, as well as leading investigations into reported incidents. The goal is to create public/private cooperation to monitor the state of affairs in cyberspace on a moment-to-moment basis.
The NIPC is a central information gathering point for threats and vulnerabilities against the infrastructure. The Center publishes CyberNotes, a biweekly newsletter on threats, hackers, trends and other security-related information. (CyberNotes is free at www.nipc.gov.) One recent NIPC initiative is the FBI’s much-publicized InfraGard program, a cooperative alliance of federal agencies, academic institutions and businesses that will gather and share information related to security vulnerabilities, intrusions and disruptions.
Information Sharing and Analysis Centers (ISACs). The ISACs are designed to emulate the function of the Centers for Disease Control and Prevention (CDC): a cooperative effort between government and the private sector, in this case to limit the spread of attacks rather than disease. Their operations are designed largely by the private companies in each sector, which need to develop increasing levels of trust with the government. The goals of all participants are the same, and what begins as an uneasy alliance should, over time, develop into a genuine partnership.
Of course, nothing gets done without money, and on Jan. 22, 1999, President Clinton announced he would earmark $1.46 billion in his FY 2000 federal budget proposal for critical infrastructure protection. The funding would, among other things, underwrite a "Cyber Corps" program to recruit and train security experts for government service, expand research and development into counter-cyberterrorism, roll out new intrusion detection technologies at key federal agencies and create private-sector information sharing centers.
Over the last three years, the federal government has slowly made the transition from talking about national infrastructure security to actually doing something about it. While recent initiatives hold plenty of promise, we still stand at the beginning of a long, uncharted trek to effective infrastructure protection. Meanwhile, we are still terribly exposed to our potential adversaries.
On Oct. 1, 1999, U.S. Space Command, under Gen. Richard Myers, takes over the Joint Task Force-Computer Network Defense and with it responsibility for defending Department of Defense networks, a major step forward in interservice cooperation. With singular, focused leadership, the military should be able to lend tremendous support to the NIPC and CIAO as those agencies continue to grow.
Through extensive data collection, network monitoring and intelligence gathering, we are now learning empirically what we have known intuitively all along: that national cyberdisasters begin at the local level. This past March, for instance, the Pentagon discovered a new type of distributed attack against its systems. Instead of a massive assault or concentrated scanning activity, the kind that trips a per-source alarm, a yet-to-be-identified attacker spread a series of low-bandwidth network queries across many sources and a long stretch of time, each collecting some small bit of security-relevant information, so that no single source ever looked busy enough to notice. While this particular attacker may turn out to be yet another script kiddie playing around with freeware probing tools on daddy’s computer, it’s clear that an attack against any component of the infrastructure doesn’t have to be a state-sponsored, coordinated effort to constitute a serious threat.
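The pattern just described, reconnaissance spread so thin across sources that no one of them crosses a per-source threshold, is exactly the case a detector keyed on the target rather than the attacker catches. What follows is an added example, not code from the original article or from any NIPC or Pentagon system; the log format, the IP addresses, the thresholds and the 24-hour log it builds are all constructed assumptions. It runs a classic per-source rate check and a per-target aggregation side by side over the same constructed log: the first flags only the one loud host and misses the sweep, the second flags the swept target.

```python
"""Low-and-slow distributed reconnaissance: per-source vs. per-target detection.

Added example; the log format, IP addresses and thresholds are assumptions,
and the log itself is constructed inside this file.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format (constructed): "<ISO timestamp> <src> -> <dst>:<port> <action>"
EXAMPLE_LINE = "1999-03-01T00:05:00 198.51.100.7 -> 192.0.2.10:23 DENY"


def parse_line(line):
    """Parse one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action


def build_constructed_log(n_sources=40, probes_per_source=3, target="192.0.2.10"):
    """Constructed 24-hour log (not real traffic): n_sources hosts each send a
    few probes to distinct ports on one target, hours apart, plus one loud
    host that hammers a single port, the case per-source thresholds exist for."""
    start = datetime(1999, 3, 1)
    lines, port = [], 1
    for i in range(n_sources):
        src = f"198.51.100.{i + 1}"
        for j in range(probes_per_source):
            # successive probes from one source are eight hours apart
            ts = start + timedelta(minutes=i * 7 + j * 480)
            lines.append(f"{ts.isoformat()} {src} -> {target}:{port} DENY")
            port += 1
    for k in range(30):  # 30 denied connects to one port inside ten minutes
        ts = start + timedelta(hours=12, seconds=20 * k)
        lines.append(f"{ts.isoformat()} 203.0.113.5 -> 192.0.2.20:22 DENY")
    return lines


def per_source_alerts(events, threshold=20, window=timedelta(hours=1)):
    """Classic detector: a source is flagged if it has more than `threshold`
    denied connections inside any sliding window of length `window`."""
    by_src = defaultdict(list)
    for ts, src, _dst, _port, action in events:
        if action == "DENY":
            by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.add(src)
                break
    return flagged


def slow_scan_alerts(events, min_sources=10, min_ports=50):
    """Target-centric detector: per (target, calendar day), count distinct
    sources and distinct ports behind denied connections. Many quiet sources
    touching many ports on one host is the signature of a distributed sweep
    that no per-source rule will see. Daily buckets keep this short; a
    sliding window would avoid splitting a sweep that straddles midnight."""
    srcs, ports = defaultdict(set), defaultdict(set)
    for ts, src, dst, port, action in events:
        if action == "DENY":
            key = (dst, ts.date())
            srcs[key].add(src)
            ports[key].add(port)
    alerts = {}
    for (dst, day), sources in srcs.items():
        if len(sources) >= min_sources and len(ports[(dst, day)]) >= min_ports:
            alerts[dst] = (len(sources), len(ports[(dst, day)]))
    return alerts


def analyze(lines):
    """Parse a log and run both detectors; returns their results side by side."""
    events = [parse_line(line) for line in lines]
    return {"per_source": per_source_alerts(events),
            "per_target": slow_scan_alerts(events)}


if __name__ == "__main__":
    results = analyze(build_constructed_log())
    print("per-source threshold flags:", sorted(results["per_source"]))
    print("distributed sweep flags:   ", results["per_target"])
```

On the constructed log the per-source check flags only 203.0.113.5, the host that tried one port 30 times in ten minutes, and says nothing about the 40 hosts that each touched the target three times; the per-target view reports 192.0.2.10 as probed from 40 sources on 120 ports in a day. A production version would also fold in accepted connections, since a probe that succeeds tells the attacker at least as much as one that is denied.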
Lying beneath the goal of erecting a secure national cyberinfrastructure is the fundamental issue of trust. Historically, the private sector has been loath to hand over any sensitive information to the government, fearing that it might be mishandled or exposed to the media. However, as trust is built between the constituents of a national security infrastructure policy, our existing vulnerability to online cyberattacks will be mitigated with better technology, international treaties and laws, and a national policy that we are willing to embrace.
Tom Smothers had it right: infrastructure is one. It is all interconnected, and each component must properly interoperate with each of the others if it is to be effective.
As the United States continues to fortify its infrastructure policy and procedures to reflect the challenges of the Cyber Age, perhaps an updated poem is in order:
I SYN you for SYNing me,
You ACK me for ACKing you.
I cc: you for cc:ing me,
You cc: me for cc:ing you.
So much a part of us are we,
You ain’t you and I ain’t me.
Winn Schwartau, a contributing editor of Information Security, is president of the Security Experts (www.securityexperts.com) and founder of infowar.com. This article is excerpted from his forthcoming book, Hacking and Anti-Hacking (Thunder’s Mouth Press), due out the first of next year.
© 1999 Information Security Magazine. Used with permission.
Information Security is the official publication of the ICSA.