IP: WHITE PAPER ON INFORMATION INFRASTRUCTURE ASSURANCE-- FAS

[Dave Farber <farber () central cis upenn edu>]

FAS Intro: The following White Paper, prepared by the staff of the Security
Policy Board in December 1995, describes the government's attempt to come
to grips with the potential threat to the U.S. information infrastructure.
It was obtained by the FAS Project on Government Secrecy.
---------------------------------------------------------------------------


            WHITE PAPER ON INFORMATION INFRASTRUCTURE ASSURANCE


PURPOSE: To provide a national perspective on the security-related
challenges presented by the emergence of a National Information
Infrastructure (NII), to assess the Federal Government's current ability to
address these challenges, and to offer ideas and options for meeting them.


THE SITUATION:


* The nation is at risk. On 16 July 1995 The Washington Post ran a major
article on the vulnerability of the NII: "The Pentagon's New Nightmare: An
Electronic Pearl Harbor." A few weeks later Time magazine's cover story on
"CYBER WAR" was captioned: "The U.S. rushes to turn computers into
tomorrow's weapons of destruction. But how vulnerable is the home front?"
Both articles drew upon threat and vulnerability data from a wide variety
of Government and private reports, such as the 5 December 1994 National
Communications System report on "The Electronic Intrusion Threat to
National Security and Emergency Preparedness Telecommunications."


That report found that electronic intruders are attacking data networks at
increasing rates, and have compromised elements of the telephone signaling
network. A senior DISA official has bluntly stated that "We are not
prepared for an electronic version of Pearl Harbor" and that "Our
electronic infrastructure is not safe and secure." In 1999 DISA tested the
security of DoD information systems by attacking nearly 10,000 systems
using widely available techniques. They successfully penetrated 88 percent,
of which only 4 percent were even detected. VADM John M. McConnell,
Director of the National Security Agency, emphasizing the asymmetry in our
national risk, has said that "We're more vulnerable than any other nation
on earth." External threats are real: intelligence data indicate that at
least 30 countries are actively working on information warfare programs.


Outside of DoD the situation is no different. The telephone system, the
banking, credit, and Federal Reserve systems, the stock exchanges, the
power and fuels distribution systems, the air traffic control and other
intelligent transportation systems, the federal elections system, public
safety and law enforcement all depend heavily on networked information
systems which are potentially vulnerable to networked-based attacks. Most
observers agree that business losses are notoriously under-reported, but
one recent press estimate put U.S. losses within the past year from
computer crimes via the Internet alone at $5 billion.


* The situation will probably get worse. The major trends contributing to
increased risk show no signs of abatement: (1) The explosive growth in
inter-networking; some estimates put the increase in new Internet terminals
worldwide at 10,000 or more per day. (2) The skyrocketing expansion in data
handling capacities; PC hard disks of up to two gigabytes are now widely
available at low cost. At the network level, terabit per second switches
are close on the horizon, as well as photonic switches which will allow
full use of the fiber optic infrastructure's vast bandwidth. The nation, in
short, will continue to place many more, and valuable, eggs in the
electronic basket, increasingly vulnerable to multiplying foreign and
domestic network-based threats.


* This is a national problem. Business and private industry can be counted
upon to meet their risk management needs by protecting their information
systems assets commensurate with their perceptions of the commercial value
of the asset, its vulnerability, and the threats to it - or they may simply
write off losses as a cost of doing business or obtain some form of
indemnity through insurance. It is extremely unlikely, however, that these
measures to indemnify private assets will be sufficient to address the
broader public vulnerability and national level threats. The genuine
potential for large-scale disruption of major portions of the national
infrastructure via network-based attacks leads to the inescapable
conclusion that this is a problem of national dimensions. Under basic
Constitutional responsibilities to "insure domestic Tranquility; provide
for the common defence; and promote the general Welfare..." an effective
Federal Government response before an information-based national
catastrophe occurs becomes absolutely essential.


The national level and gravity of the problem are underlined by the Federal
Government's extremely high (and increasing) degree of dependence on the
NII to carry out critical governmental responsibilities, including national
security, defense, law enforcement and public safety functions. No one
knows the exact degree of this governmental dependence on the availability
and integrity of the NII, but it is extremely high. Informed estimates
suggest that 90 to 95 percent of the information needed to carry out
essential Governmental functions must in some way be processed by
information systems in the privately owned and operated parts of the
existing NII.


* The Federal Government is poorly organized and resourced to ensure
adequate NII security in terms of availability, integrity, and
confidentiality. There are many different boards, commissions, working
groups, forums, committees, advisory councils, etc., scattered throughout
the Executive Branch, each of which has some aspect of information
infrastructure assurance within its sphere. A few of the more prominent
include:
* Information Infrastructure Task Force (IITF), with its three committees
on Information Policy, Telecommunications Policy, and on Applications and
Technology, and other working groups, such as the Reliability and
Vulnerability Working Group.


* Security Issues Forum (SIF), under the IITF
* U.S. Security Policy Board (SPB) and Security Policy Forum (SPF) with its
full-time Staff and five committees and numerous working groups
* Security Policy Advisory Board (Personnel have been selected by the
President; the SPAB should be activated soon)
* IITF NII Advisory Council
* National Security Telecommunications Advisory committee (NSTAC), and its
Information Assurance Task Force
* National Communications System (NCS) and its recently-created Office of
Information Assurance
* Computer Systems Security Privacy Advisory Board Information its several
committees
* National Security Telecommunications and Systems Security Committee
(NSTISSC) and committees, including an NII Task Force
* Federal Computer Systems Managers' Forum Several closely-related
entities, primarily within the DoD, dealing with Defensive Information
Warfare
* Security Infrastructure - Program Management Office, administered by GSA


Although there are many points at which these organizations intersect with
each other, the big picture is one of fragmentation, duplication, and
inefficiency. This shows up in at least four general areas.


(1) There's no single entity with sufficient breadth of vision,
responsibility and resources to effectively manage the Executive Branch's
efforts towards the goal of information infrastructure assurance. This was
recently highlighted by the Rand Corporation's gaming exercise, "The Day
After." It was clear to most participants of this exercise that a deadly
information attack on America was feasible, and that, because of the
government/private and nationally distributed nature of the "target," we
had no one in charge, or even capable of pulling the necessary defensive
efforts together. As stated by the Defense Science Board in a recent
report: "There is no nationally coordinated capability to counter or even
detect a structured threat."


(2) The Executive Branch currently has no effective organization or entity
to act as a "Fair Court" in making security-related policy decisions which
fairly balance - and are widely perceived to fairly balance the sometimes
competing but legitimate interests of national security, law enforcement,
commerce, and personal privacy in the national interest. Current areas of
contention which require careful balance in the national interest include
national encryption policy, export controls, and information system
standards. As digital networking comes to dominate the information
universe, however, there will be other complex policy and resource issues
which will have to be decided on the basis of what's best for the nation as
a whole, instead of which particular bureaucracy/constituency wins which
particular policy battle. If the Government is to have the capability to
find the best, balanced, solutions to these future challenges, it will need
a technically competent, well-resourced and authoritative "Fair Court"
within the Executive Branch.


(3) The Executive Branch currently has four overlapping NII
security-related "movements" going on, and their inter-relationships and
coordination are not clear. One "movement" tends to fall under the banner
of "Information Assurance" and is led by the NCS/NSTAC. A second closely
related "movement" is grouped around the diverse DoD-centered "Defensive
Information Warfare" efforts. Although there are aspects of Defensive
Information Warfare which fall outside the boundaries of information
assurance/security activities (principally up-front I&W, and the defense
against hard/physical attacks on critical network nodes) a great deal of
"Defensive Information Warfare" is synonymous with traditional Information
Systems Security (INFOSEC) activities and countermeasures. These INFOSEC
activities and organizational elements constitute the third, and oldest, of
the NII security-related "movements" within the Executive Branch, and are
most developed in the Departments of Defense (particularly at NSA) and
Commerce (particularly at NIST). The fourth and most recent such "movement"
is made up of the diverse activities, committees and working groups,
largely under the umbrella of the IITF, which are focused on "NII
Protection and Privacy."


(4) The limited Federal Government resources to achieve Information
Infrastructure Assurance appear to be inefficiently, ineffectively, and
illogically scattered throughout the Executive Branch. One of the widely
shared criticisms of the Computer Security Act of 1987 is that the law
assigned substantial computer systems security responsibilities to the
Department of Commerce, but provided virtually no resources to execute
these responsibilities. This is, however, only one of the irrationalities
which present themselves when the distribution of scarce information
security and assurance resources across the Executive Branch are considered
from a national perspective. Technical centers of excellence certainly
exist, but it is doubtful that they are effectively and efficiently applied
to the highest priority problems. Similarly, the resources being applied to
Information Assurance Research and Development efforts do not appear to be
considered or managed from a national perspective, with resulting
likelihood that there will be research gaps, cr unnecessary duplication.
Emergency Response resources constitute another critical area which
certainly needs to be increased, but any such increase should be done from
a national perspective, based on carefully thought out national priorities.
The immense increase in information system inter-networking, the
extraordinary growth in the value of our information infrastructure and our
Government's dependence upon it for performing critical functions, and the
increasingly obvious threats to and vulnerabilities of the NII, all point
to the need for a serious review and restructuring of these limited
resources. The overall challenge of assuring the health of our national
information infrastructure has become too important for it to be addressed
by a hodge-podge of committees, councils and working groups, stitched
together from the far reaches of the Executive Branch


   * Congress is demanding that the Executive Branch develop and implement
a clear plan for addressing the threats to, and vulnerabilities of, the
NII. Although Congress has yet to address its concerns with a single voice,
individual senators, representatives, and committees have increasingly
asked, in effect, for the Executive Branch's plan to deal with NII
security.


     - The SSCI's report on the Intelligence Authorization Bill for FY96
(S.922) has specifically called for the DCI and SECDEF to prepare "a
comprehensive report which: (a) identifies the key threats to U.S.
computers and communications systems, including those of both the
government and the private sector (i.e., the Public Switched Network upon
which the government heavily depends); and, (b) provides a comprehensive
plan for addressing the threats described in section (a), to include any
necessary legislative or programmatic recommendations required to protect
government or private U.S. information systems. The report shall be
provided to the intelligence and defense committees not later than March 1,
1996." In a thinly-veiled threat, the SSCI added: "In the absence of such a
plan, the Committee remains skeptical regarding the benefits that can be
achieved through increased funding for the Department of Defense
Information Systems Security Program."


     - Senators Kyl and Leahy have sponsored S.982, the "NII Protection Act
of 1995," and have added an amendment to the Defense Authorization Bill
(S.1026) "to require the President to analyze all issues in developing a
progressive, cohesive national policy toward protecting our ability to
communicate, our defense structure, and our information." In a letter to
his senate colleagues Sen. Kyl wrote: "We must begin now to elevate our
efforts to protect the national security interest of this country."


These two requests, together with closely-related comments, requests and
legislative proposals from other Congressional members and committees,
amount to an overall demand for the Executive Branch to articulate the
NII's vulnerabilities and threats, and to deliver a real plan on what to do
about them. So far, no Executive Branch entity has emerged to answer the
Congressional mail on this overall issue, and to pull together a cohesive
national policy and plan. Given our current Executive Branch structures and
resources, it appears unlikely that these Congressional concerns will be
satisfactorily resolved anytime soon.


THE SECURITY POLICY BOARD AND INFOSEC


Creation and Purpose: The U S. Security Policy Board (SPB) and Security
Policy Forum (SPF) were created on 16 September 1994 by Presidential
Decision Directive/NSC Number 29. The SPB was established to be "the
principal mechanism for reviewing and proposing to the NSC legislative
initiatives and executive orders pertaining .o U.S. security policy,
procedures and practices..."


* Committee Structure: Shortly after the Board and Forum were activated,
six interagency committees were proposed to operate under the auspices of
the SPF, and to draft policies within the major security disciplines. Five
of these committees have been successfully established and are currently
addressing facilities protection, classification management, personnel
security, training and professional development, and policy integration.
After more than a year, however, the Board and Forum have been unable to
stand up the sixth proposed committee - the "Information Systems Security
Committee."


* Reasons for INFOSEC impasse: The reasons for the failure of the SPB to
establish a mechanism for dealing with INFOSEC are rooted in the bigger
issues and broader national challenge outlined in "The Situation" section
of this paper. The central problem revolves around the scope of the Board's
charter and authority in the areas of information systems security and
assurance. Despite the broad interagency nature of the Board and Forum
membership, the entire PDD-29 structure is perceived by many outside the
defense and intelligence communities to be an arm of the national security
community, and could therefore not operate as a


"Fair Court" for contentious information assurance issues Critics point to
the facts that: (1) the Board reports to the President through his National
Security Advisor; (2) the Board is co-chaired by the DEPSECDEF and the DCI;
and (3) the Board's full-time Staff is led by, and heavily populated with,
personnel from the defense and intelligence communities.


In addition to the concern about the Board's ability to act as a "Fair
Court" in the greater national interest, there is a closely-related,
fundamental debate as to whether or not a single entity - any entity, SPB
or otherwise - can or should be empowered to ma~e Government INFOSEC policy
applicable to information systems processing classified/national security
information and unclassified/sensitive information. There are many
different arguments to this debate, but they boil down to two opposing
views:


     - One group, primarily within the civil agencies, OMB, the information
industry, and those primarily focused on the personal freedom/libertarian
dimensions of the Information Age, believes that it is neither wise,
desirable, nor legal (citing the Computer Security Act of 1987) to combine
policy making across the "classified" and "unclassified" communities. With
respect to protecting the NII, a sizeable portion of this group would hold
that the Federal Government has little or no direct role to play, but
should lower/reduce certain export controls and "get out of the way. "


     - A second group, primarily within the defense, intelligence, national
security and emergency preparedness/public safety communities, believes
that with the explosion of digital inter-networking across both communities
and all parts of the NII, it is anachronistic, unwise, and unworkable to
continue to address the NII security/assurance issues and policy making in
a fractured manner. This group also tends to focus more on national level
threats to the NII, and sees a significant role for the Federal Government
to play in assuring its health and security.


* To break the impasse and address the Information Infrastructure Assurance
challenge, action is needed at a higher level. Because of these fundamental
problems, it does not appear that the issue of the SPB's role in
information systems security can be resolved within the existing PDD-29
structure and environment. The much broader issues raised in "The
Situation" section of this paper likewise do not appear to be amenable to
resolution in the existing environment. Several ideas and options have been
identified, however, which might open a pathway towards solving these
problems.


LONG TERM: There is a growing body of indications, if not hard evidence,
which suggests that the Federal Government may be headed - consciously or
not - towards the creation of a department or agency to deal more directly
with the myriad issues presented by the emerging NII. If a "Department of
Information Resources," or "National Information Infrastructure Agency," or
"Federal Information Assurance Commission," or...whatever, along these
lines...is in our future, then it would probably be useful to keep such a
possibility in mind as we attempt to address current issues within the
existing Executive Branch structure.


   * The "Third Wave . " Some prominent "futurists" and observers of human
civilization have suggested that mankind has been through two
transformational "waves" in its history - the agrarian revolution and the
industrial revolution -and that we are beginning to experience the "Third
Wave" of the digital information revolution. Alvin Toffler, and others,
point to the substantial impacts the "Information Age" has already had, but
suggest that these are just the beginning of a tidal wave of change which
will dramatically transform nearly every aspect of life, including warfare.


     Executive History. The United States Government began with several
basic Executive functions and agencies: a Treasury, a State Department, a
War Department, and a Department of Justice. These remain today as bedrock
executive functions within the Government. Over the years, however, as
certain aspects of life began to coalesce into matters of prominence, with
strong identities of their own, the Federal Government inevitably would
respond to the pressures and challenges these created by first setting up
committees, commissions, or similar means to ensure that the Government's
interests and responsibilities were addressed. So, for example, the
Congressional Seed Distribution Program (1831), in response to the
developing forces of agricultural science and the Civil War era need for
plentiful and safe food, became the Department of Agriculture in 1862, and
a cabinet department in 1898. Every other Executive Branch department or
agency was similarly created when a certain set of issues coalesced, took
on a strong identity, and demanded direct Government action or regulation.
A more recent example occurred when the Government, spurred into action by
the l957 launch of Sputnik, transformed the National Advisory Committee for
Aeronautics into the present-day NASA.


     Government's response to the "Third Wave." One way to interpret recent
events concerning the NII is to see them as early responses to the rising
barometric pressure in front of the "Third Wave." The very creation and
structuring of the IITF can be viewed as an early Executive Branch response
to the identification of some of the major issues the digital information
age is bringing our way. Senators Cohen and Levin, with support from
Representative Clinger, have introduced 5 bill the short title of which is
"The Information Technology Reform Act of 1995." In its first version the
bill created the position of a senate-confirmed Chief Information Officer
(CIO), reporting to the Director, OMB. This CIO, and his Chief Information
Office, would have had broad authorities over information technology
acquisition and information policy, specifically including INFOSEC.
Although subsequent versions of the bill have removed the CIO, the language
still contains provisions for a Council of CIO's, chaired by the Deputy
Director, OMB. These and other actions within all three branches of the
Federal Government suggest that the Government is beginning to respond to
the forces of change flowing from the digital information revolution. As
these forces take on more strength, the Government may find itself with no
choice but to create a significant Executive Branch entity to deal more
directly with them.


SHORT TERM: The SPB Staff has identified several options which might be
implemented on a reasonably short term basis. They are not mutually
exclusive, and simply represent some basic approaches which, if desired,
can be further developed


   * Stand up an Information Assurance Committee (IAC) under the PDD-29
SPB/SPF structure. Such a committee would be responsible for information
assurance policy for those Government systems processing classified and
national security information. It would be responsible for policy
coordination of all Executive Branch national security efforts dealing with
Information Assurance. It would propose policy, regulation and legislation
applicable to the Executive Branch, and be responsible for influencing
private and non-Government entities which are significant to the national
security. Membership would be drawn from current SPF agencies, with
chairmanship TBD. This option has several pluses and minuses associated
with it.


Pluses:


     + It breaks the long-standing SPB logjam, and partially fills .he
     "missing hole" in a critical security discipline


     + Depending on the definitions and boundaries used for "national
     security," "policy," and "information assurance," this would not be
     seen as a radical move, and is probably politically doable.


     + It would be in conformance with the language in the draft revision
     to OMB Circular A-130 restricting the SPB's INFOSEC purview to systems
     processing national security information.


     + At the SPB level it would give Information Assurance a higher
     visibility and profile, with more senior membership, than in the
     current NSTISSC. "Information Assurance" is a broader term than
     INFOSEC, and such a committee name gets away from the sometimes
     negative baggage associated with "security," "INFOSEC," "defensive,"
     and "warfare."


     + If appropriate, it could modified or expanded later to address all
     information assurance, not only for national security systems.


Minuses:


     - It would closely parallel the existing NSTISSC, which would
     presumably be absorbed into the IAC's structure. This would require a
     change or replacement for NSD-42. This would impact the NSD-42's
     "National Manager" structure, and issuance systems.


     - It would require more staff support than the SPB Staff currently
     has. It would require at least the level of staff support provided by
     the NSTISSC Secretariat.


     - It would probably impact the future SPB issuance system, to ensure
     that it is backward compatible with the significant body of NSTISSC,
     and predecessor organizations, issuances.


     - Despite its circumscription to "national security systems," it still
     may meet with political opposition.


     - It would tend to tacitly endorse or approve the view that the
     "classified" and "unclassified" communities can and should be treated
     separately for the purposes of information systems security policy. It
     would simply avoid that basic issue.


   * Broaden the NSTAC' s charter. The President's National Security
Telecommunications Advisory Committee (NSTAC), created in 1982, has been
one of the most successful entities to address security and robustness for
what are now parts of the NII. It would probably be useful to broaden its
charter, and modify its membership, to reflect the full scale of NII issues
beyond telecommunications, security, and national security. It could
become, for example, a National Information Assurance Advisory Council, and
perhaps draw some of its membership from current representatives on the
IITF's NII Advisory Council. (Note: This idea independently emerged at the
20 NOV 95 meeting of Sally Katzen's Security Issues Forum, and was
generally well-received.


   * Establish an Information Assurance focus within the National Security
Council. Under this option, the President would establish a "Special
Assistant to the President and Senior Director" within the National
Security Council for Information Assurance. This office should be initially
staffed with two or three Directors, a Technical Director, and a secretary.
The Directors' responsibilities could be split several ways, but at least
initially, they could be focused on policies and activities for


(1) the national security community,
(2) the civil government community, and
(3) the private sector.


   * Establish a new Agency in the Executive Office of the President to
address Information Assurance. This would require an Executive Order to
initially activate the new agency. It would have responsibility for:


- Coordinating and consolidating all Executive Branch Information Assurance
activities


- Issuing national policies and directives pertaining to Information
Assurance


- Proposing and reviewing legislation dealing with or touching upon
Information Assurance


- Reviewing Information Assurance budgets, including R&D, throughout the
Executive Branch; closely coordinating with OMB and OSTP.


- Preparing and maintaining a Master Plan for Information Assurance
activity within the Executive Branch


- Acting as the central point of contact (POC) for the Executive Branch
concerning Information Assurance matters; and specifically as the POC for
the other branches of the Federal Government.