1996-02-24
Craig A. Johnson
The following is an excerpt from a government White Paper on security
threats to the U.S. NII. The entire White Paper will be available in
the Cyber Rights Library.
--caj
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Date: Fri, 23 Feb 1996 15:21:18 -0500
From: Dave Farber <•••@••.•••>
Subject: IP: WHITE PAPER ON INFORMATION INFRASTRUCTURE ASSURANCE-- FAS
Project on Government Secrecy.
To: •••@••.••• (interesting-people mailing list)
FAS Intro: The following White Paper, prepared by the staff of the
Security Policy Board in December 1995, describes the government's
attempt to come to grips with the potential threat to the U.S.
information infrastructure. It was obtained by the FAS Project on
Government Secrecy.
--------------------------------------------------------------------------
WHITE PAPER ON INFORMATION INFRASTRUCTURE ASSURANCE
PURPOSE: To provide a national perspective on the security-related
challenges presented by the emergence of a National Information
Infrastructure (NII), to assess the Federal Government's current
ability to address these challenges, and to offer ideas and options
for meeting them.
THE SITUATION:
* The nation is at risk. On 16 July 1995 The Washington Post ran a
major article on the vulnerability of the NII: "The Pentagon's New
Nightmare: An Electronic Pearl Harbor." A few weeks later Time
magazine's cover story on "CYBER WAR" was captioned: "The U.S. rushes
to turn computers into tomorrow's weapons of destruction. But how
vulnerable is the home front?" Both articles drew upon threat and
vulnerability data from a wide variety of Government and private
reports, such as the 5 December 1994 National Communications System
report on "The Electronic Intrusion Threat to National Security and
Emergency Preparedness Telecommunications."
That report found that electronic intruders are attacking data
networks at increasing rates, and have compromised elements of the
telephone signaling network. A senior DISA official has bluntly stated
that "We are not prepared for an electronic version of Pearl Harbor"
and that "Our electronic infrastructure is not safe and secure." In
1999 DISA tested the security of DoD information systems by attacking
nearly 10,000 systems using widely available techniques. They
successfully penetrated 88 percent, of which only 4 percent were even
detected. VADM John M. McConnell, Director of the National Security
Agency, emphasizing the asymmetry in our national risk, has said that
"We're more vulnerable than any other nation on earth." External
threats are real: intelligence data indicate that at least 30
countries are actively working on information warfare programs.
Outside of DoD the situation is no different. The telephone system,
the banking, credit, and Federal Reserve systems, the stock exchanges,
the power and fuels distribution systems, the air traffic control and
other intelligent transportation systems, the federal elections
system, public safety and law enforcement all depend heavily on
networked information systems which are potentially vulnerable to
network-based attacks. Most observers agree that business losses are
notoriously under-reported, but one recent press estimate put U.S.
losses within the past year from computer crimes via the Internet
alone at $5 billion.
* The situation will probably get worse. The major trends contributing
to increased risk show no signs of abatement: (1) The explosive growth
in inter-networking; some estimates put the increase in new Internet
terminals worldwide at 10,000 or more per day. (2) The skyrocketing
expansion in data handling capacities; PC hard disks of up to two
gigabytes are now widely available at low cost. At the network level,
terabit per second switches are close on the horizon, as well as
photonic switches which will allow full use of the fiber optic
infrastructure's vast bandwidth. The nation, in short, will continue
to place many more, and valuable, eggs in the electronic basket,
increasingly vulnerable to multiplying foreign and domestic
network-based threats.
* This is a national problem. Business and private industry can be
counted upon to meet their risk management needs by protecting their
information systems assets commensurate with their perceptions of the
commercial value of the asset, its vulnerability, and the threats to
it - or they may simply write off losses as a cost of doing business
or obtain some form of indemnity through insurance. It is extremely
unlikely, however, that these measures to indemnify private assets
will be sufficient to address the broader public vulnerability and
national level threats. The genuine potential for large-scale
disruption of major portions of the national infrastructure via
network-based attacks leads to the inescapable conclusion that this is
a problem of national dimensions. Under basic Constitutional
responsibilities to "insure domestic Tranquility; provide for the
common defence; and promote the general Welfare..." an effective
Federal Government response before an information-based national
catastrophe occurs becomes absolutely essential.
The national level and gravity of the problem are underlined by the
Federal Government's extremely high (and increasing) degree of
dependence on the NII to carry out critical governmental
responsibilities, including national security, defense, law
enforcement and public safety functions. No one knows the exact degree
of this governmental dependence on the availability and integrity of
the NII, but it is extremely high. Informed estimates suggest that 90
to 95 percent of the information needed to carry out essential
Governmental functions must in some way be processed by information
systems in the privately owned and operated parts of the existing NII.
* The Federal Government is poorly organized and resourced to ensure
adequate NII security in terms of availability, integrity, and
confidentiality. There are many different boards, commissions, working
groups, forums, committees, advisory councils, etc., scattered
throughout the Executive Branch, each of which has some aspect of
information infrastructure assurance within its sphere. A few of the
more prominent include:
  * Information Infrastructure Task Force (IITF), with its three
    committees on Information Policy, Telecommunications Policy, and on
    Applications and Technology, and other working groups, such as the
    Reliability and Vulnerability Working Group.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
~ CYBER-RIGHTS ~
~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-
Visit The Cyber-Rights Library, accessible via FTP or WWW at:
ftp://www.cpsr.org/cpsr/nii/cyber-rights/Library/
http://www.cpsr.org/cpsr/nii/cyber-rights/Library/
You are encouraged to forward and cross-post list traffic,
pursuant to any contained copyright & redistribution restrictions.
~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~-~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-