Forwarded From: 7Pillars Partners <partners@sirius.infonex.com>
http://www.usia.gov/journals/itps/1198/ijpe/pj48min.htm
DEFENDING THE NATION AGAINST CYBER ATTACK:
INFORMATION ASSURANCE IN THE GLOBAL ENVIRONMENT
By Lieutenant General Kenneth A. Minihan
Director, National Security Agency
The National Security Agency "is applying its unique expertise to
develop the fundamental technology to create a national cyber-attack
detection and response capability," says Air Force Lieutenant General
Kenneth A. Minihan. He emphasizes that "information superiority in
the Information Age is a clear national imperative."
"We are at risk. America depends on computers. They control power
delivery, communications, aviation, and financial services. They are
used to store vital information, from medical records to business plans,
to criminal records. Although we trust them, they are vulnerable -- to
the effects of poor design and insufficient quality control, to
accident, and perhaps most alarmingly, to deliberate attack. The modern
thief can steal more with a computer than with a gun. Tomorrow's
terrorist may be able to do more damage with a keyboard than with a
bomb."
"Computers at Risk," National Research Council, 1991
Introduction
Perhaps the most remarkable thing about the words quoted above is
that they were written almost at the dawn of the Information Age.
Until recently, we as a nation have paid them little heed. The
United States, and the rest of the world, continue to charge
headlong into the information revolution -- information technology
is making profound inroads into the very fabric of our society and
our economy as a nation in the global community. In a very real
sense, the "Information Superhighway" has become the economic
lifeblood of our nation.
While leading the world into the Information Age, at the same time
the United States has become uniquely dependent on information
technology -- computers and the global network that connects them
together. This dependency has become a clear and compelling threat
to our economic well-being, our public safety, and our national
security.
The world's networks, referred to by many as "cyberspace," know no
physical boundaries. Our increasing connectivity to and through
cyberspace increases our exposure to traditional adversaries and a
growing body of new ones. Terrorists, radical groups, narcotics
traffickers, and organized crime will join adversarial nation-states
in making use of a burgeoning array of sophisticated information
attack tools. Information attacks can supplement or replace
traditional military attacks, greatly complicating and expanding the
vulnerabilities we must anticipate and counter. The resources at
risk include not only information stored on or traversing
cyberspace, but all of the components of our national infrastructure
that depend upon information technology and the timely availability
of accurate data. These include the telecommunications
infrastructure itself; our banking and financial systems; the
electrical power system; other energy systems, such as oil and gas
pipelines; our transportation networks; water distribution systems;
medical and health care systems; emergency services, such as police,
fire, and rescue; and government operations at all levels. All are
necessary for economic success and national security.
Information Assurance -- the National Goal
On May 22, 1998, the president signed Presidential Decision
Directive 63 (PDD-63) on Critical Infrastructure Protection. In it
he states: "I intend that the United States will take all necessary
measures to swiftly eliminate any significant vulnerability to both
physical and cyber attacks on our critical infrastructures,
including especially our cyber systems.
The national goal is that by no later than the year 2000, the United
States shall have achieved an initial operating capability and no
later than five years from today the United States shall have
achieved and shall maintain the ability to protect our nation's
critical infrastructures from intentional acts that would
significantly diminish the abilities of:
- The federal government to perform essential national security
  missions and to ensure the general public health and safety;
- State and local governments to maintain order and to
  deliver minimum essential public services;
- The private sector to ensure the orderly functioning of the
  economy and the delivery of essential telecommunications, energy,
  financial, and transportation services."
Achieving this sweeping goal will be a considerable undertaking,
requiring a cooperative effort between the government and the private
sector elements that operate the critical infrastructures. The PDD
directs the federal government to lead by example in assuring the
robustness of federal systems, but also makes it clear that the public
sector cannot solve the problem unilaterally. Every federal department
and agency is highly dependent on the services provided by the private
sector -- power, telecommunications, transportation, etc. Thus, the PDD
envisions a Public-Private Partnership to develop and implement a
comprehensive National Infrastructure Assurance Plan, to deal with the
threat of electronic terrorism. The significant challenge is how to get
the private sector to engage infrastructure assurance from a national
perspective. In today's highly competitive environment, the private
sector is typically driven to achieve market advantage -- including
driving down operating costs -- to increase profits. Enhanced
cyber-protection measures will require both expanded investment and
collaboration with competitors.
Essential Elements
Any strategy for enhancing the robustness of our critical
infrastructures must contain three basic elements: increased protection
against cyber attack, the ability to detect when an attack is occurring,
and the capability to respond and/or recover when an attack is detected.
Increased protection against cyber attack is founded upon encryption
technology -- including digital signatures -- to provide the
authentication, integrity, non-repudiation, and privacy/confidentiality
services necessary for information assurance. Strong
digital-signature-based authentication used to provide positive access
control is perhaps the most powerful tool in protecting against cyber
attack. Digital signature also provides for integrity of electronic
information and non-repudiation of cyber-transactions. Encryption is
applied to desktops, file servers, and across networks to assure the
privacy of sensitive government, business, and personal information.
Once the almost exclusive province of governments, encryption technology
is now widely available in the commercial marketplace, and is a
fundamental enabler for information assurance. In fact, on September 16,
1998, the vice president announced a major updating of U.S. Export
Control Policy on Encryption Technology, a clear indication of its
importance to critical infrastructure protection, as well as global
electronic commerce and economic prosperity.
Given the coming of age of encryption technology, the remaining
challenge is to apply the technology in a coherent and effective way to
all of our critical infrastructures. To do this requires both a
framework for application of the encryption services in a scalable,
interoperable way, along with the establishment of a supporting public
key infrastructure (PKI) to provide robust and globally recognizable
digital signature and encryption key certificates, the individually
unique "electronic ID" of the Information Age. PKI services are now
emerging in the private sector to meet the demands of global electronic
commerce and can be leveraged to support critical infrastructure
protection.
In the areas of diagnosing, detecting, and responding to cyber attack,
the technologies are not so mature or effective. Today, the United
States has little ability to detect or recognize a cyber attack against
either government or private sector infrastructures, and even less
capability to react. The ability to identify a strategic cyber attack
against one or several critical infrastructure components, and respond
in appropriate fashion, is clearly a significant national security
issue. One complicating factor is that computer intrusions have been
traditionally regarded as a criminal event and within the purview of law
enforcement. When an intrusion occurred, the intruder was (hopefully)
tracked down, arrested, and prosecuted. Further, many private sector
entities were reluctant to share information about computer intrusions,
fearing adverse press coverage (e.g., newspaper headlines such as "Bank
Losses Put at Millions in Computer Break-in" or "Hackers Disrupt
Telephone Service") and public reaction. To build an effective national
cyber-defense capability, new rules of engagement must be developed to
allow open and dynamic collaboration among the private sector, the law
enforcement community, and the national security community.
Emerging Information Assurance Role of the National Security Agency
In the Information Age, the National Security Agency's traditional
missions of Signals Intelligence and Information Systems Security are
evolving into one of providing information superiority for the United
States and its allies. Central to this construct is an in-depth
understanding of the Global Information Infrastructure and the
vulnerabilities of networked information systems to cyber attack. On the
defensive side of this mission, the NSA has undertaken a series of
initiatives to provide the technical foundation to protect our critical
infrastructures.
As mentioned earlier, encryption technology has become widely available
in the commercial marketplace and is the basic foundation for protecting
information systems from cyber attack. The bad news is that the many
products available do not securely interoperate with each other and are
of varying robustness, and that there are many, often confusing, ways to
apply encryption. As an example, there is e-mail encryption, file
encryption, web encryption, link encryption, and virtual private network
encryption, just to name a few of the variations. To remedy this
situation, the NSA has formed a partnership with the leading suppliers
of security-enabled information technology to develop a common framework
for encryption services to provide enterprise-wide information assurance
solutions. This framework defines a coherent way to apply encryption
technology to the enterprise, along with how encryption interacts with
and supports other security-related technologies and products, e.g.,
firewalls, servers, routers, operating systems, intrusion detection,
malicious code detection, audit tools, and public key infrastructure
services.
Another dimension of the problem is the varying degrees of robustness in
the many security-relevant products in the marketplace. To address this
issue, the NSA has formed a partnership with the National Institute for
Standards and Technology (NIST). Under this arrangement, the NSA and the
NIST will certify commercial laboratories to evaluate commercial
security-relevant products, either to validate the vendor's security
claims, or to validate compliance with the requirements of the network
security framework. Testing of the products will be done by the
certified laboratories on a fee-for-service basis, with cost and
schedule negotiated between the lab and the product vendor.
Lastly, the National Security Agency believes the nation needs a shared
array of national security information assurance elements and is
applying its unique expertise to develop the fundamental technology to
create a national cyber-attack detection and response capability. The
approach integrates a variety of sensors that can be applied at critical
infrastructure locations and in the underlying telecommunications
infrastructure itself, with sophisticated, broad-scale analytic
techniques to provide a dynamic view of the threats to critical
infrastructures from global cyberspace. These techniques should be
shared by an array of national security, federal, industry, and regional
components to allow concurrent detection, defense, reconstitution, and
recovery of vital services.
In Conclusion
The economic prosperity that our nation enjoys today is largely founded
in the Information Age and in our global leadership in information
technology. Our continued leadership and prosperity in the global
economy may well hinge on our national commitment to act as leaders in
bringing integrity and responsibility -- information assurance -- to the
global information environment we have helped to create. The
administration has sent a clear message via PDD-63 that the time to act
is now, and the NSA is well-positioned and ready to support the charge
with our technical know-how. Information superiority in the Information
Age is a clear national imperative.
Received on Sat Nov 7 13:20:21 1998