The difficult task of promoting the security of our information infrastructure was aptly explained in the recent interim report of the Justice Department-led Critical Information Infrastructure Working Group:21
Assuring critical national infrastructures is a difficult problem to solve, not only because of the breadth of the infrastructures, the varied nature of the threats, and
21 The Critical Infrastructure Working Group ("CIWG") was created in the wake of Presidential Decision Directive 39 which clarified U.S. Policy on Counter terrorism. Although classified in its original form, an unclassified version is attached as Appendix C. PDD-39 tasked Cabinet-level officials with reviewing the vulnerability of government facilities and critical national infrastructure. As a result, Attorney General Janet Reno convened a working group, chaired by Deputy Attorney General Jamie Gorelick and various other officials, to scope out the issue and report back to the Cabinet with policy options. The CIWG's interim report was completed in early February 1996, and has not yet been released.
the multiplicity of sources of threats, but also because of the differences in perspective among the relevant government agencies and between the government and the private sector. The Defense community naturally is focused on protecting and ensuring the viability of those elements of the infrastructures vital to the defense mission. Law enforcement is responsible for preventing, investigating and prosecuting terrorist and other criminal acts against the infrastructure. The
Intelligence Community also has a preventive mission, but is limited to looking at foreign based threats. Yet for cyber attacks in particular, it is often difficult to determine whether the source of an attack is foreign or domestic.
Addressing this threat becomes even more difficult when recognizing that a desire to gain a competitive advantage may give private industry a different, and even opposite, motive to government. Furthermore, our national effort dedicated to securing our information infrastructure is a disjointed mosaic of agencies, private enterprises and individuals each trying to provide services that enhance our infrastructure. To which agency do you task responses to computer attacks when the identity, location and motivation of the attacker is often unknown? What apparatus can be created that will foster confidence in the private sector in lieu of the documented distrust of government involvement in this area? How do you create threat estimates when reporting and collection of data is sparse and hidden throughout government and the private sector?
A substantial obstacle confronting efforts to secure our NII is our nation's failure to adopt a national policy that defines roles and missions of agencies and provides national strategies that are clearly articulated and implemented. Presently, a patchwork approach has evolved that is uneven and lacking direction. In March of 1996, the Justice Department-led Critical Information Working Group ("CIWG") circulated two proposals to address these concerns.
The first proposal was to create a full-time Task Force within the Executive Office of the President to study infrastructure assurance issues and recommend national policy. The CIWG recommends that the Task Force be headed by a presidential appointee from the private sector and be comprised of full-time representatives from affected agencies. The Task Force, as primarily a policy body, may also utilize advisory boards, including pre-existing bodies or created ones. The CIWG estimated the Task Force would need a year to complete its mission.
In the interim, the CIWG recommends establishing a single interagency coordinating group within the Department of Justice, chaired by the FBI, to handle the interim infrastructure mission with regard to both physical and cyber security. The primary purpose of the group is to facilitate a more rapid and coordinated response to threats to our national infrastructure and to facilitate access to the diverse and fragmented resources already dedicated to the mission of securing that infrastructure.
As a starting point, most experts the Staff consulted, in government and private industry, supported both these concepts in some form. More than a few officials in both the Defense and Intelligence communities, however, expressed concern that assigning leadership of the Task Force to a representative from the private sector was essentially ceding national security to the business community. More than a few commentators also emphasized the need to make sure the group sustained White House interest in this effort.
Regarding the interim coordinating group, experts disagreed. One concern voiced by a senior Defense Department official was that the operational coordinating group was really not operational, but merely a human referral service that lacked all capability to perform "real-time" analysis and response. One former Justice Department official
indicated that even if the interim group fails to actually perform any operational response, it will at least serve as "a laboratory" for the policy board to observe the difficult obstacles to meaningful coordination. Finally, some concern from other participating agencies was raised as to whether the FBI would be able to serve in the role of "honest broker" in this effort. The CIWG acknowledged that the FBI "has been criticized for failing to share information with other agencies."
The Staff would further note that how the interim group relates to other efforts must be defined immediately. How will the interim group, which seeks to have an operational, 24 hour response team, work with the NSA's "thousand person" info warfare center that also has its own 24 hour response capability? Furthermore, will the interim group, which is led by the FBI, treat each intrusion as a criminal case and limit the intelligence community's access to critical intelligence data?
Ultimately, there exists a great need to begin examining this issue from differing perspectives and the CIWG proposals serve as a good beginning point. The Attorney General and Deputy Attorney General, as well as the principals and staff working on this project, deserve a great deal of credit for addressing this difficult challenge.
Presently, only a handful of law enforcement agencies have committed meaningful resources to computer crime investigative programs. The FBI, the Air Force Office of Special Investigations (AFOSI) and, to some extent, the U.S. Secret Service have made this commitment on the federal level; with the exception of a few local agencies--Baltimore County Police Department and the Florida Department of Law Enforcement (FDLE) -- the local law enforcement community has not acknowledged any need for
specialized computer crime investigators.22 The lack of resources, even in the agencies that have made a commitment, severely limits the operational capability of the law enforcement community. The FBI and AFOSI23 can only investigate a handful of cases simultaneously.
Part of the reason for the limited commitment of law enforcement resources has to do with the unique nature of the evidence and the technical expertise necessary to pursue investigative leads. Absent special training and equipment, it is difficult to examine and analyze evidence. Furthermore, novel legal issues associated with computer investigations require legal expertise that is not commonly found in most police or prosecutor's offices.
Present law makes it extremely difficult to monitor computer attackers to determine an attackers' origin and identity. Data transmits over electronic communications systems and, therefore, any attempt to monitor the text of transmissions is considered a Title III wiretap.24 Because attackers use "loop and weave" techniques that allow them to transmit over numerous systems in various places, a court ordered wiretap is necessary for each computer system that is being used no matter its location. Computer programs exist that permit you to automatically "hack back" to find
22 Virtually no state or local law enforcement agency has attempted to develop an expertise in computer forensics, and only a handful have the expertise and capability to conduct a computer intrusion investigation.
23 The FBI has a computer analysis and response team located at FBI headquarters in Washington, D.C. with 51 full time agents and forensic technicians; the AFOSI has 68 full time agents; technical support, and forensic technicians at 12 different Air Force bases worldwide.
24 Federal law governing wiretaps authorizes the use of Title III wiretap only with the consent of the Deputy Attorney General and only after a complex process that can take up to weeks to complete. Furthermore, wiretaps are usually only permissible on specific communication ports in specific geographical areas.
the original source of the attack; however, use of this "hot pursuit" technique in cyberspace is difficult if not impossible because current law does not permit government agents to break into unknown computer systems.25
Numerous law enforcement professionals have confirmed to the Staff that these resource constraints limit their ability to respond to the needs of victims. The Staff was advised by a security professional from a major financial institution that there exists a feeling that federal law enforcement is not equipped to respond with the resources and, equally important, the necessary technical expertise. In the Citibank investigation the victim-bank initially took their case to a private security firm and only after the investigation had been completed successfully was it referred to the FBI.
Statistics on the number of investigations of computer intrusion incidents are difficult to assemble because most agencies lack mechanisms to extract that information from their investigative databases. The Staff did obtain from the FBI, Air Force Office of Special Investigations and U.S. Army (Military Intelligence and Criminal Investigative Division) their statistics since 1993. The FBI had shown progressive decline in cases until this year. This may be because the Bureau appears to be more willing to open cases without knowing the actual damage and loss. If true, this would be a dramatic turnaround from just 10 years ago when the Bureau was unwilling to even investigate cases absent substantial and quantifiable loss.
25 The fact that hackers often traverse national boundaries and use foreign government computer systems to launch their attacks further complicates the use of an electronic "hot pursuit." How would our nation explain to an unfriendly nation why U.S. government agents hacked through a foreign government's computer system?
The lack of confidence in a government or law enforcement response has created a demand in the private sector for services related to information system security. The Staff has attended numerous meetings of corporate security officers who uniformly explain that when confronted with a computer incident -- even if clearly criminal in nature -- they will not go to the FBI, but rather hire a private security firm. In their estimation, these firms offer a greater likelihood of success than the government, as well as the added advantage of confidentiality.
These "cyber-posses" are growing as computer attacks become more prevalent and the demand for security services increase. Unfortunately, private security firms have more incentive to stop intruders than to catch them and ensure they are prosecuted. A few representatives of security firms mentioned that often their clients merely want them to advise the perpetrator that they have been discovered and that they should go elsewhere. An equal number of corporate security officers explained that it was company
policy to simply send the attacker back into the marketplace, hopefully "to attack our competitor down the street." Additionally, these security firms may not feel obliged to conform their conduct to applicable laws. For instance, more than a few firms indicated that they have considered "offensive counter-responses."26
Further, as mentioned earlier, the incidents handled by private firms rarely make it on to the government's "radar screen" or intelligence database. Accordingly, any intelligence advantage that might be gained by having access to known anecdotal data is lost. For instance, there would be great utility in knowing e-mail addresses of would-be hackers or their techniques and the vulnerabilities they exploit.
Finally, the great success of these security firms reflects a similar failure in our government to create a pool of able professionals dedicated to computer security. It has become commonplace for government agencies involved in information security to lose their best and brightest personnel to private firms engaged in the same type of mission. While there is nothing wrong with a natural migration of civil servants to the private sector, numerous persons within government and in the private sector have acknowledged that the "brain drain" of government experts to private industry seriously hampers our government's ability to respond to computer attacks.
26 Not only would such conduct likely be illegal as it is an unauthorized intrusion into another system, but given the widespread use by hackers of unknown third-party systems to launch attacks, it is possible the counter-attack would damage or destroy an innocent party's computer network.
The CERT program first began in the aftermath of the 1988 Morris worm incident in which a dangerous "worm27" program was released onto the Internet. The incident effected over 6,000 machines across the country. According to the United States General Accounting Office, damage caused by the worm could have reached $96,000,000 due to lost access to the Internet at each infected host.
In response to this and a seemingly continuous stream of security-related incidents that were affecting thousands of computer systems and networks, in November 1988 DARPA (Defense Advanced Research Program Agency) established the Computer Emergency Response Team, now known as the CERT Coordination Center, located at the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, Pennsylvania.
The CERT Coordination Center is chartered to work with the Internet community to facilitate its response to computer security incidents or events28. The CERT mission is to provide a 24-hour point of contact for emergencies; facilitate communication among experts working to solve a computer security problem; serve as a central point for identifying and resolving vulnerabilities in computer systems; maintain close ties with research activities and conduct research to improve the security of existing computer
27 A "worm" is a program that is designed to copy itself over a computer network. Unlike a virus, it does not erase files on the computers that it invades, but it creates so many running copies of itself that it overloads and breaks down computers.
28 The CERT Coordination Center defines an incident or event as some form of unauthorized access into a computer system.
systems; and to take proactive steps to raise the understanding of information security and computer security issues. The CERT Coordination Center, according to many experts in the field, is responsible for increased awareness of computer network vulnerabilities. Many government agencies have formed their own version of the CERT to coordinate the handling of security incidents, and to act as a focal point for security related activities inside their agencies.
CERT Coordination Center officials told the Staff that when they respond to an "event," they advise the victim of a few options: simply turn off the system and fix the problem; hire a security contractor in an attempt to identify the intruder; report the incident to an appropriate law enforcement agency; or do nothing. The CERT representatives indicated that very few agencies they respond to have internal policies that guide them in choosing a response. The types of incidents CERT officials respond to include everything from corporate espionage to vandalism to profit-motivated criminal conversion. Although the CERT has handled thousands of cases, only a few were actually referred to law enforcement authorities.
Most of the calls, the Staff was told, are from mid-range systems administrators. The callers are usually in a state of panic, resulting from their lack of training. A problem that is observed with great regularity is the inability of systems administrators to even understand security countermeasures and repairs. Clearly, there needs to be better security tools developed that would make systems easier to secure and maintain.
CERT officials told the Staff that the number of computer security incident grows as fast as the number of hosts on the Internet. When the CERT Coordination Center
was established, the Internet had approximately 80,000 hosts. Since then, the Internet has grown to more than 9.5 million hosts. Each year the CERT Coordination Center has seen dramatic increases in the number of security incidents. In 1988 there were only 6 reported incidents reported to the CERT Coordination Center. In 1995, there were 2,412 incidents. During the first half of 1996, CERT closed 350 cases and opened 500 new ones.
The CERT Coordination Center coordinates and shares information with 50 other response teams. These teams consist of private security firms, corporate-sponsored teams and teams put together by foreign nations. Additionally, the CERT issues vulnerability reports to the public and most of the vulnerabilities they discover are taken directly to a vendor for a fix.
Ultimately, the CERT program is probably one of the best responses available. Unfortunately, the CERT's impact is constrained by their resource restraints and limited ability to respond as needed. Recently, the Staff learned that the DARPA was, in fact, cutting the CERT's budget by 75% from$2,000,000 per year for incident response to
only $500,000. The money cut will be redirected to research and development for computer security.
There has been much discussion among the computer security industry about the use of encryption technology to secure the confidentiality of data contained in information systems. Encryption, a type of cryptography, is the process of scrambling information to preserve its confidentiality. Through the use of mathematical algorithms, data is scrambled so that its interception is useless to anyone lacking the "key" to decipher it. Encryption has many purposes including the authentication of computer files and the protection of electronic communications. Some encryption may be broken without the decryption key through computer programs or other techniques that decipher the scrambled codes. Unbreakable encryption are scrambled codes that are so complex that they presumably cannot be deciphered and, therefore, preserve the confidentiality of the subject data.
There is uniform agreement between government and the private sector that strong cryptography is critical to protecting our National Information Infrastructure. Much of the data that flows on the NII -- personal communications, financial and commercial transactions, health care -- must necessarily remain confidential. The present debate is not on the need for encryption, but rather who controls the decryption keys.
The private sector almost uniformly demands that there be robust encryption available to the marketplace without government controlling the decryption key (private key escrow). Many parts of our government, including our Executive Branch, conversely believe that making unbreakable encryption available publicly, without government
access, will run afoul of public safety concerns by providing organized crime, foreign intelligence agents, terrorists and other bad actors with a confidential method by which to communicate. Some experts have argued unsuccessfully for a standard unbreakable encryption with the government possessing the key in escrow (public key escrow). Though not adopting a public key escrow regime, the U.S. government presently outlaws the export of strong cryptography under arms export laws. Private industry believes export controls disadvantage U.S. companies because unbreakable encryption is already available world-wide despite our government's best efforts.
Recently, a Committee of the National Research Council published a report on encryption standards wherein it recommended that federal policy promote widespread commercial use of encryption technologies. The Committee recognized that such a policy would add to the burden of law enforcement and the intelligence community, but as Committee Chairman Kenneth Dam explained "...the many benefits to society of widespread commercial and private use of cryptography outweigh the disadvantages."
This Subcommittee has a long history of examining both international terrorism and organized crime.29 Undoubtedly, the law enforcement and intelligence communities
raise valid questions as recent history has proven that criminals are quick to rely on anonymous, mobile and untraceable methods to communicate. The digital pager and cellular phone industries, for instance, have revolutionized the drug trade, replacing the pay phone as the preferred method of communication. To what extent the use of encryption will become a standard modus operandi for criminals, terrorists and other bad
29 For instance, see Permanent Subcommittee on Investigations hearings, Security in Cyberspace, May 22, 1996; Global Proliferation of Weapons of Mass Destruction: Part 2, March 13, 20, 22 and 27, 1996; Global Proliferation of Weapons of Mass Destruction: Part 1, October 31 and November 1, 1995; and International Organized Crime and Its Impact on the United States, May 25, 1994.
actors is a question that must be answered. We are already seeing examples of how encryption can be used to facilitate misconduct.30
Despite our best efforts, however, free encryption is publicly available on the Internet, so everyone now has the capability to encrypt communications in such a manner to thwart current law enforcement or intelligence surveillance court orders.
Ultimately, however, the utility of promoting some form of public key encryption regime must be addressed.
The 1987 Computer Security Act assigns the Commerce Department through the National Institute of Standards and Technology (NIST) the responsibility for developing security standards and guidelines for sensitive information in government computers. Although NIST's mission specifically exempts classified networks and systems related to national security (such as Defense Department networks), NIST works closely with the National Security Agency (NSA) which is responsible for classified computer security policy and guidance. NIST conducts research and studies to determine the nature and extent of the vulnerabilities of sensitive information in federal computer systems. NIST is also authorized to submit the standards it promulgates to the Commerce Secretary, who can then make them compulsory. NIST has utilized this process to create the
30 Ramzi Yousef, an alleged mastermind of the World Trade Center Bombing, and currently on trial for a plot to destroy U.S. airliners, used encryption to store information about their terrorist plot.
Federal Information Processes Standards program or "FEPS" which forwards standards to computer users throughout government.
Although NIST is responsible for establishing standards, NIST advised the Staff that there is no one responsible for enforcing or ensuring that standards are complied with. Furthermore, NIST does not deal with all aspects of computer security.
President Reagan created the National Security Telecommunications Advisory Committee (NSTAC) by Executive Order 12382 in September 1982 in order to provide advice and information, from the industry perspective, to the President and the Executive Branch regarding policy and enhancements to national security and emergency preparedness in the telecommunications field.
The NSTAC, working jointly with the Government, is addressing numerous issues relating to the security of various aspects of the telecommunications field, including wireless services, network security, information assurance, and telecommunications legislation.
The NSTAC's committee produces technical reports and recommendations to the President. The NSTAC is an excellent model exhibiting the cooperation between the private sector and the government working together on serious national security and preparedness issues. However, NSTAC only focuses upon the telecommunications industry which is but one part of the NII.
The vulnerabilities of our NII are greatly enhanced by the international dimension of this threat. By its very nature a computer attack is initially a puzzle: the number and identity of intruders is not known; the origin of the attack - whether foreign or domestic - is impossible to determine; and the motive of the incident is often a mystery. Furthermore, through use of basic methods of "looping and weaving" computer attacks may be extraordinarily difficult to solve. Unfortunately, the international community has been very slow to respond to this situation.
Computer "crime" laws are only now beginning to emerge in other nations. Whether as privacy offenses (data protection), or economic crimes (computer manipulations, sabotage, hacking, espionage and piracy), few countries are developing comprehensive legal codes to address this new type of misconduct. Furthermore, there is no global consensus on what constitutes computer crime. The United Nations Manual on Computer Crime, states:
Laws, criminal justice systems and international cooperation have not kept pace with technological change. Only a few countries have adequate laws to address the problem, and of these, not one has resolved all of the legal, enforcement and prevention problems.
This vacuum, internationally, has made it easier for bad actors to attack our National Information Infrastructure.
For instance, in March of 1996, the Justice Department issued a 23-page press packet announcing "Federal Cybersleuthers Armed with First-Ever Computer Wiretap Order Net International Hacker." The hacker the Justice Department was referring to
was 21-year old Julio Cesar Ardita of Buenos Aires, Argentina. Mr. Ardita was indicted for breaking into Harvard University's computers from Argentina, which he then used as a staging point to crack into numerous computer sites, including Defense Department and NASA computer systems. This case was noteworthy because it was the first time the Justice Department had used court-authorized nonconsensual monitoring on a computer network.
Despite the commendable investigation done by the Navy and the FBI, there is virtually no chance that Mr. Ardita will ever see the inside of a U.S. court because our extradition treaty with Argentina does not recognize the computer crime he has allegedly committed.31 Even more discouraging is the fact that his alleged conduct, though clearly victimizing the U.S., is likely not even a crime under Argentinean law. Essentially, even after his indictment in the U.S., Mr. Ardita could continue committing the same offenses with little chance of prosecution or punishment.
In addition to extradition conventions, there is little harmony internationally in the area of computer crime and investigation. Substantive law that might set forth generally accepted computer crimes is undeveloped in many nations, and even the act of unauthorized access to computers is not a crime in all nations. Procedural laws, such as extradition, letters rogatory and other transnational tools, are similarly of little help.
Furthermore, the current organizations established to provide for transnational assistance -- such as Interpol -- have been unable to adequately keep up with the rapid advances of potential bad actors. A high ranking official with British law enforcement
31 A "lookout" has been placed for him with Interpol should he travel to the U.S. or a country outside of Argentina that permits extradition.
advised the Staff that calling Interpol for assistance in other countries is "hit or miss, with more misses than hits."
There are a few nations, mostly in Europe, that are attempting to organize the community of nations to address this problem. Great Britain, Germany, Denmark and the Netherlands have all recognized the need for a global response. Furthermore, the need to form global alliances in combating this problem has recently become apparent to some international organizations.
The Organization for Economic Co-operation and Development (OECD) adopted guidelines for information systems security in late 1992. The OECD is comprised of 24 countries in North America, Europe and the Pacific. The OECD recommended the harmonization of rules on extraterritorial jurisdiction as well as the review of domestic law to determine the ability of member countries to adequately address trans-border offenses.
Interpol sponsored its first computer crime investigative working group meeting
in Lyon, France, in May 1996. Other efforts include NATO's Lathe Gambit which brings together
European computer crime investigators, military investigators and intelligence communities. The
International Association of Chiefs of Police has also recently become interested in transnational
computer crimes. Although the advances made in the international community are commendable,
much more is needed.