by
Dr. David S. Alberts
Director, Directorate of Advanced Concepts, Technologies, and Information Strategies
National Defense University
This briefing was prepared, at the request of the Deputy Secretary of Defense (DepSecDef), for participants in a series of interagency meetings about Defensive Information Warfare (IW-D). In addition to providing some background about the nature of "information" attacks and their potential consequences, this presentation also proposes a strategy for dealing with the defensive challenge of protecting against such attacks.
It is hoped that the IW-D strategy suggested here serves to stimulate and focus discussion about the ways in which each of the represented organizations can work together, on a continuing basis, to come to grips with the daunting task of preparing our Nation to deal with what may become one of the most vexing problems of the Information Age.
Information Warfare (IW) has grown to become a "catch-all" term that encompasses many activities long associated with competition, conflict, and warfare, such as propaganda (including Media War), Deception, Command and Control Warfare (C2W), Electronic Warfare (EW), and Psychological Operations (Psyops). This briefing does not attempt to address all of these aspects of IW, but rather focuses its attention upon the subset of IW that involves attacks against information and systems, including what has become known as "Hacker War" and a more serious form dubbed "Digital War."
Defending against "Information Attacks" appears to have a number of characteristics in common with societal efforts to combat disease, drugs, and crime. Noting these similarities helps to put this problem into perspective, provides some potential useful lessons learned, and serves as a relative benchmark.
Before reviewing the specific similarities between combating Information Warfare (IW) and these long-standing problems, it should be noted that, while "eradicating" IW may not be a realistic expectation, significant progress can be made in defensive IW (IW-D) -- enough so that the risks can be kept at acceptable levels.
The problem of IW is similar to the "wars" on disease, drugs, and crime on a number of dimensions. First, the solution to any of these problems requires the efforts of a number of organizations, both public and private. Second, it is unlikely, given the competition for resources, that any of these problems will be "fully funded." Therefore, we can expect that there will never be what those of us who have IW-D responsibilities think are a sufficient level of funding for IW-D programs. Third, these are not static problems. Drug cartels and criminals certainly learn from their mistakes. Even viruses "learn." Thus, defense forces will be continuously locked in a battle to keep up with attackers. Fourth, awareness and concern will reach peaks, often accompanied with frenzied efforts to solve the problem. These relatively short periods of interest will be followed by longer periods when the urgency of the problem will give way to apathy. Maintaining funding and progress during these periods of waning public interest will be one of the key challenges of leadership in this area. Fifth, organizations and individuals will learn to make adjustments in their behavior to deal with IW attacks and their consequences, many of which will not be predicted. These adjustments will be made so that those organizations and individuals can accommodate some level of pain -- a dynamic equilibrium of sorts -- as the cost of doing business in the Information Age. Finally, solutions will, of necessity, be compromises. This is due to the natural tensions that exist among the various stake holders. Tensions between the law enforcement and civil liberties are a classic example that has already arisen in the information domain.
Attacks on information systems are already a fact of life in the Information Age. Although a small portion of these attacks result in significant loss or damage, the vast majority of them result in little or no damage -- the crime equivalents of trespass, public nuisance, minor vandalism, and petty theft. It has been estimated that over 90 percent of these attacks are perpetrated using available tools and techniques (based upon incidents reported to CERT), that only one successful attack in 20 is noticed by the victim, and that only one in 20 gets reported (these last two statistics were a result of a DISA study and similar rates have been reported by others).
Of more concern is the presence of a technically feasible "Strategic" threat. That is, the means exist to cause significant damage and disruption to U.S. public and private information assets, processes, and systems and to compromise the integrity of vital information. Analysts also have no difficulty identifying groups with the motivations and opportunities to launch such attacks. Given our present vulnerabilities as a Nation, a well planned, coordinated IW attack could have "Strategic" consequences. Such an attack or the threat of such an attack, could thwart our foreign policy objectives, degrade military performance, result in significant economic loss, and perhaps even undermine the confidence of our citizens in the Government's ability to protect its citizens and interests.
While no "smoking keyboard" has been found to validate such a threat, the very existence of the means to carry out such an attack, when coupled with the myriad of motives and the opportunities that exist, results in our present state of vulnerability. These circumstances have created a situation that calls for prudent defensive actions to be taken in the public interest. We need to be proactive rather than be forced to react after an Information Age "Pearl Harbor." Moreover, a successful strategic attack would point the way and encourage others to plan similar attacks. Hence, we need to go on the offense with a vigorous defense.
Each age has seen war transformed by "modern" means and concepts. The Information Age promises to be no different. Some have called the Gulf War the first "Information War" -- others have called it the last "Industrial Age" war. The power of information was clearly demonstrated in the context of "traditional" conflict. Information was leveraged to significantly improve the effectiveness of all aspects of warfare from Command and Control, Communications, Intelligence, Surveillance, Reconnaissance (C4ISR) to logistics.
The effectiveness of the United States and its allies in the Gulf War has surely somewhat deterred potential adversaries from taking on our forces in the rather symmetrical manner that Iraq attempted, and has stimulated thinking about other strategies for countering conventional forces. "Digital War," enabled by advances in technology and its wide-spread adoption as well as the globalization of economics and commerce, is surely a strategy that potential adversaries are thinking about to achieve some of the objectives that have previously been sought by means of traditional warfare.
Digital War, a subset of what we call Information War, may be defined as "non-physical" attacks on information, information processes, and information infrastructure that compromise, alter, damage, disrupt, or destroy information and/or delay, confuse, deceive, and disrupt information processing and decision making.
Digital War intrinsically possesses the ultimate form in some of the same characteristics that traditional military planners are striving for -- low cost precision guided munitions, standoff, and stealth. Digital War threatens the ability of a Nation State's military to interpose itself between its population and "enemies of the state," thereby causing a loss of sanctuary. The importance of sanctuary can be inferred by our willingness to spend significant resources on air, sea, and missile defenses.
How does one respond to a serious set of information attacks? Responding with traditional military forces may be politically unacceptable or in fact, may be ineffectual. Currently there is no consensus, even among those in the defense establishment that think about these issues, regarding how to deal with such an attack.
Another characteristic of information attacks stems from the loss of sanctuary. Attacks of this sort, particularly when they consist of more than an isolated incident, create a perception of vulnerability, loss of control, and loss of confidence in the ability of the State to provide protection. Thus, the impact can far exceed the actual damage that has occurred. This non-linear relationship between actual damage and "societal damage" makes the problem of Digital War a particularly challenging one because it creates a mismatch between "rational" defense responses and their effectiveness.
Given the potential effectiveness of Digital War, particularly as an instrument of power for niche competitors and non-State actors, we need, as a society, to take this Information Age form of war very seriously. If we do not, and if we rely solely on traditional weapons and concepts of war, we may be building our own 21st Century Maginot line that can literally be flanked with the speed of light.
The first step in tackling any problem involves developing an understanding of the possible environments that may be faced (or the "states of nature"), one's options, and the objective that is being sought (Figure 1). This requires an identification of the variables that are relevant, that is, those that can significantly influence the outcome as well as the subset of these relevant variables that are controllable, which form the basis for designing options.
In a problem as complex as defensive information war, working to formally formulate the problem accomplishes three things. First, it provides a useful framework for discussion. Second, it serves to keep the focus on those specific areas that are either unknown or in dispute. Third, it serves as a benchmark for measuring progress.
In this case, the states of nature correspond to the nature of the threat that will be faced vis-a-vis the vulnerabilities of our information infrastructure while our options correspond to the strategies we adopt and the actions we take to defend ourselves. The objective being sought corresponds to a level of infrastructure performance, its definition and measure being a major challenge in and of itself.
A good place to start is to try to develop an understanding of the nature of the threat, or more accurately, the spectrum of relevant threats. This involves the identification of potential threats and the estimation of their likelihood. Normally one would construct a set of states of natures that are mutually exclusive and collectively exhaustive so that a probability density function could be used. For the purposes of this discussion, the states of nature referred to correspond to potential threats grouped in some logical fashion to facilitate analysis of how well each defense strategy does in dealing with each of these threats.
Having an initial concept of the nature and range of potential threats, one can develop alternate defensive strategies and corresponding sets of action to counter one or more of these threats. A great deal depends upon what variables we believe we can and should control.
Each defensive strategy, with its corresponding set of actions, then needs to be analyzed with respect to each of the threats. The results of these analyses will be a characterization of the results or outcomes from pursuing each of the defensive strategies with respect to each of the threats. These outcomes, which are basically descriptions of results (e.g., number of penetrations and their consequences), then need to be translated into "value" measures that represent their impact. These costs and benefits provide a rational basis for determining an appropriate defensive strategy. Much will depend upon how we measure success.
Given the central role that the threat topology plays in problem formulation, we will now turn our attention to examining this topology.
The irregular shape of the graph in Figure 2 is intended to show that boundaries are not well defined. The consequences associated with a failure to counter a specific attack range, on the one hand, from isolated and limited consequences to, on the other hand, consequences of catastrophic proportions.
The threat space can be divided into three areas. On the left side of the space we can group the vast majority of the threats that occur everyday. These Everyday threats, while exacting a certain price, do not pose a threat to our national security. On the right hand side of the threat spectrum is a small area that represents those Strategic threats having national security implications. The third area contains threats that may have national security implications. These Potential Strategic threats represent a particularly difficult challenge.
For example, beyond those sets of threats that clearly fall into either the Everyday or Strategic categories, there are classes of threats that span the threat spectrum.
Attacks on our national, or for that matter international, infrastructure do not fall neatly into one area of the threat topology but in fact populate all three classes of threat (Figure 3). These attacks on our public safety, energy, financial and communications systems and services have different implications and consequences depending on the specific nature of the attacks and the circumstances surrounding the attack.
The vast majority of attacks on infrastructure are by hackers whose motives run the full gamut from having some fun to more serious forms of antisocial behavior. Some of these attacks are motivated by profit. While some of these attacks may have serious consequences in the form of significant loses of data, interrupted services, or stolen assets or services, only a small number of these lone perpetrator attacks is likely to have potential strategic consequences. This is not to say that it is impossible that some set of circumstances would result in the snowballing of one of these "hacker" attacks into a National Security concern, but rather that this outcome is unlikely.
However, infrastructure attacks can be quite serious if they are well planned and coordinated. Arguably this would require an adversary with seriousness of purpose and with some sophistication and organization. This kind of attack would be better named Digital Warfare rather than be included as part of the group referred to as Hacker attacks. Depending upon the level of sophistication of a Digital Warfare operation, its consequences could range from a "high- end" Hacker attack to an attack with Strategic consequences.
So far we have seen the threat topology we face is multidimensional, somewhat messy and, with respect to the consequences of information attacks, can behave in a chaotic manner (Figure 4). The dynamic and interactive nature of the threat makes defending against them all the more demanding.
Attackers and defenders are locked in an ongoing battle of wits and resources (Figure 5). Unfortunately, the attackers possess some inherent advantages. For example, clearly the attacker can pick the time, place, medium, and method of the attack. The technology edge also goes to the attacker, for it is very difficult to develop defenses for unknown methods of attacks -- thus offensive technology usually is one step ahead of defensive technology. Those who choose to orchestrate coordinated attacks on infrastructure also have the advantage that comes from being able to control their attack more easily than can a number of loosely coupled defenders.
In any event this is a learning environment for both attackers and defenders -- a dynamic one at that. In this organic environment, attacker learn from undetected attacks, whether successful or not, while both sides learn from detected attacks, whether successful or not. Both attackers and defenders make adjustments and the "game" continues.
This aspect of the threat means that defense is not a one-time thing -- it must be a continuous activity. It also means that collection and analysis of information about attacks are vital to maintaining parity with attackers. Finally, it means that defenders must be proactive and undertake efforts designed to anticipate methods of attack so that timely defenses can be developed.
The proposed "defense in depth" strategy consists conceptually of three lines of defense (Figure 6). Each line of defense is designed specifically to counter the threats associated with a particular region of the threat topology.
The first line of defense is to defend against Everyday attack, which constituted most of the threat topology. Based upon the information available, the vast majority of these attacks can be handled with basic defenses.
The higher hurdles associated with the Potentially Strategic and Strategic attacks are then responsible for handling more sophisticated but far fewer attacks from fewer potential sources. For example, attacks with strategic implications would need to get through the first two lines of defense that should filter out all but the most skilled, resourced, and persistent adversaries. This means we can concentrate our intelligence and monitoring efforts on a smaller population which in turn increases the chances of successful defense.
This defensive strategy also means that we can take different philosophical approaches with each line of defense depending upon the nature of the threat. The two endpoints of the philosophical spectrum can be thought of as the "information first" and "security first" approaches. In the Everyday region of the threat topology our approach has been to emphasize access to information. In the Strategic region, we put security first by restricting access and connectivity to the point of degrading performance and efficiency.
Figure 7 graphically depicts a suggested division of primary responsibility for IW-D between the Public and Private sectors as a function of the threat topology. The modifier "primary" is used to make the point that, despite the assignment of responsibility in a particular area to either the Public or Private Sector, both Public and Private organizations have responsibilities in each area.
The topological regions associated with either Everyday or Strategic threats are the most straightforward. Primary responsibility for the everyday threat should be the responsibility of the Private Sector. Handling such threats is simply the cost of doing business in the Information Age. With the availability of relatively low cost defenses against these threats, the burden placed on the Private Sector is affordable. Furthermore, organizations are clearly in the best position to understand their own systems and the needs and concerns of their customers.
Responding to Strategic threats is clearly the job of the Public Sector, although an adequate defense will involve some coordination with Private Sector and International organizations, particularly when it comes to the region of the threat topology that contains threats associated with attacks on the National Information Infrastructure or other institutions providing vital services.
While we have come a considerable distance in our journey to better understand the nature of this problem, many of us have been frustrated by the lack of a "supportive" environment for progress. Although we can continue to make progress, even on the rocky path we are currently forced to travel, progress in the six areas identified in the graphic will greatly smooth out our path and accelerate our progress.
First, one of the key prerequisites for progress is to create awareness of the problem and its complexities, as well as to foster a climate that will facilitate discussion and cooperation among the many groups and organizations that need to be a part of this effort. Given recent events surrounding some aspects of information security, we need to start by rebuilding bridges between some Public and Private Sector groups and organizations.
Second, it is important that we work towards a well defined vision that clearly lays out what we are trying to achieve and the appropriate role of Government.
Third, the "rules of the game" need to be developed and promulgated. Many of our current laws and regulations have not caught up with the realities of the information age. A set of "rules" needs to address the establishment of information security standards, or a minimum level of defense to be associated with different kinds of data and information services. These would be similar to the recent development of privacy standards.
Fourth, self-interest, even enlightened self-interest and the desire of individuals and organizations to be a good citizens are not enough to ensure that appropriate actions and defenses will be developed and employed. Resources need to be provided for Government organizations to help implement this framework for progress and to develop and implement the needed defenses. We also need to provide incentives that encourage Public Sector organizations to do what is collectively needed. In some specific cases, the Government will need to actually provide funds to Private Sector organizations to implement enhanced security.
Fifth, the solution to this problem depends on a great deal of cooperation among disparate groups and organizations. Mechanisms to facilitate and enhance cooperation including the establishment of panels, groups, and clearinghouses need to be developed.
Sixth, we need to fix responsibility for the many tasks involved in IW-D. We need to decide questions of jurisdiction. We need to make liabilities known and well defined. Finally, we need to clearly establish the responsibility of each organization. The nature of organizational responsibilities is discussed in more detail below.
None of these six aspects of the framework for progress is likely to be accomplished anytime soon. One only need review the legislative process and experiences with the translation of privacy concerns into a set of rules of the game to realize that it will be quite a while before each of these foundational pillars is in place.
However, we must begin now to foster discussion of these issues and try to keep attention focused on this subject.
The primary responsibility for the Everyday region of the threat topology falls upon the Private Sector (Figure 8). First and foremost, Private Sector organizations must assume responsibility for the protection of their own systems. When "security" laws and regulations are legislated and formulated, these organizations will, of course, also be responsible for adhering to these rules of the game.
Given the time it may take to develop and put in place a legal and regulatory framework to deal with the myriad of information security issues, it is proposed, that on a voluntary basis, Private Sector organizations assume the responsibility for reporting incidents. It is hard to overstate the importance of the collection of information related to information attacks and its analysis. Without the development of a body of knowledge concerning these attacks, efforts at building defenses will be severely hampered.
The Government (includes Federal, state, and local levels) must assume certain responsibility for this region of the threat topology as well. Clearly, the Government bears the responsibility for protecting its own systems and for the enforcement of appropriate laws and regulations. Given the importance of gaining international cooperation on this problem which knows no state boundaries, the Government must take on the negotiation of the necessary treaties and agreements.
Clearly, the collection of incident data with respect to its own systems is also a Government responsibility. But given the importance of pooling information to gain a more accurate situation assessment, Government must also put in place appropriate mechanisms for data sharing and analysis and for its dissemination. Issues related to classification and security of this data and its analysis products will need to be addressed. A way must be found to get this needed information to individuals and organizations.
For those of us who thrive on challenges, this is a great line of work. The five key challenges we face have been identified as:
Success requires that everyone be on board. Therefore, it is important that we continue to work to increase awareness of this problem and to develop a better understanding of both the nature of the threat and our vulnerabilities.
The first line of defense is deterrence. Not enough effort is being devoted to developing and gaming possible strategies. In mid-February ACTIS is sponsoring a workshop on this subject and we hope to gain a better idea where the latest thinking is on this subject, stimulate more thinking about the subject, and bring some key issues into sharper focus.
Given the trifurcated threat topology and the very different nature of each of the three threat regions, implementing the proposed "defense in depth" strategy will be a considerable undertaking. This challenge, as well as the first two challenges just mentioned will be discussed in great detail below.
The fourth challenge is to improve our ability to see an attack coming, or provide "indications and warning" (I&W) of attacks in a timely fashion. Given that currently, in many cases, an attack in progress is not even recognized, this will be a tall order.
The remaining "top five" IW-D challenge is to develop responses to IW attacks. Responses to attacks include identification, interdiction, apprehension, and punishment (possibly including retaliation).
We have much to learn and many to educate. When many of the individuals who need to become more aware of the threat and its potential consequences are exposed to the subject only by reading novels or going to the movies, we cannot really expect to develop the degree of understanding required. When the only exposure to the subject is through fiction, it is no wonder that the threat may be dismissed as fictional. There are still many individuals in key positions in both the Public and Private Sector who need to have a better appreciation for this problem and to be more motivated to work the issues.
On the other hand, admittedly we are not in possession of a great abundance of factual information. While we have clear indications that some potentially serious attacks, even crippling attacks, are technically feasible, as has been pointed out, there is no "smoking keyboard" to show. Yet it should be pointed out that the time it took to create a working atomic bomb from the time its theoretical feasibility was recognized surprised many, even the most knowledgeable scientists.
Our ignorance about the nature of potential attacks is mirrored by a lack of knowledge about the effectiveness of current and developing defensive techniques and strategies.
When our systems are not being adequately monitored and incidents are not being adequately recorded and investigated, it is hard to see how we can develop the vastly improved understanding of both the threat and the effectiveness of defenses we require. Increased collection and analysis is clearly needed to provide the empirical foundation required to a) increase awareness, b) increase our understanding, c) support planning, and d) develop effective defenses.
With the dawn of the atomic age came the recognition that developing strategies for deterrence and counter proliferation needed to be pursued with a sense of the utmost urgency. IW differs from atomic warfare in a number of significant ways and therefore lessons learned from our experience in developing a workable strategy for deterrence may not apply directly to the problem of deterrence of IW attacks, but certainly may provide a starting point or checklist for consideration.
The chart above lists some of the compelling issues related to the development of a deterrent to IW attacks.
While raising the defensive threshold, thereby making attacks more difficult and costly as well as limiting the damage they can do, is widely recognized as an important component of any deterrence strategy, an issue that needs to be addressed relates to the "height" of the threshold. What is more defense? When does more defense become counterproductive?
Another critical issue is whether or not having and indicating a willingness to employ a potent offensive IW capability would be an effective deterrent, and if so, in which particular set(s) of circumstances.
Given the low cost and small footprint required, non-state and even individual actors may gain the wherewithal to pose a strategic threat. How can one gain the leverage on these kind of adversaries to deter them from launching such attacks?
Other key issues include the nature of preemptive actions that could be employed and the relationship between punishment (or retaliation) and deterrence.
Building defenses into systems presumes we have the means to do so. Many of the defensive capabilities we currently have are not adequate for certain known levels or types of attacks, not to mention technically feasible but undocumented attacks. The following are some areas in which we could use some advances in technology.
Real-time intrusion detection is clearly a key element in any set of defenses. Our ability to detect, in real time, intrusions into our systems and the identity of the intruder is currently very limited.
It does not take very long to carry out an information attack. Damage can occur in an instant. Clearly an automated capability to respond to an intrusion that can prevent or limit the damage would be highly desirable.
Given our increasing reliance on COTS, we need ways to cost-effectively make sure that the software we buy does what we want it to and only what we want it to. Any Information Age organization buys millions of lines of code each year whose exact origins are not known with any degree of confidence. Automated tools to perform quality assurance (QA) and to verify and validate (V&V) the code would be an immense help.
Knowing for sure that data was not altered or compromised and that the source of a piece of data or a message was verified would go a long way in the effort to combat certain types of IW attacks. More work needs to be done to provide cost-effective data and source authentication.
The problem is real. Our citizens and the organizations that provide them with the vital services they need can find no sanctuary from these attacks. The low cost of mounting these attacks has enlarged the field of potential adversaries and complicated efforts to collect intelligence and array our defenses. The consequences of a well planned and coordinated attack by a relatively sophisticated foe could be serious. Even the threat of such an attack or "digital" blackmail is a distinct possibility. How the public will respond to the threat of IW infrastructure attacks or to actual attacks is unclear, but their reactions will be a major determinate of future policy and actions.
This situation is getting worse with the rapid proliferation of information technology and know-how. We are becoming increasingly dependent upon automation in every aspect of our lives. As information technology becomes an essential part of the way organizations and individuals create products and provide services, the need for interconnectivity and interoperability increase -- and with these increased need for exchanges of information (and product) vulnerabilities increase. Finally, the increased reliance on COTS makes it more and more difficult for an organization and individual to control their own security environment.
Given this situation we need to focus upon two things. First, we need to find a way to protect ourselves against catastrophic events. Second, we need to build a firm foundation upon which we can make steady progress by continually raising the cost of mounting an attack and mitigating the expected damage.