12 June 1998
(NSA official describes plans to Congress) (820) By Susan Ellis USIA Staff Writer Washington -- The United States' "soft, digital underbelly" is more readily vulnerable to attack than is the nation's powerful military, according to a U.S. senator whose jurisdiction includes protection of the U.S. infrastructure. Senator Jon Kyl, chairman of the Senate Judiciary Committee's Subcommittee on Technology, Terrorism, and Government Information, says "an enemy doesn't need to travel thousands of miles to attack us; to carry tons of bombs and risk detection during a long journey." The Arizona Republican pointed out that because of the networked nature of the United States' critical infrastructures, enemies need not risk attacking its strong military when they can more easily attack critical infrastructures through the nation's computers. His remarks prefaced a Capitol Hill briefing June 10 by an official from the National Security Agency who described potential cyber threats to the United States and steps being taken to detect and deter them. Ellie Padgett, deputy chief of the National Security Agency's Office of Defensive Information Warfare, is charged with the mission of protecting U.S. critical and classified information and communications systems. To carry out that mission, she said, NSA must understand information system vulnerabilities and develop effective countermeasures. Her office provided the so-called "Red Team" (action team) for the exercise called "Eligible Receiver" conducted last February by the Joint Chiefs of Staff to discover how easily an enemy could attack U.S. military computers. "The intention of the exercise was to see if our foreign policy decisions could be affected without the use of a military force being brought to bear on the problem," she explained. Once the scenario was selected, the team collected unclassified material from the Internet. Padgett said the exercise "showed how a small team of savvy people using readily available computer hacking tools could attack the critical infrastructures that the military relies on to carry out its mission." She said hackers can "collect all of the tools off of the Internet. There needs to be some basic IT (information technology) knowledge, which means that they need to have some understanding of software; you don't have to have a college degree to do it." Padgett cited several examples of the "interconnectedness and interdependence" of U.S. society today. Increasing use of the Internet is also increasing "our vulnerability to exploitation," she said. "The United States is highly dependent upon the rapid exchange of information and we do that well. Generally when you sit in front of the computer screen and read the information, you assume it's correct. We have to be increasingly concerned about whether that information has been modified" or whether somebody is providing false data, Padgett added.. Humorously illustrating how interconnectivity might play into the hands of potential cyber attackers, Padgett cited problems experienced by the Galaxy satellite system which disrupted beepers and a number of other systems recently. She said that during that period, a friend responsible for bank automated teller machines was asked whether his ATMs had been affected, to which he replied: "No, I don't think so because I haven't been beeped." Interdependence between public and private sector entities is clearly demonstrated at the U.S. Defense Department, Padgett said, where "95 percent of DOD communications go out over commercial telecommunications systems... We now have to worry about detecting attacks on the systems and reacting to them." She noted that exercise Eligible Receiver -- designed to test planning and crisis management -- served the purpose of detection, reaction and met other needs as well. For example, senior level decision-making processes needed to be tested to determine how an attack on information systems is handled; to whom is it reported; and who makes the decision about what should be done about it. Padgett said the first phase of the scripted exercise was the simulation of "an attack on the power and telecommunications systems of this nation. For instance in one of the examples, we went after the telephone system, the 9-1-1 (emergency reporting number) system, to simulate the overuse of that system. We scripted an Internet message that would be sent out to everybody saying there was a problem with the 9-1-1 system, understanding that human nature would dictate that people would call the 9-1-1 system to see whether there was a problem," thus disabling the emergency reporting number. Padgett concluded that some lessons were learned. "On the technical side, we learned we need to worry about our system configuration; we need to basically have a map of our system -- to understand what equipment is there, what operating systems, how they're interconnected, so that we feel comfortable that when we are sending information around, it is going where we expect it to go and not elsewhere."