FAS Intro: The following White Paper, prepared by the staff of the Security Policy Board in December 1995, describes the government's attempt to come to grips with the potential threat to the U.S. information infrastructure. It was obtained by the FAS Project on Government Secrecy.

WHITE PAPER ON INFORMATION INFRASTRUCTURE ASSURANCE

PURPOSE: To provide a national perspective on the security-related challenges presented by the emergence of a National Information Infrastructure (NII), to assess the Federal Government's current ability to address these challenges, and to offer ideas and options for meeting them.

THE SITUATION:

  • The nation is at risk. On 16 July 1995 The Washington Post ran a major article on the vulnerability of the NII: "The Pentagon's New Nightmare: An Electronic Pearl Harbor." A few weeks later Time magazine's cover story on "CYBER WAR" was captioned: "The U.S. rushes to turn computers into tomorrow's weapons of destruction. But how vulnerable is the home front?" Both articles drew upon threat and vulnerability data from a wide variety of Government and private reports, such as the 5 December 1994 National Communications System report on "The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications."

    That report found that electronic intruders are attacking data networks at increasing rates, and have compromised elements of the telephone signaling network. A senior DISA official has bluntly stated that "We are not prepared for an electronic version of Pearl Harbor" and that "Our electronic infrastructure is not safe and secure." In 1999 DISA tested the security of DoD information systems by attacking nearly 10,000 systems using widely available techniques. They successfully penetrated 88 percent, of which only 4 percent were even detected. VADM John M. McConnell, Director of the National Security Agency, emphasizing the asymmetry in our national risk, has said that "We're more vulnerable than any other nation on earth." External threats are real: intelligence data indicate that at least 30 countries are actively working on information warfare programs.

    Outside of DoD the situation is no different. The telephone system, the banking, credit, and Federal Reserve systems, the stock exchanges, the power and fuels distribution systems, the air traffic control and other intelligent transportation systems, the federal elections system, public safety and law enforcement all depend heavily on networked information systems which are potentially vulnerable to network-based attacks. Most observers agree that business losses are notoriously under-reported, but one recent press estimate put U.S. losses within the past year from computer crimes via the Internet alone at $5 billion.

  • The situation will probably get worse. The major trends contributing to increased risk show no signs of abatement: (1) The explosive growth in inter-networking; some estimates put the increase in new Internet terminals worldwide at 10,000 or more per day. (2) The skyrocketing expansion in data handling capacities; PC hard disks of up to two gigabytes are now widely available at low cost. At the network level, terabit per second switches are close on the horizon, as well as photonic switches which will allow full use of the fiber optic infrastructure's vast bandwidth. The nation, in short, will continue to place many more, and valuable, eggs in the electronic basket, increasingly vulnerable to multiplying foreign and domestic network-based threats.

  • This is a national problem. Business and private industry can be counted upon to meet their risk management needs by protecting their information systems assets commensurate with their perceptions of the commercial value of the asset, its vulnerability, and the threats to it - or they may simply write off losses as a cost of doing business or obtain some form of indemnity through insurance. It is extremely unlikely, however, that these measures to indemnify private assets will be sufficient to address the broader public vulnerability and national level threats. The genuine potential for large-scale disruption of major portions of the national infrastructure via network-based attacks leads to the inescapable conclusion that this is a problem of national dimensions. Under basic Constitutional responsibilities to "insure domestic Tranquility; provide for the common defence; and promote the general Welfare..." an effective Federal Government response before an information-based national catastrophe occurs becomes absolutely essential.

    The national level and gravity of the problem are underlined by the Federal Government's extremely high (and increasing) degree of dependence on the NII to carry out critical governmental responsibilities, including national security, defense, law enforcement and public safety functions. No one knows the exact degree of this governmental dependence on the availability and integrity of the NII, but it is extremely high. Informed estimates suggest that 90 to 95 percent of the information needed to carry out essential Governmental functions must in some way be processed by information systems in the privately owned and operated parts of the existing NII.

  • The Federal Government is poorly organized and resourced to ensure adequate NII security in terms of availability, integrity, and confidentiality. There are many different boards, commissions, working groups, forums, committees, advisory councils, etc., scattered throughout the Executive Branch, each of which has some aspect of information infrastructure assurance within its sphere. A few of the more prominent include:
    - Information Infrastructure Task Force (IITF), with its three committees on Information Policy, Telecommunications Policy, and Applications and Technology, and other working groups, such as the Reliability and Vulnerability Working Group
    - Security Issues Forum (SIF), under the IITF
    - U.S. Security Policy Board (SPB) and Security Policy Forum (SPF), with its full-time Staff, five committees and numerous working groups
    - Security Policy Advisory Board (personnel have been selected by the President; the SPAB should be activated soon)
    - IITF NII Advisory Council
    - National Security Telecommunications Advisory Committee (NSTAC) and its Information Assurance Task Force
    - National Communications System (NCS) and its recently-created Office of Information Assurance
    - Computer Systems Security and Privacy Advisory Board and its several committees
    - National Security Telecommunications and Information Systems Security Committee (NSTISSC) and its committees, including an NII Task Force
    - Federal Computer Systems Managers' Forum
    - Several closely-related entities, primarily within the DoD, dealing with Defensive Information Warfare
    - Security Infrastructure Program Management Office, administered by GSA

    Although there are many points at which these organizations intersect with each other, the big picture is one of fragmentation, duplication, and inefficiency. This shows up in at least four general areas.

    (1) There's no single entity with sufficient breadth of vision, responsibility and resources to effectively manage the Executive Branch's efforts towards the goal of information infrastructure assurance. This was recently highlighted by the Rand Corporation's gaming exercise, "The Day After." It was clear to most participants of this exercise that a deadly information attack on America was feasible, and that, because of the government/private and nationally distributed nature of the "target," we had no one in charge, or even capable of pulling the necessary defensive efforts together. As stated by the Defense Science Board in a recent report: "There is no nationally coordinated capability to counter or even detect a structured threat."

    (2) The Executive Branch currently has no effective organization or entity to act as a "Fair Court" in making security-related policy decisions which fairly balance - and are widely perceived to fairly balance - the sometimes competing but legitimate interests of national security, law enforcement, commerce, and personal privacy in the national interest. Current areas of contention which require careful balance in the national interest include national encryption policy, export controls, and information system standards. As digital networking comes to dominate the information universe, however, there will be other complex policy and resource issues which will have to be decided on the basis of what's best for the nation as a whole, instead of which particular bureaucracy/constituency wins which particular policy battle. If the Government is to have the capability to find the best, balanced solutions to these future challenges, it will need a technically competent, well-resourced and authoritative "Fair Court" within the Executive Branch.

    (3) The Executive Branch currently has four overlapping NII security-related "movements" going on, and their inter-relationships and coordination are not clear. One "movement" tends to fall under the banner of "Information Assurance" and is led by the NCS/NSTAC. A second closely related "movement" is grouped around the diverse DoD-centered "Defensive Information Warfare" efforts. Although there are aspects of Defensive Information Warfare which fall outside the boundaries of information assurance/security activities (principally up-front I&W, and the defense against hard/physical attacks on critical network nodes) a great deal of "Defensive Information Warfare" is synonymous with traditional Information Systems Security (INFOSEC) activities and countermeasures. These INFOSEC activities and organizational elements constitute the third, and oldest, of the NII security-related "movements" within the Executive Branch, and are most developed in the Departments of Defense (particularly at NSA) and Commerce (particularly at NIST). The fourth and most recent such "movement" is made up of the diverse activities, committees and working groups, largely under the umbrella of the IITF, which are focused on "NII Protection and Privacy."

    (4) The limited Federal Government resources to achieve Information Infrastructure Assurance appear to be inefficiently, ineffectively, and illogically scattered throughout the Executive Branch. One of the widely shared criticisms of the Computer Security Act of 1987 is that the law assigned substantial computer systems security responsibilities to the Department of Commerce, but provided virtually no resources to execute these responsibilities. This is, however, only one of the irrationalities which present themselves when the distribution of scarce information security and assurance resources across the Executive Branch is considered from a national perspective. Technical centers of excellence certainly exist, but it is doubtful that they are effectively and efficiently applied to the highest priority problems. Similarly, the resources being applied to Information Assurance Research and Development efforts do not appear to be considered or managed from a national perspective, with the resulting likelihood that there will be research gaps, or unnecessary duplication. Emergency Response resources constitute another critical area which certainly needs to be increased, but any such increase should be done from a national perspective, based on carefully thought out national priorities. The immense increase in information system inter-networking, the extraordinary growth in the value of our information infrastructure and our Government's dependence upon it for performing critical functions, and the increasingly obvious threats to and vulnerabilities of the NII, all point to the need for a serious review and restructuring of these limited resources. The overall challenge of assuring the health of our national information infrastructure has become too important for it to be addressed by a hodge-podge of committees, councils and working groups, stitched together from the far reaches of the Executive Branch.

  • Congress is demanding that the Executive Branch develop and implement a clear plan for addressing the threats to, and vulnerabilities of, the NII. Although Congress has yet to address its concerns with a single voice, individual senators, representatives, and committees have increasingly asked, in effect, for the Executive Branch's plan to deal with NII security.

    - The SSCI's report on the Intelligence Authorization Bill for FY96 (S.922) has specifically called for the DCI and SECDEF to prepare "a comprehensive report which: (a) identifies the key threats to U.S. computers and communications systems, including those of both the government and the private sector (i.e., the Public Switched Network upon which the government heavily depends); and, (b) provides a comprehensive plan for addressing the threats described in section (a), to include any necessary legislative or programmatic recommendations required to protect government or private U.S. information systems. The report shall be provided to the intelligence and defense committees not later than March 1, 1996." In a thinly-veiled threat, the SSCI added: "In the absence of such a plan, the Committee remains skeptical regarding the benefits that can be achieved through increased funding for the Department of Defense Information Systems Security Program."

    - Senators Kyl and Leahy have sponsored S.982, the "NII Protection Act of 1995," and have added an amendment to the Defense Authorization Bill (S.1026) "to require the President to analyze all issues in developing a progressive, cohesive national policy toward protecting our ability to communicate, our defense structure, and our information." In a letter to his senate colleagues Sen. Kyl wrote: "We must begin now to elevate our efforts to protect the national security interest of this country."

    These two requests, together with closely-related comments, requests and legislative proposals from other Congressional members and committees, amount to an overall demand for the Executive Branch to articulate the NII's vulnerabilities and threats, and to deliver a real plan on what to do about them. So far, no Executive Branch entity has emerged to answer the Congressional mail on this overall issue, and to pull together a cohesive national policy and plan. Given our current Executive Branch structures and resources, it appears unlikely that these Congressional concerns will be satisfactorily resolved anytime soon.

THE SECURITY POLICY BOARD AND INFOSEC

    Creation and Purpose: The U.S. Security Policy Board (SPB) and Security Policy Forum (SPF) were created on 16 September 1994 by Presidential Decision Directive/NSC Number 29. The SPB was established to be "the principal mechanism for reviewing and proposing to the NSC legislative initiatives and executive orders pertaining to U.S. security policy, procedures and practices..."

  • Committee Structure: Shortly after the Board and Forum were activated, six interagency committees were proposed to operate under the auspices of the SPF, and to draft policies within the major security disciplines. Five of these committees have been successfully established and are currently addressing facilities protection, classification management, personnel security, training and professional development, and policy integration. After more than a year, however, the Board and Forum have been unable to stand up the sixth proposed committee - the "Information Systems Security Committee."

  • Reasons for INFOSEC impasse: The reasons for the failure of the SPB to establish a mechanism for dealing with INFOSEC are rooted in the bigger issues and broader national challenge outlined in "The Situation" section of this paper. The central problem revolves around the scope of the Board's charter and authority in the areas of information systems security and assurance. Despite the broad interagency nature of the Board and Forum membership, the entire PDD-29 structure is perceived by many outside the defense and intelligence communities to be an arm of the national security community, and could therefore not operate as a "Fair Court" for contentious information assurance issues. Critics point to the facts that: (1) the Board reports to the President through his National Security Advisor; (2) the Board is co-chaired by the DEPSECDEF and the DCI; and (3) the Board's full-time Staff is led by, and heavily populated with, personnel from the defense and intelligence communities.

    In addition to the concern about the Board's ability to act as a "Fair Court" in the greater national interest, there is a closely-related, fundamental debate as to whether or not a single entity - any entity, SPB or otherwise - can or should be empowered to make Government INFOSEC policy applicable to information systems processing classified/national security information and unclassified/sensitive information. There are many different arguments to this debate, but they boil down to two opposing views:

    - One group, primarily within the civil agencies, OMB, the information industry, and those primarily focused on the personal freedom/libertarian dimensions of the Information Age, believes that it is neither wise, desirable, nor legal (citing the Computer Security Act of 1987) to combine policy making across the "classified" and "unclassified" communities. With respect to protecting the NII, a sizeable portion of this group would hold that the Federal Government has little or no direct role to play, but should lower/reduce certain export controls and "get out of the way."

    - A second group, primarily within the defense, intelligence, national security and emergency preparedness/public safety communities, believes that with the explosion of digital inter-networking across both communities and all parts of the NII, it is anachronistic, unwise, and unworkable to continue to address the NII security/assurance issues and policy making in a fractured manner. This group also tends to focus more on national level threats to the NII, and sees a significant role for the Federal Government to play in assuring its health and security.

  • To break the impasse and address the Information Infrastructure Assurance challenge, action is needed at a higher level. Because of these fundamental problems, it does not appear that the issue of the SPB's role in information systems security can be resolved within the existing PDD-29 structure and environment. The much broader issues raised in "The Situation" section of this paper likewise do not appear to be amenable to resolution in the existing environment. Several ideas and options have been identified, however, which might open a pathway towards solving these problems.

    LONG TERM: There is a growing body of indications, if not hard evidence, which suggests that the Federal Government may be headed - consciously or not - towards the creation of a department or agency to deal more directly with the myriad issues presented by the emerging NII. If a "Department of Information Resources," or "National Information Infrastructure Agency," or "Federal Information Assurance Commission," or...whatever, along these lines...is in our future, then it would probably be useful to keep such a possibility in mind as we attempt to address current issues within the existing Executive Branch structure.

  • The "Third Wave." Some prominent "futurists" and observers of human civilization have suggested that mankind has been through two transformational "waves" in its history - the agrarian revolution and the industrial revolution - and that we are beginning to experience the "Third Wave" of the digital information revolution. Alvin Toffler, and others, point to the substantial impacts the "Information Age" has already had, but suggest that these are just the beginning of a tidal wave of change which will dramatically transform nearly every aspect of life, including warfare.

    Executive History. The United States Government began with several basic Executive functions and agencies: a Treasury, a State Department, a War Department, and a Department of Justice. These remain today as bedrock executive functions within the Government. Over the years, however, as certain aspects of life began to coalesce into matters of prominence, with strong identities of their own, the Federal Government inevitably would respond to the pressures and challenges these created by first setting up committees, commissions, or similar means to ensure that the Government's interests and responsibilities were addressed. So, for example, the Congressional Seed Distribution Program (1831), in response to the developing forces of agricultural science and the Civil War era need for plentiful and safe food, became the Department of Agriculture in 1862, and a cabinet department in 1898. Every other Executive Branch department or agency was similarly created when a certain set of issues coalesced, took on a strong identity, and demanded direct Government action or regulation. A more recent example occurred when the Government, spurred into action by the 1957 launch of Sputnik, transformed the National Advisory Committee for Aeronautics into the present-day NASA.

    Government's response to the "Third Wave." One way to interpret recent events concerning the NII is to see them as early responses to the rising barometric pressure in front of the "Third Wave." The very creation and structuring of the IITF can be viewed as an early Executive Branch response to the identification of some of the major issues the digital information age is bringing our way. Senators Cohen and Levin, with support from Representative Clinger, have introduced a bill, the short title of which is "The Information Technology Reform Act of 1995." In its first version the bill created the position of a Senate-confirmed Chief Information Officer (CIO), reporting to the Director, OMB. This CIO, and his Chief Information Office, would have had broad authorities over information technology acquisition and information policy, specifically including INFOSEC. Although subsequent versions of the bill have removed the CIO, the language still contains provisions for a Council of CIOs, chaired by the Deputy Director, OMB. These and other actions within all three branches of the Federal Government suggest that the Government is beginning to respond to the forces of change flowing from the digital information revolution. As these forces take on more strength, the Government may find itself with no choice but to create a significant Executive Branch entity to deal more directly with them.

    SHORT TERM: The SPB Staff has identified several options which might be implemented on a reasonably short term basis. They are not mutually exclusive, and simply represent some basic approaches which, if desired, can be further developed.

  • Stand up an Information Assurance Committee (IAC) under the PDD-29 SPB/SPF structure. Such a committee would be responsible for information assurance policy for those Government systems processing classified and national security information. It would be responsible for policy coordination of all Executive Branch national security efforts dealing with Information Assurance. It would propose policy, regulation and legislation applicable to the Executive Branch, and be responsible for influencing private and non-Government entities which are significant to the national security. Membership would be drawn from current SPF agencies, with chairmanship TBD. This option has several pluses and minuses associated with it.

    Pluses:

      + It breaks the long-standing SPB logjam, and partially fills the "missing hole" in a critical security discipline.

      + Depending on the definitions and boundaries used for "national security," "policy," and "information assurance," this would not be seen as a radical move, and is probably politically doable.

      + It would be in conformance with the language in the draft revision to OMB Circular A-130 restricting the SPB's INFOSEC purview to systems processing national security information.

      + At the SPB level it would give Information Assurance a higher visibility and profile, with more senior membership, than in the current NSTISSC. "Information Assurance" is a broader term than INFOSEC, and such a committee name gets away from the sometimes negative baggage associated with "security," "INFOSEC," "defensive," and "warfare."

      + If appropriate, it could be modified or expanded later to address all information assurance, not only for national security systems.

    Minuses:

      - It would closely parallel the existing NSTISSC, which would presumably be absorbed into the IAC's structure. This would require a change or replacement for NSD-42. This would impact the NSD-42's "National Manager" structure, and issuance systems.

      - It would require more staff support than the SPB Staff currently has. It would require at least the level of staff support provided by the NSTISSC Secretariat.

      - It would probably impact the future SPB issuance system, to ensure that it is backward compatible with the significant body of NSTISSC, and predecessor organizations, issuances.

      - Despite its circumscription to "national security systems," it still may meet with political opposition.

      - It would tend to tacitly endorse or approve the view that the "classified" and "unclassified" communities can and should be treated separately for the purposes of information systems security policy. It would simply avoid that basic issue.

  • Broaden the NSTAC's charter. The President's National Security Telecommunications Advisory Committee (NSTAC), created in 1982, has been one of the most successful entities to address security and robustness for what are now parts of the NII. It would probably be useful to broaden its charter, and modify its membership, to reflect the full scale of NII issues beyond telecommunications, security, and national security. It could become, for example, a National Information Assurance Advisory Council, and perhaps draw some of its membership from current representatives on the IITF's NII Advisory Council. (Note: This idea independently emerged at the 20 NOV 95 meeting of Sally Katzen's Security Issues Forum, and was generally well-received.)

  • Establish an Information Assurance focus within the National Security Council. Under this option, the President would establish a "Special Assistant to the President and Senior Director" within the National Security Council for Information Assurance. This office should be initially staffed with two or three Directors, a Technical Director, and a secretary. The Directors' responsibilities could be split several ways, but at least initially, they could be focused on policies and activities for

    (1) the national security community,
    (2) the civil government community, and
    (3) the private sector.

  • Establish a new Agency in the Executive Office of the President to address Information Assurance. This would require an Executive Order to initially activate the new agency. It would have responsibility for:

    - Coordinating and consolidating all Executive Branch Information Assurance activities

    - Issuing national policies and directives pertaining to Information Assurance

    - Proposing and reviewing legislation dealing with or touching upon Information Assurance

    - Reviewing Information Assurance budgets, including R&D, throughout the Executive Branch; closely coordinating with OMB and OSTP.

    - Preparing and maintaining a Master Plan for Information Assurance activity within the Executive Branch

    - Acting as the central point of contact (POC) for the Executive Branch concerning Information Assurance matters; and specifically as the POC for the other branches of the Federal Government.
