[ISN] Defending the Nation Against Cyber Attack

From: mea culpa (jerichoat_private)
Date: Sat Nov 07 1998 - 00:15:26 PST

  • Next message: mea culpa: "[ISN] Information Assurance and the New Security Epoch"

    Forwarded From: 7Pillars Partners <partnersat_private>
    
    http://www.usia.gov/journals/itps/1198/ijpe/pj48min.htm
    
    
                      DEFENDING THE NATION AGAINST CYBER ATTACK:
                   INFORMATION ASSURANCE IN THE GLOBAL ENVIRONMENT
                                           
                       By Lieutenant General Kenneth A. Minihan
                         Director, National Security Agency 
                                           
                                           
         The National Security Agency "is applying its unique expertise to
         develop the fundamental technology to create a national cyber-attack
         detection and response capability," says Air Force Lieutenant General
         Kenneth A. Minihan. He emphasizes that "information superiority in
         the Information Age is a clear national imperative."
         
       We are at risk. America depends on computers. They control power
       delivery, communications, aviation, and financial services. They are
       used to store vital information, from medical records to business plans,
       to criminal records. Although we trust them, they are vulnerable -- to
       the effects of poor design and insufficient quality control, to
       accident, and perhaps most alarmingly, to deliberate attack. The modern
       thief can steal more with a computer than with a gun. Tomorrow's
       terrorist may be able to do more damage with a keyboard than with a
       bomb."
       
                     "Computers at Risk," National Research Council, 1991      
       
           Introduction
           Perhaps the most remarkable thing about the words quoted above is
           that they were written almost at the dawn of the Information Age.
           Until recently, we as a nation have paid them little heed. The
           United States, and the rest of the world, continue to charge
           headlong into the information revolution -- information technology
           is making profound inroads into the very fabric of our society and
           our economy as a nation in the global community. In a very real
           sense, the "Information Superhighway" has become the economic
           lifeblood of our nation.
           While leading the world into the Information Age, at the same time
           the United States has become uniquely dependent on information
           technology -- computers and the global network that connect them
           together. This dependency has become a clear and compelling threat
           to our economic well-being, our public safety, and our national
           security.
           The world's networks, referred to by many as "cyberspace," know no
           physical boundaries. Our increasing connectivity to and through
           cyberspace increases our exposure to traditional adversaries and a
           growing body of new ones. Terrorists, radical groups, narcotics
           traffickers, and organized crime will join adversarial nation-states
           in making use of a burgeoning array of sophisticated information
           attack tools. Information attacks can supplement or replace
           traditional military attacks, greatly complicating and expanding the
           vulnerabilities we must anticipate and counter. The resources at
           risk include not only information stored on or traversing
           cyberspace, but all of the components of our national infrastructure
           that depend upon information technology and the timely availability
           of accurate data. These include the telecommunications
           infrastructure itself; our banking and financial systems; the
           electrical power system; other energy systems, such as oil and gas
           pipelines; our transportation networks; water distribution systems;
           medical and health care systems; emergency services, such as police,
           fire, and rescue; and government operations at all levels. All are
           necessary for economic success and national security.
           Information Assurance -- the National Goal
           On May 22, 1998, the president signed Presidential Decision
           Directive 63 (PDD-63) on Critical Infrastructure Protection. In it
           he states: "I intend that the United States will take all necessary
           measures to swiftly eliminate any significant vulnerability to both
           physical and cyber attacks on our critical infrastructures,
           including especially our cyber systems.
           The national goal is that by no later than the year 2000, the United
           States shall have achieved an initial operating capability and no
           later than five years from today the United States shall have
           achieved and shall maintain the ability to protect our nation's
           critical infrastructures from intentional acts that would
           significantly diminish the abilities of:
           
           The federal government to perform essential national security
           missions and to ensure the general public health and safety;
           State and local governments to maintain order and to
           deliver minimum essential public services;
           The private sector to ensure the orderly functioning of the
           economy and the delivery of essential telecommunications, energy,
           financial, and transportation services."
           
       Achieving this sweeping goal will be a considerable undertaking,
       requiring a cooperative effort between the government and the private
       sector elements that operate the critical infrastructures. The PDD
       directs the federal government to lead by example in assuring the
       robustness of federal systems, but also makes it clear that the public
       sector cannot solve the problem unilaterally. Every federal department
       and agency is highly dependent on the services provided by the private
       sector -- power, telecommunications, transportation, etc. Thus, the PDD
       envisions a Public-Private Partnership to develop and implement a
       comprehensive National Infrastructure Assurance Plan, to deal with the
       threat of electronic terrorism. The significant challenge is how to get
       the private sector to engage infrastructure assurance from a national
       perspective. In today's highly competitive environment, the private
       sector is typically driven to achieve market advantage -- including
       driving down operating costs -- to increase profits. Enhanced
       cyber-protection measures will require both expanded investment and
       collaboration with competitors.
       
       Essential Elements
       
       Any strategy for enhancing the robustness of our critical
       infrastructures must contain three basic elements: increased protection
       against cyber attack, the ability to detect when an attack is occurring,
       and the capability to respond and/or recover when an attack is detected.
       
       Increased protection against cyber attack is founded upon encryption
       technology -- including digital signatures -- to provide the
       authentication, integrity, non-repudiation, and privacy/confidentiality
       services necessary for information assurance. Strong
       digital-signature-based authentication used to provide positive access
       control is perhaps the most powerful tool in protecting against cyber
       attack. Digital signature also provides for integrity of electronic
       information and non-repudiation of cyber-transactions. Encryption is
       applied to desktops, file servers, and across networks to assure the
       privacy of sensitive government, business, and personal information.
       Once the almost exclusive province of governments, encryption technology
       is now widely available in the commercial marketplace, and is a
       fundamental enabler for information assurance. In fact, on September 16,
       1998, the vice president announced a major updating of U.S. Export
       Control Policy on Encryption Technology, a clear indication of its
       importance to critical infrastructure protection, as well as global
       electronic commerce and economic prosperity.
       
       Given the coming of age of encryption technology, the remaining
       challenge is to apply the technology in a coherent and effective way to
       all of our critical infrastructures. To do this requires both a
       framework for application of the encryption services in a scalable,
       interoperable way, along with the establishment of a supporting public
       key infrastructure (PKI) to provide robust and globally recognizable
       digital signature and encryption key certificates, the individually
       unique "electronic ID" of the Information Age. PKI services are now
       emerging in the private sector to meet the demands of global electronic
       commerce and can be leveraged to support critical infrastructure
       protection.
       
       In the areas of diagnosing, detecting, and responding to cyber attack,
       the technologies are not so mature or effective. Today, the United
       States has little ability to detect or recognize a cyber attack against
       either government or private sector infrastructures, and even less
       capability to react. The ability to identify a strategic cyber attack
       against one or several critical infrastructure components, and respond
       in appropriate fashion, is clearly a significant national security
       issue. One complicating factor is that computer intrusions have been
       traditionally regarded as a criminal event and within the purview of law
       enforcement. When an intrusion occurred, the intruder was (hopefully)
       tracked down, arrested, and prosecuted. Further, many private sector
       entities were reluctant to share information about computer intrusions,
       fearing adverse press coverage (e.g., newspaper headlines such as "Bank
       Losses Put at Millions in Computer Break-in" or "Hackers Disrupt
       Telephone Service") and public reaction. To build an effective national
       cyber-defense capability, new rules of engagement must be developed to
       allow open and dynamic collaboration among the private sector, the law
       enforcement community, and the national security community.
       
       Emerging Information Assurance Role of the National Security Agency
       
       In the Information Age, the National Security Agency's traditional
       missions of Signals Intelligence and Information Systems Security are
       evolving into one of providing information superiority for the United
       States and its allies. Central to this construct is an in-depth
       understanding of the Global Information Infrastructure and the
       vulnerabilities of networked information systems to cyber attack. On the
       defensive side of this mission, the NSA has undertaken a series of
       initiatives to provide the technical foundation to protect our critical
       infrastructures.
       
       As mentioned earlier, encryption technology has become widely available
       in the commercial marketplace and is the basic foundation for protecting
       information systems from cyber attack. The bad news is that the many
       products available do not securely interoperate with each other and are
       of varying robustness, and that there are many, often confusing, ways to
       apply encryption. As an example, there is e-mail encryption, file
       encryption, web encryption, link encryption, and virtual private network
       encryption, just to name a few of the variations. To remedy this
       situation, the NSA has formed a partnership with the leading suppliers
       of security-enabled information technology to develop a common framework
       for encryption services to provide enterprise-wide information assurance
       solutions. This framework defines a coherent way to apply encryption
       technology to the enterprise, along with how encryption interacts with
       and supports other security-related technologies and products, e.g.,
       firewalls, servers, routers, operating systems, intrusion detection,
       malicious code detection, audit tools, and public key infrastructure
       services.
       
       Another dimension of the problem is the varying degrees of robustness in
       the many security relevant products in the marketplace. To address this
       issue, the NSA has formed a partnership with the National Institute for
       Standards and Technology (NIST). Under this arrangement, the NSA and the
       NIST will certify commercial laboratories to evaluate commercial
       security relevant products, either to validate the vendor's security
       claims, or to validate compliance with the requirements of the network
       security framework. Testing of the products will be done by the
       certified laboratories on a fee-for-service basis, with cost and
       schedule negotiated between the lab and the product vendor.
       
       Lastly, the National Security Agency believes the nation needs a shared
       array of national security information assurance elements and is
       applying its unique expertise to develop the fundamental technology to
       create a national cyber-attack detection and response capability. The
       approach integrates a variety of sensors that can be applied at critical
       infrastructure locations and in the underlying telecommunications
       infrastructure itself, with sophisticated, broad-scale analytic
       techniques to provide a dynamic view of the threats to critical
       infrastructures from global cyberspace. These techniques should be
       shared by an array of national security, federal, industry, and regional
       components to allow concurrent detection, defense, reconstitution, and
       recovery of vital services.
       
       In Conclusion
       
       The economic prosperity that our nation enjoys today is largely founded
       in the Information Age and in our global leadership in information
       technology. Our continued leadership and prosperity in the global
       economy may well hinge on our national commitment to act as leaders in
       bringing integrity and responsibility -- information assurance -- to the
       global information environment we have helped to create. The
       administration has sent a clear message via PDD-63 that the time to act
       is now, and the NSA is well-positioned and ready to support the charge
       with our technical know-how. Information superiority in the Information
       Age is a clear national imperative.
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:10:29 PDT