Feds Should Fund Corporate Cyber Defense
By Mark Rasch
Last week, the White House announced the creation of a new Special Advisor to the President for Cyber Security, and installed Richard Clarke in that position. Fresh warnings were issued about the threats of new forms of terrorism, including cyber terrorism. But what exactly is cyber terrorism? What are the government's responses, from a technical and legal perspective, and what are the costs of such a response?
While there is no universally accepted definition of terrorism, and therefore no universally accepted definition of cyber terrorism, there are a few attributes of terrorism that hold true for its conventional as well as electronic methodology. Keep in mind of course that whether an attack is considered to be a terrorist attack or a legitimate use of force may frequently depend upon the attacker.
It is somewhat tautological to point out that the essence of terrorism is terror. In the wake of the September 11 attacks, we have seen a massive disruption that, like ripples in a still lake, reverberates well beyond the World Trade Center and the Pentagon. People are afraid to travel on airplanes, work in large office buildings, open their mail, and use the rails. Some people are stockpiling food, water and antibiotics in anticipation of new and more virulent threats. Terrorism inflicts on its victims a sense of fear and mistrust of previously accepted safe havens. It also inspires governments and individuals to respond in a manner disproportionate to the actual threat inflicted by the attacks themselves.
Thus, a half dozen anthrax cases in New York and Florida cause pharmacies in Des Moines to sell out of the antibiotic Cipro. Fear that terrorists may have used email to communicate causes the FBI and other government agencies to demand, and Congress to acquiesce in granting, new powers to intercept communications.
Because the essence of terrorism is terror, the Internet is a relatively poor vehicle for attack. If you blow up a shopping center, people across the nation are afraid to shop and are terrorized. If you disrupt the Internet, however, or other infrastructures, people are inconvenienced, but generally not terrorized. Indeed, the Internet is a better tool for terrorists or propagandists if it is running properly. It can be used to spread information -- true or false -- rumor, panic and political propaganda.
We also have to distinguish between cyber terrorism, cyber warfare, cyber attacks, and information warfare. Cyber attacks, either by organized groups of hackers, disgruntled employees, thieves, teenagers or even governments have been endemic to the Internet, and will continue. They may include viruses, worms, Trojans, as well as denial of service attacks, and straight unauthorized access attacks.
CRITICAL INFRASTRUCTURES. Information warfare includes the use of rumor, propaganda, and the prevention of access to competing information to wage psychological war on an adversary. The Bin Laden videotape represents a form of information warfare, as does the White House's effort to prevent or limit its raw distribution. The distribution of leaflets over Afghanistan likewise represents a form of information warfare. It would be naïve to believe that the Internet is not and will not be a tool for both affirmative and negative information warfare.
Cyber war represents a different character. The United States government, while bombing the critical infrastructures of the Taliban-controlled portions of Afghanistan, could use electronic devices to disrupt the infrastructure as well. Logic bombs could disrupt water, power and telecommunications systems. Denial of Service attacks could affect command and control systems.
The problems with protecting America from all of these attacks are interrelated. The vast majority of the critical infrastructure of the United States -- those networks that are essential for the running of the economy and the nation -- are in the hands not of the government, but of the private sector.
Telecommunications, water, electricity, nuclear power, gas distribution, transportation systems, banking and financial sectors are all run by corporate America, not by some agency or department.
It is these corporations that will be required to invest in new hardware, software, training and policies to protect against cyber terrorism. But there are many things the government can do to help.
ENCOURAGE INFORMATION SHARING. Information Sharing and Analysis Centers (ISACs) are voluntary groups within critical infrastructures that permit and facilitate the free sharing of information about threats, vulnerabilities and incidents that may be a prelude to an attack, or may give early warning of an attack.
The ability to share information free from regulation and without attribution, and the competent and thorough analysis of this raw data, is essential for these ISACs to work properly.
The government can facilitate these voluntary sharing mechanisms by making the data in them immune from disclosure, removing liability for companies for good faith reporting of such information, and by voluntarily sharing unclassified intelligence data with the private sector in a secure manner.
Key individuals within the private sector should also have access to classified threat data so they can respond appropriately.
EDUCATE. A traditional governmental role has been to train the next generation of warriors -- both offensive and defensive. The government can help fund and endow university programs in cyber security, creating a new generation of security professionals with skills that will assist in protecting not only the national defense, but also the commercial infrastructure.
Government funded and supported training programs should be introduced to raise awareness in the public and private sector about the genuine threats to the electronic infrastructure.
Government agencies, such as the National Institute of Standards and Technology (NIST), can perform basic research and testing on hardware, software or implementations, and can make recommendations about new security practices that will harden the infrastructure.
As a large-scale purchaser of hardware and software, the government can also demand security and secure implementation as a condition precedent to purchasing. This alone may skew the market in favor of more secure applications.
OFFER TAX INCENTIVES. The commercial sector generally places security among the factors it considers in making purchasing and resource decisions. Using a cost-benefit analysis, companies decide on the level of protection they deem reasonable, depending upon the criticality of the application and data, and the cost of securing it.
If the government believes that, for national security purposes, this level is too low, it may provide direct grants to companies in the critical infrastructure, direct support for security, or tax incentives to companies to provide additional security.
Just as nobody would have expected the owners of the World Trade Center towers to be responsible for providing F-18s to intercept incoming airplanes, we must redefine the government and private sector roles and responsibilities.
The United States is perhaps the most vulnerable to cyber attacks, being among the most technologically advanced and dependent nations on the planet. The asymmetric nature of the attack makes us even more vulnerable. While panic is both unproductive and unwarranted, there is much more that can and should be done to protect critical infrastructures from attack. There is a business case for much of this, and most security measures are not expensive. Only through effective cooperation between the public and private sector, based upon trust and mutual respect, can this be achieved.
Mark D. Rasch, J.D., is the Vice President for Cyberlaw at Predictive Systems Inc. in Reston, Virginia, a computer security and network design consulting firm. Prior to joining Predictive Systems, Mr. Rasch was the head of the U.S. Department of Justice Computer Crime Unit and prosecuted a series of high-profile computer crime cases from 1984 to 1991.