The "Digital Pearl Harbor"

birther truther tenther
« on: December 10, 2010, 12:22:53 pm »

The following thread is a compilation of white papers, presentations, etc. where the globalist think tanks are warning us about the possibility of a "Digital Pearl Harbor".

Please read this document in its entirety:

Cybersecurity and Critical Infrastructure Protection
James A. Lewis
Center for Strategic and International Studies, January 2006

Cybersecurity entails the safeguarding of computer networks and the information they
contain from penetration and from malicious damage or disruption. Since the use of computer
networks has become a major element in governmental and business activities, tampering with
these networks can have serious consequences for agencies, firms and individuals. The question
is to what degree these individual-level consequences translate into risk for critical infrastructure.
Analyses of asymmetric, unconventional attacks at first assumed that potential opponents
would be drawn to the use of cyber weapons. These opponents could include conventional
nation-state opponents and “non-state actors.” Cyber weapons were considered attractive for
asymmetric attacks because they could offer low-cost means of exploiting the potentially
damaging vulnerabilities that are found in most computer networks. Some analysts go further
and argue that a cyber weapon could create destruction equal to a kinetic or blast weapon, or
could amplify the effects of an attack with these kinds of weapons.

The term “Digital Pearl Harbor” appeared in the mid 1990s, coinciding with the
commercialization of the internet. Digital Pearl Harbor scenarios predicted a world where
hackers would plunge cities into blackness, open floodgates, poison water supplies, and cause
airplanes to crash into each other. But no cyber attack—and there have been tens of thousands of
cyber attacks in the last ten years—has produced these results. The dire predictions arose from a
lack of insight into the operations of complex systems, from an overestimation of both the
interconnectedness of critical infrastructures and the power and utility of software as a weapon to
be used against them.

Determining the actual degree of risk posed by computer network vulnerabilities requires
an estimate of the probability that a computer malfunction will damage a critical infrastructure in
ways that will affect the national interest. For this to occur, a number of simultaneous or
sequential events must take place to let a digital attack in cyberspace have a physical effect. This
is not a simple transformation. Computer networks are indeed vulnerable, but this does not mean
that the critical infrastructures these networks support are equally vulnerable. Terrorists are
attracted to different kinds of weapons, particularly explosives, which are more reliable and
which better meet their political and psychological need for violence. Infrastructures are robust
and resilient, capable of absorbing damage without interrupting operations and accustomed to
doing so after natural disasters, floods, or other extreme weather conditions. In short, the cyber
threat to critical infrastructure has been overstated, particularly in the context of terrorism.1
This initial overstatement does not mean, however, that we should ignore cybersecurity in
planning for critical infrastructure protection. First, as the use of computer networks grows,
vulnerabilities will increase. Second, a more sophisticated opponent will not use network attacks
in an attempt to cause physical damage or terror, but instead target the information stored within
computer networks. Nation-states are likely to be attracted to this approach: penetrate networks,
collect information and observe activities without arousing suspicion and, should a conflict
begin, use that access to disrupt databases and networks that support key activities. This is a
different kind of threat from what much of the planning and organization for critical
infrastructure protection at first had in mind, and addressing it may require a reorientation of our
thinking and our actions on cybersecurity. This chapter discusses reasons and goals for

Political Context for Cybersecurity and Critical Infrastructure Protection
There is now a general recognition that cybersecurity was overemphasized in the initial Federal
efforts at critical infrastructure protection. Cybersecurity was, at the end of the 1990s, the
dominant theme in policy documents and public discussions of critical infrastructure protection.2
The overemphasis was the result of several factors. Critical infrastructure came of age in
the era when the Internet seemed to have upended all rules. The mentality of the dotcom era
underlay many of the assumptions on the scope and linkages of critical infrastructure and
cybersecurity. The newness of critical infrastructure protection as an area for security analysis—
the U.S. had not contemplated attacks on infrastructure (other than by strategic nuclear weapons)
for decades—introduced a degree of imprecision into early analyses. The heightened concern
over Y2K, when IT experts warned that ancient programming errors associated with
the millennial change would make computers around the world go haywire at the stroke of
midnight on New Years and plunge the globe into chaos, helped focus attention on cyber
networks as a new and dangerous vulnerability.

Analyses of critical infrastructure protection were also shaped (and continue to be
shaped) by a change in American political culture. Evidence for this change is (yet) diffuse and
anecdotal, but American government has become progressively more risk-averse since the
1970s. The reasons for this include a loss of confidence among governing elites, decreased
public trust of government (with concomitant increases in accountability and oversight
requirements) and a more partisan and punitive political environment. The consequences of a
more risk-averse political culture are far reaching and have yet to fully play out for the United
States, but an exaggerated aversion to risk affects the discussion of strategies for critical
infrastructure protection (even if the actual implementation of those strategies is at times lax
enough to appear to welcome risk with open arms).

This set of political changes is important for understanding critical infrastructure
protection and cybersecurity’s place in it. Planning for critical infrastructure protection involves
an assessment of risk (the probability that a damaging attack can be made). A risk-averse
individual will estimate the probability of a damaging attack as higher than a more neutral
approach might suggest. This overestimation of risk has been a standard element of discussions
of cybersecurity.

Assessing Risk
Determining the importance of cybersecurity for critical infrastructure protection must begin
with an estimate of risk. This has proven to be difficult to do, for some of the reasons suggested
above. A neutral approach to estimating risk would look at the record of previous attacks to gain
an understanding of their causes and consequences. It would estimate the likelihood of a
potential attacker selecting a target and which weapon or kind of weapon an attacker would be
likely to use against it (and this involves an understanding of the attackers’ motives, preferences,
strategic rationale, goals, capabilities, and experience). It would match attacker goals and
capabilities against potential infrastructure vulnerabilities, in effect duplicating the analysis and
planning process of potential attackers, as they identify targets and estimate the likelihood of
success in achieving their goals in an attack using a particular weapon and tactics.

The importance of cybersecurity revolves around how we define risk and how much risk
a government or society is willing to accept. Homeland Security Policy Directive 7 (HSPD 7),
which lays out federal priorities for critical infrastructure protection, begins by noting that it is
impossible for the U.S. to eliminate all risk and calls on the Secretary of Homeland Security to
give priority to efforts that would reduce risk in “critical infrastructure and key resources that
could be exploited to cause catastrophic health effects or mass casualties comparable to those
from the use of a weapon of mass destruction.”3 For the purposes of this article, the definition of
risk used to assess the need for cybersecurity will be the probability of an outcome that (a)
causes death and injuries, (b) affects the economic performance of the United States and (c)
reduces U.S. military capabilities.

Using these criteria, there have been no successful cyber attacks against critical
infrastructure (much less attacks that produced terror among the population). Even if we use a
minimal definition of risk, that an attack results in a disruption in the provision of critical
services that harms the national economy and rises above the level of annoyance, there still have
been no successful cyber attacks on critical infrastructure.4
An even more rigorous approach would limit risk to outcomes that affect the
macroeconomic performance of the United States and reduce U.S. military capabilities. Every
society has the ability to absorb a certain amount of death and destruction without serious
consequence. 2005 saw Hurricane Katrina lay waste to much of the Gulf Coast and cost perhaps
2,000 lives (initial and hysterical claims by local officials that Katrina would close New Orleans
for years and cost 10,000 deaths were very wrong). Despite the damage and suffering, there was
only a small blip in GDP (economists suggest that U.S. economic growth would have reached
4% instead of 3.8% if not for Katrina), and there was no degradation of military capabilities.
One way to estimate the effect of a cyber attack is to ask whether a foreign power, using
cyber weapons, could stop U.S. military forces from deploying. How, for example, could China
prevent a carrier battle group in San Diego or Hawaii from heading for the Taiwan Straits using
cyber weapons? Interfering with the telecommunications systems might slow the recall of crew
members on leave (if China was able to successfully disrupt the multiple cellular networks in
addition to the fixed telecom network and email). Interfering with the traffic signals could make
it more difficult for the crews to assemble, as could interfering with the electrical grid, which
could also complicate and slow preparing the ships for departure. Hackers could take over
broadcast radio and TV stations, to play Chinese propaganda or to change broadcast parameters
in the hopes of creating radio interference.

Yet this is a poor start to securing naval victory. If China or another opponent were able
to turn off telecommunications, electricity and the traffic light system, it would have little effect
on the ability of the carriers to deploy. Further, this sort of attack creates the risk for nation-states
(as opposed to non-state actors) of exacerbating tensions or widening conflict in exchange
for very little benefit.
The counterargument to these neutral approaches is that they ignore the political effects
of a successful attack. The most important of these political effects are the damage to a
government’s credibility and influence, and the risk of an overreaction by security forces that
does more damage than the attack itself.5 Some scenarios even contemplate non-state actors
launching a cyber attack with the knowledge that while its actual effect would be feeble, the
overreaction by security forces would be damaging (the history of the Transportation Security
Agency and the air passenger business, where large costs to consumers and tax payers are traded
for a modest reduction in risk, demonstrates this effect). While the “self-inflicting strategy” may
not appeal to violence-prone attackers like Al-Qaeda or other jihadi groups, it is one scenario
where the subtle use of cyber attack by a national state could trigger long-term economic

But the political consequences of an attack, cyber or otherwise, can be hard to predict.
We know that in many instances, the effect of an attack is to actually harden resistance and
increase support for an incumbent government. Even unpopular governments will benefit.6
Political leaders who put forth the right message of steadfast resolve in the face of attacks will
actually improve their standings. While the political investigations that followed September 11
called into question the competence of both the Bush and Clinton Administrations, the
immediate political effect was to generate a wave of support for the incumbent President. This
support can be lost if the response to an attack is seen as ineffective, but if a government puts
forward the right messages, avoids self-inflicted damage, and is seen as making progress in
reducing risks of further attacks, any political harm may very well be limited.

Computer Networks and Critical infrastructures
The United States has identified a long list of industries as critical. They include, according to
the National Infrastructure Protection Plan, food and water systems, agriculture, health systems
and emergency services, information technology and telecommunications, banking and finance,
energy (electrical, nuclear, gas and oil, dams), transportation (air, road, port waterways), the
chemical and defense industries, postal and shipping entities and national monuments and icons.
The nature and operations of most of these infrastructures suggest that cybersecurity is not a
serious problem for them.

An infrastructure is judged to be critical because it meets some standard of importance
for the national interest—in that the goods or services it provides are essential to national
security, economic vitality and way of life. To meet this standard, there is an implicit
assumption that the disruption of the infrastructures would reduce the flow of essential goods or
services and create hardship or impede important government or economic operations. In the
interest of deciding where cybersecurity makes a useful contribution to critical infrastructure
protection, we can refine this standard by introducing two additional concepts—time and

Time and location help explain why cybersecurity is not of primary concern for many
critical infrastructures. If there are immediate problems when a system goes off-line, not
problems that emerge after weeks or months, that system is critical. Problems that take longer to
appear allow organizations to identify solutions and organize and marshal resources to respond,
and thus do not present a crisis. The ability of industrial societies to respond to problems, to
innovate and to develop alternative solutions or technologies, suggests that in those
infrastructures where disruption does not produce immediate danger and was not prolonged for
an unreasonable period of time, there would be little effect on national security, economic
vitality or way of life.

There is also a geographic element to criticality. National infrastructures are composed
of many local pieces, not all of which are equally critical. Specific elements of the larger
infrastructure provide critical support to key economic and governmental functions, not entire
networks or industries. It is harsh to say, but Hurricane Katrina in 2005 demonstrated that large
cities or sections of the country can be taken offline and, if the political consequences are
managed, have little effect on national power—either economic or military. Certain high-value
targets—the national capital region, military facilities, a few major cities, or nuclear power
plants—require greater attention across the board, while other places, where disruption or
destruction would not impair key national capabilities, can be assigned a lower priority.
The concerns of cybersecurity can transcend this geographic focus in some instances.
There are a few, very few networks that are national in scope and interconnect thousands of
entities in ways that make them mutually dependent. However, these networks—finance,
telecommunications, electrical power—are among the most critical for national security and
economic health, and their interconnectedness, national scope and criticality may make them
more attractive targets for cyber attack.8 Fedwire, the financial settlement system operated by the
Federal Reserve Banks, provides a crucial service to banks. Interfering with Fedwire would
cripple (temporarily) the U.S. banking system. The Federal Reserve has expended considerable
effort to harden FedWire, and the Fed’s desire to prevent online bank robbery provides an
incentive to continue these efforts.

The U.S. electrical system is composed of several thousand public and private utilities
organized into ten large regional grids. There is a substantial degree of interconnection within
these grids and computer networks play an important role in managing grid operation and the
production of electrical power. The grids themselves suffer from the consequences of
underinvestment and deregulation. Newer industrial control systems use commercial computer
operating systems and IP protocols as they are cheaper and easier to use. However, the new
technologies replace older control systems that used specialized proprietary software and
dedicated networks that were difficult for hackers to access and exploit. The move to
commercial software and IP increases vulnerability.

Vulnerability is not the same as risk, however, and a number of factors limit the increase
in risk created by this transition to “off-the-shelf” control systems. There have been thousands of
hacking incidents aimed at power companies, but as of yet, none have produced a blackout.9 In
the larger national context, blackouts are common in the U.S. and often do not even attract
national attention. In 2002, an ice storm blacked out the 20th largest city in the U.S. with a
population of 600,000 for several days. The event had no effect on economic or military power
and barely merited attention in the national press. Power companies cooperate to respond
quickly to these events. Many critical facilities have installed backup power generation
equipment. A localized blackout outside of a few major cities can be of minor importance to the
nation—witness the recent Los Angeles blackout. The real risk may lie in interconnection, and
the ability of an attacker to access one vulnerable producer and cascade this attack into a
blackout of one of the big regional grids, but an attack that succeeds in blacking out a single
facility might only be seen as an annoyance.

Telecommunications services are another national-level network. The telecom backbone
that supports the internet and voice communications is comprised of a number of large networks.
An attack that disrupted the services provided by several of these large networks could disrupt
communications traffic. However, the presence of multiple overlapping connections means that
there is no single point of failure. The use of satellites in communications services also
introduces a degree of redundancy. Since the 1970s, telecommunications networks have been
hardened to allow for some continuity of service even after a strategic nuclear exchange.
Additionally, telephone companies developed and use packet switching technology
(which breaks messages into many small “packets” of data that can be sent separately) to allow
voice communications to persist without a continuous end-to-end connection. The internet relies
on packet switching and benefits from the robustness provided by this technology. The internet
itself was designed to automatically route around damage to complete transmissions.
Communications may be slowed or disrupted, but there is no single point to attack that would
easily allow the national telecommunication system to be disabled.

Before deregulation and the breakup of the national monopoly, the U.S. telecom network
was built (with Federal guidance) to provide survivability and redundancy in the event of attack,
accident or system failure. After deregulation, when telecom companies were less able to make
investments solely to meet the requirements of national security, a highly competitive
environment and rapid technological development became the source of a high level of
redundancy. In contrast to an attack that destroyed facilities, a cyber attack would (a) require
sustained, successful re-attack to overcome network operators’ repair efforts and (b) would have
to disable multiple communications systems (wireless, fixed line, internet) to degrade

The complexity of successfully carrying out a cyber attack against national
infrastructures like telecommunications or the electrical grid, combined with a lower probability
of success than a physical attack, may make it unattractive to terrorists. Terrorists want
screaming people to run in terror past mangled bodies in the street—an attack that only produces
a busy signal is likely to be dissatisfying. In theory, the idea of a cyber attack against
telecommunications systems in coordination with a physical attack is attractive, as it could
compound damage and terror, but coordinating two simultaneous attacks adds a degree of
complexity that may overwhelm a terrorist cell’s planning capabilities while increasing the
chances of detection.

The same constraints do not apply to a nation-state attacker. Such an attacker would have
the resources for coordinated attacks. Surreptitious economic warfare during peacetime may be
attractive, but an opponent would want to weigh the benefits of an attack that produced a long-term
drag on the target’s economy against the risk and damage of discovery. In the event of a
conflict, however, a nation-state opponent is likely to use cyber weapons to attempt to disrupt
these large U.S. national networks.

The Internet as a Critical Infrastructure
Some point to the Internet as a single large infrastructure that could be attacked with cyber
weapons.10 The first point to bear in mind, however, is that it is a shared global network. An
attack against it will affect both target and attacker. An attacker may calculate that the U.S.
might suffer more as a result, or it could plan to use some alternative or backup system to replace
the internet while the target struggled to respond, giving it a temporary advantage.
The internet is very robust. It is a network designed to continue to function after a
strategic nuclear exchange between the U.S. and the Soviet Union. Its design and architecture
emphasize survivability. The internet (building on earlier technological improvements created
by packet switching in telecommunications) could deal with disruption by automatically
rerouting to ensure that a message would arrive despite the complete destruction of key nodes
from the network. The internet addressing system, which is critical to the operations of the
system, is multilayered, decentralized, and can continue to operate (albeit with slow degradation
of service) even if updating the routing tables that provide the addressing function is interrupted
for several days. Some of the core protocols upon which the internet depends appear vulnerable
to attack. BGP (Border Gateway Protocol) is responsible for routing traffic and a number of
tests suggest that BGP is vulnerable to attack but an attacker faces the immense redundancy
contained in a network comprised of tens of thousands of subsidiary networks.
There has been at least one effort to attack the Internet. An October 2002 attack by
unknown parties used a Distributed Denial of Service attack against the 13 “root servers” that
govern Internet addresses. The attacks forced eight of the thirteen servers off-line. The attack on
the DNS system did not noticeably degrade Internet performance and went unnoticed by most of
the public, but had it been continued for a longer period (and if the perpetrators remained
undetected) there could have been a significant slowdown in traffic. A successful attack on the
Internet’s DNS system, if successful, would slowly degrade that system’s ability to route traffic,
but this would take several days to have any effect. In response to the attack, the DNS system
has been strengthened since the 2002 attack by dispersing the root servers to different locations
in and by using new software and routing techniques. The new redundancy makes shutting down
the DNS system a difficult task for an attacker.
The difficulty of estimating the actual cost of a cyber attack adds complexity to planning
for critical infrastructure protection. Estimates of damage from cyber attacks at times reflect the
heritage of the boom in cybersecurity—they generally overestimate or exaggerate
damage. Damages are estimated by taking a sample of costs to various users and then
extrapolating them to the affected user population. In some cases, the sample of costs is itself an
estimate. These estimates of the economic damages of cyber attack show considerable variation
in the value they ascribe to cyber incidents. There is also considerable variation in their
methodologies, which are often not made public. Few if any of these efforts use the sampling
techniques derived from statistical analysis that could ensure greater reliability. Statements that
cybersecurity is crucial because of the risk of economic losses that could total in the millions,
hundreds of millions or billions of dollars should not be accepted at face value.
It is important to disaggregate the effects of an attack. Analysts often cite the Slammer
worm as a damaging cyber attack, but its effects were, from a national perspective,
inconsequential. One frequently cited example about the damage of Slammer tells how it
affected automatic teller machines (ATM) across the northwest, putting 13,000 of them out of
service. What is important to note, however, is that Slammer affected only one bank and its
ATM network. Other banks were unaffected, and the other major bank in the region did not see
its ATM network go offline at all. In this instance, customers of the first bank were
inconvenienced. The first bank lost revenue and suffered reputational damage. The bank’s
competitors were, in one sense, rewarded for practicing better cybersecurity, as some
transactions that would have been made on the first bank’s ATM network were instead
conducted on their machines.

Another example involves a railroad forced by the ‘sobig’ virus to suspend operations on
23,000 miles of track—but no other railroad was forced to suspend operations. If a cyber attack
damages one company in a critical sector but leaves its competitors operational, it limits the
overall risk to critical national functions. It is difficult to think of a case where a cyber attack
affecting one firm and not others would pose a risk to security.
We do not want to extrapolate the misfortunes of a single company to an entire sector in
estimating the risk to critical infrastructure from a cyber attack. Similarly, we also want to
disaggregate the estimates of opportunity cost to determine whether it is a single company that
suffers or the entire economy. In this case, opportunity cost refers to the income (or production)
lost when a resource cannot be used, a sale made, or a service provided because of cyber attack.
Most of the estimates of the cost of the damage of cyber attacks include an estimate of
opportunity cost and this often makes up a large portion of the estimated damages from an

Opportunity cost can be misleading for security analysis. If one online merchant is
forced offline by a cyber attack, but their competitors remain in operation, customers may choose
to go to the site that works to make their purchase. The vendor forced offline has lost income,
but national income remains unaffected. Other customers may choose to wait and make their
purchase later. Again, national accounts are ultimately unaffected. In other cases, a
manufacturer may see its website or corporate email network go offline but be able to maintain
production—in one case where a virus damaged an auto manufacturer's corporate email systems,
the production for cars and trucks was unaffected.12
This is not to disparage the effects of cybercrime, which can be costly for an individual or
company. However, most cybercrime involves losses in the thousands of dollars (there are
anecdotal reports that a few major banks have experienced much larger losses, but they have not
made these losses public for fear of reputation damage). Cybercrime is prevalent and increasing,
but this does not mean that the risk to critical infrastructure is similarly increasing.
Cybercriminals want money. Their favored tactics include theft of valuable data or extortion
(e.g., the threat to launch denial of service attacks or disrupt networks unless paid). Their first
question will be how to turn a threat to a national infrastructure into financial gain without risk of
arrest. Threatening an attack against multiple firms may either be operationally too difficult or
attract too much attention from law enforcement agencies.

In view of their motives and incentives, attacks against infrastructure by cybercriminals
seem unlikely, but nation-states may adopt the hacking tools and “bot nets” developed by
cybercriminals for use in cyber war efforts. The sophisticated “shareware” available for
cybercrime from hacker or “****” sites can give even inexperienced attackers access to
advanced automated tools and techniques. These range from online hacking manuals and do-it-yourself
virus kits to sophisticated attack tools that require some computer expertise to use.
The most interesting of these tools allow a hacker to place surreptitiously malevolent
programs on a computer without the user’s knowledge. The program can then execute damaging
instructions, transmit data to an external address, or provide increased (and invisible) access and
control to the hacker. This “malware” can infect computers through the opening of malicious email
attachments, downloading seemingly harmless programs, or simply through visiting a
malicious Website. Cybercriminals assemble networks of these infected computers for use in
denial of service attacks, for spamming or for advertising and tracking. Using these tools, an
attacker could attempt to disrupt networks and damage or erase data.
However, not all networks are equally vulnerable to the tools of cybercrime. The botnets
mainly infect consumer systems using always-on connections. Damaging these consumer
computers would be annoying, but not threatening to national security or long-term economic
health. Second, cybercrime tools are not aimed at physical infrastructure. Infecting a computer
does not automatically become a risk to an associated infrastructure. This means that while
cybercrime can increase, and it is a growing problem for law enforcement, that does not mean
that the risk to critical infrastructure is also increasing.

One benefit that has come from the attention paid to cybercrime is that the measures that
improve cybersecurity to protect against criminals will also reduce any risk to critical
infrastructure. The use of regular software patching, defensive software (such as intrusion
detection systems and anti-virus and anti-spyware software), better authentication of users and
encryption of sensitive data will make an attacker's job more difficult. Improved law
enforcement capabilities to arrest and prosecute cyber criminals will also reduce the
attractiveness of cyber attacks against critical infrastructure. Companies are more likely to spend
money to protect themselves from criminal attacks, since this offers a direct and immediate
benefit to their bottom line. Defense is a “public good”13 and the private sector routinely
undersupplies public goods. This is a particularly important point given the U.S. dependence on
the private sector for critical-infrastructure protection. A reading of economic incentives
suggests that companies will spend to improve cybersecurity to prevent cybercrime more than
they would for a nebulous threat to homeland security.
The importance of cybersecurity in protecting critical infrastructures other than finance,
electrical power or telecommunications, rests on the assumption that critical infrastructures are
dependent on computer networks for their operations. The chief flaw in this reasoning is that
while computer networks are vulnerable to attack, the critical infrastructures they support are not
equally vulnerable. Early proponents of cyber attack assumed that many public services,
economic activities and security functions were much more dependent on computer networks
than they are in their actual operation. While the dependence on computer networks continues to
grow, many critical functions remain insulated from cyber attack or capable of continuing to
operate even when computer networks are degraded. It may be more accurate to say that critical
infrastructures are dependent on their human operators, whose actions are supported, reinforced
or carried out using computers and networks. This human element reduces the risk of
cyberattack to critical infrastructures.
A well-known example of the difference between computer vulnerability and system
vulnerability again comes from the 2003 release of the Slammer worm. The worm affected
database software. Some police departments in Washington State saw the computers used in
their 911 emergency response systems slow to the point of uselessness as the worm spread and
implemented its instructions. These departments compensated by using paper notes to record
calls, allowing 911 services to continue uninterrupted.14 The computers were vulnerable and
affected, but the critical service was not.
The debate today on how to approach this task is whether cybersecurity should be an
element of a larger critical infrastructure strategy or whether it deserves its own independent
approach. While the first phase of planning for critical infrastructure protection made
cybersecurity of primary importance, the second phase of thinking about critical infrastructure
protection assumed that cybersecurity only made sense as part of a larger strategy focused on
physical protection. Had the 911 centers in Washington State been the subject of physical attack
or damage, they might very well have had to shut down and 911 services would have been
disrupted (as was the case in New Orleans in the post-Katrina flooding). Incidents like this seem to
show that risk comes primarily from physical attack.
While this new approach to critical infrastructure protection has dominated federal
planning for the past few years, it is not universally accepted. There are reasons for this lack of
universal acceptance, some good, some less sensible. The IT industry did not like being
downgraded from the central place it occupied in critical infrastructure protection. A more
cogent argument for a separate approach to cybersecurity involves recognition of the inability of
differing security communities to implement a strategy that unifies cyber and physical security.
A Chief Security Officer in a corporation often thinks in terms of “guns, gates and guards.” The
Chief Information Security Officer thinks in terms of firewalls and software. In most companies,
neither is well placed to execute a unified strategy.
A third approach to critical infrastructure protection might be to recognize that the
importance of cybersecurity varies from infrastructure to infrastructure and with the nature of the
attacker. We should not be surprised that the distribution of vulnerability is not uniform among
or across infrastructures. Cybersecurity is more important for a few networked, interconnected
national infrastructures and less important for many disaggregated infrastructures. Cybersecurity
is less important in planning to defend against terrorist attacks, since these are less likely to use
cyber weapons, but more important in planning for conflict with a national state opponent.
Critical infrastructure protection could distinguish among the many places where cybersecurity is
a tertiary source of risk and the few places where it is of central importance. These key facilities
could be “hardened” with a combination of redundancy, contingency plans for responding to
computer disruption, maintaining non-networked controls for key functions, and by ensuring
additional monitoring of computer and network activities.

HSPD-7 asserts “Terrorists seek to destroy, incapacitate, or exploit critical infrastructure and key
resources across the United States.” This assertion is not entirely accurate. While terrorists do
exploit western infrastructure for transport and communications to obtain a global presence and
capability, it is not clear that they seek to destroy or incapacitate critical infrastructures. Their
strategies do not emphasize economic warfare, but favor a blend of military and psychological
actions that they believe will produce political change. Cyberspace is a valuable tool for
coordination and propaganda for terrorists, but it is not a weapon.15
Nation-states who are potential opponents may see more opportunity in cyberspace.
Intelligence gathering will prompt them to penetrate U.S. computer networks. In the event of a
conflict, nation-states will likely try to use the skills and access gained in intelligence operations
to disrupt crucial information systems. This disruption will also affect critical infrastructures
and, potentially, degrade the services they provide. It remains unclear, however, if even a skilled
opponent can translate the degradation of key infrastructure services into military advantage for a
conflict whose combat phase is likely to be of short duration and depend more on existing
The best path to better cybersecurity may lie outside of critical infrastructure protection.
It is hard to motivate people to defend when risks are obscure or appear exaggerated. However,
the risks of espionage (including economic espionage) and cybercrime are very real for
individuals, firms and agencies. A security agenda that focused on measures to respond to
cybercrime and espionage would produce tangible benefits, win greater support, and reduce
much vulnerability in computer networks used by critical infrastructure. If an emphasis on
cybercrime and counterespionage is the key to better cybersecurity, this suggests that the core of
the problem lies with law enforcement.

Critical infrastructure protection began by making cybersecurity the cornerstone of
defense. This chapter suggests that in fact, if we calculate the risk from cyber attack for most
infrastructures, it is a tertiary concern. The history of critical infrastructure protection has been
to develop expansive plans to cover a broad list of targets and then, in the effort to protect many
things with few resources, achieve little in terms of risk mitigation. Putting cybersecurity in the
context of more precise assessments of the actual threat could help overcome some of this
difficulty by allowing a federal strategy to focus on the few networks of real concern.

About the Author
James A. Lewis is a Senior Fellow and Director for Technology and Public Policy at the Center
for Strategic and International Studies (CSIS), a research institution in Washington. Before
joining CSIS, Lewis was a career diplomat at the Department of State, and a member of the
Senior Executive Service at the Department of Commerce. He received his Ph.D. from the
University of Chicago in 1984.

1 “Assessing the Risks of Cyber terror, Cyber war and Other Threats” provides the fuller discussion of the likelihood
of cyber terrorism.
2 The Joint Security Commission was the first in a series of commissions to identify cybersecurity as a primary
challenge, saying "The Commission considers the security of information systems and networks to be the major
security challenge of this decade and possibly the next century…” Joint Security Commission, “Redefining
Security: A Report to the Secretary of Defense and the Director of Central Intelligence,” February 28, 1994,
Chapter 1, “Approaching the Next Century”
3 “Homeland Security Presidential Directive/HSPD-7: Critical Infrastructure Identification, Prioritization, and
Protection,” December 17, 2003,
4 A fuller discussion of this claim, and use of the concept of ‘opportunity cost’ in assessing economic harm, follows
5 This conclusion reflects the results of government-sponsored cyber war games.
6 The first study to confirm this counterintuitive effect was the U.S. Strategic Bombing Survey, but later studies have
found a similar reaction among target populations. U.S. Strategic Bombing Survey, Summary Report (European
War), 1945. See also Stephen T. Hosmer, “Psychological Effects of U.S. Air Operations in Four Wars,” Rand,
7 The earlier PDD-63 (May 1998) identified the task as protecting “the nation's critical infrastructures from
intentional acts that would significantly diminish the abilities of: the Federal Government to perform essential
national security missions; and to ensure the general public health and safety; state and local governments to
maintain order and to deliver minimum essential public services; and the private sector to ensure the orderly
functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation
services.” The Patriot Act and HSPD 7 also provide similar but not identical lists of infrastructures deemed
8 Oil and gas pipelines could be considered a national network, but there are alternative transport modes that could
mitigate an attack. Air traffic control may appear national, but is conducted in discrete segments on a local and
regional basis.
9 “Energy and power companies experienced an average of 1,280 significant attacks each in the last six months,
according to security firm Riptech Inc…. The number of cyber attacks on energy companies increased 77 percent
this year (2002).” CBS News, “Hackers Hit Power Companies,” July 8, 2002,
10 For more on this, please see the chapter by Aaron Mannes in this volume.
11 National Infrastructure Advisory Council, “Prioritizing Cyber Vulnerabilities,” October 2004, Page 5, at
12 The Ford Motor Company received 140,000 contaminated e-mail messages in three hours. It was forced to shut
down its email network. E-mail service within the company was disrupted for almost a week. Ford reported, “the
rogue program appears to have caused only limited permanent damage. None of its 114 factories stopped
production. Computerized engineering blueprints and other technical data were unaffected. Ford was still able to
post information for dealers and auto parts suppliers on Web sites that it uses for that purpose.” Keith Bradsher,
“With Its E-Mail Infected, Ford Scrambled and Caught Up,” The New York Times, May 8, 2000
13 A “public good” provides benefits to an entire society with very little incentive for any one person to pay for it.
14 Wells, R. M., “Dispatchers go low-tech as bug bites computers” Seattle Times, January 27, 2003,
15 See, for example, Office of the Director of National Intelligence, “Letter from al-Zawahiri to al-Zarqawi, October
11, 2005,”

birther truther tenther
« Reply #1 on: December 10, 2010, 12:23:59 pm »

In July 2002, Gartner and the U.S. Naval War College hosted a three-day, seminar-style war game called "Digital Pearl Harbor" (DPH). Gartner analysts and national security strategists gathered in Newport, Rhode Island, with business and IT leaders from enterprises that control parts of the national critical infrastructure. Our objective was to develop a scenario for a coordinated, cross-industry cyberterrorism event.

Results of a post-game survey indicate that the DPH game experience had a profound impact on the participants: 79 percent of the gamers said that a strategic cyberattack is likely within the next two years.

DPH participants played the roles of terrorists, devising coordinated attacks against four national critical infrastructure areas: the electrical power grid, financial service systems, telecommunications and the Internet. Their goal was to determine if a cyberattack could create a crisis of confidence that would shift the strategic balance of power, at least temporarily. Since the game did not test defenses against cyberterrorism, the questions of whether a real attack would achieve the goals set in the game and how much economic damage it would cause are still open.

The question as to whether cyberterrorism is a realistic threat is resolved. DPH skeptics abound, of course, and level many criticisms, but two criticisms stand out.

The first criticism is that by engaging in this type of exercise, we are opening Pandora's box, showing those with malicious intent what could be done. Good point, but before we started, we ran this issue by national security officials, and as one of those officials succinctly put it: "The bad guys already have the knowledge of these systems, and they know what they are going to do." The purpose of the DPH game was to get inside the opponents' heads. All of the data and information created in the DPH game underwent a national security review before we published our analyses.

The second criticism is that there are no new lessons to be learned from the DPH game. Good point, and really a very daunting criticism. Yet, how often do we hear from these same critics: "If only enterprises (or users) would follow good IT security practices ..." But good practices are very difficult to follow. How many readers have ever installed a new operating system or application on their home PC, only to spend the next several days trying to get the PC to work again? Multiply that experience by thousands when you are talking about enterprises installing new applications, security patches and system connections on hundreds or thousands of servers, mainframes and PCs. Preventing such downtime requires deliberate, linear steps that take time, people and money. DPH-type exercises help identify the threats, improve risk management processes and, in turn, prioritize resources for IT security activities. As one military commander put it: "We must shoot the closest wolf first."

Nevertheless, the skeptics have history on their side (as do all Luddites at the dawn of a new era) — there has never been a cyberterrorism event. Or has there? Electrical power grid failures in some parts of the world, such as Western India, are so common that tampering with the grid to test cyberattacks could go unnoticed. This path leads to conspiracy theory oblivion, which is one of the reasons we ran the DPH game: determine what is really possible by a cyberattack.

Even skeptics of a DPH-type attack must acknowledge that our enterprises are under small-scale cyberattacks every day; hence, we are confident most readers will find our analyses of the DPH war game at least somewhat useful and very interesting.

Featured Research

'Digital Pearl Harbor' War Game Explores 'Cyberterrorism' By French Caldwell, Richard Hunter and John Bace

Security Best Practices Will Do Most to Foil Cyberterrorists By Paul Schmitz, John Mazur and Rich Mogull

Cyberterror Poses Growing Threat to Financial Services By John Bace, Annemarie Earley, Vincent Oliva and David Furlonger

Utilities Should Upgrade the Security of Their Operations By John Dubiel, Kristian Steenstrup and Paul Pechersky

Prepare for Cyberattacks on the Power Grid By John Dubiel, Kristian Steenstrup and Paul Pechersky

Telecom Is Secure but Not a Cause for Complacence By David Fraley and Ron Cowles

Could Terrorists Bring Down the Public Switched Telephone Network? By David Fraley and Ron Cowles

Terrorists Could Hijack the Internet By Ron Cowles and John Mazur

Recommended Reading and Related Research

Force Vendors to Make Software More Secure By Arabella Hallawell and Rich Mogull

Cyberattacks and Cyberterrorism: What Private Business Must Know By Rich Mogull and Richard Hunter

Dealing With Cyberterrorism: A Primer for Financial Services By David Furlonger
birther truther tenther
« Reply #2 on: December 10, 2010, 12:24:42 pm »

Strategic Information Warfare
By Robert K. Hiltbrand
Originally published Spring 1999

Before I begin this discussion, I must add this disclaimer. The research information I have gathered for this
paper comes from open sources. It is my personal belief that the United States, and in particular the Department of
Defense and its related civilian agencies, have some tremendous capabilities that the American public won’t ever find
out about until a national or international crisis arises. I have attempted to present, through the available
unclassified sources, what our national strategic information warfare capabilities are and what some perceived
weaknesses in our national information infrastructure are. This is just a general discussion of the facts.
The Internet, as we know it today, started out as a program for the Department of Defense in 1969. Back
then it was called ARPANET and one of its goals was to link up the computer systems of several universities and
colleges that were doing research for the United States Military.
"Almost 30 years after the US Defense Department created the Internet as a communications system
invulnerable even to a nuclear attack, the global web of computer networks is itself now viewed as a national security
risk by the Pentagon and other military security chiefs." (1) Cyberspace soldiers have a finger on the mouse,
Business Times, Technology Section November 2, 1997.
The concept of guarding the national infrastructure -- especially its critical components -- against attack is
also referred to as cyberwar and in a broader context, as strategic information warfare. (2) Strategic Information
Warfare: A New Face of War, Roger C. Molander, Andrew S. Riddile, Peter A. Wilson, 1996 RAND Corporation.
As a result of the rapid growth in information technology, the Department of Defense, like the rest of
government and the private sector, has become extremely dependent on automated information systems. To
communicate and exchange unclassified information, the Department of Defense relies extensively on a host of
commercial carriers and common user networks. This network environment offers the Department of Defense
tremendous opportunities for streamlining operations and improving efficiency, but also greatly increases the risks
of unauthorized access to information. (3) Report to Congressional Requesters, May 1996, Information Security -
Computer Attacks At Department Of Defense Pose Increasing Risks, Government Accounting Office/AIMD-96-84,
Defense Information Security (511336).
Several federal civilian and national defense agencies estimate that more than 120 countries around the
world have established computer attack capabilities. In addition to this fact, most countries are believed to be
planning some degree of information warfare as part of their nation's overall strategy. (4) Cyberspace soldiers have
a finger on the mouse, Business Times, Technology Section November 2, 1997.
This means that the United States, in order to maintain its present position as a World leader, must maintain
its own Information Warfare strategy.
Strategic Information Warfare is the deliberate sabotage (electronically) of a nation-state's national
information infrastructure. This could take the form of crashing the financial markets of a nation. Or it could also be
the deliberate shutting down of the power grid in the capital city of an adversary. The worst case scenario could be
the infiltration of an enemy's military computer networks with the intent to destroy those very systems and thus
prevent those military forces from deploying to the field of battle.

Why is Information Warfare important to the United States? Because we live in a society where computer
networks are all around us. Power grids are controlled by complex computer networks. Financial transactions are
more and more being conducted electronically. The advent of the Internet. The popularity of email. Air traffic
controllers using computers to sort out the traffic in the skies. Anywhere there is a computer, there is the potential
for someone to electronically tamper with the information on it as well as the hardware and equipment it controls.
During the American Revolution and the American Civil War, there was armed conflict in the Continental United
States. During World War Two, with the attack against Pearl Harbor, more armed conflict was brought to American
soil, but not to the Continental United States. But with the advent of Information Warfare, damage can be done
directly to the Continental United States without an adversary ever having to physically be near the North American
continent. There are no clearly drawn front lines. Anyone and everyone can be affected.
The following quote comes from an American defense analyst, "Another characteristic of information attacks
stems from the loss of sanctuary. Attacks of this sort, particularly when they consist of more than an isolated
incident, create a perception of vulnerability, loss of control, and loss of confidence in the ability of the state to
provide protection. Thus, the impact can far exceed the actual damage that has occurred. This non-linear
relationship between actual damage and societal damage makes the problem of digital war a particularly challenging
one because it creates a mismatch between rational defensive responses and their effectiveness." (5) Defensive
Information Warfare by Dr. David S. Alberts.
As the United States enters the Twenty-first Century with the intention of being a World Leader, we, as a
society, must defend our national information infrastructure against attack. Successful attacks against it will have
severe, and as yet unknown, economic, political, and societal consequences because of America's heavy reliance upon
computer networks. We will discuss America’s vulnerability later.
Now that we know what Information Warfare is, the next logical question to ask is, "Who can wage it?" Well,
the answer is -- anyone. Individual "hackers," terrorist organizations with political, economic, or military objectives,
or nation-states that would not be able to go head-to-head with a traditional military power such as the United States
might be more successful on the cyber battlefield. However, the organizations and nation-states still need the
services of the individual hackers to accomplish their goals. We will focus on the hackers because they are the key
personnel in offensive Information Warfare. The word "hacker" has many definitions. Webster's New World College
Dictionary defines a hacker as a talented amateur of computers, specifically one who attempts to gain unauthorized
access to files in various systems. The New Hacker's Dictionary defines a hacker as a person who enjoys exploring
the details of programmable systems and how to stretch their capabilities.
A 1996 federal government report about Pentagon computer security states, "Today the term (hackers)
generally refers to unauthorized individuals who attempt to penetrate information systems; browse, steal, or modify
data; deny access or service to others; or cause damage or harm in some other way." (6) Report to Congressional
Requesters, May 1996, Information Security - Computer Attacks At Department Of Defense Pose Increasing Risks,
Government Accounting Office/AIMD-96-84, Defense Information Security (511336).
Is a hacker some 14-year-old kid from a Chicago suburb who electronically breaks into his high school's
network to change his Home Economics grade from a "D" to an "A"? How about a group of Russian hackers in St.
Petersburg who steal $12 million dollars (US currency) electronically from a Citibank computer located in New York
City? (7) Cable News Network news story, March 25, 1999.
George Tenet, Director of the Central Intelligence Agency, had two statements about hackers and their
effectiveness in today’s globally linked society, "A group calling themselves the Internet Black Tigers took
responsibility for attacks last August (1997) on the e-mail systems of Sri Lankan diplomatic posts around the world,
including those in the United States." (8) Unclassified Testimony of George J. Tenet, Director of Central Intelligence,
delivered to the Senate Committee on Governmental Affairs, June 24, 1998.
"Italian sympathizers of the Mexican Zapatista rebels crashed web pages belonging to Mexican financial
institutions." (9) id.
Some of the tools used by individual hackers include -
• Logic bombs - this is unauthorized code that creates havoc when a particular event takes place;
• Virus - code fragment that reproduces by attaching to another program. It can damage hardware and/or
software directly, or it can degrade those systems by co-opting resources;
• Trojan horse - independent program that when activated performs unauthorized function (under the guise of
doing normal work). Think of it as a nasty little program within a larger normal program.
There are two types of Information Warfare attack modes - structured and unstructured.
An example of an unstructured threat would be how in March, 1997, a 15-year-old Croatian youth hacked his
way into the networks at a United States Air Force base in Guam. When questioned about it, the boy just wanted to
prove he could do it. (10) Bracing for guerrilla warfare in cyberspace, Cable News Network Interactive by John
Christensen, web posted April 6, 1999 @ 1829 Greenwich Mean Time (GMT).
A structured threat would be undertaken by parties that possess intelligence support, proper funding, and
are part of their organization or nation-state's long-term strategic goals. (11) Statement of Lieutenant General
Kenneth Minihan, United States Air Force and Director of the National Security Agency, to the Senate Governmental
Affairs Committee hearing on Vulnerabilities of the national Information Infrastructure, June 24, 1998. An example of
a structured attack would be shutting down of the power grid of a City just before it is bombed.
Another statement from General Kenneth Minihan of the NSA, "The Chinese present a good example of the
structured threat. In 1995 the Chinese military openly acknowledged that attacks against financial systems could be a
useful asymmetrical weapon." (12) Statement of Lieutenant General Kenneth Minihan, United States Air Force and
Director of the National Security Agency, to the Senate Governmental Affairs Committee hearing on Vulnerabilities of
the national Information Infrastructure, June 24, 1998.
What America must do is find a way to distinguish the difference between structured and unstructured
attacks against the national information infrastructure (both the civilian and military portions of it). Our society must
establish what the normal "noise" level is for it. (13) The Cyber-Posture of the National Information Infrastructure by
Willis H. Ware, March 9, 1997, RAND Corporation (MR-976-OSTP).
What parts of the national information infrastructure are vulnerable to attack? Another statement from
General Minihan of the NSA gives a brief overview,
“The resources at risk include not only information stored in or traversing cyberspace, but all of the
components of our national infrastructure that depend on information technology ....... these include the
telecommunications infrastructure itself; our banking and financial systems; the North American power grid; other
energy systems, such as oil and gas pipelines; our transportation networks; water distribution systems; medical and
health care systems; emergency services, such as police, fire, and rescue; government operations, and military
operations.” (14) Statement of Lieutenant General Kenneth Minihan, United States Air Force and Director of the
National Security Agency, to the Senate Governmental Affairs Committee hearing on Vulnerabilities of the national
Information Infrastructure, June 24, 1998.
Let us look at two of the more important components of our national infrastructure - the power grid and
communication systems.
The North American power grid, which is made up of the nations of Mexico, Canada, and the United States of
America, is a very large and complex system. All of its administrative functions are handled via a vast computer
network. What happens if an adversary, with the proper personnel, tools, and know-how, attacks the power grid
network and shuts it down? Literally millions of people will be left without something that most of us take for granted
- electricity!
The telecommunications infrastructure is the other component. The public switched network (i.e., the
national telephone system) is a singular point of concern because it provides the bulk of connectivity among
computer systems, people, organizations, and functional entities. It is the backbone of interpersonal and organization
behavior. (15) The Cyber-Posture of the National Information Infrastructure by Willis H. Ware, March 9, 1997, RAND
Corporation (MR-976-OSTP).
The communications infrastructure is particularly vulnerable because it is used for both military and civilian
voice, video, and data communications. These systems are controlled by the companies (such as AT&T, MCIWorldCom,
Sprint) who own the fiber optics and trunk cable systems that transmit the information. Potential adversaries could
hack their way into the AT&T mainframes and gain control of its systems. Once in control, these adversaries could
redirect, stop, or disable the systems from operating effectively. This would cause a great strain on American
society. Imagine not being able to call your family in another state. Or how about not being able to withdraw money
from an ATM because its communication lines with your bank have been disrupted. Or what about communication
satellites that are directed to stop transmitting signals. How are military leaders in the field supposed to
communicate with their headquarters without secure satellite communications?
“The Defense Information Infrastructure consists of communications networks, computers, software,
databases, applications, and other capabilities that meet the information processing, storage, and communications
needs of Defense users in peace and wartime.” (16) Report to Congressional Requesters, May 1996, Information
Security - Computer Attacks At Department Of Defense Pose Increasing Risks, Government Accounting Office/AIMD-
96-84, Defense Information Security (511336).
There are effective ways that America can protect its national information infrastructure. Some of these
measures include --
• All components of the Defense Department's infrastructure must be brought up to the same level. This means
hardware, software, and personnel. In-fighting between the different service branches needs to give way to cooperation
and resource sharing;
• Policies need to be established setting minimum standards and requirements for key security activities; and
• There must also be clearly assigned responsibility and accountability for ensuring that these minimum standards
are achieved.
Some of the tools that can be used to safeguard the national information infrastructure include –
• Firewalls are hardware equipment and software applications that protect system resources from hackers. A
firewall monitors all incoming traffic and attempts to block all unauthorized intrusions;
• Encryption is the transformation of original data into ciphered (altered) data. Only those who have a key to the
encryption program can un-encrypt the data; and
• Authentication can be used for network security to prove that a system user is who he/she is supposed to be and
that he/she has a right to use the system. Some examples could be for each system user to identify
himself/herself with a finger print or retinal scan identification.
There are several civilian agencies and military commands that are responsible for protecting the national
information infrastructure.
The following are some of the known agencies –
* In 1988, the Department of Defense established the Computer Emergency Response Team (C.E.R.T.). It is based
at Carnegie-Mellon University.
* In December 1992, the United States military initiated its formal Defensive Information Warfare program.
Specifics for the program are, as yet, unavailable.
* In its December 1995 Defensive Information Warfare Management Plan, the Pentagon defined a three-pronged
approach to protect against, detect, and react to threats to the Defense Information Infrastructure. Again,
specifics are unavailable.
* In 1996, the Air Force established the Air Force Information Warfare Center (I.W.C.). That same year, the Navy
established its Fleet Information Warfare Center (F.I.W.C.) and the Army established its Land Information
Warfare Activity (L.I.W.A.). The main focus of each of these Commands is to conduct Offensive Information
Warfare and to protect the Defense Information Infrastructure against attacks.
* In December 1998, the Pentagon established the Joint Task Force for Computer Network Defense. This task force
is supposed to be an effort between all of the different service branches to share resources.
* The Defense Information Security Agency (allegedly chartered in the mid-90’s) has established a Global Control
Center. The Center is staffed by the Automated Systems Security Incident Support Team (A.S.S.I.S.T.) to provide
a centrally coordinated around-the-clock Department of Defense emergency response team to attacks on United
States military computer systems. Because of the nature of the global information network, A.S.S.I.S.T. can
support United States military installations located around the world.
* The National Security Agency is a government agency which is heavily involved in all aspects of Information
Warfare. They employ lots of “code-breakers” and have their own stable of hackers.
Offensive Information Warfare is now being integrated into battle plans along with conventional strategies
such as bombing an adversary. The Air Force’s I.W.C., the Navy’s F.I.W.C., and the Army’s L.I.W.C. are all alleged to be
the military commands that will be conducting the Offensive Information Warfare campaigns of the future. The
following statement from United States Senator John Glenn sheds some light on America’s Offensive Information
Warfare capabilities -
"We are rapidly getting to the point where we could conduct warfare by dumping the economic affairs of a
nation via computer networks." (17) Cyberspace soldiers have a finger on the mouse, Business Times, Technology
Section November 2, 1997.
Again, please remember that much of the U.S. military’s capabilities are unknown to the general public, so I can
only outline, in general terms, what they do.

American society is moving more towards full integration of the national information infrastructure. You will
pay your bills, perform bank transfers, and make dinner, hotel, or airline reservations from your home PC or a public
information terminal. America’s national information infrastructure will become a major component of the larger
global information network. This System will become more open as more and more people conduct their affairs online.
But also measures will be taken for system users to identify themselves (retinal scan or fingerprint, if not a DNA
sample). Hackers, as always, will find simple and effective ways around these enhanced security measures. They
might do things like piggy-back their own programs on the connections that legitimate system users are generating.
Another important aspect of the future of cyber space will be the evolution of the hackers. They will evolve into cyber
mercenaries. They will advertise their services on the global information network. These hackers will be hired by
governments, organizations, and individuals. As for future warfare, instead of threatening another nation-state with
nuclear war (physical destruction) governments will threaten to destroy the national information infrastructure of a
potential adversary (of course this won’t work on organizations or individuals). However, this will be a double-edged
sword because as the global information network becomes truly global, a disruption in one node of the System could
have unknown consequences throughout the rest of the Network. This would be called “cyber collateral damage.”
There will be a "digital" Pearl Harbor. And there are multiple countries, organizations, and individuals that have the
technical know how to devise and conduct such an attack. The United States Department of Defense will continue to
develop its own Defense Information Infrastructure. This will be made as secure as possible as the military becomes
more and more dependent on the free (and secure) flow of data to enable it to meet its commitments around the

Rob Hiltbrand

birther truther tenther
« Reply #3 on: December 10, 2010, 12:25:32 pm »

The following is an excerpt from this UNIDIR:

Conclusion: where do we go from here?
While the potential of a "digital 9/11" is not great in the near future, the Internet has come of age
since 2001. Both terrorism and the Internet are significant global phenomena, reflecting and shaping
various aspects of world politics. Due to its global reach and rich multilingual context, the Internet
has the potential to influence in manifold ways many different types of political and social relations.
Unlike the traditional mass media, the Internet's open architecture means that efforts by governments
to regulate Internet activities are restricted, and this has provided users with immense freedom and
space to shape the Internet in their own likeness. Included within this cohort are terrorists who
increasingly employ new media to pursue their goals. The terrorists of today, like those of yesteryear,
are keen to exploit the traditional mass media while also recognizing the value of more direct
communication channels.
As far back as 1982, Alex Schmid and Janny De Graaf conceded that:
If terrorists want to send a message, they should be offered the opportunity to do so without
them having to bomb and kill. Words are cheaper than lives. The public will not be instilled
with terror if they see a terrorist speak; they are afraid if they see his victims and not himself
[…] If the terrorists believe that they have a case, they will be eager to present it to the
public. Democratic societies should not be afraid of this.19
Not everybody is in agreement with this position, however. Over time, both state and non-state
actors have endeavoured to curb the availability of terrorism-related materials online with varying
degrees of success. Authoritarian governments have met with some success by deploying technologies
that constrain their citizens' ability to access certain sites. There are fewer options for restriction
available to democratic governments, however, and although recently more restrictive legislation has
been promulgated in a number of jurisdictions, it is not yet clear that it will be any more successful
than previous attempts at controlling, for example, cyber-hate. In terms of terrorist web sites and
their removal, private initiatives instituted by a range of substate actors in conjunction with ISPs have
been much more successful. But the activities of individual hacktivists raise a number of important
issues relating to limits on speech and who can and should institute these limits. The capacity of
private political and economic actors to bypass the democratic process and to have materials they find
politically objectionable erased from the Internet is a matter for concern. Such endeavours may, in
fact, cause us to think again about legislation, not just in terms of putting controls in place—perhaps,
for example, outlawing the posting and dissemination of beheading videos—but also writing into law
more robust protections for radical political speech.
birther truther tenther
« Reply #4 on: December 10, 2010, 12:26:09 pm »

Hyping the future false flag cyber attack.  This particular piece calls for an EMP to be launched, and guess which nation will be blamed for it???
birther truther tenther
« Reply #5 on: December 10, 2010, 12:26:30 pm »

Digital Pearl Harbor
Schedule information
Event    Digital Pearl Harbor
When    Wednesday, December 8, 2010 from 10:00am to 12:45pm
Where    Copley Hall Copley Formal Lounge
Ticket/RSVP    This event requires a ticket or RSVP
Event details
Details    A day after commemorating Pearl Harbor Day, several of the world’s leading cyber and national security experts will discuss the threat of a “Digital Pearl Harbor.” These pre-eminent thought leaders will address the likelihood that a “Digital Pearl Harbor”, long warned about, could actually happen as well as where our critical infrastructure and Federal networks are most vulnerable. Topics including cyber espionage and the ongoing theft of financial, intellectual, and national security data will also be discussed. Is cyber war a real threat or all hype? Confirmed panelists are:

Richard Clarke, author of Cyber War and chairman of Good Harbor Consulting
General Michael Hayden, former director of NSA and CIA
Jeffrey Carr, author of Inside Cyber Warfare

Please contact the Institute for Law, Science, and Global Security at for more information.
Access    » This event is limited to Georgetown University students, faculty and staff.
Sponsors    Institute for Law, Science, and Global Security
Calendar    Institute for Law, Science and Global Security
birther truther tenther
« Reply #6 on: December 10, 2010, 12:27:05 pm »


To Forestall a 'Digital Pearl Harbor,' U.S. Looks to System Separate From Internet
11-17-2001 Yahoo! News

WASHINGTON, Nov. 16 The Bush administration is considering the creation of a secure new government communications network separate from the Internet that would be less vulnerable to attack and efforts to disrupt critical federal activities.

The idea for such a system, called GovNet, is the brainchild of Richard A. Clarke, a counterterrorism expert whom President Bush recently named his special adviser for cyberspace security.

Mr. Clarke, who has been warning for some time of the possibility of a "digital Pearl Harbor" if the nation does not invest more in cybersecurity, began working on the idea of a government network before the terrorist attacks of Sept. 11. But he says the attacks showed that it is imperative to imagine the ways terrorists could disrupt the nation's information infrastructure and the computer networks that control telecommunications, the electric grid, water supplies and air traffic.

"Prior to 9/11," he said in an interview, "there were a lot of people who thought that the only thing the terrorists could do is what they have already done. Now we know they can do something really catastrophic."

"The worst case here," he said of a cyberspace attack against the government, "is that we might not be able to communicate for essential government services. And it might happen at a time when we're at war. It might happen at a time when we're responding to terrorism."

Mr. Clarke said a critical question for the administration would be how much a government computer network would cost. No one is quite sure of that sum, although he speculated that it could be in the hundreds of millions of dollars.

Read rest of article by clicking here
birther truther tenther
« Reply #7 on: December 10, 2010, 12:27:27 pm »

Is a 'digital Pearl Harbor' in our future?

    * By William Jackson
    * Dec 04, 2009

Dec. 7 is the anniversary of the Japanese attack against Pearl Harbor that crippled the U.S. Pacific fleet and brought this country into World War II. What have we learned in the 68 years since that world-changing day?

The threat in our age is less to ships and aircraft than to the technology that controls so many aspects of our lives. Many observers have warned that our defenses are not adequate to protect our nation’s critical infrastructure, and the phrase Electronic or Digital Pearl Harbor has been commonly used to describe a surprise cyber attack that could cripple our military and commercial capabilities. Dire as these warnings are, we should take them with a grain of salt.

Although cyber threats are real, the chances of a Digital Pearl Harbor remain small. This is due not so much to the success of our cyber defenses, which in many places remain inadequate, but to the realities of warfare and networking. Blowing a fleet out of the water is not easy, but taking down a network—I mean really taking it down, to the point where it is gone for good—is even harder.

There are those who disagree. Ira Winkler, former employee of the National Security Agency and now a consultant and writer, for years scoffed at the idea and called comparisons of digital attacks to Pearl Harbor “insulting.” But in a recent blog posting tellingly titled “I Was Wrong: There Probably Will Be an Electronic Pearl Harbor,” he changes his opinion somewhat.

What changed, he writes, is the smart grid. By creating a vulnerable, ubiquitous infrastructure that is tied in with our national power grid, we have greatly increased the potential for a strategic attack doing long-term damage, he said. “While I will not cry wolf and say it is imminent, I sadly realize that an Electronic Pearl Harbor is now very possible.”

But doing systematic, long-term damage to a network is much harder than compromising a vulnerability. And even if such damage were possible, what would be the point?

The Japanese were able to severely damage the U.S. Pacific Fleet at Pearl Harbor because so many resources were vulnerable at one time and place, and could be put out of action with one blow. But even then, our aircraft carriers escaped and, as it turned out, came to be the dominant military factor in the Pacific war.

Networks are even more complex than a fleet. Being able to exploit a vulnerability does not mean being able to exploit all vulnerabilities, or every instance of the same vulnerability. And even if networks are interconnected, they are not a homogenous whole. If network administrators have difficulty managing their own large networks because they are too large, flexible and changeable to accurately inventory and map, imagine the difficulty for a malicious outsider in bringing one down.

Of course, elements of it can be interfered with, damaged or even destroyed. But networks are typically too fragmented and redundant to stand or fall as one. Our networks have never been reliable enough to depend upon completely, so they are full of backups, workarounds and overrides that ensure that much of the work gets done even when the parts fail.

And it is important to remember that Pearl Harbor was not an end in itself. Japan gained little or nothing from destroying the fleet in Hawaii. The value of the attack was in the Imperial Navy’s ability to follow it up with attacks in Guam, the Philippines and other locations that enabled them to take and hold strategic military positions.

What good would it do for an attacker to take down vital U.S. networks? While the damage to this country could be great, the benefit to an attacker would be nil if it could not be followed up. The real threat of cyber warfare is not in stand-alone attacks, but in attacks coordinated with military action. At this point, there are very few parties out there with both the ability and inclination to take on the United States militarily, whether our networks are up or down. Terrorists could score points with a devastating cyber attack, of course, but without the ability to follow it up militarily, it would not rise to the level of a Pearl Harbor.

This is not to say that cyber attacks are not a serious concern, that our systems are not vulnerable, or that we do not need to pay attention to the growing threats posed by cyber intrusion. But we should address the issues realistically and understand the scope of the problem.
birther truther tenther
« Reply #8 on: December 10, 2010, 12:27:51 pm »

I Was Wrong: There Probably Will Be an Electronic Pearl Harbor
Ira Winkler says the emerging smart grid makes doomsayers' unlikely predictions more likely
By Ira Winkler
November 29, 2009 — CSO —

For 15 years now, I have been publicly lambasting all of those people who have made their careers, or at least made fleeting news headlines, based on their declaration of an imminent Electronic Pearl Harbor. My disdain is based on several factors, but predominantly the lack of accountability for such statements. One industry analyst, for example, stated that there will be such an event by the end of 2003. Six years later, I didn't see anyone revisit the utter lack of such an event.

However, I now see things developing to the point where there can be a strategic attack on computer infrastructures. The key word is Strategic.

Another major issue I have with the people who stake their fame in information warfare is the lack of apparent understanding in the concept of military and geopolitical issues. Specifically, strategy implies long term impacts, generally at least 3-6 months. Tactical attacks have short term impacts. Yes, we have had many tactical attacks against different infrastructures. However, comparing these attacks to Pearl Harbor is insulting.

Pearl Harbor was a preemptive strike against the US Pacific Fleet. It significantly degraded the US Naval capability for several years. If the aircraft carriers were in Pearl Harbor as the Japanese expected, it could have been a complete knockout blow. So the question becomes, what can make a computer attack strategic?

Over the last 15 years, it now appears that the electrical grid is not only extremely vulnerable, they are in the process of exponentially increasing its vulnerability. At this point, the vulnerabilities in the power grid are well documented. I highlight how there are many points where control networks overlap business networks. The GAO published a report a month later highlighting this problem at the Tennessee Valley Authority [pdf link]. The Wall Street Journal highlighted how Russian and Chinese intelligence agencies have already planted malware in the power grid. Then there was the Idaho National Lab Aurora video, where they demonstrated that a generator SCADA system can be remotely hacked to blow up the generator. Then there was the recent 60 Minutes piece.

I have to admit that even with all of the above, I wasn't convinced that there could be a true strategic attack. You can probably blow up a few generators, but the fact is that the power grid itself is resilient enough to withstand the effects. Another issue is that while Russia and China could potentially coordinate a much more devastating attack, they do not have the motivation to cause such damage. While terrorists and some other parties might want to try, it is unlikely that they have the coordination and resources to accomplish a truly strategic attack.

However, the smart grid changes all of that. The researchers from IOActive demonstrated that smart grid boxes can be hacked and that they can spread worms. Not only that, the boxes themselves will be connected to every home and be available to anyone. Anyone therefore has access to the smart grid. With tens of millions of the boxes planned to be distributed throughout the United States, potential attackers can easily get their hands on the systems to tear apart and find new vulnerabilities and attacks. More important, when there is a vulnerability found, how will it be mitigated?

There is a perfect storm brewing where the skills and resources required to launch a significant attack are being drastically lowered. Depending upon the effects of a possible worm on the smart grid boxes, and the vulnerability of the generators, there can be a combined attack that does have strategic impact.

Again, I am not legitimizing the doomsday criers who have been doing this for decades. However, I have come to realize that there is gross negligence in how the power grid has been maintained, and how it is evolving. While I will not cry wolf and say it is imminent, I sadly realize that an Electronic Pearl Harbor is now very possible.
birther truther tenther
« Reply #9 on: December 10, 2010, 12:28:16 pm »

4-20-2010 WASHINGTON D.C.—Central Intelligence Agency director Leon Panetta told 300 Sacramento Metro Chamber Cap-to-Cap delegates that the next “Pearl Harbor” is likely to be an attack on the United States’ power, financial, military and other Internet systems.

Panetta addressed the Sacramento delegation that includes 43 elected officials and hundreds of business and civic leaders who are in Washington D.C. for the annual program that advocates for the region’s most pressing policy issues. He spoke on Monday, April 19, during the Cap-to-Cap opening breakfast.

“Cyber terrorism” is a new area of concern for the CIA, Panetta said. The United States faces thousands of cyber attacks daily on its Internet networks. The attacks are originating in Russia, China, Iran and from even hackers.

“The next Pearl Harbor is likely to be a cyber attack going after our grid…and that can literally cripple this country,” Panetta said. “This is a whole new area of threat.”

Read rest of article here
birther truther tenther
« Reply #10 on: December 10, 2010, 12:28:37 pm »

ZDNet / Video
Will there be a digital Pearl Harbor?
On April 23, 2009
4min 51 sec


Will there be one major catastrophe, or just smaller disasters? Panelists discuss what security issues we should be watching out for, where the threat might come from, and the difficulties in predicting the unpredictable. Panelists include: Whitfield Diffie, vice president and chief security officer for Sun Microsystems; Ronald Rivest, Viterbi Professor of Electrical Engineering and Computer Science at MIT; Adi Shamir, professor of computer science at the Weizmann Institute of Science in Israel; and Bruce Schneier, chief security technology officer for BT Counterpane. Moderating the panel is Ari Juels, chief scientist and director of RSA Laboratories.
birther truther tenther
« Reply #11 on: December 10, 2010, 12:29:03 pm »

A Cyber Pearl Harbor Day

Today we remember the tragic events that occurred back in 1941 at Pearl Harbor.  This was the threshold level event that drew the United States into World War II.

As we remember the tragedy of that day and the toll it took on the United States, we must remind ourselves to be vigilant and not let a repeat of that event ever take place.  Last week the question of an electronic Pearl Harbor was asked over and over again.  Is it possible?  The answer is yes.  Is it probable?  That is where the debate comes in.

There are a number of groups that would like nothing more than to bring the United States to its knees.  There are certainly vulnerabilities that could be exploited in the nation’s critical infrastructure that could cause substantial disruption of critical services. 

For nearly two decades now cyber warfare capabilities have been recognized as a strategic power and many believe this power is on par with weapons of mass destruction. Many governments around the world have awoken and seen the strategic value of cyber weapons and have integrated cyber capabilities in the military doctrine and plans. What is equally as concerning is the pursuit of these weapons by terrorists.  Last week Northrop Grumman announced the formation of a Cyber Security Research Consortium to help secure the nation’s critical infrastructure and to counter the growing threats from cyber attacks.

As former Director of National Intelligence Mike McConnell put it – “We will not get focused on this problem until we have some catastrophic event.”   While there is movement, the bottom line is an electronic Pearl Harbor might be what happens before an appropriate level of action is taken.

– Kevin Coleman

birther truther tenther
« Reply #12 on: December 10, 2010, 12:29:24 pm »

Countering the art of information warfare
Published on October 15, 2007 by Peter Brookes

Now is the time to take heed of Chinese intrusions into government computer systems, urges Peter Brookes

While France, Germany, the UK and the US do not see eye to eye on everything, there is one thing they probably can agree on: the growing problem of Beijing's intrusions into their government computer systems.

Indeed, in the last few weeks, all four capitals have pointed an accusatory finger at Beijing for attempting to infiltrate - or having succeeded in penetrating - their diplomatic or defence establishment computer networks.

While snooping by the People's Liberation Army's (PLA) cyber-soldiers on unclassified government websites and e-mail might be expected, the recent rash of incidents shines a spotlight on a burgeoning game of Internet cat and mouse.

In the case of China, Beijing's increasing aggressiveness (indeed, ham-handedness) and capability to infiltrate the computer networks of key countries is setting off alarms across the security establishment - and rightfully so. Take the US: while modern warfare is increasingly dependent on advanced computers, no country's armed forces are more reliant in the Digital Age than those of the US. This is both a great strength and a damning weakness.

Today, the US Department of Defense uses more than 5 million computers on 100,000 networks at 1,500 sites in 65 countries worldwide. Not surprisingly, potential adversaries have taken note of the US's slavish dependence on bits and bytes.

In an average year, the Pentagon suffers upwards of 80,000 attempted computer network attacks, including some that have reduced the US military's operational capabilities.

Also, in the last few years, the US Army's elite 101st and 82nd Airborne Divisions and 4th Infantry Division have been "hacked".

While it is difficult to determine the source, according to the Pentagon, most attacks on the US digital Achilles' heel originate in China, making Beijing's information warfare (IW) operations an issue we had better pay close attention to.

IW, including network attacks, exploitation and defence, is not a new national security challenge. Cyberwarfare was the rage in the late 1990s, but has faded since 9/11 in comparison to the mammoth matters of Islamic terrorism, Iraq and Afghanistan.

IW appeals to both state and non-state actors, including terrorists, because it is low-cost, can be highly effective and can provide plausible deniability of responsibility due to the ability to route strikes through any number of surrogate servers along the way.

An IW attack can launch degrading viruses, crash networks, corrupt data, collect intelligence and spread misinformation, effectively interfering with command, control, communications, intelligence, navigation, logistics and operations.

Not surprisingly, rising power China is serious about cyberwarfare, making the development of a robust IW capability a top national-security priority. China's military planners recognise US - and others' - dependence on computers as a significant vulnerability.

The PLA has invested heavily in developing its cyberwarfare capabilities, including openly expressing a desire to develop information warfare expertise - and boasting of its growing sophistication in the field.

The PLA has incorporated cyberwarfare tactics into military exercises and created schools that specialise in IW. It is also hiring top computer-science graduates to develop its cyberwarfare capabilities and, literally, creating an 'army of hackers'.

Despite its unprecedented military buildup, the Chinese realise, for the moment, they still cannot win a conventional war against the US and are, naturally, seeking unorthodox - or asymmetric - ways to defeat the US in a conflict over Taiwan or elsewhere.

China is developing weapons, including the so-called 'assassin's mace' that will allow China to balance the US's military superiority by attacking 'soft spots' such as its high-value computer networks.

The idea that a less-capable foe can take on a militarily superior opponent also aligns with the thoughts of the ancient Chinese general, Sun Tzu. In his Art of War, he advocates stealth, deception and indirect attack to overcome a stronger opponent. Overlaying the still-influential Sun Tzu onto modern Chinese military thought could lead one to conclude the PLA believes a Chinese 'David' could, in fact, slay a US 'Goliath' using an asymmetrical military option such as cyberwarfare.

The PLA's US target list is expansive, including command, control, communications, computers and intelligence nodes, airbases and even aircraft carrier strike groups - China's bête noire in a Taiwan contingency.

Industrial espionage against government and private defence research, development and production concerns is also a priority for Chinese cyber-spies, cutting costs and time in support of Beijing's massive effort to develop a world-class defence industry.

Even more troubling, however, is the assertion among analysts that potential Chinese cyber-strikes are not limiting themselves to just diplomatic and security-related targets. Private-sector financial and economic institutions may also be on the PLA's hit list.

Nor is China limiting itself to the US, France, Germany and the UK. Beijing is looking for cyber-dominance over other key potential regional rivals such as Delhi, Moscow, Seoul, Tokyo and Taipei. Wellington also recently reported an incident.

China's IW efforts and activities provide a cautionary tale to US and other policymakers. Fortunately, many governments have devoted significant resources to cyber-security, including measures against terrorists and amateur hackers.

The recent Chinese intrusions, however, clearly demonstrate remaining vulnerabilities and IW is here and now, making it increasingly important - and complementary - to the broad spectrum of modern warfare.

A 'digital Pearl Harbor' for any country is by no means a certainty, but then again, no one believed that terrorists would fly aircraft into buildings. The time to take heed of the cyber threat - Chinese or otherwise - is now.

Peter Brookes is a Heritage Foundation senior fellow and former US deputy assistant secretary of defense.
First appeared in the Jane's Defense Weekly
birther truther tenther
« Reply #13 on: December 10, 2010, 12:29:48 pm »

May 18, 2007 • Volume 5 • Number 5


Digital Pearl Harbor

Will IPv6 make us more secure? Experts give their opinions.

It seems like in the past with all new technologies come new vulnerabilities, said Jim Flyzik during the Federal Executive Forum on IPv6.

“Often times new technologies hit the market and then we are catching up later trying to get the security fixes in place because the so called ‘bad guys’ out there find ways to exploit new technologies. There are some concerns today about a digital Pearl Harbor or a terrorist attack taking down networks, attacking networks.”

The question is: will IPv6 improve security. Federal Executive Forum panelists weighed in on the issue.

Command Information’s Tom Patterson put the issue in perspective this way.

“Keep in mind that the Internet we use today, and we just call it the internet. We don’t know what version number it is and no one really cares. It was designed in the ‘70s and the concept was you had to be a trusted person before you were allowed to connect at a university or a research division or something like that. The concept of the general person coming along and connecting to the internet wasn’t part of the design.”

That means all the security now in place has been “added on”. According to Patterson there actually is a really good security standard now called IPSec. The problem is not enough people use it. The banks use it for very high volume transactions; maybe the State Department will use it for a top secret cable or something. But the rank and file people, it’s not being used to protect their credit cards, to safeguard their privacy and it can be.

“So when IP version 6 came out and started to be thought of as the next generation, leave everything old still working, but let’s see what we need to fix,” explained Patterson.

“One of  the first things that we fixed was let’s take whatever we know how to do really well, that is IPSec, the best security that we know how to do, make that default to the on position instead of an off position. So that someone will be able to, you don’t have to be a rocket scientist in order to use good security now.”

However that’s not the whole thing and it’s certainly no security silver bullet. “It’s also when WiFis came out. If you remember that a lot of CIOs said we don’t have a WiFi problem because we don’t allow it. And then there were all these chalk marks outside their building saying this is where you get free WiFi access; because people were just putting it in because it’s easy. That is possible now with IPv6 but you can’t just ignore it. And just outlaw it in your organization because it’s built into Apple, it’s built into Windows XP, it’s built into half the cell phones you are buying today. And some people are going to turn it on.”

So you need to be addressing the security implications. Security changes absolutely if you address it on a proactive basis, it changes for the better.

According to Commerce’s John McManus, there’s a lot of work going on looking at security in the IPv6 world. “There’s a lot of groups going on looking at security in the services that we provide today. And I think that Tom made a critical point. Those risks exist today. When you go and look at when IPv4 was designed, it has matured. Security has been bolted on to IPv4. In  IPv6 we’ve had the opportunity to actually design that in.”

When you employ a new technology there usually is a period of increased risk. And that risk comes from the simple fact that no matter what testing you do in the lab, and I think we do test very thoroughly, when you hit the wild, you hit some situations that you have not tested for.

“So one of the key things that we are doing now is working together as a community, there’s a working group that’s a part of the IPv6 working group, we are doing outreach into the DOD, outreach into all the carriers and equipment providers to start testing that equipment in a live environment on test networks so that when we go live we are sure that we are achieving at least the level of security, if not better, than we have in the networks we have today.”

“I just wanted to add that when you think of security regardless of the Internet protocol, you think of confidentiality,” says Education’s Peter Tseronis. “You think of integrity and authentication. And IPv6 isn’t going to be the panacea that says I’m going to take care of your mis-configured server, your poorly designed application, your poorly protected Internet sites. You need to have the skills to implement and maintain.”

Tseronis knows that not everything will be smooth and there will be some Internet engineers and systems engineers’ folks out there who are ready now, but others who are running for the foothills saying we don’t need to go there.

“But at the end of the day, you still have to maintain your security in such a way that, whether it’s IP stack or some other method, you are still going to have to protect it. So it’s not that it’s more secure, it just isn’t going to be less secure. You still have to maintain those policies in your network.”

Security is also on the mind of Cisco’s David West.

“A move to anything new, any new capability, produces threats and risk.  But if you do proper planning, validation, testing, a phased implementation of how you are going to introduce something new, you minimize those risks,” says West.

“One of the things that we are trying to make sure occurs is that as they make this transition, and they integrate this new service, they do it well thought out. What’s more interesting I think in terms of security, is the new application services that will be enabled as a result of the protocol.”

“We’ve got now a very large address space where many devices can have addresses. That introduces a potential security risk but again with proper planning, with consideration of what needs to happen from the vendor community in testing and validation, you could minimize those risks and really start to take advantage of what the protocol offers.”

At GSA, according to Fred Schobert, “We fully realize that with IPv6 there’s a lot of promise with security but we realize there’s a lot of work that remains to be done to be able to implement it with the agencies. When we talk with the agencies about IPv6 we are talking about things like IPSec but you are also talking about encryption and if you think about it, the security standards need to be defined, they need to be precise. The information security tools that the agencies will use need to be developed and they need to be there.”

Schobert thinks they are going into network monitoring and management facility overall to monitor a network, but that FISMA guidance needs to be considered because right now we have to go through certification and accreditation and if there are any holes we won’t be able to do anything. And finally he thinks they need to take a look at what we need to do in the application area to best support the IPv6 and what applications are required.

“We do take security very, very seriously,” said Charlie Wisecarver, State Department CIO.

“I think IPv6 is going to introduce some new security concerns but ultimately we will be better off as we become smarter about this and adjust our policies and procedures. The denial of service possibilities is always a very, very serious concern for us as so much of our work is done through the internet. I think this can all be mitigated through some monitoring tools. The intrusion detection system, we haven’t heard too much about those types of tools that will help us identify those intrusion sets and how we can mitigate this quickly.”
birther truther tenther
« Reply #14 on: December 10, 2010, 12:30:09 pm »

Telcordia Warns of ‘Digital Pearl Harbor’

Be afraid. Be very afraid.

According to three cyber security experts at Telcordia Technologies Inc. , the networking industry is headed for a “digital Pearl Harbor” — a security breach so serious that it creates major outages and serious economic damage.

US government officials, including the Obama White House, are well aware of the danger, which is one reason the President appointed cybersecurity czar Howard Schmidt. But the telecom and computing industries also need to be engaged in the process, which will require some changes in the way business is done today, says James Payne, senior VP/general manager of Telcordia’s National Security and Cyber Infrastructure unit.

Payne says imposing security standards on today’s converged-yet-diverse Internet service delivery community can be so complex that it even has some of those who are meeting to discuss the security challenge pining for the good old days, when monopoly AT&T Inc. (NYSE: T) ruled the roost and could have gold-plated security, albeit at its ratepayers’ expense.

Convergence, the move to an all-IP infrastructure, and the best-effort nature of IP all play a role in the growing security challenge, as does the fact that organized crime, working on behalf of its own greed or rogue nations, now runs much of the cybercrime activities.

Payne quoted former national security adviser Richard Clarke as saying recently that the cyber cartels are generating more money than drug cartels because of known exploitable vulnerabilities.

Multiple industry standards groups are attempting to address the issues, says John Kimmins, Telcordia fellow in security services and solutions. These include Alliance for Telecommunications Industry Solutions (ATIS) , the Internet Engineering Task Force (IETF) , the International Telecommunication Union (ITU) , 3rd Generation Partnership Project (3GPP) , and various government agencies such as the Department of Defense and Homeland Security, but no one agency is in charge of the effort.

“There is not one place to go and plug it [security] in — each standards group has what it embraces, which is one of the problems,” Kimmins says.

One thing that would help immediately, Payne says, is legislation similar to that passed in preparation for perceived Y2K dangers — the kind that protects companies that admit vulnerabilities from being subsequently sued by their investors. Without such protection, it is hard for service providers, hardware companies, and software vendors to engage in “honest dialogue” about what the real dangers are, for fear of legal entanglements.

“At a policy level, let’s get serious about having a dialogue to discuss moving away from the best-effort model,” Payne says. “It’s not about putting everything back together [like the old AT&T] but it’s beginning of a dialogue that will enable us to avoid an event so serious” that repercussions might be unimaginable.

In advance of any standards or legal changes, however, there are things that the telecom and computing industries can be doing to mitigate some of the danger, Payne, Kimmins, and Petros Mouchtaris, executive director of information assurance and security, told press and analysts at Telcordia’s New Jersey headquarters last Friday.

Those things include:

    * Greater testing and hardening of hardware and software products before they are released on the market. The industry needs to move away from the attitude of release now, patch later, Kimmins says.

    * Greater discipline in developing and deploying patches when they are needed. There is a lag between when vulnerabilities are discovered and when patches are released, and again between when patches come out and when they are deployed. The bad guys take advantage of those lag times, sometimes even using the information released about vulnerabilities and patches to select their targets.

    * Eliminate marketing hype around standard terms such as “five-nines” and “no single point of failure.” Too many vendors are playing games with those terms, defining them in a limited way to make their gear sound more secure than it is.

    * Give consumers the information they need to protect themselves. Consumer broadband with its “always on” feature created an army of bot-net computers because consumers weren’t made aware of the dangers and what they needed to do to protect themselves, Kimmins says.

    * Take a more disciplined approach to testing configuration management and correcting configuration mistakes, Mouchtaris says. More than 50 percent of downtime is caused by configuration errors, which occur for many reasons, and cyber criminals exploit those mistakes, he says. Configuration testing needs to be part of a regular disciplined approach to preventing such attacks.

Telcordia has a horse in this race, providing consulting and expertise as well as tools to test configuration management, among other things. But Kimmins says he believes the company is well positioned to be a trusted partner because it isn’t using security as a way to sell more routers, software upgrades, or firewalls.

— Carol Wilson, Chief Editor, Events, Light Reading

Article source:
birther truther tenther
« Reply #15 on: December 10, 2010, 12:30:45 pm »

March 9, 2007 • Volume 5 • Number 2



MODERATOR/HOST Jim Flyzik, The Flyzik Group


· Patti Titus, Chief Information Security Officer, TSA
· Dennis Heretick, Chief Information Security Officer, Department of Justice
· Dr. Ron Ross, Chief Computer Scientist, NIST
· Phil Heneghan, CIO, USAID
· John McCumber, Strategic Program Manager, Public Sector Group, Symantec Corporation
· Tim Kelleher, Vice President, Enterprise Security Services, Federal Systems, Unisys Corporation

We are coming to you from the University of Maryland, University College Cyber Security Conference. Today we will discuss critical issues facing government and industry leaders in the field of information technology security. With me today on the show are (list of panelists).  Let’s get right into the issues and first level set the audience by having each of our panelists talk a little bit about your role in cyber and information systems security. Just go right down the table and start with Dr. Ross. Can you give us an idea of what your roles are?

Good afternoon Jim. My role at NIST is to lead the FISMA implementation project; that’s the group that develops all of the implementing security standards and guidelines that the Federal government needs to employ to be FISMA compliant.

Dennis Heretick, over at Justice. I know that Justice has done a lot in the area of cyber security. Can you tell us your roles there Dennis and your responsibilities?

Sure Jim. I’m the Deputy CIO for Information Security at Justice and as such I’m responsible for our agency wide IT security program. That includes requirements for risk negation, as well as implementation strategies and our performance.

Having worked on law enforcement in the past I know how critical some of those issues are. Tim Kelleher at Unisys Corporation, give us a sense of what your roles are there Tim?

Thanks Jim. As you said I am the Vice President of the Enterprise Security at Unisys and that’s a fairly large group of people who support the Federal government agencies and it’s a pretty full spectrum operation; everything from consulting to systems integration to full service support capability for government agencies.

Great. I know a lot of industry, a lot of companies are putting more emphasis into that cyber security area as a field that you need to grow. Patti Titus over at TSA where I’m sure there are a lot of unique challenges being a relatively new agency in town. Patti, can you give us an idea of your role at TSA?

Sure. At Transportation Security Administration I was charged in the early days with standing up and developing an IT security office. We had the absolute pleasure of designing that based on the NIST standards so we are probably one of the few organizations that are solely based on NIST because we are such a new organization. Part of the role of the CISO is also looking at the transportation sector so we are starting to branch off into that area, taking what we have learned within TSA and moving that into the sector itself, so we are looking forward to that challenge as we grow and mature further.

Quite a challenge, to not only deal with the subject matter but to do it in a start up environment where you have to, you mentioned that you started from scratch, so we appreciate everything you are doing over there.  Phil Heneghan, who is a CISO but also an acting CIO, a little later in the show we’ll come back and talk about CIO roles versus security officer roles, but Phil perhaps you could give us some idea of how you are working now at USAID.

My role there as the Chief Information Security Officer also includes the role of Chief Privacy Officer, obviously the two are greatly connected. And we are a small enough agency that it’s all in one place. On the other hand we are a world wide organization with offices in 80 countries around the world, so the security challenge is pretty unique.

Sure, I bet in terms of looking at world wide standards and differences in what is going on in this country versus other parts of the world. John McCumber at Symantec, I guess when we all think about security companies, Symantec is one that comes to mind. I know Symantec has expanded quite a bit over the years also, but could you give us an overview of your role there at Symantec?

Certainly Jim and I hope you do think of Symantec when you think of security. One of the challenges and one of my key responsibilities is ensuring that Symantec’s solutions and services are able to address the needs of our Federal government.  We want to make sure that Symantec’s technology and their services as well as our ability to bring in information across the internet are targeted to help our government agencies be able to protect their infrastructure, their information and their interactions.

Terrific. Let’s get into some of the key issues that you are dealing with, some of the priorities. We’ll first talk priorities and then talk some challenges. Let’s start with Tim Kelleher at Unisys. Tim, what do you think are some of the major priorities right now that you are addressing in your day to day work?

Well, like most companies we are always looking at what our customers’ needs are and where we need to align our capabilities and our services to meet our customers’ needs.  Right now, I see two or three primary areas that we are seeing a demand for help at this point in time. First is the whole identity and access management arena. Protecting data and making sure that only the right people have access to data, and of course all government agencies are under the gun a bit in terms of meeting the HSPD 12 imperative so we are kind of gearing up to support that goal as well.  The second area that we are seeing a lot of need for support is around the whole FISMA need for certification and accreditation of systems. There are a lot of systems obviously in any enterprise and certainly the Federal government is not short on quantities of systems out there, and it’s a pretty robust process that everybody’s obligated to go through to certify these systems and it takes a lot of help from a lot of the private industry people like Unisys as well, who has actually supported in the last couple of years just under three hundred engagements of supporting Federal agencies to get those certifications completed.  And the final is one that I mentioned earlier is around the whole notion of managed services. Managing security is a difficult thing, it is getting more and more complex every year and it costs a fair amount of money to buy the tools and get the equipment to really manage that environment so many people are now turning more towards private industry to help with that, and that is that whole area of managed security services.

Great. FISMA’s come up a couple of times already, it makes me jump back to Dr. Ross, and I know NIST does a lot of work with FISMA and standards for FISMA and so forth. What are the priorities that you face Dr. Ross today? What are some of your key priorities?

Read the bulk of the transcript here:

Skipping ahead...

We’ve got roughly about 10 minutes left in the show and I want to key in, we usually try to end the show with more of a vision kind of discussion and thinking about the future. I want to give you a few opinions. My opinion is that we still remain somewhat reactive, but we are getting better. And I think I’ve heard from many of you who are a bit more proactive.  To date I feel like there’s been a lot of hype around viruses and different types of malicious software and things like phishing attacks. But I would argue, correct me if you disagree, that to date most of our problems have been expensive annoyances. They’ve been costly. They clearly have been costly, and they have been an annoyance.  However when you begin to think perhaps to the future of things like cyber terrorism or sophisticated IT tools in the hands of those trying to harm us, attacks that we’ve seen from other foreign countries that emanate, or viruses that find a way into FAA systems or nuclear reactor sites or whatever.  I’m making things up here but there’s this one school of thought with some books actually predicting that if we remain or if we don’t get more proactive we could be facing the day when the United States could be attacked by a so-called digital Pearl Harbor. I’m curious about how each of you would react to that question. Is it hype? Is it something we need to be concerned about? John at Symantec, what do you think?

I’ll be happy to address that. I believe the term digital Pearl Harbor was coined by John Markoff for the New York Times and if memory serves me correctly that was in 1994. I actually kept a copy of that article. What we see transpire and I really mean the attacks of 9/11, and other kinds of evolution have really put that into perspective I think and it’s really changed our focus as to how information attacks and threats to our information infrastructure have evolved.  One of the other things that you’ll notice is in the last two years you haven’t seen the Washington Post or the New York Times publish a report on a wide-spread malicious code attack. It used to be something you’d see every six months. Now you see that has evolved and that the threat has evolved to become much more targeted. And you see that specifically in the empirical studies that we’ve done. So part of understanding this is keeping track of that threat as it evolves and moves that way, and then determining and separating that from these terminologies that people use; they use these terminologies to build a program or sell newspapers or sell books. Or does it fit within that constellation of the risk model of threat, vulnerability, assets all counterbalanced by the various countermeasures we deploy. And then take a prudent approach in dealing with that.

Well said. Phil, what do you think?

As Dr. Ross just alluded to, there is always a residual risk, so a digital Pearl Harbor can happen and we all have to accept that. How you build your infrastructure and how you manage says how well you can deal with that when it comes, if it comes.  Again, USAID since we are so widely distributed again in 80 countries around the world, it’s sort of easy to lose a part of it and still work. So from my perspective and I  realize that I’m looking at this selfishly and not futuristically, I think that we are OK because we can continue to operate if there is a major problem in a single place.


I think it’s a reality, I think it’s a very real threat. The residual risk acceptance that we have on a daily basis with our systems with our vulnerability acceptance where you need to get something operational and you have to accept some residual risk with that, I think it is a reality.  It’s there and it is very possible. I think that you need to have very strong contingency testing, you need to have disaster recovery planning, you need to, as you said earlier, identify your critical assets so that you know what you need to reconstitute if that happens.  So I think it’s very possible and I think that as CISOs we would be hard pressed to say otherwise. It’s getting the visibility into the problem and situation and be able to be nimble enough to react. The whole concept of telecommuting is actually helping in that we have a possibility to be able to work remotely, but it also increases the possibility of the threat of that digital Pearl Harbor.

Well said. I guess 9/11 has forced us to think the unthinkable. So you can’t just dismiss this stuff any more. Tim, what do you think?

Well, I’ll admit that in preparing for this I actually did a Google search on digital Pearl Harbor and I got no less than 1.25 million hits. So it’s clearly a juicy topic and as with most juicy topics opinions vary widely out there. From one end of the spectrum which is it’s not up for discussion, it’s already happened, some would claim the SQL Slammer which knocked out 13,000 Bank of America ATM cards is an example of it.  The MS blast worm which is near and dear to Marylanders here, that virus actually shut down the Maryland Department of Motor Vehicles.  And there is unsubstantiated speculation that that MS blast worm actually had a lot to do with the root cause of the 2004 blackout that hit the northeast US and Canada.  And I think something of that scale fits into the category of a digital Pearl Harbor. So that’s one end of the spectrum that says it has already happened. Clearly if that’s true, it can happen again. We do need to be diligent. I think the other side of the equation is the fact that long before cyber security, when security was just security, it’s always been a fact that the worst security threats were from insiders.  So while we speak of cyber security from the chatterers across the pond, I still think it’s also very true today that you’ve got to be watching inside, which is where people have access, know what they are looking for, and can gain access.

Good point. Make a visit to the Spy Museum here downtown and hear about all those insider threats. Dennis?

Well Jim we are totally dependent on our IT infrastructure and on the information, so there’s no doubt that it has that impact. And I don’t think there’s, I guess there’s one thing about living a long time and that is you learn a lot and I don’t get up in the morning that I don’t look in the mirror and not want to pick up my cell phone because I don’t want to have to deal with it till I get to work if I don’t know about it already. It’s like a bumper sticker I saw a few weeks ago that said inside every old person is a young person wondering what the hell happened.  And I think each of us in this business worries about coming in to work and wondering what the heck happened. We have put a huge emphasis on incident response and contingency planning. Part of my DOD experience, we run an annual exercise in the Department of Justice, it’s a department wide exercise and the CIOs participate in that and we go through the steps of escalating an event and working that and I think that’s just critical.  No matter what you do that’s proactive that we talked about that we are so proud of, you know that it takes just one small event to escalate into a very disastrous situation.

And that domino effect of the intra-connectivity amongst so many computers these days and systems, that domino effect can quickly take things down faster than one can get in front of it to stop the process. Dr. Ross, what are your thoughts on digital Pearl Harbor?

I agree with Tim very strongly. I think that if you look at Pearl Harbor it was an isolated attack that did serious damage but it certainly didn’t bring down the entire country and I think the digital Pearl Harbor analogy has been made to seem like everything would stop working in a few seconds. I think we’ve already experienced these kinds of attacks.  Clearly our Federal agencies are under attacks every day from very serious adversaries, very sophisticated tools they are using to try to get into these very critical systems. I think it’s already here. The question is with our current cost (sounds like) technology and our best policies, procedures and practices can we do enough in a defense in depth strategy to try to withstand these kinds of attacks. I think we are doing better but we still have a long way to go.

Great. Thanks very much. Let me take a couple of summary notes here that I think what we heard from today’s panelists. I think what I heard was the fact that we need to reframe the conversations and talk about risk and risk management and the need for agencies both within their own agency or corporation as well as looking at those who are dependent on the supply chains those you are working with and can you trust those other entities.  I think identity management techniques and things like that come into play as well as RF ID tagging and so forth which are a whole other set of subjects that we can talk about some day. I also heard I think from the panelists a lot of very positive comments about proactivity, trying to push this idea that we’ve got to be more proactive in addressing these cyber security issues and vulnerabilities and identifying and getting out in front so I think we also heard from the last question that it’s probably not feasible to identify every known vulnerability and threat because as the technology changes so do the vulnerabilities and so do the threats. So in order to be in a position to adjust or react to a major threat we need to be in a situation where we have resilience in place or back up and contingency plans.


With that I want to thank my guests.
