4
What Can Be Done Now?

Developing a significantly less vulnerable information infrastructure is an important long-term goal for the United States. This long-term goal must focus on the creation of new technologies and paradigms for enhancing security and reducing the impact of security breaches. In the short term, the committee believes that the vulnerabilities in the communications and computing infrastructure of the first-responder network should receive focused attention. Efforts should concentrate on hardening first responders’ communications capability as well as those portions of their computing systems devoted to coordination and control of an emergency response. The committee believes that existing technology can be used to achieve many of the needed improvements in both the telecommunications and computing infrastructures of first responders. Unfortunately, the expertise to achieve a more secure system often does not reside within the host organizations—this may be the case, for example, in local and state government. These facts lead to two short-term recommendations.

Short-Term Recommendation 1: The nation should develop a program that focuses on the communications and computing needs of emergency responders. Such a program would have two essential functions:

  • Ensuring that authoritative current-knowledge expertise and support regarding information technology are available to emergency-response agencies prior to and during emergencies, including terrorist attacks. One implementation option is to situate the mechanism administratively in existing government or private organizations—for example, the National Institute of Standards and Technology, the Department of Homeland Security, the Department of Defense, the Computer Emergency Response Team of the Software Engineering Institute at Carnegie Mellon University. A second option is to create a national body to coordinate the private sector and local, state, and federal authorities.[1] In the short term, a practical option for providing emergency operational support would be to exploit IT expertise in the private sector, much as the armed services draw on the private sector (National Guard and reserve forces) to augment active-duty forces during emergencies. Such a strategy, however, must provide adequate security vetting for private-sector individuals serving in this emergency role and must also be a complement to a more enduring mechanism for providing ongoing IT expertise and assistance to emergency-response agencies.

  • Upgrading the capabilities of the command, control, communications, and intelligence (C3I) systems of emergency-response agencies through the use of existing technologies and perhaps minor enhancements to them. One key element of such upgrading should be a transition from legacy analog C3I systems to digital systems. Of course, in the short term, this transition can only be started, but it is clear that it will be necessary over the long term to achieve effective communications capabilities.
In addition, maintaining effective communications capability in the wake of a terrorist attack is a high priority, and some possible options for implementing this recommendation include a separate emergency-response communications network that is deployed in the immediate aftermath of a disaster and the use of the public network to support virtual private networks, with priority given to traffic from emergency responders. (Table 4.1 describes some illustrative advantages and disadvantages of each approach.) Given the fact that emergency-response agencies are largely state and local, there is no federal agency that has the responsibility and authority over state and local responding agencies needed to carry out this recommendation. Thus, it is likely that a program of this nature would have to rely on incentives (probably financial) to persuade state and local responders to participate and to acquire new interoperable C3I systems.

[1] CSTB has a pending full-scale project on information and network security R&D that will address federal funding and structure in much greater detail than is possible in this report. See the Web site <http://www.cstb.org> for more information on this subject.

TABLE 4.1 A Comparison of Separate Emergency Networks with Reliance on Surviving Residual Capacity

Emergency Network: Separate network deployed after an emergency
  Illustrative Advantage: Provides high-confidence assurance of known bandwidth availability.
  Illustrative Disadvantage: Would not be the system regularly used by personnel; without continuous updates and training, they may not be able to use it properly in emergency settings. Deployment of network may take too long.

Emergency Network: Residual public-network capacity plus priority for emergency responders
  Illustrative Advantage: Assures immediate availability of some bandwidth because some part of the public network is likely to survive any disaster.
  Illustrative Disadvantage: Not possible to assure the availability of adequate bandwidth for emergency responders because availability depends on the amount of surviving public network.

Short-Term Recommendation 2: The nation should promote the use of best practices in information and network security in all relevant public agencies and private organizations.

Nearly all organizations, whether in government or the private sector, could do much better with respect to information and network security than they do today, simply by exploiting what is already known about that subject today, as discussed at length in Cybersecurity Today and Tomorrow: Pay Now or Pay Later.[2] Users of IT, vendors in the IT sector, and makers of public policy can all take security-enhancing actions. Users of IT in individual organizations are where the “rubber meets the road”—they are the people who must actually make the needed changes work. Only changes in operational practice and deployed technology in individual organizations can have an impact on security, and the parties responsible for taking action range from chief technical (or even executive) officers to system administrators. Individual organizations can and should:

  • Establish and provide adequate resources to an internal entity with responsibility for providing direct defensive operational support to system administrators throughout the organization . . . . To serve as the focal point for operational change, such an entity must have the authority—as well as a person in charge—to force corrective action.

  • Ensure that adequate information-security tools are available, that everyone is properly trained in their use, and that enough time is available to use them properly. Then hold all personnel accountable for their information system security practices . . . .

  • Conduct frequent, unannounced red-team [tiger-team] penetration testing of deployed systems and report the results to responsible management . . . .

  • Promptly fix problems and vulnerabilities that are known or that are discovered to exist . . . .

  • Mandate the organization-wide use of currently available network/configuration management tools, and demand better tools from vendors . . . .

  • Mandate the use of strong authentication mechanisms to protect sensitive or critical information and systems . . . .

  • Use defense in depth. In particular, design systems under the assumption that they will be connected to a compromised network or a network that is under attack, and practice operating these systems under this assumption. Define a fallback plan for more secure operation when under attack and rehearse it regularly. Complement that plan with a disaster-recovery program.[3]

Vendors of IT systems and services have key roles to play in improving the security functionality of their products. Such vendors should:

  • Drastically improve the user interface to security, which is [virtually] incomprehensible in nearly all of today’s systems . . . . Users and administrators must be able to easily see the current security state of their systems; this means that the state must be expressible in simple terms.

  • Develop tools to monitor systems automatically for consistency with defined secure configurations, and enforce these configurations. . . . Extensive automation is essential to reduce the amount of human labor that goes into security. The tools must promptly and automatically respond to changes that result from new attacks.

  • Provide well-engineered schemes for user authentication based on hardware tokens . . . . These systems should be both more secure and more convenient for users than are current password systems.

  • Develop a few simple and clear blueprints for secure operation that users can follow, since most organizations lack the expertise to do this properly on their own. For example, systems should be shipped with security features turned on, so that a conscious effort is needed to disable them, and with default identifications and passwords turned off, so that a conscious effort is needed to select them . . . .

  • . . . [c]onduct more rigorous testing of software and systems for security flaws, doing so before releasing products rather than use customers as implicit beta testers to . . . [uncover] security flaws . . . .[4] Changing this mind-set is one necessary element of an improved . . . posture [for information and network security].[5]

In addition, vendors should provide individual consumers with easy-to-use, default-on security tools and features to secure home computers and networks. Because home computers can play a significant role in attacks against cyber infrastructure, actions securing this diffuse infrastructure could help to reduce the potential threat it poses.

Makers of public policy have an important role in securing critical government IT systems and networks. The Office of Management and Budget (OMB) has sought to promote government information and network security in the past, but despite its actions, the state of information and network security in government agencies remains highly inadequate. In this regard, the administration and Congress can position the federal government as a leader in technology use and practice by requiring agencies to adhere to the practices recommended above and to report on their progress in implementing those measures.[6] Such a step would also help to grow the market for security technology, training, and other services.

[2] Computer Science and Telecommunications Board (CSTB), National Research Council (NRC). 2002. Cybersecurity Today and Tomorrow: Pay Now or Pay Later. National Academy Press, Washington, D.C. (hereafter cited as CSTB, NRC, 2002, Cybersecurity Today and Tomorrow). The discussion in that volume is based on extensive elaboration and analysis contained in various CSTB reports, including Computers at Risk (1991), Trust in Cyberspace (1999), and Realizing the Potential for C4I (1999), among others.

[3] CSTB, NRC, 2002, Cybersecurity Today and Tomorrow, p. 13.

[4] “Note that security-specific testing of software goes beyond looking at flaws that emerge in the course of ordinary usage in an Internet-connected production environment. For example, security-specific testing may involve very sophisticated attacks that are not widely known in the broader Internet hacker community.”

[5] CSTB, NRC, 2002, Cybersecurity Today and Tomorrow, pp. 13-14.

[6] This concept has been implicit in a series of laws, beginning with the Computer Security Act of 1987, and administrative guidance (e.g., from OMB and more recently from the Federal Chief Information Officers Council). Although it has been an elusive goal, movements toward e-government have provided practical, legal, and administrative impetus. For more discussion, see Computer Science and Telecommunications Board, National Research Council. 2002. Information Technology Research, Innovation, and E-Government. National Academy Press, Washington, D.C.
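The vendor recommendation above, to ship systems with security features on and default identifications and passwords off and then to monitor deployed systems automatically for consistency with a defined secure configuration and enforce it, as an added Python example (not code from the report or from CSTB). The baseline keys, the factory account names and the sample shipped configuration are constructed assumptions.

```python
"""Secure-configuration baseline check with enforcement (added example, not
code from the report or from CSTB).  It models the vendor recommendation above:
ship with security features on and default identifications/passwords off, then
monitor deployed systems for consistency with a defined secure configuration and
enforce it.  Baseline keys, account names and the sample config are constructed.
"""
import copy
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Constructed baseline: settings every deployed system must carry.
SECURE_BASELINE: Dict[str, Any] = {
    "firewall_enabled": True,
    "audit_logging_enabled": True,
    "remote_admin_requires_hardware_token": True,  # token auth, not passwords
    "default_accounts_enabled": False,
}
# Hypothetical factory account names that must never stay active in the field.
DEFAULT_ACCOUNT_NAMES = {"admin", "guest", "service"}


@dataclass
class Finding:
    key: str        # setting or account that drifted from the baseline
    expected: Any
    observed: Any
    enforced: bool = False


def check_drift(config: Dict[str, Any]) -> List[Finding]:
    """Compare an observed configuration with the baseline; a missing key is drift."""
    findings = [Finding(k, v, config.get(k))
                for k, v in SECURE_BASELINE.items() if config.get(k) != v]
    for acct in config.get("accounts", []):
        name = acct.get("name", "?")
        if name in DEFAULT_ACCOUNT_NAMES and acct.get("enabled", False):
            findings.append(Finding(f"account:{name}:enabled", False, True))
        if acct.get("password_is_default", False):
            findings.append(Finding(f"account:{name}:password_is_default", False, True))
    return findings


def enforce_baseline(config: Dict[str, Any]) -> Tuple[Dict[str, Any], List[Finding]]:
    """Return a corrected copy of config and the findings remediated (input untouched)."""
    findings = check_drift(config)
    fixed = copy.deepcopy(config)
    fixed.update(SECURE_BASELINE)            # re-assert every baseline setting
    for acct in fixed.get("accounts", []):
        if acct.get("name") in DEFAULT_ACCOUNT_NAMES:
            acct["enabled"] = False          # factory identity switched off
        if acct.get("password_is_default", False):
            acct["password_is_default"] = False
            acct["must_change_password"] = True  # force a conscious selection
    for f in findings:
        f.enforced = True
    return fixed, findings


# Constructed sample: a system shipped the way the report warns against.
SAMPLE_SHIPPED: Dict[str, Any] = {
    "firewall_enabled": False,
    "audit_logging_enabled": True,
    # remote_admin_requires_hardware_token is absent entirely
    "default_accounts_enabled": True,
    "accounts": [
        {"name": "admin", "enabled": True, "password_is_default": True},
        {"name": "operator", "enabled": True, "password_is_default": False},
    ],
}

if __name__ == "__main__":
    for f in check_drift(SAMPLE_SHIPPED):
        print(f"DRIFT {f.key}: expected {f.expected!r}, observed {f.observed!r}")
    print("drift after enforcement:", check_drift(enforce_baseline(SAMPLE_SHIPPED)[0]))
```

Run as-is it lists five findings for the sample (three baseline settings and two for the factory admin account) and an empty list after enforcement; a missing setting counts as drift rather than being silently accepted.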

BOX 4.1 A Comparison of Fire Safety with Information and Network Security

Today’s fire codes seek to provide a certain level of safety against fire in buildings, and there is broad acceptance of the idea that compliance with fire codes results in buildings that are safer against fire than those that are not compliant. Fire codes are also developed and enforced by government regulation. A reasonable question is, Why can’t the same kind of regulation be used to improve information and network security? Fire safety and information and network security are very different in certain key dimensions:

  • Intentionality. Most fires are accidental, and hence the fire code is not primarily concerned with the deliberate bypassing of fire safety measures. Arson presents a very different problem (fortunately rare compared to the accidents that account for the majority of fires), and if arson were the primary problem in fire safety, fire codes would look very different indeed—and would likely be much less effective at making buildings safer than they are in today’s environment. However, in the area of information and network security, most system penetrations are deliberate, and so information and network security is much more like protecting against arson than protecting against accidental fires.

  • Monoculture versus diversity. A building code seeks to standardize the construction of buildings in ways that improve fire resistance. But standardization regarding safety measures in buildings is useful only when the threats to buildings (in this case, the threat of fires in each of the buildings in question) are independent and uncorrelated. That is, the ways in which fires can start are highly varied, and so measures that are ineffective against one type of fire may well be useful against another type. In the case of information and network security for a largely homogeneous environment, the threat is highly correlated—an attacker who develops techniques for penetrating the security measures of one system knows how to penetrate the security measures of many.

  • The rate of change in the underlying technologies. Buildings have existed for many years, and fire has been known to be a threat for a long time. Buildings take a long time to design and construct, and the techniques for designing and constructing them are relatively stable. By contrast, information technology changes rapidly. Thus, the computer and network systems being protected change quickly, their vulnerabilities change quickly, and the threat changes quickly.

  • Visibility of damage. As a rule, fires create visible damage. But the damage to a computer system or a network may be entirely invisible; indeed, a system that fails to operate normally is only one possible result of an attack on it. A successful attack may lay the foundation for later attacks (e.g., by installing Trojan horse programs that can be subsequently activated), or it may be set to cause damage well after the initial penetration, or enable the clandestine and unauthorized transmission of sensitive information stored on the attacked system (e.g., password files).

  • The underlying science. The science underlying fire safety is much better understood and developed than that underlying information and network security. For example, it is understood how to build a fire-resistant structure from first principles. One might specify the use of steel beams that lose structural integrity at a certain temperature. Finite-element analysis based on a sound underlying mathematics enables reliable predictions to be made about structural loading. But no such science underlies information and network security and the development of secure systems and networks.

  • The availability of metrics. In fire codes, it is meaningful to specify that a building must resist burning for a certain period of time. But there is no comparable metric to specify how long a computer system or network must be able to resist an intruder. More generally, there is no quantitative basis for understanding how much security is made available by the addition of any particular feature in computer or network design.

These important differences should not be taken to mean that nothing is known about information and network security—and as discussed in the main text, there are common sense measures that can be taken that do improve such security. But direct regulation is always more difficult to impose when the benefits are uncertain and/or difficult to articulate, and for this reason, those who wish to impose direct regulation to improve information and network security face many difficulties that warrant thought and deliberation.

As for the private sector, there is today no clear locus of responsibility within government to undertake the “promotion” of security across the private sector, because neither information and network security in the private sector nor IT products and services are subject today to direct government regulation.[7] This will not necessarily always be true, but for a number of reasons (described in Box 4.1), the realities of information and network security make it less amenable to government regulation than other fields such as fire or automobile or flight safety. In addition, the committee notes that the IT sector is one over which the federal government has little leverage. IT sales to the government are a small fraction of the IT sector’s overall revenue, and because IT purchasers are generally unwilling to acquire security features at the expense of performance or ease of use, IT vendors have little incentive to include security features at the behest of government alone. Indeed, it is likely that attempts at such regulation will be fought vigorously, or may fail, because of the likely inability of a regulatory process to keep pace with rapid changes in technology. Thus, appropriate market mechanisms could be more successful than direct regulation in improving the security of the nation’s IT infrastructure, even though the market has largely failed to provide sufficient incentives for the private sector to take adequate action with respect to information and network security. The challenge for public policy is to ensure that those appropriate market mechanisms develop.

How to deal constructively with prevailing market dynamics has been an enduring challenge for the government, which has attempted a variety of programs aimed at stimulating supply and demand but which has yet to arrive at an approach with significant impact. Nevertheless, the committee believes that public policy can have an important influence on the environment in which nongovernment organizations live up to their responsibilities for security. One critical dimension of influencing security-related change is the federal government’s nonregulatory role, particularly in its undertaking of research and development of the types described above.[8] Such R&D might improve security and interoperability, for example, and reduce the costs of implementing such features—thereby making it less painful for vendors to adopt them. Other policy responses to the failure of existing incentives to cause the market to respond adequately to the security challenge are more controversial. If the market were succeeding, there would be a significant private sector demand for more security in IT products, and various IT vendors would emphasize their security functionality as a competitive advantage and product differentiator, much as additional functionality and faster performance are featured today. But this is not the case.

Possible options to alter market dynamics in this area include:

  • Increasing the exposure of software and system vendors and system operators to liability for system breaches;[9]

  • Mandatory reporting of security breaches that could threaten critical societal functions;[10]

  • Changing accounting procedures to require sanitized summaries of information-security problems and vulnerabilities to be made public in shareholder reports; and

  • Encouraging insurance companies to grant preferential rates to companies whose IT operations are regarded as meeting certain security standards of practice.

Note, however, that there are disadvantages as well as advantages to any of these specific options, and a net assessment of their ultimate desirability remains to be undertaken.

[7] In this context, “direct regulation” is taken to mean government-issued mandates about what the private sector must do with respect to cybersecurity.

[8] Another potentially important aspect of the government’s nonregulatory role, a topic outside the scope of this report, is the leadership role that government itself could play with respect to information and network security. For more discussion, see CSTB, NRC, 2002, Cybersecurity Today and Tomorrow.

[9] CSTB, NRC, 2002, Cybersecurity Today and Tomorrow.

[10] CSTB, NRC, 2002, Cybersecurity Today and Tomorrow.