Making the Nation Safer: The Role of Science and Technology in Countering Terrorism, a report released by the National Academies in June 2002, articulated the role of science and technology in countering terrorism. That report included material on the specific role of information technology (IT). Building on that report as a point of departure, the panel of experts responsible for the IT material in Making the Nation Safer was reconvened as the Committee on the Role of Information Technology in Responding to Terrorism in order to develop the present report.
DEFINING TERRORISM FOR THE PURPOSES OF THIS REPORT
Terrorism can occur on many different scales and with a wide range of impacts. While a terrorist act can involve a lone suicide bomber or a rental truck loaded with explosives, Americans’ perception of catastrophic terrorist acts will forever be measured against the events of September 11, 2001. In one single day, thousands of lives and tens of billions of dollars were lost to terrorism. This report focuses primarily on the high-impact catastrophic dimensions of terrorism as framed by the events of September 11. Thus, in an IT context, the “lone hacker,” or even the cyber-criminal—while bothersome and capable of doing damage—is not the focus of this report. Instead, the report considers the larger threat posed by smart, disciplined adversaries with ample resources. (Of course, measures taken to defend against catastrophic terrorism will likely have application in defending against less sophisticated attackers.)
THE ROLE OF INFORMATION TECHNOLOGY IN SOCIETY AND IN COUNTERTERRORISM
Information technology is essential to virtually all of the nation’s critical infrastructures, from the air-traffic-control system to the aircraft themselves, from the electric-power grid to the financial and banking systems, and, obviously, from the Internet to communications systems. In sum, this reliance of all of the nation’s critical infrastructures on IT makes any of them vulnerable to a terrorist attack on their computer or telecommunications systems.
An attack involving IT can take different forms. The IT itself can be the target. Or, a terrorist can either launch or exacerbate an attack by exploiting the IT infrastructure, or use IT to interfere with attempts to achieve a timely response. Thus, IT is both a target and a weapon. Likewise, IT also has a major role in counterterrorism—it can prevent, detect, and mitigate terrorist attacks. For example, advances in information fusion and data mining may facilitate the identification of important patterns of behavior that help to uncover terrorists or their plans in time to prevent attacks.
While there are many possible scenarios for an attack on some element(s) of the IT infrastructure (which includes the Internet, the telecommunications infrastructure, embedded/real-time computing such as SCADA [supervisory control and data acquisition] systems, and dedicated computing devices such as desktop computers), the committee believes that the most devastating consequences would occur if an attack on or using IT were part of a multipronged attack with other, more physical components. In this context, compromised IT could expand terrorist opportunities to widen the damage of a physical attack, diminish timely responses to the attack, and heighten terror in the population by providing false information about the nature of the threat.
The likelihood of a terrorist attack against or through the use of the IT infrastructure must be understood in the context of terrorists. Like other organizations, terrorist groups are likely to utilize their limited resources in activities that maximize impact and visibility. A decision by terrorists to use IT, or any other means, in an attack depends on factors such as the kinds of expertise and resources available, the publicity they wish to gain, and the symbolic value of an attack. How terrorists weigh such factors is not known in advance. Those wanting to create immediate public fear and terror are more likely to use a physical attack than an attack that targets IT exclusively.
WHAT CAN BE DONE NOW: SHORT-TERM RECOMMENDATIONS
The committee makes two short-term recommendations with respect to the nation’s communications and information systems.
Short-Term Recommendation 1: The nation should develop a program that focuses on the communications and computing needs of emergency responders. Such a program would have two essential components:
Ensuring that authoritative, current-knowledge expertise and support regarding IT are available to emergency-response agencies prior to and during emergencies, including terrorist attacks.
Upgrading the capabilities of the command, control, communications, and intelligence (C3I) systems of emergency-response agencies through the use of existing technologies. Such upgrades might include transitioning from analog to digital systems and deploying a separate emergency-response communications network in the aftermath of a disaster.
Short-Term Recommendation 2: The nation should promote the use of best practices in information and network security in all relevant public agencies and private organizations.
For IT users on the operational level: Ensure that adequate information-security tools are available. Conduct frequent, unannounced red-team penetration testing of deployed systems. Promptly fix problems and vulnerabilities that are known. Mandate the use of strong authentication mechanisms. Use defense-in-depth in addition to perimeter defense.
For IT vendors: Develop tools to monitor systems automatically for consistency with defined secure configurations. Provide well-engineered schemes for user authentication based on hardware tokens. Conduct more rigorous testing of software and systems for security flaws.
For the federal government: Position critical federal information systems as models for good security practices. Remedy the failure of the market to account adequately for information security so that appropriate market pro-security mechanisms develop.
WHAT CAN BE DONE IN THE FUTURE
Because the possible attacks on the nation’s IT infrastructure vary so widely, it is difficult to argue that any one type is more likely than others. This fact suggests the value of a long-term commitment to a strategic research and development program that will increase the overall robustness of the computer and telecommunications networks. Such a program could improve the nation’s ability to prevent, detect, respond to, and recover from terrorist attacks. This agenda would also have general applications, such as reducing cybercrime and responding to natural disasters. Three critical areas of research are information and network security, C3I systems for emergency response, and information fusion. Although technology is central to these three areas, it is not the sole element of concern. Research in these areas must be multidisciplinary, involving technologists, social scientists, and domain experts. Since technology deployed for operational purposes is subject to the reality of implementation and use by humans, technology cannot be studied in isolation from how it is deployed and used.
Information and Network Security
Research in information and network security is relevant to the nation’s counterterrorism efforts for several reasons. IT attacks can amplify the impact of physical attacks and lessen the effectiveness of emergency responses. IT attacks on SCADA systems could be devastating. The increasing levels of social and economic damage caused by cybercrime suggest a corresponding increase in the likelihood of severe damage through cyberattacks. The technology discussed here is relevant to fighting cybercrime and to conducting efforts in defensive information warfare.
Research in information and network security can be grouped in four areas: authentication, detection, containment, and recovery; a fifth set of topics such as dealing with buggy code is broadly applicable.
Authentication is relevant to better ways of preventing unauthorized parties from gaining access to a computer system to cause harm.
Detection of intruders with harmful intentions is critical for thwarting their actions. However, because intruders take great care to hide their entry and/or make their behavior look innocuous, such detection is a very challenging problem (especially when the intruder is an insider gone bad).
Containment is necessary if the success of an attacker is to be limited in scope. Although the principle of graceful degradation under attack is well accepted, system and network design for graceful degradation is not well understood.
Recovery involves backup and decontamination. In a security context, backup methods for use under adversarial conditions and applicable to large systems are needed. Decontamination—the process of distinguishing the clean system state from the infected portions and eliminating the causes of those differences—is especially challenging when a system cannot be shut down.
Other areas. Buggy code (i.e., flawed computer programs) is probably the oldest unsolved problem in computer science, and there is no particular reason to think that research can solve the problem once and for all. One approach to the problem is to provide incentives to install fixes, even though the fixes themselves may carry risks such as exposing other software flaws. Many system vulnerabilities result from improper administration, and better system administration tools for specifying security policies and checking system configurations are necessary. Research in tools for auditing functionality to ensure that hardware and software have the prescribed—and no additional—functionality would be helpful. Security that is more transparent would have higher adoption rates. Understanding the failure in the marketplace of previous attempts to build in computer security would help guide future research efforts.
IT and C3I for Emergency Response
C3I systems are critical to emergency responders for coordinating their efforts and increasing the promptness and effectiveness of their response. C3I for emergency response to terrorist attacks poses challenges that differ from natural disasters: the number of responding agencies—from local, state, and federal governments—increases the degree of complexity, while the additional security or law-enforcement presence that is required may interfere with rescue and recovery operations.
C3I systems for emergency responders face many challenges:
Regarding ad hoc interoperability, different emergency responders must be able to communicate with each other and other agencies, and poor interoperability among responding agencies is a well-known problem. Thus, for example, there is a technical need for protocols and technology that can facilitate interconnection and interoperation.
Emergency situations result in extraordinary demands on communications capacity. Research is needed on using residual capacity more effectively and deploying additional (“surge”) capacity.
In responding to disasters, emergency-response managers need decision-support tools that can assist them in sorting, evaluating, filtering, and integrating information from a vast array of voice and data traffic.
During an emergency, providing geographically sensitive public information that is relevant to where people are (e.g., for evacuation purposes) is a challenging technical problem.
Sensors deployed in an emergency could track the spread of nuclear or biological contaminants, locate survivors (e.g., through heat emanations or sounds), and find pathways through debris.
Location identification of people and structures is a major problem when there is physical damage to a structure or an area.
Information fusion promises to play a central role in the prevention, detection, and response to terrorism. For example, the effectiveness of checkpoints such as airline boarding gates could be improved significantly by creating information-fusion tools to support checkpoint operators in real time (a prevention task). Also, advances in the automatic interpretation of image, video, and other kinds of unstructured data could aid in detection. Finally, early response to biological attacks could be supported by collecting and analyzing real-time data such as admissions to hospital emergency rooms and purchases of nonprescription drugs in grocery stores. The ability to acquire, integrate, and interpret a range and volume of data will support decision makers such as emergency-response units and intelligence organizations.
Data mining is a technology for analyzing historical and current online data to support informed decision making by learning general patterns from a large volume of specific examples. But to be useful for counterterrorist purposes, such efforts must be possible over data in a variety of different and nonstructured formats, such as text, image, and video in multiple languages. In addition, new research is needed to normalize and combine data collected from multiple sources to improve data interoperability. And, new techniques for data visualization will be useful in exploiting human capabilities for pattern recognition.
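The syndromic-surveillance idea sketched above (fusing hospital admissions with nonprescription drug sales to detect an outbreak early) can be made concrete. The following is an added illustration, not code from the report or its committee; the two daily data streams, the 10-day baseline window and the 3-sigma threshold are all constructed for this example.

```python
"""Information-fusion sketch for syndromic surveillance (added example).

Fuses two constructed daily streams, emergency-room admissions with
respiratory complaints and nonprescription (OTC) cough/cold sales, and
raises a fused alert only on days where every stream deviates from its
own recent baseline. Agreement across independent sources suppresses
single-source noise (a data-entry error in one feed) while still catching
a shared cause. All numbers are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed daily counts for 14 days; days 12 and 13 carry an injected
# surge in both streams.
ER_ADMISSIONS = [21, 19, 23, 20, 22, 18, 21, 20, 24, 19, 22, 21, 38, 46]
OTC_SALES = [310, 295, 320, 305, 298, 312, 301, 299, 318, 306, 309, 304, 470, 560]

BASELINE_DAYS = 10   # trailing days used to estimate the "normal" level
MIN_BASELINE = 5     # refuse to score a day with too little history
Z_THRESHOLD = 3.0    # per-stream alert threshold, in standard deviations


def zscore(series, day, baseline_days=BASELINE_DAYS):
    """Standard score of series[day] against the preceding baseline window.

    Returns 0.0 (never alerts) when the window is too short or flat, so the
    first few days of a new feed cannot trigger spurious alerts.
    """
    window = series[max(0, day - baseline_days):day]
    if len(window) < MIN_BASELINE:
        return 0.0
    mu, sigma = mean(window), pstdev(window)
    if sigma == 0:
        return 0.0
    return (series[day] - mu) / sigma


def fused_alerts(streams, threshold=Z_THRESHOLD):
    """Return [(day, {stream: z}), ...] for days where *every* stream is
    at or above `threshold`. `streams` maps a name to a daily count list.
    """
    n_days = min(len(s) for s in streams.values())
    alerts = []
    for day in range(n_days):
        scores = {name: zscore(s, day) for name, s in streams.items()}
        if all(z >= threshold for z in scores.values()):
            alerts.append((day, scores))
    return alerts


if __name__ == "__main__":
    for day, scores in fused_alerts({"er": ER_ADMISSIONS, "otc": OTC_SALES}):
        detail = ", ".join(f"{k}={v:.1f}" for k, v in scores.items())
        print(f"fused alert on day {day}: {detail}")
```

In production the per-stream scoring would be replaced by a model that accounts for weekday and seasonal effects, but the fusion rule (corroboration across independent sources before alerting) is the part that matters for the analyst's false-positive budget.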
Privacy and Confidentiality
Concerns over privacy and confidentiality are magnified in a counterterrorism intelligence context. The perspective of intelligence gatherers, “collect everything in case something might be useful,” conflicts with the pro-privacy tenet of “don’t collect anything unless you know you need it.” To resolve this conflict, research is needed to provide policy makers with accurate information about the impact on privacy and confidentiality of different kinds of data disclosure. Furthermore, the development of new privacy-sensitive techniques may make it possible to provide useful information to analysts without compromising individual privacy. A variety of policy actions could also help to reduce the consequences of privacy violations.
Other Important Technology Areas
This report also briefly addresses three other technology areas: robotics, sensors, and modeling and simulation:
Robots, which can be used in environments too dangerous for human beings, combine complex mechanical, perceptual, and computer and telecommunications systems, and pose significant research challenges such as the management of a team of robots and their integration.
Sensors, used to detect danger in the environment, are most effective when they are linked in a distributed sensor network, a problem that continues to pose interesting research problems.
Modeling and simulation can play important roles throughout crisis-management activities by making predictions about how events might unfold and by testing alternative operational choices. A key challenge is understanding the utility and limitations of models hastily created in response to an immediate crisis.
People and Organizations
Technology is always used in some social and organizational context, and human culpability is central in understanding how the system might succeed or fail. The technology cannot be examined in isolation from how it is deployed. Technology aimed at assisting people is essential to modern everyday life. At the same time, if improperly deployed, the technology can actually make the problem worse; human error can be extremely costly in time, money, and lives. Good design can dramatically reduce the incidence of error.
Principles of Human-Centered Design
Systems must be designed from a holistic, systems-oriented perspective. Principles that should guide such design include the following:
Put human beings “in the loop” on a regular basis. Systems that use human beings only when automation is incapable of handling a situation are invariably prone to “human error.”
Avoid common-mode failures, and recognize that common modes are not always easy to detect.
Observe the distinction between work as prescribed and work as practiced.
Procedures that address work as prescribed (e.g., tightening procedures and requiring redundant checking) often interfere with getting work done (i.e., work as practiced).
Probe security measures independently using tiger teams. Tiger-team efforts test an organization’s operational security posture with teams that simulate what a determined attacker might do, doing whatever is necessary to penetrate security.
Organizational Resistance to Interagency Cooperation
An effective response to a serious terrorist incident will inevitably require interagency cooperation. However, because different agencies develop—and could reasonably be expected to develop—different internal cultures for handling the routine situations that they mostly address, interagency cooperation in a large-scale disaster is likely to be difficult under the best of circumstances.
There are no easy answers for bridging the cultural gulfs between agencies that are seldom called upon to interact. Effective interagency cooperation in times of crisis requires strong, sustained leadership that places a high priority on such cooperation and is willing to expend budget and personnel resources in support of it. Exercises and activities that promote interagency cooperation help to identify and solve some social, organizational, and technical problems, and also help to reveal the rivalries between agencies.
Research Implications Associated with Human and Organizational Factors
To better integrate the insights of social science into operational IT systems, research is relevant in at least four different areas:
Formulating system development methods that are more amenable to the incorporation of domain knowledge and social science expertise;
Translating social science research findings into guidelines and methods that are readily applied by the technical community;
Developing reliable security measures that do not interfere with work processes of legitimate employees; and
Understanding the IT issues related to the disparate organizational cultures of agencies that will be fused under the Department of Homeland Security.
RATIONALIZING THE LONG-TERM RESEARCH AGENDA
The committee is silent on which government agency would best support the proposed research agenda. However, the research agenda should be characterized by the following:
Support of multidisciplinary problem-oriented research that is useful both to civilian and to military users;
A deep understanding and assessment of vulnerabilities;
A substantial effort in research areas with a long time horizon for payoff, and tolerance of research directions that may not promise immediate applicability;
Oversight by a board or other entity with sufficient stature to attract top talent to work in the field and to provide useful feedback; and
Attention to the human resources needed to sustain the counterterrorism IT research agenda.
One additional attribute of this R&D infrastructure would be desirable: the ability of researchers to learn from each other in a relatively free and open intellectual environment. Constraining the openness of that environment such as with classified research would have negative consequences for the research itself. Yet the free and open dissemination of information has potential costs, as terrorists may obtain information that they can use against us. The committee believes (or at least hopes) that there are other ways of reconciling the undeniable tension, and calls for some thought to be given to a solution to this dilemma.