
LENS Conference - Spring 1998 - National Information Infrastructure Protection in the 21st Century

Identifying Emerging Roles for Industry and Government in Protecting
our Nation's Information Infrastructures from Cyber Threats

April 20-21, 1998
The Washington Duke Inn and Golf Club
3001 Cameron Boulevard
Durham, North Carolina

Co-sponsored by
The Center on Law, Ethics and National Security, Duke University School of Law
The Aegis Center for Legal Analysis, Falls Church, Virginia
and
The Center for National Security Law, University of Virginia


Transcripts

Opening Remarks

Monday, April 20th, 8:45 A.M.

Speakers:
Robinson Everett
Gary Sharp
Robert Turner

Mr. Silliman: For those of you I haven't had the opportunity to meet, I'm Scott Silliman, the Executive Director of the Center on Law, Ethics and National Security here at Duke Law School, and I'll have some comments in just a few minutes, but right now I want to introduce the founder of the Center here at Duke, Judge Robinson O. Everett. Robbie? 

Judge Everett: Scott, thank you very much. I feel very pleased to see we're starting up right on time; that's the sort of image we want to convey in being very punctual. We also want to convey an image of hospitality, and in order to do that we've arranged this wonderful place, but even more important we've brought out the sunshine this morning, so you can see some truly beautiful North Carolina weather and feel very much at home with us. 

The Center on Law, Ethics and National Security, for which the acronym is LENS (we provide a "lens" through which to see these issues), came into being in September of 1993. We've been at it for almost five years now. We've been fortunate in having cooperation and leadership and guidance from the Center for National Security Law at the University of Virginia Law School, which was a pioneer in the field, and their executive director happens to be a former student of mine here at Duke Law School, and he's helped quite a bit in co-sponsoring the program. 

We've had a lot of great things go on in the past five years, the greatest thing of course, the indispensable thing, was getting Scott Silliman when he retired from the Air Force to come here to Duke to be our Executive Director for the Center. Over the years, we've had several programs here, some of you, I know many of you, have attended, and some of you have spoken at those prior programs. Our first conference was on strengthening the enforcement of the humanitarian law, which was in 1995; in 1996 we ventured out to consider the United Nations, regional organizations and military operations; last year it was contemporary issues in controlling weapons of mass destruction. We always time these things well, because at the very time we started that conference, they were debating in the Senate what to do about chemical warfare and bacteriological warfare. And I think our timing is perfect this year, considering the problems in protecting the information infrastructure. Certainly this is a hot issue; it's one as to which there are many discussions going on. I talked today, a little while ago, with Bill Geiger, who heads up Aegis Research Corporation, and they have been very generous in providing us with assistance in putting on this program. And he mentioned there are about ten programs, meetings, going on, which are considering issues in this field, subsidiary issues, so we have a hot topic. 

We've been very fortunate over the weekend, we've gotten all pumped up, we had a fine alumni reunion here at Duke Law School; there was announced a major challenge grant for the development of our Center; a lot of very good things have been going on. The one down side, unfortunately, has been the loss of our former president at Duke - Terry Sanford, a great president, and a great senator and governor. Right now I'm going to ask you for a moment of silence to pay respect to Governor and President Sanford. [Silence.] Thank you very much, and I want to thank you for being here, you will make this conference a great success, and I unfortunately will have to be AWOL for the next hour; I've got to go down the street and teach a class in criminal procedure which unfortunately could not be postponed this close to exams. So I told Bob Giovagnoni a moment ago, I'd be AWOL, but I'd be watching on videotape, and I'll be back later with the opportunity to shake hands with you and explain to you how much we appreciate you being here, and telling you again, Bill, how much we appreciate the support from Aegis, and particularly the participation of Gary Sharp, who is the one who suggested this topic, who's been with us on prior occasions; also to express thanks to the Smith Richardson Foundation for their generous support. So, Scott, back to you, and I'll see you all in a little while. 

Mr. Silliman: Thanks, Judge. Now I'd like to introduce another of our co-sponsors, Professor Bob Turner from the University of Virginia's Center for National Security Law. Bob? 

Mr. Turner: Thank you Scott, and welcome ladies and gentlemen. I have some bad news and I have some good news this morning. The bad news is I didn't take time to prepare any remarks for this morning. The good news is I didn't take time to prepare any remarks for this morning [laughter], so I'm just very briefly going to say a couple of things. First, I bring the good wishes, warm good wishes, of John Norton Moore, our director, who had intended to be here, but unfortunately the conference conflicts with his last five classes of the semester, and it just was not possible, all of us believing that teaching is the most important thing we do. The second thing I want to do is to commend Robbie and Scott for the truly superb job they have done over the past five years of this Center. We started the Center for National Security Law in 1981 and were alone for I guess a dozen years or so, and then Robbie and Scott decided they could make it a little bit better, and they looked at what we were doing and they said, well, there's already a law and national security center, or I guess we'd already changed our name to National Security Law by then, and they said I know what we'll do, we'll call ours the center on ethics, law and national security to distinguish us from those guys up in Virginia, and we appreciated that distinction a great deal as you might imagine. 

I do have one plug, one advertisement, and that is, one of the things we take the greatest pride in, that we've been doing down in Charlottesville for these past, I guess it'll be eight years this summer, is our National Security Law Summer Institute. Scott knows about it, you can ask him, he took part in one of the Institutes, in fact just before he came here, and has been tremendously helpful to us, actually came back and helped us run the Institute the year that I was teaching up at Naval War College; as I look around there are other people here as well. This will run from the last day of May of this year, through the first two weeks of June; it's a high-intensive program, we've got Larry Eagleburger coming in to keynote it, we'll be up at CIA for part of the day and the Pentagon getting briefings, we'll meet with the legal advisors to the National Security Council, and we literally are bringing in the top experts from all over the country, to lecture on everything from counter-proliferation to controlling domestic and international terrorism, to trade constraints and so forth. 

This is designed primarily for full-time law professors and professors in related disciplines, but we also take a number of active-duty military attorneys and other government attorneys who have national security responsibilities. If anybody here is interested in attending, either see me or see Donna Ganoe out front; I don't think you will be disappointed. You can ask Scott about it for a more objective take, but with that little caveat, that little commercial, welcome and let the games begin. Scott? 

Mr. Silliman: Lastly, I'd like to invite to the podium Gary Sharp. Gary and I have known each other for a number of years, when we were both on active duty. There's always about a five-month timeline in planning a conference like this. You first have to choose a topic that you hope is going to be in the news at the time the conference actually occurs, and Gary was instrumental and extremely helpful in working to ensure that we had just the right folks here, the right panelists; he was working very closely with Michelle Van Cleave to ensure that the types of issues that we wanted to have were appropriate to this forum. So I'd like now to welcome Gary to come up, and welcome you on behalf of the Aegis Center for Legal Analysis. Come on up here, Gary. 

Mr. Sharp: Good morning, this is really a pleasure to be here this morning, I am Gary Sharp and I'm a representative of Aegis Research Corporation. This is, as Scott has said, the first opportunity that we have had to co-host a legal conference with the Center on Law, Ethics and National Security here at Duke, as well as the Center for National Security Law at Charlottesville. I've been an admirer of those folks and those centers for a number of years, and it's really a pleasure to have the opportunity to work with them once again. I'm very pleased with the turn-out we've had, and the number of honored guests and speakers that we have invited, and who have honored us with their presence, but we meet at a time, I believe, of very profound change. And it has all been driven by technology. It hasn't been driven by the law, it has been driven by technology. 

Telecommunications systems and computers have been around for a long time. The telephone was invented in 1876; the radio in 1906; the television in 1926 and the personal computer in 1975. But it wasn't until the natural evolution of the synergy, the merging of our telecommunications and our computers together, that we have seen the tremendous benefit that we may have in the 21st century, and how it can really change our way of life. But the synergy also represents, perhaps the greatest vulnerability, not only to our industry, but also to our national security. 

Now we all read in recent headlines about the massive attacks against the Department of Defense computer systems, by teenagers, against the Pentagon computer systems; we've read a lot about corporate espionage over the Internet; we've read about the loss of millions of dollars to the commercial transactions, the electronic transactions, in the banking industry; and we read scores of other topics on the vulnerabilities that we are exposed to, through the Internet, this new friend that we have in the national security community. 

Now these headlines make your participation even more important and even more timely today at this conference. We're all here to explore and to learn how we can shape the rule of law to protect our nation's computers, and our computer-dependent systems. And to do so, I think we have truly an all-star cast of speakers and panelists that are from industry and academia, as well as government, that can explain the various equities, and help us in our exploration over the next couple of days. 

Now the ultimate challenge, I believe, for the United States, is to quickly develop a national strategy to decisively defend our nation's computers and computer-dependent systems. Unfortunately, Professor John Norton Moore is not with us today, so it's only appropriate to quote very briefly from him, in his studies on terrorism that he captured in a book that was published this last year. John Norton Moore warns us that "the generally weak response of a democratic nation to low-intensity attack is a major part of the synergy that contributes to the continuation of such attacks." And if we, government, industry, and academia - if we fail to come up with a national strategy in the near future, then we are also part of the problem, because we don't pull together to come up with a solution. 

Now, finally, to conduct what I think is some very serious business, we have the very pleasurable and hospitable surroundings here at Duke University, I don't think that we could have a much better day for a conference, so we have a number of people, armed guards, at the door to ensure there's not too many people playing hooky this afternoon; but on behalf of Bill Geiger, the president of Aegis Research Corporation, I welcome you all to the conference and I look forward to learning a lot from you all. We hope that this conference is going to be an opportunity to raise public awareness of the threat, as well as the legal issues. We hope that it's an opportunity to facilitate discussion among the different disciplines that are important and critical to protecting our infrastructure, and we hope that it will build relationships and friendships between government, academia, and industry, that will help us protect our great nation's critical information infrastructure. Scott? 

Mr. Silliman: Thanks Gary, that's a good challenge for all of us. What we're going to do over the course of the next two days is try to involve you with the panelists and the speakers. To that extent, many of you I know have been to probably more conferences than I have. Bill Eckhardt is out there and I know he's at almost every conference I go to or participate in; but one of the things I've always found is that you must make sure that you have time enough for audience questions, comments, and participation with the panelists. So if you look at the program that we've structured for you, over the next two days, you'll see that we've tried to leave more than enough time, up to a half an hour's worth of time, for you to ask questions, make comments to each of the six panels, and we're going to have a wireless microphone that will be available at the end of each panel. And I would ask you that if you have a comment, we'll just ask you to rise or signify that you want to make a comment or question, and one of the students who are with us at the conference will bring you the microphone. We're providing a video and audio record of this entire conference for many, many purposes, so we'll ask you to stand and use the microphone. 

I do want to repeat the fact that this conference would not have been possible without the very strong support of the Smith Richardson Foundation, and that foundation is represented today and tomorrow by Dr. Marin Strmecki, and we're glad that he's here, as well as the Aegis Research Corporation, represented by Bill and LeAnn Geiger. So we're delighted that both organizations are represented and we're very appreciative of the fine support. 

I'm going to invite my panelists to come up now and we'll go ahead right into the first panel. 

Framing the Issues: An Overview

Monday, April 20th, 9:00 A.M.
Moderator: Scott Silliman
Panelists: John Ryan
Jack Danahy
Robert Giovagnoni

Mr. Silliman: I think it goes without saying that we have come a distance since we experimented with the first rudimentary offensive cyber tools in the Persian Gulf War. As Gary mentioned, major advances have been made in our technological capability to degrade and even defeat a potential enemy's computerized information systems, oftentimes without even leaving our own shores. The advent of the worldwide Internet enables a "hacker," armed simply with a high-speed computer and a modem, to break into and adversely impact a nation's critical information systems, all from the safety of his own home or office. While our military leaders continue to develop new ways to exploit the offensive capabilities of what has become known as "information warfare," we have, at the same time, been forced to acknowledge that we are not alone in possessing these tools and these technologies, and that we are, therefore, just as vulnerable to this mode of attack as our potential adversaries. Newspaper accounts over the past two months have verified that even our Pentagon computer systems are not secure from hacker techniques widely available on the Internet, with several hundred such systems being penetrated, and, in a few cases, system administrator level privileges even being acquired by the hackers. 

But our greatest vulnerability surely lies in our critical infrastructure systems: those networks of independent, mostly privately owned, man-made systems and processes that function collaboratively and synergistically to produce and distribute a continual flow of essential goods and services. The President's Commission on Critical Infrastructure Protection, in reporting its findings just six months ago, identified eight of our national infrastructures which it deemed to be vital to our defense and economic security: transportation; oil and gas production and storage; water supply systems; emergency services such as medical, police, fire and rescue; banking and finance; electrical power systems; telecommunications; and continuity of government operations. Our traditional use of military force to safeguard these systems is no longer adequate to meet the growing threat of a computerized attack against one or more of these critical infrastructures, but the question remains as to how we can achieve the most effective and efficient defensive posture when the threat encompasses the entire spectrum of government and privately-held industry. Other questions similarly beg for answers. Since many of our infrastructures serve the needs of both military and civilian constituencies, are they all lawful targets under international law? Do some of our recently enacted laws that protect privacy in e-mail and Internet communications actually deter us from identifying and working to find those who hacked into our systems? These and many other such questions have no easy answer, but they must be addressed and resolved as quickly as possible if we as a nation are to remain secure. 

Our first panel this morning, the first of the conference, is called "Framing the Issues: An Overview," and is designed to lay a very general foundation for you of the threat we face to our critical infrastructures, and of the principal issues involved in information assurance. In that regard, our comments will hopefully serve as the predicate for the successive panels that will follow. 

Our three panelists all come very well-credentialed to give us the best possible overview, and I'll introduce them each just prior to their speaking. The first panelist to address us is John Ryan, the Associate General Counsel for Law Enforcement for America Online. John served for 14 years as Chief of Major Crimes and Investigations in the office of the New York City Prosecutor before becoming Director of Investigations for AT&T Wireless in 1993. He is the former Chairman of the Cellular Telecommunications Industry Association Fraud Task Force and the former Vice President of the High Technology Crime & Industry Association. He has been for some time a member of the American Society for Industry Security, and I know of no one better versed in the intricacies of cyberspace and online services, and the specific types of threat to these services that are posed by cyber attacks, than our first panelist. Please help me in welcoming to the podium John Ryan. 

Mr. Ryan: Thank you, Scott. Good morning. I must admit I think that's a dubious distinction to have been ordained as the expert in this area. It seems that my days are spent on investigating the dark side of the Internet, and at times you forget that it was designed for legitimate purposes, and the vast majority of its users are legitimate individuals. 

When Gary first contacted me and invited me to speak at this conference, the first thing I did was to decide for myself, how does the Internet qualify as a critical infrastructure? If you consider the genesis of the Internet, it certainly was not designed to be a critical infrastructure; on the contrary, it was designed to serve as a secondary, back-up, means of communications, essentially between members of the academic community and the military establishment. Many people forget that it was the defense department that actually was the original sponsor of the Internet. 

Well, we have evolved, and the evolution, to me, was made painfully clear in November of 1996. On the 13th of November, AOL experienced its first system-wide shutdown. We were shut down for approximately 17 hours. Now in the scheme of things, it didn't seem that critical an issue. We thought we'd be up and running in a matter of hours, we asked, what is really the damaging impact here? Well, as you can imagine, we were painfully educated by hearing from our members in the form of lawsuits, attorney general class actions, the regulatory agencies in Washington pounced on us, but most importantly we heard from our members: what impact this shut-down had on their basic communications and way of life and doing business. 

What started out as a communications medium has now evolved into much more. You see the grid here representing the different channels or features that are made available on America Online. This is similar in many regards to many of the other large service providers: Microsoft, AT&T, CompuServe, etc. You see that not only do people communicate via the Internet, they now conduct every type of transaction, interest and hobby that they do off-line, in an on-line environment. To throw out a few factoids: In 1993, there were three million active users of the Internet. By the end of 1997, there were over 100 million members. Presently, the traffic on the Internet is doubling every 100 days. America Online itself has over 12 million members, and now we have an international presence, where our service is available to over 123 countries. So you see it is no longer a secondary communications medium. 

This represents the international landscape that the Internet is involved in now. [Visual aid] This represents the issues that have complicated this medium. Let me run through some of the more salient services and features that the Internet does provide. Presently over 18 million members in the U.S. alone conduct some of their banking transactions on-line. You see every major bank now has a presence on the Internet. In every business plan that is filed now within the financial industry the Internet is now a critical component of their future way of doing business. You can do anything off-line in an on-line environment. Right now, 30% of securities commissions are generated through transactions over the Internet. Insurance companies have decided to make the Internet their primary way of doing business going forward. When you think about the reasons, it's very simple; a) it's a global medium; b) it's rather inexpensive; and c) you cut down on the need to have actual interpersonal interaction between the customers and the business side. 

In the latest commerce report, which was issued last week, it was predicted that by the year 2002 the Internet will generate over $300 billion dollars in revenue. That's in less than four years' time, $300 billion dollars. In addition to the financial services that are conducted on-line, many people still use it for personal reasons. Reasons such as a health center: individuals who have a particular illness or malady can go to a site that is focused on dealing with the issues associated with that condition; there may be professionals who sponsor and interact with the visitors to that site; and the reason I'm showing you these features is that when you understand what is available, how the Internet is used, who is using it, you understand that a) it is indeed a critical infrastructure, and b) more importantly, it is vulnerable and attractive to be abused. These are some of the other general interests that members typically use the Internet for. Anything as mundane as where to go to eat, who to communicate with, entertainment, what movies to see, the full gamut. 

What has the Internet created? You've seen what it offers. Now it attracts a new cyber-terrorist. What is of interest to a cyber-terrorist? Well, you saw here, that clearly there is a wealth and treasure trove of financial and personal data that is now stored by an interactive service provider, such as America Online. Consider that within our own data banks, we have the personal information of more than 12 million individuals. We can track, if we chose to, where they shop, what bank they use, where they travel to, what their hobbies are, who they communicate with, and have a record of their entire financial portfolio as well as their personal data. When you consider that this medium is a repository of that type of data, it is easy to understand why it is now attractive to a cyber-terrorist. 

What has the industry experienced and what has the industry done in response to this new cyber-threat? Well, since the genesis of the Internet was not geared with the element of fraudulent use, clearly the academics and the military establishment, when they were the primary users, did not envision the evolution of this medium in the period of time that it has evolved. So the protocols that were established were very minimal. To this day, there is no entity whether it be on the government side, or within private industry, that has any enforcement capability or authorization to impose any rules of engagement for using the Internet. Think about that. It's an open frontier, if not properly used. 

What have we seen already as successful threats and attacks? Well, I described to you a benign system shut-down and denial of the service, but we've seen a designed attack that crippled the network for almost a week. Panix Network, based in New York, was shut down for several days last year through a very simple strategy. Scary, when you think about it, how easy it is. The individuals responsible for this attack merely sent off thousands upon thousands of intentionally misaddressed messages, within seconds, every five minutes, and the network basically was unable to recognize the inception of this mail, and when it was sorting it out, trying to determine in an automated fashion whether it should accept and how it should route these messages, it essentially melted down. And they could not fix it for a week. Now think about again the lack of protocols. If someone were to send a misaddressed message on the Internet, if someone were to create a false domain, thereby obliterating the source of origin, when an ISP receives these messages, its protocol is if it's not a valid recipient within its own network, it automatically sends it back to the point of origin. Well, the fraudsters realized that there is in their scheme no legitimate point of origin. What is happening to that mail? It is either crippling the network that is attempting to process it, or if it has a filter, if it does anticipate these types of attacks, it is sending it back to the point of what it perceives to be the correct origin. But in the typical fact pattern, that information is fraudulent. So many ISPs are being shut down by larger ISPs for merely attempting to re-direct mail that cannot be received. A very simple, benign scheme, and yet capable of catastrophic results. Mail bombing is a simple but real phenomenon. How is the industry responding to that simple attack? You've probably all heard of the notion of spam: the unsolicited dissemination of junk commercial e-mail. 
And AOL alone, on a daily basis, out of 28 billion pieces of mail or files that are transmitted through our network, approximately five million of those, on any given day, may be junk mail. Amazing, isn't it? We instituted a lawsuit in federal court, and it took one year for a judge to determine that a proprietary network such as AOL had the right to determine the protocol of how mail is sent and received into its own network. It took one year to determine that very basic fact. Well that sounds great, we had a nice victory in federal court, great precedent, we felt very good about it. Before we got back from the courthouse, the same individual sent out another mass mailing of hundreds of thousands of pieces of mail, and we said, well, we have a decision here, what can we do with it? The answer has been, not much, because these fraudsters understand that the anonymity that the Internet provides allows them to move from provider to provider, disguising themselves, so that by the time a network such as AOL, which is the largest and dedicates significant resources to these issues, traces the source, they've moved on. So clearly you see the very simple way that a large network can be impacted because of the lack of standard Internet protocols. 

What are the other threats that we've seen? In addition to basic network intrusions and denial of service, we see that because of the data we store, that we have now spawned a new type of criminal. Consider what you can do with personal data. We have seen individuals compromise accounts, take over the identity of the legitimate user, and use that account and that identity to facilitate other types of criminal activity, both on-line and off-line. Credit card fraud, for instance, is the new cottage industry on the Internet. Most providers use a credit card as the authorization and preferred mode of payment to open an account. AOL itself has over ten million credit card numbers in its data banks. So we can design, and we have designed, what we consider to be a very robust security system. But you don't need to be skilled to penetrate and be a successful cyber-terrorist. Many of the users of the Internet are not sophisticated. We have shifted our emphasis from the more sophisticated computer-savvy type individual to mainstream America. AOL in fact is criticized as the point and click communications medium. That's very true, and we stand behind that. But that creates a very vulnerable member who is subject to very basic social engineering types of fraud. Every day, we have members who willingly give out their credit card numbers, their financial data, to those who impersonate a member of AOL, their staff, or someone in an authority position. When you're at home and you get a phone call, unsolicited, and someone asks you for personal or financial data, you say politely no thank you, good bye. Yet that same type of solicitation is very successful on the Internet. 

So we have learned that we must build protective and safety features within our way of doing business. We have decided to have the following responses. First and foremost: basic codes of conduct. Since there are no mandatory Internet protocols, we are mandating that when a member signs up with AOL, they agree to adhere to some very basic rules of the road or modes of behavior. We have adopted and announced a zero-tolerance policy for abusive behavior. Now that sounds very simple and very basic, but I can assure you that for the state of mind of the users of the Internet this was a tremendous leap. We were subjected, and still are, to tremendous criticism for basic rules of behavior that off-line are assumed. In addition, we have instituted registration protocol and validation procedures. The most fundamental flaw of the Internet is the degree of anonymity that it allows a user. Most companies to date do not know who is using their service. Very few companies have any verification protocols. So we have instituted real time registration procedures at least to ensure that we have a reasonable degree of assurance that we know who we are doing business with. 

Now that's not only important to us; it's more important to the law enforcement and national interest. I handle compliance issues for AOL, and on a monthly basis we get over 250 formal requests for data and information. I get feedback from law enforcement; when they conduct their investigation, we give them our member's name who they believe is the subject of their investigation, they knock on their door, a grandmother answers it, doesn't even have a computer in the house. You can see how frustrating that is to law enforcement. So this basic verification process is some assurance that when you and law enforcement and the military and intelligence agencies identify a suspect, you have some degree of assurance that that is a real person; and that person had some responsibility and involvement in the behavior that you are investigating. 

This points to the most critical need for cooperation between private industry and government. Even though the frame of mind of the service provider and its members is frankly to keep Big Brother out, there is a critical need to have rules of engagement where the private industry can support the legitimate needs and interests of law enforcement. We have seen that not only are our members the victims of these attacks, but we now see the impact it has on the global picture-national security. You have read-this week, talk about timing, Scott-the successful efforts of the National Security Agency when they conducted a field test to determine the risk and vulnerabilities of not only military and intelligence networks, but equally as important, private networks. Because we now see that private networks serve as a platform for penetration into other networks, including the military and intelligence networks. So we need to have a partnership with these agencies. We have started a process in which we are opening up our technologies, our technicians, to have a dialogue with agencies such as those represented here today. We understand that our medium is somewhat foreign and unique, that there needs to be basic training and greater awareness of the nuances of our technology. You need to know where subjects are coming from, how they are operating within a certain network, and most importantly, whom you can go to at any given time to get the information you need, and what is needed. 

We are working closely with the Justice Department, in particular the Computer Crimes and Intellectual Property unit, that has the federal lead in the criminal enforcement area of both investigating and prosecuting cyber-attacks. We are learning that there is in fact some federal guidance in this area. There is an Electronic Communications Privacy Act that acts as a basic guideline to determine the interaction between law enforcement, government, and private industry. Private industry and the military learned, in a very unfortunate incident, which I'm sure many of you read about recently, what could happen to an individual when those rules of engagement are not adhered to. You've all probably heard of the McVeigh case. A very simple, innocuous transfer of some personal information led to some much larger issues. But there was a learning experience there: it educated both the military and private industry that we need to know the rules of engagement, and we need to act in adherence to them. And as a result of that, we have initiated with the Department of Defense a series of training seminars. Very basic-what data is maintained in your network, how long is it available? Critical issue-in a typical Internet environment, data has a very short life span. At AOL, for example, mail files that have been transmitted, once received, last only two days before they are routinely purged from our system. They are no longer available unless they were stored or preserved by the subject or members themselves. So consider a typical case, a kidnapping case, where the abductor has sent a message indicating the method by which they should make arrangements to make a payment: if they do not make a formal request to preserve or turn over that information, that information will be lost. Very simple. So the need for training is critical. 

What jurisdictional issues have evolved? You see here by AOL's network scheme that our entire infrastructure is resident within Vienna, Virginia. Now I mentioned earlier that we have a global presence-we have markets in over 123 countries. Again, everything passes through Vienna, Virginia. I get requests from German intelligence agencies when a German citizen using or accessing our network is sending communications that are of interest to their concerns. And when they seek to get those communications, they are astounded that they are told to go through the Justice Department and international protocol to acquire that information that was sent and received by German citizens. So you can imagine the dialogue that we have with international law enforcement entities. And yet this is not unique to AOL. The largest service providers almost exclusively have their networks based within the United States. Now it certainly makes it somewhat more convenient to U.S. agencies, but it certainly complicates the scheme for the international entities. But more importantly, going forward, clearly that network strategy will change; as the international markets develop and become more robust, these networks will spread out. They will no longer be based solely in the United States. So consider this: consider the U.S. interest, when those same communications are being transmitted totally within international borders and yet now the service that holds that information is totally outside the United States. How do they get that data? Can they go to a U.S. company, or need they go to international agencies, and what response will they get? So you see how complex these issues are; there's no simple answer, but the basic response is cooperation and understanding. Thank you. 

Mr. Silliman: Thanks John, I think you've underscored not only the extensive array of services available on the Internet now, which had previously not existed, but also this blurring between industry and government which causes us to force ourselves to look to a partnership between industry and government for an ultimate resolution of this problem of information assurance. 

Just before I introduce Jack, let me invite those who have come in who are sitting in the back there, who probably can't see, to come up front where we have some seats available. 

Our second panelist this morning is Jack Danahy, who is the Director of Engineering for GTE Internetworking's Managed Security Services. Jack currently supports security at more than 300 customer sites by providing security management, monitoring and response. He is a charter member of the National Computer Security Association consortia for Encryption Technology and for ISP Security, and is a member of the High Technology Criminal Investigators Association. He is a contributor to the House Subcommittee on Information Security, the Cross-Industry Working Team, and the President's Commission on Critical Infrastructure Protection. Prior to his arrival at GTE Internetworking, Jack was awarded patents for his work in service-centric monitoring of distributed systems during his eight years with Hewlett-Packard. He comes to our panel this morning with extensive knowledge of the types of cyber attacks…documented cyber attacks…which confront both our government and industry. I welcome to the podium Jack Danahy. Jack? 

Mr. Danahy: Thanks. I come with a bit more pragmatic viewpoint of what's been going on. This is the first forum I think that I've addressed, where I think there's actually an opportunity for real progress. I'll tell you why-typically, I'm speaking to many more ponytails in the audience, than we have right here. And the debate typically takes on the form of the latest technical solution to some fairly esoteric technical problem. But the problems we're talking about solving here are not technical problems-frankly, as we were just discussing a little bit earlier this morning-I could have solved most of the technology issues we face about ten years ago. The problem now is one of business and practicality-of helping people make the right business decisions to solve these problems. It's not so much how you might protect information-how do I protect networks, but how do I get businesses and organizations to figure out how to protect themselves. And I think that this is the type of forum and the type of exposure, that drives those types of issues-how to get business to recognize that this is in their own self-interest-and to get the government to recognize that it's in its own self-interest-to protect these vital infrastructures. 

Recently, I met with Gary Sharp at the U.S. Army War College, doing some information assurance exercises, and some of you were there as well. And we got to talking about specific instances-you know war college exercises, those types of forums tend to be very much theoretical; we begin to apply some of the knowledge, but largely they're based in hypothetical scenarios. Hence, we got to talking one evening over some very real war scenarios that had in fact happened, that happened fairly recently, and so we thought it might be helpful to present some of those, to put a real face on what has been a pretty abstract set of issues. 

So let's talk about four security compromises. I've handed off the paperwork already, to be printed up-you'll notice that one of them is going to be different-since one of them was Panix, which John was good enough to go through for you. The beauty of our industry is-there are so many of them I just picked another one. [Laughter] One thing we're not going to do is we're not going to get wound around the axle talking about encryption. It happened last night over the course of dinner to a certain extent because when people are thinking about Internet security, they're typically thinking about issues that I consider to be popular-whether it would be child pornography, Senate Resolution 454, which largely deals with Internet gambling, or encryption-these are all content-based issues. And if I look at the real threat to our infrastructure, it's not so much that someone will be accessing that data, nor is it that someone will be using it for a less-legitimate purpose-I see the biggest problem is that it might go away. When we talk about the fundamental infrastructure that supported us that existed much prior to the Internet, be it electrical power or telephone service, it's the lack of those things that one notices first. And it's the most crippling effect on our infrastructure. So I'm going to focus more on those issues that directly affect our capacity between and toward the nation and the nation's business. 

One last note-I originally gathered all the fodder for this presentation by the end of March, business being what it is, to try to get it out of the way, and interestingly enough in the two weeks since then we've had the attacks on the Pentagon, the attacks including the NSA's Eligible Receiver exercise being so successful, and the crashing of an ISP in the Midwest. Unfortunately it's tough to be up to date in an industry that's changing this fast. 

So the first example that I want to use was reported in March 1998, about three weeks ago. It centers around a Bell Atlantic local loop. Now for those of you who are not in telco, a local loop is really a computer. It takes a bunch of different types of lines, voice lines, data lines, typically coming in on copper, brings them all together, and spits them out in a fiber link which can handle a ton of data much more efficiently. And the local loop was in central Massachusetts, and the attack actually occurred on March 10, 1997. I don't know why it wasn't until March of 1998 that we found out about it. It's an example, a good example, of a common weakness we build into our systems. Bell Atlantic needed the remote technicians to have access to that local loop computer. There would be something down in the field, some section of wire wouldn't be operating the way they thought it was, and so they established remote access for the technicians. And in so doing, thinking about the legitimate use of the technology, they didn't take into consideration some less legitimate uses of the technology. An aggressive young teenager found these modems. The general vicinity of the attack was Worcester, Massachusetts – actually a town called Rutland. Once this teenaged attacker managed to find a way in through this opened-up back door to the local loop machine, he shut down the local loop. So that's bad enough-you've got 600 residents of the small town of Rutland who didn't have telephone access, including 911. 

It's actually much worse, because this same telephone exchange provides the communications mechanism for the nearby Worcester, Massachusetts Airport, a good-sized airport. Because they didn't have the telephone lines, which were actually used to route the radio traffic from the aircraft around the airport to the central tower, they had to move to a fairly shaky back-up system, consisting of cell phones and battery-operated radios. And it wasn't just the tower-the people who do the printing of the progress of incoming and passing traffic and report this to the tower couldn't print that out. The airport fire services were disabled, as were airport security services, not to mention four or five local air freight vendors who couldn't take incoming or outgoing traffic. 

Now it took Bell Atlantic technicians a little better than two hours to figure out there had been a security breach, and they couldn't fix it for another four and a half. So the outage lasted for over six hours. It was not made public until March 19th, 1998, because Bell Atlantic requested a year to fix the security hole that had allowed this person to make this kind of access. 

Let's talk a little bit about the investigation. Now here we have a teenager, breaking into a modem, who disabled the loop carrier in one small section of the state of Massachusetts. The investigation comprised cooperation from (I'm going to read this) the U.S. Attorney General's office, the Secret Service, the FBI, Bell Atlantic, the U.S. Postal Inspection Service, the Office of the Inspector General of the Social Security Administration, the Office of the Massachusetts Attorney General, the Office of the Worcester District Attorney, the Massachusetts State Police, and police departments in Oxford, Leicester – another small neighboring town – and Rutland. So at the end of the investigation, they found the teenager who had broken in. And this teenager accepted a plea agreement, not surprisingly; although he was the first juvenile to face a federal criminal computer crime investigation, he accepted a plea agreement, paying restitution of some trivial amount to Bell Atlantic, got put on probation, forfeited his computer equipment, and is now performing community service. So if you stop and think about the scope of the investigation, the result isn't that hot. If you stop to think about the simplicity with which a teenager using fairly well-known and easy-to-use automated hacking tools was able to break in, that's pretty problematic, particularly when we're talking in a forum here about organized, sponsored possible attacks against similar infrastructures. 

I mean, it's clearly not good-we've got a teenager who knocked out regional telephone service. We have a well-established telephone company with an exposed back door. We have an airport dependent upon this somewhat evidently flimsy infrastructure. Oh, by the way, when the hacker's wandering around and then gets caught and starts mumbling his confession he also confessed to breaking into the local pharmacy and copying down all the private patient records. We have a two-hour detection window, a six-hour outage window, a cross-agency working group to find a problem for a year before they implement a solution, and this is just one incident. 

Another well-known infrastructure attack is Panix. John stole that one, so I'm not going to go through it again. But we'll talk about another one, the Silicon Investor. Silicon Investor is much like those interest groups John did a good job of portraying here that everybody flooded the Internet to talk about…. Silicon Investor is the largest financial information trading group to go to. You go to the website, you can chat with people about everything from why the Dow is up to why high tech is down. They average about 8500 hits a week. It's very, very busy. And coincidentally, they're the largest user of Microsoft's NT server technology for providing the web pages. So here's a very large organization, with a very large constituency who are coming to them very regularly to share data, and understand new investment strategies, advertisers post constantly there, pay large amounts of money to be seen in this very public forum, offering their Internet-based services. So, in about two weeks prior to this event, some not-hostile people had discovered a vulnerability in the NT server, and old holes had reopened in terms of the way that it processed requests and processed the usage of memory. 

And so we had a two-week window where they (we'd like to think of them as the bad guys) had the means to do something bad, and this highlights a very large problem in our industry as a whole. Reputable firms providing information on security vulnerabilities don't like to do so until such a time as there's a fix. And logically, on its face, it makes sense. If I am a reputable organization, such as a certain establishment just discussed, and I hear there's a vulnerability, I'm not about to go shouting that there's a vulnerability for which there's no fix. And so the standard mode of practice says that I'm going to contact a vendor, and help them understand the nature of the problem. They're going to wind into the development of the product, and when they have a fix for it, then I can help the fact that the vulnerability exists. Let's face it, I wish it were better, …sure myself but that's six or eight weeks. We're talking our very best case, that's six or eight weeks. 

So now what we have is a positive group that has the means and the wherewithal to develop the …, and we have good-meaning people trying to develop a fix, and it's taking longer, because there's a window in there. During that window, it's …. Very simple denial of service attack, a little bit similar to the one John described, except in this case, they simply send traffic that the machines can't parse at all. It's not just falsified, so you're spending a lot of time responding to erroneous traffic; it's actually bad traffic, you're trying to digest it but you're choking. And so the servers went down. They were down only for about six or eight hours, but that six or eight hours is very important to the Silicon Investor because their community depends upon the income …. 

One other note I wanted to make about the Panix attack, the type of flooding that was used against them is very popular. Particularly interesting, with regard to the way Panix handled the attack, was that they're located in New York, very close to New Jersey, and so they called on Bill Cheswick, who did some seminal work on firewalls and technology, and asked Bill to come on by to see what he could do. And in fact the attacks eventually continued in a sporadic fashion up till today. They've managed to take control of them; they can understand when they're under way, and they can block them when they happen, but the sad part, and perhaps the scariest part for this organization, is that there really is no way to preclude them from happening at all. You simply have to react to them when they happen, and be spending enough diligence on watching your systems, to be aware of when the attack is underway and respond. 

The types of denial of service that we've seen, whether it be at Silicon Investor or Panix, actually highlight a larger hole. If I look at the current trends in Gartner or any other respectable analyst reports, more and more of our traditional telephone traffic is going to be riding data networks. I know that AOL offers a long-distance offering, I know that several Internet providers are offering long-distance telephone service, taking advantage of the backbone in which they invested to provide what looks like telephone networking traffic. 

So these same denials of service which currently are knocking out websites which are arguably not vital to our national infrastructure could, in the not too distant future, be disabling those very mechanisms which we currently rely upon for our communications. 

One more denial of service scenario that I need to quickly talk about, specifically in light of John's number that 30 percent of all exchanges are now happening on the Internet, was an incident, Bloody Monday, you all remember, a couple of years ago, when the stock market basically tanked, where investment was high, and people started selling out of stocks right and left and the market took a precipitous downturn. We had a meeting with some of the other security units, and talked about the fact that for a good portion of that time, our compatriots in these Internet-based exchange brokerages were really worried because so many transactions were happening. You know, to look at them, people who've accessed the real-time data, who understood that the market was going down pretty fast and wanted to get out, a lot of them are already on-line, and they were hitting the sell, sell, sell button as fast as they could, and so a lot of these service providers who hadn't necessarily expected to be getting a million transactions a day, their resource was really pushed to the limits, so they were saying how tight they felt. But we said that would have been an excellent time to execute a denial of service … and that being that when the market is dumping a hundred, hundred and a half points every half hour or so, the fact that I can delay your transaction for half an hour, an hour, half a day, will mean that that provider, that provider of that Internet-based transaction, will likely not be viewed as particularly viable by the time the sun rises the next day. 

So, there are some real business issues to be considered that are related to our day-to-day commerce, our day-to-day transactions, it is no longer just an arena that people like me worry about, it's an arena that people like you worry about. Let's just take that one step further. I wanted to dive out of Fred's Nuts and Berries at ten, because I knew it was going to go down, and the berry market being what it is, it eventually tanked at two, due to the market holdout. I had 10,000 shares and tried to sell them at ten, and I tried to sell them at nine, and I finally sold them around six. So I've lost a considerable pile of dough. Who owns the liability for my loss? I trusted my buyer to execute things, and I'm sure it says somewhere in my contract "in a respectable period of time." So who's going to pay me back my loss? Is it going to be a vendor of the service? Is it going to be whatever computer the attack was executed from? Where do we decide where the downstream liability ends? And how do we decide how to recompense all the individuals who lose the dough? 

And I've had for some number of months, around 12 or 18, this idea that downstream liability is part of this issue, specifically around this particular type of attack. Because of the fact that, if I leave my car with the keys in it sitting on the side of the road and somebody takes it and proceeds to run over all the cats in the neighborhood or something, I'm going to hold some responsibility for that action, because I did not take adequate care of this resource which could foreseeably be used as a weapon, and I think that specifically, in terms of the attacks as John accurately described to you, you really can't find out what the real source was, … but only until you accept and hold some responsibility for not securing this in such a way as there couldn't be attacks by others. 

So that's one type of attack, denial of service. It's fun, it's exciting and more importantly, it's automated. Most of these denial of service attacks, if you go on to the website, and I encourage you all to do this when you get back to your offices, type words like "root kit" or "syn attack" into your browser and see how many hits you get. Most of these tools are automated with graphical user interfaces that many software companies would love to see. You simply type in the name of the machine you want to attack, name of the users you want to mailbomb, and it goes and it does it for you. So generally this talks to sort of a lowering of the bar that lots of people have to get over to make these things happen. Really anybody can, if you can type "root kit" you can break into systems. So all right. That's one kind of attack. 

More glossy is the website attack. I'm going to talk a little bit about Kriegsman Furs. Kriegsman Furs is a very popular, very well documented attack. It was recognized that the exact same hole was exercised to break into the Air Force website, the Department of Justice website, the British Labour Party website, more websites I don't care to mention in this short forum. Basically what happened was that the website was co-opted by people who a) knew how to break into the system; and b) didn't like fur. And so Kriegsman Furs had a very lush website. People who are buying furs don't want to go to Fred's Nuts and Berries' website. It's kind of boring. They want rich production values, they want lush images, they want an experience sort of like walking into a fur gallery or whatever you call them. And so they broke into the system using a vulnerability that had been known for months, many months, and they took it over. What they did was, they didn't do the ordinary hacker kinds of things to do on websites, which is to post as many obscenities and nude images as they could possibly find. What they did was to change it into an anti-fur advertising site. So for three days, from Friday till Monday, that site showed pictures of, unfortunately, poor slaughtered animals, and happy animals prior to slaughter, and had pointers to all the relative animal-protection websites, solicitations for donations, "do-you-really-want-to-buy-a-fur?"-"are-you-that-cruel" kind of stuff. And I really can't imagine this did much to create new sales through the web, that people came there saying wouldn't it be nice to buy a mink coat. Yikes, so that's what a skinned mink looks like. No, not very good; and importantly, Kriegsman Fur had actually paid for this. 
They were not just paying for the silent website they put up, they were paying for the connections, so as these however many hits came back and forth, they were actually paying for that traffic, that forcefully advocated to people not to buy furs. That's what it is. But frankly, the way I look at it, the activists weren't as smart as they could have been. A smarter hacker would have said, "well, here's this e-mail link for a catalog. Wow, look at these lush production values-I really want one of those catalogs." It's much simpler even than hacking up the face of a website to change who that catalog request goes to. You send it to ILikeAnimals.com instead of KriegsmanFurs.com. And now you have this comprehensive list of people who make excellent targets for solicitations, e-mails on the cruelty to animals. It's like the …wish list, you know the whole thing comes to you in bulk. And frankly, given the amount of attention this company paid their website, they probably never would have noticed, especially if you had to know there were two locations, so you had to …. 

And secondly, think about it in a different context. What if it had been a competitor? A competitor who had crashed the website, now Fred's Furs, Berries and Nuts? Now I take all those customer contacts – thank you very much, Kriegsman, for providing me with these contacts. They get nothing, and I get a list of new customers. And because I get access to their computer systems I can actually look at their pricing and make sure I'm a couple of bucks lower on a stole this month. So you can see it's clearly a problem. 

There was a similar exploit to this undertaken at a major ISP in California, where somebody broke into the server, took control of it, and sat there collecting credit card numbers. They collected a hundred thousand credit card numbers. But unfortunately someone else was watching, gathering the information. This happens constantly, if we look at the generic cause of this, of the Pentagon attacks. Success of those attacks, those things were largely caused because of the fact that someone co-opted a machine, sat around and waited to get more passwords, used those passwords to move forward, and frankly this exact same attack has been going on probably since the mid-80s, when I started watching. So this is nothing new. There is nothing new in the world. 

So far we've talked about the corporate side of networks, right? We've talked about people providing services, who are getting co-opted by nasty people on the outside. And that's only half the problem. That's the problem we're trying to solve today. Bob and I had a conversation last night about how this is such a quickly-moving target. You know, the nature of my information being current and timely, but the market's moving so quickly right now we're going to have a discussion today and I believe that most of the discussion and most of the panelists are going to talk about ways we solve problems around encryption or identification of sites they've cracked, or protecting your private information in your company, etc. This is like today, and frankly, maybe yesterday's question. Today's question/tomorrow's question is, "what about all these private users?" John has eight million customers on AOL, who are running around, using their AOL-equipped browser, and going to all these websites, websites that they really don't know what's on them. My father just got his first computer, he's in his seventies, and he has a great time sort of wandering around to various sites talking about various topics; but on his browser, nothing is turned on in terms of accepting active content. Java, for example, is active content; ActiveX on Microsoft is active content. They're great technologies, they make the Web so much more dynamic, so much to be able to tell who you are. Unfortunately, they also give people who are using them additional insight into what you do day to day. Let me give you a quick example. In the end of 1996 and beginning of 1997, there was a German group of hackers, a hackers' community, called the Chaos Computer Club. They get in the newspapers all the time. They designed an interesting ActiveX applet. Now an applet is a little teeny program, you stick it in a web page, and when somebody pops up your web page, they automatically download it. And it runs. It does stuff. 
You go to a banking site, it does mortgage calculation. If you go to a stock site, it'll tell you how the progress of the stock has gone, track it through time, that kind of thing. So those are applets. So, this applet, if you go to the site, it'll download, and you can actually look at it, I believe it looks like the period at the end of a sentence. So you didn't know it was arriving…. It arrives, and once you get it on your system it'll look around. It says, is this person, first off, running an operating system? …Is it running Quicken? Is this person a financial application user? Then, if you say "yes," it would say, "excellent." Question number 3, "does this person process their banking transactions over the wire, do they like to use the Internet to do their checking?" And if you say "yes" to that, they say "thank you very much," they know where the transaction log is and they've hidden a couple of extra pieces of code on the Internet. They say "all right, make sure you direct an extra twenty or thirty marks to this account, and another twenty or thirty marks to this account." This is something they haven't done in the field to collect extra money for the clubhouse; this was something they did to demonstrate that this idea of active content was a lot more dangerous than it appeared on its face. 

So that problem, the fixing of that end-user problem, now that's hard. I mean frankly, we can fix the companies, and I hope you guys can make that happen, because if people start worrying about the fact that regardless of their profit that the liability associated with leaving their computer systems open will bankrupt them, that I think we can solve. That is pretty much convincing people that there is a need to indemnify themselves articulating insurance regulations, etc., perhaps more so insurance regulation than government regulation. It's basically to help people understand that there is a physical cost to doing this poorly. The greater problem I see is on that individual hindsight, whether it be any of us in our offices across the Web, or people at home who are wholly unsuspecting of any of these problems. It's raising their awareness that I think is a particular challenge, establishing best practices that we recommend to the general public. I think that's a particularly tragic problem. 

So, that's a thumbnail sketch of a bunch of fairly recent stuff that we've looked at. What we hope to come out of this with is sort of a discussion of how could these people have done things differently. You know, what are the best practices they could have put in place so that these things don't happen. You know, frankly you look at the Bell Atlantic scenario, and what they really should have done is make sure that only people who were really supposed to get on that modem actually get on that modem. But who tells them that, you know? Who establishes that? The second instance, if we use Panix, for example, or we use Silicon Investor, how can we help stop that denial of service? Well, that becomes a major responsibility to carriers. Again, it's the best practice method, trying to figure out how we help ISP's the best ways to beat this traffic, not only from getting on to the network, but frankly, from leaving the network, you know. I know Norm Laudermilch at UUNET has done a lot of good work in trying to figure out how to keep bad people from pushing bad traffic across his network or his customers. That's important. Websites, honestly, these sites were broken, including the government's sites, by a hole that was three or four months old. It was well known for three or four months. I mean the community knew it probably six months before. So this is just a question of the best practice run. How do I identify "due diligence" in keeping my system secure? The last issue, of personal privacy, frankly I think is the most problematic. Because that is all about public awareness, and all about raising the base level of what people know about Internet security. 

So, I've got a lot more anecdotes if you want to catch me during the break, but I've tried to put a real world face on it for you, so you can see that this isn't just what used to be … community, and I was one of them, riding around like "if you don't protect your networks, I can push the big red button"-it's not like that anymore. Now it's just a lot of regular kinds of information, stored on these big computers, regular information about your health, your family's well-being, your spending habits, your private correspondence. And all that's accessible unless people do the right thing. So, a real world face on abstract issues. Thanks. 

Mr. Silliman: Thanks again, Jack. Our last panelist this morning before we open it up to questions and comments from you is Bob Giovagnoni, who is the General Counsel for the President's Commission on Critical Infrastructure Protection, and a gentleman who I've known for a number of years. Bob is a career Air Force officer and attorney with 26 years of service who, prior to holding his current position with the Commission and its Transition Office, served in a variety of challenging leadership positions within the Air Force Judge Advocate General's Department. He is not only a recognized expert on the law relating to cyberspace, but is an accomplished trial attorney as well, with extensive experience as a prosecutor, a defense counsel, and a military judge. I'm delighted that Bob could take time from his busy schedule up in Washington to come down and join us; and so Bob, I welcome you to the podium now. 

Mr. Giovagnoni: Thank you, Scott. I'm looking at my watch, I've got about six minutes, if we're going to have a half-hour question time…. 

John Ryan already got up here and spoke to you about cooperation and understanding as the key to solving the problem; and Jack, I think, is essentially saying, use what you have. And I guess it's up to me to maybe find a way, or maybe suggest to you considerations with regard to how to get access to what we have so you can use it. 

First of all, before I jump into that, by way of perspective, when we talk about the national information infrastructure, I've experienced that we have a tendency as individuals or a group to think of it only in terms of the Internet, and the computer on our desktop. We think of it as a way of communication, e-mail as an alternative to the telephone, and in many ways it is. However, I believe the greatest lesson I've learned in being on the Commission and working with law enforcement in catching hackers is that it's much bigger than that. We're talking also about data systems that run our energy distribution systems, we're talking about automated production facilities and we're even talking about microwave towers and microwave communications. 

By way of example, last year I had the opportunity of talking to an individual who is responsible for running, I believe it was three, fully-automated oil refineries. And he told me he ran them over the Internet. I told him he was crazy. I couldn't begin to conceptualize how you could run a business, real-time, considering just the standard slow-downs on the Internet when people are out there using it. He said, "that's not really a problem." He said, "we considered that, in putting together the system, the plants were scheduled to receive an update every 30 minutes," because as I understand it (and I have very little understanding of the work in an oil refinery), the market is so volatile they change production about every hour or half-hour, to produce what's demanded at that point in time. And they had just set up the plants, to continue to run for a period of time beyond the 30 minutes on the last input. So if they were to lose connectivity, they had a backup system. (I'm glad he thought of it, because it would never occur to me and I thought I'd been around a lot.) 

Another instance is the World Trade Center. When the bomb blew up in the World Trade Center, it did not take out the communications lines since the telephone communications lines are underneath the streets in the area. It was the people who took out the communications lines. The folks who were concerned about what was going on, as a result of the bomb, the people with families in that tower. There are 50,000 people who are supposed to be working in that tower and when the bomb struck it effectively took down the telephone lines. It forced some intermediary banks that conduct financial transactions between other banks to use microwave towers to communicate in order to close the financial business for that day so that we didn't have a crisis in the financial market. 

To me, as a result of my experience on the Commission, the interdependencies of our national infrastructure as they exist today make the national infrastructure, all of it, all part of the NII. I see them as synonymous. As our Commission pointed out from the very beginning of its report, our critical infrastructures, and we've talked about energy, banking and finance, transportation, vital human services, and telecommunications, must be viewed in a new context in the information age. (I think that's real important.) I think this perspective is absolutely essential in addressing the problem and trying to solve it. 

All that having been said, it's not my intention to talk to you now about what the Commission report did, although I see the Chairman in the back with much anxiety, he thought I was going to steal his thunder. I suspect, at lunch, he's going to talk to you about what our Commission had to say. And tomorrow you're going to have the benefit of the Special Assistant to the President for the NSC, Mr. Dick Clarke, talk to you about what happened to the report after it was turned in and where he thinks it's going to be going. What my role is, having been elected by the panel to be clean-up, is to make sure we cover the waterfront and make sure I do it in the right amount of time. I believe both Jack and John have done a great job of laying out where we are, and the substance of the problem. 

What I'm going to try to share with you, in the next few minutes, from our perspective, is a very small but critical filler in this whole puzzle. I believe it's essential to the understanding of what we will be talking about these next few days. To my way of thinking, the key to information sharing, which in turn is the key to partnership, and ultimately industry cooperation so that we can insure our national infrastructures, is a clear and mutual understanding of just what information we're talking about. Why do I say that? It's this absence of a clear understanding of just what we're talking about, I believe, which has proven to be the most insurmountable problem to going forward with the solutions that the Commission has identified over the past year. 

The long answer goes something like this: were we to have a conversation with an FBI agent assigned to the National Infrastructure Protection Center and discuss reporting vulnerability information to someone other than law enforcement, I believe the reaction would be that you have a duty to report the crime to law enforcement. From a law enforcement perspective, dual reporting creates many problems. They (law enforcement) may not get access to the evidence to make the case, and they cannot fulfill their information warning responsibilities. And in large part, I believe they're correct in that position. My question to you though is: "when I mentioned that you had this conversation about vulnerability information, was I talking about an intrusion; evidence of a crime; or was I talking about best practices – some type of a firewall you might be able to put up around a Windows NT system, in order to make it more protected – not necessarily having anything to do with a crime and maybe not necessarily having to be reported to the FBI?" 

My point is – Where you sit is what you see! We all have a tendency to assume, from our perspective, what we mean by vulnerability of information. It's based upon mindset, and as a result we don't necessarily communicate. Until that understanding is reached and understood, I don't think we're going to make a lot of progress. 

Now to me, the first step in coming up with a common understanding of what is to be shared is to look at the roles of both the government and the private sector as defined by the Commission in our report. The private sector role as it's defined by the Commission has two parts. One is to report attacks, and two is to use the tools available to them to assure their own infrastructure. The government, on the other hand, is to collect information about perpetrators and tools, conduct research on new tools (R & D), and share information with the private sector, so the private sector can take the steps necessary to protect itself. Putting it another way, the private sector needs to raise the level of assurance and report crimes, and the government is supposed to do everything else. 

That being said, what then is the vulnerability information that needs to be shared? Is it a keystroke log of an intrusion? Is that what we're talking about? Is it the way we configure a server? How about a study that points up the vulnerability of a municipal water system? What about the blueprints of the building where you conduct your business? Or a yet-unknown bug in a commercially available operating system that you might have? Or a way of implementing part of the system so as to make it more secure? What is supposed to be shared? My answer is – all of the above. 

More importantly, what are the obstacles to the sharing, and can they be overcome? To answer this, I think you need to accept a basic proposition, one which I do–, that you need to crawl before you can walk, as well as the fact that each application, where that information is going to be used, is really dependent upon the uniqueness of the situation-it's situational. The debate as to what should be shared as it currently exists, as I perceive it, centers in part around the unwillingness of industry to share proprietary information with the government – based upon the perception that the government can't protect it. Or if it can protect it, it's going to do so by classifying it. Now most of us in the government who deal with industry and have access to proprietary information know that industry doesn't handle classifying proprietary information very well. Nor do any of the special interest groups who feel that there are too many secrets in the government and feel that we need to be more open and make that information more accessible. Additionally, sharing information, from industry's perspective, with law enforcement could lead to maybe opening a criminal investigation, based upon what they made available. From a law enforcement perspective, sharing information with industry may compromise information. There are many more permutations to this, and I could go on and on, but the point I'm trying to make is that each side to this debate, (sharing so that we can get access to those best practices and do something with them) is looking for a trusted information-sharing mechanism, and a guaranteed protection of the information provided. I believe that if you could create this mechanism, in many cases it's going to require enabling congressional legislation, maybe some modification of FOIA, and arguably we may have to come up with a classification system. 
For obvious reasons, at this point in our development, I don't know that any of that will be forthcoming, which really forces us to dissect what we're looking for – a little bit deeper. 

To address the most obvious obstacles to information sharing, let's go back over those examples I gave you a few moments ago. First, the keystroke log of an intrusion – for many reasons this needs to be shared with law enforcement. As evidence of a crime, and the details of what happened to a particular business, it probably needs to be closely held. But some of that information also needs to be shared with industry so that they can protect themselves against similar attacks. How this can be done presents its own series of problems – for example how do you give notice to industry from a law enforcement perspective (maybe a signature written on the attack, so that it uniquely marks the individual) without giving the hackers a heads-up that they're leaving a signature, so they can be identified? How do you share that information in a way to allow protection, and at the same time not give notice. If you don't share that information that a bad actor may do some bad things to a number of businesses, and you have no way of stopping that? How do we create that information sharing? I think it's probably the most difficult problem we have. 

I guess the question I have asked myself is: "Is my concern real?" For the answer we might look at the comments of Glenn Davidson, the Executive Vice-President of the Computer and Communications Industry Association, when he testified to the Subcommittee on Technology of the Committee on Science for the House of Representatives. His comment from a private industry perspective is, "If the government purposely or inadvertently released information about network vulnerabilities and security breaches, clients and customers could sue providers and operators for damages, claiming that these firms knew that the vulnerabilities existed and insufficient steps were taken to prevent them. We, in industry, would need protection from such frivolous lawsuits." 

If you share that information, would you consider some form of limited short-term protection where industry would provide restrictive controls over that information and confidential access while the investigation was going on? That's a solution, it's one that they came up with at Lawrence Livermore, where they conducted a workshop after the Commission's report was filed to see if they could fine tune it. Where that could go as a solution I'm not sure. But trying to solve this one particular problem-how do you share that intrusion information-is in probably the most difficult obstacle category. I don't really know that you could start crawling there. 

I know it was a concern to Ms. Reno, when she spoke at Livermore, and her comment was, in asking the national infrastructure protection center to try to deal with the problem, that "the Department of Justice and the FBI want to be strong, good partners. We have a responsibility to work through the concerns that people may have so that they trust us. Private business may be concerned about confidentiality. Business does not want to have proprietary information made public. The FBI, on the other hand, has a duty to provide an early warning to the community to prevent further attacks. We must work together to see how we can walk that narrow line and ensure that we do our duty in terms of preventing further attacks while at the same time maintaining the confidentiality of the person or institution or business involved." That too, may not be the way to crawl. 

Well, how about the second example I gave you? Let's deal in a hypothetical case of a municipal water system that takes a look at itself, and they produce a report concerning contaminants and toxins. And in the course of that report, let's say, hypothetically speaking, they, using publicly available information, calculate a chemical in a quantity placed in their water distribution systems at a certain point which could easily kill 3000 people. And let's just say, hypothetically speaking, that city is aware of 50 other cities with similar water systems and similar problems. How do you share that kind of information? Is it national security information? I don't know. Does it deal with the national defense, if arguably you say you're only killing 3000 people and it doesn't defeat the nation's ability to protect itself, possibly not. Where is the solution on how that information, which is arguably publicly available information, which is not proprietary information, is protected? Do you do what the Commission did, which is go to the Security Policy Board and say: "How about putting together a work group?" – get the folks from the special interest groups, get Congress involved, get the governments involved, state and local and federal, get industry involved, and let's take a look at this type of information. Is there a way that we can share it and protect it without classifying it? I don't know if today is enough time to come up with that answer. That also may be one of the more difficult areas to solve. 

And then, finally, what about the example I gave you about the unknown bug in your system that needs to be shared, or that you have a better way to secure this system? Can this be shared with some ease? Probably so. Among industry and government, I don't see why not. What we're talking about here is best practices. My fellow speakers were also talking about best practices. "Best practices," to me, is an opportunity for industry to share information among itself. All they really need to do is set up some kind of website with maybe certificate access to it, give it some protection, and even law enforcement can partake in it. What we're looking for is, if you can't protect the Windows NT system because it gets fingered and once you know it's Windows NT system – you can take it down – maybe by putting up two different types of firewalls so that when the standard hacker ping comes through they don't recognize it as a Windows NT system and pass it by – that's a solution – the kind of solution that can be passed back and forth. 

My bottom line is that this may be the best place for us to start to crawl. If we are going to start sharing information, we can't talk about the obstacles to sharing it – sharing criminal intrusion information, we can't talk about the obstacles to sharing information about vulnerabilities like the water system. We have to find common ground. To me the common ground is best practices. There's very little risk to government, there's very little risk to industry, and there's very little risk to law enforcement. If we can start sharing that way, maybe we can find more effective ways to build on that so that we can share "more difficult to share" information. And while we're sharing what's easy to share, we can start at the same time building the ladders that get us up to the levels of concern. And we need to do that. I think that the need to do that was pointed out very effectively by George Tenet, the Director of the CIA, when he spoke at Senator Nunn's policy forum down in Atlanta just recently. His comment, or one of the three points made, is "we cannot keep building new capabilities on a poor foundation of security. We are staking our future on a resource that we have not yet learned to protect." We've got to do that. Working to share best practices is a beginning, to me with little or no down side. And I recognize that there's no one size fits all. But you've got to start somewhere, and as I said this may be the way we can take that first step in building toward more difficult information-sharing problems down the road. 

Best practices as I understand it are really what your system administrators want access to. The folks that are in the trenches, that are defending these systems, want to know how to keep others out and make the system operable. We may have a good beginning, I strongly suggest that you consider that. And thank you. 

Mr. Silliman: If we have done anything in the last hour and twenty minutes, it is to have raised questions that beg for answers, portrayed issues that are out there that I would suggest many of the American people do not know about. You do. And, as all of our speakers have indicated, and I particularly want to allude to Jack's comment, it is such a fast-moving track that you've got to start somewhere and deal with today's problems and yet still try to anticipate the problems of tomorrow. 

I didn't leave a half-hour but I've left at least 15 or 16 minutes for questions and answers, and we've got Amanda McMillian from Duke Law School who will have the microphone. So if you've got a question or comment, please stand, identify yourself for the record and ask any of the panelists or all of the panelists what you want. 

Participant: Chuck de Caro, AEROBUREAU, a neighbor of John Ryan. Jack, my first question is, does the story you told about the kid in Massachusetts really tell you about how we're organized? Why would you take a kid who beat 15 agencies and send him to community service? Why not put him in charge of teaching the dunderheads at those 15 agencies that couldn't get around a teenager, that aren't organized for reality? 

John, it's your turn. Let's talk about the railroads in California at the turn of the century-the means and the information highway of the day. Do you remember the political effects of those railroads, basically control of California fell to Hopkins, Stanford, those boys, and what they were able to do, was not an on and off kind of terrorism, they could, but the structure of the service was [incremental?]…, and that is, they get to control the politics, because they could raise the rates at will. If you want to be Compton California, and you want a town, I open a valve for you, a spurt, if I want it to grow I lower the rates, if I want it to shrink I increase the rates. So they had great political effect over people who couldn't vote over what they decided to do. Now you work for a guy named Steve Case, who decides, on his own, who gets a 10% increase, like that from $19 to $21, and he does it arbitrarily with no ability for the people using the service to play a part. So there's another thing, the political power manifested by people in charge of information systems and what they do to a greater whole, the freedom of the greater whole. I'd like you to think about that and give me a comment. 

Mr. Silliman: Okay, anyone want to take a shot? Jack, first? 

Mr. Danahy: Sure, that's fine. The short answer – why don't we make it two questions, really, and one of them is implicit – why the hell did it take them so long to figure out who it was, and based on that, finding out who it was, shouldn't we somehow canonize this kid and put him in charge of the Aegis Center for teenaged juvenile delinquency? [Laughter] The facts of the matter are, that the kid is the problem, the knowledge that the kid used to break that system is available on any of a hundred websites. This information is well known, generally available, and so frankly, both the company that had the problem and the investigative institutions who were tracking him down had access to all of it to begin with if they felt compelled to look at it. 

Secondly, the duration of the exercise in identifying the culprit and the fact that they needed this cross agency working group to figure out who it was, is largely not a fact that people didn't spend enough time gathering that information up front, as they were securing the system, you know, any security team will tell you that half of the battle is gathering enough information to know both a) what's going on, and b) what did I do wrong that brought me to this bad place I'm at right now so I make sure it doesn't happen again. In the absence of both of those, you needed all those people. As I look at it ideally, were that line well-secured or at least well-monitored, the investigation takes very little time at all. And the kid basically should get the same punishment as some other joyrider gets who grabs a car with the keys in it. The overall problem being, that someone should have been trying to preclude that access in the first place. I'm very much against what's happened; I forget the name of the kid who now is in Israel, who was actually supposedly the educator of the high school crackers probing the Pentagon. He was somebody who came up with three ideas, got in a chatroom with a couple of kids from the U.S., and taught them the wonderful lessons of cracking. Steve Roman did an excellent job at Ohio State monitoring the way that these communities grow, to get a bunch of people together in one of these chatrooms, and one person sets up a server and teaches, literally teaches, the way we do this distance learning now, others how to break into systems. No, you did that wrong; I can watch your keystrokes; you've done that wrong. And then you watch these people go and try it, and they lie about the fact they've broken into something and you come back and see "I just broke into Fred's Nuts and Berries, here we go again." 
So I don't believe the kids are the problem; I don't believe in glorification of people who use the equivalent of a hammer to break through a plate-glass window. I think the basic problem is we have to create what is an acceptable benchmark baseline, that people have to get over, before they're allowed to connect. I'll let John handle the question. 

Mr. Silliman: John? 

Mr. Ryan: Well, let me start off by saying that I don't think any one individual, any one company controls access for the protocols of the Internet, including pricing. I think clearly, like any other industry or business, pricing is a market-driven initiative, and I think you are suggesting, if I understood you correctly, that one company could have an inordinate amount of control or influence in this medium. I think the reality is, in the U.S. alone, there are over 4500 ISP's, from the small Mom and Pop server in the garage, to the AOL's and … of the world. So I don't think this is a medium that structures itself financially any differently than any other industry. 

Participant: Bob Minehart, Army War College. This is primarily focused towards John, but I'll take from anyone. I come from the government, so the government perspective is natural, and I'm very interested in your perspective, the commercial side, and you've portrayed AOL very well. You have been able to show the point and click action getting on-line, and you've shown you're very attentive to your member's rights and their needs, and I see all that, and you've also shown where you've been willing to work well with law enforcement, but my question comes from the next move. When does AOL believe it'll have point-and-click privacy, i.e., the capability to encrypt their messages and do things, and where are you going to fall in working with law enforcement? Will you work with each other? Will you not? How's that going to work? 

Mr. Ryan: Well, we are actively engaged in a dialog now in the encryption debate with the FBI, with Justice, with some of the other interested agencies. I think what's developed over the past several weeks, actually, is an initiative on both sides to move from their entrenched positions to try to seek a more pragmatic common ground. The reality is, this debate's been going on for a number of years now, and certainly there've been no winners, and everybody on both sides have been losers. Our European counterparts have a different scheme, different statutes; we are losing as an industry market share, that's a reality; and I think it's clear that industry should recognize the legitimate interest of the law enforcement community. So I think we've actually had a series of meetings, where we're trying to, in an off-line environment, really discuss what the true issues are, what the true needs of law enforcement are, and, more importantly, how can industry accommodate those interests and at the same time develop their financial markets? To answer your question about personal encryption, I think right now the priority candidly is in the financial arena. We need to address that first, and then I think we will consider and learn how we can incorporate that same type of data security in member-to-member communication. 

Mr. Silliman: And I should add that we'll be having, tomorrow, a whole panel dedicated to this concept of encryption. Bob? 

Mr. Giovagnoni: If I could just add, on the law enforcement issue, I believe the Attorney General took a very big step forward when she established the National Infrastructure Protection Center. From what my experience has been over the last few years, there has been a degree of willingness between industry and law enforcement to talk-they just haven't found a medium to do that, and as they're coming to the table, and talking, the only problem that they're running into is how can you share the information without the down side liability versus compromising your case? They are working together, I've seen it with AOL, I've seen it with just about any one who's involved with these, with the major intrusions. It's not an unwillingness to share, there's a willingness to share. There's cooperation between both; it's just we haven't figured out how to do it without the down side down the road. 

Mr. Silliman: Other questions. And if you could please stand and identify yourself? 

Participant: My name is John Shissler, I'm from the government, I'm here to help you. [Laughter] Yeah, actually I work with the Joint Staff too. I have a question that once again is in the hypothetical realm because it addresses some of the problems that we're dealing with. Basically, it revolves around both laws and the interaction of laws and some of the principles we kind of hold dear within the United States. For example, when you talk about the public's right to know, you have for example the EPA mandating and setting up a database that has a listing of hazardous material sites around the United States because the public has a right to know about what's stored in their backyard. Then you have a terrorist website, for example Hezbollah, which does have a publicly-identified World Wide Web site, you can click onto it using Yahoo. They search that, find out there's a fertilizer plant in city XYZ, and it's kind of nearby, and they go to someone who they've hired, a hacker working in Europe for example, bounces through three or four Internet service providers who include America Online, then proceeds to attack the data system that controls that plant, causing the chemical spill or a problem like that. How do you deal with all those problems? Specifically, the public's right to know, privacy rights, problems with intelligence oversight law, for the Intel community. If we want to look into how this person broke into this data system, well they went through a U.S. system, which means it's really a law enforcement issue; but since the guy comes under Lebanon, it's really sort of an intelligence/national security issue. How do you deal with all of those problems? 

Mr. Silliman: Bob, you going to answer that? 

Mr. Giovagnoni: Well, I'm going to answer part of it, and I'd like you to take this the right way because what you're saying is a matter of grave concern and a lot of people are thinking about that. That's one of the reasons I raise the issue of putting together a security policy board to try to find a way to share information. The one thing that you have to keep in the back of your mind, and the logic is very pointed in this way, but what you're saying, notwithstanding how they caused this attack, is that we are an open nation; we make information publicly available. We make too much information publicly available, and as a result people get hurt. So maybe what we really need to do is look at restricting the First Amendment, and that's where the problem comes in. Now that logic is a jump to make the point, but what we're saying here is that we have too much information, and it's hurting us. Well, there are some privacy right interests, there are constitutional concerns as to what you do once you start curtailing information, on what steps you're taking to limit some very basic and essential rights. We're looking to this workshop to come up with an answer. 

Mr. Silliman: We've got time for one more question. All the way in the back. Richard Myers. 

Participant: Richard Myers, a student at Carolina Law. Jack, you had mentioned earlier the need to educate the public about vulnerability of financial information. The Quicken example really struck me as one where it seems the problem and the solution to the problem may be self-defeating and that people won't use Quicken and use Internet service providers to do their financial transactions if they don't trust it. So the problem creates itself, and I'm curious as to what you see as the tension there between educating the public as to how to protect this kind of information while not at the same time stopping them all together from doing that. 

Mr. Danahy: Thanks for the opportunity to sort of proselytize one of my two security virtues, which is really frankly they shouldn't be using them both together. What happens is, in our industry, I am culpable, I take responsibility. We can build functionalities as fast as we can, because everyone wants the latest, newest and whizziest way to get business done. And we typically develop these things in the absence of any sort of security context. And so if I look at the technologies that have been developed, and I look at the time that's been spent on a technology, such as ActiveX, and I don't mean to be painting Microsoft with a broad brush, it happens to a lot of companies. ActiveX has been pushed and pushed and pushed as a technology, without having any time taken to understanding how it would affect the security of the people who use it. Take privacy. Quicken was never intended to be run on a system that would be laid bare by another type of service. So I don't hold Quicken responsible for this. I look at the question I asked to Richard Clarke, following the War College exercise, which was how do we, as a nation, try and help industry regulate its own rush to new functionalities so they understand that they have to provide some requisite amount of security? The short answer is that they shouldn't use it together, and I believe that the balance is to give them all the information that we have, so that they can protect themselves. If there's a Doberman running around Main Street in Canton, where I live, I don't think the businessmen there are going to complain that I warned the townspeople not to go on Main Street today because they're going to lose the shopping. I have to do my due diligence to make sure that my constituency is well protected. So I think the overall solution to this problem long term is to create the information awareness that says, Wow, I'm now a customer, I can't use Quicken in your product, so I'm going to buy another product. 
And I think what happens is, fairly short order, it becomes a priority in the development cycle as does the new features and functionality. 

Mr. Silliman: Thank you, Jack. We're going to go ahead and take a break now, and I would encourage you to see the panelists, if you didn't get a chance to ask a question here, during the break, but join me in thanking them all for their participation. We'll be back here at 11:00 for the second panel. 

Interests and Equities: Responsibilities and Roles of Industry and Government

Monday, April 20th, 11:00 A.M.
Moderator: Robert Turner

Panelists: Richard Marshall
Russell Stevenson
Michelle Van Cleave

Mr. Turner: Good morning, ladies and gentlemen. My name is Bob Turner, and I'm the Associate Director of the Center for National Security Law at the University of Virginia. It is my great privilege to moderate this morning's second panel. 

When conferences are being planned, it is interesting to observe sometimes how they pick moderators. Sometimes moderators are distinguished experts, who people feel lend an aura of distinction or class to a program, which they might not otherwise attend. Perhaps people that are so busy that if you asked them to come and present a paper, they would simply not have the time. 

A lesser category of moderators is composed of people who the sponsors feel indebted to, but whom they really don't want to trust with substantive responsibilities. If there's anyone out there who's envious of my role here today, I've been assured by Scott that for just $20,000 you can moderate this same panel at next year's conference; for $30,000 your money can get one conference and a dinner speaker introduction. 

Moving down the line, there's another category from which moderators are often selected, and that is sponsoring organizations. I can see it now, it's Scott and friend Robbie sort of sitting around, and they say, "well, who are we going to get to moderate the second panel? Well, if we have somebody who's not going to be there, they'll want us to fly them in, so let's let John Norton Moore do it, he'll be happy to do it." And then they found out John was teaching today and tomorrow, and they said "well, wait a minute, it's even better if we have Turner-he'll bring his camera and take pictures and video and tape and everything else and feel important-he'll feel important." 

So anyway, that's how I got here. It's sort of like Mikey in the old "Life" cereal commercials, you know? Give it to Mikey, he'll moderate it! So I agreed to do it. I have that policy where they call me four months in advance and to get them off the phone I'll say yes, and then about six weeks ago I said, "now what is this panel I'm going to be moderating?" So I got out the schedule and I looked at it and I saw the title and it says, "Interests and Equities." I looked at it again and said, interests and equities, and I said, "I didn't take that course in law school." I don't think even I know what that's all about, but I gather after some inquiry that our role today is to discuss the relative role of the public and private sectors in protecting our information infrastructure in the coming century. I bet Scott thought I'd say something insightful about this subject, but I had a very wise mother, and when I was a small child she gave me that old sage advice, that "son, it is much better to be silent and be thought a fool, than to speak up and remove all doubt." She was a very loving mother. I remember when I was five years old and they sent me off to Georgia Military Academy, in the late 1940s, and she came to our first parade. She's sitting there watching us march by, and sure, my tie was a little crooked and my shirttail was out, but she looked out and she beamed to my father, her husband, "Look, our Bobby's the only one who's in step!" [Laughter.] 

Well, my real contribution to the panel was not picking the speakers or picking the topic, but deciding who should go first, second and third, and it was a daunting task, knowing as much as I did about the topic. And so I said first of all, well, all that really matters is that you be fair and nobody complains, so let's be alphabetical. So I put all the names in alphabetical order. Then I thought about it, and said, "no, wait a minute, we've got somebody from the executive branch, and somebody from the private sector, and somebody from the Congress, and the person from the private sector is certainly not going to be able to say very much about government policy and what's wrong with it, unless he or she has a chance to hear what the government policy is." So I said we ought to start off with somebody from the government telling us what the problem is, and why we need to do something, and then perhaps somebody from the private sector telling us whether that's the right thing to do and we ought to do something else. Then, of course, we'll bring in somebody from the Congress who's going to tell us – whether it's what we ought to do or not – what we're likely to do, because the reality is Congress is going to have an awful lot to do about anything the United States does in this area. Certainly any major policy in this area that requires criminal sanctions is going to have to go through Congress. There is, as I'm sure you know, the old adage "The President proposes and Congress disposes." So anyway, after careful thought I've listed them down in order, first the executive branch, then the private sector, and then the legislative branch, only to find that I had them in alphabetical order. 

Now it's been said that figures don't lie, but liars figure, and I don't want to suggest that I was capable of playing around some with the alphabet, but I will tell you that if the natural order of things had come up differently I was perfectly prepared to introduce my old friend, Michelle Van Cleave, first, or else Michelle Van Cleave last. She was very flexible in that regard, but it didn't prove necessary to call her Ms. Cleave, so we won't do that today. [Laughter.] 

Our first speaker is a dear and old friend, and among his other distinguished accomplishments, he was a graduate of the fourth National Security Law Summer Institute at the University of Virginia. He didn't do very well, so if he screws up today don't blame us. 

At any rate, Richard H.L. Marshall is the Associate General Counsel for Information Systems Security at the National Security Agency. Back in the years when I was in government we used to call that No Such Agency, even though it was much larger than the CIA, of course, but nobody knew it existed. Now, of course, NSA stands for Nothing is Secret Anymore. A graduate of the Citadel more than three decades ago, Rich Marshall had a distinguished career as an Air Force JAG officer, following his graduation from Creighton University Law School. He graduated with honors from the advanced program at the Army JAG school in Charlottesville, which now offers an LL.M. for that same amount of work. He also graduated with honors from the National Security Management Program of the National Defense University. He studied at Harvard Law School and Georgetown Law School, from which he holds an LL.M. in international and comparative law, and at other law schools as well. 

I tried to get more information on Rich, but I was basically told that if you had a need to know, you'd have been told by now, and if we told you any more we'd have to kill you, so I didn't push. I did ask others about him, and about the most sensitive thing I could find out is that he was the originator of the controversial "Don't Ask, Don't Answer" program to educate Americans about information infrastructure security. 

He is a highly respected expert on this topic – he's been working on it for years. Please join me in giving a warm welcome to Richard Marshall. 

Mr. Marshall: The truth can now be told on how the selection was made to be the first panelist to speak. The plus about me being on crutches is that I'm not going to be able to talk that long. I understand that a person's attention span lasts about as long as circulation in his lower extremities, and I'm limited to one extremity-I'm standing on one foot most of the time, I can't put any weight on the left foot. Now you're all asking yourselves, how did this accident really happen? I'm here to tell you the august truth: there are two things that Bob didn't openly disclose about me that I feel in honesty I should share with you. Number one, I'm first generation Dead; I'm still mourning the death of Jerry Garcia. So if I go off on a little fringe, you'll have to understand that's what it's about. But don't be terribly concerned, because having helped develop the Air Force drug program, and having had many opportunities to contribute at the office, and, [laughter] when the social action people recognize your face, and you're selected at random right after the Jerry Garcia concerts, and you always pass with flying colors, I'm a real believer in that program. 

The second thing you need to know is that this accident really occurred – it was a freak accident. I am a convert to snow boarding. Now I know a lot of you are active skiers, and you think there is some kind of a social conflict between skiers and snow boarders, and there isn't as long as you stay out of our way, especially when you see a 52-year old guy coming down the slopes and his 13-year old son is trying to catch up with him, knowing that the force of gravity does have a stronger effect on a larger body that's going downhill. And there's no greater thrill in public at my age than to hear your 13-year old son say, "Cowabunga, Daddy dude!" So I wear my crutches with pride. As far as the cost-reduction program, they left off one of my initials. I'm very proud to have a full middle name, Richard Henry Lee. Just to let you know the government is doing its part for cost savings. [Laughter] 

Now this is kind of a recap of what we discussed today, and this shouldn't catch you as any real surprise. It should make you feel good, actually, to know that this is an ongoing effort; there's a lot of work that's been going into this. It is an unfinished product, but these are some of the things that we want to talk about: security of the defense information infrastructure and the national information infrastructure. Now let me describe what both of those are. The defense information infrastructure is that telecommunications network, that telecommunications systems, that the defense department uses to communicate. And that doesn't make any difference whether it's classified information, military information, or day-to-day contract information. That is part of the defense information infrastructure. Now the interesting aspect is that there is no bifurcation, there is no bright line distinction, between the defense information infrastructure and the national information infrastructure. And you're going to quickly ask, "why isn't that so?" "Can't you make a distinction between super-highways, and safe highways?" The answer is no, because the defense information infrastructure rides on the national information infrastructure. View the DII, if you would, as a pipe that is part of a larger pipe that we call the NII; or to look at it another way, the DII is a hand that fits inside the NII glove. Now it is bigger than the government, it is bigger than industry, indeed it is bigger than the individuals, and if there is going to be a solution to this problem, and I think we can all agree it's a problem, it's going to rely largely on individual responses. Individual reactions. And I'm not here to pontificate; I think you'll reach that same conclusion by the end of the panel's presentation today. Now, this whole concept of the national infrastructure and the defense information infrastructure is kind of like kudzu – it just grew. 
There was no management from the top, and indeed, trying to manage it from the top, whether you're doing it in a constructive way, or whether you're trying to do it for security, it's just not going to work. It just will not work. So we have to work together to achieve a common solution. 

Now we take for granted many of the information technologies that we use today, and we really don't understand that they're all computer-based. How many of us use a telephone answering machine in our homes? Most of us do. How many of us are able to access that telephone answering machine, from a distance – remotely? Most of us can't – we haven't mastered the technology. How many of us realize that that telephone answering machine is not a telephone – it is a computer? You're dealing with stored electronic communications. That happens on a day-to-day basis. When you get e-mail, that is electronic communications. Does that come in a voice? Yes. Is it digitized? Can it be manipulated? Can it be made more secure? Issues to think about. 

Now, the electronic information that we're dealing with, these are the four variables that you want to rely on. You want it to be authentic, you want to make sure it's accurate, you want it to be available when needed, and in certain circumstances you want that content to be private – issues that were discussed earlier this morning. The critical information infrastructure must be protected from electronic attack. That was the theme of the morning's first panel and that's a common theme here. The central focus, though, is we must remember it's the components – not just the backbone, not just the Internet. 

Now, the infrastructure is at risk. There have been a hundred examples that are easily cited – several of them were broached today. Let me talk about two of them, very quickly, that illustrate this, and you can extrapolate that what's in the DII is even worse in the NII. I'll cite three particular authorities for that – one is the Senator Sam Nunn Commission, and that is available on a website, it's a GAO report. It talks about the computer vulnerabilities of the DOD systems, and it comes up with the astounding conclusion that DOD computer systems are kind of like an igloo to a polar bear – they're crunchy on the outside and soft and chewy on the inside. Now what do I mean by that? You can exploit vulnerabilities – you can exploit personalities. If I can break into Bill's system and pretend to be Bill, then I can very easily say – because I know Bill has a trusted relationship with Colby – I can pretend to be Bill and go into Colby's system, and Colby will say, "gee, I trust Bill, I know everything he's saying is accurate, authentic, etc." - all of those other variables. That's what I mean by exploiting trusting relationships. 

Last year, there was a very interesting exercise called Eligible Receiver. It was a JCS-sponsored exercise, and one of the variables that I thought was rather unique was that there was a DOD adversary, a no-holds-barred, go in and break the system, bring down the DOD telecommunications net adversary. Now we can talk about it now, because it's been in the press recently. It was an absolutely fascinating exercise, it was not a command post exercise, it was a live fire exercise. And the communications systems of the DOD for this exercise were in fact brought down. Now, it wasn't the failure of individuals – it was the systemic failure of not being able to react and to protect the systems. And it illustrated at a very high level that we don't have a handle on how to detect, react, and protect our information systems. And if the Department of Defense has this vulnerability, can you imagine what vulnerabilities an organization – and I use that term loosely – such as the national information infrastructure, whatever that is, as ephemeral as it may be, might have? 

Rapid growth in critical unprotected networks. Those breed additional insecurities. Now, you might have the most secure system in your home – I would imagine you use Windows 95, and you permitted Bill Gates to come in and check your system. I mean, if you registered with Bill Gates & Co., you permitted them to come in and check what you've got on your system. Now you'd be alarmed if I told you that if you had an Internet service provider, you permitted that Internet service provider to come in and modify the way your system works. You feel comfortable about that? I mean, certainly you can trust your Internet service provider, I mean if you can't trust America Online, by God, who can you trust? [Laughter] I'm getting an answer, I guess. 

Now, think about the vulnerabilities here – they are shared vulnerabilities. I may be as secure an individual, in terms of computer security, as anyone in the room, but as soon as I link up to you, it's the lowest common denominator. A very vivid example – how many of you saw the Super Bowl on TV? How many of you saw it live? I happened to have experienced that – it was an amazing event. I was discussing information system security issues there, and the person next to me said, "you know, Rich, information system security and the vulnerability is kind of like everyone here at the Super Bowl today, drinking from the same beer cup." Yuck! Think about the vulnerabilities there! I might trust the person next to me, because he was my brother, but what about somebody in another seat? You don't know – what you don't know in terms of the vulnerabilities. So as soon as you plug into the Internet, you're accepting everyone else's vulnerabilities. Kind of scary – but there's a solution. 

Let's go to the next slide. On the right is the NII, rapid growing, we have that, essential public services listed on the left, these are the things you need to watch for. We're talking about everyday events. Disgruntled employees – "I'm upset, I don't like being fired, so therefore I'm going to bring down the computer system." One of the first things Washington law firms do, when they walk someone out the door, is to take away their password – make sure they don't have computer access before they are even advised that they are going on terminal leave, as it were. Hackers – a nuisance, sometimes, more than a nuisance. Solar Sunrise – anybody familiar with that? I don't want to go into a lot of detail, because it's all been in the newspaper, freely available on the Web. It was a concentrated group of individuals, a small number it appears, who were very successful in isolating and identifying some key nodes on the DII that, if exercised, could have had an adverse impact on this nation's ability to wage war in the Gulf. Now that is significant, and to sit there and say it's hackers, it's innocent, they're just kids, let's clone them and make them security gods, can't buy into that. Individuals, criminal elements, transnational organized crime, terrorist groups – those are the biggies. 

Now you're asking yourself, why in the world are we talking about this as a national security problem, when what Rich is obviously talking about is what – an FBI issue – crime, and that's one of the tough nuts we've got to crack. Where is the firebreak between a crime and a national security issue? …in the bag of peanuts, …the first person who comes up with that good answer. 

I'm going to go out on a limb here and suggest that there is a merging of two traditional views. Based on our discussions last night, I think this is still correct, but I will leave some leeway for Russ to respectfully disagree. The national security view is that protected information has an intrinsic value – it's national interest, you've got to protect it at all costs. And that's why they use the paradigm of risk avoidance. If you need to go to the airport, and you want to be really secure, you have someone take you there in an M-1 tank. Not very cost-effective, but pretty secure. Now, if you're a business person, on the other hand, if you're driven by the bottom line, if your object is to make money, you want to reduce those costs. So you only want to protect that information that is necessary to be protected, as cheaply as possible. Cost avoidance, risk avoidance type of issue. The cost of doing business – you pass it on to the consumer. Now it happens every single day, and I realize I'm stealing a little bit of your thunder, and you can correct me if I'm wrong, which I know I'm not, [laughter] …Note the confidence that arrogance breeds. 

One of the reasons we pay such a high price for the use of credit cards is because banks are being ripped off on a daily basis by cyber terrorists. And that delta, the money that the banks are not letting us know is being stolen, results in higher interest rates, higher transaction costs. That's a graphic example of the cost of doing business – you