Based upon a lack of data collection and analysis by the intelligence community and a failure to report from the business and financial communities, little data has been assembled to provide a reliable assessment of the threat to this nation's information infrastructure.
What is known about the potential threat, however, is extremely disturbing. Technology provides a variety of potential "bad actors" with innumerable methods and opportunities to disrupt our critical information infrastructure and the institutions it supports. These same technologies also offer opportunities to destroy the confidentiality and reliability of the information itself.
Unfortunately, anecdotal incidents provide little assistance in compiling threat assessments and estimates. Most of the documented incidents where bad actors have been identified involved what is considered to be the least competent attacker. A nation
state or organized subnational group would likely be more sophisticated, structured and funded - and difficult to defend against.
In the 150 page Brown Commission Report on the Roles and Capabilities of the United States Intelligence Community (the "Brown Report") the Commission dedicated but one paragraph to the subject of information warfare intelligence collection. This paragraph, however, made the following important observation:
Collecting information about 'information warfare' threats posed by other countries or by non-governmental groups to U.S. systems is, however, a legitimate mission of the Intelligence Community. Indeed it is a mission that has grown and will become increasingly important. It is also a mission which the Commission believes requires better definition. While a great deal of activity is apparent, it does not appear well coordinated or responsive to an overall strategy. (Emphasis added, Brown Report, March 1, 1996, p.27)
A senior member of the intelligence community responsible for collection of such data compared it to "a toddler soccer game, where everyone just runs around trying to kick the ball somewhere."
The Staff did find, however, that collection of data that might provide the nature and extent of the threat posed to our information infrastructure is not presently a priority of our nation's intelligence and enforcement communities. The Staff received numerous briefings from the intelligence components of various agencies, as well as the counterintelligence community. Each agency agreed that the threat posed to our information infrastructure was substantial; yet when pushed to reveal the level of resources dedicated to assessing the threat, each agency admitted that few personnel were
working on developing such an assessment. One agency assembled 10 individuals for the Staff briefing, but ultimately admitted that only one person was actually working "full time" on intelligence collection and threat analysis.
The Central Intelligence Agency (CIA) staffs an "Information Warfare Center"; however, at the time of the Staff briefing, barely a handful of persons were dedicated to collection and on defensive information warfare. The National Security Agency (NSA), hopes to create a "thousand person" information warfare center that would include both a defensive and offensive infowar focus, as well as a 24 hour response team.
Despite the rhetorical emphasis placed on this issue, at no time was any agency able to present a national threat assessment of the risk posed to our information infrastructure. Usually, briefings, at any level of classification, consisted of extremely limited anecdotal information. The Staff found that, although there is a growing awareness within the intelligence community, there are still very few dedicated to data analysis, and no procedures in place to process intelligence information. Although many agencies had formed "working groups" or incorporated the term "information warfare" into pre-existing offices, there has been very little prioritization of this issue, or re-allocation of resources dedicated to it. Furthermore, there has been retraining of intelligence officers on information warfare or, more importantly, recruitment of intelligence officers with specialized training in information systems technology.
One very senior intelligence officer for science and technology admitted that in order for the intelligence community to focus on the information warfare issue adequately, it would require significant retraining of collectors and analysts. "Don't wait for the intelligence community to provide a threat estimate" he explained, "it will
probably take the intelligence community years to break the traditional paradigms, and re-focus resources on this important area."
There have been recent attempts to obtain threat assessments. The "Kyl Amendment" to the Intelligence Authorization Bill for FY 1997 (Sec. 1053) provided:
... the President shall submit to Congress a report setting forth the results of a review of the national policy on protecting the national information infrastructure from strategic attacks. The reports shall include the following:(1) A description of the national policy and architecture governing the plans for establishing procedures, capabilities, systems, and processes necessary to perform indications, warning, and assessment functions regarding strategic attack for foreign nations, groups, or individuals or any other entity against the national information infrastructure. [Emphasis added.]
Part of the Amendment required that the intelligence community respond to the Congress with a threat estimate within 120 days of the bill's effective date. The timetable was ambitious and the Director of the Central Intelligence Agency requested an extension of time within which to respond. A former high-ranking White House science and technology officer explained the intelligence community's difficulty in responding to the task: "usually they just can pull the information out of the box that holds the data -- as of today, however, the box is just empty!" In the recent House Committee on National Security's report on H.R. 3230, the National Defense Authorization Act for FY 1997, it was observed:
To date, Congress has not received the requested report and overall it is clear that the Administration's response to this statutory requirement has been lackluster at best.
The need for a threat assessment by the intelligence community is great. It is impossible to conduct meaningful risk management absent reliable threat data. How do agencies determine the level of resources to commit to computer security without knowing the dimension of the threat? The technology of intrusions is changing rapidly. If we do not know what current methods are being employed by hackers, how do we obtain and implement countermeasures. Finally, because much of the threat relates to the compromising of sensitive information, it is difficult, absent reliable threat assessments, to determine what damage has been done. Our nation may be losing critical information advantages and economic advantages without knowing it.
There are numerous explanations for why our intelligence and enforcement assets are unable to collect the requisite data for a national threat assessment. First, there is no mandatory reporting at the Department of Defense.12 Yet, Defense installations and assets are a favored target for foreign governments or organized subnational groups. In fact, in the Rome Lab case [see Appendix B] the youthful hacker admitted he penetrated ".mil"13 sites because those sites were notoriously easy to penetrate. Due to the lack of reporting, little raw intelligence data is being analyzed by DIA or other intelligence or counterintelligence components.
Second, from a legal and organizational perspective, intelligence collection is difficult in the virtual world. In the physical world our government assigns intelligence
12 Some of the services, such as the Air Force, do make reporting mandatory for intrusions. Most, however, do not compel systems administrators to report intrusions in the unclassified but sensitive network upon which 95% of DoD data/voice traffic is transmitted.
13 ".mil" refers to the suffix address for all DoD computer addresses. For instance, non-Defense Department addresses within government have a ".gov" suffix.
and counter-intelligence responsibility based, in large part, upon the origin of threat. The intelligence community is responsible for foreign threat assessment; the FBI is responsible for domestic threat estimates. There are rules limiting the ability of the CIA, for instance, from collecting information domestically. Similarly, the FBI does not engage in foreign intelligence collection.
The virtual world, however, is borderless and therefore does not fit easily into the organization of the physical world. The technologies employed by hackers permits them to take numerous paths when attacking networks. For instance, it is not uncommon for an attack emanating from a foreign country to take a circuitous route through different nations and different computer networks, both government and private.14 Thus, when the attack is observed or detected, it may appear to originate from a domestic computer when it actually originated abroad. Because of this, though, the intelligence community would find itself constrained from conducting any original investigation of this matter. The Staff was advised on several occasions that the intelligence community was suffering from their inability to receive raw data that is directed to the law enforcement community.
Finally, and perhaps most importantly, it is simply not yet a high priority within the intelligence community. As long as the intelligence community does not actively and aggressively address the void of threat information, senior leaders and managers will be reluctant to reallocate and re-prioritize resources for their agencies.
14 The practice of "looping and weaving" is extremely common to even the most rudimentary hackers. More structured computer attacks will regularly change the route of attack, and purposely go through institutions or nations where detection is unlikely. At all times the attacker is masquerading as a legitimate user on the coopted system.
A common theme expressed by many was that there is absolutely no clear plan or direction as to how our nation should go about assessing the threat. While many individuals - including the principals of our intelligence, enforcement and defense agencies -- agree the threat is significant, there is still no blueprint that might guide a national effort.
The counter-intelligence community suffers from similar problems. Since World War II, the common concern in the counter-intelligence community was the Cold War threats of spies and traitors photographing classified documents, or stealing information. Technical Surveillance Countermeasure (TSCM) agents are still looking for physical bugging devices that are planted in homes and offices. Undoubtedly, physical security is still a concern and needs to be a priority. However, it is clear that an equal threat arises in the virtual world where communication and information systems can be compromised remotely.
The law enforcement community has similarly been unable to adequately provide reliable threat assessments. Among non-Defense Department enforcement agencies, the FBI has dedicated the most resources to a computer crime program. However, results by way of arrests or even raw intelligence data have not been realized. Initially, the difficulty may have been linked to the Bureau's insistence that prosecutive or investigative decisions be premised upon quantifiable losses, or other indicia that normally factor into such decisions. Recently, however, the Bureau has begun to recognize that decisions to investigate cannot be premised upon traditional factors.
A major obstacle to assessing the threat posed to our information infrastructure is the failure of most government agencies to detect intrusions and, second, to report intrusions that are detected. As stated previously, the Defense Information Systems Agency (DISA) performs proactive vulnerability assessments of Defense Department computer networks. According to 1996 DISA's statistics, of the 18,200 systems they were able to penetrate, only 5% of the systems administrators actually detected the intrusion; and of the 910 system users that detected the intrusion, only 27% (246) reported it to a superior.
These statistics, which are limited to the unclassified but sensitive networks of the Defense Department, reflect how little is known about this problem. In its recent report released at a previous Subcommittee hearing, the GAO estimated that approximately 250,000 computer attacks were occurring each year at the Defense Department. Applying DISA statistics to these estimates, it would translate into 162,500 successful intrusions each year, with only a small portion being detected and reported.
Having access to such a small sampling of this problem makes it difficult, if not impossible, to assemble reliable threat assessments. Furthermore, virtually every computer investigator interviewed by the Staff declared that they are detecting the least competent and most reckless hackers. As one investigator explained "we are only catching the bottom of the food chain, anyone with half a brain could elude our net with ease." Essentially, we are identifying mostly the unfunded, unstructured attacker.
The major reason computer intrusions are neither detected nor reported is that the Defense Department and most government agencies outside of DoD simply do not mandate that they, be reported. If anything, there is a disincentive for systems administrators to report intrusions. Numerous personnel involved in computer security admitted that reporting a break-in, or even raising the issue of a potential security lapse, may "reflect negatively" on their job performance.
In addition, most of the government agency victims do not have the expertise and tools to detect an intrusion or attempted intrusion. The Air Force is in the process of installing intrusion detection tools on all Air Force bases over the next two-three years. The tool, ASIM15, captures all of the keystrokes of all of the users on the base network and automatically matches them against known hacker keystrokes. The system then analyzes the threat and rates its seriousness. In 1995, ASIM was deployed on 23 Air Force bases and discovered 2,332 incidents. Most agencies, however, appear to lack the resources or commitment to pursue such initiatives.
There is very little anecdotal data concerning the threat posed to the private sector. While much of the failure to report intrusions within government is due to an absence of interest, in the private sector it is due primarily to fear of the marketplace and of government. The Staff interviewed several security experts from commercial institutions, as well as various private individuals who provide computer security to commercial institutions that might be targets of computer attacks. The most common theme among those interviewed was that the commercial sector is loathe to report
15 ASIM is a computer program, Automated Security Incident Measurement.
computer intrusions for fear of affecting customer or shareholder confidence. Company insiders confirm to the Staff that they have experienced intrusions on a regular basis, but fear reporting them to the government or other agencies that might ultimately report them into a public record.
One of the premier companies that provide security services, including counter-measures, to private industry explained the extent of this problem. This company informally surveyed a handful of other security firms about known losses from commercial or financial client-companies. This small group of firms was able to account for $800,000,000 of losses last year alone worldwide. This figure included only actual losses reported by clients to these few firms. Over $400,000,000.00 was attributed to U.S. companies. These figures do not include losses that might be attributed to damage to data, or temporary lost access to data, and it could not quantify unknown losses from competitive advantage (e.g..industrial espionage).
Despite the likelihood of substantial losses in the U.S., the FBI can only report a single substantial case where a financial institution lost money due to outside intrusion into a network. In the Citibank incident of 1994, Citibank lost $400,000 to a group of hackers operating out of St. Petersburg, Russia.
The disincentive for an institution not to report a financial loss is obvious. For a financial institution, customer confidence is a staple for commercial viability. Lack of customer confidence in a competitor, similarly, is viewed as a competitive advantage in the marketplace. Publicity that exposes unauthorized intrusions into customer accounts could easily inspire customer insecurity which would have a bottom line effect on business. For instance, the Staff was advised by numerous and reliable sources that, after Citibank received publicity in 1995 for having been attacked, Citibank's top 20
customers were immediately targeted by six of Citibank's competitors. The competitors argued that their banks were more "secure" than Citibank's.
There are legal requirements that, in theory, should result in the reporting of intrusions. For instance, banks have to comply with certain regulations in the Federal Code relating to the suspicious disappearance or unexplained shortages of funds of $5000 or more (12 C.F.R. 21) and there is a well-defined regulatory structure overseeing our nation's financial infrastructure. The Securities and Exchange Commission (SEC) also has reporting requirements for securities firms and publicly traded corporations. Virtually every bank officer interviewed by the Staff, although agreeing that they would never want to report losses and adamantly opposing more comprehensive mandatory reporting legislation, refused to acknowledge any non-reporting. A representative of the N.Y. Federal Reserve indicated that as part of their oversight of financial institutions, including 40-50 of the country's major banks, they were unaware of any attempted "cover-up" of a break-in.
As of April 1996, financial institutions are required to report suspicious activity to FINCEN (Financial Crime Enforcement Network). Failure to report can result in a $5,000 fine. FINCEN collects the reports on a database located in Detroit. FINCEN has not yet received any reports relating reports of computer intrusions and is unaware of any fines for nonreporting levied prior to April 1996. A representative of the Federal Reserve Board also indicated he was unaware of any regulatory agency fining an institution for failure to file a referral form. Although an institution might be fined, for failure to report, a $5,000 fine may be of little deterrent value as many companies privately advised the Staff that they will spend much more just to respond to an intrusion so that it does not become public.
The Staff, however, was advised by numerous information security professionals, that banks and financial institutions were not reporting computer intrusions. According to these professionals, commercial institutions may report losses, but not disclose the full nature of the intrusion. As one senior account representative explained, "there's reporting, and then there's reporting." The Staff learned that on many occasions corporate internal investigations of computer intrusions were conducted through the corporation's general counsel office, so as to provide a veil of secrecy that flows from the attorney-client relationship. Another method of avoiding scrutiny is to report an incident among a bulk of other documents such that discovery of the details of the computer attack is nearly impossible.
A related concern expressed by representatives of the private sector was the fear that reporting an intrusion to the FBI, or other law enforcement agency, would mean loss of control over the investigation. While the FBI is primarily interested in proving misconduct and bringing perpetrators to justice, a corporation is more interested in stopping the intrusion with as little publicity as possible. These two goals become inapposite when a public trial is likely to result from a successful investigation. Thus, virtually all corporate representatives interviewed by the Staff expressed great fear of mandatory reporting of intrusions, even if they are criminal law violations.
A recent survey by the San Francisco-based association of information security professionals, Computer Security Institute (CSI), demonstrated the extent of corporate reluctance to report. The CSI, in coordination with the FBI, sent out 4,971 questionnaires to information security practitioners.16 Although the survey was anonymous, only 8.6% (428) were even willing to respond. Of those that responded,
16 The survey was sent to U.S. corporations, financial institutions, academic institutions and government agencies.
42% admitted experiencing some form of intrusion within the preceding 12 months. Many of the intrusions were from remote dial-in sources and Internet connections. Over 50% of those suffering intrusions believed they were from competitors in their marketplace.
The damage to the institutions varied. 36% of the hospitals, and 21% of the financial institutions indicated they had data altered through these intrusions. Significantly, 83% of respondents to the survey indicated they would not advise law enforcement if they thought they had been victimized; over 70% cited fear of negative publicity as the primary reason for not reporting.
The Staff cannot overstate the effect under-reporting has on our ability to assemble a reliable threat assessment which would encourage management to re-align and reprioritize resources. Within the business community itself, a lack of reporting has been a barrier to implementing proper security to private networks. A top executive with a global securities firm advised the Staff that "without reliable data it is impossible to prioritize countermeasures."
There have been formal and informal efforts to assemble anecdotal information that might help private industry better equip itself for attacks on its information infrastructure. For instance, the National Security Information Exchange (NSIE) Subcommittee of the National Security Telecommunications Advisory Committee (NSTAC) is a group of company representatives - mostly from the telecommunications industry -- that meets regularly to share threats and vulnerabilities observed within their own companies. The NSIE maintains strict confidentiality agreements with its
members17 in order to prevent exploitation of weaknesses by competitors or other bad actors. Members of the NSIE related to the Staff that it took a great deal of time before the members developed trusted relationships with one another.
Is the bad actor a 16 year old cyber-joyrider, a well-funded foreign intelligence service, an anarchist, or an industrial spy? Does the threat come from a foreign or domestic source? Is the attack motivated by espionage, greed or a desire to create terror? Unfortunately, at any given time it can be any one or even a composite of the above. The threat to our information infrastructure is organic, evolving, and elusive.
Furthermore, while much has been reported about the threat posed to our information infrastructure from the outsider, virtually every security expert interviewed by the Staff agreed that, at least in the short term, the greatest threat to our infrastructure will come from the "insider." The insider is defined as the individual already possessing authorized access to a network. The Staff found that the basis of this fear was premised upon the difficulty in defending against the insider, and the great amount of potential damage an insider could accomplish.
The "hacker" has been traditionally perceived as the misguided youthful computer intruder who acts out of a perverse sense of adventure. Perhaps, best illustrated in the 1982 movie War Games, this individual has generally been viewed as an inconvenience and not a true threat to national security.
17 There are two NSIE subcommittees. One has 9 NSIE companies, the other 9 NSIE government agencies. The two NSIE subcommittees meet jointly. NSIE members are chosen by the NSTAC.
The hacker, even if a true generalist, is, nevertheless, a threat in every sense of the word. Misconduct motivated by curiousness or impishness can have a devastating effect on our infrastructure. For instance, the "Morris Worm" in late 1988 caused more than 6,000 computers to shut down. As indicated previously, even the most innocent hackers can become dupes for foreign intelligence services or other bad actors. In the Rome Labs case (see Appendix B) the 16 year old British hacker "Datastream" was actually seizing control of Defense Department computers at the direction of an unknown third party ("Kuji") who was directing him through chat sessions on the Internet. In the virtual world it is much easier for a foreign government to utilize a dupe because of the anonymity inherent on the Internet.
The National Security Agency has acknowledged that potential adversaries throughout the world are developing a body of knowledge about Defense Department and other government computer networks. According to DoD officials, these potential enemies are developing attack methods that include sophisticated computer viruses and automated attack routines which allow adversaries to launch untraceable attacks from anywhere in the world. In some extreme scenarios, studies demonstrate how our adversaries could seize control of Defense information systems and seriously degrade the nation's ability to deploy and sustain military forces.18 Official estimates reflect that more than 120 countries are developing offensive information warfare capabilities.
Additionally, it is likely that our vulnerability in this regard will only increase and at the current rate, countermeasures will never keep up with technology. Discussions
18 The RAND Corporation, at the Direction of the Deputy Secretary of Defense, has sponsored a series of "info war games" designed to enhance our policy-maker appreciation of emerging infrastructure related issues. The series of exercises present mock info attacks and then the counter measures and decisions that must be made.
with Defense Department officials indicate that there is a great desire and pressure to further interconnect all our defense components in order to create a seamless mosaic of information networks within our defense infrastructure. Undoubtedly, this will increase the efficiency and effectiveness of all aspects of the DoD mission. Unfortunately, it will also open that same defense infrastructure to foreign intelligence agents and potentially disruptive forces.
The Staff received several briefings from national security officers who repeatedly expressed concern that the Internet and the easy exploitation of computer networks is providing other nations with opportunities to assemble intelligence information. In the Hanover Hacker case that was the subject of Cliff Stoll's best selling novel, The Cuckoo's Egg, the German hackers were working for the Russian KGB and met regularly on a Bulletin Board System (BBS). Today, many Subcommittee sources have alleged that a certain foreign government sponsored a hacker bulletin board on which hackers exchanged data, including passwords and logon files, of foreign governments. This government apparently monitored the BBS activity obtaining the critical information for its own use. Clearly, if true, this illustrates how the Internet provides foreign nations with virtually risk-free intelligence services for little cost and almost no exposure.
In interviews with senior intelligence and counter-intelligence officers, the Staff has been advised that there is great concern that insiders will gain access to classified networks as well. Previously, in the physical world, our classified intelligence data was maintained in secure locations with physical barriers (doors, walls, guards, file cabinets) that served as a deterrent to loss of information. Even persons with access to a building could not gain access to certain documents, rooms and secure file cabinets. Only presumably trusted persons would have access to these areas and this information. The networking of classified computer systems within agencies, has created new
vulnerabilities by giving network-wide access to insiders who previously may have had access to only a single classified system. As one senior intelligence officer explained to the Staff, "anyone on a network, from a clerk, to a guy on the other side of the building can peruse critical information without anyone knowing about it."19
This will become an even greater concern as the CIA and other intelligence agencies continue to link their internal systems together in order to enhance productivity and efficiency. The Staff recognizes that undoubtedly the advantages posed by increased connectivity will be to great to resist. However, connection without protection is a huge risk, and one that may well be minimized with a proper front-end security investment.
The threat from a subnational group, a terrorist organization, or a disaffected individual must also be considered. Recent incidents support the "softness" of U.S. target to physical attacks. The Oklahoma City and World Trade Center bombings, and the series of attacks by the Unabomber, support the proposition that individuals and small groups can do massive physical damage to our infrastructure. The same is clearly true in the virtual world of cyberspace. The Internet, from its inception, was intended to be robust, open and accommodating, emphasizing trust, and not security.
Perhaps more frightening than any threat we are presently familiar with, is the threat we will face in the future. Although the growth of our information infrastructure has been dramatic, most experts agree it is only the beginning of what will be continued
19 A good example of this enhanced vulnerability is seen in a review of the Aldrich Ames spy case. Ames, though attempting to steal classified information, was a computer illiterate and unable to perform even the most basic "download" functions on a computer. Therefore, he had to take home hard copies of documents and retype them. Had he been able to download onto computer disks, or access files throughout the CIA's database, the damage to our national security would have been even greater.
growth and dependency. Technology is advancing and multiplying as computers become quicker and more versatile. There appears to be no limit on the potential expansion of networks and users.20
Along with increases in technology, will come a maturation of a generation of potential bad actors. Many national security experts advised the Staff that it is likely that foreign nations will view information attacks as a cheaper and relatively risk free alternative to conventional intelligence gathering. Furthermore, given our nation's increasing dependency on information networks, foreign adversaries will find it easier to damage our infrastructure. To what extent our nation will be able to defend against this threat in the future is unknown, but clearly more attention must be paid to it today.
20 The use of fiber optic cables will provide virtually unlimited room for Internet traffic. Presently only a small percentage of optical capacity is being used.