The National Security Agency "is applying its unique expertise to develop the fundamental technology to create a national cyber-attack detection and response capability," says Air Force Lieutenant General Kenneth A. Minihan. He emphasizes that "information superiority in the Information Age is a clear national imperative."
"We are at risk. America depends on computers. They control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans, to criminal records. Although we trust them, they are vulnerable -- to the effects of poor design and insufficient quality control, to accident, and perhaps most alarmingly, to deliberate attack. The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb."
-- "Computers at Risk," National Research Council, 1991
Introduction
Perhaps the most remarkable thing about the words quoted above is that they were written almost at the dawn of the Information Age. Until recently, we as a nation have paid them little heed. The United States, and the rest of the world, continue to charge headlong into the information revolution -- information technology is making profound inroads into the very fabric of our society and our economy as a nation in the global community. In a very real sense, the "Information Superhighway" has become the economic lifeblood of our nation.
While leading the world into the Information Age, at the same time the United States has become uniquely dependent on information technology -- computers and the global network that connects them together. This dependency has become a clear and compelling threat to our economic well-being, our public safety, and our national security.
The world's networks, referred to by many as "cyberspace," know no physical boundaries. Our increasing connectivity to and through cyberspace increases our exposure to traditional adversaries and a growing body of new ones. Terrorists, radical groups, narcotics traffickers, and organized crime will join adversarial nation-states in making use of a burgeoning array of sophisticated information attack tools. Information attacks can supplement or replace traditional military attacks, greatly complicating and expanding the vulnerabilities we must anticipate and counter. The resources at risk include not only information stored on or traversing cyberspace, but all of the components of our national infrastructure that depend upon information technology and the timely availability of accurate data. These include the telecommunications infrastructure itself; our banking and financial systems; the electrical power system; other energy systems, such as oil and gas pipelines; our transportation networks; water distribution systems; medical and health care systems; emergency services, such as police, fire, and rescue; and government operations at all levels. All are necessary for economic success and national security.
Information Assurance -- the National Goal
On May 22, 1998, the president signed Presidential Decision Directive 63 (PDD-63) on Critical Infrastructure Protection. In it he states: "I intend that the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems.
The national goal is that by no later than the year 2000, the United States shall have achieved an initial operating capability and no later than five years from today the United States shall have achieved and shall maintain the ability to protect our nation's critical infrastructures from intentional acts that would significantly diminish the abilities of:
State and local governments to maintain order and to deliver minimum essential public services;
The private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial, and transportation services."
Essential Elements
Any strategy for enhancing the robustness of our critical infrastructures must contain three basic elements: increased protection against cyber attack, the ability to detect when an attack is occurring, and the capability to respond and/or recover when an attack is detected.
Increased protection against cyber attack is founded upon encryption technology -- including digital signatures -- to provide the authentication, integrity, non-repudiation, and privacy/confidentiality services necessary for information assurance. Strong digital-signature-based authentication used to provide positive access control is perhaps the most powerful tool in protecting against cyber attack. Digital signature also provides for integrity of electronic information and non-repudiation of cyber-transactions. Encryption is applied to desktops, file servers, and across networks to assure the privacy of sensitive government, business, and personal information. Once the almost exclusive province of governments, encryption technology is now widely available in the commercial marketplace, and is a fundamental enabler for information assurance. In fact, on September 16, 1998, the vice president announced a major updating of U.S. Export Control Policy on Encryption Technology, a clear indication of its importance to critical infrastructure protection, as well as global electronic commerce and economic prosperity.
Given the coming of age of encryption technology, the remaining challenge is to apply the technology in a coherent and effective way to all of our critical infrastructures. To do this requires both a framework for application of the encryption services in a scalable, interoperable way, along with the establishment of a supporting public key infrastructure (PKI) to provide robust and globally recognizable digital signature and encryption key certificates, the individually unique "electronic ID" of the Information Age. PKI services are now emerging in the private sector to meet the demands of global electronic commerce and can be leveraged to support critical infrastructure protection.
In the areas of diagnosing, detecting, and responding to cyber attack, the technologies are not so mature or effective. Today, the United States has little ability to detect or recognize a cyber attack against either government or private sector infrastructures, and even less capability to react. The ability to identify a strategic cyber attack against one or several critical infrastructure components, and respond in appropriate fashion, is clearly a significant national security issue. One complicating factor is that computer intrusions have been traditionally regarded as a criminal event and within the purview of law enforcement. When an intrusion occurred, the intruder was (hopefully) tracked down, arrested, and prosecuted. Further, many private sector entities were reluctant to share information about computer intrusions, fearing adverse press coverage (e.g., newspaper headlines such as "Bank Losses Put at Millions in Computer Break-in" or "Hackers Disrupt Telephone Service") and public reaction. To build an effective national cyber-defense capability, new rules of engagement must be developed to allow open and dynamic collaboration among the private sector, the law enforcement community, and the national security community.
Emerging Information Assurance Role of the National Security Agency
In the Information Age, the National Security Agency's traditional missions of Signals Intelligence and Information Systems Security are evolving into one of providing information superiority for the United States and its allies. Central to this construct is an in-depth understanding of the Global Information Infrastructure and the vulnerabilities of networked information systems to cyber attack. On the defensive side of this mission, the NSA has undertaken a series of initiatives to provide the technical foundation to protect our critical infrastructures.
As mentioned earlier, encryption technology has become widely available in the commercial marketplace and is the basic foundation for protecting information systems from cyber attack. The bad news is that the many products available do not securely interoperate with each other and are of varying robustness, and that there are many, often confusing, ways to apply encryption. As an example, there is e-mail encryption, file encryption, web encryption, link encryption, and virtual private network encryption, just to name a few of the variations. To remedy this situation, the NSA has formed a partnership with the leading suppliers of security-enabled information technology to develop a common framework for encryption services to provide enterprise-wide information assurance solutions. This framework defines a coherent way to apply encryption technology to the enterprise, along with how encryption interacts with and supports other security-related technologies and products, e.g., firewalls, servers, routers, operating systems, intrusion detection, malicious code detection, audit tools, and public key infrastructure services.
Another dimension of the problem is the varying degrees of robustness in the many security-relevant products in the marketplace. To address this issue, the NSA has formed a partnership with the National Institute for Standards and Technology (NIST). Under this arrangement, the NSA and the NIST will certify commercial laboratories to evaluate commercial security-relevant products, either to validate the vendor's security claims, or to validate compliance with the requirements of the network security framework. Testing of the products will be done by the certified laboratories on a fee-for-service basis, with cost and schedule negotiated between the lab and the product vendor.
Lastly, the National Security Agency believes the nation needs a shared array of national security information assurance elements and is applying its unique expertise to develop the fundamental technology to create a national cyber-attack detection and response capability. The approach integrates a variety of sensors that can be applied at critical infrastructure locations and in the underlying telecommunications infrastructure itself, with sophisticated, broad-scale analytic techniques to provide a dynamic view of the threats to critical infrastructures from global cyberspace. These techniques should be shared by an array of national security, federal, industry, and regional components to allow concurrent detection, defense, reconstitution, and recovery of vital services.
In Conclusion
The economic prosperity that our nation enjoys today is largely founded in the Information Age and in our global leadership in information technology. Our continued leadership and prosperity in the global economy may well hinge on our national commitment to act as leaders in bringing integrity and responsibility -- information assurance -- to the global information environment we have helped to create. The administration has sent a clear message via PDD-63 that the time to act is now, and the NSA is well-positioned and ready to support the charge with our technical know-how. Information superiority in the Information Age is a clear national imperative.
U.S. Foreign Policy Agenda, USIA Electronic Journal, Vol. 3, No. 4, November 1998