"Information Security Risks, Opportunities, and the Bottom Line"
at the Sam Nunn NationsBank Policy Forum on
"Information Security Risks, Opportunities, and the Bottom Line"
Georgia Institute of Technology, Atlanta
April 6, 1998
Senator Nunn, President Clough, Dean Freeman, General Marsh, Ladies and Gentlemen:
On February 26th, the Washington Post reported that eleven U.S. military systems were subjected to an "electronic assault." While the perpetrators were not initially known, they hid their tracks by routing their attack through the United Arab Emirates computer systems. While no classified systems were penetrated and no classified records were accessed, logistics, administration, and accounting systems were accessed. These systems are the central core of data necessary to manage our military forces and deploy them to the field. In the end, we found that two young hackers from California had perpetrated the attacks via the UAE under the direction of a teenage hacker from Israel.
This should not surprise us . . . as Senator Nunn noted, a recent DoD study said that DoD systems were attacked a quarter of a million times in 1995. As a test, a Defense Department organization that same year conducted 38,000 attacks of their own. They were successful 65 per cent of the time. And 63 per cent of the attacks went completely undetected.
We have spent years making systems interoperable, easy to access and easy to use. Yet we still rely on the same methods of security that we did when data systems consisted of large mainframe computers, housed in closed rooms with limited physical access.
The fact is that we are currently building an information infrastructure -- the most complex systems the world has ever known -- on an insecure foundation. We have ignored the need to build trust into our systems. Simply hoping that someday we can add the needed security before it is too late is not a strategy.
Protecting our critical information infrastructure is an issue that I care deeply about and one that requires attention from us all. Our national security and our economic well being depend upon it, and I am thankful that Senator Nunn and others have chosen to bring this issue to the forefront to engage the leaders of industry in finding creative solutions to this difficult issue.
I want to explore three themes today.
- First, we are growing increasingly dependent on information systems for commercial and government activities.
- Second, our adversaries recognize this dependence and are developing tools to attack our information systems.
- Third, protecting our systems will require an unprecedented level of cooperation between government and the private sector.
Our American way of life increasingly relies on electronic networks for the flow of essential information. As General Marsh just said, information networks are becoming a backbone service we take for granted, much like we take electricity for granted today. Every time we flick on a switch, every time we use an ATM, every time we pick up the phone, we rely on the secure and uninterrupted flow of digital information and the computers that control it.
Protecting our critical information systems and the data on them will be key to our survival as the world's leading economic power and as the world's leader in information technology. You know far better than I that the Internet and other digital networks will create enormous opportunities for American business in a world where electronic commerce and information flows without geographic boundaries.
The business of national security also relies on information technology and information systems. More than 95 percent of all defense telecommunications travel on commercial circuits and networks. Many of these networks provide vital connectivity between facilities here and those overseas. These links allow the Defense Department to operate with greater efficiency and with considerable savings.
Operation Desert Storm highlighted the increasing reliance of US forces on information-based technologies. Seven years ago deploying to the Gulf meant not only high-tech weaponry and sophisticated intelligence systems but also a communications volume of 100,000 messages and 700,000 phone calls a day. There is little doubt that information superiority will be key to surviving and winning military conflicts in the 21st century.
Unfortunately, our heavy and growing societal and strategic dependence on information technologies and information systems has created vulnerabilities -- vulnerabilities to our economic institutions, to the systems that support public needs, to our privacy, and to our military capabilities. I know that the extent of our vulnerabilities is still to be studied and debated.
While the technical experts sort out the strengths and weaknesses in our information systems, your Intelligence Community has the job of determining what foreign entities may be doing to penetrate, damage, or destroy our information systems; in short, I'm talking about Information Warfare.
The White House, the Congress, the Defense Department, and public audiences like you increasingly ask me about the Information Warfare threat. I am here to tell you that the threat is real and it's growing.
The number of known potential adversaries conducting research on information attacks is increasing rapidly and includes intelligence services, military organizations and non-state entities such as terrorism groups.
Technology will increase the sophistication of their capabilities and will continue to reduce the cost of attack and the risk if security remains where it is today.
So it is reasonable to expect that, unless something is done to improve security, the number of attackers and the damage they can do will continue to grow.
And the attackers have enormous incentives.
- Trillions of dollars in financial transactions and commerce moving over a medium that has minimal protection and sporadic law enforcement.
- Increasing quantities of intellectual property residing on networked systems.
- And the opportunity to disrupt military effectiveness and public safety, with elements of surprise and anonymity.
Who would do such a thing? Attackers include national intelligence and military organizations, terrorists, criminals, industrial competitors, hackers, and aggrieved or disloyal insiders. Each of these adversaries is motivated by different objectives and constrained by different levels of resources, technical expertise, access to the target, and risk tolerance.
All of these adversaries are competent to conduct cyber attacks, but the state sponsored terrorists and military Information Warfare people pose the greatest risk to our critical infrastructure because they have the greatest knowledge and resources.
I can tell you that foreign governments and their military services are paying increasing attention to the concept of "Information Warfare". Foreign military writings discuss the importance of disrupting the flow of information in combat. The battlespace of the future also will extend to our domestic information infrastructure, such as our electric power grids and our telecommunications networks - in short, the very foundations of our economy.
Terrorists and criminal groups have been using encryption and other information technologies to hide their operations for some time. Terrorist groups now have their own web pages. The emerging trend now is for these groups to use those technologies offensively; that is, to gain access to information systems in order to damage them or to steal data. I can tell you that the level of sophistication of their attacks is growing.
The Information Warfare threat is something we all have to worry about and take action to protect ourselves against. Many of the threats that private sector CEOs face are similar to ours in government -- the same cyber tools, techniques, and skills are used against both our assets. I call this "shared vulnerabilities." Though expensive, building reliable security measures is less costly than suffering the theft of the "crown jewels." And the more widespread the use of effective security technology, the lower the cost. Bank CEOs don't think twice about making physical security investments in vault doors, alarms and so forth -- investments which are hugely more costly than the investments currently being made in cyber security. But how many vault doors will banks need in an era of cyber cash and smart cards?
The most important action that I can take as Director of Central Intelligence is to provide adequate warning of cyber threats to our nation's security decisionmakers in Washington and military command posts overseas. Through existing mechanisms, threat information can be passed to the private sector.
To perform our warning function, intelligence analysts need to have the information that will allow them to assess foreign intentions and capabilities.
Unfortunately, cyber threats are a difficult intelligence target. They are cheap, they require little infrastructure, and the technology required is dual use. In short, they are exceptionally easy to conceal.
In addition, intrusion detection technology is still in its infancy. When attacks are detected, the source of the attack is often disguised. Attacks are difficult to trace, particularly since the U.S. government is not allowed to conduct hot pursuit without a warrant.
These are enormous challenges and we in the Intelligence Community are taking them on. Most importantly, we have taken steps to focus our analytical and collection resources on this threat. I have also taken steps to increase the level of cooperation between intelligence analysts and their counterparts in the law enforcement community.
We as a nation need to develop a totally new way of thinking about this problem. Just as we took on the Soviet nuclear threat in the middle of this century, we will need a new collection discipline, new analytic approaches, and new partnerships to deal with the information warfare threat in the 21st century. Neither government nor industry can solve these problems alone. We will have a much better chance of finding solutions if we work together over the long haul.
So what is needed, I think, is obvious to all--security. What is less discussed is the need to bind a system of trust to the security systems. This is the only way that security will be truly achieved.
What do I mean by this? Security is concerned with locks, fences, and guards. Trust is about whether they work. In network terms, security is not just about encryption . . . but also is about authentication, digital signatures, data integrity, and non-repudiation. Trust is about key management, digital certificates, and policy--such as what your privileges are, what you are authorized or not authorized to do with your digital signature.
Much of the public discussion and rhetoric is about encryption--with little attention focused on what is needed to make the use of encryption trustworthy. The technology to bring good information security to networks is fairly well developed and understood. It is based on the use of public key encryption and digital signatures. The means to provide trust is less well understood and is called key management infrastructure. It is the system that binds public keys to users and provides the trust component in electronic security.
The true potential of encryption will not be realized without key management infrastructures that provide this trust. These infrastructures allow the generation and distribution of encryption keys to a large number of people, making it possible for millions to communicate easily with each other without advance preparation to distribute an encryption or a decryption key. They ensure that communications across networks are trustworthy--so that individuals will have confidence in the identification of those with whom they communicate.
Efforts to provide key management infrastructure services for products with encryption are currently uncoordinated, immature and lagging behind the introduction of electronic commerce services.
The result is twofold:
- First, products without a supporting infrastructure are usually not interoperable or scalable.
- Second, the security of new network services is poor. The use of encryption without digital certificate services, digital signature and authentication provides inadequate trust for widespread use.
The problem of trust will require shared effort across industry and government. Neither of us can solve it alone. The lack of trust is neither an entirely public nor an entirely private problem.
The risk electronic networks pose without solving the trust issue is common to government, business, and citizens alike. Reducing that risk will require coordinated efforts within and between the private and public sectors.
Ladies and gentlemen, let me say again, we cannot keep building new capabilities on a poor foundation of security. We cannot ignore the need to build trust into our information systems any longer. It is folly to hope that someday we can add needed elements before it's too late. The longer we wait, the more our country is exposed, and the costlier it will be to address the problem.
Think about it for a moment - we share the same network with our adversaries. I will say it again: We are staking our future on a resource that we have not yet learned to protect. The number of known potential adversaries conducting research on information attacks is growing rapidly. Technology is increasing the sophistication of their capabilities. Meanwhile, if our security remains where it is now, the risks and costs of attacking us will keep getting lower. Government and industry are in this together and we must work these problems out together.
The need for cooperation between government and industry in building trustworthy key management infrastructure is paramount to meeting our common interests of electronic networks that meet our business needs without introducing vulnerabilities into those systems.
This may be one of the most important questions for American leadership as we approach the next century. The vitality of our industry depends on it, the security of our country depends on it . . . and the solutions depend on trust.
If we are going to lead the world in information technology we must recreate the trust that existed between our government and our industry that allowed us to lead the free world for over forty years. We still have the power to lead by our example, and we still have the time to do what is right.
I want to again express my gratitude to Sam Nunn, Georgia Tech, Emory University and NationsBank for giving me this opportunity to present my perspective on this compelling national security issue. Sam Nunn continues to be a driving force on this topic and I am looking forward to continuing the dialogue.