FEATURES AND COMMENTARY
Deborah Radcliff reported for IDG: It’s April Fool’s Day, 2002. Glitches in air traffic controller screens nearly cause a collision above New York’s LaGuardia Airport. Two weeks later, California Independent System Operator Corp., which controls California’s power grid, somehow misplaces an electrical energy order to Southern California Edison, leaving two-thirds of San Diego in the dark. Then in May, a high-power microwave burst fries the electronics at an abortion clinic in Virginia.
Hypothetical “information warfare” (IW) exercises like these are being played out around the country in preparation for what politicians, the military and law enforcement officials fear will be an orchestrated cyberattack on critical U.S. infrastructure companies. The theory goes that if a well-funded, organized series of cyberattacks were to strike at a target’s economic and structural nerve centers, it would send the target society into chaos and make it difficult for the military to communicate and move troops.
This particular information war game was played out among 75 IT executives attending an IW workshop at the SANS Institute’s Joint Computer Security Conference in Monterey, Calif.
“In the worst-case scenario, every major industry sector would be affected,” says Stephen Northcutt, a SANS fellow and a former military IW expert who led the animated workshop at the conference. Note that most of the targets in Northcutt’s IW games are private-sector companies.
“When you’re talking about information warfare, you’re talking about information systems used to cripple the government and economy,” says John Tritak, director of the Critical Infrastructure Assurance Office (CIAO) in Washington. “Close to 90 percent of those critical infrastructure companies are privately owned and operated.”
The CIAO, formed in 1998 under presidential directive PDD-63, outlines a national infrastructure protection plan to bring better security and reporting to the telecommunications, transportation, emergency services, energy and financial industries. The directive deems those industries as critical to the nation’s operational infrastructure. Although President Bush isn’t bound to support the directive, Tritak and others say they hope PDD-63 will remain in effect.
In two years, IW preparedness has moved forward the fastest in the highly regulated and well-organized financial, energy and telecommunications sectors, say Tritak and others. But IT leaders in the private sector say they’re hesitant to report incidents to agencies like the CIAO and the FBI. Still, Tritak says the agencies need this information for intelligence and predictive analysis.
While the impact of IW bears the same uncertainty as Y2K, many IW experts say cyberterrorism and cyberwarfare are inevitable. In the past year, hacking hobbyists have shown how easy it is to propagate viruses throughout Internet-connected mail systems. They’ve also shown they can hack armies of unwitting computers and make those computers do their bidding. Now, the U.S. government is thinking about what terrorists with more resources could accomplish. And so are countries like China and Russia, which are developing their own IW capabilities, according to Richard Power in the book Tangled Web.
The directive that created the CIAO is a national defense document that, ironically, relies on the private sector to accomplish its mission. Telling that to executives hasn’t been easy.
“The concept of information warfare doesn’t present a compelling case to the CEO and the board, whose responsibility is to their shareholders and customers,” Tritak explains. “But as they begin to see that operating in a reliable and secure business environment is part of taking full advantage of the Information Age, they get it.”
To make this business connection, the CIAO recruited a private-sector security expert, Nancy Wong, from San Francisco-based Pacific Gas and Electric Co., to help develop a business-friendly framework and get the message out. Wong soon learned she had a third challenge: keeping government, in its zeal to protect, from crossing constitutional lines between public and private sectors.
“We put in place a road map to identify who are the people who have the most influence in business risk management — financial security analysts, bond raters, corporate executives, even auditors,” Wong says. “We’re using existing networks by cascading information through their members to the people who communicate it even further.”
The networks Wong refers to include industry associations like the Institute of Internal Auditors, the North American Energy Reliability Council and the National Security Telecommunications Advisory Committee.
The CIAO’s strategy of taking advantage of existing networks — and their built-in emergency preparedness — helped speed along the formation of the first of two Information Sharing and Analysis Centers (ISAC) for the financial and telecommunications industries. ISACs are privately owned, industry-specific cooperatives through which the government plans to channel warnings out to the private sector. The government also plans to use ISACs to gather intelligence it needs to better predict an orchestrated attack.