Security Threats Presidents Commission on Critical Infrastructure Protection October 1997

1
Security ThreatsPresidents Commission on
Critical Infrastructure ProtectionOctober 1997

• Carlo Musante
• 16 February, 1998
• CSC4992

2
Government Action

• Executive Order 13010 (July 15,1996) established
  the President's Commission on Critical
  Infrastructure Protection. The Commission was
  chartered to conduct a comprehensive review and
  recommend a national policy for protecting
  critical infrastructures and assuring their
  continued operation.

3
Sectors of Vulnerabilities

• Information and Communications.
• Banking and Finance.
• Energy, Including Electrical Power, Oil and Gas.
• Physical Distribution.
• Vital Human Services.

4
Dependence on Infrastructure

• The development of the computer and its
  astonishingly rapid improvements have ushered in
  the Information Age that affects almost all
  aspects of American commerce and society.
• Our security, economy, way of life, and perhaps
  even survival, are now dependent on the
  interrelated trio of electrical energy,
  communications, and computers.

5
Vulnerabilities

• Classical - A satchel of dynamite or a truckload
  of fertilizer and diesel fuel have been frequent
  terrorist tools. The explosion and the damage are
  so certain to draw attention that these kinds of
  attacks continue to be among the probable threats
  to our infrastructures.

6
Vulnerabilities

• Modern - Today, the right command sent over a
  network to a power generating station's control
  computer could be just as effective as a backpack
  full of explosives, and the perpetrator would be
  harder to identify and apprehend.

7
Spectrum of Threat

• Natural Events - Extreme storms, floods,
  earthquakes
• Accidents - Fire, floods, damage to
  infrastructure
• Blunders and omissions - incompetent,
  inquisitive, or unintentional human actions
• Insiders - use authorized access for unauthorized
  disruptive purposes.
• Recreational Hacker - For challenge and sport.
• Criminal Activity - Personal gain.

8
Spectrum of Threat

• Industrial Espionage - Discover what and how your
  competitors function.
• Terrorism - Attempt to influence policy
• National Intelligence - Discovery of other
  nations secrets for economic, political or
  military purposes.
• Information Warfare - Physical and/or cyber
  attacks to disrupt military operations or
  economic activities.

9
Minimizing Threats

• Understand the system.
• Constant vigilance.
• Monitor information on public sites.
• Collect information on tools used.
• Conduct research into defensive technologies.
• Share defensive techniques and best practices.

10
Lack of Awareness

• Extent of vulnerabilities unknown to the general
  public
• No national focus.
• Awareness is improving.
• Presidents Commission on Critical Infrastructure
  Protection report.

11
New Thinking Required

• Old threats separated by geographical boundaries.
• Cyberspace removes national borders.
• Serious cyber attacks can be swift and
  untraceable.
• Jurisdiction between national defense agencies
  and domestic law enforcement is unclear.

12
Build for the Future

• No imminent or credible threat of attack.
• Cost of protection low but will increase.
• Cost of mounting effective attacks dropping.
• Be proactive, not reactive.

13
Infrastructure Assurance

• National security requires more than military
  strength.
• Military operations becoming more dependent on
  availability of infrastructure.
• Cyber attack more likely than military attack.
• Military and private infrastructure becoming less
  separate.
• Techniques of protection, mitigation and
  restoration largely the same.
• All parties involved should share responsibility.

14
Awareness and Education

• White House Conferences.
• National Academy studies.
• Presentations at industry associations and
  professional societies.
• Development of elementary and secondary
  curricula.
• Sponsorship of graduate studies and programs.

15
First Steps

• Sharing of techniques between various sectors.
• Evaluation of vulnerabilities by NIST and NSA.
• Quantitative risk-analysis of vulnerabilities
  from physical or cyber attack and cascade
  effects.
• Isolate critical control systems from insecure
  networks.
• Install modern authentication mechanisms.
• Provide for individual accountability.
• Develop a national center for analysis.

16
New and Improved Laws

• Current laws require further definition to
  eliminate the gray areas.
• Provide means for for agencies to take
  precautions proportionate to the threat.
• Provide a greater degree of government-industry
  partnership for information sharing.
• Require cooperation at local,state and federal
  levels.

17
Research and Development

• Basic technology exists but not fully deployed.
• Research required to improve basic technology.
• Required for future capabilities like intrusion
  detection and identification, system simulation
  and modeling of interconnected but independent
  systems.

18
National Organization Structure

• Sector Coordinators
• Lead Agencies
• National Infrastructure Assurance Council
• Information Sharing and Analysis Center
• Infrastructure Assurance Support Office
• Office of National Infrastructure Assurance

19
Conclusion

• Infrastructure assurance a high priority.
• Geographical boundaries no longer offer
  protection for information and telecommunication
  infrastructures.
• New vulnerabilities exist.
• Public/private sectors must share responsibility.
• Structure needed to assure future security.