Critical National Infrastructure

It's great to be home. I look out in this group. It may be the Philosophical Society, but it really looks to me like coming home. I see the Weinbergs, the Rostows. I went to law school because of Chris Dougherty. I have a "family" out here that I very seldom get to see, so it's a real treat for me to be here.

For about a year and a half now, I've lived in Washington. If you visit Washington, a place you must go is the Library of Congress. And if you go to the Library of Congress, you ought to see the Madison Building, and there you ought to take a look at the two great Coronelli globes. These were made in the 1680s for Louis XIV. One is a depiction of the heavens and the other of the earth, as it was known then. If you walk around this magnificent work of art and look at the depiction of California, you'll see the Bay of Baja extends all the way north, enclosing California as an island. Now, this is 1683. So, that depiction was in the teeth of reports by missionaries, trappers, and by Indians who said that California was not, in fact, enclosed by the Bay of Baja. Nevertheless it was a common representation in the maps of that era. So explorers would sail up the side of California, disembark, portage their ships up over the Sierras, and come down to the American desert, which was the largest beach they'd ever seen.

Just like these explorers and like these cartographers, we have mental maps that we hold to with tenacity, maps that structure the way we think, that are habitual with us, maps that we cling to, despite contrary evidence. The most difficult part of the task of infrastructure protection, which I'll talk about today, is shaking off these habits and trying to build structures that cross jurisdictional and psychological lines, that bridge government and the private sector, one nation and many nations, the developed and the undeveloped world. Critical infrastructure is a term of art. It refers to the automated electronic networks that link the commercial and defense sectors, and that if interdicted, would cause a severe disruption in these sectors.

It is a cliché to say that generals always prepare to fight the last war rather than the next one. Everyone in this room and all the generals have heard it. But if it's such a cliché, why do we go on this way? Why do we continue with planning based on what we know of the past? I think it's because what we know about the future is mainly the past. Things are usually pretty much the way they have been. About warfare, we can say three things: that it pits one country against another, that it is waged by governments, not by private parties, and that the victorious party defeats its adversary. This is the past and the way we expect the future to be.

Now, it happens that we are living in one of those relatively rare periods in which the future is very much unlike the past. In fact, the three certainties that I just mentioned about national security, that it is national, not international, that it is public, not private, that it seeks decisive victory, all these lessons of the past, I think, are about to be turned upside down in the future to which we are plunging. The driving force behind this change is communications and computation technology. The objects of change are the basic infrastructures of modern societies that have been the targets of warfare ever since the first modern states emerged.

In the past fifteen years, that short a period, our basic infrastructures in banking and finance, oil and gas and electrical power, telecommunications and transportation, and government services itself have all undergone a fundamental change. Where once it was only a nuisance to a banking transaction if the lights went out, for example, it now can mean a complete interruption. Where previously transportation continued whether or not the telephone lines were down, now planes, and tankers and air cargo are stilled, sometimes dangerously so, if communications are interdicted. Infrastructures that previously were logically and geographically distinct have become interconnected and radically automated. This has led to an increase in national wealth that can be compared, I think, to that brought by the Industrial Revolution. With this dramatic increase in productivity, however, has come an equally dramatic increase in vulnerability. The nodes that connect these infrastructures, those that are critical to their operation, now present far more lucrative targets than the simple bridges and power stations of previous decades.

The belief that our complex information systems are vulnerable to attack is widespread in the government. In May of this year, President Clinton reflected this belief in his Annapolis commencement address. He said, "Our security is challenged increasingly by nontraditional threats from adversaries, both old and new, not only hostile regimes, but also international criminals and terrorists, who cannot defeat us in traditional theaters of battle, but who search instead for new ways to attack by exploiting new technologies and the world's increasing openness." And he went on to say, "Intentional attacks against our critical systems are already underway."

Testifying before a Congressional Committee two summers ago, the then director of Central Intelligence, John Deutch, said that, "Criminal hackers were offering their services to so-called rogue states." "They scheme," he said, "to undo our vital interests through computer intrusions." And he warned against an "electronic Pearl Harbor." This phrase was repeated by deputy secretary of defense, John Hamre, in testimony before the Senate last spring.

A better phrase might be an electronic Agincourt. If you remember the central scene in Shakespeare's Henry V, it sets the stage for a battle that transformed the face of Europe when Henry V's yeomen, armed with long bows, defeated the French knights, the knights of the most powerful state in Europe. That kind of technological transformation of strategy and statecraft, I think, is coming to us now. Not only have the targets become vastly more significant, the weapons of a new age are transforming attacks on those targets.

For five centuries, it has taken a state to destroy a state. And so, for five centuries, states have had to develop a means of deterring or defeating other states. The entire worlds of diplomacy, international law, alliances, naval, air and land warfare are all predicated upon conflicts among states. It took states to create armies, and navies and diplomatic services. Only states could marshal the financial resources to threaten the survival of other states. Only states could organize societies to defend themselves against attacks by states.

We're entering a period, however, when very small numbers of persons, operating with the enormous power of modern computers, can produce greater damage to our American infrastructures than all our previous wars combined. Attacks that render commercial aviation perilous, that cancel even a single week's trading on a major stock exchange, that freeze a natural gas pipeline to a major city in winter: these sorts of events can trigger the economic and political panic that no war has ever brought to this country. And to these threats we must now add the possibility of attacks using weapons of mass destruction that are not delivered by bombers or missiles, but are biological and chemical agents dispersed by crop dusters, or small nuclear weapons ferried into unsuspecting harbors by small boats and other craft.

Information warfare specialists at the Pentagon have estimated that a properly prepared and well coordinated attack by fewer than thirty computer virtuosos with a budget of less than ten million dollars could shut down everything from electric power grids to air traffic control. But this is just speculative. How real are these threats? What's actually happening?

The National Computer Security Center reported that a survey of 520 American businesses, government agencies and universities disclosed that 64 percent had experienced intrusions in the last year, up 16 percent. The Internet was the main point of entry and attack. The FBI estimates that electronic crimes are running at ten billion dollars a year. And it also claims that less than 20 percent of the companies victimized ever report these intrusions to law enforcement agencies. This will not be an easy task for the law enforcement arms of government, even if they had more thorough reporting.

At the beginning of the 1990s, a computer hard drive seized by the FBI would contain about fifty thousand pages of text. Today such an agency would have to deal with five to fifty million pages of data on the same hard drive. Budget-constrained government agencies average more than four years to order, acquire and install new computer systems versus less than nine months in the private sector.

It's estimated that the electronic capabilities of U.S. law enforcement run about five to ten years behind those of transnational crime. For example, ten thousand high-powered scanners, something of that order anyway, are smuggled from Asia into the U.S. every month. These can intercept and record mobile phones, faxes and telephone communications, so that law enforcement computer crime teams can often find themselves being followed by the same hostile agents they thought they were tracking.

It's not an easy task, but it won't get any easier. In the last four years, the computer chip has gone from 1.1 million transistors on a single chip to about 120 million. It's estimated that this figure will soon reach 400 million and can go to 1 billion. Supercomputers will go from 256 billion moves per second to more than a trillion. And by coupling supercomputers, engineers have achieved 10 trillion operations per second. The latest desktop personal computers now have the speed of yesterday's supercomputers. And you, perhaps, all heard the President say that a Ford Taurus has greater computing power in it than did Apollo 7.

More significant simply than these developments in technology are their impacts on strategy. There is still no technology for determining the source of a disguised cyber attack, so that the attack that ends up at the Pentagon that we can trace back to Austin may not have begun in Austin, but may then lead us back to New York, or then to Latvia, back down to the Middle East, back to California, and there the trail may go cold, if we even get that far. Internet users now number about 120 million, 70 million of whom are in the U.S. But five years from now, we think that about 1 billion persons will be online, two-thirds of them living abroad.

It has been publicly reported that eight nations have developed cyber war capabilities comparable to the U.S., and it has been publicly reported that three foreign nations have targeted U.S. systems for cyber attack.

In 1997 a Red Team, an artificial team set up to play a war game or execute an exercise as your adversary, put together by an intelligence agency pretended to be North Korean agents. Thirty-five men and women took hacker tools freely available off the World Wide Web, downloaded them, and they managed to shut down large segments of the American power grid and completely silence the command and control system of the U.S. Pacific Command in Honolulu. In a Red Team Defense Information Systems Agency attack, DISA, the Defense Information Systems Agency, launched some 38,000 computer attacks against its own systems, just to test them. Only 4 percent of the persons in charge of these systems ever realized that they were attacked, and, of these, only 1 in 150 ever reported the intrusion.

Using the tools of information warfare, attackers can overload telephone lines with special software. For example, hackers have rerouted 911 emergency calls to a Swedish sex line. They can reroute and disrupt the operations of air traffic control, shipping and railroad computers. In February of last year, three hackers disrupted logistics planning for U.S. operations in the Gulf, and for many weeks, we thought the source of this was coming from the Gulf, because the hackers had cleverly routed their signals through computers in the Arab Emirates. Hackers can scramble the software for major financial institutions. Citibank lost $10,000,000 to Russian computer hackers a few years ago. Hackers can alter, by remote control, the formulas for medicines in pharmaceutical plants. They can change the pressure in gas pipelines. A hacker group supporting the Mexican Zapatista rebels recently launched a denial of service attack against the Pentagon's primary Internet site and shut it down. The notorious Japanese group, Aum Shinrikyo, was working on computer virus developments when they launched their sarin gas attack in the Tokyo subway.

And this is perhaps the most ominous aspect of cyber attacks, because it is hard to separate the threat posed by terrorism, weapons of mass destruction using chemical, biological and nuclear weapons, and cyber attacks. Any one of these techniques is so useful to the others. I wrote the President's plan for an exercise using biological agents about, I guess it was seven or eight months ago, an exercise ultimately for the Cabinet. I must say I think I missed a very enjoyable career as a thriller writer. I had a great time doing this, but I had to throttle back my more deplorable instincts, because it's so easy to make that scenario horrific by adding onto it something that cripples the response teams that would otherwise be helping.

A coordinated cyber attack is the dream of many terrorists, but CBW, chemical-biological weapons attacks, really begin to produce frightening scenarios, if the means of coping with them, which are highly dependent upon rapid information transfer, are attacked at the same time. Furthermore, an adversary state might well want to shield itself from retaliation by operating not through its armed forces, which I very much doubt we will soon see invitingly arrayed across a desert frontier, but through shadowy agents who pose as terrorists, or act through the infinitely extendable arms of the Internet.

Strategically, the important thing to appreciate about these attacks is their essential ambiguity. It may not be possible, indeed, it is very likely not to be possible, to determine the source of the attack, and so strategies of retaliation and deterrence, which have served us well in the past, become almost useless. In such a world we must move our thinking from threat-based strategies that rely on knowing who our enemy is and where he lives to vulnerability-based strategies that try to make our infrastructures more slippery, more redundant, more versatile, more difficult to attack, and more easily reconstituted.

Today, there is no great power that wishes us harm. In that respect, we are more secure now than at any time since the development of ballistic missiles and nuclear weapons. But that is not to say that we are invulnerable, nor that we face no threats that can be anticipated. Rather, our current situation implies that threats may come from unpredictable corners, not necessarily from great powers, that they may do just as much harm through disruption as we once feared from destruction. If we do not change our strategic approach to cope with this development, we might very well find ourselves in the following dilemma: faced with reports, like the one I described earlier, reports of significant intrusions into our network of critical communications, we might be paralyzed, because we would not know whether the intrusions represented a criminal conspiracy, an attack by a foreign power, a terrorist incident, a software glitch, or even a college prank. Not knowing the source of a threat, we wouldn't be able to assign a response to any particular division of government.

Let me give you this thought experiment: imagine a Principals Committee meeting. This is a subcommittee of the NSC, composed of those cabinet officials devoted to national security affairs. Imagine a room, a small paneled room, where there are the Secretaries of State, of Defense, the Attorney General, the Director of Central Intelligence, the National Security Advisor. Imagine that a trap door in a computer program, that is, a line of code that has been secretly inserted to allow the attacker to re-enter at some subsequent date, suppose this trap door, implanted at some time in the past by unknown parties, has recently been used by an Internet operator to enter a Pentagon system and send false commands to our satellites in space. Now, this is obviously a crime, so perhaps the Attorney General is the first to speak, and she says, "The FBI is on the case." But the National Security Advisor objects. He says, "What is wanted is not a prosecution, not even a criminal investigation just yet, because this would alert the persons who have broken in. What we really want is to send the hackers false data, so we can mislead them, get them to show their hand and either retaliate or isolate them, and find out who's behind this. This is a job for the Defense Department." But the Secretary of Defense objects that the computer used is a domestic one. It has a U.S. IP address. While the original signal may indeed have come from overseas, all we know is that the point of departure is the U.S. It's not a Defense matter. Perhaps the Intel people can track it down. Well, not NSA, they're under DOD. Not CIA, who, like NSA, is restricted from spying on a U.S. person. In any case, if the Central Intelligence Agency were to act, would this require a Presidential finding? And how could the President execute a finding, authorizing a hackback (that's tracing back to the original computer), since we don't know against whom it is directed?
Which takes us back to the Attorney General and the FBI. But now, the Secretary of State enters the fray, and she says that no action can be taken. It violates the rights of neutral states, so if the FBI tracks its signals back, they have to stop if one of these signals takes them through a neutral IP address. Nor can the FBI violate the laws of an ally. Now, Britain has a Computer Misuse Act. This broadly proscribes any person from causing a computer to perform any function with intent to secure unauthorized access to any data held in any computer. Because the Internet was designed to withstand a nuclear attack by sending message packets through any working node, this UK statute could have a very broad application. An American, routing his attack against Department of Defense computers through a UK address, would claim the protection of the UK law against U.S. investigators. And so, the AG throws the ball back. Back to whom?

We cannot depend upon jurisdictional allocations of authority that rely upon knowing the source of the threat, but those are our jurisdictional allocations under our current system. There are no clear lines among these threats. The attacks don't arrive with labels that tell us whether they are the result of one form of conspiracy or attack or another. So, you have to craft a governmental structure that is supple and flexible enough to react in an environment of unprecedented uncertainty. Above all, you must avoid the paralysis that can seize a government when the jurisdictional lines along which we habitually act do not neatly correspond to the known facts of the instant. This will require a profound shift in our habitual ways of thinking.

I gave a talk at the Naval War College some months ago to officers who are there to play a scripted war game, and after I said something like what I've just said to you about the ambiguity of attacks, one of the young officers raised his hand and said, "But, sir, we know who our attacker is. It's the Red Team." And you can see how naturally this would come to someone. In fact, we all have to learn to think in new ways.

National security will cease to be defined in terms of borders and territory alone, because the links among our critical infrastructures, as well as the attacks on them, exist in cyberspace, not on an invaded plane marked by the seizure and holding of territory. The line between the public and the private that has been the essential division in our society will be blurred, because most of these critical infrastructures are in the hands of the private sector. Indeed, it's often said that more than 95 percent of all Pentagon traffic goes along highly vulnerable publicly owned lines. I would say that the U.S. military and civilian structure is almost the same. This means we'll have to take in new security partners, drawn from the private sector, in order to protect the public good. There will be no final victory in such a war. Rather, victory consists in having the resources and the ingenuity to avoid defeat.

Now, if that sounds bleak, let me remind you that it is the consequence of our unprecedented success. We have dominated the present era because we were best situated to benefit from a globalized market, and because we did not shrink from international leadership, even when we became vulnerable to weapons of mass destruction. Now we're learning that the same forces that brought globalization and universal vulnerability are bringing a new ubiquity of threats.

In May, the President signed Presidential Decision Directive 63. PDD 63 sets in motion a process to produce a national plan for critical infrastructure protection, and that plan will be made public early this next year. But no plan can provide the change in our way of thinking that this new era demands. Structures can facilitate new approaches, but, at some point, a community must arise that will sustain these new approaches.

"Once in a while," Graham Greene wrote, "a door opens and lets in the future." I think we are at such a moment.