A terrorist has tapped into an unsecured U.S. modem that provides access to an electric utility's computer systems. The resulting blackout paralyzes multiple regions of the country. Airplanes are stranded in midflight, subway trains are stilled in darkness underground and elevators are stalled between floors.
By the time the police unsnarl the traffic jams caused by inoperable signal lights, chaos is brewing in the cities and towns that have been left in the dark. Hospitals are flooded with those desperate for medicine. The few medical supplies that do exist cannot be transported because of a fuel shortage. In the meantime, citizens are fighting for the last remaining groceries on bare shelves and have begun bartering their most precious possessions to meet their basic needs. But government officials have little recourse because emergency vehicles are running low on fuel and the National Guard's communications systems are down. Since most of the U.S. Department of Defense's communications ride on the national telecommunications backbone, they too have been crippled, leaving the country's borders open to the terrorist's attack.
This is not the story line for a new high-tech science fiction novel but a potential scenario that has spurred the Defense Department to protect the nation's critical infrastructures--the underpinning of the nation's economy owned and operated by the private sector that could be potential targets for cyberwar. As part of the National Plan for Information Systems Protection announced in January, the government and the private sector will work together to identify the key national security assets and infrastructure systems. The partners will share information about vulnerabilities with each other and with others in the industry.
While that scenario makes a strong case for the operators of critical infrastructures, such as utilities, banks and the national telecommunications grid, to participate in the government's plan, the increasingly interconnected digital world means that no company is immune to cyberattacks--even those not directly involved with the infrastructure. For example, say a hacker launches a denial-of-service attack designed to slow the nation's railways using the unprotected server of a small manufacturing company as the launching pad. In addition to any revenue losses caused by a disruption to mission-critical systems, that manufacturing company could face massive legal liabilities from those who may have been hurt in a resulting train crash.
The infrastructure protection plan would provide the private sector with early warnings about potential attacks and a crucial communications mechanism that a company under attack could turn to for help. This type of effort might have guarded against Internet intruders earlier this year, when some of the most popular e-commerce websites, such as Amazon.com, eBay and Yahoo, were knocked offline by a rash of denial-of-service attacks. While these attacks have served as a wake-up call to many companies in the private sector, they are mere skirmishes in the overall war against hackers and terrorists, government officials say. "When we have the cyber-Chernobyl, it's really going to scare the hell out of everybody," says Jody Westby, president of the Denver-based Work-IT Group, who also works for the Critical Infrastructure Assurance Office (CIAO) to market the government's infrastructure protection efforts.
A FEW OUNCES OF PREVENTION
To prevent the potentially devastating fallout from a cyberattack, Westby urges CEOs and senior management to instill infrastructure protection as a business policy rather than relegate it to a technology issue. But beyond internal actions, CIOs can urge their companies to participate in an information-sharing and analysis center (ISAC), part of the government's overall plan. Various industry sectors will form these ISACs, through which participants can share data about potential threats to their systems with each other and the government.
While information sharing is key to the White House plan, developing this exchange may prove tricky. The private sector, especially the banking and finance industry, has traditionally been loath to share any type of information detailing system vulnerabilities for fear of public embarrassment and shareholder reaction. But the give-and-take might make such risks worthwhile. The private sector can benefit from government-generated data that details potential threats to corporate systems, says John Powers, former commissioner and executive director of the president's Commission on Critical Infrastructure Protection. (Powers has since become the director of research for DEFCON and the chairman of Corporate Communication Resources.) "What the government folks want more than anything else is information related to the types of attacks that are occurring," adds Powers. "One of the things that the private sector should want is a better statement of what the emerging threat is. What they do want is early warning that a prospective attack is possible and even imminent." The needs of the private sector and the government can mesh, he says, by creating ISACs that report details of attacks without including any information that identifies the company whose systems were compromised.
PRIVATE SECTOR BUY-IN
It appears that the private sector is beginning to buy into this plan--after all, what company wants to risk a cyberattack if Uncle Sam can help stop it? Hundreds of industry participants, including those from BellSouth, Cisco Systems Inc., Continental Edison, Microsoft Corp. and others, flocked to a February White House retreat on infrastructure protection. They also formed the Partnership for Critical Infrastructure Security to share information with the Commerce Department about potential vulnerabilities and advanced R&D work in information security and to develop best practices to span the critical infrastructure sectors.
Robert Wright, director of enterprise security at BellSouth, says his company is participating in the partnership because BellSouth realizes that the security of today's networked infrastructure expands beyond individual company boundaries. "The partnership will help establish a more structured process around existing vulnerability assessment, information sharing, and reporting and response procedures," Wright says.
This alliance appeals to those in other industries as well. Rick Holmes, senior director of security and quality assurance at Omaha, Neb.-based Union Pacific Railroad, says his company is interested in forming a partnership with other railroads that would allow them to work together if there was ever an attack on one of their systems. For example, he says the biggest threat to his company's systems is a denial-of-service attack that could hamper operations. During such an assault, he says, he could confer with other railroads to determine if it was an isolated or widespread attack. In that scenario, companies could pool their efforts to ward off the intruder and avoid duplicated work. "If you can systematically cause a denial of service, you can cause a waterfall slowdown," says Holmes. "Having a place or communication method among the railroads would be very beneficial."
The government has already begun this type of work in 21 cities through a program called InfraGard. InfraGard is designed to gather data from the private sector, anonymously detailing intrusions to their systems while providing potential-threat data via alerts. However, the alerts are not sent in real time because the FBI has to analyze and sanitize the data. Holmes adds that by the time he gets the data from the FBI, he's already seen it in other sources. "I don't see a whole lot of sharing going on from the government," Holmes says. "It's not news by the time I get it [from the InfraGard program]."
Omer Soykan has another concern that others in the private sector share. The CIO of New York City-based Broadview International, a mergers and acquisitions company, says he is willing to share information related to the security of his company's systems with members of the banking and financial industry but is concerned about that information being stored by the government. "If we share our security structure with an authority, and it leaks to some organizations that are not friendly to us, it could be very damaging," says Soykan, former managing director of technology planning for the American Stock Exchange. He adds that the government should model its notification efforts after those provided by many antivirus vendors today and provide regular notices to the private sector alerting them to potential threats.
It will be up to the private sector to hammer out these details during the development of an information-sharing strategy. The various sector leaders developing ISACs will form systems based on participants' comfort level and the culture of the particular industry, says John Tritak, director of the CIAO. In addition, while many people think information sharing includes strictly cyberthreat data and security breach incidents, it can also encompass best practices and common methodologies for securing systems, he says. Foremost in the infrastructure protection effort is emphasizing that the government will not be dictating to the private sector.
"There is a recognition that [the government] can't get it right," Tritak says. "We need to better understand the perspective of industry. Partnering with the government is an opportunity to shape the nature of your government partner. The shaping of the partners goes both ways."
The telecommunications and banking industries have each formed an ISAC, and other industry sectors are now developing plans for their own centers. The Information Technology Association of America (ITAA) is heading up efforts to launch an ISAC for the communications sector, where interest was again bolstered by the recent website denial-of-service attacks--which ITAA President Harris Miller describes as a "two-by-four across the head" for the industry. For now, the group is focusing its efforts on information sharing among sector participants, says Miller. "Everyone has to be part of the solution," he says. "If only rich people listen to public health warnings and poor people don't, rich people are going to get sick too because poor people are going to cough all over them. No one should think he or she is immune."
Electric utilities in the mid-Atlantic states have also sprung into action by forming the North American Electric Reliability Council. In late 1999, they began participating in this pilot program to share information regarding possible system intrusions with the FBI's National Information Protection Center, which houses the FBI's computer crime operations, says Gene Gorzelnik, communications director of the Princeton, N.J.-based council. Additional utilities from other regions of the country have also begun participating in the program. Because many utilities have prior experience working with the government to help avoid possible physical threats to their power systems, the concept of cooperating with the feds is not a new one, Gorzelnik says. However, ironing out the details of what types of information will be reported and how often is a key issue.
"You have to look at how to integrate without overloading the system operators with a lot of reporting procedures," Gorzelnik says. "It becomes a problem of identifying what information needs to be passed to the government." In addition to the details of the policies and procedures that need to be specified regarding reporting intrusions, the group is still developing the necessary trust for sharing information with the government, Gorzelnik says. "You want assurances that information you pass will be kept confidential and will not be made public," he adds. "The utilities and the government need to sit down and stare each other in the eye."
For example, it took several years for members of the National Security Telecommunications Advisory Committee (NSTAC) to develop the trusting relationship needed to reveal proprietary information to competitors, says Guy Copeland, vice president of NSTAC's infrastructure advisory program. The NSTAC was formed in 1982 to provide industry-based analysis and recommendations to the president on national security and emergency preparedness issues.
POTENTIAL STUMBLING BLOCKS
Once the private sector overcomes its inherent resistance to sharing information with the government and settles on an information sharing model, the government's critical infrastructure efforts may be hampered by legal impediments, such as the Freedom of Information Act (FOIA). Designed to ensure citizens' access to documents detailing government operations, FOIA rules could hinder infrastructure protection efforts by exposing details of private sector system vulnerabilities to public scrutiny.
Despite the nondisclosure agreements among themselves, members of the Network Security Information Exchange, an ISAC operated by the NSTAC, are growing increasingly concerned that any information they share might be subject to FOIA requests, Copeland says. "They're willing to share information to work a mutual problem, but it has to have a national security reason to be classified," he says. "If it falls into the government's hands unclassified, it could be subject to the FOIA."
Challenges aside, there's a good chance the government and private sector will be able to work together. When the Y2K bug threatened the very same infrastructure that the government's plan aims to protect, CIOs had to convince their managers to pay attention to the issue and loosen their hold on some of their data. The infrastructure protection plan calls for similar cooperation. But this time, CIOs do not have a hard-and-fast deadline--an attack could come any day, and the consequences could be more lethal to a company's operations than Y2K ever was.
Do you have an information-sharing success story or failure to share? Send it to Managing Editor Cheryl Asselin at firstname.lastname@example.org. Heather Harreld is a freelance writer based in Raleigh, North Carolina.
CIOs interested in participating in the government's critical infrastructure protection efforts should call Nancy Wong at the Critical Infrastructure Assurance Office at 202 589-3236. For more information on infrastructure protection or to download a copy of the National Plan for Information Systems Protection, visit the CIAO website at www.ciao.gov.