By Dr. Bob Uda, Ph.D., CM, CHSP, ILO (Reporter)

U.S. Policy to Prevent a Cyber Attack - Part 1



Technology has outpaced policy in cyberspace. Today’s cyber criminals are technologically agile, perceptive, and evasive. To beat them, there must be a unified effort between government and the private sector. There are no rules about what government or private entities can do if terrorists attack their networks.

The United States is already in a cyber war. Yet current policies prevent the United States from pursuing cyber threats based in and originating from foreign countries. As is usually the case, we create policies to hamper ourselves, not hamper the enemy. Obviously, current U.S. cyberwarfare strategy is dysfunctional. To compound matters, incompatible U.S. cyber forces do not communicate with one another, thereby resulting in a disjointed effort. Hence, it may take a cyber version of the 2001 terrorist attacks for the country to realize it must re-examine its approach to cyberwarfare.

In the National Strategy for Homeland Security, the Homeland Security Council states that many of our nation’s essential and emergency services, as well as our critical infrastructure, rely on the uninterrupted use of the Internet and the communications, data, monitoring, and control systems that comprise our cyber infrastructure. A cyber attack could be debilitating to our highly interdependent critical infrastructure and key resources (CI/KR) and ultimately to our economy and national security (Anonymous, 2007).

As a nation, our policies to prevent cyberterrorism need to help shore up our strengths and help convert our weaknesses into strengths. This piece presents an evaluation of the strengths and weaknesses of U.S. policy to prevent a cyber attack.

Computer Security Effects on Critical Infrastructure

Our Nation’s Critical Infrastructure. The arsenal of modern weapons that terrorists might someday use to disrupt power grids, gas lines, and other parts of the nation’s critical infrastructure includes conventional weapons as well as bits and bytes – in other words, cyberterror attacks. The cyber threat to the electricity we use and the water we drink is real, experts say, but there’s no need to panic – at least not yet (Blau, 2004). The trouble is, we never panic before a major terrorist event, but we do panic after a major terrorist event. Take 9/11, for example: Congress finally did something by passing legislation and allocating sufficient funding to fight the Global War on Terrorism (GWOT). Now that over nine years have passed since 9/11, everyone is falling back into a deep sleep. Some people do not believe we face a cyberterror threat. However, just wait until it happens; then Congress will take some significant actions to counter that threat. Let us hope it will not be too little too late.

Threat to Our Water Supplies. Regarding the cyber threat to the water we drink, automated water supply control systems have long been a subject of concern from U.S. infrastructure protection specialists. A 1997 report by the Clinton Administration’s Presidential Commission on Critical Infrastructure stated, “Cyber vulnerabilities include the increasing reliance on SCADA [Supervisory Control and Data Acquisition] systems for control of the flow and pressure of water supplies” (Swichtenberg, 2002).  Hence, the threat is real and anticipated.

Securing Cyberspace. According to an estimate, the cost to our economy from attacks on our information systems has grown by 400 percent within four years, but it still has limits. In one day, however, that could drastically change. Every day, somewhere in America, an individual company or a home computer user suffers what, for them, are significantly damaging or catastrophic losses from cyber attacks. The ingredients are present for that kind of damage to occur on a national level, i.e., to our national networks and the systems they run upon and upon which the nation depends. Our potential enemies have the intent. Their tools of destruction are broadly available. Additionally, the vulnerabilities of our systems are myriad and well known. In cyberspace, a single act can inflict damage in multiple locations simultaneously without the attacker ever physically needing to enter the United States (Anonymous, 2002). In January 2008, I experienced a personal computer crash, which totally locked up my computer. I suspect that a virus brought in from an email attachment destroyed the hard drive. As discussed earlier in this paragraph, the catastrophic loss of data I had experienced was damaging to me.

Cyber Incidents. A cyber-related incident of national significance may take many forms: (1) an organized cyber attack, (2) an uncontrolled exploit such as a virus or worm, (3) a natural disaster with significant cyber consequences, or (4) other incidents capable of causing extensive damage to critical infrastructure or key assets. Large-scale cyber incidents may overwhelm government and private sector resources by disrupting the Internet and/or taxing critical infrastructure information systems. Complications from disruptions of this magnitude may threaten lives, property, the economy, and national security. Rapid identification, information exchange, investigation, and coordinated response and remediation often can mitigate the damage caused by this type of malicious cyberspace activity (Bullock, Haddow, Coppola, Ergin, Westerman, & Yeletaysi, 2006).

A Real-life Example. I previously worked at BAE Systems, Inc., one of the largest defense firms in the world. BAE constantly upgrades its information technology (IT) systems to counter hackers and trained adversaries from foreign countries. The BAE Systems command, control, computing, & intelligence (C3I) business area located in San Diego, California, possesses a business continuity and emergency response plan that covers emergency response, crisis management, and business recovery. This company is prepared to deal with terrorist action, HAZMAT incidents, and natural disasters … among other threats. In October 2007, BAE successfully employed/deployed its emergency response plan and emergency response team during the wildfires in San Diego County. All response activities went according to plan.

Does Tighter Physical Security Promulgate Cyber Attacks? Clay Wilson, a technology and national security specialist at the Congressional Research Service (CRS), said that tighter physical security measures in the United States might encourage terrorist groups in the future to explore cyber attacks. Terrorists are not yet mobilizing to carry out extensive cyber attacks, Wilson said. Although the possibility remains, it is extremely difficult to know if they will take their current cyber activity to the next level to inflict physical harm, said Wilson (Wagner, 2007). We must not remain complacent or bury our collective heads in the sand, but we should be constantly vigilant. Hence, when the attack comes, we will be mentally prepared for it.

Legal Requirements of Computer and Cyber Security

Electronic Communications Privacy Act. The Electronic Communications Privacy Act of 1986 (ECPA) makes it illegal to intentionally access, without authorization, a facility providing electronic communications services, or to intentionally exceed the authorization of access to such a facility. The bill was intended to protect the privacy of high-tech communications such as electronic mail, video conference calls, conversations on cellular telephones, and computer-to-computer transmission (Sweet, 2006). However, over the five-year period from 1998-2002, the number of cyber attacks on telephone companies (telcos) and their networks had increased significantly. For example, Carnegie Mellon University’s computer emergency response team (CERT), based in the United States, reported 3,700 attacks on telco networks in 1998, while in 2002 the number was set to increase to a staggering 110,000 attacks (Ashenden, 2003). Obviously, the ECPA minimally affected cyber attackers.

Computer Security Act. Subsequently, the Computer Security Act, passed a year later in 1987, was the first major legislation relating to information security. This bill provides “for a computer standards program within the National Bureau of Standards [now called NIST, National Institute of Standards & Technology] to provide for government-wide computer security, to provide for the training in security matters of persons who are involved in the management operation and use of federal computer systems, and for other purposes” (Thomas, 1987; Cordesman, 2002). However, just 15 years later in mid-2002, asked how prepared U.S. companies are for a cyberterrorist attack, Michael Vatis, director of the Institute for Security Technology Studies (ISTS) at Dartmouth College, said, “As a general matter, companies, government agencies, and academia are inadequately prepared. Too little attention is paid to security; too few resources are devoted to it” (Gaudin, 2002). Mind you, this was almost a year after 9/11!

Clinger-Cohen Act. In 1996, the Clinger-Cohen Act created the position of Chief Information Officer (CIO) within government agencies to ensure that they properly acquire and manage information systems. Further, based upon NIST-developed standards, the act called for the Secretary of Commerce to “promulgate standards and guidelines pertaining to federal computer systems.” Additionally, “the secretary shall make such standards compulsory and binding to the extent to which the secretary determines necessary to improve the efficiency of operation or security and privacy of federal computer systems” (Anonymous, 2000; Cordesman, 2002). Asked whether there is one thing he would tell these CIOs and CSOs (chief security officers) to do, Michael Vatis said, “There’s no one thing, but one message is that senior management needs to make security a priority. CEOs and boards of directors need to pay attention to security and make sure resources are devoted to it” (Gaudin, 2002). Company CEOs and boards of directors should pay heed to this clarion call to proactive action.

Availability of Law. The principle of nullum crimen sine lege is fundamental to most legal systems. Under this principle, the legal system cannot prosecute any behavior, no matter how harmful, unless that behavior is formally prohibited by law. For example, the Philippine courts could not prosecute the person who released the I LOVE YOU virus in May 2000 because, at the time, there was no law in the country that prohibited the release of malicious code. The history of criminal law in many countries is replete with examples of newly created laws to cope with new forms of undesirable behavior. The advent of digital technology necessitates numerous legislative activities to this end. Indeed, very soon after the release of the I LOVE YOU virus, the Philippine government introduced legislation to criminalize virus dissemination (Grobsky, 2007). However, as usual, governments and politicians are nearly always reactive … seldom, if ever, proactive.

Conclusion

The Electronic Communications Privacy Act does not curtail cyber attackers. Generally, companies, government agencies, and academia are inadequately prepared. We pay too little attention to security. We devote too few resources to it. Management needs to make security a priority. CEOs and boards of directors need to pay attention to security and make sure resources are devoted to it.

Under the principle of nullum crimen sine lege, the legal system cannot prosecute a perpetrator unless the law prohibits his/her behavior (no matter how harmful it may be). Hence, the Philippine government did not prosecute the perpetrator of the I LOVE YOU virus because no law existed that prohibited the release of malicious code.

 

References

Anonymous (2000). Information Technology Management Reform Act of 1996. Retrieved from http://www.rdc.noaa.gov/~irm/div-e.htm.

Anonymous (2002, July). National Strategy for Homeland Security. Washington, DC: Office of Homeland Security.

Anonymous (2007, October). National Strategy for Homeland Security. Washington, DC: Homeland Security Council.

Ashenden, D. (2003, January). Protect and survive. Telecommunications International, 37(1), p. 29.

Blau, J. (2004, November 29). The battle against cyberterror: The race is on to harden the nation’s critical infrastructure before cyberterrorists gain enough skills to launch attacks. Network World, 21(48), p. 49.

Bullock, J. A., Haddow, G. D., Coppola, D., Ergin, E., Westerman, L., & Yeletaysi, S. (2006). Introduction to Homeland Security, Second Edition. Oxford, United Kingdom: Elsevier Butterworth-Heinemann.

Cordesman, A. H. (2002). Cyber-threats, Information Warfare, and Critical Infrastructure Protection: Defending the US Homeland. Westport, Connecticut: Praeger Publishers.

Gaudin, S. (2002, July 19). Security expert: US companies unprepared for cyberterror. IT Management. Retrieved from http://itmanagement.earthweb.com/secu/print.php/1429851.

Grobsky, P. (2007, October 13). Requirements of prosecution services to deal with cybercrime. Crime Law Soc Change, 47, 201-223.

Sweet, K. M. (2006). Transportation and Cargo Security: Threats and Solutions. Upper Saddle River, New Jersey: PEARSON Prentice Hall.

Swichtenberg, B. (2002, March). FBI issues water supply cyberterror warning. Water Engineering & Management, 149(3), p. 7.

Thomas (1987). Computer Security Act of 1987. Retrieved from http://thomas.loc.gov/cgi-bin/bdque.

Wagner, B. (2007, July). Electronic jihad: Experts downplay imminent threat of cyberterrorism. National Defense, pp. 34-36.
