Systems Failure
A small cadre of administration officials has been working feverishly since Sept. 11 to prevent cataclysmic attacks on America's water, power, transportation, financial and communications systems, the nation's critical infrastructure. Government agencies and industries that provide these key services have intensified efforts to protect the physical components of critical infrastructure: bridges, ports, pipes and power lines. But many observers fear the computers controlling infrastructure remain as vulnerable as ever. They say a new digital arms race has begun.
The nation's infrastructure is at once so vast, yet so much a part of everyday life, that Americans typically take it for granted. Yet the country depends on the pipes, treatment plants and reservoirs that provide water to homes and businesses; the power plants and wires of the electrical grid; the roads, bridges, signals and vehicles of the transportation system; and the worldwide web of information technology that delivers telecommunications services and permits funds to flow freely among financial institutions. The infrastructure also includes the computer systems that drive these functions.
"The term 'critical infrastructure' covers just about everything of value in our country," said Sen. Max Cleland, D-Ga., at an Oct. 4 hearing of the Senate Governmental Affairs Committee. What's more, he noted, this array of industries is relying more and more on computer networks, thus opening it to attack from anywhere in the world.
Politicians and policy-makers fear that a well-coordinated series of cyber and physical attacks directed at the nation's key infrastructure could result in death, destruction and economic disaster. The effects of the Sept. 11 attacks on the telecommunications, financial and transportation industries made clear to the Bush administration and to the nation that protecting critical infrastructure is vital to economic and national security. Fortunately, the administration inherited a federal infrastructure protection architecture that has been around since 1998 and is being integrated into the new homeland security campaign.
Digital Nervous System
The nation increasingly depends on a digital nervous system, says John Tritak, director of the Commerce Department's Critical Infrastructure Assurance Office (CIAO), which works to increase security in the public and private sectors. As we rely more on technology to support our basic needs, our vulnerability increases, he says.
Tritak views the Sept. 11 attacks as assaults on the national infrastructure. When two jetliners crashed into the World Trade Center towers in New York, water and electric systems in lower Manhattan were disrupted. Verizon Communications lost a main switch that handled 200,000 phone lines and 3 million data circuits. Trading was halted on the nation's securities markets for four business days. The terrorists' use of four commercial airliners to conduct their attacks left the aviation industry crippled. All this helped push the economy deeper into recession.
In the months after the attacks, officials feared the nation's 103 nuclear power plants and other components of the nation's physical infrastructure would become terrorist targets. For a time, it seemed those fears were being realized. In October, a drunken man shot the Trans-Alaska Oil Pipeline with a large-caliber hunting rifle, spilling 285,000 gallons of oil onto the Alaskan tundra. In early November, California Gov. Gray Davis warned of a terrorist plot, later disproved, to destroy San Francisco's historic Golden Gate Bridge and other suspension bridges throughout the state. Later that month, the FBI tipped off oil, gas and pipeline companies that they could be vulnerable to attack if al Qaeda leader Osama bin Laden or Taliban head Mullah Mohammed Omar were killed or captured by U.S. forces in Afghanistan. Industries responded to such threats by tightening security and posting more guards.
Although infrastructure remains vulnerable to physical attacks, CIAO's Tritak is most concerned about attacks emanating from cyberspace. Tritak is not worried about the legions of so-called "script kiddies" who deface Web sites. He fears attacks designed to manipulate or cripple infrastructures. A criminal case investigated by the FBI shows just how vulnerable elements of critical infrastructure are to cyberattack. On March 10, 1997, a teen-age boy disabled the Federal Aviation Administration's control tower at the Worcester Regional Airport in Worcester, Mass., for six hours by hacking into a telephone company computer. The same day, the hacker shut down a regional telephone system, which the Justice Department says caused financial damage and threatened public health and safety. At a recent conference on cybersecurity, Martha Stansell-Gamm, chief of the Justice Department's Computer Crime and Intellectual Property Section, revealed that the boy had cracked the telecommunications computer with just seven keystrokes.
Tritak points out that America's increasing reliance on the Internet to conduct business guarantees a cyberattack would have fearsome results. "Going online is no longer an option," Tritak says. "It's a market imperative." Thus even poorly conceived but extraordinarily destructive e-mail viruses such as ILOVEYOU, which clogged networks and overwrote important computer files in May 2000, can have a withering effect on the economy. The virus caused $6.5 billion in damages in just five days.
The mounting number of attacks and efforts to break into or disrupt important computer networks and control systems in recent years bolsters the case for stronger cyber defenses. The onslaught of security problems has the ironic effect of preventing systems administrators from plugging holes: they just don't have time. Hackers clearly are taking advantage of systems administrators' inability to keep up. The Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh, which tracks and responds to cyberthreats, reports that in 1988, there were six cyber incidents in the United States, including viruses, worms and cyberattacks. In 1989, that number jumped to 132. In 2000, there were 21,756. In 2001, 52,658 incidents were reported. It is generally accepted that most such incidents never are reported to authorities, so the true numbers are much larger.
Using software flaws and other means, foreign enemies, terrorists, criminals and even mischievous computer aficionados could destroy or incapacitate the computer systems that operate components of critical infrastructure and debilitate the nation, according to Frank Cilluffo, who testified at the October hearing. Cilluffo is special assistant to the President and adviser for external affairs to the Office of Homeland Security.
Infrastructure interdependency is another simmering danger. Paula Scalingi, former head of the Energy Department's Office of Critical Infrastructure Protection, says it is hard to tell where one infrastructure ends and another starts. Computers are the linchpin. Electric power companies, for example, depend on telecommunications networks to run their supervisory control and data acquisition systems, which manage and monitor power plants and other key systems, she says. Power companies depend on the Internet, where they buy and sell electric power in real time.
Interdependence extends well beyond the Internet, however. For example, telecommunications companies can't run their operations unless the electrical grid is healthy. Power, gas, oil and telecommunications companies need water to cool their equipment. All industries rely on transportation to move goods and services. Without electric power, switches, lights, trains, stoplights and many other components of the transportation system couldn't function. In addition, many industries mingle their assets. Power lines and fiber optic cable share the same public rights-of-way. Telecommunications companies install fiber optic lines inside water pipes. Cables and pipes run across bridges.
"If we have a major physical or cyber disruption, and a disruption can take the form of a cyber or physical attack, a systems failure or human error, there is the potential to have a cascading or domino effect," Scalingi warns.
Thinking Ahead
In 1997, two years after the bombing of the Murrah Federal Building in Oklahoma City, Okla., members of the President's Commission on Critical Infrastructure Protection wrote that while "a satchel of dynamite and a truckload of fertilizer and diesel fuel are known terrorist tools, today, the right command sent over a network to a power generating station's control computer could be just as devastating." What's more, the commissioners found, "the perpetrator would be more difficult to identify and apprehend."
Brenton Greene, who was a member of that commission, now manages the National Communications System, which ensures that the national telecommunications infrastructure is prepared for emergencies. It was created during the Kennedy administration to guarantee the communications network would survive a nuclear attack. Greene points to the Oklahoma City bombing, which killed 168 people and wounded hundreds more, and the Aum Shinrikyo religious cult's 1995 sarin gas attack in Tokyo's subway system, which killed 12 people and sickened nearly 5,000 others, as events that helped convince the Clinton administration the nation was vulnerable to terrorist attacks. Hoping to preempt future attacks, President Clinton created the infrastructure protection commission in 1996, bringing together veteran defense experts, such as Greene, and representatives from the private sector to investigate how the nation could protect its assets. The commission was the first of its kind and brought together people who had been working on the same issues for years. The commissioners decided to focus on cyberthreats.
The commission's recommendations helped guide the creation of Presidential Decision Directive 63, signed by Clinton in May 1998. The directive called for a national critical infrastructure protection plan to be implemented by 2003. It assigned federal agencies to protect various infrastructures. The Environmental Protection Agency, for example, drew the task of ensuring the water system is protected, while the Energy Department is the lead on electric power, oil and gas production and storage. Clinton's directive also created two interagency offices, the National Infrastructure Protection Center (NIPC) and the Commerce Department's Critical Infrastructure Assurance Office (CIAO). NIPC, housed at the FBI, coordinates investigations of computer attacks and warns companies and agencies of new cyber risks. The CIAO coordinates public and private sector cyber protection.
Both offices have suffered from lack of trust and resources, their executives told senators in October. Turf battles between NIPC, CIAO and agencies seeking control of infrastructure protection have been endless. The Clinton directive failed to provide any additional funding, so its implementation has been weak. During the hearing, Sen. Susan Collins, R-Maine, called infrastructure protection "a poorly coordinated program across the breadth of the federal government." She also asserted that the Bush administration's efforts to protect the nation's key industries don't match the risks they face. Jamie Gorelick, a former official at the Defense and Justice Departments who played a significant role in focusing the Clinton administration on critical infrastructure vulnerabilities, testified that the offices charged with protecting critical infrastructure are dwarfed by the size of the problem. There is "no relation between the job and the resources," added Gorelick, now vice chairwoman of Fannie Mae, a federally chartered company that finances home mortgages.
A case in point: When Scalingi was hired to lead Energy's infrastructure protection effort, she was told to expect a staff of 70 and $30 million to $35 million in funding each year. The office opened with a skeleton crew and has received less than $3 million each year for the last two years. Even so, Scalingi says, Energy was lucky. Other agencies didn't get any money at all to pay for their infrastructure protection work.
Jeffrey Hunker, the CIAO's first director and now dean of the H. John Heinz III School of Public Policy and Management at Carnegie Mellon University, says that in 1998, the federal government spent less than $1 billion on critical infrastructure protection. In 2001, that figure more than doubled to $2.1 billion. Hunker admits that getting funds from Congress has been difficult, especially because infrastructure-protection spending requests go to each of the 13 appropriations committees. Hunker says Congress members don't understand why so many agencies request funds for what appears to be the same purpose.
Who's in Charge?
In the wake of the Sept. 11 attacks, the nation's vulnerabilities went under the microscope. As Cleland and his committee colleagues struggled to understand the widely dispersed infrastructure protection efforts within the public and private sectors, it became obvious that one key person was missing from the proceedings: Richard Clarke. Clarke, who has been in charge of infrastructure protection under two Presidents, first under Clinton and now under Bush, was a National Security Council staffer who, until recently, coordinated the nation's counterterrorism and cybersecurity efforts.
Within days of the hearing, Clarke was named special adviser to the President on cyberspace security. Bush created the position in an October Executive Order, "Critical Infrastructure Protection in the Information Age," which tightly integrates infrastructure protection with the administration's homeland security efforts. The order builds on the structures created by Clinton in Presidential Decision Directive 63 and clearly places Clarke in charge of infrastructure protection. The order created the Critical Infrastructure Protection Board, which Clarke now heads, to coordinate public and private sector protection efforts. Clarke reports to Homeland Security Director Tom Ridge on all domestic matters. When events take an international turn, Clarke reports to Condoleezza Rice, Bush's national security adviser. NIPC Director Ron Dick and the CIAO's Tritak, who now take their marching orders from Clarke, serve on the board.
Many observers say Clarke, long reputed to be a bureaucratic infighter, is not the most effective person to lead infrastructure protection. Still, these same sources agree Clarke is intelligent, driven and intent on getting things done, not making life easier for other people.
Much of the heartburn about Clarke centers on what critics say is his obsession with cyberspace. Sources say Clarke repeatedly has pushed for critical infrastructure protection efforts to focus solely on computer systems at the expense of physical threats and the vulnerability created by infrastructure interdependence. Clarke says the Bush administration's critical infrastructure protection effort is 98 percent focused on cyberspace and 2 percent on physical structures that support cyber networks. "If you cut a fiber network with a backhoe, you've done as much damage as a distributed denial of service attack," he says. Clarke also warns of the vulnerability of "critical nodes," physical locations where numerous services coincide and whose destruction would disrupt national and economic security.
The Defense Information Systems Agency's compound in Arlington, Va., is a critical node. Many of Defense's networks are operated and protected at the location, which also houses the National Communications System, responsible for emergency operation of telephone and data systems, and Defense's Joint Task Force-Computer Network Operations, dedicated to protecting Defense's computer networks and developing information war plans. Soon after the Sept. 11 attacks, the compound's perimeter was lined with orange shipping containers to lessen the effect of a bomb blast. "There are physical locations that have to be hardened and protected," Clarke says. A subcommittee of the Critical Infrastructure Protection Board is working on the problem.
Clarke's supporters say cyberspace is the nation's weakest front and that physical threats, while dangerous, are well understood. The dissenters worry that an overemphasis on cybersecurity at the expense of protecting physical infrastructure could enable terrorists to succeed in mounting additional, devastating attacks.
A Publicly Private Problem
Private firms control 90 percent of the U.S. infrastructure, so securing it and the computers that control it requires significant private-public cooperation. Because of this, PDD-63 directed private firms to beef up their protection of infrastructure and computer resources and to share information about vulnerabilities, interdependencies and attacks with their competitors and the federal government.
One long-standing public-private infrastructure partnership, the National Security Telecommunications Advisory Committee, brings together chief executive officers from the largest telecommunications companies and works with the National Communications System. It also advises the President on telecommunications issues. With that committee in mind, the Clinton directive assigned to industries the task of creating information sharing and analysis centers (ISACs), through which companies could share information about attacks, threats and vulnerabilities. ISACs also are intended to be the contact point through which the FBI's National Infrastructure Protection Center warns industries about potential threats. ISACs now exist for railroad, electric, energy, financial services and information technology companies. In addition to footing the bill for these councils, companies involved have had to be willing to overcome reticence about their own vulnerabilities in order to share information needed to protect national infrastructure.
Phillip Lacombe, former staff director of the critical infrastructure commission and now president of Veridian Information and Infrastructure Protection, a division of Veridian, an Arlington, Va., information technology company, says the private sector understands cybersecurity better than the federal government does. Industry learned painful lessons from losses sustained as a result of the ILOVEYOU virus, the February 2000 distributed denial of service attacks that knocked online businesses such as Yahoo!, eBay, E-Trade and CNN.com offline, and this summer's Code Red worm, which the FBI has estimated cost businesses $2.5 billion. Lacombe says businesses took the attacks as a cue to shore up their defenses and have done so at a much faster rate than the federal government has. The attacks also drove many companies previously unwilling to participate in ISACs to the centers. The FBI reports that participation in its InfraGard program, an information sharing organization made up of businesses, academic institutions and state and local governments, has risen by 600 percent since January 2001.
Still, information sharing hasn't come easily within the councils. Companies are naturally reluctant to reveal sensitive information to their competitors. They also shy from revealing their secrets to Uncle Sam for fear the data could be subject to Freedom of Information Act (FOIA) requests and fall into competitors' hands. Senators Robert Bennett, R-Utah, and Jon Kyl, R-Ariz., have introduced the Critical Infrastructure Information Security Act, which would shield companies that share information on information security and attacks from FOIA requests. Clarke fully supports the legislation. The bill is now in committee.
Lacombe says ISACs were intended to be a mechanism for logging cyber events and physical threats within and across sectors. But government has no way to pull that information together and comb it for connections to attacks that appear unrelated, he says. At least a structure now exists for sharing information where none existed a few years ago, he says. In addition, the agencies responsible for coordinating protection efforts with industry are raising awareness, suggesting protection methods and identifying vulnerabilities.
Electronic Pearl Harbor
Some information security and counterterrorism experts worry about a so-called "electronic Pearl Harbor," a series of cyberattacks designed to cripple the nation's economy or increase the chaos and damage associated with a major physical attack. Brenton Greene points to a diagram in the report issued by the President's Commission on Critical Infrastructure Protection. It outlines a real-world nightmare scenario. In 1996, a man sitting at his home in Goteburg, Sweden, disabled most of southern Florida's 911 emergency response systems. Within weeks of the Swede's attack, two bridges collapsed, a municipal water supply was contaminated and FBI agents were frustrated to find their phones jammed. In addition, two regional Internet service providers were crippled, an undersea communications cable was severed and fuel transfer in a pipeline was disrupted. To make matters worse, an entire state lost its phone service, an oil refinery exploded, sending clouds of toxic smoke into the air, and bomb threats forced the evacuation of two office buildings. Was the nation under attack? Greene says officials weren't sure at the time. These days, he says, officials would be just as baffled because the government does not possess a system that can analyze and synthesize seemingly innocuous events to provide proof of coordinated attacks. This means an Osama bin Laden could launch a campaign of physical and cyberattacks without national leaders knowing the incidents were related.
Does bin Laden have the capability to conduct a cyberwar? Probably not, but his al Qaeda terrorist network does use the Internet to communicate. Al Qaeda members are said to hide messages within e-mails or attached pictures. NIPC has warned that anti-U.S. "hacktivists" could pose a threat. Such cyber protesters are not directly affiliated with al Qaeda, but they have become increasingly opportunistic and dangerous.
And the experts don't just worry about terrorists, says James Lewis, a senior fellow at the Center for Strategic and International Studies in Washington. Foreign states and organized crime also pose cyberthreats, he says. Sources say those planning attacks on U.S. critical infrastructure and its information systems are limited only by their imaginations. Some argue the nation already has been at war for years with terrorists.
Information warfare expert Stephen Northcutt says hackers from Eastern Europe and former Soviet-bloc countries, particularly Russia and Bulgaria, are especially dangerous and active. Formerly with the Navy and the Ballistic Missile Defense Organization, Northcutt heads the Global Incident Analysis Center at the System Administration, Networking and Security Institute, a research and education organization based in Bethesda, Md. The FBI has nabbed numerous hackers from that region involved in defrauding banks, credit card companies and American consumers. Freelancers and cyber mercenaries, who can do far more damage than just defacing Web sites, are reputed to be up for hire.
Iraq has quietly been developing a cyber arsenal called Iraq Net since the mid-1990s, according to Yonah Alexander, a senior fellow at the Potomac Institute for Policy Studies, an Arlington, Va., think tank. Alexander, who believes cyberterrorism is a real threat, says Iraq Net consists of more than 100 Web sites located in domains throughout the world. Iraq Net is designed to overwhelm cyber-based infrastructures by distributed denial-of-service and other cyberattacks. "Saddam Hussein would not hesitate to use the cyber tool he has," Alexander says.
"Bits, bytes, bugs and gas will never replace bullets and bombs as the terrorist weapon of choice," Cilluffo, the homeland security adviser, told Congress in October. But, "while bin Laden may have his finger on the trigger, his grandson may have his finger on the mouse."