The Impossible Task: Public Administration & Terrorism With Respect to Critical Infrastructure

The Impossible Task:

Public Administration & Terrorism With Respect to Critical Infrastructure

Shawn T. Walker

Northern Kentucky University

Error! Bookmark not defined.

Background

Prevention through the recognition of vulnerabilities and threats are essential steps in protecting the infrastructure and citizens of the United States. Critical infrastructure includes computer information systems, power distribution, water distribution, toxic waste disposal, and transportation systems. In order for our nation and economy to function, these systems must be protected and run smoothly. To be comprehensive in nature, our strategy should include steps designed to:

reduce our vulnerability to threats;
use intelligence assets and other broad-based information sources to identify threats and share such information as appropriate;
stop incidents before they occur;
manage the consequences of an incident;
in the case of terrorist attacks, respond by all means available, including economic, diplomatic, and military actions that, when appropriate, are coordinated with other nations.

In order to implement such a strategy, coordination from various departments of the government is required, but according to the GAO, this is not currently happening. Some of these issues "include a lack of mission clarity; too much fragmentation and overlap; the need to improve the federal government’s human capital strategy; difficulties in coordination and operation across levels of government and across sectors of the economy; and the need to better measure performance". This can also be shown by the conclusion of the December 2000 national security strategy which states that porous borders, rapid technological change, greater information flow, and the destructive power of weapons now within the reach of small states, groups, and individuals make the terrorist threat more viable.

This applies to critical infrastructure because potential terrorist attacks are likely to strike at these systems in order to avoid direct military conflict. There may be significant technical challenges to overcome before such an attack could become a reality, but it has been attempted in the past and will be in the future as shown by the recent attacks on the World Trade Center. Currently the government is taking steps to prevent and respond to weaknesses within core systems.

Computer Information Systems

Since the early 1990s, the explosion in computer interconnectivity, most notably growth in the use of the Internet, has revolutionized the way organizations conduct business, making communications faster and access to data easier. However, this widespread interconnectivity has increased

the risks to computer systems and, more importantly, to the critical

operations and infrastructures that these systems support, such as

telecommunications, power distribution, national defense, and essential

government services. As our society become more and more dependent on technology, this infrastructure becomes more venerable to attack. "The National Security Agency has determined that foreign governments already have or are developing computer attack capabilities, and that potential adversaries are developing a body of knowledge about U.S. systems and methods to attack them". These dangers include viruses, denial-of-service (DOS), hackers, low physical security, and inadequate or ignored security policies. Before the government can start to address these issues, it must first identify and access the threats. Only then can an attempt be made to put procedures in place to prevent, triage, and recover from disasters.

In order to understand the approaches that our government has taken to safeguard critical information systems, we must first understand each type of attack. At the top of this list is the computer virus. A virus is defined as a program or code that replicates by inserting itself or attaching itself to another program. It may or may not damage software, hardware, or data. There are many different types of viruses including a hoax, Trojan horse, or a worm. Each type of virus performs a certain task or tasks such as replication, insertion of a back door, modification of data, or even the transfer of private data without the user’s consent.

These viruses are spread in a variety of ways including e-mail, MS Word documents, program executables, and bugs in server software. A user may not be aware that they have been infected by a virus until data or operating system corruption occurs. Currently, the best method for prevention is to install anti-virus software, but even then the software must be updated frequently with a list of known viruses. If the anti-virus software is not up-to-date, then the user will be venerable to any viruses released since the last update. Even with up-to-date virus software, a user may not be able to fend off all virus attacks. Bugs in existing software can be exploited until updates are released by the software manufacturer and then are installed by the user.

After viruses, hackers pose the largest threat to uptime and data security. A hacker attempts to exploit weaknesses in a server’s operating system, public services, or configuration. According to the GAO, there were over 250,000 attempts to break in DoD computer systems in 1995 in which 65% were successful. After doing the math, over 160,000 of those attempts resulted in unauthorized access to systems. This becomes even more of a threat with the knowledge that 90% of Fortune 500 companies have been compromised in a hacking attempt. The prevention of all attacks is not possible, but by updating server software and designing more secure networks it is possible to decrease the number of vulnerabilities that a hacker could exploit.

The remaining security issues deal with the implementation of a strong security policy. "A security policy is a document that states in writing how an organization plans to protect its physical and information technology assets". It is often considered to be a "living document", meaning that the document is never finished, but is continuously updated as technology and requirements change. A security policy may include an acceptable use policy, a description of how to educate employees about protecting the organization's assets, an explanation of how security measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure that necessary corrections will be made. If a security policy does not exist or is not enforced, an organization will be more vulnerable to attacks and viruses.

In order to address these issues, the government has:

Created the Computer Emergency Response Team (CERT/CC)

CERT was created in 1988 after the Morris Worm attacked computer systems across the country. It was initially charged by the U.S. Department of Defense, Defense Advanced Research Projects Agency (DARPA) to serve as a focal point for Internet security by fostering collaboration, providing technical assistance, conducting tutorials, site evaluations, and research. Its responsibilities now include providing Internet security information to technology managers and policy makers through the guidance and coordination of major security events such as Y2K and viruses. CERT is located at the Carnegie Mellon Software Engineering Institute and funded by the DoD Office of the Under Secretary. In 2000, there were 21,756 incidents reported by CERT/CC. This figure is up from 9,859 incidents reported in 1999.

Establishment of Commission on Critical Infrastructure Protection (CCIP)

The Commission on Critical Infrastructure Protection was established by the president in 1996 to develop a strategy to reduce security risks. The commission issued its report in 1997 stating that a comprehensive approach was needed, including "a system of surveillance, assessment, early warning, and response mechanisms to mitigate the potential for cyber threats." The report noted that the FBI could serve as the primary national warning center against infrastructure attacks and provide the necessary intelligence to ensure the best analysis possible. The Presidential Directive 63 was created in response to this report.

Presidential Directive 63

Issued on May 22, 1998, this directive builds upon the recommendations from the CCIP. It goal is to provide a "reliable, interconnected, and secure information system infrastructure by 2003" and significantly increase the security of government systems by 2002. Included is a provision to create a national center to warn of and respond to attacks. Also, all government agencies were required to address their cyber and physical issues in vulnerabilities to reduce their exposures to new and old threats. A new structure was created which includes a National Coordinator whose scope includes not only critical infrastructure, but foreign terrorism and threats from weapons of mass destruction. Finally, national education and awareness programs were created in order to assist government agencies and the private sector in developing security policies.

National Infrastructure Protection Center (NIPC)

PDD63 authorized the FBI to expand its NIPC which was established in 1998. It was specifically assigned the responsibility of providing comprehensive analysis of threats, vulnerabilities, and attacks; issuing timely warnings; facilitating and coordinating a response; providing law enforcement with investigation information; monitoring restoration of capabilities after an attack; and facilitating information sharing between government agencies and the private sector.

Since its establishment, the effectiveness of the NIPC has been questionable. It has issued only 81 warning from 1998 to February, 2001. This is in contrast to the many incidents reported by CERT/CC within the same time period. The NIPC’s inability to issue warnings and reports comes from the fact there is not a generally accepted methodology for the analysis of cyber-based threats. This is further impeded by prolonged vacancies in leadership positions. For example, the position of Chief of the Analysis and Warning Section has been vacant for about half of the NIPC’s existence. Finally, there is great reluctance on the part of private sector companies to report information to the NIPC. This reluctance is based upon a fear that sensitive information about a company will reach the public while an investigation is underway.

Civil Air System Security

The civil air system is a critical component of the United States’ physical and economic infrastructure. As shown by the recent attack on the World Trade Center, this has been effective method of attracting media attention for terrorists and their messages. In response to these attacks, vulnerabilities have been found throughout the air traffic system.

These include:

Lack of oversight by FAA concerning air traffic control (ATC) computer systems including access controls and building security.
Lax controls for limiting access to secure areas including aircraft. The GAO was able to use fictitious law enforcement badges and credentials downloaded from the Internet to bypass security checkpoints.
Weaknesses in the ability of screeners to detect dangerous objects on passengers and carry-on luggage.
Lower standards for the training, qualifications, pay, and benefits of airport screening staff than foreign countries such as Canada, Belgium, and France.
Placement of screening responsibility with individual airlines instead of a central screening authority.

In order to address these issues, Congress passed the Aviation Security Act (S.1447) on November 19, 2001. This bill provides for the following provisions:

Creates the position of Deputy Secretary of Transportation Security within the Department of Transportation. This position is responsible for the security of all modes of domestic transportation.
Makes the Attorney General responsible for Federal air transportation security screening.
Establishes an Aviation Security Coordination Council which will work with the intelligence community to coordinate activities affecting the safety and security of the civil air system.
Directs the FAA to issue an order that prohibits unauthorized access to the flight deck and requires the strengthening of cockpit doors.
Directs the Secretary to administer the Federal Air Marshall program. This program places marshals on flights that are deemed to have a high security risk.
Establishes a program for the hiring and training of airport security screening personnel.
Authorizes the Secretary to reimburse an airport operator for the direct costs incurred due to compliance with new, additional, or revised security requirements imposed on such operator by the FAA on or after September 11, 2001.
Declares that any air carrier or foreign air carrier (or employee) that reports to the proper authorities on suspicious activities relating to possible violations of law, air piracy, threat to aircraft or passenger safety, or terrorism, shall not be held civilly liable to any person under any U.S. law for such disclosure.
Authorizes the FAA to issues grants in conjunction with DARPA for research and development of airport security improvements.

Conclusions

In order to protect the critical infrastructure of the United States, the government is currently reviewing policies and agencies in order to assess their effectiveness to prevent terrorist acts. Specifically for computer systems and air transportation security, the government has created new positions and charters such as PDD 63 to create and implement recommendations. The NIPC is the government’s attempt to create a central clearinghouse of computer incident information, but this organization has not been successful in gaining the trust of the private sector. In order to be effective, the NIPC must coordinate efforts between government agencies and private sector companies. This will benefit both parties because similar systems and software are used which would allow the government to benefit from the fast pace of the private sector. Organizations such as CERT/CC continue to fill in this gap, but because of its charter, it cannot be as effective at generating cooperation between the two sectors.

With respect to civil air system security, the Aviation Security Act goes a long way to creating a more secure system. This act provides for more oversight, but past incidents have shown that oversight alone cannot close gaps in the system. The FAA has continually ignored its own security policies; therefore it has shown an inability to police itself or the airline industry as a whole. Unless there is more responsibility and oversight from other areas of the Federal Government, these new security measures may not all come to pass.

As with any system, the policies that are now being put in place are a work in progress. Every effort must be made to monitor the effectiveness of each directive to determine if any changes or updates need to be made. In the short term, the media will continually monitor our government’s progress and report any shortcomings to the public. The lingering question is whether or not the government can sustain this rate of progress after the public spotlight has diminished.