Cybersecurity: Who's Watching the Store? Government Is Not Doing All It Could to Research the Problem or to Exercise Its Proper Regulatory Role

Article excerpt

With information technology (IT) permeating every niche of the economy and society, the public has become familiar with the dark side of the information revolution--information warfare, cyber-crime, and other potential ways nefarious parties might try to do harm by attacking computers, communications systems, or electronic databases. The threats people fear range from nuisance pranksters abusing the World Wide Web, to theft or fraud, to a cataclysmic meltdown of the information infrastructure and everything that depends on it. As IT becomes more tightly woven into all aspects of everyday life, the public is developing an understanding that disruption of this electronic infrastructure could have dire--conceivably even catastrophic--consequences. During the past decade, government officials, technology specialists, policy analysts, industry leaders, and the general public have all become more concerned about "cybersecurity"--the challenge of protecting information systems. Prodigious efforts have been expended during this time to make information systems more secure, but a close examination of what has been achieved reveals that we still have work to do.

The threat to information systems potentially takes many forms. Experts generally offer four different "attack modes": denial, deception, destruction, and exploitation. Or, to put it another way, someone can break into an information system to stop it from operating, insert bogus data or malicious code to generate faulty results, physically or electronically destroy the system, or tap into the system to steal data. Experts also agree that such threats can come from a variety of sources: foreign governments, criminals, terrorists, rival businesses, or simply individual pranksters and vandals.

Many people associate cybersecurity with the Internet revolution of the 1990s. In fact, the idea of information warfare directed at computer networks dates back to 1976, to a paper written in the depth of the cold war by Thomas Rona, a staff scientist at the Boeing Company. Rona's work was an outgrowth of electronic warfare in World War II and the introduction of practical computers and networks. He speculated that in the emerging computer age, the most effective means to attack an adversary would be to focus on its information systems.

Rona's research came at a propitious moment, because the Department of Defense was itself just beginning to consider whether such tactics might be a silver bullet for defeating the Soviet Union. This interest had been triggered, ironically enough, by Soviet military writings. The Soviets believed the United States was preparing for radioelektronaya bor'ba--"radio electronic combat." As it turned out, U.S. capabilities were not nearly as far along as the Soviet writers feared. But once U.S. officials discovered that Soviet officials were concerned about computer attacks, they began to look into the possibilities more closely.

The payoff occurred in the 1991 Gulf War, the first conflict in which U.S. commanders systematically targeted an adversary's command and control systems. These efforts were an important reason for the U.S.-led coalition's lopsided victory. After the war, when U.S. officials realized how important this "information edge" had been, they started to worry more about the vulnerability of their own electronic networks.

Throughout the early 1990s the Defense Department examined this threat more closely. The closer officials looked, the more worried they became. They were especially concerned about the vulnerability of U.S. commercial systems, which carry the vast majority of military communications. One of the first unclassified studies was the Report of the Defense Science Board Task Force on Information Warfare--Defense (IW-D), which the Defense Department released in November 1996. This report was followed by other studies that reached similar conclusions about the cybersecurity threat.

Largely as a result of these studies, in May 1998 the Clinton administration issued National Security Decision Directive 63, which directed federal agencies to take steps that would make their computers and communications networks (in addition to other critical infrastructure) less vulnerable to attack. …