Evaluation of U.S. Policy to Prevent a Cyber Attack
Dave Carlson - January 8, 2007
An evaluation of U.S. policy to prevent cyber attack reveals strategic strengths and weaknesses. Acknowledgement of the threat, establishing a National Plan for Information Systems Protection, and allocating funds are strengths. Unfortunately, strategic weaknesses closely mirror the strengths in U.S. policy to prevent cyber attack. Failure to follow the established plan, inadequate funding for programs identified in the plan, and a failure to keep up with increasing threats offset many of the positive initiatives to defend against cyber attack. Perhaps the U.S. will never have an effective policy against cyber attack. Perhaps cyber threats have grown too large to handle. Perhaps the entire sphere of cyber threat has become as big as Mother Nature.
Evaluation of U.S. Policy to Prevent a Cyber Attack
The U.S. formally recognized the possibility of cyber attack and information warfare in the mid-1980s (Cordesman, 2002, p. 54). In 1987, the U.S. introduced the first major legislation concerning information security. The Computer Security Act directed plans for security and education related to computer systems. Since then, there has been a continual movement toward defining more effective policies. The U.S. government has continued to expand its efforts to protect strategic assets from cyber attack in response to 9/11 and the continuing war on terrorism.
It may not be possible to prevent all cyber attacks, since “there are major uncertainties that even the best organized effort can not overcome” (Cordesman, 2002, p. 11) and “the unfortunate reality is that nothing is ever 100% effective” (Hardenbrook, 2005, ¶ 1). Policies can help reduce the frequency and severity of attacks as well as increase the chances of quick and effective recovery from attacks. This paper will evaluate some of the strategic strengths and weaknesses of U.S. policy to mitigate a cyber attack against strategic assets. This paper is unclassified and discussions will be confined to open-source information.
Acknowledgement of Threat
“The United States exists in a complex and potentially dangerous environment that includes terrorist threats and on-going cyber attacks” (Tomko, 2002, p. 6). There can be no doubt that the problems are increasing. The Carnegie Mellon Computer Emergency Response Team (CERT) has been recording computer security incidents since 1988. Reported vulnerabilities have increased each year from 171 reports in 1995 to more than 6,000 reports in 2006 (Carnegie Mellon, 2006, ¶ 3).
The results of a 2005 survey by Princeton Survey Research Associates International revealed that 1,286 security personnel concurred that “the U.S. will suffer at least one devastating attack to its national information network or power grid in the next 10 years” (McGann, 2005, ¶ 1). It is a strength that the U.S. has acknowledged there is a significant potential cyber threat.
One of the first steps toward defeating a threat is the willingness to acknowledge that threat. At the strategic level, the U.S. has rejected a head-in-the-sand attitude toward cyber security issues, as evidenced by the evolution of legislation and published policies.
Establishment of National Plan
On January 7, 2000, the U.S. released the first National Plan for Information Systems Protection (Cordesman, 2002, p. 71). The plan established an ambitious set of initiatives to help protect critical federal government computer systems. The plan presented three primary objectives: “prepare and prevent successful attacks on critical infrastructures,” “detect and respond to access and contain attacks quickly,” and “to build strong foundations” (Cordesman, 2002, p. 73).
Ten programs included in the original National Plan for Information Systems Protection:
- Program 1 (Prepare and Prevent): Identify critical infrastructure assets and shared interdependencies and address vulnerabilities.
- Program 2 (Detect and Respond): Detect attacks and unauthorized intrusions.
- Program 3: Develop robust intelligence and law enforcement capabilities to protect critical information systems consistent with the law.
- Program 4: Share attack warnings and information in a timely manner.
- Program 5: Create capabilities for response, reconstitution, and recovery.
- Program 6: Enhance research and development in support of programs 1-5.
- Program 7: Train and employ adequate numbers of information security specialists.
- Program 8: Outreach to make Americans aware of the need for improved cyber-security.
- Program 9: Adopt legislation and appropriations in support of programs 1-8.
- Program 10: In every step and component of the plan, ensure the full protection of American citizens’ civil liberties, their rights to privacy, and their rights to protection of proprietary data (Cordesman, 2002, p. 73).
Jack L. Brock, Jr., director of the Defense Information Systems Accounting and Information Division of the General Accounting Office (GAO), praised the plan on February 1, 2000 in testimony before the Senate Subcommittee on Technology, Terrorism, and Government Information. Mr. Brock said the plan was an “important and positive step forward toward building the cyber-defense necessary to protect critical information assets and infrastructures” (Cordesman, 2002, p. 73). The official GAO response likewise found the plan “to be an important and positive step toward building the cyber-defense necessary to protect critical information assets and infrastructures” (Brock, 2000, p. 1).
This plan established the foundation for other legislation and policies. Especially noteworthy is Program 10, where there is an emphasis on protecting the civil rights of individuals and businesses. Any type of security must tread carefully on protecting the rights of the nation’s citizenry.
The Department of Homeland Security (DHS) is responsible for keeping the plan current. DHS specifically is tasked with “developing a comprehensive national plan for securing the key resources and critical infrastructures of the United States” (Bush, 2003, p. 15). While a plan, by itself, can do nothing to solve a problem, it is essential for effective and efficient resolution of the problem. Having a credible plan is a significant strength in the ability of the U.S. to defend against cyber attacks.
Authorization of Budgets
The best federal plan has no chance of success unless Congress approves funds to carry out policy programs. Even though “there is no clear way to cost the federal critical infrastructure program” (Cordesman, 2002, p. 85), Cordesman (2002) presents an example showing the U.S. commitment to Critical Infrastructure Protection (CIP) for FY1998 - FY2000. Actual spending on CIP programs increased from $1.1 billion in FY1998 to $1.7 billion in FY2000. Even though $1.7 billion is a small fraction of the entire U.S. budget, more than a billion dollars represents a significant commitment.
President George W. Bush issued an executive order in October 2001 “to ensure protection of information systems for critical infrastructure…” (Bush, 2001, ¶ 1). The President acknowledged budget issues were important to ensure protection by directing that “[h]eads of such departments and agencies shall ensure the development and, within available appropriations, funding of programs that adequately address these mission areas” (Bush, 2001, ¶ 14).
Current funding levels for the Department of Homeland Security’s Infrastructure Analysis and Infrastructure Protection (IAIP) program remain significant: $893.7 million in FY2005 and an estimated $850 million in FY2006 (Lake & Nuñez-Neto, 2005, p. 61). The purpose of the IAIP program is “to comprehensively understand the threat posed by terrorists to US critical infrastructure and key assets” (http://www.llnl.gov/hso/iaip.html).
It is a strength that the U.S. government supports efforts to prevent cyber attack. In our society, funding is one of the most visible signs of support. Since 1998, Congress has allocated funds to support policies that help prevent cyber attacks.
Failure to Follow Plan
While the existence of a plan is laudable, it is unfortunate the plan was not fully executed by the U.S. government. “Inevitably, neither the plan nor federal implementation efforts achieved all of their goals” (Cordesman, 2002, p. 73).
The GAO identified the essential element required for the National Plan for Information Systems Protection to succeed was establishing the government as a model of good information security (Cordesman, 2002, p. 76). Unfortunately, “the gap between expectations and actual agency performance is significant. . . . [O]ur government is not adequately protecting critical federal operations and assets from computer-based attacks” (Cordesman, 2002, p. 76).
A specific example of failing to follow the plan is “Program 4: Share attack warnings and information in a timely manner” (Cordesman, 2002, p. 73). “[M]ost critical infrastructures are in the private sector” (Bush, 2003, p. 43). A problem with sharing information about attacks is a general unwillingness of business to cooperate openly with efforts to suppress cyber crime.
The primary purpose of most business organizations is to generate a profit—security is just one of many items included in analyzing risks to the business. “Security is a fundamentally different issue for business than it is for government because the goals of business and government are fundamentally different” (Sofaer & Goodman, unk, p. 21). A business must balance two, sometimes opposing, positions: a desire to keep bad news away from investors and the philanthropic ideal of sharing information to help a competitor avoid disaster.
In a May 2005 report to Congress, the GAO reported that the Department of Homeland Security “identified information sharing in support of homeland security as a high-risk area” (GAO, 2005, p. 58). It is a significant challenge to establish a two-way exchange of information between Homeland Security officials and the private sector (GAO, 2005, p. 58). The bottom line: “such effective communications are not yet in place in support of our nation’s cybersecurity” (GAO, 2005, p. 58).
Failure to Fund Plan
As mentioned in a previous portion of this paper, one of the strengths of the U.S. policies to help prevent cyber attacks is the appropriation of budgets. While this is a critical step toward securing cyber infrastructure, the U.S. government has not gone far enough. As with almost every other government program, those responsible for cyber security decry the lack of funding to completely implement their plans.
A specific example of insufficient funding is reflected in a comment by Ed Lazowska, co-chairman of the President’s IT Advisory Committee, that “the government must increase funding to reach the goals listed in the report” (Sternstein, 2006, ¶ 8). Mr. Lazowska was referring to the Federal Plan for Cyber Security and Information Assurance Research and Development developed by the National Science and Technology Council, a Cabinet-level body that coordinates government-wide science and technology policies (Sternstein, 2006, ¶ 2).
Additionally, some programs that have already been allocated funds are not receiving those funds because they are failing to manage information security properly. In 2004, the Office of Management and Budget (OMB) ruled that agencies would not be able to spend money to modernize their information technology systems “until they show improvement in information-security management” (Chabrow, 2004, ¶ 2). OMB reported to Congress that “fewer than two-thirds of federal IT systems had been accredited by Dec. 31, falling short of its goal of 80%” (Chabrow, 2004, ¶ 3).
Christy (2000) supports the concept that “government and business will never have the resources to do the necessary research and development of technical countermeasures to effectively defend their systems” (p. 188). The strength of establishing budgets to support policies is laudable; however, the current budget is insufficient to resist many of the currently identified cyber threats.
Failure to Update Plan
Christy (2000) compares defending a network to defending a moving target (p. 188). Plans to effectively engage a moving target must morph to meet the appropriate threat. In the 1970s many networks were open to anyone who knew how to use a File Transfer Protocol (FTP) program. Today, no sane network administrator would consider opening outside access to the network without appropriate protection.
In 2003, the House Government Reform Subcommittee on Technology spent a year evaluating computer security in various federal agencies. Following their evaluation, the group awarded grades. “More than half the federal agencies surveyed received a grade of D or F” (Weimann, 2006, p. 163). Sadly, the Department of Homeland Security (the organization responsible for monitoring cyber security), “received the lowest overall score of the twenty-four agencies surveyed” (Weimann, 2006, p. 163).
Cordesman (2002) points out that the government does not conduct comprehensive audits of the vulnerabilities, technical performance, or management efforts of the majority of federal organizations (p. 149). Without an analysis of these issues, it is impossible to develop an effective policy to address the specific issues related to each organization. It is acknowledged that this is a difficult task, but it is essential to developing an effective policy against continually changing cyber threats.
The U.S. policies got off to a good start in 2000 with the development of a National Plan for Information Systems Protection. Unfortunately, this strength eroded into a weakness when the plan’s concepts failed to keep pace with current threats. Failure to update the plan constitutes a weakness in U.S. policy to defend against cyber attacks.
Strengths of the U.S. policies to prevent a cyber attack appear to be offset by corresponding weaknesses. A detailed plan backed by budget efforts establishes a solid foundation upon which the U.S. can defend against cyber attacks. However, inadequate implementation and funding, along with an inability to address a moving target, significantly weaken that foundation.
A redeeming quality of U.S. policies is the willingness to acknowledge there is a problem. But, that may not be enough. Perhaps the U.S. will never have an effective policy against cyber attack. Perhaps cyber threats have grown too large to handle. Perhaps the U.S. defense against cyber attack will prove to be as ineffective as the ability to defend against a class five hurricane. Perhaps the entire sphere of cyber threat has become as big as Mother Nature.
Brock, J. L. (2000). Critical infrastructure protection: National plan for information systems protection. Letter to Senate Special Committee on Year 2000 Technology Problem. Retrieved January 5, 2007 from http://archive.gao.gov/f0302/163238.pdf
Bush, G. W. (2001). Executive order on critical infrastructure protection. [Electronic version]. Retrieved January 6, 2007 from http://www.whitehouse.gov/news/releases/2001/10/20011016-12.html
Bush, G. W. (2003). The national strategy to secure cyberspace. Garden City, NY: Morgan James Publishing.
Carnegie Mellon (2006). CERT/CC statistics 1988-2006. Retrieved January 5, 2007 from http://www.cert.org/stats/
Chabrow, E. (2004). OMB: Security first. [Electronic version]. Information Week. Retrieved January 6, 2007 from http://www.informationweek.com/story/showArticle.jhtml?articleID=18201838
Christy, J. (2000). Chasing shadows: The human face behind the cyber threat. [Electronic version]. Federal Communications Law Journal, 53(1), 185-189. Retrieved January 6, 2007 from http://law.indiana.edu/fclj/pubs/v53/no1/christy.pdf
Cordesman, A. H. (2002). Cyber-Threats, information warfare, and critical infrastructure protection: Defending the U.S. homeland. Westport, CT: Praeger.
GAO. (2005). Critical infrastructure protection: Department of Homeland Security faces challenges in fulfilling cybersecurity responsibilities. [Electronic version]. Highlights of GAO-05-434, a report to congressional requesters.
Hardenbrook, B. J. (2005). Abstract: The need for a policy framework to develop disaster resilient regions. Journal of Homeland Security and Emergency Management, 2(3), 2. Retrieved January 5, 2007 from http://www.bepress.com/jhsem/vol2/iss3/2/
Lake, J. E., & Nuñez-Neto, B. (Coordinators). (2005). Homeland security department: FY2006 appropriations. [Electronic version]. CRS report for Congress RL32863. Retrieved January 8, 2007 from http://www.terrorisminfo.mipt.org/pdf/CRS_RL32863.pdf
McGann, R. (2005). Experts: Devastating U.S. cyber-attack within 10 years. Retrieved January 5, 2007 from http://www.clickz.com/showPage.html?page=3456471
Sofaer, A. D., & Goodman, S. E. (unk). Cyber crime and security: The transnational dimension. [Electronic version]. Hoover Press. Retrieved January 6, 2007 from http://media.hoover.org/documents/0817999825_1.pdf
Sternstein, A. (2006). Cybersecurity research plan identifies threats: Federal plan lacks a funding strategy for critical infrastructure protection R&D. Federal Computer Week. Retrieved January 6, 2007 from http://www.fcw.com/article94225-05-01-06-Print
Tomko, J. S., Jr. (2002). Critical infrastructure protection. [Electronic version]. Unpublished paper, U. S. Army War College. Retrieved January 5, 2007 from http://220.127.116.11/cip/resources/army-cip/Tomko_J_S_02.pdf
Weimann, G. (2006). Terror on the Internet: The new arena, the new challenges. Washington, DC: United States Institute of Peace.