7 One Government’s Approach to Cyber Security Policy

7.1 U.S. Federal Cyber Security Strategy

This chapter examines the cyber security policy that has been adopted by the U.S. federal government from a strategic perspective. Prior to the early 1990s, U.S. cyber security policy was a straightforward response to the proliferation of electronic records, and has been described in Chapter 2. Here, we chronicle more recent history of federal-level cyber security issues that have prompted strategy and associated policy. The chapter explains government action in response to historical events and suggests areas that the government might consider for future action. It begins with a brief historical overview of the most significant events in the past two decades that shape today’s policy debates in Washington. While most of the events are clearly cyber-centric, some are not immediately obvious with respect to their contribution to the field of cyber security policy. We start this historical review with terrorist attacks against the United States in the early 1990s, and proceed through actions taken in subsequent administrations. The chapter concludes with general observations of strategy and policy that have been illustrated by the history.

The U.S. Federal Government’s policy attitude toward cyber security has ranged from enforcing strong standards developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to complete ignorance of the severity of the situation. At any time, several dozen bills related to cyber security are in various states of construction in the U.S. Senate and the U.S. House of Representatives. Many of these bills are rewritten versions of efforts started by a previous Congress, and some of them are brand new efforts. None of the legislation being drafted will alone “fix” the cyber security problems faced by our nation. In fact, it is probably inappropriate for any cyber security policy professional to believe that an Act of Congress will make much difference in securing cyberspace.

There have of course been many attempts to articulate cyber security policy via Congressional action or via actions taken directly by government agencies. There are also many assumptions and misunderstandings about the convergence of policy and strategy. Pure strategy is just a blueprint for how a decision maker would like things to work. To instantiate strategy, policy is combined with process, procedure, standards, and enforcement. Depending on the strategy, this list of things required to instantiate it may be incomplete. Moreover, even well-planned and executed attempts to instantiate a strategy may sometimes fail to achieve strategy goals. This is especially true in environments that evolve as strategy is being executed, such as in the fast-changing world of cyberspace.

For example, in 2006, it became clear that identity theft was an issue that would likely be the subject for public policy. At that time, the major credit card companies likely to be targeted by any potential legislation formed the Payment Card Industry Security Standards Council, which in turn created the Payment Card Industry Data Security Standard. The standards were adopted in order to demonstrate compliance with existing financial privacy protection policy and, the cynical among us would guess, to thwart the perception that there was any need for any further legislation. However, even after the standards were adopted, major payment processors who were compliant with the industry-created standards have been the source of massive data breaches that led directly to identity theft [1]. A similar self-regulating attempt to thwart legislation by voluntary adoption of do-not-track consumer privacy standards is under way in the online advertising industry (Wyatt 2012). These examples illustrate the fact that standards and policy are very different things, and standards that are designed to achieve policy compliance do not necessarily do so.

7.2 A Brief History of Cyber Security Public Policy Development in the U.S. Federal Government

7.2.1 The Bombing of New York’s World Trade Center on February 26, 1993

The first major terrorist attack on U.S. soil since a 1920 TNT bombing on Wall Street that killed 35 people was meant to topple the city’s tallest tower onto its twin, amid a cloud of cyanide gas (Mylroie 1995). Had the attack gone as planned, tens of thousands of Americans would have died. Instead, one tower did not fall on the other, and, rather than vaporizing, the cyanide gas burned up in the heat of the explosion. “Only” six people died and over a thousand were injured. Details of the attack were later found on the terrorist’s laptop computer, the first known case of a terrorist using a personal computer to keep track of plans and operational information.

Within a month of the blast, four individuals thought responsible for the attack were apprehended. The suspects went on trial on September 13, 1993. The trial lasted 6 months with the presentation of 204 witnesses and more than 1000 pieces of evidence. A jury convicted the four defendants on March 4, 1994, in federal court on all 38 counts against them. On May 25, 1994, a judge sentenced each of the four defendants to 240 years in prison and a $250,000 fine.

Few Americans are aware of the true scale of the destructive ambition behind the bombing, despite the fact that 2 years later, the key figure responsible for building it—a man who had entered the United States on an Iraqi passport under the name of Ramzi Yousef—was involved in another stupendous bombing conspiracy. In January 1995, Yousef and his associates plotted to blow up 11 U.S. commercial aircraft in one spectacular day of terrorist rage. The bombs were to be made of a liquid explosive designed to pass through airport metal detectors.

But while mixing his chemical brew in a Manila apartment, Yousef started a fire. He was forced to flee, leaving behind a computer that contained the information that led to his arrest on February 7, 1995 in Pakistan. Among the items found in his possession was a letter threatening Filipino interests if a comrade held in custody were not released. It claimed the “ability to make and use chemicals and poisonous gas … for use against vital institutions and residential populations and the sources of drinking water.” Pakistan subsequently turned him over to U.S. authorities where he was sentenced to 240 years in prison on January 8, 1998.

7.2.2 Cyber Attacks against the United States Air Force, March–May 1994: Targeting the Pentagon

The computer network at Rome Labs, an Air Force facility in New York, came under a cyber attack in spring 1994 (Virus.org 1998). The attack was eventually traced to two young hackers—Kuji and Datastream Cowboy—who originated in the United Kingdom but were using various points of access to hack into other Air Force facilities and the North Atlantic Treaty Organization (NATO).

Datastream Cowboy pled guilty and was fined. Kuji was an Israeli citizen and found not guilty because no Israeli laws applied to this type of incident. This incident cost Rome Labs $500,000 to get their computers online and re-secured; however, this figure did not reflect the cost of the data compromised. One of the hackers admitted that “.mil” sites are typically easier to hack than other sites.

Datastream Cowboy was 16-year-old Richard Pryce, then a pupil at The Purcell School in Harrow, Middlesex (United Kingdom). He was arrested at his home on May 12, 1994 but released on police bail the same evening. Five stolen files, including a battle simulation program, were discovered on the hard disk of his computer. Another stolen file, which dealt with artificial intelligence and the American Air Order of Battle, was too large to fit on his desktop computer. He had placed it in his own storage space at an Internet service provider that he used in New York, accessing it with a personal password. He was located by investigators via an online chat forum where he was bragging about his activities.

Kuji was 21-year-old Mathew Bevan, a soft-spoken computer worker with a fascination for science fiction. His bedroom wall was covered with posters from “The X Files,” and one of his consuming interests was the Roswell incident, the alleged crash of a UFO near Roswell, New Mexico, in July 1947. He was arrested on June 21, 1996, at the offices of Admiral Insurance in Cardiff (United Kingdom) where he worked.

How did two rather ordinary young men manage to penetrate the military computer system and spark such a massive security alert? Both were bright and articulate, but there was nothing in their backgrounds to suggest a computer wizardry that would outwit the American military. Their success was based on a mixture of persistence and good luck, which was abetted by crude security mistakes in the Pentagon computer system.

In an interview several years later Pryce said,

I used to get software off the bulletin boards and from one of them I got a “bluebox,” which could recreate the various frequencies to get free phone calls. I would phone South America and this software would make noises which would make the operator think I had hung up. I could then make calls anywhere in the world for free. I would get on to the Internet and there would be hackers’ forums where I learnt the techniques and picked up the software I needed. You also get text files explaining what you can do to different types of computer. It was just a game, a challenge. I was amazed at how good I got at it. It escalated very quickly from being able to hack a low-profile computer like a university to being able to hack a military system. The name Datastream Cowboy just came to me in a flash of inspiration.

Pryce easily gained low-level security access to the Rome computer using a default guest password. Once inside the system, he retrieved the password file and downloaded it on to his computer. He then ran a program to bombard the password file with 50,000 words a second. According to Mark Morris, a Scotland Yard investigator on the case, “He managed to crack the file because a lieutenant in the USAF had used the password Carmen. It was the name of his pet ferret. Once Pryce had got that, he was free to roam the system. There was information there that was deemed classified and highly confidential and he was able to see it.”
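The attack described above succeeded on two avoidable mistakes: an account still carrying its default password, and a password taken straight from a dictionary. The following script is an added example and is not code from the book or from the Rome Labs investigation; it shows the defensive counterpart, an audit of one’s own password store against a wordlist and a list of well-known default account names. The store, the account names (guest, lt_smith, admin), the passwords and the short wordlist are all constructed for the example.

```python
import hashlib
import os
import secrets

# Constructed wordlist standing in for the dictionary a cracker would use.
# A real audit would load a large common-password list from a file.
WORDLIST = ["password", "guest", "letmein", "welcome", "carmen", "ferret", "dragon"]


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, used here only to keep the sample store self-contained.
    A production store should use a slow KDF (bcrypt, scrypt, argon2) instead."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_sample_store() -> dict:
    """Build a constructed password store: username -> (salt, hash).

    The accounts are made up for this example: 'guest'/'guest' models the
    default guest account, 'lt_smith'/'Carmen' the pet-name password from the
    text, and 'admin' gets a strong random password for contrast."""
    entries = {
        "guest": "guest",
        "lt_smith": "Carmen",
        "admin": secrets.token_urlsafe(24),
    }
    store = {}
    for user, pw in entries.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def candidates(word: str):
    """Case variants a dictionary cracker would try for each wordlist entry."""
    yield word
    yield word.capitalize()
    yield word.upper()


def audit_store(store: dict, wordlist) -> dict:
    """Return {username: password} for every account whose password is a
    case variant of a wordlist entry. Accounts absent from the result
    resisted the dictionary and need no immediate reset."""
    found = {}
    for user, (salt, digest) in store.items():
        for word in wordlist:
            for cand in candidates(word):
                if hash_password(cand, salt) == digest:
                    found[user] = cand
                    break
            if user in found:
                break
    return found


def default_accounts(store: dict, defaults=("guest", "anonymous", "test")) -> list:
    """Flag account names that are commonly shipped with a default password
    (the 'defaults' tuple is a constructed, illustrative list)."""
    return sorted(u for u in store if u.lower() in defaults)


if __name__ == "__main__":
    store = make_sample_store()
    print("default accounts present:", default_accounts(store))
    print("dictionary-crackable:", audit_store(store, WORDLIST))
```

The audit finds the guest account and the lieutenant’s pet name in a fraction of a second even with salting, because salt defeats precomputed tables, not a dictionary tried against each hash in turn. Only the length and randomness of the password, and the cost of the hash function, raise an attacker’s bill; a periodic audit of this kind, plus removal of default accounts, is what would have closed the door Pryce walked through.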

7.2.3 The Citibank Caper, June–October, 1994: How to Catch a Hacker

In mid-1994, an organized Russian crime gang successfully transferred $10 million from Citibank to different bank accounts all over the world. Known as the “Citibank Caper,” this incident was partially responsible for prompting the “Security in Cyberspace” hearings in the U.S. Congress chaired by Senator Sam Nunn.

By most measures, those responsible for the Citibank Caper were not world-class hackers—just really poor money launderers. When bank and federal officials began monitoring activities of a hacker moving cash through Citibank’s central wire transfer department, they were clueless about where the attack was originating. Monitoring began in July and continued into October, during which there were 40 transactions. Cash was moved from accounts as far away as Argentina and Indonesia to bank accounts in San Francisco, Finland, Russia, Switzerland, Germany, and Israel. In the end, all but $400,000 taken before monitoring began was recovered.

The break came on August 5, when the hacker moved $218,000 from the account of an Indonesian businessman to a BankAmerica account in San Francisco (Mohawk 1997). Federal agents found that account was held by Evgeni and Erina Korolkov of St. Petersburg, Russia. When Erina Korolkov flew to San Francisco to make a withdrawal in late August, she was arrested. By September, recognizing a St. Petersburg link, authorities traveled to Russia. A review of phone records found that Citibank computers were being accessed at AO Saturn, a company specializing in computer software, where Vladimir Levin worked. By late October, confident it had identified the hacker, Citibank changed its codes and passwords, shutting the door to the hacker. In late December, Korolkov began cooperating. Levin and Evgeni Korolkov were arrested at Stansted Airport, outside London, on a U.S. warrant on March 4, 1995. Unknown is how the hacker obtained passwords and codes assigned to bank employees in Pompano, Florida, and how he learned to maneuver through the system. Citibank says it has found no evidence of insider cooperation with the hacker.

7.2.4 Murrah Federal Building, Oklahoma City—April 19, 1995: Major Terrorism Events and Their U.S. Outcomes

At 9:02 A.M. on April 19, 1995 a truck bomb destroyed the front half of the Alfred P. Murrah Federal Building in Oklahoma City killing 168 citizens, including 19 children, and injuring more than 500. The powerful blast left a 30 ft wide, 8 ft deep crater on the front of the building. Local responders, fire fighters, police force, and urban search and rescue teams rushed to the scene. Within 7 hours, the president ordered deployment of local, state, and federal resources. This was the first time that the President’s authority under the Stafford Act (section 501 [b]) was used, granting the Federal Emergency Management Administration (FEMA) primary federal responsibility for responding to a domestic consequence management incident.

The deliberate destruction of the Midwestern office building, located far outside the “nerve centers” of Washington and New York City, had a much larger impact than just the loss of lives and property. Government officials soon discovered that the explosion was felt by other government agencies and private sector businesses across the United States—due to the disruption of functions and data housed in the Murrah building.

The Murrah Federal Building housed several federal offices including the Drug Enforcement Agency, the Bureau of Alcohol Tobacco and Firearms, U.S. Customs Service, U.S. Department of Housing and Urban Development, Veterans Administration, Social Security Administration, and others.

After the attack, government officials realized that the loss of a seemingly insignificant federal building was able to set off a chain reaction that impacted an area of the economy that would not have normally been linked to the functions of that federal building. The idea was that, beyond the loss of human lives and physical infrastructure, a set of processes controlled from that building was lost as well (i.e., a local bureau of the Federal Bureau of Investigation (FBI) and a payroll department), with a hitherto unimaginable impact on other agencies, employees, and/or the private sector down the supply chain and far away from the physical destruction of the building. This made clear that interdependency between infrastructures and their vulnerability were major issues.

One direct outcome of the Oklahoma City bombing was Presidential Decision Directive 39 (PDD 39), which directed the Attorney General to lead a government-wide effort to re-examine the adequacy of the available infrastructure protection. As a result, Attorney General Janet Reno convened a working group to investigate the issue and report back to the cabinet with policy options. The review, which was completed in early February 1996, particularly highlighted the lack of attention that had been given to protecting the cyber infrastructure of critical information systems and computer networks.

Thus, the topic of cyber threats was linked to the topics of critical infrastructure protection and terrorism. Subsequently, President Bill Clinton started to develop a national protection strategy with his Presidential Commission on Critical Infrastructure Protection (PCCIP) in 1996, and the issue has stayed on a high priority ever since.

7.2.5 President’s Commission on Critical Infrastructure Protection—1996

Concerns about terrorism have been raised by U.S. officials since the 1970s. However, it was not until after the Vice President’s Task Force on Terrorism issued its report in 1985 that U.S. policy was formalized. The following year, the Reagan administration issued National Security Decision Directive 207 (NSDD 207), which focused primarily on law enforcement (crisis) activities resulting from terrorist incidents abroad. It tasked the National Security Council (NSC) with sponsoring an Interagency Working Group to coordinate the national response and designated lead federal agencies for both foreign and domestic terrorist incidents. The State Department was designated as the lead agency for international terrorism policy, procedures, and programs, and the FBI was designated as the lead agency for dealing with acts of terrorism. No additional major policy changes were implemented in the federal structure until 1995.

Two months after the Oklahoma City bombing in April 1995, President Clinton issued Presidential Decision Directive 39 (PDD 39), which expanded upon NSDD 207. The following year, the PCCIP was formed by an Executive Order (EO). An excerpt from EO 13010 is below, and illustrates the deep understanding that the administration had about the importance of protecting the nation’s critical infrastructure.

Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States. These critical infrastructures include telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government. Threats to these critical infrastructures fall into two categories: physical threats to tangible property (“physical threats”), and threats of electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures (“cyber threats”). Because many of these critical infrastructures are owned and operated by the private sector, it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation. (http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=1996_register&docid=fr17jy96-92.pdf)

The PCCIP was chaired by retired Air Force General Robert (Tom) Marsh and became known as the Marsh Commission. The Commission’s final report, Critical Foundations, was issued in October 1997, and both formalized the descriptions of the major infrastructures as well as defined threats to them (President’s Commission on Critical Infrastructure Protection 1997). It also recommended a series of policies for the federal government, the majority of which became Presidential Decision Directive 63 in May 1998.

As a result of the Commission’s findings, the Clinton administration published PDD 63 in 1998, a landmark document outlining in detail a way ahead for protecting the nation’s infrastructures from potential attacks. Also in 1998, and also as a result of lessons learned from the Oklahoma City bombing, the Clinton administration published PDD 62 (Combating Terrorism) and PDD 67 (Continuity of Government Operations) which together with PDD 63 form a triad of national policy aimed at addressing weaknesses in various parts of the nation’s government and infrastructures. PDD 62 created the position of National Coordinator for Security, Infrastructure Protection and Counterterrorism under the NSC. PDD 63 was the first national policy on critical infrastructure protection creating the framework in which CIP policy would evolve.

7.2.6 Presidential Decision Directive 63—1998

Presidential Decision Directive 63 built on the recommendations of the PCCIP (PDD-63 1998). The Commission’s report called for a national effort to assure the security of the United States’ increasingly vulnerable and interconnected infrastructures, such as telecommunications, banking and finance, energy, transportation, and essential government services. PDD 63 was the culmination of an intense, interagency effort to evaluate those recommendations and produce a workable and innovative framework for critical infrastructure protection.

PDD-63 created four new organizations:

  • The National Infrastructure Protection Center (NIPC) at the FBI fused representatives from FBI, DoD, United States Secret Service (USSS), Energy, Transportation, the Intelligence Community, and the private sector in an attempt at information sharing among agencies in collaboration with the private sector. The NIPC provided the principal means of facilitating and coordinating the Federal Government’s response to an incident, mitigating attacks, investigating threats, and monitoring reconstitution efforts. The NIPC was absorbed into Department of Homeland Security (DHS) in 2003.
  • Information Sharing and Analysis Centers (ISACs) were encouraged to be set up by the private sector in cooperation with the Federal government and modeled on the Centers for Disease Control and Prevention. Today, there are dozens of ISACs in many sectors of the economy. Several countries have created similar organizations for their industries and economic sectors.
  • The National Infrastructure Assurance Council (NIAC) was to be drawn from private sector leaders and state/local officials to provide guidance to the policy formulation of a National Plan. The NIAC was never established. A new “NIAC” (the National Infrastructure Advisory Council) was created by EO 13231 in 2001 and serves to provide the President advice on the security of information systems for critical infrastructure supporting the banking and finance, transportation, energy, manufacturing, and emergency government services sectors of the economy.
  • The Critical Infrastructure Assurance Office (CIAO) was created in the Department of Commerce with the responsibility for coordinating the development of critical infrastructure sector plans by the private sector and their respective federal agency liaisons. Based on the content of the sector plans, CIAO assisted in producing the first National Plan for Information Systems Protection. The office also helped coordinate a national education and awareness program, and legislative and public affairs programs. The CIAO was absorbed into DHS in 2003.

7.2.7 National Infrastructure Protection Center (NIPC) and ISACs—1998

The NIPC had its roots in the Infrastructure Protection Task Force (IPTF), created at the FBI in 1996 in order to increase the “coordination of existing infrastructure protection efforts to better address, and prevent, crises that would have a debilitating regional or national impact.” The IPTF was placed at the FBI in order to take advantage of the FBI’s newly established Computer Investigations and Infrastructure Threat Assessment Center (CITAC), also created in 1996 to deal with computer crime.

Under PDD 63, the FBI was directed to bring together representatives from U.S. government agencies, state and local governments, and the private sector in a partnership to protect U.S. critical infrastructures. The NIPC was created in 1998 at the FBI to serve as the U.S. government’s focal point for threat assessment, warning, investigation, and response for threats or attacks against the critical infrastructures. The NIPC’s function was transferred to DHS in 2003.

PDD 63 assigned to industries the task of creating an ISAC, through which companies could share information about attacks, threats, and vulnerabilities. The ISAC was intended to be the NIPC’s contact for warning industries about potential threats. Eventually, several ISACs were created for railroad, electric, energy, financial services, and information technology companies. In addition to footing the bill for these councils, companies involved have had to be willing to overcome reticence about their own vulnerabilities in order to share information needed to protect national infrastructure. Several more ISACs were created in the past few years, and unfortunately most are today just a hollow shell of what they were earlier. Information sharing is hard, and depends on building mutual trust between the people (not just the organizations) who participate in them.

7.2.8 Eligible Receiver—1997

In the summer of 1997, the U.S. Joint Chiefs of Staff organized what is known as a “no-notice” exercise that would test the Defense Department’s ability to detect and defend against a coordinated cyber attack against various military installations and critical computer networks. It would involve dozens of world-class computer hackers and last for more than a week (Pike 2012a). The Joint Chiefs gave the highly classified exercise the code name “Eligible Receiver 97.” The operational details of how the Red Team of pretend-hackers would carry out their attacks were left to senior officials from the NSA.

Prior to launching their attacks on June 9, officials briefed the team of 35 NSA computer hackers on the ground rules. They were told that they were allowed to use only software tools and other hacking utilities that could be downloaded freely from the Internet. The DoD’s own arsenal of classified attack tools could not be used. The team was also prohibited from breaking any U.S. laws. The primary target was the U.S. Pacific Command in Hawaii. Other targets included the National Military Command Center in the Pentagon, the U.S. Space Command in Colorado, the U.S. Transportation Command in Ohio, and the Special Operations Command in Florida.

Posing as hackers hired by the North Korean intelligence service, the NSA Red Team dispersed around the country and began digging their way into military networks. The team gained unfettered access to dozens of critical DoD computer systems. They were free to create legitimate user accounts for other hackers, delete valid accounts, reformat hard drives, read email, and scramble data. They did all of this without being traced or identified.

The results of the exercise stunned officials, including the senior members of the NSA responsible for running it. Not only were the attackers potentially able to disrupt and cripple Defense command and control systems, but analysis of their techniques after the exercise ended revealed that much of the private sector infrastructure in the United States, such as the telecommunications networks and power grid, could easily be sent into a tailspin using the same tools and techniques.

7.2.9 Solar Sunrise—1998

In February 1998 several U.S. military system administrators reported a coordinated attack aimed at dozens of unclassified computer systems. The intruders accessed unclassified logistics, administration, and accounting systems that controlled the DoD’s ability to manage and deploy military forces (Pike 2012b). Then-U.S. Deputy Secretary of Defense John J. Hamre called it “the most organized and systematic attack to date” on U.S. military computer systems. Although the attacks exploited a well-known vulnerability in the Solaris operating system for which a patch had been available for months, they came at a time of heightened tension in the Persian Gulf. Dr. Hamre and other top officials were convinced that they were witnessing a sophisticated state-sponsored Iraqi effort to disrupt troop deployment in the Middle East.

The U.S. response to this incident required a massive, cooperative effort by the FBI, the Justice Department’s Computer Crimes Section, the Air Force Office of Special Investigations, the National Aeronautics and Space Administration (NASA), the Defense Information Systems Agency (DISA), the NSA, the CIA, and various computer emergency response teams from the military services and government agencies.

In the end, it was found that two young hackers in California had carried out the attacks under the direction of a hacker in Israel, himself a teenager. They gained privileged access to computers using tools available from a university website and installed sniffer programs to collect user passwords. They created a backdoor and then used a patch available from another university website to fix the vulnerability and prevent others from repeating their exploit. Unlike most hackers, they did not explore the contents of the victim computers.

Today, defense officials continue to point to Solar Sunrise as illustrative of the difficulty of separating recreational hacking attacks from the state-sponsored cyber assaults that they are still certain are on the horizon. Law enforcement, meanwhile, holds this investigation up as a textbook example of interagency cyber crime cooperation.

7.2.10 Joint Task Force—Computer Network Defense (JTF-CND)—1998

In response to the findings of the Marsh Commission, the results of Eligible Receiver 1997, and the lessons learned from the Solar Sunrise incident, the DoD began exploring several options for dealing with the clear dangers that were growing from the nation’s increased dependency on cyberspace. After months of deliberation and heated discussions, the decision was made to create a JTF that would serve as an operational organization outside of the Intelligence Community (rather than as an arm of the Intelligence Community as many wanted) and would have authority to direct technical changes to DoD computers and networks for cyber defense purposes (Gourley 2010).

Launched in December 1998, the Joint Task Force-Computer Network Defense (JTF-CND) was initially assigned to the Secretary of Defense (SECDEF) then was further assigned to the United States Space Command (USSPACECOM) in October 1999. In 2000, it was redesignated as the Joint Task Force-Computer Network Operations (JTF-CNO), and in October 2002, with the merger of the United States Strategic Command (USSTRATCOM) and USSPACECOM, JTF-CNO became a component of USSTRATCOM.

In June 2004, the SECDEF redesignated the organization as the Joint Task Force-Global Network Operations (JTF-GNO) and appointed the DISA Director to be assigned as its Commander. The JTF-GNO was given authorities and responsibilities for global network operations and defense.

In July 2004, the JTF-GNO formed the Global NetOps Center (GNC) through the functional merger of elements from the JTF-GNO’s Operations Directorate, DISA’s Global Network Operations and Security Center (GNOSC), the DoD Computer Emergency Response Team (DoD-CERT), and the Global SATCOM Support Center. As such, the GNC was responsible for guiding, directing, and overseeing daily compliance with NetOps policy, providing common defense of the DoD’s Global Information Grid (GIG), and ensuring strategic priorities for information are satisfied.

In November 2008, the JTF-GNO function was assigned to the NSA, and in June 2009 the SECDEF ordered STRATCOM to “disestablish” the JTF-GNO not later than October 2010 as part of the activation of the new Cyber Command. The colors were cased on September 7, 2010, ending its short existence.

7.2.11 Terrorist Attacks against the United States—September 11, 2001: Effects of Catastrophic Events on Transportation System Management and Operations

The terrorist attacks against the United States on September 11th, 2001 exposed not only weaknesses in physical security, airline security, law enforcement investigations, and intelligence analysis, but also demonstrated the close interdependence of the critical infrastructure in lower Manhattan, New York City (DeBlasio, Regan, et al. 2002).

Beneath the streets of New York City, as in most large cities, are miles of tunnels, conduits, pathways, and routes for various infrastructures. When the WTC towers collapsed, hundreds of tons of steel and concrete impacted the surrounding area, severing underground utilities, destroying telecommunications switches, and pulverizing power distribution transformers and backup generators.

The WTC Complex’s seven buildings, with their 293 floors of office space, housed some 1200 companies and organizations. Each floor of the Twin Towers contained over 1 acre of office space. The complex included 239 elevators and 71 escalators. The WTC housed approximately 50,000 office workers and averaged 90,000 visitors each day.

The below-ground Mall was the largest enclosed shopping mall in Lower Manhattan as well as the main interior pedestrian circulation level for the WTC complex.

Approximately 150,000 people a day used the three subway stations located below the towers in the Mall. The below-ground parking garage included space for 2000 vehicles, but only 1000 were used on a daily basis. The number of parking spaces was reduced for safety and security reasons after the 1993 attack.

Because of the terrorist bombing of the WTC in 1993 and subsequent emergencies, such as the 1999 Queens electrical blackout and the 1995 Tokyo Subway gas attack, the New York City region had dramatically increased its planning for major emergencies before September 11, 2001. The New York City Office of Emergency Management (OEM), under the direction of the New York City Mayor’s office, significantly upgraded its resources and preparedness, including the completion of a new emergency command center in 1999 at 7 WTC. OEM formed a task force to implement upgrades to the existing emergency response plans for the New York City region. The region used the incident command system (ICS). In addition to following the ICS, individual agencies upgraded their own internal emergency procedures.

The WTC itself was upgraded after the 1993 bombing with over $90 million worth of safety improvements, including a duplicate source of power for safety equipment, such as fire alarms, emergency lighting, and intercoms. Most importantly, building management took evacuation preparedness seriously, conducting evacuation drills every 6 months. Each floor had “fire wardens,” sometimes high-ranking executives of a tenant, who were responsible for organizing and managing an evacuation of their floors. In part because of this preparedness, 99% of the occupants of each tower on the floors below the crashes survived.

On the morning of September 11, a Verizon/NYNEX building adjacent to the WTC site did not collapse, but it, along with many other buildings bordering the WTC complex, suffered significant damage. Not visible in the many photos taken that day is the chaos under the sidewalks and streets. The fiber optic and copper cabling that entered the Verizon building from below the streets had been physically damaged by large steel girders that pierced the sidewalks to a depth of several feet. Millions of gallons of water from broken water mains, steam lines, and the Hudson River rushed into the underground conduits that carried not only the telecommunications cables but also pneumatic mailing tubes, electrical cables, and other infrastructure. This damage extended several blocks around the WTC complex. Several large bundles of underground fiber optic cables just outside of the Verizon building were literally sliced in half by the debris, then encased in water, mud, and steam escaping from broken high pressure lines.

The Verizon building at 140 West Street was constructed in 1926 to house the New York Telephone Company. Over the years hundreds of thousands of telephone lines were connected to the building, along with several million data circuits. Next to the Verizon building, in 7 WTC, were two of Con Edison’s electric substations that served most of the Lower East Side and virtually every building from Duane Street to Fulton Street to South Ferry. Those substations were instantly destroyed when 7 WTC collapsed late in the day on September 11. Fortunately, all 1737 of the Verizon employees were safely evacuated from the building.

Inside the Verizon building were several floors of switching equipment and communications devices. Many of the components continued to work on backup power in spite of the massive amount of physical damage. One telephone switch was found to be still functioning as it dangled from its rack, held in place only by the strength of the power cable’s outer jacket. This illustrates the remarkable resiliency that many of the electronic components of the nation’s communications infrastructure have.

For several weeks after September 11, the sidewalks of the area around the WTC complex were covered with miles of power and communications cables. Because the underground conduits were so badly damaged, Verizon and Con Edison quickly decided to restore operations by using a street-level network.

A similar situation existed in the basement of the Pentagon directly below the impact point of American Flight 77. One of the two major Pentagon Internet gateways was impacted by the crash, but continued to function, thanks to the quick thinking of an employee who was able to crawl into the damaged space with an extension cord to power the routers. The devices were still functioning when the overhead debris was removed several days later.

Many lessons about the communications infrastructure’s vulnerabilities to a physical attack were learned following September 11. Unfortunately, it was discovered that the redundancy previously engineered in the networks had been largely reduced due to years of telephone company mergers and acquisitions. For example, the NYSE had designed over a dozen separate communications paths, with roughly half of them terminating at the Verizon building and the remainder traveling over diverse routes to other switching offices further north. On September 11, there were still over a dozen “separate paths,” but they were only virtual—all but one physically terminated at the Verizon building.

Many of America’s large metropolitan areas have two major central telephone switching centers, a remnant of the days when AT&T dominated the telephone market. It is important for businesses to determine the physical paths that their communications circuits take to their local switching office, and to ensure that they are not paying for what really amounts to “virtual” diversity.
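One way to turn that advice into a repeatable check, as an added example that is not part of the chapter: ask the carrier for the physical route of each circuit (building entrance, manholes, conduits, terminating central office) and compute which single facility, if destroyed, would take down the most circuits. The circuit and facility names below are constructed to mirror the NYSE case described above (a dozen billed “separate paths”, eleven of which end at one central office); they are not real route records.

```python
"""Audit logical vs. physical circuit diversity (added example).

Each circuit is described by the list of physical facilities its path
traverses. A carrier may bill for many "separate paths" that share a
conduit or terminate at the same central office; this script finds the
facility whose loss would sever the most circuits and reports how many
circuits would actually survive, i.e. the redundancy you are really buying.
"""
from collections import defaultdict


def facility_exposure(circuits):
    """Map each physical facility to the sorted list of circuit IDs that use it."""
    exposure = defaultdict(set)
    for cid, path in circuits.items():
        for facility in path:
            exposure[facility].add(cid)
    return {fac: sorted(ids) for fac, ids in exposure.items()}


def worst_single_failure(circuits):
    """Return (facility, surviving_circuit_ids) for the single facility whose
    destruction leaves the fewest circuits up. Ties break on facility name
    so the result is deterministic."""
    exposure = facility_exposure(circuits)
    worst = min(exposure, key=lambda f: (len(circuits) - len(exposure[f]), f))
    survivors = sorted(cid for cid in circuits if cid not in exposure[worst])
    return worst, survivors


def diversity_report(circuits):
    """Summarise claimed (logical) vs. effective (physical) redundancy."""
    worst, survivors = worst_single_failure(circuits)
    return {
        "logical_paths": len(circuits),
        "worst_facility": worst,
        "circuits_through_worst": len(circuits) - len(survivors),
        "surviving_after_worst": survivors,
        # Paths still up after the worst single physical loss: this, not
        # the number of circuits on the invoice, is your real redundancy.
        "effective_redundancy": len(survivors),
    }


# Constructed sample (hypothetical names): twelve circuits sold as separate
# paths; eleven leave through two building entrances and two conduits but
# all terminate at the same central office, one takes a northern route.
SAMPLE_CIRCUITS = {}
for i in range(1, 12):
    entrance = "bldg-entrance-A" if i % 2 else "bldg-entrance-B"
    conduit = "conduit-west" if i <= 6 else "conduit-south"
    SAMPLE_CIRCUITS[f"ckt-{i:02d}"] = [entrance, f"manhole-{i}", conduit, "CO-140-West-St"]
SAMPLE_CIRCUITS["ckt-12"] = ["bldg-entrance-B", "manhole-20", "conduit-north", "CO-uptown"]


if __name__ == "__main__":
    report = diversity_report(SAMPLE_CIRCUITS)
    print(f"Billed for {report['logical_paths']} paths.")
    print(f"Worst single loss: {report['worst_facility']} "
          f"severs {report['circuits_through_worst']} circuits.")
    print(f"Effective redundancy: {report['effective_redundancy']} "
          f"(survivors: {', '.join(report['surviving_after_worst'])})")
```

Run against the sample, the report shows twelve logical paths but an effective redundancy of one: exactly what two genuinely disjoint circuits would give, at a fraction of the cost. The same function applied to real carrier route records (and extended to power feeds or cloud availability zones, which fail the same way) is the check the paragraph above calls for.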

7.2.12 U.S. Government Response to the September 11, 2001 Terrorist Attacks

The United States Commission on National Security in the 21st Century had issued a set of national policy recommendations in February 2001—well before the September terrorist attacks—in a report titled Seeking a National Strategy (http://www.au.af.mil/au/awc/awcgate/nssg/phaseII.pdf). Chaired by former Senators Gary Hart (D) and Warren Rudman (R), the so-called Hart–Rudman Commission echoed earlier reports, speaking anxiously of the inevitability of a major terrorist act on U.S. soil and of the nation’s weak ability to prevent or respond to such an attack—concerns which were validated about seven months later on September 11.

Among other things, the Commission called for the creation of a new federal agency, to be named the National Homeland Security Agency (NHSA). The new organization’s mission would be “to consolidate and refine the missions of the nearly two dozen disparate departments and agencies that have a role in U.S. homeland security today.” Although neither Hart–Rudman nor the earlier Gilmore Commission (1999) focused specifically on critical infrastructure, the reports nonetheless reinforced the basic message of the 1996/97 PCCIP: the time for action was now, not later.

While agreeing with Hart–Rudman that a central coordinating point for “homeland security” was called for, President George W. Bush initially chose to establish the function on September 20, 2001 within the White House under the title of Office of Homeland Security (OHS). OHS subsequently became the Homeland Security Council (HSC) the following month. Political pressures ultimately led to the creation of a Cabinet-level organization, the DHS in November 2002. The OHS/HSC director, former Pennsylvania Governor Tom Ridge, was named the nation’s first Secretary of Homeland Security in February 2003. The HSC continued as a separately staffed organization through the end of the George W. Bush administration. In 2009, the Barack Obama administration consolidated the staffs of the National Security and Homeland Security councils into a single National Security Staff. The NSC and HSC now exist by statute as separate advisory councils to the President, while supported by a single staff.

Also following the September 11 attacks, President Bush issued EO 13231, Critical Infrastructure Protection in the Information Age (http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2001_register&docid=fr18oc01-139.pdf), making cyber security a priority and accordingly increasing funds to secure federal networks. EO 13231 created two new White House organizations, the White House Office of Cyberspace Security and the President’s Critical Infrastructure Protection Board (PCIPB). While both organizations were officially part of the new HSC, the Cyber Security Office was located in the Eisenhower Executive Office Building (EEOB) and was considered to be part of the NSC staff. The PCIPB offices were located a few blocks from the EEOB, outside of the tight White House security perimeter, thus allowing for easier access to coordinate interagency actions and to involve the private sector in the development of a National Strategy to Secure Cyberspace.

In 2002, the President moved to consolidate and strengthen federal cyber security agencies as part of the proposed DHS. DHS was activated early in 2003, and the National Cyber Security Division (NCSD) was created in June 2003. The NCSD and the CERT/CC at Carnegie Mellon University jointly run the United States Computer Emergency Readiness Team (US-CERT) as a single point of contact for addressing emerging national cyberspace security issues.

7.2.13 Homeland Security Presidential Directives

Since its creation in 1947 the NSC has been the principal forum for presidential consideration of foreign policy issues and national security matters. In the process of developing policy recommendations for the President the NSC gathers facts and views of government agencies, and then conducts analyses, determines alternatives, and presents to the President policy choices for his or her decision. The President’s decisions are then announced by decision directives. Because the Bush administration had both an NSC and an HSC, there were two sets of decision directives published during his two terms in office—National Security Presidential Directives (NSPDs) and Homeland Security Presidential Directives (HSPDs).

Three HSPDs are worth mentioning here, as they illustrate how different types of cyber security policy needs can ultimately become Presidential decision directives. HSPD 7 replaced PDD 63 (Clinton administration) and increased the number of critical sectors to seventeen. HSPD 12 introduced the requirement for a common identification system for all federal employees and federal contractors. HSPD 23, one of the last HSPDs issued by President Bush, was also published as NSPD 54 and outlined a 12-point comprehensive plan for securing the federal government’s own networks as well as networks in the private sector that support the critical infrastructure. This plan is commonly known as the Comprehensive National Cybersecurity Initiative (CNCI).

The Bush administration issued HSPD 7 on December 17, 2003, which established a national policy for federal departments and agencies to identify and prioritize U.S. critical infrastructure and key resources and to protect them from terrorist attacks. HSPD 7 tasked the Secretary of Homeland Security with coordinating the overall national effort to enhance the protection of the critical infrastructure and designated other departments and agencies with sector-specific responsibilities.

HSPD 7 replaced PDD 63 and raised the total number of critical infrastructure sectors to 17. (An eighteenth sector—critical manufacturing—was added in 2009.) The following paragraphs from HSPD 7 show how the sectors were realigned after the creation of DHS:

(15) The Secretary [of Homeland Security] shall coordinate protection activities for each of the following critical infrastructure sectors: information technology; telecommunications; chemical; transportation systems, including mass transit, aviation, maritime, ground/surface, and rail and pipeline systems; emergency services; and postal and shipping. The Department [of Homeland Security] shall coordinate with appropriate departments and agencies to ensure the protection of other key resources including dams, government facilities, and commercial facilities. In addition, in its role as overall cross-sector coordinator, the Department shall also evaluate the need for and coordinate the coverage of additional critical infrastructure and key resources categories over time, as appropriate.

(18) Recognizing that each infrastructure sector possesses its own unique characteristics and operating models, there are designated Sector-Specific Agencies, including:

(a) Department of Agriculture–agriculture, food (meat, poultry, egg products);
(b) Health and Human Services–public health, healthcare, and food (other than meat, poultry, egg products);
(c) Environmental Protection Agency–drinking water and water treatment systems;
(d) Department of Energy–energy, including the production, refining, storage, and distribution of oil and gas, and electric power except for commercial nuclear power facilities;
(e) Department of the Treasury–banking and finance;
(f) Department of the Interior–national monuments and icons; and
(g) Department of Defense–defense industrial base.

(19) In accordance with guidance provided by the Secretary [of Homeland Security], Sector-Specific Agencies shall:

(a) collaborate with all relevant Federal departments and agencies, State and local governments, and the private sector, including with key persons and entities in their infrastructure sector;
(b) conduct or facilitate vulnerability assessments of the sector; and
(c) encourage risk management strategies to protect against and mitigate the effects of attacks against critical infrastructure and key resources.

Sector-Specific Agencies, in conjunction with their Sector Coordinating Councils (industry) and Government Coordinating Councils (government), work together via a framework of risk analysis and information sharing that is specified in the National Infrastructure Protection Plan (NIPP). HSPD 7 (paragraph 27) called for the development of the NIPP, which is maintained by DHS. The first interim NIPP was published in 2004, and the latest version was published in 2009.

7.2.14 National Strategies

While publishing national strategies is a routine function of the federal government, a handful of national strategies written in the wake of the 2001 terrorist attacks are worth mentioning in the context of homeland and cyber security. These publications are the ultimate in presidential strategic policymaking, and set forth visionary statements and concepts that are then used by the various departments and agencies to develop their own strategic and operational policies.

The National Strategy for Homeland Security (2002) defined “homeland security” and identified a strategic framework based on three national objectives:

  • Preventing terrorist attacks within the United States
  • Reducing America’s vulnerability to terrorism
  • Minimizing the damage and recovering from attacks that do occur.

Improved “information sharing” has always been an objective of the government, and the Homeland Security Strategy recognized both the power of using information systems to improve information sharing, as well as the many gaps that remained to be filled. From the Strategy’s executive summary:

Information systems contribute to every aspect of homeland security. Although American information technology is the most advanced in the world, our country’s information systems have not adequately supported the homeland security mission. Databases used for federal law enforcement, immigration, intelligence, public health surveillance, and emergency management have not been connected in ways that allow us to comprehend where information gaps or redundancies exist. In addition, there are deficiencies in the communications systems used by states and municipalities throughout the country; most state and local first responders do not use compatible communications equipment. To secure the homeland better, we must link the vast amounts of knowledge residing within each government agency while ensuring adequate privacy.

The National Strategy for Homeland Security identifies five major initiatives in this area:

  • Integrate information sharing across the federal government;
  • Integrate information sharing across state and local governments, private industry, and citizens;
  • Adopt common “meta-data” standards for electronic information relevant to homeland security;
  • Improve public safety emergency communications; and
  • Ensure reliable public health information.

An updated National Strategy for Homeland Security was published in October 2007 that set forth four new goals:

  • Prevent and disrupt terrorist attacks;
  • Protect the American people, our critical infrastructure, and key resources;
  • Respond to and recover from incidents that do occur; and
  • Continue to strengthen the foundation to ensure our long-term success.

The 2007 Strategy expanded the scope beyond terrorism to include man-made and natural disasters. The first three goals listed above focused on organizing national efforts. The last goal was designed to create and transform homeland security principles, systems, structures, and institutions. This included a comprehensive approach to risk management, building a culture of preparedness, developing a comprehensive Homeland Security Management System, improving incident management, better utilizing science and technology, and leveraging all instruments of national power and influence.

The National Strategy to Secure Cyberspace (2003) outlined an initial framework for both organizing and prioritizing efforts. It provided direction to the federal government departments and agencies that have roles in cyberspace security. It also identified steps that state and local governments, private companies and organizations, and individual Americans could take to improve the nation’s collective cyber security. The Strategy highlighted the role of public/private engagement and provided a framework for the contributions that can be made to secure all parts of cyberspace. Because the dynamics of cyberspace would require adjustments and amendments to the Strategy over time, the original concept was to update the strategy annually. However, no changes have been made to it since being published in February 2003.

The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (2003) identified a clear set of national goals and objectives and outlined the guiding principles that underpin our efforts to secure the infrastructures and assets vital to our national security, governance, public health and safety, economy, and public confidence. The Strategy also provided a unifying organization and identified specific initiatives to drive our near-term national protection priorities and inform the resource allocation process. Most importantly, it established a foundation for building and fostering the cooperative environment in which government, industry, and private citizens could carry out their respective protection responsibilities more effectively and efficiently. Like the National Strategy to Secure Cyberspace, it has not been updated since its publication in February 2003. However, two recent cyber strategies were published by the Obama administration, one on trusted cyberspace identities and the other addressing international cyberspace practices.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of sensitive online transactions (http://www.nist.gov/nstic/about-nstic.html). The Strategy calls for the development of interoperable technology standards and policies—an “Identity Ecosystem”—where individuals, organizations, and underlying infrastructure—such as routers and servers—can be authoritatively authenticated. The goals of the Strategy are to protect individuals, businesses, and public agencies from the high costs of cyber crimes like identity theft and fraud, while simultaneously helping to ensure that the Internet continues to support innovation and a thriving marketplace of products and ideas.

In 2011, President Obama issued an International Strategy for Cyberspace to pursue a policy that would empower innovation as well as the ability to seek, receive, and impart information and ideas through any medium and regardless of frontiers, protected from fraud, theft, and threats to personal safety. As a goal, it was stated that, “The United States will work internationally to promote an open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation.” The goal was followed by several specific policy statements that reflect our national values:

  • States must respect fundamental freedoms of expression and association, online as well as off.
  • States should in their undertakings and through domestic laws respect intellectual property rights, including patents, trade secrets, trademarks, and copyrights.
  • Individuals should be protected from arbitrary or unlawful state interference with their privacy when they use the Internet.
  • States must identify and prosecute cybercriminals, to ensure laws and practices deny criminals safe havens, and cooperate with international criminal investigations in a timely manner.
  • Consistent with the United Nations Charter, states have an inherent right to self-defense that may be triggered by certain aggressive acts in cyberspace.

7.3 The Rise of Cyber Crime

In any culture there will be criminals who take advantage of the less fortunate, the gullible, and those who do not pay attention to their own personal security. The Internet culture is no different, with the exception that many criminals can ply their trade nearly anonymously and away from the reach of most law enforcement activities. Typically, Internet crime centers on credit card theft, fraud, online gambling, and pornography, and attempts to swindle users through the use of fake email and fake web sites. Other crimes include theft of intellectual property, including peer-to-peer file swapping and the sale or distribution of cracked or copied software.

In the 1990s, many security professionals believed that we were on a collision course with some major type of Internet disruption—a “cyber Pearl Harbor” as it was frequently called. However, beginning around the end of 2003 and early 2004, another threat emerged and has dominated the scene since then. Organized crime has discovered that there is just too much value online to ignore it. That makes all online users the new victims of crime, and often they have no idea that they have been robbed or swindled.

To make matters worse, the explosion of “Web 2.0” technologies (wikis, peer-to-peer, social networking, and other forms of self-expression) has made it even easier for criminals to take advantage of unsuspecting victims. In industrial plants it is even worse—many of these new technologies are replacing older systems as they are upgraded. By bringing in Web 2.0 technologies to monitor and run ICS/SCADA systems, we are potentially opening our internal control networks to the outside criminal community. There is an enormous amount of value in a critical infrastructure control system, and criminal groups around the world are only milliseconds away from exploiting any small mistake you might make.

Each year since 2008, Verizon has published a report called the Data Breach Investigations Report (DBIR), an analysis of investigations into the sequence of events that lead to breaches of large databases of information. Year after year the Verizon team has found that the vast majority of all large data breaches are driven by criminal intentions. The latest statistics, based on nearly 800 breaches that were investigated in 2010 and published in 2011 (the number in parentheses is the percentage-point change from 2009; “<>” indicates no change), show that (Baker, Hutton et al. 2011):

  • 92% stemmed from external agents (+22%)
  • 17% implicated insiders (−31%)
  • 9% involved multiple parties (−18%)
  • 50% utilized some form of hacking (+10%)
  • 49% incorporated malware (+11%)
  • 29% involved physical attacks (+14%)
  • 17% resulted from privilege misuse (−31%)
  • 11% employed social tactics (−17%)
  • 83% of victims were targets of opportunity (<>)
  • 92% of attacks were not highly difficult (+7%)
  • 76% of all data was compromised from servers (−22%)
  • 86% were discovered by a third party (+25%)
  • 96% of breaches were avoidable through simple or intermediate controls (<>)
  • 89% of victims subject to PCI-DSS had not achieved compliance (+10%).

Crime fighters are quickly learning how to detect and chase criminals in cyberspace, but this is not an easy fight to win. The clear advantage goes to the criminals today. Hopefully, the advantage will shift to the good guys in a few years but for now the Internet is just like the Wild West of 150 years ago.

A more sinister criminal technique has come to light in the past few years—counterfeit computer and networking equipment manufactured in Southeast Asia that is bound for the American markets. Investigations by the FBI and other law enforcement agencies have found that an estimated 10% of all electronics coming into the United States is counterfeit, or contains a significant amount of counterfeit parts. Even worse, there is growing evidence supporting a theory that foreign governments are deliberately installing backdoors and other hidden access capabilities into products made in their country that are sold on the open world market. The Defense Department, Homeland Security, and others are gravely concerned about what this could mean for critical infrastructure systems and networks in the long term.

7.4 Espionage and Nation-State Actions

During the Cold War and in the centuries prior to it, nations took great risks to recruit and train spies to operate on foreign soil. Today, the Internet has made spying as easy as opening up a web browser then querying a search engine, and has reduced the risk of loss of human life to nearly zero. Of course, that theory is only good for spying on countries that are well connected.

Beyond governments, many companies engage in an activity known as “competitive intelligence,” a euphemism for corporate espionage. It has become so popular that there is even a well-recognized professional association for corporate spies to belong to—Strategic and Competitive Intelligence Professionals, or SCIP (formerly known as the Society of Competitive Intelligence Professionals; the name was changed in May 2010; http://www.scip.org).

In the late 1990s, several U.S. government systems were found to have hidden accounts and large amounts of unauthorized activity. As the investigation developed, more computers and systems outside of the federal government were found to have unauthorized accounts. “Data exfiltration” became the new buzzword, rather than “intrusion” or “unauthorized access.” The targets seemed to be large databases that contained atmospheric data, bathymetric data, and other information that took decades to accumulate. The source of the attacks was not clear—the intruders used complex methods to route attacks through multiple compromised computers and used “drop sites” as collection points for the data being stolen. In no cases were any signs of disruption present. It all appeared to be electronic espionage, a classic case of theft of intellectual property, only via the Internet rather than using microfilm and a spy camera as James Bond would have done.

During the Cold War, the spy community was clearly focused on the United States versus the USSR espionage. But in recent years, the focus has moved from former Soviet countries to China. The culture in China supports academic and scholarly achievement. Many students and professors treat the Internet as an experiment, and routinely gain access to remote systems or locate bugs in vulnerable software purely for academic purposes. Their findings are published in academic papers, and the researchers move along to the next project. Some, however, have found that there is incredible value in this research and have begun to make a business out of it, selling their findings to governments, criminal groups, and perhaps even terrorists.

In 2003, a series of cyber attacks that were believed to be of Chinese origin were found to be targeting American computer systems. Dubbed “Titan Rain” by the Defense Department, the investigation of the intrusion remained classified until the story was leaked to the press. Following the press leak, it was revealed that the attackers had gained access to many computer networks, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA. While the names of the investigations have changed over the years, the espionage continues to the present day.

Chinese cyber-spying came into the public realm in the spring of 2006 when a private sector system administrator noticed that many of his users were receiving emails with Microsoft Word attachments containing Chinese text. When opened, Word would crash and the dialog box asking the user whether to send the crash data to Microsoft appeared. The sysadmin contacted the SANS Internet Storm Center, which in turn published a diary entry about the problem. Within a few days, the issue was traced to a zero-day vulnerability in Word. The intruders had crafted malformed Word documents that exploited the vulnerability to write attacker-controlled data into a specific memory location via Object Linking and Embedding (OLE) structures in Microsoft’s Office products. This technique gave the intruders a path to install malicious code of their choosing, which could range from simple key-logging software to complete “rootkit” packages that give the intruder full control of the hijacked computer. The incident also showed why “the application crashed” is a report worth investigating rather than dismissing: a reproducible crash on a document received by email is a classic sign of an exploit attempt.

But China is not the only suspect when it comes to information technology products modified for espionage or cyber warfare purposes. Perhaps the best (and scariest) example of this trend was the discovery of the Stuxnet worm in the middle of 2010. Thought to be written by one or more Western nations, the software was designed to physically damage specific components of uranium enrichment equipment installed in Iran. Rather than relying on a network like the Internet to reach its target, Stuxnet was designed to jump across network “air gaps” by infecting common universal serial bus (USB) memory sticks, spreading further across the local network once inside. The origins of Stuxnet remain a mystery, but samples of the worm have been widely distributed and dissected, so its techniques are available for anybody to study and adapt against new targets.

7.5 Policy Response to Growing Espionage Threats: U.S. Cyber Command

Between 2009 and 2010, the Defense Department’s Cyber Command (USCYBERCOM) assumed the duties of the JTF-GNO, a “temporary” organization whose lineage dates to 1998, when it was launched to counter the growing threat of cyber intrusions coming from foreign countries. The highly complex attacks of the late 2000s led the White House to rethink how best to counter the growing threat and to permanently institutionalize cyber security into military plans and operations. Today, USCYBERCOM directs the operations and defense of most DoD networks, and when directed by the President can also conduct “full spectrum” military cyberspace operations. However, USCYBERCOM has no authority over the operation of private sector networks like the Internet or the public telephone system.

According to the Defense Department,

USCYBERCOM will fuse the Department’s full spectrum of cyberspace operations and will plan, coordinate, integrate, synchronize, and conduct activities to: lead day-to-day defense and protection of DoD information networks; coordinate DoD operations providing support to military missions; direct the operations and defense of specified DoD information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations. The command is charged with pulling together existing cyberspace resources, creating synergy that does not currently exist and synchronizing war-fighting effects to defend the information security environment.
USCYBERCOM will centralize command of cyberspace operations, strengthen DoD cyberspace capabilities, and integrate and bolster DoD’s cyber expertise. Consequently, USCYBERCOM will improve DoD’s capabilities to ensure resilient, reliable information and communication networks, counter cyberspace threats, and assure access to cyberspace. USCYBERCOM’s efforts will also support the Armed Services’ ability to confidently conduct high-tempo, effective operations as well as protect command and control systems and the cyberspace infrastructure supporting weapons system platforms from disruptions, intrusions and attacks.
USCYBERCOM is a sub-unified command subordinate to U.S. Strategic Command (USSTRATCOM). Service Elements include Army Forces Cyber Command (ARFORCYBER); 24th USAF; Fleet Cyber Command (FLTCYBERCOM); and Marine Forces Cyber Command (MARFORCYBER).

It remains to be seen how effective USCYBERCOM will be with respect to increasing the security of the nation’s most sensitive networks. One of the most significant challenges will be the long-standing “stove pipe” mentality of military organizations—that what is mine is mine and no other group or command should have any authority over what is on my plate. Because of the millisecond nature of cyberspace and the realization that risks created by one group can quickly affect other groups, this attitude will have to change in order for USCYBERCOM to be successful. Organizations that refuse to collaborate or interlock their defenses are, unfortunately, more exposed to adversarial groups that have learned to exploit weaknesses along these organizational boundaries.

7.6 Congressional Action

As this book is being written, several bills are in various states of construction in the U.S. Senate and the U.S. House of Representatives. Many of these bills are rewritten versions of efforts started by the previous Congress, and some of them are brand new efforts. None of the legislation being drafted will alone “fix” the cyber security problems faced by our nation. In fact, it is probably inappropriate for any cyber security policy professional to believe that an Act of Congress will make much difference in securing cyberspace.

The 111th Congress (2009–2010) produced over 50 separate “cyber bills” that attempted to fix cyber security problems with legislation. In the Senate, two bills dominated most of the discussion—the Lieberman/Snowe (Homeland Security Committee) bill and the Rockefeller/Collins (Commerce Committee) bill. The former bill introduced a “kill switch” concept that was widely ridiculed in the media and around Washington. It was ultimately removed from the bill’s language, but the concept has remained as a reminder of how far the Congress had planned to go with respect to their legislative agenda. There was a strong desire to pass comprehensive cyber security legislation before the 2010 mid-term elections in order to show bipartisan support for addressing a growing national threat, but neither the Senate nor the House was able to produce a bill that reached their respective floors for a vote.

The 112th Congress (2011–2012) at the time of this writing has at least a dozen cyber security bills introduced in both the Senate and the House. Most of these bills are rewrites of bills introduced in the 111th Congress, although some are a fresh start. However, as the focus of the Congress is on budgets and economic issues, it is unlikely that a comprehensive cyber security bill will get enacted into law very soon. More likely is the approach advocated by the House majority to draft and pass smaller pieces of legislation that address specific problems.

Some cyber security related bills have already been discarded. For example, the Stop Online Piracy Act (SOPA, H.R. 3261) and the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (PROTECT IP Act, or PIPA, S.968) were congressional bills intended to expand the ability of U.S. law enforcement to fight online trafficking in copyrighted intellectual property and counterfeit goods. Both of these bills were widely criticized in the technical community and were eventually rejected by Congress after influential Internet sites such as Wikipedia shut down for a day in protest.

Two House bills, H.R. 3523 (“Cyber Intelligence Sharing and Protection Act of 2011,” introduced by Congressman Mike Rogers and Congressman Dutch Ruppersberger) and H.R. 3647 (“Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011,” introduced by Congressman Daniel Lungren) appear to be less controversial. The former bill addresses specific legal restrictions that prevent the private sector and the government from sharing critical and time-sensitive cyber security data. The latter bill is much more comprehensive: it includes provisions for a new information sharing organization, designates a lead cyber security official at DHS, promotes research at DHS to find new solutions to technical cyber security issues, and directs DHS to develop a national cyber security incident response plan in conjunction with private sector critical infrastructure asset owners.

A major consideration in both the House and Senate cyber security legislation is the concept of “covered critical infrastructure”—or what parts of the private sector the legislation applies to. In one House bill, the definition includes those facilities or functions that, if disrupted or destroyed by way of cyber vulnerabilities, could result in significant loss of life, a major economic disruption, mass evacuations of major population centers, or severe degradation of national security capabilities. Several industry sectors are seeking specific “carve-outs,” or exceptions to this definition, so that they remain outside any new government oversight or regulation. Their argument is that their sectors are subject to external forces beyond their control and that any restrictive legislation would either hamper technical growth or limit asset owners from being able to profitably operate their infrastructure systems.

According to several Senators, the prime motivator for action is the fear that an attack on the United States’ critical infrastructure via the Internet is not only possible but highly likely in the near future. The Congress does not want to be left holding the bag; it would rather be in a position to show that it had taken action ahead of the crisis and could not be accused of inattention to the issue. The private sector, on the other hand, would rather that the government fix its own house first before imposing any regulatory or punitive framework onto businesses. Industry would rather that government provide incentives to be more secure, along the lines of reduced regulatory burden, lower business taxes, and perhaps credits or grants to offset costs. However, in the budget-conscious world of today, it is very unlikely that the Congress will enact any cyber security legislation that costs taxpayers money. Cost-neutral incentives are what industry needs to identify, and then perhaps a middle ground can be found.

7.7 Summary

The U.S. federal government’s policy attitude toward cyber security has ranged from enforcing strong standards developed by NIST and the NSA to complete ignorance of the severity of the situation. This chapter has attempted to show how federal government policy has changed over the past two decades in response to changing threats and growing dependence on cyberspace. As the Internet and cyberspace have evolved over the past 20 years, so have government’s cyber security policy efforts. Unfortunately, the threats and vulnerabilities of cyberspace are evolving faster than public policy can keep pace with (Brenner 2011). The best efforts may only have slowed attacks or restricted the amount of damage that can be done.

Cyber security policy is not static and must be just as flexible as the cyberspace it is designed to protect and manage. Often, governments cannot adapt to rapid change and quickly fall behind with respect to public policies while attack strategies, systems, and human education and awareness continue to evolve. It is possible that the federal government’s own organization, being very hierarchical and linear, is its own worst enemy when it comes to securing computers and computer networks. By contrast, adversary networks may be expected to be operated by very loosely linked administrative leadership and sparse operational structures that are nevertheless capable of strategic coordinated attacks (Robb 2007). Cyberspace is complex and interconnected, with no single point of authority or control. Defending networks may also require a decentralized and nonhierarchical approach to organizational management (Brafman and Beckstrom 2006). Some private sector companies have moved to a flat, decentralized organizational construct, and have thereby become more resilient to outside forces. It may also be time to rethink governmental organization models to make them look more like cyberspace.
