Railroads, bridges, highways: infrastructure used to be such a clean concept. But the Information Age changed the rules of the game, and the United States is still playing catch-up.
By Winn Schwartau
I'm old enough to remember when CBS kicked its top-rated Smothers Brothers show off the air because, get this, Tom and Dick were too radical. I also remember from that show the first poem about infrastructure I ever heard, recited with Pentagon Papers sincerity by Tommy himself:
I love you for loving me,
You love me for loving you.
I kiss you for kissing me,
You kiss me for kissing you.
So much in love with us are we,
You kiss you and I kiss me.
Isn't that sweet? Two people, deeply in love, inextricably intertwined in union, as one, for the rest of their lives. Human infrastructure. So what is so different today, eh? We merrily anthropomorphize our networks and cyberconnections (I've heard techies refer to servers as "her," RAM and joysticks as "him" and mice and pixels as "she"). Kissing cousins and kissing networks: the result in both cases is the same: infrastructural inbreeding. This is exactly what has happened to our archaic, Pleasantville views of national infrastructure.
Infrastructure used to be so clean a term. The bridge. The road. The railroad tracks. The annals of 19th century American history are filled with tales of man-powered infrastructure, owned and operated by Capital Men of industrial wealth and influence. In the dry Utah summer of 1869, 74 politicians simultaneously slammed a 40-pound sledgehammer into the Golden Spike, launching the first coast-to-coast American infrastructure: railroads. A mere seven years later, a growing company called Western Union established the first coast-to-coast communications infrastructure: the telegraph. A few years after that, in the mid-1880s, a fledgling startup known as American Telephone & Telegraph wanted their infrastructure to go coast-to-coast, too.
Through the first three-quarters of the 20th century, the concept of national infrastructure remained rooted in the physical. Perhaps the most notable endeavor was the creation of the national interstate highway system in the 1950s, promoted by the Eisenhower administration as a means for urban populations to escape imminent death and destruction, courtesy of incoming Soviet thermonuclear warheads.
Though this "survivalist instinct" sounds far-fetched today, the same motivation lies beneath the modern infrastructure as well. Back in the late 1960s, the Defense Advanced Research Projects Agency (DARPA, now ARPA) basically said, "We want to connect a couple of computers together." UCLA graduate student Vint Cerf and a team of researchers set to work on it, and a couple of months later the ARPAnet was born. But DARPA knew that connectivity was only part of the equation. "Now that you have a couple of computers talking to each other," they said, "can you make them still talk to each other after a nuclear attack on the United States?" As with the interstate highway system, the key motivator here was survivability. The result, of course, is the Internet and TCP/IP, router-independent protocols that break up electronic data into series of packets that take different paths to their destination, where they are reassembled.
It Ain't Just Cyber
Even though it has been a part of our physical lives for hundreds of years, many people are surprised to see the word "infrastructure" appearing in their daily newspapers. Of course, when we talk of infrastructure today, we generally mean virtual or electronic infrastructure: cyberinfrastructure, which lies at the foundation of our modern global information society.
This cyberinfrastructure has a concrete basis in the physical. Cyberspace is not an ethereal mystery veiled in intangibility. It's humankind's massive agglomeration of switches and routers, silicon and copper shrouded in PVC insulation, physically connected to an impossibly complex mesh of computers and servers strewn around the globe. Even RF communications networks, cellular phones and other "transparent" systems are bounded by hardware at the transmitting and receiving ends.
But while the underpinnings of the cyberinfrastructure resemble those of its physical ancestors, its reach into our daily lives is deeper and more pervasive. As FCC chairman William Kennard said in a recent speech in Nashville, "The Internet, unlike the railroad, can come into every office, every home in America, even into our briefcases and pockets. We have the capability to bring broadband technologies to all Americans wherever they live and wherever they may go. With cable, copper, wireless and satellite, we can build on-ramps to the Information Superhighway for anyone anywhere. No town, no community has to be condemned to becoming a ghost town in the New Economy. Part of the reason for this flexibility is that technological bits of data are a lot easier to maneuver than iron and steel."
The downside is that the vulnerabilities have also multiplied exponentially, since attacks can now be perpetrated through virtual appendages as well as physical ones. The long-distance connectivity that infrastructure provides also logarithmically increases the number of people who can (negatively) influence its proper operations. Until very recently, the maintenance ports for telephone switches were protected by four-digit passcodes. Indeed, the Internet itself was built without any regard to security, part of the reason Net security is such a booming industry today.
Here's the problem: We have forged ahead with our electronic highways without a means to protect them. And as everyone now realizes, adding security to infrastructure after the fact is a slow, tedious, expensive process, and the end result is never as robust as that in which security is engineered from the get-go.
Okay, so we built this incredibly intertwined set of infrastructures with little regard for cybersecurity. Even into the late 1980s and early 1990s, we still took a landlocked, myopic, physical view of infrastructure. But then, finally, things began to change.
In the early 1990s, there was only a handful of voices warning the government and private sector of the potential consequences of continuing to ignore national cybersecurity and infrastructure protection. In 1991, in testimony before the House Committee on Science, Space and Technology, I introduced the concept of "Electronic Pearl Harbor," a term that distilled the risk into a digestible sound bite that both Congress and the press could latch onto. America needed, I maintained, to enhance the definition of national security to include economic national security as a new post-Cold War priority. Yet, the issue continued to be largely ignored, and for years I took a ribbing for my "Chicken Little-ish" and "scaremongering" views.
Reluctance to adapt to a new paradigm, one that acknowledges the new dangers and vulnerabilities facing a virtual infrastructure, continued until the mid-1990s. It wasn't until 1996 that the issue bubbled up through the political machinery in Washington, when then-CIA Director John Deutch reiterated before Congress my concerns about an impending Electronic Pearl Harbor. Thereafter, a number of efforts rapidly materialized, including a widespread study by the National Research Council, the Defense Science Board and the Manhattan Cyber-Project.
In early 1995, President Clinton signed Executive Order 12864, establishing an advisory council called the Information Infrastructure Task Force, which was tasked with creating the building blocks for a National Information Infrastructure. The work of the Task Force was completed in February 1996, and four months later, on July 15, President Clinton signed Executive Order 13010 to create the President's Commission on Critical Infrastructure Protection (PCCIP), initially chaired by U.S. Army Gen. Robert M. Marsh (ret).
EO 13010 formally recognized that "certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense of economic security in the United States." In light of this critical infrastructure taxonomy, the PCCIP was mandated to: (1) Assess vulnerabilities and threats to the critical infrastructures; (2) Identify relevant legal and policy issues, and assess how they should be addressed; (3) Recommend to the president a national policy and implementation strategy for protecting critical infrastructures; and (4) Propose any necessary statutory or regulatory changes.
The PCCIP categorized the nation's critical infrastructures as follows:
Telecommunications. Includes all forms from the Internet, cable, cellular, telephone, satellite and any other medium that connects systems together. This sector alone represents about 16 percent of the domestic gross national product (GNP) of the United States.
Energy. Includes electric power, oil and gas. Covers transportation issues: everything from the Alaska pipeline to oil refineries to natural gas distribution. Systems are co-located with communications wiring and power, thus creating confocal vulnerabilities.
Transportation. Mostly physical: trucks delivering food, trains moving manufactured goods and airlines driving business and tourism.
Banking and finance. The U.S. goods and services GNP is about $8 trillion, and globally about $30 trillion. But the virtual economy, where the stock markets, bonds and electronic monies are moved, is between $25 and $50 quadrillion, larger by a factor of 1,000. Some brokerage houses move trillions of dollars per year over their networks.
Water supply. The water is physical, but the controls for moving fresh water to populations and maintaining sewers and waste treatment plants are electronic.
Emergency services. 911, police, fire departments and medical response and rescue units are tightly knitted together with complex networks to provide high levels of efficiency and public trust.
In October 1997, the PCCIP delivered its findings via a classified report to President Clinton. The Commission's findings, however, were less than illuminating, merely reiterating and reinforcing the same warnings and cautions that had been spelled out years before. Nevertheless, the PCCIP's recommendations have been carried forward to the present in the U.S.'s implementation of infrastructure protection:
Broad program of awareness and education. The government wants to educate mainstream America about the problem, and is trying to enlist their support. Funding for public relations and awareness initiatives continues to be a priority today.
Industry cooperation. Industry and the government must develop a process and method to trust each other and jointly share information. This will take a while, though, since much of industry distrusts the government's ability to keep secrets.
Enhanced law. What new laws will help deter the nature of today's (cyber)crimes? How can existing laws be re-tailored to meet cyberthreats and mitigate their damage? Keep in mind that the United States is but a local ordinance internationally. International laws and cooperation are critical. Russia, in fact, has proposed an international cyberdisarmament treaty.
More research and development. The technology we have today is insufficient to effectively defend against attacks. Efforts continue to merge the study of technology with such things as psychological profiling, advanced low-level detection schemes and intelligent monitoring and filtering.
A national organization. Such an organization is intended to incorporate national monitoring facilities and industry liaison groups as well as coordinate leadership policy across the public and private sectors.
The NSA Angle
At the same time the PCCIP was formulating its report, the National Security Agency embarked on its own analysis of the problem, with a focus on the potential effects of infrastructure disturbance on military preparedness. In the summer of 1997, NSA ran an exercise code-named "Eligible Receiver." One team simulated a North Korean cyberattack against a second team, representing the U.S. defense infrastructure. To make the exercise as close to reality as possible, the rules for the "bad guys" were simple: (1) They could only use the same level of connectivity that North Korea had at the time (namely, ISDN-level speeds); and (2) They could only employ attack tools slightly enhanced and modified from those widely available on the Internet.
The results of the Eligible Receiver simulation left the senior military brass bug-eyed in astonishment. It took the bad guys only one week to successfully throw the United States into economic chaos by attacking major financial institutions, shutting down large pieces of the U.S. power grid, crippling communications and short-circuiting the airline industry. Industry participants in the project also acknowledged how utterly surprised they were by the speed and efficiency with which critical U.S. infrastructures collapsed, one by one.