NOVEMBER 11, 1996 INFORMATION WARFARE U.S. sitting duck, DOD panel predicts BY BOB BREWIN AND HEATHER HARRELD (antenna@fcw.com and heather_harreld@fcw.com) The dependence of the United States on computers and communications systems to run its critical power, finance and transportation systems places the country at risk in the event of an information warfare (IW) attack, according to a report prepared by a top-level Defense Department advisory panel. This reliance, it said, has "created a tunnel of vulnerability previously unrealized in the history of conflict" and could have a "catastrophic effect on the ability of [DOD] to fulfill its mission." The report of the Defense Science Board Task Force on Information Warfare-Defense (IW-D), obtained by Federal Computer Week, called the threat of an IW attack "significant," adding that the nation's "vulnerabilities are numerous, [and] the countermeasures are extremely limited...." Citing a specific example, the DSB report said one building in Savannah, Ga., (a Bell South switching facility, FCW learned) houses not only a vital communications hub but information technology systems supporting key electric power and transportation companies. Because Savannah serves as a vital port of embarkation for Army troops based in that area, an IW attack against that one building would "make it impossible to deploy military forces at the pace specified in operations plans." The DSB task force, chaired by two former assistant secretaries of Defense for command, control, communications and intelligence (ASD/C3I), Duane Andrews and Donald Latham, viewed the IW problem as so severe that it urged the Pentagon to embark immediately on a crash course to protect against this new form of warfare, providing detailed policy, funding and legal recommendations. These recommendations included a controversial call for the Pentagon to have the legal power to protect nongovernmental portions of the infrastructure in the name of "the common defense." To defend DOD and critical nongovernmental systems against IW, the report recommends new legal authority that will allow "DOD, law enforcement and intelligence agencies to conduct efficient, coordinated monitoring of attacks on the critical civilian information infrastructure...." In carving out a position for DOD to take on this role in the civil sector, the report bluntly summed up the problem: "We should not forget information warfare is a form of warfare, not a crime or an act of terror." It took an equally blunt approach on how the Pentagon should respond to such an attack or intrusion. "The response could entail civil or criminal prosecution, use of military force...diplomatic initiatives or economic mandates." DSB, which said it has urged immediate and concerted action on the IW-D front for the past three years, had a number of recommendations on how DOD should get its own information warfare act together. The report said it would take $3 billion over the next five years to translate these recommendations into reality. This includes establishing the ASD/C3I as the single focal point for IW-D within the department - a necessary step to spread the diffusion of IW responsibilities among the services and Defense agencies, according to a source familiar with the thinking of the task force. Emmett Paige Jr., ASD/C3I, said he had read a copy of the DSB briefing to deputy secretary of Defense John White. Paige said, "I saw nothing in that briefing I do not agree with. I strongly support everything in their briefing." DISA's Role The Defense Information Systems Agency would take on a pivotal IW-D role, based on the recommendations in the report. It called for DISA to set up an IW operations center to provide tactical warning, attack, assessment and emergency response with infrastructure restoration capabilities, and it pegged funding for this center at $275 million over five years. DISA also should establish a joint office for system, network and infrastructure design, the report said, with funding estimated at $225 million over five years. DISA director Lt. Gen. Al Edmonds has already acted on these recommendations, setting up last week a Global Operations and Security Center and a Programs office (see Intercepts). Edmonds said DISA decided not to wait to have these recommendations approved. "We're doing this on our own. We want a new focus here...and we're funding it out of our own budget [by] prioritizing on Information Warfare-Defense. The DSB is right on target, and they got us rolling." The Pentagon also needs to refocus its IW research and development, the report said, recommending $580 million over five years. This poses a tough challenge, DSB said, because "prior R&D efforts have been in areas such as computer and network security.... Little attention has been paid to surviving willful malicious attack, or detecting and eliminating corrupt software." The DSB task force also took some potshots at some well-established and well-entrenched DOD IW policies and programs. Looking at the national debate over the key escrow encryption systems backed by the Clinton administration, the DSB report dismissed encryption as a "distraction.... Encryption simply does not solve all of the information security problems some are led to believe." The National Security Agency's long-running Multilevel-Secure Information Systems Security Initiative also received short shrift from the task force, which suggested commercial products such as security "tokens" rather than passwords could go a long way in the near term toward resolving DOD's security problems. The task force also brought sober realism to the theme of "information superiority" promulgated by all the services during the past several years to such an extent that it has become almost a mantra. "The doctrine of information superiority assumes the availability of information and information technology - a dangerous assumption.... Published service and joint doctrine does not address the operational implications of a failure of information and technology," the report said. The intelligence community's ability to handle IW also came in for a similar assessment by the task force, which called IW "a nontraditional intelligence problem [that is]...not easily discernible by traditional intelligence." Traditional intelligence skills "are largely irrelevant in the information warfare environment." Percy Pierre, an electrical engineering professor at Michigan State University and a member of the DSB task force, said DOD's interest in protecting critical infrastructure is a result of "the recognition that the Defense Department is dependent on private-sector assets for logistical support and other types of support." Any move by government toward civil electronic defense must be delicately balanced to avoid antagonizing the private sector, said Winn Schwartau, a security consultant and author of several information warfare books. "For them to blatantly say, `We want to monitor,' that creates a huge problem," he said. "If the government says, `You don't worry, private sector, we're going to take care of you,' they're going to have a problem." You must register to read this week's news or to use the search or forums. If you haven't signed up yet, fill out the registration form. Mail questions about this Web page to webmaster@fcw.com. URL: http://www.fcw.com