Computing Reviews
The national strategy to secure cyberspace
Morgan James Publishing, Newport News, VA, 2003. Type: Book (9780976090144)
Date Reviewed: Jun 28 2005

The White House released a draft of a document titled “The national strategy to secure cyberspace” in September 2002, with an invitation to security and Internet experts to email comments. Some town hall style meetings were also held in select cities, to obtain feedback regarding the draft. The final document (henceforth to be called “the strategy document”) was released in February 2003, and is available on the White House’s Web site at http://www.whitehouse.gov/pcipb/.

Security alone is not a sufficient goal. It is important to keep in mind that terrorists and other willful miscreants are not the only threats to our well-being. It is not difficult to foresee that accidental events and chains of events could also cause serious damage to critical infrastructures. The strategic objectives (page viii) need to be revisited to account for this. It is not sufficient to assume that existing tools and procedures will suffice to guard against damage due to accidents, because this may not be so, and, furthermore, because a terrorist may well disguise hostile actions to look like accidents (at least, until it is too late to avert the damage). It is also not reasonable to assume that protocols that guard against hostile actions will also prevent accidents. That is simply not true, based on a wealth of studies, and also based on basic reasoning; it is hardly sensible to assume, for example, that strict security procedures that prevent unauthorized access to a computer system will also prevent it from crashing on its own (ask any system administrator).

Therefore, it is essential to plan for the twin goals of safety and liveness. Safety may be loosely stated as the property where “nothing bad happens,” while liveness is the property where “something good happens” [1]. These are related but distinct and important properties that are essential in any plan that seeks to safeguard cyberspace against catastrophic events, whether caused by accidents, hostile actions, or some combination of both.

With regard to the US federal government’s computers, it has often been remarked in the media, especially recently, that the different arms of government do not seem to be able to share information very well, even when such sharing is critical and mandated by policy or law. What is well known to one department or agency is completely unknown to another, and vice versa. This is, of course, an unwelcome circumstance in dealing with terrorists, which is why it has been targeted for correction with the creation of the Department of Homeland Security (DHS).

It is certainly likely that the causes of the lack of effective communication are many, including certain cultural or human factors, and that the creation of the new DHS may address some of them (though the jury is still out on whether this new entity will serve its intended purpose). However, it is equally likely that some of the same organic causes of the intra-governmental issues that previously afflicted the various agencies will carry through, even when they are grouped together under the new DHS.

Among such causes inherent to the system, and unlikely to be affected by the new agency, is the nature of the computer systems in use in various agencies of the federal government, and the processes used for acquiring them. Computer systems (hardware as well as software) used by federal agencies are almost always acquired through a process of competitive bidding for contracts. This process is required by law, and is subject to oversight by Congress and the General Accounting Office (GAO). However, though such a process is fair on an individual level (as every contract is given to a putative best bidder), it is far from satisfactory in the final analysis, and is a root cause of the communication problems within the government.

The problem is that, with every contract being awarded individually, no care is taken to ensure that new systems will work with existing ones (especially those in other departments or agencies). The result is a complex network of incompatible hardware, software, protocols, and standards. This is a ubiquitous concern, yet is surprisingly not noted under “Priority IV, securing governments’ cyberspace” (pages xii, 43-48). It is anyone’s guess how secure a “government’s cyberspace” can be if all of its components are not properly interconnected with one another.

The situation can only be remedied over time, and certain steps are essential to address it. Standards must be set and maintained for computer systems in use by government, and these must specifically address safety and compatibility concerns. In addition, all hardware and software must be scrutinized at a very basic level, to make certain that no trapdoors or other such problems exist. Considering that incompatible hardware and software is the bane of effective governance, and of security at every level, steps must be taken to ensure that procurements among different agencies and departments (at least those that do or may need to communicate, especially in a crisis) are coordinated.

With regard to detection and an asynchronous global snapshot, the strategy document correctly observes, “There is no synoptic or holistic view of cyberspace. Therefore, there is no panoramic vantage point from which we can see attacks coming or spreading. Information that indicates an attack has occurred (worms, viruses, denial-of-service attacks) accumulates through many different organizations. However, there is no organized mechanism for reviewing these indicators and determining their implications” (page 19). It further notes that the DHS is responsible for the National Cyberspace Security Response System, a “public-private architecture ... for analyzing and warning.” However, the document is vague about the precise means of achieving this, saying things like, “The synergy that results from integrating the resources of the National Communications System, the National Infrastructure Protection Center’s analysis and warning functions, the Federal Computer Incident Response Center, the Office of Energy Assurance, and the Critical Infrastructure Assurance Office under the purview of the Under Secretary for Information Analysis and Infrastructure Protection will help build the necessary foundation for the National Cyberspace Security Response System.”

In fact, what is needed is a model of cyberspace (or significant assets therein, such as those identified on page 16) as an asynchronous system (which is exactly what it is), and a trusted method of obtaining a global snapshot of that system at regular intervals of time. The snapshot is, as the name suggests, a measure of important parameters in the system, and would indicate if the system is in a normal state. The problem of obtaining such information is, not surprisingly, referred to in the literature as the asynchronous global snapshot problem [2]; it can be solved given certain constraints to be observed. Careful design of the National Cyberspace Security Response System will have to include consideration of the means to obtain an asynchronous global snapshot of the system state. Merely collecting a set of disparate bureaucratic entities (the National Communications System, and so on) under one roof, and gathering up their data, will not provide the snapshot needed.

Reviewer: Shrisha Rao
Review #: CR131432 (0605-0476)
1) Lamport, L. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering 3, 2(1977), 125–143.
2) Mani Chandy, K.; Lamport, L. Distributed snapshots: determining global states of distributed systems. ACM Transactions on Computer Systems (TOCS) 3, 1(1985), 63–75.
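
The difference between polling components at different times and taking a consistent global snapshot, as the review argues, can be seen in a small simulation. This is an added example, not part of the review or the strategy document: it is a simplified form of the marker algorithm from reference 2, and it assumes reliable FIFO channels, three nodes, and a conserved quantity of 300 units as the "important parameter". The names `Net` and `demo` are hypothetical.

```python
from collections import deque
from itertools import permutations

class Net:  # nodes hold balances; every ordered pair is a reliable FIFO channel
    def __init__(self, balances):
        self.bal = list(balances)
        self.chan = {p: deque() for p in permutations(range(len(self.bal)), 2)}
        self.rec = {}     # node -> recorded local state
        self.open = {}    # channel -> messages seen while still recording
        self.closed = {}  # channel -> final recorded in-flight messages

    def send(self, s, d, amt):
        self.bal[s] -= amt
        self.chan[(s, d)].append(amt)

    def record(self, p):  # record p, send markers out, start recording inbound
        self.rec[p] = self.bal[p]
        for (s, d), q in self.chan.items():
            if s == p:
                q.append("MARKER")
            elif d == p:
                self.open[(s, d)] = []

    def deliver(self, s, d):
        msg = self.chan[(s, d)].popleft()
        if msg == "MARKER":
            if d not in self.rec:      # first marker seen: record now
                self.record(d)
            self.closed[(s, d)] = self.open.pop((s, d))
        else:
            self.bal[d] += msg
            if (s, d) in self.open:    # arrived after d recorded, before marker
                self.open[(s, d)].append(msg)

    def drain(self):  # deliver everything still queued, one message per pass
        while any(self.chan.values()):
            for (s, d), q in self.chan.items():
                if q:
                    self.deliver(s, d)

def demo():
    net = Net([100, 100, 100])         # constructed sample system
    net.send(0, 1, 30)                 # 30 units are now in flight
    naive = net.bal[0] + net.bal[1]    # uncoordinated poll of nodes 0 and 1
    net.record(1)                      # node 1 initiates the snapshot
    net.deliver(0, 1)
    net.send(1, 2, 50)
    net.drain()
    naive += net.bal[2]                # node 2 is polled later
    snap = sum(net.rec.values()) + sum(map(sum, net.closed.values()))
    return sum(net.bal), naive, snap   # true total, naive total, snapshot total
```

The uncoordinated poll misses the 30 units in flight and double-counts the later transfer of 50, while the marker-based snapshot records the in-flight message as channel state and preserves the invariant.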
Governmental Issues (K.5.2)
Public Policy Issues (K.4.1)
Security and Protection (K.6.5)
Miscellaneous (A.m)