1992 Protection and Security on the Information Superhighway by Dr. Frederick B. Cohen c , Fred Cohen, 1992 Contents 1 Introduction and Overview 3 1.1 Preview . 6 1.2 The National Information Infrastructure . 10 2 A Growing Dependency 15 2.1 Technology Marches On . 16 2.2 Survival Dependencies . 19 2.3 Personal and Business Dependency . 21 2.4 National Survival Dependencies . 24 2.5 Indirect Dependency . 27 2.6 The Information Superhighway . 28 3 The Disrupters Are Among Us 33 3.1 Computer Accidents . 33 3.2 Intentional Events . 39 3.3 A Classification of Disruptions . 51 3.4 The Disrupters . 53 3.5 Motivation . 66 3.6 The Magnitude and Scope of the Problem . 69 3.7 Adding It All Up . 72 4 Asleep At The Switch 73 i 4.1 A History of Secrecy . 74 4.2 Ignorance Is Not Bliss . 76 4.3 The Birth of the Personal Computer . 77 4.4 A Suppressed Technology . 80 4.5 The Universities Fail Us . 83 4.6 An Industry of Charlatans . 84 4.7 Information Assurance Ignored . 85 4.8 Current Disruption Defenses Depend on People . 92 4.9 The Rest of the World Responds . 95 5 Protecting Your Information Assets 97 5.1 Information Protection . 98 5.2 Infrastructures Are Different Than Other Systems . 100 5.3 A Piecemeal Approach . 102 5.4 An Organizational Perspective . 119 5.5 Some Sample Scenarios . 131 5.6 Strategy and Tactics . 133 5.7 The Cost of Protection . 135 5.8 An Incremental Protection Process . 143 6 Protection Posture Case Studies 147 6.1 How To Do A Protection Posture Assessment . 147 6.2 Case Study 1:A Ma and Pa Business . 154 6.3 Case Study 2: A (Not-so) Small Business . 159 6.4 Case Study 3: A Big Business . 164 6.5 Case Study 4: A Military System . 167 6.6 Case Study 5: The DoD and the Nation as a Whole . 172 7 Summary and Conclusions 177 ii A Details of the NII 179 A.1 Information Channels . 179 A.2 The Evolution of the Information Infrastructure . 179 A.3 The NII Today . 182 A.4 Information Service Providers . 183 A.5 Possible Futures . 184 B Case Studies 187 B.1 Case Study 3: XYZ Corporation . 187 B.2 Case Study 4: The Alma System . 215 B.3 Case Study 5: The DoD and the Nation as a Whole . 237 C Glossary 247 iii Acknowledgements I want to give my deepest and most sincere thanks to two people without whose efforts, I would not have been able to write this book. They are exceptional people who I have found to be members of the rare breed who place personal integrity and honesty above money, fame, and other worldly things. Not only have they spent many hours debating minute details that most of my readers will probably never appreciate, they have also kept me well grounded in reality, prevented me from making statements that stretch the truth, and pressed me to convince them in writing that my views are well supported. In alphabetical order by last name, they are Ron Knecht and Charles Preston. Ron is one of those people who can listen to me communicate technical details of information protection at or around full bandwidth. I would place him in the top ten or twenty people in the world in his field. His demand for precision in some of the work that supported this book, his understanding and guidance in considering many of the national and international issues, and his comprehension of technical matters has been an invaluable aid in this work and in this book. He has also taken time on weekends, evenings, and early mornings to read and review some of my analysis, which is certainly going above and beyond the call of duty. Charles is just plain helpful. Charles doesn't believe anything I tell him without checking it out for himself. The availability of a fact checker who sincerely wants to know the truth about a field is one of the best things an author of a technical book can have. For example, if I used the number $100 million somewhere and didn't cite the correct page number, Charles would not only find that the dollar value was incorrect and should be $300 million, but he would (he did) also find the correct page number and send me a copy of the source material on Sunday night of a holiday weekend via facsimile. Without Charles, this book would probably have only half of the hard facts and citations it now has, and for my money, that's worth more than I can express. I should also take the time to thank Diane Cerra, who is the person I deal with at John Wiley and Sons. Diane says that I am very easy to work with, which probably means that other authors are really hard to work with. She is of course very easy for me to work with because she eliminates every obstacle before I even know it was there. I send her a partially completed book, and she tells me that we should change the title to this or that, or that I could use a chapter on some other topic. I either say OK or tell her why it's a bad idea, and after a few minutes, we are back to talking about how many sales we will need for me to buy a condominium in New York. So far, we have sold enough to almost make one monthly payment. There are so many other people who have provided information and assisted in the development of this book in various ways that I cannot possibly remember them all or list them here. Also, many of them would probably rather I didn't mention them. To all of you, a collective thank you will have to do. 1 2 Chapter 1 Introduction and Overview Have you been to the bank lately? If the computers weren't working, could you get any money from them? How about the supermarket? Would they be able to check you out without their checkout computers? Does your car have computers to control the fuel mixture? How about at the office? Does your company use computers to get you your paycheck? Does the gas station where you get gas use computers in their gas pumps? The United States as a nation and its citizens as a people depend on information and informa- tion systems as a key part of their competitive advantage. This is common knowledge. But the dependency doesn't stop there. Without properly operating information systems, the national bank- ing system, electric power grid, transportation systems, food and water supplies, communications systems, medical systems, emergency services, and most businesses cannot survive. Operation Desert Storm was an object lesson in the critical importance of information in warfare, in that it demonstrated the ability of the United States to obtain and use information effectively while preventing Iraq from obtaining and using comparable information. But it was also a lesson in what happens to a country that only moderately depends on information when that information is taken away. The vast majority of the destruction in Iraq was to systems that provided the communications required for command and control of forces. The effect was the utter destruction of the Iraqi economy, and as a nation, Iraq is now at or below par with most third-world nations. These object lessons were observed and understood by other nations and organizations. The world has seen the effect of removing the information infrastructure from a country that was only marginally dependent on it, and the effect was devastating. But what about the effect on a nation that is highly dependent on its information infrastructure? The United States is rushing headlong into the information age. But the world is a dangerous place. People are regularly attacking the information highways already in place. Here's a good statistic to show you what I mean. Something like 900 million attacks take place on the Internet each year. 3 Financial loss is often cited as the rationale behind enhanced information protection, and a lot of figures fly around. As an example, AT&T claims that its toll fraud losses added up to $2 billion in 1992. Meanwhile, FBI figures claim that computer crime losses range from $164 million to $5 billion annually. [21] That's quite a range! It also seems to indicate that the FBI figures don't include the AT&T figures. And financial loss is not the only form of loss encountered in our society. Businesses have confidential information stolen and patented by competitors, individuals end up in jail and inmates are released because of disruptions in law enforcement computers, IRS computer failures have caused thousands of small companies to be put out of business, corporate telephone switches have regularly had hundreds of thousands of dollars worth of telephone calls stolen through them over a weekend, and the list goes on almost without end. The more information that flows through the information highways, the harder it is to protect people from accidents and abuse. The more places the information highways go, the more people are susceptible to harm. A good example is the Internet, one of the largest information networks in the world. The Internet connects more than 2 million computers together today. Compare this to the fall of 1988, when there were only about 60,000 computers on the Internet. The reason to choose the fall of 1988 for comparison is because that is when the Internet Virus was launched.