Computer-Related Infrastructure Risks for Federal Agencies

Peter G. Neumann
Principal Scientist, Computer Science Laboratory
SRI International, Menlo Park CA 94025-3493
Telephone: 1-650-859-2375
Internet: Neumann@CSL.SRI.com; Website: http://www.csl.sri.com/neumann.html

[Written testimony for the U.S. Permanent Subcommittee on Investigations of the Senate Committee on Governmental Affairs included in Weak Computer Security in Government: Is the Public at Risk?, Hearing, S. Hrg. 105-609, 1998, pp. 52--70. ISBN 0-16-057456-0, 1998. Oral testimony is on pages 5-22. Testimony from seven members of the L0pht group is also included in that volume.]

I greatly appreciate being invited to appear before you. Some of you recall my June 1996 testimony for your Permanent Subcommittee on Investigations (Reference 4). I have tried not to simply duplicate that testimony (which is still surprisingly relevant). I begin by summarizing my main points and then examine what has changed in the past two years.

This written statement surveys the primary risks related to computer-communication technology, and what we might do to reduce them. The scope of my remarks broadly includes Federal Government systems, but is also applicable to State, local, and private sector systems as well. (The problems are essentially the same, although the perspectives are quite different.) I address security, reliability, availability, and overall survivability of those systems.

I appear here as a private citizen, although I have several affiliations that are worth noting. I am employed by a not-for-profit R&D institute (SRI International), where I am involved in several particularly relevant projects -- including an advanced system for detecting network misuse and related threats (for DARPA), and a study of the requirements and suitable system architectures for highly survivable systems and networks (for the Army Research Lab). I am a member of the General Accounting Office Executive Council on Information Management and Technology. I am the author of a book (Computer-Related Risks) on what has gone wrong and what we should expect to go wrong, and what we can do to reduce the risks involved in the use of computers. (For the record, I include at the end of this testimony some relevant further background.)

The Past and the Present

The final report of the President's Commission on Critical Infrastructure Protection (PCCIP) (Reference 1) addressed eight major critical national infrastructures: telecommunications; generation, transmission and distribution of electric power; storage and distribution of gas and oil; water supplies; transportation; banking and finance; emergency services; and continuity of government services. Perhaps most important is the Commission's recognition that very serious vulnerabilities and threats exist in all of these critical infrastructures. Perhaps equally important if not more so is that all of these critical infrastructures are closely interdependent; a failure on one sector can easily affect other sectors. Furthermore, all of the national infrastructures depend critically on the underlying computer-communication information infrastructures, such as computing resources, databases, private networks, and the Internet. The extent to which this is the case is not generally appreciated, and seems sublimated in the PCCIP report. (See Reference 7.)

The existing national infrastructures and the underlying information infrastructures are riddled with vulnerabilities, representing security, reliability and system survivability flaws as well as potential attacks that can affect hardware, software, communications media, and people's lives. Security concerns are important, but it must also be remembered that systems and networks tend to fall apart on their own, without requiring malicious attacks. (The impending Year 2000 certainly gives us such an opportunity on an unprecedented scale.) Because the Government has become totally dependent on commercial system offerings that are typically not capable of satisfying critical requirements, the situation is becoming unstable.

Many of the cases noted above are documented in Reference 3 and in the on-line Risks Forum.

With respect to the national infrastructures and the computer-communication infrastructures, it is clear that the threats are pervasive, encompassing intentional as well as accidental causes. Aviation is a serious concern. Power generation, transmission, and distribution are particularly vulnerable, as is the entire telecommunication infrastructure. However, it is certainly unpopular to discuss specific threats openly, and thus the risks tend to be largely downplayed -- if not almost completely ignored.

To give a more detailed example of the breadth of threats in just one critical-infrastructure sector not examined in much detail by the PCCIP, consider the safety-related issues in the national airspace, and the subtended issues of security and reliability. (See for example, my article for the International Conference on Aviation Safety and Security in the 21st Century, Reference 5.) Alexander D. Blumenstiel at the Department of Transportation in Cambridge, Massachusetts, has conducted a remarkable set of studies over the past 14 years. In his series of reports, Blumenstiel has analyzed many issues related to system survivability in the national airspace, with special emphasis on computer-communication security and reliability. His early reports (1985-86) considered the susceptibility of the Advanced Automation System to electronic attack and the electronic security of NAS Plan and other FAA ADP systems. Subsequent reports have continued this study, addressing accreditation (1990, 1991, 1992), certification (1992), air-to-ground communications (1993), air-traffic-control security (1993), and communications, navigation, and surveillance (1994), for example. To my knowledge, this is the most comprehensive set of threat analyses ever done outside of the military establishment. The breadth and depth of the work deserves careful emulation in other sectors. (See Reference 16.) Further problems relating to the FAA procurement practice and safety considerations have been subjects of various GAO reports.

In general, it may seem very unpopular to expend resources on events that have not happened or that are perceived to be very unlikely to occur. The importance of realistic threat and risk analyses is that it becomes much easier to justify the effort and expenditures if a clear demonstration of the risks can be made. Therefore, it is absolutely vital that you openly understand and acknowledge the pervasiveness of the existing vulnerabilities, threats, and risks, and the likelihood that they are getting worse rather than better. The General Accounting Office (e.g., Reference 12) and the National Research Council (e.g., References 2, 9, and 17) are two major sources of objective analysis.

The risks noted above are critical to U.S. Government departments and agencies, particularly those that are concerned with the critical national infrastructures -- such as the Departments of Defense; Energy; Health and Human Services; Commerce; Transportation; as well as the FAA and the Social Security Administration. (Ironically, almost all of those organizations are already seriously threatened by the Y2K problem.)

Conclusions

Recommendations