9 December 1998
Source: http://www.usia.gov/current/news/latest/98120901.plt.html?/products/washfile/newsitem.shtml


USIS Washington File
_________________________________

09 December 1998

EXCERPTS: RICHARD CLARKE ON INFORMATION WARFARE THREAT

(Potential damage would be "much worse" than Pearl Harbor) (2710)

Washington -- "If an attack comes today with information warfare," it
would be "much, much worse than Pearl Harbor," warns Richard Clarke,
national coordinator for security, infrastructure protection, and
counter-terrorism.

In remarks to the "Defense Week" conference on "Defending National
Critical Infrastructure," Clarke outlined key differences between the
surprise Japanese attack in 1941 on Pearl Harbor in Hawaii and the
threat of "an electronic Pearl Harbor."

Addressing the participants on December 7 -- the 57th anniversary of
Pearl Harbor -- Clarke explained that an information warfare attack
would be nationwide and target the U.S. civilian infrastructure and
industrial might. The Pearl Harbor attack was "fairly localized" and
"was not an attack on our industrial strength," he explained.

Outlining ways to enhance protection of information networks, Clarke
cited the need for intrusion detection monitoring systems, a netted
and adaptive intrusion monitoring system in the private sector,
artificial intelligence research and development, and an education
initiative to encourage more individuals to become highly qualified
information science experts.

Following are excerpts from an unofficial transcript of Clarke's
address:

(begin excerpts)

I did talk to my mother in Arizona yesterday and told her what I would
be doing today and told her I was going to be talking about an
"electronic Pearl Harbor." She recalled that day 57 years ago today
when she and my father were off on a picnic, literally, as much of the
country was, figuratively, and came back home to find out that we were
at war. And within weeks my father was on his way to the Pacific where
he spent the next four years.

It was 57 years ago today, and there's a lot of talk about an
"electronic Pearl Harbor" now. I think there are some important
differences between Pearl Harbor and the threat that we face. While it
is useful to use the phrase "electronic Pearl Harbor" to get people's
attention, it's important also that we recognize the differences
between Pearl Harbor and the threat we face today.

Then, even though we did not know specifically with tactical
intelligence that the attack was coming, we knew who the enemy was and
we knew the enemy's strengths. We knew how many battleships Japan had,
and we knew how many aircraft carriers it had. The attack when it came
was fairly localized. The attack on the United States at least was
largely at Pearl Harbor. And while it did take out the battleships of
the Pacific fleet, it was not an attack on our industrial strength.

Our industrial might was untouched and allowed us to bounce back. If
we were to have an electronic Pearl Harbor, it would be somewhat
different. For example, we cannot count the enemy's battleships in an
electronic war. We cannot estimate the strength of the opposing force.
That's something very important to the nature of structuring our
activity. If I could go to the Congress and say that our satellites
have flown overhead and counted the enemy's strength and it was
growing, then it would be easier for me to gain the resources I need
to defend this nation's infrastructure. But we can't do that in an
electronic threat, in a computer information war. Therefore we have to
find another approach convincing the Congress and convincing the
American people that the threat is worth the resources it requires.

A second difference is that if an attack does occur today, it will not
be localized. It will not just be in Aiea or Honolulu. It will be
nationwide. Very seldom in our nation's history have we faced a
nationwide catastrophe. We have disastrous hurricanes and earthquakes,
and we respond to them fairly well. We've never had two of them at the
same time -- at least not in my memory. To think of an attack that
causes the same effect as an earthquake or a hurricane, but causes it
throughout the country, will severely test our reconstitution
capability.

And a third difference: If an attack comes today with information
warfare, it will not be after our fleet. It will be after our civilian
infrastructure and our industrial might. So it would be much, much
worse than Pearl Harbor.

How did we get so vulnerable? How did we allow this to happen? How is
it that we wake up today on the 57th anniversary of Pearl Harbor and
find ourselves again vulnerable -- even more vulnerable than we were
then? The answer is that we have spent the last 20 years totally
restructuring America. We have taken our electric power industry, our
telephone industry, our aviation, transportation, railroads, banking
-- you name it -- every major sector of our economy, and we have
changed the way we do business. No one made that decision on any one
day. The Congress never voted on a bill to make us reliant upon
computers and computer-controlled systems. The American people never
decided to do that. But, gradually, over the course of the last 20
years, we have made all of our systems -- our key infrastructure
systems -- reliant upon computers or reliant upon computer-controlled
systems.

Many people had not realized before this year how reliant we have
become. But this year CEOs (chief executive officers) throughout the
country woke up when their CIO (chief information officer) came in to
them -- their information tech officer vice president came in to them
-- and said, "Boss, you know, you've bet the company on computer
assistance, because if you don't fix the Y2K (year 2000 conversion)
problem, if you don't do Y2K remediation, our company won't work in
the year 2000." And gradually CEOs, boards of directors, stockholders
throughout the country realized that something had happened to their
companies, that they now required some new piece of software to solve
a problem that they didn't even know existed two years ago -- a
problem called Y2K -- because without fixing Y2K they don't have a
company. That means that company -- every company -- is reliant upon
computers and computer-controlled systems. If that is true, it is also
true that they are vulnerable to information warfare of one kind or
another.

How large is the vulnerability? As I said, you can't fly overhead and
take pictures of the enemy's strength. But we can scope the threat,
even if we can't estimate it precisely. We can do it in two ways: one,
by self-analysis -- we can look at our own vulnerabilities; and two,
what graduate students at MIT (Massachusetts Institute of Technology)
used to call "the cockroach test." We can go into the kitchen at night
and turn on the light and see what's there when you're not looking.
Let me talk about those.

First, self-analysis and vulnerabilities. Most of you by now have
heard the phrases "Solar Sunrise" and "Eligible Receiver."

Solar Sunrise was an attack on computer systems throughout the Defense
Department last February as we were preparing to send forces to the
Persian Gulf. Someone, or some group of people -- at the time we
didn't know who -- gained route access, systems administrator status,
on over 20 important logistical computers throughout the Air Force
and, subsequently, we learned throughout the Navy and the Army. They
could have therefore crashed the systems. They downloaded thousands of
passwords and they installed sniffers and trap doors. And for days,
critical days, as we were trying to get forces to the Gulf, we didn't
know who it was who was doing it. We assumed therefore it was Iraq. We
found out it was two 14-year-olds from San Francisco. Was that good
news or bad? If two 14-year-olds could do that, think about what a
determined foe could do.

Eligible Receiver was an intentional attack launched by the Defense
Department on the Defense Department. And for days there, too, we did
not detect the attack. And the attackers, using only unclassified
techniques available on the Internet, were able to get significant
access and significant control of critical Defense Department
computers. I would argue that those two exercises show that we have
significant vulnerabilities.

What about the cockroach test? Every time we put a detection
monitoring system on a...critical computer in the Defense Department
or in the private sector, over the course of a week, there are scores
of attempted intrusions. Over the course of a month, there are
thousands of attempted intrusions, every time we look. So because we
have created and operated critical computer systems for years without
intrusion monitoring devices, without systems to look for people
attempting to get in, because we know that every time we do put
intrusion monitoring systems on, we find people trying to get in and
oftentimes succeeding, we must assume today that every critical
computer system in the United States is already vulnerable to
information warfare attack.

What are we going to do about it? Well, there are many things that
need to be done. It's going to take a lot of work over a number of
years. But I do want this morning to talk about four things that are
high on my agenda for making our country defensible from information
warfare attack.

First, I think we need intrusion detection monitoring systems. If we
go back to the Solar Sunrise experience of February, the Air Force
noticed the attack and for the better of the day, we assumed it was
only the Air Force that was being attacked. And then as usual a bright
Air Force captain said, "Why don't we ask the Navy and the Army to
look into their computer systems at that point of vulnerability that
was being attacked in the Air Force system -- rather than just asking
the Army and Navy, are you being attacked and being told no, let's ask
them to look at that point where the Air Force is coming under
attack." And at the end of the day, all of the Army bases and Navy
bases called back and said, "Whoops, you're right, we were attacked.
People have gained route access. People have downloaded passwords."
Why did the Air Force know and not the other services? Because at the
time the Air Force was the only service that had intrusion detection
monitoring systems on critical computers. That is no longer the case.
But it was at the time. But even with those systems in place on that
weekend in February, we had to call up individual Air Force bases and
ask them what their intrusion monitoring systems were doing. We had to
get systems administrators in over the weekend and ask them to check
the logs that were created by monitoring systems and to block the kind
of attack that was occurring.

So, intrusion detection monitoring systems themselves are not
sufficient. We need netted and adaptive intrusion detection monitoring
systems. What do I mean by netted and adaptive? We need to take the
hundreds or thousands of intrusion detection monitors we put on
individual servers and LANs (local area networks) and net them all
together so that an attack on one is an attack on all, so that we know
when an attack occurs on one system, that that methodology of attack
is automatically communicated to every other system on the network, so
that we don't have to wake up the systems administrator in the middle
of the night and ask her to come in and see if there's an attack going
on, that we don't have to ask her to change her software in the middle
of the night to prevent the attack. As soon as the attack occurs on
one system, all of the systems know about it and are adaptive. They
can fix the vulnerability so that it cannot succeed elsewhere.

We need now to install intrusion detection monitoring systems that are
netted and adaptive throughout the federal government. That is my
first of my four suggestions this morning.

It is already being done in the Defense Department, but the Defense
Department alone does not possess our critical information systems in
the federal government. How critical is NASA (National Aeronautics and
Space Administration), the FBI (Federal Bureau of Investigation), the
Secret Service? How critical are the checks that come out of the IRS
(Internal Revenue Service), the Veterans Administration, the Social
Security Administration? There are lots of non-defense systems that
are critical and need to be protected, if they are not protected
today.

Secondly, we need to take that kind of netted and adaptive intrusion
monitoring system and cause it to come about in the private sector,
because it is the private sector where our infrastructure lies.
Systems owned and operated by private companies provide 90 plus
percent of the telecommunications and electrical power required by the
Defense Department and other agencies of government. If you take down
the privately owned and operated telecoms and electricity and banking
and transportation networks, you have destroyed this country.

So we need not only to protect the government but more importantly we
need to protect the private sector systems. We are not talking about
here creating a government system to protect private infrastructures.
What we are talking about is creating a government system to protect
the government's critical computers and then saying to the key sectors
of our economy, "You ought to do the same thing. You the banking
industry, you the electric power industry ought to create netted,
adaptive intrusion monitoring systems just like we have. And to the
extent that you can learn from our mistakes, to the extent that you
can learn from our successes, we want to work with you."

The third thing on my list this morning is artificial intelligence
research and development. Why? I've already said that...experts can
look at a dozen lines of code and, if a trap door is artfully done,
cannot find it. In millions of lines of code, you are never going to
find it. How then do we deal with the fact that, I believe, trap doors
are already installed throughout the country. How do we defend against
that if you can't find it? Well, one thing we can do is get all the
computer science graduate students of the world and chain them to
their desks and make them go through millions of lines of code. But we
are talking about computers and we are talking about computer science,
shouldn't there be a way that we can develop an artificial
intelligence program that can scan in real time the operating system
running on your computers to look for trap doors, to look for logic
bombs, to look for trojan horses? It's not going to be easy. It's
stretching what artificial intelligence has done. But, given the time
and the effort and the money necessary, it ought to be something that
we can do.

Fourth, we need an education initiative. We need, frankly, more
computer science majors, more information science master's degree
candidates in this country. The U.S. government in particular needs
more highly qualified information science majors working as its
systems administrators and systems security officers. Frankly today
our assessment is that we don't have anywhere near enough working in
the U.S. government, in part because the government is not competitive
in what is now a highly competitive market because the number of
positions far outruns the number of qualified applicants.

Now all of these four things that I have talked about are an
appropriate kind of activity for the U.S. government. If we do those
four things, and more about which you will hear a lot more over the
next two days, then I think if the electronic Pearl Harbor does occur,
and if it does come with surprise, and if we do take the hit, then I
think we will be able to pick ourselves up off the floor and
reconstitute our strength and go about our tasks the way our parents'
generation did. But if we do not act now to put the systems in place
to deal with the threat that is out there, then we will fail to do the
necessary protection of our country that our parents' generation did
so well 57 years ago.

(end excerpts)