Rome '08 Workshop
Protecting Critical Infrastructures
Mr. Tim Bloechl
Microsoft Managing Director
Every time we get cash from an ATM, scan a bar code at the store, make a phone call, file an insurance claim, or use a search engine on the Internet, we are using part of the critical infrastructure. The critical infrastructure supports us at work, at play, in business, and, of course, across almost all aspects of military operations.
DEFINING CRITICAL INFRASTRUCTURE
In general terms, we define critical infrastructure as the facilities, services, and installations required by our societies to operate. It includes transportation, water, power, food delivery, banking and finance, hospitals, civil defense, police and fire support, telecommunications, and, of particular importance to this audience, national security networks. Critical infrastructure relating to information technology (IT) includes the global information and telecommunications network comprised of such entities as the Internet, satellite communications, television, telephones, and shared databases. These IT elements permeate all other aspects of the critical infrastructure.
When one considers just the networks we operate to control military operationsthe interrelationship of these networks with commercial infrastructure to transport forces, logistics, and informationand the necessity to communicate across coalitions or with NGOs or other non-military actors, it is self-evident that military operational networks in peace and war are also a very important part of this critical infrastructure.
THE CURRENT AND FUTURE STATE OF THE MILITARY INFRASTRUCTURE
We are certainly living through the evolution of the Information Age, and I for one believe we are closer to the beginning of it than to the end. The ability of military forces to see the battlefield with UAVs, satellites, and other means of detection; the ability to maintain a common, digital operating picture of friendly, threat, and other forces and actors based on an ever-expanding base of information that we must turn into knowledge; and the ability to move information and orders around the battlefield from the strategic level to the tip of the spear, including live video teleconference communications and soldier-level operating pictures and alertsall of these capabilities and others have a significant impact on the speed within which decisions are made, targets are engaged, and maneuvers are executed. Also, as others have mentioned, modern telecommunications in the hands of the press and the general public have certainly had an impact on our operations as well.
Change will continue to be rapid as industry and military R&D efforts search for even greater capabilities. Near-term technologies allow touch or voice manipulation and searches of massive amounts of data and imagery on commercially available and inexpensive horizontal and vertical displays. Pilots will learn basic flying skills or plan and fly through flight missions using computer-generated cockpits within virtual worlds displaying real terrain and weather on laptops or desktop computers at minimal cost. This same capability may soon be in the hands of platoon and squad leaders on the ground, armed with the latest imagery from military and commercial sources and augmented with 3D, 360-degree views of target areas and routes. Mission planning, war gaming, and after-action reviews of mission execution captured with computers simplifies our ability to evaluate the effectiveness of courses of action and significantly decreases the time it takes to do so. Additionally, as computer and Internet search capabilities continue to improve, and data storage and bandwidth become less of an issue for supporting military operations, planners, warfighters, and staffs will reap even greater opportunities to improve mission execution.
While information technology and its impact on military operations evolve, some believe that if our networks and, to a greater extent, other segments of our critical infrastructure are left unprotected, IT will become our Achilles heel. As was mentioned by several of the speakers at this workshop, the loss or degradation of such infrastructure would have a serious impact on local, regional, or even global economies and societies, and certainly huge implications for national security.
WHY THE CRITICAL INFRASTRUCTURE IS VULNERABLE
The critical infrastructure has always been vulnerable to some extent. Water supplies, transportation networks, and power plants have never been completely free of the threat of a physical attack. Today, because of the increasing ubiquity of IT and the global reach of the Internet, that vulnerability has been extended. Now we must also guard against thieves, vandals, hackers, terrorists, and, in cases involving military and intelligence operations, computer network attack or computer network exploitation, in network-centric warfare terms. Given the nature of incidents and manipulation against computers today, it is very difficult to be certain of the source of these attacks and infiltrations, because they appear to come from anywhere around the globe; the identities of those involved are difficult, if not impossible, to establish; and the full extent of damage may be hard to determine.
Furthermore, and perhaps even more alarming, would be efforts to quietly infiltrate infrastructure-related computer networks and, when the time is right, to execute attacks to disrupt or render inoperative elements of the infrastructure. This type of attack would certainly be a consideration for military operations; it is the source of much discussion in terms of the law of land warfare, doctrine, and war planning. If such attacks are carried out by terrorist organizations that do not identify themselves as the source of the attack and do not ascribe to the Geneva Convention and other forms of international order, how would we respond? Would such asymmetric attacks constitute a violation of national sovereignty? Would the circumstances of the attack present a casus belli? And who would we counterattack if it did? And what ROE would we employ as part of such operations?
Protecting the IT critical infrastructure has been an evolving process. Only a decade or so ago, applications, servers, and systems were not built with security, interconnectivity, resilience from attack, and reliability integral to their code. As the IT infrastructure matured, the need for these considerations became more obvious. Provisions for those features were laid on top of existing technology, sometimes with mixed results. Today security, privacy, and reliability are not merely optional features added to softwarethey must be engineered into these products.
CHALLENGES OF PROTECTING THE CRITICAL INFRASTRUCTURE
The overriding purpose of protecting the critical infrastructure is to assure the delivery of critical services to citizens and to allow government, and indeed our military forces, to function and fulfill obligations to the citizenry. However, some basic characteristics of our critical infrastructure present a challenge:
- Society is more reliant on the critical infrastructure than ever before.
- The sectors that make up the critical infrastructure are increasingly interdependent. In particular, all of them are increasingly dependent on IT.
- The sectors are increasingly connected to untrusted and unregulated environments such as the Internet.
- Our ability to protect the critical infrastructure has not kept pace with the pace at which new threats have arisen.
A SHARED RESPONSIBILITY
Securing this critical infrastructure requires efforts on many fronts. No single group has the scope in terms of mandate or composition to address the entire problem, so partnership is a means, if not a necessity, to pool the best resources for the benefit of all and to share the solutions.
Even consumers, including most of us at this workshop, who have only their personal computers to protect, share some responsibility for the critical infrastructure. Not only do we have an interest in protecting the information on our own computers, but we must also guard against our computers being compromised and used to launch attacks on others.
Let me now identify the general roles and shared responsibilities I think we must observe:
- Create an environment in which market-based incentives encourage the private sector to create secure products and services.
- Help create guidance and best practices for government, the private sector, and consumers.
- Be a role model by securing government systems and encouraging the procurement of products engineered for trustworthiness.
As part of government, military and national security organizations need to:
- Establish agile certification standards for software and other IT products destined for sensitive networks. In this regard our view is that the Common Criteria standard is in great need of revision, and we welcome the opportunity to work with government to evolve this process.
- The military should also establish and publish software assessment or evaluation procedures that lead to the adoption of the appropriate level of risk when making IT decisions. This will ensure that our military forces enjoy the best possible benefits from IT advances while protecting the networks these forces depend on from attack and exploitation.
- Government also needs to help change current procurement procedures that stand in the way of spiral development and the rapid insertion of new technologies. I point out here that procurement bureaucracies are not a problem for some of the most dangerous terrorist organizations we face today.
- I wonder what the role is for military and security services across other government and commercial critical infrastructures should they, and not the military networks, be attacked. This question could, by itself, be the discussion point for another panel, perhaps next year. Indeed, when one looks at the current state of these defenses, they are largely based on individual networks and not a combination of the whole. I wonder if we must move to the next step with defenses that are cross-functional, cross-industry, and perhaps regional or international. Without such an approach I worry that a local event against a particularly vulnerable node of the critical infrastructure could quickly become a national or international man-made disaster.
The private sector needs to:
- Take seriously the responsibility to build secure products and services.
- Build trustworthy products and services as a means to a competitive advantage.
- Provide tools and guidance to help customers deploy and use their products.
I also think that all sides must focus on developing interoperable systems that allow us to reduce stovepipes and reduce the complexity of these systems, thereby leading to a higher probability that we will be able to defend them successfully.
I believe that we have some tremendous IT capabilities at work on the battlefield, within our logistics systems, and throughout the many other functional processes that form the basis of our military critical infrastructure. I am excited about the possibilities this and future technology advances offer us. At the same time, security must be considered throughout the development, testing, and deployment of these capabilities, so I would like to reinforce the comments of my colleagues on the panel todaycyber defense has become a critical warfighting mission. We must ensure the continuous operation of our military networks through a concerted military, government, and industry partnership and the development of resilient and agile defenses.
*Source utilized: Jerry Cochran, Microsoft Senior Security Strategist