Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 135
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism 5 Information Technology INTRODUCTION Information technology (IT) is essential to virtually all of the nation’s critical infrastructures, which makes any of them vulnerable to a terrorist attack on the computer or telecommunications networks of those infrastructures. IT plays a critical role in managing and operating nuclear-power plants, dams, the electric-power grid, the air-traffic-control system, and financial institutions. Large and small companies rely on computers to manage payroll, track inventory and sales, and perform research and development. Every stage of the distribution of food and energy, from producer to retail consumer, relies on computers and networks. A more recent trend is the embedding of computing capability in all kinds of devices and environments, as well as the networking of embedded systems into larger systems.1 These realities make the computer and communications systems of the nation a critical infrastructure in and of themselves, as well as major components of other kinds of critical infrastructure, such as energy or transportation systems. The IT infrastructure can be conceptualized as four major elements: the Internet, the telecommunications infrastructure, embedded/real-time computing (e.g., avionics systems for aircraft control, SCADA systems controlling electrical energy distribution), and dedicated computing devices (e.g., desktop computers). Each of these plays a different role in national life and each has different vulnerabilities. 1 See CSTB (2001a). Note that most CSTB reports contain many references to relevant literature and additional citations.
OCR for page 136
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism IT can also play a major role in the prevention, detection, and mitigation of terrorist attacks.2 By enabling wider awareness of critical information in the intelligence community,3 IT may facilitate the identification of important patterns of behavior. Advances in information fusion, which is the aggregation of data from multiple sources for the purpose of discovering some insight, may be able to help in uncovering terrorists or their plans in time to prevent attacks. In addition to prevention and detection, IT may also enable rapid and accurate identification of the nature of an attack and aid in responding more quickly. THREATS ASSOCIATED WITH IT INFRASTRUCTURE When the IT infrastructure is attacked, the target can be the IT itself. Alternatively, the true target of the terrorist may be another of our society’s infrastructures, and the terrorist can either launch or exacerbate the attack by exploiting the IT infrastructure, or use it to interfere with attempts to achieve a timely and effective response. Thus, IT is both a target and a weapon that can be deployed against other targets. A terrorist attack that involves the IT infrastructure can operate in one of three different modes. First, the attack can come in “through the wires” alone. Second, it can include the physical destruction of some IT element, such as a critical data center or communications link. Third, the attack can rely on the compromising of a trusted insider who, for instance, provides passwords that permit outsiders to gain entry.4 All of these modes are possible and, because of the highly public nature of our IT infrastructure and of our society in general, impossible to fully secure. Nor are they mutually exclusive—and in practice they can be combined to produce even more destructive effects. Most of the nation’s civil communications and data network infrastructure offer soft IT targets, but they tend to be localized either geographically or in mode of communication, and if no physical damage is done tend to be recoverable in a relatively short time. One can imagine the use of IT as the weapon in a series of relatively local attacks that are repeated against different targets—banks, hospitals, or local government services—so often that public confidence is shaken and significant economic disruption results. This report is focused on catastrophic terrorism, and the committee’s analysis is aimed at identifying those threats in particular and proposing S&T strategies for combating them. Of course, serious efforts are needed to employ security technologies that research might generate to harden all elements of the IT infrastructure to reduce the damage potential for such repeated attacks. 2 CSTB (1996, 1999a). 3 The intelligence community includes the CIA, FBI, NSA, and a variety of other agencies in the DOD and other departments. 4 See CSTB (1999b).
OCR for page 137
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism IT Attack as an Amplifier of a Physical Attack Given IT’s critical role in many other elements of the national infrastructure and in responding to a crisis, the targeting of IT as part of a multipronged attack scenario could have catastrophic consequences. Compromised IT can have several disastrous effects: expansion of terrorists’ opportunities to widen the damage of a physical attack (for example, by providing false information that drives people toward rather than away from the point of attack); diminishment of timely responses to the attack (by interfering with communications systems of first responders); and heightened terror in the population through misinformation (by providing false information about the nature of the threat). The techniques to compromise key IT systems—e.g., launching distributed denial-of-service (DDOS) attacks against Web sites and servers of key government agencies at the federal, state, and local levels, using DDOS to disrupt agencies’ telephone services and the emergency-response 911 system, or sending e-mails containing false information with forged return addresses so they appear to be from trusted sources—are fairly straightforward and widely known. Other Possibilities for Attack Using IT When an element of the IT infrastructure is directly targeted, the goal is to destroy a sufficient amount of IT-based capability to have a significant impact. For example, one might imagine attacks on the computers and data storage devices associated with important facilities. Irrecoverable loss of critical operating data and essential records on a large scale would likely result in catastrophic and irreversible damage to U.S. society. While no law of physics prevents the simultaneous destruction of all data backups and backup facilities in all locations, such an attack would be highly complex and difficult to execute, and is thus implausible. The infrastructure of the Internet is another possible target, and given its prominence, may appeal to terrorists as an attractive target. The Internet could be seriously degraded for a relatively short period of time by a denial-of-service attack, but this is unlikely to be long lasting. The Internet itself is a densely connected network of networks,5 which means that a large number of important nodes would have to be destroyed simultaneously to bring it down for an extended period of time. Destruction of some key Internet nodes would result in slowed traffic across the Internet, but the ease with which Internet communications can be rerouted would minimize the long-term damage.6 (In this regard, the 5 See CSTB (2001b). Note, however, that the amount of redundancy is primarily limited by economic factors. 6 This comment largely applies to U.S. use of the Internet. It is entirely possible that other nations—whose traffic is often physically routed through the United States through one or two locations—would fare much worse in this scenario.
OCR for page 138
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism fact that substantial data-networking services survived the September 11 disaster despite the destruction of large amounts of equipment concentrated in the World Trade Center complex reflected redundancies in the infrastructure (and a measure of good fortune as well).) Higher leverage could be obtained with a “through-the-wires” attack that would require the physical replacement of components in Internet relay points on a large scale, though such attacks would be much harder to plan and execute. Another attack that would provide greater leverage is on the Domain Name System (DNS), which provides translation for the Internet of domain names (e.g., example.com) to specific IP addresses (which denote specific Internet nodes). There are a relatively small number of “root name servers” that provide these translation services, and while the DNS is configured to provide redundancy in case of accidental failure, it has some vulnerability to an intentional physical attack that might target all name servers simultaneously. Though Internet operations would not halt instantly, an increasing number of sites would, over a period of time measured in hours to days, become inaccessible without root name servers to provide authoritative translation information. On the other hand, recovery from such an attack would be unlikely to take more than several days, since the servers themselves are general-purpose computers that are in common use. A second point to consider is that most companies today do not rely on the Internet to carry out their core business functions. Even if a long-term disruption to the Internet were a major disruption to an e-commerce company such as Amazon.com, most other companies could resort to using phones and faxes again to replace the Internet for many important functions. (For example, the Department of the Interior was largely off the Internet since the beginning of December 2001,7 and it continues to operate more or less as usual.) Because the Internet is not (yet) central to most of American society, the impact of even severe damage to the Internet is less than what might be possible through other modes of attack. The telecommunications infrastructure of the public switched network is likely to be less robust. Although the long-haul telecommunications infrastructure is capable of dealing with single-point failures in such centers (and perhaps even double-point failures), the physical redundancy in that infrastructure is not infinite, and taking out a relatively small number of major switching centers for long-distance telecommunications could result in a fracturing of the United States into disconnected regions.8 An additional vulnerability in this telecommunica- 7 Jennifer Disabatino. 2001. “Court Order Shuts Down Dept. of Interior Web Sites,” COMPUTERWORLD, December 17. Available online at <http://www.computerworld.com/storyba/0,4125,NAV47_STO66665,00.html>. 8 An exacerbating factor is that many organizations rely on leased lines to provide high(er)-assurance connectivity. However, these lines are typically leased from providers of telecommunications infrastructure, and hence suffer from many of the same kinds of vulnerabilities as ordinary lines.
OCR for page 139
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism tions infrastructure is the local loop connecting central switching offices to end users—full recovery from the destruction of a central office entails the tedious rewiring of tens or hundreds of thousands of individual connections. Destruction of central offices on a large scale is difficult, simply because even an individual city has many of them, but destruction of a few central offices associated with key facilities or agencies (e.g., those of emergency response agencies, or of the financial district) would certainly have a significant immediate, though localized, impact. The IT systems and networks supporting the nation’s financial system are undeniably critical. However, banking transactions occur through separate networks such as SWIFT and CHIPS; attacks on these networks would require significantly more effort and risk to plan and implement than comparable assaults on the open Internet. For example, successful attacks on SWIFT and CHIPS would likely necessitate significant insider access.9 Embedded/real-time computing in specific systems could be attacked. One example is the possibility of corruption over time, much as a Y2K bug was built into many embedded real-time systems. Of particular concern could be avionics in airplanes, collision avoidance systems in automobiles, and other transportation systems. Such attacks would require a significant insider presence in technically responsible positions in key sectors of the economy over long periods of time. A second type of attack on embedded computing is illustrated by the notion of an attack on the systems controlling elements of the nation’s critical infrastructure, e.g., the electric-power grid, the air-traffic-control system, the financial network, and water purification and delivery. An attack on these systems could trigger an event and perhaps stimulate an inappropriate response to the event that drives the system into a catastrophic state. The discussion below, presented as an example, focuses on the electric-power grid10—in particular, on the supervisory control and data acquisition (SCADA) systems that underlie IT’s control of the electric-power grid—but similar considerations apply to other parts of the nation’s infrastructure. 9 The fact that these networks are separate and physically distinct from those of the Internet and the public switched telecommunications network reduces the risk of penetration considerably. In addition, security consciousness is much higher in financial networks than on the Internet. On the other hand, the fact that these networks are much smaller than the Internet suggests that there is less redundancy in them and that the computing platforms are likely to be less diverse than the platforms on the Internet, a factor that tends to reduce their security characteristics as compared to those of the Internet. 10 Note that the electric power grid is one of the few, if not the only, truly “national” infrastructures in which it is theoretically possible that a failure in a region could cascade to catastrophic proportions before it could be dealt with.
OCR for page 140
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism Box 5.1 describes some of the security issues associated with SCADA systems. Attacks on SCADA systems could obviously result in disruption of the network (“soft” damage), but because SCADA is used to control physical elements, such attacks could also result in irreversible physical damage. In those cases where backups for the damaged components were not readily available (and might have to be remanufactured from scratch), such damage could have long-lasting impact. An electronic attack on a portion of the electric-power grid could result in significant damage, easily comparable to that associated with a local blackout. The real leverage of such an attack would likely be in amplifying the damage and costs associated with a physical attack on some other element of the critical infrastructure. Another disaster scenario that could rise to the level of catastrophic damage would be an attack on a local or regional power system that cascades to shut down electrical power, possibly with physical damage that could take weeks to repair, over a much wider area. On the other hand, it is unclear whether such an attack could actually be mounted, and a detailed study both of SCADA systems and the electric-power system is probably required in order to assess this possibility. The committee notes, however, that because of the inordinate complexity of the nation’s electric-power grid, the effects on the overall grid of a major disruptive event in one part of the system are difficult to predict with any confidence (both for grid operators and terrorists). Thus, any nonlocalized impact on the power grid would be as much a matter of chance as a foreseeable consequence. (See Chapter 6 for a further discussion on electric power vulnerabilities.) In many of the same ways as embedded computing could be attacked, dedicated computers could also be corrupted in hard-to-detect ways. One possible channel arises from the extensive use of foreign IT talent among software vendors. Once working on the inside, perhaps after a period of years in which they act to gain responsibility and trust, it could happen that these individuals would be able to introduce additional but unauthorized functionality into systems that are widely used. Under such circumstances, their target might not be the general-purpose computer used in the majority of offices around the country, but rather the installation of hidden rogue code in particular sensitive offices. Another channel arises from the connection of computers through the Internet; such connections provide a potential route through which terrorists might attack computer systems that do provide important functionality for many sectors of the economy. (It is likely that Internet-connected computer systems that provide critical functionality to companies and organizations are better protected through firewalls and other security measures than the average system on the Internet, but as press reports in recent years make clear, such measures do not guarantee that outsiders cannot penetrate them.)
OCR for page 141
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism BOX 5.1 Security Vulnerabilities and Problems of SCADA Systems Today’s supervisory control and data acquisition (SCADA) systems have been designed with little or no attention to security. For example, data in SCADA systems are often sent “in the clear.” Protocols for accepting commands are open, with no authentication required. Control channels are often wireless or leased lines that pass through commercial telecommunications facilities. For example, unencrypted radio-frequency command pathways to SCADA systems are common and, for economic reasons, the Internet itself is increasingly used as a primary command pathway. Thus, there is minimal protection against the forgery of control messages or of data and status messages. Such control paths present obvious vulnerabilities. In addition, today’s SCADA systems are built from commercial off-the-shelf components and are based on operating systems that are known to be insecure. Deregulation has meant placing a premium on the efficient use of existing capacity, and hence interconnections to shift supply from one location to another have increased. Problems of such distributed dynamic control, in combination with the complex, highly interactive nature of the system being controlled, have become major issues in operating the power grid reliably. A final problem arises because of the real-time nature of SCADA systems, in which timing may be critical to performance and optimal efficiency (timing is important because interrupts and other operations can demand millisecond accuracy): Security add-ons in such an environment can complicate timing estimates and can cause severe degradation to SCADA performance. Compounding the difficulty of SCADA systems’ tasks is the fact that information about their vulnerability is so readily available. Such information was first brought into general view in 1998-1999, when numerous details on potential Y2K problems were put up on the World Wide Web. Additional information of greater detail—dealing with potential attacks that were directly or indirectly connected to the President’s Commission on Critical Infrastructure Protection—was subsequently posted on Web pages as well. Product data and educational videotapes from engineering associations can be used to familiarize potential attackers with the basics of the grid and with specific elements. Information obtained through semiautomated reconnaissance to probe and scan the networks of a variety of power suppliers could provide terrorists with detailed information about the internals of the SCADA network, down to the level of specific makes and models of equipment used and version releases of corresponding software. And more inside information could be obtained from sympathetic engineers and operators. Disproportionate Impacts Some disaster scenarios result in significant loss or damage that is all out of proportion to the actual functionality or capability destroyed. In particular, localized damage that results in massive loss of confidence in some critical part of the infrastructure could have such a disproportionate impact. For example, if terror-
OCR for page 142
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism ists were able to make a credible claim that the control software of a popular fly-by-wire airliner was corrupted and could be induced to cause crashes on demand, perhaps demonstrating it once, public confidence in the airline industry might well be undermined. A more extreme scenario might be that the airlines themselves might ground airplanes until they could be inspected and the software validated. To the extent that critical industries or sectors rely on any element of the IT infrastructure, such disproportionate-impact disaster scenarios are a possibility. Possibility, Likelihood, and Impact The scenarios above are necessarily speculative. But it is possible to make some judgments that relate to their likelihood: Attacks that require insider access are harder to mount and thus less likely than attacks that do not. Insiders must be placed or recruited, and insiders are not necessarily entirely trustworthy from the standpoint of the attacker. Individuals with specialized expertise chosen to be placed as infiltrators may not survive the screening process, and because there are a limited number of such individuals, it can be difficult to insert an infiltrator into a target organization. In addition, compared to approaches not relying on insiders, insiders may leave behind more tracks that can call attention to their activities. This judgment depends, of course, on the presumed diligence on the part of employers to ensure that their key IT personnel are trustworthy, but it is worth remembering that the most devastating espionage episodes in recent U.S. history have involved insiders (Aldrich Ames and Robert Hanssen). Attacks that require execution over long periods of time are harder to mount and thus less likely than attacks that do not. Planning often takes place over a long period of time, but the actual execution of a plan can be long as well as short. When a plan requires extended activity that if detected would be regarded as abnormal, it is more likely to be discovered and/or thwarted. Terrorist attacks can be sustained over time as well as occur in individual instances. If the effects of an attack sustained over time (perhaps over months or years) are cumulative, and if the attack goes undetected, the cumulative effects could reach very dangerous proportions. Because such an attack proceeds a little bit at a time, the resources needed to carry it out may well be less than in more concentrated attacks, thus making it more feasible. Plans that call for repeated attacks are less likely than plans that call for single attacks. For example, it is possible that repeated attacks on the Internet could render large parts of it inoperative for extended periods of time. Such an onslaught might be difficult to sustain, however, because it would be readily detected and efforts would be made to counter it. Instead, an adversary with the
OCR for page 143
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism wherewithal to conduct such repeated attacks would be more likely to make the initial strike and then use the recovery period not to stage and launch another strike against the Internet but to attack the physical infrastructure; this could leverage the inoperative Internet to cause additional damage and chaos. Terrorists, like other parties, have limited resources. Thus, they are likely to concentrate their efforts where the impact is largest for the smallest expenditure of resources. For example, terrorists who want to create immediate public fear and terror are more likely to use a physical attack (perhaps in conjunction with an attack using IT to amplify the resulting damage) than an attack that targets IT exclusively. The reason is that the latter is not likely to be as cinematic as other attacks. What would television broadcast? There would be no dead or injured people, no buildings on fire, no panic in the streets, and no emergency-response crews to the rescue. The image of a system administrator typing furiously is simply much less terrifying than images of buildings collapsing. The IT infrastructure (or some element of it) can be a weapon used in an attack on something else as well as the target of an attack. An attack using the IT infrastructure as a weapon has advantages and disadvantages from the point of view of a terrorist planner. It can be conducted at a distance in relative physical safety, in a relatively anonymous fashion, and in potentially undetectable ways. On the other hand, the impact of such an attack (by assumption, some other critical national asset) is indirect, harder to predict, and less certain. State sponsorship of terrorism poses threats of a different and higher order of magnitude, for a variety of reasons that include access to large amounts of financial backing and the ability to maintain an actively adversarial stance at a high level for extended periods of time. For example, state-sponsored terrorism might use the state’s intelligence services to gain access to bribable or politically sympathetic individuals in key decision-making places, or to systematically corrupt production or distribution of hardware or software. Some of the scenarios above are potentially relevant to information warfare attacks against the United States, i.e., attacks launched or abetted by hostile nation-states and/or directed against U.S. military forces or assets. A hostile nation conducting an information attack on the United States is likely to conceal its identity to minimize the likelihood of retaliation, and hence may resort to sponsoring terrorists who can attack without leaving clear national signatures. While these considerations make certain types of attack more or less likely, none of the scenarios described above can be categorically excluded. This fact argues in favor of a long-term commitment to a strategic R&D program that will contribute to the robustness of the telecommunications and data networks and of the platforms embedded in them. Such a program would involve both fundamental research into the scientific underpinnings of information and network security and the development of deployable technology that would contribute to informa-
OCR for page 144
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism tion and network security. Ultimately, the strengthening of the nation’s IT infrastructure can improve our ability to prevent, detect, respond to, and recover from terrorist attacks on the nation.11 The shape of a strategic research and development agenda is described below. However, it should be noted that this agenda has broad applicability to efforts against terrorism, against information warfare, and against cybercrime. While the scope and complexity of issues with respect to each of these areas may well vary (e.g., an agenda focused on cybercrime may place more emphasis on forensics useful in prosecution), the committee believes that there is enough overlap in the research problems and approaches to make it unwise to articulate a separate R&D agenda for each area. SHORT-TERM RECOMMENDATIONS Developing a significantly less vulnerable information infrastructure is an important long-term goal for the country. This long-term goal must focus on the creation of new technologies and paradigms for enhancing security and reducing the impact of security breaches. In the meantime, the IT vulnerabilities of the first-responder network should receive priority attention. Efforts should focus on hardening first responders’ communications capability, as well as those portions of their computing systems devoted to coordination and control of an emergency response. Existing technology can be used to achieve many of the improvements needed in telecommunications and computing. Unfortunately, the expertise to achieve a more secure system often does not reside within the host organizations—this may be the case, for example, in local and state government. These realities lead, then, to three short-term recommendations: Short-Term Recommendation 5.1: Develop a program to increase the security of emergency-response agencies’ communications systems against attack, based on the use of existing technologies (perhaps slightly enhanced). Some possible options include a separate emergency-response communications network that is deployed in the immediate aftermath of a disaster, and the use of the public network to support virtual private networks, with priority given to traffic from emergency responders. Given the fact that emergency-response agencies are largely state and local, no federal agency has the responsibility and authority to carry out this recommendation. Thus it would likely have to rely on incentives (probably financial) to persuade state and local responders to participate. 11 See CSTB (1996, 1999a).
OCR for page 145
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism Short-Term Recommendation 5.2: Promote the use of best practices in information and network security throughout all relevant public agencies and private organizations. Nearly all organizations, whether in government or the private sector, could do much better with respect to information and network security than they do today simply by exploiting what is already known about that subject, as discussed at length in Cybersecurity Today and Tomorrow: Pay Now or Pay Later.12 (For example, many technologies for securing IT systems, such as encryption, secure authentication, and the use of private networks for critical communications, are available but not widely deployed.) Those responsible for requiring and implementing such changes range from chief technical (or even executive) officers to system administrators. There is currently no clear locus of responsibility within government to undertake such “promotion” across the private sector—information and network security there is not subject to government regulation—nor even across government itself. The Office of Management and Budget has sought to promote information and network security in the past, but despite its actions the state of information and network security in government agencies remains highly inadequate. In the final analysis, even though the market has largely failed to provide sufficient incentives for the private sector to take adequate action with respect to information and network security, it is likely that market mechanisms will be more successful than regulation in improving the security of the nation’s IT infrastructure, though they have yet to do so. The challenge for public policy is to ensure that such market mechanisms develop. Short-Term Recommendation 5.3: Ensure that a mechanism exists for providing authoritative IT support to federal, state, and local agencies that have immediate responsibilities for responding to a terrorist attack. One option is to place the mechanism administratively in existing government or private organizations (e.g., the National Institute of Standards and Technology, the Office of Homeland Security, the Department of Defense, or the Computer Emergency Response Team of the Software Engineering Institute at Carnegie Mellon University); and a second option is to create a national body to coordinate the private sector and local, state, and federal authorities.13 In the short term, a practical option for providing emergency operational support would be to exploit IT expertise in the private sector, much as the armed services draw on the private sector (National Guard and reserve forces) to augment active-duty forces during emergencies. Such a strategy, however, must be a complement to a 12 CSTB (2002a). 13 Note that CSTB has a pending full-scale project on information and network security R&D that will address federal funding and structure in much greater detail than is possible in this report.
OCR for page 166
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism Create digital floor plans and maps of other physical infrastructure, and use wearable computers and “map ants” to generate maps that can be updated. Develop tools to map network topology, especially of converged networks that handle voice and data traffic. Begin to characterize the functionality of regional networks for emergency responders. Information Fusion Promising to play a central role in the future prevention, detection, and remediation of terrorist acts, “information fusion” is defined as the use of computer technology to acquire data from many sources, integrate these data into usable and accessible forms, and interpret them. Such processed data can be particularly valuable for decision makers in law enforcement, the intelligence community, emergency-response units, and other organizations combating terrorism. Not surprisingly, an inherent problem of information fusion is data interoper-ability—the difficulty of merging data from multiple databases, multiple sources, and multiple media. Prevention. Security checkpoints have become more important and more tedious than ever at airports, public buildings, sporting venues, and national borders. But the efficiency and effectiveness of checkpoints could be significantly improved by creating information-fusion tools to support the checkpoint operator in real time. For example, future airport-security stations could integrate data received from multiple airports to provide a more global view of each passenger’s luggage and activities on connecting flights. The stations could use data-mining methods to learn which luggage items most warrant hand-inspection, and they could capture data from a variety of biometric sensors to verify the identities of individuals and search for known suspects. Detection. Intelligence agencies are routinely involved in information fusion as they attempt to track suspected terrorists and their activities, but one of their primary problems is managing the flood of data. There are well-known examples in which planned terrorist activity went undetected despite the fact that relevant evidence was available to spot it—the evidence was just one needle in a huge haystack. Future intelligence and law-enforcement activities could therefore benefit enormously from advances in automatic interpretation of text, image, video, sensor, and other kinds of unstructured data. This would enable the computer to sort efficiently through the massive quantities of data to bring the relevant evidence (likely combined from various sources) to the attention of the analyst. Response. Early response to biological attacks could be supported by collecting and analyzing real-time data, such as admissions to hospital emer-
OCR for page 167
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism gency rooms and veterinary offices or purchases of nonprescription drugs in grocery stores, and integrating it with background information about the affected patient’s residence and job address. Prototype systems are already under development, including one that monitors real-time admissions to 17 emergency departments near Pittsburgh, to generate profiles of ER visits, and discern patterns of activity. If anomalous patterns emerge that may signify an outbreak of some new pathogen, system administrators can quickly alert health officials. Many other opportunities exist for such computer-aided “evidence-based decision making.” For example, the monitoring of activity on computer networks might flag potential attempts to break through a firewall; or sensor networks attached to public buildings might flag patterns of activity within the building that suggest suspicious behavior. In these kinds of cases, because the data is voluminous and derives from a variety of sources, an unaided decision maker might have difficulty detecting subtle patterns. As a general proposition, the development of tools that provide human analysts with assistance in doing their jobs has a higher payoff (at least in the short to medium term) than tools that perform most or all of the analyst’s job. This places a greater emphasis on approaches that use technology to quickly sift large volumes of data to flag potentially interesting data items for human attention (as opposed to approaches that rely on computers to make high-level inferences themselves in the absence of human involvement and judgment). A final dimension of information fusion is nontechnical. That is, disparate institutional missions may well dictate against a sharing of information at all. Underlying successful information fusion efforts is a desire to share information—and it is impossible to fuse information belonging to two agencies if those two agencies do not communicate with each other. Establishing the desire to communicate among all levels at which relevant information could be shared may have a larger impact than the fusion that might occur due to advances in technology. Data Mining “Data mining” is the automatic machine-learning of general patterns from a large volume of specific cases. For example, given a set of known fraudulent and nonfraudulent credit-card transactions, the computer system may learn general patterns that can be used to flag future cases of possible fraud. Data mining has grown quickly in importance in the commercial world over the past decade, as a result of the increasing volume of machine-readable data, advances in statistical machine-learning algorithms for automatically analyzing these data, and improved networking that makes it feasible to integrate data from disparate sources. Decision-tree learning, neural-network learning, Bayesian-network learning, and logistic-regression-and-support vector machines are among the most widely used
OCR for page 168
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism statistical machine-learning algorithms. Dozens of companies now offer commercial implementations, which are integrated into database and data-warehousing facilities. A typical commercial application of data mining is fraud detection for credit cards, telephone calls, and insurance claims (by learning from historical data on transactions known to be fraudulent). Other applications are in assessing mortality risk for medical patients (by learning from historical patient data) and predicting which individuals are most likely to make certain purchases (by analyzing data on other individuals’ past purchasing). The majority of these commercial data-mining applications involve well-structured data. Limitations of the current commercial technology include the inability to mine data that is a combination of text, image, video, and sensor information (that is, data in “nonstructured” formats) as well as the inability to incorporate the knowledge of human experts into the data-mining process. Despite the significant value of current machine-learning algorithms, there is also a need to develop more accurate learning algorithms for many classes of problems. New research is needed to develop data-mining algorithms capable of learning from data in both structured and nonstructured formats. And whereas current commercial systems are very data-intensive, research is needed on methods for learning when data are scarce (e.g., there are only a few known examples of some kinds of terrorist activity) by incorporating knowledge of human experts along-side the statistical analysis of the data. Another research area is better mixed-initiative methods that allow the user to visualize the data and direct the data analysis. Data Integration New research is needed to normalize and combine data collected from multiple sources, such as the combination of different sets of time-series data (e.g., with different sampling rates, clocks, and time zones) or collected with different data schemas (e.g., one personnel database may use the variable “JobTitle” while another uses “EmployeeType”). Language Technologies The area of language technologies has developed a wide variety of tools to deal with very large volumes of text and speech. The most obvious commercial examples are the Web search engines and speech-recognition systems that incorporate technology developed with DARPA and NSF funding. Other important technologies include information extraction (e.g., extraction of the names of people, places, or organizations mentioned within a document), cross-lingual retrieval (e.g., does an Arabic e-mail message involve discussion of a chemical weapon?), machine translation, summarization, categorization, filtering (moni-
OCR for page 169
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism toring streams of data), and link detection (finding connections). Most of these approaches are based on statistical models of language and machine-learning algorithms. A great deal of online information, in the form of text such as e-mail, news articles, memos, and pages on Web sites, is of potential importance for intelligence applications. Research is needed on methods for accurately extracting from text certain structured information such as descriptions of events—e.g., the date, type of event, actors, and roles. Research is needed to handle multiple languages, including automatic translation, cross-lingual information retrieval, and rapid acquisition of new languages. Other important areas of future research are link detection (related to the normalization problem mentioned above) and advanced question answering. Image and Video Processing The technologies for image and video processing tend to be domain-specific and often combine information from multiple modes. For example, several companies are beginning to offer image-recognition software for face recognition and automatic classification of medical and other types of images. Commercially available video indexing-and-retrieval software improves effectiveness by combining techniques of segmentation, face detection, face recognition, key-frame extraction, speech recognition, text-caption extraction, and closed-caption indexing. This is a good example of information fusion in which multiple representations of content are combined to reduce the effect of errors coming from any given source. The major limitation of present language and image technologies is that their accuracy and performance, despite significant progress, need to be considerably improved. This is particularly true for counterterrorist systems where the data may be very noisy (that is, surrounded by irrelevant information) and sparse. Work is needed on improved algorithms for image interpretation and speech recognition. Many of these research issues are specific to problems arising in a particular medium—e.g., recent progress on face recognition has come primarily from understanding how to extract relevant image features before applying machine learning methods, though this approach may not be applicable to machine learning in other contexts. However, new research is also needed on perception based on mixed media—e.g., speech recognition based on sound combined with lip motion. Evidence Combination Many of the techniques used to combine information from multiple sources, as in video indexing or metasearch engines, are ad hoc. Current research on principle-based methods for reasoning under uncertainty needs to be extended
OCR for page 170
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism and tested extensively in more demanding applications. This is a key technical problem, with widespread implications for many of the applications mentioned above—e.g., how to combine evidence from hospital admissions and from nonprescription drug purchases to detect a probable bioterrorist attack; how to combine evidence from face recognition and voice print to estimate the likely identity of a person; or how to combine evidence from multiple sensors in a building to detect anomalous activity. Recommendation 5.9: Information Fusion Research Develop more effective machine-learning algorithms for data mining, including learning using different data types (text, image, audio, video). Develop methods for systems to learn when data are scarce. Create better mixed-initiative methods that allow the user to visualize the data and direct the data analysis. Explore new methods to normalize and combine data from multiple sources. Create methods to extract structured information from text. Build approaches to handle multiple languages. Improve algorithms for image interpretation, speech recognition, and interpretation of other sensors (including perception based on mixed media). Extend, and test extensively in more demanding applications, the principle-based methods for reasoning under uncertainty. PRIVACY AND CONFIDENTIALITY As pressure mounts for the government to collect and process more information, it becomes increasingly important to address the question of how to minimize the negative impacts on privacy and data confidentiality. Research is needed to provide policy makers with accurate information about the impact on confidentiality of different kinds of data disclosure. Research is also needed on new data-mining algorithms that discover general trends in data without requiring full disclosure of the individual data records. One example is data-mining algorithms that work by posing statistical queries to each of a set of databases, rather than gathering every data record into a centralized repository. Another is zero-knowledge data mining, in which general trends in data can be uncovered without requiring full disclosure of individual data records. (However, note that for many applications such as badges and access tokens, personal information of the sort mentioned is not necessary; the only requirements are that the token be recognizable as valid and that it has been issued to the person presenting it. It doesn’t even have to have an individual’s name on it.) A related issue is the fact that a sufficient aggregation of nonpersonally identified information can often be used to identify a person uniquely. For
OCR for page 171
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism example, identifying someone as a man of Chinese extraction with a doctorate in physics who enjoys swing dancing, has an adopted 7-year-old daughter, and lives in upper-northwest Washington, D.C., is likely sufficient to specify a unique individual. Thus, the mere fact that information is disconnected from personal identifiers is no assurance that an individual cannot be identified if data are aggregated. PLANNING FOR THE FUTURE Planning for the future is also a critical dimension of any research agenda, though the resources devoted to it need not be large. New system architectures and technologies, such as switched optical networks, mobile code, and open-source or multinational code development, will have different vulnerabilities and hence require different defense strategies. Similarly, new device types such as digital appliances, wireless headphones, and network-capable cell phones pose new challenges. Even today, it is hard to interconnect systems with different security models or security semantics; and unless we deal with this problem, it will become increasingly difficult in the future. Furthermore, the characteristics of deployed technology that protect the nation against catastrophic IT-only attacks today (e.g., redundancy, system heterogeneity, and a reliance on networks other than the Internet for critical business functions) may not obtain in the future. Indeed, some trends, such as deregulation, system monocultures, and the dominance of a smaller number of products, are pushing the nation’s critical infrastructure providers to reduce excess capacity, even though this is what provides much of the redundancy so important to reduced vulnerability. For these reasons, researchers and practitioners must be vigilant to changes in network technology, usage and reliance on IT, and potentially decreasing diversity. In addition, research focused on the future is likely to have a slant that differs from those of the other research efforts described in this chapter. While the latter efforts might be characterized as building on existing bodies of knowledge (and are in that sense incremental), future-oriented research would have a more radical orientation: It would try to develop alternative paradigms for secure and reliable operation that would not necessarily be straightforward evolutions from the Internet and information technology of today. For example, one such pursuit might be the design of appropriate network infrastructure for deployment in 2020 that would be much more secure than the Internet of today. Another might be an IT infrastructure whose security relied on engineered system diversity—in which deployed systems were sufficiently similar to be interoperable yet sufficiently diverse to essentially be resistant to large-scale attacks.
OCR for page 172
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism IMPLEMENTATION The IT research areas of highest national priority for counterterrorism are information and network security, emergency response, and information fusion. Within each of these areas, a reasonably broad agenda is appropriate, as none of them can be characterized by the presence of a single impediment whose removal would allow everything else to fall into place. Advances in these areas may prevent some attacks on the IT infrastructure from succeeding. In the event an attack does occur, whether against the IT infrastructure alone or against some physical part of the nation, IT may help to rapidly and accurately identify its nature, reduce its effectiveness, aid in responding to it, and enable a quicker and fuller recovery. Indeed, even if the IT infrastructure is not deliberately attacked, significant damage to it may be a consequence of an attack directed elsewhere, and in any event any significant attack will result in extraordinary demands for emergency communications being placed on it. A stronger IT infrastructure would be beneficial in any case. A point that deserves emphasis is the broad utility of the research agenda described above. Progress in these areas has applications not only for counterterrorism efforts but also for a wide range of other important national endeavors such as responding to natural disasters and decreasing cybercrime. Most of these research areas are not new. Efforts have long been under way in information and network security and information fusion, though additional research is needed because the resulting technologies are not sufficiently robust or effective, they degrade performance or functionality too severely, or they are too hard to use or too expensive to deploy. Information technologies for emergency response have not received a great deal of attention, though efforts in other contexts (e.g., military operations) are intimately related to progress in this area.69 The time scale on which the fruits of efforts in these areas will become available ranges from short to long. That is, each of these areas has technologies that can be beneficially deployed on a relatively short time scale (e.g., in a few years). Each area also has other prospects for research and deployment on a much longer time scale (e.g., a decade or more) that will require the development of entirely new technologies and capabilities. What drives the designation of these research areas as high priority? Information and network security is critical because of the potentially 69 Military communications and civilian emergency-response communications have similarities and differences. Military forces and civilian agencies share the need to deploy emergency capacity rapidly, to interoperate, and to operate in a chaotic environment. While military communications must typically work in a jamming environment or one in which there is a low probability of intercept, these conditions do not obtain for civilian emergency-response communications. Also, military forces often must communicate in territory without a preexisting friendly infrastructure, while civilian agencies can potentially take advantage of such an infrastructure.
OCR for page 173
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism amplifying effect of attacks on IT when combined with attacks on the physical infrastructure, given the nation’s increasing dependence (though much of it is avoidable) on information technology. IT for emergency response is essential because of the unfortunate reality that the probability of catastrophic terrorism cannot be reduced to zero; the ability to respond quickly and effectively to a catastrophic situation will always be needed. Information fusion is important in today’s counterterrorism efforts, where the essential problem is how to identify potential threats amidst enormous amounts of possibly relevant information; sophisticated techniques for filtering and processing this information are needed. Unlike some other sectors of national importance, the IT sector is one over which the federal government has little leverage. IT sales to the government are a small fraction of the IT sector’s overall revenue, and IT vendors have little incentive to include security features at the behest of government alone. Moreover, there is essentially no history of government regulation of IT products and services, in contrast, say, to the traditional oversight of the electric-power industry. Indeed, we can expect that attempts at such regulation will be fought vigorously, or may fail, because of the likely inability of a regulatory process to keep pace with rapid changes in technology. Under these circumstances, it seems most desirable to engage the private sector constructively and to emphasize market solutions. For example, IT vendors probably will respond if the private sector demands more security in IT products; if so, security may become a competitive advantage for various IT vendors, much as additional functionality and faster performance are today. At the same time, government may have a role in changing market dynamics in such a way that the private sector does pay more attention to security-related issues. A second critical dimension of influencing security-related change is the federal government’s nonregulatory role, particularly in its undertaking of research and development of the sorts described above.70 Such R&D might improve security and interoperability, for example, and reduce the costs of implementing such features—thereby making it less painful for vendors to adopt them. It is not clear which government agency, or agencies, would best be suited to support the above agenda. However, the more important policy issue at present is that the organization of that federal research infrastructure have the attributes itemized below. It would: 70 Another potentially important aspect of the government’s nonregulatory role, outside the scope of this report, is the leadership role it could play itself with respect to information and network security. For more discussion, see CSTB (2002a).
OCR for page 174
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism Engage and support multidisciplinary, problem-oriented research that is useful both to civilian and military users. Have a research program driven by a deep understanding of vulnerabilities. This will likely require access to classified information, even though most of the research will be unclassified. Support a substantial effort in research areas with a long time horizon for payoff. Historically, such investigations have been housed most often in academia, which can conduct research with fewer bottom-line-driven pressures for immediate delivery. This is not to say that private industry has no role. Indeed, because the involvement of industry is critical for deployment, and also is likely to be essential for developing prototypes and mounting field demonstrations, support of both academia and industry (perhaps even jointly) in developmental efforts is highly appropriate. Provide support extending for time scales that are long enough to make meaningful progress on hard problems (perhaps 5-year project durations) and in sufficient amounts that reasonably realistic operating environments for the technology could be constructed (perhaps $2 million to $5 million per year per site for system-oriented research programs). Invest some small fraction of its budget on thinking “outside the box” in consideration (and possible creation) of alternative futures. Be more tolerant of research directions that appear not to promise immediate applicability. Research programs, especially in IT, are often—even generally—more “messy” than research managers would like. The desire to terminate unproductive lines of inquiry is understandable, and sometimes entirely necessary, in a constrained budget environment. On the other hand, it is frequently very hard to distinguish between (A) a line of inquiry that will never be productive and (B) one that may take some time and determined effort to be productive. While an intellectually robust research program must be expected to go down some blind alleys occasionally, the current political environment punishes such blind alleys as being of Type A, with little apparent regard for the possibility that they might be Type B. Be overseen by a board or other entity with sufficient stature to attract top talent, provide useful feedback, and be an effective sounding board for that talent. Pay attention to the human resources needed to sustain the counterterrorism information technology research agenda. This need is especially apparent in the fields of information and network security and emergency communications. Only a very small fraction of the nation’s graduating doctoral students in information technology specialize in either of these fields, only a very few professors conduct research in these areas, and only a very few universities support research programs in these fields. One additional attribute of this R&D infrastructure would be desirable,
OCR for page 175
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism though it is not clear how it might be achieved.71 The success of the nation’s R&D enterprise in information technology (as well as in other fields) rests in no small part on the ability of researchers to learn from each other in a relatively free and open intellectual environment. Constraining the openness of that environment (e.g., by requiring that research be classified or forbidding certain research from being undertaken) would have obvious negative consequences for researchers and the creation of new knowledge. On the other hand, keeping a counterterrorist agenda in mind, the free and open dissemination of information has potential costs as well, because terrorists may obtain information that they can use against us. Historically, these competing interests have been balanced—with more of one in exchange for less of the other. But the committee believes (or at least hopes) that there are other ways of reconciling the undeniable tension, and calls for some thought to be given to a solution to this dilemma that does not demand such a trade-off. If such a solution can be found, it should be a design characteristic of the R&D infrastructure. Finally, successfully addressing the privacy and confidentiality issues that arise in counterterrorism efforts will be critical for the deployment of many information technologies. These issues are serious enough to merit their own research efforts, though not at the scale and intensity that the other areas might warrant. REFERENCES Brooks, Frederick P. 1975. The Mythical Man-Month. Addison-Wesley, Boston, Mass. Christen, Hank, et al. 2001. “An Overview of Incident Management,” Perspectives on Preparedness, No. 4, September. Available online at <http:ksgnotes1.harvard.edu/BCSIA/Library.nsf/pubs/POP4>. Computer Science and Telecommunications Board, National Research Council. 1990. Computers at Risk: Safe Computing in the Information Age, National Academy Press, Washington, D.C. Computer Science and Telecommunications Board, National Research Council. 1996. Computing and Communications in the Extreme: Research for Crisis Management and Other Applications, National Academy Press, Washington, D.C. Computer Science and Telecommunications Board, National Research Council. 1997. The Evolution of Untethered Communications, National Academy Press, Washington, D.C. Computer Science and Telecommunications Board, National Research Council. 1999a. Information Technology Research for Crisis Management, National Academy Press, Washington, D.C. Computer Science and Telecommunications Board, National Research Council. 1999b. Trust in Cyberspace, National Academy Press, Washington, D.C. Computer Science and Telecommunications Board, National Research Council. 1999c. Realizing the Potential of C4I: Fundamental Challenges, National Academy Press, Washington, D.C. 71 A Computer Science and Telecommunications Board study in progress on improving cybersecurity research in the United States will address this question.
OCR for page 176
Making the Nation Safer: The Role of Science and Technology in Countering Terrorism Computer Science and Telecommunications Board, National Research Council. 2001a. Embedded, Everywhere: A Research Agenda for Networked Systems of Embedded Computers, National Academy Press, Washington, D.C. Computer Science and Telecommunications Board, National Research Council. 2001b. The Internet’s Coming of Age, National Academy Press, Washington, D.C. Computer Science and Telecommunications Board, National Research Council. 2002a. Cybersecurity Today and Tomorrow: Pay Now or Pay Later, National Academy Press, Washington, D.C. Computer Science and Telecommunications Board, National Research Council. 2002b. IDs—Not That Easy: Questions About Nationwide Identity Systems, National Academy Press, Washington, D.C. Computer Science and Telecommunications Board, National Research Council. 2002. Intersections Between Geospatial Information and Information Technology, National Academy Press, Washington, D.C., in preparation. Convergence Working Group. 2002. Report on the Impact of Network Convergence on NS/EP Telecommunications: Findings and Recommendations, February. Disabatino, Jennifer. 2001. “Court Order Shuts Down Dept. of Interior Web Sites,” Computerworld, December 17. Hightower, J., and G. Boriello. 2001. “Location Systems for Ubiquitous Computing,” IEEE Computer, Vol. 33, No. 8, August. National Institute of Standards and Technology. 2002. “The Economic Impact of Role-Based Access Controls,” March. U.S. House of Representatives, Committee on Science. 2001. “Boehlert Gives Cyber Security Address at ITAA Forum,” press release, December 12.
Representative terms from entire chapter: