RELIABILITY AND VULNERABILITY OF THE NATIONAL INFORMATION INFRASTRUCTURE (NII)

CAPABILITY ASSESSMENTS

AUGUST 17, 1995


I. INTRODUCTION

THE RELIABILITY AND VULNERABILITY WORKING GROUP

The National Information Infrastructure: Agenda for Action, published September 15, 1993, describes the White House's vision for the National Information Infrastructure (NII) and identifies its benefits for society and for the nation. It further defines a set of goals and policy principles to guide the government's actions in harnessing the information revolution. The Agenda for Action establishes an Information Infrastructure Task Force (IITF) to articulate the Administration's vision and oversee its implementation. The task force consists of high-level representatives of federal agencies that play a major role in the development and application of information technologies. Working together with the private sector, the participating agencies will develop comprehensive telecommunications and information policies that best meet the needs of the agencies as well as the country.

In order to promote the principles of reliability and security in the NII, a Reliability and Vulnerability Working Group (RVWG) was formed as an inter-agency working group under the Telecommunications Policy Committee of the IITF. The RVWG was chartered to be the government's focal point in defining the attributes of reliability for the NII. To this end, it will identify threats, vulnerabilities, or other issues relevant to the reliability and survivability of NII services.

RVWG APPROACH

The NII will be built, owned, and operated by the private sector. Thus, the government's role is to ensure a level playing field for open competition and provide leadership in defining the government's information needs. To accomplish this role, the RVWG will work with industry and government players in the NII community to identify policy, legislative, regulatory, or other actions that the government should take to foster reliability and security. To focus the efforts of the working group and to set a road map for reaching its objectives, the RVWG has identified a set of broad actions to follow. The recently published Vision of the Reliability and Vulnerability Working Group describes these actions and presents the preliminary findings of the RVWG.

Among these actions is a comprehensive risk assessment, currently ongoing and led by NSA, that will address the vulnerabilities of major sectors of the NII (i.e., information distribution, education, energy distribution, entertainment, health care, financial, national security and emergency preparedness (NS/EP), and transportation). Additionally, the RVWG has developed a set of features and capabilities for the NII that are needed to ensure the reliability and security of information services under both normal and emergency conditions. These features and capabilities are published in an RVWG document, A Blueprint for Action, and are recommended for incorporation into the acquisition of new government information systems. The Blueprint document provides additional information that is available for use by the Administration, government agencies, and the private sector as a guide to assist in the design and use of networks, information services, and applications that satisfy the reliability and security requirements of the nation.

PURPOSE OF THIS PAPER

This paper supplements the previously referenced RVWG Blueprint document. It contains preliminary assessments of how well the current NII satisfies the proposed set of features and capabilities for reliability and security. These assessments are highly subjective and are intended only to characterize the inherent diversity in current technologies and highlight potential areas of concern.

II. METHODOLOGY FOR CAPABILITY ASSESSMENTS

APPROACH

The RVWG subgroups have made preliminary assessments of how well the dominant systems and technologies of today's NII satisfy the capabilities and features for reliability and security that have been identified in this paper. These assessments are presented in three categories:

These assessments are highly subjective and are intended only to characterize the inherent diversity in the current technologies and highlight potential areas of concern. One observation is that the various technologies complement each other's strengths and weaknesses. For example, the broadcast dissemination of emergency information is a natural attribute of cable and other direct broadcast systems. Thus, the composite NII has this capability and it is not a serious concern that, for example, the PSN does not inherently provide broadcast capability. With this caveat on the use and interpretation of the assessments, the general guidelines that were followed were:

III. SYSTEMS AND TECHNOLOGIES OF THE NII

SYSTEMS AND TECHNOLOGIES OF THE NII

As described above, the NII includes the public switched voice and data networks, the Internet, direct broadcast networks, and numerous other commercial and private networks and information sources. Niche markets for information services are also being developed daily and the expanding roles of competitive access providers who are interconnecting with the public networks have been recognized in court and regulatory decisions. As it evolves, the vast commercial enterprise known as the NII will include a mix of today's dominant service providers who are well established as well as a host of new vendors. There will be a variety of service providers with very different credentials in the reliability and security of their products.

There are other systems and technologies, of course, that may be considered in the future. For example, electric utilities are developing a fiber infrastructure extending to households that can be used to manage billing, demand-side management, and energy efficient use of household systems and appliances. A number of articles in technical journals suggest that these infrastructures could provide telecommunications or other services and would be significant components of the NII. However, for purposes of assessing how well the currently evolving NII provides the capabilities and features for reliable and secure services, the following structure of elements of the NII has been adopted.

The Public Switched Networks (PSNs)

The PSNs have been the backbone of the national telecommunications infrastructure for more than a century and provide communications services today to virtually all U.S. households and businesses. The PSNs offer information services but, as importantly, provide transport for the information services of other competitive access service providers. Over 90% of the government's unclassified traffic transits the PSNs and, consequently, the government has funded the development of certain enhancements to the PSN that would increase the availability of these services to support NS/EP and other emergency functions. The PSNs have historically been highly reliable and have contained restoral mechanisms to increase the robustness and resiliency of their networks. However, they share the vulnerabilities to penetration and disruption of today's computer-based systems, and disruptions have been experienced that were large-scale or national in scope.

The Internet

The Internet is a world-wide computer cooperative that uses public and private networks for a transport backbone. The Internet does not own the communications pipes that it uses and no one owns the Internet. The openness of the Internet and universal acceptance of its protocols have led to its great success. The features and capabilities of applications that have been associated with the Internet have been cited as examples of features and capabilities for the NII. However, at present, the average private user may not have the skills to navigate the Internet. The lack of adequate security and user-friendly standard interfaces may limit the applications of sensitive commercial use. The resolution of issues associated with property rights, security, lack of guaranteed performance and privacy of information are key to the commercialization of the Internet. It is expected that the commercial market forces will drive solutions to these issues and that there will be an increase in service providers that will provide new and sophisticated services for a fee.

Broadcast Cable Systems

Broadcast networks are distinguished from other communication networks in that information is typically sent in one direction from a single source to many users simultaneously. Radio and television broadcasts reach virtually every U.S. household. Cable television, in particular, uses a mix of satellite, fiber optic and coaxial cable transmission and currently serves an increasing market of over 60% of U.S. homes. The reliable and ubiquitous coverage of direct broadcast communications has been exploited in the past for emergency broadcast and information bulletins. The future may include the capability for broadcasters to remotely turn on radios and television sets, select a station, and turn up the volume to alert the community of an impending emergency. Today's broadcast cable technology has a vast information-carrying capacity that makes it a candidate for a significant component in the evolving NII. However, it currently lacks the capability for two-way, interactive applications and is fragmented into commercial franchises using diverse proprietary protocols and systems. This situation is changing with prospective cable mergers among telecommunications switched service providers, and with the development of multi-media interactive services.

Wireless Access

Mobile and remotely located users of information services are creating an increasing demand for wireless access to the PSN through cellular, land mobile radio, or direct access satellite systems. Cellular and personal communications systems (PCS) extend the PSN to mobile users and interconnect mobile users directly. Although wireless systems can potentially be jammed or intercepted, cellular systems are among the most resilient communications available. For example, cellular telephone handsets have been distributed in large numbers to restore telephone service to local users in natural disasters such as Hurricane Andrew.

Commercial Satellite Systems

Commercial satellites provide broadband communications services in both direct broadcast and point-to-point modes of operation. In addition to the traditional geosynchronous satellite orbit (GEO) systems, many low earth orbit (LEO) satellite networks are planned and may be deployed. Together, the LEO networks will serve as another satellite backbone to link cellular and mobile networks and will complement existing GEO systems. Additionally, constellations of small satellites are planned by several companies to achieve global coverage of voice, data, and position location services. The FCC is also licensing non-voice and non-geostationary LEO system applications.

IV. GENERAL AND ESSENTIAL USERS OF THE NII

CAPABILITIES FOR GENERAL USERS

The NII should provide reliable information services and systems to meet all information needs of commercial, government, and general public users -- under day-to-day and stressed conditions. Capabilities include:

CAPABILITIES FOR USERS OF ESSENTIAL SERVICES

This class of users requires all of the capabilities of general users, plus:

ASSESSMENT OF CAPABILITIES FOR GENERAL USERS AND USERS OF ESSENTIAL SERVICES

The RVWG Subgroup for Reliable Services for General Users assessed the NII capabilities of the five industry categories: public switched network; Internet; broadcast cable; wireless access; and satellite communications. Table 1 shows the results of this assessment.

Table 1. General Users and Users of Essential NII Services

The rationale for the assessments in Table 1 is as follows:

User-Friendly Access

The transparency of access of all categories ranked high except the Internet which was assessed as having a capability level of medium. The Public Switched Network (PSN) has high availability to the general user and affords easy access. The PSN offers a standard dialing plan for access and makes information available through published instructions and information and through assistance services of operators and customer service centers. Except for Internet, the other categories were assessed high because of the way the industry interfaces with the user and the action the user must initiate to obtain access to the services. Those actions, though different for each industry category, do not present major difficulty for the user. The user cannot gain access to the Internet with the ease they can gain access to the other categories. Perhaps this is because the other categories are operated with business incentives and customers are sought. Internet presents some standards to the user, but information, such as addresses, and varying service levels hamper the user.

Performance

The PSN has developed a high level of reliability and availability and provides the user a quality service. The availability of service on demand and the emphasis on the continuity of service under adverse conditions are valuable attributes of the PSN that the user has grown to expect. The companies that provide PSN services maintain an array of service monitoring and management techniques that continue to improve performance. These functions are supported by the collection and analysis of large amounts of data relating to network performance. The PSN presents the recognized benchmark for other segments of the telecommunications industry. These factors are selling points in the highly competitive telecommunications market. The other four categories do not exhibit comparable levels of capability. Generally, they do not fully exercise the ability to monitor their systems and collect and analyze data related to performance parameters. There are varying degrees of performance among the four categories but they do not reach the capability level of the PSN. Therefore, all four have been assessed as having medium capability.

Screen Unwanted Information

This assessment is based on current performance measures. The Internet is very permissive, with no controls, as the assessment indicates. The Internet user has access to, and receives, wanted and unwanted information placed on Internet by others worldwide. It is technically possible to block incoming messages except those from a specified list of users. For individual users this is not a practical solution but it is helpful for identifiable groups of users. Also, users that gain Internet access through a firewall may have the capability of screening incoming traffic. Capability that is available to relatively few users is not significant in assessing the capability offered by Internet to the general user population. The assessment reflects that view.

The satellite industry exercises strict control over information they transmit and the user is allowed some screening control. Interactive communications via satellite, that interfaces with the PSN, is subject to the PSN capability. The PSN offers the user some screening capability through caller ID, code blocking and other means. However, the PSN does not screen originating information; therefore, the user must take action to reduce their vulnerability to unwanted information. Wireless users are more vulnerable as caller ID is not available though it may be technically possible. Wireless users can rely upon the PSN for some action against abusive behavior and there are laws governing the PSN that support that action. The broadcast cable assessment is based on the capability of the industry to control what is transmitted to its users and the user's capability to block unwanted information. The capability for the user to screen unwanted information can be improved in all categories with greater granularity of choices.

Privacy and Confidentiality

The PSN offers the best capability for privacy and confidentiality because of direct connection between users and the technology deployed. Digital wireless systems incorporate coding that offers protection against casual eavesdropping. Broadcast Cable and Satellite systems are subject to interception of unencoded information but their deployment of encoding technology is increasing. Users are protected by laws and regulations that have developed over time for these categories. Technically, the systems deployed by industry to provide user services can be compromised, but not easily, and could require a fairly high level of sophistication. The information transmitted on Internet and analog wireless systems is quite vulnerable to others who, with little effort, can intercept and interrupt communications. Internet is the worst case for intrusion and analog wireless interception has proven costly to the user. Therefore, the assessment for these two categories is low.

Integrity of Information

The PSN delivers a service quality that assures the user that information transported will not be altered. The performance measures focus on this attribute and internal management controls support goals that are consistent with maintaining integrity. The PSN, wireless, and satellite categories have been in existence longer and have developed a track record with the users. This experience and technological advances have produced a high level of capability. The broadcast cable category is assessed as medium because of the interactive nature of services that are developing (shopping for example). The Internet is assessed low because of the vulnerability that it presents.

Authentication/Non-Repudiation

As satellites offer a system that is more fixed, the assessment is high even though the transmission is airborne. Wireless offers no capability because of system design, the dependency of airborne transmission, and its versatility. Because of the lack of confidence of identifying the sender of information, the PSN and broadcast cable are assessed medium and to a greater degree Internet suffers and is assessed low. The limited ability to verify receipt contributed to the assessment.

Availability of Essential Services

The PSN, broadcast cable and satellites have a high level of capability in providing users with essential services in their markets. All provide the users with readily available service and are responsive to the users in times of stress. They can initiate controls to assure services that are considered essential. This high level of availability makes these categories sufficiently reliable for lifeline services, E911 and other essential services. The availability of wireless service is subject to demand and is reduced sharply when increased call volumes overload the system. Internet is also subject to overload that affects availability. Therefore, these two categories are assessed as having low capability.

Emergency Priority Treatment

Through network controls and management action, the PSN can provide priority treatment in response to emergencies. Contingency planning and the ability to flex with conditions are key attributes of this high level of capability. Satellites provide a similar, but lower, capability. The wireless category is subject to abusive use by customers and when coupled with the lack of sufficient controls in emergencies, the capability level falls to medium. In some areas it may fall lower. Internet may be capable of providing some priority treatment but cannot be relied upon and is thus assessed as having low capability. Broadcast cable may respond to emergency feeds or mobile capability but generally has no capability for the user.

Local Emergency Dissemination

Broadcast cable and satellites have a high capability to disseminate information to users but they lack the ability to sound an alarm if the user is not in the receive mode. The footprint of satellite systems provides the capability for wide dissemination. The low capability for dissemination via the PSN, Internet and wireless is based on required user action rather than notification from a central point. Generally, dissemination depends upon the user initiating a call to access emergency information. Internet could be used to broadcast a message but its reliability in emergencies is questionable and it is restricted to Internet users.

V. NS/EP USERS OF THE NII

ASSURED CAPABILITIES FOR NS/EP USERS

All of the capabilities of general and essential users are required, plus the requirement to provide assured and timely transfer of information among federal, state, and local government participants as they respond to any emergency situation, including natural disasters, terrorist attacks, civil disturbances, and war. Capabilities required to support NS/EP users of the NII include:

ASSESSMENT OF CAPABILITIES FOR ASSURED SERVICES FOR NS/EP USERS

Certain members of the government and, in some cases, the private sector, have designated responsibilities in response to various circumstances as shown in Table 2. These users may be users of general or essential information services under other circumstances and may be using the same systems and terminal equipment in both roles. In NS/EP conditions, however, the necessary information support must be assured to the extent possible and must be restored on a priority basis when failures do occur.

Table 2. Assured Service for NS/EP Users

The rationale for the assessments in Table 2 is as follows:

Assured Quality Services

Quality telecommunications and information service available for authorized NS/EP users whenever and wherever it is needed.

The elements of the national information infrastructure (NII) have no severe deficiencies in supporting assured quality services, and are expected to get stronger across the board as all the elements face growing competition and market demand for better reliability, ubiquity, and survivability. The public switched network (PSN), with its strong network management controls, network reconfiguration capabilities, and robust routing features, offers a high level of support for this requirement.

Satellites also offer a high level of support for this requirement, with their broad geographic coverage, redundancy, and alternate routing features. Satellites do, however, suffer from higher vulnerability due to ground station vulnerability to natural disasters or electronic attack.

Wireless, broadcast, and Internet networks all support this requirement moderately, with substantial positive features and less significant drawbacks. Wireless will supplement its broad coverage when global mobile satellite services (MSS) systems begin operating in the next few years. In addition, wireless systems share much of the PSN's robust operations, administration, management and provisioning (OAM&P) systems. However, except for MSS, wireless systems are significantly more vulnerable to natural disasters than the PSN.

Broadcast systems offer ubiquitous and survivable service, but have broadly variant reliability in different types of systems. The television and radio infrastructures, for example, use technology and architectures that have been stable for years. Cable systems, on the other hand, suffer from widespread reliability problems, though they are expected to become more reliable as they begin competing in the telephony market and implement more advanced broadband technologies.

Finally, the Internet offers good survivability (it was designed with that goal in mind) and ubiquity. But it, too, suffers from reliability problems, due to the same feature that makes it so survivable: its flexible routing capabilities, which allow the system to address congestion and out-of-service conditions. Since there is no assurance that data will be transmitted at or by a certain time, service suffers when congestion increases. While congestion problems only occur at peak times now, network traffic is growing substantially (currently at 6% per month).

Priority Treatment

The capability to recognize authorized NS/EP users and provide end-to-end priority treatment for the transmission of voice and data information.

Priority treatment is a feature that is being supported by the PSN and broadcast systems. It is currently being developed for wireless, is technically possible in the Internet, and is not significantly supported in satellite systems. The PSN offers the Government Emergency Telecommunications System to bypass congestion and provide enhanced call completion features, and can also configure virtual private networks to handle specific user traffic separate from general network traffic.

Wireless priority is currently a mix of formal and informal agreements between state and local governments and carriers, as well as on-the-scene arrangements between emergency response officials and carriers. In the near future, however, cellular carriers are expected to offer a federally approved nationwide priority access scheme. In addition, MSS systems are being designed with priority services, and the Priority Access and Channel Assignment standard has been approved for personal communications services (PCS) networks (though no service implementation plan has been established yet).

The Internet does not currently support priority treatment, but its data transmission protocols do support quality of service provisions that could be used for that purpose.

Broadcast networks have the ability to "ruthlessly" preempt non-PSN traffic for important transmissions -- terminating calls without warning -- a service that is against the law in PSN and wireless systems.

Priority Provision and Restoration

A process that requires and legally authorizes vendors to initiate, modify, and restore telecommunications and information services for NS/EP customers on a priority basis.

As mentioned earlier, PSN carriers have substantial network control capabilities, which also help them offer effective provisioning and restoration services. In addition, the Telecommunications Service Priority program identifies critical PSN and satellite circuits and allows them to be restored or brought into service first after a disaster.

Both wireless and broadcast networks offer moderate support for this requirement. Cellular carriers have demonstrated a willingness to help emergency responders, and have the ability to bring cell sites on wheels to disaster scenes or dynamically change cells' transmitting wattage. However, formal coordination is limited, except in high-risk areas. Broadcast networks can also meet this requirement on an ad hoc basis.

The Internet has the technical features to support this requirement, but suffers from its decentralized network control, which makes coordination among the multitude of network operators difficult.

Emergency Broadcast

The capability to provide emergency information to the public via imagery, data, voice, and other means.

The country's current emergency notification process was designed for broadcast systems, and its support of them is robust. In addition, cable systems have capabilities that allow system administrators to turn on televisions remotely and even set them to a certain channel and adjust the volume.

The satellite system benefits from the strong emergency broadcast features of direct broadcast satellite (DBS) systems, but suffers from a lack of similar capabilities in fixed systems. However, DBS systems are not good for local emergencies, as viewers rarely receive their local programming from DBS systems.

Wireless networks offer limited support for this requirement. MSS systems will offer broadcast services, while terrestrial-based wireless systems have features that could be used for such services, but are not.

The Internet offers some point-to-multipoint transmission capabilities, such as those used by list server services, that could be used to support this requirement. However, delivery cannot be guaranteed.

Interoperable Services

The ability for authorized NS/EP users to effectively exchange information independent of device and network.

One of the Internet's strongest features is its ability to support a number of technologies and protocols. However, the other NII elements have interoperability limitations.

Broadcast cable systems use a similar architecture and therefore are largely interoperable with each other. Cable systems offering Internet access, however, have experienced connection and transmission problems. As broadcast networks implement broadband technologies, which are expected to be the same as those used to upgrade the PSN, interoperability should improve.

Fixed satellites offer robust support for this requirement, carrying a range of traffic from a range of sources. DBS systems, though, are proprietary and closed.

Wireless systems have not had significant interoperability problems in the past, since cellular systems all used the Advanced Mobile Phone Service protocol for analog transmissions. However, digital systems are expected to have some difficulty. Seven air interface standards are competing in the nascent PCS market. Additionally, in MSS systems, tests have shown that quality degrades significantly in transmissions using competing low-rate voice coders (which translate signals between the analog and digital domains). Wireless providers are counting on the need for all carriers to interconnect with the PSN to provide a common interface among different technologies.

The PSN has shown robust capabilities for connecting with a range of technologies and systems, with limitations that are expected to diminish as broadband technologies are incorporated.

Encryption Support

The capability to accommodate user-encrypted information.

Encryption is generally a feature implemented by the user; it is necessary only that the network support the user's encryption methods and carry the transmission intact. In that respect, the PSN, Internet, and satellite networks have demonstrated an ability to support a range of encryption techniques.

Analog cellular systems suffer because their channels have limited bandwidth, and have problems handing off encrypted calls between cells. Evolving wireless technologies, however, support commercial-grade encryption, and technical committees are working to improve wireless capabilities in this area.

Broadcast networks can carry scrambled programming, but their support for commercial or military encryption is uncertain.

Sustainable Coordinating Mechanism

An all-hazard industry/government management mechanism to ensure NS/EP telecommunications and information services are available to support mitigation, response, and recovery efforts.

The sustainable coordinating mechanism requirement comprises several capabilities, including an information-sharing function, an ongoing coordinating function, and a real-time attack-response function. The PSN has two formal organizations that support this requirement. The Network Security Information Exchange facilitates sharing incident data among carriers. The National Coordinating Center for Telecommunications (NCC) brings together PSN carriers, and a small number of wireless and satellite carriers, to facilitate effective response to emergency responders' communications needs. Though individual carriers have response functions in their network control centers, they have no formal forum for coordinated, real-time attack response.

The Internet's Computer Emergency Response Teams (CERT) offer real-time response capabilities and their activities are coordinated through the CERT Coordination Center. Those services are supplemented by the information-sharing activities of the Forum of Incident Response and Security Teams.

Broadcast operators have no formal forum to coordinate network activities, while wireless and satellite carriers' only capabilities in this area come from their limited involvement in the NCC.

Network Security

Protection against unauthorized physical or electronic intrusions, manipulations, or attacks, preserving end-to-end integrity of the network, and transmitted information.

Network security requires defenses against several types of disruptions, including electronic attack, physical attack, human error, and natural disaster. None of the NII elements could serve as a model for network security, though the PSN and satellite systems offer the greatest degree of support for this requirement.

The PSN benefits from extensive network monitoring features and redundancy, but carriers have weak intrusion detection and incident-handling systems, have been successfully attacked electronically, and do not have standards for protecting OAM&P systems. In addition, two other PSN trends threaten network security: carriers are allowing more direct access to network elements, in order to offer customer-definable services such as call forwarding; and software is becoming increasingly important to network operations, offering hackers opportunities to capture user information, monitor traffic, and remotely manipulate the network.

Satellite systems offer features to mitigate human error and are generally secure physically because of their Cold War importance. However, they have few control centers, are susceptible to electronic attack, and generally do not encrypt their command channels, making the systems vulnerable to hackers copying their commands and disrupting service.

The Internet's decentralized network control allows it to defend against natural disasters and physical attacks. However, decentralization also makes it difficult to protect against electronic intrusion and manipulation, since hackers can attack the weakest system and launch further efforts from there. That fault is exacerbated by inadequate intrusion detection systems. The Internet has tried to overcome these weaknesses with a number of fora focused on sharing information on network security and vulnerabilities and coordinating attack response. Commercialization of the Internet should bring better network security, since breaches will hurt carriers' and access providers' profitability. The growing use of firewalls is an example of this trend. On the other hand, commercial Internet carriers may implement more intelligent routers to support volume-based (rather than the current flat-rate) pricing. Without adequate protection, greater control and accounting capabilities in the network would bring greater vulnerability.

Wireless systems are susceptible to frequency jamming and physical attack. On the other hand, their networks feature many of the same protections as the PSN and have proven resilient in some natural disasters.

Broadcast systems have been focused primarily on preventing fraud rather than protecting their networks. Their defenses against the range of disruptions are minimal.

VI. PROTECTION OF THE NETWORK

CAPABILITIES FOR PROTECTION OF THE NETWORK

Protection of the network includes security of the NII networks, including protection of network information and measures to minimize loss of service.

ASSESSMENT OF CAPABILITIES FOR PROTECTION OF THE NETWORK

As the government, private sector, and general public become increasingly dependent on information services to support the nation's economic well-being and lifestyle, the reliability and security of these information services will become increasingly critical. The networks that provide and deliver information services must have provisions to protect against catastrophic failure or loss of service from a range of threats or conditions. There must be provisions to monitor the health of the networks and to rapidly restore services when failures do occur. Table 3 summarizes an assessment of the capabilities of NII elements for protecting the security of the networks.

Table 3. Protection of the Network

The rationale for the assessments shown in Table 3 examines the threats faced by the networks that comprise the NII, evaluates their vulnerability to these threats, and identifies shortfalls in the countermeasures currently employed.

Threats

There are four general types of threats faced by every class of network:

Natural Disaster

Events outside of human control can disrupt communications by damaging network media, communications systems, or network management systems. Such events include earthquakes, hurricanes, ice storms, tornadoes, and thermal noise.[1] In most cases, such events will also result in damage to property and perhaps threaten lives as well. These events must be considered during the design of communications networks to ensure that service is available during times of crisis.

For the purposes of this document, power outages will also be considered a natural disaster. Power outages are a byproduct of many natural disasters, although they may also result from overuse on hot days, automobile accidents, or other incidents.

Human Error

Human action may unintentionally result in the disruption of communications. These actions may be categorized as procedural errors, or design errors in the development of communications software or hardware. The most common procedural error is the "cable dig-up," where a shovel or backhoe accidentally severs a communications cable. Procedural errors may also involve network administrators or technicians who do not maintain or configure equipment appropriately.

Physical Attack

Physical attacks pose a worrisome threat to the communications infrastructure. High-tech attacks employing explosives could cause long-term disruption of service as well as loss of life and damage to property. Less sophisticated attacks, such as deliberate cable cuts, could also severely disrupt service.

The bombings at the World Trade Center in New York and the Federal Building in Oklahoma City demonstrate that such attacks are feasible. Such attacks have never targeted the communications infrastructure. However, alleged plans targeting the Holland and Lincoln Tunnels show that infrastructure targets are attractive to terrorists.

Electronic Attack

Electronic attacks can take several forms. The most common class of attack is electronic intrusion, where the attacker gains access to network control or network management systems. Another form is the denial-of-service attack, where the network is flooded with information, preventing others from obtaining service. This may be performed by jamming the airwaves or by attempting to set up thousands of simultaneous connections. Finally, an electromagnetic pulse (EMP) attack might be available to extremely well-financed attackers.

Vulnerabilities

In this section, we will examine the vulnerability of the classes of networks comprising the NII to each category of threats. The classes of networks are:

PSN. The PSN is reasonably resilient in the face of certain disasters. End users may find that their phone continues to work even though a local power outage leaves them without lights or heat. However, power outages in switching centers may also result in widespread outages. Above-ground lines commonly used to deliver service to the end-user are also vulnerable to natural phenomena (especially ice storms), resulting in localized outages.

Human error is an important source of disruption for the PSN. Accidental cable dig-ups remain a common source of outages, including a major outage on the East Coast. Software design errors have been identified as the cause of widespread network failures.

The PSN appears vulnerable to physical security attacks, such as car bombings or deliberate cable dig-ups. Switching centers represent an attractive target to persons wishing to disrupt the phone system. Cutting a trunk line could severely reduce network capacity, or cause widespread outages.

The PSN has proven vulnerable to electronic attacks. Phone hackers are increasingly sophisticated, well organized, and well financed. They have successfully attacked most categories of network elements and have used the PSN to attack networks connected to it. Phone hackers appear to be primarily interested in theft of service, but have shown an interest in the E-911 service and other emergency response services. They have also targeted the network information bases to disable accounting or enable other services.

Wireless. Wireless networks may be more resilient in natural disaster, but when failure occurs it will be catastrophic. A hurricane, tornado, or ice storm will not affect a wireless system unless the antenna array or tower itself is damaged. In that case, all service to that region will be disrupted.

Wireless networks are less vulnerable to human error than the PSN, since they are not subject to cable dig-ups. However, wireless systems are vulnerable to software errors or mismanagement in the same ways as the PSN.

Wireless networks face a serious threat of physical attack upon the infrastructure, although this threat has not yet materialized. Wireless systems depend upon antenna arrays which constitute a single point of failure and appear vulnerable to car bombings and other related attacks. Wireless systems face a more immediate threat of physical attack upon the end system. Wireless systems place certain security-relevant information in the end system. The end system is rarely protected from physical security attacks. Theft of an end system or the security-relevant information stored in that end system will facilitate theft of service attacks or electronic intrusion.

Wireless networks are subjected to electronic intrusion, but the attacks primarily have targeted theft of service. The impact on reliability of wireless networks has been quite low. Wireless systems may be vulnerable to "jamming" of frequencies, but such attacks have not been documented.

Cable Television (CATV). CATV is more vulnerable to the threat of natural disaster than the PSN, since the typical cable feed does not supply power. Even if the cable system survives, a power outage will disrupt services.

CATV is vulnerable to the same procedural and software errors that plague other systems. Current uni-directional systems are fairly simple, so design errors appear to have had minimal impact to this date.

CATV physical security has not been emphasized. Amplifiers and distribution hubs are generally unprotected and the central distribution facility offers a single point of failure for most architectures. Physical security attacks against CATV installations have not materialized to this point, though.

CATV has not experienced an electronic intrusion threat (except theft of service attacks) due to the uni-directional nature of current CATV services. This threat is expected to materialize as CATV networks begin to support interactive services.

Satellite (Very Small Aperture Terminals (VSAT), C-band, Direct Broadcast Systems (DBS)). Satellite systems are more resilient in natural disaster. A hurricane, tornado, or ice storm will not affect a satellite-based system. However, satellite communications are vulnerable to less spectacular natural phenomena: thermal noise and rain fade. Thermal noise affects earth station receivers approximately two weeks a year; outages are predictable but not preventable. Rain fade can occur when signals pass through moisture in the atmosphere; satellite communications are more reliable in arid locales. Satellite systems are also susceptible to earth station power outages.

Satellite systems are vulnerable to the same procedural and software errors that plague other systems. These systems are highly complex, which increases the likelihood of software design errors.

Satellite systems are not especially vulnerable to physical threats. Killer satellites and large meteorites are the only threats to the satellites themselves. Base stations could be attacked to disrupt service causing localized outages, but the failure of a single base station should not affect overall system reliability. The sheer number of base stations should discourage attempting a coordinated attack against the infrastructure.

Current satellite-based systems require expensive end systems (terminals). These systems have not experienced substantial electronic intrusion threats due to the cost and scarcity of these terminals. As the next generation of satellite-based networks comes on-line, terminal costs should fall. This may increase the threat faced by satellite-based systems.

Internet. The Internet relies upon the PSN and leased lines to provide basic connectivity, but relies upon a system of redundant networks to maintain interconnectivity. As a result, failures within the PSN will not prevent communication between systems unless an outage is severe or local to one of the end-systems.

The Internet is not especially vulnerable to natural disaster. However, the Internet is dependent on local power for most equipment, so outages may indirectly result from storms.

The Internet is vulnerable to human error. A poorly written program, such as the Internet Worm[2], can cause the network to fail by using all of the available bandwidth. Administrative errors can generate error messages, reducing the available bandwidth.

The distributed nature of the Internet reduces its vulnerability to physical threats. Destruction of a single link router would result in heavy loading of remaining links, but most traffic would still be completed. A coordinated attack would be necessary to cause a network outage.

The vulnerability of the Internet to electronic intrusion is well documented. In one well-publicized incident, a major segment of the Internet was compromised and security-relevant information (user passwords) was obtained for users all over the country.[3] This was not an isolated attack, just a particularly successful one. While this attack did not directly affect reliability of the Internet, it facilitated a variety of attacks which could have adversely impacted reliability.

Countermeasures

The ability of the NII to provide reliable service depends on technical controls, legal and regulatory policies, and managerial institutions.

Technical controls are needed to:

Legal and regulatory policy must be established to:

Managerial institutions must:

TECHNOLOGY

Technical controls are available to protect network elements from electronic attacks. Examples include smart cards and biometrics for strong authentication, encryption algorithms for protection of administrative transmissions, and firewalls for selective traffic control. However, these controls are not widely implemented due to cost.

The security provided by network protocols is inadequate. Basic protocols, such as SONET and ATM, are deployed without adequate security testing. Higher-level protocols, such as those employed on the Internet, show a similar lack of foresight. Standards for future protocols must consider security as a critical feature.

Technology for monitoring and restoring networks is generally available for the NII. Such technology is widely used in the PSN, satellite systems, and cellular networks. The Internet also has such tools in place.

CATV networks are the notable exception. Technology for monitoring centrally distributed signals is well-understood but has not been deployed. (Many cable systems rely on the end-user to report outages.) Technology for monitoring signals from the end-user to the central office is not available for the most common CATV architectures.

The PSN, wireless networks, satellite systems, and Internet are designed to survive isolated or even regional failures and provide service to the remaining customer base. The central design of traditional CATV systems makes them more vulnerable. Emerging network architectures are introducing redundant paths that enhance the network's survivability.

Rapid reconfiguration and restoration after network failure is an important feature of the PSN and Internet. Satellite-based systems and wireless networks do not have a particularly rich infrastructure, but can reconfigure networks to eliminate failed earth stations.

LEGAL AND POLICY

Legal deterrents are in place to combat electronic intrusion, physical attacks, and cable dig-ups. The laws regarding electronic intrusion are evolving as cases are brought to court, but appear too vague and too weak to provide a substantial deterrent. The laws addressing physical attacks are not specific to the NII; additional penalties for attacks on information infrastructure components may be appropriate. Persistent problems from cable dig-ups suggest that these laws should also be strengthened.

Government policy should encourage development of highly reliable networks through directed procurement activities. This requires establishing and enforcing appropriate standards for network reliability. This would require cooperative efforts from numerous government agencies, including OMB, GSA, NIST, and NTIA.

The FCC currently requires the PSN vendors to report large-scale outages (30,000 or more users for more than 30 minutes). Outages in rural areas rarely meet these thresholds, and small CATV vendors may not have that number of subscribers. The reporting requirement should be extended to all NII network suppliers, and the threshold number of users should be gradually reduced.

NII MANAGEMENT

The FCC monitors, reviews, and reports network outages in the PSN. The FCC is the appropriate agency for this task, but should perform this function for the entire NII.

The Network Security Information Exchanges (NSIEs) and Forum of Incident Response and Security Teams (FIRST) facilitate the exchange of security-related information. The NSIEs focus upon the PSN but have expanded to include cellular providers as well. FIRST is focused upon computer networks such as the Internet and computer-related security problems. Since much of the PSN infrastructure is computer based, several PSN vendors participate in FIRST as well. Industry-specific groups perform this function for other industries. A government forum for exchange of security-related information will probably be established by NIST as a result of the rewrite of OMB A-130.

The exchange of security-related information should be encouraged. Mechanisms for reporting and disseminating this information should be formalized. Liaisons should be established between the various industry and government groups to ensure information is distributed to all appropriate communities.

The NII is not centrally managed or operated. As a result, no central contact point exists. In most cases, it is unclear where to report network failures or other security events. The NSIEs, FIRST, and government agencies should coordinate the establishment of a central reporting mechanism to accept and disseminate reports of network outages.