The Growing Threat to the Information Infrastructure
The nation's growing dependence on computer networks for communications, data management and the operation of critical infrastructures renders it increasingly vulnerable to computer-based, or cyber, attacks against our information infrastructure, including the Internet, telecommunications backbones, and interconnected computer networks. The last few years have witnessed an exponential increase in damaging attacks, including viruses and worms such as Code Red, the Melissa and ILOVEYOU viruses, and distributed denial of service (DDoS) attacks against e-commerce websites. Malicious code (viruses, worms and Trojan horses) caused over $30 billion of damage worldwide in 2000 and 2001, according to Computer Economics. The CERT Coordination Center indicates that the number of reported computer security incidents has more than doubled during each of the past three years. Experts predict that these problems will continue to increase.
Attacks on computer networks now threaten not only our information infrastructure but also other critical infrastructures, such as banking and finance, transportation, and energy, that rely on information technology. In 1998, a teenager hacked into a Federal Aviation Administration control tower at a Massachusetts airport, disrupting essential systems for six hours. More recently, an Australian man was found guilty of hacking into his municipality's computerized waste management system and causing at least one million liters of raw sewage to spill into local parks and rivers and a Hyatt hotel. But these attacks on discrete nodes of a single infrastructure sector do not convey the full danger associated with cyber attacks on critical infrastructures. Because these nodes are highly interdependent, attacks on a part of one infrastructure can damage other parts of that infrastructure as well as other infrastructures altogether. An expert on the North American power industry has observed that the loss of one particular core switching station could severely impact the flow of natural gas in the United States; a scarcity of natural gas to fuel electricity generators could cause large sections of America's power grid to fail; and power failures could crash this country's financial and transportation systems (and other key infrastructures). As National Security Advisor Condoleezza Rice recently stated: "The President himself is on the record as stating that infrastructure protection is important to our economy and our national security and therefore it will be a priority for this administration."
Significantly, the problem is not confined to the stereotypical teenage hacker who attacks systems for the mere challenge of it. Rather, recent years have seen a growth in attacks coming from much more sophisticated actors, such as organized crime groups seeking illicit financial gain and politically motivated groups attacking U.S. government websites. Cyber attacks by terrorist groups bent on coercing U.S. policymakers are an all-too-real possibility. Perhaps most significantly, foreign nations are developing cyber attack techniques for activities ranging from covert espionage against U.S. government agencies or U.S. industry to information warfare against the United States. As a recent Defense Science Board report stated: "At some future time, the United States will be attacked, not by hackers, but by a sophisticated adversary using an effective array of information warfare tools and techniques. Two choices are available: adapt before the attack or afterward."
Cyber security is also vital to protecting personal privacy, an issue that the American public is increasingly concerned about. The Federal Trade Commission recently observed that Americans are especially worried about "the specter of identity theft." Available statistics suggest that this concern is justified. According to TransUnion, a leading credit reporting agency, the number of calls or complaints about identity theft grew from 35,000 in 1992 to over 550,000 in 1998. Thieves may use stolen personal information to access a victim's existing accounts, create new accounts in the victim's name, or commit other types of fraud. A May 2000 survey of identity theft victims by the California Public Interest Research Group (CALPIRG) and the Privacy Rights Clearinghouse found that "[i]n 15% of the cases, the thief actually committed a crime and provided the victim's information when he or she was arrested." Since terrorists use identity theft to facilitate their movements and operations, identity theft is one of several areas in which privacy and national security concerns overlap.
But while the cyber security problem continues to grow, and public concern increases commensurately, the state of our technical defenses is not keeping pace. Indeed, the widening knowledge gap between cyber attackers and defenders led William Schneider, Chairman of the Defense Science Board, to conclude that the "DoD cannot today defend itself against an Information Operations attack by a sophisticated nation state adversary." Yet, the Office of Management and Budget (OMB) reports on computer security at federal agencies have consistently identified the Department of Defense as a relative bright spot. The OMB recently reported that "many [other] agencies have virtually no meaningful systems to test or monitor system activity and therefore are unable to detect intrusions, suspected intrusions, or virus infections." Even private companies that employ sophisticated intrusion detection systems and other computer security measures find that their vulnerabilities are increasing. On the one hand, the core technologies underlying the Internet were not built with security in mind. On the other hand, the growing complexity of computer technologies multiplies attack routes and makes it harder to anticipate how problems will cascade through information networks. In the words of Richard Clarke, Special Advisor to the President for Cyber Security, "Our infrastructure is fragile." The United States urgently needs new technologies that will "harden" and protect our information infrastructure, making it more robust and resilient in the face of attacks.
The Origin of the I3P
In 1998, the President's Committee of Advisors on Science and Technology (PCAST) recognized that investments in information security research and development (R&D) were made primarily on a tactical basis, to fulfill an immediate perceived need for private sector commercial reasons. There was no institution or collection of institutions that looked at the landscape defined by the state of the art in information security and the existing body of ongoing public and private R&D, and identified the gaps in the national information security R&D portfolio. It recommended that the government fund an independent, non-governmental and non-commercial laboratory that would accomplish this important task by articulating the nation's information security requirements, cataloguing ongoing R&D efforts, and identifying gaps in the country's R&D portfolio. It recommended that this institution have $100 million available to fund these activities.
At the request of the Department of Defense, the Institute for Defense Analyses (IDA) analyzed this problem further and in April 2000 published a report recommending the establishment of an Institute for Information Infrastructure Protection (I3P) that would perform the functions described by the PCAST. It recommended funding the mature institute at a rate of $100 million per year. The institute, it suggested, would disburse most of this money to outside cyber security researchers.
In early 2000, the White House National Security Council (NSC) staff and the Office of Science and Technology Policy (OSTP) began developing a white paper on the I3P concept. Together with key members of the PCAST, OSTP developed a recommendation to establish the I3P. They proposed that it be a non-governmental agency funded through the National Institute for Standards and Technology (NIST) in the U.S. Department of Commerce and that it perform the basic functions outlined by the PCAST and the IDA. The white paper projected that the I3P would initially be funded at $50 million per year.
The OSTP Director and some PCAST members conveyed the proposal to key members of Congress in July 2000. The proposal to create the I3P also appeared in the President's 2001 budget. In response, Congress appropriated funding in 2001 and 2002 to the Institute for Security Technology Studies (ISTS) at Dartmouth College to establish the I3P.
The I3P identifies critical challenges in information infrastructure protection, and sustains a collaborative community of multi-disciplinary researchers to address them. The I3P serves as a trusted partner for industry and government, and provides an independent forum that facilitates the open exchange of ideas.
To fulfill its purpose, the I3P shall establish a consortium of relevant academic and not-for-profit centers of excellence and maintain strong ties with key institutions in government and industry.
To develop a national research agenda, the I3P shall:
To promote collaboration and information-sharing, the I3P shall:
To facilitate research and development of cyber security technologies, the I3P shall:
Consortium member organizations are not-for-profit research and academic institutions actively engaged in significant research and development of cyber security and information infrastructure protection technology in the national interest. Member organization representatives will be qualified senior researchers.
The definitions of specific terms include:
Last Updated: 7/2/12