The Cyber-Posture of the National Information Infrastructure

  • Willis H. Ware
Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT, volume 26)


The infrastructure of every nation is vulnerable to physical and cyber-based attacks. While there is no evidence that “the sky is falling in” or that there is imminent danger of a massive disruption from such attacks, a country cannot be complacent about the issue. Each country has a natural resilience stemming from many sources to offset the effects of such attacks, but more directed and extensive examination of the matter is essential.

Key words

Cyberwar Cyber Attacks Critical Infrastructure Protection 


  1. [1]
    The final draft of this document was completed on the same day but prior to the announcement that the President’s Commission on Critical Information Protection had posted its final report on its web site. Since the Commission report had not then been read or studied, we have not modified our discussion to reflect what it said. On the other hand, we did have knowledge of that report, derived as described below. Any overlap or similarity of position between this document and the Commission report is a result of coincidence of interests and a common understanding of the issues. This discussion intentionally includes supplementary and background discussion to make it complete and readable in itself.Google Scholar
  2. [2]
    See the Commission web site at for the text of the executive order, the mission objectives, and related documents.Google Scholar
  3. [3]
    For an analytical treatment of these larger aspects, see R. C. Molander, A. S. Riddile, and P. A. Wilson, Strategic Information Warfare: A New Face of War,Santa Monica, Calif.: RAND, MR-661-OSD, 1996, which sets information attacks in the context of game exercises as a tool to help policymakers understand the effects and implications of an infrastructure attack; and J. Arquilla and D. Ronfeldt, In Athena’s Camp: Preparing for Conflict in the Information Age,Santa Monica, Calif.: RAND, MR-880OSD/RC, 1997, a collection of essays to set the context of such attacks and innovate measures against them. For a fictionalized treatment, see John Arquilla, “The Great Cyberwar of 2002,” Wired,February 1998, p. 122ff., a vivid, cautionary short story.Google Scholar
  4. [4]
    Willis H. Ware, ed., Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security, Santa Monica, Calif.: RAND, R-609–1, published by RAND for the Department of Defense in February 1970 as a classified document and republished as an unclassified document in October 1979.Google Scholar
  5. [5]
    DOD Computer Security Center, Department of Defense Trusted Computer System Evaluation Criteria,National Security Agency, CSCSTD-001–83, August 15, 1983. While the document is characterized in its preface as “a uniform set of requirements and basic evaluation classes,” the TCSEC really filled the role of a standard and was subsequently adopted as a United States Government Department of Defense standard.Google Scholar
  6. [6]
    Bernard Peters, “Security Considerations in a Multi-Programmed Computer System,” AFIPS Conference Proceedings,Vol. 30, 1965, p. 283ff.Google Scholar
  7. [7]
    See, for example, Cybernation, The American Infrastructure in the Information Age,Office of Science and Technology Policy, Executive Office of the President, p. 18. This document has an internal date of April, 1997, but it was embargoed until November 12, 1997. It is subtitled A Technical Primer on Risks and Reliability,is tutorial in nature, and presents an overview of the infrastructure issue. It concludes by suggesting areas for public policy attention.Google Scholar
  8. [8]
    Terminology to describe national status following a major attack is of concern. One might be tempted to call it wartime footing or possibly semi-wartime footing but such phrases can imply that military forces or actions are involved, that Congress has taken some action, or that particular federal agencies have become active. The phrase national emergency or perhaps regional emergency would seem to be preferable.Google Scholar
  9. [9]
    Formally, from the viewpoint of physics, energy and power are different concepts. In ordinary usage, they are often used loosely as synonyms; and in some cases energy is thought of as a generalized word for power. In this discussion, it is not necessary to distinguish between the two, and each is used as it commonly would be for the topic under consideration.Google Scholar
  10. [10]
    The three items we have discussed map into two of the sectors identified by the PCCIP.Google Scholar
  11. [11]
    Telephone jargon for the cables on pole lines, microwave towers and facilities, satellite ground stations, buried cables-in short, largely everything in a telephone system except for the switching centers and the administrative support facilities.Google Scholar
  12. [12]
    Such an analysis is explored more fully in “Action 4” in Chapter Four. It is there referred to as “homework” to be done at the national level.Google Scholar
  13. [13]
    Willis H. Ware, A Retrospective on the Criteria Movement, Santa Monica, Calif.: RAND, P-7949, 1995; New Vistas on Info-System Security, Santa Monica, Calif.: RAND, P-7996, May 1997.Google Scholar
  14. [14]
    Under the regime established by the TCSEC (Orange Book), vendors can submit products incorporating security safeguards to the National Computer Security Center (formerly the Department of Defense Computer Security Center) for “evaluation.” This process is in addition to testing and product examination done by the vendor and includes extensive testing; examination of the engineering development process, especially for software; and review of the design process and its documentation. It is both expensive and time-consuming-typically, two years at minimum. Hence, an evaluated product, because of such a thorough post-vendor analysis, would generally be much improved relative to its preceding commercial version and could bring a market premium.Google Scholar
  15. [15]
    R. H. Anderson and A. C. Hearn, An Exploration of Cyberspace Security RandD Investment Strategies for DARPA: “The Day After… in Cyberspace II, Santa Monica, Calif.: RAND, MR-797-DARPA, 1996.Google Scholar
  16. [16]
    For fuller discussion of some of these items, see Ware (1997).Google Scholar
  17. [17]
    From a private conversation with Mr. Colin Crook, retired Chief Technology Officer of Citibank, New York City.Google Scholar

Copyright information

© IFIP International Federation for Information Processing 1999

Authors and Affiliations

  • Willis H. Ware
    • 1
  1. 1.The Rand CorporationUSA

Personalised recommendations