Preface
Workshop Proceedings: This report summarizes the proceedings
of the Complexity and Critical Infrastructure Vulnerabilities Workshop,
held December 8, 2003, at the National Defense University (NDU), Fort
Lesley J. McNair, Washington, D.C. This was the first in a planned series
of five workshops that will address complexity and its impact on critical
infrastructure protection. The Cyber Conflict Studies Association (CCSA)
and the Center for Technology and National Security Policy (CTNSP) at the
National Defense University sponsored the workshops.
The CCSA is a not-for-profit association of professionals from government,
private industry, and academia, who want to promote education, research,
and dialogue in the area of cyber conflict. The goals of this workshop
were to educate and network and to identify issues centered on critical
infrastructure protection and cyber defense that require further study.
Outcome of Workshop: Panelists and participants made
recommendations in five categories:
Policy—must be resolved as a national mandate requiring
action from senior leaders in national security and homeland defense
- Develop appropriate response decision-making approaches and options
  in the event of cyber attacks
- Pursue international agreements that address monitoring for and
  isolating cyber attacks and follow-on actions such as forensics and
  legal action
- Ensure developers and users are responsible for producing and
  implementing more secure information and communications technologies
- Address the growing automation in the development of software code
  and other information technologies that limits the ability of governments
  or anyone else to understand how it functions
- Develop mechanisms for orchestrating the joint government and
  private-entity funding necessary to implement more effective cyber
  defense policies

Strategy—affects national planning, protection, or oversight
activities
- Develop a National Cyber Red Team and strong command and control functions
  for Cyber Conflict. Teaming efforts should include collaborative,
  inter-disciplinary decision makers and members
- Develop a national program to address behaviors of complex systems
  and responses to serious attacks
- Incorporate cyber experts in task forces and other groups addressing
  physical security
- Develop a national capability to assure the functionality and security
  of code produced by whatever means

Tactics—affects operation and management of infrastructure
- Develop a methodology and technology approaches to assess when
  critical infrastructure(s) is (are) under cyber attack
- Promote operations security strategies that include: diversity of
  layering; patch management; system partitioning; and other protection
  techniques

Research—requires further study and funding
- Studies in the applications of traffic analysis and other techniques
  to identify internal and external threats and threat agents
- Studies to understand emergent behavior and vulnerabilities of complex
  critical infrastructures such as the electric grid
- Technical studies (and prototype development) in adaptive and self-healing
  systems, and other work that supports the concept of “functioning
  while injured”
- Development of economic and risk modeling as it applies to cyber security
- Studies in the behaviors of complex systems, including models from
  other disciplines such as the study of thermodynamics and naturally
  occurring robust networks
- Study the implications of loss of human oversight and governmental
  control over automated code development and deployment within cyberspace

Education—requires a better understanding of complexity
and critical infrastructure protection
- Formalize and implement an educational effort to develop expertise
  to jointly study the area of complexity and critical infrastructure
  vulnerabilities/cyber defense
- Establishment of programs in information security domain expertise
  within other critical infrastructures such as electric power
- Continuous and improved cyber conflict practitioner training that
  takes into account emergent social and technical issues of complex systems
- Complexity and Critical Infrastructure awareness programs for the public,
  legislatures, and other stakeholders involved in the complexity and
  critical infrastructure discussion

Summaries of the presentations and associated dialogue that provided
the basis for these recommendations can be found in Section II.