Section III

Summary of Workshop Discussions

Welcoming Remarks: Lt Gen Dunn began his welcoming remarks by emphasizing the importance of the CCSA effort. Dunn noted that securing the interconnected military information technology (IT) systems that form the framework of military transformation has long been of vital importance to him. Government reform and downsizing have encouraged greater partnerships with industry, and Dunn expressed his concern over the lack of understanding of the complexity of our shared infrastructure, in terms of both design and interconnectivity. Dunn pointed out that adopting commercially used protocols such as Internet Protocol (IP) and Windows platforms, and, where economically viable, using commercial networking and communication components to meet the military mission, all introduce risk to these systems and thus to our national and homeland defense.

Drawing on his vast experience in this area, Dunn spoke of his participation in the 1997 DOD Eligible Receiver exercise focused on cyber defense. At that time, the United States did not realize how unprepared for cyber conflict it was. The U.S. government had few policies in place regarding cyber attacks then, and this problem persists. For example, there is no policy that helps determine when to categorize a cyber attack as an act of war. The United States still has few systems to detect cyber attacks. America’s role in pre-emptive or defensive cyber warfare, especially as it applies to use of this shared infrastructure, is a subject of much debate as we weigh defense and privacy issues in these challenging times. He emphasized the need for a national red team effort to address cyber conflict, defense, and preparedness.

We live in a connected world, and Dunn believes systems are vulnerable in proportion to how much we use them and how critical they are. Cyber conflict is a very complex area with few experts. One of the reasons he was so supportive of the CCSA effort is that it gives NDU the opportunity to help educate civilian and military leaders on the subject and to encourage further study and work in this area. Dunn advised that the four pieces of cyber defense that should be addressed are technology, organization, policy, and law, and he hopes that the CCSA efforts will be instrumental in supporting that work.

The discussion addressed concerns about the applicability of commercial off-the-shelf (COTS) products to DOD, especially products developed overseas. The assumption is that such products pose a greater risk of back-door installation of Trojan horses and time bombs. The attendees noted that vulnerability is a function of the interdependence of the systems involved. It was agreed that the current U.S. cyber policy is one of risk management rather than anticipatory or preventive solutions.

Lt Gen Dunn left the audience with the following recommendations:

• A coherent national framework that addresses cyber conflict from a policy, legal, organizational and technical perspective must be developed
• An educational effort to develop experts in the area of complexity and critical infrastructure vulnerability issues must be formalized
• The methodology and technology to “identify when we are under attack” must be developed
• A strong command and control (C2) capability is needed to combat cyber attacks
• A National Red Team for Cyber Conflict issues should be established
• A policy that determines America’s reaction to cyber attacks and our role in pre-emptive or defensive cyber warfare is needed

Introduction of CCSA Objectives: John Casciano, President of the CCSA, advised the audience that the CCSA was a recently established professional association designed to support active research in the field of cyber conflict. The CCSA sponsors studies in ethics, morality, law, policy, strategy, tactics, and technologies and is seeking to increase membership and sponsors. Casciano briefly touched on the objectives and workshop agenda, noting that the workshop activities were a follow-on to the initial CCSA conference held at the Massachusetts Institute of Technology (MIT) in the spring of 2003. Pointing out that the problems Lt Gen Dunn mentioned are real, Casciano noted that eighty to ninety percent of the critical infrastructures are owned by the private sector, and the nation needs to explore methods to improve the private/public relationship in cyber conflict and defense. Casciano suggested that the dialogue could begin around protecting the nation’s economic security, which is the real potential impact of cyber attacks on the nation.

Casciano left the audience with the following recommendations:

• A private/public policy and techniques to jointly protect the infrastructure must be developed
• A dialogue must be established around the viability of the nation’s economic security under cyber attack

The Ground Rules: The moderator, Michael Schrage, who played a vital role in establishing a collaborative workspace throughout the day, encouraged the participants to engage in an open, if not confrontational, dialogue to identify important issues quickly. Schrage pointed out that critical infrastructure protection is inherently a complex and multi-disciplinary issue and reminded the audience that the workshop goal was to produce products that would be useful to decision makers.

Schrage challenged the participants to frame their dialogue around the following questions:

• What kinds of resources will complexity provide in resolving cyber conflict issues, what will its currency be in government, and where will it be most useful in application?
• What insights from complexity can be used to support better understanding of infrastructure vulnerability?

Implication of Complexity for Shared Infrastructure: Dr. Harold Morowitz addressed the question of whether our knowledge of biology and biochemistry is useful in protecting the critical infrastructure. Morowitz began his talk by presenting a chart of intermediary metabolism. The chart represents all known reactions among small molecules that occur in most organisms. There are 20 million species with multiple metabolisms. These primary metabolisms are made of the 300-400 molecules that build organisms. Focusing on the core or primary metabolic processes, Dr. Morowitz talked about the extraordinary robustness of the metabolic process, universal to all organisms, that traces back 3½ to 4 billion years. Morowitz discussed how large changes in the environment of an organism do not adversely affect its metabolism. As an example of this robustness, he noted that bacteria are able to reproduce within a large temperature range and even when solvents replace a large percentage of their aqueous environment. Morowitz advised that two primary approaches to studying the network properties of metabolism exist. Most studies have focused on the topology of the networks, whereas studies on robustness focus on thermodynamics, such as reaction rates, enzyme-substrate binding, and other physical-chemical features. He drew an analogy from the biological network topology approach to the topology of scale-free networks and to Kirchhoff’s law representing classical electrical networks, and suggested that the topology features are analogous to those of the Internet.

Morowitz suggested that the thermodynamic features of biological networks, however, may provide a closer analog to infrastructures, which depend on mass, energy, and information transfer. Metabolic networks have a core, and all reactive pathways, including the citric acid and reductive citric acid cycles, have termini in that core. He compared this to primary production in an economic network, where every innovation at the hierarchical level above the core is selected by its ability to reinforce the core. Morowitz described the multiple emergences that occur with these interactions, such as products that lead to catalytic reactions or products that result in new structures such as membranes that, in turn, lead to compartmentalization. He suggested that the emergent properties of infrastructures be examined by studying the emergent properties of biochemical networks and that interdisciplinary activities between theoretical biologists and infrastructure stability experts might prove useful.

The workshop participants explored the analogy between a biological network and an electric network. It was noted that a biological network has at its core the transfer of mass, energy, and information, similar to infrastructure, with one difference: a core property of information networks is independent agents (people). It was proposed that this feature negates any analogy to biology. Morowitz suggested that a solution might lie in building networks to minimize the influence and actions of people and that this might be a path for studies of emergence. A discussion followed of how the ability to control selection within networks applies to the infrastructure. Again, Morowitz pointed out the need for further study. It was noted that the biological infrastructure has existed for 3½ billion years without failure and, if possible, would be a “perfect model” for any cyber infrastructure to be built upon.

A question was posed regarding who was building software packages to emulate biological networks. Although no company came to mind, this is an area that needs further investigation. Another question was posed about how lessons from the robustness of biological metabolism and processes could be applied to information and communications infrastructures. While no conclusions were reached, the group agreed this was an area warranting further study.

Morowitz left the audience with the following recommendations:

• The emergent properties of infrastructures should be examined by studying the thermodynamics and emergent properties of biochemical networks
• Interdisciplinary activities between theoretical biologists and infrastructure stability experts should be established
• Further studies are needed on the core differences between biological and infrastructure networks to understand the role and control of non-predictive behavior

Power Grid Interconnectivity, Failures, and Regulatory Interaction: Dr. Dejan Sobajic, Director of Grid Reliability and Power Markets at the Electric Power Research Institute (EPRI), started his talk with the provocative statement that the power grid system is the largest man-made machine ever built. This system has been in existence for over 100 years and is composed of thousands of elements, each interconnected to 2, 3, or 4 other elements in a one-to-few model. The outcome of a compromise of a system vulnerability, especially if it has a cascading effect, is an outage; simply put, the machine goes down and service is interrupted. Sobajic pointed out that the causes of these outages vary. Some are nature driven (exposure to the elements: lightning, wind, rain) and others are man-made (operator error, deliberate interruption).

According to Sobajic, vulnerabilities are designed into the current system. The behavior of transmission networks, characterized as large, non-linear, uncertain, and time dependent, is not fully understood. Additionally, the diversity of equipment installed from various international vendors often presents major maintenance problems. New types of transformers are needed that can adapt or be easily repaired, instead of the current situation where spares and appropriate maintenance skills are needed for every system. Most new power grid systems receive upgrades through modem dial-up, and the systems, especially those used for monitoring and control, rely heavily on the Internet. These dial-up and Internet connections introduce many vulnerabilities into the system and present a target for attacks. The speed at which network attacks occur makes this a very high risk, according to Sobajic.

The power grid is a very dynamic system. Failures in the grid result from cascading events in which weaknesses combine to make the system more vulnerable to unforeseen problems. Sobajic pointed out that light loads mask problems in the power grid. At full capacity more problems are evident, and the system behaves differently than at lower capacity. He attributed this to the lack of understanding of the power grid and its complex behavior. For the same reason, Sobajic stated that once vulnerabilities start to cascade, there is little intervention that can take place. Sobajic categorized the sequence of cascading events into the following three phases:

• The Sequential phase: the problem goes unnoticed early on, allowing progressive weakening of the grid
• The Transition phase: failures speed up and the grid is out of balance
• The Parallel and Terminal phase: performance failures are obvious, it is too late for human intervention, and there is a loss of supply

Sobajic reminded the participants that the existing transmission machine was not designed for today’s use. The grid must absorb all energy generated or the system experiences problems. To address cascading events, Dr. Sobajic noted the following requirements for avoiding them:

• Development and installation of early warning systems
• Better system designs (marketing efficiency vs. failure resistance)
• Improved control and mitigation.

On preventing cascades, he recommends improved transition scheduling, near time system operations, and protection relaying.

EPRI is taking positive steps to address these problems. EPRI began an infrastructure security initiative in 2001. Techniques such as immediate replacement of failed transformers are being explored. Transformers link regional grids, and their reliability is important to the system. Unfortunately, Sobajic pointed out, the lack of commonality in transformer equipment makes quick replacement difficult. Industry has also responded to electric grid vulnerabilities by partnering in the following joint efforts:

• DOD/EPRI complex interactive networks/systems initiative (1998-2001)
• EPRI reliability initiative (1999-2002)
• EPRI infrastructure security initiative (2001-)
• DHS/EPRI/NERC North American Electricity Infrastructure Security Monitoring System

Sobajic discussed his concerns regarding the lack of qualified power engineers and advised that many programs in this discipline have been dropped from universities. He works closely with universities’ power engineering programs to help introduce new ways of thinking about infrastructure problems. Power engineers are trained to think in terms of machines. Sobajic asked the question, “If one cannot avoid the event, can one control an event after it has started?” He questioned whether a structured method from the power engineering discipline will work to resolve this problem. New approaches to resolving the power infrastructure network vulnerabilities are essential because the current practice of thinking about the network as a set of machines cannot continue and only masks problems. Countermeasures aimed at preventing cascading events have not been effective, and at some point the system must be capable of absorbing natural phenomena and adjusting or adapting while under attack. Sobajic proposed to the participants that out-of-the-box thinking, such as looking at biological models, might be necessary.

The workshop participants explored several concepts regarding power infrastructure protection with Sobajic. The question was asked whether cascading events might be avoided by design. Sobajic stated that market efficiencies make this difficult, as they are at odds with implementing failure resistance. Market-driven systems are inherently steady state, are more difficult to control, and thus are more susceptible to unplanned events. To date, this approach has not been successful in power grid operation. The lack of research in this area was a topic of interest, and Sobajic concluded the discussion by stating that R&D funding for the power industry has been decreasing and that collaborative research with other infrastructure domains may provide an economy of scale and, even more importantly, establish a dialogue with policy makers about the complexity of systems and the need to support research. He noted that the most complex systems are the most dangerous systems and posed the question, “Can a system threaten you even if you are capable of understanding it?”

Sobajic left the audience with the following recommendations:

• Research needs to be performed to understand the behavior of complex systems, especially the power grid
• Funding of research is essential to understand the network and cascading events; multi-discipline collaboration should be investigated
• Shift thinking about the power grid from that of a machine to that of a network, and increase education and training in power grid design and maintenance

Impact of Sound Security Practices on Mitigating Risks from Cyber Attacks: Mr. Alan Paller, Director of Research for the SANS Institute, began his presentation by posing the following questions:

• What are the elements of the problem in cyber security?
• Where does heterogeneity fit?

To help participants address those questions, Paller described the current status of worms, viruses, and other attacks against the Internet and IT systems. He framed the problem by providing the following data about recent attacks:

The Slammer worm (Jan. 25, 2003) was the most destructive worm to date. It was the fastest computer worm in history and infected more than ninety percent of vulnerable hosts in 10 minutes; it was 100 times faster than Code Red. This worm proved to many Chief Information Officers (CIOs) that systems thought to be immune to Internet attacks were indeed interconnected when it brought down a range of systems including the Seattle 911 system, Bank of America ATMs, and Continental Airlines’ routing information system. (The worm spread by exploiting a vulnerability in Microsoft SQL Server.)

The Slapper worm (Sept. 13-17, 2002) took over 29,000 Linux machines. (Linux Slapper is a family of worms that exploit an OpenSSL buffer overflow to run a shell on a remote computer.) Seven days later, on Sept. 20, 2002, 330 Slapper victim systems attacked a U.S. intelligence agency web site.

Paller proposed that one aspect of the success of the Slammer worm is that technologists “lied” to their management and indicated that their systems were not susceptible, i.e., not directly connected to the Internet. Interestingly, Paller pointed out, the Slapper worm affected 29,000 systems, and only 1 percent of the infected machines (335) had sufficient firepower to disable a U.S. intelligence agency’s machines for more than 24 hours. The moral is that damage to the infrastructure does not always require a large number of processors in the infrastructure to be involved, or a significant number of processors to be compromised.

Paller claimed that it is the system vendors that make systems vulnerable, and that this situation could and should be fixed. To explain this further, he provided the following example: a federal government CIO purchased an Oracle system and wanted it delivered to certain specifications, with known system vulnerabilities turned off. Additionally, she wanted to make sure that any patches that came out would not override these configurations. At first Oracle did not want to do this but eventually gave in, and it now offers this option in its sales package.

Customer demand does not always win out, especially against vendors with extremely large customer bases. In its initial efforts on the concept of self-healing networks, the NSA came up with the idea of compartmentalized SE Linux. The idea was originally offered to Microsoft for NT, but Microsoft said it was too late to get it into the system.

Paller stated that the greatest threat to the infrastructure today is the compromise of financial information and extortion, and cited some basic facts about threats to the Internet:

Illegal exploitation of the Internet and attached business applications is not preventable by law enforcement. The state of forensics is not sufficient to locate offending parties. Law enforcement agencies advise paying extortion fees, because they cannot protect a business from Internet-based extortion. To prove his point, Paller quoted Pat Morrissey, former Chief of Cyber Crime Investigations for the U.S. Secret Service, as saying: “Any criminal organization that is not using this technique [Internet extortion] should be sued for malpractice!”

Remote maintenance and control operations that use IP protocols are subject to being hacked, with root access compromised. Paller provided data from a report by FBI agent E. Brent Rasmussen demonstrating root access to the control system of the Shasta Lake/Sacramento Dam and every other dam in the northern part of California. The Shasta dam incident provides an interesting example because, as a security mechanism, dam security personnel wanted “backup controls” in order to prevent terrorist attacks. Those very same backup controls were more susceptible to attack (less well protected) than the main system and became targets for terrorist attack.

Paller warned that the practice of connecting administrative computers to the same networks as systems that have critical functions, such as control systems for dams, not only demonstrates weak security policy but can also put lives at risk.

The mantra for the talk was “vendors increase risk to the Internet by delivering bad software.” Hackers then exploit these deficiencies, to the point that hacker sites exist on the Internet where all necessary technology is available for exploiting a software vulnerability. Hacker sites compete on ease of use. To support this statement further, Paller provided a demonstration of how such existing hacker sites are used. Neither much knowledge of the Internet nor an understanding of the software was required; the only necessary skill was the ability to operate a mouse.

Paller suggested that a possible mitigation is to promote diversity in “layers” to limit damage. Further work is needed to define the term “layer.” One simple method of providing diversity in layers is the policy of implementing diversity of operating systems, to avoid the cascading vulnerabilities introduced by use of a common operating system (OS) across an entire enterprise. For example, an enterprise can use a firewall that runs a different OS than the platform(s) it is protecting. Another example would be to add an extra layer between Windows boxes and Linux boxes.
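As an added illustration of this diversity-in-layers argument (example code written for this summary, not from Paller or SANS; the hosts, links and platform names are constructed): a worm tied to one platform is modelled as spreading only between adjacent hosts that share that platform, so the set it can reach shows how a firewall layer built on a different platform bounds the cascade that a single-OS enterprise would suffer.

```python
from collections import deque

# Constructed sample enterprise: an edge firewall, two internet-facing web
# hosts, an internal firewall, and an internal tier that includes a
# control-system gateway. Links are undirected network adjacencies.
EDGES = [
    ("edge_fw", "web1"), ("edge_fw", "web2"), ("web1", "web2"),
    ("web1", "app_fw"), ("web2", "app_fw"),
    ("app_fw", "db"), ("app_fw", "hr"), ("app_fw", "control_gw"),
]
HOSTS = ["edge_fw", "web1", "web2", "app_fw", "db", "hr", "control_gw"]

# Monoculture: every box, firewalls included, runs the same platform.
MONOCULTURE = {h: "platform_a" for h in HOSTS}

# Diversity in layers: only the firewall layer is built on other platforms;
# the hosts behind it still share platform_a.
DIVERSE_LAYERS = dict(MONOCULTURE, edge_fw="platform_b", app_fw="platform_c")


def reachable(hosts, edges, start, vulnerable_platform):
    """Hosts a worm that exploits only `vulnerable_platform` reaches from `start`.

    hosts: dict host -> platform; edges: undirected (a, b) adjacencies.
    The worm hops from a compromised host to a neighbour only if that
    neighbour runs the vulnerable platform, so a differently built layer
    in the path stops the cascade even though it forwards traffic.
    """
    adj = {h: set() for h in hosts}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    if hosts.get(start) != vulnerable_platform:
        return set()  # entry point itself is not exploitable
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in seen and hosts[nxt] == vulnerable_platform:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(hosts, edges, start, vulnerable_platform):
    """Fraction of the enterprise the single-platform worm can reach."""
    return len(reachable(hosts, edges, start, vulnerable_platform)) / len(hosts)


if __name__ == "__main__":
    for name, inventory in (("monoculture", MONOCULTURE),
                            ("diverse layers", DIVERSE_LAYERS)):
        hit = reachable(inventory, EDGES, "web1", "platform_a")
        print(f"{name:15s} compromised {len(hit)}/{len(inventory)}: {sorted(hit)}")
```

Running it shows the monoculture losing every host, including the control-system gateway, while the diversified layout confines the same worm to the exposed web segment.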

Based on available cyber protection techniques, Paller suggested that a first place to start limiting the vulnerabilities of an enterprise is the firewalls, which can be misconfigured and have vulnerabilities of their own.

The workshop participants commented that the computer industry has vulnerabilities because it has not used the paradigms of other industries that have to model and reduce risk, e.g., the nuclear power industry. A suggestion was made that private industry must catch up to DOD in traffic analysis in order to reduce infrastructure risk. Traffic analysis does not involve any assumptions about insider or outsider threats, as do many of the solutions for risk reduction in the computer industry today.

Paller left the audience with the following recommendations:

• We must promote a security strategy of diversity “in layers”
• Don’t try to “fix everything” at first. Pick the most critical vulnerabilities and make those your first target
• We need vendor-delivered system vulnerabilities wiped out
• A patch cannot solve all vulnerabilities; they must be solved by design
• Partitioning is needed: multiple tasks should not be assigned to single systems (a firewall should just be a firewall)

A Machine-Dominated Future? Mr. Richard Clarke, President of Good Harbor Consulting and former Presidential Special Advisor on Cyberspace Security, began his presentation by reminding attendees that authors of books and Hollywood scripts have always been concerned about the infrastructure failing due to its complexity. He used the following three examples from popular culture:

• Terminator 3: cell phones, ATMs, radio stations do not work and the DOD controls the civilian critical infrastructure
• Matrix Reloaded: nobody really cares about this infrastructure until it stops working/man’s dependence on machines
• Deutsch’s A Subway Named Mobius: people have forgotten how to add, subtract, and multiply

Clarke posited a future wherein machines are at best a ubiquitous necessity and at worst control mankind; he posed the question, “Where are we in the march towards a machine world?” Society has been taken over by cyber devices to an extent that we are not aware of. The idea of complexity has emerged more and more over recent years. Around the world last year, people created 5 billion megabytes of information, equaling ½ million Libraries of Congress per year. Clarke pointed out that today we cannot ensure that data is not corrupted, and cited the following statistics to support his view. Last year 114,000 virus incidents happened. The damages from Trojans and viruses cost $45 billion last year and $38 billion for the month of August this year. This year over $126 billion in losses occurred due to worms and viruses. There has been a 400 percent increase in damages this year attributable to vulnerabilities in software. There are 10 coding errors in every 1000 lines of code. Unless we begin to fix these vulnerabilities, we cannot even attempt to catch up.

The cause of the problem, Clarke stated, is that humans make too many mistakes. Software vulnerabilities are a result of the inability of humans to write code well. To reduce software errors, research and development projects have been proposed to have software write software. Products are available today that claim to check software for errors. Clarke posed the following questions to the participants:

• Is this the path we want to be on?
• Should we put the brakes on computer technology?
• What will our dependencies be like in ten years with respect to software and global controls?

Clarke predicted that in five years there will be software running in which humans have had no direct involvement in coding, checking, operations, or maintenance. He reminded the participants that Bill Joy, the former CEO of Sun Microsystems, predicted three years ago that humans would lose control to machines since, to get better, we’ll put machines in charge of certain functions. Mr. Joy suggested that at some point we must “put the brakes on,” or else in ten to twenty years we could lose control to computers to the point where all software is written by machines, checked by machines, and machines are talking to machines. Clarke asserted that Mr. Joy’s warning went unheeded, and pointed out that this year we had several interruptions in operations due to computer issues (pipelines, power grid, airlines, trains). Participants were asked what they thought systems would be like in ten years. Clarke proposed a dialogue on the future of computer technology to answer the question, “Are we in danger of losing control?”

Clarke asked the rhetorical question, “Is the U.S. government doing enough to protect U.S. citizens and businesses?” He suggested that the Federal Government utilize cyber capabilities offensively as well as defensively, and pointed out that the terrorists know how to use the Internet to communicate and raise money. Al Qaeda, for example, has a disturbing number of people with graduate degrees in Computer Science, many of them obtained at some of the best U.S. schools. The September 11th attacks demolished infrastructure and sent the economy into a tailspin (the ripple effect and interdependencies were evident). Other examples of events affecting the U.S. economy were the Anthrax mailings and the Washington Metropolitan area sniper attacks, which not only caused loss of life but immense economic damage through building and business closures, police activities, and clean-up. Even after September 11th, Clarke pointed out, we still have people in the intelligence community who are not focused on these problems. Al Qaeda isn’t the only organization that wants to cripple the U.S. economy. Chinese generals have publicly stated that, if a conflict arose with the U.S., they would use cyber attacks against the civilian infrastructure. He asked, “Why aren’t we heeding these warnings?”

Clarke advised that protection of the infrastructure is dependent on the obscurity of its interconnections. Knowledge of the machinery is power. Collaboration between government and industry is needed if the predominantly privately owned infrastructure is to be protected. Assurance of the privacy of information regarding infrastructure topology and design, system breaches, vulnerabilities, and other issues is paramount if private industry is to trust the government. Clarke pointed out that it is necessary to get the private sector to understand its own infrastructure. In closing, Clarke repeated the warning of John Casciano that “the civilian economy is the target.”

Clarke left the audience with the following recommendations:

• The U.S. government needs to be doing much more than it is vis-à-vis offensive or defensive proactive infrastructure defense
• The government will need to keep more information secret to limit “danger” to infrastructure
• We cannot underestimate our enemy or the ripple effect on the U.S. infrastructure and economy of an adverse action in one area
• People do not understand the issues involving critical infrastructure, so they do not spend money on protecting it

Cascading Effects and Ubiquitous Use of Common Platforms and Protocols: Dr. Daniel Geer, Principal, Geer Risk Services, discussed the health of our ubiquitous Internet and IT systems: the prognosis was poor and, more importantly, poorly understood. Geer addressed the risks and vulnerabilities of our cyber infrastructure, which permeates all aspects of society. He began by discussing the impact of a computing infrastructure monoculture, especially where that monoculture is complex and has already been shown to be permeated with security faults. For example, if the source of security faults is in any way related to complexity, then it is necessary to note that Microsoft Windows XP represents a new high-water mark in complexity at over forty million lines of code. Not only has Microsoft’s code size grown over the past twelve years, but so has the installed base of system vulnerabilities. Geer illustrated all these points with available data, noting that there is not nearly enough data to perform detailed analysis.

Geer pointed out that vulnerabilities are a good example of emergent problems. A combination of two vulnerabilities, each merely annoying on its own, can together be devastating. For instance, had anyone opportunistically mounted a computer attack combining the Nimda worm and the emergency 911 (E911) vulnerability, the result would have disabled the entire 911 service a week after September 11th; a collapse of public confidence was avoided by nothing more than blind luck. Having survived a virus or worm attack, computer users should not be complacent, Geer pointed out, because most worms and viruses can re-infect the same or different systems at later dates. This is partly the result of incomplete patching of systems. He walked the audience through a series of statistics on the state of the cyber infrastructure that were frightening and demanded action. The following is an overview of the statistical analysis presented on cyber vulnerabilities:

• Best practices do not get rid of twenty percent of the worst risks
• Patching is not one hundred percent effective, and one must assume that old worms/viruses will re-infect computers at later dates
• Access control fails to scale. Access-control systems cannot support large systems effectively and create a management and maintenance resource overload
• Reverse engineering of patches issued by a vendor can be used to generate an exploit heretofore unavailable to the hacker
• Patches that go up on the Internet are essentially advertisements for how many people are vulnerable, leading to a footrace between the customers and the bad guys
• The bundling of patches under one name that covers multiple exploits is misleading. This strategy, driven by cost and convenience, delays installation of patches as they are developed and can prevent installation altogether when the title of the patch does not match the user’s function and the patch is ignored

Geer compared the computer worm/virus environment to a worst-case disease epidemic, where the infection period is long (and the disease can stay dormant for long periods of time) and the effects of the disease are quick and often lethal. One solution is to segment or quarantine networks based on traffic analysis. Another solution might be to have ISPs egress filter all traffic to minimize the spread of worms. However, the price of safety may be the loss of privacy, and this is a dialogue that must be surfaced and addressed; until it is confronted directly it will limit the solution space to wishful thinking.
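The epidemic analogy above can be made concrete with a small compartmental model. The following is an added illustration, not part of the workshop record or Geer’s own material: a toy susceptible-infected-susceptible (SIS) model over several network segments, with constructed parameter values. Cleaned hosts return to the susceptible pool, which is how the model captures Geer’s point that incomplete patching lets old worms re-infect; setting the cross-segment contact rate to zero stands in for quarantine or egress filtering at the segment boundary.

```python
"""Toy segmented SIS worm-spread model (constructed illustration; not workshop material)."""


def step(infected, beta_in, beta_out, gamma, dt):
    """Advance every network segment by one Euler time step.

    infected : list of the infected fraction of hosts in each segment
    beta_in  : contact rate between hosts inside the same segment
    beta_out : contact rate across segment boundaries; 0.0 models
               quarantine or egress filtering at the boundary
    gamma    : rate at which infected hosts are cleaned and patched;
               cleaned hosts go back to 'susceptible' because patching
               is assumed incomplete, so re-infection stays possible
    """
    k = len(infected)
    new_state = []
    for i, frac in enumerate(infected):
        others = sum(infected[j] for j in range(k) if j != i)
        # infection pressure on this segment from inside and outside
        pressure = beta_in * frac + beta_out * others
        susceptible = 1.0 - frac
        delta = pressure * susceptible - gamma * frac
        new_state.append(min(1.0, max(0.0, frac + dt * delta)))
    return new_state


def simulate(initial, beta_in, beta_out, gamma, steps=2000, dt=0.05):
    """Run the model for steps*dt time units; return final infected fractions."""
    state = list(initial)
    for _ in range(steps):
        state = step(state, beta_in, beta_out, gamma, dt)
    return state


def endemic_level(beta, gamma):
    """Steady-state infected fraction of one well-mixed segment.

    Setting delta = 0 in step() gives beta*I*(1-I) = gamma*I, so the worm
    persists at I = 1 - gamma/beta whenever gamma < beta and dies out only
    when the clean-up rate matches or exceeds the contact rate.
    """
    return max(0.0, 1.0 - gamma / beta)


if __name__ == "__main__":
    seeded = [0.01, 0.0, 0.0, 0.0]   # worm lands in one of four segments
    print("unfiltered boundaries:", simulate(seeded, 1.0, 0.2, 0.4))
    print("egress-filtered boundaries:", simulate(seeded, 1.0, 0.0, 0.4))
    print("patch rate above contact rate:", simulate([0.01], 1.0, 0.0, 1.2))
    print("predicted endemic level, one segment:", endemic_level(1.0, 0.4))
```

Two things the model shows that the paragraph only states: with the boundary filtered, the three clean segments stay at exactly zero while the seeded one settles at its endemic level; and in any segment the worm only disappears when hosts are cleaned faster than they are contacted, which is why a patching campaign that stops short of that rate leaves a permanent reservoir for re-infection.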

Geer predicted that network design is changing. It is moving toward a security-cognizant future in which systems are interconnected via loose interfaces between small modules, which is very different from one large, complex system. This future, with more and smaller computers networked together, will require different countermeasures than today.

Geer pointed out that security risks are addressed in terms of best practices, guidance, and other qualitative processes that are very subjective. The industry must incorporate sound measurement as part of cyber conflict reporting if the infrastructure is to be successfully protected. There is a great need for a cyber risk model. He suggested that the cyber world look at other bodies of developed, quantitative knowledge, such as public health, portfolio management, the insurance industry, and accelerated failure time testing, to see how risk is handled in these fields. A sound risk model will not only inform changes to cyber security policy but will support the work of quality practitioners and researchers. The lack of sound measurement and reporting techniques and of an accepted risk model has a negative effect on funding of research and security product development. Today industry is driven by demands for reliability over security because a sound case cannot be made for the latter. Geer pointed out the need for more qualified people in the field. Without measurement and trained practitioners, the charlatans win.

Geer ended his talk by advising the participants that if all the code attacks to date have been conducted on known vulnerabilities, it is safe to assume that someone has a reserve of vulnerabilities that have yet to be acted upon. The lack of quality assurance in the development and management of code, off-shore development and maintenance of software, and the problem of human error should concern everyone involved in infrastructure protection.

The workshop participants engaged in a healthy discussion regarding the implications of Geer’s statistics and the use of patching as immunization. A policy of mandatory patching, and methods to implement it, was discussed and is an issue that needs further study.

Geer left the audience with the following recommendations:

• Quantitative cyber risk techniques must be developed
• The price of security is privacy just as the price of privacy is security, and subsequent work is needed in addressing privacy policy and legal issues
• Techniques for protecting critical infrastructure such as quarantines, filtering of data, mandatory patching must be addressed and, if viable, effectively mandated
• Training and an increase in competent practitioners are needed

Challenges for Securing Shared Infrastructure Against Large Scale Cyber Attack: Col (S) Gregory Rattray, Ph.D., began his talk by stating that securing government and private sector shared infrastructure against a large-scale cyber campaign will prove extremely challenging. Rattray posited that adversaries who use cyber conflict as a method of political or economic coercion will not necessarily use the types of attacks we witness day to day, either in form or in magnitude of intended effect. In particular, a cyber conflict could occur over long time periods, rather than the minutes or hours characterizing the problematic period of most disruptive cyber events today. One part of a better understanding of how the nation's cyberspace will stand up to a series of large-scale attacks is deeper insight into the complexity of the infrastructure and into all the actors who contribute to its vulnerabilities, are responsible for its protection, or might be attackers. Rattray stated that the complexity sciences can provide the following insights regarding cyber conflict:

• Environment opaqueness (uncertainty concerning which elements are of most dire interest for both defenders and attackers)
• Nonlinearity of effects (loss of specific functionality and associated, yet unknown, cascading effects, or the ability of the system to adapt and minimize disruptions)

Rattray suggested that answering the following fundamental questions might help us understand such effects:

• What sorts of systems are inherently adaptive and/or recover easily?
• How does sophistication of human operators play into this?

Today, Rattray pointed out, defenders often lack the ability to predict whether a system will fail totally or partially as a result of some perturbation. In general, penetration testing indicates that sophisticated attackers can usually find ways to enter systems because of the multiple vulnerabilities inherent in interconnected systems. Rattray believes concern about insider attacks should be increasing, and that technologies and operational approaches to identify such behavior require more attention.

Rattray pointed out that there is a need for more creative defensive techniques. Improved technological countermeasures alone will not provide comprehensive solutions. New ideas and research are needed to develop network addressing, controls, and edge systems that can adapt under attack, increasing the challenge for attackers to target and disrupt critical functionality. Rattray suggested research and field-testing of network topology changes that support a more defensive posture when an attack is in progress. Other research might include the capability to clean up a network by sweeping for security flaws, to improve confidence in its security and ability to resist attack before an organization enters a period when network and system confidentiality and reliability are at a premium. For example, such a sweep might occur prior to a period of active field operations for a military unit or during the conduct of an extremely sensitive test at an R&D laboratory.

Rattray suggested that a better understanding is needed of combined cyber and physical attacks, and of what role and effect, if any, the cyber dimension has in physical attacks. Cyber expertise will be increasingly important as part of efforts to prevent physical attacks and limit their consequences.

Rattray recognized positive ongoing efforts in the infrastructure protection arena. The consolidation of cyber infrastructure protection functions under the Department of Homeland Security was an important step toward improving protection strategies. The State Department has international outreach programs on Critical Infrastructure Protection focusing on actions to improve cooperation in warning of and protection against cyber threats.

Rattray called for a much-needed change in the cyber defense mindset. Network operators and the senior management of most organizations that rely on information and communications infrastructures must understand the fundamental vulnerability of these technology systems. It must be assumed that sophisticated adversaries, given motivation and time, can infiltrate most systems and networks and create the capacity to disrupt them. Therefore, we need to be capable of “functioning while under attack.” Col. Rattray finally proposed that understanding the effectiveness of the practices organizations use to protect, defend, and recover from cyber attacks, and sharing these techniques within government and industry, is essential for improved defense.

Closing Remarks: John Casciano ended the conference by summarizing the goals and mission statement of the newly formed CCSA. Casciano advised that there would be four additional workshops in the area of critical infrastructure protection as well as two conferences this year. The organization is forming committees on research, membership, publication, programs, and finance and is looking for volunteers to support these activities. The success of the workshop efforts and of the Association as a whole relies on the participation of members. He also noted that NDU had offered its widely distributed and recognized Defense Horizons publication series as an outlet for CCSA publications. The workshop ended with Mr. Casciano reminding everyone that the nuclear age began with much scholarly input into the management of the science. The same should be possible for Cyber Conflict Infrastructure Challenges.
