U.S. military should leverage biometrics to secure critical infrastructure
U.S. defense secretary Leon Panetta has warned about the possibility of a catastrophic “cyber Pearl Harbor” attack against critical American infrastructure and strategic assets.
“A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” he said in an address to business executives in New York last week. “Such a destructive cyber terrorist attack could paralyze the nation.”
The secretary pointed to denial of service attacks that many large U.S. corporations have suffered in recent weeks, but also cited a more serious attack in Saudi Arabia. In that attack a sophisticated virus infected computers at the Saudi Arabian state oil company, ARAMCO.
Recent media reports have also indicated that Iranian hackers have attacked Bank of America Corp., Citigroup Inc. and JPMorgan Chase & Co. as part of a broad cyber warfare campaign targeting the United States over the past year. These attacks coincide with heavy economic sanctions placed on Iran’s government by the international community in order to pressure the country into halting its nuclear program.
The U.S. military has also noted that the country’s enemies have been targeting computer control systems that operate chemical, electricity and water plants, and guide transportation networks.
“We also know they are seeking to create advanced tools to attack these systems and cause panic, destruction and even the loss of life,” he said.
As a consequence, the U.S. military and intelligence establishment has taken steps to protect critical infrastructure. The army created a “Cyber Command” to plan, coordinate, integrate, synchronize and conduct activities to direct the operations and defense of specified defense information networks, and to prepare to, and when directed, conduct full spectrum military cyberspace operations in order to ensure US control of cyberspace.
According to a declassified document released by the U.S. Department of Defense in 2003 purporting to be an “information operations roadmap”, strategies to maintain control of critical infrastructure include the development of “tools on the information infrastructure to effectively monitor and manage networks.”
These tools would ensure that the American defense complex would be able to maintain critical network functionality and provide some protection to networks that had become central to commerce and critical infrastructure.
The military perceives electronic networks as a potential battleground, and has therefore devised plans to assume control over the entire environment. Indeed, a stated goal of the U.S. military is to “provide maximum control over the entire electromagnetic spectrum”, including electronic networks. The military wants to maintain maximum control in order to ensure its own command and control decision cycle superiority through private networks that provide reliable, seamless, and secure communications.
These networks, entitled the “Tactical Internet”, would provide for an integrated communications network in the battlefield, utilizing the same protocols and technologies that enabled the Internet. The Tactical Internet would also provide for the defense of critical infrastructure such as domestic transportation systems and energy generation and distribution systems.
In the event that total network control was not possible, the Department of Defense document reveals that, as a policy directive, the U.S. intends to be able to “disrupt or destroy the full spectrum of globally emerging communications systems, sensors, and weapons systems dependent on the electromagnetic spectrum”. In real terms, this means that the U.S. military wants to develop the capability to disable every telephone, every networked computer, and every radar system on the planet via computer network attack weapons.
The U.S. government's security apparatus also continues to heighten control through enhanced monitoring and advanced management tools. The government attempted to increase top-down control over network resources by implementing intermediary technologies that would assist its criminal justice and espionage requirements.
The National Security Agency (NSA) would patent a step-by-step internetworking method for geo-locating the logical network addresses that indicate where a network user is physically located. The patent, entitled “Method of Geo-locating Logical Addresses”, identifies and corrects the problem of verifying the accuracy of network addresses and passwords in the continuously developing, highly meshed Internet.
Further, to exercise total control over a network environment, the U.S. government itself proposed the creation of a separate, private network to protect its information technology assets. In response to the perceived threat of global terrorism and the danger it poses to U.S. information technology deployments, the government moved to establish a secure new network in 2001, dubbed “GOVNET”.
The network would use current Internet protocols, but access to it would be limited to communications between government agencies and other authorized users. According to the U.S. government proposal, the network would have no interconnection or gateway to the Internet or other public or private networks.
The General Services Administration (GSA) planned the network to be deployed as a completely dedicated network based on dedicated physical fiber pairs and full path diversity. This means that all hardware would be exclusively dedicated to the network, including all transmission equipment, routers, switches, multiplexing equipment, network management and control equipment. In addition, all management and operational personnel would be fully dedicated to the network in order to ensure required active defense measures, security of network management and control technologies, network capacities, security policies and security management requirements. The network in effect would be a parallel Internet, using its own dedicated telecommunication links.
Unlike the commercial Internet, however, the network would be subject to total enclosure in terms of access and security. In effect, the network would be the model intelligent network, specifically designed to ensure data priority, security, and service guarantees. According to the government’s proposal, the network would require that all data transported upon it be encrypted using high-level standards recommended by the NSA and that the network be immune to all forms of attacks, including worms, viruses and denial-of-service attacks. GOVNET would also provide commercial-grade voice communications capabilities within the network among specified users using the data network’s components and protocols. Voice services that were supported included conferencing and multicast and broadcast capabilities.
Designed not only to support day-to-day employee operations, GOVNET would also be utilized to provide protection to information systems that manage critical physical assets. GOVNET was designed to accommodate “digital control systems”, a category of computer and network systems that manage the delivery of key industrial services including electricity, water and transportation. While GOVNET was first proposed in 2001, it is evident that more such private infrastructure needs to be utilized to secure industrial infrastructure.
More critical assets should be privately networked and access should be granted only with the use of biometric identification or authentication. The use of biometric technology would also toughen up critical infrastructure security. Every human possesses more than one virtually infallible form of identification. Known as biometrics, examples include fingerprints, iris and retinal scans, hand geometry, and other measures of physical characteristics and personal traits. Advances in computers and related technologies have made this a highly automated process through which recognition occurs almost instantaneously. With concern about its information assurance systems and physical access control increasing, the military should continue to undertake assessments of how it can use biometrics to improve security of critical infrastructure installations.