|
27 February 2002
George W. Bush
President of the United States
The White House
1600 Pennsylvania Avenue, NW
Washington, DC 20500
Mr. President,
Our nation is at grave risk of a cyber attack that could devastate
the national psyche and economy more broadly than did the September 11th
attack. We, as concerned scientists and leaders, seek your help and
offer ours. The critical infrastructure of the United States, including
electrical power, finance, telecommunications, health care,
transportation, water, defense and the Internet, is highly vulnerable to
cyber attack. Fast and resolute mitigating action is needed to avoid
national disaster. We urge you to act immediately by former a
Cyber-Warfare Defense Project modeled in the style of the Manhattan
Project.
Consider the following scenario. A terrorist organization announces
one morning that they will shut down the Pacific Northwest electrical
power grid for six hours starting at 4:00 PM; they then do so. The same
group then announces that they will disable the primary
telecommunication trunk circuits between the U.S. East and West Coasts
for a half day; they then do so, despite our best efforts to defend
against them. Then, they threaten to bring down the air traffic control
system supporting New York City, grounding all traffic and diverting
inbound traffic; they then do so. Other threats follow, and are
successfully executed, demonstrating the adversary's capability to
attack our critical infrastructure. Finally, they threaten to cripple
e-commerce and credit card service for a week by using several hundred
thousand stolen identities in millions of fraudulent transactions. Their
list of demands is then posted in the New York Times, threatening
further actions if their demands are not met. Imagine the ensuing public
panic and chaos. If this scenario were to unfold, Americans everywhere
would feel that our national sovereignty had been compromised; we would
wonder how, as a nation, we could have let this happen.
Mr. President, what makes this scenario both interesting and alarming
is that all of the aforementioned events have already
happened, albeit not concurrently nor all by malicious intent. They
occurred as isolated events, spread out over time; some during various
technical failures, some during simple (government-sponsored) exercises,
and some during real-world cyber attacks. All of them, however, could be
effected through remote cyber attack by any adversary who so chooses,
whether individual or state-sponsored. The resources required are modest
-- far less than the cost of one army tank. All that is required is a
small group of competent computer scientists, a few inexpensive PCs, and
Internet access. Even the smallest nation-states and terrorist
organizations can easily muster such capabilities, let alone
better-organized groups such as Al Qaeda.
Many nations, including Iran and China, for example, have already
developed cyber-offense capabilities that threaten our economy and the
economies of our allies.
There is no doubt that such a serious national vulnerability is a
real and present danger. This has been affirmed by a number of
distinguished bodies, including the President's Commission on Critical
Infrastructure Protection (1997), the National Academy of Sciences
(Computers at Risk, 1990; Trust in Cyberspace, 1999), and the U.S.
Defense Science Board on Information Warfare Defense (1996, 2000).
The consequence of successfully exploiting these vulnerabilities
would be significant damage to the U.S. economy, degraded public trust
with concomitant long-term retardation of economic growth, degradation
in quality of life, and a severe erosion of the public's confidence that
the government can adequately protect their security. We have seen the
amplification effects, on our economy and on public apprehension, from a
single event such as the World Trade Center and Pentagon attacks.
Aggregate damages resulting from amateur cyber attacks (e.g., 1998
Internet Worm, Melissa Virus, I-LOVE-YOU virus, Code Red Virus and the
Nimda virus) are estimated to have been $12 billion for the year 2001
alone. Extrapolating from this, a professionally-executed, coordinated
cyber attack on our national critical infrastructure could easily result
in a 100-fold amplification -- 10-fold from being
professionally-executed and another 10-fold from indirect e-commerce
suppression effects. In terms of a dollar value, this could amount to
several hundred billion dollars in damage to the U.S. economy. Moreover,
some community experts and reports (such as those cited above) estimate
a high probability of a serious attack on U.S. critical infrastructure
within the next few years.
The goal of our proposed Manhattan-style undertaking would be to
create a national-scale cyber-defense policy and capability to prevent,
detect, and respond to cyber threats to our critical infrastructure. We
mean Manhattan-style in several senses: national priority, inclusion of
top scientists, focus, scope, investment, and urgency with which a
national capability must be developed. To prevent attacks, we need a
coordinated effort to work with our critical-infrastructure providers in
defending their most critical information systems. To detect attacks, we
need to permeate our critical networks with a broad sensor grid imbued
with the capability to detect large-scale attacks by correlating and
fusing seemingly unrelated events that are, in fact, part of a
coordinated attack. To respond to attacks, we need to devise strategies
and tactics to pre-plan effective actions in the face of major
cyber-attack scenarios; we need to augment our national infrastructure
with mechanisms that support the defined strategies and tactics when
attacks are detected and verified. We believe that all this can be done
with a close partnership between the public and private sectors while
maintaining sensitivity to public concerns about privacy and fairness,
consistent with American values and laws. The result should be a
resilient critical infrastructure that is resistant to cyber attack,
plus next-generation technology which enables our critical
infrastructure to be more easily secured. Given private-sector economic
realities, our nation's economy and well-being will continue to rely on
the existing vulnerable infrastructure for the indefinite future, unless
strong government investment leads the way.
The proposed Manhattan-style cyber-defense project will cost a
fraction of the expense we will incur from a single major cyber attack.
We estimate the project would require an investment of $500 million per
year initially, and could reach the billion dollar level in the
out-years. The project would run over the course of five years to create
a national-scale initial operating capability no later than year three,
and more advanced defensive and offensive capabilities by year five. We
recommend that you appoint a small board of top computer scientists and
engineers to work out the details of a plan, and set the plan in motion
within ninety days. The plan should include an appropriate balance
between engineering and focused research to support the national
capability and the policy, laws, and procedures that would be needed to
deploy and support the cyber-defense technology.
The clock is ticking. We look to you, as America's leader, to act on
behalf of the nation. Your conscientious and effective defense of our
physical homeland should extend into the increasingly vital frontier of
U.S. cyberspace. We anticipate that the nation will fully endorse and
even expect this forward-thinking and courageous action in the face of
such a major threat to national security. We stand ready to help in any
way we can in taking this very important next step to defend our
country.
Very respectfully,
[signed]
|
O. Sami Saydjari
Founder Cyber Defense Research Center
Former Information Assurance Program
Manager, DARPA
Former Fellow, National Security Agency
Dr. Robert Balzer
Chief Technology Officer
Teknowledge Corporation
Terry C. Vickers Benzel
Vice President of Advanced Security Research
Network Associates, Inc.
Thomas A. Berson, Ph.D.
Principal Scientist, Palo Alto Research Center
Past-President, International Association for Cryptologic Research
Past-Chair, IEEE Technical Committee on
Security and Privacy
Bob Blakely
Chief Scientist, Security and Privacy
IBM Tivoli Software
Seymour E. Goodman
Professor of International Affairs and Computing
Co-Director, Georgia Tech Information Security Center
Georgia Institute of Technology
Dr. J. Thomas Haigh
Chief Technology Officer
Secure Computing Corporation
Walter L. Heimerdinger, PhD
Patrick M. Hughes
Lieutenant General, U.S. Army, Retired
President, PMH Enterprises LLC
Former Director, Defense Intelligence
Agency
Former Director of Intelligence (J-2),
Joint Chiefs of Staff
Stephen T. Kent
Chief Scientist -- Information Security
BBN Technologies -- A Verizon Company
(member of "Computers at Risk" & "Trust
in Cyber Space" NRC committees)
Angelos D. Keromytis
Assistant Professor,
Computer Science Dept.
Columbia University
Dr. Marvin J. Langston
Deputy Chief Information Officer,
Department of Defense, 1998-2001
Director Information Systems Office,
Defense Advanced Research Projects
Agency, 1997-98
Chief Information Officer, Department of
Navy, 1996-1997
Karl N. Levitt
Professor of Computer Science
Director of the UC David Security
Laboratory
Department of Computer Science
University of California, Davis
Marcus Ranum
Chief Technology Officer
NFR Security, Inc.
Jaisook Rho
Principal Computer Scientist
Network Associates, Inc.
Dr. Arthur S. Robinson
President, System/Technology
Development Corporation
Formerly Technical Director of RCA
R&D for U.S.N. Aegis Weapons Systems
S. Shankar Sastry
Professor and Chair, Department of Electrical Engineering and Computer Sciences
Formerly, Director, Information Technology Office, DARPA, US DoD | |
Salvatore J. Stolfo
Professor of Computer Science
Columbia University
Dr. Curtis R. Carlson
Chief Executive Officer
SRI International
George Cybenko
Dorothy and Walter Gramm Professor
Thayer School of Engineering
Dartmouth College
John C. Davis
Director of Information Security
Mitretek Systems Inc.
Former Commissioner on PCCIP
Former Director of NCSC/NSA
Matt Donlon
Former Director, Security and Intelligence Office
Defense Advanced Research Projects
Agency
Patrick Lincoln
Member of Defense Science Board Panels
2000-2001
Director, Computer Science Laboratory
SRI International
John H. Lowry
Division Engineer
Technical Director for Information Security
BBN Technologies/Verizon
Stephen J. Lukasik
Consultant, Science Applications
International Corporation
Former Director, Department of Defense Advanced Research Projects Agency
Former Chief Scientist, Federal
Communications Commission
David Luckham
Research Professor of Electrical
Engineering
Stanford University
Dr. Joseph Markowitz
Robert T. Marsh
General, USAF (Retired)
Former Chairman, President's
Commission on Critical Infrastructure
Protection
Terry Mayfield
Institute for Defense Analyses
J.M. McConnell
Former Director, National Security Agency
John McHugh, PhD
Carnegie Mellon University
Fred B. Schneider
Professor of Computer Science and
Director of Cornell/AFRL Information
Assurance Institute
Gregg Schudel
Formerly, Senior Engineer and Manager
of Experimentation, DARPA
Information Assistance Program
Larry J. Schumann
President, EnterpriseTec, Inc.
Member of the President's National
Security Telecommunications Advisory
Committee (1996-2000)
Jonathan M. Smith
Professor
Computer and Information Science Department
University of Pennsylvania | |
Roy A. Maxion, Ph.D.
Director, Dependable Systems Laboratory
Computer Science Department
Carnegie Mellon University
David J. Farber
Moore Professor of Telecommunications and Professor of Business and Public Policy
University of Pennsylvania
Richard J. Feiertag
Manager of Strategic Planning
NAI Labs, Security Research Division
Network Associates, Inc.
Edward A. Feigenbaum
Kumagai Professor of Computer Science
Emeritus
Stanford University, and
Chief Scientist, United States Air Force
(1994-97)
Dr. Tiffany M. Frazier
Director, Advanced Computing
Alphatec, Inc.
Roderick A. Moore
Systems Engineer
Former National Security Council Staff
Pres. Reagan and Pres. Bush
Administrations
Dr. Charles L. Moorefield
Board Chairman,
Alphatech, Inc.
Peter G. Neumann
Computer Science Lab
SRI International
Dr. Clifford Neuman
Sr. Research Scientist and Associate Division Director -- Computer Networks Division
Information Sciences Institute
University of Southern California
E. Rogers Novak, Jr.
Managing Member
Novak Biddle Venture Partners
Allen E. Ott
Orincon Information Assurance
President
Dr. Michael Paige
Former Director, Xerox PARC
Dr. Vern Paxson
Senior Scientist, International Computer Science Institute
Staff Scientist, Lawrence Berkeley National Laboratories
Phillip A. Porras
Program Director
System Design Laboratory
SRI International
Laura S. Tinnel
Deputy Program Manager and Research
Scientist
Information & Systems Assurance Group
Teknowledge Corporation
J. Douglas Tygar
Professor of Computer Science and Information Management
University of California, Berkeley
J. Kendree Williams
Chief Technology Officer
Zel Technologies, LLC
CDR, USN (Ret)
R. James Woolsey
Director of Central Intelligence, 1993-95
Larry T. Wright
Chairman, Defense Science Board
Task Force on Defensive Information Operations
2000-2001 |
| |
