A platform for recovering from Cyber-Terrorism

Dr. B. Clifford Neuman
University of Southern California
Information Sciences Institute

April 18, 1999

DRAFT

A white paper submitted for the Workshop on Countering Cyber Terrorism

A major concern in any effort to recover from a cyber-terrorist attack is protecting the platform from which recovery can be initiated. The vulnerability of our systems today is a direct consequence of the need for accessibility to the public at large; this accessibility is necessary for the kinds of electronic commerce that are becoming commonplace on the internet.

A goal of a cyber-terrorist attack is to disrupt the efficient and routine function of a community. This goal is achieved through either successful attacks against the infrastructure, or through imposition of requirements for countermeasures against such attacks where the countermeasures are themselves disruptive and prevent efficient function of the community.

A major difficulty in effectively deploying computer security solutions is that many attacks have characteristics that can't be effectively distinguished from legitimate activities. Employing countermeasures against such attacks have a secondary effect of limiting the kinds of legitimate activities that can be used through a computer network, satisfying one of the terrorist's goals. There is also legitimate resistance to deploying such countermeasures on a continual basis because of the negative effect on legitimate activities.

While we would like to impose as few limits on the use of the network for legitimate activities, there is a serious concern that a successful attack on the network infrastructure would immediately prevent all legitimate network activities, and that it would also affect the resources needed to respond to and recover from the attack.

The problem then is to balance these conflicting goals, allowing legitimate network activity in all its forms, while making it possible to respond to and prevent attacks against the network itself. An important part of any network security activity should involve securing the end systems and end networks (the intra-nets connected through the Internet). There are many tools that can be used for this purpose, and continued work on these tools is warranted.

As one moves closer to the end systems, one gains a better perspective on the nature of legitimate network activities involving a node or set of nodes, and this information can help tailor the countermeasures to fit the expected use of the system. As one moves up in the network, however, one knows less about legitimate activities related to end systems, and one should be less willing to impose constraints on such activity.

An overlay network for management and recovery

If we hope to protect the network infrastructure from attack, and provide a means to recover from network wide attacks, we must constrain the legitimate activities affecting the infrastructure. To do this without imposing constraints on the activities using the infrastructure, we must create a separate control structure for the network that is simpler than the applications that are end users of the network. One way to do this is to create a virtual overlay network for use in controlling the infrastructure.

This overlay should have guaranteed bandwidth to isolate it from denial of service attacks mounted from outside the overlay. The kinds of operations affecting the control overlay itself should be limited, and draconian security policies on such operations enforced. Encryption must be employed and the machines capable of controlling this overlay must not be accessible from the open network (let's discuss whether this limitation applies also to access from the secure overlay network). Because we know the intended activities on this overlay network, it becomes easier for us to impose security policies that are consistent with these activities.

In exploring the creation of such an overlay network, we should discuss the functions to be supported on that network. I would include among these activities distribution of new attack countermeasures to end systems outside the overlay. All hosts should be able to monitor the unencrypted but digitally signed traffic on this overlay and should be able to authenticate this traffic and distinguish it from messages on the open network. Organizations with suitably protected systems should be able to send messages downstream through the overlay.

Because normal control operations on networks are highly distributed in nature and often don't orginate from within controlled environments, such operations may be enabled by commands through the overlay, but will not originate from within the overlay itself. Instead, these operation will typically be managed from hosts outside the overlay with appropriate security measures applied. In the event that these security measures are defeated, this will enable to isolation of compromised control centers.

While activities on the control overlay will be greatly constrained, less constrained control activities may be supported through the primary network as long as the network nodes protect the overlay from disruption. Even active network technologies could be deployed in network nodes (with suitable security for updates from the outside) so long as the control overlay is protected by the network nodes from any security breach in the active network control mechanisms. In the event of such a breach, the control network overlay could be used to recover.

Workshop discussion

The creation of such an overlay should be a topic for discussion at the workshop. Among the issues to be considered are what activities should be supported through such an overlay, how to secure the systems that will use the overlay to initiate recovery from network attacks, and what kinds of policies and mechanisms would allow the use of such an overly across administrative domains where no single organization should have the authority to control the entire network.