As part of a response to growing government concern over the threat of cyber attacks directed against critical national infrastructures, the National Security Agency (NSA) contracted with Stanford University in 1998 to undertake a multi-track program to provide a forum, develop information, and analyze options for addressing this threat.
The Stanford program became known as CRISP (Consortium for Research on Information Security and Policy) and involved several university organizations (primarily, the Center for International Security and Cooperation, the Department of Management Science and Engineering, the Department of Computer Science, and the Hoover Institution). CRISP's work was considerably assisted by contributions from other academic and research institutions: the Sam Nunn School of International Relations and the College of Computing, both part of the Georgia Institute of Technology; many companies involved in information technology development and products; several U.S. government agencies; and people from other countries.
International Diffusion of the Internet
The longest CRISP project is the detailed, nation-by-nation assessment of the adoption of the Internet--one of the framing issues for the vulnerability of cyberspace. These studies examine the size, growth, makeup, and sophistication of the using community; the backbone infrastructure, exchanges, and ISPs; regulation and control; security; government attitude and forces for enlargement and change; and other factors that shape universal connectivity. The focus of the work during the course of this contract was on the Middle East and Asia. The results are presented in a series of reports and articles covering China, India (in press), Turkey, Pakistan, Nepal, the Persian Gulf, Thailand, and Bangladesh, and are augmented by several articles that outline the purpose and methodology of this research (see the accompanying list of publications).
Providing and Leading a Forum for Cyber Security Issues
At the time when CRISP was launched, cyber security at the level of a national concern was simply not on the screen of private infrastructure owners and commercial IT organizations. Stanford undertook to bring together representatives from these communities, academia, and the government to identify and engage the stakeholders, improve mutual understanding of the problem, and explore the issues and barriers to finding solutions. While our emphasis was on our local community, there were many participants from elsewhere, including from other countries. This process has continued over the three years of the program and, in our estimation, has been a useful part of the effort to create a national dialogue.
The results of these exchanges, augmented by analyses by Stanford personnel, are given in a number of reports (see Malpass et al., Workshop on Protecting and Assuring Critical National Infrastructure; Soo Hoo et al., Workshop on Protecting and Assuring Critical National Infrastructure: Setting the Research and Policy Agenda; Alderson et al., Workshop on Protecting and Assuring Critical National Infrastructure: Next Steps; Soo Hoo et al., Workshop on Regional Interest Group on Information Security: Sharing Information and Exploring Collaborative Opportunities; and Leiner and Drozdova, Critical Infrastructure: The Path Ahead XIWT Symposium on Cross-Industry Activities for Information Infrastructure Robustness).
Developing and Examining New Policy Directions and Being a Sounding Board for Government Plans
The protection of critical national infrastructure, particularly of the information infrastructure, poses many difficult public policy problems. The infrastructures are largely privately owned, and the owners are unaccustomed to thinking in terms of, let alone acting on, national security risks. There are limitations on government-industry cooperation, and where there is some degree of government regulation, it usually does not relate to cyber security. The IT industry that supplies the infrastructures' cyber systems has not found a robust market for security technology. And the medium for information transfer is borderless and overseen by volunteers, making it hard for unilateral national actions to be effective, and there is little applicable international law.
This environment has greatly slowed the government's efforts to formulate and implement a strategy for protecting critical infrastructure. In all of the CRISP work, we have examined these hurdles and explored policy options at levels from detailed to comprehensive to overcome them. These analyses are to be found in all of our publications, and are the focus of several (see, for example, Keller et al., The Effects of Information Technology on the Role and Authority of the Government; Lukasik, Public and Private Roles in the Protection of Critical Information-Dependent Infrastructure; and Lukasik, A Framework for the Formulation of National Strategies for Infrastructure Protection). We have also given consideration to the downside risk of controlling cyberspace too restrictively in the name of security (see Drozdova and Goodman, On Liberty in Cyberspace: Impact of the Internet on Human Rights, and Drozdova, Civil Liberties and Security in Cyberspace).
During the three years of our work, the government moved through a number of steps aimed at achieving an acceptable national strategy and implementation plan for strengthening the protection of critical national infrastructure. The CRISP participants, at the government's invitation, reviewed the drafts of some of these key documents and provided analyses and recommendations to enhance their effectiveness. These inputs were often conveyed directly in meetings, though some of the work was published (see Lukasik, Review and Analysis of the Report of the President's Commission on Critical Infrastructure Protection; and Lukasik et al., Review of the National Information Systems Protection Plan Version 1.0 March 5, 1999 Draft). In addition to reviews of the national level plans, we also worked directly with the Department of Defense and critiqued their internal plans for their contribution to the national effort.
Because cyber attacks can have their origins virtually anywhere in the world, and efforts to control them in most instances will require the cooperation of other states, CRISP undertook to explore the environment for such cooperation and to propose means to achieve it. There were three main areas of work:
First, the development of an international convention to control cyber crime, which involved a year-long project with the Hoover Institution and included inputs from many foreign contributors. The results are published as a CISAC report (Sofaer, Goodman, et al., A Proposal for an International Convention on Cyber Crime and Terrorism) and as a book now in press (Sofaer and Goodman, et al., The Transnational Dimension of Cyber Crime and Terrorism).
Second, in collaboration with the International Institute for Strategic Studies (London), the exploration, through meetings and exchanges of papers, of other states' approach to a strategy for protecting critical infrastructure against cyber attack, with focus on the UK, Canada, and Sweden. Much of this analysis is incorporated in an Adelphi Paper now in preparation (Lukasik, Goodman, and Longhurst (UK MOD), Strategies for Protecting National Infrastructures Against Cyber Attack).
And third, a recent dialogue organized by CRISP in Washington among government, industry, and the academic community on the potential roles and mechanisms for international cooperation to enhance protection against cyber attack, the results of which will appear in Putnam et al., Protecting Cyberspace: The International Dimension, now in preparation.
The Technology and Economics of Protection
What technology and system design can do to prevent, blunt, deter, or punish cyber attacks remains a key question, and was one of the central issues in a three-day international conference held under CRISP/Hoover auspices in 1999. The synopsis of these analyses can be found in Kahn and Lukasik, "Fighting Cybercrime and Terrorism: The Role of Technology," and Lukasik, "Current and Future Technical Capabilities," in the book The Transnational Dimension of Cyber Crime and Terrorism. Other work was reported by Brunner and Abrams, Information Warfare: Using Artificial Intelligence for Information Warfare Detection, and by Lukasik in Systems, Systems of Systems, and the Education of Engineers, and in Educating Designers of Complex Systems.
Companies, including infrastructure companies, view protection of their cyber systems from a business perspective. An important part of our workshops was devoted to understanding this economic imperative and its effect on the government's initiatives to encourage better security. The detailed work of Stanford's Kevin Soo Hoo has been a very useful addition to this endeavor (see Soo Hoo, How Much Is Enough? A Risk Management Approach to Computer Security).
Many of the questions and limitations on actions to enhance the protection of cyberspace turn on legal issues. The CRISP program was fortunate to have strong legal contributors. They have provided analyses that will be a valuable heritage of our program (see Greenberg et al., Old Law for a New World? The Application of International Law to Information Warfare; Goodman, Why the Police Don't Care About Computer Crime; Greenberg et al., Information Warfare and International Law; Grove, The U.S. Military and Civil Infrastructure Protection Restrictions and Discretion Under the Posse Comitatus Act; de Villiers, Technological Risk and Issue Preclusion: A Legal and Policy Critique; Grove et al., Cyber Attack and International Law; Goodman, Making Computer Crime Count; and de Villiers, Virus ex Machina Res Ipsa Loquitur).
The NSA contract ended on June 30, 2001. The product of the work is mainly in the form of written reports and articles that incorporate the results of many studies and the findings of a number of workshops.