Does this, however, make the protection of the NII a matter of national security? Yes, to some extent.

• The more a nation depends on the integrity of its information infrastructure, the more it can be held at risk by attacks there. The threat of information warfare's massive disruption has been posited as a potential successor to nuclear warfare's massive destruction. A milder variation holds that an asymmetric competitor may keep the U.S. out of its backyard (and thus stymie our advantage at conventional warfare) by holding the NII at risk.

• Information warfare is terrorism writ less bloody but with wider effect. As the U.S. to bad people it is even more porous to bad bitstreams. A phone or E-mail connection suffices to access a wide variety of computers, hop-scotching from one node to another until an important vulnerability is found and exploited. Because the risk of detection is low and the risk of apprehension and punishment is even lower, a cyberspace attack is relatively cheap and risk-free.

• The DoD is growing dependent on the NII (95 percent of its communications go outside its own systems at some point) as its assets are repatriated and off-the-shelf becomes the rule. An unprotected infrastructure permit foes to undermine conventional military operations.

Systems abuse comes in many forms. Some are commonplace; they rely on normally present motivations (e.g., greed, thrills) and are no more than a high-tech version of carjacking and joyriding. Others are uncommon, difficult to anticipate, and serious. Systems owners can be normally expected to protect themselves against commonplace threats whose future probability and patterns can be predicted from their past. Uncommon but nonetheless serious threats are less likely to be watched for because they arise from less commonly acted-on human motives.

Deliberate systems abuse, many of which could be hacker attacks, comes in roughly six forms:

• theft of service (e.g., cellular phone call fraud),

• acquisition of objective data (e.g., research results),

• acquisition or alteration of subjective data (e.g., a person's credit history),

• theft of assets (e.g., embezzlement),

• corruption of data in storage or motion (e.g., sabotage), and

• disruption of information services (e.g., telephony) or attached services (e.g., electric power distribution) for its own sake or for secondary purposes (e.g., corrupting medical data to hurt individuals, seeking control for the purpose of blackmail).

The first four types of attacks are or could be commonplace because they can be undertaken by individuals with something to gain. Because greed is eternal, for instance, the motive for breaking into and robbing a bank is everpresent. Ditto for stealing services. Threats against individuals (see the 1995 movie, "The Net"), although a potential tool of guerilla war, are more likely to be motivated by private grudges and gripes. A fourth case, stealing objective data, is the high-tech version of protecting classified information -- something the DoD already takes seriously every day.

The last two, corruption and disruption, best characterize the unexpected and malevolent nature of information warfare. Attackers require an external goal, and, for the most part, a concerted strategy and the time to carry it out.

Systems that face a known threat pattern (and whose owners would bear most or all of the cost of an attack) can determine an optimal level of protection. There is no reason to believe that they provide less protection against information attacks than they do against other threats to their well-being (e.g., shoplifting, embezzlement, customer lawsuits). The real worry is an attack that rarely is seen in the background environment -- and thus one for which there is less natural protection.

Systems can generally be attacked in one of three basic ways: (1) through corrupted system hardware or software (2) by using an insider, or (3) by external hacking -- plus combinations thereof (e.g., having an insider reveal vulnerabilities that facilitate subsequent hacking). An information infrastructure can also be attacked through physical means (e.g., jamming, microwaves, shot and shell) but only for the purpose of physical denial and associated blackmail. Such attacks require on-site presence and as such are considered akin to acts of well-understood terrorism. They carry far greater risks for the user.

The first, corrupted hardware or software, may be epitomized by the myth of the rogue employee of a U.S. microprocessor firm queering some circuits in every PC chip which then goes bad simultaneously just when most needed. How to ensure simultaneity without premature discovery is never explained. A slightly more plausible threat is a planted bug in a specific system (e.g., a computer that is disabled by an external signal or other preset conditions).

Even though many computer systems run with insufficient regard for security, they can nevertheless be made quite secure. The fundamental theory is that protection is a point to be sought on a two-dimensional space (see table 1). One dimension is the degree of access: from totally closed to totally open. A system that secures itself only by keeping out every bad guy will make it difficult or impossible for good guys to do their work. The second dimension is resources (money, time, attention) versus sophistication. A sophisticated system keeps bad guys out without keeping so many good guys out and visa versa.

Security Choices   Scrimp on Security   Spend on Security

Tighten Access     Users are kept out   Users can get in
                   out or must alter    with effort, but
                   their work habits.   no hackers can

Loosen Access      Systems are          Users can get in
                   vulnerable to        easily but most
                   attack.              hackers cannot.

To start with the obvious method, a computer system that receives no input whatsoever from the outside world ("air-gapped") cannot be broken into (and no, one cannot spray a virus into the air in the hopes that a computer acquires it). If the original software is trusted (and the National Security Agency [NSA] has developed multilayer tests of trustworthiness), the system is secure (efficiency aside). Such a closed system is, of course, of limited value but for some systems the benefits of freer access are more than outweighed by even the small chance of security vulnerabilities (e.g., nuclear systems).

The challenge for most systems, though, is letting them accept external input without putting important records or core operating programs at risk. One way to prevent compromise is to handle all inputs as data to be parsed (a process in which the computer decides what to do by analyzing what the message says) rather than as code to be executed directly. Security then consists of ensuring that no combination of computer responses to messages can affect a core operating program, directly or indirectly (almost all randomly generated data tend to result in error messages when parsed). To pursue a trivial example, there are no button combinations whose pressing will insert a virus into an automatic teller machine.

Although important computer systems can be secured against hacker attacks at modest cost, that does not mean that they will be secured. Increasingly common and sophisticated attempts may be the best guarantor that national computer systems will be made secure. If the absence of important incidents lulls systems administrators into inattention, entr‚e is created for some group to launch a broad, simultaneous, disruptive attack across a variety of critical systems. The barn door closes but the horses are gone. For this reason, a sequence of pinpricks, or even a steadily increasing crescendo of attacks is the wrong strategy for an attacker; it creates its own inoculation. Strategic effectiveness requires that a nation's infrastructure be attacked in force all at once. No such attack has ever happened, but as of 6 December 1941, no country had every been attacked across the Pacific Ocean either.

A key distinction needs to be made between a purposeless attack and a purposeful one. The problem with Japan's attack on Pearl Harbor was not so much sunk ships and dead sailors as it was U.S. strategic immobility while Japan conquered large chunks of Southeast Asia and Oceania. An attack on the NII which leaves an opening for strategic mischief is of far greater note than one which does merely causes damage. A strategic motive for a Digital Pearl Harbor could be to dissuade United States from military operations (e.g., against the attacking country), or hinder their execution by hindering a mobilization, deployment, or command-and- control.

How much damage can a Digital Pearl Harbor cause? Suppose that hackers could shut down all phone service (and, with that, say, credit card purchases) nationwide for a week. The event would be disruptive certainly and costly (and more so every year), but as long as recovery times are measured in hours or even days they are

Because even the privately owned NII is, in some sense, a public resource, a role for the Government is not entirely unwarranted. But this role must be carefully circumscribed and focussed. This section makes ten suggestions.

This section details what is more important: seven things to avoid.

1. Avoid harping on information warfare to the extent that warfare becomes the dominant metaphor used to characterize systems attacks (much less all systems failures). Porting the precepts of inter-state conflict to computer security tends to remove responsibility for self-defense from those whose systems have been attacked. It is not at all obvious that protection from attacks in cyberspace should be yet one more entitlement.

Why? Promoting paranoia is poor policy -- especially when systems still crash often enough on their own. Once something is called war, a victim's responsibility for the consequences of its acts dissipates. A phone company that may have to recompense customers for permitting hackers to harm service should not be able to claim force majeure because it can argue that it was a war victim. Characterizing hacker attacks as acts of war also creates pressure to retaliate against hackers real or imagined. Reasonable computer security is not so expensive that the United States should be forced to go to war to protect its information systems. If, though, the United States needs an excuse to strike back (say, to forestall nuclear proliferation), the supposition that the target has sponsored information terrorism can be summoned as needed.

2. Don't waste much more effort on traditional intelligence collection for hacker warfare. Crime requires means, motives, and opportunity. Means -- cadres of hackers with some access to connectivity (e.g., not sitting in Pyongyang) -- may be easily assumed. Sixty percent of all Ph.Ds awarded in computer security by U.S. universities went to citizens of Islamic or Hindu countries. Put some effort into motive, to understand plausible patterns of attack by other nations (so as to know what needs security work most urgently). Spend the rest of the time on opportunity, which is to say, finding vulnerabilities so that they can be fixed.

Will 21st century warfare consist of alternating attacks on enemy information infrastructures? Such an attack may happen -- even if its perpetrators may come to understand how little is to be gained and how much is to be lost by doing so. The more important point is that they need not happen if a modicum of attention -- and that probably suffices -- is paid to the possibility.

So, who should guard the NII? If it's yours, then you should. The alternative is to have the Government protect systems, which, in turn requires knowing the details of everyone's operating systems and administrative practices -- an alternative which, even if it did not violate commonly understood boundaries between private and public affairs, is anyway impossible. Forcible entry in cyberspace does not exist -- unless misguided policy mandates it.