
NATIONAL CYBER SYSTEMS INFRASTRUCTURE SECURITY REVIEW CONCEPT PAPER

TRUSTWORTHY & RESILIENT CYBER SYSTEMS SECURITY REVIEW


The U.S. national cyber systems infrastructure is comprised of the following system
components: (1) manufactured computer hardware; (2) manufactured and custom computer
software; (3) network servers, routers, and software; (4) the network infrastructure including
satellites, land lines, switching stations and data messaging protocols; (5) various levels of
information services (IS) and network administration; (6) human operators; (7) human and
machine receivers of data produced by the system; and (8) data stores that include the hardware,
software and the stored data accessible to the cyber system. This cyber systems infrastructure has
been built up piecemeal over the past 40 years, with the primary growth in the system over the
past 20 years. To be trustworthy and resilient to collapse, each system component must be
maintained and regularly replaced by a new upgrade of the system component (e.g. moving
from IPv4 to IPv6 minimum Internet protocols; 64-bit chip/OS architecture). Human operators
require ongoing training to be able to operate the cyber systems infrastructure securely.

THE PRIMARY SOURCES OF INSECURE CYBER SYSTEMS


The estimated ongoing operating and maintenance (O&M) costs and repair and replacement
(R&R) costs for the nation’s cyber infrastructure are $248 billion annually.1 On an annual basis,
the deferred O&M and R&R costs are approximately $126 billion. The size and ongoing nature
of these deferred investments in adequate O&M and R&R result in a highly vulnerable system
that is prone to compromise and partial system collapse for a variety of known and unknown
factors. Probabilistic annualized threat estimates of partial cyber system collapse are: mishaps
due to human error, 40%; deliberate attack on the national infrastructure, 30%; emergent
causes (black swans), 20%;2 and faults in the national electricity grid, 10%. Sources of threats
to the national infrastructure are global and follow a power distribution in number and severity
of system-related threats over time (i.e. only a few threats will be severe and large scale).

CYBER SYSTEMS SECURITY REVIEW FINDINGS

The network configuration (e.g. Internet or intranet connectivity) is not necessarily the
most vulnerable component of the U.S. cyber systems infrastructure. Total system vulnerability
results from the combination of the probability for disruption from each component
of the system. With their contributions to a probabilistic forecast of system disruption,
human operators, manufactured and custom computer software, and manufactured
computer hardware each contribute more relative vulnerability than does the network
infrastructure. Human operators often are inadequately trained and do not routinely perform
even minimal ongoing O&M to the software and hardware under their control or
use. Even with adequate O&M, some hardware and software is so out-of-date due to lack
of timely R&R that adequate security cannot be maintained. The fact that this outdated
hardware and/or software is connected to the network and that human operators may not
address even minimal O&M requirements creates a situation of heightened vulnerability
to other network users, whether this is a highly secured or unsecured network.

Lack of adequate investments in O&M and R&R is the primary limiting factor for protecting
the nation’s cyber infrastructure from mishaps, deliberate attacks, and collapses.
The opportunity cost of not making these annualized investments in adequate O&M and
R&R may result in an Incremental Capital Output Ratio (ICOR) that equates to a loss of
about $500 billion in GDP annually, on average.3

There is a statistically higher probability for catastrophic damage to sectors of the nation’s
economy from cyber system infrastructure collapse due to inadvertent system failures
than in deliberate malicious attacks against the national cyber systems infrastructure.

1 All numbers in this draft are placeholders, requiring additional analytical work for accuracy.

2 Emergent behavior is difficult to predict from an analysis of the system and its components.

3 A metric that measures the marginal amount of investment capital necessary for an improvement
in the national economy’s level of production efficiency.

LYLE A. BRECHT --- DRAFT --- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- Friday, June 12, 2009 PAGE 1 OF 6

Network vulnerability is exacerbated by out-of-date computer hardware, routers, and
operating system software being connected via an Internet based on out-of-date data messaging
protocols, user anonymity, and often user-choice of level of network security engaged.
Thus, practically speaking, the network’s vulnerability is often determined by the
lowest common denominator of capabilities determined by out-of-date computer hardware,
routers, operating system software, end-user training, and Internet messaging protocols.

The single greatest bang-for-the-buck from a cyber systems infrastructure perspective
would be to upgrade minimum Internet data messaging protocols to IPv6. However, with
this Internet upgrade all computers and routers connected to the Internet should be required
to be minimum 64-bit chip/operating system architectures. It is unlikely that for
the foreseeable future an affordable one-time fix to the national cyber systems infrastructure’s
vulnerabilities will be found. Successive waves of new technology will be required
to stay ahead of the curve to prevent inadvertent system failures and collapses due to malicious
attacks. Maintaining a less vulnerable national cyber system infrastructure requires
the capability and intention to rapidly adopt new technology and maintain minimum
network connectivity standards. Normal new technology adoption cycles are typically 15-30
years. A great deal of additional security could be established if these technology adoption
cycles were reduced to 7-10 years for system components of the national cyber systems
infrastructure.

However, the inherent vulnerability of the U.S. national electricity grid to disruption or
shutdown from powerful solar storms4 and EMP (electromagnetic pulse) attack,5 owing to
inherent system design limitations, as well as from human error, introduces another
significant level of risk.6 The national cyber system infrastructure relies on clean, dependable
electricity sources to function at all.

RECOMMENDATIONS TO UPGRADE THE SECURITY OF THE NATIONAL CYBER SYSTEM INFRASTRUCTURE

Implement the National Unified Smart Grid Initiative. This will bring the U.S. electricity grid
up to standards necessary to withstand powerful solar storms and EMP (electromagnetic
pulse) attack disruption or shutdown, to reduce transmission losses, and to enable lower
EROI (energy return on investment) energy sources that reduce GHG (greenhouse gas)
emissions to be connected to the national grid.

Set up a national Internet Connectivity Registry and require an annual connectivity fee be
paid either by user or by connection device. Set standards for all Internet connectivity, e.g.
require all connection devices to be capable of IPv6 data protocol operations. Provide rebates
of the annual connectivity fee to all users who upgrade their hardware and software
to IPv6 compatibility. Every two years, add additional connectivity standards that reduce
system vulnerabilities. Continue to provide connectivity fee rebates to those users who
upgrade their cyber systems technology.

Set up the National Cyber Systems Threat Center in the ODNI to set standards and fee.

4 The consequences of a future solar storm like the Carrington Event of August-September
1859 are extensive and involve a range of potential economic impacts not unlike a major Force
5 hurricane or tsunami that could cripple the present national electricity grid for an extended
period. See National Research Council, “Severe Space Weather Events--Understanding Societal
and Economic Impacts Workshop Report” (NASA, 2008).

5 See Dr. William R. Graham, et al., “Report of the Commission to Assess the Threat to the
United States from Electromagnetic Pulse (EMP) Attack, Volume 1: Executive Report (2004).”

6 The national grid, 164,000 miles of high-voltage transmission lines and 5,000 local distribution
networks, is outdated, highly vulnerable, inefficient, and unsuitable for fluctuating renewable
power sources.


TO: MELISSA HATHAWAY
FROM: LYLE BRECHT (LBrecht@gmail.com - 410.963.8680)
DATE: FRIDAY, JUNE 12, 2009
SUBJECT: CYBERSPACE POLICY REVIEW MEMORANDUM

Melissa, thank you and your team for assembling an excellent report. Many
in government and the private sector do not yet realize that we now have the
possibility of threats not just from weapons of mass destruction, but from
knowledge-enabled mass destruction (KMD) weapons. Cyber weapons are
potentially so powerful that accidents, abuses, and deliberate malicious attacks
are capable of producing circumstances whereby, for example, instead
of global GDP going from $60 to $240 trillion (in $2005 purchasing power
parity) by 2050, it declines to $6 trillion. Your report and its recommendations
move us in the direction of addressing this new threat (and global networked
information society opportunity). Thank you!

From this vantage, the report, however, may not highlight in sufficient detail
three areas of concern and potential for high level policy coordination across
the cyberspace domain:

Military Use of Cyberspace. You may have seen the NYT article on May
28th, “Pentagon Plans New Arm to Wage Wars in Cyberspace.”7 What
caught my attention is the notion that cyberspace is considered just another
war-fighting domain by the Pentagon: e.g. “We need to be able to
operate within that domain just like on any battlefield, which includes
protecting our freedom of movement and preserving our capability to
perform in that environment.” While the blowback from such loose ‘calculated
ambiguity’ talk may be unwanted (e.g. loss of credibility and
needed cooperation with the private sector and another very expensive
arms race, this time in cyberspace), there are two conceptual problems
with this approach to cyber defense/warfare:

With cyber weapons, there presently is no countervailing strategic
‘game’ doctrine for cyberspace, like MAD (mutual assured destruction),
that has the potential to actually ‘deter’ First Use. The notion
that the doctrine of nuclear deterrence can be retrofitted and used to
deter cyber attacks is absurd.8 Because cyberspace threats can be initiated
easily by privatized transnational groups, without the knowledge
of national governments by rogue elements within the state, and
the originating location of the attack readily masked and even transposed
to a predetermined DNS, the threat of nuclear armageddon in
response appears both unwarranted and unproductive;

7 http://www.nytimes.com/2009/05/29/us/politics/29cyber.html?_r=1&th&emc=th

The notion of attacks and counterattacks in the digital environment
is not directly transferable from the analogue environment of conventional
war fighting. For example, the development and deployment
of offensive weapons in cyberspace have a higher probability of
mimicking HIV, i.e. the release into the environment of a wild-strain
retrovirus that cannot be effectively inoculated against, than of deterring
attacks or ‘punishing’ supposed attackers;

NSA Use of Cyberspace. My concern is the NSA move from passive listening
to communication signals (analogue and digital) and data mining
to an active gathering of data in cyberspace through the use of digital
agents released into the wild. While I recommended the use of digital
agents across the data sets owned by the intelligence community post 9/11
to address certain information pooling problems,9 there is a potential
problem with the use of such digital agents to collect data across all of
cyberspace. The potential for a serious problem is in the capture of the
digital agent by a hostile force and the alteration of the code to infect NSA
data stores, as well as other government or private sector data stores.
With the potential for self-replication, and modification of basic code sets,
once these sophisticated agents are released in the wild, it may not either
be affordable or feasible to turn them off easily;

8 Gen. Kevin Chilton, the head of U.S. Strategic Command, said “I think you don’t take any
response options off the table from an attack on the United States of America,” Chilton said.
“Why would we constrain ourselves on how we respond?.... “I think that’s been our policy on
any attack on the United States of America.... “And I don’t see any reason to treat cyber any
differently.” (“U.S. General Reserves Right to Use Force, Even Nuclear, in Response to Cyber
Attack,” Global Security Newswire May 12, 2009).

9 Unclassified:
http://www.scribd.com/doc/9862402/Homeland-Security-Data-System-Schematic-August-2002

Lack of a Clearly Articulated Process to Develop Capital Budgets for Protecting
Cyberspace. In the report, you make a solid case for a central coordinating
function in the White House, and the President has wisely decided
to appoint this coordinator. However, what concerns me is the
process whereby budgets are decided and funds employed to implement
policy across multiple, often competing jurisdictional boundaries. What I
am imagining is a PRA (probability risk assessment) methodology applied
across the cyberspace domain that helps to establish high level policy
discourse to set budget priorities analytically.10 But, maybe more importantly,
my hope is that the use of PRA across the entire cyberspace
domain will highlight private sector capital investment requirements and
spur federal policy that supports making these investments in a timely
fashion.11 Otherwise, my concern is that the policy coordinating function
will fail against agency budgeting by the politically powerful for ideas
that are topical (or popular), the private sector will be left to their own
devices, and we will be in reactive mode as crises (real or perceived) materialize.
As outlined in my previous brief that I sent you for the 60-day
review,12 my suspicion is that if a PRA was performed for the cyberspace
domain, we would discover that:

~90% of cybersecurity resides in the private sector and the task will be
to establish policies that promote rapid technology adoption and capital
investment at scale;

more than 80% of the annual $20 billion military budget for cyber
warfare might be best allocated toward defensive cyber weapons and
much of that should be allocated to infrastructure upgrades and end
user training. Thus, much of the cyber warfare outsourcing work by
the Pentagon may not be well formulated nor money well-spent;

the greatest Achilles heel to cyberspace may be the current design and
physical shape of the national electricity grid, problems that will not
be solved by Band-Aids, and that the grid’s digital switches need to
be secured not only from anomalies, but also from solar storm spikes
and EMP in order to be secure;

10 Probabilistic Risk Assessment (PRA) is an analytical process that begins with two system
design counterfactuals: (1) the magnitude (severity) of the potential adverse consequences of
system failures; and (2) the likelihood (probability) of the occurrence of each potential consequence.
The objective is not as a predictive exercise, but as a disciplined descriptive process
that may identify and highlight budget requirements for a secure national cyberspace environment.

11 My thought is that strategic policy analysts such as at BAH and SCIC might be able to perform
this work.

12 Unclassified:
http://www.scribd.com/doc/12659947/National-Cyber-Systems-Security-Review-Discussion

we probably do not yet have our arms around the full range of large
scale structural risks of cyberspace.13 Essentially, it’s like 1980 and the
USEPA has noticed that enforcement of NPDES permits for point
source pollution is not producing clean water. The bigger problem
than the 40,000 point source attacks in cyberspace, is non-point
pollution-like potential for system collapse from Black Swan-like
sources, an emergent problem based on that we are dealing with a
complex system whose behavior and expression of full properties over
time are non-linear. Thus, many of the policy frameworks, policy coordination,
and cyberspace protective initiatives identified or proposed
in the Report do not go far enough to address the threats to cyberspace
that may/will be encountered over time.

Melissa, I hope that some of this might be helpful to you and whomever becomes
the White House cyberspace security coordinator as you recommend
in your report.

Lyle Brecht

13 A recent example of not addressing structural risk is the use of CDO (collateralized debt
obligations) financial instruments by Wall Street. These instruments’ individual risk was hedged
via complex, financially engineered derivatives, but the structural risk to the entire CDO market
was not managed. Thus, the Federal government has pledged, lent, provided guarantees,
and provided tax relief to the tune of $12,800 billion since 2008, and the collapse of the CDO
market has produced $50,000 loss of value in financial assets worldwide to date.
