Secure Data Centers For America A SOLUTION TO

Transcription

1 Secure Data Centers For America A SOLUTION TO A HOMELAND & NATIONAL SECURITY THREAT AGAINST CRITICAL INFRASTRUCTURE AND KEY RESOURCES IN STATE AND LOCAL GOVERNMENTS By Ralph R. Zerbonia and Universe Central Corporation NOTE: This was part of a project planning document I wrote in December 2006 and began using to try and launch a project to attack the problem discussed. It is the text and notes from the selected items in the table of contents, essentially the definition of the problem, our suggested solution and project steps with early preliminary budget figures. I have removed certain portions relating to the partners (of the project) at the time and the letters of support we received in pursuing the concept. In short, due to what is referred to as local control I discovered that the project was untenable and it became defunct without my personal involvement. This document is available only as a warning for what may be. Times have changed since it was written and some very fine work has been done. I am no longer up to date on the subject, though I keep an eye out. I believe that in coming days we will find this threat to be actuated as it already has been, to an even greater Lex Luthor extent, by pirates, terrorists, crooks and countries. Ralph R. Zerbonia 12/30/08, 02/19/09

2 Contents The Problem Definition of the Solution Next steps Generic budget information This document was prepared by Ralph R. Zerbonia. Document and contents remain the property of Ralph R. Zerbonia, and may not be reproduced in any manner. Intellectual Property owned by Ralph R. Zerbonia and Universe Central Corporation. Secure Data Centers For America and SDC and Secure Data Centers For America and SDC stylized logos are trademarks of Universe Central Corporation in the United States and other countries. All other names are trademarks or registered trademarks of their respective holders. The information in this document is subject to change without notice. Printed in the U.S.A Universe Central Corporation The Problem Local government computer operations are under attack on a multiplicity of fronts populated by criminals, terrorists and nation/states. In 2006 the rate of attacks and probes on [business and] government networked computer systems grew at an alarming rate. 1 Equally alarming is the increase in probes and attacks not detected in a timely or effective manner. These incidences are measured only by after-the-fact discovery and reporting. Indicators for this type of activity rose throughout It is axiomatic that there are yet-to-be discovered occurrences of these silent attacks and that their numbers also increased, continuing to always accumulate and grow. Analysis shows an organized intent to these probes and attacks, with foreign nation/state 3 involvement and complicity. 4 There is ample evidence of foreign intelligence/defense agency s aimed at national security and homeland security assets. 5 One measure, detailed in a U.S. 1 Pentagon: Efforts to steal U.S. tech rising 1/03/07 Reuters 2 Brian Krebs, 12/27/2006 Cybercrooks Deliver Trouble Washington Post 3 Annual Report To Congress Military Power of the People s Republic of China 2006 Office of the Secretary of Defense, Department of Defense page Lisa Myers & the NBC Investigative Unit 11/20/06 U.S. worries about Chinese espionage MSNBC.com 5 Technology Collection Trends in the U.S. Defense Industry 2006 Report published by the U.S. Defense Security Service Counterintelligence Office

3 Pentagon report reveals that over 88% of the occurrences originated from five interconnected regions: East Asia, the Pacific, Near East, Eurasia and South Asia. The whole of Africa and the Western Hemisphere, (not including the United States) accounted for the remaining 11.5 percent. 6 A common and ever-increasing form of computer network/server attacks is the probe. As their name suggests, probe attacks covertly seek out vulnerabilities and weaknesses, points-for-attack in a hosted (networked) system. Automated for unlimited usability, yet designed to remain undetected while carrying out a reconnaissance mission, these probes will continue to report back weaknesses and potential vulnerabilities, cataloguing these points-for-attack, for use by the attacker when they choose. It is hard to overstate the ominous significance and potential-to-harm of such probe attacks. 7 With the virtually unlimited computing resources available to foreign powers, these probe attacks become not just a highly developed intelligence tool but also a military weapon. 8 With infinite automated pre-programmed patience, a probe secretly and silently catalogs critical and non-critical vulnerabilities for a day in the future, when the assembled catalog becomes a target list. This target list can be exploited in any number of ways, efficiently betraying any and all of the discovered vulnerabilities, individually and custom designed to wreak maximum havoc, even in timed conjunction with other (physical, economic, political, criminal, etc.) launched attacks Of the over 74,000 local government entities in the United States, very few have adequate equipment and personnel budgets to secure themselves in any adequate way. Even more important, almost none have the knowledge and expertise to defend their operations against the nation/state probe attacks. 6 Ibid 7 Ben Worthen, 10/1/05 The Sky Really Is Falling Interview with Ed Lazowska Co-chair of the President s Information Technology Advisory Committee published in CIO Magazine 8 David C. Gompert, Autumn 1998, National Security in the Information Age Naval War College Review 9 Ibid 10 Lt. General Kenneth Minihan, Director, National Security Agency, November 1998, Defending the Nation Against Cyber Attack USIA Electronic Journal

4 The U.S. Dept. of Homeland Security has designated these local government operations as Critical Infrastructure and Key Resources. These local government units run everything in daily life from water supply to emergency response to real property financial records to justice and penal systems. While there are many sensitive areas within the workflow of local government that are highly vulnerable, there are also greater risks when one considers the possibility of the disruption of that daily life within the context of other simultaneous attacks against the nation. Most of the solutions proposed for this area of homeland security have centered on the protection of data alone. We suggest that is not sufficient in an increasingly electronic society: there must be a more complete protection of the local government system, its applications, hardware and software as well as the data itself, in real time, and with no downtime. Consider that each and every computer that has Internet access, or phone line access, or comes in contact with another computer that has any such access is immediately vulnerable to manipulation of varying degrees by criminal and political nation/state enemies. This threat includes not just the data, but the operating systems, application software, and hardware. Because of low local funding availability/priority, lack of high-level cybersecurity expertise and lack of physical and operational security and expertise, local government critical infrastructure and key resources are vulnerable and are in clear and present danger. The source of the danger is such (nation/state 13 ), that the local government entities are inevitably unable to fashion any credible defense. Definition of the solution: Against nation/state level of attacks there must be a nation/state level of cyberdefense. The solution is to create a set of secure data centers, utilizing existing full security and information technology best practices from the IT industry, with federal level oversight and 11 As a Critical Infrastructure Sector, from a U.S. Department of Homeland Security publication: 2003, THE NATIONAL STRATEGY FOR PHYSICAL PROTECTION OF CRITICAL INFRSTARUCTURES AND KEY ASSETS. 12 National Infrastructure Protection Plan 2006 U.S. Dept. of Homeland Security 13 Annual Report To Congress Military Power of the People s Republic of China 2006 Office of the Secretary of Defense, Department of Defense

5 protection. This integrates well with Federal Homeland Security goals and objectives for local and state government. Secure Data Centers for America, a non-profit government services corporation, will develop secure data centers for local government entities and their computer operations providing high level secure hosting and the provision of security oversight. Federal and state involvement in cybersecurity protection and defense will be fully integrated, providing the economy of knowledge currently unavailable. This proposal seeks to consolidate local government server room operations into these centers, using the economies of scale and scope now available to provide the same/better information technology services and an increased security quality, at a lesser cost than local governments are currently paying. As this nation/state level of cyberdefense is primarily knowledge and best practices oriented and already is an existing process for many federal government information system defense systems, it is without a need for scale, and can be easily provided and used, to identified and enabled systems without additional effort or cost other than those incurred in its original creation. This means that if you consolidate the (74,000) local government units computer server room operations) into a much smaller order number (10) of service delivery centers, you can use the already available and superior federal knowledge to create and maintain cyberdefense for the whole. This plan would assist the U.S. Department of Homeland Security in the performance of several key goals of The National Strategy to Secure Cyberspace, especially those covered under Priority IV Section C State and Local Governments. 14 The Dept. of Homeland Security has been charged with providing a focal point for federal outreach to state, local, and nongovernmental organizations. 15 The mission of this program is consistent with and integrates into the five National Priorities of the Federal program. 16 Additionally this project assists in the achievement of goals and objectives stated in 2006 Homeland Security National Infrastructure Protection Plan The business model is to utilize existing federal/state grants to build the secure data centers and bring the operating plan to where a critical mass of local government communities then begin paying a consortium-like fee for service to cover all costs. It is expected that such fee for service 14 The National Strategy To Secure Cyberspace February 2003 U.S. Department of Homeland Security 15 Ibid Page x. Executive Summary 16 Ibid Page x. Executive Summary

6 will be less than what the local government is currently paying for similar service even without the added benefit of high level effective security. The initial steps would involve the creation of two secure data centers, the number of centers expanding with local government integration up to an including virtually all local government server room operations and server based operations. It is currently estimated that several thousand local technology jobs will be created at each location, with an annual pay range of $40- $50, annually, with benefits and ongoing skill training. Next steps: Phase 1 - Acquire funding to deliver a full project proposal document. The project requires funding to produce a project proposal document describing the plan and approach of the project as well as the detailed roles of the major partners and contractors to the project: Inclusive of merit evaluation, development of business models, project management plan to carry out the planning process and a description of phases and deliverable of the overall project and its ongoing operations as well as planning for development of process and procedure. Phase 2 - Acquire funding to deliver project specification and bid documents; Upon delivery of Phase 1, the project can proceed to the development of detailed engineering and specifications, operational processes and procedures, and necessary bid documentation. Inclusive of an Overall Project Plan, design specifications and bid process documentation for: Best Practices Management Plan, Service Levels Documentation, project management process, knowledge management plan and process, and Evaluation process plan, IT Operations documentation, Security, Physical Infrastructure, Staffing, Administration, Command and Control and integration with existing federal Homeland Security planning/operations. Phase 3 - Acquire funding to build initial two centers in two separated locations.

7 The initial proposal is to build two geographically separated secure data centers. The project headquarters and 1 st site is proposed to be located in northeast Ohio. The Ohio Supercomputer Center provides this northeast Ohio location with multiple 2 nd location possibilities as they have direct connections with other supercomputer centers. It is anticipated that each secure data center will be in partnership with a supercomputer center. Each facility will require large sites with adequate space for security provisioning. Additionally, sites with water and/or other non-traditional power generation potentials are favored. Generic budget information Phase 1 Development of project definition and planning documents, project proposal documents, overall project and operational plan, a clearer estimate of Phase 2 & 3 costs - $175,000 - $325,000. Phase 2.a Project Specifications & Bid Documents including full security and data center engineering - estimated - $1,500, $2,250,000. Engineering and documentation for multiple areas of secure data center construction. Phase 2.b Operations process and procedures specifications and budget estimates including staffing and organization parameters - estimated - $1,000, $2,000,000. Best Practices management, Operations management, process and procedure. Phase 3 Build initial two secure data centers in two separated geographical areas to delivered specifications - estimated - $400,000, $500,000,000. Land, bricks, security, equipment, construction and initial startup.