We present briefly below our recent background on cyberspace security studies and our interests in a specific topic that should be considered as part of a study of information survivability: the concept of a U.S. "minimum essential information infrastructure."

RAND Background in Cyberspace Security Issues

For the past seven years, members of RAND's staff have conducted a series of investigations on the cyberspace security problem. We have interviewed members of law enforcement communities, legal scholars, computer scientists, CERTs, national security and intelligence sectors, public and private sector information infrastucture providers, and users of information systems and networks. These interviews and discussions were held in the U.S., the United Kingdom, Germany, the Netherlands, Australia, Japan and South Korea. In April '96 we held an international conference (co-sponsored by the Ditchley Foundations of the U.K.) at which varying countries' perspectives on cyberspace security and safety issues were discussed in depth by relevant senior government and industry representatives.

In addition, a series of high-level policy exercises -- termed "The Day After...in Cyberspace" -- have recently been conducted by RAND to define the essential features of defensive information warfare and identify associated policy issues for participants.

As a result of these activities, we have developed a broad perspective regarding vulnerabilities, threats from different classes of perpetrators, and associated cyberspace risks to various segments of society. We have also come to understand that there are a set of impediments to improved security in cyberspace that any protective strategy, such as "information survivability" strategies, must take into consideration to be successful.

The Concept of a Minimum Essential Information Infrastructure

One of the conceptual cyberspace risk mitigation measures identified during the "Day After..." exercises was that of a "Minimum Essential Information Infrastructure," or MEII. Whatever the MEII might be, it would be designed and constructed to assure information survivability and the effectiveness under adverse conditions of key infrastructure and military-related systems.

The concept of a MEII has been the subject of much high-level discussion, both during and since "The Day After..." exercises. In spite of this discussion, however, fundamental questions remain: What would a U.S. MEII look like? Is it feasible and practical? Could it be useful in enhancing the survivability of information systems and networks playing vital roles in U.S. society? RAND is embarking on a research program to address these questions.

Our investigation is designed to begin developing answers to the following questions. We will not of course answer all of them, but we hope to structure the discussion enough so that some answers become clear, and a national dialog about these issues can proceed.

• Essential for what? What are the essential functions whose survivability are most important to U.S. society? Is there a hierarchy of essential functions, that might lead to a hierarchy of MEIIs?
• How much is enough? For functions deemed essential, what portion or fraction of their operational capability is needed? How long before this limited functionality becomes unacceptable?
• What does "minimum" mean? What level of survivability of information system and network support do each of the essential functions require in order to obtain the needed fraction of their functionality? How is this "minimum" level likely to evolve as our society becomes more dependent on critical information systems?
• What would a U.S. MEII look like? We propose to investigate various architectural options that are available to meet these minimum levels of information system/network support, both today and in the future, with substantially reduced security vulnerabilities and a much more robust response to adverse situations. Some of these architectural options might well be provided by contractors studying the "information survivability" options for DARPA or other funding sources.
• Is such an MEII practical? Is it useful? Is it acceptable? Given a set of architectural options, it must then be asked whether any implementation of that architecture is feasible and cost-justified by the protection it would offer.
• Does such an MEII represent a useful reduction (compared to the overall U.S. information infrastructure) in the totality of information systems and networks that the U.S. must defend from antagonists? That is, if the MEII represents a subset of various network and computational facilities in any sense, is it easier to protect that subset from attack than the entire system?
• What are the public-versus-private-sector implications of an MEII? Many of the information systems and networks that would probably be contained (to some degree) within an MEII are currently owned and operated by the private sector, with minimal governmental control. What leverage and incentives could be used to induce the formation of an MEII, given the rapid evolution underway in our information infrastructure and the private ownership of its key assets?

To begin forming answers to these questions, we will look at each of the U.S. critical infrastructure sectors (e.g., financial trading systems, energy distribution, public telecommunications network, transportation control) as the answers may differ among them. There are also significant interrelationships among these infrastructures that must be investigated.

We do not at this time know whether even the concept of an MEII can be made sufficiently rigorous to withstand scrutiny. The answers to key questions above might well be "no," or the answer might be that any MEII is really a "meta-structure" or virtual system existing on top of the underlying wires, switches and routers.

We believe this investigation of the idea of an MEII is a critical adjunct to studies of technical means of obtaining information survivability within systems. At the information survivability workshop in February 1997, we propose to present our initial approach to our study and ask for feedback and recommendations from the other attendees.

Anderson, Robert H. and Anthony C. Hearn. "An Exploration of Cyberspace Security R&D Investment Strategies for DARPA: 'The Day After ... in Cyberspace II'"". RAND MR-797-DARPA, 1996.

Anderson, Robert H. and Richard O. Hundley "Security in Cyberspace: An Emerging Challenge for Society" RAND P-7893, 1994.

Beroggi, G.E.G., R.O. Hundley, R.H. Anderson "Managing the Risks of Cyberspace: New Approaches for New Challenges", Proceedings of the Annual Meeting of the European Section of the Society for Risk Analysis, Stuttgart Germany, 1995.

Hundley, Richard O. and Robert H. Anderson. "Emerging Challenge: Security and Safety in Cyberspace" RAND RP-484, 1996. (Originally published in: IEEE Technology and Society Magazine, v.14, no.4, Winter 1995-1996).

Hundley, Richard O., Robert Anderson, John Arquilla, and Roger Molander. "Security in Cyberspace: Challenges for Society: Proceedings of an International Conference" RAND CF-128-RC, 1996