INFORMATION WARFARE - DEFENSE

APPENDIX E

THINK PIECES

The following discussions were a part of the Task Force deliberations and judged worthy of inclusion in the Task Force Report for reference only.

E.1 INFORMATION INFRASTRUCTURE ASSURANCE PRINCIPLES

Information assurance is a term which can be used to describe the needed IW-D capabilities (and associated protection) of an information infrastructure. Some basic definitions are needed to understand the principles:

Availability of Service - An assured level of service, capacity, quality, timeliness, and reliability.

Denial of Service - The opposite of availability of service.

Information Integrity - Complete, sound, unaltered, and unimpaired information.

Corruption of Information - The opposite of information integrity.

Information Assurance - The availability of services and information integrity.

Disruption - Denial of service or corruption of information resulting from a single event, cause, or source; whether direct or indirect; whether accidental, intentional, rare or common.

Stress Level - Military situations under which the infrastructure is expected to operate. These include:

-Peacetime (natural disasters, sabotage, equipment and service failures, unintentional acts)
-Crisis/mobilization (terrorism, low intensity conflict, conventional war)
-Simultaneous two-theater engagements
-Limited nuclear war (nuclear terrorism, uncoordinated/accidental, theater nuclear) Expanded nuclear (coordinated attack)
-Post-attack (recovery and reconstitution).

In the traditional systems engineering context, availability is a function of the reliability and maintainability of the system while integrity of data is a function of the quality (or grade of service) of the system transporting the data. In addition, these measures of system performance are traditionally based on design assumptions that disruptions are random in nature (e.g., component failures, human errors, and acts of nature).

Information assurance is not just a function of the reliability, maintainability, and quality of the network or infrastructure. Information assurance addresses the capability of an infrastructure to endure a variety of disruptions ranging from natural disasters to accidents to intentional disruptions by the enemies or by insiders. For example:

A lightning strike on a critical node in the network can cause node failure; or, an earthquake or hurricane cannot only physically disrupt the network but can also cause network congestion, another source of disruption.

Inadvertently erasing a data base containing terrain data critically needed for a cruise missile strike can compromise a key part of an offensive strike.

Corruption of key network management data by a network manager can cause many networks to fail.

An enemy agent located in a safe haven can introduce viruses that can cause a network to become overloaded and ineffective or cause the entire network to break down at a critical juncture.

This perspective on disruptions poses challenges for the intelligence, operations, and training communities in defining the threat, which is essential for a reasonable articulation of information assurance principles.

There are substantial differences between designing a typical information system and designing a resilient information infrastructure capable of enduring in the face of intentional disruptions. A typical information system design assumes that all of the system components will normally operate properly, with the common failure mode being failure of individual components. A resilient information infrastructure design must be based on the assumption that only some of the components will operate properly at any point in time. A typical information system design will incorporate central control mechanisms, synchronized clocks, and other techniques to use resources efficiently. A resilient information infrastructure design must be based on some decentralization of control and independent operation of portions of the infrastructure. Information system design is typically based on efficiency while a resilient information infrastructure design must be based on effectiveness. For example, the entire field of fault tolerant computing is based on the introduction of redundancy into otherwise efficient systems in order to make them more effective, particularly against random disruptions. Similarly, the design of a resilient infrastructure will assure diversity of hardware and software so that a common failure mode will not result in an infrastructure failure.

In the context of information assurance, network operation, management, and maintenance should be viewed from a war fighting perspective. Personnel performing these functions (and users in some cases), should be able to detect, differentiate among, warn of, respond to, and recover from disruptions. Recovery from disruptions resulting from failures or attacks might involve repair, reconstitution, or the employment of reserve assets. In some cases, network managers may have to isolate portions of the network to preclude the spread of disruption. Given the speed with which disruptions can propagate through networks, these capabilities may need to be available in automated form within the network itself. Finally, there must be some means to manage and control these capabilities.

The underlying philosophy in information assurance and in satisfying the IW-D need must be that of risk management and not of risk avoidance. There are not enough resources to armor plate the infrastructure. Risk management suggests that the threat be defined, that measures be undertaken to reduce the realization of the threat, that countermeasures to threat occurrence be based on realistic application of resources and that response to and recovery from threat occurrences be part of the infrastructure. Finally, it will be necessary to assume some degree of risk while maintaining some minimum infrastructure operating capability.

Based on a review of existing documentation, a list of information assurance principles has been developed and is presented below. Because the infrastructure and the concept of information assurance are still under development, the list is not exhaustive.

The following operational information is required from CJCS and the Commanders-in-Chief (CINCs) of the Unified and Specified (U&S) Commands to quantify some of the principles:

Information Transfer Priorities - Priorities for the transfer of voice, data, imagery, and video information based on a process developed by the JCS and based on the existing process used to establish priorities for voice and messages.

Minimum Operating Capability - The minimum set of fixed and deployed capabilities required for each stress level, based on operations tempo and forces supported.

Normal Operating Capability - A specified set of fixed and deployed capabilities required for peacetime and crisis/mobilization stress levels, based on operations tempo and forces supported. (In coordination with CJCS and the CINCs, DISA will, in its role as the central manager of the DII, specify this set.)

Expected Disruptions - The expected level of disruptions to be sustained over time at each stress level. (This is normally based on intelligence estimates of enemy capabilities, insider threats, natural disasters, and other anticipated causes.)

Minimum Assured Resiliency - The capability to sustain a specified number of simultaneous, worst-case disruptions at each stress level while still maintaining the Minimum Operating Capability.

Desired Resiliency - The capability to sustain Expected Disruptions while maintaining a Normal Operating Capability. (In coordination with CJCS and the CINCs, DISA will, in its role as the central manager of the DII, specify this set.)

Information Assurance Principles:

The infrastructure shall be considered a potential battlefield.

The infrastructure shall provide Minimum Resiliency.

The infrastructure shall detect substantial disruption, differentiate accidental disruption from intentional disruption, provide ample warning of disruption, respond to and recover from disruption, and be repairable at a rate sufficient to sustain Minimum Operating Capability under Expected Disruptions.

The infrastructure shall detect large classes of event sequences that are likely or anticipated to lead to disruption and provide mechanisms so that disruptions from these events are:

-Prevented when possible within cost constraints
-Limited in the extent of their effect when prevention is not feasible
-Responded to prior to actual disruption when detected in time
-Traced to their source whenever possible within cost constraints.

The infrastructure network and system control functions shall be designed to operate without dependence on the normal operation of the network or processes being controlled.

The infrastructure responses to disruption shall be prioritized and shall take into account factors such as time, value, criticality, and locality as related to the information being transported.

Changes to the infrastructure shall be analyzed and simulated prior to implementation to ensure that the infrastructure maintains assurance attributes during and after these changes.

The infrastructure operations, management, and maintenance personnel and information assurance capabilities shall be regularly tested under realistic conditions to ensure that they perform and operate properly. Prior to testing, proposed tests must be simulated to assess expected behavior and ensure that the tests do not unduly degrade the infrastructure. After testing, expected and actual behavior must be reconciled and addressed.

The infrastructure shall be designed to be flexible with respect to information assurance attributes so that as requirements, technologies, and processes are altered over time, the infrastructure will retain the Desired Resiliency specified by DISA.

The infrastructure shall be capable of retaining the Desired Resiliency during infrastructure expansion, contraction, modification, and connection to combined forces infrastructures.

New infrastructure components shall be designed such that:

-If they are disrupted, they do not react so as to disrupt neighboring components
-Disrupted neighboring components do not disrupt the new component regardless of the neighboring component's behavior
-Disrupted components are quarantined until they return to normal operating behavior
-Network and system management services are notified of disruptions and quarantines.

Techniques for limiting the spread of disruptions (e.g., firewalls) shall be used where applicable, particularly in the design of network protocols and in gateways between networks.

The infrastructure training and readiness programs shall be designed to ensure that personnel tasked with operating, managing, and maintaining the infrastructure are prepared for operations under stress, and that ample personnel and resources are available to operate and sustain the infrastructure at the Minimum Operating Capability during Expected Disruptions.

Sufficient inventory of and/or manufacturing capability for parts, equipment, tools, supplies, and support systems shall be maintained to enable operation, repair, and reconstitution of the infrastructure under all stress levels.

The infrastructure users shall be licensed to operate on the information highway. Licensing procedures shall include knowledge of the network, rules of the road, information assurance, and incident response processes and capabilities.

The goal in postulating these information assurance principles is to eventually outline a set of specifications (on the order of A-Level specifications) that will shape the design and integration of the infrastructure or that can be used as a part of the specifications for the acquisition of services from the local and long-distance carriers and from information processing vendors. In order to bridge the gap between the information assurance principles and a set of specifications, it will be necessary to develop strategies for providing the attributes. Some elements that might be considered in developing those strategies include:

Capacity

Diversity

Co-location of network components at hardened subscriber sites

Provision of uninterruptable power to selected sites

Selected redundancy in network components

Use of diverse transmission media

Redundant network access links for key subscribers

Precedence (priority) mechanisms

Congestion control mechanisms

Transportable reserve assets for reconstitution of damaged portions of the network

Infrastructure restoration and reconstitution

Multiple inter-network gateways

Personal reliability program for network managers

End-to-end network control (that does not depend on the network to operate)

Scalable infrastructure components

Repairability.

Successful implementation of information assurance will require a multi-disciplinary team capable of formulating a comprehensive set of requirements, knowledgeable of current and emerging technologies, capable of overseeing the design of the infrastructure from an information assurance perspective, and capable of managing the implementation of information assurance in the infrastructure.

E.2 "Raise the Bar" Exercise

The goal is to maximally improve DoD's information assurance as quickly as possible but "do it on the cheap" without involving unnecessarily complex technology, and without awaiting the outcome of R&D efforts now underway or that could be imagined.

It can be played two ways:

1. Assume that a given pot of money is available, take as a goal maximizing the protection of DoD information assets and internal systems soonest (i.e., little or no R&D), and decide how and on what to spend it.

2. As above in item [1] except first compile a reasonable list of actions to be taken, and then estimate the cost to do them.

Below are some options from which to select, but not a comprehensive or complete list by any means. The sequence in the list is happenstance.

1. Provide users of the most sensitive systems commercially available tokens of some sort to improve the user identification/ authentication act of logging on; e.g., SecurID cards.

2. The same as item [1] except do it for all users in an operational entity; e.g., the command-control chain, tactical logistics, forward air bases.

3. Increase the level of effort in the USAF program (briefed to us) by a factor of 3 to get it done sooner. Alternately, pick a different factor of speedup.

4. Examine the other military services to ascertain whether corresponding programs would be effective for them, or whether variations on the USAF approach would be more sensible.

5. Implement [4] with a projected time-to-complete of X years.

6. Industrial organizations who have had serious intrusions into their systems and who appreciate the importance of protecting against them have mounted massive internal programs to make every employee aware of the issue, of individual responsibility, and of the actions being taken by the organization. Notable among such examples is Citibank.

Mount an intensive all-hands awareness program of information assurance in some/all/each of the military services. Alternately, confine the program to those organizational entities that are "closest" to the information assets and in best position to take appropriate steps if informed.

7. Survey all installed info-systems in the military structure that are based on COTS software and/or hardware. Compile a corresponding list of the known security flaws and fixes for each of them, and institute an aggressive effort to make sure that all such fixes are properly installed, tested, and made operational in (say) 18 months, and that the relevant operational staffs are also well informed and trained.

8. Make the recently published NIST Handbook of computer security required reading for all personnel associated with the operations, maintenance, installation, design, procurement and upgrade of both hardware and software in key [or: all] information systems [Alternate: do this initially for all information systems based on COTS; but later, add the embedded systems as well].

Make this handbook also required reading for every training or educational course given to military personnel.

9. Survey all acquisitions of information systems and computer-containing weapon systems now underway and take such steps as necessary to guarantee that up-front design consideration has been given to information assurance, netsec, infosec and opsec.

10. Compile an inventory of all weapon systems that contain embedded computers and for each, define and characterize the line of responsibility, organization(s) and physical locations which support the deployed system. Hence, identify vulnerabilities and weak spots that might be exploited by an opponent; create plans to remedy these risks on a quick response basis.

11. Survey all deployed weapon systems that are computer-based with especial attention to all phases of maintenance and upgrades of software and hardware and to daily operations. The object is to identify places and means by which subversive actions could be taken to degrade or perturb weapon performance. The level of effort might be such that candidates for this examination will need to be ranked in order of importance and operational vulnerability.

12. As in item [11] but do for all support systems, whether CONUS or field deployed, that are not COTS-based but use specialized software and/or hardware.

13. As in [12] but for COTS-based systems.

14. Reconsider any/all of the prior suggestions from the point of view of likely geographic, cultural and infrastructure circumstances in which U.S. military forces might have to operate in the next (say) decade; e.g., SWA, Adriatic theater, mid-East, Korea. Object: to judge whether a different prioritization of effort would be suggested or warranted.

15. Begin an assessment of the civilian-infrastructure aspect of the issue; e.g., identify the military bases essential for an OCONUS deployment and do so for several different durations of engagement (e.g., weeks, months, years). Identify for each the present arrangements for provision of electrical power, of other energy sources, of communications -- especially telephone and PSN-based, and of off-base medical, personnel, or commissary requirements.

16. As in [14], but for long-term overseas bases; e.g., Europe, Japan/Korea/Okinawa.

17. Any/all of the above for the intelligence systems (sensors, ground stations, antenna farms. electronic establishments) rather than for the operational forces and the support structure.