The first step in providing protection is performing a protection posture assessment. Over the last several years, I have worked with a group of well-seasoned information protection specialists doing top-level qualitative analyses of the protection posture of many organizations. For this book, portions of several of these studies have been extracted and identities disguised to illuminate the topics discussed earlier.

Several people have asked how these studies can be done so that the same quality results can be attained with lower quality personnel. They ask for checklists and all sorts of other short cuts, but in the end, this is just not how you do a really good protection posture assessment. That is not to say that you cannot do a lower quality assessment with things like checklists and, in fact, many companies offer such a service.

In response to one request, I prepared a draft document describing what it takes to do such an assessment. What follows is a variation on that document in which company-specific information and references to previous studies are removed. This discussion concentrates on studies for large organizations, but many of the points apply to all organizations. This discussion is also oriented toward a 30-day study addressing a situation in which losses could have high value. This seems to be the norm for this sort of study in a large organization. It should be helpful both to those readers who are interested in performing these sorts of studies for others and for those readers who are considering hiring someone to do such a study.

Personnel

The information protection posture assessment requires a team of expert personnel with general knowledge and experience in a wide variety of areas, and special expertise in all of the aspects of information protection. Specifically:

• Consultants with 10 or more years of professional experience in the areas covered by the assessment are required in order to assure that their breadth and depth of knowledge is adequate. Since no single individual has this much experience in a broad range of areas, a team of well-seasoned professionals is required. The use of a team also implies the ability to work together and the use of a team leader who is in charge of writing the assessment document. Because of the highly technical nature of this sort of study and the requirement for the team leader to make technical and management decisions, this person must have substantial management and consulting experience and a great deal of expertise in all areas of information protection.
• Because this sort of assessment is done over a very short time frame and covers a wide range of topics, it is best done by a team of 3 or 4 people who have worked together before. Because this assessment involves the top-level people in the organization under study, the team members must be more knowledgeable about protection issues than the people working for the client in order to justify the use of outside expertise. This means that the people must be very good at what they do. They need the necessary experience in the proper set of interrelated areas, they have to be able to relate to the client, and they have to be able to get the necessary information quickly, efficiently, and without offense.
• Because the study must involve issues of protection, understanding of the computing environment, detailed understanding of the hardware, software, operating systems, networks, telecommunications equipment, standards within the industry, and other similar matters, it is important that each team member have a thorough background in computer hardware and software, a good working knowledge of how systems and networks work, understanding of the historical context of many current technologies, and deep understanding of information protection issues.
• At least one team member should be a specialist with more than 10 years of experience in the specific industry being studied. This background should include consulting work for a variety of companies in the industry, a good working knowledge of the standards and practices used by others in the industry, intimate knowledge of the hardware and software platforms used in the industry, their shortcomings, their features, their vulnerabilities, and methods used to protect them.
• By its very nature, the protection posture assessment is a qualitative analysis, not a quantitative one. For this reason, it depends heavily on the quality of the people doing the assessment. The people must not limit themselves to things like checklists or the result will almost certainly be poor. The people doing these assessments must understand many different viewpoints that may exist in the organization and reconcile the meaning of what different people say. They have to be able to judge the people in the organization by the way they act and make qualitative decisions about how to weigh their words. It is often necessary to ask a lot of questions in order to get a vital piece of information and, because each of the people interviewed has different biases, it helps to have experience interacting with similar people in similar situations.
• The people who do these assessments must be hard to push around or lead astray. This is hard to find in a large corporation because there is a tendency to promote those who don't make waves. By its very nature, such an assessment must make waves in the organization being assessed. If it does not make waves, either the organization was already very well protected, or the study didn't find the things it was supposed to find. That means that the people doing the assessment must expect and be able to deal with some hostility, lies, bizarre behavior, and other such things. It also means that they are there to make waves of a particular sort for a particular group within the client's organization. People who are afraid of losing their jobs by making a misstatement with a client are not going to do a good job of getting the necessary information.

Areas Covered

The areas covered (protection management, protection policy, standards and procedures, documentation, protection audit, technical safeguards, incident response, testing, physical protection, personnel issues, legal considerations, protection awareness, training and education, and organizational suitability) are detailed elsewhere in this book and I will not take the time to reiterate them here. It is important to have people who are well-versed in all of these areas because the language used by people in different corporate roles is quite different. In order to communicate effectively and be viewed as a professional, you must be able to switch languages while speaking to different people and understand the nuances of these different languages. For example, the term wire room means something very different to a facilities manager than to someone in charge of electronic funds transfers. Similarly, the abbreviations used are very different for different people with different backgrounds, so it is vital to have enough knowledge of these areas to be understood and understand properly.

Process

The assessment process consists of the following steps:

• Site visit: This should take one or two days and should be scheduled so that client representatives that know how each part of the environment under consideration operates at the most detailed level are available for interview. Typically, the top-level manager and technical experts in each unique environment should be present. If there are tours to be taken, they should be taken on that day. Although experiencing everyone's job may be useful, it is far more important to have the details available in a concise form. The client should also provide copies of all relevant documentation at the site visit.

  The members of the assessment team should be well prepared to ask any question related to their areas and a very thorough record of what was said by whom should be kept. The goal of this effort is to reconnoiter the client operation. That means that, like a grand jury, it is appropriate to go anywhere and ask anything.

  For lack of a better analogy, this is very much like a tiger team where you get the best experts to tell you how they could attack. The difference is that you don't touch anything, you just ask questions and make observations that allow you to assess the current situation. If the client doesn't know the answers to the questions, this is an area they should do more work on. If they do know the answers, these answers will reveal the weaknesses and strengths.

• Visit write-up: In the write-up, each team member provides a copy of their notes to the team leader who combines them to provide as accurate a depiction of the site visit as is possible. This is then returned to the team members for verification of factual accuracy and to resolve any disputes between different viewpoints. The result is a detailed description of the visit that the client team members should agree is an accurate depiction of what they said. The visit write-up should be completed and agreed to by the end of the first week of the study. It is vital to do the write-up as soon as possible after the site visit because this will assure, to as high a degree as possible, that the write-up is accurate. Contemporaneous notes are the best resource.
• Analysis and Findings: Each team member should concentrate on their areas of specialty as assigned by the team leader and perform a detailed analysis describing all of the weaknesses detected in the assessment process. In this phase, we rely on the experience and expertise of the team members to accurately and quickly detail the known weaknesses in the technologies in use. If the team members do not know this ahead of time, they cannot normally look it up at this point in the time frame of such a study, however, a good research team can help assure that these results are up-to-date. An important aspect of this activity is that the presentation not include all possible attacks, but rather systemic issues with examples of how systems can be exploited.

  Another critical factor to the success of the findings is that they relate the results to comparable organizations so that the client gets a feel for what is normal and prudent, what is critical, etc. In the findings, it is the responsibility of the assessment team to make value judgments about the relative import of different issues. For example, in a glass factory, if a particular router is used to connect the Internet to a file server which is used for advertising, it is vital to understand that regardless of the potential for abuse, this component is inherently less critical to this particular company than the temperature control in the ovens. This combination of technical and business understanding is what makes the findings valuable to the organization being assessed.

  In order to meet the typical 30-day time frame, the analysis and findings must be completed in draft form by the end of the second week of the study. Thus, the team members get only one week to generate, write up, and initially integrate their findings.

• Plan of Action and Findings Review: Once a draft of the site visit and findings is available, the team members have to read the total document with an eye toward catching any errors, omissions, or poorly stated items. This should include each team member cross-checking other team member results, the team leader resolving disputes, and a copy edit to review the document for writing, spelling, sentence structure, and presentation. In the meanwhile, the team leader has the dual job of generating a proposed plan of action to mitigate the problems revealed in the findings. This is done at two levels. Since this is only a qualitative assessment, an overall plan separating the most time-critical changes from the long term issues is appropriate. Then, a sample scenario for implementing this plan and estimates of costs are generated. This process should be completed by the end of the third week of the assessment.
• Closure: The draft document is now ready for review by members outside the assessment team. These reviewers should read the entire document with a critical eye. Final document preparation should be done. The executive summary should be written to summarize the report. Overhead viewgraphs should be made to summarize the document for a 15-minute presentation to top-level management. All of these should be completed and reviewed by the assessment team before the end of the fourth week so that the final presentation can be made on the last day of that week.

Alternatives

This sort of assessment is designed to provide a very rapid, low-cost, top-level, qualitative assessment. For that reason, it depends on extremes in expertise. Some alternative approaches that are widely practiced in the industry include:

• A common alternative approach is to spend several months trying to get the same results by using less qualified people for the assessment. The net effect is a lower assessment quality, a much longer delay in results, more inconvenience to the client, and a cost increase to the client of about one order of magnitude.
• Another common alternative is the use of a whole series of checklists that the client fills out and returns. This list is then analyzed and a report is generated (almost automatically). In some cases, even the data gathering for this checklist is automated. This type of assessment is less expensive in terms of assessment team time, but takes a lot more of the client's time, is often filled out by different people than would participate in the high-quality short-term assessment, misses many of the issues detected by a high-quality assessment, and is less satisfying to most clients I have encountered.
• Many of the major CPA firms have done assessments using a team of EDP auditors. These auditors are generally well-trained and interact primarily with the internal auditors of the client. They usually understand less about the business and more about the technical protection issues and spend several months in assessment. Another version simply reviews the internal auditor documents for completeness and accuracy.

Selling (and Buying) a Posture Assessment

``Nothing happens till someone sells something,'' is a famous quote from a well-known expert on marketing. Unfortunately, selling a protection posture assessment has not historically been a very easy task. Some have equated it to pulling teeth, but I must have a better dentist or a higher threshold of pain than they have because selling a posture assessment has always been much more painful in my experience.

Political Documents

Despite their technical content and reasonable accuracy, all protection posture assessments are essentially political documents from the point of view of the customer. In particular, they are designed to address the specific desires of the client to make changes in their organization.

Why Organizations Don't Get Posture Assessments

Many people have legitimate concerns about information protection, but of those, very few do much about it. In some cases, the cost of an assessment prevents it from being done. In other cases, the person who wants the assessment done is not powerful enough to get it done without approvals that can never be attained.

Probably the dominant reason that such a study is a rarity is that the person in charge of information protection doesn't want to have a report hanging around that describes inadequacies. Here are just some of the reasons such a report may be seen as undesirable:

• If the report demonstrates a weakness that is exploited at some later time, it will be impossible to claim that nobody knew such a weakness existed. Thus, it may force the people who requested the report to do something about protection, and nobody wants to have their hand forced in this way.
• In a substantial number of cases, computer crime in the form of embezzlement has been committed by high executives in companies. The last thing they want is some way to detect what they have been doing.
• If the report finds that a current way of doing things is inadequate, or worse yet, that a recent decision was not a very good one, then the person who made that decision may get into trouble. For that reason, the people in charge of protection are almost certain to claim that no such study is required and that they have things well in hand.

There is a fundamental issue in here somewhere. And I think the issue is that people in most organizations are punished for being less than perfect. This means that it is better for the individual to cover up possible problems than it is to expose them and correct them. But a study of protection, by definition, is designed to expose problems. Even worse, it costs money to have such a study done, so you are spending money and identifying shortcomings, the two worst things you can do as an individual in an unenlightened organization.

Why Organizations Do Get Assessments

Over the years, I have encountered five main exceptions to the rule of never buying trouble in the form of a protection posture assessment:

• The first exception is in cases when an attack has just taken place and it is impossible to cover it up. In this case, people are anxious to show that they are reacting strongly to the attack and are really clamping down. They already have trouble, so it's an ideal time to reveal all of the problems at once.
• The second exception is when an organizational change has just taken place. In this case, as part of the process of the organizational shakeup, a protection posture assessment can be used as a political tool to advance certain factions and consolidate control. It is politically acceptable to generate a report that documents the evils of the previous administration if the new one is interested in doing something about protection.
• The third exception is when someone who is high enough up in the organization has a legitimate concern about protection and a desire to address it. In a private corporation, this is the owner. In a public corporation, it is usually the CEO, or in rare cases when supported by the CEO, the chief information officer (or equivalent).
• The fourth exception is when someone is a lame duck and wants to do one last thing before departing. In the case of the lame duck, this sort of report is usually motivated by either revenge or an honest desire to do some good that couldn't be done while their career was still viable in the company.
• The fifth exception is during the early phases of a new system development project. This is fairly rare, but, in some cases, designers will have the foresight to consider protection in a serious way from the start of a project. When this is done, it dramatically improves protection and lowers protection costs, but few designers have enough knowledge or foresight today to take this approach. Even fewer work on large enough projects to have the budget for doing more than the minimum design required to get functional operation.

This information was extracted from a study done for a small restaurant corporation as a side effect of looking at other issues in their information technology area.

This situation is typical in that this business is not interested in keeping secrets, but they have a vital need for availability of information services and integrity in those services. They have a small network used in one location and they are considering using elements of the NII as a conduit for connecting a second location to their first location, but this is not emphasized in the particular report.

This study is also typical in that it is presented in the language used in the organization. For example, ``servers'' are the people that go out to the tables and ``the system'' consists of several PCs, a network, a file server, several printers in various locations, the point of sale terminals used by cashiers, and some office systems interconnected to the network. Many of the product names are known to those at this restaurant and several technologies are familiar to them, but in other areas, they know very little.

Executive Summary

• Critical repairs: Before the system will be fully suitable for the environment at Rest-O-Rant Corp, several issues must be addressed. These items are listed under ``Critical Repairs''.
• Important changes: Even though the system can be operated suitably in the Rest-O-Rant Corp environment once the critical repairs are completed, there are several important changes that should be made for the system to operate in a manner normally associated with such an environment. These items are listed under ``Important Changes''.
• Aggravating factors: Assuming the system is changed as described above, there are still substantial aggravating factors which make its use unduly difficult. These items should be changed, but the restaurant can continue to operate indefinitely even if they are not changed, without any obvious consequences other than the day-to-day inconvenience associated with them. These items are listed under ``Aggravating Factors''.
• Long-term limitations: There are long-term limitations to the suitability of this system due to design and implementation decisions. These limitations cannot reasonably be expected to change in the foreseeable future unless the vendor chooses to completely reimplement the product using more appropriate means. These limitations are particularly applicable to the long-term growth of Rest-O-Rant and the ongoing costs of operating the computer system in that environment. These items are detailed under ``Long-Term Limitations''.

Critical Repairs

Software:

1. There must be a way to quickly and safely ``reset'' the system to allow it to start processing a new day's activities regardless of other circumstances. When an error in closing the last day's activity prevents the business from opening the next morning, there must be an easy way to restart operations. As an example, on the Sunday morning after Christmas (one of the busiest shopping days of the year), the system could not be used because the ``close'' from the previous day had failed.
2. There appears to be a problem related to holidays that causes the system to fail when a day passes without the system being operated. This condition occurred on Thanksgiving and again on Christmas. This indicates that there may be many other date-related problems such as leap-year errors, leap-century problems (the year 2000 is a leap-century), and other similar problems. This is almost certainly related to design errors.
3. There are cases where the user is told to not change anything and contact the vendor representative in the morning. A restaurant cannot be out of business until the next morning because of a software failure of this sort. The system should be able to log errors and attempt to restart by saving critical files in a backup area and restoring the system to a usable state.
4. When components fail and those failures directly effect the moment-to-moment operation of the business, the system must adequately notify the affected users so as to cause them to act to repair these failures in a timely fashion. An example is the incident where the kitchen printer had an out-of-paper condition when it was not fully out of paper, and gave no other indication of the problem. For more than 10 minutes, the kitchen staff was unaware of many orders placed by the servers because the system did not notify either of the failure. Any and all known conditions of this sort must be addressed before the system will be suitable.
5. Software errors in noncritical functions must not prevent other critical functions from operating. An example is the software-induced error that prevents users from using the order entry system. In this case, the limited key pad used by servers is not capable of entering the necessary keystrokes to clear the error condition (i.e., `y' in response to the DOS critical error handler to continue the batch file processing used for menu start-up). On a full keyboard, it is possible to clear the error condition and continue the order entry process, but the interaction of the limited key pad with the software's failure to properly handle the error condition causes the system to become unusable.
6. Security is cumbersome and inadequate. Specifically, it is trivial for anyone with access to a standard keyboard to bypass all protection by interrupting the system start up process. Thereafter, all information on the file server is open to arbitrary examination and/or modification. For example, a cashier with minimal DOS user experience could easily delete all business records without a trace and without recourse. This is particularly disturbing considering the extensive requirements for using passwords throughout the system and the ease of implementing stronger access controls through the network software. In light of the substantial protection capabilities provided by the LANtastic software used for networking in this environment, it would be an easy matter to implement controls limiting nonback-office users and computers from accessing those functions and files.
7. Backup and recovery facilities are nonexistent. In an environment such as this, a single disk failure (typical mean time to failure is only 2 operating years) will cause the entire business to stop operating and may result in total loss of all historical data other than that printed out in daily reports. The software vendor apparently didn't specify or provide for this requirement. This is clearly an accident waiting to happen.
8. All data collected and stored by the system should be made available for use by outside analysis programs in DBase compatible form to allow further analysis via programmed means. This is critical to using the business information now being gathered by the system in ways not anticipated by the existing product.

Hardware and Operations:

1. Operation critical floppy disk drives and keypads must not be left unprotected in areas where they are exposed to food, drinks, spillage, smoke, and other similar environmental factors. These disk drives will almost certainly fail in 3 to 6 months in the present environment unless steps are taken to protect them from environmental exposures. Since these are critical to operations, the problem should be addressed post-haste. The best solution may be the use of mechanical barriers for the disks and plastic covers for the keypads.
2. The file server is currently in a very hazardous location and is in a high traffic area. It is not adequately protected from environmental factors and is particularly critical to operations. This machine should be moved to the office area immediately.
3. The floppy disks used to bootstrap the computers are not write-protected. They should be.

Important Changes

Software:

1. The software fails when a multitude of different menus are used in the course of a single user session. This causes the user to have to reboot the computer and test previous operations to assure that they were properly performed before continuing on. This sort of severe inconvenience should not be necessary at all, but in the worst case, should happen only in limited and well documented situations. Software interlocks should be provided to detect this condition before it happens and prevent it, even if in the process it requires the user to take remedial steps.
2. The software-induced warning message that states that only one user may perform a particular function at a time, requires that the user determine that no other terminal is currently using these functions. The result of a problem in this area can apparently be severe and there is no reason not to provide proper software interlocks or capabilities for simultaneous access by authorized users. This is clearly a case of poor design that could be easily resolved in a well-designed system. It also adds stress to the users and eventually causes them to ignore the warning because of the high rate (nearly 100 percent) of false positives.
3. Data is often lost when the system is used in a seemingly reasonably manner. For example, when two checks are combined, both are apparently lost. Many other examples are cited by those who have spent time using the system.
4. The system seems unable to undo erroneous steps easily. The general lack of editing capability is a minor inconvenience in some cases. For example, a server has to finish a bill and remember any incorrect entries instead of continuously being in an edit mode. In other circumstances, it results in substantial inconvenience and eventually will result in substantial limits on system use. For example, when the number of employees reaches the maximum, you can never add another employee because old employees cannot be removed.
5. Numerous bugs and unnotified dependencies prevent users from completing an operation which should not have been started without the appropriate preconditions existing. For example, you might enter a whole series of items before finding out that the entire process failed because some file that these operations depend on does not yet exist. The system should identify and, where possible, correct these conditions before permitting data entry to proceed.
6. Inadequate notice on error conditions causes users to ``quest'' for the cause of a problem rather than being directed to it or, better yet, being allowed to resolve it and continue the interrupted process. For example, doing end-of-day summaries often yields an error if a customer check is not closed. The user then has to search through all servers to find the unclosed check, and even then, the reason it is not closed may not be obvious and may require further effort. Similarly, people cannot check out until they have satisfied the computer. The computer doesn't provide them with the ability to resolve problems as they prepare to leave, rather it requires them to figure out the source of a problem that the computer has already identified. If the computer can identify that there is a problem, it should be able to provide that information to the user so that, at a minimum, the user can resolve the problem. Ideally, the specific problem should be identified and its cure made directly available to the user attempting the operation.
7. Error messages are often presented in cryptic form and, in some cases, leave users in a position where they can type commands into the Basic command interpreter while files are opened. This presents substantial risks to data integrity. Furthermore, users with limited data entry key pads cannot recover without rebooting the computer.
8. Schedules don't provide information such as dates. Other reports are not easily reformatted by the user to suit specific reporting requirements of management. All functions that produce reports should be able to provide the same information in ``DBase''-compatible format so that external programs can be used to manipulate it.
9. The networking package is unable to contend with momentary server failures and reboots. This, in turn, forces the users to reboot all of the workstations whenever the server has to be restarted. The workstations should be able to determine that this condition has taken place and automatically recover via periodic retries until successful.
10. There should be a way to enter orders via item numbers rather than via menu selections so that servers can enter a series of numbers and produce a whole check without having to look at the screen to find items.

Hardware:

1. A short-term power failure, power spike, or lightning strike could cause the entire network to become unusable for a substantial period of time, and the resulting data loss could be catastrophic. The use of an uninterruptable power supply is advised.

Aggravating Factors

1. When examining information, the user is often returned to an unrelated on-line menu rather than a related one. For example, to look at current server activities requires repeated movement between three menus, when it could easily be made to return one menu level to allow the next person's information to be examined without the intervening steps. This seems to be common, in that you cannot reliably predict where you will end up when you finish an operation. This seems to stem from a lack of a well-designed system structure.
2. Different menus and data entry types work differently. For example, passwords do not require an $<$enter$>$ after entry but most other data does. Different menus appear differently, causing momentary confusion. This inconsistency again reflects a poor overall design strategy.
3. There is no universal escape from an on-screen menu, so that in each menu, a different strategy must be used to leave. This makes it hard to undo an error and, in many cases, makes it hard to figure out what to do. The delays caused by this are expensive.

Long-term Limitations

1. The underlying environment is not really suitable for a commercial product of this sort. Most critically, the use of Basic for implementing the system has resulted in very high error rates, poor design, inadequate structuring, terrible inconsistencies, and poor expansion of function. It is clear that the original design was augmented again and again to add new functions and features, and that in the process, a badly needed redesign was never done. It is unlikely that this problem can ever be resolved without a complete product redesign. For the foreseeable future, the problems encountered now will continue unabated. When combined with the selection of the networked DOS environment, this design decision caused the product to be more expensive, harder to maintain, and far less reliable than would be expected from a well-designed and well thought out implementation.
2. Inconsistencies in design likely stemmed from the choice of Basic as the implementation language and the design process previously described. These inconsistencies lead inevitably to the ongoing stream of errors, the inconsistency in user interface, the many user inconveniences, the inability to unify protection decisions, the difficulty in handling error conditions, the inability to resolve problems when they are found, and many of the other problems identified in this report.
3. The system is at or near its operational limits. For example, the vendor had problems adding drivers for a new printer. If they cannot add a new printer without problems, major problems are likely in adding interfaces and features. Anticipate problems with automated process control, new user interfaces, Lotus and Dbase integration, new analysis and presentation methods, operation between multiple stores, and so on. It is unlikely that the system will be able to integrate well or adapt easily to these future events. Expect to have to replace the system in a few years unless a major redesign is done.

This study was done for the information systems manager of a small manufacturing automation firm over a very short period of time. It represents a realistic view of the position of many small- to medium-sized companies today with respect to protection. The engineering orientation of this company places more emphasis on confidentiality than many other businesses.

Again, the language of the study is oriented toward the words and phrases used in this company. The study was done for the head of the Information Systems department and the entire firm is engineering-oriented. Little is provided in the way of explanation and many terms are used without explanation. The President of the company at the time this study was done had an engineering background and was familiar with these terms and phrases as well.

One of the important issues detected in this study was the changing nature of their dependency on different portions of their information technology. This sort of change often creeps up on companies, and before they know what happened, their environment has completely changed and their protection plans are no longer meaningful.

Introduction

This report summarizes and comments on a brief review of information protection at ABCorp. The review was performed in the form of an interview with Mr. John Smith, the manager of information systems at ABCorp, and his chief system administrator. The review consisted of discussions of protection issues and a brief tour of facilities.

In addition to the normal business systems used by most modern corporations of substantial size, ABCorp survives as a company because it has unique information technologies and engineering expertise. To a large and increasing extent, it is information technology that differentiates ABCorp from its competitors. This is especially true in three areas:

• ABCorp has a standardized high-speed product that is based, to a large extent, on unique algorithms and implementation features that differentiate it on a cost and efficiency basis from competitors.
• ABCorp has a database of designs and design capabilities that make it more efficient than competitors at performing the engineering functions required for customized applications.
• ABCorp is now moving into the automated and integrated materials handling market. This market is driven very heavily by the efficiency of information technology. In order to remain competitive, it will be increasingly important to have efficient, properly operating, and proprietary information technology capabilities.

At present, the information requirements of these engineering areas balance with or slightly exceed the more common information technology requirements of business and operations. It is highly likely that within the next 3 to 5 years, information technology requirements in the engineering areas will come to far outweigh other business requirements. Correspondingly, the financial values associated with the engineering applications of information systems at ABCorp will come to far exceed the values associated with other areas.

This shift from business applications of information technology to engineering applications is not uncommon and is not proceeding without pain. The increasing use of PCs in the engineering functions is only one example of this shift. Another example is the movement toward far more complex and integrated information systems performing control and analysis functions in products. While the problem of providing backups for PC-based engineering workstations is becoming somewhat of an inconvenience, there is currently little or no centralized control over systems used for complex applications and no central storage of software provided to customers. These problems will only get worse as this shift continues, and without a well thought out plan, it is likely that the situation will get out of control within 2 years.

This study is primarily concerned with assuring that the right information gets to the right place at the right time, taking into account accidental and intentional events that may tend to prevent this from happening. This concern is usually considered in terms of three components: confidentiality of information, integrity of information, and availability of services.

In the case of ABCorp, there are substantial lapses that affect all of these areas, and yet from an overall perspective, the information systems specialists seem to have things reasonably in control. To the extent that the specific findings outline inadequacies, it appears that the people in the information systems department are ready, willing, and able to make reasonable improvements within reasonable time and cost constraints. Unfortunately, the trend seems to be toward a loss of control in the areas where responsibility is poorly defined, and even more unfortunately, this is the engineering area that will soon come to dominate the information component of ABCorp as a business.

The most important finding of this short review is that top-level management must work with engineering and information systems management to arrive at a well-defined policy and plan for this shift in information technology emphasis and that these people must come to work together as a team to regain and maintain control over this vital and growing area of concern.

Findings

It is important to note that the vulnerabilities detected in this review are not particularly unusual, that the presence of vulnerabilities does not necessarily indicate the presence of attacks, that exposures resulting from vulnerabilities are not always exploited, and that not all vulnerabilities have to be addressed by technical defenses or at high cost. In many cases, awareness of a potential problem may be an adequate defense.

Policy ABCorp has no written security policy that documents and describes responsibilities of personnel. This is a critical problem that must be corrected in order to address overall protection issues. Among other problems, there is no clear line of responsibility for the proliferating personal computers, and the lack of adequate long-range planning, if left uncorrected, may result in increased cost and ineffective protection as the client-server model of computing becomes more dominant in the ABCorp environment.

People ABCorp has no formal mechanism for mapping people to job function and relating job function and changes to authorization. Without such a formal mechanism, it is very difficult to properly manage protection in automated information systems. Notably, personnel and information systems do not have adequate communication and procedural safeguards. For example, when people leave ABCorp or go on vacation, the information systems department should be notified in a timely enough fashion to disable computer accounts over the period of inactivity.

Procedures ABCorp has no documented procedures and checklists for performing protection-related functions. Without documented procedures, implementation depends on people remembering what to do. Without checklists or some other form of tracking, there is no mechanism for documenting what was done by whom and when and assuring that responsibilities are properly carried out.

Physical Physical access to the main computer is relatively open. Minor improvements are apparently under consideration and the risk currently seems to be in the acceptable range. An uninterruptable power supply would have a positive effect on reliability, however, backup procedures and recovery contingency planning appear to provide an adequate, but poorly documented, recovery process.

Operating System Operating system protection is inadequately maintained, primarily because of inadequate manpower and/or automation, a lack of well documented procedures, and too much reliance on applications for protection that is more appropriately implemented by the operating system. Password protection as implemented is inadequate, and the protection features provided for VAX VMS are not being used as effectively as they could be.

Protection Enhancements Specific enhancements in the form of an outside vendor product called Watcher have been put in place to provide added protection for dial-in lines and the payroll application, but the internal VMS mechanisms that can also greatly enhance this protection are not being fully or properly exploited. Since internal VMS mechanisms are normally far more effective than third-party enhancement products, VMS protection should be set properly first, and then vendor enhancements should be used to provide added coverage which VMS is not capable of providing or to provide additional layers of coverage in vital areas. The enhancements specified for the Watcher product appear to be reasonable and appropriate, and are likely to be generally beneficial, but they should not be treated as a panacea and should not be used in place of proper VMS protection.

Networks Current networks are not well protected, but it is unclear that substantial protection enhancements would be cost effective in the short run. Some inexpensive enhancements would seem appropriate, but because ABCorp is not connected to outside networks, this is not a high priority. Some concern exists for the lack of adequate backup for PCs on the LAN, lack of controls over information leakage and/or corruption in the LAN, inadequate computer virus protection on the PCs in the LAN, inadequate protection against illegal copies of software, and a general lack of control and assigned responsibility for LAN-based PCs.

Applications Access to and within applications is the first line of defense against unauthorized activity at ABCorp, but this is inadequate for several reasons, including fundamental limitations on that technology, a lack of adequate protection in most vendor software, and well known methods for breaking out of the application into the command interpreter. Application-based protection should not be the first line of defense and should be treated as an auxiliary limitation more for convenience than for protection.

Users Users are not always given unique identities on ABCorp systems, their passwords are far too easily guessed, and inadequate controls and checks are in place to assure that only authorized activities are performed by authentic users. Inadequate tools are provided to assist users in behaving properly and to assure that errors or omissions don't result in problems.

Legalities Inadequate notice is provided for users entering and using the system. All users should be properly informed of their rights and responsibilities and should sign documents asserting their knowledge, understanding, and agreement to the rules of the road. Login screens should accurately describe the presence of monitoring and other restrictions on use. Users should be made aware of legal implications to the corporation and to themselves of their use of ABCorp systems.

Training ABCorp employees have inadequate education, training, and awareness of information protection. A properly designed regular awareness program, consuming only 15 to 30 minutes per quarter for most users, is required in order to keep protection in an appropriate perspective.

Personal Computers Personal computers are predominantly used by engineering staff at this time, but as the process of moving toward a client-server environment proceeds, it will place increasing burdens on the information systems staff, and if not well thought out, may result in inadequate protection, poor performance, expensive retrofits, and many other long-term problems. In addition, management control over personal computing facilities is inadequate and is not properly defined. A top-level policy decision must be made and implemented regarding how these computers are managed, controlled, used, disseminated, connected, backed up, restored, repaired, replaced, stocked, purchased, paid for, and every other aspect of their use. Responsible parties must then be made aware of their responsibilities and provided with adequate tools, training, and budget to manage those facilities.

Major Concerns The major concerns expressed were over the movement of all remaining financial functions from an outside corporate information-processing environment into the local environment. Further concern was expressed over the increasing value associated with information distributed on PCs, over the LAN, and over centralized databases stored on the VAX. In several cases, the conflict between usability and protection came up. These cases must be addressed on a case-by-case basis using innovative techniques. In many cases, people solutions appear to be overlooked in favor of technical solutions. It is important to find a more appropriate mix of automated and human solutions in order to afford the best protection at the lowest cost.

Budget There appears to be adequate budget in information systems to implement a reasonable program of protection if management can display appropriate resolve and if protection is made a key component of overall information systems and corporate planning. Affordable and well-conceived protection can only be implemented by making protection an integral part of overall information systems planning.

Perspective

A substantial amount of effort will be required in order to address the protection problems outlined in the findings of this report. A reasonable estimate is that 3 person-months worth of effort over the next 6 months will be required by the current information systems manager and staff in order to make appropriate improvements to existing information protection, and that an ongoing effort of 1 to 2 person-weeks per quarter will be required in order to maintain the enhanced protection levels once they are attained. In addition, a budget of $5,000 to $10,000 may be required in order to purchase software enhancements to address specific concerns that effect current networked systems.

The long-term planning requirement is somewhat more difficult to define in terms of costs because proper long-term planning which incorporates protection may not cost more, but it will probably lead to different planning decisions that affect corporate operations over a long period of time. A key component will be the increased awareness of the value of information and the requirement for information protection as a part of the corporate culture at ABCorp.

The change in corporate culture is key for two reasons. The first reason is that it brings the subject into the foreground, which increases the exchange of information, affects how people react when they see things that they used to ignore, changes what people talk about at lunch, and so on. The second, and perhaps more important, reason is that, if properly done, the cultural change creates an environment where people are brought into the protection process rather than disenfranchsied.

Conclusion

This cursory review of protection revealed some simple problems with simple and inexpensive solutions, some more complex problems that require ongoing attention by the information systems staff, and some corporate challenges that are important to the long-term well being of ABCorp.

Although a more thorough review may be appropriate at some future date, it is unlikely that such a review would be appropriate until information systems has time to address the issues pointed out in this study and management takes the time to consider and plan for the long-term implications of the changing information environment.

It is nearly impossible to get permission to publish even disguised versions of studies done for a big business. Since this is infeasible, a pseudo-case study is used. This is done by taking several reports and combining them together, altering numbers to reflect similar deviations from average statistics, and then generating a report suitable for the case study. In other words, this report could come from any firm of a similar sort, but actually comes from no such firm. Any similarity between the people, places, or incidents in this case study and any actual people, places, or events, is purely coincidental.

In this study, language differences are even more stark. There is a very different language used in the executive summary than in the detailing of what their personnel told us, and a still different language is used in our findings. This is intentional.

• The executive summary was designed for the director of information technology, the chief executive officer, and the board of directors of this firm. They all have extensive background in the securities business and a lot of knowledge and experience in auditing and finance.
• The description of the site visit is designed to allow those who participated to read and agree or disagree on the accuracy of our depiction of their statements and to allow their managers to review what they said in detail.
• The findings section is in a protection-oriented language. It is designed so that technical mangers can understand the issues and protection experts can act on the results. It is better organized than the site visit section because it reflects analysis rather than raw data.

Because this case study is quite extensive, only the executive summary is included here. The remainder of the study is included in Appendix B. It is well worth reviewing.

Executive Summary

We were asked to perform an initial protection assessment of XYZ Corporation. This assessment was accomplished by direct observation, interviews with key personnel, and comparison with comparable organizations.

Summary of Findings

XYZ Corporation is highly dependent on information, highly vulnerable to attack, and at great risk of substantial information protection-related losses. Furthermore, substantial losses have been sustained in the past year and ongoing losses are being sustained as of this writing.

XYZ Corporation's assets are at great risk and immediate action is required to address this situation. XYZ Corporation's current overall protection posture is inadequate as the following summary assessment details:

• Protection Management is Inadequate
• Protection Policy is Inadequate
• Standards and Procedures is Inadequate
• Documentation is Inadequate
• Protection Audit is Marginal
• Technical Safeguards is Inadequate
• Incident Response is Inadequate
• Testing is Inadequate
• Physical Protection is Inadequate
• Personnel is Inadequate
• Legal is Inadequate
• Protection Awareness is Inadequate
• Training and Education is Inadequate
• Organizational Suitability is Adequate

In order for the protection situation to be properly resolved, significant enhancements must be made to XYZ Corporation's information protection posture. We recommend that the following program be undertaken:

1. Immediate controls are required to cover exposures currently being exploited and exposures with extreme potential for loss.

• Secure the fungibles transfer capability
• Make a comprehensive set of backups and store them off-site
• Install audit reduction and real-time audit analysis
• Perform a detailed protection audit of select information systems
• Place sensors and alarms in key areas
• Perform a comprehensive audit for illegal copies of software
  

1. Planning is required in order to institute a corporate information protection environment suitable to long-term protection of assets.

• Form and implement a corporate information protection policy
• Form an information protection advisory council
• Generate a cost-effective suitable information protection plan
• Incorporate information protection planning into overall planning
• Train select staff members in relevant information protection areas
  

1. After the first two phases are completed, a substantial set of technical, procedural, and personnel measures should be implemented to provide proper protection.
2. After appropriate protective measures have been instituted, the third and ongoing phase of activity will begin. In this phase, protection will be maintained and updated to reflect changes in environment, technology, and organizational priorities.

This study analyzes protection for a military system that is currently being fielded. In order to understand the issues at play, it is important to understand that in military endeavors, the stakes are peoples' lives, and in extreme cases, the lives of nations. In a war, the enemy may send bullets, bombs, missiles, mortars, and/or martyrs in the normal course of events. When pressed, any biological, chemical, nuclear, or other sort of weapon might be used. In providing defenses, the military must also consider cost. For example, a system that will have a useful lifecycle of only 10 to 20 years (a long time by modern information system standards) may never see a substantial combat role. If it never encounters a nuclear threat, it is unlikely that the protection from electromagnetic pulses (EMP) will be significant. On the other hand, if everything is designed to ignore the nuclear threat just because it hasn't been used in 50 years, the entire force may be wiped out by a single nuclear device blown up 25 Km above the battlefield.

When it comes to language, the military is in a world of its own. A multilevel secure (MLS) operating system may be used to implement a trusted Guard application which extracts Unclassified (U) information from a top secret (TS) database using government off-the-shelf (GOTS) hardware and commercial off-the-shelf (COTS) software. The military also has a myriad of standard operating procedures (SOPs) that specify everything from when Tempest (emanations) protection is required to how to do risk analysis. This particular system (called Alma in this book) is also required to connect to other military systems. In keeping with this long tradition, this report also makes up a series of words of its own to identify threats and countermeasures for the purposes of making charts and performing analysis.

This particular report was one small part of a larger report provided to the designers of Alma so that they could evaluate how to modify Alma for use in the field. It may be that in the fielded version, none of the identified protective measures are taken. For example, many of the threats considered in this write-up are threats not generally addressed by military protection systems, and Alma is competitive with other projects throughout the DoD. Since price is a critical issue in the military (after all, we can buy a lot of bullets for this much money), the designers of Alma may decide that providing this protection will price Alma in a range where other less able systems will be chosen instead. It may be a better strategy to simply provide Alma as is, wait until a hundred of them are fielded, and then tell all the users that additional precautions are appropriate.

Only the executive summary of this report is included here. Much of the rest of this report is included in Appendix B.

Introduction and Executive Summary:

We did an informal review of policies, procedures, and technical safeguards for Alma. During that visit and since that time, protection techniques to cover those threats cost effectively have been considered. This introduction and executive summary outlines the methods applied, the overall concerns that remain, and the conclusions of this analysis. The second part of this study details the identified vulnerabilities, available techniques that could be used to protect Alma and the approximate costs associated with those protection techniques. The third part of this report details the method used to analyze Alma, and results of the analysis.

Findings

Alma is a prototype system being deployed. As a prototype, the system demonstrates proper functional capabilities and a reasonable degree of protection, but in a deployed situation, far more care and consideration is warranted in the information protection area. Specifically, the following problem areas were identified and should be addressed:

{|l|l|} \hline \hline Area & Rating
\hline Tempest & Poor
\hline Reliability & Poor
\hline Protocols & Poor
\hline Data exchange & Poor
\hline Integrity protection & Poor
\hline Security administration & Inadequate
\hline Auditing & Inadequate
\hline Availability protection & Inadequate
\hline Rapid adaption & Inadequate
\hline Future networking & Inadequate
\hline Secure distribution & Inadequate
\hline

How Findings Were Analyzed

The findings were analyzed by creating and analyzing a covering chart which lists vulnerabilities along one dimension and defenses that cover those vulnerabilities along another dimension. Costs of defenses are approximated, and an efficient search of all single covers is performed to find the most cost-effective defense that would cover all of the threats at least once. The result is provided below.

Because of the interdependence of protection techniques and their synergistic effects, this analysis was performed for each of two distinct architectures. One architecture considers the existing Alma environment with enhancements performed on a step-wise basis. The other architecture considers the effect of moving to a multilevel secure implementation wherein Alma internals are redesigned to provide for protection enhancements. These two alternatives were chosen because they represent two key alternatives for future Alma systems.

Inherent in this analysis is the assumption that several Alma systems are to be implemented. In the cost analysis, it is assumed that 50 Alma systems are to be deployed over time, and that factor is used to amortize initial costs as opposed to unit costs. If fewer systems are to be implemented, the tradeoffs favor less redesign effort, while for larger numbers of systems, redesign has less effect on overall costs. Effects of inflation and the time value of money were not computed in this analysis, but the results are sufficiently clear that this will not substantially alter the end result.

The Two Architectures

The two architectures under consideration are pictured here:

An MLS Secure Alma Architecture

In the multi-level secure (MLS) version of Alma, a redesign centralizes all database access to the 3 redundant Alma database servers, thus eliminating a multiplicity of Oracle licenses, and saving several thousand dollars per license eliminated. These servers run under multilevel security, and have two partitioned databases for secret and unclassified data respectively. The secret and unclassified sides of each MLS are linked to 2 of the 3 redundant LANs at each of the two security levels, providing a secure and reliable bridge between the security levels without any additional hardware. An automated guard on the MLS systems automatically declassifies the appropriate portions of secret database transactions so that unclassified databases are automatically and rapidly updated, while unclassified entries are automatically available for secret access by the normal operation of the MLS system. Thus, all redundant data entry is eliminated and security becomes completely transparent to the Alma users. Physical security need only be applied to the secret side of this system and the MLS secure systems containing the database, thus dramatically reducing the need for tempest coverage and other expensive protection requirements for nodes processing only unclassified data.

A nonMLS Alma Architecture

In the non-MLS version of Alma, the basic Alma system is left running system high, and external devices and software are added to allow for declassification, incorporation of unclassified data, and so on. This has the advantage of requiring less effort in the redesign of Alma because only performance and stylistic changes are required, and the security enhancement of the database is easier. Database access is centralized so as to reduce Oracle license costs, but more systems are secured with physical protection. There is a single MLS system of smaller size and lower performance for the automated guard application, and unclassified Alma components are kept at system high. Similar reliability and redundancy are attained, and a lot of automated guard downgrading of information is used to reduce redundant data entry.

The basic difference in these architectures is the tradeoff between (1) the cost of physical security and custom protection implementations for the non-MLS version, and (2) the cost of designing to operate in an MLS environment and the added costs of MLS systems in the MLS design. Many components of this architecture can be changed without altering this basic difference, and these are not intended as final designs, but rather as the two most obvious alternatives from a cursory examination of the Alma design and function.

What the Analysis Showed

The following table summarizes the recommended protection and approximate costs associated with implementing this protection. It should be noted that several of these recommendations are badly needed for the wide-scale deployment of Alma for reasons not solely related to security (i.e., reliability, reduced life cycle costs, and so on).

{l|r|r|r|r|r|} Design Choice & Initial cost & Unit cost & ea.(1) & ea.(10) & ea.(50)
\hline MLS w/shield & 3,140,000 & 74,000 & 3,214,000 & 388,000 & 136,800
MLS w/o shield & 4,390,000 & 54,000 & 4,444,000 & 493,000 & 141,800
NonMLS w/shield & 2,690,000 & 184,200 & 2,874,200 & 453,205 & 238,000
NonMLS w/o shield & 3,940,000 & 54,200 & 3,994,200 & 448,200 & 133,000

At quantity 50, the cost difference between an unshielded non-MLS version of Alma and a shielded MLS version of Alma is only $3,000, which is far less than the added life-cycle cost of maintaining a system-high classified information processing environment without shielding. Since an MLS environment with shielding costs less at this quantity level than an equivalent environment without shielding and a shielded environment is more effective, the MLS shielded version of Alma is the clear choice.

Further savings can be afforded by only protecting half of the Alma implementations (those deployed outside of the continental United States) with shielding. In this case, we don't have to design a special nonshielded version for the continental United States, but rather use the standard version without shielding.

In other words, (and per regulations) we can protect the Alma installations outside the continental US with shielding, not provide an alternative to shielding for Alma systems in the continental United States, and get the best of both worlds. This then is our recommendation:

Implement the MLS Alma design shown earlier, placing Tempest protection (shielding) only in systems deployed outside the continental United States, and design for the following protection techniques (detailed descriptions are provided later in this report):

{l|r|r|} Protection technique & Initial cost & Unit cost
\hline Cryptographic Checksums & 200,000 & 0
Computer Misuse Detection System & 250,000 & 20,000
Decentralized administration & 20,000 & 0
Field installation requirements & 0 & 5,000
Custom Alma Guard on MLS & 500,000 & 0
MLS licensing fees & 0 & 2,000
Multiple LAN configuration & 20,000 & 2,000
New protection tools & 100,000 & 0
New training programs & 40,000 & 5,000
Alma redesign & 1,500,000 & 0
MLS redesign overhead & 500,000 & 0
Shielding & 10,000 & 40,000(/2)
\hline Overall Program Estimate & 3,140,000 & 54,000

The total cost for a program of 50 Alma systems comes to $116,800 per Alma.

Conclusion

All of the items listed above should be implemented before Alma is deployed into widespread use.

System designers can only do so much on their own. Obtaining information protection for the entire nation will require resources and hard work on a national scale. It will not come about as a serendipitous feature of the development of an information infrastructure based on open systems. The longer this matter sits on the back burner or is treated as a matter of academic interest, the greater the eventual costs will be to add resiliency to the infrastructure. Ultimately, neglect of this matter could result in major economic loss, the loss of military capability, and military defeat.

The study from which these results were extracted was done for the Defense Information Systems Agency (DISA) to address the question of information assurance in the Defense Information Infrastructure (DII). [DISAdoc] The full study is not included in the appendices because of its substantial length and because everything covered in that study is reflected elsewhere in this book. Rather, the executive summary is provided here, and a more extensive summary is included in the appendices.

The DII is more than 90 percent comprised of the NII, so DII requirements are key to the NII design and operation. Information assurance in this context refers to the availability and integrity issues discussed earlier.

The DoD has put a lot of effort into secrecy systems, but with the exception of a few very expensive special purpose systems, almost no effort has been put into availability and integrity of information systems under malicious attack.

Executive Summary

The United States depends on information as a key part of its competitive advantage. Operation Desert Storm was an object lesson in the critical importance of information in warfare, in that it demonstrated the DoD's ability to obtain and use information effectively while preventing Iraq from obtaining and using comparable information. This object lesson was observed and understood by other nations and organizations, but they also observed that the U.S. did not protect the massive information infrastructure it mobilized for the Gulf War against disruption. If the U.S. is to maintain a competitive advantage in future conflicts, then the National Information Infrastructure (NII) upon which the U.S. depends must be protected commensurate with its criticality. This analysis shows that:

• The nation is highly dependent on the accuracy and availability of information.
• The nation is dependent on the NII for information services.
• The NII is highly vulnerable to accidental and intentional disruption.
• These vulnerabilities are commonly known and widely publicized.
• Many individuals, groups, and nations have demonstrated disruption capabilities.
• The current ability to respond to disruption of NII functions is inadequate.
  

If the Department of Defense is to maintain operational readiness and fulfill its national security responsibilities, the information infrastructure upon which it depends for information services must be strengthened against accidental and intentional events that lead to disruption (corruption of information or denial of services). If the U.S. as a nation is to compete economically, the NII must be protected.

In order to sustain U.S. capabilities, the following information assurance (availability of services and integrity of information) considerations must be given priority attention.

• Information assurance should be recognized and treated as a critical readiness and economic survival issue.
• Defensive information warfare policy, doctrine, strategy, tactics, techniques, and procedures should be developed.
• Infrastructure design is different than systems design and should be treated as such.
• Existing technical and human vulnerabilities should be addressed.
• Information assurance standards, technologies, tools, and guidelines should be developed.
• Top level technical management of information assurance should be improved.
• Real-time control mechanisms to enhance information assurance should be developed.
• Testing programs should be created and used to enhance assurance.
• Flexible, automated, prioritized responses to disruption should be implemented.
• Information assurance knowledge should be reduced to a usable and teachable form.
• Information workers should begin to train as defensive information warriors.
• Readiness exercises and war games for defensive information warfare should begin.

   

Information assurance for the NII must also be cost effective. This analysis shows that the costs associated with these tasks will increase dramatically over time if we do not act now. Furthermore, the efforts made to protect the NII will provide widespread benefits to U.S. commercial industries.

By the timely reinvestment of a small portion of the savings that will be gained from the current consolidation and migration to standard information and communication systems, the U.S. will avoid enormous future expenses, mitigate possibly catastrophic military consequences, and enhance its national competitive edge for years to come.

Is Information Assurance an Unsolvable Problem?

NO! We can not make people immortal, but that does not mean we should abandon medicine. Nobody can provide perfect information assurance, but that does not mean that we should ignore a problem that may result in catastrophic consequences.

The issues that must be considered for proper information assurance in the NII span a wide range and a wide range of solutions exist to address these issues. There are some challenges in information assurance that are now and will likely remain imperfectly addressed for some time to come, but the vast majority of the challenges today can be adequately addressed with a reasonable amount of well-directed effort.

Perhaps a more enlightening view of this issue is the question of how much it will cost to address information assurance, and how much the United States will save as a result of wisely spending that money. In this limited report, we cannot even begin to address the specific issues for specific solutions in specific systems, but we advocate financial and military analysis before undertaking costly action. We also believe that early investment will pay enormous dividends in both the short-term and the long-term:

• By assuring the United States is able to win on the information battlefield.
• By dramatically reducing the long-term cost of information assurance.
• By reducing the costs of disruptions in the NII.

The information assurance challenge is not only one that can be met, but one that must be met, if the United States is to attain and retain a competitive edge in both the DoD and national information arenas.

What Are the Top Priorities?

Based on our study, we believe that the following three items are the most vital things the nation can do in order to provide a NII with adequate information assurance.

1. Design the NII for automated detection, differentiation, warning, response, and recovery from disruptions. It is absolutely vital that these capabilities be designed in from the start and that they be sufficiently automatic that they are effective without human intervention. Without these capabilities, the NII will not be able to sustain operation during substantial disruption attack.
2. Design the data centers, network components, and network control centers for repairability. Without the ability to recover from disruption of these facilities, under attack, the NII and the nation will grind to a halt and will not be able to reconstitute capabilities in any meaningful time frame.
3. Train today's information workers to become defensive information warriors capable of defending the NII against information attack. Without trained information warriors, the nation will not be able to sustain the NII no matter how automatically the NII reacts or how well it is designed.