Writings From A Painter / What Is Information Warfare?

Section 6: Protection

An information society faces a terrible problem with protecting its intangible "information" assets from losses due to both deliberate and accidental means. Cyber-crimes already are costing this country untold billions in losses. As an example, the phone companies collectively suffer about $8 billion annually in stolen phone services. The World Trade Center bombing could be viewed as a denial-of-service attack in which business interruptions cost far more than the actual physical damage to the building.

To protect against deliberate attacks and accidental loss, businesses and military organizations are implementing various types of defensive measures. This "defensive information warfare" is a tremendously difficult undertaking. All aspects of friendly information acquisition, processing, and communication must be protected. The physical information systems and infrastructure must be protected from damaging power surges or losses, spurious noise, environmental conditions, or outright theft and misappropriation. Data must be protected from theft, destruction, or alteration. Virus checks and other security measures must be performed on software, even shrink-wrapped brand-name versions.

Communications must be protected from interference, interception, interruption, or denial. Attacks against any aspect of our information can come from an infinite variety of sources, including external agents, Internet connectivity, software bugs, modified computer chips, and even our own people. Defensive information warfare, in short, must anticipate all possible ways that our own information can be attacked, and then try to put protective measures in place.

Offensive information warfare, by contrast, only has to find one chink in an opponent's armor.

As the world in general, and our potential adversaries in particular, become more sophisticated in information warfare techniques, we are becoming more and more vulnerable to information attacks. We are spending billions on high-tech collection, processing, and communication systems. Budgets for information security, however, are often very small. When there is no perceived threat, security measures aren't a high priority, don't contribute much to business profit/loss statements (or military readiness), and are often among the first items to go in a round of budget cuts. Yet security systems and security managers are the only things standing between our extremely valuable information and our opponents.

In the mid-to-late 1980s, a young computer hacker in Germany managed to break into a large number of U.S. government, military, defense industry, and university computer systems. He was not a computer genius; in fact, he had only a fair working knowledge of UNIX and a plodding, mechanical approach. But by diligently applying known holes in the UNIX system, using default or commonly used passwords, and persistently trying different approaches until something worked, he broke into a lot of systems. The stolen information was then sold to the KGB. The story of how he was detected, tracked, and finally caught (documented in "The Cuckoo's Egg" by Clifford Stoll) does not paint a very pretty picture of information security.

Unfortunately, the situation has not really improved since then. The Defense Information Security Agency (DISA), among other duties, conducts vulnerability studies of military and government computer systems. Their figures are truly alarming. Extensive studies have found that 88% of defense computer systems are easily penetrated. Of the successful penetrations, 96% are not detected. Even worse, 95% of the detected penetrations are not reported or responded to in any way. Even when an intrusion is detected, it is usually impossible to determine who did it. DISA's studies indicate that there were possibly 300,000 intrusions into government computer systems in 1994 alone. Robert Ayers, chief of the Center for INFOSEC at DISA, stated succinctly: "We are engaged NOW in information warfare. We don't know who our enemies are. We're losing."

This does not mean that the game is over and we have already lost. Security measures exist that can significantly improve our chances of maintaining control of our information and computer systems. The burgeoning commercial industry in information security is continually inventing or updating tools such as system firewalls and data encryption algorithms. All the military services have data security policies and procedures that, if followed, will reduce a system's chances of being successfully penetrated. The key is to have a sharp, aggressive system administrator, an effective training program for everyone with access to the system, and command support. These three items will do more to protect an organization's data and computer systems than any expensive technical installation.

Defensive information warfare is a difficult and often thankless task. However, if we are to prevail on the information battlefield, we have to have effective armor around our information systems and we have to ensure that the armor is used.
