Action Items
Copyright(c) Management Analytics, 1995 - All Rights Reserved
This study points out the many areas that have to be considered in
order to achieve the level of information assurance required for the
DII. Specifically, the following action items are critical, and to keep
costs as low as possible, they should be pursued in all haste.
- \ORG/ should take steps to ensure that information assurance is
recognized and treated as a critical readiness issue: The DoD should
make information assurance issues a more central component of its
readiness evaluation process in order to get a realistic appreciation of
its impact on the ability of the US military to prevail in conflict.
- \ORG/ should oversee the development of information assurance
policy, doctrine, strategy, tactics, techniques, and procedures.
- Infrastructure design should be considered differently than
systems design: \ORG/ should support efforts to understand the
differences between infrastructure design and standard information
system design, and use these understandings to improve DII design
decisions.
- \ORG/ should ensure that existing technical and human
vulnerabilities are addressed: The current situation is one where
inadequately trained people operate inadequately protected equipment,
and are unaware that attacks are taking or have taken place. This is a
recipe for disaster, and it must be addressed to have any reasonable
expectation of the availability or integrity of information that is
critical to the defense of the nation.
- \ORG/ should ensure that new standards, technologies, and tools to
protect against disruption are developed: In the information age,
information infrastructure will be the target of attacks just as
industrial infrastructure was the target of attacks in the industrial
age, and the information infrastructure of potential adversaries is
already a primary target in US military doctrine. If the US military is
to defend itself against this sort of attack, it must develop new
standards for dealing with intentional disruption. The benefits of this
will extend far beyond information warfare defense, and will ultimately
make the US stronger as an economic force in the world, because in an
economic war, the national information infrastructure is also a major
target.
- \ORG/ should recommend activities to strengthen top-level
technical management of information assurance: In order to deal with the
problem of horizontal consistency and integration and to prevent
unnecessary duplication, it is necessary to have top-level technical
management that considers and addresses the implications of
interconnecting diverse information infrastructure components. Current
management is essentially limited to addressing individual systems and
their compliance with standards. This is inadequate and costly.
- \ORG/ should sponsor the development of real-time control
mechanisms to enhance information assurance: When disruption takes
place, a unified, coordinated management and operational control
capability must be in place to detect attack, differentiate attack from
accident or mischief, warn the affected DoD components that an
attack is underway, limit the spread of damage through responses, and
manage the recovery process.
- \ORG/ should create testing programs and ensure that they are used
to enhance information assurance: Current testing programs do not
address disruption, and this is a root cause for the current
inadequacies in this area. To this end, the DoD should establish a
suitable clearinghouse mechanism to ensure that developers of these
testing programs have a comprehensive technical understanding of the
full range of offensive information warfare techniques that have been
encountered or have been postulated.
- \ORG/ should ensure that flexible, automated, prioritized
responses to disruption are implemented: In the current and anticipated
information warfare environment, human reaction times are not adequate
to make moment-to-moment decisions about the control of information in a
global network, and even if they were, the decision processes are far
too complex for people to do right.
- \ORG/ should sponsor the reduction of information assurance
knowledge to a usable and teachable form: This should include the
creation of technical books and course materials, manuals for managers
and operators, and other similar educational and training materials. As
a high priority, these materials should be used to ensure that the
architects, designers, and system engineers responsible for developing
and fielding the elements of the DII are trained in information
assurance design principles and practices.
- \ORG/ should provide training materials and requirements so that
information workers can begin to train as defensive information
warriors: The first line of defense today is the people operating and
using the existing information systems, and they are inadequately
prepared for information warfare. The DoD must begin in earnest to
train its information workers in the area of information warfare, or
they will continue to be inadequately prepared to handle the task at
hand.
- \ORG/ should work with the Joint Staff and the Joint Warfighting
Center to ensure that readiness exercises and war games for defensive
information warfare begin: Training alone is not enough. In order for
training to be effective in a battle situation, readiness exercises must
drive that training home. The DoD must train as it will fight so that
it can fight as it trains. In the same way as readiness exercises
prepare the warrior for tactical operation, war games prepare planners
for strategic and doctrinal decision making. War games are a necessary
component in the high-level decision processes that will lead to
long-term success on the information battlefield.