Action Items

Copyright(c) Management Analytics, 1995 - All Rights Reserved

This study points out the many areas that have to be considered in order to achieve the level of information assurance required for the DII. Specifically, the following action items are critical, and to keep costs as low as possible, they should be pursued in all haste.

• \ORG/ should take steps to ensure that information assurance is recognized and treated as a critical readiness issue: The DoD should make information assurance issues a more central component of its readiness evaluation process in order to get a realistic appreciation of its impact on the ability of the US military to prevail in conflict.
• \ORG/ should oversee the development of information assurance policy, doctrine, strategy, tactics, techniques, and procedures.
• Infrastructure design should be considered differently than systems design: \ORG/ should support efforts to understand the differences between infrastructure design and standard information system design, and use these understandings to improve DII design decisions.
• \ORG/ should ensure that existing technical and human vulnerabilities are addressed: The current situation is one where inadequately trained people operate inadequately protected equipment, and are unaware that attacks are taking or have taken place. This is a recipe for disaster, and it must be addressed to have any reasonable expectation of the availability or integrity of information that is critical to the defense of the nation.
• \ORG/ should ensure that new standards, technologies, and tools to protect against disruption are developed: In the information age, information infrastructure will be the target of attacks just as industrial infrastructure was the target of attacks in the industrial age, and the information infrastructure of potential adversaries is already a primary target in US military doctrine. If the US military is to defend itself against this sort of attack, it must develop new standards for dealing with intentional disruption. The benefits of this will extend far beyond information warfare defense, and will ultimately make the US stronger as an economic force in the world, because in an economic war, the national information infrastructure is also a major target.
• \ORG/ should recommend activities to strengthen top level technical management of information assurance: In order to deal with the problem of horizontal consistency and integration and to prevent unnecessary duplication, it is necessary to have top level technical management that considers and addresses the implications of interconnecting diverse information infrastructure components. Current management is essentially limited to addressing individual systems and their compliance with standards. This is inadequate and costly.
• \ORG/ should sponsor the development of real-time control mechanisms to enhance information assurance: When disruption takes place, a unified, coordinated, management and operational control capability must be in place to detect attack, differentiate attack from accident or mischief, and warn the affected DoD components that an attack is underway, limit the spread of damage through responses, and manage the recovery process.
• \ORG/ should create testing programs and ensure that they are used to enhance information assurance: Current testing programs do not address disruption, and this is a root cause for the current inadequacies in this area. To this end, the DoD should establish a suitable clearinghouse mechanism to ensure that developers of these testing programs have a comprehensive technical understanding of the full range of offensive information warfare techniques that have been encountered or have been postulated.
• \ORG/ should ensure that flexible, automated, prioritized responses to disruption are implemented: In the current and anticipated information warfare environment, human reaction times are not adequate to make moment to moment decisions about the control of information in a global network, and even if they were, the decision processes are far too complex for people to do right.
• \ORG/ should sponsor the reduction of information assurance knowledge to a usable and teachable form: This should include the creation of technical books and course materials, manuals for managers and operators, and other similar educational and training materials. As a high priority, these materials should be used to ensure that the architects, designers, and system engineers responsible for developing and fielding the elements of the DII are trained in information assurance design principles and practices.
• \ORG/ should provide training materials and requirements so that Information workers can begin to train as defensive information warriors: The first line of defense today is the people operating and using the existing information systems, and they are inadequately prepared for information warfare. The DoD must begin in earnest to train its information workers in the area of information warfare, or they will continue to be inadequately prepared to handle the task at hand.
• \ORG/ should work with the Joint Staff and the Joint Warfighting Center to ensure that readiness exercises and war games for defensive information warfare begin: Training alone is not enough. In order for training to be effective in a battle situation, readiness exercises must drive that training home. The DoD must train as it will fight so that it can fight as it trains. In the same way as readiness exercises prepare the warrior for tactical operation, war games prepare planners for strategic and doctrinal decision making. War games are a necessary component in the high level decision processes that will lead to long term success on the information battlefield.