The US military depends on information as a key part of its competitive advantage. Operation Desert Storm was an object lesson in the critical importance of information in warfare, in that it demonstrated the DoD's ability to obtain and use information effectively while preventing Iraq from obtaining and using comparable information. This object lesson was observed and understood by other nations and organizations, but they also observed that the US did not protect the massive information infrastructure it mobilized for the Gulf War against disruption. If the US military is to maintain a competitive advantage in future conflicts, then the Defense Information Infrastructure (DII) upon which the US military depends must be protected commensurate with its criticality. This analysis shows that:
* The DoD is highly dependent on the accuracy and availability of information. * The DoD is dependent on the DII for information services. * The DII is highly vulnerable to accidental and intentional disruption. * These vulnerabilities are commonly known and widely publicized. * Many individuals, groups, and nations have demonstrated disruption capabilities. * The DoD's current ability to respond to disruption of DII functions is inadequate.
If the Department of Defense is to maintain operational readiness and fulfill its national security responsibilities, the information infrastructure upon which it depends for information services must be strengthened against accidental and intentional events that lead to disruption (corruption of information or denial of services).
In order to sustain US military capabilities, the following information assurance (availability of services and integrity of information) considerations must be given priority attention.
* Information assurance should be recognized and treated as a critical readiness issue. * Defensive information warfare policy, doctrine, strategy, tactics, techniques, and procedures should be developed. * Infrastructure design is different than systems design and should be treated as such. * Existing technical and human vulnerabilities should be addressed. * Information assurance standards, technologies, tools, and guidelines should be developed. * Top level technical management of information assurance should be improved. * Real-time control mechanisms to enhance information assurance should be developed. * Testing programs should be created and used to enhance assurance. * Flexible, automated, prioritized responses to disruption should be implemented. * Information assurance knowledge should be reduced to a usable and teachable form. * Information workers should begin to train as defensive information warriors. * Readiness exercises and war games for defensive information warfare should begin.
Information assurance for the DII must also be cost effective. This analysis shows that the costs associated with these tasks will increase dramatically over time if the DoD does not act now. Furthermore, the efforts made to protect the DII will provide widespread benefits to US commercial industries.
By the timely reinvestment of a small portion of the savings that will be gained from the current consolidation and migration to standard information and communication systems, the US will avoid enormous future expenses, mitigate possibly catastrophic military consequences, and enhance its national competitive edge for years to come.