Over the last 5 years, the world has changed dramatically. The breakup of the Soviet Union, government financial considerations, and many other factors have caused the US to shrink the size of its military. In order to accommodate this change and still maintain US effectiveness as a military power, the DoD has looked more and more toward technological solutions that make it more efficient. The increasing prominence of computer networks, the shrinking price of high performance computers, and the proliferation of high speed digital communications have led to fighting styles that are both more effective and less costly than previous military methods. US fighting forces are faster and more agile than ever before, US weapons are more accurate and effective and cause less collateral damage, and US technological intelligence capabilities are unmatched.
Information warfare is now US military doctrine: Recent changes in US military doctrine have stressed information warfare as a central component of joint forces operations. [JP1] [Powell92] [BotUp93] The US Army, [Army93] Navy, and Marines [SONATA89] [FTS92] have all responded with their own expressions of policy based on that doctrine.
Offensive and defensive components of information warfare: Information warfare consists of offensive and defensive components. Offensive components were demonstrated in the Gulf War, where the US disabled Iraq's state and military command and control structures to the point where Iraq's military was literally paralyzed. [Campen92] Although this is by no means the first example of offensive information warfare, [Mackay92] [Arquilla] it is certainly a startling demonstration of information warfare's effectiveness.
Defensive components of information warfare include such diverse areas as counter-intelligence, counter-deception, information security, and others. Information security is intended to provide data confidentiality, information integrity, and service availability. DISA's mission revolves around computation, communication, and information services, and thus information security is a primarily concern. This study addresses the informational aspects (as opposed to the physical aspects) of information integrity and service availability.
Within this paper, the term ``information assurance'' is used to mean information integrity and service availability. The term information assurance applies to the use of information.* The ultimate goal of information assurance is to protect users, business units, and enterprises from the negative effects of corruption of information or denial of services. For example, if the financial data in a payroll database is valid in the sense that it could be correct, but is not in fact correct, there may be no negative impact on the information system, but the enterprise may suffer when people get the wrong amount of money in their paychecks. Similarly, if an order for an engine part in a supply and logistics system is lost in the part of the system that dictates which pallets get loaded onto which boat, the information system continues to operate, but the supply service is denied to the person requiring the parts. Naturally, if the information systems processing, storing, or communicating information become corrupt or unavailable, that may also affect the enterprise as a whole, but simply protecting the systems without protecting the information, processing, and communication is not adequate. (* Within DoD 5200.28-STD ``Department of Defense Trusted Computer System Evaluation Criteria'', the terms `assurance', `life cycle assurance', and `operational assurance' are used in technical policy statements that apply primarily to trusted, commercially available, automatic data processing systems. These terms should not be confused with the usage of ``information assurance'' in this paper.)
Within this paper, the term ``disruption'' is used to mean corruption of information or denial of services. The term disruption applies to a wide variety of events. Disruption applies to events whose impacts are felt immediately, over a period of time, and even events that are never noticed. Disruption applies to effects at many different levels: information systems, the information infrastructure, users, business units, or the enterprise as a whole. Disruptions can be obvious, as in the case of complete failures of information systems, subtle, as in the case of wrong part numbers in a catalog resulting in wrong part orders, or extremely subtle and indirect, as in the case of a change of address card causing a wrong address to be put into a shipping database, causing the mis-shipment of air conditioning rechargers, causing air conditioning to fail in a computer center, causing computers processing supply and logistics information in that computer center to fail, thus making it impossible to order the air conditioning rechargers needed to restore services. Disruptions can be caused by a wide range of sources, from random and naturally occurring events, through mischief, to malicious acts by military adversaries. Information assurance addresses all facets of disruption.
The DII is required to support the DoD in modern warfare: Over the past decades, the DoD, defense agencies, and industry have developed elements of the defense information infrastructure in a highly decentralized manner. This has led to the fielding of many proprietary, duplicative, and stand-alone information systems. This resulted in suboptimization, inefficiencies, and a lack of interoperability. To obtain efficiency, improve effectiveness, reduce costs, increase interoperability, and meet the coordination requirements of joint deployments, the DoD has undertaken the transition to a modern open-system information infrastructure. [NMSD-94] This multi-year transition is being guided by centralized policy from the Office of the Secretary of Defense while the execution will be carried out in a decentralized fashion.
DISA has been assigned the responsibility for promulgating design requirements for the migration of DoD information systems into an integrated, resilient, global network capable of providing all appropriate information: [DISA-arch] [DMRD918-92]
* To anyone properly requiring it. * In a timely and accurate fashion. * For reasonable costs. * From peacetime to global war.This objective integrated information network is called the Defense Information Infrastructure (DII).
Prudence demands the DoD assume battle damage: National security decision makers must assume that in future conflicts the DII will be attacked and sustain battle damage, both by `hard kill' destructive weapons, and by `soft kill' informational attacks. The designers of the DII should assume that the DII will be subjected to greater operational stresses than those experienced in the Gulf War to support a two theater engagement as called for by the current national defense strategy, [BotUp93] and anticipate hard and soft kill attacks while under this level of stress.
``It is a doctrine of war not to assume the enemy will not come, but rather to rely on one's readiness to meet him; not to presume that he will not attack, but rather to make one's self invincible'' (Sun Tsu) [Tsu] )
Defense against disruption is a critical readiness requirement: To provide information to anyone properly requiring it in a timely and accurate fashion is to require availability of services and integrity of information. Providing information services in a military context must include a recognition of the outcomes of hostile action to disrupt those services. The loss of information services in the context of the DII could result in military defeat.
``The Director Defense Information Systems Agency, as central manager of the Defense information infrastructure (DII), shall ensure the DII contains adequate protection against attack'' [DoD-TS3600.1]
Thus, DISA has a clear responsibility to defend the DII against intentional disruption. In non-combat situations, the DII is also required to operate despite accidental incidents, so the DII has a requirement to defend against these events as well.
While the process is already underway to integrate legacy systems into a DII, and there are already criteria in place for protecting classified and sensitive data and managing permanent and transient faults, there are fundamental issues that have not yet been adequately addressed. Specifically, no one fully comprehends what the intentional disruption implications are for such a large, complex, and critical system operating under the stressful conditions of information warfare.
Intentional disruption is not adequately addressed by current techniques: Existing efforts are primarily oriented toward preventing the illicit disclosure of both classified and unclassified but sensitive data, and preventing random or naturally occurring faults from resulting in failures. Government standards, policies, techniques, and procedures for information security address the disclosure problem, while standard engineering design practice, and in the case of more stringent requirements, the field of `Fault Tolerant Computing' address the accidental disruption problem.
Standards, procedures, tools, and techniques for providing secrecy, standard engineering practice, and the field of fault tolerant computing do not and were never intended to address intentional disruption. Thus, the requirement for information assurance `fell through the cracks' in most current information processing and transport designs. Intentional disruption needs to be addressed by information assurance, which should underpin defensive information warfare.
There are a small number of research groups around the world that have been working on the information assurance problem for a number of years. Known foreign research locations include The People's Republic of China, Russia, Germany, Israel, Australia, Denmark, England, and Japan.
Benefits of information assurance extend beyond the DoD: As the nation's information systems are being tied together, whether in the DII or the NII, the points of entry and exposures increase, and thus risks increase. The technological advancement toward higher bandwidth communications and advanced switching systems has reduced the number of communications lines and further centralized the switching functions. Survey data indicates that the increased risk from these changes is not widely recognized. [Loch92] [Thyfault92] [Violino93] Efforts made by DISA to promulgate standards for the DII will have a positive impact on information assurance that will extend beyond the DoD and impact all segments of the national economy. As DoD standards become the basis for product designs, the savings gained by reducing downtime and exposure to intentional disruptions will have a positive financial benefit on the US.
Cost factors greatly favor selective immediate action: Data from cost studies shows that the cost of providing information assurance to the DII in the design and specification phase can be up to several orders of magnitude less than the cost of providing the same protections after integration is substantially completed. This savings will come in two forms: it will reduce the cost of implementing whatever protection is deemed appropriate, and it will guide the architectural structure of the DII to facilitate protection at lower cost. This approach applies to all new components of the DII.
For legacy systems, the cost of injecting information assurance may be astronomical, so a different approach should be considered. A timeframe should be established for replacement or enhancement of legacy systems, and DISA should plan on requiring appropriate information assurance features in replacement systems over that timeframe. Based on normal replacement cycles, this process should be completed over the next 10-12 years.
History shows that the cost of incremental improvement increases as perfection is approached. Rather than strive for perfect information assurance, risks should be managed in a reasonable way that balances cost with the protection it provides.
Based on these factors, it is the conclusion of this study that the most cost effective overall approach to providing information assurance to the DII will be to immediately incorporate information assurance requirements into design standards, and to provide network-based tools and techniques to detect and respond to disruptions.
Summary: By recognizing information assurance as a critical readiness issue and addressing it immediately, the DoD and the nation as a whole will greatly benefit:
* By assuring the US is able to win on the information battlefield. * By dramatically reducing the cost of achieving protection. * By reducing DoD costs due to disruption of the DII. * By reducing current losses impacting the US national economy.
The DoD must recognize the threat of disruption and DISA must provide adequate information assurance guidelines for the DII.
In this initial study, information assurance issues are discussed in a qualitative manner. Based on these qualitative understandings, \ORG/ should be able to begin the considerably longer and more complex task of quantifying these results and generating detailed information assurance criteria for defensive information warfare.