The first step in providing protection is performing a protection posture assessment. Over the last several years, I have worked with a group of well-seasoned information protection specialists doing top-level qualitative analyses of the protection posture of many organizations. For this book, portions of several of these studies have been extracted and identities disguised to illuminate the topics discussed earlier.
Several people have asked how these studies can be done so that the same quality results can be attained with lower quality personnel. They ask for checklists and all sorts of other short cuts, but in the end, this is just not how you do a really good protection posture assessment. That is not to say that you cannot do a lower quality assessment with things like checklists and, in fact, many companies offer such a service.
In response to one request, I prepared a draft document describing what it takes to do such an assessment. What follows is a variation on that document in which company-specific information and references to previous studies are removed. This discussion concentrates on studies for large organizations, but many of the points apply to all organizations. This discussion is also oriented toward a 30-day study addressing a situation in which losses could have high value. This seems to be the norm for this sort of study in a large organization. It should be helpful both to those readers who are interested in performing these sorts of studies for others and for those readers who are considering hiring someone to do such a study.
Personnel
The information protection posture assessment requires a team of expert personnel with general knowledge and experience in a wide variety of areas, and special expertise in all of the aspects of information protection. Specifically:
Areas Covered
The areas covered (protection management, protection policy, standards and procedures, documentation, protection audit, technical safeguards, incident response, testing, physical protection, personnel issues, legal considerations, protection awareness, training and education, and organizational suitability) are detailed elsewhere in this book and I will not take the time to reiterate them here. It is important to have people who are well-versed in all of these areas because the language used by people in different corporate roles is quite different. In order to communicate effectively and be viewed as a professional, you must be able to switch languages while speaking to different people and understand the nuances of these different languages. For example, the term wire room means something very different to a facilities manager than to someone in charge of electronic funds transfers. Similarly, the abbreviations used are very different for different people with different backgrounds, so it is vital to have enough knowledge of these areas to be understood and understand properly.
Process
The assessment process consists of the following steps:
The members of the assessment team should be well prepared to ask any question related to their areas and a very thorough record of what was said by whom should be kept. The goal of this effort is to reconnoiter the client operation. That means that, like a grand jury, it is appropriate to go anywhere and ask anything.
For lack of a better analogy, this is very much like a tiger team where you get the best experts to tell you how they could attack. The difference is that you don't touch anything, you just ask questions and make observations that allow you to assess the current situation. If the client doesn't know the answers to the questions, this is an area they should do more work on. If they do know the answers, these answers will reveal the weaknesses and strengths.
Another critical factor to the success of the findings is that they relate the results to comparable organizations so that the client gets a feel for what is normal and prudent, what is critical, etc. In the findings, it is the responsibility of the assessment team to make value judgments about the relative importance of different issues. For example, in a glass factory, if a particular router is used to connect the Internet to a file server which is used for advertising, it is vital to understand that regardless of the potential for abuse, this component is inherently less critical to this particular company than the temperature control in the ovens. This combination of technical and business understanding is what makes the findings valuable to the organization being assessed.
In order to meet the typical 30-day time frame, the analysis and findings must be completed in draft form by the end of the second week of the study. Thus, the team members get only one week to generate, write up, and initially integrate their findings.
Alternatives
This sort of assessment is designed to provide a very rapid, low-cost, top-level, qualitative assessment. For that reason, it depends on extremes in expertise. Some alternative approaches that are widely practiced in the industry include:
Selling (and Buying) a Posture Assessment
``Nothing happens till someone sells something,'' is a famous quote from a well-known expert on marketing. Unfortunately, selling a protection posture assessment has not historically been a very easy task. Some have equated it to pulling teeth, but I must have a better dentist or a higher threshold of pain than they have because selling a posture assessment has always been much more painful in my experience.
Political Documents
Despite their technical content and reasonable accuracy, all protection posture assessments are essentially political documents from the point of view of the customer. In particular, they are designed to address the specific desires of the client to make changes in their organization.
Why Organizations Don't Get Posture Assessments
Many people have legitimate concerns about information protection, but of those, very few do much about it. In some cases, the cost of an assessment prevents it from being done. In other cases, the person who wants the assessment done is not powerful enough to get it done without approvals that can never be attained.
Probably the dominant reason that such a study is a rarity is that the person in charge of information protection doesn't want to have a report hanging around that describes inadequacies. Here are just some of the reasons such a report may be seen as undesirable:
There is a fundamental issue in here somewhere. And I think the issue is that people in most organizations are punished for being less than perfect. This means that it is better for the individual to cover up possible problems than it is to expose them and correct them. But a study of protection, by definition, is designed to expose problems. Even worse, it costs money to have such a study done, so you are spending money and identifying shortcomings, the two worst things you can do as an individual in an unenlightened organization.
Why Organizations Do Get Assessments
Over the years, I have encountered five main exceptions to the rule of never buying trouble in the form of a protection posture assessment:
This information was extracted from a study done for a small restaurant corporation as a side effect of looking at other issues in their information technology area.
This situation is typical in that this business is not interested in keeping secrets, but they have a vital need for availability of information services and integrity in those services. They have a small network used in one location and they are considering using elements of the NII as a conduit for connecting a second location to their first location, but this is not emphasized in the particular report.
This study is also typical in that it is presented in the language used in the organization. For example, ``servers'' are the people that go out to the tables and ``the system'' consists of several PCs, a network, a file server, several printers in various locations, the point of sale terminals used by cashiers, and some office systems interconnected to the network. Many of the product names are known to those at this restaurant and several technologies are familiar to them, but in other areas, they know very little.
Executive Summary
Critical Repairs
Software:
Hardware and Operations:
Important Changes
Software:
Hardware:
Aggravating Factors
Long-term Limitations
This study was done for the information systems manager of a small manufacturing automation firm over a very short period of time. It represents a realistic view of the position of many small- to medium-sized companies today with respect to protection. The engineering orientation of this company places more emphasis on confidentiality than many other businesses.
Again, the language of the study is oriented toward the words and phrases used in this company. The study was done for the head of the Information Systems department and the entire firm is engineering-oriented. Little is provided in the way of explanation and many terms are used without explanation. The President of the company at the time this study was done had an engineering background and was familiar with these terms and phrases as well.
One of the important issues detected in this study was the changing nature of their dependency on different portions of their information technology. This sort of change often creeps up on companies, and before they know what happened, their environment has completely changed and their protection plans are no longer meaningful.
Introduction
This report summarizes and comments on a brief review of information protection at ABCorp. The review was performed in the form of an interview with Mr. John Smith, the manager of information systems at ABCorp, and his chief system administrator. The review consisted of discussions of protection issues and a brief tour of facilities.
In addition to the normal business systems used by most modern corporations of substantial size, ABCorp survives as a company because it has unique information technologies and engineering expertise. To a large and increasing extent, it is information technology that differentiates ABCorp from its competitors. This is especially true in three areas:
At present, the information requirements of these engineering areas balance with or slightly exceed the more common information technology requirements of business and operations. It is highly likely that within the next 3 to 5 years, information technology requirements in the engineering areas will come to far outweigh other business requirements. Correspondingly, the financial values associated with the engineering applications of information systems at ABCorp will come to far exceed the values associated with other areas.
This shift from business applications of information technology to engineering applications is not uncommon and is not proceeding without pain. The increasing use of PCs in the engineering functions is only one example of this shift. Another example is the movement toward far more complex and integrated information systems performing control and analysis functions in products. While the problem of providing backups for PC-based engineering workstations is becoming somewhat of an inconvenience, there is currently little or no centralized control over systems used for complex applications and no central storage of software provided to customers. These problems will only get worse as this shift continues, and without a well thought out plan, it is likely that the situation will get out of control within 2 years.
This study is primarily concerned with assuring that the right information gets to the right place at the right time, taking into account accidental and intentional events that may tend to prevent this from happening. This concern is usually considered in terms of three components: confidentiality of information, integrity of information, and availability of services.
In the case of ABCorp, there are substantial lapses that affect all of these areas, and yet from an overall perspective, the information systems specialists seem to have things reasonably in control. To the extent that the specific findings outline inadequacies, it appears that the people in the information systems department are ready, willing, and able to make reasonable improvements within reasonable time and cost constraints. Unfortunately, the trend seems to be toward a loss of control in the areas where responsibility is poorly defined, and even more unfortunately, this is the engineering area that will soon come to dominate the information component of ABCorp as a business.
The most important finding of this short review is that top-level management must work with engineering and information systems management to arrive at a well-defined policy and plan for this shift in information technology emphasis and that these people must come to work together as a team to regain and maintain control over this vital and growing area of concern.
Findings
It is important to note that the vulnerabilities detected in this review are not particularly unusual, that the presence of vulnerabilities does not necessarily indicate the presence of attacks, that exposures resulting from vulnerabilities are not always exploited, and that not all vulnerabilities have to be addressed by technical defenses or at high cost. In many cases, awareness of a potential problem may be an adequate defense.
Policy: ABCorp has no written security policy that documents and describes responsibilities of personnel. This is a critical problem that must be corrected in order to address overall protection issues. Among other problems, there is no clear line of responsibility for the proliferating personal computers, and the lack of adequate long-range planning, if left uncorrected, may result in increased cost and ineffective protection as the client-server model of computing becomes more dominant in the ABCorp environment.
People: ABCorp has no formal mechanism for mapping people to job function and relating job function and changes to authorization. Without such a formal mechanism, it is very difficult to properly manage protection in automated information systems. Notably, personnel and information systems do not have adequate communication and procedural safeguards. For example, when people leave ABCorp or go on vacation, the information systems department should be notified in a timely enough fashion to disable computer accounts over the period of inactivity.
Procedures: ABCorp has no documented procedures and checklists for performing protection-related functions. Without documented procedures, implementation depends on people remembering what to do. Without checklists or some other form of tracking, there is no mechanism for documenting what was done by whom and when and assuring that responsibilities are properly carried out.
Physical: Physical access to the main computer is relatively open. Minor improvements are apparently under consideration and the risk currently seems to be in the acceptable range. An uninterruptible power supply would have a positive effect on reliability; however, backup procedures and recovery contingency planning appear to provide an adequate, but poorly documented, recovery process.
Operating System: Operating system protection is inadequately maintained, primarily because of inadequate manpower and/or automation, a lack of well documented procedures, and too much reliance on applications for protection that is more appropriately implemented by the operating system. Password protection as implemented is inadequate, and the protection features provided for VAX VMS are not being used as effectively as they could be.
Protection Enhancements: Specific enhancements in the form of an outside vendor product called Watcher have been put in place to provide added protection for dial-in lines and the payroll application, but the internal VMS mechanisms that can also greatly enhance this protection are not being fully or properly exploited. Since internal VMS mechanisms are normally far more effective than third-party enhancement products, VMS protection should be set properly first, and then vendor enhancements should be used to provide added coverage which VMS is not capable of providing or to provide additional layers of coverage in vital areas. The enhancements specified for the Watcher product appear to be reasonable and appropriate, and are likely to be generally beneficial, but they should not be treated as a panacea and should not be used in place of proper VMS protection.
Networks: Current networks are not well protected, but it is unclear that substantial protection enhancements would be cost effective in the short run. Some inexpensive enhancements would seem appropriate, but because ABCorp is not connected to outside networks, this is not a high priority. Some concern exists for the lack of adequate backup for PCs on the LAN, lack of controls over information leakage and/or corruption in the LAN, inadequate computer virus protection on the PCs in the LAN, inadequate protection against illegal copies of software, and a general lack of control and assigned responsibility for LAN-based PCs.
Applications: Access to and within applications is the first line of defense against unauthorized activity at ABCorp, but this is inadequate for several reasons, including fundamental limitations on that technology, a lack of adequate protection in most vendor software, and well known methods for breaking out of the application into the command interpreter. Application-based protection should not be the first line of defense and should be treated as an auxiliary limitation more for convenience than for protection.
Users: Users are not always given unique identities on ABCorp systems, their passwords are far too easily guessed, and inadequate controls and checks are in place to assure that only authorized activities are performed by authentic users. Inadequate tools are provided to assist users in behaving properly and to assure that errors or omissions don't result in problems.
Legalities: Inadequate notice is provided for users entering and using the system. All users should be properly informed of their rights and responsibilities and should sign documents asserting their knowledge, understanding, and agreement to the rules of the road. Login screens should accurately describe the presence of monitoring and other restrictions on use. Users should be made aware of legal implications to the corporation and to themselves of their use of ABCorp systems.
Training: ABCorp employees have inadequate education, training, and awareness of information protection. A properly designed regular awareness program, consuming only 15 to 30 minutes per quarter for most users, is required in order to keep protection in an appropriate perspective.
Personal Computers: Personal computers are predominantly used by engineering staff at this time, but as the process of moving toward a client-server environment proceeds, it will place increasing burdens on the information systems staff, and if not well thought out, may result in inadequate protection, poor performance, expensive retrofits, and many other long-term problems. In addition, management control over personal computing facilities is inadequate and is not properly defined. A top-level policy decision must be made and implemented regarding how these computers are managed, controlled, used, disseminated, connected, backed up, restored, repaired, replaced, stocked, purchased, paid for, and every other aspect of their use. Responsible parties must then be made aware of their responsibilities and provided with adequate tools, training, and budget to manage those facilities.
Major Concerns: The major concerns expressed were over the movement of all remaining financial functions from an outside corporate information-processing environment into the local environment. Further concern was expressed over the increasing value associated with information distributed on PCs, over the LAN, and over centralized databases stored on the VAX. In several cases, the conflict between usability and protection came up. These cases must be addressed on a case-by-case basis using innovative techniques. In many cases, people solutions appear to be overlooked in favor of technical solutions. It is important to find a more appropriate mix of automated and human solutions in order to afford the best protection at the lowest cost.
Budget: There appears to be adequate budget in information systems to implement a reasonable program of protection if management can display appropriate resolve and if protection is made a key component of overall information systems and corporate planning. Affordable and well-conceived protection can only be implemented by making protection an integral part of overall information systems planning.
Perspective
A substantial amount of effort will be required in order to address the protection problems outlined in the findings of this report. A reasonable estimate is that 3 person-months worth of effort over the next 6 months will be required by the current information systems manager and staff in order to make appropriate improvements to existing information protection, and that an ongoing effort of 1 to 2 person-weeks per quarter will be required in order to maintain the enhanced protection levels once they are attained. In addition, a budget of $5,000 to $10,000 may be required in order to purchase software enhancements to address specific concerns that affect current networked systems.
The long-term planning requirement is somewhat more difficult to define in terms of costs because proper long-term planning which incorporates protection may not cost more, but it will probably lead to different planning decisions that affect corporate operations over a long period of time. A key component will be the increased awareness of the value of information and the requirement for information protection as a part of the corporate culture at ABCorp.
The change in corporate culture is key for two reasons. The first reason is that it brings the subject into the foreground, which increases the exchange of information, affects how people react when they see things that they used to ignore, changes what people talk about at lunch, and so on. The second, and perhaps more important, reason is that, if properly done, the cultural change creates an environment where people are brought into the protection process rather than disenfranchised.
Conclusion
This cursory review of protection revealed some simple problems with simple and inexpensive solutions, some more complex problems that require ongoing attention by the information systems staff, and some corporate challenges that are important to the long-term well being of ABCorp.
Although a more thorough review may be appropriate at some future date, it is unlikely that such a review would be appropriate until information systems has time to address the issues pointed out in this study and management takes the time to consider and plan for the long-term implications of the changing information environment.
It is nearly impossible to get permission to publish even disguised versions of studies done for a big business. Since this is infeasible, a pseudo-case study is used. This is done by taking several reports and combining them together, altering numbers to reflect similar deviations from average statistics, and then generating a report suitable for the case study. In other words, this report could come from any firm of a similar sort, but actually comes from no such firm. Any similarity between the people, places, or incidents in this case study and any actual people, places, or events, is purely coincidental.
In this study, language differences are even more stark. There is a very different language used in the executive summary than in the detailing of what their personnel told us, and a still different language is used in our findings. This is intentional.
Because this case study is quite extensive, only the executive summary is included here. The remainder of the study is included in Appendix B. It is well worth reviewing.
Executive Summary
We were asked to perform an initial protection assessment of XYZ Corporation. This assessment was accomplished by direct observation, interviews with key personnel, and comparison with comparable organizations.
Summary of Findings
XYZ Corporation is highly dependent on information, highly vulnerable to attack, and at great risk of substantial information protection-related losses. Furthermore, substantial losses have been sustained in the past year and ongoing losses are being sustained as of this writing.
XYZ Corporation's assets are at great risk and immediate action is required to address this situation. XYZ Corporation's current overall protection posture is inadequate as the following summary assessment details:
In order for the protection situation to be properly resolved, significant enhancements must be made to XYZ Corporation's information protection posture.
We recommend that the following program be undertaken:
This study analyzes protection for a military system that is currently being fielded. In order to understand the issues at play, it is important to understand that in military endeavors, the stakes are people's lives, and in extreme cases, the lives of nations. In a war, the enemy may send bullets, bombs, missiles, mortars, and/or martyrs in the normal course of events. When pressed, any biological, chemical, nuclear, or other sort of weapon might be used. In providing defenses, the military must also consider cost. For example, a system that will have a useful lifecycle of only 10 to 20 years (a long time by modern information system standards) may never see a substantial combat role. If it never encounters a nuclear threat, it is unlikely that the protection from electromagnetic pulses (EMP) will be significant. On the other hand, if everything is designed to ignore the nuclear threat just because it hasn't been used in 50 years, the entire force may be wiped out by a single nuclear device blown up 25 km above the battlefield.
When it comes to language, the military is in a world of its own. A multilevel secure (MLS) operating system may be used to implement a trusted Guard application which extracts Unclassified (U) information from a top secret (TS) database using government off-the-shelf (GOTS) hardware and commercial off-the-shelf (COTS) software. The military also has a myriad of standard operating procedures (SOPs) that specify everything from when Tempest (emanations) protection is required to how to do risk analysis. This particular system (called Alma in this book) is also required to connect to other military systems. In keeping with this long tradition, this report also makes up a series of words of its own to identify threats and countermeasures for the purposes of making charts and performing analysis.
This particular report was one small part of a larger report provided to the designers of Alma so that they could evaluate how to modify Alma for use in the field. It may be that in the fielded version, none of the identified protective measures are taken. For example, many of the threats considered in this write-up are threats not generally addressed by military protection systems, and Alma is competitive with other projects throughout the DoD. Since price is a critical issue in the military (after all, we can buy a lot of bullets for this much money), the designers of Alma may decide that providing this protection will price Alma in a range where other less able systems will be chosen instead. It may be a better strategy to simply provide Alma as is, wait until a hundred of them are fielded, and then tell all the users that additional precautions are appropriate.
Only the executive summary of this report is included here. Much of the rest of this report is included in Appendix B.
Introduction and Executive Summary:
We did an informal review of policies, procedures, and technical safeguards for Alma. During that visit and since that time, protection techniques to cover those threats cost effectively have been considered. This introduction and executive summary outlines the methods applied, the overall concerns that remain, and the conclusions of this analysis. The second part of this study details the identified vulnerabilities, available techniques that could be used to protect Alma and the approximate costs associated with those protection techniques. The third part of this report details the method used to analyze Alma, and results of the analysis.
Findings
Alma is a prototype system being deployed. As a prototype, the system demonstrates proper functional capabilities and a reasonable degree of protection, but in a deployed situation, far more care and consideration is warranted in the information protection area. Specifically, the following problem areas were identified and should be addressed:
\begin{tabular}{|l|l|} \hline \hline
Area & Rating \\ \hline
Tempest & Poor \\ \hline
Reliability & Poor \\ \hline
Protocols & Poor \\ \hline
Data exchange & Poor \\ \hline
Integrity protection & Poor \\ \hline
Security administration & Inadequate \\ \hline
Auditing & Inadequate \\ \hline
Availability protection & Inadequate \\ \hline
Rapid adaption & Inadequate \\ \hline
Future networking & Inadequate \\ \hline
Secure distribution & Inadequate \\ \hline
\end{tabular}
How Findings Were Analyzed
The findings were analyzed by creating and analyzing a covering chart which lists vulnerabilities along one dimension and defenses that cover those vulnerabilities along another dimension. Costs of defenses are approximated, and an efficient search of all single covers is performed to find the most cost-effective defense that would cover all of the threats at least once. The result is provided below.
Because of the interdependence of protection techniques and their synergistic effects, this analysis was performed for each of two distinct architectures. One architecture considers the existing Alma environment with enhancements performed on a step-wise basis. The other architecture considers the effect of moving to a multilevel secure implementation wherein Alma internals are redesigned to provide for protection enhancements. These two alternatives were chosen because they represent two key alternatives for future Alma systems.
Inherent in this analysis is the assumption that several Alma systems are to be implemented. In the cost analysis, it is assumed that 50 Alma systems are to be deployed over time, and that factor is used to amortize initial costs as opposed to unit costs. If fewer systems are to be implemented, the tradeoffs favor less redesign effort, while for larger numbers of systems, redesign has less effect on overall costs. Effects of inflation and the time value of money were not computed in this analysis, but the results are sufficiently clear that this will not substantially alter the end result.
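The covering-chart search described above, together with the amortization of one-time costs over the number of fielded systems, as an added example in Python that is not code from the original report. The vulnerability names are the areas from the findings table; the defense names, their coverage relations and their costs are constructed for illustration only.

```python
"""Covering-chart analysis: find the cheapest set of defenses that covers
every listed vulnerability at least once, with one-time (initial) costs
amortized over the number of systems to be fielded.

Added example; the defenses, coverage relations and costs below are
constructed for illustration and are not the report's data.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Vulnerability areas taken from the findings table.
VULNERABILITIES: FrozenSet[str] = frozenset({
    "Tempest", "Reliability", "Protocols", "Data exchange",
    "Integrity protection", "Security administration", "Auditing",
    "Availability protection",
})

# Constructed covering chart: defense -> (initial cost, per-unit cost,
# vulnerabilities it covers). Values are illustrative, not from the report.
DEFENSES: Dict[str, Tuple[int, int, FrozenSet[str]]] = {
    "shielded enclosure": (200_000, 40_000, frozenset({"Tempest"})),
    "redundant LAN and servers": (300_000, 25_000, frozenset({
        "Reliability", "Availability protection"})),
    "audit subsystem": (150_000, 5_000, frozenset({
        "Auditing", "Security administration"})),
    "MLS redesign": (2_000_000, 2_000, frozenset({
        "Protocols", "Data exchange", "Integrity protection",
        "Security administration", "Auditing"})),
    "external guard and crypto": (400_000, 30_000, frozenset({
        "Protocols", "Data exchange", "Integrity protection"})),
}


def per_unit_cost(initial: float, unit: float, n_systems: int) -> float:
    """Cost per fielded system when the one-time cost is spread over n systems.
    This is the 'ea.(N)' figure in the cost table: initial / N + unit."""
    return initial / n_systems + unit


def uncovered(defenses: Dict[str, Tuple[int, int, FrozenSet[str]]],
              vulnerabilities: FrozenSet[str]) -> FrozenSet[str]:
    """Vulnerabilities that no defense in the chart covers at all."""
    covered = frozenset().union(*(cov for _, _, cov in defenses.values()))
    return vulnerabilities - covered


def cheapest_cover(defenses: Dict[str, Tuple[int, int, FrozenSet[str]]],
                   vulnerabilities: FrozenSet[str],
                   n_systems: int) -> Optional[Tuple[float, FrozenSet[str]]]:
    """Branch-and-bound search over all single covers: return the per-system
    cost and the chosen defenses for the cheapest set that covers every
    vulnerability at least once, or None if some vulnerability is uncoverable."""
    if uncovered(defenses, vulnerabilities):
        return None
    # Cheapest (amortized) defenses first so the bound tightens early.
    items = sorted((per_unit_cost(i, u, n_systems), name, cov)
                   for name, (i, u, cov) in defenses.items())
    best: List = [float("inf"), frozenset()]

    def search(idx: int, remaining: FrozenSet[str], cost: float,
               chosen: List[str]) -> None:
        if cost >= best[0]:          # cannot beat the best cover found so far
            return
        if not remaining:            # every vulnerability covered at least once
            best[0], best[1] = cost, frozenset(chosen)
            return
        if idx == len(items):
            return
        c, name, cov = items[idx]
        if cov & remaining:          # only take a defense that still adds cover
            search(idx + 1, remaining - cov, cost + c, chosen + [name])
        search(idx + 1, remaining, cost, chosen)

    search(0, vulnerabilities, 0.0, [])
    return best[0], best[1]


def tradeoff(ns: Tuple[int, ...] = (1, 10, 50)) -> Dict[int, Tuple[float, FrozenSet[str]]]:
    """Cheapest cover for each fleet size; shows how redesign (large initial
    cost, low unit cost) wins only as the number of systems grows."""
    return {n: cheapest_cover(DEFENSES, VULNERABILITIES, n) for n in ns}


if __name__ == "__main__":
    for n, (cost, chosen) in tradeoff().items():
        print(f"{n:3d} systems: {cost:>12,.0f} each  <- {sorted(chosen)}")
    missing = uncovered(DEFENSES, VULNERABILITIES | {"Secure distribution"})
    print("uncoverable:", sorted(missing))
```

With the constructed figures the bolt-on guard is cheapest for a single system, while the MLS redesign takes over at 50 systems; a vulnerability no defense covers is reported rather than silently dropped.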
The Two Architectures
The two architectures under consideration are pictured here:
In the multi-level secure (MLS) version of Alma, a redesign centralizes all database access to the 3 redundant Alma database servers, thus eliminating a multiplicity of Oracle licenses, and saving several thousand dollars per license eliminated. These servers run under multilevel security, and have two partitioned databases for secret and unclassified data respectively. The secret and unclassified sides of each MLS are linked to 2 of the 3 redundant LANs at each of the two security levels, providing a secure and reliable bridge between the security levels without any additional hardware. An automated guard on the MLS systems automatically declassifies the appropriate portions of secret database transactions so that unclassified databases are automatically and rapidly updated, while unclassified entries are automatically available for secret access by the normal operation of the MLS system. Thus, all redundant data entry is eliminated and security becomes completely transparent to the Alma users. Physical security need only be applied to the secret side of this system and the MLS secure systems containing the database, thus dramatically reducing the need for tempest coverage and other expensive protection requirements for nodes processing only unclassified data.
In the non-MLS version of Alma, the basic Alma system is left running system high, and external devices and software are added to allow for declassification, incorporation of unclassified data, and so on. This has the advantage of requiring less effort in the redesign of Alma, because only performance and stylistic changes are required, and the security enhancement of the database is easier. Database access is centralized so as to reduce Oracle license costs, but more systems must be secured with physical protection. There is a single MLS system of smaller size and lower performance for the automated guard application, and unclassified Alma components are kept at system high. Similar reliability and redundancy are attained, and extensive automated-guard downgrading of information is used to reduce redundant data entry.
The basic difference in these architectures is the tradeoff between (1) the cost of physical security and custom protection implementations for the non-MLS version, and (2) the cost of designing to operate in an MLS environment and the added costs of MLS systems in the MLS design. Many components of this architecture can be changed without altering this basic difference, and these are not intended as final designs, but rather as the two most obvious alternatives from a cursory examination of the Alma design and function.
What the Analysis Showed
The following table summarizes the recommended protection and the approximate costs associated with implementing it. It should be noted that several of these recommendations are badly needed for the wide-scale deployment of Alma for reasons not solely related to security (e.g., reliability, reduced life cycle costs, and so on).
Design Choice        Initial cost   Unit cost     ea.(1)    ea.(10)    ea.(50)
MLS w/shield            3,140,000      74,000  3,214,000    388,000    136,800
MLS w/o shield          4,390,000      54,000  4,444,000    493,000    141,800
NonMLS w/shield         2,690,000     184,200  2,874,200    453,205    238,000
NonMLS w/o shield       3,940,000      54,200  3,994,200    448,200    133,000

All figures are in dollars. The column ea.(n) is the cost of each system when n systems are deployed: the initial cost amortized over n systems plus the per-system unit cost.
At quantity 50, the cost difference between an unshielded non-MLS version of Alma and a shielded MLS version of Alma is only $3,000, which is far less than the added life-cycle cost of maintaining a system-high classified information processing environment without shielding. Since an MLS environment with shielding costs less at this quantity level than an equivalent environment without shielding and a shielded environment is more effective, the MLS shielded version of Alma is the clear choice.
Further savings can be afforded by only protecting half of the Alma implementations (those deployed outside of the continental United States) with shielding. In this case, we don't have to design a special nonshielded version for the continental United States, but rather use the standard version without shielding.
In other words, (and per regulations) we can protect the Alma installations outside the continental US with shielding, not provide an alternative to shielding for Alma systems in the continental United States, and get the best of both worlds. This then is our recommendation:
Implement the MLS Alma design shown earlier, placing Tempest protection (shielding) only in systems deployed outside the continental United States, and design for the following protection techniques (detailed descriptions are provided later in this report):
Protection technique                Initial cost   Unit cost
Cryptographic Checksums                  200,000           0
Computer Misuse Detection System         250,000      20,000
Decentralized administration              20,000           0
Field installation requirements                0       5,000
Custom Alma Guard on MLS                 500,000           0
MLS licensing fees                             0       2,000
Multiple LAN configuration                20,000       2,000
New protection tools                     100,000           0
New training programs                     40,000       5,000
Alma redesign                          1,500,000           0
MLS redesign overhead                    500,000           0
Shielding                                 10,000      40,000 (/2)
Overall Program Estimate               3,140,000      54,000

All figures are in dollars. The shielding unit cost is divided by 2 in the overall estimate because only half of the systems (those outside the continental United States) are shielded.
The total cost for a program of 50 Alma systems comes to $116,800 per Alma.
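The amortization described in the paragraph on the 50-system assumption, and the two tables above, can be checked and extended with the following worked example. It is an added illustration, not part of the original study: the dollar figures are the ones in the tables, the cost model is the one the text describes (initial cost spread evenly over the number of systems deployed, plus a per-system unit cost, with no inflation or time value of money), and the function and variable names are my own.

```python
"""Amortized cost model for the Alma architecture comparison (added example)."""

# Figures from the design-choice table: name -> (initial cost, unit cost), in dollars.
DESIGN_CHOICES = {
    "MLS w/shield":      (3_140_000,  74_000),
    "MLS w/o shield":    (4_390_000,  54_000),
    "NonMLS w/shield":   (2_690_000, 184_200),
    "NonMLS w/o shield": (3_940_000,  54_200),
}

# Line items of the recommended program:
# (name, initial cost, unit cost, fraction of systems the unit cost applies to).
# Shielding is fitted to only half of the systems, hence the 0.5.
PROGRAM_ITEMS = [
    ("Cryptographic Checksums",            200_000,      0, 1.0),
    ("Computer Misuse Detection System",   250_000, 20_000, 1.0),
    ("Decentralized administration",        20_000,      0, 1.0),
    ("Field installation requirements",          0,  5_000, 1.0),
    ("Custom Alma Guard on MLS",           500_000,      0, 1.0),
    ("MLS licensing fees",                       0,  2_000, 1.0),
    ("Multiple LAN configuration",          20_000,  2_000, 1.0),
    ("New protection tools",               100_000,      0, 1.0),
    ("New training programs",               40_000,  5_000, 1.0),
    ("Alma redesign",                    1_500_000,      0, 1.0),
    ("MLS redesign overhead",              500_000,      0, 1.0),
    ("Shielding",                           10_000, 40_000, 0.5),
]


def per_system_cost(initial, unit, quantity):
    """Cost of each system when `quantity` systems share the initial cost."""
    return initial / quantity + unit


def cost_table(quantities=(1, 10, 50)):
    """Rebuild the ea.(n) columns of the design-choice table."""
    return {
        name: {q: per_system_cost(initial, unit, q) for q in quantities}
        for name, (initial, unit) in DESIGN_CHOICES.items()
    }


def cheapest_design(quantity):
    """Name of the design with the lowest per-system cost at this quantity."""
    return min(
        DESIGN_CHOICES,
        key=lambda name: per_system_cost(*DESIGN_CHOICES[name], quantity),
    )


def crossover_quantity(a, b):
    """Quantity at which designs `a` and `b` cost the same per system.

    Solves initial_a/n + unit_a == initial_b/n + unit_b for n.  Returns None
    when the cheaper design never changes as the quantity grows.
    """
    initial_a, unit_a = DESIGN_CHOICES[a]
    initial_b, unit_b = DESIGN_CHOICES[b]
    if unit_a == unit_b:
        return None
    n = (initial_b - initial_a) / (unit_a - unit_b)
    return n if n > 0 else None


def program_totals(items=PROGRAM_ITEMS):
    """Sum the program line items into (initial cost, effective unit cost)."""
    initial = sum(item[1] for item in items)
    unit = sum(item[2] * item[3] for item in items)
    return initial, unit


if __name__ == "__main__":
    for name, costs in cost_table().items():
        print(f"{name:<18}", "  ".join(f"{q:>3}: {c:>12,.0f}" for q, c in costs.items()))
    initial, unit = program_totals()
    print(f"program: initial {initial:,}  unit {unit:,.0f}  "
          f"per system at 50: {per_system_cost(initial, unit, 50):,.0f}")
    print("MLS w/shield vs NonMLS w/o shield cross over at about "
          f"{crossover_quantity('MLS w/shield', 'NonMLS w/o shield'):.1f} systems")
```

Running the model reproduces the program totals (3,140,000 initial, 54,000 unit, 116,800 per system at quantity 50) and the ea.(n) columns, with one exception: the NonMLS w/shield entry at quantity 10 recomputes to 453,200 rather than the 453,205 printed in the table. The crossover function makes the text's point about quantity explicit: the shielded MLS design is the cheaper of the two finalists below roughly 40 systems, and the unshielded non-MLS design edges ahead above that, which is why the difference at 50 is so small.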
Conclusion
All of the items listed above should be implemented before Alma is deployed into widespread use.
System designers can only do so much on their own. Obtaining information protection for the entire nation will require resources and hard work on a national scale. It will not come about as a serendipitous feature of the development of an information infrastructure based on open systems. The longer this matter sits on the back burner or is treated as a matter of academic interest, the greater the eventual costs will be to add resiliency to the infrastructure. Ultimately, neglect of this matter could result in major economic loss, the loss of military capability, and military defeat.
The study from which these results were extracted was done for the Defense Information Systems Agency (DISA) to address the question of information assurance in the Defense Information Infrastructure (DII). [DISAdoc] The full study is not included in the appendices because of its substantial length and because everything covered in that study is reflected elsewhere in this book. Rather, the executive summary is provided here, and a more extensive summary is included in the appendices.
More than 90 percent of the DII consists of the NII, so DII requirements are key to the NII design and operation. Information assurance in this context refers to the availability and integrity issues discussed earlier.
Executive Summary
The United States depends on information as a key part of its competitive advantage. Operation Desert Storm was an object lesson in the critical importance of information in warfare, in that it demonstrated the DoD's ability to obtain and use information effectively while preventing Iraq from obtaining and using comparable information. This object lesson was observed and understood by other nations and organizations, but they also observed that the U.S. did not protect the massive information infrastructure it mobilized for the Gulf War against disruption. If the U.S. is to maintain a competitive advantage in future conflicts, then the National Information Infrastructure (NII) upon which the U.S. depends must be protected commensurate with its criticality. This analysis shows that:
If the Department of Defense is to maintain operational readiness and fulfill its national security responsibilities, the information infrastructure upon which it depends for information services must be strengthened against accidental and intentional events that lead to disruption (corruption of information or denial of services). If the U.S. as a nation is to compete economically, the NII must be protected.
In order to sustain U.S. capabilities, the following information assurance (availability of services and integrity of information) considerations must be given priority attention.
Information assurance for the NII must also be cost effective. This analysis shows that the costs associated with these tasks will increase dramatically over time if we do not act now. Furthermore, the efforts made to protect the NII will provide widespread benefits to U.S. commercial industries.
By the timely reinvestment of a small portion of the savings that will be gained from the current consolidation and migration to standard information and communication systems, the U.S. will avoid enormous future expenses, mitigate possibly catastrophic military consequences, and enhance its national competitive edge for years to come.
Is Information Assurance an Unsolvable Problem?
NO! We cannot make people immortal, but that does not mean we should abandon medicine. Nobody can provide perfect information assurance, but that does not mean that we should ignore a problem that may result in catastrophic consequences.
The issues that must be considered for proper information assurance in the NII span a wide range, and an equally wide range of solutions exists to address them. There are some challenges in information assurance that are now, and will likely remain, imperfectly addressed for some time to come, but the vast majority of the challenges today can be adequately addressed with a reasonable amount of well-directed effort.
Perhaps a more enlightening view of this issue is the question of how much it will cost to address information assurance, and how much the United States will save as a result of wisely spending that money. In this limited report, we cannot even begin to address the specific issues for specific solutions in specific systems, but we advocate financial and military analysis before undertaking costly action. We also believe that early investment will pay enormous dividends in both the short-term and the long-term:
The information assurance challenge is not only one that can be met, but one that must be met, if the United States is to attain and retain a competitive edge in both the DoD and national information arenas.
Based on our study, we believe that the following three items are the most vital things the nation can do in order to provide an NII with adequate information assurance.