The module learning objective:
- To define the concept of National Information Assurance and
identify related national policy issues.
Before we continue with this module, let's review the previous
Module 1 Review
Then: Money was available through DoD sponsored research. Now:
Commercial demands drive development.
The birth of ARPANET evolved into a basic requirement.
Then: Public trust of government was high. Now: Public trust of
government is low.
Module 2 Review
IW is more than technical, i.e. Somalia.
In the past, network links were the primary targets for exploitation,
and links and nodes were targets for denial and destruction. Classic
In this new world, nodes and information are the primary targets
for hackers and foreign intelligence.
There are now two new concerns: radical groups and commercial,
off-the-shelf software (COTS).
Module 3 Review
DoD is now dependent on the civilian infrastructure.
DoD must share the responsibility with the civilian sector for
defense of the national information infrastructure.
The President, Congress, Supreme Court and the commercial sector
will divide the baby.
Government departments and agencies will have to develop a strategy
for leading from behind.
In this module we will address these major points on Information
- Who, what, when and why (roles perspective).
- DoD's role (past attempts).
- Risk management (nodes, links, and information).
- Defense strategies: red team approach vs active defense.
- Management challenges.
From the National Security Strategy, February 1995:
The threat of intrusions to our military and commercial information
systems poses a significant risk to national security and must
That, by now, should be obvious. The real concern is:
Are we under attack right now? And if so, from whom?
Redefining and maintaining security is a national concern. DoD
and the Intel community must design a method that will provide critical
threat and technical knowledge. They must also cooperate with the
Who Are The Real Players?
Some of the real players who will influence the political process
and build the solutions:
- Sun Micro Systems
- And many others...
With DoD leading from behind!
Past DoD attempts in securing the information infrastructure mainly
involved an accreditation process. This, unfortunately, did not
work well because of these shortfalls:
- Inconsistent accreditation decisions were made independently
for interdependent systems. This resulted in non-uniform protections
across common DoD infrastructure. Also, the weaknesses in one
community undermined the security of others.
- Security assessments are costly, time-consuming processes.
- Security was not adequately addressed during the development
and maintenance of the systems, which resulted in ineffective
or inefficient security.
- Inefficient integration across DoD efforts resulted in duplication
and approaches that did not meet common DoD needs.
The shortfalls of a DoD accreditation system led to the following
- Erratic protection for DoD information systems.
- Cost of protection too high.
- No means to cope with new technology.
- Once accredited, a false sense of security exists, that is until
the next detected attack.
Defensive IW Implementation
Any proposed defensive IW implementation must encompass all of
- Organizational Infrastructure
- Education & Training
If accreditation does not work, what about an active defense? This
implementation also has shortfalls. Most importantly, an active
defense would violate U.S. criminal code on computer crime, e.g.,
18 USC 1030 (a)(5)(A).
Consider also the following scenario: What if the hacker is using
his/her parent's business computer or is using an assigned computer
at the Washington Post, Sony, or the Pentagon?
Using an active defense would damage not only the hacker's files,
but also the files of the legitimate computer owner/user. What if
a computer being used by a hacker, doctor's son, belonged to your
doctor and the files destroyed by an active defense were your patient
- Both good guys and hackers use the Internet.
- Hackers use sniffers.
- Hackers loop & weave.
- Hot pursuit and active defense may not be options.
If Active Defense is not an Option...
There are recommended strategies to deal with hackers who enter
your network. Once intrusion is detected, you have several options:
Sometimes the best offense is a good defense...
IW Defensive Strategy
- Manage your security - set policy for what is allowed, and what
behavior is prohibited.
- Banners that announce monitoring to be read by everyone logging
onto your system.
- Red Teaming - Controlled "hacking" by security professionals
who your organization has contracted for the identification of
- Risk management - plan for the attack.
Note: You must have Netscape version 2.0 or higher to run the post