The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program

IW cuts across national borders, educational background, and cultural views. To ensure a consistent understanding during this discussion, working definitions of IW and many supporting terms will be offered. This does not preclude national interpretations and certainly does not attempt to rationalize, harmonize, and normalize definitions. Common terms of reference (TOR) permit a shared understanding, as well as a point of departure for applying the TOR within specific organizations.

There are as many definitions of IW and related topics as there are people. It's reminiscent of three blind men describing an elephant by touching the animal's various parts. One blind man said, "An elephant is a reptile and is thin and long" as he was touching the tail. Touching the tusks, another blind man said, "An elephant is like a big fish with its smooth and pointed body." The third blind man said, "An elephant resembles a large leaf with a hole in the middle" because he was touching the ears. None of them could extrapolate their interpretations to a real elephant. Similarly, what one sees is not necessarily what one gets. "Quesque c'est?" will be mispronounced if one does not have a basic understanding of French diction. So, too, is it with terms used to describe various practices in the information realm.

In some cases, more terminology only detracts. "Cyber" is too limiting. It's as if, rather than push through difficult points to achieve philosophical insights and technical understanding, people create terms to differentiate themselves without knowing what they are doing.

Information and knowledge are now in vogue. We are in the Information Age, and rapidly transitioning into the Knowledge Age. Acquiring the right data, deriving good information, and applying it to make sound decisions to positively affect the bottom line is essential. Search engines have made finding information on the Internet very simple. Witness during the past 15 years the explosion of terminology related to the protection of information and using information for national security purposes. The most important point is to understand the meaning of these terms and what the different functions can—and cannot—do in order to make an informed decision whether or not to commit resources (i.e., people, money, and time).

Many countries have developed definitions. IW, information assurance, information operations, information superiority, and other constructs popular in the U.S. military are part of the Revolution in Military Affairs (RMA) and Revolution in Security Affairs (RSA). Government organizations and businesses have developed additional terms, and some do not agree with the national version. So there can be a point of departure for this discussion, definitions accepted by many are put forth. In some cases, working definitions will be used. The following definitions are from the U.S. Department of Defense Dictionary of Military and Associated Terms ^[4]:

• Command and Control Warfare (C2W): The integrated use of operations security, military deception, psychological operations, electronic warfare, and physical destruction, mutually supported by intelligence, to deny information to, influence, degrade, or destroy adversary command and control capabilities, while protecting friendly command and control capabilities against such actions. Command and control warfare is an application of information warfare in military operations and is a subset of information warfare. Command and control warfare applies across the range of military operations and all levels of conflict. Also called C2W. C2W is both offensive and defensive.

• Defense in depth: The siting of mutually supporting defense positions designed to absorb and progressively weaken attack, prevent initial observations of the whole position by the enemy, and to allow the commander to maneuver the reserve.

• Information assurance (IA): Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

• Information environment: The aggregate of individuals, organizations, or systems that collect, process, or disseminate information; also included is the information itself.

• Information warfare (IW): Information operations conducted during time of crisis or conflict to achieve or promote specific objectives over a specific adversary or adversaries.

Let's expand on this because of the definition of IW. What is IW? It's more than computer network attack (CNA) and defense (CND). That much everyone agrees on. But what else is encompassed by it? Heated debates go on today about what IW should embrace and accomplish. IW is an umbrella concept embracing many disciplines. IW is most effective when performed in a synchronized and coherent fashion. That is why knowledge management (KM) complements it so well. All components of an organization, as well as across the enterprise, need to be included in an IW action plan.

The good news is IW embraces the marketing, public relations, counterintelligence, and other functions you now perform. IW is not these functions renamed. They continue to be run by the subject matter experts. IW is the coherent application and synchronized approach of these functions. What is needed are experts who, by analogy, are conductors of the orchestra. They know where the expertise resides within the organization, understand what the functions can and cannot do, and bring them to bear for optimum performance. At present only the military in a few countries comes close to understanding the relationships and functions of linking the physical domain with the virtual realm, and has begun policy development and allocation of resources. The equivalent does not exist in industry—yet.

The purpose of IW is to control or influence a decision-maker's actions. An area of control can be directly manipulated, whereas an area of influence can only be indirectly manipulated. Control and influence are the essence of power. From a business perspective, sector and industry leading market share and profit are the results of proper IW execution.

What would make a decision-maker act or not act? Perhaps false or misleading information, an analysis of open source information, documents mysteriously acquired, or intelligence from an employee hired away from the competition. IW at the corporate level manifests itself in marketing, public relations, legal, research and development, manufacturing, and other functions. With the introduction of commercial high-resolution satellite photography, some companies have altered their delivery and shipment schedules, including using empty rail cars and semi-tractor trailers to mask inventory, production capability, and customer quantities. IW is a full spectrum of capabilities. Ingredients are carefully selected and tailored to each case.

IW can be conducted without using physical destruction. Military psychological operations (PSYOPS) and commercial advertising both heavily depend on psychology and sociology, the study of individual and group behavior. The implications of this insight are enormous. Businesses engage in IW all the time, or is it that only the effective ones do?

IW enables direct and indirect attacks from anywhere around the world in a matter of seconds. Physical proximity to a target is not necessary. How is this possible? Because we have made conscious and unconscious decisions to have speed and connectivity without complementary security. In Sun Tzu's and Genghis Khan's eras, physical, personnel, and operational security were all that was needed for protection. Today we have fiber optics, satellites, personal digital assistants (PDAs), infrared and laser communications, interactive cable television, mobile phones, and a host of other technology marvels that allow us in a few seconds to reach anywhere. Now in seconds our information can be intercepted, modified, manipulated, and stolen.

No simple sentence or paragraph effectively describes IW. There are broad and narrow interpretations within national and international government, business, and academic communities, and some even totally reject the notion of IW. The overall view of IW must be expansive. Information is everywhere. We find information, for example, in mass media such as radio, television, and newspapers, at World Wide Web (WWW, or Web) sites, in communications systems, and in computer networks and systems. Any and all may be subjected to attack via Offensive IW (OIW). It follows that all these areas must be defended with Defensive IW (DIW):

• Offensive IW can make a government, society/nation, or business bend to the will of the attacker. Attacks can be very large, devastating, and noticed, such as economic or social disruption or breakdown, and denial of critical infrastructure (e.g., power, transportation, communications, and finance) capabilities. They can also be small, low key, and unassuming, such as a request for publications and telephone calls (as the basis for social engineering). Businesses do not have the deep pockets of a government, but that does not restrict them from engaging in IW. A business wants to deny the competition orders, customers, and information about its research and development (R&D). Industrial espionage has its share of illegal activities: theft, monitoring communications, and denying use of servers to conduct electronic commerce. Governments engage in psychological operations (with the subsets of mis-/disinformation, propaganda using leaflets, television, and radio broadcasts). Businesses must identify when disinformation is being used to lure customers away and have the means to counter it. Of course, that's starting from a position of weakness. What is a proactive, defensive IW approach to counter the attack? Inoculate the customers, suppliers, business partners, and others in the IE.

• Defensive IW is the ability to protect and defend the IE. Defense does not imply reactive. Measures can be taken to forewarn of attacks and to preposition physical and virtual forces. Examples of virtual forces are software and brainpower. The acme of skill is to present a posture to prevent a competitor from attacking and to achieve victory without having to attack. Perception management is as important as demonstrable physical and virtual capabilities.

Information operations (IO) as described below is included in IW: Actions taken to affect adversary information and information systems while defending one's own information and information systems. Also called IO.

• Defensive IO: The integration and coordination of policies and procedures, operations, personnel, and technology to protect and defend information and information systems. Defensive information operations are conducted through information assurance, physical security, operations security, counter-deception, counter-psychological operations, counterintelligence, electronic warfare, and special information operations. Defensive information operations ensure timely, accurate, and relevant information access while denying adversaries the opportunity to exploit friendly information and information systems for their own purposes.

• Offensive IO: The integrated use of assigned and supporting capabilities and activities, mutually supported by intelligence, to affect adversary decision makers to achieve or promote specific objectives. These capabilities and activities include, but are not limited to, operations security, military deception, psychological operations, electronic warfare, physical attack and/or destruction, and special information operations, and could also include computer network attack.

• Information superiority: The degree of dominance in the information domain, which permits the conduct of operations without effective opposition. Information superiority is the relative state of influence and control of the IE between two or more actors. Some argue the opposite of "superiority" is "inferiority." This is not the case. All actors have equal access to open source information. Restricted, sensitive, and classified information can be acquired through overt or covert operations. Having the data, information, and knowledge is not the key to attaining and maintaining information superiority. What is done with the information and the speed at which it is done is the gold nugget. Information sharing, automation, cross platform information sharing, automating processes (such as air traffic control; sales-manufacturing/production-inventory-transportation; and military intelligence-platform maneuver-weapons selection and release-battle damage assessment) are essential in order to have execution cycles faster than those of the competition.

• Operations Security: A process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to: (a) identify those actions that can be observed by adversary intelligence systems; (b) determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries; and (c) select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation. Also called OPSEC.

In addition to the above definitions, U.S. National Security Telecommunications and Information Systems Security Committee (NSTISSC) 4009, National Information Systems Security (INFOSEC) Glossary ^[5] offers the following:

• Attack: Type of incident involving the intentional act of attempting to bypass one or more security controls.

• Confidentiality: Assurance that information is not disclosed to unauthorized persons, processes, or devices.

• Critical Infrastructure: Those physical and cyber-based systems essential to the minimum operations of the economy and government.

• Integrity: Quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of data structures and occurrence of the stored data. Note that, in a formal security mode, integrity is interpreted more narrowly to mean protection of unauthorized modification or destruction of information.

• Nonrepudiation: Assurance the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data.

• OPSEC: Process of denying information to potential adversaries about capabilities and/or intentions by identifying, controlling, and protecting unclassified generic activities.

• Probe: Type of incident involving an attempt to gather information about an IS for the apparent purpose of circumventing its security controls.

^[4]Department of Defense Dictionary of Military and Associated Terms, April 12, 2001.

^[5]National Security Telecommunications and Information Systems Security Committee Publication 4009, September 2000.