Information assuredness, cyber strategy, cyber protection, and cyber warfare are among many terms and ideas currently floating in the ether to describe the desire to keep militarily sensitive information safe and secure. It may be classified information or it may be a system or network which needs to be reliable or protected from an enemy or competitor.
Many feel this is a new arena brought about by the exponential growth in computing power and networking. But the protection and exploitation of information is as old as warfare itself. It is, in fact, Information Warfare and it is happening now across corporate and governmental battle lines. The weaponry and tactics may have changed, but it’s the same warfare waged by our ancestors, and the key to maintaining the upper hand lies in a holistic and comprehensive approach.
The positive control of information access and information flow is at the very heart of every nation’s well being and has been since the beginning of civilization itself. Recent examples are the Gulf War faint in 1991, breaking the Japanese Code in the Pacific Theater of World War II, American Indian code talkers or the capture of the Enigma code machine from the Germans in the Atlantic. Commercial examples include the Coke formula and the recipe for Bush’s baked beans. Control of information goes as far back as the Trojan Wars and the story of Adam, Eve and the Serpent.
hat is new is the massive amounts of information which can be generated and transferred, the varied means of transportation and storage, and the speed of transfer. As the Wikileaks fiasco and recent events in North Africa make all too clear, information is harder to control now than ever before.
What is control?
Currently, most cyber security discussions revolve around the protection of information. The apparent task at hand is to ensure information access is limited to select groups or individuals. It’s the business of keeping secrets secret. Additionally, the “security” of information systems and pathways is also a valid and modern concern. Both of these issues are a part of information warfare, but controlling information goes well beyond these areas. To develop a true “Cyber Strategy” one must consider several other aspects of information warfare. At a minimum, the following five methods of control must be addressed:
1. Information Access: Allowing only those with the “need to know” access to information.
2. System Defense: While the tools used today are different, this concept is not new. It is a daunting task, but not one that is insurmountable if the proper approach is used.
3. Message Assuredness: This topic ventures beyond the security of information and information pathways but can be equally – and in some cases – even more important. Assuring information is received and interpreted correctly is as important as the information itself.
4. Information Manipulation: This is not necessarily as evil as it sounds. Used defensively, information manipulation can be a very good test of an information system’s security and can help protect sensitive information. It does, however, have a particularly powerful offensive capability.
5. Information Gathering: Anther term which may sound evil, but it spans a wide range of possibilities from simple research to covert spying. It happens all the time and it is by no means limited to nation states.
While there are more controls, focusing on these five areas of information is a solid start to the development of Cyber Strategy. These five areas will not come as an epiphany to anyone in the field of Cyber Defense.
While for many, the next step would be the development of hardware and software to combat the threat, I would like to propose a more comprehensive approach. The importance of the proper tools cannot be understated, but there is an often overlooked asset which is as effective as the next generation firewall or super classified network design, sometimes more so: the user. The key to a true Cyber Strategy and information assuredness lies in the proper training and mindset development of the user. As in conventional warfare, it is always nice to have the latest hardware, but in the hands of untrained warriors, even the most sophisticated equipment is ineffective and a waste of resources.
The majority of breaches in information or network security occur because a user did something that was too risky given the accessible information. In the military, there is an information classification system which dictates what can be shared with whom and on what pathways each type of information can travel. Additionally, there are strict rules and regulations guiding the use of networks, computers and information systems. As potential threats are discovered, updated rule sets are distributed and training for the user takes place. In a perfect world, little can go wrong because everyone knows exactly how to handle every bit of information and every system in use. Information is only at risk given an aggressive, offensive attack using methods unknown to our information managers. But our world is not perfect. Even with a highly trained workforce and sometimes draconian disciplinary ramifications, information is mishandled, computer systems are compromised and the wrong people gain access. These failures do not negate the importance of the user understanding and following the proper rule set but they do underscore the importance of the training and the need for taking things a few steps further.
Users must develop the proper defense mindset. Defensive thinking, much like defensive driving, is imperative to avoid an “accident.” This is a cultural shift – separate, but in addition to, normal rote training which must occur if any organization is to be successful at managing and protecting information and information systems. It’s more than establishing and knowing the rule sets. It is even more than following the rules. It’s knowing why the rules are in place, and understanding that while the rules are being followed, the user must be alert to all intentional and unintentional breaches of security.
The empowerment of the user will only help solidify the mindset and the understanding of the importance of protecting the information. Ensuring the user knows the mission, knows the reason for the objective, and knows the message to be sent allows him to act in a proper manner when something does not go as planned or something happens which is not covered by the rule set. Each user must be part of the cohesive team which understands the subtleties of the task at hand.
In the military and other government agencies, classification of information and information systems is an important and effective tool in the cyber battle. As the classification of information increases, the access decreases and the systems and networks on which the information can “ride” becomes more restrictive. Every organization must consider how to classify each piece of information. An organization may find that a piece of information is so valuable, its protection so paramount, that extreme measure must be taken. There may be some bits of information which should not be digitized or should be restricted from networks all together. But even these extreme measures will only be successful if the culture and mindset of the user are in sync with the gravity of the situation.
While our best software designers and hardware engineers develop the physical and intellectual tools for our cyber defense plan, we as leaders of organizations and users of information and information pathways must train for “cyber combat.” We must be cognizant of the environment, know the importance of the information utilized, and aware of the threats to such information to assure success. We must know how to classify information, and then possess a complete understanding and adherence to cyber rule sets. But this is only our starting point. We must develop and foster a mindset, in every user, congruent with the protection of information. We are only as strong as our weakest link.
CAPT Anthony T. Calandra is the Navy Senior Fellow at the Atlantic Council.