Cyber warfare. Critical infrastructure. Increased threat. Information assurance—or information security—is not the endeavor it used to be. The democratization of the Internet has had the same, albeit unwelcome, effect on criminal cyberspace activities. The extensive incorporation of information systems and networks into every facet of our lives has created a web of vulnerability across the spectrum of society. A threat can emerge from anywhere at any time in virtually any form.
We used to focus primarily on information networks and on perimeter defense to safeguard our information. Now, the demands for greater information sharing and new architectural approaches that emphasize services over systems provide better support for decision making, but they also place new demands on information assurance.
Today, a more holistic approach is taken to address threats both inside and outside—denial of service, theft of data, system capture and destruction or alteration of data. The targets defended include information networks, but they also extend to communications systems, power grids, water works and any other critical infrastructure elements controlled by online computers. Attackers comprise both state and nonstate actors, both professionals and amateurs.
This new environment and the need to defend it have brought about a robust organizational structure across government and industry along with a skill set that is growing and changing as necessary to meet new threats. This partnership between government and industry is necessary to develop the new technologies, processes and skills needed to protect critical information and systems. But how do we work together?
First, we need to share all the threat data we have—and in real time. As fast as protections are developed, the attackers respond by creating new tools and methods. This information becomes known at points of attack, either in industry or in government. Mechanisms have been established to share this emerging threat data, but everyone in both government and industry must be open and willing to share whatever he or she knows to address the threat. We also must treat this as an international problem—because it is. Attackers know no national or political boundaries. Governments must work together to solve this challenge, and global industry must support the effort.
Second, we must bring our very best resources to bear on this problem. Attackers are smart, innovative and well funded. They also are capable of bringing their own incredible computing resources to bear on their endeavors. We must be smarter and more innovative and make available the resources necessary to stay ahead of the threat. Collaboration is needed to make this happen because no single organization—government or industry—has the required resources to act independently. Research and development priorities and resource allocations need to be coordinated across government and industry to ensure that maximum benefit is obtained in critical areas of need.
Third, a risk management approach must be adopted to address the full spectrum of information assurance. From an enterprise perspective, risks must be prioritized so that those with the greatest potential impact will be mitigated. Enterprises in both government and industry must share best practices to gain the greatest benefit.
Certification and accreditation (C&A) must be strengthened and adapted to the new service-oriented environments. C&A must reinforce potential risks so that enterprise managers can focus on areas that will provide the most leverage. Training and compliance programs must be emplaced to address the areas of greatest risk. The increased use of commercial off-the-shelf (COTS) systems and services introduces the need for COTS evaluation programs along with software and hardware assurance.
Finally, we must accept that, despite our best collective efforts, the attackers sometimes will be successful. This means that we have to put mission assurance programs in effect to allow mission completion amid degraded resources. Continuity of operations for networks and critical infrastructure requires detailed planning and redundancy. All of this, including protection of the supply chain, must be coordinated fully among government and industry.
If all of this seems complicated, that’s because it is. It will take the best efforts of all of us to combat this growing problem. We cannot over-communicate at every level. Every employee needs to understand the seriousness of the threat so that each person will be vigilant. Every leader must keep this problem at the top of the priority list for effort and funding. All of us must share as much threat data as possible to ensure focus on this plague. The threat is serious and growing, and the consequence of failure is great.