Search:  

 Blog     e-Newsletter       Resource Library      Directories      Webinars     Apps     EBooks
   AFCEA logo
 

Wanted: Smart Information Security

August 2005
By Vice Adm. Herbert A. Browne, USN (Ret.)

There should be no debate over the need for effective information security in the information revolution. As digital information becomes more vital with the growth of cyberspace, securing it increases in importance. However, even with broad public awareness of the need for cybersecurity, the infosphere is faced with a serious challenge that is multifaceted and that defies easy solution.

For example, recently my wife’s computer rebelled and refused to cooperate. As the machine’s functions deteriorated and my wife’s frustrations grew, she declared that if the cause were another virus, then she would give up going online and would cede cyberspace to the bad guys.

Ultimately, our troubleshooting indicated a hardware problem. But her initial reaction points out the sad state of affairs in the information arena today. My wife uses her computer extensively to stay in contact with friends, to shop and to perform volunteer work. Given her reliance on the computer, it is remarkable that she would be willing to give up all of these activities and concede defeat to the marauders of cyberspace. Yet that is the point that we have reached in the information age.

As we make investments in information security, we must understand just how important it really is to the future of the information age. Many information technology professionals agree that it is becoming so expensive to keep up with antivirus protection that many people are wishing they could just opt out of the information revolution.

Clearly that is not a solution.

I have always believed that we should treat information as if it were air. It would be available to everyone in the Free World routinely as a right. And, information should be free of risk just as air should be free of pollutants.

But, maybe this is the wrong approach to take. Maybe we should view information as a privilege and not a right. We can protect a privilege more easily than we can a right.

If we are reaching a point in our society that hackers and virus makers are so destructive that intelligent users will throw up their hands and abandon the Internet, then we are failing.

An answer may be strong prosecution laws that put hackers and virus producers in jail. But, punishment always has been a reactive solution to a problem.

The best solution is to prevent the activities of cyberspace marauders through effective security measures. But providing proper protection is far more complex than blanketing networks with stifling security measures. These measures must enable safe and effective use of the information realm without constricting the very infrastructure that they set out to protect.

The potential pitfalls of overly restrictive security are apparent to our military. Panelists at TechNet International 2005 discussed the issues of speed and agility versus security. Many people see those concepts as being at opposite ends of the spectrum—effective security slows the flow of information and operations, while speed and agility largely come at the expense of security. However, security is necessary to ensure the work of enablers of speed and agility. Balancing security with speed and agility will be the key to successful military operations in the information age.

We must view network security in the same light that we view physical security. Government and industry both have roles in ensuring information security. But their roles must go beyond merely recognizing the need for this security. Industry and government must do the equivalent of saying, “We’re mad as hell, and we’re not going to take it anymore.” They must agree to take on the hacker and the nation-states that penetrate computer systems together.

Industry is working hard to stay ahead of the malevolent cyberspace denizens. But the real key is that software developed with greater discipline will offer fewer opportunities for a hacker to enter a network.

However, truly effective built-in security can be expensive. Many of the experts employed by software makers achieve only a 90-percent or 80-percent solution. The 80-percent solution became a benchmark for some firms because the last 20 percent would require a considerable expenditure in money and time, during which time other firms could develop software to supersede theirs.

Industry and government must work together to offer people around the globe secure network operations. First, they both must emphasize to a greater degree the need for security to be built into software. Second, government must stiffen laws against viruses and network intrusions and must prosecute offenders aggressively. For the vital infrastructure, both entities must commit to building a layered defense that covers every node possible.

Meeting these goals is only half the challenge. The other half is to ensure that these security measures don’t cause the slowdowns in speed and agility that heretofore have been the concern of only the military. Security measures that hamstring Internet commerce will hurt the economy, just as measures that hinder internal information exchange in corporations will limit productivity. Overly restrictive security could be even more harmful to the information arena than are hackers and viruses.

The goal of effective information security must be to minimize the effects of cyberspace vandals, not to enhance those effects with our reaction to their activities. These vandals are thieves who steal our time and our freedoms. They should not be allowed to drive users from cyberspace, nor should their tactics lead to measures that serve as disincentives to our fully reaping the benefits of cyberspace. Instead, let’s dishonor them by developing effective information system security that renders them and their activities irrelevant.