Let's Bite the Bullet and Pay For Information Security

August 2002
By Vice Adm. Herbert A. Browne, USN (Ret.)

The challenge of providing secure information is not new. Since the early days of computer networking, we have been striving to ensure the sanctity of bits and bytes. As computer and communications technologies advanced exponentially, so did the security challenges facing our information community. Now, information systems are everywhere and have become essential elements in the daily operations of industry, civil government, the intelligence community and military forces.

We must view information in today’s world much like we think of oxygen in the air. It is an essential part of life, it is ubiquitous, and its denial or contamination can be life-altering or even fatal.

Carrying this metaphor further, the user’s ability to gain the most value from oxygen in the air depends on how well he or she processes it. For example, a young athlete processes it much better than an older sedentary person does. Yet, the same amount of oxygen in the air is available to both people, and its use by one does not deny use by the other.

Information should be considered in the same manner. Today, information sharing must be recognized as an international resource—its use gives it its greatest value.

Of course, as with anything of value, there are proprietary elements of information. Companies, individuals, governments and militaries all will have information they wish to keep secret by controlling its access. I consider these security requirements a necessary exception to the rule of making information available to everyone.

Concurrent with this security requirement is the need to ensure the fidelity of all information. We must recognize that in many areas the need for information assurance transcends both security and access issues. Similarly, we should view contaminating our information supply in the same way we would view contaminating the oxygen content of our air supply—as an absolutely unacceptable act.

These analogies beg the question, What price are we willing to pay to protect our great information resource?

In virtually all areas of our lives, risk management plays a key role. The central tenet of risk management involves determining how much time, effort and money is devoted to an area that entails some degree of risk. Drivers employ it when setting out on the road; sports enthusiasts do it when engaging in outdoor activities; and even stay-at-home people resort to it when planning and executing budgets.

However, risk management has little or no place in information security. Just as the oxygen we breathe must be unadulterated and undenied, so must information remain pure and secure.

The only solution to information security challenges is to demand full information assurance. Whether the information comprises bank accounts, medical records, tax data, corporate business assets or military databases, it is so vital that we cannot afford to settle for less than complete security.

There are several reasons for demanding information assurance instead of risk management. One of these is that lower expectations produce lower results. Setting the bar too low will result in a less-than-ideal solution that is no real solution at all—just another way of defining the problem.

An 80-percent solution leaves a 20-percent target of opportunity. This constitutes an open invitation for all manner of malevolent cybernauts. And, just like the weakest link in a chain, it is a vulnerability that will define the effectiveness—which is to say the lack—of security.

A full assurance solution need not choke off our oxygen. Just as environmental measures have improved our air—and our outdoor activities have burgeoned—so will security measures improve the exchange of information by guaranteeing its fidelity. The key to this type of success is to resolve not to accept less than the best efforts. If we put the effort into both technology and policy, then information assurance is doable.

Needless to say, information assurance has its price. And, it does not come cheaply. However, it is one expense that is worth the cost. The undesirable goal of an 80-percent solution probably would end up costing as much as the 100-percent solution.

My good friend, Adm. Archie Clemons, USN (Ret.), often remarked to me, “We have the money to do it right, but we don’t have enough money to do it twice.” As difficult as it will be to put a price tag on information assurance, my guess is that the cost of having information lost, stolen or altered will be many times higher.

So, the solution is clear. Set the bar at full information assurance. Let both industry and government recognize that this is the requirement. Have the people of the world who are dependent on information systems realize that the bill that comes with this must be paid. In the long run, full information assurance will be to the benefit of the generations that follow.