Information Assurance—Train Now or Pay Later

June 2003
By Vice Adm. Herbert A. Browne, USN (Ret.)

Last year, I discussed in my commentary how information must be available—as freely as oxygen in the air—to virtually everyone. In presenting this point of view, I offered that power lies in how one uses information.

The key to having the right information is information assurance. And, this exigency extends throughout the information user community, whether government, military or commercial.

The Free World, especially the coalitions that will form to fight against evil around the globe, must recognize that its dependence on information to win in war is much greater than that of any potential adversary. Therefore, it must spend the lion’s share of its effort protecting its own information, instead of focusing so intensely on bringing down the bad guys’ infostructure.

This is not to suggest that information attack and exploitation tools are not needed. As more enemies, especially nongovernmental entities, turn to information technologies to empower their organizations, offense will become a vital form of defense in cyberspace.

However, what used to be called computer network offense lags in importance compared with information assurance. On a scale of 1 to 10, offense rates about a 2, while information protection rates a 10+.

It is plain to any industry observer that traditional information security measures have centered on firewalls, secure routers, commercial 128-bit encryption and other conventional capabilities. While these measures serve an important role, depending solely on these hardware/software solutions to secure information will not enable government and industry to achieve their goal of protecting both information and the ability to exchange it freely.

Technology alone is not the answer. The main ingredient in this vital discipline is the human element. And, the key aspect of that ingredient—where there is room for improvement across the spectrum of users—is training.

This is a need that is easily quantifiable. Just ask any leader in the corporate world or the military community to report how much time he or she spends training personnel to protect information. I fear that the answer will be “not very much” or even “none at all.”

If all of us in leadership roles do not admit that information assurance in a network-centric arena—whether business or military—is as important as anything else worthy of training, then we will not be able to ensure that all the ones and zeroes are protected from the time we push “send” until they are received on the other end. Even more sobering is that this axiom is valid regardless of the technological tools that will be developed over the next 10 years.

The problem is that many leaders just do not believe that an information attack will happen to them. But, even if they are monitoring their information systems, attacks may be happening without anyone realizing it.

All it takes is an individual who is clever enough both to hack into a system and to operate just below the system’s detection level. For example, this individual could subtly alter or remove amounts of information that are too small to arouse any suspicion. Over time, these bits of purloined information would take a byte out of the organization’s database. This activity could involve industrial espionage or defense information sabotage. A little bit here, a little bit there, and the organization ultimately could find itself suffering death of a thousand cuts.

In a nutshell, the bad news is that there is no easy technological fix. The good news is that the solution does not require a technology-only answer. Just as the human element lies at the crux of the problem, so too is it the key to the solution.

Simply put, corporate and military organizations must spend the lion’s share of their time protecting information tools. And, the key ingredient is to train people.

Ironically, this may turn out to be an enormous lesson learned from the information arena of operation Iraqi Freedom. Information tools undoubtedly will receive high marks for the role they played in enabling that overwhelming victory. Yet, the defeat of Saddam Hussein was not accomplished entirely within his information infrastructure, nor was his downfall a result of how he mishandled his own information assets.

Even with the coalition’s monumental superiority in the information arena, training will prove to be the key enabler of those technologies’ success—especially for information assurance.

The importance of information assurance training extends across the entire spectrum of information exploitation. The entry-level corporate employee is as much a part of the cyberspace chain as a high-level military intelligence officer. Even an activity as simple as password protection often is treated cavalierly, which can open an entire network to interlopers. On a higher level, the problem may lie in not knowing how to use or configure tools—or not even knowing their capabilities. The result is the same: needless vulnerability that can be disastrous to a government, business or military organization.

For too long, budgeters have viewed information assurance as an area of little demonstrable benefit, but after the fact will be a really bad time to prove the point. In the military, cyberspace offense traditionally has gotten a disproportionately high share of information operations funding. In the commercial arena, actual business skills take far greater precedence over ensuring data security. Our government and business leaders now must dedicate their efforts—and their resources—toward information assurance.

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.