The World Needs an International Approach to Information Security
If knowledge is power and information is a force multiplier, then security is the key to defense and commercial supremacy in the information age. Any kind of strength, whether military or economic, represents a target for adversaries or competitors. Information, however, is to modern civilization what fire was at the dawn of humankind: an unlimited asset that, if not controlled, quickly can be turned against its user.
One problem people have in understanding information security is that they often view it with blinders on. Frequently, users think of security as protecting their own valuable interests—“the family jewels” of a company, conglomerate or government agency. Even macro-oriented thinkers usually consider security from no larger than a national perspective. However, even that is no longer sufficient.
With today’s interconnected world built around reliance on the Internet and web-related technologies, it is foolish to think of security in any term other than international. No nation can protect its own secrets, its sensitive data or even its civilian infrastructure without considering how to safeguard against a parade of hostile information warriors or even a single international hacker.
This is especially true in the defense arena. The countries constituting the North Atlantic Treaty Organization (NATO) realize that virtually all future military mobilizations are likely to involve coalition operations. Accordingly, the United States is gearing its defense posture around this doctrine, and NATO is reorganizing much of its force structure around information systems. This approach opens up a host of new vulnerabilities, however, that could be exploited by an opportunistic adversary.
Fragmented information security also raises other key issues. Article 5 of the NATO charter maintains that an attack on one of its members is an attack on all. Yet, no one has fully addressed this article’s relevance to information operations in cyberspace. If one of NATO’s members suffers an attack on its information infrastructure from a foreign source, how should all the NATO allies respond? Is it credible to expect this type of unified response, especially in light of the potential ambiguities inherent in determining and defining a cyberattack?
During the 1970s, U.S. Secretary of State Henry Kissinger advocated replacing the longtime U.S. nuclear umbrella over Western Europe by shifting to a measured response against possible Soviet aggression. It was no longer credible, he declared, to believe that the United States would launch an all-out nuclear attack against the Soviet Union if the Red Army poured through the Fulda Gap. Mutual assured destruction had obviated that doctrine, and the Soviet leadership knew that the United States would not condemn its own populace to atomic destruction because of the outbreak of conflict in Western Europe. As a result, NATO deployed a new series of tactical nuclear weapons to serve as deterrents to a massive invasion.
Now, however, the same type of credibility gap may be looming in information operations. To convince a budding adversary that individual information security measures can stop a cyberattack strains the bounds of believability. The smorgasbord of security measures being implemented around the world will, by definition, create inequities that could be exploited by hostile information forces. The result is a greater likelihood of an information attack, rather than a deterrence effect.
This cyberattack need not come through a nation’s military system. Civilian government and economic infrastructures are targets enough. Crippling the infrastructure of even one NATO nation could blunt, or even stop, an alliance mobilization or deployment. History has taught that enemies always seek to exploit their target’s weakest link. For the Free World, that might not be the country with the weakest military, but instead the country with the most porous information security.
For example, any warehoused data that is accessible to international partners through databases can be corrupted while it is in the recipients’ hands. A nation with poor security could be the Achilles’ Heel to an alliance operation. Far from deterring attack, information systems instead may pose tempting targets to adversaries that respond with a Pavlovian reflex to weak security measures.
The globalization of information security must be built around two thrusts. First, of course, is military security. NATO nations must agree on alliance-wide information assurance standards for their own internal systems, not just those in the NATO infrastructure. Separate and distinct information Maginot Lines will not prove to be an effective barrier to hostile cyberspace warriors.
Second, and no less important, is civilian infrastructure security. This is especially vital as militaries increasingly rely on commercial information assets. Billions of dollars are transacted electronically every day, which is a tempting invitation to a cyberspace would-be Willie Sutton. The notorious bank robber justified his actions by noting that banks “are where the money is.” Spotty security standards present targets of opportunity.
The Internet already has become a de facto standard for anyone seeking to participate in the information revolution. From a procedural standpoint, however, a global organizational entity is necessary for functional management, as well as advocacy, of security standards.
The United Nations (UN) affords us the best opportunity for beginning to establish international security standards. This organization already has the connectivity with all the world’s nations that is necessary to implement global information security rules. The UN could establish a global information infrastructure security body akin to its International Telecommunications Union, which allocates bandwidth and establishes related standards. A UN global information security organization would institute standards and provide guidance for security that would permit high-confidence electronic commerce.
The technological means for effective information security are well within reach. What is required is the will to implement them. Only through a coordinated international effort will the countries with the most to lose have an effective base for information security.