Information Systems Security 1 3. Information Systems Security Draft of Chapter 3 of Realizing the Potential of C4I: Fundamental Challenges, National Academy Press, 1999. Written mainly by T. Berson, R. Kemmerer, and B. Lampson Security section of Executive Summary Goal: C4I systems that remain operationally secure and available for U.S. forces in the face of attacks by adversaries. The greater the military leverage that C4I systems provide for U.S. forces, the larger the incentives are for an opponent to attack those systems. Indeed, it makes little sense for an opponent to challenge the U.S. “symmetrically”, i.e., force-on-force. More likely avenues of challenge are “asymmetric”, i.e., avenues that exploit potential U.S. vulnerabilities. Attacking U.S. C4I systems – whether directly or indirectly (e.g., through the U.S. civilian information infrastructure on which DOD C4I systems often depend)—is only one of many asymmetric attacks, but such an attack is one for which the U.S. must be adequately prepared. Principles • Information systems security begins at the top and concerns everyone. Security is all too often regarded as an afterthought in the design and implementation of C4I systems. In fact, the importance of information systems security must be felt and understood at all levels of command and throughout the DOD. • Cyber-attack is easier than cyber-defense. An effective defense must be successful against all attacks while an attacker need only succeed once,. Cyber-attack is easier, faster, and cheaper than cyber-defense. Paradoxically, cyber-attack is also more highly rewarded in U.S. military culture. Consequently, those expert in cyber-attack are more numerous than those skilled in cyber-defense. Today, the need for cyber-defenders far outstrips the supply, and defenders must be allocated wisely and encouraged in their efforts. • Cyber-attackers attack the weakest points in a defense. (“An army is like water it avoids obstacles and flows through low places.”) Thus, the security of a system—any system—can never been guaranteed. Any system is always compromised to some extent, and a basic design goal of any system should be that it can continue to operate appropriately in the presence of a penetration. Vulnerabilities include fraudulent identification and authorization, abuse of access privileges, compromises in the integrity of data, and artificially induced disruptions or delays of service. Implementation of good system security depends on several principles: • A culture of information security is required throughout the organization. The culture of any organization establishes the degree to which members of that organization take their security responsibilities seriously. Organizational policies and practices are at least as important as technical mechanisms in providing information assurance. Policies specify the formal structures, ensure responsibility and accountability, establish procedures for deploying and using technical means of protection and assigning access privileges, create sanctions for breaches of security at any level of the organization, and require training in the privacy and security practices of an organization. Furthermore, senior leadership must take the lead to promote information assurance as an important cultural value for the organization. Top-level commitment is not sufficient for good security