Defense Issues: Volume 11, Number 71-- The Future of Information Security People, men and women with legitimate or illegitimate access to controlled information, are the responsible agents who commit acts that compromise government secrets.
Volume 11, Number 71
The Future of Information Security
Prepared remarks by Emmett Paige Jr., assistant defense secretary for command, control, communications and intelligence, to the Personnel Security Research Center Security Conference, McLean, Va., June 25, 1996
I am grateful for the opportunity to participate in this important conference. Few issues are more critical for our national survival than the protection of government secrets. I welcome the efforts of the sponsors of this conference to raise critical questions about the security programs that -- even during the Cold War years -- were only partially successful.
Because we live in a crisis-oriented environment, our planning tends to be short term. Vision 2021 is intended to raise the consciousness of policy makers to security issues in the rapidly changing political and technological worlds, and to the effects of these changes on the handling of secrets. In organizing this conference with its futurist theme, the Personnel Security Research Center under the leadership of Dr. Roger Denk, and the Security Policy Board headed by Mr. Peter Saderholm have undertaken an initiative of great importance.
As a fitting introduction to this conference, I wish to share with you my views on some of the challenges we face to support today's warrior and the warfighter of the future, the changes precipitating these challenges, and our vision and road map to meet them.
As the memories of the Cold War continue to fade, we are confronted by the stark realities of a global environment plagued with a new range and variety of threats likely to pose significant problems for us well into the 21st century. Regional conflicts in the Middle East and in the Balkans are examples of recent threats to regional peace and stability.
Nuclear, biological, chemical and conventional weapons throughout the world are proliferating at an unprecedented pace. These capabilities are also potentially available to countries we would never have thought interested, let alone capable, a decade ago.
A wider spectrum of contingencies, including operations other than war, such as humanitarian and peacekeeping missions, has changed the way in which our forces may be employed throughout the world.
New operational locations and environments require us to think about new ways to deploy and employ forces. The Department of Defense is reshaping and refocusing itself to handle all these changes, but the challenges are great. Against the backdrop of an uncertain global environment and evolving technologies, we find ourselves driven to re-examine missions, doctrine and required capabilities on a more frequent basis. I see this conference as a significant forum for re-examining one of these missions -- the structure of secret-keeping.
One of the greatest challenges to creating a new information system, whether to support warfighters or to manage communications, is how to maintain security of information. Now with the administration's national information infrastructure initiative we have even greater challenges in this area. The vulnerability to government networks is increasing as data flow is simplified. The ability of individuals to penetrate computer networks and deny, damage or destroy data has been demonstrated on many occasions. The most recent examples have been the well-publicized intrusions on the Internet. The GAO [General Accounting Office] estimated that last year, Defense may have been attacked as many as 250,000 times.
Extrapolating into the future is an enterprise not limited to the development of warfare technology. To remain competitive in the global village, we must call upon the best minds to help us examine societal, political and technological trends. Such an examination will be an aid to the formulation of policies for identifying what information should be clothed in secrecy and also to the development of practices appropriate to protect such information.
Some of the papers to be delivered over the next two days question the arbitrariness of the bureaucratic separation of information security (the technology for protecting secrets) from personnel security (the procedures for selecting and educating personnel entrusted with secrets). Whether stored in approved filing cabinets or on computer disks, secrets do not get up in the middle of the night and walk into a foreign embassy. People, men and women with legitimate or illegitimate access to controlled information, are the responsible agents who commit acts that compromise government secrets.
When we look at the modus operandi of American citizens who attempted to deliver secrets to foreign powers during the Cold War, it becomes clear that they were working in a culture in which information was written or printed on paper. The problem for the spy was to create a means to carry out the high-risk task of purloining and transferring pieces of paper.
The problem is different in the computer age: Most information is stored in computer networks. The disgruntled employee sitting at his or her keyboard is in a position to copy secret information, to modify it, even to engage in sabotage by infecting systems with viruses, logic bombs and other devices. We must look ahead and prepare for a world where every computer is in effect connected to every other. Are passwords and encryption adequate to protect vital information if authorized users with decryption codes prove to be untrustworthy? Or if hackers and crackers rise to meet the challenges of increasingly sophisticated computer technology?
The information revolution is influencing far-reaching changes in the way individuals communicate one with the other, in the way commercial transactions are conducted, in the way crises are managed and even the way nations engage in warfare. Our ability to provide for the common defense is dependent on our ability to exploit the benefits of the information revolution at the same time managing the dangers inherent in rapid technological change.
We are dealing with a task of monumental proportions. Consider for the moment the impact on the ordinary citizen of disruption or loss of mortgage records, bank accounts, employment history, automobile registration, educational achievements and what the loss, wrongful disclosure or corruption of that information would entail in terms of invasion of privacy and quality of life. Keep this ordinary citizen scenario in mind and compare it with the following illustrations of "the information warfare threat."
A recent attack on a DoD information system transited nations in Europe, South and Central America, Asia and, in a matter of milliseconds, found its target in the eastern United States. Countering this speed-of-light attack is the fact that, legally, to pursue -- not prosecute, just pursue -- the perpetrators across cyberspace, a search warrant is required by law.
The magnitude of the problem becomes immediately apparent when we consider the time required to obtain a search warrant. It goes without saying that cyberspace criminals can continue to inflict damage during the delays involved in obtaining a search warrant. Those officials responsible for pursuing cyberspace criminals will always be faced with the legal/moral question: Given that untold damage can be wrought in a matter of milliseconds, can we afford to wait for the issuance of a search warrant?
The future of our ability to maintain our national identity -- at the same time preserving individual rights and freedoms -- will be shaped by how effectively we can deal with limitless virtual entities and methods of attack that are being created by technological change.
To retain our leadership position, the security community must provide, consistent with law, the tools necessary to engage these virtual threats simultaneously on all fronts -- personal, commercial and national.
Our growing dependence on increasingly sophisticated and globally available information technologies creates vulnerabilities that can be exploited by any individual, group or nation in cyberspace. The millions of computers connected to the global information infrastructure have dramatically increased the availability of computers as weapons as well as the potential to inflict significant damage on our nation's communication systems.
These vulnerabilities exist daily on information and data systems and can manifest themselves at any time and any place -- from the personal computer used at home or in the workplace to the supercomputers of the scientific community to flight control systems that help ensure the safety of commercial and military aircraft. These cyberspace vulnerabilities serve as silent reminders that such metaphors as Fortress America, sanctuary and geographic isolation are no longer useful in today's world.
Unprecedented is the Herculean task of protecting all of the nation's electronic communication systems from unauthorized access, manipulation, corruption and denial of service. It is estimated that the Department of Defense provides end-to-end control of only 5 percent of its communications. The remaining 95 percent rides the public switched networks -- networks over which the Department of Defense has little control. Military defense systems depend heavily on the availability of timely and accurate information. Increasingly, that information is transiting the relatively unprotected, globally interconnected, public switched networks.
As the GAO noted, "Internet connections make it possible for enemies armed with less equipment and weapons to gain a competitive edge at a small price. As a result, this will become an increasingly attractive way for terrorist or adversaries to wage attacks against defense."
We cannot overemphasize the need for awareness of security vulnerabilities. Awareness of the threats posed by information warfare has already demonstrated the need for security products, procedures, practices and training to protect our information systems and infrastructure from both internal and external attack.
We must also continue to pursue research and development of technical and procedural solutions to protect our information systems, including applications that can detect attacks and formulate appropriate responses. We must be ready to employ new innovative security products from firewalls to virus checkers to the multilevel information systems security products of the National Security Agency.
We also need to be aware that these technological changes will also change our institutions. More information will be disseminated through all levels of our institutions, and more people will be tempted to divulge restricted information to unauthorized recipients. The half-life of vital information will be much shorter than today because the ability to control access will be curtailed.
Looking into the future, we can expect that government requirements and increasing demand for commercial and private information security solutions will stimulate market forces to provide higher levels of information protection and personal privacy.
The participants in this conference will raise questions about the security implications of changing geopolitical and domestic events. Will a penetrating re-examination of the whole fabric of national secrets impact on the policies and practices of entrenched government bureaucracies?
Given the recognition that government and contractor employees are fast becoming adjuncts to the impersonal flow of automated information, will the characterization of certain information as "secret" have the power to inhibit employees from unauthorized use of such information? We must address more vigorously than before, "peopleware issues" as well as software and hardware issues.
We are truly participants in the age of information. We are successors to the recently terminated age of the Cold War. We cannot afford the luxury of focusing exclusively on finding ways and means of improving on policies and practices that might have been appropriate for the last generation.
The participants in this conference will make clear that we cannot rest in our efforts to deal with a continuous information warfare threat to the nation's security and our unique quality of life. The competitive race for information is no greater challenge than those faced by previous generations of Americans who were called upon to solve apparently insurmountable problems.
It was largely a social climate that encouraged innovation and technological expertise that made information warfare possible. It is this same social climate that fosters such enterprises as Vision 2021 to encourage the formulation of critical perspectives on information and personnel security issues.
Published for internal information use by the American Forces Information Service, a field activity of the Office of the Assistant Secretary of Defense (Public Affairs), Washington, D.C. Parenthetical entries are speaker/author notes; bracketed entries are editorial notes. This material is in the public domain and may be reprinted without permission. Defense Issues is available on the Internet via the World Wide Web at http://www.defenselink.mil/speeches/index.html.