EXECUTIVE SUMMARY

In today's globally networked environment, organizations such as the Department of Defense (DoD), Intelligence Community (IC), Department of Homeland Security (DHS), and financials institution such as the Federal Deposit Insurance Corporation (FDICís) information systems are increasingly vulnerable to information warfare (IW) attacks from adversaries with readily available, easy-to-use, low-cost technologies. Compounding the challenge is the exponential growth of information, data, and technology. Securing information systems requires an in-depth understanding of the complexity of networks, the specialized nature of cyber threats, and the full spectrum of emerging technologies available to counter such threats.

The United States is vulnerable to Information Warfare attacks because our economic, social, military, and commercial infrastructures demand timely and accurate as well as reliable information services. This vulnerability is complicated by the dependence of our DoD information systems on commercial or proprietary networks which are readily accessed by both users and adversaries. The identification of the critical paths and key vulnerabilities within the information infrastructure is an enormous task. As stated above, recent advances in information technology have made information systems easier to use, less expensive, and more available to a wide spectrum of potential adversaries.

The security of our nation depends on the survivability, authenticity, and continuity of these DoD information systems. These systems are vulnerable to external attacks, due in part to the necessary dependence on commercial systems and the increased use of the Internet. The survivability, authenticity, and continuity of DoD information systems is of supreme importance to the Warfighter. With the increasing amount of concern and Information Warfare activities requiring rapid responses, it is difficult to ensure that all appropriate agencies and organizations are given the knowledge and tools to protect from, react to, and defend against Information Warfare attacks.

"NIACORP provides the experience and capabilities to successfully complete advanced tasks for DOD, Federal, and Commercial customers"

Security mission has evolved through three very distinct stages: Communications Security (COMSEC), Information Systems Security (INFOSEC) and Information Assurance (IA). IA is defined as the set of measures intended to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.  Post WWI and the Korean War, COMSEC efforts focused primarily on cryptography (i.e., designing and building encryption devices to provide confidentiality for information). The introduction and widespread use of computers created new demands to protect information exchanges between interconnected computer systems. This demand created the Computer Security (COMPUSEC) discipline. With the introduction of COMPUSEC came the recognition that stand-alone COMSEC and stand-alone COMPUSEC could not protect information during storage, processing or transfer between systems. This recognition gave rise to the term INFOSEC and the information protection mission took on a broader perspective. IA emerged and focused on the need to protect information during transit, processing, or storage within complex and/or widely dispersed computers and communication system networks. IA includes a dynamic dimension where the network architecture is itself a changing environment, including the information protection mechanisms that detect attacks and enable a response to those attacks.

In moving Information Assurance forward to protect the National Information Infrastructure (NII), a National Information Assurance Strategy (NIAS) was formed to encourage mutual cooperation and acceptance of common objectives. This strategy, built upon the following five cornerstones, articulated the IA pillar concepts into a national framework that unified the U.S. Government's IA efforts:

  • Cyber security awareness and education

  • Strong cryptography

  • Good security-enabled commercial information technology

  • An enabling global Security Management Infrastructure

  • A civil defense infrastructure equipped with an attack sensing and warning capability and coordinated response mechanisms

In addition, a Defense-In-Depth strategy was developed to integrate People, Operations, and Technology capabilities to establish information assurance (IA) protection across multiple layers and dimensions. Successive layers of defense will cause an adversary who penetrates or breaks down one barrier to promptly encounter another Defense-In-Depth barrier, and then another, until the attack ends.

.

© National Information Assurance Corporation

.