CSCE 727 National Security

1
CSCE 727 National Security
2
Reading

• Reading for this lecture
• Required
• Denning Chapter 15
• http//www.rand.org/pubs/monograph_reports/MR964/M
  R964.ch1.pdf
• Recommended
• G. Rattray Strategic Warfare in Cyberspace,
  chapters 1,2
• http//www.au.af.mil/au/aul/bibs/infowar/if.htm
• http//www.iwp.edu/programs/courseID.12/course_det
  ail.asp
• http//www.rand.org/pubs/monograph_reports/MR661/M
  R661.pdf
• http//www.rand.org/pubs/research_briefs/RB7106/in
  dex1.html
• http//www.au.af.mil/info-ops/infowar.htm

3
National Training Standards

• Committee on National Security Systems (CNSS) and
  the National Security Agency (NSA) ? National
  Training Standards
• NSTISSI-4011, National Training Standard for
  Information Systems Security (INFOSEC)
  Professionals
• CNSSI-4012, National Information Assurance
  Training Standard for Senior Systems Managers
  (SSM)
• NSTISSI-4013, National Information Assurance
  Training Standard For System Administrators (SA)
• NSTISSI-4014, Information Assurance Training
  Standard for Information Systems Security
  Officers (ISSO)
• NSTISSI-4015, National Training Standard for
  Systems Certifiers (SC)
• CNSSI-4016, National Information Assurance
  Training Standard For Risk Analysts (RA)

4
NSTISSI-4011

• National Training Standard for Information
  Systems Security (INFOSEC) Professionals
• provides the minimum course content for the
  training of information systems security
  (INFOSEC) professionals in the disciplines of
  telecommunications security and automated
  information systems (AIS) security.

5
NSTISSI-4011

• National Security Telecommunications and
  Information Systems Security Directive No. 501
  establishes the requirement for federal
  departments and agencies to implement training
  programs for INFOSEC professionals.
• INFOSEC professionals responsible for the
  security oversight or management of national
  security systems during phases of the life cycle.

6
NSTISSI-4011

• Training Standards two levels
• Awareness Level Creates a sensitivity to the
  threats and vulnerabilities of national security
  information systems, and a recognition of the
  need to protect data, information and the means
  of processing them and builds a working
  knowledge of principles and practices in
  INFOSEC.

7
Awareness-level

• Instructional Content
• Behavioral Outcomes
• Topical Content

8
Program of Instructions

• a. COMMUNICATIONS BASICS (Awareness Level)
• b. AUTOMATED INFORMATION SYSTEMS (AIS) BASICS
  (Awareness Level)
• c. SECURITY BASICS (Awareness Level)
• d. NSTISS BASICS (Awareness Level)
• e. SYSTEM OPERATING ENVIRONMENT (Awareness Level)
• f. NSTISS PLANNING AND MANAGEMENT (Performance
  Level)
• g. NSTISS POLICIES AND PROCEDURES (Performance
  Level)

9
Information Systems Security Model

• acknowledges information, not technology, as
  the basis for our security efforts. The actual
  medium is transparent in the model. This
  eliminates unnecessary distinctions between
  Communications Security (COMSEC), Computer
  Security (COMPUSEC), Technical Security
  (TECHSEC), and other technology-defined security
  sciences. As a result, we can model the security
  relevant processes of information throughout an
  entire information system automated or not.

10
NSTISSI-4011

• Performance Level Provides the employee with
  the skill or ability to design, execute, or
  evaluate agency INFOSEC security procedures and
  practices. This level of understanding will
  ensure that employees are able to apply security
  concepts while performing their tasks.

11
Security Model
Characteristics
Confidentiality
Third Dimension
Integrity
Education, training, awareness
Policy
Availability
Technology
State
Transmission
Storage Processing
12
National Security and IW

• U.S. agencies responsible for national security
  large, complex information infrastructure
• 1990 defense information infrastructure (DOD).
  Supports
• Critical war-fighting functions
• Peacetime defense planning
• Information for logistical support
• Defense support organizations
• Need proper functioning of information
  infrastructure
• digitized battlefield

13
National Security and IW

• Increased reliance on information infrastructure
• Heavily connected to commercial infrastructure
• 95 of DODs unclassified communication via
  public network
• No boundaries, cost effectiveness, ambiguous

14
National Security and IW

• Vital human services
• Law enforcement
• Firefighters
• Emergency telephone system
• Federal Emergency Management Agency
• Other Government Services and public utilities
• Financial sector
• Transportation
• Communications
• Power
• Health system

15
Information Warfare

• Persian Gulf War first information war
• After the war
• U.S. concern about own vulnerability for IW
• strategic level of information warfare
• No clear understanding of objectives, actors, and
  types of activities
• What is IW?
• Academia, national security community,
  intelligence community, etc.

16
Strategic Warfare

• Cold War single class of weapons delivered at a
  specific range (Rattray)
• E.g., use of nuclear weapons with
  intercontinental range
• Current variety of means can create
  strategic effects, independent of
  considerations of distance and range.
• Center of gravity
• Those characteristics, capabilities, or sources
  of power from which a military force derives its
  freedom of action, physical strength, or will to
  fight (DOD)

17
Strategic IW

• means for state and nonstate actors to
  achieve objectives through digital attacks on an
  adversarys center of gravity. (Rattray)

18
SIW Operating Environment

• Man-made environment
• Increased reliance on information infrastructure
  ? new center of gravity

19
Strategic Warfare vs. SIW

• Similar challenges
• Historical observation centers of gravity are
  difficult to damage because of
• Resistance
• Adaptation

20
Dimensions of Strategic Analysis

• Threads
• Need to related means to ends
• Interacting with opponent capable of independent
  action
• Distinction between
• grand strategy achievement of political object
  of the war (includes economic strength and man
  power, financial pressure, etc.)
• military strategy gain object of war (via
  battles as means)

21
Waging Strategic Warfare

• Creates new battlefields and realms of conflict
• Need identification of center of gravity
• WWI
• German submarines strangle U.K. economy
• Airplanes tactical use reconnaissance and
  artillery spotting. 1915 German zeppelin
  striking cities in England

22
Strategic Air Power

• Targets center of gravity
• WWI
• Deliver devastating strikes
• Civilian morale
• WWII
• U.S. targets German economic targets
• Massive bombing campaigns
• Crushing civilian morale
• Paralyzing economy
• Problems
• Difficulty to achieve general industrial collapse
• Grossly overestimated the damage

23
Other Weapons Cold War

• Military capacity as means to achieve political
  leverage through strategic attacks
• E.g., nuclear weapons, ballistic missile,
  satellite capability, WMD
• Massive retaliation
• Ability to use is limited, e.g., 1956 Soviet
  invasion of Hungary

24
SW Past

• Focused on offensive actions
• Largely ignored
• Interaction between adversaries ? difficult to
  determine utility of offensive action
• Defense capabilities, vulnerabilities, and
  commitment

25
Necessary conditions for SW

• Offensive freedom of action
• Significant vulnerability to attack
• Prospects for effective retaliation and
  escalation are minimized
• Vulnerabilities can be identified, targeted, and
  damage can be assessed

26
SIW

• Growing reliance ? new target of concern
• Commercial networks for crucial functions
• Rapid change
• Widely available tools
• Significant uncertainties
• Determining political consequences
• Predicting damage, including cascading effects

27
SIW

• Complexity and openness
• Weakness
• Strength
• Difficult to distinguish offensive from defensive
• Public information
• Vulnerabilities
• Incentives