Dr. J.P. London Article, 2/4/03

Using Familiar Triad to Combat Cyber Terror

As President Bush and his advisors have reminded us time and again, we are engaged in a long campaign against terrorism. By classic definition, a campaign is an operation or series of operations designed to achieve a specific goal. The military campaign against al Qaeda was clearly defined and mostly accomplished; yet skirmishes remain. And the long struggle against Saddam Hussein's tyranny has been going on for well over a decade.

As we can see, today's military campaigns are messy at best, and physically and emotionally devastating. We are faced with asymmetric villains who challenge conventional means of defense: adversaries of inferior strength who have, nonetheless, found a way to exploit a specific vulnerable target to achieve a horrific, crippling impact. Today's terrorists are pan-national, originating from many different countries or no country at all. Their ultimate goal is not victory or conquest, but absolute devastation: the USS Cole, the World Trade Center and Pentagon, the resort attacks in Bali and Kenya.

Yet as frightening as these physical attacks are, we face an equally great threat from within our increasingly vital, increasingly networked information technology infrastructure. As our country's - and the world's - financial and knowledge assets become more and more reliant upon IT networks, these networks become an increasingly tantalizing target for terrorist attacks.

The effective flow of essential information can be disrupted, penetrated, compromised, and manipulated by a growing variety of threat elements. Complacency in assuming that any given network is inherently safe also invites unwelcome, potentially damaging access. A well-meaning but negligent employee may open up a company's entire network to outside penetration.

To achieve campaign victory in the war on cyber terrorism, we must achieve a level of information security that gives us the confidence to conduct operations within a hostile information environment. This is no small task, to say the least. I believe the answer to securing our networked borders against malicious or even casual adversity lies not only in acquiring the newest, grandest technology, but in the same combination of essential properties used to drive many of the Information Technology world's earliest initiatives and concepts:

People - Processes - Technology

People, processes and technology are critical building blocks and necessary components of any Information Assurance plan. While there are many definitions these days of Information Assurance, perhaps the most elementary is that of enabling technology to conduct business and mission operations securely in a hostile information environment.

This triad - a combination of technology supporting trained and aware people who are following thoughtful, well-written and enforceable security policies - will be even more critical given the broad threats we face today. We must be able to detect not only the attack once it starts, but, more importantly, the signs that something may potentially occur, as well as the form it may take.

First, people are - and always will be - number one. People are necessary for brainpower, innovation, creativity and the experiential knowledge to solve technical problems. Research has proven that an effective team can achieve far more than even the individual "bests" of all its members, and that teams are more creative and productive when they can achieve high levels of participation, cooperation and collaboration among members ("two heads are better than one").

In a networked world, this sense of collaboration takes on an even greater urgency. We need to closely align our national policy for combating cyber terror with the activities of the infrastructure owners (not the government in most cases) and the business community. What is required is an effective partnering of private innovation with federal implementation.

Second, strong, culturally acceptable and enforceable security policies and processes must be installed and used to achieve success. If a solution is not adhered to by each and every user, it is a worthless solution. "Back doors" may be left open, inviting unauthorized parties to pillage your accounts, sensitive files, records and other vital information. On the smallest scale, an effective password policy with strong authentication protocols is often a minimal step to maximize the security posture of an organization. Policy can often be reduced to simple, observable and enforceable actions with very high payoffs in terms of network defense.

On a larger scale, overall information security will only be achieved if the will of the people is aligned with national policy and national policy supports the needs of the people. Therefore, the government must provide the motivation and will to attain a coherent national Information Assurance plan. President Bush recently took the first steps toward this by signing the Cyber Security Research and Development Act. This legislation dedicates more than $900M over five years to security research and education in an effort to protect the nation's technology infrastructure against hackers and cyber terrorists, and it is much needed.

According to a recent Washington Post report, the House Government Reform subcommittee on government efficiency gave a failing grade to 14 of the 24 largest federal departments and agencies whose computer security efforts were reviewed by the General Accounting Office (GAO). Another seven agencies earned a "D" and two were given a "C." The GAO, echoing earlier studies, said, "Poor information security is a widespread federal problem with potentially devastating consequences."

The Post report went on to say that, "many of the failures involved inadequate access controls, leaving sensitive information systems and data vulnerable to tampering by disgruntled workers or attack by thieves or terrorists."

It is clear that advanced technological infrastructures, equipped to protect an agency's or organization's collective knowledge and electronic assets, are needed to support human innovation and progress. A sound Information Assurance architecture depends on proper systems design and implementation, especially with legacy systems; network vulnerability evaluation and testing; operational support and maintenance; as well as routine upgrades.

Technological sophistication allowed America to achieve success in Afghanistan with precious few casualties. But just as crucial as the technology employed - perhaps even more so - were the sound principles and practices drilled into our military personnel, as well as the dedication and sound character of those men and women. Again, the triad must be applied. Technology is only as good as the people that set it up, monitor it, react to it and service it. They must apply the rules and configurations that are called for in a sound organizational policy.

Given all of this, however, we still have not stopped the external threat of an asymmetric villain operating outside the confines of any government structure or border. Since cyber terror only requires a computer and Internet link, it can literally be conducted from anywhere in the world. I believe a global coalition of governments, policies and technologies is needed to truly put a stop to this crippling threat, an even more challenging goal.

As a retired Navy officer, I have a great appreciation for history and, in particular, history's great military leaders and thinkers. The Prussian military theorist Carl von Clausewitz - widely acknowledged as the most important of the major strategic theorists - said, "One country may support another's cause, but will never take it so seriously as it takes its own." I find this relevant to our discussion because countries not so dependent on information and lacking information-dependent infrastructures are not likely to make information security a priority. Therefore, effective global coalitions can only be built over time, and must begin on the national level. It is, indeed, a long campaign requiring remarkable innovation and tireless effort.

By integrating key information security steps into our daily internal processes we will begin to win the battles that will eventually lead to success in the long campaign. CACI has already committed vast resources to researching and developing new and better defenses against cyber attacks, including Information Assurance solutions for both wired and wireless systems to ensure that systems and information transmissions are secure and maintain their integrity. We provide implementation and management strategies to meet intrusion detection and response requirements, as well as advanced firewall and cryptographic support.

Unfortunately, new and better offensive weapons are also being released daily - usually at far less cost than the defense - so we must be vigilant and support government initiatives that strengthen our cyber borders.

Another favorite history lesson of mine is that of Hernan Cortez, the Spanish Conquistador who, after landing at Vera Cruz in 1519, set fire to all of his own ships. His troops were stunned but received an unmistakable message from their leader: there would be no turning back until they had achieved complete success in their campaign. Our "campaign" is to help bolster the confidence necessary to conduct critical missions in a hostile information environment through the depth of people, processes and technology.
