Sunday, November 12, 2006

Safety of information: problems and solutions

The number and quality of tactical-level automated systems and information-handling hardware are now much higher than they were before. The same applies to the amount and importance of information, as well as to the range of threats capable of affecting the security of military information systems and, by extension, the conduct and results of actions by military units. Moreover, certain threats, if realized, are likely to have disastrous effects on tactical-level operations both in everyday activity and in wartime. All of that makes it essential to clarify the main contradictions between the current state of computer systems (networks) and information security capabilities.

To assure information protection inside such systems, it is necessary to formulate the aims of information protection work and to map out measures that can assure the protection. That, in turn, requires considering and systematizing all possible causes (threats) capable of leading to the loss, theft, forgery, unauthorized destruction, modification, corruption, copying and blocking of information.

Given the current development level of computer systems (networks), military automated systems face two groups of threats, which can be defined as external and internal. The first group comprises hostile influences (theft and masquerade; malicious software; intentional unauthorized operations; terrorism, etc.) and natural phenomena (fires, flooding, natural calamities). The second group comprises malfunctions of communication and processing hardware; software failures; unauthorized database access; routing errors committed by operating personnel; power failures; user errors; and other things.

One journal article is too short to deal with all possible information safety threats, which is the reason why we shall dwell only on some, while being fully conscious of the importance of each single one.

As the present writers see it, one of the gravest threats is information leakage via different types of telecommunications equipment and side radiations (guideline documents term the latter technical information leakage channels). There are a number of laws, guideline documents of the RF Ministry of Defense, and methodological recommendations explaining in sufficient detail how to protect information from being leaked via the technical channels. On the whole they offer sufficiently detailed instructions on what should be done to put computer facilities in place in line units and how to operate them. At the same time, it is much more difficult to ensure information safety against the background of the existing political-economic situation, the rapid computerization of all aspects of military activities, miniaturization, the broad-scale introduction of different-purpose computer networks, as well as the huge range of computer systems and the dynamic rate of their replacement.

Originally the system of information protection measures was geared to domestic producers manufacturing an overwhelming majority of computer systems and equipment from home-produced electronic components. It was assumed that the computer facilities would be limited in number and used mostly in a centralized fashion as elements of computer centers. It was also held that there would be an assignment order to operate the main part of the computer equipment, while additional specialized investigations would be on a limited scale.

But the situation changed radically by the mid-1990s, making the domestic producers no longer capable of supplying the armed forces with enough certified computer equipment possessing the required information-handling potential.

Foreign-made equipment came into use when computerization started on the national scale. Simultaneously, the range and complexity of electronic components grew rapidly, leading to a rise in the amount and cost of the special checks and special research covering all computer equipment.

The situation came close to a breach of the guideline requirements for putting into service computer facilities designed to handle state secret data. Among other things, the appropriate special research was simplified so as to provide the command and control elements with at least some of the needed certified computer facilities and to speed up their becoming operational. There were cases where uncertified foreign-made computer equipment was employed to handle classified information. On top of that, the small size of modern computers, which makes them easy to conceal during checks, considerably complicated the work done by the appropriate verification agencies to identify and eliminate such breaches.

Things being what they were, the procedure itself for putting the computer facilities into operation was affected. Rates of delivery or replacement of various computer systems and equipment were such as to significantly increase the annual demand of the tactical echelons for these measures. Each year military units, staffs, and military establishments of the RF Ministry of Defense put into operation dozens and occasionally hundreds of computer facilities designed to handle classified information. In a number of cases, however, both the amount of work that had to be done to put a facility into operation and the list and content of the documents the process involved proved more than the verification agencies issuing operational permissions and the agencies operating the equipment could objectively cope with. For example, it is hard to implement the requirements as to the content, execution and management of the Information Protection Log both at a facility with just one PC and where dozens (hundreds) of workstations forming a local network are concerned.