


A "MINIMUM ESSENTIAL INFORMATION INFRASTRUCTURE" (MEII) FOR U.S. DEFENSE SYSTEMS: MEANINGFUL? FEASIBLE? USEFUL?

Robert H. Anderson, RAND
<anderson@rand.org>

THE CONCEPT OF AN MEII

Not all of the information systems on which essential functions of U.S. defense and intelligence depend, including those controlled by commercial and international interests, can be made secure and completely reliable - especially when faced with major accidents, environmental disturbances, and deliberate information warfare (IW) attacks. In deliberations and IW exercises involving these issues, the concept of a "minimum essential information infrastructure" (MEII) has been proposed. Presumably those information systems deemed truly essential to a unit's or an organization's - or, for that matter, the nation's - functions would be labeled "minimum essential," and extra(ordinary) precautions would then be taken to assure their survivability and operation, at least at some useful level.

When an MEII has been discussed, the questions arise: Is this even a meaningful concept? If meaningful, would "it" be feasible? If feasible, would it be useful for assuring the availability of the essential functionality? The study reported here, conducted during the past year, attempts to address those questions, concentrating on several systems essential for U.S. defense and intelligence operations.

THE "DEMAND" FOR AN MEII: THE VULNERABILITIES

Which information systems, especially within our defense and intelligence operations, are clear examples of the need for MEII-type protections? Although we have argued above that we cannot be exhaustive in listing such systems, there are some infrastructure systems so pervasive that they may be used as exemplars of essential systems. In our discussions with Defense officials, it became clear that our study should focus on next-generation command and control, logistics, and communication systems now being designed and built, rather than existing systems due to be replaced within the next 5-8 years. Only in this way might any of our recommendations have a chance to affect the design and operation of essential systems. We used as a basis for our analysis, therefore, several pervasive and important systems: the Global Command and Control System (GCCS) and Global Combat Support System (GCSS); Defense Information Infrastructure Common Operating Environment (DII COE); Secure IP Router Network (SIPRNET) and Non-Secure IP Router Network (NIPRNET); and the public switched (telephone) network (PSN).

In studying the architecture of these systems and other literature on vulnerabilities and risks in information systems, we have isolated 20 categories of vulnerability attributes on which an MEII-type analysis should focus. We note, however, that each "vulnerability" may under different circumstances be a neutral or even positive attribute; in fact some of our vulnerabilities are opposites (e.g., rigidity, malleability); their importance depends on context. The list of potential vulnerability attributes in a system is shown in Table 1.

Table 1: Categories of Potential System Vulnerabilities

Inherent Design/Architecture
  Uniqueness: Unique entities or processes may be less likely to have been thoroughly tested and perfected
  Singularity: Has a single point of failure, a "lightning rod" for attacks
  Centralization: All data and control must pass through a central node or process
  Separability: Components or processes may be isolated from the rest of the system
  Homogeneity: A flaw may be widely replicated in multiple, identical instances of an entity

Behavioral Complexity
  Sensitivity: Especially sensitive to variations in user input or abnormal use, an attribute that can be exploited
  Predictability: A system's external behavior is predictable; attackers can know the results their actions will have

Adaptability and Manipulation
  Rigidity: A system cannot easily be changed in response to an attack, or made to adapt automatically under attack
  Malleability: A system is easily modifiable
  Gullibility: It is easy to fool the system

Operation/Configuration
  Capacity Limits: A system near its capacity limits is vulnerable to denial-of-service attacks
  Lack of Recoverability: Inordinate time or effort is required to recover a system's operation, relative to requirements
  Lack of Self-Awareness: Systems are unable to monitor their own use
  Difficulty of Management: A system is difficult to configure and maintain, so known flaws may not be found or fixed
  Complacency/Co-optability: Poor administrative procedures, insufficient personnel screening, etc.

Indirect/Non-Physical Exposure
  Electronic Accessibility: Remote access provides an attack opening
  Transparency: The ability of an attacker to gain information about a system

Direct/Physical Exposure
  Physical Accessibility: Attackers can do physical damage to system components
  Electromagnetic Susceptibility: Attackers can use radiated energy to disable a system

Supporting Facilities/Infrastructures
  Dependency: Dependence on information feeds, power, etc.

THE "SUPPLY" OF MEII SECURITY TECHNOLOGIES

What protection, detection and reaction techniques are available to fix, or at least ameliorate, the above vulnerabilities when they are found in an essential information system? We have studied 175 R&D efforts underway within DARPA's Information Technology Office (on Information Survivability), DARPA's Information Systems Office (on Information Assurance), the National Security Agency (on information security techniques), and reports from various "biomimetic" research projects that are attempting to enhance information system survivability by the deliberate use of techniques that have evolved in biological systems. We have also surveyed commercially available information security tools, such as firewalls, "wrappers," and encryption techniques. In our studies, we find that protection techniques fall into the 10 categories shown in Table 2.

Table 2: Categories of Protection/Detection/Reaction Techniques

  Heterogeneity: Heterogeneity may be functional (multiple methods for accomplishing an end), anatomic (having a mix of component or platform types), and temporal (employing means to ensure future admixture or ongoing diversity)
  Static Resource Allocation/Selective Hardening: The a priori assignment of resources preferentially, as a result of past experience or perceived threats, to preclude damage
  Dynamic Resource Allocation: Some assets or activities are accorded greater importance as a threat develops; use directed, real-time adaptation to inclement conditions
  Redundancy: Maintaining a depth of spare components or duplicated information to replace damaged or compromised assets
  Resilience/Robustness: Sheer toughness; remaining serviceable while under attack, while defending, and/or when damaged
  Rapid Recovery & Reconstitution: Quickly assessing and repairing damaged or degraded components, communications and transportation routes
  Deception: Artifice aimed at inducing enemy behaviors which may be exploited
  Segmentation/Decentralization/Quarantine: Distributing assets to facilitate independent defense and repair; containing damage locally and preventing propagation of the damaging vector
  Immunologic Identification: Self/nonself discrimination; partial matching algorithms (flexible detection); memory and learning; continuous and ubiquitous function
  Self-Organizing and Collective Behaviors: Valuable defensive properties can emerge from a collection of autonomous agents interacting in a distributed fashion

We found that the majority of projects studied fall within the category of "Resilience/Robustness"; for example, work on firewalls, "wrappers," and encryption techniques.

CONCLUSIONS

The conclusions reached by our study can be summarized as follows.

  • There is no monolithic, hardened "thing" that constitutes an MEII. Rather, each unit must apply a methodology to determine those information assets essential to its functions.

  • We believe our main contribution to the study of the concept of "MEII" has been the development of a methodology to assist in developing MEII-like characteristics in systems. It consists of: (1) determining what information functions are essential to the unit's mission; (2) determining what information systems are essential to accomplishing those functions; (3) searching for vulnerabilities within those systems' components (using our list of 20 categories as a starting point); (4) for vulnerabilities found at varying system levels, applying relevant protection, detection and reaction techniques (using our 10 security categories as a guide); for those not under a unit's control, higher headquarters or authorities should be called upon to aid in increasing security; and (5) playing protections against a set of threat scenarios to check their robustness. We believe this methodology is useful in the operation and development of systems, and leads to insights regarding R&D priorities for information protection.

  • As a result of various units applying this methodology, a form of MEII will result that is a set of systems in nested or layered enclaves of security.

  • It is critical that the MEII behavior of essential systems should be testable; units must "train as they fight" and have the courage to disable essential information system components during realistic exercises.

  • In many essential DoD systems, such as GCCS, GCSS and the like, we find two vulnerabilities to be particularly pervasive: homogeneity (e.g., common system components, many of them commercial products whose interior details and behaviors are not totally known, are being replicated on tens of thousands of servers and desktops throughout DoD); and transparency (the source code for essential systems such as UNIX and Netscape, and the protocols and signaling system commands for telephone networks, are published and widely known, especially within hacker communities).
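The five-step methodology described in the conclusions, together with the Singularity and Homogeneity attributes from Table 1, as an added worked example that is not part of the RAND study: a small Python model of a hypothetical unit, in which every function, system and component name is constructed for illustration.

```python
"""Added example (not from the RAND study): the five-step MEII methodology
run over a constructed, hypothetical unit dependency model."""
from collections import Counter

# Steps 1-2: each essential function can be carried out over any one of
# several alternative system paths; every system in a path is required.
FUNCTIONS = {
    "targeting": [{"c2_server", "wan_router_a"}, {"c2_server", "satcom_link"}],
    "resupply": [{"logistics_db", "wan_router_a"}],
}
# Component makeup of each system, keyed by role (constructed sample data).
COMPONENTS = {
    "c2_server": {"os": "unix_v1", "client": "web_browser_y"},
    "logistics_db": {"os": "unix_v1", "dbms": "dbms_x"},
    "wan_router_a": {"os": "router_os"},
    "satcom_link": {"os": "unix_v1"},
}
# Step 4: Table 1 vulnerability attribute -> Table 2 technique applied to it.
REMEDY = {"Singularity": "Redundancy", "Homogeneity": "Heterogeneity"}

def essential_systems(functions):
    """Step 2: every system that some essential function may depend on."""
    return set().union(*(p for paths in functions.values() for p in paths))

def singularities(functions):
    """Step 3, Singularity: systems present in every path of a function,
    i.e. single points of failure for that function."""
    return {f: set.intersection(*paths) for f, paths in functions.items()}

def homogeneity(components, threshold=0.5):
    """Step 3, Homogeneity: a component replicated on more than `threshold`
    of the systems, so one flaw in it would hit all of them at once."""
    counts = Counter(c for system in components.values() for c in system.values())
    return {c for c, n in counts.items() if n / len(components) > threshold}

def play_scenario(functions, lost):
    """Step 5: after the systems in `lost` fail, a function survives if at
    least one of its paths contains none of them."""
    return {f: any(not (p & lost) for p in paths)
            for f, paths in functions.items()}

def recommend(functions, components):
    """Step 4: each finding paired with the Table 2 technique it calls for."""
    recs = []
    for f, spofs in singularities(functions).items():
        for s in sorted(spofs):
            recs.append((f, s, "Singularity", REMEDY["Singularity"]))
    for c in sorted(homogeneity(components)):
        recs.append(("all", c, "Homogeneity", REMEDY["Homogeneity"]))
    return recs
```

On this constructed data, recommend(FUNCTIONS, COMPONENTS) flags c2_server as a single point of failure for targeting and unix_v1 as a homogeneity exposure shared by three of the four systems, and play_scenario(FUNCTIONS, {"wan_router_a"}) shows targeting surviving over its satcom path while resupply does not.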

Further details on the results and recommendations resulting from this study are available in a RAND report. This study was sponsored by the Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence), the National Security Agency, and the Defense Advanced Research Projects Agency.



