physical security.1 Indeed, DOD systems are regularly attacked and penetrated,2 though most of these attacks fail to do damage. Recent exercises such as Eligible Receiver (Box 3.1) have demonstrated real and significant vulnerabilities in DOD C4I systems, calling into question their ability to perform properly when faced with a serious attack by a determined and skilled adversary.

Such observations are unfortunately not new. A series of earlier reports has noted a history of insufficient or ineffective attention to C4I information systems security (Box 3.2).

The problem of protecting DOD C4I systems against attack is enormously complicated by the fact that DOD C4I systems and the networks to which they are connected are not independent of the U.S. national information infrastructure.3 Indeed, the line between the two is quite blurred because many military systems make use of the civilian information infrastructure,4 and because military and civilian systems are often interconnected. DOD is thus faced with the problem of relying on components of the infrastructure over which it does not have control. While the general principles of protecting networks as described below apply to military C4I systems, both those connected to civilian components and those that are not, the policy issues related to DOD reliance on the national information infrastructure are not addressed in this report. Lastly, C4I systems are increasingly built upon commercial technologies and thus

1. Within the information technology industry, the term "information security" encompasses technical and procedural measures providing for confidentiality, authentication, data integrity, and non-repudiation, as well as for resistance to denial-of-service attacks. The committee understands that within many parts of DOD, the term "information security" does not have such broad connotations. Nevertheless, it believes that lack of a broad interpretation for the term creates problems for DOD because it focuses DOD on too narrow a set of issues. Note that information systems security does not address issues related to the quality of data before it is entered into the C4I system. Obviously, such issues are important to the achievement of information superiority, but they are not the focus of this chapter.

2. In 1996, the General Accounting Office reported that the DOD may have experienced 250,000 cyber-attacks in 1995 and that the number of cyber-attacks would increase in the future. Furthermore, the Defense Information Systems Agency estimated that "only about 1 in 50 attacks is actually detected and reported." For additional information, see General Accounting Office. 1996. Information Security: Computer Attacks at the Department of Defense Pose Increasing Risks, GAO/AIMD-96-84, General Accounting Office, Washington, D.C.

3. The U.S. national information infrastructure includes those information systems and networks that are used for all purposes, both military and civilian, whereas DOD's C4I systems are by definition used for military purposes.

4. More than 95 percent of U.S. military and intelligence community voice and data communications are carried over facilities owned by public carriers. (See Joint Security Commission, Redefining Security: A Report to the Secretary of Defense and the Director of Central Intelligence, February 28, 1994, Chapter 8.)


