Information Warfare: An Emerging and Preferred Tool of the People’s Republic of China
What should be done?
Policy makers, government administrators, infrastructure owners and operators need to become more aggressive when protecting our country against the information warfare that is being conducted. The following policy recommendations are made:
1. All contractors, universities and outsourced agents who interface with the federal government’s information infrastructure should be required to be ISO 17799 certified.
ISO/IEC 17799 is a set of international information security practices and standards. They specify accepted security practices related to securing information assets. The ISO/IEC 17799 standards (to become ISO 27000 in the future) seek to serve as “a starting point for developing organization specific (information security) guidelines.”13
The ISO standards cover the following twelve domains: risk assessment and treatment; security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and compliance.
Security analysts responsible for protecting sensitive information can be relatively confident if an organization is ISO 17799 compliant. A high degree of information assurance (security) is likely to be a characteristic of the data set being used. The reverse may be true if the organization is out of compliance with ISO 17799.14
2. The Department of Homeland Security must promote, as a matter of policy, a sector-by-sector information security awareness training program.
A majority of the private and government organizations in this country are woefully unaware of the threats and vulnerabilities associated with the use of the information infrastructure (computer networks, the Internet, etc). The focus of a DHS information security awareness training program should go beyond posting a series of web pages and reports that are tucked away in the third or fourth levels of a web site.
A cadre of well-trained DHS employees should be sent into each state in the nation to train a sufficient number of state homeland security staff in the essentials of information security. An information security awareness-training program should be funded for each sector of the interlinked critical infrastructure. Employees in each sector should be aware of their responsibilities for information security.
3. All sensitive national research and development programs should be required to implement an information security plan that includes vigorous personnel screening practices, security training and monitoring practices.
Millions of dollars of critical research and development programs are spread across the nation. Most programs lack even the most basic components of a cohesive information security program. … “People don’t appreciate the true nature of what information has value. Without an understanding of value, businesses and people will not be able to adequately determine the risk that is faced and justify the countermeasures that need to be implemented.”15
The methods and means used by unfriendly competitors or hostile nation states and the nature of modern day information processing technology dictate that we must be vigilant in protecting critical information assets and our national research infrastructure.
4. Access to the Internet by federal employees should be severely restricted and isolated.
Access to the Internet by federal employees should be severely limited or denied. Many individuals would consider restricting access to the Internet in the workplace to be bordering on heresy. A reality check, however, is necessary. The Internet and its services bring threat vectors to the desktop computing environment and ultimately internal networks. Employees in both the public and private sectors are unaware of this. Threats are typically programmed to seek out vulnerabilities that exist in a system for the ultimate purpose of stealing or damaging the target’s information infrastructure.
Only a limited number of employees need to have direct access to the Internet for browsing to perform basic job tasks. An individual who needs Internet access should have his or her workstation completely isolated from the internal network using a combination of customized telecommunications equipment and software to reinforce isolation from the internal production network.
Isolating workstations from the Internet can be accomplished either by blocking selected services, such as file transfer (FTP) and “instant messaging,” or by separating workstations that have Internet access from critical portions of the internal network.