Handbook of Information Security Management: Policy, Standards, and Organization



This passive defense kept the honest user honest, but did not do much to stop the more computer-literate user such as the hacker, cracker, or phreaker. Management support was not always available unless something went wrong. Then, management became concerned with information systems security — albeit only until the crisis was over. This passive approach, supported by short-lived proactive efforts, was and continues to be “how information security is done.”

With the advent of information warfare and the concerns associated with it, government agencies, businesses, and the U.S. in general can no longer afford to take such a passive approach. Within the profession, the possibility of an information systems Pearl Harbor is discussed. Most of the time, this is dismissed as rhetoric and as security people trying to justify their budgets. This approach will no longer work, and security professionals would be remiss in their responsibilities if they did not start looking at how to “information warfare-harden” (IW-H) computerized systems. IW-H means to provide a defensive shield (an early warning countermeasures system) to protect government and business information infrastructures in the event of IW attacks.

Attacking a Commercial Target May Be a Prelude to War

In a time of war, would government systems be the primary target? A new age in warfare, commonly known as the Revolution in Military Affairs (RMA), is being entered. As previously discussed, there is a worldwide economic war being waged, where balance of trade statistics determine the winners and losers, along with the unemployment trends and the trends indicating the number of businesses moving overseas. In the information systems business, that trend also continues and may be increasing. Microprocessors are made in Malaysia and Singapore, software is written in India, and systems are integrated and shipped from Indonesia, for example. No one checks to determine if malicious code is embedded in the firmware or software, waiting for the right sequence of events to be activated to release that new, devastating virus or to reroute information covertly to adversaries.

Consideration must also be given to networking with other information systems security professionals to establish an IW early warning network, as well as to share IW defensive and IW countermeasures information. This can be equated somewhat with the early warning radar sites that the Department of Defense has scattered throughout the U.S.’s sphere of influence. These systems warn against impending attacks. If such a system had been in place on the Internet when the Morris Worm was initiated, the damage could have been minimized and the recovery completed much more quickly. If the U.S. is the object of all-out IW attacks, the Morris Worm type of problem would be nothing compared with the work of government-trained IW attack warriors.

SUMMARY

When a government agency or business computer system is attacked, the response to such an attack will be based on the type of attacker. Will the attacker be a hacker, phreaker, cracker, or just someone breaking in for fun? Will the attacker be an employee of a business competitor, or, in the case of an attack on a business system, will it be a terrorist or a government agency-sponsored attack for economic reasons? Will the attacker be a foreign soldier attacking the system as a prelude to war?

These questions require serious consideration when information systems are being attacked, because the answers dictate the response. Would one country attack another because of what a terrorist or economic spy did to a business or government system? To complicate the matter, what if the terrorist was in a third country but only made it look as though he or she was coming from a potential adversary? The key to the future is in information systems security for defense and information warfare weapons. As with nuclear weapons used as a form of deterrent, in the future, information weapons systems will be the basis of the information warfare deterrent.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.