Rainforests worth of paper and terabytes worth of magnetic storage media have been devoted to describing the impact of proliferation of technology. Notable amongst the effects is the manner in which information is handled and the speed and ease with which it is communicated. Alongside the tremendous benefits of this information – communication revolution comes the associated peril - potential threats to security of information.
This is a key area of concern for the Army, since information revolution has affected it as much as, if not more than most other organisations. Over the last few years, continuous attempts have been made to keep up with this challenge. Instructions have been issued, SOPs formulated and constantly revised to keep up with changes in technology. Despite this, the confidence level in the adequacy of our means to secure information remains low. On one hand the exhaustive procedures and proscriptions are largely viewed as encumbrances to functional efficiency. On the other hand, cases of security breach occur with regular frequency - a few of them serious enough to cause concern.
One reason for this is that we continue to employ yesterday’s mindset and methods to deal with tomorrow’s problems. The rapidly changing environment dictates that our approach to and implementation of information security also evolves constantly. Proliferating means of communication available to individuals in their official as well as personal capacity imply many more potential security hazards are required to be protected. At the same time, while formulating such safeguards, genuine informational and communication aspirations of individual and requirements of functional conveniences need to be preserved. Also, our organisation should not remain bereft of utilising the full potential offered by technological advances merely due to inability to do so in a secure manner. Security measures need to be specifically targeted at identified threats, rather than degenerating into sweeping and generic measures which actually may be counter productive.
Threats to information systems could loosely be grouped as external and internal. The external threats, i.e. attacks on own networks with a view to gain information, deny service, and even destroy data / hardware, could be in the form of malicious software or physical attack / access by hackers. Of these, the most commonly encountered threat is from malicious software, such as viruses, worms and Trojan horses. These are introduced into a system through infected files / emails, and spread automatically from system to system and over networks once unleashed. Their effect can range from mildly annoying to catastrophic. Protection against these is the onus of each and every user, and use of regularly updated virus protection utilities combined with basic precautions in handling all external files can effectively counter this threat. To mount other kinds of external attack high degree of expertise as well as an avenue of access to the network is required. Safeguarding against such attacks would fall in the domain of systems / network administrators and specialized agencies such as CERT rather than the common user. Internal threats constitute breach of security, intentional or otherwise, which result in leakage of information. These falls in the domain of the common user and the scope of this article is restricted to such internal threats.
Computers, Computer Networks and the internet, all are ubiquitous these days. Specialist computers for C4I2 systems are progressively becoming prevalent as these systems are fielded in our Army. These have peculiar security requirements and measures, and are excluded from the present discussion. However, actual widespread usage is of standard standalone or networked PCs. These are being employed primarily for word processing tasks, data management and presentations. Usage of official communication through email or file transfer through FTP on LAN / Intranet has not really caught on so far, possibly due to lack of seamless integration of various networks, and procedural requirement of having written records of all correspondence. Besides, official availability and usage of internet is also increasing in units and HQs. This is primarily for accessing info, and no official communications are permitted on the internet.
Information is of limited utility without requisite portability, and portability of information between different computers or networks is a major potential area for breach of security. This is one of the paradoxes that need to be managed. Files that are created or modified by one user need to be transferred to other users / systems for processing. Similarly, information obtained from the internet needs to be worked upon and converted into a form appropriate for the desired end use. The current status of networking in the Army is extremely fragmented. Secure transmission of files / data over our networks is only partially possible. Also, computers connected to the internet are in standalone modes to prevent possible malicious access to our networks. There is therefore frequent requirement to use secondary storage media for transferring of files between computers. Being a functional requirement, excessively inconvenient restrictions on this in the interest of security would lead to either inefficient functioning, or ‘well intentioned’ breach of instructions. Security solutions need to therefore strike a balance between requirements of security & functional efficiency.
Apart from official usage, almost all officers, and a growing number of PBOR, own a computer and use it extensively. Usage of internet by all ranks is also on the rise, be it for accessing information, communication, entertainment or utilities such as online bookings, banking and investments. The convenience and affordability of email / Instant Messengers as means of instantaneous communication with remotest locations has popularized these immensely. Apart from these, the internet can be used for two-way exchange of ideas through message boards, forums and blogs. It is extremely easy to set up a free web page, post your views on your own or others blogs, and start / join interest groups on social networking sites. Ability to discover long lost friends and convenience of staying in touch with near and dear ones has popularized such activities universally. Expecting Army officers to remain aloof from such activities, therefore, is not entirely reasonable. However, there is a very real risk of breaches in security as a result of such interactions / communications / postings if due care is not taken. Here again, there is a need for a fine balance between security requirements and pragmatism.
Another area of potential security risk that needs careful handling is mobile telephones. Cheap availability of hardware as well as affordable service charges has ensured universal proliferation of mobile telephones. For the soldier serving far away from home, it is a blessing to be able to remain in constant touch with, and more importantly, accessible to his family. Apart from being a morale booster for all ranks, mobile telephones are increasingly becoming a functional necessity as a tool for commanders to remain in communication with the chain of command while on the move.
Indiscriminate usage of mobile telephones does pose risk of inadvertent leakage of information. Besides, with mobile instruments becoming increasingly sophisticated, they incorporate cameras and voice recorders, which have the potential for being misused to compromise security. No comprehensive policy with regards usage of mobile telephone exists, though instructions, guidelines and orders for restrictions in specified areas / occasions have been passed at various levels. Restrictions on usage of mobile telephones and type of instrument permissible to be used have been the standard reactions. However, such measures are also liable to prove ineffective at best and counterproductive at the worst. They would deny persons the opportunity of availing the benefits of technology, compelling them to buy and use only the very basic instruments. At the same time, persons inclined to indulge in espionage would not be deterred by such bans – and with the current pace of technology, could even find numerous tools other than mobile phones for carrying out the same activities.
Components of Policy
It is quite evident that safeguarding information is becoming an increasingly difficult task. Logically, lesser the quantum of information there is to be secured, the easier would be this task. An honest appraisal of the aspects considered as classified (to various degrees) by us would reveal that a large amt of such information is available through open sources. Similarly, we could identify other issues which, although considered classified, could not have any adverse impact on us, or be of tremendous benefit to any adversary, even if revealed. It is also logical to assume that the availability of information with the lower echelons / ranks would generally be of insignificant nature, while information of more sensitive nature would be available with lesser & lesser number of people, generally in responsible positions. Thus, with increase in the quality or damage potential of information, the responsibility level of its custodian also increases. There is, however, a need to pragmatically re-assess our security classifications, grade only selective information as classified, and concentrate on securing the same.
11. Breaches of security would essentially take place under two circumstances. First would be unintentional, due to inadvertent slippages or carelessness, which could be exploited by an opportunistic cyber-adversary or miscreant. The second would be intentional, through malafide intent. While putting our security policies in place, we need to be aware of the distinct differences between these two, and the requirement for the policy to cater adequately for either. It is axiomatic that majority of the security breaches would be of the first kind, though these are likely to be less damaging in terms of actually culminating into an exploitation by an interested party, as also the quality / grade of information that is likely to flow out. The second kind of breach would be far less frequent, but potentially much more damaging. Not only would the information reach into undesirable hands, it is likely to be of sensitive nature, specifically required by such undesirable elements.
A review of our security procedures indicates that these are oriented towards preventing breaches of the first i.e inadvertent kinds. Breaches of the second type would be extremely difficult to prevent, because if an individual with requisite access / privileges decides to betray the trust reposed in him, he could easily choose his target and opportunity to strike. Also, he would have the ability to overcome the safeguards, and disregard for regulations / instructions. This brings us to a chilling realization that our existing security procedures are disruptive to functional efficiency on one hand and quite ineffectual to prevent the most dangerous types of breaches on the other.
We have been typically been adopting an ostrich like approach towards threats to security of information, attempting to meet them by completely cutting ourselves off or burying our heads in the sand. Apart from other disadvantages, such an approach denies us the opportunity to fully exploit the benefits of current technology. If we look around us, we will find that informational threats of different types and magnitudes exist to all information systems in today’s world, and are being dealt with effectively without compromising on any of the conveniences of technology. In organisations such as banks, internal or external breaches can lead to massive financial losses, liable to threaten their very existence. However, the approach adopted by these organisations has enabled them to continue functioning in an efficient manner, even allowing customers to access their accounts via the internet, with all the associated risks. Similar examples abound – ecommerce is booming on the basis of secure networks. This goes to prove that it is possible to ensure adequate security through the right kind of procedures and protocols, and physical denial, isolation, and prevention of usage altogether are not the only options.
Conceptually, therefore, our systems for security of information should aim at the following:-
(a) Identifying high value information that needs to be secured, allowing non-priority information to be freely available, thereby optimizing the efforts towards security.
(b) Preventing inadvertent security lapses / breaches by ensuring systems and procedures designed to provide functional efficiency without compromising on security.
(c) Preventing deliberate security breaches by prophylactic measures, and having inherent structures to ensure damages through such breaches are minimal, through compartmentalization of information.
(d) Allow maximum possible freedom for functional efficiency and personal aspirations.
Reassessment of Security Classification. A search on the internet will reveal that a vast amount of information about the US Army is openly available. This includes their training manuals, unclassified doctrines, official histories etc. In fact, websites hosted by units / sub units, forums for veterans, sites for army wives and similar activities abound. In these, information such as a units’ identify and locations are openly available. There is a need for us to similarly become more permissive in the information that is allowed to be shared, and concentrate our energies on zealously guarding information of real value. Sharing of Indian Army Doctrine on the internet and similar initiatives are therefore steps in the right direction. However, a lot more effort needs to be put in to arrive at a truly pragmatic security classification system. A decided advantage of downgrading our security classifications would be that in doing so, bulk of the routine correspondence which actually comprises majority of the files being processed, would be out of the ambit of elaborate security procedures. This would improve functional efficiency and further reduce scope for lapses that could be construed as inadvertent breaches.
Customized Software. Security breaches, both advertent and inadvertent, are greatly facilitated by the fact that commercially available operating systems and applications are being used on bulk of our computers. A document copied from an official computer, can therefore be subsequently opened on almost any other computer. On the contrary, if Army’s computers run customized software on a customized operating system, files would be saved in a proprietary format which would not be accessible through any other software commercially available. The installation disks of such software could have the highest security classification, and be held in extremely limited numbers by systems administrators at various levels. Adequate checks and balances in the form of an audit trail could be built in to prevent unauthorised installation / copying. This would ensure that even if inadvertent breaches occur, exploiting them would be extremely difficult.
Copying of Files on Secondary Storage Media. Proscribing use of secondary storage media such as pen drives has been resorted to as a means of preventing security breaches as of now. This is an extreme step, and obviously not a very tidy solution. Technological means will continue to become available faster than we can ban them, and we should attempt to find ways to employ them in a manner commensurate with our security considerations. Firstly, by ensuring a seamless, secure interconnectivity of networks within the army, we can considerably reduce the necessity of copying files to secondary media. Also, since copying of files either on the network or secondary media is a functional requirement, we need to find ways of doing so without compromising security. For example, the customized software suggested above could have suitable logging features built in. Each time a new document is created, it would be mandatory to accord it a security classification, and a unique identifying number would be automatically accorded by the system. Privileges of according higher classifications could be reserved for specified users or appointments by means of passwords / hardware locks. Once a higher classification is accorded to a document, copying it would not be allowed, or only allowed through specific authentications. Also, the system could automatically keep a record each time any document is copied, which could be maintained on the server. Since copying of files would require an individual’s user key or password to be entered, accountability trail would be maintained. Each document and subsequent copy could also be given a unique identifying number, akin to a copy number, which would further maintain the accountability trail. Such measures would prevent inadvertent breaches and act as deterrents for deliberate breaches without hampering functional efficiency, and ensure greater care in handling files by all users.
Secure Individuals Rather Than Means. Most important aspect of security is ensuring that the individual, rather than means, are secured. As already pointed out, no amt of procedures or checks can safeguard information against an individual who breaches security with malafide intent. If vetting and identification of information to be classified as sensitive is carried out as suggested, the number of persons required to be thus secured would also reduce considerably. Securing individuals will encompass ensuring adequate training and awareness to prevent inadvertent lapses. Higher awareness amongst users can be inculcated through constant usage and hands on experience of all available means of information / communication. Also, steps suggested above and other measures to ensure security which do not hinder functional efficiency would encourage greater compliance, leading to fewer inadvertent lapses.
Restrictions in Personal Domain should be Exceptions rather than the Norms. Be it of mobile telephones or the internet, restrictions on personal usage should be exceptions rather than the norm. Having taken adequate measures for ensuring against inadvertent breaches, security of individuals and high degree of awareness, responsible usage of these means should be expected. As we mature to an adequate level of self regulation, there should be no harm in encouraging greater exploitation of available means within the ambit of security, such as allowing units to host websites on the internet to enable their veterans to remain in touch. Similarly, usage of mobile telephones should come under self regulation rather than regulation through enforcements.
We need a paradigm shift in the way security of information is ensured. Innovative means are required to avoid inadvertent breaches and deliberate leaks. The measures suggested are merely indicative, and many better steps could be identified, as long as we recognise the necessity for change in our mindset. Any measures that we take must keep in mind that while the essentials are secured, such means do not unnecessarily impose on functional efficiency or personal freedom. Nor should we deny ourselves the use of the latest offerings of technology for lack of finding means to do so without threatening our security.