█ LARRY GILMAN
Information security, often compressed to "infosec," is the preservation of secrecy and integrity in the storage and transmission of information. Whenever information of any sort is obtained by an unauthorized party, information security has been breached. Breaches of information security can be grouped into five basic classes: (1) interception of messages; (2) theft of stored data; (3) information sabotage (i.e., alteration or destruction of data belonging to another party); (4) spoofing (i.e., using stolen information to pose as somebody else); and (5) denial of service (i.e., deliberate shutdown of cash machines, electric-supply grids, air-traffic control networks, or the like). Individual computer experts ("hackers"), intelligence agencies, criminals, rival businesses, disgruntled employees, and other parties may all seek to breach information security. All these parties, plus law-abiding private individuals who wish to guard their privacy and protect themselves from identity theft, also have an interest in preserving information security.
Messages and secrets have been subject to interception and theft ever since the invention of writing, but the modern situation is especially challenging. Electronic storage, processing, and transmission of information are now ubiquitous in the developed world, creating novel vulnerabilities. People are authorized to withdraw cash or purchase products on the basis of a piece of information (password or credit card number); trade secrets and business plans are electronically transmitted around the globe. In the U.S., over 95% of military and intelligence communications pass through network facilities owned by private carriers (e.g., the telephone system). Private speech may be broadcast locally by a mobile or cellular telephone or transmitted digitally over a network that can be tapped in numerous locations; databases full of confidential data reside in computers that can be accessed, perhaps illegally, by other computers communicating through networks; and so on. Information security—or insecurity—is a pervasive fact of modern life.
Consequently, breaching information security has become a common practice. For example, credit-card fraud costs approximately $20 per card per year. In 1994, an international criminal group used the Internet to penetrate Citicorp's computer system and shift $12 million from legitimate users' accounts to its own. Two ex-directors of the French intelligence agency DGSE (Direction Générale de la Sécurité Extérieure) have confirmed that one of the agency's highest priorities is to spy on non-French corporations and business-related government agencies. United States government agencies such as the Office of the U.S. Trade Representative and high-tech companies such as Boeing, General Dynamics, Hughes Aircraft, and others have been specifically targeted by French espionage—and probably also by other organizations that happen to be less frank (or more prudent) in their public statements.
There are many tools for increasing information security, including software that scans for computer viruses or prevents unauthorized intrusions into computer systems from the networks; password systems of all sorts; physical access security for computers, discs, passcards, credit cards, and other objects containing sensitive information; and encryption of messages and of databases. While all these tools are important to the conduct of business by a large business or government department, passwords and encryption are probably the most important.
Passwords have the advantage of being simple to use. They are not, however, capable by themselves of providing a high level of security for large numbers of users. First, most users are asked to supply passwords for many different systems: banking, shopping, e-mail, and so forth. This tempts users to choose short passwords (which are easier to remember but also easier to guess, and therefore weaker) and to use the same password for more than one system (causing a domino effect if a password is guessed).
Cryptography—the process by which raw message information (plaintext) is mapped, or encrypted, to a scrambled form (ciphertext) before transmission or storage, then mapped back to its original form again (decrypted) when an authorized party wishes to read the plaintext—is arguably the ultimate tool of information security. High-quality cryptographic systems that are breachable (if at all) only by resource-rich groups like the U.S. National Security Agency are widely available to businesses, governments, and private individuals. Appropriate cryptography can virtually guarantee the security of messages in transit and of information in databases; it can also, through "authentication," act as a super-password system whereby the identity of a would-be user (or information service supplier) can be positively confirmed. Cryptography has the disadvantages of added complexity, higher cost, and system slowdown.
Cryptography is also politically controversial, despite—or rather, because of—its technical power. Governments, corporations, private individuals, and private groups all have both legitimate and, occasionally, illegitimate motives for information security. Law-abiding persons and groups, or those rebelling against repressive laws, wish to be secure from surveillance by governments; criminals, terrorists, and the like also wish to be secure from surveillance by governments; government agents who are committing crimes wish to avoid public exposure; and so forth. It is generally advantageous to all parties, whether their activities are legitimate or illegitimate in whatever sense, to advocate maximum privacy for their own activities; it is generally advantageous to governments to advocate, in addition, maximum transparency for everyone else. Thus, for example, the U.S. government has sought (with little success) to prevent the spread of high-quality encryption algorithms, such as Pretty Good Privacy, outside the U.S., and inside the country has sought to establish voluntary compliance with "escrowed" cryptography systems. In such systems a government agency stores copies of cryptographic keys that enable it to decrypt communications between private parties using the system. In theory, these escrowed keys would be released to police or other government agents only when the court system had determined that there was a legitimate law-enforcement or national-security need to do so. Because such systems allow for third-party access to encrypted information by design, they are intrinsically less secure than a non-escrowed cryptography system, and therefore predictably unpopular with the private sector.
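The two preceding paragraphs describe, in words, the plaintext-to-ciphertext mapping, the use of cryptography for authentication, and the way an escrowed system hands a copy of the key to a third party. The following is an added example written for this edition, not code from the encyclopedia entry or from any system it names: a small encrypt-then-MAC scheme built only from the Python standard library (HMAC-SHA256 in counter mode as the keystream, HMAC-SHA256 as the authentication tag), followed by a toy escrow layer. The construction and every function name (`encrypt`, `decrypt`, `escrow_wrap`, `escrow_recover`, `escrow_demo`) are this example's own assumptions, and the messages and keys are constructed sample values.

```python
# Added example (not part of the encyclopedia entry): a minimal
# encrypt-then-MAC scheme from the Python standard library, plus a toy
# "escrowed" layer in which a third party holds a copy of the key material.
# The construction and all names below are this example's own.
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _derive(master_key: bytes, label: bytes) -> bytes:
    """Derive an independent subkey from the master key (HMAC used as a KDF)."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode as a pseudorandom keystream.

    A PRF in counter mode is a textbook stream cipher and is used here for
    illustration; production code should use a vetted AEAD such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Map plaintext to ciphertext and append an authentication tag.

    Output layout: nonce || ciphertext || tag. The tag lets the receiver
    detect any alteration of the ciphertext (the "information sabotage"
    class of breach) before anything is decrypted."""
    enc_key = _derive(master_key, b"encryption")
    mac_key = _derive(master_key, b"authentication")
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message; never reused
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, message: bytes) -> bytes:
    """Verify the tag, then map the ciphertext back to plaintext.

    Raises ValueError if the message was truncated, altered, or produced
    under a different key; no plaintext is released in those cases."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    enc_key = _derive(master_key, b"encryption")
    mac_key = _derive(master_key, b"authentication")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


# --- Toy key escrow -------------------------------------------------------
# In an escrowed system the parties' session key is also encrypted under the
# escrow agent's key and deposited with the agent. Whoever holds the agent's
# key can recover the session key and read every message, so the agent's key
# store becomes a second asset that must be protected as well as the first.

def escrow_wrap(escrow_key: bytes, session_key: bytes) -> bytes:
    """Produce the copy of the session key that is deposited with the agent."""
    return encrypt(escrow_key, session_key)


def escrow_recover(escrow_key: bytes, wrapped_key: bytes) -> bytes:
    """What the holder of the escrow key can do: recover the session key."""
    return decrypt(escrow_key, wrapped_key)


def escrow_demo() -> bool:
    """Two parties exchange a message; the escrow agent can read it too."""
    sample = b"constructed sample: quarterly forecast"   # constructed plaintext
    session_key = secrets.token_bytes(32)                # the parties' key
    escrow_key = secrets.token_bytes(32)                 # the agent's key
    deposit = escrow_wrap(escrow_key, session_key)
    message = encrypt(session_key, sample)
    # The agent never saw session_key directly, yet decrypts the traffic.
    recovered_key = escrow_recover(escrow_key, deposit)
    return decrypt(recovered_key, message) == sample
```

`escrow_demo()` returns `True`: the escrow deposit is exactly as sensitive as the session key itself, which is the design property the entry refers to when it calls escrowed systems intrinsically less secure. The tamper check in `decrypt` shows the authentication side of the same toolkit: a single flipped ciphertext byte is rejected before any plaintext is produced.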
█ FURTHER READING:
Dam, Kenneth W., and Herbert S. Lin, eds. Cryptography's Role in Securing the Information Society. Washington, DC: National Academy Press, 1996.
Hoffman, Lance J., ed. Building in Big Brother: The Cryptographic Policy Debate. New York: Springer-Verlag, 1995.
Information Systems Security Association: The Global Voice of the Information Security Profession. 2003. <http://www.issa.org/> (February 21, 2003).
Information Security (OIS), United States Office of
The Office of Information Security (OIS) is a unit within the General Services Administration (GSA) charged with the protection of computer data for the federal government. It employs a team of skilled technicians and specialists to manage, store, process, and, most importantly, provide security for electronic information systems. Under the umbrella of the GSA Federal Technology Service (FTS), OIS is part of the critical infrastructure protection system of the federal government.
The mission of OIS is to provide technology security systems to federal agencies to reduce risks and exposure of critical and sensitive information, and to do so in a cost-effective manner. To fulfill this mission, OIS has on staff an experienced group of technical specialists trained in protection and security methods for electronic data. In addition, it is capable of deploying engineers and technicians from the private sector as needed to federal or allied facilities anywhere in the world to meet transmission, storage, and processing requirements.
Among the solutions at the disposal of OIS are firewalls, or systems to prevent unauthorized access of hardware or software to or from a private network. Other techniques and principles applied by OIS include intrusion detection, security planning, risk management, data encryption, contingency planning, configuration management, and network mapping.
In accordance with Presidential Decision Directive (PDD) 63, issued by President William J. Clinton in May 1998, OIS has worked to protect federal critical infrastructure from attacks by computer hackers. In 1999, it began working with firms in the private sector to provide infrastructure security consulting to federal agencies.
Beginning in October 2000, OIS divided its functions between its Information Security Services Center and its new Office of Information Assurance and Critical Infrastructure Protection. FTS took control of the first of these, through which OIS had met customer-service needs with offerings such as the Safeguard Program and the Access Certifications for Electronic Services Program. Meanwhile, the OIS concentrated its efforts in the critical infrastructure protection area, serving the imperatives of PDD–63 by providing cyber attack incident warnings and response services through the Federal Computer Incident Response Capability.
█ FURTHER READING:
Frank, Diane. "GSA Preps Security Pacts." Federal Computer Week 13, no. 6 (March 15, 1999): 1.
Office of Information Security. General Services Administration Federal Technology Service. <http://www.fts.gsa.gov/infosec/> (March 4, 2003).