Definitions
China
The PLA defines information security (信息安全, xinxi anquan) as
“The protection of information collection, processing, transport, and use from disruption, destruction or theft; the protection of normal use of information by its legitimate owners. Information security includes information content security, information systems security, information infrastructure security, information exchange security and information security awareness.”
Export control law
Information security is
“[a]ll the means and functions ensuring the accessibility, confidentiality or integrity of information or communications, excluding the means and functions intended to safeguard against malfunctions. This includes "cryptography," "cryptanalysis," protection against compromising emanations and computer security.”
FISMA
The Federal Information Security Management Act of 2002 defines information security as:
“[p]rotecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide —
General
Information security (INFOSEC) is a "generic term covering the following aspects of
- a. Personnel security
- b. Physical security
- c. Radiation security
- d. Transmission security
- e. Crypto security
- f. Computer security."
Information security is
“[t]he protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability.”
U.S. copyright law
Under U.S. copyright law, information security consists of those
“activities carried out in order to identify and address the vulnerabilities of a government computer, computer system, or computer network.”
Overview
The role of information security in managing risk from the operation and use of information systems is critical to the success of an organization in achieving its strategic goals and objectives. Information security is a strategic capability and an enabler of missions and business functions across an organization.
The need for information security is not new. It dates back hundreds, even thousands, of years. Methods for conveying confidential messages were used in ancient Greece and much of the Western world by kings, generals, diplomats, and lovers. Today, the governments of most developed nations make extensive use of encoding techniques to keep their sensitive electronic communications secret.
Technological change has repeatedly brought particular attributes of information security to the fore. The introduction of the telegraph brought concern about eavesdropping. Inexpensive sound and video recording capabilities raised concerns about unauthorized reproduction. And the proliferation of electronic storage quickly brought questions of how to prevent misuse of electronic data. Indeed, most of the attributes of information that are of concern today — confidentiality, accuracy, accountability — have long existed. Technological advances have not only modified their importance but have also introduced fundamentally new issues.
As society has become more dependent on computer and communications systems for the conduct of business, government, and personal affairs, it has become more reliant on the confidentiality and integrity of the information these systems process. Information security has become especially important for applications where accuracy, authentication, or secrecy is essential.
The need for information security has existed for thousands of years, but the advent of electronic information systems — telegraph and telephone, sound and image recording, and computers, databases and the Internet — has reemphasized the need for traditional safeguards and created a need for new ones. Early concerns tended to focus on controlling access to information and protecting its confidentiality.
Modern computer and communications systems are being used in ways that often require those using them to authenticate the accuracy of data, verify the identity of senders and receivers, reconstruct the details of transactions, and control access to sensitive or private data. As the use of these systems increases, the vulnerabilities, threats, and risks of misuse have become clearer, and information security has become a prominent issue for many Government agencies and private users.
The computer and communications technologies on which these information systems are built, however, were not originally developed with information security in mind. They were designed for efficient and reliable service in the presence of accidental error, rather than intentional misuse, and little attention was given to protecting confidentiality. One result is that the public communications network has always been vulnerable to exploitation by those with appropriate resources.
Technology can increase or decrease the vulnerability of communications to misuse. Microwave radio and cellular telephones have both increased vulnerability; optical fibers have decreased it. Greater vulnerabilities have arisen with the widespread use of digital communications. Increases in computing power and decentralization of computing functions have increased the vulnerability of computer and communications systems to unauthorized use. Two types of misuse should be distinguished: misuse by those not authorized to use or access systems and misuse by authorized users. For many public and private organizations, the latter problem is of greater concern.
The level of effort, expense, and technical sophistication needed to gain unauthorized access to computer or communications systems, even when the system being attacked employs no special safeguards, can vary widely. Some forms of covert access, such as wiretaps, intercepting mobile telephone conversations, or logging into computers with easily guessed passwords, can be achieved with very limited resources. Others, such as those intended for targeted and consistently successful unauthorized access, can require greater resources because of inherent barriers in the design of these systems. Systems protected by appropriate safeguards can deny access even to dedicated foreign intelligence agencies. Users of computer and communications systems have widely different perceptions of the threats against which protection is needed. Some users protect their systems only against unintentional error or amateur computer hackers. Others guard against misuse by their own employees, by outsiders, or by the sophisticated intelligence agencies of foreign countries.
"Ineffective information security controls can result in significant risks, including:
- loss or theft of computer resources, assets, and funds;
- inappropriate access to and disclosure, modification, or destruction of sensitive information, such as national security information, personally identifiable information (PII), or proprietary business information;
- disruption of critical operations supporting critical infrastructure, national defense, or emergency services;
- undermining of agency missions due to embarrassing incidents that erode the public's confidence in government;
- use of computer resources for unauthorized purposes or to launch attacks on other systems;
- damage to networks and equipment; and
- high costs for remediation."
There are few publicized cases of communications interception and most of these deal with the interception of government communications by foreign intelligence agencies. Not surprisingly, most commercial and private users, under ordinary circumstances, are not greatly concerned about their communications, particularly within the United States, being intercepted by foreign governments or others. Indeed, many businesses are concerned primarily with the integrity of certain of their business information and, in other cases, with the confidentiality of their sensitive information.
Early computer systems were designed to be used by trained operators in reasonably controlled work environments; therefore, only local access to the systems was of concern. Today's systems, in contrast, are often designed to be used by, almost literally, anyone from anywhere. With this ease of access to computers, new problems have emerged, both from hackers and other unauthorized users, and from employees authorized to use the systems. Available data suggest that the damage done by computer hackers to poorly safeguarded systems is less severe than originally thought, and that actual and potential misuse from employees who are authorized to use the systems is far more significant.
NSA, on the other hand, is concerned with foreign intelligence gathering, a concern that has motivated it to launch programs to improve the security of nondefense computer and communications systems. Thus, even though virtually all users have concern for some combination of confidentiality, integrity, and continuity of operations, the business community and the Government agencies that deal with it often have a very different outlook and needs than defense and intelligence agencies when it comes to safeguarding information in computer and communications systems. This difference is one reason why some of the business community has been reluctant to accept safeguard technologies that are based on NSA's assessment of needs or that are tightly controlled by NSA.
References
- Warring State: China’s Cybersecurity Strategy, at 14.
- U.S. Export Administration Regulations, Part 772 (15 C.F.R. §772.1).
- 44 U.S.C. §3542(b)(1); see also 44 U.S.C. §3552(b)(3).
- Glossary of Communication Electronic Terms, at 2-85.
- Cybersecurity: A Primer for State Utility Regulators, App. B.
- 17 U.S.C. §1202(d).
- Cybersecurity: Actions Needed to Address Challenges Facing Federal Systems, at 2-3.
See also
- Information Security: Challenges in Using Biometrics
- Information Security and Identity Management Committee
- Information Security and Privacy Advisory Board
- Information Security and Privacy in Network Environments
- Information security assessment
- Information security incident
- Information security laws
- Information security management
- Information Security Officer
- Information Security Oversight Office
- Information security policy