Revision of US Information Security Policy.
National Defense. 1994. December. P. 24, 25.
The Security Policy Board, chaired by the Deputy Secretary of Defense and the Director of the Central Intelligence Agency (CIA), prepares legislative and administrative recommendations to manage classified information procedures and to improve the reliability and effectiveness of security systems. The Board includes Deputy Secretaries or their equivalents from the Joint Staffs of the Armed Forces, the National Security Council, the Departments of State, Energy, Justice, and Commerce.
The Board's recommendations apply to military, intelligence, industrial, and commercial security systems that have some impact on U.S. national security.
President Clinton, in his directive, tasked the Committee with "ensuring the security of the nation's information technology through the creation of simplified, unified, and cost-effective security systems. The Committee shall find a reasonable compromise between the need to simplify the flow of information and to protect the confidentiality of information."
The Gulf War demonstrated that some information was so highly classified that it was inaccessible to those who desperately needed it. Most existing security systems are obsolete. They are designed to protect against threats that cannot actually exist (such as detecting a Russian agent climbing over a fence in broad daylight). However, these same systems ignore the possibility that a staff member might carry classified documents in a briefcase to hand over to potential adversaries of the United States.
The commercial and industrial sectors spend a lot of money on unnecessary duplication.
Other shortcomings included the lack of effective threat assessment methods, measures to provide information about threats to those who need it, and a lag in developing effective measures to counter security threats.
During the Cold War, information security issues were considered by the government sporadically. As a result of this fragmented approach, a number of problems arose.
With the upcoming changes in information security policy, the basic defense industry is expected to benefit greatly. However, the industry faces complex and often conflicting requirements from the MoD, intelligence agencies, and other government agencies. The industry's requirements for security tools and systems often exceed the government's requirements for information protection. There are too many inspections and acceptances of the same technology by different government security agencies using different standards. For example, development firms are required to report every classified document related to the development. This is time-consuming and expensive. There needs to be a single body that conducts all inspections, tests, and acceptances and is guided by uniform standards.
The Information Security Policy Committee is expected to pay particular attention to preventing malicious actions by information technology and security personnel, especially those who have already received access to classified information. According to available data, the majority of crimes threatening U.S. national security in recent decades have been committed by such individuals. This was especially clearly demonstrated by the A. Ames case, the details of which were included in one form or another in the Committee's recommendations.
The main approach to solving this problem should be the study of the financial status of persons with access to classified information, especially those who occupy responsible positions. Strict delineation of information by categories of secrecy and improvement of computer security systems should help to identify employees who are trying to collect information that their official position does not entitle them to know. Foreign business trips of employees and marriages with persons holding citizenship of other states should also be taken into account.
Personnel security work should be centralized and automated. The Joint Investigative Service would be an ideal body for examining the backgrounds of military and intelligence personnel and periodically updating their personal files. A program should be adopted to help employees in difficult situations solve their problems, since experience shows that many Americans become spies in an attempt to get out of a difficult situation.
The practice of issuing security clearances is of great importance for improving personnel security and screening personnel with access to classified information. It should be based on common standards, which would simplify the interaction of various departments in this area. Clear and simple procedures approved by the government should be adopted instead of complex and often contradictory procedures that make it difficult to complete tasks. Currently, government departments and industrial organizations use 45 different forms that must be filled out when issuing security clearances. All of these forms essentially require answers to the same questions. Security clearances should be checked through a central channel. Access tokens should also be standardized. These two measures alone can significantly reduce the time and money lost when security personnel check the clearances of visitors from other organizations.
To simplify the structures of security systems, a methodology for assessing the costs of applying security measures and tools should be developed. At present, no one can say how much money is spent on security, and it is difficult to manage what cannot be measured.
The security of information and computing systems is becoming increasingly important. Computers and communication networks are the most vulnerable to threats, and protecting them will remain a major challenge well into the next millennium. According to the Information Security Policy Committee, the nation's information resources have never been more accessible and more vulnerable. Not only is government information vulnerable, but so is the information, technology, and intellectual property held by companies, organizations, and individuals. Although interconnectedness across industries and organizations is essential to economic progress, it increases the vulnerability of information systems. Current security procedures designed to protect the isolated computing systems of yesteryear are proving ineffective against today's and tomorrow's systems.
Bridging this gap will require a thorough threat assessment, a prudent investment strategy, highly trained security professionals, and adequate funding for research and development to find effective and cost-effective solutions to protect classified and unclassified information systems. Although the immediate military threats to the United States have decreased, it should be taken into account that the world is full of other threats, since the United States is an important target for the intelligence services of many countries. There are many people in these countries who want to gain access to US secrets. Their interests are not limited to political and military information. They are showing an ever-increasing interest in economic, scientific, technical and commercial information. Therefore, it is necessary to strengthen the protection of such information and solve this problem using the latest advanced methods and technical means with the least financial costs.