National Security Classified Information

When one thinks of information valuation in the national security arena, one has just as difficult a time determining its value as is the case in the corporate world. However, there is no doubt that the value of information of national security interest is obviously much greater than that of any corporation. If a corporation's information is not adequately protected and defended, the corporation may go out of business. However, if the same thing were to happen to a nation's national security information, the nation may cease to exist except as part of another nation.

National security classified information is one of the most important categories of information, and it must be safeguarded by all in the interest of national security. It is mentioned here briefly because the process used to place a value on that information goes through more stringent analysis than personal, private, and business information.

In the United States, as an example, national security classified information is generally divided into three basic categories: confidential: loss of this information can cause damage to national security; secret: loss of this information can cause serious damage to national security; and top secret: loss of this information can cause grave damage to national security.

There is also national security information that is not classified, like that stated above, but requires some lesser degree of controls and protection because it has value, though less value. These include:

• For Official Use Only;

• Unclassified But Sensitive Information; and

• Unclassified Information.

There is also a category of classified information that is considered black or compartmented. Such information is further protected by not only requiring a security clearance and the need-to-know, but also often an additional background investigation and special briefing. Such information is often termed Special Access Required information, Special Access Program information, and Sensitive Compartmented information. In these compartments, InfoSec must include some of the most stringent processes, as this information can truly be considered the "crown jewels" of a nation.

InfoSec Requirements in the National Security Arena

There are many similarities between the InfoSec requirements in the corporate world and those in the world of national security as practiced by government agencies and defense industry-related corporations. Of course, such things as initial and recurring background investigations of employees are more stringent, as well as physical security requirements and the implementation of the need-to-know principle. This section will concentrate on those related directly to information and information systems protection and defense requirements. The information systems are sometimes called automated information systems (AIS).

In the case of a defense-industry-related corporation, the InfoSec requirements are incorporated into the contract between the government agency and the contractor. A defense-industry-related corporation would then include such InfoSec requirements in contracts with subcontractors, associated contractors, team members, etc., where those businesses will also be handling government information. This is logical, as it does no good to provide InfoSec in one corporation while another uses the same information and is not required to do likewise.

The main emphasis of InfoSec deals with compromise of national security information. Unless there is a state of war, information that is destroyed or inappropriately modified may be reconstructed, though this may take a great deal of time. However, the compromise of national security information may make the product being developed of little use, since the adversary has the information and can build similar products or products of a defensive nature. The worst-case scenario is when a compromise occurs and no one knows that it has occurred. Time, money, and other resources are expended to develop products that will be of little use if they are needed since, as noted earlier, using the compromised information the adversary has developed defensive systems against those products. The InfoSec requirements are implemented so that:

• National security information is protected from compromise that would allow an adversary to compete in building similar systems, developing countermeasures, or delaying operational use of the systems.

• The compromise or delays in product development would be accomplished through manmade, hostile acts of:

  • Espionage through authorized or unauthorized accesses to information, such as theft; and Sabotage through fire (destruction), water (destruction), or software (e.g., destruction, theft, manipulation) using such malicious codes as Trojan horses, viruses, and logic bombs.

• InfoSec in a national security environment must also protect and defend against natural acts such as fire, water, earthquakes, and windstorms.

It is the responsibility of the InfoSec specialists to understand the national security requirements, especially those specified in the contract. The InfoSec specialists must provide an InfoSec program for the defense-industry-related corporation that includes increasing awareness of the need for an effective InfoSec program in the government environment, and that also provides basic guidance and understanding necessary for the development of the InfoSec program in that environment.

The fundamental national InfoSec requirements are as follows:

• InfoSec policy: the set of laws, rules, and practices that regulate how a defense industry-related corporation manages, protects, defends, and distributes national security information.

• Accountability: individual and information accountability is the key to protecting, defending, and controlling any system that processes, stores, and transmits national security information on behalf of individuals or groups of individuals.

• Assurance: guarantees or provides confidence that the InfoSec policy has been implemented correctly and the InfoSec elements of the system accurately mediate and enforce that policy.

• Documentation: development documentation records how a system is structured and what it is supposed to do, and also gives the background information upon which the design is founded. Control documentation records the resources used in developing and implementing a system that will process, store, and transmit national security information.

InfoSec Objective in the National Security Environment

The overall objective of InfoSec in the national security environment is to prevent unauthorized access to classified information during or resulting from information processing and prevent unauthorized manipulation that could result in national security information being compromised. This is done by:

• protecting and defending information stored, processed, and transmitted by an automated information system (AIS);

• preventing unauthorized access, modification, damage, destruction, or denial of service; and

• providing assurances of:

  • compliance with government and contractual obligations and agreements;

  • confidentiality of private, sensitive, and classified information;

  • integrity of information and related processes;

  • availability, when required, of information; and

  • use for authorized business and by authorized personnel only of information and AIS; and

• identification and elimination of fraud, waste, and abuse.