IA is another key consideration of NII/DII and GII targeting. Effective IA is a critical element in the information society, and underpins both the functionality and efficiency of all information infrastructures.
IA comprises five essential criteria for the protection of information and friendly systems against unauthorised access: availability, integrity, confidentiality, authentication and non-repudiation:
availability applies to the information itself, its supporting technology and the people who operate and serve the infrastructure;
integrity refers to the trustworthiness of information and system/process reliability;
confidentiality is about denying access to the information and sensitive aspects of supporting technology, to those persons without authorisation;
authentication refers to assuring that those who do access the information or supporting systems have the requisite authorisation; and
non-repudiation is linked to authentication and, effectively, is the digital signature.
The principle that applies to functionally-interdependent systems, whereby the failure of one component can impact on the functionality of one or more other components, also applies to IA. Thus, if any of the above IA criteria are compromised for any reason, at least some element of information and/or functionality and efficiency of related information infrastructures is also likely to be compromised. The more significant the compromise, particularly in key areas or system choke-points or nodes, the more significant the impact will be on functionally and efficiency. Identifying existing vulnerabilities, or creating vulnerabilities that will enable IA to be compromised, is an important part of the targeting process.
The effective implementation of IA involves a wide range of security processes and procedures, as well as physical measures. One important measure is redundancy and diversity, which is intended to counteract the effects of any failure within, or compromise of, a system, or at least to minimise those effects. However, the high-end functionality and efficiency of many of the processes, systems, services and capabilities we rely on and take for granted is dependent, or largely dependent, on current-generation hardware and software. For high-tech systems in particular, the rapid changes in technology resulting in increasingly more powerful hardware and software, means that planned redundancy and diversity to provide effective backup and continuity, must also largely keep pace technologically with primary-use hardware and software.
In Australia and other developed and many developing countries, redundancy and diversity across critical infrastructure has been significantly hardened since the 11 September 2001 terrorist attacks on the United States, but at a cost. However, even high-quality redundancy and diversity might struggle to provide a full service if challenged to do so. But where that quality of investment is not made, or made in depth, technologically-dated backup systems may simply be incapable of maintaining even a basic level of services over a short period to meet national or sector needs, if put to the test.
Redundancy and diversity, however robust, must be recognised as part of the IA equation. They must therefore be factored into targeting considerations.