Vulnerability and accessibility are also critical elements to the targeting process. There is an interdependence between both these elements and capability. Any potential vulnerability that is also accessible cannot be exploited unless the attacker has the requisite capability.
There is also an interdependence between vulnerability and accessibility. As for capability, any known or potential vulnerability cannot be exploited unless some relevant component is accessible.
Vulnerabilities include:
Identified weaknesses in a system due to inadequate security procedures or processes designed to prevent unauthorised access (e.g. passwords, level of encryption).
Weaknesses due to the failure of a person or persons to follow proper security procedures to prevent unauthorised access (e.g. improper disclosure of passwords or security procedures, disclosure of classified information over open line telephones or the Internet, failure to secure buildings or security containers housing critical hardware or software).
Physical access to parts of the infrastructure that are not protected by physical or electronic barriers of some kind (e.g. fibre-optic cable runs or radio/microwave transmission towers outside protected establishments).
Nodes or physical choke points where different parts of an infrastructure are concentrated and which, therefore, offer a rich assembly of targets. Nodes can offer the benefits of economy and concentration of force, and the outcome, if attacked, of more significant damage and delays in restoring functionality than if an individual component only was attacked.
Vulnerability may be a product of interdependence and complexity, i.e. the more interdependent and complex the infrastructure, the more vulnerable the information or systems if almost any part of the infrastructure is destroyed, disrupted or manipulated.
Vulnerability may also be a product of the time required to repair the infrastructure or reinstate business continuity, e.g. the longer the time it takes to repair or replace hardware, software or human components to restore functionality, the more vulnerable the target. Critical components that significantly affect functionality and require extended time to repair or replace are the preferred targets.
Accessibility is multifaceted. It may seek to target one or more of the key criteria of IA, e.g. availability, integrity or authentication. It could also target any one component of hardware, software, information, the people who operate and maintain, or power supply, or it may be a combination of these. Targeting might be by direct access to the infrastructure, or indirect access in or from third countries.
Examples of direct access in order to destroy or disrupt key hardware could range from a missile strike, to sabotage by resistance forces or Special Forces. Direct access in order to intercept the enemy’s communications may require ‘tapping’ into accessible fibre-optic cables. It might also include destroying an enemy’s primary communications route that is inaccessible to tapping or other forms of intercept, in order to force the target to use an alternative communications route that is accessible. HUMINT assets, potentially, could assist directly in all the above situations.
Indirect access to degrade, corrupt or manipulate data within a critical enemy intelligence or logistic database could be achieved by hacking into that database through third countries. Important information about an enemy’s intentions might also reside in, for example, their embassy or an axis partner’s embassy in a third country. That information might be accessible in that country, but not elsewhere, through HUMINT, signals intelligence (SIGINT) or CNO operations mounted there.
A final example could be ‘disruption’ at a critical time to enemy communications across a foreign-owned satellite, through cooperation by the foreign owners/operators of the satellite service, or a HUMINT asset among those who operate or maintain that facility.
All information infrastructures are potentially vulnerable in some way. The issue is where and how. While an initial assessment might suggest a particular objective is impossible, it might actually prove to be possible with the application of lateral thinking. The issue then is whether the risk and resources are worth it.