Information Operations Condition (INFOCON) is a threat level system in the United States similar to DEFCON or FPCON. INFOCON is a defensive readiness system based primarily on the status of information systems, and it is the method the military uses to defend against computer network attack.
The Structure of the System
The INFOCON level is ultimately decided by the Commander of U.S. Strategic Command (CDRUSSTRATCOM). The system extends across all Department of Defense Information systems on the Non-classified Internet Protocol Routing Network (NIPRNET) and the Secret Internet Protocol Router Network (SIPRNET).
A “For Official Use Only” directive from 2006 describes the INFOCON system as:
. . . including responsibilities, processes, and procedures, applies to Non-classified Internet Protocol Routing Network (NIPRNET) and Secret Internet Protocol Router Network (SIPRNET) systems under the purview of the Joint Chiefs of Staff and all DoD activities within the unified commands, military services, and DoD Agencies, as well as the non-DoD NetOps COI (NetOps CONOPS, Joint Concept of Operations for Global Information Grid NetOps). It is executed by unified and service commanders, base/post/camp/station/vessel commanders and agency directors with authority over information systems and networks (operational and/or support) (hereafter collectively referred to as “commanders”). [1]
The same directive describes the system as “a framework within which the Commander USSTRATCOM (CDRUSSTRATCOM), regional commanders, service chiefs, base/post/camp/station/vessel commanders, or agency directors can increase the measurable readiness of their networks to match operational priorities.” [2]
INFOCON Threat Levels
There are five levels of INFOCON, which recently changed to more closely correlate to DEFCON levels. They are:
- INFOCON 5 is characterized by routine NetOps, normal readiness of information systems and networks that can be sustained indefinitely. Information networks are fully operational in a known baseline condition with standard information assurance policies in place and enforced. During INFOCON 5, system and network administrators will create and maintain a snapshot baseline of each server and workstation in a known good configuration and develop processes to update that baseline for authorized changes.
- INFOCON 4 increases NetOps readiness, in preparation for operations or exercises, with a limited impact to the end-user. System and network administrators establish an operational rhythm to validate the known good image of an information network against its current state and to identify unauthorized changes. Additionally, user profiles and accounts are reviewed and checks are conducted for dormant accounts. By increasing the frequency of this validation process, the state of an information network is either confirmed as unaltered (i.e., good) or determined to be compromised. This level of readiness may or may not be accompanied by an increased intelligence watch and strengthened security measures (port blocking, increased scans) for information systems and networks. Impact to end-users is negligible.
- INFOCON 3 further increases NetOps readiness by increasing the frequency of validation of the information network and its corresponding configuration. Impact to end-users is minor.
- INFOCON 2 is a readiness condition requiring a further increase in frequency of validation of the information network and its corresponding configuration. The impact on system administrators will increase in comparison to INFOCON 3 and will require an increase in preplanning, personnel training, and the exercising and pre-positioning of system rebuilding utilities. Use of “hot spare” equipment can substantially reduce downtime by allowing rebuilding in parallel. Impact to end-users could be significant for short periods, which can be mitigated through training and scheduling.
- INFOCON 1 is the highest readiness condition and addresses intrusion techniques that cannot be identified or defeated at lower readiness levels (e.g., a kernel rootkit). It should be implemented only in those limited cases where INFOCON 2 measures repeatedly indicate anomalous activities that cannot be explained except by the presence of these intrusion techniques. Until more desirable detection methods are available, the most effective method for ensuring the system has not been compromised in this manner is to reload operating system software on key infrastructure servers (e.g., domain controllers, Exchange servers, etc.) from an accurate baseline.
Rebuilding should be expanded to other servers as resources permit and intrusion detection levels indicate. Once baseline comparisons no longer indicate anomalous activities, INFOCON 1 should be terminated. The impact on system administrators will be significant and will require an increase in preplanning, personnel training, and the exercising and pre-positioning of system rebuilding utilities. Use of “hot spare” equipment can substantially reduce downtime by allowing rebuilding in parallel. Impact to end-users could be significant for short periods, which can be mitigated through training and scheduling. [3]
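The baseline-and-validation cycle that INFOCON 5 and INFOCON 4 describe, as an added Python example that is not part of the original article: a known-good snapshot of a server's files is recorded, the current state is later compared against it, and the baseline is updated only for changes on an authorized-change list so that everything else surfaces as a deviation. The directory tree, file contents and the authorized path are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """INFOCON 5 step: record a known-good baseline as {relative path: digest}."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def validate(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """INFOCON 4 step: compare the current state with the baseline and classify deviations."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def apply_authorized_changes(baseline: dict[str, str], current: dict[str, str],
                             authorized: set[str]) -> dict[str, str]:
    """Roll only approved changes into the baseline; unapproved ones stay visible to validate()."""
    updated = dict(baseline)
    for p in authorized:
        if p in current:
            updated[p] = current[p]      # approved edit or approved new file
        else:
            updated.pop(p, None)         # approved removal
    return updated


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one authorized change and three unauthorized ones."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir(); (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("banner v1\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed login v1")
        baseline = snapshot(root)                      # INFOCON 5: known-good baseline
        (root / "etc" / "motd").write_text("banner v2\n")              # covered by a change ticket
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed login altered")  # not covered
        (root / "bin" / "extra").write_bytes(b"unexpected")             # not covered
        (root / "etc" / "sshd_config").unlink()                         # not covered
        current = snapshot(root)                       # INFOCON 4: re-validate
        return validate(apply_authorized_changes(baseline, current, {"etc/motd"}), current)
```

Running `demo()` reports `bin/extra` as added, `etc/sshd_config` as removed and `bin/login` as modified, while the approved `etc/motd` edit is absorbed into the baseline.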