Information Note Number: IN02-005
Securing Publicly Available Information
31 May 2002

The purpose of this document is to assist security professionals in identifying risk management strategies for sensitive information that, if in the public domain, could place critical infrastructure (CI) at greater risk. Owners and operators of CI are encouraged to consider these criteria when deciding whether information should be made available to the public via the Internet or through other means.

Introduction
Following the September 11 attacks, critical infrastructure protection (CIP) and emergency management professionals became increasingly concerned that publicly available information could be misused by actors with malicious intent to damage critical facilities, operations or individuals.

Richard Clarke, the President's Special Advisor for Cyber Security in the United States, recently stated that al-Qaeda was gathering useful information about U.S. critical facilities from public web sites. "If you put all the unclassified information together, sometimes it adds up to something that ought to be classified," he said. Clarke also stated that there is evidence that other terrorist groups and nations may be engaged in similar information gathering activities. The White House ordered all federal offices to review the content of their web sites for sensitive information and to report back to the Office of Homeland Security by 19 June 2002.

The Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) recognizes that government and industry must seek a balance between information in the public realm and information that is secured. In an effort to increase awareness about the risks associated with having sensitive information in the public domain, OCIPEP issued an advisory on 17 January 2002 entitled "Potential Threats Arising from Web Site Information Gathering" (http://www.ocipep-bpiepc.gc.ca/emergencies/advisories/AV02-002_e.asp) and an information note on 30 January 2002 entitled "Terrorist Interest in Water Supply and SCADA Systems" (http://www.ocipep-bpiepc.gc.ca/emergencies/info_notes/IN02_002_e.asp).

Publicly Available Sensitive Information
OCIPEP reminds CI owners and operators that an information security policy is an integral part of any critical infrastructure protection (CIP) strategy. The policy should address the production, storage, transmission and disposal of both physical and electronic information. The recommendations that follow are intended to complement an existing information security policy.

Publicly available information can appear in many forms including company reports, media releases, brochures and other promotional materials; Internet web sites and on-line documents; automated or personally-conveyed information; and public records.

In this assessment, the term "sensitive information" refers to any information that would allow a malicious actor to select, or gain information about, a target without the need to physically access it. The following questions will assist security professionals in reviewing sensitive information that has been, or could be, made publicly accessible.

• Has the information been cleared and authorized for public release?
• What impact could the information have if it was inadvertently transferred to an unintended audience?
• Does the information provide details concerning enterprise security?
• Does the information contain personnel information such as biographical data, addresses, etc.?
• How could someone intent on causing harm misuse the information?
• What instructions should be given to legitimate custodians of sensitive information with regard to disseminating the information to other parties such as contractors?
• Could this information be dangerous if it were used in conjunction with other publicly available information?
• Could someone use the information to target personnel, facilities or operations?
• Could the same or similar information be found elsewhere?
• Does the information increase the attractiveness of a target?

Knowledge concerning the threat environment will assist CI owners and operators in deciding on the level of vigilance with which they review sensitive information. Risk from the public availability of sensitive information comes from both determined and opportunistic threats.

Factors Increasing the Risk from Determined Threats
For the purpose of this discussion, "determined threats" occur when a malicious actor intends to cause harm to a predetermined, specific critical infrastructure (CI) target. The risk to a specific CI target from a determined threat increases with the sensitivity of the information available in the public domain.

The primary objective of the determined threat actor is to decide how to deploy its limited resources to cause the greatest impact against a very specific target. The malicious actor will have already devoted considerable forethought to target selection and how to create the maximum visual or operational impact. The choice of target may have been influenced by a number of pre-existing factors including ideology, personal grievances, strategic objectives, and desire for notoriety.

Once a target has been determined, the malicious threat actor will dedicate substantial time and effort in acquiring as much sensitive information as possible about the chosen target and its environment. Often the actor will not have the means or inclination to obtain specific information from clandestine sources, and will instead rely on open sources, such as the Internet, media and libraries to provide a wealth of information that may be obtained with relative anonymity. The information collected will be scrutinized for any particulars that could help plan an attack on the target, including details about target security and vulnerability.

The table in Appendix 1 identifies generic categories of sensitive information that, if released to the public domain, could place CI elements at greater risk from determined threats. CI owners and operators are encouraged to use these categories to identify occurrences of relevance to their own facilities and operations.

Factors Increasing the Risk from Opportunistic Threats
For the purpose of this discussion, "opportunistic threats" occur when a malicious actor intends to cause harm, but has not yet determined or identified a specific target. The risk to a specific CI target from this type of actor increases with the relative attractiveness of sensitive information available in the public domain.

In contrast with a determined threat actor, an opportunistic malicious actor's primary objective is to decide where to deploy its resources in order to cause the greatest impact against targets perceived to have similar value. This type of actor attempts to acquire significant quantities of comparative information about potential targets and environments. The choice of target is likely to be influenced more by practical considerations than by ideological, personal or strategic objectives.

An opportunistic threat actor is more likely to seek comparative information about potential targets from open sources, such as the Internet, rather than engage in resource-intensive, covert information-gathering activities. The malicious actor will collect information about a range of similar assets to determine the most attractive target to attack.

The criteria that make an asset an attractive target of opportunity include comparative information about the target's relative criticality, accessibility, recoverability, vulnerability, recognizability or interdependency. The risk to an asset posed by a particular piece of sensitive information may be affected by factors such as:

• the availability of equally or more attractive sensitive information about similar assets;
• the availability of other publicly available information that could be used in conjunction with the sensitive information for malicious intent; and,
• the availability of sensitive information that could be used to rank an asset as more attractive than others.

Having identified a particular target through comparative analysis, the opportunistic threat will unfold in one of two ways. First, the malicious actor may strike impulsively at its target with minimal additional planning. Second, the opportunistic threat may develop into a determined threat, with methodical and extensive planning.

Risk Management Strategies
OCIPEP recognizes that threat environments are varied and subject to change. The Office does not recommend that separate risk management strategies be devised for opportunistic and determined threats. An opportunistic threat is likely to become a determined threat once a specific target has been identified. OCIPEP recommends that risk management strategies acknowledge the risk continuum posed by the public availability of sensitive information and the presence of opportunistic and determined threats.

OCIPEP recommends that critical infrastructure (CI) owners and operators review their public availability of sensitive information, considering both determined and opportunistic threats. CI owners and operators should be aware that there may not be sufficient time to remove potentially compromising information from the public domain once a threat has been identified. There may also be instances, such as archival sites on the Internet or in public facilities, where it is impossible to permanently remove information from the public domain. CI protection objectives will be reinforced by recognizing the risk engendered by such occurrences and by adjusting protection plans accordingly.

Appendix 1: Categories of Potentially Sensitive Information

*The term "critical assets" denotes the data, communications, energy and operational systems or structures necessary to sustain business continuity.