Q&A: Richard Hale
IN-DEPTH DEFENDER:
Achieving Mission Assurance and Safe Information Sharing

Richard Hale
Chief Information Assurance Executive
Defense Information Systems Agency
Richard Hale oversees information assurance (IA) engineering and support for the Defense Information Systems Agency. In this position he is responsible for coordinating the design and implementation of a defense-in-depth strategy across the DISA-managed information infrastructure and across DISA-developed systems.
He previously worked at the Naval Research Laboratory, where he participated in the design and analysis of a variety of Navy and Department of Defense information and communication systems.
Hale holds bachelor’s degrees in applied mathematics and electrical engineering and a master’s degree in electrical engineering, both from the University of Virginia.
Q: How do you define information assurance?
A: If I had to use two words, I would say information assurance means “mission assurance.” If I had to use one word, I would say it means “dependability.” As the Department of Defense moves to net-centricity and to an ever-increasing reliance on the department’s information infrastructure, it is imperative that the systems that depend on this infrastructure work well and are protected, in spite of numerous and daily attempts to disrupt them.
Q: Can you give an overview of what information assurance means to the Department of Defense’s missions and capabilities, and what it needs to do in the future to maintain the surety of DoD’s systems?
A: DoD’s approach for achieving mission assurance and safe information sharing has several tenets. One is that we must drive out anonymity and improve accountability for information access by using non-forgettable cyber-identity credentials as a means to access information and services, in much the same way we use physical identity cards to access bases and buildings. Another is that we must design, deploy and operate a departmentwide layered defense scheme that uses complementary protections in ways that stop many attacks before the attacks have an effect on the mission.
The third is that we must be able to spot those attacks that get through some of our defenses, and then quickly determine what is going on, develop our possible courses of action and take the optimal action. In order to do this, we need a very robust network operations, or netops capability. This need for detection, diagnosis and reaction also acknowledges the fact that our defenses will never be perfect. As a result, we need to design our business processes so they can operate in degraded modes, and we have to practice this.
We’ve got to develop and follow a single DoD plan for the design, implementation and operation of the information assurance methods necessary to achieve the other tenets. Some of this plan will look something like a building code or a city plan. It will describe a framework of standards and practices that all DoD IT efforts must follow. If we do this right, we can achieve the dependability we need, while allowing for broad and rapid innovation. An important part of making this work is that someone has got to be in charge of this plan across the department, and that someone must have real authority to impose requirements, design constraints and processes throughout DoD. A matching piece is that, in the service of dependability for the customers of the infrastructure, someone must be in charge of the operation of the infrastructure.
We also need to properly balance broad information sharing with secrecy. The military will always need to hold certain information closely in order to protect its missions. At the same time, in order to reduce decision-cycle times, to enable better operational agility, and to improve coordination, we need much broader information sharing within DoD; with other federal, state and local partners; with allies; with suppliers; and with the public. So information assurance must also help establish access control methods that allow the department to find that “sweet spot” between broader sharing and secrecy.
Q: What is DISA specifically doing in ensuring that DoD’s systems are safe from outside attacks?
A: DISA is teamed with organizations within and outside DoD in virtually all of our information assurance efforts. These efforts are focused on building and operating protections and detections, on hardening our programs (such as joint command and control), on providing design and configuration guidance, on providing tools to automate processes and improve protections, and on operating risk management and measurement processes. We are working to do all of this while simultaneously enabling the move to net-centricity and richer information sharing.
Some DISA efforts involve building and operating our part of DoD’s defense-in-depth infrastructure. The protections and the attack detection and diagnosis capabilities at the boundary between the department and the Internet are examples. The demilitarized zones that we operate at this same boundary, which hold servers and tools that must be visible to external partners or to the public, are another example.
A different kind of effort is aimed toward helping solve departmentwide information assurance challenges. For instance, the secure configuration of every component in the department’s information infrastructure is an essential piece of defense-in-depth. To help attack this problem, DISA first works with many partners to figure out what a secure configuration actually looks like for many popular operating systems. Then, we publish guidebooks, called security technical implementation guides (STIGs), which describe how to do proper configuration.
Since applying the configuration manually is difficult and slow, we have developed ways to automate the process of configuring and verifying the configuration. One tool that we use is Gold Disk, which helps configure and verify a single machine. Other tools include a suite of commercial vulnerability scanning and remediation tools for which we have purchased departmentwide licenses.
The purchase of departmentwide licenses is done in our role as the acquisition arm of a departmentwide group called the enterprise solutions steering group (ESSG), which operates under a charter from both U.S. Strategic Command and the DoD chief information officer. This group is focused on defining priorities for enterprisewide tool and capability acquisitions. DISA acquires licenses and provides fielding support, while the military services and other department components do the fielding.
DISA also operates departmentwide design and risk management processes. An example of this is the ports and protocols management process. This process is aimed at understanding the risk involved in using different network protocols and services at various places in the information infrastructure, and the process determines departmentwide standards that define which of these protocols is safe to use in applications and should be allowed through the different layers of perimeter defense. The process produces design guidance, which is used to make operational decisions about perimeter defense changes.
We have teams that visit sites throughout the department to verify compliance with community risk standards, and our testing teams and our measurement teams also participate in combatant command exercises that measure mission assurance in the face of attack.
We have a strong operations focus. Our information assurance operations, generally called computer-network defense, is an integral part of our theater netops centers, and we act as a force provider to the Joint Task Force-Global Network Operations (JTF-GNO) to help provide computer network defense at the global level.
Q: How do DoD’s and DISA’s strategies for creating a net-centric environment change things for information assurance?
A: The department’s net-centric strategy and several technology trends have combined to change the information assurance problem by changing the attack surface. In other words, if we do not address the information assurance changes head on, then the trends can mean attackers have new options for disrupting mission and stealing information.
One major trend is that the (information) consumer is king, and there is a dire need for new kinds of access control. For many years, we have used the notion of need-to-know as the primary means of keeping a secret. In this approach, the producer of information generally determines who can access the information. While this method has worked reasonably well as a means of keeping secrets, it has inhibited the development of innovative warfighting and business processes. Consumers often can’t get the information they need in order to respond innovatively to a situation, or worse, they are unaware of the information’s existence.
We are now working to implement a different approach that some call need-to-share, and that I describe as a consumer-driven, information-access model. The idea is that people with information will make the information available on the network, and the information will be easy to find. Using search engines and services similar to yellow pages, consumers will be able to discover the information and will have easy access to it.
In order for this to work, we believe we need several information security technologies. One technology we need is broader use of globally meaningful cyber-identity credentials for people and for organizations. We need this for several reasons: so that producers know who is accessing information; consumers know they are dealing with an authentic information source and not an imposter; consumers can be accountable for the access; and patterns of misuse that span many information services can be discovered. These credentials must be available and usable on the unclassified and on the classified DoD networks. We are currently producing and using these credentials on the unclassified networks via the DoD public key infrastructure (PKI). We do not yet have as robust a PKI infrastructure on the classified networks, but this will be a critical element as we move forward.
The second technology we need is a new access control method. As we share information between parties, we still need to limit access to certain sensitive kinds of information. The access control model we use today generally involves requiring each consumer to register with the information provider in advance. This pre-registration model will not work much longer, since consumers will potentially have access to thousands of information services.
Q: Can you provide further information about how the new access control model will work?
A: Our new access control model will allow a consumer with certain qualifiers to access information, even if the person is not known in advance to the information provider. Qualifiers might be the job a person occupies, or the organization to which the person belongs. The approving official of the information will determine the access policy, which is the definition of which characteristics are required for access to certain information. The approving official will check the consumer’s identity credentials, look up attributes about the consumer, find the access policy, and will compare the attributes with the policy. This new model is called attribute-based access control.
This form of access control means three things. First, it means that we need enterprisewide access to authoritative attributes about people, organizations and information services. Secondly, it means that we must protect the integrity of the attributes so that information providers and consumers can genuinely trust this new access control method. Lastly, it means that certain access policies must be discoverable and available to everyone on the network.
Information is likely to be passed from one consumer to another. The department’s data strategy calls for putting descriptive labels on all information so the information will be easy to interpret. Labeling gives the information assurance community a chance to define standards for security labels and for the cryptographic binding of these labels to the data, so that as data moves from consumer to consumer, the appropriate access control policy can be discovered and applied.
Q: Service Oriented Architecture is a big thing for DISA right now. How do the recent plans for creating a Service Oriented Architecture affect the surety of systems across DoD?
A: In a Service Oriented Architecture (SOA), information and information-transformation tools are provided as services that are available on the network. These services are consumed by other computers, called service consumers. A business process is built via the composition of many of these services. Each service can evolve relatively independently, as long as it maintains compatibility at the service interface, and as long as it conforms to certain DoD standards for security and reliability at the service interface. Security in the SOA is provided by the broad use of identity by both service providers and consumers, by access control standards at the service interface via an attribute-based access control, and by information integrity protections provided in the standards for how service providers and service consumers interact. Mission assurance is also provided by following all of the basics of configuration and defense-in-depth, and via close monitoring of business processes that are built from the composition of many services. DISA has published standards for much of this, and via the Net-Centric Enterprise Services (NCES) program and our Federated Development and Certification Environment (FDCE), we are working to verify that our standards work, and to modify them as we move forward in technological capabilities.
Our primary security quality control process, called certification and accreditation, will likely need to change to accommodate the much more modular nature of the SOA. Service providers will need to be able to ascertain that certain standards for assurance are met so that service consumers can determine whether to use the service. Additionally, service providers may need assertions from consumers so that the service provider can properly protect private information before providing it to the consumer. The certification and accreditation process should change to help providers and consumers make and verify these assertions.
Q: One trend in the IT world is the convergence of voice, video and every other service onto Internet Protocol networks, such as Voice over IP. A second trend is the broad use of commercial products and globalization. How do these trends affect how you do your job?
A: The convergence of voice, video and other services onto IP networks means that attacks against the availability of the IP network have the potential to affect the phones as well as the computers. As a consequence, the robustness of the network in the face of cyber attacks has become one of the central information assurance challenges facing DoD. Since DISA is the designer and operator of the department’s core network, we have a wide variety of efforts to harden the devices, the signaling, the infrastructure services, the remote management and the netops centers of the department.
Secondly, regarding globalization and the use of commercial products, DoD uses commercial technology throughout the information infrastructure. I believe this use is necessary if the department is to keep up with the military innovations the technology enables. Since the same commercial technologies are also available to potential adversaries, we believe some adversaries, in addition to employing the technologies in their information infrastructures, will look for vulnerability in the technologies and develop exploits against these. Globalization has moved the design and manufacture of much of the hardware and software used in the commercial products off-shore. This adds risk in that the provenance of certain components may be very difficult to determine.
The department is addressing these challenges through policies about supplier and software assurance, through the judicious use of government-developed technology, through the use of product evaluation, and via our defense-in-depth vulnerability exposure limitation strategy. We must also improve our strategies for maneuvering the infrastructure so the exposure of a given vulnerability becomes more unpredictable, and we must have very agile processes to continuously refresh technology so latent vulnerabilities are flushed out of the infrastructure regularly.
Q: Are there any additional comments you’d like to make?
A: Just that if you’re looking for more information or if you’d like to obtain free enterprise tools, there are a number of Web sites you can go to: the DoD information assurance portal, at http://iase.disa.mil/index2.html; the DISA Web site at www.disa.mil; and the JTF-GNO Web site at www.jtfgno.mil.





