Q&A: Richard C. Schaeffer Jr.
Security Guide
Operationalizing the IA Component of the GIG

Richard C. Schaeffer Jr.
Information Assurance Director
National Security Agency
Richard C. (Dick) Schaeffer Jr. is information assurance director at the National Security Agency (NSA), serving in that position since April 2006. The Information Assurance Directorate (IAD) is the NSA mission element charged with providing the products and services necessary to protect our nation’s critical information and information systems. IAD is also responsible for defining and implementing the information assurance strategy to protect the Department of Defense’s Global Information Grid (GIG) and supporting ongoing military operations against terrorism by delivering solutions that allow the secure and dynamic sharing of information across security domains at multiple classification levels in today’s net-centric environment.
Schaeffer was interviewed by MIT Editor Harrison Donnelly.
Q: What do you see as your chief accomplishments in office so far?
A: It has been an incredible 11 months! I believe we have established new credibility with both our stakeholders and our clients/customers. The important work that we do for the nation deserves respect in and of itself, but I believe we have focused our mission, realigned our organization accordingly, and identified critical initiatives meriting special emphasis—all of which has resulted in a new, cohesive story/picture for both our stakeholders and our clients/customers. A story/picture, I might add, that has resulted in some additional Information Systems Security Program [ISSP] funding for information assurance efforts the community has identified as critical to DoD. We have also stepped up to lead the community in a number of areas that serve to tie our work together with larger efforts, again producing real mission impact.
Just this month, we were able to celebrate our Vulnerability Analysis & Operations organization’s receiving SC [Secure Computing] Magazine’s 2007 Editor’s Choice Award. We were cited for our work in providing security guidance and recommendations to our DoD and federal customers, our work in shaping the development of security standards for vulnerability naming and identification, our partnership with NIST and DISA to help federal security professionals automate security compliance and to manage vulnerabilities, and our leadership to other service providers in security analysis and testing. And, just recently, we were congratulated for our contributions as the Advanced Extremely High Frequency [AEHF] communications satellite payload module was delivered 30 days early. We provide extensive COMSEC expertise and Information Systems Security Engineering [ISSE] services to this joint service program [and many other DoD programs], a program that will provide global, secure, protected and jam-resistant satellite communications for high-priority military ground, sea and air assets. Great examples of how varied our mission is, too, aren’t they?
Q: Can you provide some statistics about your work in 2006?
A: Statistics never tell the whole story, but we can offer up some eye openers for 2006. We made and distributed more than 3 million cryptographic key products, conducted 20-plus Red Team exercise/operations, delivered over 130,000 OPSEC products to over 13,000 customers and taught close to 70 OPSEC courses. The numbers, themselves, are impressive, but beyond that they provide some insight into how varied our products and services have become. By the way, a complete and current classified IAD products catalog is now available online for authorized recipients. This electronic catalog replaces the old “Information Assurance Manual,” which was previously distributed just once every two years.
Speaking of OPSEC, the Interagency OPSEC Support Staff [IOSS] established by NSDD 298 is part of the IA mission at NSA. I was especially pleased to see them receive a National Intelligence Community Meritorious Unit Citation for their support to the Base Realignment and Closure [BRAC] Review Team. Also noteworthy are the efforts we undertook in 2006 to educate our customers on the operational security issues and the fact that there is no guarantee to privacy using a wireless device. And while we did not request that Microsoft recently acknowledge our partnership with them in shipping a secure out-of-the-box configuration for Windows Vista that will require few, if any, changes to meet the needs of government customers, we hope the publicity helps to build additional credibility that we are openly working in the public’s interests.
Needless to say, one of our biggest accomplishments has been developing Version 1.1 of the IA component of the GIG integrated architecture and getting it approved. We are focusing on “operationalizing” this work, translating it to specific guidance for individual DoD programs. I am also proud of how we have examined the work we are being asked to do and been able to acknowledge and strengthen our core niche mission, Type 1 cryptography, while recognizing that our customers’ operational environment has changed. Thus, we too must change in order to remain responsive to our customers’ needs. We try very hard to never lose sight of whom we are supporting. So, for example, included in those critical issues that we have identified as needing most senior management attention are such things as crypto modernization, COTS strategy, secure enterprise management and cross domain solutions.
Q: What are your chief goals for 2007 for the information assurance mission at NSA?
A: My hope is that we will continue to build on the goodwill we have established with our stakeholders and clients, the more efficient and effective functional organizational alignment we have created here at NSA, and the community leadership roles that we have been given. Especially critical will be our efforts to operationalize that IA component of the GIG architecture. Also critical will be our support to the Unified [IC and DoD] Cross Domain Management Office as we work to have an impact on the number one requirement of the military commands: assured information sharing in a coalition environment that is scalable and readily upgraded as new requirements emerge. Moving from a culture of “need to know” to one of “need to share” continues to require a change in our thinking and poses a variety of technical challenges.
Our role in the DoD Public Key Infrastructure [PKI] Program Management Office and our Key Management Infrastructure [KMI] Program Management Office will continue to be important in 2007. We will also be working hard on COMSEC policy standardization. We won’t be doing any of this alone, however—our partnerships across the military services, DoD, intelligence community and federal government, and with industry, academia, and the research community, are critical to everything we do. As we adapt to the changing operational environments, we must be willing to examine and embrace new thinking about the nature of the threat to our national security systems, the risks we’re willing to take, the “risk reduction return on investment,” and the need for warfighters in harm’s way to operate efficiently and effectively. We absolutely must measurably improve the security of critical operations and information by providing our unique know-how and technology to our partners, suppliers and clients, when and where they need it. Nowhere is this more immediate than in support of those in harm’s way in the global war on terror.
Our emphasis for 2007 is to be more selective in pursuing individual development projects and to be more active in providing information, knowledge, insights and expertise that drive the supply, acquisition and effective use of better-assured commercial solutions. We will work to perform value-added analysis that turns information about vulnerabilities in specific components or systems into broad guidance that strengthens whole product categories, influences the choices of broad user communities, and/or solves broad common operational problems. We will concentrate on providing design guidance to suppliers of IT products; acquisition and “goodness” data for IT buyers; threat data and best practices for system operators and defenders; policy/doctrine/standards for IT security authorities; and tools and training for security practitioners. Of course, we also will continue to provide our niche cryptographic solutions, including keying material. I believe that increased awareness of security issues, new standards, better education, expanded information sharing, more uniform practices and improved technology will make a difference.
IA education and training remains a critical imperative. I am very impressed with the IA professionals being graduated from our Centers of Academic Excellence, and also with our IA partners across the U.S. government and among our close foreign allies.
In 2006, we established renewed mission and vision statements for the information assurance mission at NSA, which are embedded in what I’ve been saying. My hope for 2007 is that they inspire and focus our very talented workforce. There is no one more capable to meet the challenges we face and to indeed be the decisive advantage enabling America and its allies to outmaneuver network adversaries.
Q: What IA issues and concerns would you most like the leadership of the military services and other top DoD officials to be more aware of?
A: First and most importantly, IA is everyone’s responsibility. It’s not something that can be totally delegated to the IT professionals, chief information officers or chief information security officers, but takes everyone doing their part. As we move to a future where access to specific data objects becomes more and more important, everyone associated with the operational and business activities will need to understand that it’s the data and what we do with it, and not just the network, that is important. Emerging and future enterprise architectures must enable the concepts of operation [CONOPs] that depend heavily on information sharing and collaboration, which means that we have to develop both the technology and the discipline to label these data objects so that they are appropriately discoverable by authorized entities [human or machine] whenever, wherever and in whatever format needed. This will require unprecedented levels of cooperation and collaboration across, and up and down, all levels of the community.
Q: What is your strategy for developing an improved security management infrastructure?
A: Security management infrastructure is a multi-faceted problem that transcends the more traditional areas we’re used to working in, such as encryption to provide confidentiality and key management. It also includes ways of dealing with data integrity and authentication concerns. The coalition warfighting environment demands both information sharing on a scale previously unseen, and built-in controls that protect the sovereign interests of many participants. Iraq is an excellent example, with troops actively being supplied by at least 20 nations from all over the world. Deployment is occurring more and more rapidly, often without the benefit of long-term planning cycles; operations are being sustained for prolonged periods in difficult political environments, in which coalition membership is dynamic. And, with netcentricity our desired end state, we have a host of cyber-defense issues to contend with. Our potential adversaries live on the net with us.
The major features of our approach will be to move toward greater flexibility in deployment and enterprise reconfiguration; achieve faster adaptation to operational conditions, which are themselves far from static; reduce stovepipes, and the need to translate between systems that have evolved in isolation from one another; maintain security and need-to-know while balancing access decisions against operational needs; and reduce the logistical overhead—for example, the manual ordering and tracking and physical distribution of information assurance devices and services. All of this is essential for ESM to adequately support the speed of today’s battle engagement.
Q: How are you addressing the contention that NSA security certification processes are too slow to keep pace with changes in commercial technology?
A: This is a problem that concerns us greatly. If we are to have a workable COTS strategy, it’s clear that we have to be able to work within the commercial model. That means faster evaluations along with a process that allows certification to track with constantly changing IT technology and products. We’re looking at the current evaluation process, which revolves around the common criteria, to see what parts of that process are most effective and what parts should be addressed in other ways. The current process is one that was created by the international body, and common criteria evaluations at certain levels are mutually recognized internationally. That means that any changes to the process must also be accepted by the international body. We are currently working with industry and our foreign partners to develop the next generation international evaluation process that will be faster and cheaper and will provide more useful information to the consumer as well as the vendors, evaluators and solution implementers. This is a high priority effort for my organization, and one that should provide a significant IA benefit to the nation.
Q: What disruptive technologies do you see coming down the road that will impact NSA’s security efforts?
A: All new products create potential problems for security, because they naturally include new capabilities, and capabilities for a user are opportunities for an adversary. One problem we see is that we have long talked about defense in depth: Use a product from one company here, another company there and a third over there. The hope is that all those products are independent, and weaknesses in one can be countered by features in another. But today, we see that companies are consolidating: Larger companies are buying smaller companies, and the result is that there is far less diversity. A result could eventually be fewer independent products as research feeds from a research center to various divisions, which could hamper the defense-in-depth philosophy. And the international aspect is another aspect of the commercial world that creates potential problems for us.
We’re of course very interested in increases in processor speeds and, as I’ve mentioned from time to time in the past, the Cell technology developed to increase speed through the use of multiple processors shows a lot of potential for becoming a disruptive technology. Instead of relying on the incremental advances brought about by reduced gate architectures, the IBM/Sony/Toshiba approach calls for heterogeneous processing cores with multiple synergistic processors. At least one of the Centers of Academic Excellence in Information Assurance, Georgia Tech, is right at the forefront of pushing this technology forward, not only through research, but also by sponsoring educational forums, providing remote access to Cell technology hardware, and writing and disseminating software optimized for Cell BE systems.
One of our most daunting tasks in a developmental environment like this, one characterized by work that’s done all over the world and in a collaborative manner by a lot of talented technical people who are not part of the government workforce, is staying ahead of the technology ourselves. It’s exciting and very challenging, and an area in which we have to succeed.
Q: Do you see security problems resulting from the increased offshore development of software?
A: The IT marketplace is increasingly becoming global in nature, and there’s certainly a security challenge inherent in that state of affairs. The government’s computer networks are essential to every one of its functions, and our increasingly distributed production base brings with it more opportunities for access to the supply chain. Our reliance on commercial IT products is growing, and they in turn rely more and more on foreign expertise and manpower in all stages of the product life cycle, including software development and component manufacture. And the notion of a U.S.-centric company is rapidly diminishing. So, yes, there are security concerns, but they’re not insurmountable.
DoD, and particularly the Committee on National Security Systems, have ramped up their efforts to consider the impact of globalization on national security systems. One of the ways we’ll address an increasing threat is through the continual updating of information assurance policies and procedures, ensuring that they are consistent with marketplace realities. And we’ll promote software and other testing, where warranted and within the development cycle, to verify the correct functioning of security-enabled products.
Q: What is the current status of the Crypto Modernization Program?
A: The Crypto Modernization Program continues to move forward in replacing more than 1.3 million devices in the inventory that no longer meet the security needs of the U.S. government. Key to its success is the coordination of the program with the military services through the Joint Services Crypto Modernization Working Group [JSCMWG] and with federal civilian agencies in the Committee for National Security Systems [CNSS]. The Crypto Modernization Program is a continuous effort as members of IAD assess the strength of the cryptographic algorithms that secure our nation’s National Security System.
Based on the assessment of vulnerable devices, our people work through the JSCMWG and CNSS to plan and program for the replacement of older, less capable devices with new units that are both more secure and better support the higher data rates that users demand in the GIG.
Members of the working groups are continuously evaluating what would constitute the optimal modernization strategy, one that balances the risk with operational needs. And that optimal crypto modernization roadmap takes into consideration the use of the new and emerging standards under development in enterprise security management and key management infrastructure.
Q: Can you cite any specific examples of how crypto modernization is moving forward?
A: One of the highlights is the effort to consolidate multiple legacy cryptographic devices into two Link Encryption Family [LEF] products. Over the past year we have successfully implemented stronger algorithms while making capability enhancements. At the same time, we have been able to improve data rates from 2 Mb to 50 Mb while reducing size and power requirements, factors that are very important to our military users. Similar efforts are underway with High Assurance Internet Protocol Encryption and Secure Communications Interoperability Protocol families of encryptors.
Q: What is your assessment of the current supply of trained IA professionals, and how are you working to meet personnel needs of the future?
A: I’m very encouraged by what I’m seeing in the education and training of IA professionals. There was a time when you had to learn these skills on the job, and I’m happy to note that it’s possible now to get a concentration in IA. In addition, NSA, DoD and the Department of Homeland Security [DHS] are actively promoting that sort of educational foundation for future employees both of the government and industry with incentives and technical leadership for the academic institutions and the students. Our Leadership and Workforce Development Office manages several programs designed to help us do this. These programs promote IA as a discipline in higher education, recruit graduates and experienced personnel to NSA, and provide continuing development and on-the-job experience for all employees once on board.
This entire process is driven by a skills mix strategy that takes into account proficiencies in the workforce in key technical and leadership competencies and compares the current state to what is needed to accomplish the IA mission over the next five years. Gaps are then identified and interventions developed. These interventions might include hiring specific skill sets, retraining personnel with related skills, providing funding for further academic work, or spending time in a development program to gain needed experience.
Our own hiring is focused on graduates from the National Center of Academic Excellence in Information Assurance Education [CAEIAE] program—an outreach program sponsored jointly by NSA and DHS. The goal of the program is to reduce vulnerabilities in the national information infrastructure by promoting higher education in IA, and producing a growing number of professionals with IA expertise in various disciplines.
Under this program, four-year colleges and graduate-level universities are eligible to apply to be designated as a National Center of Academic Excellence in IA Education. Each applicant must pass a rigorous review demonstrating its commitment to academic excellence in IA education. Currently there are 75 schools in 32 states and the District of Columbia that have been designated as a CAEIAE. The goal is to eventually have at least one CAEIAE in each state and the District of Columbia.
CAEIAEs receive formal recognition from the government, as well as opportunities for prestige, publicity and networking, for their role in securing our nation’s information systems. Students attending CAE schools are eligible to apply for scholarships and grants through the DoD Information Assurance Scholarship Program [IASP] and the Federal Cyber Service Scholarship for Service Program [SFS].
It’s a remarkable win-win situation when we train high caliber information assurance professionals in this way, whether they remain in government service or apply their skills in the private sector.
Q: You have referred to the importance of partnerships with a capital “P” with industry. How are you working with the private sector to improve the security of networks not designed with military-level assurance?
A: The information space is overwhelmingly based on commercial capabilities, services and technologies, and it’s the aggregate set of products and services that provides users with the communications, computing, information access and security capabilities—deeply intertwined—that information assurance providers are so concerned with. Customers subscribe and pay for bundles of services that are composed of stacks of systems, services, and capabilities. Dynamic commercial market forces direct more than $1 trillion of annual investment that develops these bundles. This development is fast and relentless, with frequent updates and version upgrades. The costs of developing major new capabilities have far exceeded government funds for such activities.
We’re working with key industry members to raise the assurance of their products, creating design guidance, based on many years of experience, that will be available to developers and users alike. We created a Suite B set of algorithms and ask that industry standardize on it for cryptographic needs—encryption, key management, signatures and hashing. The correct use of Suite B—we’ll work with industry on the implementation—adds greatly to security and will facilitate interoperability, potentially from the president all the way down to first responders.
We’re also evaluating commercial products to understand their strengths, weaknesses and capabilities, so that we can work with vendors to improve the products and work with customers to build the right solutions from the right commercial pieces. And we are creating configuration guidance, in conjunction with the private sector, so that the products can be used in ways that provide the best assurance.
To stay inside the IT development cycle and marry NSA’s expertise with that of industry, the agency now has a Commercial Solutions Center. Through it, we’re adapting IA solutions to take advantage of the great diversity of products available, so that we can create the right solution, with the right capabilities and the right assurance, from the myriad of commercial components that are out there now. We’re able to learn from our commercial partners what the current state of technology and services is, and which technical and market trajectories are most likely to change. Understanding these vectors, we identify and manage the way we apply our resources to new technologies.
Q: Is there anything else you would like to add?
A: The cyber challenges facing our nation are daunting. Every day gives us a new opportunity to read about intrusions in a variety of places, government and commercial, to read about things like identity theft or other malevolent acts. This is a multifaceted problem, and the solution isn’t going to come from some single, new miracle technology. It will come from new technologies, improved policies and operations, many people in a number of professional disciplines, and most importantly from an awareness on everyone’s part that they have a direct impact on the overall security and assurance of their operational and business environments. The challenges affect every user, whether they’re relatively benign things like phishing or potentially disastrous attacks on the nation’s infrastructure. The solutions, too, come from a large community of stakeholders. The IAD is ready to stand at the forefront of that effort, getting solutions out there in a timeframe that supports the need. ♦