INFORMATION & IDENTITY ASSURANCE

Cyber-Security Focus Today is on Securing the Networks
That Our Warfighters Depend on to Perform Their Missions.
by Robert Lentz
It was probably not long after the first roads were built that thieves began to lie in wait of those who traveled them. The past decade has brought a variety of “highwaymen” to the information highway, and we have watched a surge in cyber-crime.
Each day, there are millions of scans of the Department of Defense’s Global Information Grid. DoD is targeted by adversaries in search of specific information. Sometimes these adversaries are hackers looking for bragging rights or foreign governments in search of sensitive information. Sometimes they are criminals who want to steal money or computer time, similar to the threat posed in the commercial world.
The Information Age has brought us many great advantages as well as quite a few challenges. These challenges, which involve powerful asymmetric threats, are constantly evolving and require new, innovative approaches to achieve success. In this new strategic environment, a responsiveness and agility never before demanded of our warfighters is suddenly critical. It’s not good enough to simply respond to threats. We must be proactive and prevent incidents from happening. We must protect and defend the network at Internet speed. We do this through a defense-in-breadth approach, integrating capabilities of people, operations and technology to establish a multi-layer, multi-dimension protection.
Information is at the center of network-centric operations. Serious compromises to the information that warfighters rely on daily could have devastating results. Providing trusted and timely access to information is a key component of the Office of the Deputy Assistant Secretary of Defense for Information and Identity Assurance (ODASD-IIA) organization. The DoD chief information officer, John Grimes, created the DASD structure last year, signifying the growing importance in the work we do across the department. Assistant Secretary of Defense for Networks and Information Integration Grimes and I both believe that information is our greatest critical asset and that the ability to access and share information lies at the heart of our future security.
Networks have become a key source of national power just as cyber security has become a top priority for the United States. It is an issue that has the attention of the president himself. The recently established National Security Presidential Directive 54/Homeland Security Presidential Directive 23 pulls together many of the pieces needed to secure key network capabilities and protect U.S. national security and economic interests. In 2003, President Bush signed the National Strategy to Secure Cyberspace policy, which emphasized training and education and the need for international standards. ODASD-IIA has been working towards solutions to many of the initiatives contained in the president’s directive for the past seven years. Cyber security has also become a priority issue across the globe.
GLOBALIZATION
DoD constantly receives incident reports on malicious activity. We investigate these incidents aggressively and work with other governments, global computer security organizations and international law enforcement to combat cyber crime and terrorism.
Our nation’s ability to foster a more secure global technology base will be enhanced through working with our allies and partners (to include industry) to make sure global standards support advanced security solutions and cost-effective implementation. While globalization offers a broad range of benefits in terms of cost and interoperability, we need to be aware of the risks.
NET-CENTRICITY
The way that the ODASD-IIA addresses cyber security is quite different than a decade ago, when Vice Admiral Arthur Cebrowski first coined the term “network-centric warfare” and former Defense CIO, John Stenbit, led work to implement net-centric concepts. Back then, the emphasis was on connectivity. Today, an even greater focus is on securing the networks that our warfighters depend on to perform their missions. Today, Mr. Grimes is leading the charge to operationalize information-centric concepts. This work relies more on protecting information content in an era where our ability to access and share information can literally save lives.
One effort that has driven improvements in the protection of information content has been the DoD Data at Rest Tiger Team, which was created to address the technical requirements of protecting data at rest. Another has been the DoD Enterprise-wide Information Assurance and Computer Network Defense Solutions Steering Group (ESSG), which has become the centerpiece of our effort to transition to a core content-centric architecture and common solution set. ESSG manages deployment of host-based security and a new insider threat tool, in partnership with industry, to help strengthen the edge of the network while improving collaboration at the user level, especially the COCOMs.
Richness, reach and relevancy: These are the three R’s that DoD networks must achieve to operate in this new content-centric paradigm.
PROTECT IDENTITIES AND INFRASTRUCTURES
President Bush has mandated the use of a common identity card that requires users to possess a physical identification card and card-associated password to access a government network. This two-factor authentication approach is a huge security enhancement. In DoD, we are creating uniform standards consistent with Homeland Security Presidential Directive-12 (HSPD-12). For example, DoD requires personnel to use the public key infrastructure (PKI) and the Common Access Card (CAC) when logging onto networks. Although we are still in the process of implementing HSPD-12, we have already seen a drastic reduction in password-based attacks.
Part of protecting information is assuring its availability. The DoD increasingly relies on commercial communications systems to conduct national security. More than 80 percent of our satellite connectivity comes from commercial providers. We’ve seen attempts to disrupt GPS signals or manipulate power grid control systems essential to satellite operations in Iraq and Afghanistan.
We also rely on the commercial defense industry to develop and field many of our advanced military capabilities. The information housed on many defense contractor systems is increasingly targeted by potential adversaries. However, we are working with our defense industry partners to improve information sharing, network incident reporting and the development of security policies. We are also working to ensure the U.S. National Infrastructure Protection Plan addresses nation-state and terrorist cyber threats to all critical government sectors—including the defense industrial base.
DEFEND SYSTEMS AND NETWORKS
Imagine a world where a military unit in the field can access any information within seconds of its collection. Rapidly accessible information gives troops a strong advantage on the battlefield, as long as warfighters can depend on the information. If the adversary intercepts or compromises information, missions fail and lives may be lost.
Today, it is possible to link sensors and decision-support systems, to push video and imagery to users in near-real-time and to leverage the capabilities of coalition partners in times of crisis and conflict. We must be able to use such capabilities with confidence in their security and resilience.
Moving from a net-centric concept to a content-centric one, our defense-in-depth strategy has changed from securing the perimeter of selected systems and capabilities to embedding security across the DoD enterprise, down to the data element—or defense-in-breadth.
What will this new mission-centric information assurance paradigm look like? It will adopt a philosophy of advantage over perfection. It will bring commercial technology to warfighters more quickly with the mindset that we need to factor time into our IA evaluation calculations. The ability to deploy and redeploy quickly puts us at a better advantage than the ability to deploy perfectly the first time.
Injecting this new thinking into our current institutions will take time and creativity, but if we’re successful, we’ll greatly increase our freedom to maneuver. This work should keep us busy over network-centric warfare’s next decade.
PROVIDE INTEGRATED PLANNING
Another key component involves developing standardized architectural concepts for securing and enabling the Global Information Grid by baking information assurance capabilities into the basic framework. This is our defense-in-breadth approach, where the emphasis is on network resilience and designing and building IA into systems throughout their life cycles.
The size and scope of such efforts demand coherent, integrated planning across DoD. The Global Information Grid Information Assurance Portfolio Office (GIAP), one of the directorates under the ODASD-IIA, has been able to provide an interactive forum for the DoD community to socialize critical dependencies and interoperability issues which will enable the synchronization of deliverables and help customers plan for the integration of IA capabilities.
The GIAP provides perspective for achieving GIG IA capabilities by recommending the best mix of synchronized investments over time. Through the use of the Capability Thread Implementation Plans and the Systems Technology Evolution Plan, the GIAP informs about the expected availability of solutions necessary to implement GIG IA Joint Capability Areas.
As the Global Information Grid transitions to a service-oriented architecture while also keeping multiple levels of security and confidentiality, numerous policies and implementation guidance have come down from the CIO’s office to ensure DoD, its agencies and services are in sync in a wide variety of areas—ranging from how we manage IT investments and secure wireless devices, services and technologies to how we implement PKI and train, certify and manage our IA workforce. The suite of DoD IA policies is important for our work to succeed.
IA COMPLIANCE AND ACCOUNTABILITY
The Defense-wide Information Assurance Program (DIAP) office, another component of the ODASD-IIA, is leading a holistic approach to IA risk management that includes codifying DoD IA best practices from across the department and developing an IA Compliance and Enforcement Plan. The DIAP has developed a compliance and enforcement framework to promote a structured, repeatable process. This utilizes the six elements of the CAMTAM approach (compliance, assessment, monitoring, tracking, accountability and metrics), as looked at from three different perspectives—policy, operations and programs (POP).
The DIAP’s goal is not only to formalize the CAMTAM-POP framework, but also to institutionalize it across the enterprise for identifying, assessing, monitoring and tracking compliance as well as accountability for compliance and enforcement. Going forward, decision-makers must be able to base their IA risk management decisions on knowledge of risks assumed for their organization as well as others connected to the GIG.
MOVING FORWARD
Our ability to communicate and collaborate with our partners is essential, whether we are responding to a devastating cyclone in Burma, a tsunami in Indonesia, an earthquake in Pakistan, or supporting combat operations in Iraq and Afghanistan. Networks have given us the global reach needed to help save lives, deliver aid, stabilize and restore governance, normalize local commerce, and return lives disrupted by tragedy back to normal. As the international community looks to increase security, stability and peace around the world, securing cyberspace will be critical to success. The work we believe in and work so hard on simply can’t get done without the networks we have come to rely on—they must be protected.
What does the future hold? I believe what can be foreseen is the need for a “whole nation” and “whole government” response to the contest over information. Moving forward, I see more international partnerships and I see a greater movement across DoD and its services and agencies to move from network-centric to content- and mission-centric.






