Summary

At the request of the Chief of Naval Operations, the Naval Studies Board, under the auspices of the National Research Council (NRC), established a committee to examine a wide set of issues associated with information assurance (IA) for network-centric naval forces.1,2 Owing to the expansion of network-centric operating concepts across the Department of Defense (DOD) and the growing threat to information and cybersecurity from lone actors, groups of like-minded actors, nation-states, and malicious insiders, information assurance is an area of significant and growing importance and concern. Because of the forward positioning of both the Navy’s afloat and the Marine Corps expeditionary forces, IA issues for naval forces are exacerbated, and are tightly linked to operational success. Broad-based IA success is viewed by the NRC’s Committee on Information Assurance for Network-Centric Naval Forces as providing a central underpinning to the DOD’s network-centric operational concept and the Department of the Navy’s (DON’s) FORCEnet operational vision.3 Accordingly, this report provides

1

The NRC’s Committee on Information Assurance for Network-Centric Naval Forces first met in March 2008. The study’s terms of reference are found in Appendix B. This report, the full final report from this study, follows the committee’s interim letter report, dated November 6, 2008.

2

During the course of its study, the committee held meetings in which it received (and discussed) materials that are exempt from release under 5 U.S.C. 552(b). A summary of the committee’s meeting agendas is provided in the Preface of this report.

3

FORCEnet is defined as “the operational construct and architectural framework for naval warfare in the information age that integrates warriors, sensors, networks, command and control, platforms, and weapons into a networked, distributed, combat force that is scalable across all levels of conflict from seabed to space and sea to land.” See National Research Council, 2005, FORCEnet Implementation Strategy, The National Academies Press, Washington, D.C., p. 1.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 1
Summary At the request of the Chief of Naval Operations, the Naval Studies Board, under the auspices of the National Research Council (NRC), established a com - mittee to examine a wide set of issues associated with information assurance (IA) for network-centric naval forces.1,2 Owing to the expansion of network-centric operating concepts across the Department of Defense (DOD) and the growing threat to information and cybersecurity from lone actors, groups of like-minded actors, nation-states, and malicious insiders, information assurance is an area of significant and growing importance and concern. Because of the forward posi - tioning of both the Navy’s afloat and the Marine Corps expeditionary forces, IA issues for naval forces are exacerbated, and are tightly linked to operational suc- cess. Broad-based IA success is viewed by the NRC’s Committee on Information Assurance for Network-Centric Naval Forces as providing a central underpinning to the DOD’s network-centric operational concept and the Department of the Navy’s (DON’s) FORCEnet operational vision.3 Accordingly, this report provides 1 The NRC’s Committee on Information Assurance for Network-Centric Naval Forces first met in March 2008. The study’s terms of reference are found in Appendix B. This report, the full final report from this study, follows the committee’s interim letter report, dated November 6, 2008. 2 During the course of its study, the committee held meetings in which it received (and discussed) materials that are exempt from release under 5 U.S.C. 552(b). A summary of the committee’s meeting agendas is provided in the Preface of this report. 3 FORCEnet is defined as “the operational construct and architectural framework for naval warfare in the information age that integrates warriors, sensors, networks, command and control, platforms, and weapons into a networked, distributed, combat force that is scalable across all levels of conflict from seabed to space and sea to land.” See National Research Council, 2005, FORCEnet Implementation Strategy, The National Academies Press, Washington, D.C., p. 1. 1

OCR for page 1
2 INFORMATION ASSURANCE FOR NETWORK-CENTRIC NAVAL FORCES a view and analysis of information assurance in the context of naval “mission assurance.” The growing threats to naval networks and computer systems coupled with the DON’s increasing employment of commercial information technology (IT) as a critical part of warfighting systems require the DON to take significant action to reduce its current and emerging IA risks. This will require an IA strategy to guide the Navy and Marine Corps in defining and managing a broad array of interrelated IA activities. It will require that these activities be properly integrated to provide the basis for a naval IA risk management system that can respond to a continu- ously changing set of IA threats. While the study identified many positive naval IA efforts currently underway, it also identified the following areas where new, coordinated IA-focused efforts will be required in order for the naval forces to achieve important levels of risk reduction: • Doctrine development, operational procedures, and operational exercises to provide resilience against successful information system attacks; • Technology research, development, and deployment—including system architecture research; • Education and training for all naval personnel and the development of special- ized career paths; • Intelligence gathering and assessment; • The IT acquisition process; • Risk analysis methods for prioritizing investments; • Dynamic and adaptive network and system reconfiguration; and • Network and system monitoring. The report addresses each of the above areas and related issues associated with information assurance and cyberdefense—issues that in many cases are very intertwined and have impact across the entire spectrum of DON and DOD enterprises. As such, the activities for reducing IA risk cut across many of the DON’s current management domains and face serious organizational obstacles to achieving the needed integration of efforts. Based on presentations to the study committee4 and a review of available documentation related to naval and DOD IA, this report presents its case for action through a discussion of the following subjects: (1) the threats to IA, (2) the technology trends that contribute to potential IA and mission threats, and (3) a review of current DOD and DON IA initiatives deployed to help mitigate these trends and threats. The report then presents arguments for additional actions that the DON should undertake in its longer-term operational and technical response to IA-related mission threats—actions that the committee believes should begin 4 See the Preface for a summary of the committee’s data-gathering sessions.

OCR for page 1
3 SUMMARY immediately owing to the rapidly evolving nature of the threats and consider- ing the time that will be required to mature and regularize the new approaches to IA that will result from the changes. Items such as Non-Classified Internet Protocol Router Network (NIPRnet) and Secret Internet Protocol Router Network (SIPRnet) security, elements of updated potential cyber concepts of operations (CONOPS; including the integration of offense-defense into cyber operations), the impact of network system architecture, advanced IA research and development (R&D) needs, IT acquisition, and cyber workforce development are all discussed in detail. The report also presents evidence and discusses what are believed to be impor- tant shortfalls in the current naval approaches to IA-related risk management. On the basis of the identification of these shortfalls and the analysis of the surrounding IA issues, the committee presents a number of major findings and recommenda - tions that offer necessary and practical approaches for improving matters.5 The DON’s implementation of the committee’s findings and recommenda- tions would require a significant and sustained effort because of the breadth and nature of IA across the naval and DOD enterprise. The committee presents sup - porting evidence indicating that the likelihood of success on each of the report’s recommendations would be greatly enhanced if the DON were to create an organizational structure that would allow the needed IA and related capabilities to be managed with clearer lines of responsibility and authority. The arguments and options for potential organizational changes are presented in the report’s final chapter; these changes are recognized by the committee as being quite significant, but necessary to ensure long-term IA and network-centric operational success. The report suggests that a more centralized IA organizational construct be adopted, with clear responsibilities and authorities that cut across several existing IA governance seams. PRIORITY AREAS FOR ACTION The findings and recommendations in this final report build on the four find- ings and recommendations contained in the committee’s interim letter report. Conclusions from this study can also be viewed in the context of the three general themes for recommended action presented below. Action Area 1: Establish a Framework for Mission-Driven IA Risk Assessment Presentations to the committee indicated that threats to IA are rapidly increas - ing. In addition, performance enhancements and economic opportunities made 5 The chapters of this report contain additional important findings and recommendations as well as the 10 major findings and recommendations included in this Summary.

OCR for page 1
4 INFORMATION ASSURANCE FOR NETWORK-CENTRIC NAVAL FORCES possible by more aggressive application of commercial IT are serving to increase the IA risks to mission execution being accepted by the Navy. It is not clear whether the trade-offs being made are purposeful or not, as there is little evidence of mission risk analyses accompanying the opportunity analyses for implementing new information system solutions. This study offers the following three major findings and recommendations that are related to this issue. Update IA Operational Doctrine Major Finding 1: Naval operations are highly dependent on information derived through all networks, including the Non-Classified Internet Protocol Router Network (NIPRnet) and legacy networks. The committee has seen evidence to suggest that the NIPRnet and legacy networks are highly vulnerable, and yet mission-critical functions such as managing logistics are being conducted on these shared networks. Major Recommendation 1: To help address and reduce current perceived net- work risks related to the NIPRnet and legacy networks, the Department of the Navy should carry out the following: • Undertake a systematic risk analysis to understand the mission impacts that could be created by information assurance failures. This analysis should be based on an understanding—derived through appropriate doctrinal, operational, procedural, and technical analyses—of the information and applications that reside on the networks and how they contribute to mission success. • Evaluate the implementation of controls that balance operational secu - rity risks in posting information on the NIPRnet with the need for information sharing. • Begin to design, architect, and implement the Department of the Navy’s networks and systems with an objective of better separating the functions of mission-critical command-and-control systems, logistics, supply, and welfare and morale systems in such a way that an IA compromise in one of these functional areas does not create an IA compromise in others. • Begin to develop IA operational doctrine that includes being able to con - duct mission-critical operations with reduced information capabilities, minimize the time for restoration (reestablishing confidence in capabilities and data), and conduct training exercises for fighting through information attacks, including backup plans for the last mile of connectivity.6 6 Major finding and recommendation 1 are found in the section entitled “Addressing NIPRnet and SIPRnet Threats” in Chapter 3 of this report.

OCR for page 1
5 SUMMARY Reexamine Network Separation Strategy for Critical Systems Major Finding 2: The Global Information Grid (GIG) architecture promises to provide secure information services that are envisioned to be electronically integrated into weapons systems and other mission-critical control systems. This vision is highly dependent on trustworthy commercial off-the-shelf (COTS) technology components. The Department of the Navy, in keeping with the GIG architecture vision, is increasingly dependent on logical (software-based) information isolation rather than on physical separation for highly integrated, warfighting-critical systems composed largely of COTS components. This strat - egy is risky from an IA perspective, given the demonstrated vulnerabilities in COTS components. Major Recommendation 2: The Office of the Assistant Secretary of the Navy for Research, Development and Acquisition (ASN[RDA]), in conjunction with other interested Navy and Marine Corps elements, should reexamine its IA architecture and design strategy, with emphasis on establishing the IA worthiness of the cur- rent systems under development. Special attention should be given to (1) the IA aspects of isolation and separation inherent in the outcomes in the Navy’s Con - solidated Afloat Networks and Enterprise Services (CANES) program and (2) the DDG-1000 onboard communication subsystem.7,8 Develop and Communicate IA Design Principles Major Finding 3: As part of its implementation of network-centric warfare capa- bilities, the Department of the Navy is aggressively embracing integrative COTS technologies such as service-oriented architectures in order to take advantage of potential positive benefits, including wider information availability. However, these adaptations also have the potential to introduce new and possibly serious IA risks into naval systems. Unfortunately, existing naval systems do not appear to have been designed with consideration of the collateral IA risks as a foundational system attribute. Major Recommendation 3: In order to provide the appropriate level of informa- tion assurance, the Office of the ASN(RDA) should adopt and manage system developments using sets of IA principles that are explicitly specified and required to be incorporated into the naval forces enterprise architecture, including specifi - cally addressing the IA requirements of service-oriented architectures. In addition, 7 Network design plans for the CANES program and the DDG-1000 (a planned new class of the U.S. Navy’s multimission ships) are discussed in Chapters 2 and 3, respectively. 8 Major finding and recommendation 2 are found in the subsection entitled “IA Risks of Current COTS Technologies” in Chapter 4.

OCR for page 1
6 INFORMATION ASSURANCE FOR NETWORK-CENTRIC NAVAL FORCES these principles need to be embraced throughout the system life cycle and adopted by existing naval systems as they are upgraded.9 Action Area 2: Manage and Invest for Mission Assurance Given the current trends related to the increasing vulnerability of informa- tion systems, naval forces face significant and growing risks of being unable to execute assigned missions. Reducing IA risks will require an integrated mixture of technological, procedural, and operational solutions to address possible enemy attacks. Potential solutions will include both enhanced defense to reduce the likeli - hood of successful attacks and enhanced resilience to attacks that are successful. Recognizing the range of possible attacks, efforts must be made to focus solution development to counter the set of attacks that are forecasted to be the most likely and would result in the most serious degradation of mission performance. This study offers the following four major findings and recommendations that are related to this issue. Eliminate Shortcomings from Current IA Initiatives Major Finding 4: The Department of the Navy has underway a diverse set of IA initiatives that are representative of best commercial IT practices. However: • No means of integrated assessment exists for determining the impact of implementing the initiatives; • The implementation of these initiatives will take significant resources and in some cases more than 3 years to implement, leaving a number of naval networks vulnerable to already-known exploitations; and • Even if all of the existing initiatives are implemented and are successful, these networks are still not assured against the different and more sophisticated attacks that are likely to occur. Major Recommendation 4: Because of the immediate and increasingly sophis- ticated nature of cyberthreats, the Office of the ASN(RDA), in collaboration with the Office of the Secretary of Defense and the National Security Agency, should conduct a thorough examination of technical opportunities and architectural options and develop a comprehensive plan for reengineering naval networks and computing enclaves to be resilient through cyberattacks by sophisticated adver- saries. This plan needs to go beyond commercial best practices, incorporating advanced technology procedures that have been developed by DOD research agencies, mission assurance concepts, and active defense. The plan should also 9 Majorfinding and recommendation 3 are found in the subsection entitled “Service-Oriented Architectures” in Chapter 4.

OCR for page 1
7 SUMMARY establish operational metrics, baseline these metrics, and set goals for their improvement.10 Improve Naval-Specific Cyberthreat Projections Major Finding 5: The Navy has not comprehensively translated adversary capabilities into risk analysis assumptions or into an operational threat, and it does not routinely share the risk analyses and threat models that exist across the various Navy and Marine Corps organizations that have responsibility for infor- mation assurance. Based on the information briefed to the committee, there does not appear to be adequate emphasis on understanding how adversaries intend to or could use their capabilities and DOD network vulnerabilities to disrupt naval operations. Major Recommendation 5: The Director, Naval Intelligence, in collaboration with the Defense Intelligence Agency and national intelligence organizations, should support cyber risk analysis by collecting and analyzing all source intelligence to improve the Department of the Navy’s understanding of adversaries’ mission intent, strategy, and tactics and to illuminate how these could impact the ability of the Navy and Marine Corps to accomplish their missions and objectives.11 Also, threat and risk analysis, specifically including CONOPS and operational capabilities of adversaries, should be shared across the many Navy and Marine Corps organizations with significant dependencies on information assurance. Standard scenarios and measures of effectiveness should be used by organizations responsible for information assurance. Improve the IT Acquisition Process Major Finding 6: Cyberthreats change on a timescale much shorter than the DOD acquisition life cycle for developing and deploying cybersecurity technologies. There are increasing risks from these cyberthreats, including risks of being unable to respond to assigned warfighting missions. Rapid acquisition and fielding of IA solutions are critical, but the committee did not see processes being put into place to support this need. Major Recommendation 6: The committee recommends that the following specific actions be undertaken by the ASN(RDA), with the support of the Direc- 10 Major finding and recommendation 4 are found in the section entitled “Summary Assessment of Initiatives” in Chapter 2. 11 Major finding and recommendation 5 are found in the section entitled “Findings and Recom - mendations” in Chapter 5.

OCR for page 1
8 INFORMATION ASSURANCE FOR NETWORK-CENTRIC NAVAL FORCES tor, Naval Research, to address the timely acquisition and implementation of IA solutions: • Actively participate in DOD efforts to define and establish intelligence that provides predictions about future cyberattack techniques which are sufficient to stimulate development of defensive responses, • Use existing operations and maintenance processes supplemented by design and prototyping activities carried out by naval laboratories to more rapidly develop and implement solutions, • Establish a rapid technology testing and evaluation laboratory and a technology insertion program—modeled after the Future Naval Capabilities program—to leverage and accelerate ongoing research in cybersecurity into Navy networks, and • Establish a standard management process styled after the urgent-need process for the Global War on Terrorism (as defined in SECNAV [Secretary of the Navy] Note 5000 on “Rapid Development and Deployment Response to Urgent Global War on Terrorism Needs”).12 Increase Naval IA R&D Funding Major Finding 7: The Department of the Navy has not established a sufficiently robust research program in IA. The funding level requested by the Office of Naval Research (ONR), approximately $2 million per year, is inadequate even to ensure that the DON effectively leverages the research investments of other agencies. Current gaps in information assurance capability for naval forces are made even more significant by a lack of strategy for investing in advanced R&D to redress these gaps. Major Recommendation 7: The Director, Naval Research, should develop—and the Chief of Naval Operations (CNO) and the Commandant of the Marine Corps (CMC) should ensure funding for—a robust science and technology research program in information assurance. An order-of-magnitude increase in funding levels through ONR’s Naval Research Laboratory would establish the Navy as a full participant in IA technology R&D, providing the knowledge base to guide and prioritize naval implementation choices and allowing the Navy to draw from the work of outstanding members of the academic and industrial research com - munities. The Navy should focus its research efforts on addressing capability gaps specifically related to the needs of naval forces that are not being sufficiently addressed elsewhere. Concurrently, the Office of Naval Research should develop a rapid technology 12 Major finding and recommendation 6 are found in the subsection entitled “Existing Naval Research and Development and Acquisition Processes” in Chapter 4.

OCR for page 1
9 SUMMARY insertion program to enable the rapid deployment of solutions for responding to new threats, based on both the leveraging of internal Navy research results and the use of ongoing research results derived from the funding of other R&D orga - nizations, such as at the Defense Advanced Research Projects Agency, National Security Agency, Army Research Office, Air Force Office of Scientific Research, National Science Foundation, Department of Energy, and Department of Home - land Security.13 Action Area 3: Rethink IA—Suggested Doctrinal and Organizational Responses The range of activities required to reduce the growing IA risks is very broad, involving the application of new technology and new operational doctrine. This range of activities is based on risk assessments that cut across the various naval missions and organizations, and they must be accomplished in coordination with the broader DOD activities addressing IA. In particular, IA cannot be treated in isolation, but rather must be considered in the broader context of military operations. Recognizing that IA requires addressing the “weakest links” in the overall naval system of systems, a prioritization of IA enhancement activities is critical. Recognizing the speed with which new attacks can be designed, developed, and propagated, rapid-response solutions inserted into practice are required. The com- mittee believes that new approaches are required for addressing naval IA needs into the future. It offers the following three major findings and recommendations related to this issue. Develop Doctrine for Offense-Defense Integration Major Finding 8: The four cyberspace IA-related domains of protecting, exploit- ing, attacking, and intelligence do not appear to be closely integrated in the Navy. In particular, the Department of the Navy does not appear to be aggressively considering and assessing alternatives to gain greater IA advantages through such integration. Major Recommendation 8: The Office of the CNO and the Office of the CMC should consider approaches for reducing the separation and enhancing the inte - gration across emerging offense, defense, and intelligence organizations related to IA.14 13 Major finding and recommendation 7 are found in the subsection entitled “Current Naval Information Assurance Research and Development Budget” in Chapter 4. 14 Major finding and recommendation 8 are found in the section entitled “Integrating Cyber Operations” in Chapter 3.

OCR for page 1
10 INFORMATION ASSURANCE FOR NETWORK-CENTRIC NAVAL FORCES Update the Department of the Navy Cyber Workforce Strategy Major Finding 9: The Department of the Navy’s workforce, consisting of offi- cers, enlisted personnel, and civilians, has not been required to possess a uniform, prerequisite set of knowledge and IT-related experience. Today’s IA-related threats and trends point to a need for the Navy and Marine Corps to address education, training, and career paths as part of the needed response to the grow - ing IA risks and the growing importance of naval cyber operations. The Navy’s Corry Station cyber operations training program provides a strong and positive start toward meeting this need.15 Major Recommendation 9: The Office of the CNO and the Office of the CMC should establish a dedicated cyber workforce strategy to include all elements of personnel management (accession, reenlistment, retention, and assignment). Since cyber-related technology continues to evolve rapidly, the cyber workforce program for naval forces should also include measures to continuously modern - ize the Navy and Marine Corps training and education curriculum, including the development of formal relationships with universities and external advisers for guiding and supporting naval needs in cyber education and training.16 Adopt New Naval IA Organizational Structure Major Finding 10: The governance of information assurance is widely distributed across naval forces, with many parties playing roles, resulting in many governance seams. In particular, there is no centralized authority or organizational mechanism in place in the Department of the Navy for governing IA and end-to-end cyber operations. For example, a shared scope of governance of security policy and fis - cal authority for naval networks resides throughout the DON, including with the Department of the Navy Chief Information Officer; the Deputy CNO for Network Operations; Headquarters, Marine Corps; Naval Network Warfare Command; Echelon II Chief Information Officers; Commander–Naval Installation Command; Program Executive Officers; and Navy Systems Command. Major Recommendation 10: The leadership of the Department of the Navy should examine more-centralized IA-related organizational structures for integrat - ing its information assurance strategies and plans across all naval communities (surface, subsurface, expeditionary, air, space, and cyberspace), as well as for integrating those same strategies and plans with joint communities (Combatant 15 The Navy’s Corry Station cyber operations training program, operated as part of the Center for Information Dominance at Corry Station, is discussed in the subsection entitled “Career Paths” in Chapter 3. 16 Major finding and recommendation 9 are found in the subsection entitled “Career Paths” in Chapter 3.

OCR for page 1
11 SUMMARY Command, Office of the Secretary of Defense). The examination should address the needed IA governance and fiscal authorities for sustaining both current and future readiness levels, as well as which DON organizations are critical to defend- ing against evolving cyberthreats—from the strategic to the tactical level.17 While cost considerations were explicitly excluded from the committee’s terms of reference, cost implications are an obvious consideration for addressing many of the findings and recommendations presented above. However, the com- mittee believes that several of the major recommendations can be acted on with minimal additional capital or operating expenditures. Owing to the immediacy of the issues involved with information assurance for naval forces, the committee urges the consideration of all recommendations in a timely fashion. 17 Major finding and recommendation 10 are found in the “Summary Discussion” of the subsection entitled “Alternative Organizational Models” in Chapter 6.