2
The Immediate Response—Current Information Assurance and Cyberdefense Initiatives

Information assurance (IA) is defined in Department of Defense (DOD) instruction documents as “measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.”1

Additionally, the DOD’s long-term vision for an effective network-centric operating environment—and the associated Global Information Grid (GIG)2—present a vision for DOD information assurance capabilities and practices that provide the following:

  • Transactional Information Protection—granular end-to-end security controls that enable protected information exchanges within the variable-trust netcentric environment;

1 Department of Defense. 2003. Department of Defense Instruction 8500.2. Information Assurance Implementation, Washington, D.C., February.

2 As defined in DOD Instruction 8500.2, ibid., the GIG consists of the “globally interconnected, end-to-end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating, and managing information on demand to war fighters, policy makers, and support personnel.” Included are all government-owned and -leased communications and computing systems and services, as well as all software, data, security services, and anything else necessary to operate and secure the GIG. Also included are the National Security Systems as defined in Section 5142 of the Clinger-Cohen Act of 1996 (National Defense Authorization Act for FY 1996, Public Law 104-106, formerly called the “Information Technology Management Reform Act,” February 10, 1996). By this definition, the GIG encompasses all DOD and National Security information systems at all levels, from tactical to strategic, as well as the interconnecting communications systems.



  • Digital Policy-Enabled Enterprise—dynamic response to changing mission needs, attacks, and system degradations through highly automated and coordinated distribution and enforcement of digital policies;

  • Defense Against an Adversary From Within—persistently monitor, detect, search for, track, and respond to insider activity and misuse within the enterprise;

  • Integrated Security Management—dynamic automated net-centric security management seamlessly integrated with operations management; and

  • Enhanced Integrity and Trust of Net-Centric Systems—robust IA embedded within enterprise components and maintained over their life cycle.3

Because of the interconnected nature of the GIG, IA is a shared need and capability across the DOD and its Services. Each of the Services is responsible for the development of its own network-related mission and structures, and also for the control and defense of information on its portion of the GIG. Because naval nodes of the GIG are integrated with non-naval nodes, a gap in one area of GIG information assurance capability has the potential to impact other areas. It is broadly recognized, however, that the GIG IA vision stated above is not a current reality; therefore, the Department of the Navy (DON), as well as the DOD and other Services, has information assurance and cyberdefense initiatives underway to improve protection against the current threats to its networks and to help bring the network-centric enterprise closer to the stated IA vision. Owing to GIG interconnectivity, IA initiatives across broader sectors of the DOD are also very important to the Navy. (See Chapter 6 for a description of DOD, Navy, and Marine Corps network defense responsibilities.)

During the course of its data gathering, the committee was briefed on both naval and DOD-wide IA-related initiatives currently underway, and by all of the obvious organizations with direct and indirect information assurance responsibilities that might impact naval forces.4 However, in spite of the fact that the achievement of greater information assurance requires the integration of a number of contributing solutions, no one party was able to present the committee with a comprehensive list of naval or DOD-wide initiatives. Rather, each party primarily focused on the initiatives under its individual purview.5 In addition to receiving these presentations, the committee also performed independent research to gain more understanding of the initiatives. The following sections present a summary and discussion of these initiatives, organized according to the major sources of input.

3 Department of Defense Chief Information Officer. 2007. Global Information Grid Architectural Vision: Vision for a Net-Centric, Service-Oriented DOD Enterprise, Version 1.0, Department of Defense, Washington, D.C., June, p. 24. Available at <http://www.defenselink.mil/cio-nii/docs/GIGArchVision.pdf>. Accessed November 17, 2008.

4 A description of the committee’s data-gathering sessions is provided in the Preface of this report.

5 The committee was briefed by the portfolio manager of the GIG Information Assurance Portfolio program, which is developing such a comprehensive listing (Richard Scalco, GIG IA Portfolio Manager, “GIG IA Portfolio Management Office,” presentation to the committee, July 16, 2008, National Security Agency, Fort Meade, Md.).

DEPARTMENT OF THE NAVY CHIEF INFORMATION OFFICER INFORMATION ASSURANCE INITIATIVES

A presentation to the committee from the office of the Department of the Navy, Chief Information Officer (DON CIO), showed the Department of the Navy to be positively engaged with the DOD in its planning and execution of DOD-wide IA initiatives.6 This relationship appears to be fruitful in that it provides the DON with the ability to leverage DOD capabilities that reside outside the DON (such as the digital signature and encryption capabilities provided by the DOD to help verify user identity). In addition to leveraging DOD-wide capabilities for naval forces, activities such as the promulgation of the Department of the Navy’s vision and plans for its Next Generation Enterprise Network (NGEN) and the implementation of the Navy’s Prometheus7 system for monitoring and analyzing network information are positive steps for improving IA across the Navy’s Network Warfare (NETWAR)/FORCEnet Enterprise.

The DON Deputy Chief Information Officer (DCIO) serves as the Senior Information Assurance Officer (SIAO) of the Department of the Navy. One particularly interesting initiative that the DCIO briefed to the committee was the effort to establish a cyber task force involving the DON CIO, the Office of the Chief of Naval Operations, the United States Marine Corps, and the Naval Criminal Investigative Service.8 This task force would be chaired by the DON SIAO and have oversight from the Deputy Under Secretary of the Navy/DON CIO. The objectives of the task force would be as follows:

  • To articulate the process for coordinating computer network attack (CNA), computer network exploitation (CNE), and computer network defense (CND) with the DON, as well as counterintelligence (CI) for these activities;

  • To ensure feedback from CNA and CNE activities into CND planning and execution, and to ensure that a similar feedback loop exists for CI activities;

  • To provide a complete and coordinated picture of cyber activities within the DON;

  • To ensure a synchronized and coordinated investment in cyber activities; and

  • To align roles and responsibilities so as to enable timely execution of cyber-related policies, to aid in the implementation of cyber products, to provide a well-defined governance of cyber practice, and to have a focused, coordinated cyber investment practice.

At the time of the briefing by the DCIO (March 2008), establishment of the task force was pending approval by the Secretary of the Navy. If established, the task force could address significant issues, such as the coupling of CND, CNA, and CNE.9

The DCIO provided the committee with a list of other DON IA initiatives, presented in Table 2.1. The DCIO also provided the committee with a list of DOD-wide IA initiatives that are being addressed by naval forces. (The DOD-wide IA initiatives reported by the DON CIO are included in Table 2.2 and are discussed in the subsection on “Defense-Wide IA Initiatives.”) The list of DON initiatives presented in Table 2.1 is not complete, as can be seen by comparing it with the naval initiatives discussed in the subsections below addressing IA initiatives sponsored by the Naval Network Warfare Command (NETWARCOM), the Navy Information Systems Security Program (ISSP), the Navy’s Space and Naval Warfare Systems (SPAWAR), and other fleet forces operations.

6 John Lussier, Department of the Navy Deputy Chief Information Officer, “Department of the Navy CIO Organization,” presentation to the committee, March 6, 2008, Washington, D.C.

7 Prometheus is the name given to an information technology system recently implemented by the Navy Cyber Defense Operations Command (NCDOC) to provide both network protection and network situational awareness for NCDOC-defended networks.

8 John Lussier, Department of the Navy Deputy Chief Information Officer, “Department of the Navy CIO Organization,” presentation to the committee, March 6, 2008, Washington, D.C.

9 For example, see Maj Donald W. Cloud, Jr., USAF, 2007, “Integrated Cyber Defenses: Towards Cyber Defense Doctrine,” Master of Arts Thesis, Naval Postgraduate School, Monterey, Calif., December. Available at . Accessed February 26, 2009.

TABLE 2.1 Department of the Navy Current Information Assurance Initiatives: Selected List (initiatives are grouped by the fiscal year (FY) of first impact)

FY 2008: Cryptographic Log-on; Navy/Marine Corps Intranet “Sweet 16”a; Secretary of the Navy Warning Orders; Wireless Security; Cyber Asset Reduction and Security.

FY 2009: Data at Rest Encryption; Attribute-Based Access Control (pilot).

FY 2010: Thin-Client coupled with Policy Enforcement Tools for Virtual Machine Access (research concept).

FY 2011 or Beyond: Next Generation Enterprise Network; Next Generation Enterprise Network Security Plan and Concept of Operation.

a The Navy/Marine Corps Intranet information assurance initiatives—commonly referred to as the “Sweet 16”—are discussed in the subsection entitled “Navy/Marine Corps Intranet” in the present chapter and are presented in Table 2.4.

SOURCE: Derived from information presented to the committee by John Lussier, Department of the Navy Deputy Chief Information Officer, “Department of the Navy CIO Organization,” March 6, 2008, Washington, D.C.

NAVAL NETWORK WARFARE COMMAND INFORMATION ASSURANCE INITIATIVES

The Naval Network Warfare Command has two major responsibilities: It functions as (1) a type commander10 and (2) an operational commander. In the former role its responsibility is to organize, train, and equip for network operation, just as other type commanders do in their respective areas. However, NETWARCOM is not directly involved in acquisition. In its latter role, NETWARCOM manages networks and network security, ranging from the Navy/Marine Corps Intranet (NMCI) down to the Network Operations Center level. In addition to their other discussions with the committee concerning IA issues and policies, NETWARCOM personnel presented the following as NETWARCOM’s major IA initiatives, several of which are also being implemented by the Marine Corps and the Marine Corps Network Operations and Security Command (MCNOSC):11

  • Operational Designated Approval Authority. Provides an end-to-end approach for certification and accreditation (C&A) processes. This initiative is targeted at reducing C&A cycle time.

  • Public Key Infrastructure (PKI). Implements the requirement for cryptographic network log-on across all naval unclassified networks. Eliminates “stovepipe” solutions and requires the use of common access cards (CACs) across protected naval systems. Also includes the investigation of biometrics identification.

  • IA Computer Network Defense. Provides monitoring of all naval networks, analyzes trends, and develops mitigating strategies. Regularly reviews all policy and procedures and provides security relationship with Navy industrial base and contractor networks.

  • Data at Rest. Provides encryption for all mobile computing devices and removable media processing for controlled unclassified information and Personal Identifiable Information.12

  • Cyber Asset Reduction and Security. Reduces the number of legacy networks and hence reduces the vulnerabilities inherent in those networks.

  • Wireless Security. Provides technology guidance for wireless solutions and guidance for the resulting expanded mobility of the GIG. This initiative also includes Secure Blackberry, that is, CAC-based PKI to sign and encrypt wireless e-mail.

10 In the U.S. Navy, the type commander is the flag officer responsible for all ships of a certain type in the fleet.

11 Alan L. Rickman, Naval Network Warfare Command, “Decision Superiority for the Warfighter,” presentation to the committee, March 5, 2008, Washington, D.C.

12 Personal Identifiable Information, or PII, is defined by an Office of Management and Budget memorandum (Karen S. Evans, Administrator, Office of E-Government and Information Technology, Executive Office of the President, OMB Memorandum for Chief Information Officers, M-06-19, Washington, D.C., July 12, 2006) as “information which can be used to distinguish or trace an individual’s identity such as their name, social security number, date and place of birth, biometrics records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as laptop computers, thumb drives and personal digital assistants (PDAs).”

TABLE 2.2 Department of Defense-Wide Current Information Assurance Initiatives: Selected List (initiatives are grouped by the fiscal year (FY) of first impact)

FY 2008: Department of Defense Demilitarized Zonea; Certification and Accreditation (Controlled Unclassified Information Behind Demilitarized Zone After Deep Dive); Supply Chain Risk Management (ongoing); Joint Task Force–Global Network Operations Security Awareness Messages.

FY 2009: Department of Defense Training Initiative (ongoing); Public Key Infrastructure (ongoing); Enterprise Standards Across Common Architecture (ongoing); Trusted Computing Consortium.

FY 2010: Non-Classified Internet Protocol Router Network (NIPRnet) Deep Dive.

FY 2011 or Beyond: Global Information Grid Mission Assurance Plan.

a The Demilitarized Zone, or DMZ, approach to defending the Global Information Grid provides a separate interface to the Internet and external DOD connections, thus limiting vulnerabilities to malicious attacks, worms, and viruses that plague the Internet.

SOURCE: Derived from information presented to the committee by John Lussier, Department of the Navy Deputy Chief Information Officer, “Department of the Navy CIO Organization,” March 6, 2008, Washington, D.C.
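Note a of Table 2.2 describes the DMZ approach in one sentence: connections from the Internet and from external partners terminate in a separate segment, so the rest of the enclave is never reached directly. The Python below is an added example, not part of this report and not code from any DOD or Navy system; its address plan, zone names, ports, and rules are constructed assumptions. It models the policy as zone-to-zone rules with default deny, evaluates a few constructed flows, and compares which zones an Internet-originated connection can land in under the DMZ rules versus a flat design that hosts the public service inside the enclave.

```python
"""Zone policy model of the DMZ approach described in Table 2.2, note a.

Added example, not code from the report or from any DOD or Navy system.
The address plan, zone names, ports and rules are constructed assumptions
chosen only to illustrate the principle that Internet connections stop in
a separate segment (the DMZ) and never reach the internal enclave directly.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (hypothetical). The Internet zone is the
# catch-all and is matched last so that the named segments win.
ZONES = {
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
    "internet": [ipaddress.ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Flow:
    """One connection attempt: source, destination, TCP destination port."""
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside a named segment is Internet."""
    ip = ipaddress.ip_address(addr)
    for name in ("dmz", "internal", "internet"):
        if any(ip in net for net in ZONES[name]):
            return name
    return "internet"


# Rules are (source zone, destination zone, allowed ports). An empty set is
# an explicit block; None allows any port. First match wins, and a flow
# that matches no rule is denied (default deny).
DMZ_RULES = [
    ("internet", "dmz", {80, 443}),       # public services live in the DMZ
    ("internet", "internal", set()),      # no direct path into the enclave
    ("dmz", "internal", {5432}),          # DMZ app tier reaches the DB only
    ("dmz", "internet", set()),           # DMZ hosts do not initiate outbound
    ("internal", "dmz", None),            # administration and publishing
    ("internal", "internet", {80, 443}),  # outbound web from the enclave
]

# Weak alternative for comparison: the public web server sits inside the
# enclave, so Internet connections land on the internal network itself.
FLAT_RULES = [
    ("internet", "internal", {80, 443}),
    ("internal", "internet", {80, 443}),
]


def decide(flow: Flow, rules=DMZ_RULES) -> str:
    """Return 'allow' or 'deny' for a flow under the given rule list."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule_src, rule_dst, ports in rules:
        if (rule_src, rule_dst) == (src_zone, dst_zone):
            return "allow" if ports is None or flow.dport in ports else "deny"
    return "deny"


def internet_reachable(rules) -> set:
    """Zones an Internet-originated connection can land in under the rules.
    Under DMZ_RULES only the DMZ is exposed; under FLAT_RULES the enclave is."""
    return {dst for src, dst, ports in rules
            if src == "internet" and (ports is None or len(ports) > 0)}


if __name__ == "__main__":
    # Constructed sample flows using documentation addresses, not real hosts.
    samples = [
        Flow("203.0.113.5", "192.0.2.10", 443),   # Internet -> DMZ web
        Flow("203.0.113.5", "10.1.2.3", 443),     # Internet -> internal
        Flow("192.0.2.10", "10.1.2.3", 5432),     # DMZ -> internal DB
        Flow("192.0.2.10", "10.1.2.3", 22),       # DMZ -> internal SSH
        Flow("10.1.2.3", "192.0.2.10", 22),       # internal -> DMZ admin
        Flow("192.0.2.10", "203.0.113.5", 443),   # DMZ -> Internet
    ]
    for f in samples:
        print(f"{f.src:>13} -> {f.dst:<13} :{f.dport:<5} {decide(f)}")
    print("exposed under DMZ rules :", internet_reachable(DMZ_RULES))
    print("exposed under flat rules:", internet_reachable(FLAT_RULES))
```

The check worth keeping from this is internet_reachable: for a deployed rule base, the set it returns should contain only the DMZ, and an internal zone appearing in that set is exactly the exposure the note warns about.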

Many of these NETWARCOM information assurance initiatives are also reflected in the DON information assurance initiatives presented in Table 2.1.

INFORMATION SYSTEMS SECURITY PROGRAM INITIATIVES

The Information Systems Security Program is the Department of the Navy’s research, development, testing and evaluation (RDT&E) program element, which includes the DON’s individual information assurance projects.13 The program is projected to be funded at approximately $30 million per year for the period fiscal year (FY) 2008 through FY 2013 and includes both research and development (R&D) and technology implementation funds. The Navy’s ISSP is described as follows in the document prepared for FY 2009 budget justification:

  The Navy ISSP RDT&E program works to provide the Navy with these essential Information Assurance elements: (1) Assured separation of information levels and user communities, including coalition partners; (2) Assurance of the telecommunications infrastructure; (3) Assurance of Joint user enclaves, using a defense-in-depth architecture; (4) Assurance of the computing base and information store; and (5) Supporting assurance technologies, including a Public Key Infrastructure (PKI) and directories. The goal of all ISSP RDT&E activities is to produce the best USN operational system that can meet the certification and accreditation requirements outlined in DoD Instruction 5200.40 (new DoDI 85xx series pending). Modeling DoD and commercial information and telecommunications systems evolution (rather than being one-time developments), the ISSP RDT&E program must be predictive, adaptive, and technology coupled. The program develops frameworks, architectures, and products based on mission threats, information criticality, exploitation risks, risk management, and integrated Joint information system efforts.14

The key ISSP projects listed in the Navy Exhibit R-2 RDT&E program are summarized and described in Table 2.3. The single largest individual FY 2009 budgetary item in the Navy’s ISSP is the Navy Cryptographic Modernization Program and its associated secure communications, budgeted at $8.75 million in this particular program element.15

13 The ISSP effort is a naval enterprise-wide responsibility derived from requirements outlined in the Secretary of the Navy Instruction 5239.3A, Department of the Navy Information Assurance Policy (INFOSEC) Program, Washington, D.C., December 20, 2004.

14 Department of the Navy. 2008. “Department of the Navy Exhibit R-2 RDT&E Budget Item Justification,” Washington, D.C., February, p. 2.

15 The budget numbers in this R&D exhibit reflect only a limited portion of the total budget for the Navy Cryptographic Modernization program. The $8.75 million is referred to here only to show its size in relation to the $30 million RDT&E total for this ISSP program element mentioned earlier.

TABLE 2.3 Information Assurance (IA) Initiatives in the Navy’s Information Systems Security Program (IA project name: project description)

Computer Network Defense: Develops and implements an integrated system of filters, firewalls, intrusion prevention systems, patch management, encryption, and other vulnerability remediation tools and policies for fleet and ashore networks.

Cryptographic Modernization: In coordination with Joint Services and the National Security Agency, provides development support, specifications, acquisition documentation, and testing for identified and selected cryptographic products to provide secure communications. Replaces decertified systems in accordance with Joint Chiefs of Staff modernization schedule.

IA Readiness: Provides systems security engineering support to all Department of the Navy organizations in the certification and accreditation of information systems.

Secure Voice: Completes the development and integration test of the Secure Communication Interoperability Protocol Inter-working Function for off-ship secure communication capabilities while underway.

Cross Domain Solutions: Provides system security engineering development, testing, and evaluation for multilevel security solutions (databases, Web browsers, routers/switches, etc.), for allied and coalition participation.

Key Management Infrastructure: Develops advanced key management security testing, certification, and accreditation for various naval systems.

Emerging Technologies: Supports the development of Department of the Navy information assurance architectures and the transition of new technologies addressing Navy information assurance challenges.

SOURCE: Department of the Navy. 2008. “Department of the Navy Exhibit R-2 RDT&E Budget Item Justification,” Washington, D.C., February, p. 2.

INFORMATION TECHNOLOGY AND NETWORK PROGRAMS INFORMATION ASSURANCE INITIATIVES

Much of the Navy’s information assurance activity is embedded in information technology (IT) and network programs associated with large specific naval program activities, in addition to the targeted IA-focused projects of the ISSP. The committee was briefed in detail on three such major programs: the Navy/Marine Corps Intranet, the planned Next Generation Enterprise Network (a follow-on to NMCI), and the Navy’s Consolidated Afloat Networks and Enterprise Services (CANES). The information assurance components of these major programs, as highlighted for the committee, are summarized below.

Navy/Marine Corps Intranet

The Navy/Marine Corps Intranet, with more than 650,000 users, is reported to be the largest corporate intranet in the world, and also to represent the single largest government IT contract.16 Although NMCI is currently managed through a contracted outsource organization, the Navy’s NETWARCOM, through its Global Network Operations Center, provides IA and network defense oversight for the Navy enclave of NMCI, and MCNOSC provides IA and network defense oversight for NMCI’s Marine Corps enclave. Thus, while NMCI daily operations are managed externally, many of the current DON and DOD IA initiatives are being applied, where appropriate, to the NMCI system. A list of the top 16 current NMCI network security initiatives is provided in Table 2.4; all are scheduled to be implemented before NMCI transitions to NGEN in 2010.

Next Generation Enterprise Network

Current plans are for the Next Generation Enterprise Network to encompass the current Navy/Marine Corps Intranet, plus the Overseas Navy Enterprise Network (ONE-Net), the remaining “legacy” networks, the Navy’s shipboard IT for the 21st Century (IT-21) networks, and the Marine Corps Enterprise Network (MCEN).17 Thus, many of the security features that have recently been added to NMCI will likely be integrated from the beginning and enhanced for NGEN. (See Figure 2.1 for a visual diagram of the relationships among these currently existing naval network systems.)

As reported to the committee, it is anticipated that future NGEN upgrades will transition NMCI, ONE-Net, IT-21, and MCEN from four separately managed environments to a globally integrated, network-centric DON enterprise to support network operations (NETOPS) and leverage the DOD Global Information Grid and available DOD enterprise services. This integration effort promises to improve information assurance for the largest network across the entire naval network-centric enterprise. Also, a key IA advancement of NGEN over NMCI is postulated by NGEN program management to be the inherently improved security governance for NGEN, as DON will have full visibility into the network. This will likely be the case if IA and network defense for NGEN are managed in-house, as is currently planned according to public reports, rather than managed through a contract organization as is the current situation with NMCI.

16 Terrelle C. Bradshaw, Naval Network Warfare Command, Global Network Operations Center, “NMCI IA Overview,” presentation to the committee, April 29, 2008, Norfolk, Va. NMCI also is reported to support more than 100 million e-mail messages per month and 124 million browser transactions per day, and to provide connectivity for approximately 11,000 wireless communication devices. The running of NMCI daily operations is contracted to Electronic Data Systems in a 10-year contract, extending from October 2000 to October 2010.

17 RADM(S) David G. Simpson, USN, Director, Navy Networks, Deputy Chief of Naval Operations, Communication Networks (N6), “Next Generation Enterprise Network (NGEN) and Consolidated Afloat Networks and Enterprise Services (CANES),” presentation to the committee, May 29, 2008, Washington, D.C. The planned baseline for NGEN is 340,000 workstations; approximately 650,000 user accounts; support for mobile devices; and the associated network operations command and control. NGEN is currently scheduled to phase into operation at the end of the NMCI contract, which expires in October 2010.

TABLE 2.4 Current Information Assurance (IA) Initiatives for the Navy/Marine Corps Intranet (initiative: description)

Intrusion Protection System: Upgrades intrusion detection infrastructure.

Logging Infrastructure: Integrates logging infrastructure to support network audits and incident response.

Firewall Suites: Implements improved firewall protection.

Improved Public Key Infrastructure (PKI): Implements Service-wide e-mail signing and encryption.

Improved IA Vulnerability Alert Management: Improves reliability of IA vulnerability patching and implements Network Access Control.

Host Based Security System: Implements the DOD enterprise-wide automated and standardized tool to provide end-point (server, desktop, and laptop) security against both insider threats and external threats that are able to penetrate boundary defenses. Provides centralized management of host-based capabilities.

Data At Rest Encryption: Provides encryption for all mobile computing devices and removable media.

Network Configuration Management: Provides and maintains current network configuration data and assures continuous access for security testing and evaluation.

Two Factor Authentication: Enables system administrator to provide improved authentication for all accounts.

PKI for Blackberry: Provides PKI support for Blackberry e-mail.

Network Forensics: Establishes a network-based forensics tool for imaging system hard drives involved in an IA incident.

Security Event Management: Implements system to provide security information management compatible with other Navy and Marine Corps systems.

Common Access Card Support: Provides Web access authenticated by the common access card.

Secure Configuration Compliance Validation Initiative (SCCVI)/Secure Configuration Remediation Initiative (SCRI): Implements DOD-recommended tools to discover assets and identify known security vulnerabilities (SCCVI), and implements corrective actions to mitigate a vulnerability (SCRI).

Uniform Resource Locator/Content Filtering: Provides advanced-application firewall technology to update and replace aging, existing system application.

Global Access List: Updates access directories and provides certificates allowing synchronization across military components.

SOURCE: Derived from information presented to the committee by Terrelle C. Bradshaw, Naval Network Warfare Command, Global Network Operations Center, “NMCI IA Overview,” April 29, 2008, Norfolk, Va.

FIGURE 2.1 System relations for the Next Generation Enterprise Network (NGEN). NOTE: Acronyms are defined in Appendix A. SOURCE: RADM(S) David G. Simpson, USN, Director, Navy Networks, Deputy Chief of Naval Operations, Communication Networks (N6), “Next Generation Enterprise Network (NGEN) and Consolidated Afloat Networks and Enterprise Services (CANES),” presentation to the committee, May 29, 2008, Washington, D.C.

Consolidated Afloat Networks and Enterprise Services

The Navy’s Consolidated Afloat Networks and Enterprise Services program is primarily a system redesign and acquisition program for afloat networks; however, it can also be viewed as a broad initiative designed to consolidate and reduce network infrastructure,18 reduce legacy systems aboard ships, and provide increased network capability to the afloat platform enclaves. Key IA-related initiatives included in the CANES common computing environment are its built-in computer network defense capabilities, its cross-domain solutions, and its utilization of service-oriented architectures (SOAs). The committee recognizes both advantages and disadvantages of such a network architecture approach,19 and thus it devotes additional dedicated sections to IA architecture and SOAs in Chapter 4. The CANES program time line, as reviewed with the committee, is multiyear, with a planned 2008-2016 implementation. However, CANES “early adopters,” beginning in 2009, will be permitted to test the program’s key IA architectural features, allowing an opportunity to adapt the required SOA IA program features and to address requirements for hardening the NIPRnet architecture. The committee views CANES early adopters as providing an opportunity to establish an important testbed for IA advancements for security afloat, with great potential leverage.

18 Today there are four primary shipboard infrastructure networks—NIPRnet, SIPRnet, the Joint Worldwide Intelligence Communications System, and the Combined Enterprise Regional Information Exchange System—each operating at different security levels.

19 Many of the existing solutions to IA problems (and many of the requirements in existing IA regulations) assume that both clients and servers are located on the same physical or logical network. The clients and servers rely heavily on perimeter or boundary protection such as demilitarized zones, firewalls, and intrusion detection to prevent security threats. However, the interoperability and loose coupling requirements of an SOA necessitate additional security capabilities to complement those security models. For example, see the report on Net-Centric Enterprise Solutions for Interoperability, a collaborative activity of the U.S. Navy Program Executive Office for Command, Control, Communications, Computers and Intelligence and Space, the USAF Electronic Systems Center, and the Defense Information Systems Agency, 2006, Net-Centric Implementation Framework, V1.3, June 16. Available at . Accessed November 19, 2008.

SPACE AND NAVAL WARFARE SYSTEMS COMMAND AND PEO C4I INFORMATION ASSURANCE INITIATIVES

Naval system commands must be aware of and respond to IA initiatives and architecting requirements as dictated by Navy and/or DOD instructions. Thus the committee was briefed by the Navy’s engineering command at SPAWAR and its Program Executive Office for Command, Control, Communications, Computers and Intelligence (PEO C4I) personnel for discussion of key information assurance-related initiatives and associated issues.

SPAWAR/PEO C4I personnel are responsible for IA architecture for their domain of responsibility, ranging from the ashore network operating centers to ships afloat, and are working to build out “defense in depth” for that domain. As such, initiatives are also being led by SPAWAR personnel to cope with potential degradations due to attacks on various components of the information architecture.

For the purposes of this activity, the IA competencies drawn upon at SPAWAR evolve from their expertise in information system security engineering. Such system security engineering concepts have been applied to the technologies associated with a host of development systems, including CANES, satellite communication platforms, and the Joint Tactical Radio System.

Major IA initiatives reported to the committee by SPAWAR’s information assurance organization are reflected in those initiatives previously discussed and reported in Tables 2.1, 2.2, and 2.3. For the purpose of brevity, these initiatives are not listed separately in this report.
However, in addition to the previously reported naval initiatives, SPAWAR’s PEO C4I and PEO Space personnel are also the primary responsible Navy party for designing and engineering system-wide defense-in-depth concepts; they are also the responsible party for developing IA architecture guidance as it relates to the execution of SOA implementation in naval systems.20

20 For example, see the report on Net-centric Enterprise Solutions for Interoperability, a collaborative activity of the U.S. Navy PEO C4I and Space, the USAF Electronic Systems Center, and the Defense Information Systems Agency, 2006, Net-Centric Implementation Framework, V1.3, June 16. Available at . Accessed November 19, 2008.

FLEET INFORMATION ASSURANCE INITIATIVES

The committee held discussions with the Commander, U.S. Pacific Fleet, and Pacific Fleet senior technical advisers; senior staff representatives, U.S. Third Fleet; and command and network personnel on the USS Normandy (CG-60), to better understand the impact of information assurance on fleet operations and fleet missions. Several initiatives are currently underway that should be beneficial at the fleet level for operating through cyberattacks and degraded network capabilities. Specifically, the committee believes that the cyber-defense-related work underway in the Pacific Fleet, and its associated engineering developments in SPAWAR/PEO C4I, should be strongly supported and adopted more broadly across naval forces as these current initiatives prove themselves.

DEPARTMENT OF DEFENSE-WIDE INFORMATION ASSURANCE INITIATIVES

The DON CIO provided the committee with a list of DOD-wide IA initiatives currently impacting naval forces (see Table 2.2 for the list, organized by year of major impact for naval forces).

In addition to these activities, the committee was also briefed on DOD information assurance and current DOD-sponsored IA initiatives from the Office of the Deputy Assistant Secretary of Defense for Information and Identity Assurance (ODASD[I&IA]). The IA initiative information received from ODASD(I&IA) is summarized in Table 2.5. As of the writing of this report, ODASD(I&IA) is preparing a more comprehensive strategic approach to IA initiatives.

TABLE 2.5 Office of the Deputy Assistant Secretary of Defense for Information and Identity Assurance: Summary of Information Assurance (IA) Initiatives

IA Strategic Area                      Example IA Initiatives
Protecting Core Networks               Demilitarized zone, firewalls, network sensors
Network Resiliency                     Architecture for resilience
Assured Information Access             Privileged management
IA Systems/Platforms                   IA acquisition
Cyber Operations                       Computer emergency response teams
Cross Domain Sharing                   Coalition forces interoperability and assurance
Globalization/Supplier Assurance       Supply chain risk management; software and hardware assurance
Defense Industrial Base                Vulnerability reporting process
Identity Assurance                     Public Key Infrastructure deployment
Research Technology Insertion          Defense Advanced Research Projects Agency and IA research
Training/Education                     IA/personnel readiness; workforce certification
International Readiness                International IA best practices
Cryptographic Modernization            High Assurance Internet Protocol Encryptor
Key Management                         Key Management Infrastructure

SOURCE: Derived from information presented to the committee by Robert Lentz, Deputy Assistant Secretary of Defense for Information and Identity Assurance, “Overview of Department of Defense IA-Related Responsibilities, Initiatives, Strategies, and Studies,” Washington, D.C., March 5, 2008.

Related to but separate from this effort is a DOD-wide GIG IA portfolio management program—the GIG Information Assurance Portfolio, or GIAP—currently being undertaken to help analyze and give input to DOD and the military Services regarding strategic IA investments. While the GIAP is organized under the Office of the Assistant Secretary of Defense, Networks and Information Integration, its management is currently headquartered at the National Security Agency (NSA), the designated lead agency for defining DOD GIG IA architecture. The GIAP uses a set of broad strategic categories to track IA initiatives that differs slightly from the categories provided to the committee by ODASD(I&IA). Also, in this program, the GIAP claims responsibility for leading the “enterprise enabling” IA initiatives, such as the Public Key Infrastructure and the Key Management Infrastructure, across the DOD. The list of IA initiatives presented to the committee from the GIG IA portfolio viewpoint is contained in Table 2.6.

TABLE 2.6 DOD and DON Information Assurance (IA) Initiatives from the GIG IA Portfolio Perspective

IA Strategic Area                                              Example IA Initiatives
Confidentiality (Protect Data and Networks)                    Cryptographic Modernization; High Assurance Internet Protocol Encryptor; secure voice; edge systems
Computer Network Defense (Defend the Global Information Grid)  Demilitarized zone; Host-Based Security System
Assured Information Sharing                                    Cross domain sharing; multinational information sharing
Enterprise Security Management                                 Key Management Infrastructure; Public Key Infrastructure; privileged management
Foundational IA                                                Training; enterprise-wide certification and accreditation; best practices

SOURCE: Derived from information presented to the committee by Richard Scalco, GIG IA Portfolio Manager, “GIG IA Portfolio Management Office,” July 16, 2008, Fort Meade, Md.

The committee also received information assurance briefings from the U.S. Strategic Command’s Joint Task Force–Global Network Operations (JTF–GNO) and from the Defense Information Systems Agency (DISA). JTF–GNO directs the operation and defense of the Global Information Grid in support of DOD’s full spectrum of missions.21 DISA serves as a DOD enterprise-wide organization with an agenda to help provide information assurance tools and services in support of DOD network-centric operations. DISA has responsibility for coordinating with other federal agencies and industry to provide security configuration guides, checklists, scanning tools, and other standards to properly configure and manage applications, devices, and enclaves across the GIG for U.S. military commands. DISA also plans for, acquires, and deploys enterprise-wide tools and capabilities that improve defense, attack sensing and reaction, and situational awareness. In its strategic document, DISA reports several key IA initiatives underway, including IA-related initiatives to accomplish the following:22

  • Provide standard coalition information-sharing capabilities;
  • Deploy cyber identity credentials throughout the GIG for safer and broader sharing;
  • Continually assess the Public Key Infrastructure architecture for effectiveness;
  • Redesign the NIPRnet and SIPRnet, including certain shared components (e.g., the Domain Name System), to dramatically enhance security and improve sharing;
  • Develop and operate strengthened gateways between DOD and the Internet and between DOD, other U.S. networks, and coalition networks; and
  • With the Services and agencies, plan and execute the movement of all publicly visible and partner-facing applications and services into demilitarized zones to improve sharing and security.

21 For additional information, see the JTF–GNO fact sheet at . Accessed October 21, 2008.

Based on the committee’s collective inquiries, it appears that a single, comprehensive view of IA initiatives across the DOD does not exist. Although none of the groups referred to above provided the committee with such a view, the committee constructed its own comprehensive view by piecing together the information received from these separate sources. As solutions start to move into the application layer of DOD information systems, gaining a comprehensive view will become more difficult, because those solutions might then reside with individual enclave managers. Achieving this comprehensive view will require significant effort, which the committee views as necessary in order to select and synchronize integrated IA solutions.
OTHER INFORMATION ASSURANCE INITIATIVES

In addition to the previously discussed information assurance initiatives, the committee was also briefed on work underway at the Defense Advanced Research Projects Agency and at NSA, and it received an overview of research currently included in the Comprehensive National Cyber Security Initiative. Although the details of work in these three areas cannot be discussed in this nonclassified report, the Navy should make every effort to stay abreast of and leverage these developments into its systems.

22 Defense Information Systems Agency. 2007. Surety, Reach, Speed, Washington, D.C., March, pp. 26-27. Available at . Accessed October 21, 2008.

SUMMARY ASSESSMENT OF INITIATIVES

A major observation, obtained by reviewing the work reported on above and referring back to the threat discussion in Chapter 1, is presented in the following finding and recommendation.

MAJOR FINDING: The Department of the Navy has underway a diverse set of IA initiatives that are representative of best commercial IT practices. However:

  • No means of integrated assessment exists for determining the impact of implementing the initiatives;
  • The implementation of these initiatives will take significant resources and in some cases more than 3 years to complete, leaving a number of naval networks vulnerable to already-known exploitations; and
  • Even if all of the existing initiatives are implemented and are successful, these networks are still not assured against the different and more sophisticated attacks that are likely to occur.

MAJOR RECOMMENDATION: Because of the immediate and increasingly sophisticated nature of cyberthreats, the Office of the Assistant Secretary of the Navy for Research, Development and Acquisition (ASN[RDA]), in collaboration with the Office of the Secretary of Defense and the National Security Agency, should conduct a thorough examination of technical opportunities and architectural options and develop a comprehensive plan for reengineering naval networks and computing enclaves to be resilient through cyberattacks by sophisticated adversaries. This plan needs to go beyond commercial best practices, incorporating advanced technology and procedures that have been developed by DOD research agencies, mission assurance concepts, and active defense. The plan should also establish operational metrics, baseline these metrics, and set goals for their improvement.

The cyber task force being promoted by the DON CIO, as noted earlier, raises the important point of the need for integrating strategies and activities across cyberdefense, cyberattack, and cyber exploitation. This point was also made in several other discussions that the committee had that are not publicly releasable. The committee does present in Chapter 3 a brief general discussion on the operational merits of integrating cyber offense with cyberdefense. The committee also found that the acquisition and development community often views information assurance in isolation. On the operational side, the committee found that the need for integration was well appreciated at the upper echelons, but less so at the lower echelons. These observations led to the following finding and recommendation, which stand as a major overall theme in this report.

FINDING: Information assurance can no longer be treated as an isolated subject, as has traditionally been the case.

RECOMMENDATION: Information assurance should be integrated more broadly with mission assurance to achieve the desired effects—that is, maintaining the availability of networks and the integrity of data and at the same time establishing a broad set of approaches for fighting through successful attacks. The defensive capability provided by information assurance should be supported and augmented by cybersurveillance and cyberattack—just as defense in “traditional” naval warfighting operations is integrated with surveillance and attack.

The remaining chapters of this report elaborate on these findings and recommendations and provide additional recommendations for improving matters.