Information Assurance for Network-Centric Naval Forces

3 Mission Resilience—Viewing the Threat in Operational Terms

The Department of the Navy (DON) has continued to move toward its network-centric operations vision, depending on commercial information technology (IT) solutions as a principal enabler. The evolving combination of people; weapons; concepts of operations (CONOPS); tactics, techniques, and procedures (TTPs); and advancing information system capabilities continues to enhance naval capabilities across a broad range of missions. The use of integrated commercial off-the-shelf (COTS) IT and interconnected network infrastructures for network-centric command-and-control (C2) systems has helped the department gain many advantages (more informed decision making, improved shared situational awareness, improved information sharing, speed of action, efficiency and synchronization of operations, precision, and cost efficiencies). Future plans extend the use of such COTS IT products into combat weapons systems and bring about an increased convergence between and among C2 capabilities and combat weapons systems.¹ The resulting COTS-based capabilities are anticipated to remain at the heart of DON operations and mission capability.

It has been known for some time that these complex COTS-based capabilities are vulnerable to exploitation and attack.² As described elsewhere in this report, it is now apparent that potential adversaries are vigorously working to exploit these vulnerabilities in a variety of ways, including the creation of vulnerabilities through the global electronics and software supply chains (for example, a foreign adversary embedding malware into a device before shipping).³

One can categorize the cyber vulnerabilities of military systems by the type of opportunities that these systems provide to adversaries:

• Espionage or theft of intellectual property, and
• Cyberwarfare (attacks on information capabilities to degrade warfighting capability; such attacks can be in the form of denial of service or manipulation of information and, in the extreme, manipulation or denial of weapons systems).

ADDRESSING NIPRNET AND SIPRNET THREATS

Based on presentations to this committee, most of the current attempted network intrusions that the Department of Defense (DOD) is experiencing are focusing on espionage and intellectual property theft. However, it is widely recognized that adversaries with the capability to exploit military systems for information theft can also apply these capabilities to cyberwarfare.⁴ The remainder of this chapter addresses the operational response to cyberwarfare from the perspective of mission assurance.

Naval forces are equipped with a variety of communications and information capabilities that are critical to their warfighting capabilities. (A current general layout for such systems and their computer network defense-in-depth structure is shown in Figure 3.1.) Among the communications networks available to naval forces is the Non-Classified Internet Protocol Router Network (NIPRnet), an unclassified network that, among other things, provides users with access to the Internet. It is widely recognized that the Internet/NIPRnet connection provides an avenue for adversaries to conduct cyberattacks, including denial-of-service attacks.⁵ The widely reported 2006 cyber penetration that disabled the Naval War College’s information network is but one such example.⁶ Today, loss or degradation of the NIPRnet aboard ship and ashore, through a denial-of-service attack, would degrade operations. The primary warfighting areas impacted by NIPRnet loss would be logistics and administrative capabilities.⁷ However, closed radio-frequency voice and data communications networks supporting, for example, air wing (aviation) and expeditionary combat capabilities are physically separated from the NIPRnet and would not necessarily be directly impacted by NIPRnet loss. Navy ship crews as well as Marines indicate that they could work around a NIPRnet loss by shifting many NIPRnet users and capabilities onto other available on-ship information networks, such as the Secret Internet Protocol Router Network (SIPRnet), the Joint Worldwide Intelligence Communications System (JWICS), tactical data links, and secure single-channel radio and secure voice systems. However, such shifting would take time and prior coordination, would use channel capacity that may have been designated for other uses, and would likely be effective for a limited time period. If these alternatives are to be used, standardized CONOPS and procedures must be developed across all naval forces and supporting organizations that recognize and practice communications workarounds and autonomous operations with organic sensors on a regular basis. In addition to allowing those involved to “practice as one will fight,” these procedures would serve to better inform the operational forces of the true impact of denial-of-service attacks and, through practice, would likely result in better backup procedures.⁸

FIGURE 3.1 Naval forces’ defense-in-depth computer network defense for shore and afloat infrastructure. SOURCE: Michael Davis, Space and Naval Warfare Systems/Program Executive Office for Command, Control, Communications, Computers and Intelligence (SPAWAR/PEO C4I) Public Presentation, “Information Assurance, What Every Manager Needs to Know,” January 10, 2008. Available at <http://www.afcea-sd.org/docs/smallbusiness/IA_Security%20overview1a%20Rev%201_Mike%20Davis.ppt>. Accessed November 10, 2008. NOTE: Acronyms are defined in Appendix A.

¹ Examples include the Aegis cruiser’s open architecture, which uses commonly available computer resources, and the DDG-1000 (a planned new class of the Navy’s multimission ships), which has a single, commercially based network infrastructure supporting all shipboard functions.
² For example, see “The State of Offensive Affairs in the COTS World” at <http://www.fastcompany.com/magazine/127/nexttech-fear-of-a-black-hat.html>. Accessed February 26, 2009.
³ Defense Science Board. 2007. Mission Impact of Foreign Influence on DOD Software, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Washington, D.C., September.
⁴ See Jason Sherman, 2008, “DOD Draws Lessons from Cyber Attacks Against Georgia,” Inside Defense, Washington Defense Publishers, November 10; and John Markoff, 2008, “Before the Gunfire, Cyberattacks,” New York Times, August 13. Also, Office of the Secretary of Defense, 2008, Annual Report to Congress: Military Power of the People’s Republic of China, Washington, D.C., pp. 3, 4, and 21, warned that China appears to be aggressively pursuing cyberwarfare capabilities as a key part of its asymmetric “noncontact” warfare strategy. See <http://www.defenselink.mil/pubs/pdfs/China_Military_Report_08.pdf>. Accessed February 26, 2009.
⁵ For example, see Erica Naone, 2008, “The Flaw at the Heart of the Internet,” MIT Technology Review, Vol. 111, No. 6, November/December, pp. 63-67.
⁶ “Computer Attack Shuts Down Naval War College Networks,” 2006, Inside Defense, Washington Defense Publishers, Washington, D.C., November.

Successful attacks on SIPRnet/JWICS could be much more debilitating than loss of the NIPRnet would be.
Today’s networked force relies on the SIPRnet and JWICS for a host of primary warfighting functions, including secure command and control, shared situational awareness, synchronization of joint efforts, access to imagery and other intelligence, mission planning and execution, precision targeting, fires, and battle damage assessment. An example that raises concern is based on committee briefings and public reports which suggest that the DOD’s NIPRnet used by naval forces has been penetrated. A recent report to Congress from the U.S.-China Economic and Security Review Commission states: “China can access the NIPRnet and views it as a significant Achilles’ heel and as an important target of its asymmetric capability [emphasis added].”⁹ It also appears that classified networks such as the SIPRnet face many of the same risks as those confronting the NIPRnet.¹⁰

On the basis of presentations that it received, the committee holds the view that discussions on information assurance (IA) policy across many sectors of the DON are currently centered on how to manage and protect information on networks without reference to the actual use of the information—that is, IA protection policies are not sufficiently being related to the criticality of operations being supported. In the view of the committee, it is important to understand the inventory of mission-critical functions residing on the NIPRnet, SIPRnet, JWICS networks, and the Internet, as well as to assess and understand the consequences of the reduced warfighting capabilities that would result should these networks and systems become degraded. Obvious questions are raised, such as, What is the impact on logistics and other warfighting capabilities should there be a major event that denied access to the NIPRnet and Internet? For example, according to current operational procedures, support contractors, suppliers, and logistics information must be able to directly access the Internet to do their jobs. One must also consider the operational significance if, for example, logistics support was diverted to an unintended location through malware’s tampering with network-based information.

In addition to the risk of Internet Protocol (IP) network attacks, today’s TDLs (such as Link 16), and secure single-channel radio links, including secure satellite communications, are also potentially at risk. However, these networks are believed to be more secure because of the closed nature of their architecture and—except in the case of a potential kinetic attack—would likely continue to operate independent of cyber events associated with IP networks (such as the NIPRnet). Of particular concern through the next decade is the need for both more broadly available and more-protected satellite communications capabilities to support users without terrestrial connections such as ships afloat.¹¹

⁷ While the impact of the loss of the NIPRnet over time should not be minimized, most immediate real-time warfighting capabilities reside on the Secret Internet Protocol Router Network (SIPRnet) and Joint Worldwide Intelligence Communications System (JWICS). One of the potential consequences of a denial-of-service attack on the NIPRnet is that much of the traffic that ordinarily rides this network might revert to the SIPRnet or JWICS for those users with access to these networks. This could result in traffic-flow congestion on those networks, forcing them to operate at a reduced capability unless some form of network traffic control was imposed.
⁸ Potential new backup procedures should also explore approaches for exploiting those parts of the naval forces structure that can offer potential resilience and restoration benefits, be they the submarine force and its covert capabilities to carry out special functions or the nuclear-powered vessels with the ability to operate autonomously for long periods of time.
⁹ 2008 Report to Congress of the U.S.-China Economic and Security Review Commission, 110th Congress, 2d Session, November, p. 166. Available at <http://www.uscc.gov/annual_report/2008/annual_report_full_08.pdf>. Accessed February 26, 2009.
¹⁰ For example, the Los Angeles Times reports that at least one highly classified network was compromised in a recent severe malware attack at the DOD. See Julian Barnes, 2008, “Cyber-Attack on Defense Department Computers Raises Concerns,” Los Angeles Times, November 28.
¹¹ In a related effort, the Transformational Satellite Communications (TSAT) System has been proposed by the DOD; if delivered as currently specified, it would provide military services with high-data-rate military satellite communications and Internet-like services. Touted by the DOD as the spaceborne element of the Global Information Grid (GIG), the TSAT system of satellites is intended to extend the GIG to users without terrestrial connections, such as naval afloat forces, and has been projected by the DOD to vastly improve satellite communications for the warfighter. However, the TSAT program has not been fully funded by Congress, and the date of its availability is uncertain. (Andy Pasztor, 2008, “Pentagon Delays Program to Build New Satellite System,” Wall Street Journal, October 21, p. 7, reports that TSAT has been indefinitely delayed.) Meanwhile, the Navy purchases a significant portion of its bandwidth from commercial satellites.

An important example of the dependence on widely available secure communications is the emphasis by the Marine Corps on the use of commander’s intent and mission-type orders. The loss of communications would have a detrimental impact on the operating capability and effectiveness of the Marine Corps, particularly when it is working with joint and coalition forces. In the committee’s view, for mission resilience the Marine Corps needs to consider establishing multiple diverse reach-back facilities, where the operating forces can access “protected” enclaves of key protected data such as intelligence and logistics information that are critical to the mission. The Marine Corps also needs to conduct an end-to-end review of the original sources of its information to determine the vulnerability of those sources to denial of service or misinformation insertion. In another example, the committee’s discussion with representatives of the Pacific Fleet indicated a relatively recent move to place a strong focus on this mission-resilience topic and the assurance of continuous “last mile” connectivity. The Pacific Fleet initiative is a good exemplar for the DON at large.¹²

As discussed in Chapter 2, threat data, coupled with the importance of information to network-centric warfare, have caused the DOD and the DON to consider new IA management arrangements and to set in motion new initiatives related to IA. Threats and attempted intrusions across all DOD networks are documented to be growing rapidly in both number and level of sophistication over recent years.¹³ However, from an operational point of view, because the IT networks are considered to be central and critical to the warfighting mission of naval forces, the committee finds the pace of implementing solutions to the growing threat to be inadequate.

Confounding the ability to assess the vulnerabilities and consequences of attacks on naval systems is the myriad of hardware and software configurations that are in use, especially in the cases of legacy systems that may not have the latest security updates or that may lack the proper C2 security structures. The Navy’s Cyber Asset Reduction and Security (CARS) initiative¹⁴ will assist in improving this inconsistent posture by reducing the number of legacy networks across naval forces, providing an inventory of their use, and improving total system security through reducing the potential entry points for external threats. In addition, from a material development perspective, new systems are being developed throughout the DON that are crucially dependent on software for their operation. Even if these systems are not intended to operate on the Global Information Grid (GIG), many may be connected to it for support functions (logistics, maintenance, or training), creating a potentially significant source of IA vulnerabilities.

Because of the immediate nature of the threat to critical information shared on the NIPRnet and legacy networks, the committee recommends that the following mitigating actions be initiated immediately.

MAJOR FINDING: Naval operations are highly dependent on information derived through all networks, including the Non-Classified Internet Protocol Router Network (NIPRnet) and legacy networks. The committee has seen evidence to suggest that the NIPRnet and legacy networks are highly vulnerable, and yet mission-critical functions such as managing logistics are being conducted on these shared networks.

MAJOR RECOMMENDATION: To help address and reduce current perceived network risks related to the NIPRnet and legacy networks, the Department of the Navy should carry out the following:

• Undertake a systematic risk analysis to understand the mission impacts that could be created by information assurance failures. This analysis should be based on an understanding—derived through appropriate doctrinal, operational, procedural, and technical analyses—of the information and applications that reside on the networks and how they contribute to mission success.
• Evaluate the implementation of controls that balance operational security risks in posting information on the NIPRnet with the need for information sharing.
• Begin to design, architect, and implement the Department of the Navy’s networks and systems with an objective of better separating the functions of mission-critical command-and-control systems, logistics, supply, and welfare and morale systems in such a way that an IA compromise in one of these functional areas does not create an IA compromise in others.
• Begin to develop IA operational doctrine that includes being able to conduct mission-critical operations with reduced information capabilities, minimize the time for restoration (reestablishing confidence in capabilities and data), and conduct training exercises for fighting through information attacks, including backup plans for the last mile of connectivity.

¹² Examples briefed to the committee by the Pacific Fleet for robust network capability include the application of split IP. In this approach, end-to-end, two-way communication is accomplished through the use of a narrowband highly protected uplink such as Military Strategic and Tactical Relay (MILSTAR) and a robust wideband downlink such as the Global Broadcast System to complete IP transactions.
¹³ For example, the committee has been briefed on data showing that across the Navy sensor grid in 2007 there were hundreds of thousands of alarms characterized as high-level alarms, which, after analysis, generated hundreds of reportable incidents or events. Approximately 10 percent of these reportable events were found to have been caused by actions generally attributed to sophisticated adversarial activities. (CAPT Roy Petty, USN, Commanding Officer, Navy Cyber Defense Operations Command, “Overview of Navy Cyber Defense Operations Command,” presentation to the committee, April 28, 2008, Norfolk, Va.).
¹⁴ Directed by the Chief of Naval Operations (CNO), CARS is a Navy-wide mission under the operational direction of the Naval Network Warfare Command, assigned to reduce the Navy’s total ashore IT assets that are classified as secret or at a lower level by at least 51 percent by September 2011 and to improve IT security, interoperability, and return on investment. Additionally, by December 2008, it is planned that CARS will deliver full insight into the Navy’s total IT asset inventory and the costs associated with delivering and maintaining business and warfighting IT systems and networks. Charles Kiriakou, Head, Cyber Asset Reduction and Security Solution and Security Division, NETWARCOM, “Operations Cyber Asset Reduction and Security, Excepted Network IA/CND Suite Strategy,” presentation to the committee, April 28, 2008, Norfolk, Va. (A January 2009 update of CARS reported that of the 1,200 individual Navy networks present when CARS was initiated, only 350 remain to be terminated. Also, during 2008, the CNO accelerated the mission completion time line from September 2011 to September 2010 and raised the bar for total network reduction from 51 percent to 90 percent. SOURCE: Naval Network Warfare Command. 2008/2009. InfoDomain, a publication of the Naval Network Warfare Command, Winter, p. 26.)

LAYING OUT A LONG-TERM OPERATIONAL APPROACH

Operational Response

It is generally recognized that a goal of developing an information assurance capability that would completely eliminate all risk of service disruption and tampering is unrealistic and infeasible. As a result, there is need for a risk-based approach¹⁵ that provides the basis for the DON to develop an integrated cyberattack, exploit, and defend strategy, coupled with a campaign of operational misinformation directed at potential adversaries. However, in addition to adopting a risk-based process for addressing specific IA issues, a well-defined strategy for addressing ongoing network-centric operations is also needed. Taking into account known and projected threat trends, the following operational areas will need ongoing IA-related attention and resources for assured naval network-centric success:

• Cyberdefense Concept of Operations. Naval forces tactics, techniques and procedures for fighting through a cyberattack need to be updated. Such TTPs form the basis for training and exercising against the increased likelihood of such events.
• Threat-Based Intelligence Analysis. There is a need for dedicated, all-source intelligence analysis directed at achieving a better understanding of U.S. adversaries and the threats that they pose—including the intent and capability to develop exploits and the ability to conduct large-scale and sophisticated cyber-attacks. A set of directed collection needs must be developed to address important unknowns regarding potential adversaries’ intent, and corresponding cyberwar plans must be developed. Results must be coupled with naval mission risk analyses to aid in designing improved mission strategy and tactics, to reduce IA risks, and to maximize the ability to fight through the IA threats. These results would not only be used to stimulate operational responses, but would also stimulate research into the means of achieving the needed collection.

¹⁵ Such an approach is described in Chapter 5.

• Mission Planning and Analysis. An effort is needed to model the information dependencies for various naval mission(s), both those conducted solely by naval forces and those conducted as a component part of a joint task force or a coalition force. Models should support the evaluation of degradation in warfighting capabilities owing to current and projected or likely future enemy cyberattack vectors.¹⁶ Mission planning and analysis include (1) the development of integrated cyberattack scenarios; (2) models for exploitative and defensive responses, as well as service restoration strategies and tactics;¹⁷ (3) models related to the use of deception as a cybersecurity strategy;¹⁸ and (4) the use of built-in diversity and fallback strategies and tactics that could permit operation in the face of debilitating cyber and physical activity. Based on these analyses, mission plans and system information assurance requirements need to be developed and prioritized by their impact on the risk of naval forces failing to accomplish their mission objectives.
• Minimum and Essential Backup Systems. Where necessary—and as defined by potential mission risks—naval forces need to be prepared to revert to a minimum essential capability that is as immune to information denial, exploitation, or manipulation as is reasonably possible (analogous to the Minimum Essential Emergency Communications Network used for command and control of nuclear forces).¹⁹ This most basic capability could be as simple as a secure voice-based order wire and/or command wire, independent of normal Internet Protocol networks, augmented with a simple situational display capability. Should new backup systems be developed, consideration should be given to the development of products that are different from the naval standard selections (e.g., different operating systems, different database systems, and so on) to provide diversity that reduces the likelihood of common attack modes.
• Resilient Systems. Naval weapons and information systems, mission strategies, and tactics need to be designed to be more resilient and effective in the face of known and projected IA threats. The Pacific Fleet initiative discussed previously provides a start for a communications system oriented toward addressing this need. This focus on communications systems needs to be expanded to include building resilience for network systems, and it also needs to be expanded beyond the Pacific Fleet.
• Training and Exercise. There is a need for development of significantly enhanced training materials and exercises aimed at improving the proficiency of the DON in utilizing available resources to meet mission objectives in the face of current and projected IA threats. These training materials and exercises should focus on attack recognition and recovery, depending on alternative means of providing command, control, intelligence, and logistics to provide the needed resiliency to successful attacks. They should also include a regular schedule of realistic red- and blue-team exercises based on intelligence estimates of adversary doctrine and CONOPS.
• Integrated Wargaming. Through the years, the Navy and Marine Corps have been leaders in conducting war games that simulate future scenarios and threats. These war games serve to educate and inform current and future leaders on evolving threats, validate naval doctrine and concepts, introduce new and controversial thought, and help formulate budget decisions. The committee believes that expanding the scope of these types of games to include heavy emphasis on cyber operations and mission assurance, using a broad range of cyber experts to formulate the exercises, would serve to better position Navy and Marine Corps leaders to make better operational and IA investment decisions in the future.
• Increased Use of More Secure Networks. There is a need to move critical functions and sensitive information to more restrictive, better-protected communications channels, such as the SIPRnet, where possible. Multiple independent sources for key information elements (to hedge against malicious data manipulation) need to be employed wherever practical. Movement of more information to the SIPRnet may also require movement of the software systems that manage the information. As a general IA practice, only inspected, pristine instances of software packages should be installed on the SIPRnet, and systems currently operating on the NIPRnet should be regarded as infected.
• Addition of More Diversity into the Naval Information System Architecture. Over time, the consolidation of what once were physically separated network nodes and facilities (e.g., satellite terminals, technical control facilities, and so on) has taken place, so as to achieve more efficient and economical operations. This consolidation has often been achieved at the expense of operational diversity. Consequently, there has been the unintended creation of network-wide single modes of failure that could have major direct impacts on operations. The committee believes that an end-to-end review of the current and planned network architecture (to include the IA-related weapons platforms and centralized information nodes) is in order. This review should include a risk assessment of the total command, control, communications, computers, and intelligence (C4I) infrastructure, supporting a prioritization of investments that would add diversity to the overall naval system architecture.
• Reduction of Risks Related to Insider Threats. Cybersecurity threats from insiders can pose an IA challenge for even the most secure network system. In addition to concerns associated with the potentially harmful accidental actions of insiders, lessons from past insider malicious actions in naval systems are also instructive.²⁰ The Navy and Marine Corps need to deploy insider monitoring capabilities to detect malicious (or poorly trained) insiders operating within their privilege—or suborned computers operating with legitimate user privilege—but conducting activities outside their normal responsibilities or outside their established and approved patterns of behavior. It should be possible to leverage ongoing activities in counterintelligence and law enforcement to further develop tools for effective monitoring. Insider monitoring can also be extended to correlate physical usage issues (such as accessing computing enclave areas at odd hours) with computer usage.²¹
• Improvement of Attribution Capability. Better capabilities are needed to enable confident attribution of attacks to sources, thereby permitting the initiation of stronger responses, when appropriate, from both a political and a military perspective. In addition, better attribution could potentially serve to facilitate legal recourse.
• Updating of Cyberwar Doctrine. Both the Navy and the Marine Corps need to review their warfighting doctrine and concepts to ensure that the actions, effects, and reactions to computer network attacks, including computer network defense and computer network exploitation, are adequately addressed in the appropriate documents. Policies and lines of authority in these areas must be unambiguous.

¹⁶ A discussion of potential kinetic capabilities for disrupting satellite communications can be found in Shirley Kan, 2007, China’s Anti-Satellite Weapon Test, Congressional Research Service, Washington, D.C., April 23.
¹⁷ Additional discussion on the merits of integrating offensive and defensive cyber operations is included in the final section of this chapter.
¹⁸ A discussion of military deception as a core capability of information operations is provided in DOD Joint Publication 3-13.4, Military Deception, July 2006. Available at <http://www.dtic.mil/doctrine/jel/new_pubs/jp3_13_4.pdf>. Accessed February 23, 2009.
¹⁹ The Minimum Essential Emergency Communications Network is designed to provide secure, high-fidelity, jam-resistant, and survivable communications links between the National Command Authorities and the Strategic Nuclear Forces throughout all phases of strategic conflict. Supporting efforts assure an informed decision-making linkage between the President, the Secretary of Defense, and the Commanders of the Unified and Specified Commands. (See Defense-Wide/07 Appropriation/Budget Activity, 2005, Exhibit R-2, RDT&E Budget Item Justification, R-1 Line Item No. 167, February, p. 1. Available at <http://www.dtic.mil/descriptivesum/Y2006/DISA/0303131K.pdf>. Accessed February 20, 2009.)
²⁰ For example, see Laura J. Heath (Georgia Institute of Technology), 2005, “An Analysis of the Systematic Security Weakness of the U.S. Navy Fleet Broadcast System, 1967-1974, as Exploited by CWO John Walker,” Master of Military Art and Science Thesis in Military History, Army Command and General Staff College, Fort Leavenworth, Kans., September 14. Available at <www.stormingmedia.us/03/0396/A039634.html>. Accessed February 24, 2009.
²¹ Recent reports describing strategies for insider risk mitigation include Insider Threat Study: Illicit Cyber Activity in the Government Sector (Eileen Kowalski, Tara Conway, Susan Keverline, and Megan Williams of the National Threat Assessment Center, U.S. Secret Service, Washington, D.C., and Dawn Cappelli, Bradford Wilkie, and Andrew Moore of the CERT® Program, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pa., January 2008); and Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis (Stephen R. Band, Dawn M. Cappelli, Lynn F. Fischer, Andrew P. Moore, Eric D. Shaw, and Randall F. Trzeciak, Technical Report CMU/SEI-2006-TR-026, ESC-TR-2006-091 CERT® Program, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pa., December 2006). These studies, along with additional case analysis, statistics, and best practices related to insider threat reduction, are available at <www.cert.org>. Accessed February 26, 2009.
Culture Change

A significant change in organizational outlook regarding the importance of information assurance is required if the recommendations of this report are to be meaningfully addressed. In turn, an organizational culture change in the way that systems are built and operated is a key to achieving important IA risk reduction. The committee recognizes that achieving desired improvements in IA will require substantial time and effort and that it is thus important to get the necessary organizational realignment efforts started as soon as possible. In the view of the committee, the required efforts include addressing the following subjects:

• Raising awareness of the cyberthreat by educating, training, and sensitizing the entire leadership and the general workforce to the importance that senior leadership attaches to information assurance in naval organizations;
• Designating senior officers who are held accountable for protecting the valuable information resources that support individual naval operations; responsibilities should be unambiguous, with commensurate authorities (see Chapter 6 for a discussion of IA organizational authority and recommendations);
• Regularly reviewing and/or revising information policies to ensure that they are clear and commensurate with the current threat, state of technology, and operational importance of the information assets that they govern;
• Providing the educational courses, tools, and skills that senior officers need in order to make informed risk management decisions regarding the tradeoffs between IA and opportunities to improve the efficiency of a network infrastructure. The underlying risk analysis methods must be designed to standard assumptions across platforms, so that judgments of individuals are normalized across the Department of the Navy;
• Extending the view that IA and cyberdefense need to employ the full suite of available tools, including deterrence, deception, resilience, and continuity of critical operations while under attack;[22]
• Raising the bar of entry against any adversary attempting to introduce vulnerabilities throughout the system life cycle and supply chain. Given the growing reliance on foreign commercial IT partnering and outsourcing, this threat has become increasingly likely (see the Chapter 4 sections entitled “Architectural Views for Navy Information Assurance Risk Mitigation” and “Information Assurance Research and Development” for technical strategies for raising the bar of entry).
• Developing and deploying deterrents and deception techniques in order to increase the difficulty of exploitation.

[22] Joint Staff (LTG Walter L. Sharp, USA, Director). 2006. Joint Publication 3-13, Information Operations, February 13, provides further guidance for military information operations planning and execution in support of joint operations. Available at <http://www.fas.org/irp/doddir/dod/jp3_13.pdf>. Accessed February 23, 2009. The committee also argues in Chapter 6 for organizational changes to help drive the DON’s integrated approach.
FINDING: Given the current trends related to increasing information system vulnerability, naval forces face significant and growing risks of being unable to execute assigned missions.

RECOMMENDATION: The Department of the Navy should undertake a systematic effort to understand, assess, and strengthen mission capability in light of threats to communications, networking, and information processing systems. This effort should be threat-based; it should include increased operational training and exercises to improve proficiency in working through degraded information environments, using advanced red teams to represent adversarial actions; and it should emphasize educating, training, and the holding of commanders accountable for the protection of the information and networks over which they have responsibility.

INCREASING LEVELS OF INTEGRATION AND SUPPLY CHAIN RISKS

The Department of the Navy’s ongoing movement toward integrating information networks (such as the NIPRnet and SIPRnet) with combat weapons systems increases the risk of cyberattacks’ disrupting of weapons systems as well as command-and-control functions. In addition, the Navy’s open-architecture approach, which uses commonly available commercial products as the computing infrastructure for weapons programs such as Aegis, increases the vulnerability to supply chain attacks of the type described in Chapter 1.[23]

Commercial electronics hardware and software supply chains are increasingly subject to the possibility that adversaries will intentionally incorporate vulnerabilities into hardware and software somewhere in the life cycle between the original equipment development, manufacture, and shipment and the procurement of replacement parts. The risk is greatly exacerbated by the global sourcing of IT hardware and software development, manufacturing, and fielding that takes place today.[24] Currently, nearly all key components used in commercial IT products are developed abroad, with many developed in China, for example.

Recognizing the supply chain risk, the DON may need to revert for certain critical mission applications to a much more trusted supply chain, which could lead to unattractive cost and availability implications. Solutions to resolve this issue should be the focus of naval policy analysis that reconciles cost and other adverse implications with the corresponding reductions in mission risks. In addition to adopting a risk management approach to the supply chain, some specific

[23] Commonly available commercial computers and infrastructure, planned for use in weapon systems such as the DDG-1000 and the next-generation Aegis may contain malicious functionality, which increases the risk that weapons systems may not perform as expected in combat.

[24] For example, see Brian Grow, Chi-Chu Tschang, Cliff Edwards, and Brian Burnsed, 2008, “Dangerous Fakes,” BusinessWeek, October 2.
operational mitigation techniques for reducing supply chain risks are suggested below:

• Know the provenance of suppliers,
• Protect purchasing information,
• Hide the buyer’s identity,
• Have a diverse set of suppliers,
• Mandate transparency in design and manufacturing for buyer protection,
• Limit access for external maintenance and service providers in order to make this avenue of modification harder,
• Minimize the time required between the decision to purchase an item from a particular supplier and the delivery of the item in order to shorten the adversary’s window of opportunity,
• Implement trusted distribution processes, and
• Test components after upgrading to increase the odds that a covert modification will be found.

While the IT software and hardware supply chain issue is a DOD-wide issue, the DON should be aware of the concerns and the mitigating operational actions listed above as it develops and implements new mission-critical systems. A recent Defense Science Board report discusses many of these supply chain concerns and outlines potential courses of action for the DOD enterprise-wide organization.[25]

FINDING: In light of current and evolving IA threats, the trends of increasing functional integration and reliance on commercial off-the-shelf IT represent a significant increase in risk to mission operations going forward.

RECOMMENDATION: The management of evolving IA risks requires more attention from the Department of the Navy. For example, the committee believes that it is important to maintain physical separation between the command-and-control information networks (for example, the NIPRnet and the SIPRnet) and combat weapons systems (such as the Aegis, F/A-18, F/A-35, and others). This would reduce the risks of weapons systems being adversely impacted by Internet Protocol network attacks. The committee recommends that the risks associated with the current trend toward highly converged network infrastructure be examined in the context of evolving cyberthreats, including both network-borne and supply chain risks, and that mitigation techniques be developed to address these risks.

[25] See Defense Science Board, 2007, Mission Impact of Foreign Influence on DOD Software, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Washington, D.C., September, for a more detailed discussion of issues raised by the growing use of COTS products developed offshore and DOD programs currently underway to address the associated assurance issues.
The committee recognizes that in selected cases, direct connections may be appropriate (such as using Link 16 to connect targeting information from the SIPRnet to strike platforms such as Tomahawk or tactical fighters), provided appropriate cyber risk analysis is conducted and the appropriate interface has been established.

THE HUMAN ELEMENT

As the Department of the Navy becomes more network-centric in both its warfare and business processes, the need for increased expertise in cyber and IA technologies and application areas is critical. The network infrastructure has become a major support element for processes within the department, whether warfighting or support functions. In light of the emerging and evolving threat, the department needs to provide the same level of leadership, management, and resourcing to cyber-related issues that it provides to other critical warfighting technology support areas.[26] Accordingly, the committee views the cyber- and IA-related education and training of officers, enlisted personnel, and civilians as a major challenge that needs to be addressed, with the results having a large impact on the degree of information assurance that naval forces can expect. The challenge is heightened by the fact that this education and training must be accomplished within the overall naval education and training program that supports more than 350,000 people.[27]

Education and Training

For the purposes of this report, the committee uses the term “education” to represent formal college and postgraduate education that is principally directed toward the officer community; the term “training” is used to focus on job-specific process learning that is principally, although not exclusively, acquired by enlisted personnel. The committee believes that there is a current and growing need for increased awareness, education, and training in the DON for information assurance. To meet these awareness, education, and training needs, different approaches are required for various personnel at different levels:

• Improving awareness to provide broad exposure to the IA subject to high-level officers and civilians who constitute the leadership and operational team;
• Education to provide a deeper understanding of the IA subject for officers, select enlisted personnel, and civilians with careers dedicated to the information

[26] For example, the Navy provides dedicated training, management, and resourcing in its Naval Nuclear Propulsion Program.

[27] U.S. Government Accountability Office. 2006. Information Technology: DOD Needs to Ensure That Navy Marine Corps Intranet Program Is Meeting Goals and Satisfying Customers, GAO-07-51, Washington, D.C., December, p. 5.
operations community, and for the research, development, and acquisition community; and
• Training to provide process-oriented teaching for dedicated officer, enlisted, and civilian personnel supporting computer network defense and system administration, and satisfying the requirements of DOD Instruction 8570 requiring specific levels of information assurance training throughout the DOD.[28]

Identifying and Supporting the Cyber Workforce

Today, the DON’s cyber workforce (or “information operations career force” to use current naval terminology) is a mixture of dedicated and “as-assigned” personnel. It is composed of three distinct segments—officer communities, enlisted ratings, and civilian specialists, who possess the preponderance of appropriate skill sets to deliver information operations capabilities. For example, in the Navy, the officer designators include the following: 1610 (Information Warfare Special Duty Officer); 6440 (Limited Duty Officer, Information Warfare); 7440 (Warrant Officer, Information Warfare Technician Specialty); and 1600 (Information Professional Special Duty Officer). These are communities in which officers spend their entire careers supporting information operations, afloat and ashore. Additionally, those designated 1320 (unrestricted line officers) can support the area of electronic warfare (EW) when assigned to billets that require this skill if they have been trained. Out of 1,460 total billets for 1610 and 1600 officers, the Navy currently fills 1,196.[29]

Enlisted ratings that support the Navy’s information operations career forces include cryptologic technicians (CTs) and information systems technicians (ITs). The CTs have further subcategories, chief among which, in the information operations area, is cryptologic technician, networks (CTN), consisting of operators who play a primary role in conducting information operations. An IT’s primary role in the information operations area is computer network defense, in which a person may serve in a key role as a system administrator afloat. In the Navy today, there are 7,805 CTs and 787 ITs, and a small number of personnel from selected other ratings, who perform a computer network defense mission.

The officer and enlisted groupings referred to above are the primary component of the Navy’s information operations career force. Other personnel groupings may hold notable, specific information operations expertise, but their specific information operations capability is not considered to be their primary area of

[28] Assistant Secretary of Defense for Networks and Information Integration/Department of Defense Chief Information Officer. 2005. Information Assurance Workforce Improvement Program, DOD Instruction 8570, Department of Defense, Washington, D.C., December 19 (updated 8570.01-M, May 15, 2008).

[29] Patrick McLaughlin, Assistant Deputy Chief of Naval Operations for Manpower, Personnel, Training, and Education, N1B, “Overview of U.S. Navy Information Assurance Related Training and Education,” presentation to the committee, June 17, 2008, Washington, D.C.
expertise. Personnel in these groupings are assigned information operations-related tasks as a single-tour assignment, or as a collateral duty alongside other areas of warfare expertise.

A variety of factors must be considered in developing and supporting the Navy’s current information operations career force of 1,196 officers and approximately 8,600 enlisted personnel, as cited below:

Current DOD guidance makes no distinction between computer network defense and information assurance. However, the Navy does distinguish between computer network defense and information specialists (CTNs and ITs, respectively) and is currently preparing proposed changes to the DOD to introduce a difference between the two.[30]

The Navy/Marine Corps Intranet (NMCI) relies on a contracted workforce for the largest outsourced network in the world, which has approximately 650,000 users; however, the Navy does not appear to have good insight into the personnel specialties within the contracted workforce for the NMCI. Updating the workforce strategy for supporting NMCI’s anticipated replacement system, the Next Generation Enterprise Network (NGEN), will be an operational necessity, especially if current plans for managing key portions of NGEN with in-house DON civilian and enlisted IT personnel are to be successfully realized.

The Marine Corps has developed a baseline training and education program, for both their command, control, communications, and computers (C4) enlisted personnel and officers, that needs to be further developed to meet the current and evolving threat. The Corps has an established enlisted occupation field for networking/communication/technical personnel and information assurance personnel, including opportunities for select enlisted personnel to attend programs granting master’s degrees in information assurance. These steps have been taken because the environment of widely dispersed forces and distributed operations creates the need to provide network support to the force structure down to the platoon level, and even below in some cases. The increased warfighting emphasis and mission dependencies that are being placed on networked forces, coupled with the time required to develop a more educated and trained workforce and the rapidly changing technology field, lead the committee to believe that it would be appropriate for the Marine Corps to increase its efforts in IT-related training and education with its enlisted personnel, civilians, and officers.

With the exception of the few officers attending graduate-level programs at institutions, such as the Naval Postgraduate School, for most Marine Corps officers their formal education in information technology stops at the company-grade level. While many officers attain additional training at their own initiative,

[30] Patrick McLaughlin, Assistant Deputy Chief of Naval Operations for Manpower, Personnel, Training, and Education, N1B, “Overview of U.S. Navy Information Assurance Related Training and Education,” presentation to the committee, June 17, 2008, Washington, D.C.
such as through off-duty education, this is done on an ad hoc basis with no formal structure. The committee believes that there is a need to afford more C4 systems officers the opportunity to attend postgraduate-level education by establishing a formal, continuing-technical-education program for all C4 systems officers beyond the company grade, thereby providing a strong technical core knowledge in information technology and IA requirements.

There appear to be important gaps in the understanding of the cyberthreat situation among many senior Navy and Marine Corps personnel. To help address this concern, the committee suggests taking full advantage of the information technology program established by the DON for senior personnel, such as the Navy Flag and Senior Executive Service information technology programs, to address cyberdefense and other IA topics.[31] This will help senior officers better understand what information technology can do for them and what the corresponding IA risks are, while also providing a foundation for developing better policies and operational constructs based on the employment of information technology.

The above suggestion is made in addition to the committee’s recommendation that the Navy and Marine Corps seek more actively to recruit and develop a cadre of future naval leaders with formal degrees in computer science and related information technologies.

Career Paths

Career paths are well laid out for the dedicated officer and enlisted components of the Navy and Marine Corps information operations workforce. The DON’s Strategic Studies Group XXVII has recommended a dedicated cyber unrestricted line-officer community. The Studies Group’s long-term vision projects a cyber-based warfare community of equal status with the aviation, surface, and subsurface unrestricted line-officer communities.

The committee views cybersystems to be a critical component of a future commander’s warfighting capability—comparable to the propulsion, weapons, and logistical systems. Accordingly, commanders must be thoroughly trained and tested in all aspects of the information systems onboard their ships, submarines, aircraft, unit combat operations centers, and carriers, from both a maintenance and an operational perspective. The commander must be able to include integration of cyberwarfare (defensive and offensive) operational strategies with corresponding tactics into their warfighting operations and plans. For the committee, this means that IA considerations should, in the near future, be included in the training and exercising of officers, as well as in consideration of rotational assignments. Furthermore, proficiency in the art of cyberwarfare should be included as one of the prerequisites for career advancement.

[31] U.S. Department of Defense. 2006. Strategic Plan for Joint Officer Management and Professional Military Education, Washington, D.C., April 3.
Along these lines, the committee was briefed on work underway at Corry Station (Pensacola, Florida) that is aimed at taking a more strategic and aggressive approach toward addressing cyberdefense workforce development.[32] This program provides career pathways, training and education curriculum, and career progression roadmaps for network cyber warriors—from apprentice through master-level skill sets. The program also defines strategic throughput goals across the Services, growing from today’s approximately 400 personnel to double that amount over the next 5 years.[33]

The Corry Station program is a joint Services effort, including not only Navy and Marine Corps, but also Army, Air Force, and Coast Guard cryptologic and cyberdefense group participation. The Navy leads the joint effort and should be recognized for its vision in this area, as the committee views the Corry Station program to exemplify the type of strategic workforce development planning needed for future cyber operations.[34]

The committee recommends that the Corry Station program be aggressively supported and funded. In the committee’s view, the program would be further strengthened by engaging a set of external advisers to conduct a regularly scheduled review of the program curriculum. Such an external review is especially important to help the Corry Station program keep abreast of fast-paced developments in the cybertechnology world.

MAJOR FINDING: The Department of the Navy’s workforce, consisting of officers, enlisted personnel, and civilians, has not been required to possess a uniform, prerequisite set of knowledge and IT-related experience. Today’s IA-related threats and trends point to a need for the Navy and Marine Corps to address education, training, and career paths as part of the needed response to the growing IA risks and the growing importance of naval cyber operations. The Navy’s Corry Station cyber operations training program provides a strong and positive start toward meeting this need.

MAJOR RECOMMENDATION: The Office of the Chief of Naval Operations (CNO) and the Office of the Commandant of the Marine Corps (CMC) should establish a dedicated cyber workforce strategy to include all elements of personnel management (accession, reenlistment, retention, and assignment). Since cyber-related technology continues to evolve rapidly, the cyber workforce program for

[32] Although the committee did not directly address the needs or current composition of the workforce for the civilian professionals, a credible naval cyber workforce strategy must also address the future makeup and competency requirements for this segment of the naval workforce.

[33] Richard Matthews, Chief, National Information Assurance Research Laboratory, National Security Agency, “CNO Workforce Development Projections,” presentation to the committee, July 16, 2008, Washington, D.C.

[34] The U.S. Air Force has also recently published its proposal for cyber workforce training and education; see Karen Petitt, 2008, “Cyberspace Career Fields and Training Path,” U.S. Air Force Public Affairs Memorandum, Scott Air Force Base, Ill., July 2.
naval forces should also include measures to continuously modernize the Navy and Marine Corps training and education curriculum, including the development of formal relationships with universities and external advisers for guiding and supporting naval needs in cyber education and training.[35]

INTEGRATING CYBER OPERATIONS

In testimony before Congress, General Kevin P. Chilton, USAF, indicated that the United States Strategic Command (USSTRATCOM), through the Joint Task Force–Global Network Operations and the Joint Functional Component Command for Network Warfare, is leading the planning and execution of the National Military Strategy for Cyberspace Operations. In this role, USSTRATCOM will coordinate and execute operations to defend the GIG and project power in support of the national interests. General Chilton also testified: “As we continue to define the necessary capabilities to operate, defend, exploit, and attack in cyberspace, we ask for increased emphasis on DOD cyber capabilities.”[36]

Within this context, as the DOD defines policy and capabilities to defend, exploit, and attack in cyberspace as part of the overall cyberspace operations strategy, the DON must continue to ready itself both to receive the greatest naval advantage from such capabilities and to effectively support and be supported by joint functions.[37] In particular, new relationships between emerging cyber offense, exploitation, and defense will be established, requiring underlying concepts for integration, with supporting analysis. For example, integration could include cyberattack warriors imparting general knowledge and understanding to the cyberdefense warriors, perhaps suggesting specific system vulnerabilities that warrant attention. It may be that cyberattack warriors bring a specific attack goal orientation to the IA plan, whereas cyberdefense brings a possibilities portfolio orientation to the IA plan. Also, it may be that as these capabilities are defined, the cyber exploitation warriors can support intelligence collection and analysis regarding insight into what exploits adversaries may use in the future, and the cyberdefense warriors support intelligence efforts by pointing to areas of concern based on naval mission risk analyses. Also, cyber exploitation and cyberattack warriors may be able to inform exercises that include emulation of enemy CONOPS and TTPs.

As these capabilities are defined, the DON needs to assess the following: the pros and cons of various levels of defend, exploit, and attack operations integration; the mechanisms and procedures that would be most

[35] In developing its cyber workforce strategy, the Navy should consider the personnel practices of the Navy Nuclear Propulsion Program as described in Chapter 6 of this report.

[36] Gen K.P. Chilton, USAF, Commander, USSTRATCOM, public testimony before the Strategic Forces Subcommittee of the House Armed Services Committee, February 27, 2008.

[37] The committee believes that the Navy is well positioned to lead the way on integrated cyber operations with the Naval Network Warfare Command and its subordinate commands, the Navy Cyber Defense Operations Command and the Navy Information Operations Command.
effective; and the appropriate balance of investment among these activities. These assessments should serve to guide the relationships that support the broader DOD activities as well.[38]

Another aspect of integration relates to the multi-Service sensor information and communications network dependencies that specific weapon systems rely on. The naval forces require the support of non-naval information systems assets and must supply comparable information for other Services to use. Satisfaction of this need demands that the configuration of individual naval systems, including support systems from other Services, be accurately known and that sensor information on a system-by-system basis be made available to the Navy and Marine Corps, so that both technical and operational reconfiguration can be dealt with in a timely manner. Similarly the corresponding naval information should be made available to support joint commanders and the other Services as their systems require it.

The committee believes that the DON can contribute certain assets and capabilities to a more strategically integrated cyber operations effort that can add significant value to its own IA operations as well as to the broader DOD joint effort. As the needs for new integrated cyber-related operational capabilities have expanded, the Department of the Navy’s initiatives to create and expand the Naval Network Warfare Command have provided a solid foundation for evolving toward a more integrated approach to IA involving defense, offense, and intelligence. However, the committee sees an important opportunity to build on the existing foundation through the development of new concepts and plans that gain additional advantages through greater integration.

MAJOR FINDING: The four cyberspace IA-related domains of protecting, exploiting, attacking, and intelligence do not appear to be closely integrated in the Navy. In particular, the Department of the Navy does not appear to be aggressively considering and assessing alternatives to gain greater IA advantages through such integration.

MAJOR RECOMMENDATION: The Office of the CNO and the Office of the CMC should consider approaches for reducing the separation and enhancing the integration across emerging offense, defense, and intelligence organizations related to IA.

[38] Chapter 6 presents a more detailed discussion of naval forces cyber relationships and interdependencies with DOD joint operations.