Information Assurance for NETWORK-CENTRIC NAVAL FORCES

Committee on Information Assurance for Network-Centric Naval Forces

Naval Studies Board

Division on Engineering and Physical Sciences

NATIONAL RESEARCH COUNCIL OF THE NATIONAL ACADEMIES

THE NATIONAL ACADEMIES PRESS

Washington, D.C.
www.nap.edu



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page R1
Committee on Information Assurance for Network-Centric Naval Forces Naval Studies Board Division on Engineering and Physical Sciences

OCR for page R1
THE NATIONAL ACADEMIES PRESS 500 Fifth Street, N.W. Washington, DC 20001 NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance. This study was supported by Contract No. N00014-05-G-0288, DO #19 between the National Academy of Sciences and the Department of the Navy. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the organizations or agencies that provided support for the project. International Standard Book Number-13: 978-0-309-13663-1 International Standard Book Number-10: 0-309-13663-6 Copies of this report are available from: Naval Studies Board, National Research Council, The Keck Center of the National Academies, 500 Fifth Street, N.W., Room WS904, Washington, DC 20001; and The National Academies Press, 500 Fifth Street, N.W., Lockbox 285, Washington, DC 20055; (800) 624-6242 or (202) 334-3313 (in the Washington metropolitan area); Internet, http://www.nap.edu. Copyright 2010 by the National Academy of Sciences. All rights reserved. Printed in the United States of America

OCR for page R1
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences. The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering. The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibil- ity given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine. The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scien - tific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice chair, respectively, of the National Research Council. www.national-academies.org

OCR for page R1
COMMITTEE ON INFORMATION ASSURANCE FOR NETWORK-CENTRIC NAVAL FORCES BARRy M. HOROWITz, University of Virginia, Co-Chair NILS R. SANDELL, JR., BAE Systems Advanced Information Technologies, Co-Chair M. BRIAN BLAKE, Georgetown University CLyDE G. CHITTISTER, Carnegie Mellon University, Software Engineering Institute ANUP K. GHOSH, George Mason University RAyMOND HALLER, MITRE RICHARD J. IVANETICH, Institute for Defense Analyses JOHN W. LINDqUIST, EWA Information and Infrastructure Technologies, Inc. MARK W. MAIER, The Aerospace Corporation RICHARD W. MAyO, USN (retired), CACI International, Inc. ANN K. MILLER, Missouri University of Science and Technology DANIEL M. SCHUTzER, Financial Services Technology Consortium RALPH D. SEMMEL, Johns Hopkins University Applied Physics Laboratory ROBERT M. SHEA, USMC (retired), Smartronix JOHN P. STENBIT, Independent Consultant, Oakton, Virginia SALVATORE J. STOLFO, Columbia University EDWARD B. TALBOT, Sandia National Laboratories DAVID A. WHELAN, The Boeing Company Staff CHARLES F. DRAPER, Director, Naval Studies Board BILLy M. WILLIAMS, Study Director RAyMOND S. WIDMAyER, Senior Program Officer SUSAN G. CAMPBELL, Administrative Coordinator MARy G. GORDON, Information Officer SEKOU O. JACKSON, Senior Project Assistant SIDNEy G. REED, JR., Consultant iv

OCR for page R1
NAVAL STUDIES BOARD MIRIAM E. JOHN, Livermore, California, Chair DAVID A. WHELAN, The Boeing Company, Vice Chair CHARLES R. CUSHING, C.R. Cushing & Co., Inc. SUSAN HACKWOOD, California Council on Science and Technology LEE M. HAMMARSTROM, Applied Research Laboratory, Pennsylvania State University JAMES L. HERDT, Chelsea, Alabama KERRIE L. HOLLEy, IBM Global Services BARRy M. HOROWITz, University of Virginia JAMES D. HULL, Annapolis, Maryland LEON A. JOHNSON, Irving, Texas EDWARD H. KAPLAN, yale University CATHERINE M. KELLEHER, University of Maryland and Brown University JERRy A. KRILL, Applied Physics Laboratory, Johns Hopkins University THOMAS V. McNAMARA, Textron Systems JOSEPH PEDLOSKy, Woods Hole Oceanographic Institution HEIDI C. PERRy, Charles Stark Draper Laboratory, Inc. GENE H. PORTER, Nashua, New Hampshire JOHN S. qUILTy, Oakton, Virginia J. PAUL REASON, Washington, D.C. JOHN E. RHODES, Balboa, California JOHN P. STENBIT, Oakton, Virginia TIMOTHy M. SWAGER, Massachusetts Institute of Technology JAMES WARD, Lincoln Laboratory, Massachusetts Institute of Technology ELIHU zIMET, Gaithersburg, Maryland Navy Liaison Representatives RADM WILLIAM R. BURKE, USN, Office of the Chief of Naval Operations, N81 (as of September 26, 2007, through August 22, 2008) RADM BRIAN C. PRINDLE, USN, Office of the Chief of Naval Operations, N81 (as of August 25, 2008) RADM WILLIAM E. LANDAy III, USN, Office of the Chief of Naval Operations, N091 (through August 15, 2008) RADM NEVIN P. CARR, JR., Chief of Naval Research/Office of the Chief of Naval Operations, N091 (as of August 16, 2008) v

OCR for page R1
Marine Corps Liaison Representative LTGEN JAMES F. AMOS, USMC, Commanding General, Marine Corps Combat Development Command (through July 2, 2008) LTGEN GEORGE J. FLyNN, USMC, Commanding General, Marine Corps Combat Development Command (as of July 28, 2008) Staff CHARLES F. DRAPER, Director RAyMOND S. WIDMAyER, Senior Program Officer BILLy M. WILLIAMS, Senior Program Officer MARTA V. HERNANDEz, Associate Program Officer SUSAN G. CAMPBELL, Administrative Coordinator MARy G. GORDON, Information Officer SEKOU O. JACKSON, Senior Program Assistant vi

OCR for page R1
Preface Long before naval leaders began articulating network-centric warfare as a concept,1 the U.S. Navy integrated weapons and sensors at diverse locations to perform its missions. For example, in the mid-20th century, antisubmarine warfare operations depended on long-range but limited-accuracy sensors cueing an air platform so that it could deploy shorter-range but more-accurate sensors capable of yielding improved targeting. Today’s accelerating pace of advances in computing and communications capabilities has led to an even broader vision of network-centric operations that includes all military force operations in peace as well as war and in which network-centric operations have been defined as “military operations that exploit state-of-the-art information and networking technology to integrate widely dispersed human decision makers, situational and targeting sensors, and forces and weapons into a highly adaptive, comprehensive system to achieve unprecedented mission effectiveness.”2 One of the key attributes of network-centric operations is a reliable and robust capability to support well-informed and rapid decision making by military commanders at all levels, within a system of flexible and adaptable command relationships. Underlying this attribute, of course, is the need to ensure that accurate information is securely gathered, distributed, and stored in ways that are timely, trustworthy, and not subject to disruption, corruption, or exploitation by 1 For example, see VADM Arthur K. Cebrowski, USN; and John J. Garstka, 1998, “Network-Centric Warfare: Its Origin and Future,” U.S. Naval Institute Proceedings, January, pp. 28-35. 2 Naval Studies Board, National Research Council. 2000. Network-Centric Naval Forces: A Transi- tion Strategy for Enhancing Operational Capabilities, National Academy Press, Washington, D.C. vii

OCR for page R1
viii PREFACE the opposition.3 Ensuring such a capability implies protecting the network and the enabling information infrastructure, not only the information itself. Indeed, the profound importance of information assurance (IA) for network-centric opera- tions is highlighted in the Department of Defense’s (DOD’s) 2006 Quadrennial Defense Review: “Achieving the full potential of net-centricity requires viewing information as an enterprise asset to be shared and as a weapon system to be pro - tected.”4 More fundamentally, there is increasing recognition that the very nature of network-centric operations—which implies the interconnection of everyone and everything—introduces threats and vulnerabilities, allowing many points of potentially harmful entry and paths for propagation of opposition attacks on information. Indeed, the damaging effects of isolated domestic or international hackers on common commercial Internet grids are all too common; for example, a 2006 computer attack at the Naval War College forced the campus to shut down its con- nection to the Internet.5 The impact then of a concerted attack by an enemy nation or state against U.S. computing and communications resources and infrastructure is not only potentially drastic in scope, but also increasingly more likely to occur. In this regard a key issue is the abundant use of vulnerable commercial off-the- shelf technologies, and further complicating this trend is the growing movement toward a homogeneous information system infrastructure, presenting one “target.” Such realities present a threat to information assurance. In recent years the Department of the Navy (DON) has established its “FORCEnet” vision as the Navy’s approach to implementing network-centric operations.6 This vision presents an operational view of capabilities, architectures, and concepts inclusive of the entire naval force—a view that is heavily dependent on the assured security and reliability of the Navy’s information infrastructure. Also, the FORCEnet vision and systems for naval forces are both heavily inte - grated with and influenced by related information systems and networks across the entire DOD enterprise. The present study was motivated by this FORCEnet vision for naval network-centric operations, by recognition of the growing threats to information certainty, and by the need for better understanding and management of the many information assurance issues and influences both by naval forces and across the DOD. A basic premise of the study is the belief that in the FORCEnet/ network-centric world of the DON and the DOD, information assurance cannot 3 Naval Studies Board, National Research Council. 2000. Network-Centric Naval Forces: A Transi- tion Strategy for Enhancing Operational Capabilities, National Academy Press, Washington, D.C. 4 Department of Defense. 2006. 2006 Quadrennial Defense Review, Washington, D.C., February. 5 James Sherman. 2006. “Computer Attack Shuts Down Naval War College Networks,” Inside Defense, Washington Defense Publishers, Washington, D.C., November 27. 6 For additional background on FORCEnet, see National Research Council, 2005, FORCEnet Imple- mentation Strategy, The National Academies Press, Washington D.C.; and National Research Council, 2006, C4ISR for Future Naval Strike Groups, The National Academies Press, Washington, D.C.

OCR for page R1
ix PREFACE be treated as an isolated subject. Information assurance is not just about ensuring proper password practices, installing firewalls, and applying software patches, viewed in isolation from actual operations. Rather, information assurance as a critical requirement for operational success has to be fused with and subsumed into broader operational thinking, since the success of operations is the ultimate objective and measure of information assurance. Failure to accomplish informa - tion assurance would inevitably have a high negative impact on the ability of naval forces to achieve their missions. TERMS OF REFERENCE A letter dated December 7, 2007, from ADM Gary Roughead, Chief of Naval Operations, to Dr. Ralph J. Cicerone, President of the National Academy of Sci - ences, requested that the National Research Council’s (NRC’s) Naval Studies Board (NSB) conduct a comprehensive study on information assurance issues for U.S. naval forces. The purpose of the requested study was to review and address specific information assurance issues critical to network-centric naval operations, including vulnerabilities and potential mitigating actions that might be taken by the Department of the Navy.7,8 Accordingly, the National Research Council, under the auspices of its Naval Studies Board, established the Committee on Information Assurance for Network- Centric Naval Forces in February 2008.9 The study’s terms of reference, formu- lated by the Chief of Naval Operations’ staff in consultation with the NSB chair and director, charge the committee to produce two reports over a 12-month period. First, after its second full meeting, the committee was to produce a letter report that did the following: • Summarized the key information assurance initiatives underway within the Naval NETWAR/FORCEnet Enterprise,10 • Recommended any near-term information assurance needs for network- centric naval forces, and • Identified defense-related efforts that the naval forces should take advan- tage of and/or ensure compatibility with. 7Acronyms and abbreviations are provided in Appendix A. 8 The study’s full terms of reference are provided in Appendix B. 9 Biographical information for the committee members is presented in Appendix C. 10 The Naval NETWAR/FORCEnet Enterprise includes the Office of Chief of Naval Operations; the Naval Network Warfare Command; the Space and Naval Warfare Systems Command; the Program Executive Office for Command, Control, Communications, Computers, Intelligence (C4I) and Space; and others who provide C4I and information operations support to the naval forces.

OCR for page R1
x PREFACE The committee was requested to produce a comprehensive final report, follow- ing the letter report, that addresses the full terms of reference. The requested letter report was delivered to the Chief of Naval Operations in November 2008 and was briefed to multiple constituents during which discussions were held on many of the immediate IA issues. This report—the committee’s comprehensive final report—builds on the important areas identified in the letter report. The committee believes that it has responded productively and has provided a comprehensive analysis and solid recommendations for actions to help position network-centric naval forces for their continued mission assurance. THE COMMITTEE’S APPROACH In accomplishing its task, the committee took on a wide range of information assurance topics as requested in the terms of reference. The committee organized itself first to understand the nature of the naval information assurance issues and threats, then to understand current IA actions and responsibilites across both the DON and the DOD, and finally to formulate suggested IA responses and actions for naval forces that take into consideration operational, technical, and organiza - tional viewpoints and needs. The findings and recommendations in this final report are based on wide-ranging input from experts and documents, both internal and external to naval operations and the DOD, and on the committee’s own analysis, which draws on the expertise and experience of its members. The committee was first convened in March 2008. After its first two meet- ings, the committee drafted its interim letter report. It held additional meetings and site visits over a period of 6 months, both to gather input from the relevant communities and to discuss its findings and recommendations. An outline of the committee’s meetings is provided below: • March 5-6, 2008, in Washington, D.C. First full committee meeting. Brief- ings on information assurance issues, responsibilities, initiatives, strategies, and studies: Office of the Deputy Chief of Naval Operations for Communications Networks; Office of the Deputy Department of the Navy Chief Information Officer; Information Assurance Directorate, Naval Network Warfare Command; Office of the Deputy Assistant Secretary of Defense for Information and Identity Assurance; Director, C4, and Chief Information Officer, U.S. Marine Corps; Office of the Department of the Navy Chief Information Officer; and Office of the Director, Information, Services and Integration; Secretary of the Air Force Office of Warfighting Integration and Chief Information Officer; Air Force Scientific Advisory Board; and Defense Science Board. • April 10, 2008, at Fort Meade, Maryland. Site visit. Briefings on informa- tion assurance initiatives and strategies: National Security Agency, Information Assurance Directorate.

OCR for page R1
xi PREFACE • April 28-29, 2008, in Norfolk, Virginia. Second full committee meeting. Briefings on computer network defense, defense in depth, information assurance initiatives, Navy/Marine Corps Intranet, and naval information assurance strate - gies: Naval Network Warfare Command (including Navy Cyber Defense Opera- tions Command and Navy Global Network Operations and Security Center); and Network Systems Personnel—USS Normandy (CG-60). • May 29-30, 2008, in Washington, D.C.; Ashburn, Virginia; and Arlington, Virginia. Third full committee meeting. Briefings on the Next Generation Enter- prise Network, the Consolidated Afloat Networks and Enterprise Services, and the Comprehensive National Cyber Initiative: Office of the Deputy Chief of Naval Operations, Communications Networks; and Office of the Director of National Intelligence. Site visit. Briefings on network security and information assurance commercial best practices: Verizon Government Network Operations and Secu- rity Center. Site visit. Briefings on DOD global network operations, cyberdefense, and information assurance initiatives: Joint Task Force–Global Network Opera- tions (JTF–GNO). • June 17-18, 2008, in Washington, D.C. Fourth full committee meeting. Briefings on information assurance/cyberdefense-related programs, studies, and research and development: United States Marine Corps Network Operations and Security Command; Office of Information Assurance Division, Headquarters U.S. Marine Corps; Office of Deputy Chief of Naval Operations for Manpower, Personnel, Training and Education; the Defense Advanced Research Projects Agency; Office of Naval Research; the Naval Reseach Laboratory; and Office of Program Management, Program Executive Office (PEO) Ships. • July 16, 2008, at Fort Meade, Maryland. Follow-up site visit. Briefings on information assurance and cyberdefense-related initiatives: National Security Agency, Information Assurance Directorate. • July 17-18, 2008, in Washington, D.C., and Arlington, Virginia. Fifth full committee meeting. Briefings on information assurance and cyberdefense-related initiatives, studies, and commercial best practices: Chief of Naval Operations Strategic Studies Group; Computer Science and Telecommunications Board, the National Research Council; Office of the Chief Technology Officer, Defense Information Systems Agency; Office of Naval Intelligence; Citigroup Inc., IT Risk and Program Management; Verizon, Security Solutions Division; and Office of the Commander, U.S. Pacific Fleet. • August 4-5, 2008, in San Diego, California. Site visit. Discussion of IA- related issues, strategies, and initiatives: U.S. Navy Space and Naval Warfare Systems Command, PEO-Command, Control, Communications, Computers, and Intelligence (C4I); and the Office of the Commander, U.S. Third Fleet. • August 18-22, 2008, in Woods Hole, Massachusetts. Sixth full committee meeting. Committee deliberations and report drafting.

OCR for page R1
xii PREFACE • October 10, 2008, in Washington, D.C. Site visit. Office of the Director, Naval Nuclear Propulsion Program. The months between the committee’s last meeting and the publication of the report were spent preparing the draft manuscript, gathering additonal information, reviewing and responding to the external review comments, editing the report, and conducting the security review needed to produce an unclassified report.

OCR for page R1
Acknowledgment of Reviewers This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report: Brig “Chip” Elliott, BBN Technologies, Carl E. Landwehr, McLean, Virginia, Frank T. Leighton, Massachusetts Institute of Technology, Dawn Meyerriecks, Purcellville, Virginia, John E. Rhodes, LtGen, USMC (retired), Balboa, California, Jonathan M. Smith, University of Pennsylvania, William D. Smith, ADM, USN (retired), Fayetteville, Pennsylvania, and William O. Studeman, ADM, USN (retired), Severna Park, Maryland. Although the reviewers listed above provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommenda - tions, nor did they see the final draft of the report before its release. The review of this report was overseen by Robert J. Hermann of Global Technology Partners, LLC. Appointed by the National Research Council, he was responsible for making xiii

OCR for page R1
xiv ACKNOWLEDGMENT OF REVIEWERS certain that an independent examination of this report was carried out in accor- dance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.

OCR for page R1
Contents SUMMARy 1 1 BACKGROUND—NAVAL NETWORK-CENTRIC OPERATIONS, INFORMATION ASSURANCE, AND CURRENT CyBERTHREATS 12 Network-Centric Operation and Its Dependencies, 12 Nature of the Cyberthreat, 15 Assessment of Current Cyber Vulnerabilities, 26 Important Findings from Related Studies, 31 2 THE IMMEDIATE RESPONSE—CURRENT INFORMATION ASSURANCE AND CyBERDEFENSE INITIATIVES 33 Department of the Navy Chief Information Officer Information Assurance Initiatives, 35 Naval Network Warfare Command Information Assurance Initiatives, 36 Information Systems Security Program Initiatives, 39 Information Technology and Network Programs Information Assurance Initiatives, 40 Space and Naval Warfare Systems Command and PEO C4I Information Assurance Initiatives, 45 Fleet Information Assurance Initiatives, 45 Department of Defense-Wide Information Assurance Initiatives, 46 Other Information Assurance Initiatives, 48 Summary Assessment of Initiatives, 49 xv

OCR for page R1
xvi CONTENTS 3 MISSION RESILIENCE—VIEWING THE THREAT IN OPERATIONAL TERMS 51 Addressing NIPRnet and SIPRnet Threats, 52 Laying Out a Long-Term Operational Approach, 58 Increasing Levels of Integration and Supply Chain Risks, 63 The Human Element, 65 Integrating Cyber Operations, 70 4 A SUGGESTED TECHNICAL RESPONSE TO CyBERTHREATS AND INFORMATION ASSURANCE NEEDS 72 Architectural Views for Navy Information Assurance Risk Mitigation, 73 Information Assurance Research and Development, 83 Specific Considerations for Naval Research and Development and Acquisitions with Respect to Information Assurance, 92 5 APPLICATION OF RISK ANALySIS AS A BASIS FOR PRIORITIzING NEEDS 97 Overview and Background of Risk Analysis, 98 Past Navy Mission Risk Analysis Consequences, 99 Risk Analysis and Information Assurance in the Field, 100 Possible New Approaches, 102 Findings and Recommendations, 103 6 ORGANIzATIONAL CONSIDERATIONS 110 Joint Service Nature of Information Assurance, 110 DOD and DON Responsibilities for Information Assurance, 113 Integrated Policy Development and Organizational Support, 120 APPENDIXES A Acronyms and Abbreviations 141 B Terms of Reference 149 C Biographies of Committee Members 151 D Summary of Recent Naval Operations and Department of Defense Reports Related to Information Assurance 157 E Naval Information Assurance Architectural Considerations 165 F Suggested Elements of a Naval Information Assurance Research and Development Program 174