Information Assurance for Network-Centric Naval Forces (2010) / Chapter Skim
Currently Skimming:
4 A Suggested Technical Response to Cyberthreats and Information Assurance Needs
4 A Suggested Technical Response to Cyberthreats and Information Assurance Needs
Pages 72-96
The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.
From page 72... ...
Intermediate stages of the GIG IA architecture are likely achievable in reasonable time frames and at reasonable cost, but will require substantial improvements to supplement current IA technologies. Recognizing the expected long lifetime of the GIG architecture and its derivatives, the committee's view is that the DON needs to plan actively for the insertion of emerging technologies as part of its architectural plan.
|
From page 73... ...
For the naval forces, EA must be viewed broadly, extending well beyond the traditional boundaries often associated with IT architectures. For the purposes of information security, IA considerations are a critical aspect of the EA.
|
From page 74... ...
2007. Global Information Grid Architectural Vision: Vision for a Net-Centric, Service-Oriented DoD Enterprise, Version 1.0, Department of Defense, Washington, D.C., June, p.
|
From page 75... ...
To allow rigorous audit and response to the data entering and moving through the GIG, IA tools, such as those being developed and deployed for the Comprehensive National Cyber Initiative, should be installed at the edge and broadly across the critical internal systems and services that constitute the GIG, providing the basis for boundary protection within a layered-defense assurance system. Assurance cannot be guaranteed without also pushing IA tools to the hosts and client machines that use and depend on the GIG.4 3 Encryption policies and technology for sensitive information are well defined in DOD policy documents, such as the National Policy on the Use of the Advanced Encryption Standard to Protect National Security Systems and National Security Information (CNSSP-15)
|
From page 76... ...
Example of the Need for IA Principles to Support global Information grid Design Principles Service-Oriented Architectures The design principle of extensibility of the enterprise architecture is largely provided by the traditional object-oriented paradigms that have culminated in a service-oriented architecture (SOA) implementation.
|
From page 77... ...
Although enterprise service buses have been introduced as enterprise-wide containers of Web services, the state of the art in these systems lacks the interoperability policies and protocols required to securely integrate an organization as large as the DON's system of systems. The GIG-influenced architectural design principles envisioned for future naval platforms and systems clearly point toward making use of COTS products within an SOA framework, and possibly cloud computing architectures as well.7 Hence, the committee believes it to be inevitable that future Navy systems will be subjected to new and more complex IA vulnerabilities presented by the use of SOAs and related COTS products.
|
From page 78... ...
should adopt and manage system developments using sets of IA principles that are explicitly specified and required to be incorporated into the naval forces enterprise architecture, including specifically addressing the IA requirements of service-oriented architectures. In addition, these principles need to be embraced throughout the system life cycle and adopted by existing naval systems as they are upgraded.
|
From page 79... ...
In aggregate, these systems address naval forces requirements for communications and networking, data pro cessing, and command and control. With FORCEnet as the context, the challenge now is to get broad user acceptance of the architecture, incorporate various naval 10 Department of Defense Chief Information Officer.
|
From page 80... ...
SOURCE: Adapted from Craig Harber, Enterprise IA Architecture and Systems Engineering Office, Information Assurance Directorate, National Security Agency, 2008, "GIG Information Assurance Architecture, Protecting National Security Enterprises" (viewgraph presentation)
|
From page 81... ...
. SOURCE: Adapted from Department of Defense Chief Information Officer, 2007, Global Information Grid Architectural Vision: Vision for a Net-Centric, Service-Oriented DoD Enterprise, Version 1.0, Department of Defense, Washington, D.C., June.
|
From page 82... ...
Although the naval forces can implement security protection on a service-byservice basis, a more effective IA strategy to securing Web-service-based SOAs is to externalize crosscutting security functionality, such as encryption, authentica tion, auditing, policy enforcement, and so on, into a shared services infrastructure that can be consistently managed, configured, and coordinated by security pro fessionals rather than by individual development teams. An example of a shared security services infrastructure would be the integration of the Navy's CANES Web services implementation with the Net-Centric Enterprise Services (NCES)
|
From page 83... ...
INFORMATION ASSURANCE RESEARCH AND DEVELOPMENT The State of Naval Forces Information Assurance Given the committee's concerns that IA should have equal priority in all current and future enterprise architecture designs, and given the state of IA readiness in current COTS systems, the committee believes that the Navy should imme diately invest in IA research and development initiatives to remain current and capable of deploying IA solutions protecting the Navy's primary missions. Information assurance on naval forces networks today is largely managed by implementing best commercial practices.
|
From page 84... ...
• Current IA strategies do not sufficiently address either current sophis ticated attacks that cannot be handled through use of existing COTS security products, or future projected cyberthreats. Because the cyberthreats that naval networks face include targeted, evasive, sophisticated threats, the DON needs to actively pursue technology to address current and future threats rather than rely ing entirely on best-practice COTS tools.
|
From page 85... ...
While the initiatives of the DOD and the Comprehensive National Cybersecurity Initiative (CNCI) 16 will be useful to the overall IA posture of naval forces, these initiatives by themselves will not address important naval-specific needs such as those enumerated above.
|
From page 86... ...
Leveraging advanced R&D from others could bridge the technical capability gap, enabling the DON to potentially leap ahead of the current cyberthreat and better position naval forces against a clear and present cybersecurity danger that threatens the ability of the naval forces to execute their missions. Given the trends in military information technology and networks, the current and growing sophistication of potential adversaries in cyberspace, the current posture of DON information assurance, and the capability gaps in defending against the cyberthreat, the committee recommends a double-pronged naval IA research strategy: (1)
|
From page 87... ...
2006. Federal Plan for Cyber Security and Information Assurance Research and Development, Executive Office of the President of the United States, Washington, D.C., April.
|
From page 88... ...
27As described in Chapter 2, the Navy ISSP research, development, testing, and evaluation pro gram works to provide the Navy with these essential information assurance elements: (1) assured separation of information levels and user communities, including coalition partners; (2)
|
From page 89... ...
. • Secure composition -- means to ensure security properties of the whole System Level system.
|
From page 90... ...
This Air Force program represents an example IA leveraging activity that can, in theory, provide access to leading-edge IA technology and maximum return on the Navy's IA R&D investment. The current gaps in capability for naval forces information assurance are made even more significant by a lack of strategy for investing in advanced R&D to redress these gaps, and thus should be corrected.
|
From page 91... ...
The Navy should focus its research efforts on addressing capability gaps specifically related to the needs of naval forces that are not being sufficiently addressed elsewhere. Concurrently, the Office of Naval Research should develop a rapid technology insertion program to enable the rapid deployment of solutions for responding to new threats, based on both the leveraging of internal Navy research results and the use of ongoing research results derived from the funding of other R&D organizations, such as at the Defense Advanced Research Projects Agency, National Security Agency, Army Research Office, Air Force Office of Scientific Research, National Science Foundation, Department of Energy, and Department of Homeland Security.
|
From page 92... ...
Correspondingly, in reviewing the R&D and acquisitions for naval forces, the committee gave significant attention to the agility that enables naval forces to conceptualize, acquire, evaluate, implement, and deploy IA tech nology that directly supports naval systems. Indeed, coordination and integration are the strongest enablers for agility in R&D acquisitions.
|
From page 93... ...
2008. "Rapid Development and Deployment Response to Urgent Global War on Terrorism Needs," SECNAV Notice 5000 [Cancelled SECNAVNOTE 5000, dated March 8, 2007]
|
From page 94... ...
Note 5000: "Rapid Development and Deployment Response to Urgent Global War on Terrorism Needs." NOTE: Acronyms are defined in Appendix A Figure 4-3 R01471 uneditable bitmapped image
|
From page 95... ...
• Move Milestone B to preliminary design review, at least for high-IT content programs. ________________________ SOURCE: Reprinted from Daniel Gonzales, Eric Landree, John Hollywood, Steven Berner, and Carolyn Wong, 2007, Navy/OSD Collaborative Review of Acquisition Policy for DOD C3I and Weapon Programs, RAND National Defense Research Institute, RAND Corporation, Santa Monica, Calif.
|
From page 96... ...
, with the support of the Director, Naval Research, to address the timely acquisition and implementation of IA solutions: • Actively participate in DOD efforts to define and establish intelligence that provides predictions about future cyberattack techniques which are sufficient to stimulate development of defensive responses, • Use existing operations and maintenance processes supplemented by design and prototyping activities carried out by naval laboratories to more rapidly develop and implement solutions, • Establish a rapid technology testing and evaluation laboratory and a technology insertion program -- modeled after the Future Naval Capabilities program -- to leverage and accelerate ongoing research in cybersecurity into Navy networks, and • Establish a standard management process styled after the urgent-need process for the Global War on Terrorism (as defined in SECNAV [Secretary of the Navy] Note 5000 on "Rapid Development and Deployment Response to Urgent Global War on Terrorism Needs")
|
Key Terms
This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More
information on Chapter Skim is available.