3 Information Systems Security
Pages 130-178

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 130...
... Information systems security, the task of protecting the C4I systems connected to the communications network against an adversary's information attack against those systems, is a much more poorly understood area than
From page 131...
... The problem of protecting DOD C4I systems against attack is enormously complicated by the fact that DOD C4I systems and the networks to which they are connected are not independent of the U.S. national information infrastructure.3 Indeed, the line between the two is quite blurred because many military systems make use of the civilian information infrastructure,4 and because military and civilian systems are often interconnected.
From page 132...
... 132 REALIZING THE POTENTIAL OF C4I: FUNDAMENTAL CHALLENGES
From page 135...
... An enemy who overruns a friendly position and gains access to the information network of friendly forces may see classified information with tactical significance or be able to insert bad information into friendly tactical databases. A fourth generic vulnerability is denial of service.
From page 136...
... 3.1.2 Security Requirements
Needs for information systems security and trust can be formulated in terms of several major requirements:
· Data confidentiality: controlling who gets to read information in order to keep sensitive information from being disclosed to unauthorized recipients, e.g., by preventing the disclosure of classified information to an adversary;
· Data integrity: assuring that information and programs are changed, altered, or modified only in a specified and authorized manner, e.g., by preventing an adversary from modifying orders given to combat units so as to shape battlefield events to his advantage;
· System availability: assuring that authorized users have continued and timely access to information and resources, e.g., by preventing an adversary from flooding a network with bogus traffic that delays legitimate traffic, such as that containing new orders, from being transmitted; and
· System configuration: assuring that the configuration of a system or a network is changed only in accordance with established security guidelines and only by authorized users, e.g., by detecting and reporting to higher authority the improper installation of a modem that can be used for remote access.
From page 137...
... is not classified. While its disclosure might not harm national security, alteration or a delay in transmitting it certainly could.6 In other cases, access to unclassified information can present a threat (e.g., access to personnel medical records used to enable blackmail attempts)
From page 138...
... The DOD mission also requires that information be protected while in storage and while being processed, and that the information be protected not only against unauthorized disclosure, but also against unauthorized modification and against attacks that seek to deny authorized users timely access to the information. Cryptography is a valuable tool for authentication as well as for verifying the integrity of information or programs.7 Cryptography alone does not provide availability (though because its use is fundamental to many information security measures, its widespread application can contribute to greater assurance of availability).8
From page 139...
... Finally, defensive measures must be developed and deployed, a process that takes time, while attackers generally exploit existing security holes. In short, a successful defender must be successful against all attacks, regardless of where the attack occurs, the modality of the attack, or the time of the attack.
From page 140...
... 3.2.3 Ease-of-Use Compromises Compromises arise because information systems security measures ideally make a system impossible to use by someone who is not authorized to use it, whereas considerations of system functionality require that the system be easy to use by authorized users. From the perspective of an authorized user, a system with information systems security features should look like the same system without those features.
From page 141...
... , can lead to security problems for a number of reasons:
· Increasing functionality and decreasing time to market characterize the COTS software market today, often at the expense of security. The reason is simple: security features and functionality do not usually play a large role in buyer decisions.
From page 142...
... Because COTS software is developed for a range of application domains, its security mechanisms are usually not tailored to the specific needs of any particular application area.
· The growing use of COTS components, from a small set of vendors, throughout all segments of the information technology industry suggests a continuing decrease in heterogeneity in the coming years.
From page 143...
... is only a partial solution, because abuse of the enabled resources is possible.
3.2.7 Passive Defense
Legal and technical constraints preclude retaliation against the perpetrator of an information systems attack (a cyber-attack)
From page 144...
... 1996. Report of the Defense Science Board Task Force on Information Warfare-Defense (IW-D)
From page 145...
... Mobilization of a foreign nation's key personnel known to have responsibility for information attacks might be another indicator. The notion of an "information condition" or INFOCON, analogous to the defense condition (DEFCON)
From page 147...
... Ongoing tests (conducted by groups often known as "red teams" or "tiger teams") are essential for several reasons:
· Recognized vulnerabilities are not always corrected, and known fixes are frequently found not to have been applied as a result of poor configuration management.
From page 148...
... Any organization relying on information systems should have a number of routine information systems security activities (e.g., security features that are turned on, security procedures that are followed)
From page 149...
... from the start. For example, the principle of graceful degradation would forbid a system whose continued operation depended entirely on a single component remaining functional, or on the absence of a security threat.
From page 150...
... Providing information systems security for a network or system that has not had security features built into it is enormously problematic. Retrofits of security features into systems not designed for security invariably leave security holes, and procedural fixes for inherent technical vulnerabilities only go so far.
From page 151...
... It is reasonable to conduct organizational research into better processes and organizations that provide more effective support against information attacks and/or reduce the impediments to using or implementing good security practices. Function 11.
From page 152...
... is the principal staff assistant to the Secretary of Defense for C3I and information management and information warfare matters and is the Chief Information Officer for the DOD. Other Office of the Secretary of Defense
From page 153...
... The mission of the Information Assurance Program is to "develop security and survivability solutions for the Next Generation Information Infrastructure that will reduce vulnerability and allow increased interoperability and functionality." The program's objectives include architecture and infrastructure issues, preventing, deterring, and responding to attacks, and managing security systems. Its goal is to "create the security foundation" for the Defense Information Infrastructure and future military C4I information systems.
From page 154...
... In addition, DISA's chief information officer's Information Assurance Division focuses on the implementation of information assurance by developing effective security policy and processes and establishing training and awareness programs.22 DISA also hosts the Joint Task Force on Computer Network Defense (Box 3.4), which is intended to work in conjunction with the unified military commands, the military services, and other Department of Defense agencies to defend DOD networks and systems against intrusions and other attacks.
From page 156...
... For these reasons, prudent planning dictates a serious DOD response to such potential threats, even if they have not yet been part of a concerted national attack on the United States.
3.6 TECHNICAL ASSESSMENT OF C4I SYSTEM SECURITY
The available evidence from exercises that the committee observed (e.g., Blue Flag 98-2)
From page 157...
... · Some of the networks used by DOD to carry classified information are protected by a perimeter defense. As a result, they exhibit all of the vulnerabilities that characterize networks protected by perimeter defenses.24
3.7 FINDINGS
Finding S-1: Protection of DOD's information and information systems is a pressing national security issue.
From page 158...
... While all red teams operate under certain rules of engagement established by the "white teams" that oversee exercises, the information attack red teams appeared to the committee to be much more constrained than was appropriate. In one exercise, personnel in an operations center laughed and mistakenly took as a joke a graphic demonstration by the red team that their operations center systems had been penetrated.
From page 159...
... By contrast, the commercial sector has taken a largely pragmatic approach to the problem of information systems security. The C4I security practices that the committee observed in many of its site visits were far inferior to the standard set by the best commercial practices for information systems security (e.g., those found in the banking industry)
From page 160...
... The defense of physical spaces and facilities has a long history, while cyberspace is a new area of military operations. In cyberspace, boundaries are fluid, control is distributed and diffuse, and most of what occurs is invisible to the defender's five senses without appropriate augmentation.
From page 161...
... For example, the committee observed the 609th Information Warfare Squadron in action during the Blue Flag 98 exercise. The 609th Squadron had split responsibilities: it was responsible for both red team (attacking)
From page 162...
... Finally, in an organization as large as DOD, recommendations must refer to concrete actions and to specific action offices responsible for their execution. On the other hand, given an ongoing restructuring and streamlining within DOD, especially within the Office of the Secretary of Defense and the Joint Chiefs of Staff, the committee is reluctant to specify action offices with too much confidence or precision.
From page 163...
... In its site visits, the committee observed limited resources devoted to providing operational support for the information systems security mission in some instances, such as the 609th Information Warfare Squadron at Blue Flag 98. But even in these instances (and they were not frequent)
From page 164...
... All users of information and C4I systems must receive some minimum level of training in relevant security practices before being granted access to these systems. Refresher courses are also necessary to remind long-time users about existing practices and to update them on changes to the threat.
From page 165...
... Commanders and high-ranking officials, in particular, are often willing to compromise security practices for their own convenience and ease of use, and may not give the subject due attention in their oversight roles. It is thus not unreasonable that system administrators and their commanders, given the necessary tools, training, and resources, be held accountable for keeping systems configured securely and maintaining good operational security practices with respect to information systems security.29 Because this recommendation calls for an across-the-board cultural change within DOD, many different offices must be involved.
From page 166...
... Atlantic Command as the force provider, have operational responsibilities, and the Joint Chiefs of Staff must cooperate in the promulgation of policy in this area because such testing has a direct impact on operational matters. The committee also notes that the Information Warfare Red Team of the Joint Command and Control Warfare Center in San Antonio, Texas,30 was created to improve the readiness posture of the DOD by identifying vulnerabilities in information systems and vulnerabilities caused by use of these information systems and then demon
30 For additional information about the Information Warfare Red Team, see the OSD Web page online at .
From page 167...
... Establishing the Information Warfare Red Team is an important step in the right direction to support the intent of this recommendation, but the scale of the activities undertaken by the Information Warfare Red Team is incommensurate with the much larger need for such testing.
Recommendation S-4: The Assistant Secretary of Defense for C3I should mandate the immediate department-wide use of currently available network and configuration management tools and strong authentication mechanisms.
From page 168...
... A second aspect of configuration control is more difficult to achieve. Good configuration control also requires that every piece of executable code on every machine carry a digital signature that is periodically checked as a part of configuration monitoring.
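One way to realize the check this passage describes, as an added example that is not from the report: a signed baseline manifest of file hashes that a periodic configuration-monitoring run compares against the machine, flagging modified, added or removed executables, and refusing to trust a manifest whose signature no longer verifies. The key, directory layout and file contents are constructed for the example, and HMAC-SHA256 stands in for a public-key digital signature so it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key held by the configuration-monitoring authority; HMAC-SHA256
# stands in for a public-key signature (the check logic is unchanged with one).
MANIFEST_KEY = b"constructed-monitoring-key"

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_signed_manifest(root, key=MANIFEST_KEY):
    """Baseline: hash every file under root, then sign the whole manifest."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            entries[os.path.relpath(path, root)] = sha256_file(path)
    body = json.dumps(entries, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def check_configuration(root, manifest, key=MANIFEST_KEY):
    """Periodic check against the signed baseline; all lists empty means clean."""
    expected_sig = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, manifest["sig"]):
        return {"manifest_tampered": True}   # the baseline itself cannot be trusted
    expected = json.loads(manifest["body"])
    current = json.loads(build_signed_manifest(root, key)["body"])
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "added": sorted(set(current) - set(expected)),
        "removed": sorted(set(expected) - set(current)),
    }

def demo():
    """Constructed scenario: baseline two binaries, then alter one and add an unexpected one."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for name in ("login", "ls"):
        with open(os.path.join(root, "bin", name), "wb") as f:
            f.write(b"original " + name.encode())
    manifest = build_signed_manifest(root)
    clean = check_configuration(root, manifest)
    with open(os.path.join(root, "bin", "login"), "wb") as f:
        f.write(b"altered")      # unauthorized modification of an existing binary
    with open(os.path.join(root, "bin", "nc"), "wb") as f:
        f.write(b"unexpected")   # unauthorized addition of a new binary
    return clean, check_configuration(root, manifest)
```

In a deployment the manifest would be signed offline by the configuration authority and the monitoring host would hold only the verification key.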
From page 169...
... It also has particular value in the protection of remote access points (Box 3.5). Biometric identifiers complement hardware-based authentication devices.
From page 170...
... Some network management/configuration systems allow configuration control that would support fine-grained access controls. But most do not make it easy for a network administrator to quickly establish and revoke these controls.
From page 171...
... The information security policy is within the purview of the DOD's Chief Information Officer, who today is also the Assistant Secretary of Defense for C3I. Finally, given its history of involvement with information systems security, the National Security Agency is probably the appropriate body to identify the best available authentication mechanisms and configuration tools.
From page 172...
... Some network management/configuration systems allow configuration control that would support fine-grained access controls. But most do not make it easy for a network administrator to quickly establish and revoke these controls, and DOD-sponsored research and development in this area could have high payoff as well.
From page 173...
... The basic technology and underlying premises of biometrics have been validated, but biometric authentication mechanisms are still sometimes too slow and too inaccurate for convenient use. (For example, they often take longer to operate than typing a password, and they sometimes result in false negatives (i.e., they reject a valid user fingerprint or retinal scan)
From page 174...
... As noted above, better tools developed for DOD use are also likely to have considerable application in the commercial sector, a fact that places a high premium on conducting research and development in this area in an unclassified manner. Note that Trust in Cyberspace also outlines a closely related research agenda.36
Recommendation S-6: The Chairman of the Joint Chiefs of Staff and the service Secretaries should direct that a significant portion of all tests and exercises involving DOD C4I systems be conducted under the assumption that they are connected to a compromised network.
From page 175...
... The lack of constraint is intended to stress friendly forces in much the same way that very well trained opposition forces such as those at the Army's National Training Center, the Air Force's Air Warfare Center, and the Navy's Fighter Weapons School stress units that exercise there.
From page 176...
... Recommendation S-7: The Secretary of Defense should take the lead in explaining the severe consequences for U.S. military capabilities that arise from a purely passive defense of its C4I infrastructure and in exploring policy options to respond to these challenges.
From page 177...
... The committee is not advocating a change in national policy with respect to cyber-retaliation. Indeed, it was not constituted to address the larger questions of national policy, i.e., whether other national goals do or do not outweigh the narrower national security interest in protecting its military information infrastructure, and the committee is explicitly silent
38 Press reports indicate that DOD authorities are "struggling to define new rules for deciding when to launch cyber attacks, who should authorize and conduct them and where they fit into an overall defense strategy." See Bradley Graham, "Authorities Struggle with Cyberwar Rules," Washington Post, July 8, 1998, page A1.
From page 178...
... But it does believe that DOD should take the lead in explaining the severe consequences for its military capabilities that arise from a purely passive defense, that DOD should support changes in policy that might enable it, perhaps in concert with law enforcement agencies, to take a less passive stance, and that a national debate should begin about the pros and cons of passive versus active defense. The public policy implications of this recommendation are profound enough that they call for involvement at the highest levels of the DOD; the active involvement of the Secretary of Defense is necessary to credibly describe the implications of passive defense for C4I systems in cyberspace.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.