Information Assurance for NETWORK-CENTRIC NAVAL FORCES
THE NATIONAL ACADEMIES PRESS
THE NATIONAL ACADEMIES PRESS
500 Fifth Street, N.W. Washington, DC 20001
NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.
This study was supported by Contract No. N00014-05-G-0288, DO #19 between the National Academy of Sciences and the Department of the Navy. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the organizations or agencies that provided support for the project.
International Standard Book Number-13: 978-0-309-13663-1
International Standard Book Number-10: 0-309-13663-6
Copies of this report are available from:
Naval Studies Board, National Research Council, The Keck Center of the National Academies, 500 Fifth Street, N.W., Room WS904, Washington, DC 20001; and
The National Academies Press,
500 Fifth Street, N.W., Lockbox 285, Washington, DC 20055; (800) 624-6242 or (202) 334-3313 (in the Washington metropolitan area); Internet, http://www.nap.edu.
Copyright 2010 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
THE NATIONAL ACADEMIES
Advisers to the Nation on Science, Engineering, and Medicine
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice chair, respectively, of the National Research Council.
COMMITTEE ON INFORMATION ASSURANCE FOR NETWORK-CENTRIC NAVAL FORCES
BARRY M. HOROWITZ,
University of Virginia,
NILS R. SANDELL, JR.,
BAE Systems Advanced Information Technologies,
M. BRIAN BLAKE,
CLYDE G. CHITTISTER,
Carnegie Mellon University, Software Engineering Institute
ANUP K. GHOSH,
George Mason University
RICHARD J. IVANETICH,
Institute for Defense Analyses
JOHN W. LINDQUIST,
EWA Information and Infrastructure Technologies, Inc.
MARK W. MAIER,
The Aerospace Corporation
RICHARD W. MAYO,
USN (retired), CACI International, Inc.
ANN K. MILLER,
Missouri University of Science and Technology
DANIEL M. SCHUTZER,
Financial Services Technology Consortium
RALPH D. SEMMEL,
Johns Hopkins University Applied Physics Laboratory
ROBERT M. SHEA,
USMC (retired), Smartronix
JOHN P. STENBIT, Independent Consultant,
SALVATORE J. STOLFO,
EDWARD B. TALBOT,
Sandia National Laboratories
DAVID A. WHELAN,
The Boeing Company
CHARLES F. DRAPER, Director,
Naval Studies Board
BILLY M. WILLIAMS, Study Director
RAYMOND S. WIDMAYER, Senior Program Officer
SUSAN G. CAMPBELL, Administrative Coordinator
MARY G. GORDON, Information Officer
SEKOU O. JACKSON, Senior Project Assistant
SIDNEY G. REED, JR., Consultant
NAVAL STUDIES BOARD
MIRIAM E. JOHN,
DAVID A. WHELAN,
The Boeing Company,
CHARLES R. CUSHING,
C.R. Cushing & Co., Inc.
California Council on Science and Technology
LEE M. HAMMARSTROM,
Applied Research Laboratory, Pennsylvania State University
JAMES L. HERDT,
KERRIE L. HOLLEY,
IBM Global Services
BARRY M. HOROWITZ,
University of Virginia
JAMES D. HULL,
LEON A. JOHNSON,
EDWARD H. KAPLAN,
CATHERINE M. KELLEHER,
University of Maryland and Brown University
JERRY A. KRILL,
Applied Physics Laboratory, Johns Hopkins University
THOMAS V. McNAMARA,
Woods Hole Oceanographic Institution
HEIDI C. PERRY,
Charles Stark Draper Laboratory, Inc.
GENE H. PORTER,
Nashua, New Hampshire
JOHN S. QUILTY,
J. PAUL REASON,
JOHN E. RHODES,
JOHN P. STENBIT,
TIMOTHY M. SWAGER,
Massachusetts Institute of Technology
Lincoln Laboratory, Massachusetts Institute of Technology
Navy Liaison Representatives
RADM WILLIAM R. BURKE,
USN, Office of the Chief of Naval Operations, N81 (as of September 26, 2007, through August 22, 2008)
RADM BRIAN C. PRINDLE,
USN, Office of the Chief of Naval Operations, N81 (as of August 25, 2008)
RADM WILLIAM E. LANDAY III,
USN, Office of the Chief of Naval Operations, N091 (through August 15, 2008)
RADM NEVIN P. CARR, JR.,
Chief of Naval Research/Office of the Chief of Naval Operations, N091 (as of August 16, 2008)
Marine Corps Liaison Representative
LTGEN JAMES F. AMOS,
USMC, Commanding General, Marine Corps Combat Development Command (through July 2, 2008)
LTGEN GEORGE J. FLYNN,
USMC, Commanding General, Marine Corps Combat Development Command (as of July 28, 2008)
CHARLES F. DRAPER, Director
RAYMOND S. WIDMAYER, Senior Program Officer
BILLY M. WILLIAMS, Senior Program Officer
MARTA V. HERNANDEZ, Associate Program Officer
SUSAN G. CAMPBELL, Administrative Coordinator
MARY G. GORDON, Information Officer
SEKOU O. JACKSON, Senior Program Assistant
Long before naval leaders began articulating network-centric warfare as a concept,1 the U.S. Navy integrated weapons and sensors at diverse locations to perform its missions. For example, in the mid-20th century, antisubmarine warfare operations depended on long-range but limited-accuracy sensors cueing an air platform so that it could deploy shorter-range but more-accurate sensors capable of yielding improved targeting. Today’s accelerating pace of advances in computing and communications capabilities has led to an even broader vision of network-centric operations that includes all military force operations in peace as well as war and in which network-centric operations have been defined as “military operations that exploit state-of-the-art information and networking technology to integrate widely dispersed human decision makers, situational and targeting sensors, and forces and weapons into a highly adaptive, comprehensive system to achieve unprecedented mission effectiveness.”2
One of the key attributes of network-centric operations is a reliable and robust capability to support well-informed and rapid decision making by military commanders at all levels, within a system of flexible and adaptable command relationships. Underlying this attribute, of course, is the need to ensure that accurate information is securely gathered, distributed, and stored in ways that are timely, trustworthy, and not subject to disruption, corruption, or exploitation by
the opposition.3 Ensuring such a capability implies protecting the network and the enabling information infrastructure, not only the information itself. Indeed, the profound importance of information assurance (IA) for network-centric operations is highlighted in the Department of Defense’s (DOD’s) 2006 Quadrennial Defense Review: “Achieving the full potential of net-centricity requires viewing information as an enterprise asset to be shared and as a weapon system to be protected.”4 More fundamentally, there is increasing recognition that the very nature of network-centric operations—which implies the interconnection of everyone and everything—introduces threats and vulnerabilities, allowing many points of potentially harmful entry and paths for propagation of opposition attacks on information.
Indeed, the damaging effects of isolated domestic or international hackers on common commercial Internet grids are all too common; for example, a 2006 computer attack at the Naval War College forced the campus to shut down its connection to the Internet.5 The impact then of a concerted attack by an enemy nation or state against U.S. computing and communications resources and infrastructure is not only potentially drastic in scope, but also increasingly more likely to occur. In this regard a key issue is the abundant use of vulnerable commercial off-the-shelf technologies, and further complicating this trend is the growing movement toward a homogeneous information system infrastructure, presenting one “target.” Such realities present a threat to information assurance.
In recent years the Department of the Navy (DON) has established its “FORCEnet” vision as the Navy’s approach to implementing network-centric operations.6 This vision presents an operational view of capabilities, architectures, and concepts inclusive of the entire naval force—a view that is heavily dependent on the assured security and reliability of the Navy’s information infrastructure. Also, the FORCEnet vision and systems for naval forces are both heavily integrated with and influenced by related information systems and networks across the entire DOD enterprise. The present study was motivated by this FORCEnet vision for naval network-centric operations, by recognition of the growing threats to information certainty, and by the need for better understanding and management of the many information assurance issues and influences both by naval forces and across the DOD. A basic premise of the study is the belief that in the FORCEnet/network-centric world of the DON and the DOD, information assurance cannot
be treated as an isolated subject. Information assurance is not just about ensuring proper password practices, installing firewalls, and applying software patches, viewed in isolation from actual operations. Rather, information assurance as a critical requirement for operational success has to be fused with and subsumed into broader operational thinking, since the success of operations is the ultimate objective and measure of information assurance. Failure to accomplish information assurance would inevitably have a high negative impact on the ability of naval forces to achieve their missions.
TERMS OF REFERENCE
A letter dated December 7, 2007, from ADM Gary Roughead, Chief of Naval Operations, to Dr. Ralph J. Cicerone, President of the National Academy of Sciences, requested that the National Research Council’s (NRC’s) Naval Studies Board (NSB) conduct a comprehensive study on information assurance issues for U.S. naval forces. The purpose of the requested study was to review and address specific information assurance issues critical to network-centric naval operations, including vulnerabilities and potential mitigating actions that might be taken by the Department of the Navy.7,8
Accordingly, the National Research Council, under the auspices of its Naval Studies Board, established the Committee on Information Assurance for Network-Centric Naval Forces in February 2008.9 The study’s terms of reference, formulated by the Chief of Naval Operations’ staff in consultation with the NSB chair and director, charge the committee to produce two reports over a 12-month period. First, after its second full meeting, the committee was to produce a letter report that did the following:
Summarized the key information assurance initiatives underway within the Naval NETWAR/FORCEnet Enterprise,10
Recommended any near-term information assurance needs for network-centric naval forces, and
Identified defense-related efforts that the naval forces should take advantage of and/or ensure compatibility with.
Acronyms and abbreviations are provided in Appendix A.
The study’s full terms of reference are provided in Appendix B.
Biographical information for the committee members is presented in Appendix C.
The Naval NETWAR/FORCEnet Enterprise includes the Office of Chief of Naval Operations; the Naval Network Warfare Command; the Space and Naval Warfare Systems Command; the Program Executive Office for Command, Control, Communications, Computers, Intelligence (C4I) and Space; and others who provide C4I and information operations support to the naval forces.
The committee was requested to produce a comprehensive final report, following the letter report, that addresses the full terms of reference. The requested letter report was delivered to the Chief of Naval Operations in November 2008 and was briefed to multiple constituents during which discussions were held on many of the immediate IA issues. This report—the committee’s comprehensive final report—builds on the important areas identified in the letter report. The committee believes that it has responded productively and has provided a comprehensive analysis and solid recommendations for actions to help position network-centric naval forces for their continued mission assurance.
THE COMMITTEE’S APPROACH
In accomplishing its task, the committee took on a wide range of information assurance topics as requested in the terms of reference. The committee organized itself first to understand the nature of the naval information assurance issues and threats, then to understand current IA actions and responsibilites across both the DON and the DOD, and finally to formulate suggested IA responses and actions for naval forces that take into consideration operational, technical, and organizational viewpoints and needs. The findings and recommendations in this final report are based on wide-ranging input from experts and documents, both internal and external to naval operations and the DOD, and on the committee’s own analysis, which draws on the expertise and experience of its members.
The committee was first convened in March 2008. After its first two meetings, the committee drafted its interim letter report. It held additional meetings and site visits over a period of 6 months, both to gather input from the relevant communities and to discuss its findings and recommendations. An outline of the committee’s meetings is provided below:
March 5-6, 2008, in Washington, D.C. First full committee meeting. Briefings on information assurance issues, responsibilities, initiatives, strategies, and studies: Office of the Deputy Chief of Naval Operations for Communications Networks; Office of the Deputy Department of the Navy Chief Information Officer; Information Assurance Directorate, Naval Network Warfare Command; Office of the Deputy Assistant Secretary of Defense for Information and Identity Assurance; Director, C4, and Chief Information Officer, U.S. Marine Corps; Office of the Department of the Navy Chief Information Officer; and Office of the Director, Information, Services and Integration; Secretary of the Air Force Office of Warfighting Integration and Chief Information Officer; Air Force Scientific Advisory Board; and Defense Science Board.
April 10, 2008, at Fort Meade, Maryland. Site visit. Briefings on information assurance initiatives and strategies: National Security Agency, Information Assurance Directorate.
April 28-29, 2008, in Norfolk, Virginia. Second full committee meeting. Briefings on computer network defense, defense in depth, information assurance initiatives, Navy/Marine Corps Intranet, and naval information assurance strategies: Naval Network Warfare Command (including Navy Cyber Defense Operations Command and Navy Global Network Operations and Security Center); and Network Systems Personnel—USS Normandy (CG-60).
May 29-30, 2008, in Washington, D.C.; Ashburn, Virginia; and Arlington, Virginia. Third full committee meeting. Briefings on the Next Generation Enterprise Network, the Consolidated Afloat Networks and Enterprise Services, and the Comprehensive National Cyber Initiative: Office of the Deputy Chief of Naval Operations, Communications Networks; and Office of the Director of National Intelligence. Site visit. Briefings on network security and information assurance commercial best practices: Verizon Government Network Operations and Security Center. Site visit. Briefings on DOD global network operations, cyberdefense, and information assurance initiatives: Joint Task Force–Global Network Operations (JTF–GNO).
June 17-18, 2008, in Washington, D.C. Fourth full committee meeting. Briefings on information assurance/cyberdefense-related programs, studies, and research and development: United States Marine Corps Network Operations and Security Command; Office of Information Assurance Division, Headquarters U.S. Marine Corps; Office of Deputy Chief of Naval Operations for Manpower, Personnel, Training and Education; the Defense Advanced Research Projects Agency; Office of Naval Research; the Naval Reseach Laboratory; and Office of Program Management, Program Executive Office (PEO) Ships.
July 16, 2008, at Fort Meade, Maryland. Follow-up site visit. Briefings on information assurance and cyberdefense-related initiatives: National Security Agency, Information Assurance Directorate.
July 17-18, 2008, in Washington, D.C., and Arlington, Virginia. Fifth full committee meeting. Briefings on information assurance and cyberdefense-related initiatives, studies, and commercial best practices: Chief of Naval Operations Strategic Studies Group; Computer Science and Telecommunications Board, the National Research Council; Office of the Chief Technology Officer, Defense Information Systems Agency; Office of Naval Intelligence; Citigroup Inc., IT Risk and Program Management; Verizon, Security Solutions Division; and Office of the Commander, U.S. Pacific Fleet.
August 4-5, 2008, in San Diego, California. Site visit. Discussion of IA-related issues, strategies, and initiatives: U.S. Navy Space and Naval Warfare Systems Command, PEO-Command, Control, Communications, Computers, and Intelligence (C4I); and the Office of the Commander, U.S. Third Fleet.
August 18-22, 2008, in Woods Hole, Massachusetts. Sixth full committee meeting. Committee deliberations and report drafting.
October 10, 2008, in Washington, D.C. Site visit. Office of the Director, Naval Nuclear Propulsion Program.
The months between the committee’s last meeting and the publication of the report were spent preparing the draft manuscript, gathering additonal information, reviewing and responding to the external review comments, editing the report, and conducting the security review needed to produce an unclassified report.
Acknowledgment of Reviewers
This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report:
Brig “Chip” Elliott, BBN Technologies,
Carl E. Landwehr, McLean, Virginia,
Frank T. Leighton, Massachusetts Institute of Technology,
Dawn Meyerriecks, Purcellville, Virginia,
John E. Rhodes, LtGen, USMC (retired), Balboa, California,
Jonathan M. Smith, University of Pennsylvania,
William D. Smith, ADM, USN (retired), Fayetteville, Pennsylvania, and
William O. Studeman, ADM, USN (retired), Severna Park, Maryland.
Although the reviewers listed above provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by Robert J. Hermann of Global Technology Partners, LLC. Appointed by the National Research Council, he was responsible for making