6
Organizational Considerations
In previous chapters the committee described the challenge that cyberthreats present to the Department of the Navy’s (DON’s) use of network-centric operations and its dependence on commercial off-the-shelf (COTS) information technology (IT). Potential operational and technical responses that the DON might take to maintain information assurance (IA) in the face of this challenge and how it might orchestrate those responses through a risk-based management approach were also discussed.
This chapter examines potential organizational responses. It will be seen that there are many organizations, inside and outside the DON, that impact IA with respect both to the operations of naval networks and to the acquisition of naval network-based capabilities. Given this organizational complexity as well as the operational and technical complexity inherent in addressing the growing IA risks, it is recommended that the DON consider organizational realignments to better focus on the IA issues related to naval information systems and networks.
JOINT SERVICE NATURE OF INFORMATION ASSURANCE
The issues of information assurance and, more broadly, mission assurance from an information perspective for the Navy and Marine Corps are not solely Navy and Marine Corps issues. For parts of their information network infrastructure, the Navy and Marine Corps are highly dependent on joint capabilities and sometimes on systems provided by the other Services. Thus, in general, the Navy and Marine Corps will achieve mission assurance only through joint participation. Likewise, joint capabilities systems of systems are dependent on the Navy and
Marine Corps for building and operating their elements of the joint construct in ways that support the policies of the whole.
Key Trends in Cross-Service Integration
A key trend in the U.S. military is joint network-centric operations. The long-term vision is to decouple the various operational functions (e.g., sensing, targeting, weapons delivery, transport, and logistics) from individual Service platforms. A Navy ship should be able to launch a weapon on a target located by national means, provide target designation for a weapon launched by the Air Force, and draw on any Service’s (or commercial) logistics stores and systems. While full network-centric capabilities are still years away, some capabilities are current and are being continually improved.
The key enabler for joint network-centric operations is information sharing. The U.S. satellite communications architecture already provides services to all Services over the same satellite links, and the Defense Information Systems Agency (DISA) provides a global communications backbone to all of the Services. Another element of cross-Service convergence is technical—namely, the increasing integration of different information service types onto fewer technical platforms. This integration is a two-edged sword. On the one hand, it leads to superior information sharing, greater efficiency, lowered costs for a given level of service, and fewer types of technical platforms to defend. On the other hand, extensive system integration could permit the possibility of losses of large-scale capabilities from single attacks. Some particular examples include the following:
-
Extensive use of commercially hosted fiber-optic and wideband satellite communications—which has provided global broadband communications at low cost, but is significantly vulnerable to disruption and jamming;
-
Network layer convergence to everything-over-Internet Protocol (IP) and the ongoing phaseout of switched network infrastructure—which greatly enhances network manageability and allows use of the rapidly innovating commercial IP services. However, it also opens military networks to the vulnerabilities of IP and single points of failure;1 and
-
The convergence of unclassified and classified networks onto shared IP bandwidth enabled by cryptographic separation—which facilitates large upgrades in bandwidth, especially for classified services; reduces the costs of providing
1 |
As pointed out in the classic paper of Bellovin, the vulnerabilities of IP are intrinsic in the protocols and are not simply due to implementation issues. See Steven M. Bellovin, 1989, “Security Problems in the TCP/IP Protocol Suite,” ACM SIGCOMM Computer Communication Review, Vol. 19, No. 3, pp. 10-19, July. See also Steven Bellovin, 2004, “A Look Back at ‘Security Problems in the TCP/IP Protocol Suite,’ ” presented at the 20th Annual Computer Security Applications Conference, December. Available at <http://www.cs.columbia.edu/~smb/papers/ipext.pdf>. Accessed May 1, 2009. |
-
network services by eliminating many legacy systems; and improves network manageability. However, it opens classified networks to denial-of-service attacks hosted on unclassified networks and provides an opportunity (albeit a slim one) for a compromise of the separation mechanism.
Joint Support to Navy and Marine Corps Systems
The examples above illustrate the dependence of the Navy and Marine Corps on joint systems. Without communications systems shared with the other Services (and in some cases with commercial industry and foreign partners), the capabilities of the Navy and Marine Corps would be reduced. Understanding how much they could be reduced is itself an important element of risk management and mission assurance that was highlighted earlier in this report.
The Department of Defense (DOD), as a whole, must act to ensure that plans assigned to each command are adequately supported by department-wide decisions. The Navy needs to be proactive in ensuring that plan elements assigned to the combatant Navy and Marine Corps are effectively supported in capability acquisitions. The committee finds that there are several areas where these issues are particularly evident, and there is evidence that strategies and decisions are not consistent across the whole stakeholder set.
For scenarios in which cyberattack is likely but extensive jamming and kinetic attacks are not, the most operationally effective and cost-effective approach to communications acquisition is to buy commercial fiber-optic and satellite capacity. For scenarios in which the full spectrum of threat attacks is likely, the most effective course is to acquire protected communication capabilities. The current mixed strategy being pursued by the DOD is to acquire some of each of these capabilities.
The DON must recognize the complexities inherent in pursuing the current mixed strategy. Applications that work well when high-bandwidth communications are available may not work well (or at all) in a reduced-bandwidth environment. An application and concept of operations (CONOPS) set that is designed to work well in a low-bandwidth environment must be extensively tested and exercised within that low-bandwidth environment. The operational reality might require neither the unattacked high-bandwidth services nor the secure core of low-bandwidth services, but rather a dynamically changing intermediate state. It may be that neither of the configurations that works well at either end of the service levels will work well in a dynamically changing middle ground. Moreover, the dynamically changing case is likely to be the most difficult to simulate and test.
The spectrum of potential threat environments from low to high poses a basic strategic challenge to deployed Navy and Marine Corps forces. The DON should study, in conjunction with the intelligence and research communities, whether alternative approaches to communications and application development could
yield capabilities that are robustly functional across the spectrum of threat levels. This may require a partial reversal of the march toward all-COTS products, but might yield an operational system that is more robust, secure, and maintainable than the current approach of multiple fallback modes.
The DON must also strongly advocate within the joint community for the development of the capabilities that are uniquely important to Navy and Marine Corps forces. The Navy, in particular, has a dependence on mobile satellite communications that is deeper than that of the other Services. It is particularly important to the Navy that secure and protected communications capacity suitable for Navy platforms be deployed adequately for the Navy to realize the benefits of network-centric operations.
DON Support to Joint Systems
Due to the interdependence among DOD and DON systems, each Service has responsibility for keeping its own equipment and technology up to date and operational. The Joint Task Force–Global Network Operations (JTF–GNO) monitors the joint enterprise, but depends on the Services to maintain their connected systems adequately. With regard to low-sophistication cyberattacks, the updating process is central. For high-sophistication attacks, continuous patching and upgrades may yield little additional assurance. For the high-sophistication case, the DON needs an entirely different class of monitoring techniques and a science and technology (S&T)-based estimation approach, such as described in Chapter 5, to develop threat models and mitigations.
The Navy and Marine Corps are dependent on joint capabilities, but so too are those joint networks and applications dependent on the Navy and Marine Corps. If the participants in the joint network fail in their individual responsibilities, they may impact the network as a whole and the other participants. In consequence, the Navy and Marine Corps, as organizations, must consider the broader impact of their own policies and acquisitions on the health of the joint capabilities as a whole.
DOD AND DON RESPONSIBILITIES FOR INFORMATION ASSURANCE
DOD Information Assurance Responsibilities
Providing IA in the context of joint network-centric operations is the responsibility of a number of DOD organizations including the DON. The IA responsibilities of the DOD and the DON are defined in public law and in various DOD and DON instructions, directives, and memoranda.
The DOD is required to have a defense IA program under Section 2224, “Defense Information Assurance Program,” of Title 10, United States Code. Under
the provisions of the Clinger-Cohen Act of 1996,2 the DOD is required to have a chief information officer (CIO) reporting directly to the Secretary of Defense. In DOD Directive 5144.1,3 the Secretary has designated the Assistant Secretary of Defense for Networks and Information Integration (ASD[NII]) as the DOD CIO. DOD Directive 8500.14 establishes DOD IA policy and assigns organizational responsibilities. DOD Instruction 8500.25 provides guidance and describes procedures for implementing DOD Directive 8500.1. DOD Instruction 8580.16 describes how IA is integrated into the defense acquisition system.
The ASD(NII)/DOD CIO develops and promulgates IA policies, oversees appropriations for and manages the Defense Information Assurance Program (DIAP), and works with the Under Secretary of Defense for Acquisition, Technology and Logistics (USD[AT&L]) to ensure that the DOD acquisition process incorporates IA considerations consistent with the Clinger-Cohen Act requirements. The Deputy Assistant Secretary of Defense for Information and Identity Assurance (DASD[IIA]) reports to the ASD(NII) and is responsible for the DIAP and the Global Information Grid (GIG) IA portfolio, among other responsibilities. The Director of DISA assists the ASD(NII) in executing his or her responsibilities—including, in particular, the development of a single IA approach for protection of the Defense Information Systems Network (DISN).
The USD(AT&L) is tasked to ensure that IA is considered in all acquisition milestone decisions, program decision reviews, and contract awards. With the assistance and advice of the Director, Defense Research and Engineering (DDRE), the USD(AT&L) monitors and oversees IA research and technology investments, including those of the National Security Agency (NSA) and the Defense Advanced Research Projects Agency (DARPA).
The Chairman, Joint Chiefs of Staff (CJCS), provides advice and assessment of military IA capability needs and develops, coordinates, and promulgates IA policies, doctrines, and procedures for joint and combined operations.
The Commander, U.S. Strategic Command (USSTRATCOM), coordinates and directs DOD-wide computer network defense (CND) operations.
2 |
National Defense Authorization Act for FY 1996, Public Law 104-106, formerly called the “Information Technology Management Reform Act,” February 10, 1996. |
3 |
Department of Defense. 2005. Department of Defense Directive No. 5144.1, Washington, D.C., May 2. Available at <http://www.dtic.mil/whs/directives/corres/pdf/514401p.pdf>. Accessed May 1, 2009. |
4 |
Department of Defense. 2002. Department of Defense Directive No. 8500.1, Washington, D.C., October 24. Available at <http://www.niap-ccevs.org/cc-scheme/policy/dod/d85001p.pdf>. Accessed May 1, 2009. |
5 |
Department of Defense. 2003. Department of Defense Directive No. 8500.2, Washington, D.C., February 6. Available at <http://www.niap-ccevs.org/cc-scheme/policy/dod/d85002p.pdf>. Accessed May 1, 2009. |
6 |
Department of Defense. 2004. Department of Defense Directive No. 8580.1, Washington, D.C., July 9. Available at <http://www.defenselink.mil/cio-nii/docs/DoDI_8580.1pdf>. Accessed May 1, 2009. |
The Director, NSA (DIRNSA), provides IA support to the DOD components, including the providing of IA and Information System Security Engineering (ISSE) services; manages the development of the IA Technical Framework (IATF); and establishes criteria and processes for evaluating and validating all IA and IA-enabled IT products used in DOD information systems. With the Director, Defense Intelligence Agency (DIA), the DIRNSA provides an IA intelligence capability. The DIRNSA is also the agent for the GIG Information Assurance Portfolio (GIAP); the GIAP management office is located at NSA and staffed with NSA and DISA personnel.
The heads of the DOD components are responsible for developing and implementing an IA program focused on DOD component-specific information and systems.
DON Information Assurance Responsibilities
Responsibilities for the IA program of the DON are defined in Secretary of the Navy Instruction 5239.3A.7
The DON CIO is responsible for carrying out for the Secretary of the Navy (SECNAV) the IA responsibilities assigned to the Navy by public law and by DOD directives and instructions. In particular, the DON CIO issues IA policies, integrates IA requirements with DON planning and into the DON major system acquisition management process, and serves as the focal point for IA coordination with other elements of the DOD. The DON CIO is assisted by a senior IA official (SIAO), as required by the Federal Information Security Management Act of 2002 (Public Law 107-347), and by the DON Deputy CIO (Navy) and DON Deputy CIO (Marine Corps). The Deputy CIO (Navy) is the Deputy Chief of Naval Operations for Communication Networks (OPNAV N6) and the Deputy CIO (Marine Corps) is the Director, Command, Control, Communications, and Computers.
The Assistant Secretary of the Navy for Research, Development and Acquisition (ASN[RDA]) integrates IA requirements into acquisition management of all DON IT systems and maintains an S&T program in information assurance.
The Chief of Naval Operations (CNO) develops and implements IA programs and procedures for information systems supporting Navy operations and assets, serves as the resource sponsor for Navy IA, appoints designated approving authorities (DAAs) for information systems under Navy authority, and develops Navy IA education, training, and awareness programs.
7 |
Secretary of the Navy. 2004. SECNAV Instruction 5239.3A re: Department of the Navy Information Assurance Policy, Department of the Navy, Washington, D.C., December 20. Available at <http://doni.daps.dla.mil/Directives/05000%20General%20Management%20Security%20and%20Safety%20Services/05-200%20Management%20Program%20and%20Techniques%20Services/5239.3A.pdf>. Accessed May 1, 2009. |
In Office of the Chief of Naval Operations Instruction 5239.1C,8 the CNO assigned responsibility to OPNAV N6 for the Navy IA program, in coordination with the ASN(RDA) and the Deputy Assistant Secretary of the Navy for Command, Control, Communications, Computers and Intelligence/Electronic Warfare/Space (DASN[C4I/EW/Space]). OPNAV N6 sponsors, authorizes, and budgets for IA requirements and is instructed to “adopt an Information Technology (IT) lifecycle risk management program….” The Commander, Naval Network Warfare Command (NETWARCOM), gathers and prioritizes Navy IA operational requirements from all echelon II commands. The Program Executive Office for Command, Control, Communications, Computers and Intelligence (PEO C4I) serves as the IA acquisition program manager and overall systems security engineering lead. The Director, Office of Naval Intelligence (ONI), assists OPNAV N6 and PEO C4I in the risk management process by gathering relevant threat information to assist in defining system security requirements.
The CNO has appointed the Commander, NETWARCOM, as the Navy operational DAA (ODAA) for all operating Navy collateral/General Services (GENSER) information systems, networks, and telecommunications systems and has assigned the Navy echelon II commanders as the developmental DAAs.9 He has appointed the Commander, Space and Naval Warfare Systems Command (SPAWAR), as the Navy certification authority for collateral/GENSER classified and unclassified, information, telecommunications, and network systems.
Other important responsibilities of the Commander, NETWARCOM, as defined in Office of the Chief of Naval Operations Instruction 5239.1C include computer network vulnerability testing and providing training to fleet units. As discussed below, NETWARCOM also has an operational role in conducting and directing CND.
The Commandant of the Marine Corps (CMC) has IA responsibilities parallel to those of the CNO.
The process by which naval IA policies are translated into system capabilities is illustrated in Figure 6.1. A DON program manager receives IA policy guidance from a number of sources, including the FORCEnet Enterprise Architecture, the DOD IT Standards Registry (DISR), and the GIG IA Technical Framework (GIATF). As indicated above, a number of DOD and Navy organizations are involved in setting these policies.
Each program’s ISSE activity is responsible for discovering users’ information protection needs and then designing and making information systems to safely resist the threats to which the program may be subjected. According to
8 |
Chief of Naval Operations. 2008. OPNAV Instruction 5239.1C., Department of the Navy, Washington, D.C., August 20. Available at <http://www.fas.org/irp/doddir/navy/opnavinst/5239_1c.pdf>. Accessed May 1, 2009. |
9 |
OPNAV 89 was appointed as the DAA for special access programs, and the Director, ONI, as the Navy liaison to the NSA DAA for all sensitive compartmented information (SCI) program systems. |
DOD Instruction 8580.1, for any acquisitions of Automated Information Systems (AIS), outsourced IT-based processes, and platforms or weapon systems with IT interconnections to the GIG, the program manager needs to appoint an IA manager. The IA manager determines the system mission assurance category (MAC) and confidentiality level, identifies and implements appropriate system baseline IA controls, and plans and executes the certification and accreditation (C&A) process. For acquisitions that are designated as “mission-critical” or “mission-essential” systems, the IA manager must also prepare and submit an acquisition IA strategy.10
Acquisition IA strategies for all acquisition category (ACAT) IAM, ACAT IAC, and ACAT ID programs11 must be approved by the DOD component CIO and submitted to the DOD CIO for review prior to all acquisition milestone decisions, program decision reviews, and acquisition contract awards. The heads of the DOD components are delegated the authority to conduct reviews of acquisition IA strategies on behalf of the DOD CIO for all other acquisitions, and may delegate authority to approve acquisition IA strategies.
10 |
DOD Instruction 8580.1 provides definitions and guidance for “mission essential” and “mission critical” designations for IT systems. Such designations must be made by a Component Head, a Combatant Commander, or their designee. Available at <http://www.defenselink.mil/cio-nii/docs/DoDI_85801.pdf>. Accessed February 11, 2009. |
11 |
Acquisition Category (ACAT) I programs are major defense acquisition programs. For ACAT ID programs, the USD(AT&L) is the Milestone Decision Authority (the “D” in “ID” refers to the Defense Acquisition Board). For ACAT IAC programs, the head of the DOD component is the Milestone Decision Authority (the “C” in “IAC” refers to the Component CIO). For ACAT IAM programs, the ASD(NII)/DOD CIO is the Milestone Decision Authority (the “M” in “IAM” refers to the Major Automated Information Systems Review Council). |
The PEO C4I and the Navy PEO for Enterprise Information Systems (EIS) under the ASN(RDA) manage most programs involving IT. However, PEO Ships (e.g., DDG-1000, LPD 17 [landing platform dock]) and PEO Aircraft Carriers (e.g., CVN-76 [nuclear-powered aircraft carrier]), and the Marine Corps Systems Command manage several programs in which computing and networking infrastructure are being procured along with ships. The program management offices for the PEO C4I and the PEO EIS are staffed largely with personnel drawn from SPAWAR.
According to Secretary of the Navy Instruction 5400.15C, the commanders of Naval Air Systems Command (NAVAIR), Naval Sea Systems Command (NAVSEA), SPAWAR, and Marine Corps Systems Command (MARCORSYSCOM) exercise technical authority (TA)12 and certification authority for weapons and IT systems. In particular, program managers must obtain certification from SPAWAR or MARCORSYSCOM that a weapon and/or information system being developed has satisfied information assurance requirements. As mentioned above, operational system accreditation resides with the Commander, NETWARCOM, as the ODAA.
From an operational perspective, at the DOD level, USSTRATCOM has been assigned responsibility for coordinating and directing CND. The JTF–GNO is the USSTRATCOM element that implements this responsibility. The DISA commander is dual-hatted as the JTF–GNO commander. Navy CND is the responsibility of the NETWARCOM and of its subordinate element, the Navy Cyber Defense Operations Command (NCDOC), which is the Navy CND service provider. The Marine Corps network defense falls to the Marine Corps Network Operations and Security Center (MCNOSC).
From the above descriptions, it is apparent that numerous DOD and DON organizations are involved in IA. These organizations are endeavoring to work collaboratively, and have developed various forums such as the Naval NETWAR FORCEnet Enterprise (NNFE)13 and the Cyber Asset Reduction and Security (CARS) Task Force to facilitate this collaboration. Nevertheless, the committee is concerned that there is too great an opportunity for debilitating delays in responding to IA problems and for critical errors in responding to IA problems—both due to seams in the process of developing IA policy, developing requirements for IA, funding the acquisition of IA capabilities, developing and acquiring systems requiring IA, and operating these systems.
The next section addresses more centralized organizational options for the Navy to consider in order to avoid these seams. (See Table 6.1 for a summary of current Department of the Navy information assurance responsibilities.)
TABLE 6.1 Current Naval Information Assurance (IA) Responsibilities
Functional Area |
Organization |
Responsibilities |
Operational requirements |
OPNAV N6 |
Assure overall IA program execution in coordination with ASN(RDA) and DASN C4I; sponsor, authorize, and budget for IA requirements. |
|
NETWARCOM |
Serve as Navy Computer Network Defense (CND) Service Provider and coordinate defense of Navy computer networks as directed by JTF–GNO; provide CND training to fleet units as requested by fleet commanders; prioritize Navy IA operational requirements via input from Echelon II commands. |
|
OPNAV N89 |
Computer Network Defense Service Provider for special access systems. |
|
MCCDC/HQMC |
Identify USMC IA requirements and capabilities. |
|
JTF–GNO |
Direct and coordinate the defense of all DOD computer networks. |
|
DISA |
Establish connection requirements and approval for the Defense Information Systems Network. |
|
ONI |
Provide threat input and IA risk management assistance to OPNAV N6 and PEO C4I. |
Policy |
DON CIO/DASN C4I |
Provide overall DON IA policy guidance and focal point for IA; coordination with other elements of the DOD. |
|
OPNAV N6/HQMC |
Approve and issue IA policy, systems management, and metrics documents for Navy and USMC. |
|
NETWARCOM |
Provide guidance for implementation of Navy C&A policy; write safeguarding and accounting policies for DON COMSEC materials. |
Manpower and training |
OPNAV N6 |
Oversee Navy IA training requirements and provide requirements to the Personnel and Training and Standing Team (PTST). |
|
OPNAV N1 |
Develop Navy schoolhouse IA training and education; ensure that IA training is incorporated into pertinent Navy training and appropriate formal schools. |
|
NETWARCOM |
Manage the DON communication security training program. |
|
PTST |
Identify Navy IA billet and establish IA training requirements for military and civilian personnel. |
|
HQMC/MCCDC |
Develop USMC IA training, manpower, and education requirements. |
Functional Area |
Organization |
Responsibilities |
Acquisition |
ASN(RDA) |
Oversee acquisition of all DON IA capabilities and ensure compliance. |
|
OPNAV N6 |
Draft and maintain Navy’s IA acquisition master plan; coordinate fleet requirements for acquisition of communications security. |
|
PEO C4I |
Manage the Navy’s IA acquisition programs and projects, including R&D and full life-cycle support. |
|
PEOs |
Oversee program acquisition execution in area of jurisdiction. |
|
SYSCOMs |
Oversee program acquisition execution in area of jurisdiction. |
|
MARCORSYSCOM |
Procure USMC IA programs. |
|
DISA |
Direct the procurement of DOD-wide IA products and licenses. |
Certification and accreditation |
SPAWAR |
Serve as Navy’s certification authority for information and network systems. |
|
NETWARCOM |
Serve as Navy’s accreditation authority for information and network systems. |
|
PEOs |
Apply IA architectures and IA requirements in program execution. |
|
SYSCOMs |
Integrate IA requirements in design of information systems. |
|
MARCORSYSCOM |
Serve as USMC certification and accreditation authority for systems. |
|
HQMC |
Serve as USMC certification and accreditation authority for networks. |
NOTE: Acronyms are defined in Appendix A. SOURCE: Derived from Office of the Chief of Naval Operations Instruction 5239.1C, Department of Defense Instruction 8500.2, and Department of Defense Instruction 8580.1. |
INTEGRATED POLICY DEVELOPMENT AND ORGANIZATIONAL SUPPORT
The previous chapters of this report offer the background and context in which information assurance should be viewed by the DON for today’s and tomorrow’s warfighting environment. The subsections in this final major section of Chapter 6 illuminate IA policies and processes as currently addressed and implemented, and identify weaknesses in achieving the necessary IA posture and
readiness that the department requires. Suggestions and specific recommendations for organizational integration that has promise to achieve more effective information assurance are offered.
For purposes of clarity and precision, the term “networks” is used in what follows to refer to large general-purpose or enterprise systems such as the Navy/Marine Corps Intranet (NMCI), the Marine Corps Enterprise Network (MCEN), shipboard local area networks (LANs), aviation general-purpose networks, and DOD networks such as the Non-Classified Internet Protocol Router Network (NIPRnet) and the Secure Internet Protocol Router Network (SIPRnet) and so on, used for command, control, and intelligence purposes. But the term “networks” is not used to refer to combat system networks such as the Joint Tactical Information Distribution System, Multi-functional Information Distribution System, or Cooperative Engagement Capability. In a Venn diagram of networks and applications, applications are included in the network set only for considerations of hosting, transport, and policies relative to degradation of performance. In practice, a network designated approving authority would accredit the use of a certified application to use a network. However, the network authority would not get involved with the application’s function—that is the purview of the application’s process owner.
Although the committee was briefed and saw evidence on the convergence of combat system command and control with intelligence networks, its deliberations were premised on the continued separation of these networks in naval warfare.
Mention is also made of “life-cycle information assurance.” By this term, the committee is referring to the need to provide information assurance capability throughout the life cycle of a system. This especially becomes significant when a system transitions from the acquisition community to the operating forces and is subjected to operations and maintenance (O&M) resource pressures.
The discussion below articulates the reasons why information assurance is critically important for future naval warfighting success—and, correspondingly, why the Department of the Navy needs to place its development and management in the hands of a dedicated cadre, provided with appropriate educational and training support.
Intellectual Property
The DON does not currently own or control the designs of the critical technology components that comprise the information capabilities designed and operated as part of the network-centric command-and-control systems. However, the DON does design how commercial off-the-shelf components are integrated and used to achieve desired warfighting and system capabilities. The use of COTS components offers significant economic and performance advantages, but they come with inherent IA risks outlined and discussed in previous chapters. In order to respond to the high level of IA risk associated with a COTS component strategy,
the committee believes that the DON will need to have a cadre of officers, enlisted personnel, government civilians, and contractors who can responsibly integrate COTS components into sensitive network-centric warfare applications, with sufficient attention to IA so as to manage the trade-offs between IA and mission performance in system design and mission operations. The IA management team must develop the strategies to cope with changing disruptive threats during the life subcycles of design, development, and field support.
The committee’s opinion is that the department is not structured to accomplish this objective effectively today. There currently exist multiple stakeholders, including acquisition authorities, resource sponsors, systems commands, PEOs, and operational commands, with varying authorities relative to achieving information superiority. This structure results in the knowledge, authority, and accountability being very broadly dispersed—in the committee’s view, too broadly dispersed to deal with the recognized complexities associated with IA in a timely manner, with time controlled by ever-changing adversarial capabilities.
Architectural Alignment
Information assurance today suffers from a “traditional” and overly limiting definition of practice. Information assurance is more than simply ensuring proper password practices, guarding against network intrusions by installing firewalls, and providing patch updates when required. In its broadest sense, IA can be described as the absolutely essential, always ongoing process, involving people, procedures, and technology, required to protect a highly networked naval force against attacks to its communications capabilities and the data therein. A successful cyberattack will put critical DON data and information in jeopardy and thus potentially reduce the capability of the DON to execute its missions. In that sense, the committee, through its deliberations, assesses that there are multiple seams across the information assurance area in the DON that might prevent the development and execution of a unified, integrated information assurance strategy. Coordination among policy, acquisition, financial resource allocation, operations, and manpower and training functions and authorities is greatly complicated by these seams. As an example and consequence, the synchronization of software architecture, hardware architecture, and organizational design/enterprise architectures either does not routinely occur or is accomplished with difficulty. This results in the lack of an authoritative information assurance architecture that is adequately scoped and programmed and in a lack of configuration control relative to information assurance. It also does not easily permit adjustments related to unanticipated changes in threat, potentially rendering newly developed capabilities as higher-than-desired risk elements for the naval forces structure. This misalignment can exist within the DON and across the agencies and the other military Services.
As with many other system attributes, information assurance cannot be “installed” at system testing. The needs and requirements for information assur-
ance and its effect on the hardware, software, and the operational environment must be continuously considered as a system is being designed and developed. Information assurance, including the potential need for adjustments due to changing threats, has to be considered in the early design decisions and trade-offs at the front end of the life cycle or it will be very difficult and costly to deal with later during development or in operation.
Outsourcing and Acquisition
The acquisition of major naval networks from industry is clear recognition that the intellectual property for these networks does not wholly reside in the DON or DOD. Moreover, the lack of a fully authoritative and effective DON information assurance CONOPS and information assurance enterprise architectures complicates major network acquisitions such as the NMCI, the DDG-1000 Total Ship Computing Environment, the LPD 17 Shipboard Wide Area Network, the USS Ronald Reagan CVN 76 Integrated Communication Advanced Network, and the Littoral Combat Ship network platforms, including both its hardware and software. Potential implications include the following:
-
The life-cycle information assurance and the required strong configuration control handoff from systems commands and PEOs to the fleet degrading over time. Operational and resource pressures can negatively impact IA system upgrades and personnel training and can create challenges to life-cycle configuration management;
-
The Navy’s losing the capability to understand or effectively manage network-centric technology processes owing to the dispersion of know-how regarding threats, system IA architecture and design, system development, and system field operations. The lack of a dedicated, coherent “network workforce” community at all of the systems commands and in the fleet amplifies this trend; and
-
The Navy’s not fully integrating contractors into its operational processes although it has outsourced much of its required technological capabilities to industry. Of even greater concern is how much second- and third-level outsourcing has occurred, resulting in additional vendors and correspondingly reduced visibility.
Organizational Structure
Structurally complicating the complete elimination of the IA seams resulting from differing policies, requirements, financial resource allocations, acquisitions, operations, and manpower and training functions is that there are two military Services within the DON. This necessarily involves consideration of multiple and varied requirements affecting network-centric operations. Priority differences within the Navy and the Marine Corps can often yield different results for network-centric capability, which often must be reconciled at the SECNAV level
or go unresolved. For policy and acquisition issues, this is typically accomplished by two different organizations within the department that address network-centric, IA issues: (1) the DON CIO organization and (2) the ASN(RDA) organization.
A depiction of the many entities involved in the IA process for the DON was presented previously (see Table 6.1). The committee assesses the information assurance governance in the department to be too complicated and far less than optimal. In fact, as a National Research Council committee concluded in 2000, “Currently no single individual within the Department of the Navy has IA governance responsibility and authority.”14 This remains the case today.
Need for Organizational Realignment
The reasons cited in this chapter, combined with the above cited description of information assurance governance in the DON, suggest the need for organizational realignment. The department should examine alternatives to acquiring and managing networks that provide tightly controlled IA discipline with respect to architecture conformance, life-cycle support, and configuration management; an ability to accommodate technology insertion; and a structure to facilitate risk management. In an effort to gain insight into organizational models that might help to accomplish these objectives, the committee examined the Naval Nuclear Propulsion Program (NNPP) and the Department of the Army Chief Information Officer/Assistant Chief of Staff for Information Management (DOA CIO/G6) organization.
Naval Nuclear Propulsion Program
The Naval Nuclear Propulsion Program is known for its effective management and accountability for safety assurance. For example, after the Columbia Space Shuttle accident in 2003, the Director, NNPP, was called to testify before Congress on the NNPP and its culture of safety “that has allowed Naval Reactors to be successful for the last 55 years.”15 More recently, the Director, NNPP, was assigned by the Secretary of Defense to investigate the mistaken delivery by the U.S. Air Force of fuses used in intercontinental ballistic missiles to Taiwan.16
Under Executive Order 12344,17 the NNPP was established as a program carried out by the DON and the Department of Energy (DOE) and led by a director with technical background and experience in naval nuclear propulsion who serves for a term of 8 years.18 The director, if a Navy officer (all directors have been Navy officers so far), is an admiral reporting directly to the CNO and having direct access to the Secretary of the Navy, and is also an assistant secretary of the DOE. The NNPP has total responsibility for all aspects of Navy nuclear propulsion, including research, design, construction, testing, operation, maintenance, and ultimate disposition of naval nuclear propulsion plants; the safety of reactors, including the prescribing and enforcement of standards and regulations; personnel, including training and concurrence in the selection of all personnel who operate reactors; and administration, including oversight of procurement, logistics, and fiscal management.
The NNPP and the position of Director, NNPP, are certainly unique aspects of the Navy management structure, in response to the high-priority need for specialization and safety accountability. Because of the authorities granted the director, the potential seams between policy, requirements, budgeting, research, acquisition, operations, and training and personnel management that the committee observed for IA and networking are not present for nuclear reactors. The committee understands that there are significant differences between providing reactors and networks for ships and that the governance structure of the NNPP is due to unique factors—including the legacy of Admiral Hyman Rickover, USN—that could not simply be replicated for IA and networks.
Nonetheless, the committee believes that there are strong parallels between the nuclear propulsion area and the IA area. In the analysis of the committee, the parallels—which include the need for strong alignment of authorities and responsibilities; the need for strong leadership and continuity (in the case of the NNPP, facilitated by the qualifications, high rank, and long tenure of the director); the emphasis on selection and training of technically qualified personnel; and the need for strong, continuing technical support (in the case of the NNPP, provided by the DOE laboratories)—call for a similar organizational response. A takeaway lesson from the NNPP model is that there is a clear and strong sense of ownership of the nuclear propulsion mission and the applicable authorities.
Department of the Army Chief Information Officer
The DOA CIO/G-6 provides architecture, governance, portfolio management, strategy, C4 IT acquisition oversight, and operational capabilities to enable joint
network-centric operations for the Army.19 The DOA CIO/G-6 is a lieutenant general who reports to the Secretary of the Army and provides staff support to the Chief of Staff of the Army. The DOA CIO/G-6 organization is depicted in Figure 6.2.
The Army’s Network Enterprise Technology Command (NETCOM) reports directly to the DOA CIO/G-6 and operates and defends LandWarNet—the Army’s portion of the GIG. The NETCOM commander is a major general. Composed of more than 17,000 soldiers, civilians, and contractors, the signal commands and brigades of NETCOM are stationed and deployed worldwide, supporting Army, joint, interagency, and multinational operations, and the Pentagon.
The PEO EIS develops, acquires, integrates, deploys, and sustains network-centric information technology, business management, communications, and infrastructure systems. PEO EIS reports on a solid-line basis directly to the Assistant Secretary of the Army for Acquisition, Logistics and Technology (ASA[ALT]) and on a dotted-line basis to the DOA CIO/G-6.
The DOA CIO/G-6 is the principal focal point for the Army for information management matters with external organizations; it has authority over policy, requirements, budgeting, operations, and training and personnel management; it is the DAA for Army information systems20 (with the exception of Army sensitive compartmented information [SCI] systems); and supports the ASA(ALT) acquisition of information systems and parts of other major capabilities. While the mission, organization, and culture of the Department of the Army are not the same as those of the Department of the Navy—in particular, as noted above, the
DON has two Services—the DOA CIO/G-6 organization provides an example of an alternative organization and governance structure for networks and IA, with the DOA CIO/G-6 explicitly tasked to fill the seams between the various Army organizations with a specific role regarding IA and networking.
Alternative Organizational Models
Based on its analysis of the current organizational structure of the Navy for networking and IA21 and after consideration of models such as the NNPP and the DOA CIO/G-6, the committee considered various new alternative organizational constructs. In anticipation that the DON may contemplate the inclusion of an organizational response in its efforts to address the information assurance challenges outlined in this report, the committee has developed four naval IA organizational model alternatives, which are presented below.
The most comprehensive organizational approach is considered in Option 1; Options 2 through 4 would involve somewhat less change. A chart depicts the structure of each. Elements of these options could also be selectively implemented.
IA Organizational Model—Option 1
Option 1 (Figure 6.3) would establish a new senior flag/general officer position, entitled Director, Naval Networks (DNN), to rotate between the Navy and Marine Corps, as the single authority for naval networks. The DNN would provide the strong leadership that is needed for secure operation of naval networks in a similar fashion to the strong leadership provided by the Director, Naval Reactors, for the secure operation of naval reactors. A uniformed officer is preferred over a civilian to emphasize clearly the operational importance of the position. This dual-reporting position would assume the current functions of the DON CIO and the DASN(C4I/EW/Space) and would report directly to the Secretary of the Navy, for acquisition oversight of naval network systems and fulfilling Clinger-Cohen Act responsibilities.22 The position would also report to the CNO and the CMC with responsibility for life-cycle management of information systems afloat and
ashore and for the education and training of a dedicated officer, enlisted, and civilian cyber workforce. The office would be appointive for at least the duration of the Program Objective Memorandum (POM) cycle (5 years) to ensure policy and execution continuity and accountability.
The DNN would have dotted-line relationships with OPNAV N6 and Headquarters, Marine Corps (HQMC) for requirements and resource issues; with NETWARCOM, MCNOSC, and the Marine Corps Information Operation Center for operational issues; and with the ASN(RDA) for acquisition issues. The DNN would also be responsible for integrating IA strategies and plans across all naval communities (surface, subsurface, expeditionary, air, space, and cyberspace), as well as with joint communities. The Director, Naval Networks, would have the authority to establish network “safe-to-operate” criteria to use as enforcement authority if a naval network was judged to be so impaired as to potentially harm naval operations.23
This model would retain the Naval Network Warfare Command (NETWARCOM) at the Echelon III level as the functional and operational type commander for Navy networks, but would also grant NETWARCOM and HQMC C4 the authority to certify as well as accredit software and hardware systems on naval networks. This alternative would consolidate significant responsibility for IA policy, acquisition, financial resource allocation, operations, and manpower and training functions under the DNN.
Establishing the position of DNN would recognize the critical importance of networking to current and future naval capabilities. It would also represent a historic step comparable to the establishment of the NNPP.
The committee believes that acquiring network capability for the DON and providing the necessary life-cycle support and the needed education and training must be executed at the highest levels within the department to achieve the right organizational response. The DNN would also be given post-program, post-budget adjustment authority to accommodate exigencies that might occur during the development, production, and fielding of information and network systems, specifically to coordinate IA capabilities. This organizational alignment would afford great benefits by merging the DON CIO and the DASN C4I responsibilities. It would permit the DNN to employ both Clinger-Cohen Act and DOD Directive 5000 acquisition directives to optimal benefit for the DON. The combination of the offices would also bridge the transition of networks from the acquisition domain into the operating forces by the office’s reporting to SECNAV and to the CNO and CMC. This would give the Director, Naval Networks, the responsibility to ensure life-cycle support of networks.
Like the Director, Naval Reactors, the DNN would have to have ready access to technical expertise to provide technical depth and continuity of knowledge. This would be provided by SPAWAR and the Navy laboratories, augmented as necessary by support from Federally-Funded Research and Development Centers and contractors.
Sole execution authority within the DON would be given to NETWARCOM and HQMC C4 to both certify and accredit information systems, thus centralizing authority for this most critical IA requirement. NETWARCOM would designate certification authorities and establish independent verification and validation teams for periodically and frequently checking approved certifications in both the acquisition and operational stages. The DNN would coordinate with naval operational and intelligence agencies to develop cyberthreat analyses.
Due to the DNN’s stature, tenure in office, and technical support, the DNN would be well positioned to address other key issues identified in this report, including energizing the Navy’s research program in IA and CND, integrating offensive and defensive cyber operations, and integrating all aspects of IA through a risk management approach.
IA Organizational Model—Option 2
Option 2 (Figure 6.4) would establish a Network Programs Office (NPO) as a Direct Reporting Program Manager (DRPM) reporting to the ASN(RDA), transferring or adding required support resources as needed from the Navy’s PEO C4I and PEO EIS and appropriate USMC PEOs, to ensure a high level of attention to challenging acquisitions and strict acquisition discipline for the delivery of afloat and ashore networks and for their life-cycle management and information assurance readiness.
In this model, NETWARCOM is retained at the Echelon III level as the functional and operational type commander for Navy networks; likewise, MCNOSC retains its current authorities and responsibilities in the Marine Corps. As in Option 1, this option would also grant NETWARCOM and HQMC C4 the sole authority to certify as well as accredit software and hardware systems on naval networks. This alternative therefore modifies naval IA policy and acquisition only. It does not change financial resource allocation, operations, or manpower and training functions.
The establishment of the Network Programs Office as a Direct Reporting Program Manager would provide the special scrutiny and oversight necessary for significant, challenging new acquisitions in the network domain. Sole authority within the DON is given to NETWARCOM and HQMC C4 both to certify and accredit information systems, thus centralizing authority for this most critical IA requirement.
IA Organizational Model—Option 3
Option 3 would elevate NETWARCOM to the Echelon II level reporting to the CNO, thus recognizing the Navy-wide criticality of information assurance and networks (Figure 6.5). This model also grants NETWARCOM and HQMC C4 the sole authority to certify as well as to accredit software and hardware systems on naval networks. This alternative modifies policy and potentially financial resource allocation, and also modifies manpower and training functions. It does not change acquisition and operations.
Placing NETWARCOM as an Echelon II command would recognize the Navy-wide importance of information assurance and make this important function report directly to the CNO. Establishing NETWARCOM as an Echelon II command would give NETWARCOM the clear enforcement responsibility for network IA policy and operations across the entire Navy enterprise. Increased influence with OPNAV in the Program Planning and Budgeting System process would result, as NETWARCOM will provide information and network requirements directly to the OPNAV staff. As in Options 1 and 2, sole authority within the DON would be given to NETWARCOM and HQMC C4 both to certify and to accredit information systems, thus centralizing authority for this most critical information assurance requirement.
IA Organizational Model—Option 4
The committee’s Option 4 model represents the least amount of change with respect to current naval IA operations. This option would grant NETWARCOM and HQMC C4 the sole authority to certify as well as to accredit software and hardware systems on naval networks (Figure 6.6). Thus, this alternative would only modify naval IA policy responsibilities. It would not change acquisition, financial resource allocation, operations, and manpower and training functions. (See Table 6.2 for a summary comparison of each option discussed above.)
Summary Discussion
The committee consulted with several senior naval officials who were selected on the basis of their potentially providing the committee with new insights concerning possible organizational recommendations. These officials included the current Director of Naval Nuclear Propulsion, the former ASN(RDA), and the current Commander of NETWARCOM. They were also chosen to help the committee understand issues associated with the currently “federated” approach for governing naval IA and addressing IA issues. On the basis of its discussion with the selected officials, the committee’s own analysis and experienced-based personal views, and the Navy’s projections regarding the growing threats to information assurance, the committee believes that Option 1
TABLE 6.2 Comparison of Alternative Organizational Model Constructs and Their Impact on Naval Information Assurance Functional Areas
Proposed Organizational Construct |
Naval Information Assurance Functional Area Impacted |
||||
Policy |
Acquisition |
Resource Allocation |
Operations |
Manpower and Training |
|
Naval Networks (Option 1) |
Combine DON CIO and DASN (C4I/EW/Space) |
Combine DON CIO and DASN C4I |
Combine DON CIO and DASN C4I |
Safe to operate |
Directs naval networks manpower and training |
|
Adds cyberthreat analysis to NETWARCOM, MCNOSC |
||||
|
Coordinate with OPNAV N6 |
||||
|
|
|
Manager, cyber workforce |
||
|
Sole authority for C&A to NETWARCOM, HQMC C4 |
|
|
|
|
Direct Reporting Network Programs Office (Option 2) |
Sole authority for C&A to NETWARCOM, HQMC C4 |
DRPM ASN(RDA) |
No change |
Adds cyberthreat analysis to NETWARCOM, MCNOSC |
No change |
NETWARCOM Echelon II (Option 3) |
Sole authority for C&A to NETWARCOM, HQMC C4 |
No change |
Program Objective Memorandum (POM) Major actor |
Adds cyberthreat analysis to NETWARCOM, MCNOSC |
Directs naval networks manpower and training |
NETWARCOM, HQMC C4 Additional IA Authorities (Option 4) |
Sole authority for C&A to NETWARCOM, HQMC C4 |
No change |
No change |
Adds cyberthreat analysis to NETWARCOM, MCNOSC |
No change |
NOTE: Acronyms are defined in Appendix A. |
would best position the Navy and the Marine Corps to address current and future information assurance and cyber-related challenges and to facilitate rapid IA progress. The committee does not suggest that the models described above are exhaustive in their scope; of the four organizational models presented, however, Option 1 provides the most clear and comprehensive naval IA governance authority and responsibility for addressing the IA issues outlined throughout this report, including the previously discussed governance seams between naval IA functions of policy, acquisition, financial resource allocation, operations, and manpower and training. The Option 1 model provides a clear and strong signal for the ownership and accountability of the bedrock DON information assurance mission.
With the appropriate assignment of authority and responsibility to the Director of Naval Networks, Option 1 would more closely resemble the clear cyber command lines of authority and responsibility found in the Headquarters (HQ) U.S. Army.24 The Army HQ’s model for managing cyber-related activities is in contrast to the current DON federated approach for managing naval IA and networking, and would appear to provide the opportunity for clearer governance responsibilities and cleaner, unambiguous lines of authority.25 By providing a single focal point for naval cyber matters, the proposed naval Option 1 construct would also facilitate relationships with joint organizations, ensuring that the DON speaks with a single voice.
As a less dramatic potential naval IA organizational approach, a “strong federated” governance model—an option in which each of multiple parties has well-defined responsibilities with a clear understanding of the relations among those responsibilities, an improvement over the current “weak federated” model—is also recognized by the committee to provide a partial solution to naval IA governance issues. However, a federated approach lacks clear accountability for many crosscutting IA and network operations-related issues, and it leaves unreconciled potentially critical IA issues such as (1) the need for fast response and decision making in the time of crisis, (2) the development and continuity of deep knowledge and properly trained manpower in crosscutting cyber technical areas, (3) the ongoing requirement for IA resource prioritization with different organizational points of impact, and (4) the development of required expertise to manage and balance more systematically the high-level IA-related trade-offs and operational risks.
24 |
See Army Regulation 25-1, Headquarters, Department of the Army, Washington D.C., December 4, 2008; and Capt Carla Pampe, USAF, 8th Air Force Public Affairs Office, 2006, “Air Force Officials Consolidate Network Ops,” Department of the Air Force, Barksdale Air Force Base, La., July. Available at <http://www.af.mil/news/story.asp?id=123023090>. Accessed May 1, 2009. |
25 |
Note, however, that Army cyber field support operations are distributed between NETCOM and the Intelligence and Security Command (including its subordinate element, the 1st Information Operations Command [Land]), whereas the Navy’s cyber operations are consolidated under NETWARCOM. |
As with any suggested organizational model, the preferred centralized command model for naval IA presented by the committee will have disadvantages as well as advantages. For example, centralized organizational structures are sometimes viewed as less innovative, and perhaps less adaptive, than structures in which multiple or occasional competing authorities coexist. Also, less centralized structures are typically better at horizontal and multiple-direction communication than are the centralized structures, which are sometimes dominated by hierarchical, top-to-bottom communications.
Nonetheless, the committee’s opinion is that the organizational structure required to address the four potentially critical IA issues just listed, coupled with the growing cyberthreat and the resulting need for clear IA accountability, point to Option 1 as the preferred model. While Options 2, 3, and 4 are less-extensive variations of the theme expressed in Option 1, the committee’s opinion is that IA and related network operations will demand more clear governance authority and single-line accountability than are provided by Options 2, 3, and 4, especially as network-centric operations, information assurance, and cyberwarfare all grow in importance over the coming years.26
A DON decision and potential implementation of Option 1, or of any model outlined above, would obviously require further in-depth study and deliberation. However, the urgency of addressing information assurance and cyberdefense needs calls for a new organizational model on which serious examination should begin immediately. The committee recognizes that an organizational change to the recommended Option 1 would be a major step for the DON; however, the committee also believes that, as suggested by one senior Navy leader, such a change is better achieved through the vision and drive of a determined group of naval leaders than in response to a major cyber-related catastrophic event.
MAJOR FINDING: The governance of information assurance is widely distributed across naval forces, with many parties playing roles, resulting in many governance seams. In particular, there is no centralized authority or organizational mechanism in place in the Department of the Navy for governing IA and end-to-end cyber operations. For example, a shared scope of governance of security policy and fiscal authority for naval networks resides throughout the DON, including with the Department of the Navy Chief Information Officer; the Deputy CNO for Network Operations; Headquarters, Marine Corps; Naval Network Warfare Command; Echelon II Chief Information Officers; Commander–Naval Installation Command; Program Executive Officers; and Navy Systems Command.
MAJOR RECOMMENDATION: The leadership of the Department of the Navy should examine more-centralized IA-related organizational structures for integrating its information assurance strategies and plans across all naval communities (surface, subsurface, expeditionary, air, space, and cyberspace), as well as for integrating those same strategies and plans with joint communities (Combatant Command, Office of the Secretary of Defense). The examination should address the needed IA governance and fiscal authorities for sustaining both current and future readiness levels, as well as which DON organizations are critical to defending against evolving cyberthreats—from the strategic to the tactical level.