Securing the Net: Information Assurance in the United States
Mr. Robert Lentz
Director of Information Assurance, Office of the U.S. Assistant Secretary of Defense
I am honored and pleased to have the opportunity to tell you about the efforts of the United States Department of Defense to protect and defend our information systems and computer networks. As you all know, the Information Age brings both great opportunities and significant risks. Managing these risks to minimize their effect on the success of our overall mission is essential to achieve revolutions in both military and business affairs. How we will embrace that new interconnected world, however, is the challenge.
The challenge has been visible in both our war fighting and our peacekeeping missions. It has also been visible in our business operations, where our acquisition cycle time has been reduced to 15 months for key information-technology systems and even less for commercial off-the-shelf technologies (COTS). Just look at the breakthroughs in wireless technologies. These new-age capabilities are at the heart of how we will conduct operations (by massing the effects of our highly mobile, widely distributed, self-synchronizing activities when and where desired, what we call netcentricity) to achieve information superiority.
To have information superiority, however, we must have interoperability and information assurance. I am going to focus now on this last element, information assurance, or IA, and what it means to us in the Department of Defense (DOD).
To the Department of Defense, IA is synonymous with "securing the net." Our daily operations are conducted under a risk management philosophy (during peacetime, crisis, and war), and we have recognized that there is steadily increasing dependence on a global information environment over which we have little control. This heightens our exposure and vulnerability to a rapidly growing number of increasingly sophisticated internal and external threats. So we have learned to live on the net to achieve information decision superiority; not doing so would be like refusing to fly an airplane for fear of an accident.
EVOLVING THE DOD INFORMATION INFRASTRUCTURE
Given the risks and the fact that weakness in any portion of Department of Defense networks is a threat to the operational readiness of all of its military services, the Department is moving aggressively to ensure the continuous availability, integrity, authentication, confidentiality, and non-repudiation of its information as well as the protection of its information infrastructure. Exercises and real-life events clearly demonstrate that DOD-wide improvement in information assurance is an absolute and continuous operational necessity. We can no longer be satisfied with reactive static defenses or after-the-fact solutions.
Incorporating New Technologies
As the Department evolves its information infrastructure, it must consider how to continuously infuse new technologies and capabilities to keep pace with the rapid advances in the commercial sector. To that end, the Department is developing partnerships with industry to help us meet DOD's security, operational, and functional needs. Information and, more importantly, attainment of decision superiority demands that all of our mission partners take security seriously and begin to "bake security in" rather than "brush it on" later. We are currently working with major companies to develop IT solutions that are designed with security as an integral part of the technology. We are working with software producers to deliver products with security built in. We have begun to test software as it is developed to measure the security capabilities. In addition, we are partnering with emerging companies to help them define and refine their pre-market products to better address security needs and to exchange information on how the commercial and DOD markets might converge on critical technologies.
Working with R&D Efforts and the Scientific Community
Another key aspect to keeping pace with technology advances is to effectively influence the research and development, academic, and science and technology communities. The Department is actively working with each of these entities by identifying the "hard problems" and challenging them to bring to the table solutions that are scalable and can be implemented.
We can no longer be satisfied with reactive or after-the-fact solutions. While we must continue to address our vulnerabilities to minimize our risks, it will take a concerted effort to raise the security awareness of everyone and to demand products with security as a core component. We all share risk in this "network-centric" world; it is up to us to ensure our mutual safety and protection as we move forward.
Pursuing the Defense-in-Depth Strategy
Achieving information superiority requires a coherent strategy. We call this strategy Defense-in-Depth, in which layers of defense are used to achieve balanced, overall information assurance. The strategy recognizes that no single security element or security component can provide adequate assurance. It is based on layered security solutions that allow us to maximize the use of commercial off-the-shelf technology. The fundamental principle is that we need layers of protection to establish an adequate security posture.
Enclaves, for example, require a strong perimeter to guard against malicious outsiders. Within each enclave, protection is also needed against malicious insiders who have penetrated the perimeter. This concept is relevant whether it is used to protect against potential adversaries gaining access over the Internet or enforcing community-of-interest or need-to-know isolation within an otherwise protected intranet.
Advancing Intrusion Detection
In the area of intrusion detection, we are greatly accelerating the development of technologies to detect and respond to cyberattacks against critical infrastructures. Current intrusion-detection techniques are extremely limited in their ability to identify attacks, particularly large-scale attacks against multiple points in the infrastructure, such as distributed denial-of-service (DDoS) attacks against Internet service providers and e-commerce companies. We have been conducting research into a broad variety of concepts that offer the potential to identify the most sophisticated kinds of cyberattacks, analyze the attack method and source(s), and institute protective measures in near real time.
Within the DOD, we have established detailed procedures for coordinating all cyberevents. The Joint Task Force-Computer Network Operations (JTF-CNO) is our focal point for dealing with cyberthreats, and it has the authority to coordinate and direct the defense of the department's computer systems and networks, a mission we entitle Computer Network Defense.
We also are dependent on the International Common Criteria guidelines, which provide a standard methodology for evaluating software products and uncovering vulnerabilities critical to the protection of our networks and computer systems. We realize that the Department of Defense is not an island! There is tremendous pressure to bring more information services to our military customers, and vendors are eager to meet these needs. The challenge we face is that software solutions often are riddled with security problems for the IA specialist to solve. As emphasized earlier, we need to encourage developers to deliver information assurance-enabled products on the front end with a business model that provides a reasonable return on investment.
PARTNERING WITH LAW ENFORCEMENT AND INTERNATIONAL ORGANIZATIONS
The success of the IA framework also depends upon law enforcement's ability to deter future cyberattacks through the successful prosecution of cybercriminals. The international nature of cybercrime, however, impedes law-enforcement efforts. Since a perpetrator may launch an attack from anywhere in the world or route an attack through many countries, international cooperation is necessary for tracing communications back to their source, securing electronic evidence, and extraditing fugitives. The difficulty in apprehending the perpetrator of the "I Love You" virus demonstrates the problems faced by law enforcement: because the actions of the perpetrator did not constitute a crime in the Philippines, the Philippine government did not prosecute or extradite the virus creator.
The Council of Europe Cybercrime Convention removes such obstacles in three ways: by (1) requiring signatory countries to establish certain substantive offenses in the area of computer crime; (2) requiring parties to adopt domestic procedural laws to investigate computer crimes; and (3) providing a basis for international law-enforcement cooperation. We urge all nations to adopt such a framework for effective international assistance so that we may promptly respond to cybercrime.
Regarding both the domestic and international fronts, President Bush recently signed the United States "National Strategy to Secure Cyberspace." The objectives of this strategy are to prevent cyberattacks against America's critical infrastructures, reduce our nation's vulnerability to cyberattacks, and minimize damage and recovery time when cyberattacks do occur. To accomplish these objectives, several critical priorities were established. The first is to establish a National Cyberspace Security Response System. Next, the nation will develop a National Cyberspace Security Threat and Vulnerability Reduction Program. To enhance the first two priorities, a program will be developed and executed to provide the nation with cyberspace security and awareness. The final two priorities call for securing the government's cyberspace, an objective DOD has focused on for many years. Finally, there will be an effort to enhance cooperation in the national security and international cyberspace security arenas.
This U.S. international effort is supported by several other objectives. These include:
- To facilitate a dialogue between government and industry representatives and foreign public and private sectors on global information-infrastructure protection.
- To encourage other nations to develop cyberwatch and cyberwarning capabilities to better inform government agencies, the public, and other countries of impending attacks or viruses.
- To encourage regional organizations such as APEC, the EU, and the OAS to address cybersecurity issues.
- To facilitate technology sharing (today more bilateral).
- And to establish an international network capable of receiving, assessing, and disseminating cybersecurity-related information globally.
We in DOD will continue to contribute to the execution of this national strategy and are engaging with allied and coalition partners to enhance the global cybersecurity effort.
TRAINING AND WORKING WITH IT/IA PROFESSIONALS
Finally, we continue to work on the most critical component of protecting the Department of Defense's information resources against modern-day cyberattacks: attracting and maintaining a corps of appropriately trained and experienced IT professionals. We have put a great deal of effort into resolving problems and issues in work-force management and information-technology information assurance education, training, and certification. We must leverage the power of the people!
We are also implementing changes in the way the Department manages its IT work force and are establishing training standards and certification requirements for key IT/IA personnel. Our ability to recruit and retain highly qualified information-assurance specialists is critical to achieving the Department's goal of information superiority.
If we are to defend the infrastructures that allow our information processes to work effectively, we must remain constantly vigilant over our networks, which includes having skilled people and technology working together. Substantial IA progress has been made, but it is a journey, not a destination. As new technology is created, new kinds of attacks will be developed; new countermeasures will need to be adopted.
There is much more that must be done to achieve information superiority, but the good news is that our leaders, from the President to our Secretary of Defense, are emphatic that IA is a core element of defense transformation and homeland security. If we expect to "secure the net," IA must not be a slogan but a major focus of investment and an operational priority.