25 August 2001
Source: Hardcopy from the National Technical
Information Service and
http://www.acq.osd.mil/dsb/dio.pdf (1.3MB)
This file Zipped, text and 26 images: http://cryptome.org/dio/dio.zip (791KB)
See Volume I: Protecting the Homeland - Report of the Defense Science Board - 2000 Summer Study - Executive Summary - Volume I (19 pages; 47KB)
[181 pages.]
NTIS ADA389094
Office of the Undersecretary of Defense
For Acquisition, Technology, and Logistics
Washington, D.C. 20301-3140
This is a product of the Defense Science Board (DSB).
The DSB is a Federal Advisory Committee established to provide independent advice to the Secretary of Defense. Statements, opinions, conclusions and recommendations in this report do not necessarily represent the official position of the Department of Defense.
This report is unclassified.
OFFICE OF THE SECRETARY OF DEFENSE
3140 DEFENSE PENTAGON
WASHINGTON, DC 20301-3140
DEFENSE SCIENCE
BOARD
MAR 28 2001
MEMORANDUM FOR PRINCIPAL DEPUTY UNDER SECRETARY OF DEFENSE (ACQUISITION, TECHNOLOGY & LOGISTICS)
SUBJECT: Final Report of the Defense Science Board (DSB) Summer Study Task Force on Defensive Information Operations
I am pleased to forward the final report of the DSB Task Force on Defensive Information Operations. The Task Force was tasked to review and evaluate DoD's ability to provide information assurance to carry out Joint Vision 2010 in the face of information warfare attack.
In their report, the Task Force states that DoD cannot today defend itself from an Information Operations attack by a sophisticated nation state adversary. To that end, I agree with their belief that if Joint Vision 2020 is to be the path to the future, these vulnerabilities must be addressed.
I endorse all of the Task Force's recommendations and propose you review the Task Force Chairman's letter and report.
[Signature]
William Schneider
DSB Chairman
OFFICE OF THE SECRETARY OF DEFENSE
3140 DEFENSE PENTAGON
WASHINGTON, DC 20301-3140
March 1, 2001
DEFENSE SCIENCE
BOARD
Memorandum for the Chairman, Defense Science Board
Subject: Report of the Defense Science Board Task Force on Defensive Information Operations
The Department of Defense has adopted Joint Vision 2020 as its approach to conflict in the future. Both Information Superiority and Decision Superiority are key components of JV2020, and future warfighting plans will be increasingly reliant upon high-speed interconnected information networks to identify targets, create and transmit plans, disseminate and share information, and carry out battles. This construct for the military is based on the ability to detect and track the enemy, move that information across continents, integrate and analyze it, then decide and take action, often under very tight time constraints; sometimes within minutes. It is the protection of this information upon which this Defense Science Board Task Force concentrated its efforts.
The threats to the DoD infrastructure are very real, non-traditional and highly diversified. Within the past year, the Love Bug Virus spread to over one million computers in just five hours: far more rapidly than defenses or law enforcement could respond. Attacks vary widely from those perpetrated by trusted insiders, to remote attacks by individuals, organized groups, or nation states, employing new approaches we do not yet understand. China has made clear its intention to use Information Operations (warfare) as an asymmetric response in any conflict with the United States. Various components of Information Operations, including psychological operations, computer network attack, and computer network defense were used during the Kosovo crisis. More recently, both the Israelis and the Palestinians used cyber attacks as an integral part of heightened conflict in the Middle East. Furthermore, those attacks were magnified by the participation of thousands of civilians "called to cyber arms" by their colleagues.
The vulnerabilities of the United States are greater than ever before, and we know that over twenty countries already have or are developing computer attack capabilities. Moreover, the Department of Defense should consider existing viruses and "hacker" attacks to be to real "Information Operations or Warfare" what early aviation was to Air Power. In other words, we have not seen anything yet! And the importance of this is magnified by the increased reliance the DoD places on having just the right information at the right place, at the right time: JV2020!
These vulnerabilities, inextricably intertwined with our civilian infrastructure, when coupled with known and expected capabilities of potential adversaries, raise serious questions about the readiness of the DoD to conduct Defensive Information Operations. To address these challenges, this task force focused on issues and opportunities in five major areas:
The report is provided in two volumes. Volume I presents the overall observations, findings and primary recommendations for each of the five focus areas, addressed at the decision maker level. Volume II provides a detailed report for each of the five focus areas, with more specific recommendations including courses of action, cost estimates, and anticipated level of effort, addressed at the implementation level. While there is no hierarchy implicit in these topics, recommendations pertaining to some will be easier and less costly. Others, like the architecture, will have the greatest impact, take the most time, and be the most expensive. Even so, it is only the successful integration of all of the recommendations that will provide the DoD with the Information Infrastructure needed to achieve the goals of the Joint Vision.
It is the view of this task force that DoD cannot today defend itself from an Information Operations attack by a sophisticated nation state adversary. If Joint Vision 2020 is to be the path to the future, these vulnerabilities and shortfalls must be addressed. The topics and recommendations discussed herein are essential to achieving that goal.
Now is the time to make some difficult decisions and invest the required significant resources. Successful information-intensive industries have shown the way to embrace change. But the DoD challenge is more difficult: not only to embrace change, but also to build trust and security to a degree no business could afford.
Sincerely,
[Signature]
Larry Wright
______________________________________________________________
DSB VOLUME I -- DEFENSIVE INFORMATION OPERATIONS
1.1 Terms of Reference
1.2 Today's Threat Environment
1.3 Information Operations
1.4 Joint Vision 2020 and the Importance of Information Assurance
1.5 Progress Since the 1996 DSB Task Force on Information Warfare Defense
1.6 Current Defensive Information Operations Issues
Chapter 2. Building an Effective Security Architecture
2.1 Summary
2.2 The Integrated Information Infrastructure
2.3 The Global Information Grid
2.4 An Effective Information Assurance Architecture
2.5 Operating an Effective Information Assurance Architecture
2.6 The Challenges Associated with Wireless
2.7 GIG Information Assurance Summary and Recommendations
3.1 Technology Drivers
3.2 Promising Technology Areas for Investment
3.3 Recommendations
4.0 Introduction
4.1 Operational Readiness
4.2 Organizational
4.3 Human Resources
4.4 Resources
4.5 Recommendations
5.1 Introduction
5.2 Toward a Common Terminology
5.3 Requirement for Government-Wide Coordination
5.4 Resolve Law Enforcement Information Sharing Roadblocks
5.5 Critical Infrastructure Protection
5.6 Near Term Recommendations
5.7 Conclusions
Chapter 6. Summary Findings and Recommendations
6.1 Findings
6.2 Summary of Recommendations
6.3 Concluding Comments
Appendix A - Terms of Reference
Appendix B - Members and Government Advisor
Appendix C - Briefings to the Task Force
Appendix D - Status of Implementation of 1996 DSB Recommendations [In progress]
Appendix E - Information for Decision Superiority
DSB VOLUME II - ANNEXES
[Not available]
A - Architecture
Tab A- 1: GIG Implementation Strategy
B - Technology
C - Organization & Operations
Tab C-1: Red Team Response
Tab C-2: Questionnaire Response
D - Policy
E - Legal
F - 1996 DSB Status Matrix (what has been done/not done)
G - Recommendation Summary Spreadsheet (current report)
(recommendation/POC/time/reference page)
H - Thought Pieces ["Tab G" following in original]
Tab G-1: The Insider Threat & The Low and Slow Attack (Moonlight Maze)
Tab G-2: Data/Information/Knowledge/Understanding
Tab G-3: The Y2K Analogy Tab
Tab G-4: Oversight and Management of the GIG Executive Director
I - Reference Data
Tab I-1: CERT List
Tab I-2: IA POC List
Tab I-3: Glossary
______________________________________________________________
Figure 1. Perimeter Defense
Figure 2. Defense-in-Depth
Figure 3. The Insider Threat
Figure 4. Attacks are Growing Significantly
Figure 5. Long Haul Communications
Figure 6. Information Operations Systemic Issues
Figure 7. Joint Vision 2020
Figure 8. Joint Vision Dependencies
Figure 9. Information Needed to Prosecute the Mission
Figure 10. Current Status of 1996 DSB Recommendations
Figure 11. Current Capability
Figure 12. Vision for the Integrated Information Infrastructure
Figure 13. Global Information Grid
Figure 14. GIG IA Summary of Findings
Figure 15. Recommended Reference Model and Security Protocols
Figure 16. GIG IA Strategies
Figure 17. GIG IA Strategies Concluded
Figure 18. Uniform Defense in Depth Implementation
Figure 19. Suggested IA Functions in the Host
Figure 20. Suggested Secure Net Management
Figure 21. Suggested DoD PKI Strategy
Figure 22. Countering the Insider Threat and Providing Survivability
Figure 23. Countering Denial of Service and Enabling Attribution
Figure 24. Suggested Measures of Merit for IA
Figure 25. Suggested IA Metrics
Figure 26. Test, Evaluate, Improve IA
Figure 27. IA Indications and Warnings
Figure 28. GIG Wireless Concerns
Figure 29. DoD Tactical Wireless
Figure 30. Commercial Intelligent Network Architecture
Figure 31. Emerging Commercial Wireless
Figure 32. Cellular Wireless Architecture
Figure 33. Cellular Reference Model
Figure 34. Utilization of Countermeasures
Figure 35. GIG IA Summary
Figure 36. IO/IA/CIP Organizational Relationships
Figure 37. Information Operations Problems Space
Figure 38. Solving DIO Challenges
Figure E-1. Decision Superiority
Figure E-2. Warfighter's Information Ensemble
Figure E-3. Operational Architecture for Decision Superiority
______________________________________________________________
There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things. - Niccolo Machiavelli
In its 1996 report, the Defense Science Board (DSB) recommended that the Pentagon invest an additional $3 billion to strengthen defenses of its information networks. This report was viewed by some as unrealistic and prophetic by others, but in all cases it faced a readership with a very uneven appreciation of the effects of disruptive technology and discontinuous change. The defense establishment has increased its intellectual capital on the subject of Defensive Information Operations (DIO) considerably since 1996. However, it has yet to fully accommodate the realities of an information intensive future in its architecture, processes, and investments. Technology has continued to evolve and the problems have become much more difficult and complex. DoD must now accomplish more than anyone could have imagined in 1996. Perhaps more important is the dawning realization that incremental modifications to our existing institutions and processes will not produce the adaptation we need.
The reality seems compelling. At some future time, the United States will be attacked, not by hackers, but by a sophisticated adversary using an effective array of information warfare tools and techniques. Two choices are available: adapt before the attack or afterward. This report offers a realistic set of options to adapt before the attack.
A specific example of progress coming hand-in-hand with new vulnerabilities is the Department's embrace of Web-based technologies, which offer great flexibility and ease of operation. On the other hand, the concomitant vulnerabilities of such an approach mean that defensive measures have never been more important.
In Joint Vision 2020 (JV2020), future warfighting plans will be increasingly reliant upon high-speed interconnected information networks to identify targets, create and transmit plans, disseminate and share information, and carry out battles. This construct for the military is based on the ability to detect and track the enemy, move that information across continents, fuse it and analyze it, then decide and take action, often under very tight time constraints, sometimes within minutes. It is the protection of this information upon which this task force concentrated its efforts.
In the view of the task force, DoD is "betting the farm" on having assured information in its information networks, now collectively referred to as the Global Information Grid (GIG). The GIG is a fundamental tenet of the Department's Joint Vision 2020. Without a considerable effort to provide information assurance, such a complex system will introduce inherent, and perhaps crippling, vulnerabilities into the military force structure.
The Defense Department's networks, both non-classified and classified, as well as its tactical systems, depend on commercially available telecommunications. Rather than laying cable and launching communications satellites itself, the Defense Department leases the vast majority of those services from private industry, which tends to use the most cost-effective option rather than the most secure. Interdependencies are poorly understood and all segments of critical networks are difficult to identify. If there is a weakness in any part of the network, the effect could range from a minor annoyance to disruption of a major military operation.
Together with DoD-unique software and systems, this commercial infrastructure forms the underpinning of the GIG upon which Joint Vision 2020 depends. The GIG is being developed from legacy and new systems, growing in capability with every "node" a system engineer connects to it and becoming increasingly vulnerable. Each component's vulnerability to information operations exposes others on the grid to danger as well.
Most will now agree that the Information Operations (IO) threat is very real, and non-traditional. There are numerous examples of the damage that can be done even by simple tools. The Love Bug spread to an estimated one million computers in just five hours, far more rapidly than defenses or law enforcement could respond. Additionally, our defenses are not focused on detecting "low and slow" attacks, so it is certainly possible that such attacks have taken place. Attacks vary widely and include everything from those perpetrated by trusted insiders to remote attacks and new approaches we don't yet understand. U.S. vulnerabilities are greater than in 1996, and in excess of 20 countries already have or are developing computer attack capabilities. DOD should consider existing viruses and low level attacks to be to "real" Information Operations what early aviation was to air power.
Furthermore, DOD is vulnerable in so many other ways: there are several operating systems in use, and in excess of 700 applications -- all collectively using greater than 100 million lines of software code. Few of these have been checked for malicious code, and new hardware and software is installed virtually every day.
This task force concludes that the GIG is a weapon system and must be treated as such. The United States is in an arms race, and experience suggests that as U.S. defensive capabilities increase, so will the adversary's offense. Although the GIG is a powerful management and technical concept and a key enabler of JV2020, there is currently no security or Information Assurance (IA) architecture planned that addresses the emerging threat. The task force identified the need for the Department to develop and implement such an architecture and provides a target architecture and processes for achieving it.
The task force offers a series of recommendations for successful implementation and execution of DIO based on the concept of defense-in-depth (DiD). In other words, complex systems of systems require a variety of defenses. The good news is that some of the most important, such as improved training, coupled with updated policies and procedures, can have an immediate impact without any technical risk. Another important aspect of defense-in-depth is that it will provide some protection against an adversary's denial and deception efforts.
In order to maintain confidence in the information moving on the GIG, DOD must be assured that sources of information and a system's integrity have not been compromised. This cannot be achieved without Department-wide coherence in system design, construction, operation, and evaluation, and a commitment to the necessary investments. For example, in order to evaluate the security and effectiveness of the GIG, DOD needs to establish a distributed test bed to evaluate and improve IA and develop technical metrics of IA effectiveness. The department must be able to measure and evaluate the ability of information systems to detect an attack, react to protect themselves, and recover.
The task force found that the Department is not yet building the means to achieve and retain information superiority in the presence of a robust information warfare threat. Although substantial progress is evident in the perception of the threat, the Department has yet to implement a program of Defensive Information Operations that can underwrite the information superiority needed for success in Joint Vision 2020. Frankly, the risk of failure is high given today's capability and direction. This task force outlines recommendations that would reduce this risk significantly.
Several key recommendations center on the GIG. For example:
The Department has a set of legacy information systems and networks from which the GIG must evolve. Once the security architecture for the GIG has been established as recommended in this report, the Department should identify those legacy systems that are most mission-critical, those that are mission-essential and those that are neither. Such a prioritization was prepared in response to the Year 2000 (Y2K) software concern in DOD systems; this same approach could now be effective in setting priorities for system upgrades, vulnerability assessments and security enhancements to the evolving GIG.
Technology must be a key enabler of the GIG. For decades, sound computer and telecommunications security relied on two fundamental precepts. First, protect the perimeters, the physical environment and equipments. Secondly, protect -- by encryption -- information in transit from one security enclave to another. These precepts are still very necessary, but in the new networked world, they are no longer adequate. Today, DOD must establish a robust defense-in-depth strategy to respond to known and anticipated vulnerabilities in the Defense Information Infrastructure (DII). A critical ingredient of an effective DiD strategy will be investments in high leverage Research and Development (R&D) activities. Examples of areas that must be researched include: scalable global access control, malicious code detection and mitigation, mobile code security, fault tolerance, integrity restoration, recovery and reconstitution, and a number of other important technologies. Regarding scalable access control, Public Key Infrastructure (PKI) with Public Key Enabled (PKE) applications must be a key component of the GIG security architecture. The task force believes that current FYDP funds for incorporation of PKI/PKE must be increased by a factor of two.
Sometimes a shift in requirements will permit a shift in resources to address the new requirements. In the case of computer network defense, however, DOD must continue perimeter defense efforts and developments, and simultaneously provide additional R&D for technologies to support defense-in-depth. While there are some initiatives ongoing under the Defense Advanced Research Projects Agency's (DARPA's) Third Generation Security Initiative, this DSB task force proposes additional R&D over the FYDP (by a factor of two) to develop key technologies for Information Assurance. The task force notes that these technologies are needed by DoD whether it chooses to permit the Services to develop independent service architectures, or whether the GIG is developed as proposed in this report.
Another category of recommendations addresses readiness of systems and people. The readiness of its warfighters to accomplish their missions must be of singular importance to DoD. It is clear that a significant number of nations (more than twenty at present count) are building capabilities for conflict in a cyber world. China has made clear its intentions to use Information Operations (warfare) as an asymmetric response in any conflict with the United States. Various components of Information Operations, including psychological operations, computer network attack and computer network defense were used during the Kosovo crisis. More recently, both the Israelis and the Palestinians have used cyber attacks as an integral part of heightened conflict in the Middle East. Furthermore, those attacks have been magnified by the participation of thousands of civilians "called to cyber arms" by their colleagues. The significant vulnerabilities of the DoD Information Infrastructure, coupled with known and expected capabilities of our potential adversaries to assault the DII, raises serious questions about DoD readiness to conduct Defensive Operations. It is the view of the task force that DoD cannot today defend itself from an Information Operations attack by a sophisticated, nation state adversary.
Further, the task force found that DIO is not adequately integrated into mission planning and execution within the Services and the Unified and Specified Commands. Therefore, the Secretary of Defense (SecDef), through the Chairman of the Joint Chiefs, should issue specific guidance to make DIO a key element of all military planning and operations, and fold that process into the Joint Military Readiness Reporting system. To address the finding that the DoD is not moving fast enough to identify its private sector dependencies and vulnerabilities, the Joint Program Office (JPO), Dahlgren, Virginia should be chartered and resourced to assist local commanders in identifying and assessing key infrastructure dependencies and vulnerabilities.
The necessity of Red Teams to provide a world-class threat evaluation of our defensive capabilities is worthy of special emphasis. During the past three and one-half years, the National Security Agency (NSA) Red Teams have conducted 37 assaults on DoD networks, 99% of which were undetected even though the attacks used tools known by the network operators to exist. Thirty-seven attacks in three and one-half years hardly represents the level of effort envisioned in the 1996 DSB task force recommendations. The Task Force urges that dramatically more effort be placed in this critical area. One approach would be to use the processes which worked well in the Department's Y2K remediation efforts. Categorizing networks and systems as mission-critical, mission-essential, or otherwise, as was done for Y2K, could help prioritize DoD's assessment efforts. For example, if DoD concluded that it had 500 mission critical systems, and that an assessment must be made on each of those every other year, it would be possible to conduct 100 of those assessments by Red Team and 400 of them by Vulnerability Assessments. Thus, DoD's Red Teams would need to be increased five-fold (roughly ten per year with existing resources, and fifty per year needed to meet the new goals) to implement the new program. The task force believes the SecDef should formalize and empower DIO Red Teaming throughout DoD by expanding the number, scope and frequency of assessments, specifically including the development and application of three distinct levels of assessments: Red Teams, Vulnerability Evaluations and Vulnerability Assessments. Vulnerability Evaluation and Vulnerability Assessment teams could be augmented using outsourced resources to implement these programs relatively quickly.
The task force also addressed the human resources problem and found that the DoD shortage of IT professionals is serious and growing. People will continue to be both the principal source of strength in Information Operations, and DoD's greatest potential vulnerability. In highly networked environments, the risk assumed by one is imposed upon many -- with the potential for damage, disruption, denial or corruption of the DII. DoD has over 2,000,000 users on 10,000 networks, managed by 100,000 - 125,000 systems administrators. (No one is certain how many there actually are.) These dynamics raise several issues for DoD about acquiring and retaining skilled staff and operating the DII, while simultaneously preserving the security, integrity and readiness of the Information Infrastructure. In large part, these personnel issues highlighted in the 1996 DSB report remain, and in fact have become more severe in light of the dramatic increase in networked communications and computers with the attendant shared risk and vulnerabilities.
Recommendations for more aggressive recruitment and proficiency pay, as well as training programs, are suggested to redress the shortage of IT professionals. The Department has the authority to provide proficiency pay to IT professionals but has not used it. Given a current shortage of over 800,000 IT professionals in the United States alone, the DoD must pull out all of the stops to acquire and retain key IT staff. Furthermore, a comprehensive program which provides career paths for IT professionals, coupled with outsourcing where feasible, and an innovative program to attract high school graduates into DoD to become systems administrators in exchange for world class training, are all necessary to provide DoD the cadre of IT professionals needed to man and operate the DII.
Insiders are DoD's first line of defense and also potentially the most dangerous cyber threat. The task force believes that the DepSecDef should mandate an innovative and effective security program for critical IT professionals to mitigate this threat. Over 100,000 systems administrators provide a diverse and broad opportunity for our potential adversaries to find a weak link, possibly someone susceptible to blackmail or coercion. Additionally, a disgruntled systems administrator could, with high knowledge of internal computer and communications processes, cause very serious damage to the DII at the time most likely to inhibit DoD's ability to achieve its objectives.
The task force found that the DoD workforce at all levels is ill-prepared to execute the DIO mission because training efforts are fragmented, inadequately scoped, and poorly documented. Hence, the SecDef and Military Departments, among others, should establish policy to develop and implement formal Education, Training and Awareness (ETA) programs for DIO throughout DoD.
The task force addressed several policy and legal issues associated with DIO as well. Some of these issues cannot be meaningfully addressed solely within DoD, even though DoD will be affected by the outcome of the debate surrounding them. The task force divided the issues into sets including:
Because so much of military infrastructure is also the civil infrastructure, the DoD, and in fact the nation, needs a national coordinator for Defensive Information Operations. Currently, there is a National Coordinator for Infrastructure Assurance and Counter-terrorism, but his office can do little beyond encourage cooperation. In a major crisis or attack on our critical infrastructures, decision-makers would quickly find that authorities to act and control resources are spread widely throughout government. A truly effective crisis response and proactive defense will require more coherence and concentration of authority. An individual with such authority does not necessarily have to reside within the country's national security apparatus but will have to tap into it through the National Security Council when necessary.
This DSB Task Force report provides a series of recommendations necessary for the successful implementation, execution, and protection of the Defense Information Infrastructure. The recommendations are presented in sections relating to: the implementation of an architecture consistent with the goals of Joint Vision 2010/2020, Research and Development of crucial technologies, Readiness of DoD forces, and Policy and Legal initiatives. While there is no hierarchy implicit in these four topics, recommendations pertaining to some will be easier and less costly. Others, like the architecture, will have the greatest impact, take the most time, and be the most expensive. Even so, it is only the successful integration of all of the recommendations that will provide the DoD with the Information Infrastructure needed to achieve the goals of JV2020.
Now is the time to make some hard decisions and invest the required significant resources. Successful information-intensive industries have shown us the way to embrace change. But the DoD challenge is more difficult: not only to embrace change, but also to build trust and security to a degree no business could afford. Like any other weapons system, if we design defenses today, as the GIG is becoming a reality, it will be expensive, but possible. If the Department waits, it will be impossible at any cost.
On the surface, this might seem simply an endorsement of the current DoD GIG architecture. It is much more. Several years ago the DSB adopted and built upon work of the Army Science Board regarding a Joint Technical Architecture. Several DSB reports have now reiterated the clear need for DoD to adopt and enforce an architecture across DoD which would ensure that the systems built by the Services would be fully interoperable and secure. Newly identified critical needs for Information Assurance, coupled with DoD's new JV2020, require that the GIG be developed and operated like the critical weapons system it must become.
______________________________________________________________
"The dogmas of the quiet past are inadequate to the stormy present. The occasion is piled high with difficulty, and we must rise with the occasion. As our case is new, so we must think anew and act anew. " - Abraham Lincoln
In 1996, the Defense Science Board (DSB) completed a study of information warfare defense. In that study, the task force argued for greater DoD focus on the emerging information warfare threat and for specific changes in investment, organization and policy. The 1996 task force recommended that the Pentagon invest an additional $3 billion to strengthen defenses of its information networks. The Department accepted a number of the suggestions made by the 1996 task force, but technology has continued to evolve and significant investment shortfalls persist. With the Department's embrace of Web-based technologies, defensive information operations (DIO) are even more vital now than they were four years ago. The attached report and the supporting volume display today's state of affairs in defensive information operations and offer timely recommendations to meet current DIO needs.1
____________________
1 As defined by Defense Department Instruction 3600.1, Defensive Information Operations includes a broad range of issues such as operations security, electronic warfare countermeasures, counter-deception, counter-propaganda, counter-intelligence, computer-network defense, etc. During the initial sessions of this DSB task force, it was agreed that the principal focus of its deliberations would be on information assurance and computer network defense.
The terms of reference for this DSB task force are found in Appendix A. The task force was requested to accomplish two goals:
1. Evaluate the Department's response to the 1996 DSB task force on information warfare defense, to include:
- What is the status of action on the recommendations?
- Where there are shortfalls, what are the barriers to action and what should be done?
- What important aspects did the 1996 task force miss that should have been addressed?
- What recommendations of other important reports that have addressed information assurance issues should the Department consider?
2. Determine:
- Adequacy of the process toward the information assurance goals needed to carry out Joint Vision 2020.
- Adequacy of the Department's readiness to project and sustain power in the face of information warfare attacks.
- The appropriate role(s) and capability of DoD to provide information assurance in support of Homeland Defense and of Critical Infrastructure Protection.
- Recommendations for research and development that are uniquely in DoD's interest, and thus not likely to be accomplished by the private sector in the time required to meet DoD's defensive information operations objectives.
- Areas in which DoD should seek strong partnering relationships outside DoD, such as with the Critical Infrastructure Assurance Office (CIAO).
The American homeland is becoming increasingly vulnerable to non-traditional attack, including information warfare or information operations (IO), the focus of this report. Rapid advances in technology have created, and will continue to create, new vulnerabilities and challenges to U.S. security. Within DoD alone, there are several operating systems and over 700 different software applications comprising between 50 and 100 million lines of code. New commercial-off-the-shelf (COTS) applications are implemented every day, and although some positive testing is performed to determine whether the software does what it is supposed to do, virtually no negative testing is done to determine what unanticipated capabilities may be embedded in the software. Compound this situation with Murphy's Law, natural events, inadequate configuration controls, and general system fragility, and one realizes the vulnerability of the systems upon which DoD depends today.
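The positive/negative testing distinction above is easy to state and rarely practised, so an added worked example follows. It is not code from the report: the component, its documented contract and the seed inputs are all constructed for illustration. A toy parser checks only what its author thought to check; a positive test suite built from the specification passes, while a negative test harness that mutates valid inputs and compares the component against an independent statement of its contract surfaces the behaviours nobody specified (silent key override, oversized values, control and non-ASCII bytes accepted).

```python
"""Positive vs. negative testing of an acquired input-handling component.

Constructed example, not code from the DSB report.  parse_record() stands in
for a COTS component whose documented contract is: ASCII input; fields of the
form key=value separated by ';'; keys are 1-16 letters and unique; values are
at most 64 printable characters; anything else raises ValueError.
positive_tests() checks that it does what it should.  negative_tests() asks
what else it does, by mutating valid inputs and comparing the component with
an independent oracle of the contract.
"""
import random
import string

MAX_KEY, MAX_VALUE = 16, 64
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def parse_record(data: bytes) -> dict:
    """Component under test.  It validates only key syntax; value length,
    character set, input encoding and duplicate keys are never examined
    (deliberately, so the negative tests have something to find)."""
    text = data.decode("latin-1")            # never fails: non-ASCII slips through
    record = {}
    for field in text.split(";"):
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep or not key.isalpha() or len(key) > MAX_KEY:
            raise ValueError(f"bad field: {field!r}")
        record[key] = value                  # a repeated key silently overrides
    return record


def contract_allows(data: bytes) -> bool:
    """Independent oracle for the documented contract."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    seen = set()
    for field in text.split(";"):
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep or not 1 <= len(key) <= MAX_KEY or key in seen:
            return False
        if any(c not in string.ascii_letters for c in key):
            return False
        if len(value) > MAX_VALUE or any(c not in PRINTABLE for c in value):
            return False
        seen.add(key)
    return True


def positive_tests(parser) -> bool:
    """Specification-driven cases: the testing the report says is done."""
    good = {b"user=alice;role=ops": {"user": "alice", "role": "ops"},
            b"k=": {"k": ""}, b"": {}}
    if not all(parser(d) == want for d, want in good.items()):
        return False
    for bad in (b"=novalue", b"9lives=cat", b"abcdefghijklmnopq=x"):
        try:
            parser(bad)
            return False                     # should have raised
        except ValueError:
            pass
    return True


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random malformation of a valid input."""
    i = rng.randrange(len(data))
    kind = rng.randrange(6)
    if kind == 0:
        return data[:max(1, i)]                                              # truncate
    if kind == 1:
        return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]  # bit flip
    if kind == 2:
        return data[:i] + bytes([rng.choice([0, 9, 10, 13, 0x7F])]) + data[i:]  # control byte
    if kind == 3:
        return data + b";" + data                                            # duplicate keys
    if kind == 4:
        return data + b";pad=" + b"A" * (MAX_VALUE * 4)                      # oversized value
    return data[:i] + bytes([rng.randrange(0x80, 0x100)]) + data[i:]         # non-ASCII byte


def negative_tests(parser, seeds, rounds=500, seed=1) -> dict:
    """Mutate the seeds and classify every disagreement with the contract."""
    rng = random.Random(seed)
    findings = {"crashed": [], "accepted_invalid": [], "rejected_valid": []}
    for _ in range(rounds):
        data = mutate(rng, rng.choice(seeds))
        allowed = contract_allows(data)
        try:
            parser(data)
            accepted = True
        except ValueError:
            accepted = False
        except Exception as exc:             # anything else is outside the contract
            findings["crashed"].append((data, type(exc).__name__))
            continue
        if accepted and not allowed:
            findings["accepted_invalid"].append(data)
        elif allowed and not accepted:
            findings["rejected_valid"].append(data)
    return findings


SEEDS = [b"user=alice;role=ops", b"host=relay;port=8443;mode=tcp", b"k=v"]

if __name__ == "__main__":
    print("positive tests pass:", positive_tests(parse_record))
    for category, items in negative_tests(parse_record, SEEDS).items():
        print(f"{category}: {len(items)}", items[:3])
```

Run stand-alone, the positive suite reports success while the negative run fills the "accepted_invalid" bucket: every finding is an input the contract forbids that the component nevertheless processes. The oracle is written from the specification without reference to the component; that independence is what turns a fuzzer into a negative test rather than a crash hunt.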
Recent studies by both the General Accounting Office (GAO) and the Computer Security Institute found that the number of cyber security threats to both the government and the private sector is on the rise. The damage, both to physical infrastructures and to the psychological health of U.S. institutions, that could be caused by a successful attack could prove immense, and the Department of Defense is not exempt from this danger. Examples of this threat are listed below:
The Department is facing this non-traditional threat daily. The threat ranges from attacks by nation-states to attacks by groups of transnational actors and individuals. The task force finds that this threat is changing at a rate faster than that at which the Department is responding. In fact, there is a belief that the Department is not in a position to know when and to what extent its information systems have been attacked. The low and slow attack typically displays the following characteristics:
There is a growing lack of confidence in the information network as well as in the integrity of the data contained therein. The information warfare threat applies to systems within and outside the borders of the United States. A perimeter defense philosophy is currently the predominant solution across DoD. The problem with this approach is that it leads to a strategy of risk avoidance rather than risk management. Perimeter defense does not equal defense-in-depth, as illustrated in Figure 1. Perimeter defense relies on an outer "barrier" that is intended to prevent unauthorized access to a network (top left Figure 1). Once the "barrier" is in place, authorized users must be given access - usually through passwords or other identifiers (top right Figure 1). As work progresses, secondary users are often identified and granted access on a temporary basis, or restricted to specific levels of data (bottom left Figure 1). Finally, due to operational need and "convenience" still others are granted access (bottom right Figure 1). The end result is a network that started out with the expectation of security, and ended up with no clear idea of who is really in the network. This "Swiss Cheese Effect" is a nightmare for network security personnel, as intruders gain access through stolen passwords, backdoors, data manipulation, and corruption of the system. In this regard, it is noteworthy that DoD has authorized over 100 "legitimate" accesses into the SIPRNET from the Non Secure Internet Protocol Router Network (NIPRNET).
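The access accumulation described above can be made visible by recertifying the grant ledger against a clock and an approved-sponsor list. What follows is an added example, not material from the report; the ledger, the user names and the sponsor list are constructed. It reports the set of users who can actually authenticate today and the grants the perimeter model does not see: temporary access past its expiry but never revoked, access sponsored by someone who is not an approved sponsor or whose own access has lapsed, and grants recorded with no justification.

```python
"""Recertification of an access-grant ledger.

Constructed example (not part of the DSB report): the ledger, users and
sponsor list are invented.  audit_grants() answers "who is really in the
network today?" and lists the grants that accumulated outside the original
approval model.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    user: str
    sponsor: str                  # who approved the access
    reason: str                   # justification recorded at grant time ("" if none)
    granted: date
    expires: Optional[date]       # None means permanent
    revoked: Optional[date] = None


# Constructed ledger, in the order the "Swiss cheese" grows: primary users,
# a time-limited contractor, an auditor (properly revoked), a grant the
# contractor sponsored, and a convenience grant with no justification.
LEDGER = [
    Grant("alice", "cio",   "core admin",        date(2000, 1, 10), None),
    Grant("bob",   "cio",   "network ops",       date(2000, 2, 1),  None),
    Grant("carol", "alice", "contract dev, 90d", date(2000, 6, 1),  date(2000, 8, 30)),
    Grant("dave",  "bob",   "audit support",     date(2000, 9, 15), date(2000, 10, 15),
          revoked=date(2000, 10, 14)),
    Grant("erin",  "carol", "",                  date(2000, 8, 20), None),
    Grant("frank", "alice", "",                  date(2000, 11, 2), date(2001, 1, 2)),
]
APPROVED_SPONSORS = {"cio", "alice", "bob"}
AUDIT_DATE = date(2001, 3, 1)   # the "today" used in the stand-alone run


def is_active(g: Grant, today: date) -> bool:
    """Can the account still authenticate?  Only revocation closes it;
    an expiry date that nobody acted on does not."""
    return g.revoked is None or g.revoked > today


def lapsed(g: Grant, today: date) -> bool:
    """The grant should no longer confer access (expired or revoked)."""
    return (not is_active(g, today)) or (g.expires is not None and g.expires < today)


def audit_grants(ledger, approved_sponsors, today):
    """Return (users present today, findings by category)."""
    by_user = {g.user: g for g in ledger}    # assumption: one grant per user
    findings = {"expired_not_revoked": [], "unapproved_sponsor": [],
                "sponsor_lapsed": [], "no_justification": []}
    present = set()
    for g in ledger:
        if not is_active(g, today):
            continue
        present.add(g.user)
        if g.expires is not None and g.expires < today:
            findings["expired_not_revoked"].append(g.user)
        if g.sponsor not in approved_sponsors:
            findings["unapproved_sponsor"].append(g.user)
        sponsor = by_user.get(g.sponsor)      # None for a root authority such as "cio"
        if sponsor is not None and lapsed(sponsor, today):
            findings["sponsor_lapsed"].append(g.user)
        if not g.reason.strip():
            findings["no_justification"].append(g.user)
    return present, findings


if __name__ == "__main__":
    present, findings = audit_grants(LEDGER, APPROVED_SPONSORS, AUDIT_DATE)
    print("accounts that can log in today:", sorted(present))
    for category, users in findings.items():
        print(f"{category}: {users}")
```

On the constructed ledger the audit finds five of six accounts still able to log in, against the two that the original approval model (sponsor "cio") ever contemplated; the difference is the "Swiss cheese". The check is cheap because the ledger records sponsor, reason and expiry at grant time; where those fields were never captured, the audit cannot be run afterwards, which is the practical argument for capturing them.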
Figure 1. Perimeter Defense
Defense-in-depth uses a layered approach, with multiple firewalls, intrusion detection devices, and network security tools (see Figure 2). As intrusions are detected, intruders can be shut down, denied further access, tracked for future legal action, and/or counterattacked. The tolerance level, demonstrated by the left-most layer of Figure 2, represents those intrusions that may be unavoidable - often the insider threat. These are threats that must be managed. Consequence management requires back-up systems, redundancy, heightened awareness, integrity restoration, and recovery and reconstitution. These are the keys to graceful degradation rather than catastrophic failure.
Figure 2. Defense in Depth
The potentially devastating impact of the insider threat warrants specific attention. As an example, there are currently between 100,000 and 125,000 system administrators in DoD alone. Consider the access these individuals have, making them the ultimate insiders, and making personnel reliability a critical factor. The Gartner Group published a report in October 1999, entitled "Information Security Hits the Front Page: How Safe Is Safe Enough?" One highly emphasized point throughout the report was the danger and likelihood of the insider threat. Figure 3 illustrates the group's conclusions.
Figure 3. The Insider Threat
A person with low technical literacy and low internal knowledge is an insignificant threat (bottom right Figure 3). A person with high technical literacy and low internal knowledge can be a bother (demonized) but is insignificant (top right Figure 3). However, a person with low technical literacy and high internal knowledge (the "dumb" insider) is a significant threat (bottom left Figure 3). Finally, a person with high technical literacy and high internal knowledge (the "smart" insider) is the greatest threat (top left Figure 3). These insiders are potentially the most damaging threat, and the hardest to detect.
Finally, the threat pertains to information systems under the ownership of the U.S. Government as well as many that are not under such ownership but are critical to military success. This critical dependency implies that attacks on the commercial infrastructure may have significant impact on operations within DoD. The incidence of attacks is growing significantly in both areas, as illustrated in Figure 4.
Figure 4. Attacks are Growing Significantly
The United States has thus far been fortunate not to have been attacked in such a way that its ability to plan, mobilize, deploy, and execute military operations in a crisis has been impaired. However, the use of Information Operations (IO) by both sides during the Kosovo campaign and the more recent use of IO by the parties in the Mideast conflict provide insight into the broad spectrum of IO tools and techniques that are evolving. An October 26, 2000 article in the Washington Post makes the point:
"What distinguishes this cyber-conflict from past ones, such as last year's Kosovo war, is that it is not exclusively, or even mainly, a cat-and-mouse game of highly specialized hackers attempting to play havoc with one another's sites.Thousands of Israeli and Arab youngsters apparently have also joined in the contest, sending the other side nasty, racist, and occasionally pornographic & mails and, within their own camps, circulating Web site addresses with simple instructions for how to ping, zap, and crash the enemy's electronic fortress.
One aspect of cyber warfare we did not consider in previous discussions of Strategic Cyber Defense was its ability to empower the average citizen as a warrior. Much as the Internet has truly enabled freedom of speech, it has extended the military fighting force to every citizen with a computer. Now, just as the revolutionary war military consisted of every able-bodied male citizen who owned a gun, the Cyber Military may come to be seen as every able-minded citizen who owns a computer. (A true transition of the military to the information age?)"
Figure 5. Long Haul Communications
At the same time as the number of our potential adversaries has increased, so has the vulnerability of Defense Department systems increased, in substantial measure the result of increased reliance on the private sector. More than 90% of DoD military communications ride on the commercial telecommunications backbone. DoD should not assume that the global commercial services on which it depends will be available, particularly if subjected to a technically advanced Information Operations threat, sponsored and empowered by a nation-state. "The Defense Department has more than 25,000 computer networks that handle everything from weapons systems command and control to inventory to payroll. Roughly 11% of Defense Department networks, such as satellite links, are considered mission- critical."2
____________________
2 Network World, 1/15/01
In many circles within the U.S. defense and broader international security community, the term Information Operations is increasingly being used to encompass a far greater set of information-age "warfare" concepts than was attributed to it in the past. These emerging new warfare concepts are directly tied to the prospect that the ongoing rapid evolution of cyberspace, the global information infrastructure, could bring both new opportunities and new vulnerabilities. At least one of these vulnerabilities is the prospect that the information revolution could put at risk high-value national assets outside the traditional battle space boundaries, very possibly inside the continental United States. This possibility will affect U.S. national security strategy, and thus U.S. military strategy. Assets that are critical to the conduct of military operations could also be put at risk, compounding this problem.
The spectrum of IO spans from peace, to crisis, to hostilities, and back to peace, and has characteristic actions and effects at the strategic, operational, and tactical levels. Many systemic issues arise when addressing this subject, as shown in Figure 6.
Figure 6. Information Operations Systemic Issues
Information Operations responsibilities cross the boundaries between DoD and non-DoD entities, and complicate the issues of authority, supervision, hand-off, response, and coordination. The task force addressed these issue areas in categories including policy, legal, organization, operations, technologies, architectures, and information assurance.
The concept of Strategic Information Operations warrants further identification and definition. In essence, this is the intersection of evolving information warfare and post-cold war "strategic warfare" concepts, and warrants special recognition and attention as a legitimate new facet of warfare, one with profound implications for both U.S. military as well as overall U.S. national security strategy and policy.
A fundamental aspect of Strategic Information Operations is that there is no front line. Strategic targets in the United States may be just as vulnerable to attack as in-theater command, control, communications, and intelligence targets. As a result there exists a need for broadening strategic understanding beyond the single traditional regional theater of operations to four distinct theaters of operation: 1) the battlefield, 2) the allied or regional zone of the interior, 3) the intercontinental zone of communication and deployment, and 4) the U.S. zone of the interior.
The post-cold war "over there" focus contained in the persistent emphasis on the regional component of U.S. military strategy has been rendered incomplete and is of declining relevance to the likely future international strategic environment. When responding to information warfare attacks of this character, military strategy can no longer afford to focus on conducting and supporting operations only in a region of concern. These changing concepts will, and should, drive DoD's concepts for Defense Information Operations.
What are the basic features of Strategic Information Operations as best understood today? The following represent a synthesis of observations about these basic features. There is, most definitely, a cascading effect inherent in these observations; each helps to create the enabling conditions for subsequent ones.
Low Entry Cost: Interconnected networks may be subject to attack and disruption not just by states but also by non-state actors, including dispersed groups and even individuals. Potential adversaries could also possess a wide range of capabilities. Thus, the threat to U.S. interests could be multiplied substantially and will continue to change as more complex systems are developed and requisite expertise is more widely diffused.
Cyber attacks have moved beyond the domain of the mischievous teenager and are now being learned and used by terrorist organizations as the latest weapon in a nation's arsenal. In June 1998 and February 1999, the Director of the Central Intelligence Agency testified before Congress that several terrorist organizations believed information warfare to be a low-cost opportunity to support their causes. Both Presidential Decision Directive 63 (PDD-63), issued in May 1998, and the President's National Plan for Information Systems Protection, version 1.0, issued in January 2000, call on the legislative branch to build the necessary framework to encourage information sharing to address cyber security threats to our nation's privately held critical infrastructure.3
____________________
3 Statement of Representative Tom Davis on the Introduction of The Cyber Security Information Act of 2000, April 12, 2000.
Effective attribution and swift response to attacks would nullify the appeal of the low cost of entry by making the chances of "getting caught" much higher. Perceived increased risk by the attacker should be an added deterrent to preventing information warfare attacks.
Blurred Traditional Boundaries: Given the wide array of possible opponents, weapons, and strategies, it becomes increasingly difficult to distinguish between foreign and domestic sources of information warfare threats and actions. It may not be known who is under attack by whom, or who is in charge of the attack. This greatly complicates the traditional role distinction between domestic law enforcement, on the one hand, and national security and intelligence entities on the other.
Not only are borders becoming more porous, but they are also increasingly irrelevant in cyberspace. According to a long-time Central Intelligence Agency (CIA) operative and Federal Bureau of Investigation (FBI) consultant, "globalization and technology were lowering traditional boundaries between what constitutes an international or domestic threat, and terrorists, drug cartels, spies, and hackers were all leaping those boundaries with impunity."4
____________________
4 John McGaffin, in Covert Attack, by James Kitfield, National Journal, September 16, 2000 p. 2858.
Expanded Role For Perception Management: Opportunities for information warfare agents to manipulate information that is essential to public perceptions may increase. For example, political action groups and other non-government organizations can use the Internet to galvanize political support, as the Zapatistas in Chiapas, Mexico, were able to do. Furthermore, the possibility arises that the very "facts" of an event can be manipulated via multimedia techniques and widely disseminated. Conversely, there may be decreased capability to build and maintain domestic support for controversial political actions. One clear implication is that future U.S. administrations may include a robust Internet component as part of any public information campaign.
Lack Of Strategic Intelligence: For a variety of reasons, traditional intelligence gathering and analysis methods will be of limited use in meeting the Strategic Information Operations challenge. Collection targets will be difficult to identify using existing national technical means; allocation of intelligence resources will be difficult because of the rapidly changing nature of the threat; and vulnerabilities as well as target sets will not be well understood. In sum, the United States may have great difficulty identifying potential adversaries, their intentions, and their capabilities.
Difficulty Of Tactical Warning And Attack Assessment: Warning and attack characterization/assessment involving information warfare presents fundamentally new problems in a cyberspace environment. A basic problem exists: distinguishing between attacks and other events such as accidents, system failures, or hacking by thrill-seekers. This challenge is exacerbated by the speed of events in cyberspace. The main consequence of this feature is that the United States may not know when an attack is underway, who is attacking, or how the attack is being conducted.
Difficulty With Building And Sustaining Coalitions: Many allies and coalition partners will be vulnerable to information warfare attacks on their core information infrastructures. For example, the dependence on cellular phones in developing countries could well render telephone communications in those nations highly susceptible to disruption or deception. Other sectors in the early stages of exploiting the information revolution, such as the energy or financial sectors, may also present vulnerabilities that an adversary might attack to undermine coalition participation. Such attacks might also serve to sever weak links in the execution of coalition plans.
Vulnerability of the United States Homeland: As stated earlier, information warfare has no front line. Potential battlefields are anywhere networked systems allow access. Current trends suggest that the United States economy will rely on increasingly complex, interconnected network control systems for such necessities as oil and gas distribution management, electric grids, telephone service, air traffic control and much, much more. The vulnerability of these systems is currently poorly understood. This lack of understanding and recognition inhibits a thorough assessment of the vulnerabilities that may exist in both the technology-driven control systems and in the fiscal marketing processes that can directly impact energy distribution systems. In addition, the means of deterrence and retaliation are uncertain and may rely on traditional military instruments in addition to information warfare threats. In summary, the United States homeland may no longer provide a sanctuary from outside attack.
The Department has outlined a vision of the future -- Joint Vision 2020 (JV2020). JV2020 builds upon and extends the conceptual template established by Joint Vision 2010, which guides the continuing transformation of America's Armed Forces.
The primary purpose of those forces has been and will be to fight and win the nation's wars. The overall goal of the transformation described in JV2020 is the creation of a force that is dominant across the full spectrum of military operations -- persuasive in peace, decisive in war, preeminent in any form of conflict. The overarching focus of this vision is still spectrum dominance -- achieved through the interdependent application of dominant maneuver, precision engagement, focused logistics, and full dimensional protection (see Figure 7).
Figure 7. Joint Vision 2020
The evolution of these elements over the next two decades will be strongly influenced by two factors. First, the continued development and proliferation of information technologies will substantially change the conduct of military operations. These changes in the information environment make information superiority a key enabler of the transformation of the operational capabilities of the joint force and the evolution of joint command and control. Second, the U.S. Armed Forces will continue to rely on a capacity for intellectual and technical innovation. The pace of technological change, especially as it fuels changes in the strategic environment, will place a premium on our ability to foster innovation in our people and organizations across the entire range of joint operations. The overall vision of the capabilities required in 2020, as introduced above, rests on the assessment of the strategic context in which U.S. forces will operate.
Information, information processing, and communications networks are at the core of every military activity. Throughout history, military leaders have regarded information superiority as a key enabler of victory. However, the ongoing "information revolution" is creating not only a quantitative, but also a qualitative change in the information environment that by 2020 will result in profound changes in the conduct of military operations. In fact, advances in information capabilities are proceeding so rapidly that there is a risk of outstripping our ability to capture ideas, formulate operational concepts, and develop the capacity to assess results.
The ability to achieve information superiority is a pacing item in realizing the goals of Joint Vision 2020. The inadequacies of current service information infrastructures prevent commanders from realizing the full benefit of the current family of intelligence, surveillance, and reconnaissance (ISR) systems -- space-based, airborne, or surface -- much less profiting from advances in sensors and weapons. Because of uncertainties regarding the availability of crucial information when needed, commanders are driven to develop unique, local-only Reconnaissance, Surveillance, and Target Acquisition (RSTA) systems. Overall, this tendency has resulted in redundant investment in, and proliferation of, "stovepipe" communication and sensor systems. As shown below, there are many interdependencies among force elements, with information systems being the glue that holds such elements together (Figure 8).
Figure 8. Joint Vision Dependencies
Increasingly, the Armed Forces are shifting to an operational concept wherein surveillance and targeting sensors are separated physically from the command node location, which in turn may be remote from the weapons launch platform. In the case of air platforms, for example, no longer will the sensors, commander (pilot), and weapons necessarily be collocated in a single aircraft. Further, third party targeting data sources and weapons magazines are proliferating. Examples of this evolving trend appear in such concepts as forward pass, cooperative engagement capabilities (CEC), the arsenal ship, and the transfer of tactical situation data derived from a variety of off-board sources directly into cockpits.
This evolution promises major improvements in the tactical flexibility and combat effectiveness of forces. The realization of this promise is not without challenges, however. The operational concept is inhibited by the inadequacy of the traditional military communication and information-services infrastructure as well as continuing interoperability problems between military services and between such systems within a given Service.
Information superiority has qualitative and quantitative aspects, as the experience of the United States and its North Atlantic Treaty Organization (NATO) allies in the recent Kosovo engagement showed. During those operations, the United States maintained a substantial information advantage over Serbia. Yet the successful prosecution of the mission appeared hampered in several respects: the ability of the Serbian forces to operate within NATO's observe, orient, decide, act (OODA) loop, and the ability of the Serbian forces to hide and protect their tactical field forces from NATO bombing.
This experience raises the question of whether information superiority as defined relative to the adversary is adequate. Instead, a different threshold of information appears to be needed -- one based upon the rules of engagement used and other external constraints such as the unwillingness to accept any U.S. or allied casualties. Additional constraints, such as weapons and tactics, impose a further increase in the required information. Thus the information required for the United States to successfully prosecute a mission can be much greater than the information needed by the adversary. This concept is demonstrated in Figure 9. As illustrated, the United States may have tremendous superiority over the adversary in information, yet still not meet the level required to execute the mission. The adversary operating with a different objective and rules may be able to counter the U.S. initiative with far less information at its disposal.
Figure 9. Information Needed to Prosecute the Mission
Since JV2020 is the driver for emerging technologies, capabilities, and operational concepts shaping defense capabilities in the 21st century, this task force raises several overarching questions:
If the nation actually requires DoD to achieve its military objectives at a specific time and place, the cost will be very high to assure success. The Department must design the force structures to include those information systems and networks essential for success, and such information and capabilities must withstand an attack by a creative adversary.
1.5.1 Status of the 1996 DSB recommendations
Figure 10 below summarizes the status of implementation by the DoD of the recommendations made by the DSB in its 1996 study. A more detailed portrayal of the current status is found in Appendix D. In most cases, though the understanding of the problem is greater now, the goal post has moved substantially since the 1996 report and there is a need for greater attention and investment. Color Codes are "stop light" assessments:
Green = Substantial progress
Yellow = Some progress - but much remains to be accomplished
Red = Inadequate progress - serious shortfalls
Current Status of 1996 DSB Recommendations

| 1996 Recommendation | Current Status | Remarks |
|---|---|---|
| 1. Designate an accountable IW focal point | GREEN | ASD(C3I) designated as focal point (with many other organizations formed since then). Funding has been added, but not at the level recommended in the 1996 report (less than half). |
| 2. Organize for IW-D | YELLOW | Initial effort was the set-up of NSIRC, JTF-CND, GNOSC, DoD CERT (with minimal/insufficient funding). The recommendation was for plus-ups averaging $50M per year across a range of areas. Actual funding has been in the range of $2M per year across the same areas. CINCSPACE funding for the CND mission is lagging two years behind assumption of the mission. DoD Red Team not yet formed or funded. |
| 3. Increase awareness | YELLOW | Former DEPSECDEF was a strong proponent; Eligible Receiver raised awareness. Funding is still approximately 1/10th of what was recommended in 1996. |
| 4. Assess infrastructure dependencies and vulnerabilities | RED | CIP analyses and assessments are a beginning. Funding is approximately 1/10th of what was recommended in 1996. JPO funding cuts have resulted in downsizing that activity, directly affecting the study to determine key sites for future assessment. Dependencies and vulnerabilities have grown dramatically. |
| 5. Define threat conditions and responses | YELLOW | Definition of INFOCONs provided a good start. Revisions to CJCSM 6510.01 are still pending. |
| 6. Assess IW-D readiness | RED | CJCSI 6510.04 (IA Readiness Metrics) issued 15 May 2000. Not yet enforced or included in monthly readiness reporting. IW-D (now DIO) yet to be operationalized in DoD. |
| 7. Raise the bar with high-payoff, low-cost items | YELLOW | PKI is a very positive step (the PKE bill may hinder actual employment). Detection of the insider threat should be a high priority. As much as $500 million above the FYDP is needed. |
| 8. Establish and maintain a minimum essential information infrastructure | RED | Y2K provided a unique opportunity for assessment and for information sharing, but DoD still does not have a clear picture of what comprises a minimum essential information capability. The restoration process is also an issue: it is understood by the communications community, but not carried over to the IT community. No significant funding has been applied to this area (the 1996 report recommended a $100M per year effort). |
| 9. Focus the R&D | YELLOW | Primary efforts are in NSA-IA and DARPA (although the majority of the money goes to pay salaries). Existing R&D is focused on perimeter defense technologies. Substantial additional R&D funds are required. |
| 10. Staff for success | YELLOW | IA Mobile Training Teams, training and certifications are on the rise. Funding remains less than half of what was recommended. Retention of trained individuals is also a major issue. |
| 11. Resolve the legal issues | RED | Legal issues remain unresolved and significant. |
| 12. Participate fully in critical infrastructure protection | YELLOW | The understanding of what constitutes CIP is much broader today than it was five years ago. There is still much work to do in identifying key information, the infrastructure that passes it, and the true vulnerabilities that exist. |
| 13. Provide the resources | RED | Bottom line: the money is not there, and asking the Services to take it out of hide will not work. |
Figure 10. Current Status of 1996 DSB Recommendations
1.5.2 Findings Regarding Current Capability
Figure 11 shows this task force's assessment of the current capability of the United States and its military in the five critical capabilities needed for effective Defensive Information Operations.
Figure 11. Current Capability
This figure illustrates that significant research and development remains to be funded and executed to achieve minimal capabilities to detect, protect, respond and reconstitute Department of Defense networked systems.
This DSB task force identified a series of issues that are crucial to understanding the Department of Defense posture for Defensive Information Operations. They include:
This task force believes the Department and the nation must do more. The discussion that follows outlines specific recommendations in this regard. Chapter Two looks at the needed architecture, while Chapter Three addresses necessary technologies to achieve effective information assurance. Chapters Four and Five focus on issues related to human resources and readiness, as well as the legal and policy roadblocks the Department faces in trying to implement its Defensive Information Operations mission.
______________________________________________________________
"He that will not apply new remedies must expect new evils." - Francis Bacon
The Integrated Information Infrastructure (III), a vision developed for the Department of Defense (DoD) by the Defense Science Board (DSB), is now the foundation of many DoD information infrastructure initiatives. The III sets goals and directions for DoD-wide information services that will be developed from private-sector information technologies.
The first phase in the realization of the III will be the implementation of the Global Information Grid (GIG). The GIG will globally interconnect information capabilities, automated processes, and personnel for collecting, storing, processing, managing, and disseminating information on demand to warfighters, policy makers, and supporters.
The GIG will comprise multiple virtual data networks worldwide that use shared, commercial communications media and information technologies. However, the DoD will not own or control the GIG. Furthermore, the GIG will offer virtually no protection against insider threats, especially to tactical networks. No centralized authority over budgets and execution activities exists. A new organizational structure with a centralized, primary point of responsibility is needed.
The DSB task force recommends an information assurance (IA) reference model that assumes the use of internet protocols in a wide range of environments (including tactical and strategic). It parallels the International Organization for Standardization reference model, with the substitution of a middleware layer for the presentation layer, and is consistent with the Transmission Control Protocol/Internet Protocol (TCP/IP) suite. The task force also recommends a series of IA system architecture strategies:
In particular, the DSB task force recommends the following measures to support IA over the GIG:
The GIG will incorporate a number of commercial wireless technologies, which are discussed in detail. The security of wireless networking is essential to the performance of the GIG. Attacks on wireless systems can take the form of interception, denial of access locally and system-wide, and disruption of the entire network.
Although these commercial technologies are attractive and at first glance seem to be infrastructure independent, they are in fact vulnerable extensions of a vulnerable infrastructure. These vulnerabilities must be carefully analyzed and understood, and protection measures must be carefully designed.
Other recommendations include the use of correlated multi-layered Intrusion Detection System (IDS) data as inputs to intelligence-enabled tracing systems and modus operandi detectors.
For the implementation of the above strategies, the task force recommends the formation of a DoD Board of Directors for Information Superiority, and that this Board create an advisory group under Federal Advisory Committee Act Regulations, or as a permanent DSB panel, consisting of senior private-sector IT leaders.
The Board should also create an Executive Office whose director will be responsible for leading the implementation of the DoD-wide common user internetwork on behalf of the Board. The Director's primary responsibility will be to deliver the GIG.
The III vision sets goals and directions for DoD-wide information services that will come about through the exploitation of private sector IT, to include associated IA technologies. The III then sets both a long-term vision and a road map for the evolution of the DoD infrastructure. Figure 12 provides a conceptual view of the III.
Figure 12. Vision for the Integrated Information Infrastructure
To realize the potential benefit of this new concept, the future information infrastructure must be capable of reliable, secure transmission, storage, retrieval and management of large amounts of data. Today, all systems are segmented into communications links, computers, and sensors that in turn are stovepiped to support specific functions (e.g., intelligence, logistics, or fire control). Furthermore, these component entities are now constrained by a lack of (1) the bandwidth necessary for high-resolution imagery transfer; (2) the processor capacity needed for target recognition and interpretation; (3) memory sufficient to handle massive amounts of archival data; and (4) software to search the many data repositories quickly in order to provide commanders with tactical information in a timely manner. These constraints are magnified by difficulties in integrating a myriad of legacy information systems with newly developed, service-unique stovepipe and joint systems. These limitations can be overcome, and the full capability of joint forces realized, if the goal is to integrate all military command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) systems into a ubiquitous, flexible, interoperable C4ISR system of systems -- the Integrated Information Infrastructure.
The Integrated Information Infrastructure must meet several key requirements if it is to realize its potential to enable future combat operations to support a wide spectrum of missions, threats, and environments. As stated in Joint Vision 2020, a military force must be able to receive or transmit all of the information it needs for the successful and efficient prosecution of its mission, from any point on the globe, in a flexible, adaptive, reconfigurable structure capable of rapidly adapting to changing operational and tactical environments. The information infrastructure must support these needs, while allowing force structures of arbitrary composition to be rapidly formed and fielded. Furthermore, the infrastructure must adapt to unanticipated demands during crises, and to stress imposed by adversaries.
The infrastructure must allow information to be distributed to and from any source or user of information at any time: its architecture must not be constrained to support a force-structure (enterprise) hierarchy conceived a priori. Most importantly, the information and services provided to an end user through the infrastructure must be tailored to the user's needs, and be relevant to the user's mission, without requiring the user to sort through volumes of data or images.
The information infrastructure must include multimode data transport including land-line, wireless, and space-based elements. All of these media must be integrated into a ubiquitous, store-and-forward data internetwork that dynamically routes information from source(s) to destination(s), transparently to the user. This data transport segment of the infrastructure must be self-managed, be adaptive to node or link failure, and provide services to its users based on quality-of-service (QoS) requests. These services include bandwidth, latency, reliability, security, precedence, distribution mechanisms (point to point, point to multipoint), and the like.
The infrastructure interface will link the user to a distributed processing environment that includes all types of computers situated at locations appropriate given their needs for power, environment, and space. This distributed computing environment will be integrated via the transport component of the infrastructure, thus enabling these processors to exchange data dynamically, share computation loads, and cooperatively process information on behalf of and transparent to the user.
The infrastructure should be an adaptive entity that integrates communication systems, computers and information management resources into an intelligent system of systems. The components of the III will exchange state information with one another, in order to enable the entire infrastructure to adapt to user requirements and any stresses imposed on the network by an adversary. This adaptability will also enable the infrastructure to change its scale as necessary to support force structure(s) of arbitrary size, or to incorporate new processing, network, and communication technologies as they are developed. Thus, this infrastructure is a scalable computing environment.
The information infrastructure must provide tailored information services to diverse users ranging from a single person to a collection of people, sensors, and/or weapons by means of intelligent agents -- software entities, under the general control of the user, that are goal directed, migratory, and able to create other software entities, and provide services or functions on behalf of the user.
Each user will be served by one or more intelligent software agents that proactively provide and disseminate appropriately packaged information. These agents will perform such functions as fusing and filtering of information, and delivering the right information to the right user at the right time. They will be proactive in the sense that they are aware of the user's situation and needs, and will provide information relevant to those needs without a specific user request.
These agents will multiply the personnel resources available to combat units by gathering and transforming data into actionable information to support unit operations, just as unit members would have to do were the software agents not provided. Warfighters will therefore be freed of routine chores in favor of actual operations.
To the maximum extent feasible, the infrastructure's transport layer will take advantage of commercial technology and networks, by utilizing open-systems standards and protocols, and will minimize the use of service- or function-unique hardware and software. For applications where military-unique capabilities (such as antijam, low probability of intercept, spread-spectrum waveforms and the like) are required, military products will be developed or adapted to interface with the overall architecture.
As the Department moves towards the realization of the III vision, it will enable, over time, the following military capabilities:
The first phase for realizing the III is the implementation of the Global Information Grid (GIG). The GIG will incorporate near-term information technologies to provide the warfighting capabilities noted above. The GIG will, over time, evolve into the longer-term vision for the III. As the United States proceeds to implement and secure the GIG, it must keep the evolution toward the III in mind. The near-term vision is shown in Figure 13.
Today's communication infrastructure is highly entwined, with many misunderstood capabilities and limitations - and a false sense of security.
Figure 13. Global Information Grid
Long-haul communications are one clear example. Multiple users may think they have a "unique circuit" when in fact they are only sharing a fiber or a part of a larger fiber optic cable. Assumptions of privacy, dependability, and assured service are often faulty. In most cases, these long-haul communications merge into a distribution switch that further routes the signal to its destination -- making the switch a potential single point of failure. DoD no longer controls many "military only" circuits, but is instead highly dependent on the civilian backbone communications.
Figure 14 provides a summary of this task force's findings regarding an effective information assurance architecture. The Global Information Grid will comprise multiple virtual worldwide data networks: the Non Secure Internet Protocol Router Network (NIPRNET), Secure Internet Protocol Router Network (SIPRNET), Joint Worldwide Intelligence Communications System (JWICS) and Service tactical Command, Control, Communications and Intelligence (C3I) systems. These networks use shared commercial communications media and commercial information technologies. In addition, all are cryptographically segmented into virtual networks. However, the task force noted that there is virtually no protection against the insider threat, especially for the classified networks. All Services are adopting a defense-in-depth (DiD) strategy, with different implementations. For example, the Air Force is employing a different strategy from the Army: a different protocol translation architecture; a different location for performing enclave-level intrusion detection; and different measures for enclave access control. While there is a general framework for implementing DiD, there is no engineering discipline that allows for design of a DiD solution that provides confidence in security against a variety of attacks.
The current emphasis on information assurance metrics is focused on readiness and is not addressing the metrics needed to assess and measure mission, system or technical level performance. In addition, denial of service measures and attack attribution metrics are not well addressed.
GIG IA: Summary of Findings
Absent an office of primary responsibility, the GIG will not achieve joint weapons system status
Figure 14. GIG IA Summary of Findings
Finally, the task force believes that today's DoD organizational structure is inadequate to deliver a GIG. Although both the DoD Chief Information Officer (CIO) Executive Panel and the Military Communications and Electronics Board (MCEB) are working on defining and providing guidance for the GIG, the task force believes that a new organizational structure, with a centralized primary point of responsibility, will be required to develop a GIG worthy of weapons system status.
Neither the DoD CIO Executive Board nor the MCEB has the membership or authority over budgets and execution activities that the task force believes is necessary to ensure the GIG is built and managed effectively. Without that level of authority over all elements of the GIG, the architecture is subject to interpretation by each component based on its needs, rather than the needs of the entire DoD enterprise. Additionally, neither of these two boards has direct oversight responsibility over any specific office or function that carries out its direction. There is also little incentive to address crosscutting issues in a coherent fashion when the funding for these programs is provided via Title 10 channels without some mechanism to encourage cooperation. Because of the Title 10 and DoD versus Intelligence Community issues, the only level of management senior enough to cross this bridge is at the DepSecDef level.
The IA reference model suggested by this task force is shown in Figure 15. This protocol stack assumes the use of internet protocols in a wide range of environments, including both tactical and strategic. It parallels the International Organization for Standardization (ISO) reference model (ISO 7498), with the substitution of a "middleware" layer in lieu of the presentation layer, and is consistent with the TCP/IP suite. (This substitution seems appropriate because modern systems do not make use of separate presentation layer functions; these functions are assumed by applications.)
Figure 15. Recommended Reference Model and Security Protocols
In this model, physical layer protection is afforded via link KGs (e.g., KG-84, KG-189) on a hop-by-hop basis, where warranted by threat concerns. No data link security (e.g., Local Area Network (LAN) security protocols such as IEEE 802.10) is recommended. This technology has not been adopted by product vendors and is generally not warranted in switched LANs when higher layer security protocols are employed. Internet Protocol security (IPsec) is recommended for end-to-end, enclave-to-enclave, or end-to-enclave protection. No transport (e.g., TCP) layer security protocol is recommended because there are no widely used standards yet available, and because the services provided at the IP and session layers obviate the need for transport layer security.
Although the Internet protocol stack does not include a session layer per se, the introduction of Secure Socket Layer (SSL), Secure Shell (SSH), and analogous security protocols has created one. SSL is widely deployed and DoD policy calls for its use for secure web access. The task force recommends its use with client (not just server) certificates, for high quality user authentication and access control, with transition to Transport Layer Security (TLS) (the Internet Engineering Task Force (IETF) standard) as it becomes more widely available.
The task force suggests the insertion of a "middleware" layer to accommodate systems such as Common Object Request Broker Architecture (CORBA), distributed computing environment (DCE), or Enterprise Java Beans (EJB). However, such systems are not universally required and there is no clear appropriate choice among these competing middleware technologies at this time. Finally, several critical protocols exist at the application layer, and more may emerge. For secure e-mail, S/MIME (v3 with enhanced security services) is the preferred protocol, and it is widely available in Commercial Off-The-Shelf (COTS) products. Secure domain name system (DNS) is an essential infrastructure security component requiring Defense Information Systems Agency (DISA) as well as base-level support. Internet Key Exchange (IKE) is the key management protocol used by IPsec. As Extensible Markup Language (XML) becomes more common, the digital signature standards developed for it will become critical elements of more sophisticated web security designs, supplementing, but not supplanting, SSL/TLS.
Figures 16 and 17 outline recommended GIG IA system architecture strategies.
Figure 16. GIG IA Strategies
The first strategy is to use a consistent architectural framework and consistent metrics across the entire DoD GIG. This strategy contrasts with the current divergence of approaches among the Services. It is important to foster interoperability via commercial standards, so that commercial and government off-the-shelf technology can be employed throughout the system. The defense-in-depth approach leads to the strategy of segmentation. Segmentation is recommended between the DoD and the general public Internet, between levels of classification, by enclave (COI), and by individual user within an enclave. In order to support segmentation, investment will be needed in high-speed in-line IP encryption devices, and in large scale PKI and PKE.
Fine-grained access control (FGAC) is the principle that allows access to computing and communication resources to be shared, in a safe manner, among a large number of users and user communities. Technology is available to enforce FGAC with an acceptable level of computational overhead, but tools must be available to enable local administrators and users to efficiently manage FGAC for Wide Area Networks (WANs), LANs, and individual hosts and servers.
FGAC is supportive of accountability and acts as a deterrent to inside attacks. Fine-grained identification and authentication, e.g. via use of level-4 PKI, provide the inputs needed to make FGAC decisions. Intrusion detection mechanisms help detect attacks that have eluded access controls, or activities that represent inappropriate use of resources by authorized personnel.
The third strategy is intended to counter denial of service. Segmentation, redundancy, diversity, a restricted set of Internet access points, non-switched commercial infrastructure, and improved overall net infrastructure security, such as S-BGP (Secure Border Gateway Protocol), used in concert, can partially mitigate the denial-of-service threat.
Another important element of the strategy is to enhance indicators and warnings and attack attribution. By correlating multi-layered Intrusion Detection System (IDS) outputs, one can detect patterns of behavior that may indicate a modus operandi. This information can be useful in tracing the sources of unwanted behavior. The correlated outputs of host- and network-based IDS at various levels can also be used to direct attention to potential threats. Resources such as human system administrators and various intelligence assets can be directed in this way. The use of a PKI and PK applications can greatly reduce the noise level of amateur attacks coming into the GIG, and thus increase the signal to noise ratio of the existing indicators and warnings in the GIG.
Figure 17. GIG IA Strategies Concluded
The fifth strategy is to establish a DoD-wide GIG IA testbed. This testbed would draw blue team members and current configuration information from GIG operations, and would employ a nation-state-level technical red team. The lessons learned through these exercises should be used to upgrade the IA properties of the testbed, and if successful in defense, should be transitioned to the operational GIG. Building an IA testbed avoids the costs and other issues inherent in red-teaming the live operational GIG.
A sixth strategy is to more stringently qualify suppliers of GIG IA technologies than is current practice in government procurement. It is imperative that the DoD becomes a smart buyer of commercial information and information assurance technology and services. Commercial information services can often be bought with service level agreements (SLAs) and/or warranties. SLAs can cover a variety of service aspects. For example, an SLA for a communications service might cover: 1) communication speed, 2) link availability, and 3) notification of the customer about problems within certain timelines. In the future, we expect that SLAs may also address security issues.
It is also important to assess suppliers' conformance with applicable standards. There are numerous organizations that measure and certify compliance with a wide range of standards, such as Underwriters Laboratories. In the information security arena, conformance with the Common Criteria, evaluated under the auspices of the National Information Assurance Partnership (NIAP), is particularly important. The NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). The NIAP encourages the development of commercial products with security features as specified in the Common Criteria, and certifies commercial laboratories to evaluate products against the criteria under NIST's National Voluntary Laboratory Accreditation Program (NVLAP). In implementing the GIG, strong preference should be given to products evaluated under the NIAP.
Another way to qualify suppliers is to gauge their commitment to fixing security-related flaws found in their systems. There are numerous organizations that compile information about vulnerabilities in commercial systems, among them the Computer Emergency Response Team (CERT) at Carnegie-Mellon University, the SANS Institute, Security Focus, and NTBugtraq. In implementing the GIG, strong preference should be given to suppliers who have a track record of quickly fixing reported flaws. Furthermore, preference should be given to products that are compatible with the Common Vulnerabilities and Exposures (CVE) list. CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability databases and security tools with a "common enumeration."
Furthermore, while the vulnerabilities of commercial technology need to be understood, the impact on the overall GIG architecture of adding the technology needs to be weighed before employment. The task force recommends that the GIG IA testbed be used to address this issue. As mentioned above, there is a great deal of publicly available information about technology and product vulnerabilities. The testbed should use this information as a starting point for developing a knowledge base of technology and product benefits and vulnerabilities.
The DoD should develop a deep understanding of how commercial services are provided, so that they can be properly specified when purchased. For example, buying communication lines from multiple suppliers in order to gain redundancy and diversity may not yield the desired results if each supplier's fiber goes through the same physical switch or runs over the same physical bridge. Instead, when buying a second communication line, DoD should specify that the line share no physical components or transit mechanisms with the first communication line.
The final strategy recommended is to adequately fund a focused GIG IA R&D program. Current DoD IA R&D does not adequately address the IA needs of the GIG. Countermeasures must be developed in anticipation of attacks. The GIG IA testbed recommended by this task force can be used to experiment with potential fixes before specific attacks are found live on the GIG. The development of self-healing systems that are intrusion-tolerant and fault-tolerant is an important step in deploying a reliable GIG infrastructure. Self-healing, recovery, and reconstitution of GIG components could provide continuity of operation throughout and after significant attacks. Clear commercial trends point toward mobile code as an increasingly important software distribution and maintenance mechanism. Current practices in some networks of stripping mobile code out of incoming email and disabling Java and JavaScript are stopgap maneuvers. Significant focused research is called for to contain and verify mobile code, to discover new methods of utilizing mobile code to defend against attacks (e.g., throttling incoming traffic at the routers during a denial-of-service attack), and to automatically install good viruses that upgrade system survivability. R&D focused on forensics, tagging, and traceback could provide GIG administrators with the tools necessary to trace attacks back to their source. Non-repudiable identification of malicious attackers and wayward insiders can provide a level of deterrence not currently in evidence.
Figure 18 provides an example of layered defense, or defense-in-depth, from a traffic flow perspective. All DoD common user networks, SIPRNET and JWICS as well as NIPRNET, should reflect this architecture. This is a departure from current practice in which the classified networks do not provide significant barriers to attacks launched from sites in the same community, e.g., other subscribers to the same common user network.
Figure 18. Uniform Defense in Depth Implementation
The outer perimeter represents an interface between a single-level, common user WAN, e.g., NIPRNET, SIPRNET or JWICS, and a less sensitive WAN, e.g., the public Internet. (If a sensitivity level is crossed, e.g., from SIPRNET to NIPRNET, then a guard is employed.) This perimeter is protected by the use of a (stateful) packet filtering firewall (PFF) and an IDS. Non-IPsec- or SSL-protected traffic, e.g., e-mail, DNS, and web traffic, is screened via the PFF and restricted to destinations inside the WAN that are well-defined web servers, e-mail servers, etc. The IDS here is used to screen traffic (at very high data rates) to detect patterns of attacks against multiple sites on the WAN, through correlation of analytic data from each of these IDS systems. Virus scanning might even be applied to (non-encrypted) e-mail attachments at this point via the use of implicit mail relays.
At the enclave boundary, IPsec is the primary defense mechanism, preventing unauthenticated connectivity to external sources. A PFF is used for traffic that would not be afforded IPsec protection, e.g., e-mail and DNS services. (As illustrated later, web data designed to be available for public access will be maintained outside of the enclave boundary.) The enclave IDS has access to some plaintext data (except when IPsec or SSL is used all the way to a workstation or server) and thus can perform more analysis than the WAN IDS. Virus scanning can be applied to (non-encrypted) e-mail attachments at this point, if it is not applied at the WAN boundary.
Each workstation or server is equipped with an IDS, which is monitored by the enclave security administrator. IPsec, SSL and S/MIME are available for end-to-end cryptographic security, including authentication, integrity, confidentiality, and access control. A secure DNS resolver interacts with secure DNS servers.
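As an added worked example (not code from the report), the following Python model walks sample flows through the three perimeters described above and reports where each is stopped and which IDS layers can inspect its plaintext. The zone and host names, ports, and the two server tables are constructed assumptions standing in for the well-defined servers and enclave services the text mentions.

```python
"""Layered traffic-flow model of Figure 18 (added example; not the report's code).

Three perimeters are modelled: the common-user WAN boundary (stateful packet
filtering firewall plus WAN IDS), the enclave boundary (IPsec gateway, PFF and
enclave IDS) and the host (host IDS behind end-to-end crypto).  Zone names,
host names, ports and the two server tables are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Well-defined servers that unencrypted Internet traffic may reach on the WAN
# (the public web/mail/DNS servers the text keeps outside the enclave boundary).
WAN_SERVERS = {
    ("mail-relay.wan", "tcp", 25),
    ("dns.wan", "udp", 53),
    ("www.wan", "tcp", 80),
    ("www.wan", "tcp", 443),
}
# Services the enclave PFF admits without IPsec: e-mail and DNS only.
ENCLAVE_SERVERS = {("mail.enclave", "tcp", 25), ("dns.enclave", "udp", 53)}
IPSEC_MODES = {"ipsec-to-gateway", "ipsec-to-host"}


@dataclass
class Flow:
    src_zone: str          # "internet", "wan" (another subscriber on the same WAN) or "enclave"
    dst_host: str          # "*.wan" lives on the WAN; "*.enclave" sits inside an enclave
    proto: str             # "tcp", "udp" or "esp"
    dport: Optional[int]   # None for ESP
    crypto: str = "none"   # "none", "ssl", "ipsec-to-gateway" or "ipsec-to-host"


def evaluate(flow: Flow) -> dict:
    """Walk the flow through the perimeters; report the verdict, the layer that
    stopped it (if any) and which IDS layers get to inspect plaintext."""
    visible = []
    key = (flow.dst_host, flow.proto, flow.dport)

    # Layer 1: WAN perimeter, applied only to traffic entering from a less sensitive WAN.
    if flow.src_zone == "internet":
        if flow.crypto in IPSEC_MODES:
            pass  # ESP/IKE is forwarded toward the enclave; the WAN IDS sees headers only
        elif key in WAN_SERVERS:
            if flow.crypto != "ssl":
                visible.append("wan-ids")  # plaintext e-mail, DNS or web: WAN IDS can inspect
        else:
            return {"verdict": "denied", "blocked_at": "wan-perimeter", "plaintext_visible_to": visible}

    # Layer 2: enclave boundary, applied to anything entering an enclave from outside it.
    if flow.dst_host.endswith(".enclave") and flow.src_zone != "enclave":
        if flow.crypto == "ipsec-to-gateway":
            visible.append("enclave-ids")  # gateway decrypts, so the enclave IDS sees plaintext
        elif flow.crypto == "ipsec-to-host":
            pass  # authenticated, but opaque until the host decrypts it
        elif key in ENCLAVE_SERVERS:
            visible.append("enclave-ids")  # unencrypted e-mail/DNS to the designated servers
        else:
            return {"verdict": "denied", "blocked_at": "enclave-boundary", "plaintext_visible_to": visible}

    # Layer 3: the host IDS always sees plaintext once end-to-end crypto is removed.
    visible.append("host-ids")
    return {"verdict": "allowed", "blocked_at": None, "plaintext_visible_to": visible}


# Constructed sample flows, one per situation discussed in the text.
SAMPLE_FLOWS = {
    "internet telnet to a workstation": Flow("internet", "ws7.enclave", "tcp", 23),
    "same-WAN subscriber telnet to a workstation": Flow("wan", "ws7.enclave", "tcp", 23),
    "internet mail to the WAN relay": Flow("internet", "mail-relay.wan", "tcp", 25),
    "internet IPsec to the enclave gateway": Flow("internet", "ws7.enclave", "esp", None, "ipsec-to-gateway"),
    "internet IPsec all the way to the host": Flow("internet", "ws7.enclave", "esp", None, "ipsec-to-host"),
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        print(f"{label}: {evaluate(flow)}")
```

The second sample flow is the point the text makes about classified networks: a subscriber on the same common-user WAN is not screened by the WAN perimeter, so only the enclave boundary stops it.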
Suggested IA Functions in the Host
Figure 19. Suggested IA Functions in the Host
In addition to boundary protection provided by the DiD architecture, there are a variety of functions that should be employed to defend the hosts in the GIG. The task force suggests that these be used in all DoD common-user networks, including NIPRNET, SIPRNET, and JWICS.
IPsec, SSL, and S/MIME should be used for end-to-end cryptographic services such as confidentiality, authentication, nonrepudiation, integrity, and access control. A secure DNS resolver should be deployed with secure DNS servers to provide high assurance that a domain name is resolved correctly. A virus scanner, malicious code detector, and mobile code filter should be used to strip any attachments or content violating mobile code policies established within an enclave. In keeping with the defense-in-depth strategy, host-based intrusion detection and anomaly detection tools should also be deployed. When IPsec is used all the way to the host, the host has the only opportunity to apply serious IDS scrutiny to incoming packets. Since the hosts will experience relatively small data rates, the IDS can be tuned to high levels of sensitivity. The host-based IDS should communicate alert information to other enclave IDS services, which can correlate data from network IDS and other host-based IDS deployed in the enclave to obtain a more accurate enclave-wide view of intrusive and other network activity. Signature-based IDS should be kept up-to-date and output monitored by the enclave security administrator.
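The correlation service described here and in the earlier indications-and-warnings strategy, as an added example that is not the report's own code: it merges constructed WAN, enclave and host IDS alert lines, windows them per source, matches the observed sequence against a known modus operandi, and ranks incidents for the enclave security administrator. The alert format, layer names, window length and pattern catalogue are assumptions.

```python
"""Cross-layer IDS alert correlation (added example; not the report's code).

The report calls for host-based IDS alerts to be forwarded to an enclave
correlation service and merged with WAN- and enclave-level network IDS
output, so that a source seen misbehaving at several layers, or following a
known modus operandi, is escalated to the security administrator.  The alert
line format, the layer names, the 15-minute window and the modus-operandi
catalogue are assumptions; the alert lines are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: "<ISO timestamp> <layer> <source address> <category>".
SAMPLE_ALERTS = """\
2000-11-04T10:00:05 wan 203.0.113.7 portscan
2000-11-04T10:02:41 enclave 203.0.113.7 portscan
2000-11-04T10:05:12 enclave 203.0.113.7 exploit-attempt
2000-11-04T10:05:30 host 203.0.113.7 suspicious-login
2000-11-04T10:06:02 host 203.0.113.7 privilege-escalation
2000-11-04T10:07:00 wan 198.51.100.9 portscan
2000-11-04T11:30:00 enclave 192.0.2.50 exploit-attempt
2000-11-04T11:31:10 host 192.0.2.50 suspicious-login
""".splitlines()

# Known patterns of behaviour (ordered categories) that indicate a modus operandi.
KNOWN_MODUS_OPERANDI = {
    "scan-then-exploit": ["portscan", "exploit-attempt", "privilege-escalation"],
}


def parse_alert(line: str) -> dict:
    ts, layer, src, category = line.split()
    return {"ts": datetime.fromisoformat(ts), "layer": layer, "src": src, "category": category}


def is_subsequence(pattern, sequence) -> bool:
    """True if every step of pattern occurs in sequence, in order (gaps allowed)."""
    it = iter(sequence)
    return all(step in it for step in pattern)


def correlate(alerts, window=timedelta(minutes=15)):
    """Group alerts by source; start a new incident when a source is quiet for
    longer than the window.  Each incident records the layers that saw the
    source and the order in which categories were observed."""
    by_src = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        by_src[alert["src"]].append(alert)
    incidents = []
    for src, src_alerts in by_src.items():
        current = None
        for alert in src_alerts:
            if current is None or alert["ts"] - current["last_seen"] > window:
                current = {"src": src, "first_seen": alert["ts"], "last_seen": alert["ts"],
                           "layers": set(), "sequence": []}
                incidents.append(current)
            current["last_seen"] = alert["ts"]
            current["layers"].add(alert["layer"])
            current["sequence"].append(alert["category"])
    return incidents


def assess(incidents):
    """Attach matched modus operandi and a priority.  Host confirmation counts
    most: with IPsec to the host, the host IDS is the only layer that saw plaintext."""
    for inc in incidents:
        inc["modus_operandi"] = [name for name, pattern in KNOWN_MODUS_OPERANDI.items()
                                 if is_subsequence(pattern, inc["sequence"])]
        if "host" in inc["layers"] and inc["modus_operandi"]:
            inc["priority"] = "high"
        elif len(inc["layers"]) >= 2:
            inc["priority"] = "medium"
        else:
            inc["priority"] = "low"
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(incidents, key=lambda i: (rank[i["priority"]], i["first_seen"]))


def triage(lines):
    """Parse, correlate and rank a batch of alert lines from all three layers."""
    return assess(correlate([parse_alert(line) for line in lines]))


if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        print(inc["priority"], inc["src"], sorted(inc["layers"]), inc["modus_operandi"])
```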
Suggested Secure Net Management
Figure 20. Suggested Secure Net Management
Today, most layer 3 and above network components are managed remotely using a mix of SNMP and Telnet, although some offer web interfaces as well. SNMP v1 offered no security, and so was used only for getting information from managed devices (reading Management Information Base (MIB) objects, but not modifying them). Telnet, even when used with plaintext, reused passwords, was often employed. SNMP v2 had static, symmetric key cryptographic security added, but was not commercially successful. SNMP v3 has improved security services, but still uses manually distributed, symmetric keys. This is not consistent with our proposed use of PKI for user authentication and authorization everywhere else in the GIG. The use of Kerberos for SNMP v3 security has recently been proposed. Version 5 of Kerberos supports X.509 certificates and thus may provide a means of PKI-enabling SNMP v3.
Telnet, secured by Kerberos, is available and used today in some products for Secure Electronic Transactions (SETs), and web interfaces for management can make direct use of SSL/TLS. Telnet can also be secured using SSL/TLS.
For the most part, the GIG will not own or directly manage circuits, but when it does, the circuit switches, SONET switches, and the like often require or offer out-of-band management interfaces, e.g., via the Public Switched Telecommunication Network (PSTN). These interfaces should be secured via link crypto devices that make use of PKI technology, to provide authenticated, integrity-protected, and confidentiality-secure channels. Some such devices are commercially available, and one can use STU-IIIs (or, preferably, the follow-on technology, Secure Telephone Equipment [STEs]) in this fashion as well.
DoD should focus on deployment of level 4 PKI. If this requires delaying Common Access Card (CAC) deployment, the delay should be tolerated. A PKI is a central element of system security and subversion of a PKI can undermine most layers of a defense-in-depth scheme. Thus it is critical that DoD take responsibility for its own PKIs. The DoD should not make use of commercial CAs, although the DoD PKIs must interoperate with commercial PKIs, e.g., to support authentication of DoD contractors.
Suggested DoD PKI Strategy
Figure 21. Suggested DoD PKI Strategy
The DoD PKI should be aligned with organizational boundaries, and should use alternate (subject/issuer) name extensions to incorporate DNS names and RFC822 names to facilitate native support of security protocols such as S/MIME, IPsec, and SSL/TLS. The NSA Key Management Infrastructure (KMI) could provide a suitable infrastructure for these requirements. It is critical that certificates be issued along organizational boundaries, to constrain the damage that might result from local security compromises. For example, it must not be possible for an Army Certificate Authority (CA) to issue a certificate that purports to be for an Air Force employee. Current plans for the KMI do not necessarily adhere to this principle and should be modified accordingly. Also troubling is the so-called "bridge CA" concept, developed for interorganizational cross certification in the federal PKI. Several important PKI security features do not operate properly when a bridge CA is part of a certification path. A bridge CA should be used only to facilitate acquisition of public key certificates of other organizations, so that local security administrators can issue cross certificates directly to the other organizations with which they need to interoperate.
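The organizational-boundary rule above, as an added example that is not the report's or the DoD PKI's code: a pure-Python implementation of RFC 5280 name-constraint matching for dNSName and rfc822Name, applied to a constructed root/Army CA path so that a certificate carrying an Air Force mailbox is rejected at the Army CA. The CA names, domains and mailboxes are constructed samples.

```python
"""X.509 name-constraint check for an organizationally aligned PKI (added
example; not the report's or the DoD PKI's code).

RFC 5280's NameConstraints extension (section 4.2.1.10) is the mechanism that
stops, e.g., an Army CA from issuing a certificate that purports to be for an
Air Force employee: each CA carries permitted/excluded subtrees for the dNSName
and rfc822Name forms, and every subject alternative name in a leaf must satisfy
the constraints of every CA on the certification path.  The matching rules
follow RFC 5280; the CA names, domains and mailboxes are constructed samples.
"""


def dns_in_subtree(name: str, subtree: str) -> bool:
    """A dNSName satisfies a subtree if it equals it or adds labels on the left."""
    name, subtree = name.lower(), subtree.lower()
    return name == subtree or name.endswith("." + subtree)


def rfc822_in_subtree(addr: str, subtree: str) -> bool:
    """Subtree forms: a particular mailbox, all mailboxes on a host, or (leading
    period) all mailboxes in sub-domains of a domain."""
    addr, subtree = addr.lower(), subtree.lower()
    if "@" in subtree:
        return addr == subtree
    host = addr.rsplit("@", 1)[-1]
    if subtree.startswith("."):
        return host.endswith(subtree)
    return host == subtree


MATCHERS = {"dNSName": dns_in_subtree, "rfc822Name": rfc822_in_subtree}


def name_allowed(name_type: str, value: str, constraints: dict) -> bool:
    """Apply one CA's NameConstraints to one subject alternative name."""
    match = MATCHERS[name_type]
    excluded = [s for t, s in constraints.get("excluded", []) if t == name_type]
    permitted = [s for t, s in constraints.get("permitted", []) if t == name_type]
    if any(match(value, s) for s in excluded):
        return False  # excluded subtrees take precedence over permitted ones
    if permitted and not any(match(value, s) for s in permitted):
        return False  # this name form is constrained and the value fits no subtree
    return True       # no constraint on this name form: unrestricted


def check_path(chain, leaf_sans):
    """Return (CA, name form, value) for every SAN that some CA on the path forbids."""
    return [(ca["name"], name_type, value)
            for ca in chain
            for name_type, value in leaf_sans
            if not name_allowed(name_type, value, ca["name_constraints"])]


# Constructed sample hierarchy: a root confined to .mil, an Army CA confined to army.mil.
DOD_ROOT = {"name": "DoD Root CA (sample)",
            "name_constraints": {"permitted": [("dNSName", "mil"), ("rfc822Name", ".mil")]}}
ARMY_CA = {"name": "Army CA (sample)",
           "name_constraints": {"permitted": [("dNSName", "army.mil"),
                                              ("rfc822Name", "army.mil"),
                                              ("rfc822Name", ".army.mil")]}}
ARMY_PATH = [DOD_ROOT, ARMY_CA]

# Constructed leaf SANs: a legitimate Army subject and one the Army CA must not vouch for.
SOLDIER_SANS = [("rfc822Name", "jane.doe@hqda.army.mil"), ("dNSName", "ws42.hqda.army.mil")]
IMPOSTOR_SANS = [("rfc822Name", "john.roe@af.mil"), ("dNSName", "www.army.mil.example.com")]

if __name__ == "__main__":
    print("soldier:", check_path(ARMY_PATH, SOLDIER_SANS) or "accepted")
    print("impostor:", check_path(ARMY_PATH, IMPOSTOR_SANS))
```

The lookalike dNSName in the impostor certificate is caught because matching requires a label boundary (the leading dot), not a bare suffix match.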
Domain Name System Security (DNSSEC) is a PKI-like system that provides secure name/address translation support for most Internet protocols. The DNS is global in scope and thus the DoD should encourage widespread adoption of DNSSEC. Within the DoD, high assurance (cryptographic) technology should be employed to protect DoD domains, i.e., the DoD should implement DNSSEC for the .mil and .sml domains and sub-domains.
Directories are essential for widespread deployment of e-mail security (S/MIME),