31 August 2001
Source: Hardcopy from the National Technical Information Service.
Excerpted from Annex G - Thought Pieces of Report of the Defense Science Board Task Force on Defensive Information Operations, Volume II-Part 2, Annexes, June 2001, 327 pages. Additional excerpts will be offered here in the future.
The Volume II report is a supplement to Report of the Defense Science Board Task Force on Defensive Information Operations, Volume I, March 2001: http://cryptome.org/dio/dio.htm
Recently, ASD(C3I) has asked where the Discover Vulnerabilities (DV) process and IO Red Teaming fit into the larger picture of DoD "force readiness protection" and Defensive Information Operations (DIO). ASD(C3I) has also asked the question: "Does DoD actually have a standing DIO Red Team?" The answer to that question is yes. NSA is DoD's Red Team, and is the team of choice to do adversarial Red Teaming within DoD. The larger issue of a total look at cyber force readiness as well as Red Teaming is a timely one as the DV process begins to take shape in DoD. Questions such as where DV belongs in DoD; who is the lead organization; who leads overall technical training of the force; how we measure readiness; what the standards/metrics for readiness are; and whether Defense contractors should assist in meeting the extensive tasking are of importance.
This white paper will describe:
NSA and the Services.
The NSA Red Team, as part of NSA's Information Systems Security Organization's (ISSO) mission, is to improve the Operational Readiness (OR) & Defensive Information Operations (DIO) posture of DoD and its components. The NSA Red Team is an interdisciplinary and sophisticated "opposing force" (OPFOR) that utilizes active and passive, as well as technical and non-technical capabilities to expose and exploit customer IO vulnerabilities in order to improve operational readiness. Based on Red Team findings, timely feedback is provided directly to the customer consisting of their vulnerabilities as well as specific recommendations and countermeasures to thwart potential real-world exploitation of their computer and network systems.
Organizations "stressed" by NSA's Red Team operations gain a sense of their general cyber readiness by measuring effectiveness in protection, detection, response, and reconstitution during Red Team exercises. Upon customer request, and as negotiated between the customer and the NSA Red Team (and incorporated into the "Rules of Engagement" (ROE)), the NSA Red Team may use cooperative partners and alliances to work as a true OPFOR covering more than one pillar of IO. In the past, the NSA Red Team has partnered with other internal NSA organizations, as well as CIA, DIA, JTF/CND, NIPC, DHS, AFIWC, LIWA, FIWC, SOCOM, and the Military Services.
It is an overstatement to say that the readiness posture of individual DoD organizations varies widely across the Department. Some of the component organizations within the CINCs, Services, or Agencies maintain highly effective DIO programs, while others place less emphasis on securing their networks. Reasons vary for this dilemma, but are telling. For the Services, the total number of people who are highly skilled at discovering and exploiting vulnerabilities remains small, and their time and efforts must be managed wisely. Further, the numbers of such persons are uneven across the Services. For this reason, the Services play to their strengths, offering a range of assessment services that maximizes their skill usage. The bottom line for the Services is that they cannot yet muster the critical mass of personnel skilled in the area of DV. The CINCs are not in much better shape, as they draw on the Military Services for their technical manpower. Currently, NSA is the only DoD entity that has the ability to focus full-time on computer and network vulnerability discovery at all levels of the process. It is NSA's view that it should be designated as DoD's EA for Discovering Vulnerabilities (DV). We have the talent and know-how to organize DoD in the DV process. However, it is also our view that the DV process requires refocus and a relook on where DoD needs to concentrate limited [sic].
We see the DV methodology as a cyclic process composed of three levels of service surrounded by OPSEC. The process is called "THE CYBER OPERATIONS READINESS TRIAD" (CORT), and its main goal is to improve the cyber security of DoD. The initial level, called a Vulnerability Assessment or Infosec Assessment, provides a high-level review of a customer's automated information system (AIS) security policies, plans, and procedures to determine if a minimal level of protection is in place. This is what is known as a Level I assessment. No legal authority is required to conduct this assessment. These people are responsible for supporting DoD and DoD/NII-associated partners. Due to increased customer demand for this service, and working with the National Institute of Standards (NIST) and the DIAP, we have initiated the Information Security System Capabilities Maturity Model (ISS-CMM) process. This process invites the Defense contracting community to become "authorized", via a validated training program, to conduct Level I assessments to the same standard as NSA. The only difference in the end result is that the customer and contractor negotiate a price for the assessment conducted. For this level of assessment, the contracting community is technically suited to conduct Level I assessments, and this is a workable solution to PDD-63 customer concern over DoD evaluators in their systems. The second level of assessment (Level II) is called a Security or Vulnerability Evaluation. This process looks past the basics and provides an in-depth technical analysis of a customer's information system(s). The objective is to identify any and all vulnerabilities (not just those associated with a specific threat agent) and assist the customer organization in addressing them. This type of DV evaluation requires NSA general counsel (AGC(I)) and DDI approval to touch a DoD customer's networks or computer systems.
For final approval, the customer must meet certain criteria and standards when requesting NSA to actually "touch" the network. This is an extremely technical operation and requires a certain skill set to complete the task. Heretofore, NSA has been the only DoD element to conduct this in-depth testing on a system or network. It is our experience that the Military Service elements conduct varying degrees of Level I assessments and Vulnerability Evaluations, and each conducts these services for a component with its own set of standards. IO Red Teaming is the third (Level III) and final level of service. It is normally reserved for larger DoD elements and other customers who are looking to test their networks and cyber security in an exercise environment, either as a no-notice Red Team-only evolution or as part of a larger exercise, e.g., the Marine exercise URBAN WARRIOR. SECDEF approval is required to conduct these operations, and due to the complexity and technical nature of Red Teaming operations, NSA remains the only operative element to conduct this type of Red Teaming. Further dialogue is required to come to closure on where the Military Services and the Defense Contracting community play in the Vulnerability Evaluation (Level II) process and Red Teaming, and what standards/metrics are required.
Once Red Teaming is performed on a system and/or network(s), the customer would optimally reevaluate where they are in their respective security environment and then, via the Vulnerability Assessment, Vulnerability Evaluation, or Red Teaming process, relook at what is required to secure their networks. This continuous process is a strong and proven force in "raising the bar for readiness" on computer and network security. It is this paradigm under which the NSA DV process operates, and that we believe should be required within all DoD Components.
A Red Team, as defined in the draft of DoD Directive 3600.3 "DoD Information Operations Red Teaming", is:
"An independent, threat-based, and simulated opposition force that uses passive, active, technical, and non-technical capabilities on a formal, time-bounded basis to expose and exploit information system vulnerabilities of friendly forces."
The directive further states that:
"The goal of Red Teaming is to improve the readiness and defensive IO posture of DoD Components."
In general, a large portion of the Defense community concurs with the DV process; however, there remain many entities throughout the Department, other government agencies, and the private sector who do not subscribe to, define, or conform to conducting vulnerability discovery in this manner. It is our sense that the DV process should be standardized across the board. Should NSA be given the EA responsibility for DV in general, it is our view that we would further refine and adjust the process for use in DoD.
THE PRIVATE SECTOR:
The DV process covers three levels of service. We believe the private sector can play a pivotal role in filling the Department's needs in the DV process where we (NSA, DoD Services, Agencies, etc.) are over-tasked and lacking, in some areas, skilled personnel. It is our sense that the VA and VE processes, where appropriate, can be assisted by the Defense contracting community if trained and certified appropriately. Although a relatively new endeavor, the ISS-CMM for the VA process is proving a workable alternative. Equally, we believe that if structured properly, and a system set up to assure the results are equal to the existing VE process, the private sector could assist in that part of the DV process as well. However, NSA has not yet initiated an effort to begin the training and certification process for vulnerability evaluation (Level II) work. If tasked, the strategy is to slowly build up competencies for Level I assessments within industry, and then grow additional expertise from there. Our vision is to ultimately share with the private sector requirements for Level II evaluations.
With regard to Red Teaming, we believe there should be measured involvement by the Defense Contracting community. Contractors are involved in Red Teaming now, however, only when working under NSA authorities. There may come a time, because of the growing concern over cyberattack, when we reevaluate contractor play across the board as it applies to Red Teaming. The Red Team is an opposing force. We "attack" U.S. systems. We succeed at breaking into U.S. systems. We have a very elaborate structure in place to handle our mission and/or the case where our mission goes awry. We have a trusted agent network, a deconfliction process, classified tools and techniques, access to real-world threat and resource information, sophisticated laboratory testing procedures, a cover program, legal authorities and, most importantly, a dedicated cadre and critical mass of career personnel with TS/SCI clearances. It also should be stated that we are creating lasting relationships and liaisons with other military departments, Agencies, and others that would simply be extremely difficult for private industry to emulate. Lastly, the "trust and ethical" issues would be most acute. We do not believe that system owners of the most sensitive DoD networks (SIPRNET, MCS, etc.) would feel comfortable with private industry performing the DoD's most sensitive vulnerability evaluations without a DoD cover or operational authority. Since this service is performed at the local as well as the "remoted" level, we envision huge conflicts with private industry performing such services, since they do not have the legal authority to use "jump-points" throughout DoD networks and Agencies.
Exercise planning for Red teaming in the outyears:
IO capabilities of DoD's adversaries are growing and becoming more sophisticated. These adversaries include hackers and other unstructured groups intent on supporting political objectives, and structured groups such as terrorists, rogue nations, or nation states. In addition, the strategies of our adversaries are becoming increasingly clever, drawing from across the spectrum of IO techniques. With the growing number of hacking groups and the ease with which a terrorist group or nation state can obtain the tools necessary to conduct an IO campaign, the threat is harder to identify and stop without proper training and readiness. It is essential that the United States have the capability and experience necessary to counter such threats. Incidents such as Solar Sunrise, which almost stopped a US troop deployment, the I Love You virus, as well as the well-publicized intrusion called Moonlight Maze, highlight just some of the growing threats. Red Teams and the DV process can "hone" the DoD's DIO capability and provide the experience required to enhance the security awareness and readiness posture, necessary elements to dominate in conflicts where IO represents a strategic advantage.