Keeping out the interloper yields to surviving the intrusion.
The U.S. Defense Department is shifting its information assurance approach away from denying access to intruders toward surviving intrusions amid operations. This approach acknowledges that cybermarauders—whether mere individual hackers or foreign intelligence operatives—are likely to penetrate defense networks at the worst possible time, and the key to maintaining those networks will be to instill a network resiliency that allows them to operate in less than optimal conditions.
Other security measures recognize that changing times are rendering traditional information assurance measures obsolete. The nature of intrusions has changed, and the effects they may wreak has changed as well. Security measures must be applied across the breadth of networking activities, including along the entire supply chain.
Ultimately, people largely will be removed from the network security. The growing sophistication of adversaries, coupled with increasing network complexity, mandates automated security systems that can detect and respond to attacks and intrusions faster and more efficiently than humans.
These measures are part of an overall Defense Department thrust of moving away from stand-alone information assurance into cyber information assurance, states Robert Lentz, deputy assistant secretary of defense for cyber, identity and information assurance. Lentz, who also is the chief information assurance officer for the Defense Department, offers that the concept of information assurance was effective in the traditional static environment, but the modern threat and the cyber environment are advancing so quickly that the department must include time and environmental considerations into its security measures.
The department’s information assurance cyber security strategy focuses on moving toward a true cyber security environment. “This is a fundamental sea change because the adversaries have moved so fast and the technology environment is where it is today,” Lentz declares. “We have to be faster than our adversaries, we have to anticipate these attacks as far out in the network as we can, and we have to be able to adjust when these attacks and incidents occur.”
The strategy aims at continuing missions and operations under any cyber situation. This entails ensuring resiliency to network attack while that attack is ongoing. Calling this concept “dynamic defense,” Lentz points out that the network must have a defensive capability that constantly is adjusting to the environment.
“We recognize that the adversary is going to be living inside this network,” he allows. “We can’t prevent an adversary from penetrating this network; we are going to have to understand that adversaries are going to be inside this network in some way or another, and we are going to have to isolate and minimize the damage as much as possible.”
Operating through a cyber degradation or attack will require a network that is resilient to an event of any type, Lentz explains. “We have to understand our network in a way that we can anticipate the fact that there are going to be degraded operations.” His analogy is a mechanized warfighting platform such as a ship or an aircraft. “You have to assume you are going to lose an engine. So, how do you have a network that is like a weapon system? You have to anticipate failure, and to be able to fight through failure is going to be absolutely critical in the future.”
The department is not abandoning network protection, however. Lentz emphasizes that this new approach is part of a goal of anticipating and preventing successful attacks on the data in the networks. He continues that the traditional firewall strategy provides “a form of resistance and deterrence,” but it cannot be an end-all approach.
In effect, the department will lock the front door, but it will have protective measures inside when—not if—an intruder gets in. “We want not just to worry about the adversary at the front door,” Lentz explains, “but we also want to be able to understand the network and the Internet to the point where we can anticipate when someone wants to knock on that front door for nefarious purposes.”
This new approach is a result of two factors. One is that cyberintruders have become increasingly bold and successful at penetrating networks worldwide. The other is that the Defense Department is becoming involved with a greater number of more diverse networks, and it cannot possibly protect every bit of information across these networks.
“It [the new security approach] has become more critical because of the pace of the threat we are facing,” Lentz offers. “It also has become more critical because our requirements for information collaboration are so high nowadays. We must be much more agile and much more capable of integrating all these new technologies just to be able to be effective. Without that, we will find ourselves not being able to execute either in wartime or in peacetime.
“We have a global responsibility,” Lentz continues. “With our diverse missions, if we were just an isolated nation, we would be able to maintain our original strategy in an isolated environment. The reality is that we are going to be out there constantly working to achieve our national security goals around the world, and this puts us in bad neighborhoods where it is very perilous to do business. We have to realize that, in that environment, you have to anticipate that adversaries will be there as well as that the users of our network will make mistakes inside the network.”
The department must be able to access information readily at any given moment to execute command and control worldwide. Having mission-driven access to information requires a strong foundation of identity authentication, Lentz observes, mandating “a finer-grain understanding” of the attributes necessary for an individual to access that information. More importantly, he says, when those attributes are no longer needed, they must be rescinded, depending on the mission partner.
This access becomes even more important with the defense information environment being extended to mission partners around the world. It remains a challenge to ensure information security among different types of international partners, particularly when today’s partner may fall out of favor tomorrow. The department must be able to remove that fallen partner from the network without jeopardizing its data or its remaining operations.
“We’re well ahead of the rest of the world when it comes to identity management—we’re in complete compliance with HSPD-12 [Homeland Security Presidential Directive-12, which sets standards for identity management],” Lentz observes. “But, we still need to do a lot more to move identity management from just a credentialing approach into a true privilege-management, attribute-based access identity strategy—or we’re not going to be successful.”
The department also must be able to move information from Top Secret networks, to Secret networks, to the lowest level of networks—particularly those of state and local first responders and ad hoc coalition partners. One way of achieving this is to use cross-domain solutions that basically are tunnels between sensitive networks, and Lentz emphasizes the need for “absolute confidence” that these tunnels have the highest degree of protection and capacity.
This requirement places identity management and cross-domain solutions at the top of the technology wish list. “A strong identity fabric gives people access to that information, and the secure protected tunnels—the cross-domain solutions—allow the information to flow freely,” he posits. “That is the only way we will be able to move information, until technology catches up with us and we are able to move all that information together into one single cloud—right now, we are not at that point in time … and it is not going to happen in the near term.”
Achieving the department’s security goals will require leveraging commercial technologies rapidly, he says. It will be critical for the department to work with industry on fine-tuning the architecture, and industry must help the department obtain cutting-edge capabilities. The Defense Department must be able to view new technologies “on the horizon,” so that it can anticipate and plan for new capabilities and updates. “We can’t have a process where it takes up to five years to get a capability into the field,” he declares. “We have to literally be putting in drops of technology every six to 12 months.”
Lentz points out that the Defense Department will be leveraging commercial technology to a large degree throughout the network. But commercial technology is not perfect, and the department must adjust to that reality. “Until such time—and I don’t think that time is anywhere near on the horizon, and may never be—where we have commercial solutions and technologies that are perfect, we will have to face the reality that as we import software and hardware to build networks to leverage those types of technologies, you have an increase in vulnerabilities associated with importing those types of technologies.”
Adding Web 2.0 and collaboration requirements increases the complexity of the problem, he notes. However, the majority of the network will be based on an underpinning of commercial technologies, and that is the main issue for network security. “We have to be much smarter at designing these networks, and we have to be able to design them to accept the risks both from within and from outside,” he states.
A related goal is to remove people from operations. Lentz offers that the department ultimately wants to remove as many people from network management as possible. They would be replaced by technology, so the network would feature “devices talking to devices.” This is the only way to achieve the department’s cyber security vision, he states. “With cyber attacks occurring in seconds, people in the loop will slow you down. You need devices to change software; you need devices to change configurations; you need devices alerting when a bad packet is coming to the network; and you need devices telling you when some anomalous behavior is occurring inside the network—even if it is a mistake. These devices must be talking to each other in a very homogeneous, enterprise fashion.”
Lentz notes that industry is moving quickly in enterprise security management, with more capabilities emerging than ever before. These capabilities are starting to converge, especially with corporate mergers and acquisitions. The department will be following industry’s lead, although it will be developing the standards with industry based on minimal security requirements.
Another key security thrust is to ensure that the cyber components of any Defense Department weapons program “have the integrity and the confidence that is necessary” for commanders to use them without hesitation in combat. “We must make sure that all of the capabilities in our arsenal can be leveraged to the maximum degree possible and that we can trust those capabilities without any hesitation,” Lentz says.
The department would be making “a monumental mistake” if it lacked a goal of ensuring cyber component security at the design phase, he states. Describing it as a fundamental priority, Lentz allows that the department’s recent joint policy statement calls for integrating information assurance at “the earliest part in a major defense acquisition program.”
Traditionally, action on information assurance would arise at the Milestone B point in a development. Now, the department is inserting information assurance in the earliest pre-Milestone-A point in the process. Information assurance goals must be achieved early in a program if it is to proceed.
Lentz states, “The bottom line is that we have to emphasize information assurance in the design phase, or—one—we’re going to have to pay a tremendous amount of money to fix these hardware and software and these system designs after the fact, and—more importantly—we are going to find ourselves very vulnerable to the kind of attacks that could steal information from an information system or render that information system unavailable for our warfighters to leverage it.”
And, the department must manage its supply chain. Lentz offers that this applies to the commercial sector as well. “We must leverage the supply chain in as smart a fashion as possible to keep ourselves competitive,” he says. This involves having a supply chain that can enforce itself effectively, along with having deterrence through laws that prosecute offenders aggressively. “We need technologies to inspect the supply chain throughout its life cycle—the origin of that technology or having technology placed on it so that it can be tracked from the point of origin to ensure it is from a trusted source,” he states.
There is no doubt the department will face challenges in funding, Lentz allows. Having easy access to information with confidence that the network will be up and running when needed—along with secure identities and uncompromised information—will cost money. If funding is reduced, then prioritizing will force people “to live with the consequences of a network that is not as robust as it needs to be and has information that is not as trusted as it should be.” Among the consequences will be fewer mission-critical operations coming out of finite resources.