Effort replaces old equipment, educates customers, promotes new standards.
A major goal of the National Security Agency’s Cryptographic Modernization Program is to promote the use of new cryptography applications designed to enhance interoperability and communications. During coalition operations such as this joint U.S.-Japanese naval exercise, incompatible cryptographic standards often limit secure communications and data sharing between allied forces.
The Cryptographic Modernization Program is a joint effort by the National Security Agency (NSA) and the U.S. Defense Department to transform and modernize
An important reason for this major equipment realignment is the military’s adoption of network-centric warfare in the 1990s, says Richard George, technical director, NSA Information Assurance Directorate,
Another factor behind the NSA’s transformation is the accelerating pace of technological change, which is moving too quickly to allow the agency to customize solutions constantly, explains John Centafont, director of the Cryptographic Modernization Program,
Centafont notes that as program manager he represents both the NSA and the Defense Department. Part of his job is coordinating the program’s goals with each of the services, which all operate their own cryptographic modernization offices. All of the participating members also meet on a regular basis to discuss cryptographic issues such as requirements and testing. “It’s a very tight relationship with the services. It’s not a monopoly. We work very closely with them,” he maintains.
The NSA also works closely with civilian government agencies through the Committee for National Security Systems. Centafont says that education is a key part of these monthly meetings. The agency is a source for customers and vendors to review and learn about cryptography systems. Both civilian and military customers can obtain advice about what functionalities may be available to meet their needs and requirements. “We let them know what’s coming down the road, what equipment they may have and when it will need to be taken out of their inventory,” he explains.
A key partner is the U.S. Department of Homeland Security (DHS) because of its role in defending national infrastructure and providing national security. George notes that the DHS can leverage critical infrastructure and link with state and local governments. “There are a lot of big [civilian] players. The problem is those players don’t really know enough about technology and encryption. They’re relatively new to this game. I think that we can provide them with advice and get them started, and over time they’ll learn more and they can actually take advantage of what we provide,” he says.
The Cryptographic Modernization Program began in 2000 when it became evident that ongoing technology changes were moving too quickly for established development and procurement processes. Centafont explains that it became untenable to develop bespoke cryptographic systems in a piece-by-piece fashion. “It wasn’t supportable by the government, and it wasn’t supportable by industry,” he says.
Perhaps the most important thing the Cryptographic Modernization Program has done since its launch, Centafont notes, is to educate the Defense Department community. He explains that cryptography must be constantly examined and considered as to how it fits into a user’s specific environment. “That education leads to properly funding the cryptographic modernization initiative. It’s not a matter of simply replacing one box with another. That’s actually hard to justify these days because it’s hard to fund and keep up,” he shares.
Another important role recently undertaken by the program is to promote Suite A and B cryptography. Both sets of algorithms are designed to interoperate across joint and coalition systems, removing the impediments to data sharing caused by incompatible security applications. In the wake of Hurricane Katrina, various military, first-responder and state relief groups had difficulty communicating among themselves, George explains. “We never want cryptography to be the reason that you can’t communicate. If there’s any other reason, you’ve got a chance of fixing it. But if crypto is the problem—if it doesn’t match up—it’s very difficult to allow interoperability,” he says.
Released in 2005, Suite B is based on the Advanced Encryption Standard and features a key exchange capability and cryptographic algorithms for hashing and digital signatures. The suite is designed to protect both classified and unclassified data. Suite B also is a subset of algorithms approved by the National Institute of Standards and Technology, making it suitable for use throughout the federal government. The NSA is using efforts such as the Cryptographic Modernization Program to provide industry with a common set of algorithms for its government products.
Suite A algorithms already are widely in use. George describes the suite as a set of “new-old” government proprietary algorithms for niche markets. Suite B is new, but it is available in a growing number of products. The NSA is working with vendors to make sure the algorithms are being implemented correctly. “The driving force behind our move to Suite B was the realization that we could not produce government products that had the functionality and the time to market that commercial products had. That drove us to understand that our customers were going to need to use commercial technology,” he says.
Funding for new cryptographic technologies is more profitable when it is included in the development of new information technology and communications systems. Centafont says that the Cryptographic Modernization Program seeks to find commonalities to help government and industry develop standards, protocols and devices to satisfy customers.
The Cryptographic Modernization Program is replacing legacy cryptographic equipment with modern systems and applications. It also is promoting new encryption algorithms, such as Suite B, which is designed to interoperate with military, civilian government and coalition systems. Suite B applications would allow disaster relief personnel, such as these U.S. Marines responding to a landslide in the Philippines, to communicate securely with local government representatives.
When the initiative began, the Suite A and Suite B algorithms did not exist. Centafont says that the program initially replaced old equipment because of the constant need to upgrade legacy devices. However, he believes that the effort’s future lies in the development of Suite B algorithms and in a closer relationship with industry. “Five or six years ago, it initially was about trying to take the GOTS [government off-the-shelf] products that we had and making them better with the introduction of industry. Now we’re maturing that industrial relationship with Suite B,” he notes.
But keeping up with changes in technology or operational philosophy remains an unending cycle, Centafont observes. As the relationship with industry grows, it will affect how cryptographic systems are developed and coordinated. He believes that the NSA will maintain this commercial partnership even more closely into the future.
Legacy equipment issues also will remain in the Defense Department for many years to come. “Old stuff never seems to go away. It just gets moved somewhere else and used for different purposes,” George says. He adds that the modernization effort affects everything from management to equipment repairs. Interoperability is key to these efforts. Older equipment is moved to areas where it does not have to interoperate, while new algorithms such as Suite B are promoted. George notes that in the past, the goal was to have cryptography distributed across many individual platforms, but in a network-centric world, this is not possible because the interoperability is too critical.
The logistics of maintaining legacy equipment is another challenge. Parts are no longer manufactured, which limits equipment life span. Centafont notes that part of the education process is encouraging the military to see this as an opportunity to redesign its communications systems with better, more commercial technology. He explains that these improvements will provide more flexibility and reduce life-cycle costs. “There are a lot of advantages to improving the whole infrastructure in communications systems. Along with that is developing better crypto,” he says.
Working and interoperating with coalition allies also is important. Besides coordinating with the services, Centafont notes that the program’s working groups also are open to organizations such as NATO. He adds that the NSA or NATO often sends representatives to the other’s sessions to keep both organizations apprised of interoperability needs.
Part of the Suite B algorithm is designed to meet the international interoperability issue. George explains that government proprietary algorithms make information sharing and interoperability with other nations more difficult. The concept behind public algorithms is that they can operate on a range of equipment, enhancing interoperability.
Funding remains a challenge because of the scale of the project. George admits that it is difficult to send out technologies fast enough with both the needed security and functionality. “Technology is moving so quickly. Every time there’s just a mention of a new feature, it’s really hard to work fast enough to evaluate new technology, know its strengths and weaknesses and put it in the right place to mitigate problems. It tends to get out there faster than we’re ready to deal with it,” he says.
Another issue is system composition. Instead of stand-alone equipment, firms are producing components that are assembled into systems. George explains that the challenge is knowing how to piece components together to provide customer security. “Trying to provide the customers with the level of assurance that they need—that is the real goal. There are people out there who are depending on us to give them the solution that they need in the field. We feel a tremendous amount of pressure to deliver to that customer,” he says.
Customer needs also change on a daily basis. Centafont explains that the cryptographic aspect of a technical problem may present more of a long-term rather than a short-term issue. He says that the agency’s warfighter customers have immediate equipment and systems purchases they must make. But cryptography is a long-term solution that is harder for users to appreciate. He admits that for this reason, education is as important as integrating cryptography into systems. “Warfighters need communications capability now, but you don’t turn crypto around on a dime. It takes a while to fully get that functionality, so we run into a time crunch. Once we get something out there, the technology has moved on,” he says.
National Security Agency: www.nsa.gov