The preeminence of the expanded use of cyberspace, the desire for more openness in government, and the demands for faster and better information sharing within and among enterprises—particularly in the context of inter-agency and coalition information sharing—have changed fundamentally the demands of information security. The wider reach of our networks and the quest for timely, relevant information have improved decision-making but have made us more dependent on cyberspace and more vulnerable.
A delicate balance exists between expanded access and security. These critical elements should not be viewed as competitors, but users must manage risk effectively in a high-threat environment while maintaining mission focus.
More than ever, because of the pervasiveness of information flow and the interdependence of networks, information security is everyone’s problem. Our adversaries will exploit weaknesses wherever they find them. Therefore, we need to focus on information security for the entire community, both inside and outside government. Industry must work with network, application and data owners in near real time to address vulnerabilities and to evolve security approaches to meet the new demands.
One area on which we must focus attention is cross-domain issues that have become paramount in the global security community. In many cases, security solutions work effectively within an enterprise but will not scale or bridge organizational boundaries when addressing cross-domain information sharing. The problem is that virtually everything we do today is cross-domain. This is true in the
Owners and operators of networks, applications and data must make frequent decisions to grant or deny access to their information resources. Trust is necessary between the person or organization requesting access and the decision maker who must grant or deny that access. This can be either a human decision or a machine decision, depending on the scenario. But, this brings up several quandaries. On what basis is the trust established? How does someone gain the information to make a good decision? Within an enterprise, the identities of employees are known and can be stored and accessible to decision makers. Similarly, the attributes of all employees can be managed effectively and determined at the point of decision. But how do you provide this information to people not in your enterprise? Other organizations are unlikely to be willing to release sensitive data about their employees.
Federated identity and attribute solutions have been developed and are available. These solutions validate identity and attribute data at the point of storage so that sensitive information does not have to be released outside the owning organization. The largest example of such a solution is the Defense Department’s Common Access Card (CAC) and its supporting infrastructure. Other compatible federations are emerging within and outside the government environment. Provided that they are fully standards compliant—HSPD-12, FIPS-201, PIV 1 and 2—these solutions can work together to provide effective cross-domain support. So why aren’t such solutions used more broadly? Because organizations must agree to work together and to adopt common business rules to achieve this end. Such adoption and agreement are slow. Some progress has been made, but more is needed.
Similar cooperative issues exist with electronic signature, public key infrastructure (PKI) and other supporting services. The technology is not the pacing factor. We simply need to agree on common approaches and to work together on implementation.
It is time to take action on this. I encourage all of you to become engaged. Whether you are in government, industry or academia, you have a role in the process. The threat in cyberspace is real. We need to leverage those solutions available today through cooperation and focus on the gaps in capability. Do not let organizational or even international boundaries be an obstacle to success.