
Agency Aims to Outmaneuver Cyber Enemies


Richard Schaeffer is the director of the Information Assurance Directorate, National Security Agency.

Maintaining the edge in information assurance calls for constant vigilance.

The burgeoning number of devices, wireless capabilities and social media sites is challenging the goal of one of the leading U.S. intelligence organizations: to provide the decisive advantage to outmaneuver adversaries in cyberspace. A large hurdle to overcome is the growing use of commercial technologies that often bring with them varying degrees of information security requirements. These are now being addressed through a set of standards that both government and commercial organizations can use when developing new products. These standards not only support information assurance issues but also promote interoperability.

Richard Schaeffer, director, Information Assurance Directorate (IAD), National Security Agency (NSA), admits that it would be unrealistic for his organization to expect to defeat adversaries. Its goal, however, is to stay ahead of enemies in cyberspace through technology and operational changes. To achieve its mission of measurably improving the security of critical operations and to provide the knowledge and technology to its commercial partners and clients, the IAD is focusing on specific areas of information security.

First, because today’s clients primarily use commercial technologies, it is concentrating on the architectural level. Specifically, the IAD is interested in how to support the integration of components of varying assurance levels into a system that enables mission execution. “Understanding the technology and the vulnerabilities that it brings is a huge priority for us,” Schaeffer says. The speed at which technology is changing challenges the IAD as it continually attempts to improve government’s and industry’s understanding of these vulnerabilities, he adds.

The second challenge the IAD faces also is related to technology. An increased emphasis on information sharing across security domains or communities of interest means that information assurance must be a top priority within the U.S. Defense Department and intelligence community. This is a complex problem, Schaeffer admits. It affects not only how his organization thinks about vulnerabilities at the architectural level but also about how to manage users’ identifications and information access privileges.

Policies within this dynamic environment must be balanced to enable information sharing between and among users in the intelligence community and federal government, he notes. And ensuring an information-assured space—particularly when commercial products are used—always requires some sort of cryptographic capability that provides the security of services and the integrity of the information, he adds.

Cryptographic interoperability in a secure environment can be especially challenging. As a result, the IAD has developed Suite B, a commercial set of interoperability standards that enables technology developers to ensure that their new products will be compatible with other secure capabilities. For the confidentiality piece of security, the organization chose the Advanced Encryption Standard; and for key exchange, it selected elliptic curve cryptography. All of the standards are described in National Institute of Standards and Technology publications. “We have leveraged commercial standards and spent the past 18 months developing policy for usage,” Schaeffer says.

The IAD also has developed and published reference implementation information, because all the standards are based on commercial and open-source material. Vendors now can create products based on cryptographic interoperability because the standards do not carry the old controls that the NSA used to—and in some cases still does—have on some of the cryptographic hardware, he adds.

“You can produce non-cryptographically controlled item [CCI] products that are fully interoperable with any other Suite B product because there is a reference implementation guide against which these products can be tested,” Schaeffer explains.

The Suite B standards are particularly useful to warfighters. Today, troops find themselves fighting next to allies from numerous nations. The equipment and devices these allied troops use are supplied primarily by the United States. However, warfare surely will feature coalition partners well into the future, and the standards enable other nations to build or buy Suite B-compliant devices that will permit them to communicate securely with other coalition troops, including the United States.

On the domestic side, homeland security initiatives often require that federal agencies share sensitive or classified information with each other or with state and local agencies using commercial devices. “We believe we can achieve an information assurance level that enables sharing information at the Secret level using commercial algorithms, so that state and local agencies can obtain the sensitive information they need from the federal government to be able to collaborate,” Schaeffer shares.

The explosion of capability-packed mobile devices poses another challenge to the NSA. The last tactical mile in operations is typically a wireless tether. Even mainstream commercial users now carry a hefty load of weightless resources in the palms of their hands. Whether it is a traditional cell phone, iPhone or some other multidimensional device, the users have gotten used to being disconnected yet still operating on a network. As a result, however, warfighters and intelligence officers also have become accustomed to utilizing these powerful devices.

Schaeffer points out that, while the convenience is compelling, use of commercial wireless products brings with it an entire new set of vulnerabilities that have become a huge challenge. “Vulnerabilities in the wireless environment will have to be overcome if we are going to enable our clients to outmaneuver that new adversary,” he states.

While the IAD’s mission is to provide measurable improvements in the security of critical operations, the metrics to assess these improvements are a bit elusive. Military and intelligence community leaders often ask if an investment in a particular solution will achieve some level of information assurance or capability, Schaeffer notes. “The answer is yes, but what they don’t ask is for how long. As technology changes, what we do for an assured operational mission could be beneficial today, for a month, for six months, for a year. But there could be changes in technology that cause us to go back and say, ‘Here’s something else we have to do.’ Information assurance is a journey, not a destination,” he states.

Despite the growing number of vulnerabilities and the requirement to be prepared to face the next threat, the resources—both in funding and personnel—have remained relatively flat in both the public and private sectors during the past five to 10 years, Schaeffer notes. This concerns him.

To address the level of funding, the IAD has been working to maximize the value of solutions in which it invests. One activity that supports this effort is the collaboration among government organizations that enables them to share and learn from each other’s experiences.

Schaeffer is even more concerned about the number of personnel that will be available in the coming years to meet the ever-changing challenges that new technology poses. Most system owners rely on their agencies’ network managers and systems administrators to provide information assurance. But Schaeffer does not believe that the United States’ birth rate is enough to keep up with the need for people to develop the technologies, processes and mechanisms to conduct enterprise-scale vulnerability management. “We collect a lot of information about problems in the network; we can’t solve those on a point-by-point basis,” he explains. Finding the problem and solving it at this level requires smart people using commercial products to develop and implement the architecture, uncover new vulnerabilities and work with vendors.

While the United States maintains its leadership in innovation worldwide, Schaeffer is concerned about the future. “I worry that in 20 or 30 years, if we don’t do something about the feeder system and incentivize innovation ... I don’t believe we can afford to be second,” he states.

One look at the number of students receiving advanced degrees in the areas of science, technology, engineering and mathematics in other nations illustrates why Schaeffer is concerned. The number far outweighs the number of U.S. citizens achieving those same types of degrees, he notes. Technology innovation and entrepreneurship are the focus of many major universities in India and China to a much greater degree than similar institutions in the United States.

The NSA has been doing what it can to address this issue since 1999. It also began working with the U.S. Department of Homeland Security to create centers of academic excellence and information assurance programs at major universities. These institutions received a five-year certification, and the number of universities involved in the program has grown from seven a decade ago to more than 100 today. However, Schaeffer points out that many of the certified institutions are not being re-certified because they have shifted their curriculum or their faculty members have been lax in keeping up to date.

The challenge of inspiring middle school and high school students with the hard sciences must be addressed. “I worry more than a little about where the people are going to come from in this mission area in the future,” Schaeffer says.

There are additional causes for concern. Schaeffer summarizes the threats to information assurance in two words: real and growing. The rate of Internet usage expansion is mind-boggling, with millions of e-mails being exchanged every minute and billions of Internet users today. This only increases the number of tools, capabilities and training opportunities for cybermarauders. “It is a force multiplier,” he states.

And while standards are desirable as industry creates new products for government and military use, they can become a detriment to information assurance. The commonality among the devices enables those who wish to do harm to find a single vulnerability that can be exploited against an entire network of devices. Consequently, users must have a much greater sense of their risk whenever and however they use a device, Schaeffer notes.

These conditions require that the NSA view cybersecurity from an entirely different perspective. It must determine what information is critical and how it might be compromised, which calls for a new set of technology and behavioral solutions.

For example, many people are concerned about identity theft, but one look at social networking sites such as Facebook and MySpace demonstrates that many people—particularly teenagers—are willing to put a great deal of personal information on the Internet. By simply viewing this information, a cybermarauder has what is needed to impersonate them. “The ability of someone to create a persona based on information gleaned from across the spectrum of social networking sites is something we should all be concerned about,” he relates.

In addition, once information is placed on the Internet, it is there forever. “Those are the things that lead us to say that threats are growing, not just because of the tools but also because of the ease by which those who might do harm have access to the tools. It is growing because of our individual behavior, the things we do every day,” Schaeffer states. The threat will continue to morph as technology evolves and uses continue to develop, he adds.

Industry has a large part to play in ensuring that systems and information remain secure. Schaeffer calls on the commercial sector to improve its solutions. “Assurance of software is nowhere near where we would like it to be,” he states. While he appreciates the need for speed to move new products to market, he believes companies must conduct more rigorous testing for vulnerabilities.

This is one area where it is imperative that government and industry collaborate. For example, the NSA worked with the U.S. Air Force and Microsoft Corporation to develop a secure configuration for the Windows Vista operating system. Essentially, equipment is delivered with most security features turned on rather than left off. The Office of Management and Budget adopted it, and it became the Federal Desktop Core Configuration (FDCC). A federal government mandate requires that all agencies use the FDCC as a baseline for their systems.

Schaeffer encourages companies to contact the NSA through its Business Affairs Office. He has found that the time invested in meeting with companies is worthwhile. IAD personnel are able to make firms aware of architectural or implementation flaws that are easier and more cost effective to fix prior to production.

The agency’s Web site also is a solid resource of information, Schaeffer notes. It includes the Suite B background information as well as configuration and best practice guides.

WEB RESOURCES
National Security Agency Information Assurance: www.nsa.gov/ia
NSA Suite B Cryptography: www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
NSA Information Assurance Business Affairs Office: www.nsa.gov/ia/business_research/ia_bao/index.shtml
Federal Desktop Core Configuration: http://nvd.nist.gov/fdcc/index.cfm