At the heart of "DoD Information System Certification and Accreditation Reciprocity" is the policy that if a system owner from any service hands a certified and accredited system to the network owner from any other service, the network owner should have the confidence that putting that system on his or her network will not result in creating information assurance or related vulnerabilities. Can we handle this?
Network systems are similar to icebergs. Less than 10 percent of their volume is visible to the user of an application. Almost all of the hidden code, measured in hundreds of thousands of lines of logic, is invisible in the operating system, in the database management software, in security safeguards and in communication routines. The problem with such software is that for each application—and the U.S. Defense Department has more than 7,000 major software projects—contractors will develop the hidden coding to suit separate requirements.
For federal chief information officers (CIOs), it is the best of times and the worst of times. The broader, less literary question is: Do CIOs matter?
The preeminence of the expanded use of cyberspace, the desire for more openness in government, and the demands for faster and better information sharing within and among enterprises—particularly in the context of inter-agency and coalition information sharing—have changed fundamentally the demands of information security. The wider reach of our networks and the quest for timely, relevant information have improved decision-making but have made us more dependent on cyberspace and more vulnerable.
Information security has not kept up with information exploitation as the United States fully embraced the information age. The greater reliance on information systems across the entire breadth of government, military and civilian activities has opened the nation to cyberattacks on its military systems, its vital infrastructure and its economy as a whole.
The U.S. Defense Department is shifting its information assurance approach away from denying access to intruders toward surviving intrusions amid operations. This approach acknowledges that cybermarauders—whether mere individual hackers or foreign intelligence operatives—are likely to penetrate defense networks at the worst possible time, and the key to maintaining those networks will be to instill a network resiliency that allows them to operate in less than optimal conditions.
The U.S. Army is responding to base realignment decisions by combining two major command headquarters into a single state-of-the-art facility. The physical proximity of personnel who already work closely together should enhance collaboration in the command and control of soldiers, but an emphasis on entity individuality will remain. The building itself will contain technologies that combine certain aspects of the two tenant organizations while ensuring that separate identities and capabilities are maintained when necessary.
Militaries around the world are partnering with the United States—with an emphasis on “states.” A National Guard Bureau program links states with countries to facilitate the exchange of ideas and practices as well as to form bonds of friendships between nations. The effort has helped countries join NATO, convinced them to participate in coalition activities and expanded into emergency management efforts. The Guard’s stable personnel structure makes it an ideal organization to undertake the task of building long-term relationships with international partners. The expertise gained by the bureau through the project is becoming more desired by the active duty and interagency communities, and now, with its first-ever line of dedicated future funding, the program can plan and expand in ways not possible before.
The U.S. Air Force has embraced cyber as a domain and is intent on using the network as it does its other domains—space and air. From the basic approach that all airmen must do their part for security, to the effort of engaging in aggressive cyberoperations, the military branch is covering the gamut of the virtual battlespace. Success in the cyber realm is tied to victory on the battlefield, making such nonkinetic efforts critical to saving lives, completing missions and ensuring the proper functioning of services to military members and civilians.
The U.S. government is taking a giant leap into the virtual realm with the creation of a parallel world intended for training, education and networking. What began as a platform to improve collaboration of emergency management personnel has evolved into a benefit for all government agencies. The project is government-owned and incorporates techniques and technologies unavailable in civilian efforts, offering a robust, powerful tool for conducting business.
Cloud computing can be a gamble, so one teaching tool uses a casino motif to help information professionals understand the best strategies for incorporating it into their organizations. Using a table and mat that resemble a craps game, teams take on tasks that relate to a real-world scenario. As the competition progresses, participants experience the benefits and risks of deploying traditional information technology, information clouds or a combination of both.
The U.S. economic stimulus package is making waves throughout government and industry. Some experts believe that it represents a sea change in government acquisition in terms of oversight, contractor accountability and transparency, which has been attempted before but never has been fully realized. Companies that wish to benefit from the stimulus package need to move—and move quickly—by positioning themselves as solutions providers and as businesses that are willing to follow the new rules.
Call it hybrid, unconventional or asymmetric warfare, the conclusion is the same: the United States and its allies must be prepared to fight a war against integrated threats posed by traditional and nontraditional adversaries. Accomplishing this task will require simultaneous improvements in almost every area of today’s forces, including training, agility, acquisition, strategy, tactics and cultural awareness. To defeat complex foes and their multifaceted attacks, the U.S. military has developed a framework that sets the course forward. However, this plan is not designed as the be-all and end-all of strategies. Instead, it is meant to address past and current challenges and to propel the military and other government agencies into an unpredictable future.
Coalition forces in Afghanistan are using a situational awareness system that alerts military patrols about mined roads and warns civilian relief convoys about traffic jams and possible insurgent activity. The capability fuses intelligence alerts and real-time tracking information to provide users with the location of civilian and NATO forces.
The Tennessee Army National Guard is using a network change and configuration management technology to monitor its networks proactively and warn administrators about potential trouble. The NetMRI system incorporates devices that integrate hardware and software to provide alerts and to allow problems to be remediated immediately. It also enables a small staff to monitor and manage a statewide network consisting of hundreds of nodes and facilities.
Estonia is the first nation in history to have experienced massive cyber attacks directed at its government and key infrastructure. The event, which took place over a three-week period in April and May 2007, marked the beginning of a new type of amorphous, hard-to-track threat to international security. Coming in successive waves, the attacks almost shut down the Baltic country’s government, which relies extensively upon online transactions and e-commerce. In the aftermath of the incident, the European Union and NATO launched a series of initiatives to strengthen national infrastructures and to improve communications between national and multinational organizations in the event of another cyber attack.
Networks no longer are a tidy complement to the work of defense agencies. As information gathering and processing have become faster and more essential to defense and security operations, those networks have evolved into essential tools. But the very barriers created in the justifiable zeal to protect these networks also are erecting significant roadblocks to information sharing, and the fallout affects the agencies’ ability to collaborate with allies, coalition partners and each other.
Some risks attend all travel in the domains of land, sea, air and outer space, but in those realms the voyager is afforded a patently acceptable measure of protection by laws, rules, sanctions against misbehavior, and social norms and comity. Aviators, firefighters, law enforcement officials, soldiers and others obliged to function in highly contested domains can seek added protection from partners who warn of danger from their rear perspective—their six o’clock.