Network Session III

From AFCEAWiki


Session III: Information and Communications Technology and the Global Marketplace

Abstract

The global information and communications technology (ICT) marketplace brings innumerable benefits to the DoD and the extended Defense Industrial Base. Unknown supply chains have created an environment in which the trustworthiness of commercial products is no longer implicit. Risk and risk mitigation must be considered across the entire lifecycle of the product or system, from requirements development to retirement, and this requires close partnership between the USG and industry.

Moderator

  • Mr. Perry Luzwick

Panel

  • Mr. Robert Dix, Juniper Networks
  • Mr. Richard Hale, Chief Information Assurance Executive, Defense Information Systems Agency
  • Mr. Mitch Komaroff, OASD/NII
  • Ms. Cheri McGuire, Principal Security Strategist, Microsoft

The panelists were introduced and each gave brief comments regarding the session topic.

Mitch Komaroff

Provided a big-picture view of the situation. Good guys and bad guys are occupying the same network and supply chain. This leads to a number of problems. Not all cultures have the same sensibilities about ownership. Sophisticated nation-states/competitors have the time and resources to exploit vulnerabilities/flaws in the supply chain. Flaws are discovered, or built in, to be exploited later; thus data can be stolen and the integrity of data can be affected. How do we ensure that the force multiplication of technologies doesn't drop below one? The Department is developing, in addition to traditional defense-in-depth techniques, defense-in-breadth techniques, which understand mission dependence on systems and allocate accordingly.

We need a competitive and vibrant world market in which U.S. businesses thrive, so that we can balance trust and the value proposition.

Cheri McGuire

The global supply chain can present security challenges, but we do not want to restrict U.S. companies in the global market. How do we balance the need to protect U.S. systems with the global posture of U.S. companies?

Industry groups/organizations have been formed to address these issues.

SAFECODE was established a year ago to increase trust in communications through software assurance/development. We look at best practices, etc. The group is focused on secure development processes.

A second group was established on the response-side of the question.

Microsoft is working to improve security and its response to threats.

Robert Dix

Globalization of supply chain security is a very interesting issue. Regarding the topic title, if the supply chain is unknown, that is part of the problem and contributes to the challenge we have had.

Juniper has developed brand integrity, versus brand protection, which is reactive. Integrity looks at it from beginning to end: integrate security/product risk assessment from the idea phase on. The human capital piece is also a huge part. The issue includes the manufacturing/distribution/acquisition pieces.

We need to understand what our vulnerabilities are that are open to exploitation, and we need to do a better job of sharing that information.

Richard Hale

The problem that we are all trying to solve is assured mission execution for DoD and our mission partners in the face of cyber warfare. Under the old definition of security, secret keeping, we focused way too much on confidentiality. We need to keep secrets while sharing as much as we can with industry partners. We need to enable jointness and push some common standards/processes across DoD that will allow us to utilize new information technologies. We're trying to figure out what questions to ask during acquisition to see if a company is thinking about/has a security discipline. What is your supply chain approach, who are your partners, what are their ties, etc.? We need better industry standards, so establishing consortia is a great idea. We're trying to do more source code review within the government. We're doing more due diligence and monitoring. He is a strong advocate of commercial technologies in the warfighting space, but we are going to be forced to work to develop our own as well.

Q: A question was asked about how far back you should go in the supply chain. How much "trust but verify" do you do to ensure the integrity of a product? A1: Microsoft manages this through contracts, annual risk assessments of suppliers, assessments of supplier sites, and incident response for trace-back if something happens. A2: What needs to happen is a common base of what is needed and done to protect the supply chain. What industry needs to do is show what we are doing. A3: DoD perspective: We are not going to turn certain commercial entities into defense contractors. At the systems level, the use of commercial components within a system design must anticipate that the processes are commercial grade. Industry needs to tell us, as risk managers, what is necessary to meet our needs.

Q: A question was asked about what happens if you notice something bad in your supply chain. Do you call the police/do a reverse sharing? A1: We do. As part of our incident response, we take the appropriate response.

Q: Regarding software, is anyone looking at what degree of certification is needed? Taking steps and advertising those steps? CMM? A1: The work that SAFECODE and other industry organizations are doing is trying to address that issue. They do not know if that will result in a new industry certification; that remains to be seen.

Q: Creativity in open source code? How does the government regulate the community of open source code developers? A1: Policy is to treat it on an even footing with commercial software; it is required to meet the same requirements. A2: We have the potential for transparency there, but source code analysis only gets you so far. Some of the software design/system engineering best practices, like accountability if code I write introduces a vulnerability, are an issue. We will probably have to address design flaws.

Q: Source code analysis: Is NSA initiating standardized approach in short term? A1: There are a number of efforts underway in this area.

Q: We are hearing a lot about the need to develop new sets of code-based best practices. What makes coming up with a new standard better than what we have? Is there a timeline for addressing threats?

A1: We're not talking about a new standard or dumping previous standards, but pulling together disparate/complementary standards. A2: Customers (DoD) are finally starting to get it. We care about component/system assurance. We are trying to say that with COTS, we have to have better confidence.

Q: A question was asked about 8570. A1: 8570 has been a win, but we're still not getting it completely right. We are working further with 8570. A2: It was pointed out that acquisition professionals need information assurance/technology/security training (e.g., what to ask for and how to demand particular properties).

Q: Security life cycle: 1) A question was asked regarding how you see trusted computing platforms fitting into the security life cycle; 2) How do you feel about NSA working closely with industry, and how does it play in the broader commercial venue? A1: Trusted computing platforms are huge for the future. They are significant to the SDL. They are complementary. A2: We do work with NSA, and we embrace it. We need to introduce metrics to improve upon our collaboration. A3: We need to have a conversation regarding risk with our respective user communities.

Comment: A gentleman announced a new certification for individuals, CSSLP.

Q: How can we make it easier to make sure that what we introduce to the GIG is trusted? A1: We need a standard set of acquisition questions that everyone asks so that we have a complete picture of what we have. We are gradually fixing, by policy/process, the business of certification reciprocity; we need to standardize so we are not reevaluating things. We want PMs to be a more demanding customer that demands that the supplier has a coherent global supply chain strategy.

Follow-up: Is it feasible to have a team of people who vet products centrally?

A2: We have discussed this in the past. The problems have been that people want to own their own process, and how do you build a process large enough to work for everyone? We are not working on this now, but perhaps it is worth considering centralizing the issue. A3: We are going to need a higher level of assurance from the information assurance products we receive.

Q: A question was asked regarding whether there is a way to certify a process. A1: The panel will put the questioner in touch with the right person.

Q: A question was asked regarding new, cutting-edge technology that is needed to achieve a mission. A1: The tactical environment will always be one of innovation. The Department tries to make sure that nothing it does at the systems architecture level hurts the warfighter's ability to achieve the mission. However, the converged world introduces risk.

Discussion took place regarding the need to understand how the GIG is composed and to understand its relationships.

Think of the assurance argument at the beginning of the cycle.

