Security Agency Finds Challenges as Varied as Networks

August 2006
By Robert K. Ackerman

 
U.S. Secretary of Defense Donald H. Rumsfeld (l) uses a secure videoconference link aboard his E-4B airborne operations center aircraft to converse with senior staff members in the Pentagon. The need for secure links—including videoconferencing—is becoming more widespread as network centricity extends connectivity down to lower levels of operations.

Military, commercial information assurance paths both diverge and intersect.

The rush of innovative information technologies is both mandating a greater need for advanced security and spawning a new generation of potential solutions. The explosion in networking and wireless communications brings with it greater security requirements, and computing advances offer the potential for a range of new information assurance approaches.

The result is that government and the commercial sector face similar information assurance challenges. The military is relying on commercial technologies to a greater degree as it strives to link its forces in its Global Information Grid (GIG). And the private sector is finding that its increasing importance in the critical national infrastructure mandates a military-style degree of information security.

But, these common technologies and challenges also complicate efforts at effective information assurance. While differences between the two groups are fewer, they still directly affect elements such as security management and multilevel encryption. And, concerns have been raised about the national origins of software code and its authors.

With many advanced information technologies and networks having commercial pedigree, security solutions must have the ability to operate in the commercial off-the-shelf environment. So, the National Security Agency (NSA) is teaming with the sectors that are driving advances in information assurance and that require its security most of all.

Achieving its information security goals is forcing the NSA to confront a range of varied but related challenges that include determining the best approaches to security management and interoperability across government cyberspace, utilizing commercial technology, making NSA processes work at the cycles at which industry is working and addressing the demand from customers that use the commercial network technology at home, in the office and at war.

Confronting these issues is Richard C. Schaeffer Jr., information assurance director at the NSA. Schaeffer reflects back to 1998 when he was the director of information assurance in the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence. Dr. John Hamre, who was the deputy secretary of defense, asked him what it would take to solve information assurance issues. Schaeffer responded that it would require knowing what the network looks like in terms of configuration management and control, knowing who is on the network and knowing what users are doing on the network. All of these points provide a context for the challenge that the NSA faces today, he contends.

Part of that challenge is the scale of the world in which it must operate, he offers. Networks are pervasive in every aspect of business operations throughout the U.S. Defense Department and the federal government. Operating in the network environment is a major concern because of all of the cyberspace threats in the infosphere.

Just the components that make up this network environment alone increase the complexity of security efforts, Schaeffer continues. Commercial off-the-shelf technology is one of those fundamental components in the network world, and as much as 80 percent of the infostructure across which government and the military operate resides within the private sector.

So the NSA is trying to ensure security across a network and through technologies that are not uniquely government-owned or -operated. And, this network never was designed to meet the levels of assurance that are needed today. The scale and complexity are complicated by the ever-changing technology environment that can be exploited by any of a number of different types of adversaries, Schaeffer adds.

“We always have to be right, and the adversary only needs to find one opportunity where we’re wrong,” he points out.

Security management is one of the NSA’s major challenges. Establishing a security management infrastructure goes beyond key management delivery of cryptographic operating material, Schaeffer notes. It includes identity management, privilege management and policy management, he adds. This encompasses positive control of who is in the network environment, their authorizations or accesses and any of those limits that users might be exceeding.

Part of this involves key management. In 2005 the NSA announced the availability of Suite B Cryptography, which is designed to provide a suite of algorithms that enable operational interoperability. Industry can use the unclassified Suite B algorithms to provide a set of products that can reach across government from as local as serving first responders to as high-level as protecting classified information. Suite A algorithms remain classified for national security information and are not for release.

The key exchange algorithm within Suite B is elliptic-curve based, Schaeffer notes. Also used for signatures, it is the replacement for the RSA algorithm in key management. Schaeffer relates that while RSA did not have any problems, it does not scale well to the crypto-variable lengths encountered in modern algorithms. So the agency is encouraging vendors to use this new family of curves, which also helps achieve vital interoperability.

 
Two U.S. Navy information systems technicians work on the information security system aboard the USS Ronald Reagan. As Internet protocol becomes the dominant medium for communications traffic, the military will rely to an increasing degree on solutions emerging from the commercial sector.

Schaeffer observes that the NSA’s customers want the agency to help them understand which products can meet their operational needs for the proper classification or sensitivity levels. But it remains a challenge for the agency to evaluate commercial assurance mechanisms quickly enough to support product development and use, he says. The NSA certifies Type 1 cryptographic products, while its National Information Assurance Partnership with the National Institute of Standards and Technology (NIST) applies the Common Criteria Evaluation and Validation Scheme to security-enabled commercial products. Both of these venues take a long time and rarely are consistent with product release into the commercial marketplace, so customers often must use the last generation of security products instead of the newest one. “We need to focus on that problem and bring those processes more in line with the development, marketing, fielding and utilization of those products by our customers,” Schaeffer declares.

The GIG provides a framework for how the Defense Department’s systems need to come together as a global operating space, Schaeffer observes. The NSA has created an information assurance component of that grid architecture enabling the agency to move to a higher level assurance across the department as a whole. It also creates a framework for reusable solutions across the grid’s networks, which should ease the accreditation process.

As the NSA begins to implement the GIG’s information assurance component, the agency will learn much about how to increase interoperability and security, Schaeffer offers. The GIG architecture will serve as a model for other communities—such as intelligence—because it takes into account both the warfighter and the business operating environments.

“As technology continues to evolve, we’ll see new and better ways of achieving some information assurance capability across that space,” Schaeffer declares.

The U.S. military is operating in an environment rife with dozens of coalition partners. Even within the department, the concept of sharing information across that broad network space requires ensuring that anyone who needs information can get it—even if it means reaching across the barriers between classified and unclassified environments. Moving information across domains must be achieved in operation time, Schaeffer relates, and this temporal nature affects security measures.

And, military users in a highly mobile environment must have effective security that does not impinge on their operations. The global war on terrorism has increased emphasis on moving information down to the individual warfighter. This information may be sensitive but unclassified, and it often is time-sensitive. Many soldiers and U.S. Marines are using wireless devices that the NSA would not want operating in a classified environment, but these devices serve the need for moving time-sensitive information to the warfighter. Schaeffer reports that the NSA is working to enable those users to operate in a classified environment with the same level of information assurance and protection in today’s unclassified environment. This constitutes a significant part of the agency’s efforts, he says.

“As we look to the future—and both the vulnerabilities of the networked environment become more well-known and we move into situations where the network becomes a much more critical piece of the warfighting environment—the need to operate with a much higher level of assurance is going to be absolutely necessary,” Schaeffer predicts. “And it is driving some of the work that we have ongoing today.”

The new technologies that are emerging are spawning demands for greater connectivity. While this increases the security challenge, it also provides the NSA with some advantages in meeting that challenge. New computer processor speeds enable the agency to increase the complexity of some of the functions that it uses for protecting various classes of information, Schaeffer notes.

The next disruptive technology to have a dramatic effect on the communications world likely will be the new Cell microprocessor technology developed by IBM, Sony and Toshiba, he predicts. Originally developed for games, this new computing technology generates significantly higher processor speeds and capabilities that are being extended across the commercial and military arenas. This in turn will allow the NSA to increase the complexities of functions that it places in communications technologies.

But, above all, the NSA must follow the commercial sector’s lead. “We have to follow the direction that industry is going,” Schaeffer imparts. “We have to try to ensure that we are far enough ahead to have appropriate solutions available as our customers adopt new commercial offerings in their network environment.

“We have to look ahead, see where commercial industry is going to be, see where the telecommunications industry is going to be, and ensure that we are far enough ahead in terms of solutions to enable the operations that our customers have to execute,” he states.

As bandwidth improvements take place in the commercial infrastructure, the agency can take advantage of those developments. Schaeffer observes that the dominant communications traffic today is going across the Internet protocol (IP) network. The direction taken by IP will be the road that NSA must follow to produce solutions for customers to operate safely in that environment, he emphasizes.

The NSA’s operational environment undergoes dramatic changes constantly, Schaeffer relates. Warfighting today is very different from the warfighting of five years ago as the network plays a larger role in both strategic and tactical activities. The demands that these customers have for new technology are fueling the commercial sector’s innovation and creativity in producing solutions, he offers.

“This is a huge partnership among government, industry and academia,” Schaeffer observes. “There is no silver bullet to solve this challenge. There isn’t even a sunset date or a point where we would say, ‘Okay, we can put all that behind us.’ As technology continues to evolve, we have to continue to evolve, and that isn’t something that government can do on its own.”

So, the NSA counts on private industry to help it succeed in its mission. Schaeffer relates that the agency depends on the innovation emerging from industry today. What the agency needs, however, is for industry to address a major facet of its products.

Industry must improve the assurance level of its devices and systems. This applies to private sector systems as well as those of the U.S. government and the military. While the banking industry does not have the same types of security classifications prevalent in government, the financial sector is important to the nation’s security. “The assurance of those products has a lot to do with the software that is being created or being acquired today,” Schaeffer observes.

He notes that U.S. industry is doing more of its software development offshore, and that clearly is a concern. In addition, significant domestic software development is being performed by foreign nationals in the United States. “As we try to sort through some of the challenges associated with the pedigree of the software, it sometimes is hard to distinguish which category that software fits in. We have to create processes, we have to create architectures, we have to create implementations that allow for the fact that we do not have explicit knowledge about where every line of code in any commercial product is created,” he states.

“We have to provide an information assurance environment that takes into account the fact that we don’t know [where software code originates] to a degree that would make us totally comfortable.”

But the origin of software code is just part of the assurance issue, Schaeffer maintains. “Irrespective of where the software is created, just the security/safety/quality of that software needs to improve dramatically,” he warrants. Industry must improve the overall assurance of its products, and this goes beyond better software practices to include many open vulnerability issues.

 

Web Resources
NSA Information Assurance: www.nsa.gov/ia
Suite B Cryptography: www.nsa.gov/ia/industry/crypto_suite_b.cfm?MenuID=10.2.7
NSA Information Assurance Business Affairs: www.nsa.gov/ia/industry/indus00007.cfm
IBM Cell Microprocessor: www.research.ibm.com/cell/home.html