Wireless Security Takes Shape at Defense
New guidelines launch an evolutionary process.
Cpl. Zachary A. Erickson, USMC (l), field wire chief with Combat Service Support Detachment-20, uses a handheld data device to locate supply containers for Brig. Gen. Ron Coleman, USMC, Combined Joint Task Force Haiti commander. While most military wireless systems will fall under the new security guidelines, some radio frequency identification systems and their tags are exempted.
The future of the network may be wireless, but without security there can be no wireless network access for the military, according to the U.S. Defense Department. The department has issued a set of guidelines establishing policy for the use of commercial wireless technologies in the Global Information Grid, or GIG. The goal is to exploit the advantages of emerging wireless technologies without compromising the very core of the military’s network-centric doctrine.
Known as Defense Department Directive 8100.2, the guidelines apply to all commercial wireless devices, services and technologies—including voice and data capabilities—that would operate as part of the GIG or as non-GIG stand-alone systems. They will affect access to the nonsecure Internet protocol router network (NIPRNET) and the secret Internet protocol router network (SIPRNET). Future wireless devices emerging from the commercial sector must meet these security requisites if they are to become part of the defense infostructure.
The new guidelines put in place basic rules of engagement for the department to move forward in wireless security, says Dawn Meyerriecks, former chief technology officer at the Defense Information Systems Agency (DISA). Speaking in an interview before she left the agency, Meyerriecks emphasizes that “we don’t claim that the guidelines are all-encompassing, or that they will fit every particular application requirement that a service or an agency has. What we tried to do with the guidelines is to make them technology-agnostic to the extent that they can be. This is a big ship; and if you’re constantly changing rudder, you don’t make much headway—you just do a lot of swerving.”
All heads of Defense Department components must ensure that all of their commercial wireless procurements comply with this directive immediately. By early October, they must submit to the department chief information officer their implementation timelines for legacy system compliance.
The underlying tenet behind establishing the guidelines is to balance a good policy framework with enough guidance to give users a balanced departure point to make risk management and mitigation decisions, Meyerriecks points out. She allows that Directive 8100.2 has been in the works for 18 months. “Maybe we baked it too long, but we did an awful lot of internal coordination and soul searching before it got to this point,” she declares.
Industry is the target audience for Directive 8100.2, and policy enforcement of its principles will follow. “We are going to use buying power and opportunities like this to say to industry, ‘if you want our business, you have to play in this space.’ We will follow that up with what we buy, what we install, what we operate and what we maintain,” Meyerriecks states.
Joe Boyd, chief, Center for Network Services within GIG combat support at DISA, notes that in the past it was much easier to obtain a waiver for implementing costly security requirements. Now, however, security is a matter of fact. “We must ensure that the security is incorporated into these new capabilities,” says Boyd, who is primarily responsible for sustaining the Defense Information System Network.
Technology guidelines can be a double-edged sword. Either they can speed up the implementation of new technologies through standardization, or they can slow down technology insertion by their restrictions. Meyerriecks believes that these guidelines will help by codifying measures that had been on hold for some time. “The original policy basically said, ‘hold off until we figure this out.’ So, from our perspective, any rules of engagement are better than ‘no.’”
One key aspect of the guidelines is that the Defense Department recently established a department knowledge management portal for community of practice at the worker level. Meyerriecks relates that this will be useful because the department knew that it would not “hit the target perfectly the first time.” Also, the guidelines will generate a lot of dialogue for the community to collectively understand the risks and learn how to move forward as an enterprise. The goal is to ensure that the next major release of security guidelines will represent the collective knowledge and experience of the community.
These guidelines apply to elements of—and adjuncts to—the GIG such as commercial wireless networks, cellular and personal communications system devices, audio and video recording devices, scanners, remote sensors, messaging devices and personal digital assistants. They also cover portable electronic devices such as laptop computers with wireless capabilities as well as other commercial devices capable of storing, processing or transmitting information.
The directive does not cover global positioning system receivers, receive-only pagers, hearing aids or pacemakers or other implanted medical devices. Similarly, the energy between radio frequency identification (RFID) tags and the RFID reader/interrogator does not require encryption, nor does the detection segment of an optical storage medium laser. Neither do the guidelines apply to information systems or sensitive compartmented information facilities, or SCIFs, that fall under director of central intelligence directives 6/9 (reference b) and 6/3 (reference c).
Meyerriecks observes that wireless links change the concept of security boundaries. Nonwireless systems are easy to view in terms of physical boundaries defined by lines and hardware nodes. The first line of defense in depth is physically oriented.
She relates that one of the biggest concerns is rogue access points, “People don’t understand that when they set up something that makes their lives easier in their office, the actual coverage may be much broader than the edge of the building in which they sit,” she explains. “They are doing things that make sense to get their job done, but then they open up whatever network connections they have on the back side to these access points. [These points] do not come secured out of the box, and they’re not easy to secure.
“The person who sticks an access point up in a window because they get clear signal strength there isn’t realizing that it works in both directions,” she says.
|A U.S. Marine Corps lieutenant uses his Dismounted-Data Automated Communications Terminal, or D-DACT, to share battlespace information with higher levels of command via wireless links. The U.S. Defense Department has issued new wireless security guidelines to protect network assets as new technologies are implemented.|
At the core of the new directive is Defense Department Directive 8500.1, an information assurance directive that was released in late 2002 and certified as current in November 2003. Under Directive 8100.2, all wireless devices, services and technologies that are integrated or connected to department networks are considered part of those networks and must comply with Directive 8500.1. The devices’ information assurance capability must be certified and accredited in accordance with Defense Department Instruction 5200.40 (reference f). These measures establish the levels of security necessary for Defense Department information systems and their access points, and wireless devices are pegged to those levels.
But, in addition to Directive 8500.1, the new guidelines add several other key points. For example, unclassified data transmitted to and from wireless devices must be encrypted. Encrypting unclassified voice, while not required, is desirable, and voice over Internet protocol (VoIP) communications must implement identification and authentication measures and encryption that meets Federal Information Processing Standards (FIPS) 140-2.
Another key point is that wireless devices cannot be used for storing, processing or transmitting classified information without explicit written approval of the cognizant designated approving authority (DAA). Even with that approval, only National Security Agency (NSA)-approved encryption can be used to transmit classified information. And, classified data stored on portable electronic devices also must be encrypted using NSA-approved encryption.
Other important points in the guidelines limit or forbid the use of some wireless devices in sensitive areas where classified information is being discussed or transmitted. Both Defense Department and contractor premises must employ active electromagnetic sensing and screening to detect and prevent unauthorized use of department information systems.
These new guidelines tend to build on, rather than supersede, existing regulations. Boyd notes that, “even in these sorts of broad policy directives, systems still must be FIPS 140-compliant.” He adds that wireless fidelity (Wi-Fi) protected access (WPA), the security standard for Wi-Fi 802.11, is acceptable for unclassified information, but it is not FIPS 140-2 compliant. So, its use presents some challenges in terms of compliance with the 8100.2 policy. Boyd observes that FIPS 140-2 currently is not supported commercially.
And, commercial wireless technologies are at the heart of future network connectivity. Meyerriecks notes that many evolving commercial technologies do not consider security or information assurance early in their development. “This is sort of the classic commercial technology cycle, where you get features and functionalities first, and after it starts creeping into mission-critical areas, someone says, ‘wait a minute—you have vulnerabilities here,’ or worse yet, someone exploits it,” she says.
“Thinking about security after you’ve shipped the chipset is not the way we prefer things to be done,” Meyerriecks emphasizes.
The wireless technologies that are high on the Defense Department’s wish list are Wi-Fi 802.11 and WiMAX 802.16, along with cellular technologies. Some work that the Defense Department is doing with industry on free-space optics shows promise for some applications, but results in that area are further out on the timeline.
Boyd offers that once wireless technologies have the approved security capabilities, they can be employed as required on the NIPRNET. But, he warns that wireless access to the SIPRNET is not automatic, even with the new guidelines. “The threats out there are real, and protecting the warfighter’s information is critical,” he says. “It might be a little bit tougher getting access to the SIPRNET. Ultimately, we’re going to make sure the SIPRNET stays a secure infrastructure—that’s the bottom line.
“But, I do see this [connectivity] as an enabler. So, it’s something that the warfighter is demanding,” he adds.
Meyerriecks points out that forces already are getting a taste of wireless Internet connectivity. U.S. Marines are using PDAs to move the common operating picture down to the platoon via the existing tactical radio infrastructure. These Marine Corps PDAs feed data from the SIPRNET to the platoon level, and they communicate their own position information to the SIPRNET for onward distribution to others. In effect, the handheld wireless PDAs are serving as rudimentary gateways to the secure network. However, the devices are not running Hypertext Transfer Protocol Secure Sockets (HTTPS) or Hypertext Markup Language (HTML) queries directly into the SIPRNET. Meyerriecks characterizes this as a single-purpose, very constrained protocol with a well-known port.
“I think we have struck a reasonable risk-based balance between ensuring that the Defense-Department-unique tactical radio system is secure and is not compromising the integrity of the SIPRNET, yet at the same time we are injecting in a reasoned way wireless technologies that support operational mission requirements very safely,” Meyerriecks says. “We have a lot of data points already—RFIDs and AIT [automated information technology] are wireless as well. We clearly have figured out how to do that and not compromise the integrity of the SIPRNET and the information that is protected there.”
Meyerriecks offers that the big question remaining is how the department can leverage the commercial communications infrastructure. “Industry is doing great things, and we just need to figure out how to leverage that in a partnering way,” she states.
DISA has a Skunk Works type of organization that supports the security arena “pretty overtly,” Meyerriecks notes. The agency’s information assurance expert requested that the group, which was piloting these guidelines safely by separating itself from the operational network, perform a penetration test. So the DISA team, in partnership with other agencies, obtained a DAA waiver that allowed it to try to penetrate the NIPRNET.
This group also examines emerging commercial technologies for laboratory evaluation. In addition, partnerships with the services and other agencies enable similar commercial technology evaluations.
Boyd adds that DISA is working toward two key technologies: an effort with the NSA to develop a Type-1 encryption algorithm and ready support work with Internet protocol version 6 (IPv6). Describing IPv6 as “where we’re going,” Boyd offers that industry should want to be prepared to go down that road as well.
Dealing with mobile IP and getting agile community-of-interest support are part of the motivation for what the department hopes to obtain from the move toward IPv6, Meyerriecks notes.