Panel Discussions Focus on Protection and Recovery

August 2004
Maryann Lawlor and Henry S. Kenyon
E-mail About the Author

Les Owens (at podium), senior associate, Booz Allen Hamilton, introduces panelists discussing wireless security (l-r) Dr. J. Greg Hanson, assistant sergeant at arms and chief information officer, U.S. Senate; Capt. Sheila McCoy, USN, team leader for information assurance, Office of the Chief Information Officer, U.S. Department of the Navy; Cmdr. Laurie Boehm, USN, chief engineer, defense information system network security, Defense Information Systems Agency; Rich Folio, director, research and development, government communications systems division, Harris Corporation; Chris Johnson, systems engineering manager, advanced technology team, Cisco Systems Incorporated; and Louis-Nicholas Hamer, security architect, Nortel Networks.
Experts representing many areas of homeland security and defense shared their insights during three panel sessions at TechNet International 2004. Discussion topics varied from wireless device security to infrastructure protection to business continuity. Leaders from industry, government and the military agreed that information technology offers many benefits, but it also poses considerable security challenges.

Panelists at the first session of the conference, titled “Mobile and Wireless Technology—Strategies to Ensure Adequate Security,” proposed that, as the wireless and wired worlds begin to merge, decisions about security must be governed by common sense. The presenters pointed out that government agencies are looking to industry for wireless security solutions that adhere to standards.

“Security must be built into wireless devices from the beginning, just like any other computers,” said Cmdr. Laurie Boehm, USN, chief engineer, defense information system network security, Defense Information Systems Agency (DISA). “The challenge is to ensure protection of the NIPRNET [nonsecure Internet protocol router network] and the SIPRNET [secret Internet protocol router network] while still allowing people to use their wireless devices.” Cmdr. Boehm said that DISA currently is developing a NIPRNET wireless mobile device policy and collaborating with the National Security Agency to develop a policy for wireless devices and their use with the SIPRNET.

Several panelists discussed the differences and similarities in security for wired versus wireless devices. Chris Johnson, systems engineering manager, advanced technology team, Cisco Systems Incorporated, pointed out that wireless networking has become an extension of the wired network, so security managers should leverage the tools they already have. He added that both the devices and users require management.

Louis-Nicholas Hamer, security architect, Nortel Networks, opened his remarks by dispelling the misconception that wireless devices pose a greater security risk than wired devices. “In fact, wireless may be more secure because people are paranoid and actually put protection measures into place,” he said.

Capt. Sheila McCoy, USN, team leader for information assurance, Office of the Chief Information Officer, U.S. Department of the Navy, shared Hamer’s sentiment. “Is your desktop computer system end-to-end encrypted? We have to use common sense. We have to be secure, but not everything requires the same level of security,” she said. “Wireless devices are an extension of the wired network, so be sure to keep wireless in mind when setting up other devices, doctrines, processes and procedures.”

The U.S. Senate is one organization where personnel use a multitude of wireless devices and require reliability both in service and security. Panelist Dr. J. Greg Hanson, Senate assistant sergeant at arms and chief information officer, said that his primary challenge is that the environment is unique—with 138 primary customers and approximately 10,000 users. “Security is complex because there are a lot of different requirements from each senator’s office and no common vision,” Hanson explained.

Hanson not only directs the wireless program for normal usage but also must plan for emergency and contingency operations connectivity. “Senators and their staffs have to have the capability to operate off site. They have to be able to communicate with the president and the members of the House. The business requirements drive the need for a robust wireless infrastructure,” he stated.

Panelists shared their predictions for the future of wireless technology. Johnson proposed that wireless devices will adopt emerging applications such as voice over Internet protocol and radio frequency identification, and that networking of the devices will increase.

Rich Folio, director, research and development, government communications systems division, Harris Corporation, talked about future challenges. “A single solution isn’t economical, and maybe it shouldn’t be because we don’t need a single solution that covers all the bases in security or communications. The problem is that consumers don’t feel threatened, so they don’t feel they should pay for security,” Folio said.

Terry Kees, vice president, homeland security systems, Lockheed Martin, introduced the Wednesday afternoon panel titled “Protecting America’s Critical Infrastructure—Learning Lessons From the Cold War.” She pointed out that the private sector owns 85 percent of the infrastructure assets in the United States and noted that sharing information enhances the economy, improves information assurance and creates a standard for knowledge management.

Panelist Larry Clinton, chief operating officer of the Internet Security Alliance, stated that the number of security breaches to information systems has increased sharply during the past two years because the technologies required to launch attacks have become more sophisticated and user friendly. New technologies require novel approaches to security, he said, offering that organizations must develop risk management methods.

Clinton suggested that one way to improve security is to create incentives for organizations to keep information safe. For example, when systems are compromised, liability could be reduced for organizations that perform due diligence in protecting the information that has been entrusted to them. In addition, liability insurance rates could be lowered for companies that have extensive information security processes in place.

Calleen Torch, information technology technical adviser, U.S. Department of Defense intelligence information system, and program manager for Intelligence Community information management, U.S. European Command, said that after the terrorist attacks, the Defense Department as well as other organizations examined information protection and recovery issues and found that information was not protected in significant areas. In businesses, some of the data itself was safe, but the applications that were needed to access the information were not protected.

Funding is one of the obstacles to protecting data, Torch said. Immediately following September 11, 2001, funds were plentiful. However, because additional attacks did not occur immediately, funding was reduced even though more work remained.

Dale L. Watson, principal, global strategic security, Booz Allen Hamilton, stated that people responsible for safeguarding assets must keep in mind terrorists’ goals. Terrorists are after targets that would result in mass casualties, have a significant economic impact or represent icons of the United States, such as large events and prominent buildings. In addition, once al Qaida has designated a target, it remains a target until it is destroyed. For this reason, he believes the Pentagon, the Capitol, the White House and Los Angeles Airport are still on the terrorist organization’s hit list.

Because every possible target cannot be identified or protected, priorities must be set, he added. One solution is for the private and public sectors to come to a consensus about how to protect facilities, and industry must be ready with recovery plans.

The U.S. Department of Homeland Security (DHS) also is trying to determine priorities for securing the country’s information infrastructure. James McDonnell, director, protective security division, information assurance and infrastructure protection directorate, DHS, said that his agency is evaluating systems to ascertain the most likely targets. The department must have a common operating picture of U.S. systems that affect public health and safety, the economy and national security. It also must understand the adversary’s tactics, techniques and procedures in attack planning and not just assess the impact an attack would have on them, he added.

The Thursday morning panel session, “Business Continuity and Emergency Management,” focused on how organizations can remain operational after a natural disaster or terrorist attack. Panelists agreed that contingency planning and the placement of communications and computer resources at remote sites are important to preserving vital business processes.

U.S. Army Deputy Chief Information Officer Vernon Bettencourt outlined how the Army has expanded its computer network beyond the Pentagon after servers and network subsystems were lost in the attack. The greater Pentagon common computing area now extends to facilities located within several miles of the Pentagon itself, he said.

Paul Schuessler, a principal at Booz Allen Hamilton and a lead security engineer on the firm’s global resilience architecture team, outlined five areas for organizations to consider in contingency planning: continuity planning, a common operating picture, risk, life-cycle management and adaptive capacity. Schuessler recommended that firms and agencies look beyond network survivability and develop situational awareness that encompasses the well-being of their personnel and services.

This all-encompassing approach to security management was reiterated by Kay Goss, a senior adviser for homeland security, business continuity and emergency management with EDS Corporation. Once viewed as local events, disasters now have international repercussions, she said. To properly plan for such situations, public and private organizations must share security information and focus on protecting assets and personnel, detecting potential threats and reacting in an emergency. Once a disaster or terrorist attack has occurred, mitigation and business continuity plans also are vital. Goss noted that 40 percent of businesses hit by disasters do not reopen.

Offering a local perspective on disaster preparedness was Mark Penn, director for emergency management for the city of Alexandria, Virginia. Penn described how he responded to the 2001 terrorist attack on the Pentagon. At that time, he was the emergency management coordinator for the city of Arlington, where the Pentagon is located. Immediately after the attack, the city activated its year 2000 emergency response plan, which featured contingencies for events such as an aircraft crash in an urban area and communications outages. Penn noted that a lesson learned at the community level was the interdependency of systems, managers and local officials as well as the agreements between municipal governments and first-response organizations.

Brian Fitzpatrick, Northrop Grumman’s director of homeland security, described how the company is working with the DHS to develop the Homeland Security Data Network. When complete, the network will consist of 600 sites designed to share sensitive information between state and local governments. The company also is involved in building a multiagency communications system that will link government agencies in the event of an emergency.

Once again this year, the Defense Information Systems Agency (DISA) participated in TechNet with presentations and an exhibit, highlighting current projects and alerting attendees about changes taking place at the agency.

Dawn Meyerriecks, chief technology officer, DISA, and program director, Network Centric Enterprise Services, spoke about efforts to make the agency more responsive to customers and accelerate the pace of getting technologies into the field. One of the agency’s initiatives, Network Centric Enterprise Services, is a key aspect of this effort.

Meyerriecks emphasized that standards must be established so that interoperability is not an issue. In addition, control of the information technology equipment will be the responsibility of specific domain owners, so they can decide how to use the technology and take the risks they feel are worth taking.

During Tuesday afternoon’s second DISA session, Tony Montemarano, program director, Global Information Grid–Bandwidth Expansion (GIG-BE), talked about how the program aims to create a ubiquitous bandwidth-available environment to improve national security intelligence, surveillance and reconnaissance. The agency is enhancing the Defense Information System Network, and the GIG-BE will provide increased bandwidth and diverse physical access to approximately 90 sites in the continental United States.

Wednesday’s first DISA presentation featured Diann McCoy, DISA’s component acquisition executive. McCoy emphasized that the agency is interested in seeing solutions—not systems—from industry. She explained that these solutions must support DISA’s vision and must be part of a product line rather than a single-point solution. Testing will be part of the development process and must provide robust connectivity. Although the agency is interested in total solutions, the components must be able to support different types of missions, she said.

Evelyn DePalma, director, procurement and logistics, and chief, Defense Information Technology Contracting Organization, the final DISA speaker of the conference, spoke about the agency’s Mentor-Protégé Program. The program matches large and small companies so that entrepreneurs have access to resources they may otherwise have to wait years to afford. In addition, the effort allows large firms to familiarize themselves with the capabilities small companies offer.

AFCEA’s Professional Development Center offered two sessions of two courses during TechNet this year. The free mini-courses were designed to give attendees a glimpse of the full-length courses offered at AFCEA headquarters.

In a course titled “Middle East Cultural Recognition,” Pierre C. Ghazal described some of the intricacies of Islam, emphasizing that Muslims begin being indoctrinated in the tenets of their faith at a very early age. While European and Western civilizations tend to view laws as a way to establish societal order for life events such as marriage and divorce, Muslims believe their laws—derived from the Koran, the Hadith and the Sunna—legislate every aspect of their lives. Some of the fundamental differences in beliefs often lead to misunderstandings between the two cultures, and that is why it is important for the military as well as law enforcement and emergency personnel to become familiar with Islam, he said.

On Wednesday, Dr. Bhavani Thuraisingham shared a brief overview of the data mining course she teaches. Focusing on how data mining can help in counterterrorism efforts, Thuraisingham described several datamining techniques such as market basket analysis, intelligence searching and pruning, automatic cluster detection and link analysis. In discussing the advantages and disadvantages of each, she explained how the techniques can help information officers sift through mounds of data. Using practical examples from real life such as grocery shopping, Thuraisingham relayed that these same principles can be applied to identifying terrorist activity.


 Dale L. Watson (at podium), principal, global strategic security, Booz Allen Hamilton, presents his views during a panel examining ways to protect U.S. critical infrastructure along with panelists (l-r) Terry Kees, vice president, homeland security systems, Lockheed Martin, and Larry Clinton, chief operating officer of the Internet Security Alliance.  
  During a panel discussion about business continuity and emergency management, U.S. Army Deputy Chief Information Officer Vernon Bettencourt (at podium) describes the information systems work that has been done since September 11, 2001. Members of the panel include (l-r) Barry West, chief information officer, Federal Emergency Management Agency; Paul Schuessler, principal at Booz Allen Hamilton; Kay Goss, senior adviser for homeland security, business continuity and emergency management, EDS Corporation; Mark Penn, director for emergency management for the city of Alexandria, Virginia; and Brian Fitzpatrick, director of homeland security, Northrop Grumman.
 Pierre C. Ghazal, instructor, AFCEA Professional Development Center (PDC), describes the differences between Christian and Islamic beliefs during a mini-course offered at TechNet International 2004.
 At the second PDC mini-course offered during TechNet 2004, Dr. Bhavani Thuraisingham, instructor, PDC, AFCEA, explains data mining techniques that could be used to detect terrorist activity.
 Dawn Meyerriecks, chief technology officer, Defense Information Systems Agency (DISA), describes the changes underway at the agency in the DISA Theater on the TechNet 2004 exhibit floor.
  Diann McCoy, DISA’s component acquisition executive, discusses the agency’s acquisition strategies during one of four DISA presentations at TechNet 2004.