Intelligence Agency Boosts Information Security IQ

August 2005
By Maryann Lawlor
E-mail About the Author

Operations Spc. 2nd Class Michael Cacese, USN, tracks contacts on a screen in the combined intelligence center aboard the USS Bulkeley. Merging intelligence information from several sources poses challenges to information assurance for the military.
Metrics and training initiatives prepare military to move safely to network-centric environment.

In the constantly changing information assurance realm, security is more often than not a moving target. To confront this challenge, the U.S. Defense Department’s intelligence enterprise is beefing up its efforts to prepare information warriors, to track threats and to provide, not only information assurance but more importantly, mission assurance. Today, the need for agility is as immense and intense in cyberspace as it is on the battlefield.

The responsibility for coordinating such efforts falls primarily on the shoulders of the Defense Intelligence Agency (DIA), Bolling Air Force Base, Washington, D.C.; however, the hands-on work is shared by personnel in the services and agencies throughout the military. While emerging technologies help these information security specialists protect information, at times the technologies also can exacerbate problems. As a result, the agency is making improvements internally to enhance network situational awareness and defense while at the same time seeking solutions from the commercial sector.

According to Mark J. Morrison, chief information assurance officer, DIA, the agency is implementing a number of new programs to identify and fulfill vital information assurance requirements. It then directs the appropriate funding to those areas to ensure the maximum return on investment.

One project involves developing metrics that will allow the DIA to evaluate its information assurance posture continuously. The agency has established a taxonomy to capture the necessary information and is creating a reporting database to improve information assurance assessments. Not only will this activity improve computer network defense, but it also will offer warfighters real-time access to intelligence information. In addition, the metrics program supports Federal Information Security Management Act reporting.

Morrison relates that the DIA is still defining the best types of reviews to conduct. “Right now, we’re not sure what kind of fish we want to catch. We’re catching everything, and then we’re going to throw back the small ones and figure out which are the best ones for us to keep pursuing,” he says.

Developing the information assurance metrics has been a fairly challenging endeavor, Morrison admits. Protection efforts are sprinkled throughout the Defense Department intelligence systems so it is difficult to pull out the information-assurance-specific components. To illustrate the complexity of the task, he uses a grocery shopping analogy. “If someone asks you how much you spent on sugar, you might have bought a two-pound bag of sugar, but you need to count the sugar in the soda, cookies and cake. So it’s difficult because IA [information assurance] is embedded in all of the programs. Every program does access control; every program does audit; everyone does network defense to a certain degree,” he notes. As the military moves from stovepiped systems to a network-centric environment, the DIA is attempting to minimize the redundancy of its information assurance capabilities, he adds.

Another new project aimed at improving information assurance throughout the department involves developing an extensive training and career management program for computer users at all levels. Basic instruction for general users will be provided through techniques such as computer-based training. Morrison points out that 90 percent of enterprise protection is implementing common sense; the other 10 percent is where the true threats lie, and those are much more difficult. “The biggest challenge is stopping what we call ‘stupid human tricks,’ like writing your password down on your computer or using your wife’s name as your password,” he says.

In addition to providing more extensive basic training for all users, the DIA is working with other Defense Department intelligence agencies such as the National Reconnaissance Office and the National Security Agency to develop an intelligence information assurance professionals’ training program. Personnel who spend a significant amount of time in the area of information assurance, including systems administrators, database administrators and information security officers, will receive more intensive instruction.

Professionalizing the information assurance job is necessary today because of recent changes throughout the military, Morrison explains. In the past, a core of information assurance professionals did not exist, so commercial training programs were employed. “The armed services haven’t had a job classification for an information assurance professional. They’ve had systems administrators who are computer operators or communicators or whatever the different job classifications were, but they haven’t had a specific career track for them. It was an ‘other duty as assigned.’ A lot of the direction has been ‘you will be the system administrator for these five databases, and by the way, you’ll be the security administrator as well.’ The person assigned that job is rated on how well the database is set up, not necessarily how secure the database is,” he notes.

This training initiative is especially important now because the DIA is consolidating numerous independent defense intelligence information technology centers into five regional service centers (RSCs). Through these linked full-service centers, defense intelligence community customers will be able to access data repositories, applications, hardware, licensing, core servicing and systems management. The RSC program manager will handle procurement, and the RSC integration and testing facility will perform testing and fielding. Each RSC host site will be responsible for maintenance and will include an information assurance component. The program is scheduled for full operational capability by the end of fiscal year 2006.

Morrison explains that improved training will facilitate operations at the centers. For example, when information security officers transfer from the U.S. Pacific Command to the U.S. European Command, they will be working with essentially the same components, audit trail structure and access control mechanisms. “We won’t have all the re-learning that we’ve been suffering under all these years,” he notes.

In addition to training, the agency is increasing its emphasis on insider threat detection. Morrison stresses that this is not a shift away from focusing on perimeter control but rather another effort to shore up all three pillars of information security: confidentiality, availability and integrity. “For a lot of years, confidentiality has been the pre-eminent concern, and availability and integrity have been dragged along. We’re trying to shift that emphasis, not necessarily to de-emphasize confidentiality but rather to increase the emphasis on integrity and then availability,” he says.

One example of the importance of information integrity is pre-mission flight planning, Morrison relates. When pilots prepare for air missions, they rely on intelligence information to determine where missile sites are located, for instance. If someone accesses a system and inadvertently or maliciously changes the location information, the pilots would base their route on inaccurate information. “We want to make sure that the integrity is 100 percent whenever possible,” he says.

To accomplish this task, the DIA looks at how large companies prevent insider intrusions. And although the agency receives many questions about modeling its methods after the financial industry, which has a reputation for extensive security, Morrison says the model has limitations. For example, in risk management, banks set a level of acceptable losses. These are based on the size of the financial institution. “When you try to bring that model into Defense Department intelligence and ask the commander, ‘What percentage of your information are you willing to compromise?’ Well, the answer is obviously zero. Or ask the commander, ‘How many military folks are you willing to sacrifice through a data integrity flaw or compromise?’ Obviously, the answer is zero. So the models break down at a certain point,” Morrison states.

Among the phenomena driving the agency’s transformation initiatives are the increasing emphasis on information sharing, a growing familiarity with computer systems, the growing volume of information assurance assessment data and the desire to provide intelligence information directly to warfighters.

Experts warn that as intelligence is pushed farther out into the field, new information assurance issues arise. Here, Spc. Robert Tilley, USA (foreground), intelligence analyst, and 1st Lt. Sean A. Libby, USA, assistant intelligence officer, 4th Brigade, monitor progress on the battlefield from the brigade tactical operations center.
The push for information sharing among intelligence agencies poses some interesting challenges for the intelligence community, Morrison says. In the past, analysts produced information then marked it with the appropriate dissemination controls. The systems’ information assurance features enforced the controls. Although this process works well when facing a single adversary, it is not as effective in an environment of asymmetric threats. When intelligence information must be shared with nontraditional partners such as other federal and state agencies, all intelligence community members must determine how to mark information effectively, persistently and accurately within information systems. While tagging information at the highest security level assures analysts that they will not inadvertently disclose too much data or wrong information, it hinders information sharing. This is a difficult problem to solve using only technology, Morrison says. However, the intelligence community is working aggressively with its analysis sections to get analysts to be more reflective when classifying information.

Compounding this problem is the aggregation issue. While individual pieces of data may be unclassified, combining them could produce intelligence information that should be classified at a higher level. “That’s been a problem ever since we established security marking. It’s a very real issue that the analysts have to look at and we have to be able to control. We’re working with industry and our own analysts to develop fairly sophisticated algorithms to help define when a threshold is reached so it bumps the classification to a different level. And it’s not necessarily the classification level. It may be the dissemination controls,” Morrison explains.

Ensuring that each piece of data retains its classification marking as it is combined with others for an all-source intelligence report is another problem. “It’s easy to say, ‘push all the information out and clean up the mess afterward.’ We’re hoping the pendulum doesn’t swing too far that way,” he says.

The DIA also faces information overload issues, Morrison allows. “Audit eats our lunch. We collect massive amounts of audit information—and when I say massive, we’re talking teraflops across the community. That’s collecting everything from who is accessing a system to which files they looked at and in some cases, depending on the protection level, keystroke monitoring. Sometimes, when we’re doing cross-domain monitoring, we actually keep the contents of items flowing across domains.

“The problem is not the collection; it’s what you do with the information after you collect it. Depending on the level of protection, our policies require everything from weekly to monthly reviews. Keeping in mind that information assurance is an ‘other duty as assigned,’ we’re not doing a lot of very proactive auditing. We’re looking for good tools coming out of the commercial or government off-the-shelf environments to be able to do a more effective automated review of the audit information,” Morrison says.

Commercial tools are available that send automatic alerts about unusual activity to security officers, he notes, but false alarms can hinder their effectiveness. “Human nature takes over. The first five false positives, they investigate. Six through 10, they may look at. After 10 false positives, they ignore the alerts, and it’s the 12th one that you’re worried about. These are issues that we’re trying to address. How do you pull the wheat out of all that chaff in audit information? That’s a huge challenge for us,” he offers.

Finally, Morrison notices two additional trends that affect information assurance efforts. Because today’s users are more computer savvy, they experiment with their systems in an effort to make their jobs easier. Unfortunately, users do not always understand the unintended consequences of their actions, which increases the nonmalicious insider threat.

In addition, the desire to disseminate information down to handheld devices in the battlefield is raising significant information assurance issues, Morrison says. Techniques for positively and uniquely identifying individual soldiers must be found and implemented so access to information can be controlled. Biometric devices offer a potential solution, he notes, but encryption would still be necessary to prevent an adversary from using the fingerprint of a battlefield casualty to access the information.

One way to address this issue could be creating thin-client handheld devices; however, this solution could stifle information sharing if available bandwidth inhibits quick access to information.

To prepare for future threats, the DIA constantly monitors where technology is headed, Morrison says. The fast pace of improvements challenges information assurance professionals but at the same time helps them by increasing agility. “Now, we’re much more modular. We can actually shut down pieces of systems, and we have more redundancy built in for availability. There’s certainly many more adjustments that can be made on a much finer granularity than in the past when we would have to pull the plug on the whole system. Like fighting an infection in the body, we want to be able to target and send antibodies to the exact place where the wound is and then fill the gap and not necessarily impact the rest of the network,” he states.


Web Resources
Defense Intelligence Agency:
Intelligence Community: