Michael Pflueger, Defense Intelligence Agency
Which emerging technology will have the biggest impact on your organization in the future?
As asymmetric threats to the United States continue to increase in number and expand in complexity, the protection of critical U.S. Intelligence Community and Defense Department information systems is a vital concern for the DIA. In consonance with the vision set forth by Vice Adm. Lowell E. Jacoby, USN, Defense Intelligence Agency (DIA) director, the DIA will have a major role in ensuring that intelligence information is successfully and securely communicated to the warfighter and to decision makers.
The avenue through which this critical protection and secure sharing of information is achieved is information assurance—the protection of information and information systems against unauthorized access and against the denial of service to authorized users, including those measures for detecting, reporting and responding to cyberthreats. To deal with these threats, organizations within the Defense Department, Intelligence Community, Department of Homeland Security and law enforcement must develop a coordinated approach to collect, analyze and disseminate critical information securely to the appropriate individuals regardless of their native operating environment. Therefore, the DIA is going to extend the traditional information assurance model that heavily relies on computer network defense and excessively restrictive access control policies. It will incorporate advanced information assurance technologies designed to facilitate the secure sharing of information—especially across security protection domains.
An emerging threat to U.S. national security is adversaries’ increasing resolve to access, modify and disable the data within U.S. systems. Rather than reacting to such tactics by reducing functionality, we must act smarter. We are accomplishing this by imbedding information assurance into our information management strategy, and by doing so, we will increase the security of our cyberinfrastructure by providing comprehensive perimeter protection, deterring insider attacks and lessening the chance for human error, which time and again has proven to be our Achilles’ heel.
The ability to integrate information assurance into an overall network-centric information technology architecture is highly dependent on continuing breakthroughs in commercial information assurance technology. Specific challenges we must confront as we evolve the DIA’s information technology architecture include advances in trusted operating systems, implementation of cross-domain collaboration services, and the ability to uniquely identify and authenticate users and policy-based access control points that can mediate access to all information and services.
To break away from stovepipe solutions and integrate information assurance capabilities on an enterprise level, information assurance efforts align the different agency network infrastructures. They act as the backbone of the intelligence body and operate efficiently, validating that its dependence on technology as the prime means for processing, storing and transmitting important intelligence data is not in vain. Information assurance is the infrastructure and process for assuring that technology will not fail those who need it in order to preserve national security.
The greatest leadership goal for information assurance in 2005 is to fully integrate information assurance as part of the overall DIA mission. Historically, information assurance has been viewed as a separate discipline within the information technology environment. Many of the current systems and applications have been developed without coordinated information assurance involvement, and we are going to change that approach this year. The DIA office in charge of handling information assurance will be identifying and publishing minimum information security standards for every program to ensure seamless integration into the overall Defense Department Intelligence Information System enterprise. Information assurance is more than just the final security certification and accreditation testing that occur immediately before system deployment. It is a critical part of the DIA mission and will be managed as such.
Another major objective for information assurance this year is to implement the Enterprise Risk Management System. This will provide a comprehensive set of information assurance tools such as vulnerability assessment, system patch management, information assurance vulnerability-alert compliance verification, configuration management control and malicious code scanning that will be available as general services at each of the regional service centers.
Today, we are dealing with adversaries who do not recognize any conventional rule sets; they do not share our sense of what is appropriate or inappropriate, what is fair or unfair nor what is right or wrong. To counter this unpredictable mentality, our information assurance posture and overall strategy must change from one of risk avoidance to one of risk management. The challenge, however, is to accomplish this without limiting or scaling back functionality—data enabling, not data disabling.