As the Defense Department pursues programs dependent on global
computer networks, government officials warn that the current methods
of ensuring information security are not commensurate with the threats
against them.
If these problems are not addressed, the Pentagon could spend $200
billion during the next 10 years on a network with serious vulnerabilities,
according to security experts.
Part of the catchphrase “net-centricity” refers to
the ability to link small units with current information, and in
return quickly derive data from every soldier, vehicle and sensor
in the field. This type of system would change how military operations
are planned and executed, since more information would be available
to users at the moment they need it. Everything from immediate targeting
intelligence to the reordering of supplies would be sped up and
automated.
The ambitious Global Information Grid, meant to connect all of
the Defense Department’s information systems to each other and
to civilian entities, depends on secure connections.
“The GIG enterprise offers significant advantages and efficiencies
to war fighters … But all of this requires the users to have
trust in the information,” said J. Michael Johnson, chief
of the information assurance office of the National Security Agency,
which has the lead in securing the network. “Our adversaries
will attack it.”
Threats to the network range from nation-state sponsored hackers,
organized crime groups, terrorist operations and traitors pulling inside
jobs to unintended mistakes by users. Nightmare scenarios include
the enemy’s ability to change coordinates of missiles while
in flight, tamper with automated logistics by routing useless items
to the front or expose the military’s plans for an impending
operation. “Even weather information could be a tip off,”
Johnson warned.
That makes security a key issue. The term “information assurance”
is used to encompass both the availability and safety of the data
flowing between users. Current strategic planning, including the
Quadrennial Defense Review, is taking a more serious look at building
stronger safeguards into military systems and equipment.
“I don’t think you can find information assurance in
a previous QDR,” Johnson said. “This time it’s
a significant topic.”
But officials at a defense technology conference hosted by Infonex
Defense described a military that, from Pentagon brass to contractors,
is having a hard time grasping ways to counter threats to information
security.
In the future, every piece of equipment and every person will need
the equivalent of an identifying IP (internet protocol) address.
But in many cases, the idea of tagging all data, users and hardware
to a common standard is met with service isolationism. “The
technology is there, the policy is there, but the people aren’t
there yet,” said Navy Capt. Jeffrey Burtch, director of the
information assurance program at the office of the secretary of
defense. “People are still in a rice bowl. ‘That’s
my network. You can’t touch it.’ ”
Burtch described his effort to bring greater information security
to the Pentagon as an uphill struggle, but one in which he is painfully
gaining ground.
The future may witness significant funding, he revealed, citing
a figure hovering at about $500 million for a dedicated, department-wide
effort. “That number changes every time I get back to my email,”
Burtch said. “I spend much of my time fighting budget wars.”
The 2006 budget slated $30.1 billion for Pentagon IT programs.
Many of these are GIG-related, such as the Global Information Grid-Bandwidth
Expansion program ($877 million), Transformational Satellite Communication
($836 million) and Net-Centric Enterprise Services ($79 million).
Estimates of the GIG’s total cost over the coming decade
tip the scales at $200 billion.
Education and awareness are important, he said, but money is critical
to improving information assurance. Even though the commercial financial
services markets have a lower, but still robust, number of threats
against their information technology, they spend an average of 14
to 25 percent of their IT budgets on security.
By comparison, the Department of Defense spends only 7 percent
of its IT budget on security, even though it must contend with intrusions
from foreign powers, terrorist networks and spies, as well as the
same slew of crooks and hackers who target banks.
Asked if the military is leveraging commercial technologies used
to protect civilian nets, Johnson responded, “We are dependent
on it.”
He added that Pentagon teams evaluate where government funds could
best be spent to tackle problems unique to defense and intelligence
information security.
The level of awareness in the military of the risk of cyber attacks
is growing courtesy of tough education during war games, when “red
teams” simulating adversaries wreak havoc by compromising
networks. It isn’t necessary to take down an entire system
to damage military operations, the experts at the conference agreed.
Once the system is shown to be hacked, no information on it can
reliably be trusted. In a net-centric operation, that could mean
total calamity.
Burtch said that prior to his assignment protecting systems, he
worked with the Navy to attack enemy networks. As an example of
this tactic’s usefulness, he cited the targeting of communications
of the Iraqis during Operation Desert Storm. By disrupting the Iraqis’
secure networks, the United States was able to push communications
into less secure channels and clog their limited bandwidth, providing
keen advantages to U.S. troops, he said.
But the possibility that such techniques could be used against
the United States is one not eagerly faced by program managers,
contractors and mid-level military officials. For example, the Army
must overcome cultural dilemmas in securing its systems, and officials
often treat information assurance requirements as mere paperwork
that has to be filled out to achieve certification, said Ted Hendy,
director of information assurance and security engineering at U.S.
Information Systems Engineering Command.
“We need to put security back in information assurance,”
he said. “It’s not there.”
Many Army program officials do not think to build information assurance
into an Army system from the start, he said. This is the unintended
consequence of the structure adopted by the Pentagon to certify
military information technology, Hendy said.
By aligning the Defense Department’s Information Technology
Security Certification and Accreditation Process with another authorization
agreement, “information security got pushed way to the back,”
he said.
This occurred because security became lumped into the same paperwork
as overall accreditation—just another bureaucratic hoop for
contractors and program managers to jump through on the way to developing
and fielding a piece of equipment.
Lost in the process was the role of security specialists who could
help engineers design software, hardware, equipment and training
procedures that would tighten security from a product’s inception,
he said. Also forgotten, he added, was planning for updating and
sustaining security on the product through its lifespan.
This is increasingly important in a networked environment, in which
“a risk taken by one is shared by all,” Hendy said.
“We need to know not just what risks are to your system, but
what risks your system imposes on the rest of the GIG.”
Other consequences of lax security include a lack of forensic tools
to assist the 1st Information Operations Command in tracing back
the source of an attack, he said.
Hendy highlighted more problem areas, including a lack of centralized
Pentagon tracking of the risks to networked systems, an overall
dearth of recovery plans, little enforcement of information assurance
provisions in private sector contracts and a dependence on commercial
technology that does not meet military standards.
To those worries, Burtch added a reliance on foreign workers. “Ninety
percent of the code running on our machines is written off-shore,
mostly in friendly countries, for now,” he said. “Who
knows in five years?”
The U.S. military is faced with state-of-the-art equipment rendered
useless on the battlefield by a hacker halfway around the world,
making the financial investments necessary, Burtch said. This is
a message he said he delivered to officials at the Pentagon: “I’d
like you to have one less tank to have this done the right way.”