The cornerstone of future defense programs is information technology,
but that foundation may contain cracks that endanger the entire
effort, according to security experts within the government.
Ensuring that future information exchange in and out of the Global
Information Grid will be done safely will require a new way of viewing
the problem, according to J. Michael Johnson, chief of the information
assurance office of the National Security Agency. “Net-centricity
requires a shift in information assurance strategy.”
The National Security Agency is developing the information assurance
component of the GIG, with support from the Defense Information
Agency and each military service.
The GIG will resemble the Internet, but with more dependence on
space-based and mobile systems to send and receive information.
Those connections will be configured based on the situation. “This
goes beyond the Defense Department. We have to have the ability
to share information across the U.S. government.”
Responding to a weapon of mass destruction attack will require
providing information to government users besides the military and
to users outside of the federal government, from local responders to
international players. Each of these new players will come to the situation with
varying levels of trust, but with a pressing need for information.
So the GIG has to be flexible enough to allow access, but designed
to maintain security.
Currently, there are clear divisions between networks of varying
security levels, with the perimeters protected by software, hardware
and protocols. Keeping intruders and other unauthorized people out
of sensitive areas is a matter of denying them access at known
points, he said. In the event a new entity needs access, secure
holes have to be punched in that perimeter and those breaches guarded
by programming, routers and firewalls.
In the more dynamic GIG model, information is flowing between security
levels more seamlessly, with new partners added in an ad hoc fashion.
The concept of perimeter security is not adequate to police such
a model of information exchange, Johnson said.
The shift in strategy must:
“If we don’t do this, we will build significant vulnerabilities
into the GIG which will be very costly to fix,” Johnson said.
One key area of the NSA’s strategy is a Cryptography Transformation
Initiative, meant to design tools to protect sensitive information
transmitted across the network and protect the network from attack.
An investment of nearly $5 billion has been allocated between 2004
and 2009 for this project.
The military services also are working on new technologies to beef
up information assurance, such as Internet protocol encryption,
advanced firewalls, intrusion detection systems and enhanced biometrics.
Another effort, pending Defense Department approval as of press
time, is configuring three secure networks to share information
outside their narrow range of users if the need arises.
The highly secure Secret Internet Protocol Router Network or SIPRNET
will be the first to adopt the new strategy, making it easier for
trusted international allies to access the system. The tentative
timeline for this project’s completion ranges from 2008 to
2012.
The second increment will allow the less secure Joint Capabilities
Integration and Development System, or JCIDS, to access SIPRNET
information when needed. Lastly, the unclassified but sensitive
Internet protocol router network, called NIPRNET, will be configured
for new users.
A recent report by the Government Accountability Office highlights
some of the policy-level confusion about the GIG and its development.
“First, the Defense Department has yet to determine how much
information should be posted on the network, when it should be posted
and how and where it should be used,” the report stated. “Once
these factors are determined, it must develop rules of operation
to ensure the network can work as intended without precluding the
benefits … Currently, various offices within the Defense Department
are working through questions on whether unlimited amounts of data
should be made available through the GIG, including unprocessed
intelligence, surveillance and reconnaissance data, without the
benefit of some assimilation and analysis.”
Tools would have to be made available to steer users towards the
best available information, assisting users to pluck out useful
data amid the flow of information from sensors, weapon systems,
intelligence officials and other soldiers.
Part of the solution is empowering the network to autonomously
identify who can be allowed to scan data, Johnson said. “GIG
must be able to recognize and make access control decisions,”
he said.
At the core of the GIG’s infrastructure are communications
satellites, next-generation radios and an installation-based network
with significantly expanded bandwidth.
Still, legacy systems must be hardened, because financial constraints
do not allow for a network to be built from scratch, Johnson noted.
“This would be easier if we had a clean sheet.”