DOD moves network security to the forefront

In response to persistent attempts to breach Defense Department networks, DOD officials are working in several areas to improve their ability to detect and respond to cyberattacks.

Call it the "new normal." Constant efforts to breach the Defense Department’s networks and data security, along with attempts to deny access to networks and applications, have put DOD’s network warriors under increasing strain. Unrelenting cyberattacks also are raising the standards for how the military manages information networks.

Sounding the cyber alarm

Late last year, malware attacks, spread at least partially by removable storage devices, infected significant parts of the Unclassified but Sensitive IP Router Network (NIPRnet) and Secret IP Router Network (SIPRnet), leading to a moratorium on USB storage devices. Officials have denied that specific attacks happened or declined to discuss them, including the recently alleged Chinese hacker attack on Lockheed Martin’s F-35 Joint Strike Fighter data. However, DOD's leadership is pushing for rapid changes in how the military secures its data and counters cyberattacks.

The changes come from DOD's realization that the department can no longer protect networks and the data that flows over them simply by building a better firewall, DOD officials say. The department's networks are inextricably tied to public and private networks. And defending the ability to use those networks — and having ways to work around attacks on them — is as important as securing the data in transit on the networks or at rest on systems connected to them.

Meanwhile, DOD's reorganization of network operations will drive some changes.

During a hearing held May 5 by the House Armed Services Committee, Air Force Lt. Gen. Keith Alexander, commander of the Joint Functional Component Command for Network Warfare (JFCC-NW), said the department already has taken initial steps to create a single command structure for network operations. In one of those steps, Air Force Gen. Kevin Chilton, commander of the Strategic Command, placed the Joint Task Force-Global Network Operations (JTF-GNO), which directs the operation of all DOD networks attached to the Global Information Grid (GIG), under JFCC-NW’s operational control in fall 2008.

“This necessary initial realignment is a significant step towards the establishment of a command that is organized to operate and defend vital networks and project power in cyberspace,” Alexander said.

“The next steps in this transformation will require a more substantial reorganization, which is one reason why the DOD is considering the establishment of a new sub-unified command for Cyber, under Stratcom, that would be headquartered at Fort Meade,” he said. DOD officials say a single cyber command under Stratcom would help integrate DOD cyber forces and capabilities.

More accountability

Although a move to a single command has raised numerous operational questions, the underlying requirements are already taking shape. On April 7, at the 2009 Cyberspace Symposium in Omaha, Neb., Chilton outlined the capabilities DOD must develop to continue to operate its networks in the “new normal” conditions. Those critical capabilities include better accountability for what users do on the network, a single common operating picture for network operations, and more automated compliance and security on DOD laptops, desktops and servers.

Although more systems require the Common Access Card for authentication, there are still major gaps in accountability for who is allowed to do what on many DOD networks. Chilton said there is enough legal authority to punish those who fail to follow information assurance policies under the Uniform Code of Military Justice, but “we can’t hold people accountable if we haven’t properly trained and equipped them.”

“We need to do that: Properly train, properly equip, properly educate, conduct mishap investigations when they happen, and then hold people ultimately accountable for their behavior,” he said. “People think the rules don’t apply to them. But there are adversaries out there who are today taking advantage of that misbehavior and that lack of discipline.”

Chilton also said DOD networks do not have centralized network command and control and situational awareness about threats.

“We need common operating pictures, just like commanders in every other domain demand,” he said. “Today, if you look at our common operating picture in cyberspace, you will find places in the United States of America that are black holes [where] we don’t know what’s going on. And you know what’s around those black holes typically? The fences of one of our military installations. [That’s] because we have put up artificial barriers to keep the centralized command-and-control authority outside our perimeter.”

DOD also needs an automated way to keep systems secure instead of relying on administrators to deploy security patches and manage system configurations, he added.

“We need to operate at machine-to-machine speeds,” Chilton said. “We need to operate as near to real time as we can in this domain, be able to push software upgrades automatically, and have our computers scanned remotely with the latest antivirus software.”

Stratcom also has started to look at the training and staffing levels required for military commands to effectively operate in the cyber domain. Navy Capt. Timothy Spratto, group lead for the Joint Forces Command’s Capability Solutions Group, said Stratcom requested that the Joint Forces Command conduct experiments to help develop a methodology for structuring a cyber force.

Those experiments started late last year as news broke about the ongoing malware attack on DOD networks, and they have already produced some tools. Spratto said those tools include a set of templates for combatant commands — such as the Central Command, Southern Command and Africa Command — and Joint Task Force commanders to determine the types of personnel that they would need at their commands to support mission-based cyber operations.

“This is built on previous experiments for Stratcom,” he said. The goal is to build “a manning model, derived from a target-based approach.” The manning model that the Joint Forces Command is creating would take the capabilities that Stratcom wants and determine how many people with specific skills would be required to achieve the desired goal. The upshot is that Joint Forces Command would know the optimal mix of skills required for cyber operations.

"We need to resource this mission area with people — organized, trained and equipped people to do this mission," Chilton said, responding to inquiries about the Joint Forces Command experiments.

"Having dedicated forces to think about this is an area where we need to have increased investment in people. What's really important is that the network is available, the DOD network is available to combatant commanders around the world who have air, sea and space missions to do."

The HBSS foundation

Meanwhile, the Defense Information Systems Agency is developing systems and an architecture to supply the accountability, automated security and situational awareness that Chilton and others want.

The foundation for that work is the Host Based Security System (HBSS), a program run by DISA's Program Executive Office for Information Assurance and Network Operations (PEO-IAN). It seeks to deliver a commercial security solution that prevents intrusion attempts, malware and other potential security threats at a host, such as a desktop PC, laptop PC or server.

HBSS is primarily a combination of products from McAfee: the company's ePolicy Orchestrator management suite, VirusScan Enterprise, AntiSpyware Enterprise and McAfee Host Intrusion Prevention.

Although DISA is implementing HBSS in its present form, the program is not receiving funding as fast as Chilton would like. “We need the host base security system deployed this year,” Chilton said in Omaha, “not five years from now when we can afford it because we can ill afford not to have these technologies available for us today.”

HBSS is a critical component of the overall information assurance capabilities that DISA is moving to provide, said Mark Orndorff, program executive officer of PEO-IAN. The programming interfaces and reports generated by HBSS — its instrumentation, as Orndorff calls it — will provide situational awareness data about the health and status of systems and the sorts of attacks they are experiencing, and the system can pass along that information to help with network command and control.

“We’re building an enterprisewide data architecture around the Host Based Security System so the HBSS implementations throughout DOD will all publish information up using what we call the NetOps Data Strategy,” Orndorff said. “Then we will collect that in DISA enterprise computing centers and provide this capability to JTF-GNO, the combatant commands and the services so they'll have a whole new level of visibility into the infrastructure supporting the Global Information Grid.”

That system health data will have some limits, Orndorff said. Because HBSS is Microsoft Windows-based, it can provide data only on Windows systems. "But it will give us a lot of information in terms of asset inventory, asset status, and also events and alarms as activity happens on the network," he said.

DOD can use HBSS data in many ways to get better situational awareness. "We first want to get the maximum benefit out of what we have,” Orndorff said. “For example, something as simple as antivirus alarms — you can draw a pretty good picture of what's going on a network just by correlating AV alarms, which historically we've kept fairly localized."
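The kind of correlation Orndorff describes, drawing a picture of the network from antivirus alarms that were previously kept local to each host, can be illustrated with a small script. The following is an added example, not DISA or HBSS code: it assumes a simple one-line-per-alarm export (timestamp, site, host, signature, action), constructs a handful of sample alarms inline, and flags a signature as an outbreak when it fires on several distinct hosts at more than one site within a short window. It also lists hosts where cleanup keeps failing, which is the case a responder would want escalated first.

```python
"""Correlate host antivirus alarms across an enterprise to spot spreading
infections.  Added example, not DISA/HBSS code; the alarm line format,
signature names and thresholds below are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alarms: <UTC timestamp> <site> <host> <signature> <action>.
# The signature name "Worm.Removable.A" is made up for this example.
SAMPLE_ALARMS = """\
2009-05-01T08:00:05Z base-a ws-0017 Worm.Removable.A deleted
2009-05-01T08:02:41Z base-a ws-0042 Worm.Removable.A deleted
2009-05-01T08:03:10Z base-b ws-0310 Worm.Removable.A quarantined
2009-05-01T08:05:55Z base-c srv-0003 Worm.Removable.A delete_failed
2009-05-01T08:06:30Z base-c srv-0003 Worm.Removable.A delete_failed
2009-05-01T08:07:02Z base-a ws-0099 Worm.Removable.A deleted
2009-05-01T09:45:00Z base-b ws-0211 EICAR-Test-File deleted
2009-05-01T12:30:00Z base-d ws-0555 Worm.Removable.A deleted
"""

SUCCESSFUL_ACTIONS = {"deleted", "quarantined"}


def parse_alarm(line):
    """Parse one alarm line into a dict with a datetime timestamp."""
    ts, site, host, signature, action = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "site": site,
        "host": host,
        "signature": signature,
        "action": action,
    }


def load_alarms(text):
    """Parse a block of alarm lines, skipping blank lines."""
    return [parse_alarm(line) for line in text.splitlines() if line.strip()]


def correlate_outbreaks(alarms, window=timedelta(minutes=15), min_hosts=3, min_sites=2):
    """Report each signature seen on >= min_hosts distinct hosts spanning
    >= min_sites sites inside a sliding time window.  A single host alarming
    repeatedly does not count as spread; distinct hosts and sites do."""
    by_signature = defaultdict(list)
    for alarm in alarms:
        by_signature[alarm["signature"]].append(alarm)

    outbreaks = []
    for signature, events in by_signature.items():
        events.sort(key=lambda e: e["time"])
        for i, start in enumerate(events):
            hosts, sites = set(), set()
            for event in events[i:]:
                if event["time"] - start["time"] > window:
                    break
                hosts.add(event["host"])
                sites.add(event["site"])
            if len(hosts) >= min_hosts and len(sites) >= min_sites:
                outbreaks.append({
                    "signature": signature,
                    "first_seen": start["time"],
                    "hosts": sorted(hosts),
                    "sites": sorted(sites),
                })
                break  # one report per signature is enough for triage
    return outbreaks


def failed_cleanups(alarms, min_repeats=2):
    """Hosts where the AV engine reported the same signature at least
    min_repeats times without a successful delete/quarantine: the infection
    is persisting and needs a human or a reimage, not another scan."""
    counts = defaultdict(int)
    for alarm in alarms:
        if alarm["action"] not in SUCCESSFUL_ACTIONS:
            counts[(alarm["host"], alarm["signature"])] += 1
    return sorted({host for (host, _), n in counts.items() if n >= min_repeats})


if __name__ == "__main__":
    alarms = load_alarms(SAMPLE_ALARMS)
    for outbreak in correlate_outbreaks(alarms):
        print(f"OUTBREAK {outbreak['signature']} first seen {outbreak['first_seen']}: "
              f"{len(outbreak['hosts'])} hosts across {outbreak['sites']}")
    for host in failed_cleanups(alarms):
        print(f"CLEANUP FAILING on {host}")
```

With the constructed input, the worm signature is reported once (five hosts across three sites in the first window, the later lone alarm at base-d adds nothing new), the EICAR test file is ignored because it never leaves one host, and srv-0003 is singled out for repeated failed deletions. The window and thresholds are knobs a SOC would tune against its own alarm volume.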

Also, initiatives are under way to expand HBSS' capabilities. For example, DISA has a partnership with the National Security Agency, he said. That might result in government software development work, but "we'd also look for some additional products to help us" get more value across the entire GIG from HBSS event data.

Meanwhile, HBSS data isn't the only situational awareness data DISA's PEO-IAN is working on delivering. Orndorff said DISA is in the process of replacing its Joint Computer Emergency Response Team incident reporting database with a more modern, fully featured tool for attack detection and analysis.

The lack of a common view on attacks was a big issue recently, "when we saw an event that had large numbers of actions required across all of DOD,” Orndorff said. “We just don't have the tools and capabilities to manage that workflow and have good status of the progress” about security breaches needed to improve command and control information.

Knowing the terrain

Understanding the network's terrain is another piece of the situational awareness puzzle.

Orndorff said DISA has expanded efforts to map the SIPRnet to include the NIPRnet. The plan is to make that capability more robust and available to all network defenders. Today, that capability is primarily targeted to support JTF-GNO and DISA.

“It's a capability that all of us need,” he said. “So we'll have that set up in the future, so the services can use this infrastructure to map their portion of the network and help them as well as the objectives of JTF-GNO and DISA."

Orndorff added that these steps are just a few of the unclassified highlights of DISA's situational awareness efforts. There is “other classified work from GIG situational awareness and command and control" that complement the unclassified efforts, he said.

Safeguarding networks

However, merely protecting client systems doesn’t help with attacks that try to deny access to data by attacking the network itself. To tackle those threats, DISA is working on what Orndorff calls a defensible perimeter area.

"The high-level description of the project is NIPRnet hardening," Orndorff said. DISA is creating demilitarized zones (DMZs) for all DOD applications and services that connect to the Internet. DMZs put those services in a network partition that is separated from the rest of the network by a firewall, thus protecting most of the network from intrusion attempts.

DMZs also will have "attack protection and diagnosis capabilities" and some ability to respond to attacks “built into the DOD perimeter to the Internet," he said.

By creating a series of protected connection points to the Internet, DISA will give cyber commanders a way to fight through major attacks on the network.

“The intent is, as we build out these DMZs, we will have them [generating reporting data] in a way that if we're under an attack, we can decide which missions are most important, and turn knobs at the DMZ that would ensure those missions were supported while we divert resources away from some lower-priority missions," he said. "Or we had the mission that had been compromised under attack, we'd be able to contain that in a way that we aren't currently able to do."

DISA also is adding Web content-filtering capabilities as part of the increased security efforts for the NIPRnet. Content filtering will allow cyber defenders to look for malicious code and other lines of attack that come through NIPRnet users who access external Web sites. In addition, DISA is developing an e-mail security gateway to perform similar checks on e-mail content.

"We're also hardening our [Domain Name Service] infrastructure” to reduce potential denial-of-service attacks that exploit gaps in the way Internet domain names are resolved, Orndorff said.

However, the perimeter between NIPRnet and the Internet isn’t the only network border that needs attention, he added.

"We also have perimeters between classification levels, so we're putting together a cross-domain enterprise service as another defensible perimeter that passes information between, say, the SIPRnet and the NIPRnet and between DOD networks and coalition networks," he said.

Those cross-domain services, which assist in integrating information across classification environments, also need to be protected. Varying levels of attribution and security on those services create potential security holes that cyber attackers could use to exfiltrate data from classified to unclassified networks.

"All of those together — the DMZs, the web content filter, the DNS changes and the e-mail security gateway — are going to give us a much better defensible perimeter that allows the JTF-GNO and other operators of the network to engage in an attack with a number of capabilities to [help us] decide what's most critical and ensure that the most critical missions are still supported," Orndorff said.

If it all comes together as planned, the “new normal” promises substantially greater network protection and response capability than what was considered normal until just recently.