DOD orders info-assurance review

With electronic information playing an ever-larger role in Defense operations Secretary of Defense William Cohen last month formed a panel to look at how DOD manages its critical data and protects against information warfare and system vulnerabilities.

DOD is tackling a concept called "information assurance" (IA) - ensuring that information is not only protected and secure against outside attacks but also that it gets delivered and its integrity is maintained.

In a memo issued last month Cohen called for the formation of an integrated-process team to "help develop recommendations for comprehensive process changes that will improve IA practices across the department." Cohen asked the undersecretary of Defense for policy to lead the effort and to collaborate with the assistant secretary of Defense for command control communications and intelligence.

The review effort is key to DOD's increasing reliance on information systems to fight wars and operate defenses. DOD is "transitioning to a vision of warfighting where information is increasingly important for successful operations " said a senior DOD official who asked not to be named. "We have to assure our own information and protect it and make sure it gets to where it needs to be in a timely fashion."

Richard Power a spokesman for the San Francisco-based Computer Security Institute said DOD's move to improve IA practices indicates the agency has shed the common myopic vision that information security is solely the act of protecting internal systems from hackers or attacks from disgruntled employees.

A comprehensive security policy also must include guarding the integrity of data and ensuring the availability of systems. Policy-makers have to plan for loss of availability due to Internet traffic jams brown-outs or natural disasters among other things he said.

"Information assurance is all about scale of risk " Power said. "There's no greater scale of risk than your country's ability to defend itself. All considerations have to start there. It's good to see at the national level and the leadership level a commitment to a broader more comprehensive view of information assurance."

Joe Vangieri director of federal markets for Tampa Fla.-based Digital Secured Networks said that IA also known as data integrity is probably the most important portion of securing information particularly in information warfare situations. For example IA policies and products are designed to prevent a subversive group from intercepting a message sent from one DOD official to another he said. If a message is not adequately protected - most commonly with encryption and authentication - that message could be altered without the recipient's knowledge.

While the exact number of these so-called "man-in-the-middle" attacks is not widely known because victims do not routinely report them and because they usually are tracked by the secretive National Security Agency Vangieri said the establishment of the DOD team indicates the department probably is suffering from these types of attacks.

The team had its first organizational meeting late last month and will continue to meet during September. The group's goal is not to introduce programmatic changes but to look at how best to give guidance and form policies against which DOD components can measure their progress the DOD official said.

"One of the motivations is that about 95 percent of unclassified communications rides on public switched networks " the official said. "DOD is increasingly dependent on an infrastructure that we don't control and so we need to take a look at how to ensure that the information gets delivered."Mark Adams head of the newly formed Life-Cycle Information Integration Office is a member of the team reviewing information assurance practices. Because the group focuses on cross-functional issues and on systems life cycles "it's in our best interest to be a part of the team " Adams said. "Information assurance is critical for us."