DOD programs to protect systems against cyberattacks

The Army this month kicked off a plan to deploy to 400 of its bases worldwide a system that will monitor and detect intrusions to networks, marking one of the first uses of an enterprisewide information assurance solution in the Defense Department.

As part of its Command and Control Protect (C2 Protect) program, the Army will feed data from its installations worldwide into one of three regional network operations centers in Europe, the United States or the Pacific region. The centers then will send the data to a central facility at Fort Huachuca, Ariz., for centralized monitoring and administration.

The program is part of an active push in DOD to protect its vital information technology systems from hackers and foreign intelligence agencies interested in accessing sensitive command and control data. The three services and some DOD agencies, including the Defense Advanced Research Projects Agency (DARPA), are developing information assurance projects that are designed to lessen the risks of managing information across DOD's highly distributed, network-centric computing environment.

For its C2 Protect program, the Army selected Internet Security Systems Inc.'s RealSecure security management software to help detect and respond to cyber-attacks before the attacks happen. RealSecure is part of ISS' SAFESuite line of security software solutions that analyze information as it travels through the network and recognize patterns in network activity that may indicate a hostile attack.

Rich Smith, director of federal operations for ISS, said the Army selected RealSecure because of the "comprehensiveness of the product, its ease of use and the fact that we are able to maintain a current list of attack signatures."

"These systems work, but there's no silver bullet when it comes to security," said Patrick Taylor, ISS' director of strategic marketing. "They can do a lot to reduce your overall risk, [but] you're never going to have zero vulnerability."Army officials could not be reached for comment.

Researchers at DARPA are developing technologies that make computer systems and networks "fundamentally more intrusion tolerant," according to Teresa Lunt, assistant director for the agency's information technology office.

In DARPA's Information Survivability program, developers are studying ways to design and engineer commercial off-the-shelf systems that provide a high degree of security. Commercial technology is not always engineered to the levels of security and robustness required by DOD's mission-critical systems, said Lunt.

Lunt and her team also have a new proposal on the table that will shift the Information Survivability program's focus from re-engineering COTS systems to creating "strategic intrusion-assessment" tools. The program will run from fiscal 2000 through fiscal 2003 and will seek to provide DOD with the capability to discern patterns of activity out of thousands of possible indications that somebody or some group is trying to penetrate a system or network.

The vision of both programs is to create technologies that have strong barriers to attack and that can "detect malicious and suspicious activity...and can guarantee minimum essential continued operation of critical system functions in the face of concerted information attacks," Lunt said.

The Navy is taking a "defense in-depth" approach to information assurance, according to Capt. Dan Galik, program manager for the Navy Information Systems Security program at the Space and Naval Warfare Command.

He said this approach will include a private intranet to connect naval sites, central firewall and intrusion-detection systems, secure configuration of operating systems, access control for network infrastructure management, COTS vulnerability assessment tools and network encryption products for Internet protocol and Asynchronous Transfer Mode-based networks.

The plan also calls for the fielding of a medium-assurance, COTS-based public-key infrastructure in support of Navy World Wide Web servers, Galik said. The Navy also is fielding a high-assurance PKI to support the fielding of the Defense Message System and already has fielded more than 100 firewalls throughout the infrastructure, including ships at sea, Galik said.

These initiatives "are being accomplished in coordination with providing information assurance for major Navy programs," such as Information Technology for the 21st Century and the Base Level Information Infrastructure (BLII) program, Galik said.

Air Force officials declined to comment on the details of their information assurance plans, however, an official did say the Air Force is in source selection for an information warfare vulnerability assessment and risk management program. According to the Air Force solicitation, the program will include "protection measures as well as offensive needs."

Overall, DOD has pieces of the information assurance puzzle in place but there are definitely gaps in its cyberdefenses, Lunt said. Unfortunately, "it's going to take a while for the research to turn into commercially available technology," she said.

However, the information assurance posture of the United States is much better than it used to be, according to Anthony M. Valletta, vice president of SRA Federal Systems and former acting assistant secretary of Defense for command, control, communications and intelligence. "The structure that's being put together at the [secretary of Defense] level is a 1,000 percent improvement" over what the country used to have, Valletta said.

According to Valletta, who was responsible for obtaining approval for the Defense-wide Information Assurance Program before he left government, information assurance solutions are continually evolving, but the leadership in DOD is taking steps to put the right infrastructure in place at the right time.

"The DOD leadership has seen the tremendous vulnerability" we face, Valletta said. But DOD "has really stood up to its commitment" to information assurance and infrastructure protection, he said.