DOD taking steps to secure secret network further

SALT LAKE CITY—Looking to protect its classified information network from internal security threats, the Defense Department is considering a new policy that will strictly limit network users' access to information.

DOD uses the Secret Internet Protocol Routing Network, or SIPRNET, as a secure intranet for sharing information classified as secret. Though SIPRNET provides no direct connections to the Internet, some DOD officials worry that giving personnel access to too much information could pose a security risk. The new policy would create "communities of interest" within the network, in which users would have access only to information required by their work.

"You don't want to give anybody access to all of your [organization's] information," said Richard Hale, an information assurance engineering executive with the Defense Information Systems Agency. "We are concerned that 500,000 of our closest friends are looking at our secrets," said Hale, referring to the approximate number of government personnel who have access to some sort of classified information.

Speaking at the Software Technology Conference here, Hale said senior DOD officials are expected to brief Deputy Secretary of Defense John Hamre today on the possibility of including the new policy as part of DOD's overall public-key infrastructure security initiative.

PKI solutions combine encryption, digital certificates and other technologies to authenticate a user's identity and to ensure that data and transactions are not tampered with during transmission over the Internet. DOD announced plans last month to use PKI solutions to secure both internal and external communications.

But PKI "doesn't solve anything itself," said Hale. Rather, because many of today's commercial security products "are not that good," DOD needs to devise a common set of policies governing both access and standards, he said.

In addition, Hale said the department needs to address the "hodgepodge" of Internet connections and protection policies that make up the DOD security architecture and process, which he described as "just a mess." As a solution, Hale recommended formulating a set of standard policies that spell out what type of information will be allowed to enter and leave DOD networks.

Hale said the modern way of dealing with adversaries, whether cyber-based or otherwise, remains "essentially unchanged" since the construction of the Great Wall of China, when nations erected stone embankments to protect their citizens against invading forces. "I do not think this can continue if we're really going to be serious about fighting wars using [COTS systems]," he said.