FAA takes the offensive on cyberdefense

Agency's 'Android' aims to emulate human resilience


At first glance, the portrayal resembles something from movies such as "The Matrix" or "The Terminator" — a futuristic machine with high-tech circuitry inside a human form. Even the name of the Federal Aviation Administration's security framework has a Space Age ring to it.

But a closer look at the FAA's Android Cyber Defense system reveals the program for what it really is: a comprehensive, proactive approach to preventing and removing intrusions in the agency's computer network.

The Android conceptualization was completed in September and born from the idea of practicing a multilayered strategy of defense. According to FAA chief information officer Daniel Mehan, the vision was to "emulate the most resilient defense in the world, which is the human body."

To do this, FAA officials developed six key elements within the Android model, each of which corresponds to an aspect of the human body.

These elements range from boundary protection (skin) to dealing with cyber infections such as viruses (the immune system) and include streamlining the architecture (nutrition and exercise), protecting major organs, network monitoring (vital signs) and informed recovery (antibiotics and surgery).

"What the FAA is attempting to do with this model is to be as much ahead of the curve as we can be for more sophisticated cyber challenges coming down the road," Mehan said. "The important thing is that it looks at cyberdefense from an overall standpoint."

The efforts thus far have garnered praise and support throughout the Transportation Department.

"The FAA, while continuing to address current policy requirements such as completing certification/accreditation, is also assuming a thought leadership role within the department in the area of cybersecurity through the design of the Android strategy," said Lisa Schlosser, DOT's associate CIO.

According to Mehan, the need for improved security results from the increased risk of cyberattack.

Alan Paller, research director at the SANS Institute, supports this risk assessment. There are "tens of thousands of operating programs using the Internet to search for vulnerable systems," Paller said.

Mehan cites the speed of cyberattacks as a significant challenge, noting that January's Slammer virus doubled in size every 8.5 seconds compared to the 2001 Code Red virus, which took about 37 minutes to double in size.

"In terms of potential cyber events, there's more of them, they're faster, and over time, they'll become more sophisticated," he said. "We have to be ready for events that are much more instantaneous. The challenge for us, and all of industry, is to be prepared for that over the balance of the decade."

A critical step is to improve standards in developing technologies to keep pace with the adaptive nature of intrusions, according to Mehan.

"The standards bodies in this country have to get security engineering and the development of software that is much more resistant to cyber intrusion," Mehan said. "The standards have to be set so [software developers] write the code in the most efficient manner."

Paller agrees that software vendors can play a significant role in advancing cyberdefense. He feels new solutions must be delivered either in an invulnerable state or with the capability to be hardened immediately.

According to Paller, an infection problem exists now throughout federal networks because weaknesses in past software allowed multiple intrusions to occur — many of which technology officials believe remain undetected.

"The challenge is that vendors were delivering systems that were vulnerable right out of the box," Paller said. "So you probably have thousands of federal systems that are already infected, and no agency yet that we know of has a strategy for cleaning out the systems that were infected before they were hardened."

The FAA's Android model is based on architecture simplification. Designed to trim the fat from the system, this idea stresses having the minimum number of lines of code necessary to create a "lean operating environment," according to Mehan.

The security certification and accreditation process has also been streamlined. Mehan said that since 2000, no new software goes into the network without the approval of the CIO office, the system developer and system operator.

To help protect its boundary, FAA officials limit the number of entry points into the system, both via Internet access points and the network's mail system.

"Those entry points, we harden them, we monitor them and that protects the whole system of systems," Mehan said. "It's not just perimeters, but the extent that it is protecting subparts of the network."

The Android's immune system involves quarantining infected segments of the network. Break points are built into the system, creating open spaces where intrusions are isolated.

"There are things you need to do when you're healthy and things you need to do that are proactive in addition to reacting later," Mehan said.

Detected intrusions are dealt with by the FAA's Computer Security Incident Response Center. Initiated in 2001, the center arose from officials' realization that cyberdefense was a growing concern.

Through this response center, the FAA successfully repelled well-publicized cyberattacks that plagued many agencies in recent months.

"We've been working on these things over time and we've made some progress," Mehan said. "In the era of the Slammer, Blaster and SoBig viruses, we did reasonably well. We don't ballyhoo that, but we think we've made some progress."

This combination of past success and forward progress is helping push the FAA into a leadership role in the area of cybersecurity.

"This type of leadership will enable us to minimize risks to our critical [information technology] operations while increasing service to the citizen through the secure implementation of our e-government initiatives," Schlosser said.

According to Mehan, the strategy has also received support from CIO-level colleagues outside DOT. Regardless, he readily admits that cybersecurity will be a continuous area of concern and development.

"Despite what you do, you can still get an infection," Mehan said. "Nobody can tell you that you'll never catch a cold. You just have to make sure it doesn't go to pneumonia."

FAA adopts Common Criteria

According to chief information officer Daniel Mehan, the Federal Aviation Administration is falling in line with the federal push to use the Common Criteria Evaluation and Validation Scheme to improve information technology security.

"The FAA does use Common Criteria, or equivalent, to ensure appropriate security levels for our systems," Mehan said.

Common Criteria is a set of security tests used as a guide for commercial software purchases. The tests are designed to ensure that any security-related product performs the way a vendor claims it does. The national security community and the Defense Department use the tests.

The Bush administration's National Strategy to Secure Cyberspace includes plans to review the use of Common Criteria. That review is expected to become a key reference in determining how to improve IT security at civilian agencies.

***

Cyberdefense 'Android'

The Federal Aviation Administration's Android Cyber Defense emulates the human resilience system.

Among the elements:

Nutrition and exercise: Establish a workable, streamlined information technology architecture.

Antibiotics and surgery: Have disaster recovery practices and backup plans in place in the event an infection does get past defenses.

Skin: Create boundary protection, including adding firewalls and limiting the number of access points.

Immune system: Have break points in systems so the agency can isolate problems and keep them from infecting the entire organization.

Major organs: Harden the existing infrastructure to protect it from infection.

Vital signs: Have systems in place to monitor the network's health.