Security as a fringe benefit

As the Navy continues to roll out its massive enterprise network to some 360,000 desktops, one of the benefits Navy officials foresee is heightened network security.

Security experts say the Navy Marine Corps Intranet has inherent benefits that should improve upon the Navy's traditionally disjointed way of operating its networks.

Even though the NMCI network will face the same under.lying security issues confronting all networks, having a consolidated centralized network puts the responsibility "on one bellybutton," said retired Col. John Thomas, former chief of the Defense Information Systems Agency's Global Operations and Security Office and now head of John Thomas Information Assurance Consultants.

Both Navy officials and security experts believe NMCI will streamline the Navy's network functions by centralizing management of the network.

"Any time you have a large network where the security controls are not under central management, you have the potential of having vulnerabilities at some part that the central managers are not aware of," said David Keyes, who oversaw the creation of the FBI's worldwide computer intrusion, investigations and infrastructure protection capabilities.

That's pretty much the case in the Navy today, said Capt. Jim Newman, who leads the Navy's "Red Team," the 20 sailors and civilian personnel who attempt to breach network defenses by acting as malicious attackers. Currently, the scores of Navy networks are operated independently, and they often have different security policies and standards. Without standardization, adding applications or updating software can create security vulnerabilities, Newman said.

NMCI, he said, "is building a defensible network structure."

Vulnerable and Visible

Navy officials acknowledge that some of the existing, less critical networks have little or no protection and that there is significant disparity among the Navy's cybersecurity efforts. Some of the service's networks are well-protected — especially those used at sea for warfighting — but other Navy networks have virtually no protection from cyberattacks, Newman said.

The Navy is a regular target. During the past 11 months, the Navy has tracked some 16,000 incidents in which someone attempted to access a Navy system. Of those, about 400 were considered significant attempts to obtain root access — the level at which someone can access the network's functions. And of those attempts, about 40 were successful, and some of those intrusions took days to detect, Newman said.

In a typical test of the Navy's existing shore-based networks, the Red Team can find 40,000 to 150,000 vulnerabilities in a network of about 8,000 machines, Newman said in a briefing with reporters.

Although NMCI is still in its early stages — two network operations centers and about 650 seats have been rolled out so far — the Red Team could not find any vulnerabilities in its initial tests. "That's NMCI," Newman said.

Beyond centralizing security management, the NMCI program calls for a team of highly qualified security personnel to oversee the network, said Rick Rosenburg, NMCI program executive for Electronic Data Systems Corp., which leads the NMCI Information Strike Force contracting team.

Under the Navy's traditional network, each individual network would need its own security experts to harden its systems. Under NMCI, however, security experts will be concentrated at the four network operations centers, where they can monitor operations across the intranet, said Bart Abbott, NMCI program manager for Raytheon Systems Co., the security subcontractor.

The NMCI contract also has specific requirements for regular training, part of which will focus on the importance of security, Newman said, something that has not existed previously.

NMCI's security benefits

* Personnel: Skilled security personnel will be concentrated in select centers.

* Standard configurations: Because the network will be managed across the enterprise, the NMCI Information Strike Force will be able to monitor the configurations of PCs, firewalls, intrusion-detection systems and other security tools.

* Standard applications: Using standard applications across the enterprise limits the number of security vulnerabilities and the need for patches.

* Rapid response: The Information Strike Force will be able to quickly disseminate security patches or new versions of virus-protection software to users.

* Public-key infrastructure: NMCI will make it easier for the Navy to begin using PKI.