U.S. Department of Defense Information Assurance
Colonel Gene Tyler
Director, Defense-wide Information Assurance Program
Office of the Assistant Secretary of Defense, Networks and Information Integration
Gene.Tyler@osd.mil
703-602-9988

Information Assurance (IA)
• IA (U.S. Definition): Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
  – Protect - Provides for the availability, integrity, authenticity, confidentiality, and non-repudiation of information or transactions
  – Detect - Provides for the ability to detect efforts to disrupt and deny services
  – React - Provides for reconstitution of information and services in case of a successful disruption or denial

Definitions
• Availability - Information and information systems are available when needed to support mission critical, mission support, and administrative purposes
• Integrity - Data is unchanged from its source--has not been accidentally or maliciously altered
• Authentication - Data and their originators are authentic, and that a recipient is eligible to receive specific categories of information
• Non-Repudiation - Strong and substantial evidence of an information exchange or transaction
• Confidentiality - Information can be read only by authorized entities (e.g., encryption)

Information Assurance – Emphasis Starts at the Top
SECDEF’s Transformational Goals:
• First, to defend the U.S. homeland and other bases of operations, and defeat nuclear, biological and chemical weapons and their means of delivery;
• Second, to deny enemies sanctuary—depriving them of the ability to run or hide—anytime, anywhere;
• Third, to project and sustain forces in distant theaters in the face of access denial threats;
• Fourth, to conduct effective operations in space;
• Fifth, to conduct effective information operations; and
• Sixth, to leverage information technology to give our joint forces a common operational picture.
“… Protect our information networks from attack”
“Use information technology to link up different kinds of US forces so that they can in fact fight jointly”
From Secretary Rumsfeld’s speech to the National Defense University, 21 Jan 2002

Information Assurance – Senior Leadership Emphasis
Our ability to leverage the power of information will be key to our success in the 21st Century. I am committed to:
• Make information available on a network that people depend on and trust
• Populate the network with new, dynamic sources of information to defeat the enemy
• Deny the enemy information advantages and exploit weakness to support Network Centric Warfare and the transformation of DoD business processes
John P. Stenbit, ASD(NII)

Information Security Global Networks
• Global Economy
• Global Information Environment
• Electronic Security Must Be Global
• U.S. Cannot “Solve” Problem Unilaterally
• International Cooperation Required
Think Global

Malicious Activity Continues to Climb
[Chart: Detected “Events” by year, 1994 to 2002, as of 1 Jan 03]
[Chart: Virus Growth Per Month, Internet “Wild List”, 1999 to 2002, as of 1 Jan 03]
[Chart: Unauthorized DoD Intrusions, 314 Category 1 & 2 Intrusions as of 1 Jan 03. Categories: IAVA Bulletins; “Poor Security Practices”; “New” Intrusion Method or Under Analysis; “Multiple Vulnerabilities”]
“Information Networks must be controlled, protected, and managed as effectively as weapon systems”
Lt Gen Harry D. Raduege, DISA Director

Net-Centric Warfare
In NCW, the Network is the center of gravity: the focus on which all elements of combat power depend.
[Diagram: Network at the center, linked to C2, INTEL, Sensors, Transportation, Logistics, Weapons Systems]

Scope of the IA Mission
Information is used everywhere and is vital to Warfighters and Operational Readiness
[Diagram labels: Sensor-to-Shooter; Weapon Systems; Logistic systems; Sustaining base Systems and Business systems; Command Control (C2) systems; Situation awareness; Infrastructure; Power projection platforms and communications]

The Changing Technology Environment
• PAST
  – dedicated circuits
  – stovepiped systems
  – government developed and produced solutions
  – “risk avoidance”
  – limited cooperation with industry
  – government-owned and -controlled security mgt infrastructure (SMI)
• PRESENT
  – highly interconnected
  – interdependent
  – commercial technology forms the basis for solutions
  – “risk management”
  – full and open cooperation with industry
  – global, interoperable, public key-based SMI
• FUTURE
  – genetic algorithms
  – neural networks
  – intelligent agents
  – nano-technologies
  – distributed computing
  – wireless
  – changing architectures, operations, technology all aimed at leveraging the “richness and reach” of the internet
  – where are the boundaries?
We cannot afford to “stay the course”

IA Mission and Strategy
IA Mission: Assure DoD’s Information, Information Systems and Information Infrastructure and Support DoD’s Transformation to Network and Data Centric Operations and Warfare
Goals and Objectives:
• Protect Information
  – Promulgate IA Architecture
  – Define Protection Criteria for Netcentric Opns
  – Develop & Deploy Protection Capabilities
  – Transform SMI
• Defend Systems & Networks
  – Establish GiG Network Defense Architecture & To Be Baseline
  – Develop & Enforce CND Policies
  – Evaluate & Deploy CND Tools and Capabilities
  – Establish vertical & horizontal defense mechanisms w/i CND RAF
• Provide Situational Awareness / IA C2
  – Establish timely Intelligence and I&W information to enterprise SA
  – Create SA Visualization capabilities
  – Coordinate IA ops & decisions
  – Harmonize NETOPS, IO, CNA, CND relationships
• Transform and Enable IA Capabilities
  – Ensure IA is integrated & sustained in all programs throughout the lifecycle
  – Improve strategic decision making
  – Expedite dynamic IA capabilities through innovation
  – Enable Information sharing & collaboration
• Create an IA Empowered Workforce
  – Standardize baseline certifications
  – Provide trained/skilled personnel
  – Enhance IA skill levels
  – Infuse IA into other disciplines

The DoD IA Strategy
[Diagram: OPERATIONS, TECHNOLOGY, PERSONNEL]
No Single Solution
• Solution requires a multidimensional approach
• Trained and disciplined personnel
• Improved operations (including updated policies)
• Innovations in technology
• Solutions must address importance of Information Technology in elements of the Critical Infrastructure, for example: Power, Transportation, other

I WAN You for INFORMATION ASSURANCE

BACKUP

Personnel
• Cyber security training and awareness
  – Platform Training
  – Computer Based Training (CBT)
  – Video
• Certification of information system operators, administrators, and maintainers
• Career field management - focus on retention
• Partnership with industry for cooperative internships
• National InfoSec Education & Training Program
• Academic Centers Of Excellence (36 today)

Operations
• Integrated Information Assurance Policy
• Information Assurance Vulnerability Alert (IAVA) Process
  – Positive Control
• Service and Agency Computer Emergency Response Teams
• Joint Task Force - Computer Network Operations (JTF-CNO)
  – Coordination within the Department of Defense, and with other government departments and agencies
• Continuous Vulnerability Analysis and Assessment Program
• Exercises to test protection, detection, and response capabilities

Technology
• Full spectrum Information Assurance solutions
  – Layered Information Assurance strategy (Defense-in-Depth)
  – Deployment of intrusion detection technology
  – Strategic partnership with industry
• Security-enabled commercial products
• Open security framework
  – National Information Assurance Partnership (NIAP)
• Common Criteria evaluations
• Global, interoperable Security Management Infrastructure
• R&D for highly assured products and systems
• R&D for real-time monitoring, data collection, analysis, and visualization

IA Strategy and Defense-in-Depth (DiD) Interface
• Defense-in-Depth: Establishes our defenses in place and gives DoD a basic defensive framework
• IA Strategy: Takes concepts of DiD and brings the warfighter into the IA arena