CHAPTER 8. INFORMATION SYSTEMS SECURITY
Information systems security is the discipline that protects the confidentiality,
integrity and availability of classified and unclassified information created, processed,
stored and communicated on computers and networks. The Commission believes it is
imperative that the Defense and Intelligence Communities focus more attention on
information systems security. It, together with personnel security, is one of two security
disciplines that the Commission believes needs more attention and recommends additional
requirements that will increase costs.
The United States is increasingly dependent on information systems and networks.
Information systems control the basic functions of the nation's infrastructure, including
the air traffic control system, power distribution and utilities, phone system, stock
exchanges, the Federal Reserve monetary transfer system, credit and medical records, and a
host of other services and activities. The world of the future, within which our security
policies and procedures must succeed, will undoubtedly be characterized by even more
widespread use of computers, systems, and networks. It is already apparent that increased
connectivity leads to significant improvements in productivity, improvements that are
necessary if our society is to prosper and we are to continue to lead the world's family
of nations in economic, political, and military strength. Initiatives like the National
Information Infrastructure (NII) intended to be an "information superhighway"
for our nation's commerce and government are based on this emerging reality.
The Defense and Intelligence Communities share this imperative to connect, both within
and between the communities and to the NII. The Department of Defense already depends upon
computers and communications networks in performing every aspect of its complex missions
from command and control, to acquisition of weapons systems, to managing and paying for
the worldwide activities of the department. This dependence will certainly increase. The
DoD envisions a worldwide, seamless web of computers and networks, the Defense Information
Infrastructure (DII), operating as a utility in support of the Department's warfighting,
intelligence, and business functions.
The CIA and other intelligence agencies are increasingly tying together internal
systems and are beginning to reach for connections beyond their walls. The increased
productivity that flows from such connectivity is essential to success in this era of
declining resources. Intelligence is, after all, information and must flow in a form and
at rates useful to those who need it. The Commission believes that those who steadfastly
resist connectivity will be perceived as unresponsive and will ultimately be considered as
offering little value to their customers.
There is no doubt that increased connectivity creates greater vulnerability. Electronic
access to vast amounts of data and critical infrastructure control is now possible from
almost anywhere in the world. Networks are so complex and so widespread that the identity
of everyone with access to the networks to which our systems are connected can no longer
be known with any assurance. Moreover, although our classified data is obviously of great
interest to our enemies, our communities depend on extensive data bases of unclassified
information that if destroyed or damaged would cost billions to rebuild and could affect
our ability to deploy and operate a flexible, capable force.
Protecting information transactions within the subinfrastructure or network enclaves
controlled by the DoD and the Intelligence Community requires an approach to security in
which information systems security is seen as part of a balanced mix that also includes
personnel security, physical security and other security procedures. Protecting
information transfers between our enclaves and the rest of the infrastructure where we
cannot count on other types of security requires a more stringent form of information
systems security. In addressing these issues, the Commission examined current threat
information as well as policies and procedures now in place to protect against such
threats. The Commission found our policies outdated, our strategies for obtaining
necessary information systems security technology ineffective, and our general readiness
in terms of awareness and training inadequate.
The Threat to Information and Information Systems
Thirty years ago, computer systems presented relatively simple security challenges.
They were expensive, isolated in environmentally controlled facilities, and their use was
an arcane art understood by few. Consequently, protecting them was relatively easy, a
matter of controlling access to the computer room and clearing the small number of
specialists who needed such access. As these systems evolved, their connectivity was
extended, first by remote terminals and eventually by local and wide-area networks.
As size and price came down, microprocessors began to appear in the workplace, in
homes, and eventually on the battlefield and embedded in weapon systems. What was once a
collection of separate systems is now best understood as a single, multifaceted
information infrastructure operated as a utility. To cope with this new reality, our
paradigm for managing information security must also shift from developing security for
each individual application, system, and network to developing security for subscribers
within the worldwide utility, and from protecting the isolated systems we own to
protecting systems that are connected and depend upon an infrastructure we neither own nor
control.
Despite the enormous impact that could result from the compromise or destruction of our
information systems, the Commission believes that there is little public understanding of
the threat or of the consequences of attacks on our systems. One high-level official
suggested that until there is a major information systems catastrophe, appreciation of the
need for information systems security will remain weak. Attacks against information
systems are becoming more aggressive, not only seeking access to confidential information,
but also stealing and degrading service and destroying data.
The well-publicized Michelangelo virus destroyed the information and applications
software on the hard disks of the unwary. In another example, a small program appeared on
computers connected to the Internet. This program made copies of itself and sent the
copies along to other computers on the network. The copies made copies in turn and sent
them along, and the copies' copies made copies, and so on. In short order the network was
so busy creating and sending copies of the program that it couldn't do anything else. Some
of the computers were down for most of the following week, and the business enterprises,
academicians, and government and private users were unable to use their computers for
processing or to communicate among themselves.
Networks are already recognized as a battlefield of the future. Information weapons
will attack and defend at electronic speeds using strategies and tactics yet to be
perfected. This technology is capable of deciding the outcomes of geopolitical crises
without the firing of a single weapon. Our security policies and processes must protect
our ability to conduct such infowars while denying our enemies that same advantage.
If, instead of attacking our military systems and data bases, an enemy attacked our
unprotected civilian infrastructure, the economic and other results could be disastrous.
Over 95 percent of Defense and Intelligence Community voice and data traffic uses the
public phone system. The economic consequences alone of a successful attack on the phone
system or the National Information Infrastructure would be significant.
The nine-hour failure of the AT&T public switch network in 1990, although the
result of a reliability failure and not a planned attack, demonstrated how vulnerable we
are. Of the 138 million long-distance and 800-number calls attempted, some 70 million
were rejected by the faulty system. Many of those calls were business calls, and the
failure to connect cost those businesses directly due to orders not being placed and
operations being delayed or halted altogether. There were indirect costs as well due to
decreased efficiency and productivity. Airlines, hotels, and car rental companies lost
reservations. Phoned catalog orders were not placed. Service companies could not support
their customers.
The threat to our information and information systems is increasingly sophisticated,
and comes from both insiders and outsiders. While improving the personnel security methods
used to ascertain the trustworthiness of our people will reduce the insider threat,
personnel security measures alone cannot be relied on to protect our information and
information systems. Foreign intelligence services, including those of some of our
"allies," are known to target US information systems and technologies, using
techniques that can give them access to our information without ever coming into our work
spaces or approaching our people. Some trends and specific incidents help indicate the
scope of the information systems security challenge:
- Computer viruses are growing more common and more dangerous, and may be virtually
undetectable by conventional antiviral software. Trojan horses, logic bombs and other
malicious software are appearing on our systems, and require improved countermeasures and
careful security procedures to defeat.
- Over 4,000 hacker attacks, ranging from attempted password cracking to trying to obtain
control of the system, were detected on one government system during a single three month
period. Some hackers advertise their services for seeking any information, including
classified or sensitive information.
- Eighty-five percent of computer crime is committed by insiders with validated access to
the systems and networks they abuse. Before being fired from a private firm, a disgruntled
employee left a logic bomb in the company's personnel system that destroyed all personnel
records. Careless insiders, ignoring security procedures, have inadvertently inserted
viruses into DoD and Intelligence Community information systems.
- Increasingly cheaper and more powerful commercially available electronics put signals
intelligence intercept and processing capabilities within the reach of the smallest
countries and even drug traffickers. Targeting by signals intelligence of facsimile and
data communications on land-based and satellite systems gives eavesdroppers access to
international communications of US businesses, personal telephone calls of US troops
stationed overseas, computer passwords, and other data.
Dated Policies
The Commission found a number of problems hindering the effectiveness of information
systems security. Problems include ineffectual and conflicting policies, failed strategies
for obtaining the necessary computer security technology, poor mechanisms for obtaining
timely threat information, inherent systems vulnerabilities, lack of effective audit data
reduction techniques, and accreditation processes that are far too slow. The Commission
also believes that there is a need to improve the quality and number of information
systems security professionals and to increase training and awareness programs for
management and non-security personnel.
The policies and standards upon which the Defense and Intelligence Communities base
information systems security services were developed when computers were physically and
electronically isolated. As a result, policies and standards:
- Are not suitable for the networked world of today, having been based on stand-alone
architectures where the security requirements imposed on one system had little or no
impact on the security for another system.
- Were developed based on a philosophy of complete risk avoidance and so do not deal
effectively with information systems security as part of a balanced mix of security
countermeasures in protecting the confidentiality, integrity or availability of our
information assets.
- Do not provide the flexibility needed to address the wide variations among systems in
use today and planned for tomorrow.
- Do not differentiate between the security countermeasures needed within and among
protected network enclaves and those needed when information must travel to and from less
protected or unprotected parts of the infrastructure.
- Are only beginning to combine computer science and public key cryptography effectively
to protect information.
- Are not capable of responding in a timely manner to dynamically evolving information
technology.
The Commission also found a profusion of policy formulation authorities all of whom are
addressing essentially the same issues. The Community Counterintelligence and Security
Countermeasures Office (CCISCMO) is responsible to the Director of Central Intelligence
for information systems security policy and standards for the Intelligence Community. The
DoD intelligence organizations must follow CCISCMO security policies, and all of the DoD
must follow the security regulations promulgated by its chains of command up through the
Office of the Secretary of Defense (OSD). The National Security Telecommunications and
Information Systems Security Committee (NSTISSC) creates policies that overlap those of
both the OSD and the CCISCMO with regard to national security information and extends its
policy authority to other government departments and agencies not covered by DoD or DCI
policies. The Office of Management and Budget casts its policies over all information
systems security activities that expend tax dollars. The National Institute of Standards
and Technology (NIST) is responsible for creating standards for the protection of
unclassified but sensitive information. A result of these numerous policy authorities has
been policies that, although similar, differ sufficiently to create inefficiencies and to
cause implementation problems when organizations must coordinate their security protocols
and procedures in order to interconnect.
Failed Strategies
In addition to dated policies and inadequate standards, the strategy for developing
computer security software, hardware and other security technologies has not served us
well. This strategy has been to encourage the private sector to design, develop, and
manufacture products at their own expense. In return, the government promised that it
would require these products be used in the systems and networks it acquired. However, the
government did not follow through and buy these products when they became available. One
reason is that the products suffered long delays waiting government approval and were
consequently obsolete before being approved for use. In addition, these products are often
too expensive and lack functionality comparable to state-of-the-art, nonsecure
commercially available products. As a result, too few computer security products are
available today and even fewer are in use.
These problems with obtaining commercial computer security products have been
exacerbated by the government's failure to control and coordinate its own R&D
programs. With each agency free to pursue its own R&D initiatives, some attractive
lines of research have been neglected while there have been duplications of effort and
products produced that are not readily interoperable with other computer security
products. Moreover, research has been focused almost exclusively on providing protection
to classified information and systems to the detriment of protecting unclassified
information and our infrastructure assets.
The New Information Systems Security Reality
To meet the security needs of connected information systems using an infrastructure not
completely under our control, the Commission believes that there is a need for new
information systems security policies and standards, new strategies for obtaining
products, a more focused R&D program, and a better understanding of information
security threats and vulnerabilities. Security requirements for evolving Defense and
Intelligence Community information systems include:
- Providing the ability to securely pass classified information over public or open
communication links or networks to authorized users.
- Resisting computer viruses and other malicious software, detecting and controlling
penetration of networks, systems, applications and data bases by hackers, and surviving
full scale infowar attacks.
- Ensuring the authenticity of electronic messages and preventing repudiation of their
receipt.
- Keeping confidentiality and integrity of medical files, payroll records, and other
sensitive but unclassified information.
- Protecting the privacy of personnel files and investigative dossiers as required by law.
- Providing confidentiality of the identities of personnel in sensitive assignments.
- Ensuring integrity in electronic payments to vendors and contractors.
- Ensuring the components of the information infrastructure are designed for the rapid
detection of malicious activities and for the ready restoration of required services.
- Effectively managing and controlling access to information at any protection level on a
global basis.
Information Systems Security Policy for Tomorrow
The Commission believes that information systems security policy must better address
current and future electronic environments. The network architecture of the future will
comprise a seamless global web of unsecured electronic highways linked together to provide
a common infrastructure operated as a utility. Subscribers will be a heterogeneous group
of individuals and organizations tied into the network to communicate with each other and
to obtain various services offered by some portion of the network. The Department of
Defense and the Intelligence Community also will be subscribers and their networks will be
subnets or "enclaves" within the larger infrastructure. Subscribers will use
common standards in supplying and obtaining services, although security standards may vary
from enclave to enclave. But security standards must permit subscribers to benefit from
authorized connectivity and services provided by the infrastructure and other authorized
subscribers.
The new policies must be network oriented, recognizing the need for coordination and
cooperation between separate organizations and enclaves connected via the infrastructure.
Policies must be sufficiently flexible to cover a wide range of systems and equipment.
They must take into account threat, both from the insider and the outsider, and espouse a
risk management philosophy in making security decisions. And given the knowledge that
unclassified information can be just as important and is even more vulnerable than
classified information, the new policies, strategies and standards must also ensure its
protection. Information that has no requirement for confidentiality may still require
protection to ensure that it is not illicitly modified or destroyed and is available when
needed.
To alleviate the overlap, redundancy, and conflicts inherent in the existing policy
formulation process, responsibility for generating the new policy must be given to a
centralized security executive policy committee that represents both the Department of
Defense and the Intelligence Community. Furthermore, in developing the new policy,
representatives from outside these communities may need to be included to assure that a
governmentwide perspective will be used.
The Commission recommends that policy formulation for information systems security
be consolidated under a joint DoD/DCI security executive committee, and that the committee
oversee development of a coherent network-oriented information systems security policy for
the Department of Defense and the Intelligence Community that also could serve the entire
government.
The Investment Strategy for Information Systems Security
A coherent set of policies is of no use if effective information systems security
products are not available and programs cannot be implemented that use them. Given the
problems with the current strategies and programs, the Commission recommends a new
approach based on a well-considered investment strategy that includes a more focused
R&D program. It must obtain and use threat and vulnerability information in managing
risk. And finally, it must result in a more robust, efficient, and responsive program for
applying and managing information systems security in our systems and networks.
A new investment strategy is needed to ensure that products are available that will
ensure the availability and integrity of both classified and unclassified data. Within an
information systems enclave, security officials can rely on physical security to deny
access to unauthorized users, personnel security to provide some assurance that those who
do have access are trustworthy, and procedural security to manage access to and use of
their subnets. However, protection against the outsider threat where the enclave connects
to the outside infrastructure may require more stringent levels of protection. There must
be assurance that, as information enters and leaves the enclave, highly protected data
does not cross the boundary to lesser cleared subscribers and that information can flow
into the enclave from the outside infrastructure without permitting access to unauthorized
users or the introduction of malicious software.
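The boundary assurance described in the paragraph above amounts to two checks at the enclave edge: outbound, a subscriber may receive data only if the subscriber's clearance dominates the data's label; inbound, a message is admitted only from an authenticated sender, in a permitted form, and after screening for executable content. The following is an added example written for this page, not code from the Commission's report or from any DoD or Intelligence Community product. The classification levels, compartment names, subscriber names, permitted content types and the magic-byte screen are all constructed assumptions for illustration.

```python
"""Enclave boundary guard: label dominance outbound, screening inbound (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Assumed ordered classification levels; together with a set of compartments
# they form the usual lattice of security labels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least the other's level AND a superset of its compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass(frozen=True)
class Message:
    sender: str
    receiver: str
    label: Label          # label of the data carried
    content_type: str
    payload: bytes


class BoundaryGuard:
    # Constructed screen: leading bytes of common executable formats (DOS/PE and ELF).
    EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")

    def __init__(self, clearances: Dict[str, Label],
                 trusted_senders: Set[str], allowed_types: Set[str]):
        self.clearances = clearances            # subscriber -> clearance label
        self.trusted_senders = trusted_senders  # senders authenticated to the enclave
        self.allowed_types = allowed_types      # content types admitted inbound

    def check_outbound(self, msg: Message) -> Tuple[bool, str]:
        """Data may leave only to a subscriber whose clearance dominates its label."""
        clearance = self.clearances.get(msg.receiver)
        if clearance is None:
            return False, f"receiver {msg.receiver} has no registered clearance"
        if not clearance.dominates(msg.label):
            return False, (f"{msg.label.level} data would reach a "
                           f"{clearance.level} subscriber")
        return True, "receiver clearance dominates data label"

    def check_inbound(self, msg: Message) -> Tuple[bool, str]:
        """Admit only authenticated senders, permitted forms, and non-executable content."""
        if msg.sender not in self.trusted_senders:
            return False, f"sender {msg.sender} not authenticated"
        if msg.content_type not in self.allowed_types:
            return False, f"content type {msg.content_type} not permitted inbound"
        if msg.payload.startswith(self.EXECUTABLE_MAGIC):
            return False, "payload looks like executable code"
        return True, "inbound message admitted"


def build_demo_guard() -> BoundaryGuard:
    """Constructed sample subscribers and policy for the demonstration."""
    clearances = {
        "analyst-1": Label("TOP SECRET", frozenset({"PROJ-A", "PROJ-B"})),
        "analyst-2": Label("SECRET", frozenset({"PROJ-A"})),
        "public-portal": Label("UNCLASSIFIED"),
    }
    return BoundaryGuard(clearances,
                         trusted_senders={"weather-feed", "analyst-1"},
                         allowed_types={"text/plain", "text/csv"})


if __name__ == "__main__":
    guard = build_demo_guard()
    secret_a = Label("SECRET", frozenset({"PROJ-A"}))
    for msg in (Message("analyst-1", "analyst-2", secret_a, "text/plain", b"report"),
                Message("analyst-1", "public-portal", secret_a, "text/plain", b"report")):
        print("outbound", msg.receiver, guard.check_outbound(msg))
    for msg in (Message("weather-feed", "analyst-1", Label("UNCLASSIFIED"), "text/plain", b"fx"),
                Message("weather-feed", "analyst-1", Label("UNCLASSIFIED"), "text/plain", b"MZ\x90")):
        print("inbound", msg.sender, guard.check_inbound(msg))
```

The compartment check is what distinguishes this from a plain level comparison: a SECRET subscriber without the PROJ-B compartment is refused SECRET/PROJ-B data even though the levels match, which is the "lesser cleared subscriber" case the paragraph describes.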
The new strategy also must identify capabilities and products that are needed to permit
implementation of systems and networks providing various degrees of protection. Many in
the private sector currently rely on insurance to protect against losses to hackers,
criminals, and malicious software. The Commission expects that increased awareness of the
economic risks inherent in connecting to or exchanging data with the information
infrastructure will lead to an understanding that it is cheaper to protect information
assets and information systems with technology than with insurance. This will, in turn,
encourage the development of secure products by the private sector. Widespread use of such
products will bring the cost down, permitting security to be used as a marketing
discriminator as consumers will prefer secure products to those without security so long
as the difference in price is not great. This process should result in the ready
availability of affordable commercial off-the-shelf information systems and networks
offering moderate levels of security assurance. However, the private sector is not
expected to commercially develop those security products with the very high levels of
assurance essential to some government systems and networks. Accordingly, the new
investment strategy must provide for allocation of government funding to promote the
development of high assurance products.
Computer security exists today that is deemed sufficient to permit connectivity within
secure enclaves, as is the case at the CIA and the NSA. However, these same security
countermeasures may not be considered sufficient when outside connections are established.
Worse, interconnecting two secure enclaves that use different protection features may
result in the failure of the security of both enclaves. Technology that would control
information transfers across enclave borders is on the drawing boards and in the labs, but
has not yet matured to a point where it can be used to protect connections between
enclaves responsible for highly sensitive data and the unprotected infrastructure.
Providing such technology at the earliest possible date must be a high priority for the
new investment strategy.
Adequate funding for information systems security is essential. In keeping with the
understanding that the information infrastructure is an essential element of the national
security structure, funds must be provided for the development of the technology needed to
secure the infrastructure, both within secure enclaves and across the networks. Moreover,
sufficient funding must be included in the agencies' and departments' budgets to ensure
that program managers can buy computers, systems and networks that provide the security
needed to protect the confidentiality, integrity and availability of information assets
and information systems.
For the Department of Defense, the information infrastructure will be managed by the
Defense Information Systems Agency (DISA), which must develop system and network security
management capabilities as well as audit and alarm capabilities. The DISA is ideally
situated to perform these functions and has created the Center for Information Systems
Security to ensure the successful performance of its security responsibilities. The
Center, although newly formed, has been doing an excellent job to date. Any necessary high
assurance technology for securing information and information systems will be provided by
the NSA. In reviewing the best practices of government and industry, the Commission finds
that an investment strategy that allocates five to ten percent of the total cost of
developing and operating information systems and networks is appropriate and needed to
ensure that those systems and networks are available when needed and safe to use. Smaller
investments are inadequate to achieve acceptable levels of risk. Larger investments are
unrealistic given the expected budgetary environment facing our communities.
The Commission recommends that the Secretary of Defense and the Director of Central
Intelligence develop an information systems security investment strategy including an
emphasis on commercial production of computer security components at affordable costs. The
goal should be to use 5 to 10 percent of the costs of infrastructure development and
operations to ensure availability and the confidentiality and integrity of our information
assets.
Research and Development: A Need to Consolidate
As part of implementing the new information systems security strategy, a carefully
planned and well-managed research and development program is required. Information
systems technology is evolving much faster than information systems security technology.
The Defense and Intelligence Communities must reassess, refocus and adequately fund our
information systems security research and development efforts to design and develop the
highly technical products needed if our countermeasures are to provide sufficient defense
to responsibly manage the risk to our information systems. However, the Commission has
observed that there is no communitywide focal point for information systems security
research and development. Each agency implements the R&D activities needed for its own
mission and, as a result, there have been both duplication of effort and products made
that are of very limited use.
In addition, research in the DoD and Intelligence Communities has been focused almost
exclusively on providing solutions to protection of classified assets. As discussed
earlier, the threats are changing, and targets in the future may well be found in the
country's unclassified infrastructure: power grid controls, transportation systems, the
public switched networks, stock exchanges, and Federal Reserve monetary transfer system.
A new emphasis on developing solutions for threats to the unclassified infrastructure
also is needed. The Commission believes that a community-wide mechanism to determine
priorities for information systems security research and development of products is needed
as part of the information systems security investment strategy.
The Commission recommends that:
a) Research and development programs be given high priority in creating the secure
products which the DoD and the Intelligence Community need for protection of their
classified and unclassified information networks and systems.
b) The Secretary of Defense and the Director of Central Intelligence assign the NSA as
the executive agent for information systems security research and development for both
classified and unclassified information for the Department of Defense and the Intelligence
Community.
Infrastructure Security Management
Like other aspects of information systems security, the processes used to assess the
security of our computers, systems and networks must evolve. With stand-alone systems,
individual organizations not only own the information that is created, stored, and
processed on their systems, they also own the systems themselves. In connected
environments, information, resources, and processes are shared. Our methods for assessing
the security of and deciding acceptable levels of risk must change. The existing processes
are so slow that products and systems are frequently obsolete before we are satisfied that
they are safe to use.
Infrastructure security managers must be able to detect when their networks and
connected systems are under attack and respond appropriately. If necessary, it must be
possible to perform triage and sever infected portions of the network or systems to save
unaffected portions of the infrastructure. Hygiene measures must be implemented to prevent
problems. Automated tools and security management workstations must be developed and
implemented within our networks.
We must accommodate technology life cycles and provide for variations in the degrees of
assurance required for differing applications and missions. Automated tools that support
security administration (such as automatic monitoring and malicious code detection and
eradication) and management are badly needed and must be developed as part of the new
strategy. Our standards and processes should be compatible with international standards,
processes and protocols that influence the technical design of the worldwide telecomputing
infrastructure upon which our nation increasingly depends.
Auditing Infrastructure Utilization
Even though we place a high degree of reliance on the trustworthiness of cleared
personnel given access to our systems, we must still be able to determine if any portions
of the infrastructure are being abused, either by insiders or outsiders. This
determination can be made by recording and analyzing the information and control
transactions that take place on the system, a process called auditing or, if conducted in
real time, monitoring. Through auditing and monitoring, one can establish normal operating
patterns, characterize trends, detect aberrations, and identify unusual activities. If
insiders or outsiders are attempting to obtain, alter, or delete information to which they
are not entitled, make unauthorized connections to the networks, or penetrate computer
systems or applications, auditing and monitoring provides a means to detect their
activities.
However, despite the importance of auditing and monitoring, the Defense and
Intelligence Communities currently are unable to conduct these activities effectively and
efficiently. Too much data in too many forms is being collected. One hour of collected
audit data requires an average of six hours of analysis for adequate review. Nor are audit
capabilities user friendly. All too often audit records are left unopened or the audit
capabilities are never activated. To increase our ability to detect unauthorized activity,
the Defense and Intelligence Communities must develop common auditing and monitoring
record formats and automated tools to assist in the reduction and analysis of these
records. A focal point is needed for this activity. The DISA is the logical choice for
executive agent. As the network manager for the DII, the DISA is already involved in the
identification of requirements and the development and use of automated security analysis
systems for networks.
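The audit reduction the paragraphs above call for, as an added example written for this page rather than any tool of the DISA or the report's authors: records in an assumed common pipe-delimited format are parsed, a per-user baseline of normal hosts and working hours is learned from a training period, and only the records of the review period that deviate from that baseline, are denied, or show repeated failed logins are passed on for human review. The record format, field names, the three-failures-in-five-minutes rule and the sample audit trail are all constructed assumptions.

```python
"""Audit reduction against a learned per-user baseline (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed common record format: ISO timestamp | user | host | action | object | result
FIELDS = ("ts", "user", "host", "action", "obj", "result")

# Constructed sample audit trail: one normal working day, then a night of
# dial-in activity by "bob" that should survive reduction.
SAMPLE_AUDIT = """\
1994-02-07T09:02:11|alice|ws-12|READ|/data/payroll/q1.db|ALLOW
1994-02-07T09:15:40|alice|ws-12|WRITE|/data/payroll/q1.db|ALLOW
1994-02-07T09:30:05|bob|ws-07|READ|/data/projects/plan.txt|ALLOW
1994-02-07T10:01:13|bob|ws-07|LOGIN|-|ALLOW
1994-02-07T11:45:00|alice|ws-12|READ|/data/projects/plan.txt|ALLOW
1994-02-07T14:10:22|bob|ws-07|READ|/data/projects/notes.txt|ALLOW
1994-02-07T15:05:09|alice|ws-12|LOGIN|-|ALLOW
1994-02-08T02:14:31|bob|dialup-3|LOGIN|-|DENY
1994-02-08T02:14:50|bob|dialup-3|LOGIN|-|DENY
1994-02-08T02:15:07|bob|dialup-3|LOGIN|-|DENY
1994-02-08T02:15:30|bob|dialup-3|LOGIN|-|ALLOW
1994-02-08T02:16:02|bob|dialup-3|READ|/data/payroll/q1.db|DENY
1994-02-08T02:16:40|bob|dialup-3|DELETE|/data/personnel/records.db|DENY
1994-02-08T09:05:44|alice|ws-12|LOGIN|-|ALLOW
1994-02-08T09:20:15|alice|ws-12|READ|/data/payroll/q1.db|ALLOW
"""

# Records before the cutoff train the baseline; records from the cutoff on are reviewed.
CUTOFF = datetime(1994, 2, 8)


def parse_records(text):
    """Parse pipe-delimited audit lines into dicts; reject malformed records loudly."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed audit record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def build_baseline(records, before):
    """Learn each user's normal hosts and hours from allowed activity before the cutoff."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for rec in records:
        if rec["ts"] < before and rec["result"] == "ALLOW":
            baseline[rec["user"]]["hosts"].add(rec["host"])
            baseline[rec["user"]]["hours"].add(rec["ts"].hour)
    return dict(baseline)


def reduce_audit(records, baseline, since,
                 fail_window=timedelta(minutes=5), fail_threshold=3):
    """Return only the records since `since` that deviate from baseline, with reasons."""
    flagged = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["ts"] < since:
            continue
        reasons = []
        profile = baseline.get(rec["user"])
        if profile is None:
            reasons.append("user has no baseline")
        else:
            if rec["host"] not in profile["hosts"]:
                reasons.append(f"new host {rec['host']}")
            hours = profile["hours"]
            if not (min(hours) <= rec["ts"].hour <= max(hours)):
                reasons.append(f"off-hours activity at {rec['ts'].hour:02d}:00")
        if rec["result"] == "DENY":
            reasons.append(f"{rec['action']} denied on {rec['obj']}")
            if rec["action"] == "LOGIN":
                window = recent_failures[rec["user"]]
                window.append(rec["ts"])
                window[:] = [t for t in window if rec["ts"] - t <= fail_window]
                if len(window) >= fail_threshold:
                    reasons.append(f"{len(window)} failed logins within {fail_window}")
        if reasons:
            flagged.append({"ts": rec["ts"].isoformat(), "user": rec["user"],
                            "reasons": reasons})
    return flagged


def main():
    records = parse_records(SAMPLE_AUDIT)
    baseline = build_baseline(records, CUTOFF)
    flagged = reduce_audit(records, baseline, CUTOFF)
    reviewed = [r for r in records if r["ts"] >= CUTOFF]
    print(f"{len(reviewed)} records in review window, {len(flagged)} passed to a reviewer")
    for f in flagged:
        print(f["ts"], f["user"], "; ".join(f["reasons"]))


if __name__ == "__main__":
    main()
```

On the constructed trail, alice's two morning records on her usual workstation are suppressed while every one of bob's night-time dial-in records is kept, each with the reasons a reviewer needs; a common record format is what makes the same baseline logic applicable across systems, which is the point of the Commission's recommendation.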
The Commission recommends that the DISA be the executive agent for the Department of
Defense and the Intelligence Community for development of operational security management
tools for infrastructure operations, including more powerful audit reduction tools,
automated tools for use in assessing the security of our networks and connected systems,
and improving security management support technology.
Managing the Risk to Information Systems
The Commission believes that a central data base containing security-related events
should be established. This data base would support the analysis of threats and
vulnerabilities regarding information systems in the Defense and Intelligence Communities
and will be useful in helping to frame risk management decisions. To ensure the most
comprehensive information is available to risk management decision makers, contributing
threat and incident information to the data base must be mandatory.
Because of the sensitivity of reporting vulnerabilities of, and attacks on information
systems, the issue of whether to classify the database is contentious. If unclassified, it
is feared that vulnerability information could be accessed and used by hackers, foreign
intelligence agents and others to gain a better understanding of exploitable weaknesses.
However, the use of a classified data base places restrictions on dissemination that would
prevent use of vulnerability and threat information by those who need it to protect their
systems.
The Commission recommends that the Secretary of Defense and the Director of Central
Intelligence jointly establish and maintain an information systems security threat and
vulnerability data base. The data base should be available to all Defense and Intelligence
Community organizations, including industry, and it must be mandatory that Defense and
Intelligence Community organizations contribute all relevant information to it.
Emergency Response: The Need for Help
The Commission recommends that in addition to creating a threat and vulnerability data
base, a central organization be identified to have the responsibility of working with
system managers to prevent and protect against attacks, to respond in a timely and
effective manner if attacks occur, and to alert others when a problem is recognized. Such
a capability should cooperate with the Computer Emergency Response Team (CERT) efforts now
underway in private industry and academia and with other government agencies. The DoD has
created the Automated Systems Security Incident Support Team (ASSIST) Program at the
Defense Information Systems Agency to perform these functions. The Intelligence Community
should support and rely on the DISA's ASSIST program and we recommend establishing the
Program as executive agent for this function governmentwide.
The Commission recommends that the Secretary of Defense and Director of Central
Intelligence appoint the DISA's ASSIST program as the executive agent for emergency
response functions for the DoD and the Intelligence Community.
Information Systems Security Professionals
The Commission's final recommendation deals with our most important information systems
security resource: people. The Commission recommends creation of a professional corps to
execute the information systems security responsibilities. The Commission also recommends
that a vigorous training program be established to provide for the professionalization
needed by the local security professional while maintaining security consistency across
our networked environment in both government and industry. The national cryptologic school
is a good model for such professionalization training.
The information systems security problem is part of the larger security training and
professionalization considerations discussed elsewhere in this report.
The Commission recommends the DoD and the Intelligence Community establish an
information systems security professional development program as part of the overall
development of security professionals.