Security Takes the Offensive

To protect your house,
open its doors. As
counterintuitive as that
may sound, it's what the
technology-savvy U.S.
intelligence community
is doing to share—and
also protect—sensitive data with federal
agencies, as well as homeland security
and law enforcement organizations.

It's a delicate balancing act.

Today more than ever, cybersecurity is
critical to protect the systems that gather
and analyze intelligence that could thwart
terrorist actions and attacks. Of course, not
everyone is sure the government—or the
technology—is up to the task.

Experts say that installing even the
best firewalls and encryption software
isn't enough to keep systems safe. An
additional conundrum is that, while
plugging any chinks in systems'
cyberarmor, intelligence organizations
must simultaneously allow entry to
those systems in order to share the
information they're protecting with
organizations that need access.

"This flies in face of traditional security
rules and practices," says Kevin O'Connell,
director of the Intelligence Policy Center
for the Rand Corp., a Santa Monica, Calif.,
think tank. And it creates a new role for
the communications networks used by
intelligence professionals.

"We need architectures that protect
sensitive data, but which also allow for the
free flow of information between people
who may not know each other until 20
minutes before their conversation takes
place," O'Connell adds. "That's a very
tough challenge."

One effort that is meeting this
challenge head on is the Department of
Defense (DOD) Global Information Grid
(GIG), a secure, high-speed network that
is being built in stages over the next 15
years. Experts predict that when the
international communications platform is
complete, it may be an essential tool for
protecting the country, while also offering
a model for how other agencies should
implement cybersecurity without
shackling their core missions.

Striving for Better Grades

Some observers believe that the federal
government needs help in jump-starting
its cybersecurity efforts. The House's
Subcommittee on Technology, Information
Policy, Intergovernmental Relations and
the Census has publicly criticized the
federal government's pace in shoring up
cybersecurity.

Last December, the subcommittee gave
the government an overall grade of D for
its IT security efforts in 2003, based on
self-evaluations agencies provided to the
Office of Management and Budget to meet
requirements of the Federal Information
Security Management Act. While two
agencies earned A's, the Defense and
Homeland Security departments scored
only a D and an F, respectively.

One cybersecurity bright spot in DOD
is the National Security Agency (NSA), says
Chip Walker, who was a subcommittee
staff member until March and is now
deputy director of the Cyber Security
Industry Alliance (CSIA), a Washington,
D.C., consortium of security service and
product providers.

"We would have meetings in the
subcommittee to talk about security for
nonclassified systems, and NSA was very
useful in helping us come up with
technological and other types of solutions,"

Walker reports. "They've been doing this a
lot longer than most agencies, so they have
a lot of experience in technologies that other
agencies are just now beginning to use."

This expertise helped NSA get the
nod from DOD to develop the especially
challenging cybersecurity elements of GIG.
To ensure interoperability with the vast
number of public and private sector
networks, GIG will have an Internet
Protocol (IP) network backbone. This
common platform will make it possible
for officials with the highest security
clearances to communicate with each other
and, when necessary, to communicate
with nonclassified collaborators both in
and out of the government.

The project, now in its architecture-definition stage, is expected to handle
communications from satellites, PCs,
handheld devices, cell phones and
mobile radios. "When you're talking
about something as complex as the
GIG, you're talking about significant
[information assurance] and information
technology challenges," says Daniel Wolf,
information assurance (IA) director at
NSA. His group is developing specifications
for GIG's architecture and the security
components that will be integral to it.

Among the many security challenges
GIG faces is its prominence: The network
will be a prime target for the world's
terrorists and hackers. "NSA's information
is a very lucrative target," says Wolf. "We
know that adversaries will go to great
lengths to exploit it."

In addition to basic security elements,
such as firewalls and intrusion-detection
technologies, the GIG will incorporate
high-speed encryptors, new identity
management technology, and security
policies and procedures that have yet to
be developed. Among the latter will be a
system that provides dynamic access to
information based on each user's ID,
security clearance and the sensitivity of
the requested data.

To ensure that users have access only to
information they're authorized to see, GIG
will use a multilayer authentication system.
Before gaining access to information, Wolf
says, "you'd have to have a set of credentials
that say who you are. Plus, the system may
want two or three other things," such as
an electronic security key, a biometric proof
of identity and a password.

Security concerns extend to protecting
the data after it's been downloaded from
GIG. "The computer to which you
download information has to be secure
enough to match your clearance level,"
Wolf explains. "The GIG will validate you
based on its knowledge of those extra
devices and who you are."

The fact that much of GIG's technology
will come from commercial security
products represents a cultural shift in NSA.
The push to use commercial products, a
departure from the intelligence sector's
long-standing practice of creating its
own custom programs, is a nod to
collaboration-enhancing interoperability.

Lessons for All

NSA's cybersecurity strictures, which are
necessary to protect the integrity of its
classified data, are more than most
civilian agencies usually need, but the
technologies and procedures it develops
may still apply, says CSIA's Walker.

Social engineering aspects of NSA's
work on GIG will likely increase
compliance with security guidelines. To
work effectively, security first must be
unobtrusive, Wolf points out. However, if
information assurance isn't easy for users,
"they'll get frustrated and won't use it, or
they'll find ways to get around it," he says.

And, finally, IT managers should not
look at security as something to bolt onto
existing networks or systems. "Many
times, information assurance is thought of
after the fact," he says. "Then it's much
more difficult to do it effectively.

"We like to bake in IA at the start
rather than spread it on after everything
else is done, which is one of the real
advantages of being able to define the
components of GIG's architecture."