DOD information security takes big strides but still lags behind threats
The threat of hackers breaking into sensitive military computer networks and destroying critical information is still serious despite several different technology programs aimed at keeping data safe
By Charlotte Adams
Information security continues to be a major concern at all levels of the U.S. Department of Defense (DOD), as experts emphasize defensive information warfare (IW) as well as more traditional information security approaches.
Information technology is the highest technology priority for the DOD in this decade, says Anita Jones, who as director of defense research and engineering manages the DOD science and technology program. Key security priorities include encryption, large system management, system survivability, system attack techniques, and single-system management.
Jones won't rank these thrusts in any particular order. "For national security, there can't be a single highest-priority thing," she says, quoting former Defense Secretary Caspar Weinberger.
"Defensive IW is of high priority," she says. What's new, she says, is that "we now have a broader focus on systems and systems that survive under unfriendly behavior. That's a very positive change."
The military depends on public switched networks - 95 percent of its communications employ them, say researchers at Science Applications International Corp. DOD also depends on innumerable commercial off-the-shelf (COTS) computers, assets which experienced as many as 250,000 attacks in 1995, according to a GAO report issued in May 1996. "Attackers have seized control of entire defense systems, many of which support critical functions," the GAO report states.
Increasing use of the Internet for military communications poses sizable risks, the GAO report adds. DOD, for example, used the Internet during the Persian Gulf war "to communicate with U.S. allies and gather and disseminate intelligence and counter-intelligence information." According to official estimates, "more than 120 countries already have or are developing ... computer attack capabilities."
Despite highly publicized hacker attacks, DOD still operates primarily in a reactive mode, GAO finds, with "no uniform policy for assessing risks, protecting its systems, responding to incidents or assessing damage." Worse, "only about one in 150 attacks is actually detected and reported," the agency finds.
Although these statistics may have improved since last summer, DOD officials are unprepared for infrastructure attacks, according to a recent report by the Defense Science Board (DSB). The DSB recommends large budget increases and the sure-to-be-controversial right of DOD to intervene in the protection of nongovernmental infrastructure elements.
DOD intervention in the public networks is unlikely, however, unless its officials can win over public opinion in advance. Witness the fire storm associated with the Clipper chip several years back.
"It would be a major step, in my view, to ask DOD to protect the publicly switched networks," Jones says. "I think it is counter to the way national policy is proceeding right now."
Perceived infrastructure threats have captured high-level attention. A recent Executive Order set up a Commission on Critical Infrastructure Protection. This government and industry panel - including DOD representation - will examine threats to and develop a strategy for protecting the telecommunications, electric power, gas and oil systems, water supply, transportation, emergency services, continuity of government operations, and finance/banking infrastructures.
Panel members will study the interdependence of these infrastructures and the possible "cascading effect" of failures, says Nelson McCouch, the commission's public relations director. A report to President Clinton is expected next summer and public hearings will be conducted.
But action isn't lacking. A major three-year advanced concept technology demonstration focusing on intrusion detection, protection, and reaction will involve more than 30 different organizations, including the national laboratories, Defense Information Systems Agency (DISA), National Security Agency (NSA), and Defense Intelligence Agency. The demonstration is set to go forward next October, says an official with the DOD Joint Staff.
Alluding to 24 different security technologies - among them firewalls, guards, intrusion detection, vulnerability databases, network mapping, attack correlation, intelligence, software integrity, risk management integration, and metrics - the Joint Staff official points out that "nothing latches them all together" to provide "defense in depth. That's what we're going to do in the demo."
DOD's multilevel-security (MLS) program is taking a broad perspective, as well, "working with NSA, OSD and the Joint Staff to develop minimum essential criteria for guards," says program manager Army Lt. Col. Kenneth Poindexter. Guards are the software and hardware protecting the interfaces between networks of different security levels.
The MLS program office is "focusing on the assurance of guards in the DOD infrastructure ... to ensure that they are not offering undue vulnerability to the infrastructure," Poindexter explains.
He says he will attempt to establish a common level of assurance, a baseline among the 58 guard types. DOD officials are trying to be proactive in this effort, Poindexter says, "validating the assurance that we think we have."
NSA officials, meanwhile, are pushing to focus IW efforts in a coordination center at their facilities in Washington, observers say, "to promote better cooperation among elements within NSA as well as with other agencies." Staffing it would be as many as 700 people - mostly from the NSA, but including representatives from the Justice Department and CIA.
Dominating defensive IW research is the Defense Advanced Research Projects Agency (DARPA) Information Survivability (IS) program. One recently augmented focus is on wrappers - small chunks of new code placed around other software applications that carry out duties such as intercepting system calls, making copies, or encrypting data.
Wrappers promise to protect legacy systems, says Teresa Lunt, DARPA's program manager for assurance and integration. Other emphases include high-confidence computing and networking and large-scale system survivability.
Firewalls, the fairly coarse filters that guard interfaces between corporate networks and the Internet, are wrappers in a sense, Lunt says. But they can be circumvented.
Wrapper technology implies a "radical departure from traditional" security theology, which requires protection to be built in rather than added on, Lunt says. It may be possible to design security into emerging off-the-shelf software; DARPA experts are trying to do that for operating systems, "but if you have a huge investment in legacy systems, you can't replace the whole thing," she says.
"We don't have the luxury of starting from scratch," Lunt says, "so we have to put new technology into legacy systems."
Two immediate issues are encapsulation - "how to make [a wrapper] so it can't be bypassed, spoofed or tampered with" - and pinpointing the insertion locale. In the global telephone network, for example, if you want to add authentication and access control, how can you determine the best location of the appropriate wrappers?
One wrapper project at Trusted Information Systems Inc. (TIS) in Glenwood, Md., is looking at "how you can add extra assurance and reliability to a network infrastructure when you put it together," says Lee Badger, TIS principal computer scientist.
"The goal is to make wrapping practical," Badger says. TIS engineers would like to make wrappers fine-grained enough to catch interactions, such as system calls, crossing components, even within the same system. Moreover, he wants "wrappers to be loadable and unloadable" at the behest of system administrators at configuration time.
TIS researchers will work to specify a Wrapper Description Language, or WDL, to model wrappers and how they behave, Badger says. They will also build demonstrations to show that the tools work.
Engineers will write the "first cut" wrappers for the Unix environment, but there will be "a parallel effort to explore the Java runtime environment," Badger says. Java offers the promise of portability - "We want to show that these ideas are not specific to one operating system," he says.
Another TIS security project funded by DARPA involves domain type enforcement (DTE), "an access control technology for partitioning computer systems into multiple safe boxes within which individual programs can run while being protected from each other," Badger explains.
The project framers envision going beyond individual DTE implementations to coordinating DTE protection between different network endpoints, Badger explains. Phase 1, now complete, concentrated on firewalls and selected hosts beyond the security perimeter. The idea was for the firewalls to send "dangerous traffic" only to DTE-equipped hosts.
Phase 2, now taking place, involves a wide area network connecting LANs guarded by DTE firewalls. The nets would have different security policies, but "some level of agreement" between them so that they can talk to each other, Badger says. Using TIS's DTE Language called DTEL, network administrators "can specify that policy intersection."
Phase 3 will implement a network service like the Internet`s Domain Name System that will distribute DTE modules to hosts that want to communicate, Badger says. The idea would be for two hosts to negotiate a joint security policy or basis for communication on the fly.
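The "policy intersection" of the Phase 2 and Phase 3 description, as an added illustration that is not TIS code: two networks each hold a DTE policy (which domains may do what to which object types), and the only rights they can rely on across the link are those both sides grant. The domain, type and right names are constructed for the example, and since the page does not show DTEL syntax the policies are written as Python data rather than in DTEL.

```python
# Added example (not TIS's DTE implementation): a minimal model of domain type
# enforcement and of the policy intersection two DTE-guarded networks agree on.
# Domain/type/right names are constructed; DTEL syntax is not shown on the page,
# so policies are expressed as Python data instead.
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Policy = Dict[Tuple[str, str], FrozenSet[str]]   # (domain, type) -> rights

def make_policy(rules: Iterable[Tuple[str, str, str]]) -> Policy:
    """Build a policy from (domain, type, rights-string) triples, e.g. 'rw'."""
    return {(d, t): frozenset(r) for d, t, r in rules}

# LAN A: its mail daemon may read and write spools but only read configuration.
LAN_A = make_policy([
    ("mail_d", "spool_t", "rw"),
    ("mail_d", "config_t", "r"),
    ("admin_d", "config_t", "rw"),
])
# LAN B is stricter: mail daemons only read spools, nobody writes configuration,
# and it additionally lets admin_d read spools (a right LAN A never grants).
LAN_B = make_policy([
    ("mail_d", "spool_t", "r"),
    ("mail_d", "config_t", "r"),
    ("admin_d", "config_t", "r"),
    ("admin_d", "spool_t", "r"),
])

def intersect(p: Policy, q: Policy) -> Policy:
    """Rights permitted by BOTH policies; a right denied by either side is dropped."""
    return {k: p[k] & q[k] for k in p.keys() & q.keys() if p[k] & q[k]}

def allowed(policy: Policy, domain: str, typ: str, right: str) -> bool:
    """DTE check: may a subject in `domain` exercise `right` on an object of `typ`?"""
    return right in policy.get((domain, typ), frozenset())

def concessions(own: Policy, joint: Policy) -> Set[Tuple[str, str, str]]:
    """Rights a network grants locally but cannot use across the negotiated link."""
    return {(d, t, r) for (d, t), rights in own.items()
            for r in rights if not allowed(joint, d, t, r)}

JOINT = intersect(LAN_A, LAN_B)

if __name__ == "__main__":
    for (d, t), rights in sorted(JOINT.items()):
        print(f"{d} -> {t}: {''.join(sorted(rights))}")
    print("LAN A gives up:", sorted(concessions(LAN_A, JOINT)))
    print("LAN B gives up:", sorted(concessions(LAN_B, JOINT)))
```

The intersection is deliberately conservative: a right missing from either side, such as admin_d reading spools in LAN B, never appears in the joint policy.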
DARPA officials are also looking at intrusion-detection systems, which today are fairly crude - they may "look for 10 to 12 bad things," Lunt says. Moreover, they are limited to looking for signatures of known attacks, a tactic that "may not be effective in an IW attack," she says. "We want to scale up to national-scale systems."
One approach is to use software agents - intelligent, mobile code - "roaming around the network, looking for unusual activity, [performing some] analysis and reporting back," Lunt says. Agents possibly could not only isolate intruders but also repair damage.
The use of agents, however, raises new security issues in addition to the more traditional ones, says Fred Schneider, a professor of computer science at Cornell University in Ithaca, N.Y.
A chief requirement is a guarantee that agents won`t corrupt hosts they visit, that agents will accomplish their goals even if the sites they visit fail, and that agents are not "molested" or modified en route, he says.
Schneider is working these issues - with some DARPA funding - as part of Tacoma (Tromsoe and Cornell Moving Agents), a collaboration between his Cornell research group and one at Norway`s University of Tromsoe. This project is the only one he is aware of that is attacking agent fault-tolerance, Schneider says.
Tacoma's strategy is to create multiple agents "so that when agents get subverted, there are other copies around to do the task," he explains. But, with multiple replicas of agents around, a "voting scheme" is necessary "to combine the results of these replicas."
For example, a "voter" - the process that collects agents' information - might choose "the median or the majority of the values produced by the replicas to be the output of the replicated computation, ensuring that the corruption of a few replicas will not affect the output of the voter," Schneider says.
"This works, however, only if agents authenticate themselves to the voter," Schneider explains. And authentication naturally leads to public key cryptography, so that the techniques for classical security purposes dovetail with those necessary for agent fault-tolerance and large-scale systems survivability.
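The voter described above, as an added example that is not Tacoma code: each replica tags its result so the voter can tell who produced it, reports that fail authentication are discarded, and the survivors are combined by majority or median. A keyed hash (HMAC) stands in for the public-key signature the text mentions, because the Python standard library has no signing primitive; replica names, keys and values are constructed for the scenario.

```python
# Added example (not Tacoma code): a replica "voter" with authentication.
# HMAC is used as a stand-in for the public-key signature the text describes.
import hashlib
import hmac
import statistics
from collections import Counter
from typing import Dict, List, Optional, Tuple

Report = Tuple[str, str, str]  # (replica_id, reported value, hex tag)

def sign(key: bytes, replica_id: str, value: str) -> str:
    """Replica side: bind the value to the replica's identity with its key."""
    msg = f"{replica_id}|{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def authentic(keys: Dict[str, bytes], report: Report) -> bool:
    """Voter side: accept only reports whose tag verifies under a known key."""
    rid, value, tag = report
    key = keys.get(rid)
    if key is None:
        return False
    return hmac.compare_digest(sign(key, rid, value), tag)

def vote(keys: Dict[str, bytes], reports: List[Report],
         mode: str = "majority") -> Tuple[Optional[object], List[str]]:
    """Combine authenticated results; returns (output, ids of accepted replicas)."""
    good = [r for r in reports if authentic(keys, r)]
    ids = [rid for rid, _, _ in good]
    values = [v for _, v, _ in good]
    if not values:
        return None, ids
    if mode == "median":
        return statistics.median([float(v) for v in values]), ids
    value, count = Counter(values).most_common(1)[0]
    if count * 2 <= len(values):   # a plurality is not a majority
        return None, ids
    return value, ids

# Constructed scenario: three replicas launched with per-replica keys.
KEYS = {"r1": b"key-one", "r2": b"key-two", "r3": b"key-three"}

def demo_reports() -> List[Report]:
    reports = [(rid, "42", sign(KEYS[rid], rid, "42")) for rid in ("r1", "r2")]
    # r3 was subverted en route: genuine key, corrupted value.
    reports.append(("r3", "999", sign(KEYS["r3"], "r3", "999")))
    # An impostor claims to be r1 without r1's key, so its tag will not verify.
    reports.append(("r1", "999", sign(b"guess", "r1", "999")))
    return reports

if __name__ == "__main__":
    print(vote(KEYS, demo_reports()))            # ('42', ['r1', 'r2', 'r3'])
    print(vote(KEYS, demo_reports(), "median"))  # (42.0, ['r1', 'r2', 'r3'])
```

Without the authentication step the impostor's report would count too, two 42s against two 999s, and the voter would have no majority; with it, one corrupted replica is simply outvoted.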
A second part of the Tacoma effort involves supporting security at the host, Schneider says. This involves implementing a software wrapper on the host to receive and start agents, as well as providing a runtime component for agents to use in communicating and synchronizing with host software and with other agents, he says.
The Tacoma effort has deliberately avoided limiting the languages in which agents can be written, Schneider says. Tacoma supports agents in C, Meta Language (ML), Tcl/TK, Scheme, Perl, Python and even Java, although Java agents are inherently limited in some ways.
Java agents, for example, "have to be pulled into the sites they visit," whereas agents written in ML and the other languages "can be pushed out to sites" and can "go to places because of what they've learned" elsewhere, he says.
Air Force research
More near-term security work is proceeding at the U.S. Air Force Rome Laboratory in Rome, N.Y., and at the Electronic Systems Center at Hanscom AFB, Mass.
One thrust concerns database security and intrusion detection. Because current technology is not fine-grained, it may be possible "to make subtle changes ... within the legal range of [existing] integrity constraints," changing things like coordinates in a mission-critical targeting database, explains Joe Giordano, defensive IW program manager at Rome.
Another direction is the application of "formal methods" and high-assurance design and development techniques to the building of secure network components, he says.
"Formal techniques, for example, enable one to describe the critical properties of a system," Giordano says. Formal methods also enable designers "to describe behaviors systems should adhere to," along with providing "a process to prove that a system embodies those qualities."
Defense Message System
The largest secure networked application coming online now is the Defense Message System (DMS), to include 2 million users. Officials of DISA and the Air Force have pilots up at the unclassified level and the intelligence community has TS/SCI pilots at six different agencies in the Washington area.
DISA officials are also setting up a technology insertion net for follow-on experiments, says Art Dertke, DMS information security technology manager.
DISA experts are also working on a secret-level pilot, starting in the National Capital Region and expanding to the unified and specified commanders-in-chief next year.
As far as production systems go, "We have IOT&E [initial operational test & evaluation] limited rate deployment for services and agency sites that have bought commercial versions" of the DMS messaging packages, Dertke explains. They will upgrade to DMS-compliant software as soon as product testing concludes.
First deliveries of Fortezza-plus cards, for protecting classified information, are expected early in 1998, he says. These will be 100 percent backwards compatible with other versions of the card.
DMS is also "looking at using Fortezza technology to ensure system availability," Dertke says. This mechanism would sign and authenticate management traffic - such as updating routing tables - between components so that a hostile process could not somehow "reroute traffic to other destinations," he explains.
Mail list agents could also use Fortezza to send messages in bulk, he says. But the program is looking at commercial alternatives to Fortezza for these chores as well.
The sheer scale of the DMS infrastructure - the dynamically changing databases supporting authentication of 2 million users - "will be plowing new ground," Dertke says.
Although NSA officials will control the Policy Approving Authority "where trust originates" and the Policy Creation Authority, there will be multiple Certification Authorities. "Scalability is an issue," he says. "That's why we're starting out small."
Working together with Rome Lab and the Air Force`s Theater Battle Management Core Systems program, officials of the Security Products Transition Analysis Facility at Hanscom AFB, Mass., have moved guard technology to the field - including accreditation - in 12 to 18 months, says Jack Wool, project manager.
A third-generation, Imagery Support Server Environment, or ISSE, releasability guard has been deployed over the last 12 months to several service locations, including the Coalition Air Operations Center in Vicenza, Italy, serving the allies in the Bosnian theater. (ISSEs separate U.S. secret and NATO secret releasable and U.S. top secret and NATO secret releasable information levels.)
The upgraded guard handles imagery and annotations, graphics, text and mail, Wool says. It is technically capable of dealing with voice and video, but does not do so in the Vicenza implementation.
Increased automation has accelerated data release, in some cases reducing cycle times from 3 hours to minutes. And because ISSE is based on earlier technology, the investment was around $250,000 rather than in the millions of dollars, he says.
In the coming year Wool anticipates work on "secure boundary mechanisms" with "more efficient electronic interfaces," allowing more continuous and flexible information flow, rather than the typical "chunky guard data flow."
The new work relates to "securing a Distributed Air Operations Center," in operations such as collaborative planning, he says. Research will seek to devise a "mechanism to share information at a very high rate, yet still protect the [security] policies of each player as far as information that is released," Wool explains.
Part of the work will focus on more fully automatic "data bridges" which enable the "controlled release of information" between clusters of computers at different security levels.
Scientists at Rome Lab are also working on object technology, which promises the ability to send not only data, but executable objects as well, such as "a set of data that can be converted into [map] coordinates" - along with information about the objects' attributes, such as security and timeliness, Wool says. This could make possible the movement of MLS objects between systems of different security levels, he says.
Security technology is also advancing in the form of compartmented-mode workstations, or CMWs. The last two Joint Warrior Interoperability Demonstrations (JWIDs) have featured CMWs connecting networks at different security levels. A timely example of MLS capability is the MLS Server, a product based on Digital Equipment Corp.'s CMW platform.
"The goal is to have TS/SCI, SCI/releasable, [U.S.] secret, and secret-allied releasable" information in a single box, Poindexter explains. It will live in a Secure Compartmented Information Facility, but its information will be available to users at various levels, he says. The server will be profiled by NSA and then accredited by a joint body, he says.
The MLS Server "will be the closest thing we've ever done to 'true MLS' because you won't have [to have] that highest clearance to get to the server," Poindexter explains. The application involves "true risk management" rather than risk avoidance, balancing commanders' requirements with the risks involved, he says.
The Army's Joint Intel Fusion Office in McLean, Va., together with Trusted Computer Solutions (TCS) of Herndon, Va., for example, developed an All-Source Analysis System (ASAS) Trusted Workstation. The trusted workstation can work simultaneously with SCI, secret and secret-releasable information.
The platform is a Sun Sparc Workstation running Trusted Solaris, the Trusted Oracle database and Trusted ELT 3000, an imagery software package, says Kevin Toohey, software engineering systems manager for the Intel Fusion Office.
At JWID 96 Intel Fusion also demonstrated an MLS Server developed by TCS, hosting a Java-enabled, MLS database. "Any time new information came into the database related to a user profile, the server would notify the user" via a Java applet, says Mike Burgoon, TCS president.
TCS is developing a follow-on ASAS MLS Intellink Server, which Burgoon predicts "will be easier to accredit than the workstation" because "the only extra network service is HTTP."
The Digital Alpha-based MLS+ Releasability Service, shown at the U.S. Department of Defense Joint Warrior Interoperability Demonstration, is one example of layered security for a wide variety of forces who have different levels of "need to know" when it comes to tactical information.
The Digital Alpha Server 2100 is one platform that DOD officials are eying for multi-level secure computing applications.