Network-Centric Naval Forces: A Transition Strategy for Enhancing Operational Capabilities

5 Information Assurance—Securing the Naval Command and Information Infrastructure

The Naval Command and Information Infrastructure (NCII), as a highly networked system, can be vulnerable to attacks against its communications and computing elements. These vulnerabilities would pose numerous risks for network-centric operations (NCO). This chapter discusses those vulnerabilities and possible approaches to minimizing the associated risk. While the risks are significant, the committee believes they are outweighed by the benefits in operational effectiveness to be gained from NCO. However, this does not mean that the risks can be ignored. Vigilance is required on the part of system designers, implementers, managers, and users to anticipate security vulnerabilities and to address them by technical or procedural means. Constant awareness that portions of the system may be compromised will help warfighters react appropriately to situations. Backup plans should be developed for the most likely compromise scenarios, and warfighters should be trained in these procedures.

This chapter briefly sketches the magnitude of the security problem in today’s systems; discusses the defense-in-depth strategy of prevention, detection, and tolerance; then, describes and assesses what the Department of the Navy is doing today for information assurance; and finally, identifies needed research and discusses some promising research programs that may produce needed technology.

5.1 INTRODUCTION

The Defense Information Systems Agency (DISA) estimates that there are 250,000 attacks on Department of Defense (DOD) computer systems every year.

Copyright © National Academy of Sciences. All rights reserved.

Computer attacks against U.S. systems were up 22 percent from 1996 to 1997, according to a survey by the Computer Security Institute and the FBI. The most recent Computer Security Institute/Federal Bureau of Investigation survey, published in March 1999, confirms this trend.1 The 1999 report notes that denial-of-service attacks were reported by 32 percent of survey respondents, sabotage of data or networks was reported by 19 percent, and virus contamination was reported by 90 percent. Such attacks can be considered as the ordinary background activity that must be dealt with day to day. Some of this activity, when directed against DOD systems, might include information warfare actions to “prepare the battlefield” in the event of a need to interfere with U.S. activity in some future engagement. This is certainly of concern. Of even greater concern, perhaps, is the fact that the United States can expect targeted attacks on DOD systems to increase during hostilities.

Both the threat and U.S. vulnerability can be expected to increase, especially as a result of our increased reliance on the technology that network-centric warfare represents. Vulnerability is increasing along with the increasing connectivity among military systems and between military and civilian networks. Thus, vulnerabilities in the networking technology or in any connected system can be exploited by anyone anywhere to penetrate and corrupt DOD systems. Another source of vulnerability is the increased reliance on commercial products. Commercial security is neither designed nor intended to withstand information warfare attacks, and a large number of exploitable flaws in commonly used products are known to a wide community. Furthermore, the increased homogeneity that results from the nature of today’s commercial computer system marketplace leaves DOD open to attacks that can quickly affect a large percentage of its operations. DOD also depends on vulnerable commercial infrastructures such as telephone networks that, although highly reliable, were not designed to withstand information warfare attack. In addition, since the fleet’s operational networks and the naval force business networks will of necessity be interconnected, the shore establishment will provide many attractive opportunities for penetration and disruption that can extend to the fleets and even their tactical networks, as well as their essential shore support.

1. Rapalus, Patrice. 1999. Issues and Trends: 1999 CSI/FBI Computer Crime and Security Survey. Computer Security Institute, San Francisco, Calif. Available online at <http://www.gocsi.com/prelea990301.htm>.

5.2 THREATS TO THE NAVAL COMMAND AND INFORMATION INFRASTRUCTURE

The United States can count upon its adversaries to search for ways to disrupt the NCII. An adversary may be able to perform analysis (such as traffic analysis) to identify critical nodes and bottlenecks and may develop attacks on these points. Individual elements attacked to gain access or produce an effect may include links, nodes, people, software, and hardware. Because of the numerous connections, both sanctioned and unsanctioned, with the public Internet that are likely to exist within the NCII, penetration of even a low-level network may permit a skilled information warfare attacker to gain access to far more critical systems.

Because of the drawdown in physical assets and forces, an adversary can choose attacks that have magnifying effects, thus significantly degrading the ability of naval forces to conduct operations. For example, in a battle group, which now often consists of a nuclear-powered aircraft carrier (CVN), Aegis ships, and a nuclear-powered attack submarine (SSN), significantly reducing the communications or computing ability of even a single platform could severely impede operations. Marine Corps plans to project forces directly to objectives without building up ground infrastructure are likewise vulnerable to asymmetrical attacks by adversaries. Thus, adversaries who have no traditional military to engage U.S. forces with any hope of success may nevertheless reasonably expect that information attacks will succeed with little risk. The NCII will be an attractive target because naval forces and the success of their operations will depend on the continued correct functioning of the NCII. Such attacks could be on the NCII alone or could be part of an overall military plan of attack against U.S. forces that also includes traditional physical force.

In the future, naval forces will increasingly be faced with unconventional threats, which could include international criminal enterprises, terrorists, and sometimes also nongovernmental organizations (NGOs).
These potential adversaries can rapidly and cheaply obtain IT-based capabilities as a consequence of the globalization of communication, information, and Internet technologies. Expertise in developing and using these technologies is cheap and available worldwide, which is evidenced by the large number of foreigners employed as technical system developers by the U.S. software industry. Even an economically disadvantaged state or nonstate organization can hire criminal elements or disaffected nongovernment members to complement and extend its own ability to attack the NCII. A near-peer power might aid and encourage rogue states or factions or terrorist groups in penetrating or disrupting the NCII.

Enemy ability to penetrate, exploit, and disrupt the NCII could be facilitated by insider support. A malicious insider could, alone or working with outside adversaries, seriously disrupt NCO. Nearly everyone in the naval forces may have access to the NCII, as may interoperable joint peers. As the number of people with access to the NCII grows, it is more likely to include individuals with a desire or motive to cause mischief or engage in sabotage, or who are susceptible to being co-opted by an adversary. Insiders with access to key systems or databases, such as system or security administrators, will be attractive targets for recruiting. One way to minimize this risk somewhat is to reduce the scope of access and control available to any single individual and to require two- (or more) person control of key functions.

5.3 VULNERABILITIES OF THE NAVAL COMMAND AND INFORMATION INFRASTRUCTURE

5.3.1 Use of Commercial Products

The NCII, including its protection functions, will be built largely from commercial software and hardware computing and networking components. These commercial products contain numerous security vulnerabilities, which, as they are discovered, are routinely posted to frequently accessed Web sites (e.g., bugtraq). Attacks are developed against many of these vulnerabilities, and software tools to carry out the attacks are posted to hacker Web sites.2 Commercial security products are not built to withstand the strength of attack that can be expected for military systems but to provide protection appropriate for business operations. Known vulnerabilities in these security products, as well as attacks exploiting them, are also posted on the Web. Vendors may respond by issuing patches (which may take weeks) or correcting the problems in scheduled new product releases (which can take months), resulting in a period of exposure during which procedural workarounds must be employed to reduce risk as far as possible. Many system operators may not be aware of the vulnerabilities that have been discovered in the products they are using or of the availability of procedural workarounds or patches.

The high rate of release of new products and product upgrades means that at any given time there will be no common software configuration across the NCII. With each new product and product release comes the need to keep up to date on product vulnerabilities and fixes. In addition, policy must be generated about acceptable and safe product configurations, and these configurations must be monitored and enforced across the NCII, because failure to do so would result in unnecessary exposure to vulnerabilities.

Additionally, because so much commercial software, including that from the well-known vendors and manufacturers, is produced overseas or domestically using overseas or green-card labor, it is possible for an adversary to plant or co-opt people in product development positions and have them attempt to include malicious triggerable code in commercial products that will be used in the United States and by the DOD. Such hidden features can easily go undetected by the vendor.

2. See, for example, <http://www.hackershomepage.com/index.html> and <http://www.hackcity.de/programme.shtml>.
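The configuration policy that Section 5.3.1 calls for (an approved baseline of product versions and patches, monitored and enforced across the infrastructure, with procedural workarounds recorded for the exposure window before a patch exists) can be made concrete as an audit over a host inventory. The following is an added example written for this chapter, not code from the report or from any Navy program; the product names, version numbers, patch ids and host names in it are constructed, and the inventory format is an assumption about what a configuration-collection agent would report.

```python
"""Configuration-baseline audit across a host inventory.

Added example (not from the report): a policy describing acceptable
and safe product configurations is compared with what each host
actually runs, and every deviation is reported so that it can be
patched, given a procedural workaround, or tracked as known exposure.
Product names, versions, patch ids and host names are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProductPolicy:
    min_version: tuple             # lowest approved release, e.g. (4, 2)
    required_patches: frozenset    # vendor patch ids that must be installed
    workaround: str = ""           # procedural mitigation while a patch is pending


# Constructed policy table (hypothetical products and patch ids).
POLICY = {
    "mailserver": ProductPolicy((4, 2), frozenset({"MS-101", "MS-107"}),
                                workaround="disable the remote admin port"),
    "webproxy": ProductPolicy((2, 0), frozenset({"WP-003"})),
}


def parse_version(text):
    """'4.2.1' -> (4, 2, 1); tuples compare correctly component by component."""
    return tuple(int(part) for part in text.split("."))


def check_host(host):
    """Return (host, product, finding) triples for one inventory record."""
    findings = []
    for product, info in host["products"].items():
        policy = POLICY.get(product)
        if policy is None:
            # Software outside the approved list is itself a policy violation.
            findings.append((host["name"], product, "unapproved product"))
            continue
        if parse_version(info["version"]) < policy.min_version:
            findings.append((host["name"], product, "version below baseline"))
        for patch in sorted(policy.required_patches - set(info["patches"])):
            msg = f"missing patch {patch}"
            if policy.workaround:
                msg += f"; interim workaround: {policy.workaround}"
            findings.append((host["name"], product, msg))
    return findings


def audit(inventory):
    """Run check_host over every record and return all findings."""
    return [f for host in inventory for f in check_host(host)]


# Constructed inventory, as a configuration-collection agent might report it.
INVENTORY = [
    {"name": "ship-a-mail",
     "products": {"mailserver": {"version": "4.2.1", "patches": ["MS-101", "MS-107"]}}},
    {"name": "ship-b-mail",
     "products": {"mailserver": {"version": "4.1.0", "patches": ["MS-101"]}}},
    {"name": "shore-proxy",
     "products": {"webproxy": {"version": "2.3", "patches": []},
                  "chatclient": {"version": "1.0", "patches": []}}},
]

if __name__ == "__main__":
    for name, product, finding in audit(INVENTORY):
        print(f"{name}: {product}: {finding}")
```

Running the audit on the constructed inventory reports nothing for ship-a-mail, an out-of-date release and a missing patch (with its workaround) for ship-b-mail, and a missing patch plus an unapproved product on shore-proxy. The point of carrying the workaround in the policy record is that the exposure window the section describes is handled the same way as a missing patch: the operator is told what to do now, rather than being left unaware of the vulnerability.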

5.3.2 Reliance on Unclassified or Low-classification Information for Sensitive Functions

Sensitive NCII functions may rely on unclassified open source information. Such information sources are vulnerable to tampering and insertion of bad information by malicious entities before the information enters the NCII.

5.3.3 Outsourcing and Contract Personnel

Outsourcing of certain functions and the resulting introduction of contract personnel who require access to the NCII increase the possibility of introducing individuals who can cause damage or collaborate with hostile outsiders.

5.3.4 Joint and Coalition Member Access

To carry out joint and coalition operations, it may be necessary to give NCII access to joint and coalition personnel. This increases the likelihood of having insiders with motivation to cause damage. This population may also have a much poorer understanding of security, thereby decreasing general security awareness and vigilance among the users and operators of the NCII.

5.3.5 Connectivity to Public Networks

The NCII will have connections to the Internet and the Web to gain access to useful information, such as weather, environmental, news, and personal and recreational information. Attacks on these public databases may hinder the NCII. This connectivity also exposes the NCII to viruses and other information warfare weapons in data and code that enter the NCII. Also, NCII users might download arbitrary code, which could be infected with viruses or worms that could spread and cause damage within the NCII. It is also possible for an adversary to disguise hostile code, such as viruses, in attractive free software that NCII users may be tempted to download from the Web, thereby compromising the NCII.

Another risk of connecting to public networks is the increased use of mobile code, for example to implement so-called intelligent agents. With mobile code, users may be importing code into the NCII without being aware of it. While vendors have been adding security capability into the tools and languages commonly used to build mobile code (e.g., Java), such protections are not commonly in use on the Web.

Connectivity to public networks may also allow adversaries to observe the Department of the Navy’s activity on the public networks and infer information about the Navy Department’s operations and plans. To the extent that the NCII uses public networks to convey encrypted classified information, an adversary will be able to perform traffic analysis and infer useful information, including information that will help it to understand useful targets for denial-of-service attacks. In the DOD Eligible Receiver exercise in 1997, red team attackers penetrated sensitive networks by first attacking less sensitive networks to which they were connected.

5.3.6 Homogeneous Technology

Market forces and consolidation within the computer industry have meant that a few brands of software and hardware are ubiquitous. The NCII will also be largely homogeneous, with common products in use everywhere. Such homogeneity leads to widespread common vulnerabilities that can be exploited by common attacks. Large-scale networks of such systems are particularly vulnerable to virus attacks that can spread rapidly, because every system is vulnerable to the same virus. The devastating consequences of disease that are possible with homogeneous populations have been long recognized by the agricultural industry, which uses the strategy of crop diversity to limit the spread of disease and its consequences. For information networks, the availability of diverse implementations of common protocols and standards could help provide robustness, although such availability is not expected anytime soon.

5.3.7 Vulnerabilities of Tactical Networks

Tactical networks have particular vulnerabilities in addition to those they share with conventional wired networks. Tactical networks are subject to spoofing, jamming, and interception through the air. An adversary can launch a spoofing attack by attempting to introduce false information into a tactical network through false radio transmission. Through-the-air transmissions are vulnerable to jamming by suitably located and directed enemy transmissions. Because tactical transmissions are through the air, they may be subject to interception with greater ease and at a greater distance than those carried over wired networks. An adversary who intercepts U.S. radio signals can attempt to gain an advantage in several ways. It can try to gain intelligence about U.S. forces’ status and intentions by reading the data; it can make inferences about present and future activities by noting the source, destination, and volume of radio communications (that is, by performing traffic analysis); and it can geolocate the transmitting platform.

In addition, because tactical networks may be within reach of enemy forces, end instruments are subject to terminal capture. Enemy capture of a network node means that the enemy is inside a naval network. If this seems a remote possibility, it should be remembered that the naval tactical networks will include Marine Corps ground networks and will be closely linked into those for the Army. A tactical node can be overrun as a result of an action as simple as the capture of a single wheeled vehicle. Enemy capture of a functioning network node could take some time to notice and respond to, during which time a great deal of damage could be inflicted, some of which might last far longer than the node itself. For instance, an enemy could spoof the common tactical picture, adding fictitious elements to it, and could also engage in various types of network denial-of-service attacks. Another problem would arise if the United States were unwilling to share its cryptographic apparatus with coalition partners. Either it would not fully benefit from their data or it would risk the introduction of corrupted data.

5.3.8 Interconnection of Networks of Different Classifications

The NCII will require the interconnection of networks of different classifications, so that information contained in low networks is available to high networks and also so that appropriately sanitized high data can flow to low networks. There is a risk that unless extreme care is taken in the design and implementation of the boundary controllers that connect such networks, high information could leak into low networks. If there is a hostile insider or hostile code on a high network collaborating with an entity on a low network, high information could be sent covertly using steganographic means. There are no means of detecting such an information flow. Man-in-the-loop security release stations are useless against such a covert flow but pose their own risks, since approving information for release is a tedious task and the operator can routinely and unthinkingly approve the release of information that should not be released. In addition, there is a risk that low code and data that enter a high network can be maliciously tampered with in the low network to corrupt high databases or to introduce malicious code into high networks.
5.3.9 Interference with Critical Functions

The indiscriminate interconnection of strategic and tactical information networks with mission-critical networks (e.g., those used for air defense) can have undesirable consequences. First, such interconnection exposes these critical functions to tampering from a large interconnected population. Second, the bandwidth and computing resources for those critical functions may not be available when needed owing to competition from other users and applications. And third, unanticipated interactions between the interconnected networks may result in the failure of critical functions; these interactions can be particularly difficult to diagnose and correct.

5.4 DEFENSE IN DEPTH

Experience has shown that many successful attacks on DOD systems are not detected. In these attacks, an intruder may make surreptitious use of a penetrated system; may silently steal data or gather intelligence; may plant malicious code, perhaps for future use; may alter data, perhaps to lead the user or system to an erroneous decision; or may interfere with or degrade system operation. Such attacks could make systems unusable, degrade performance, lead commanders to make poor decisions due to faulty data, leak valuable secrets, or leave behind code that could provide continuing backdoor access or be activated at the occurrence of a predetermined event to take obstructive action. It is clear that such attacks cannot be prevented or even reliably detected. Thus, in addition to erecting access barriers and deploying detection systems, the Department of the Navy must discover how to design its critical systems, using commercially available components, so that they can be relied on to provide continuous correct operation in situations in which they are successfully attacked.

The notion that it is not possible to discover all vulnerabilities and use this information to guide a protection strategy is contrary to current thinking in DOD, where the emphasis is on discovery of vulnerabilities, so that appropriate protections can be placed to counter them. This popular vulnerability discovery approach puts protections in place only where there are known vulnerabilities. But because there is no way that all vulnerabilities can be discovered, such an approach will leave the system unprotected from its unknown exploitable vulnerabilities, which, if discovered at all, would be found out only during the operational lifetime of the system. This is a dangerous situation, because an adversary may well discover and exploit vulnerabilities that are still unknown to the Department of the Navy.
In fact, the situation is asymmetric, because a determined adversary can decide which part of the system it wants to manipulate or exploit, purchase the commercial products that are used in that part of the system, and spend many months deconstructing these products to discover vulnerabilities that can be profitably and surreptitiously exploited. While such an approach is clearly affordable by an adversary, it is not affordable as a defense, since the defender would have to perform a costly analysis for every system component, whereas the adversary can pick and choose its focus of attack. The Department of the Navy must operate on the assumption that any component of any system may have unknown security vulnerabilities that could be exploited by an adversary. Even the security protections put in place may contain such unknown vulnerabilities. With this in mind, the Department of the Navy will have to add redundant, independent security mechanisms and assume that not all attacks can be prevented, although there must be some means to detect attacks that are successful. Even more so, the Department of the Navy must recognize that its detection technology is far from perfect and that there will be successful attacks that are not detected. Thus, naval systems must be designed, to the extent possible, to be able to continue functioning despite the presence of an attacker. Appropriate strategies such as confusing an attacker who has successfully penetrated naval systems must also be developed.

Defense in depth is a threefold strategy that emphasizes prevention, detection, and tolerance (Figure 5.1). But today such a strategy cannot be completely implemented because of technology shortfalls at each level of the defense-in-depth strategy. Many people in DOD and the Department of the Navy use the term “defense in depth” to mean what the committee calls a layered defense (discussed in Section 5.4.1.1). Here, a layered defense is considered to be part of a defense-in-depth strategy.

FIGURE 5.1 Defense in depth. SOURCE: Modified from a figure by Sami Saydjari shown during a briefing to the committee, DARPA, Arlington, Va., May 19, 1999.

5.4.1 Prevention

To be affordable, naval networks and systems must use commercial products and services to the extent feasible. These products and services were not built to meet the security demands of network-centric operations. They generally have many known security vulnerabilities, and new vulnerabilities are discovered throughout their lifetimes. Because commercial products are so large and complex, it is not generally possible to discover all the vulnerabilities in advance, no matter how much testing is performed. Thus, all components must be treated as vulnerable, and the systems that use these components must be designed bearing in mind that there may be security vulnerabilities in any system component. Even when security functionality is designed into commercial products and services, this security is generally weaker than that required for naval needs. This points to the need to be able to design systems built from insecure components and services so that the systems are secure against threats to naval forces. While the security research community has long recognized the need for viable approaches to building secure systems from insecure components, very little is known about how to do this, and secure system design remains an ad hoc, poorly understood discipline.

5.4.1.1 Layered Defenses

The committee does not discourage the Department of the Navy from performing vulnerability assessments. The more one knows about a system, the better. The point is not to rely on vulnerability discovery to guide the protection strategy (this is sometimes referred to as a penetrate-and-patch strategy). A better and safer strategy is to assume that every system component contains unknown security vulnerabilities that can be exploited by an adversary. Where to place protections against such unknown vulnerabilities will depend on an analysis of the consequences if any of these unknown vulnerabilities are exploited. In designing protections, it must also be kept in mind that the protections themselves can contain unknown, exploitable vulnerabilities.

Because every system component, including the protection components, must be assumed to contain unknown, exploitable security vulnerabilities, a layered defense strategy must be employed. The idea here is that protections are employed to counter known and unknown security vulnerabilities in the system. Barriers to attack can be employed to counter many types of potential vulnerabilities; however, a single barrier should not be relied on to repel a determined adversary. Because these protection components themselves may contain vulnerabilities (both known and unknown), additional layers of protection must be employed. Such a layered defense reduces the likelihood that an attacker can find an exploitable vulnerability, because for this to happen, not only must the original system contain a vulnerability, but each successive protection layer must also be flawed.
Having several layers of defense increases the difficulty for the attacker. Each additional layer increases the odds for the defense and reduces the odds for the attacker. Thus, a layered defense helps to provide additional defenses even if a particular protection mechanism is subverted.

5.4.1.2 Malicious Insiders

One important source of vulnerability is the malicious insider. Working alone or with outside adversaries, a malicious insider could seriously disrupt network-centric operations. Monitoring user activities is another risk-reduction technique. Software that tracks downloading and checks for authorization; required use of biometric as well as password identification for users; and continuous record keeping of user log-on and log-off times with subsequent pattern analysis can all add a measure of security and potentially increase the likelihood of detecting malicious insider activities. All of these steps, especially many cascaded together, will add complexity and delay in many system functions. A balance will have to be struck between reducing risk and supporting functionality. The NCII must be able to accommodate ad hoc adjustment by commanders to account for shifting degrees of urgency and penalty for error, while sustaining some essential safeguards.

5.4.1.3 The Limitations of Commercial Product Assessments

Many in the DOD are concerned about the widespread use of commercial products in DOD systems and the potential vulnerabilities to the missions that rely on the use of these products. Some of these people advocate that the DOD institute a function that would evaluate commercial products to discover their vulnerabilities, so that appropriate defenses or workarounds can be developed. It will probably not be possible to do a good job of this, no matter how much testing is performed, because of the size (lines of code) and complexity of these products. If an adversary were to plant or co-opt people in product development positions and have them insert malicious, triggerable code into commercial products, such hidden features could go undetected by the vendor’s quality assurance and testing. Detecting such code would be even more difficult for DOD, which has access only to the object code of these products, despite the advanced reverse-engineering capabilities present in certain parts of DOD. The likelihood of such a scenario can be assessed in light of the fact that it is fairly common for popular programs to have undocumented features that survive in final product releases without the knowledge of the product manager (e.g., special key sequences to bring up hidden games or photographs of the developers). The functionality of these products is simply so extensive that unused hidden functionality is highly unlikely to be discovered by any software evaluation techniques.
The committee believes that the Department of the Navy should collect as much information as possible about products it has in widespread use. This information can be collected from an in-house evaluation (of both functional and security aspects) as well as from evaluations performed by other organizations. For example, the National Institute of Standards and Technology has established common criteria for products as well as a common evaluation methodology, and product evaluation information is available for some products.3 DARPA’s Information Assurance Science and Engineering Tools program4 is attempting to develop assurance metrics and evaluation tools for systems.

3. National Institute of Standards and Technology. 1999. Common Criteria Project. Gaithersburg, Md., November 1. Available online at <http://csrc.nist.gov/cc/>.

4. Skroch, Michael J. 2000. IA Science and Engineering Tools. DARPA, Arlington, Va., January 1. Available online at <http://iso.isotic.org/Programs/progtemp/progtemp.cfm?mode=342>.
model-based reasoning to infer intent and predict future status, effect correlation to assess damage, and evidential reasoning to assess certainty.

FIGURE 5.4 Network of intrusion detectors and reporting centers.

Figure 5.4 shows a network of intrusion detectors and reporting centers. The reporting centers are organized roughly into layers, with the local detectors reporting into organizational security centers, which in turn report into regional reporting centers, which report into DOD and national reporting centers. At each layer of this network there would be a security detection and response center, which would have a number of functions (see Figure 5.5). The detection function analyzes and filters events reported from lower layers; the analysis identifies items of interest to this layer as well as items to be reported to higher layers. The assessment function attempts to understand coordinated events of interest to this layer and for reporting to higher layers. The tracing function can initiate tracebacks to attempt to discover the source of an event, or may participate in tracebacks initiated by other centers. The event notification function notifies peers or lower layers of hostile events happening elsewhere so they can prepare a defense. The automated response function can initiate local actions or instruct lower layers to take specific recommended actions to thwart a suspected in-progress attack or to implement specific defensive actions. This function can also exchange information with its peers to help decide what actions to take or to recommend to lower layers. DARPA is beginning to invest in this area with its three new programs: Strategic Intrusion Assessment, Cyber Command and Control, and Autonomic Information Assurance.

FIGURE 5.5 Security detection and response center.

The Strategic Intrusion Assessment program aims to develop technologies capable of distinguishing significant patterns of events that cross geographic and administrative domains and that indicate a possible information warfare threat. It will develop a capability for peer-to-peer cooperation among detectors, including the ability for detectors to discover each other, negotiate requirements, and collaborate on diagnosis and response. The program will also develop techniques for correlating the output of intrusion detectors to infer the intent of the attacker. The Cyber Command and Control program will develop decision support tools to allow humans to assess the security status of a command and control system. It will assist human beings in ascertaining the activities and goals of adversaries attacking the system and in determining and carrying out the courses of action to counter them that are most effective and that interfere least with the system’s ability to carry out its operational functions. The Autonomic Information Assurance program will develop technologies to allow systems to encode tactics to automatically detect and respond to routine known attacks so that the decision makers can focus on the strategic situation. The program will develop approaches for fast, adaptive defenses against these types of attacks. This should result in the ability to prevent damage from large classes of previously known attacks.

5.7.2 Intrusion Tolerance

Intrusion tolerance aims to ensure the continued correct operation of the surviving portion of a system even when it has been partially compromised. Component technologies include the ability to rapidly recognize corrupted data and programs, intrusion detection to recognize a local attack, techniques to constrain an attacker’s resource consumption so as to minimize its opportunity to deny service, resource allocation methods to assign the most important tasks to the remaining resources, and methods to automatically repair damaged processes.

Traditional system designs have “central nervous systems” that, if attacked, can completely disable the system. Corrupted or malicious member entities can lead to incorrect functioning of the system as a whole. A possible architecture for an intrusion-tolerant system is one that is highly decentralized, so that the attacker cannot cripple the entire system by attacking one or a few points. The system could comprise many relatively independent processes that are collaborating to achieve a common goal. In highly decentralized systems, the overall behavior is the result of many small decisions made autonomously by member entities.
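As an added illustration of the decentralized, intrusion-tolerant design just described (example code written for this edit, not code from the report or from any DARPA program), the block below models a small group of member entities that each compute the same function using a deliberately different implementation, and a coordinator that takes the majority answer and isolates any member whose answers keep diverging. The member names, the median function chosen as the shared task, the corrupted member and the inputs are all constructed for the illustration.

```python
"""Majority voting among diverse member entities, with isolation of a member
whose answers diverge. Added example; names and inputs are constructed."""
import heapq
import statistics
from collections import Counter


# Three different implementations of one function (the median of a list).
# Written differently on purpose: a fault or attack that corrupts one
# implementation is unlikely to produce the same wrong answer in the others.
def median_sort(xs):
    s = sorted(xs)
    n, m = len(s), len(s) // 2
    return s[m] if n % 2 else (s[m - 1] + s[m]) / 2


def median_heap(xs):
    h = list(xs)
    heapq.heapify(h)
    n = len(h)
    popped = [heapq.heappop(h) for _ in range(n // 2 + 1)]
    return popped[-1] if n % 2 else (popped[-2] + popped[-1]) / 2


def median_stdlib(xs):
    return statistics.median(xs)


def median_corrupted(xs):
    # Constructed stand-in for a member whose program state has been
    # corrupted: it returns a plausible but wrong answer.
    return median_sort(xs) + 1


class Member:
    def __init__(self, name, impl):
        self.name, self.impl = name, impl


class Group:
    """Coordinates members; the group's answer is the majority answer."""

    def __init__(self, members, max_strikes=2):
        self.members = list(members)
        self.max_strikes = max_strikes
        self.strikes = Counter()   # disagreements per member
        self.isolated = []         # members removed from the group

    def compute(self, xs):
        answers = {m.name: m.impl(xs) for m in self.members}
        winner, votes = Counter(answers.values()).most_common(1)[0]
        if votes * 2 <= len(answers):
            # No majority: refuse rather than return an untrusted value.
            raise RuntimeError("no majority among members")
        for m in list(self.members):
            if answers[m.name] != winner:
                self.strikes[m.name] += 1
                if self.strikes[m.name] >= self.max_strikes:
                    self.members.remove(m)
                    self.isolated.append(m.name)
        return winner


def run_demo():
    group = Group([
        Member("node-sort", median_sort),
        Member("node-heap", median_heap),
        Member("node-stdlib", median_stdlib),
        Member("node-corrupt", median_corrupted),
    ])
    inputs = [[5, 1, 9, 3, 7], [2, 4, 6, 8], [10, 20, 30]]  # constructed
    results = [group.compute(xs) for xs in inputs]
    return results, group.isolated, [m.name for m in group.members]


if __name__ == "__main__":
    print(run_demo())
```

The group keeps answering correctly while the corrupted member is present, and after two disagreements that member is removed from the quorum; with only three members left the coordinator still requires a strict majority, so a second corrupted member could not silently outvote the honest ones.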
One example of such a system is the Federal Aviation Administration free-flight air traffic control system currently being developed, in which individual aircraft will be able to negotiate with one another for their desired airspace rather than being controlled centrally from the ground. The Internet is another example of a system in which individual entities act autonomously yet collectively provide a global function. Such systems are inherently survivable in that a subset of the entities may be corrupted or lost and the overall system can continue to carry out its global function. (Note that if decentralized control is deemed to be too costly for routine system operation, the system can be designed to switch from centralized to decentralized operation when a threat is detected, and various degrees of decentralization may be designed in.) Protocols among the individual entities can allow them to cooperate to detect and isolate corrupted or malicious member entities. Survivability can be strengthened by the use of artificial diversity techniques, so that no single attack type can disable a large fraction of the processing entities. The system should be capable of self-monitoring, so that it can ensure that the most critical tasks get access to the uncorrupted resources. Self-monitoring can also recognize and trigger appropriate action when the collection of local responses results in some undesired system-level behavior. This collection of strategies can make systems inherently resistant to attack, much as the immune system makes humans resistant to disease. These defenses limit the spread or impact of an attack.

Intrusion tolerance requires an intrusion detection and response capability. This in turn requires targeted and possibly redeployable sensors to perform security monitoring; an infrastructure of intrusion detectors that performs analysis on data collected by the sensors; and response elements capable of reacting to alerts issued by the detectors to isolate the attacker, assess the damage, and recover.

Economic forces are driving out computational diversity. Market forces and consolidation within the computer industry have resulted in a few major brands of software and hardware being ubiquitous. The NCII will also be largely homogeneous, with common products in use everywhere. Such homogeneity leads to widespread common vulnerabilities that can be exploited by common attacks. DARPA is beginning to investigate means of artificially introducing diversity into homogeneous systems. Introducing diversity into highly decentralized systems can limit the subpopulation susceptible to any given attack and can cause attacks to have only local effects or to die out before they spread widely. Diversity is also a hedge against unanticipated means of attack; at least some system elements will survive and provide a basis for reconstitution. Means under investigation for artificially introducing diversity include self-specializing software that could reconfigure itself for a new specialization in response to attack; compilers that could vary the location of buffers, data structures, and code sequences, making attacks against them nonrepeatable; and multiple diverse implementations of the same functions.
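The detection and response infrastructure that intrusion tolerance depends on is the layered network of detectors and reporting centers sketched around Figures 5.4 and 5.5. The block below is an added example (written for this edit, not taken from the report or from any DARPA program) that models three of the center functions named there: detection (filtering events from the layer below), assessment (correlating events from several sensors into an incident that is escalated upward) and event notification (warning a peer center). The center names, event kinds, addresses and thresholds are constructed.

```python
"""Layered intrusion reporting: local detectors feed an organizational center,
which filters, correlates and escalates to a regional and then a national
center, warning peers along the way. Added example; all names, event kinds
and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    sensor: str      # detector that raised the event
    src: str         # source address as seen by that detector
    kind: str        # constructed event kind, e.g. "port_scan"
    severity: int    # 1 (noise) .. 5 (critical)


@dataclass
class Center:
    name: str
    min_severity: int        # detection: drop events below this level
    escalate_hits: int       # assessment: a source seen by this many distinct
                             # sensors is treated as a coordinated incident
    parent: "Center" = None
    peers: list = field(default_factory=list)
    retained: list = field(default_factory=list)   # events kept at this layer
    escalated: list = field(default_factory=list)  # incidents sent upward
    warnings: list = field(default_factory=list)   # notices received from peers

    def detect(self, events):
        # Detection function: keep only events of interest to this layer.
        return [e for e in events if e.severity >= self.min_severity]

    def assess(self, events):
        # Assessment function: correlate by source across sensors.
        seen_by = defaultdict(set)
        for e in events:
            seen_by[e.src].add(e.sensor)
        return {src: s for src, s in seen_by.items() if len(s) >= self.escalate_hits}

    def notify(self, origin, src):
        # Event notification: a peer warns us so we can prepare a defense.
        self.warnings.append((origin, src))

    def report(self, events):
        kept = self.detect(events)
        self.retained.extend(kept)
        incidents = self.assess(kept)
        for src in incidents:
            incident = Event(sensor=self.name, src=src, kind="coordinated", severity=5)
            self.escalated.append(incident)
            for peer in self.peers:
                peer.notify(self.name, src)
            if self.parent is not None:
                self.parent.report([incident])
        return incidents


def run_demo():
    national = Center("national", min_severity=5, escalate_hits=1)
    regional = Center("region-east", min_severity=4, escalate_hits=1, parent=national)
    org_a = Center("org-a", min_severity=2, escalate_hits=2, parent=regional)
    org_b = Center("org-b", min_severity=2, escalate_hits=2, parent=regional)
    org_a.peers.append(org_b)
    org_b.peers.append(org_a)
    events = [  # constructed sample reports from org-a's local detectors
        Event("host1", "10.0.0.7", "failed_login", 1),        # below threshold
        Event("host1", "198.51.100.9", "port_scan", 3),
        Event("host2", "198.51.100.9", "port_scan", 3),
        Event("host3", "198.51.100.9", "malformed_packet", 4),
        Event("host4", "203.0.113.5", "port_scan", 3),        # one sensor only
    ]
    incidents = org_a.report(events)
    return {
        "incidents": sorted(incidents),
        "org_a_retained": len(org_a.retained),
        "org_b_warnings": org_b.warnings,
        "regional_escalated": [e.src for e in regional.escalated],
        "national_escalated": [e.src for e in national.escalated],
    }


if __name__ == "__main__":
    print(run_demo())
```

Only the source seen by several sensors becomes an incident; the noise event is filtered at the organizational layer, the single-sensor scan is retained locally but not escalated, and the incident reaches the national center while the peer organization is warned. In a real deployment the thresholds would differ per layer and the correlation would be far richer, but the division of labour between the layers is the point.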
Executing processes may fail or behave incorrectly owing to a corrupted program state. Individual processes in a survivable system should be able to detect and repair a corrupt program state so as to tolerate attack and maximize their running lifetime. Processes could check on their own integrity, send out alarms, and restore themselves to a safe state. For example, they could repair dangling pointers, change variable values to maintain invariants, restart failed connections, purge filled buffers, resynchronize with other processes, close unresponsive wait states, restore to a good checkpoint, and reload code or data from disk.

DARPA’s new Intrusion Tolerant Systems program is investigating innovative designs for decentralized systems that are inherently resistant to attack. The research will continue and build on research into artificial diversity techniques that were initially investigated in DARPA’s Information Survivability program. It will also develop methods to enable member entities to detect and isolate corrupt entities. Survivable resource allocation methods are being developed to assign surviving resources to the most critical functions so as to allow damaged systems to continue functioning despite the loss of significant resources and even of critical centralized control functions. Monitoring approaches are being developed to give systems the ability to monitor global behavior and to take local action to prevent undesired emergent effects. Integrity techniques are being developed to allow continued correct operation of the surviving portion of the system even when an attack has compromised data and code. These will include techniques to rapidly distinguish intact from corrupted information after penetration, to protect mobile code from corruption, and to maintain the integrity of systems in the presence of attack.

5.7.3 Preventing Denial of Service

Attacks that consume system resources or make them unavailable to the legitimate users and processes of the system are known as denial-of-service attacks. These attacks waste system resources and can exhaust them. They can cripple network elements and disrupt network operation. For example, Internet routing protocols commonly in use today have vulnerabilities that allow malicious entities to spoof router table updates. This could result in the propagation of bad routing information throughout the network, with consequences ranging from poor network performance, through the inability to deliver messages to certain destinations, to the collapse of portions of the network. Similar attacks on the Internet domain name service could make the network unable to deliver messages. Attackers also could take advantage of high-cost protocol checks (such as authentication) to consume resources.

Denial-of-service attacks can be thwarted by constraining an attacker’s consumption of resources. Techniques are needed that would constrain denial-of-service attackers to a small percentage of system resources and that would slow such attacks sufficiently so that they can be detected. DARPA has announced the new Fault Tolerant Network (FTN) program14 to develop focused technologies that support continued operation in the presence of successful attacks. The program will address in particular the vulnerabilities and issues expected to arise in the highly networked environments envisioned for future warfighting operations. Many network services represent potential points of failure. The FTN program will apply fault tolerance ideas to network services to reduce the amount of damage sustained during an attack and to enable continuous correct service delivery even when the services are under successful attack. This should help ensure continued availability and provide a technical basis for graceful degradation of service under successful attack, as well as help maximize the residual capacity available to legitimate users.

14 This program within the Information Assurance and Survivability program suite focuses on three areas to be studied and evaluated: (1) fault tolerant survivability, (2) preventing denial-of-service attack, and (3) active network response.
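The paragraph above asks for techniques that hold a denial-of-service source to a small percentage of system resources and slow it enough to be detected. The block below is an added example (written for this edit, not code from the report or from the FTN program) of the simplest such technique: a per-source token bucket in front of a service, so that each requester's admitted rate is bounded regardless of how much load it offers, and a source that is refused repeatedly is reported for investigation. The request stream, the source names, the bucket parameters and the reporting threshold are constructed.

```python
"""Per-source resource constraint against flooding. Added example; the
request stream and all rates and thresholds are constructed."""
from collections import Counter


class FairShareLimiter:
    """Each source holds at most `burst` tokens and gains `rate` tokens per
    time unit; one request costs one token. A source refused `flag_after`
    times is added to `flagged` so monitoring can look at it."""

    def __init__(self, rate, burst, flag_after):
        self.rate, self.burst, self.flag_after = rate, burst, flag_after
        self.tokens = {}          # source -> tokens remaining
        self.last = {}            # source -> time of last request
        self.refused = Counter()  # source -> requests refused so far
        self.flagged = set()      # sources that exceeded the refusal threshold

    def admit(self, src, now):
        tokens = self.tokens.get(src, self.burst)
        elapsed = now - self.last.get(src, now)
        tokens = min(self.burst, tokens + elapsed * self.rate)
        self.last[src] = now
        if tokens >= 1:
            self.tokens[src] = tokens - 1
            return True
        self.tokens[src] = tokens
        self.refused[src] += 1
        if self.refused[src] >= self.flag_after:
            self.flagged.add(src)
        return False


def serve(requests, limiter):
    """Run a (time, source) stream through the limiter; return work served per source."""
    served = Counter()
    for now, src in requests:
        if limiter.admit(src, now):
            served[src] += 1
    return served


def build_stream(units=10, flood_rate=100,
                 legit=("ship-a", "ship-b", "ship-c", "ship-d", "ship-e")):
    # Constructed offered load: each legitimate source sends one request per
    # time unit; one source ("flooder") sends flood_rate requests per unit.
    reqs = []
    for t in range(units):
        reqs.extend((t, name) for name in legit)
        reqs.extend((t, "flooder") for _ in range(flood_rate))
    return reqs


def run_demo():
    stream = build_stream()
    limiter = FairShareLimiter(rate=1, burst=2, flag_after=50)
    served = serve(stream, limiter)
    offered = Counter(src for _, src in stream)

    def flooder_share(counts):
        return round(counts["flooder"] / sum(counts.values()), 2)

    return {
        "served": dict(served),
        "flagged": sorted(limiter.flagged),
        "flooder_share_offered": flooder_share(offered),
        "flooder_share_served": flooder_share(served),
    }


if __name__ == "__main__":
    print(run_demo())
```

Without the limiter the flooder would account for about 95 percent of the work accepted; with it the flooder is held to the same per-source rate as everyone else (about 18 percent of the work in this constructed stream), every legitimate source keeps its full service, and the flooder is flagged within the first time unit. A per-source bucket is only a first line: it does not help against many cooperating sources, which is why the paragraph above also calls for slowing attacks enough for the detection layer to act.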

5.7.4 Hardening Legacy Systems

Naval systems contain a high percentage of legacy and off-the-shelf components that do not provide the properties needed for information survivability. Methodologies are needed to allow the insertion of security functionality into legacy systems to address the vulnerabilities of the large in-place legacy base, which will persist for years to come. Also, because commercial products will not have the security and survivability features required for critical naval applications, a means is needed to allow designers to selectively harden such products.

The concept of security wrappers appears promising for retrofitting some security functionality into legacy systems. Wrappers encapsulate an existing component by intercepting all input to and output from the component (see Figure 5.6). This is done so as to require little or, ideally, no change to the wrapped component or to the components that interact with it. Indeed, the wrapped component, as well as those components with which it interacts, will be unaware of the wrapper. The wrapper interposes additional security and survivability functionality. For example, a wrapper may be added to create a security log, which may be analyzed by a separate intrusion detector. Or, wrappers on sending and receiving components can perform encryption/decryption or message integrity checks. As another example, a wrapper can be used to perform access control by filtering access requests to a component. To add fault tolerance, a wrapper could transparently replicate a component. A number of security and survivability functions, such as encryption, access control, security monitoring, message integrity, management and control, and replication, could be provided by wrappers.

These basic functions could be implemented in reusable building blocks that could be automatically provided by a wrapper generator according to a wrapper specification. The building blocks might come in several varieties for the same function; for example, there might be several implementations of authentication (passwords, secure ID, Kerberos, Fortezza, and so on), each with different specified strengths and costs. A wrapper specification could provide requirements for strength of mechanisms and constraints on their costs. Such modularity would also lend itself to future upgrading to stronger mechanisms without having to completely reconstruct the wrappers. A significant research challenge is to provide some assurance that the wrappers cannot be bypassed. Another challenge is to develop a methodology that would allow an integrator to predict the security and survivability characteristics of components and wrappers, as well as tools to assist an integrator in assembling components and wrappers in a trustworthy manner. The DARPA Information Survivability program has investigated the use of wrappers for security and survivability and has funded a collection of security wrapper projects that are developing tool kits that allow a developer to automatically generate security wrappers from a set of wrapper specifications.
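To make the wrapper concept concrete, the block below is an added example (written for this edit, not code from the report, from Trusted Information Systems or from any DARPA wrapper tool kit) showing two of the building blocks named above retrofitted onto components that know nothing about them: an access-control-and-logging wrapper that filters method calls to a legacy component by the calling principal and records every decision for a separate intrusion detector, and a message-integrity wrapper placed on both ends of a legacy channel that adds an HMAC tag on send and rejects tampered frames on receive. The component, channel, principals, policy and key are all constructed for the illustration.

```python
"""Security wrappers around unmodified components. Added example; the
TrackStore and Channel components, the policy and the key are constructed."""
import functools
import hashlib
import hmac


class TrackStore:
    """Constructed legacy component: it has no notion of callers or permissions."""

    def __init__(self):
        self.tracks = {}

    def update_track(self, track_id, position):
        self.tracks[track_id] = position
        return True

    def get_track(self, track_id):
        return self.tracks.get(track_id)


class SecurityWrapper:
    """Interposes access control and a security log on every call to the
    wrapped component. Callers use it exactly as they used the component."""

    def __init__(self, component, policy, principal):
        self._component = component
        self._policy = policy        # {principal: set of permitted method names}
        self._principal = principal  # identity this wrapper instance acts for
        self.log = []                # (principal, method, args, decision)

    def __getattr__(self, name):
        # Only reached for names not defined on the wrapper, i.e. the
        # component's own attributes; methods come back guarded.
        target = getattr(self._component, name)
        if not callable(target):
            return target

        @functools.wraps(target)
        def guarded(*args, **kwargs):
            allowed = name in self._policy.get(self._principal, set())
            self.log.append((self._principal, name, args, "allow" if allowed else "deny"))
            if not allowed:
                raise PermissionError(f"{self._principal} may not call {name}")
            return target(*args, **kwargs)

        return guarded


class Channel:
    """Constructed legacy transport: delivers bytes with no integrity protection."""

    def __init__(self):
        self.queue = []

    def send(self, payload):
        self.queue.append(payload)

    def recv(self):
        return self.queue.pop(0)


class IntegrityWrapper:
    """Wrapper for both ends of a channel: appends an HMAC-SHA256 tag on send
    and verifies it on receive, so a frame altered in transit is rejected."""
    TAG_LEN = 32

    def __init__(self, channel, key):
        self._channel, self._key = channel, key

    def _tag(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def send(self, payload):
        self._channel.send(payload + self._tag(payload))

    def recv(self):
        frame = self._channel.recv()
        payload, tag = frame[:-self.TAG_LEN], frame[-self.TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(payload)):
            raise ValueError("message integrity check failed")
        return payload


def run_demo():
    store = TrackStore()
    policy = {"watch-officer": {"get_track", "update_track"}, "guest": {"get_track"}}
    officer = SecurityWrapper(store, policy, "watch-officer")
    guest = SecurityWrapper(store, policy, "guest")
    officer.update_track("T1", (36.8, -76.3))
    seen = guest.get_track("T1")
    try:
        guest.update_track("T1", (0.0, 0.0))
        denied = False
    except PermissionError:
        denied = True

    key = b"constructed-demo-key"  # constructed; a real key comes from key management
    raw = Channel()
    tx, rx = IntegrityWrapper(raw, key), IntegrityWrapper(raw, key)
    tx.send(b"T1 36.8 -76.3")
    intact = rx.recv()
    tx.send(b"T1 36.8 -76.3")
    raw.queue[0] = b"T1 00.0 -00.0" + raw.queue[0][-IntegrityWrapper.TAG_LEN:]  # tamper in transit
    try:
        rx.recv()
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {
        "seen": seen, "denied": denied, "intact": intact,
        "tampered_rejected": tampered_rejected,
        "log": [(p, m, d) for p, m, _, d in officer.log + guest.log],
    }


if __name__ == "__main__":
    print(run_demo())
```

Neither TrackStore nor Channel changed, and callers keep calling the same method names, which is the "unaware of the wrapper" property the paragraph asks for. The open research problem the text names, assurance that the wrapper cannot be bypassed, is visible here too: nothing in this Python stops a caller that holds a direct reference to `store` from skipping the wrapper, so in a real retrofit the interposition point has to be enforced by the platform (process boundary, kernel interface or network path), not by convention.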

FIGURE 5.6 Concept of security wrappers. SOURCE: Developed from information in Oostendorp, Karen A., Christopher D. Vance, Kelly C. Djahandari, Benjamin L. Uecker, and Lee Badger. 1997. Preliminary Wrapper Definition Language Specification, TIS Report No. 0684, Trusted Information Systems, Inc., Glenwood, Md.

5.7.5 Mobile Code Security

In the future, mobile code is expected to be used to deploy new services quickly and cheaply. While there are obvious security challenges inherent in doing this, commercial systems such as Java are rapidly developing many of the necessary security underpinnings for such uses. Continued attention is required to ensure that such security mechanisms are adequate. Mobile code could also be used to more easily deploy new security functionality, as well as to upgrade existing functionality. This will make it easier to evolve and maintain systems. Active networking technology being developed by DARPA will extend similar capabilities to the network, resulting in networks that are extensible. For example, network functionality could be added to log events so that intruders can later be tracked, or to choose routes based on security considerations. To enable future naval uses of such technology, continued research is needed in mobile code security.

5.7.6 Dependability

While hardware dependability is a fairly well-understood science, this is not the case for software dependability. Software can have numerous bugs, and systems with large software components frequently fail, lock up, suffer unexplainable performance degradations, and can lose data. Dependability methods for hardware do not work for software, for many reasons. Hardware faults are often the result of parts wearing out or are due to random effects such as stray radiation. Since these types of faults tend to be independent, in that failure in one part does not affect the likelihood of failure in another part, failure models can be developed for commonly used hardware components to predict such characteristics as mean time to failure. The independence of the faults makes the use of redundant hardware components an effective fault tolerance strategy.

Software does not share these characteristics of hardware. It does not wear out. The causes of failure come from the humans who designed and wrote it. Failures cannot be assumed to be independent, especially because many copies of the same software are used in a system, but also because it is likely that different software developers will make the same kinds of errors. This makes it very difficult to use redundancy as a means of software fault tolerance. Detection of and recovery from software faults is a research area that is not receiving much funding in the United States. Much of the research is motivated by the need to build ultracritical systems whose failure has very costly consequences, such as nuclear power generation, flight control, or air traffic control. Solutions that are acceptable for such systems are generally too costly for less critical systems, such as command and control systems. This means that designers of most of the large-scale computing systems in use today must use ad hoc means of obtaining reliability in those systems.

5.8 RECOMMENDATIONS

While a technical solution for the information assurance problem does not seem possible in the foreseeable future, the benefits to be gained from network-centric operations nonetheless make such operations imperative. A program of vigilance, testing, and continuing information assurance research will therefore be required. The committee recommends as follows:

Recommendation: The Department of the Navy should endeavor to use all available technologies to secure the NCII.

NRL could be tasked to help the Department of the Navy maintain an awareness of available technologies and also to follow in-progress research and select promising new technologies to develop and disseminate throughout the Department of the Navy. Earlier in this chapter, in section 5.6, the committee identifies possible near-term technologies for consideration.

Recommendation: The Department of the Navy should take steps to ensure that systems are continuously maintained in a secure state.

Even with suitable technologies installed, continuous effort is required to maintain systems in a secure state. This can be accomplished by a combination of technical and procedural means, including regular internal use of red teams to test system configurations. System managers must keep up to date with the latest patches, fixes, and recommended configurations. A central source of this information within the Department of the Navy would help with this effort.

Recommendation: The Department of the Navy should take steps to increase and maintain security at all levels of personnel.

Red teaming exercises are valuable as a security awareness tool, especially to bring security to the attention of management. In addition, all naval personnel should be made aware of and trained in information assurance.

Recommendation: In designing the NCII, the Department of the Navy should use a defense-in-depth strategy to address unknown vulnerabilities.

In designing the NCII, it is not safe to take a risk management approach that assumes that all system vulnerabilities can be discovered and that their discovery can therefore serve as the basis for a protection strategy. Instead, all components must be treated as vulnerable, including any protection mechanisms. Layered protection and a defense-in-depth strategy are required. Procedural and physical security measures should be developed to further reduce the risk where the available technology is not adequate.

Recommendation: The NCII should be designed to address security and assurance for tactical links.

Although cryptography makes spoofing difficult, attention must be paid in the tactical portion of the NCII to reducing the hazards arising from an adversary’s capture of equipment, to providing a way to incorporate coalition partners in the NCII, and to defeating traffic analysis. The roles of spread spectrum and directional antennas in defeating jamming and interception are well understood, but existing spread-spectrum devices and multibeam directional antennas are expensive. In the near term, programmable modular radios should be programmed to adapt their waveforms and data rate to instantaneous jamming conditions. In the long term, affordable, high-gain, multibeam antennas should be sought.

Recommendation: The CNO and the CMC should take steps to ensure that fleet and Marine training encompasses situations with impaired information and NCII functionality, and that fallback positions and capabilities are prepared to meet such eventualities.

Network-centric operations will depend for their success on the correct functioning of the NCII. But NCII functionality may deteriorate or malfunction or be unavailable due to attack or failure. Because attacks on the NCII are likely, it is imperative that naval forces train for situations with impaired NCII function. By this the committee means not only that system staff should train to restore service quickly, but also that operational forces should train to deal with system failure situations. The Department of the Navy has a tradition of developing operational workarounds for loss or degradation of radio frequency communications in tactical operations. The same should be done for the NCII. Without this, naval forces will be unprepared to deal with these situations, which are likely to arise.

Recommendation: When mission-critical networks and functions are considered for interconnection, the Department of the Navy should weigh the risks against the benefits.

A prominent feature of the NCII is its ability to connect disparate networks and functions. The NCII designers should recognize that while this brings great benefit, it also brings risks. When mission-critical networks and functions are considered for connection, it is essential to weigh the risks against the benefits. For example, certain functions may be considered so critical that any risk to their timely and correct functioning during a crisis is intolerable. In such cases, the decision may be to not connect, and to use an air-gap defense.

Recommendation: The Secretary of the Navy, the CNO, and the CMC should assign responsibility for information assurance at a high enough level within the Navy and the Marine Corps, and with sufficient emphasis, to ensure that adequate and integrated attention is paid to all aspects of this problem in the design and operation of the NCII.

Information assurance is not receiving appropriate attention at high levels within the Department of the Navy. Currently no single individual within the Department of the Navy has this responsibility and authority.

Recommendation: The Department of the Navy should push for research to address its critical NCII information assurance needs.

Because there is a large shortfall of current security technologies relative to naval needs, the Department of the Navy must be an advocate within the DOD for long-term research in several areas not being addressed by industry, including intrusion assessment, intrusion-tolerant systems, prevention of denial of service, approaches to retrofitting legacy systems with some security and reliability functionality, mobile code security, extending the capabilities of virtual private networks, and dependability. There is also a need to develop DOD-specific solutions for areas that industry is not addressing because there are no common commercial analogues, particularly in tactical networking.