The DoD's IT Dilemma
By Stacey McDaniel
Our economic, social, military, and commercial infrastructures depend on timely and accurate data from information technology systems. Advances in IT have made information technology systems less expensive and easier to use, leading to widespread use throughout the government. Not surprisingly, this increased reliance on IT makes our national infrastructure a growing target for information warfare attacks. Nowhere is this more evident than at the United States Department of Defense.
The Department of Defense (DoD) knows its systems are an appealing target to adversaries armed with readily available, easy-to-use, low-cost technologies. In response to this, the DoD has implemented the Defense-Wide Information Assurance Program, or Information Assurance (IA) program, which outlines measures needed to protect and defend information systems while "ensuring their availability, integrity, authentication, confidentiality, and non-repudiation." This includes providing for "the restoration of information systems by incorporating protection, detection, and reaction capabilities."
A look at Information Assurance
As every business knows, securing information systems requires an in-depth understanding of complex networks, the specialized nature of cyber threats, and the full spectrum of technologies available to counter such threats. Like other businesses, the DoD stresses a defense-in-depth approach that comprises layers of technical and non-technical solutions. The DoD's 8500 series of publications spells out specific IA recommendations. These include the establishment and implementation of security policies, risk assessment and management, penetration testing, access controls, and ongoing monitoring and adjustment of security measures. The application of those policies requires integrated, multi-tiered technology including intrusion detection, firewall, and antivirus protection applied to the DoD information systems and networks worldwide.
Due to the sensitive/classified nature of DoD information, recipients must be able to rely on it to make decisions quickly. They need to be assured they are acting on information that has not changed, while that information needs to be available wherever and whenever it is needed. Of course, increasing the availability of information also increases the risks to it. Security and availability must each be maintained at a level appropriate to the risk and the threat.
Achieving a balance between information availability and information security is frequently a challenge for IT professionals -- and it is an increasingly difficult one for DoD IT professionals. On the one hand, IT departments are pushed to provide information availability, using tools to make information accessible to the ends of the earth in support of the Department's goals. Security groups, on the other hand, work to protect and compartmentalize information, making it inaccessible except to the people who need it.
The support of resilient infrastructure
A resilient infrastructure approach recognizes that information security and information availability are much more effective when addressed together instead of separately. In this approach, IT and security groups within the DoD would use the same tools, speak the same language, and work from the same base of information no matter where they are located.
Specifically, a resilient infrastructure combines advanced administration tools -- patch management, provisioning, installation design, license and asset monitoring, backup, recovery, and reporting -- with expertise in early warning systems, intrusion detection, firewall, virus protection, content filtering, compliance assessment, vulnerability assessment, and VPN. The result is that an organization is better able to understand, act, and control its environment:
- Understand means knowing what you need to know about your information environment, both inside and outside your organization. It means being aware of electronic threats emerging anywhere in the world before they reach you. It's about identifying possible regulatory compliance issues, assessing the effectiveness of security and administration tools, and constantly monitoring the status of hardware, software, information, and other network assets anywhere in your enterprise.
- Act is about responding successfully to both vulnerabilities and new business needs. It means securing devices, applications, and networks against threats before they happen. It means taking steps to be sure information is up-to-date, compliant, and restorable. And it's about confidently integrating new technologies -- such as wireless devices -- to extend your competitive advantage.
- Control is about managing information resources to prevent disruptions and minimize downtime. That means provisioning new applications, managing software patches, and taking other steps to keep your enterprise up, running, and growing.
Conclusion
The DoD has a daunting task on its hands when it comes to achieving its IA goals. And recent reports indicate that, so far, it is struggling to balance the need to secure information while making it readily available to those who need it. A panel of industry experts selected by the National Security Agency reviewed the Information Assurance requirements of the DoD's network infrastructure in December 2004 and concluded that the Department has a long way to go in securing its data and communications. However, in the face of funding and staffing shortages, and some people's reluctance to take on new technologies and support innovation, the DoD has made many worthy improvements in the area of information security.
Making information secure and available to desired users is crucial for the DoD. Using a resilient infrastructure approach to Information Assurance, the Department can confidently deploy and use information while driving innovation, lowering costs, and increasing user satisfaction.
Stacey McDaniel has been writing about high-tech issues for more than six years.