Defense IT security can't rest on COTS

Defense's Linton Wells II says he expects better performance on information assurance than DOD is currently getting from vendors.

Courtesy of DOD, Helene C. Stikkel

'We think industry can do a lot better,' DOD's network and integration chief says

It's the equivalent of a techie Catch-22: The Defense Department must use commercial, off-the-shelf hardware and software to fill core IT needs for the military, even though it cannot meet DOD security demands.

'We've been singularly unimpressed with commercial security. COTS will never get there,' said Linton Wells II, acting assistant secretary of Defense for networks and information integration.

Wells said strengthening commercial products to the security level needed by Defense would be too difficult and costly for most commercial vendors.

Even so, he said he expects better performance on information assurance than DOD is currently getting from vendors. 'We think industry can do a lot better,' he said at a forum held this month by the Multi-Sector Crisis Management Consortium in Arlington, Va.

For its part, DOD is working to make systems breaches difficult by adding several layers of protection that an enemy would have to pierce to attack military systems.

Alan Paller, director of research for the SANS Institute of Bethesda, Md., said the Defense conundrum is complicated by the fact that securing systems is similar to an arms race.

'No matter how safe either commercial or [military] systems are ... the bad guys are at all times engineering workarounds for each of the defenses, and from time to time they'll be successful,' Paller said. 'All of the systems are connected. Even the most secure system can be exploited by jumping from an insecure system.'

Despite security shortfalls, DOD is committed to using commercial products to take advantage of their flexibility, standardization and cost-effectiveness.

The Air Force, Army and Navy all have enterprise initiatives under way to move to standardized desktop PC and communications environments.

'No backtracking'

The Air Force, for instance, recently announced the awardees for its $9 billion Network-Centric Solutions contract, which calls for the service to adopt 'commercially standardized networking solutions.' The Air Force also negotiated an enterprise license agreement to use Microsoft's Windows, Office, Exchange and other commercial products on all of its 525,000 PCs.

'We clearly have a strategy that is very much dependent on COTS. There's no backtracking from that overall methodology,' said Robert Lentz, director for information assurance in the Office of the Secretary of Defense for command, control, communications and intelligence.

'I think we've made a clear judgment that commercial technology will always be the right way to keep us moving in a positive direction on this journey,' he said. 'By the time we [build] a government-developed solution, there's already been three revisions in commercial technology.'

The military spends about $2 billion each year on information assurance overall, on such things as encryption systems for tactical radios, operations and maintenance costs for emergency IA response teams, and R&D for new capabilities.

The system architecture is seeded throughout the military with a blend of COTS and so-called government off-the-shelf technologies, Lentz said. GOTS products are commercial products customized to meet unique government requirements, such as protection of satellite and telemetry systems.

Ultimately, achieving security is a journey without a final destination, Lentz said. New technologies are emerging all the time that carry their own security needs.

Within the overall information assurance architecture, the department is trying to put in more sophisticated capabilities, to become more flexible and agile in responding to threats. For instance, military security experts will use simulated systems as honeypots, deceptively attractive elements that appear more valuable than they are to lure attackers into dead ends or even to nab them and serve as security alarms.

Also included in the $2 billion fund is an unspecified amount for building the Global Network-Defense, a system of sensors to monitor all military networks in near real time.

'If somebody breaks [in], we're putting in a very sophisticated sensor grid, and we're going to be monitoring the entire network, so if we see anomalous activity we'll have alarm bells go off, so to speak,' Lentz said. 'We are in the beginning decision stages of deploying this sensor grid.'

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above