Global grid will have data assurance 'baked in'

'It's not only an architecture, it will be products and services,' NSA's Daniel G. Wolf says of the Defense Global Information Grid's IA.

Courtesy of the National Security Agency

The National Security Agency is revising its 2-month-old, 2,200-page information assurance roadmap for the Defense Department's Global Information Grid.

After considering government and industry feedback, NSA will release a three-phase architectural plan for secure worldwide data sharing among and across military and intelligence agencies over the next two decades.

Daniel G. Wolf, the agency's IA director, said producing the architectural plan has taken 40 staff-years so far. He spoke at this month's Microsoft Security Summit East in Washington.

The plan spells out no specific solutions at this point, but it will ensure that IA is 'baked in' by authenticating credentials, security clearances, roles and situational awareness throughout the GIG, he said. Some form of user token will be part of the security architecture.

'It's not only an architecture, it will be products and services,' he said. For example, NSA will design the initial 1-Gbps backbone encryptors for major GIG communications links. Later phases eventually could scale up to backbone rates of 40 Gbps and then 100 Gbps.

Data traveling on the grid will have two separate suites of encryption algorithms. Wolf said classified data will get 'government high-grade' encryption. For public and unclassified traffic, a second suite incorporates the Advanced Encryption Standard. Both suites are high-assurance, he said, but there still are some potential risks to the GIG from unencrypted IPv6 packet headers and the possibility of traffic disruption.

More than 160 major military systems are supposed to interact via the GIG.

The cost of baking security into the GIG, he said, depends on whether components are counted as part of the security or part of the communications infrastructure. DOD has estimated the cost of expanded GIG bandwidth at around $900 million; the ultimate cost for the entire switched optical grid will probably run to multiple billions of dollars.

As more and more devices and even some IP-addressable weapons join the grid, it could also transport voice packets from wireless phones, he said.

Working with industry

Because NSA lacks the resources to evaluate all the increasingly complex commercial software used by the military, Wolf has formed industry partnerships to make safer software a top priority.

He has taken advantage, for example, of Microsoft Corp.'s offer to let governments examine its source code, which grew from 6 million lines of code in Windows 3.1 to more than 30 million lines in XP.

'It gives us more leverage,' he said. 'We've talked to Microsoft about a scaled-down operating system with fewer bells and whistles. Software complexity increases instability and hinders discovery of malicious code.'

In the quest for trustworthy code, NSA also checks configuration management of new versions to see whether any previous vulnerabilities have reappeared because of backward compatibility.

Wolf's military software agenda calls for using commercial products as much as possible and custom government code 'only when necessary,' he said. 'If there are components critical to system assurance, the government might have to develop that particular piece.'

Buffer overflows are a big source of software failure and vulnerability, said Wolf, who has recruited 59 colleges and universities to set up an IA curriculum and teach safer programming for modularity, layering, abstraction and data hiding.

The Homeland Security Department recently joined DOD as a joint sponsor of the IA curriculum program, with NSA as the executive agent, Wolf said.

Also, the international Common Criteria security levels need updating, he said. Common Criteria focuses only on testing finished products, whereas he wants to put more pressure on the developers 'so products come off the assembly line in much better shape than they do today.'

Wolf added, 'It's almost like the Manhattan Project. I see this as the modern equivalent to the national labs set up under the threat of thermonuclear war in the 1940s.'
