NEWS FROM THE 2009 BLACK HAT BRIEFINGS
Better ID assurance is essential for the new online world, DOD deputy secretary says
LAS VEGAS—Just as the Defense Department is getting used to working in a network-centric world, it has begun moving into a newer content-centric environment, said Robert F. Lentz, DOD's chief information assurance officer.
Leveraging interactive Web 2.0 applications and cloud services in a secure way, “that’s the biggest challenge,” Lentz said Thursday at the Black Hat Briefings security conference. “That race is daunting.”
Doing this requires moving from the current whack-a-mole process of static defenses to a more agile, strategy-based take on risk management.
“We are in a paradigm shift right now,” Lentz said. A necessary element in that shift is reducing online anonymity and improving the assurance of identity online. “In my opinion, there needs to be a cyber czar just for identity, because without it, we’re going to be done.”
Lentz outlined recent changes in the world of cybersecurity, saying that the Internet has become essential not only to our economy, but to our national security and well-being. Protecting the online environment is a joint responsibility of government and the private sector, he said.
“We have to think of cyberspace as a global common that touches everything we do,” he said. “Securing the global common is the joint responsibility of everyone.”
Currently, however, the Internet is a “very fragile ecosystem,” he said.
Among the major challenges facing DOD in securing its online presence is deployment of Domain Name System Security Extensions and transitioning from IPv4 to IPv6. The department must also leverage virtualization to minimize its attacks surface, Lentz said. But the management of identity, which is essential to control access and understanding activity online, is the foundation for a reliable networking environment.
DOD operates one of the world’s largest public key infrastructures, based on its Common Access Card, but that technology is not adequate, Lentz said.
“It’s still not easy to use,” he said. Directory services remains an Achilles' heel for DOD, and the department must provide a better system for federated identity management and embrace better multifactor authentication to take advantage of a new environment.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.