No easy fix for DOD security issues
Report warns that it will be difficult to secure Global Information Grid
- By Bob Brewin
- Mar 20, 2005
A panel of industry experts formed by the National Security Agency reviewed the information assurance requirements of the Defense Department's Global Information Grid (GIG) last December and concluded that providing security for it depends on 'technologies that do not exist and may not be feasible.'
The assessment was based on a preliminary draft of the information assurance strategy for the grid, but 'does not, and never has represented NSA's view of the GIG,' an NSA spokeswoman said. 'NSA believes that the current draft of the GIG [information assurance] strategy will help ensure DOD is able to deploy a robust, survivable GIG well into the future.'
But 'in order for the GIG to move forward, new capabilities will need to be developed that address the security challenges inherent in any enterprise architecture as complex as the GIG,' she said.
The grid essentially forms the backbone of the Pentagon's concept of network-centric operations, where data is made readily available to the people who need it. Deputy Defense Secretary Paul Wolfowitz defined the grid in September 2002 as DOD's enterprise-level architecture to provide computer and communications services to commands worldwide. Former DOD chief information officer John Stenbit has said that if such data is posted on networks, information security becomes even more critical.
The grid includes the GIG-Bandwidth Expansion, designed to provide gigabit-speed networks worldwide, the Joint Tactical Radio System and satellites for last-mile connectivity, top DOD officials have said.
The NSA spokeswoman added that securing the grid 'will require significant investments by the community in [information assurance] solutions. However, NSA has capabilities in place and under development to address some of these challenges.'
Warren Suss, president of Suss Consulting, said providing information assurance for the grid 'is a leading-edge challenge because the GIG is something that has never been done before.'
Besides protecting data transmitted via GIG-BE fiber-optic networks, NSA and DOD also have to develop gear to protect information that flows to and from battlefield systems, such as unmanned aerial vehicles transmitting live video feeds, Suss said.
Despite the challenges, Suss said he believes officials in the Pentagon's CIO office and at NSA 'are working hard to resolve the problems.'
GIG-BE's wideband, gigabit circuits required development of a new class of gigabit Ethernet encryptor devices that comply with federal High Assurance IP Encryption standards for GIG-BE.
A Congressional Budget Office report released last month said that development of high-speed encryption devices is essential to take advantage of GIG-BE's broadband capabilities.
'GIG-BE's capability to transport classified data is [based] on the speed of high-assurance IP encryptor devices available,' the report said. The Defense Information Systems Network, which uses GIG-BE for transport, currently has 16 nodes that can operate at rates of up to 10 gigabits/sec and eight nodes that operate at 2.5 gigabits/sec, the CBO report states.
The NSA spokeswoman said development of an information assurance strategy for the grid is a long-term project that has undergone a great deal of change since the agency completed its first draft. Developing an information assurance architecture is so complex that NSA has already completed a 2,000-page draft document for the grid, Federal Computer Week has learned.
'DOD is expected to approve the GIG [information assurance] architecture documents in the near future,' said Michael Johnson, chief of NSA's information assurance architecture office. 'Once approved, this work will be integrated into existing DOD compliance documents, processes, policies and regulations.'
For example, plans are under way to integrate the architecture strategy into the GIG Architecture, Net-Centric Operations and Warfare Reference Model, Net-Centric Key Performance Parameter and Net-Centric Checklist, Johnson said.