Unit commanders are on the front lines in the war to protect the Navy's information systems. They must take the lead in developing strong information security programs.
There is ample evidence that hackers, foreign nations, and terrorist organizations are testing and probing Navy information systems for vulnerabilities. The number and complexity of cyber attacks against the Department of Defense (DoD) has more than doubled each year since 1998.
The greatest source of attacks on DoD systems still appears to be hackers, but according to recent congressional testimony by former FBI officials, "we are picking up increased signs that terrorist organizations are looking at the use of this technology" to attack the United States.
The Navy has made significant managerial and financial commitments to improve its information assurance programs over the past five years, which will be effective only if information security programs at the unit level are developed, assessed, and matured. Each command must amass the knowledge and experience to formulate a comprehensive cyber security strategy, one that encompasses prevention, preparedness, and incident response. A solid approach to information assurance should be centered on three pillars: policy, personnel, and technology.
Policy Approaches
Risk mitigation is the principal objective of a command's information security policy. A key reason for the Navy's improvement in information security since 1998 has been the implementation of the Information Assurance Vulnerability Alert (IAVA) program, which allows rapid response to incidents or threats and repair of known software faults. IAVA warnings are distributed by the Navy Component Task Force-Computer Network Defense (NCTF-CND) and provide near-real-time alerts to system administrators, identifying possible attack techniques or targets and known-threat Internet service provider addresses. The Achilles' heel of this program is the pace of IAVA adherence at the local level because of the system's reliance on manual implementation. IAVA alerts are received via message traffic or e-mail, recommended actions are evaluated by the unit's system administrator (many alerts are not applicable to individual units), and appropriate protective actions are taken. Only when they implement IAVA actions are commands taking full advantage of DoD, intelligence community, and law enforcement warning systems.
Another effective risk mitigation and security program led by NCTF-CND is the Information Systems Readiness Condition (InfoCon) system. InfoCon levels are raised and lowered depending on the degree of cyber security threat. Individual commands determine how to conform procedurally to various levels of InfoCon readiness, evaluate the effect InfoCon actions will have on connectivity and mission accomplishment, and train and exercise on InfoCon within their systems.
Once security management and risk mitigation efforts are in place, a command must be able to evaluate their effectiveness. To this end, several government "red teams" have been organized. The Navy's red team, which is provided by the Naval Computer Incident Response Team (NavCIRT) at the Fleet Information Warfare Center, possesses the technical skills to evaluate the cyber security of individual units, identify vulnerabilities, train operators, and provide Navy-wide feedback on best practices and common vulnerabilities. These red team capabilities need to be expanded and more frequently employed.
Information security also can be improved by a policy of strict standards implementation in security program management and information technology (IT) system procurement. The commander must ensure strict adherence to security regulations and should conduct frequent assessments. Simple issues such as poor password control expose the information system to root access compromise. (The most common DoD password is "password.") The supply officer must ensure that only approved IT hardware and software are purchased, and the information systems security officer must ensure a qualified system administrator accomplishes all IT installations.
The command's reconstitution policy—the ability to absorb a cyber attack, reconfigure a system or systems, and reestablish network control—is the ultimate sign of information system resilience. Efforts to train and exercise information systems to establish this capability can identify points of failure and remedies that may have significant budget implications.
Personnel Approaches
Training and education are paramount in solving the information security challenge. A strong information security awareness program should be established throughout the command. This includes effective security techniques (such as passwords) and the need to limit access to systems for personnel who do not have proper clearances. Awareness training should be conducted on a recurring basis and be tied to a service member's computer access.
Commands must ensure that IT security work force members (system administrators) have the proper training and certification for operating the unit's information systems. This normally is provided in pipeline training and is transparent to the command. However, system administrators need recurring training to ensure they remain current with installed systems and upgrades.
Finally, the unit commander should ensure he or she has a trained and focused information security management team. With the relatively recent development of information security schoolhouse programs, it is possible that managers (chief petty officers, limited duty officers, and department heads) may not have enough training or experience in security management. This is especially relevant considering the seniority of many IT system chiefs, whose last schoolhouse training predates information security courses, and the merger of the data processing technician and radioman ratings, in which most IT chiefs have a predominantly "Radio Shack" background. The information security training provided in commanding officer pipelines is cursory at best, and increased concentration there would be highly effective.
Technology Approaches
The Navy's greatest IT investment over the past five years has been in modernizing and developing its shipboard and shore-based information management systems, IT-21 and the Navy Marine Corps Intranet. This has included significant investments in information security tools. Unit commanders should ensure the appropriate security technology is employed on these systems.
A critical technology that assists in establishing information systems readiness is a centralized intrusion detection and warning system. Equipment in this system provides indications of ongoing or impending attacks and, with the proper fire walls installed, can block known attack techniques. Most important, the intrusion detectors and fire walls must be aligned properly to establish readiness and preparedness levels as InfoCon levels are altered on the unit's information systems. If the fire wall settings are not secure, the system is vulnerable to attack; if the settings are overly restrictive, the equipment can cause a self-inflicted denial of service.
An equally important risk-mitigation effort is to rapidly install software patches. Patches are code released by vendors to correct known flaws in operating systems. The period between the vendor's release of a patch and its installation by the system administrator is the most vulnerable time for an operating system, because the release itself tells hackers that the flaw exists. Currently, the process calls for centralized notification by NCTF-CND and manual intervention at the unit level by the system administrator, who must determine applicability and then manually apply the patch. DoD must continue to develop automated tools to help with distribution of vulnerability alerts and patch identification and installation.
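The applicability step in the IAVA process described above (in both the policy section and this paragraph) is the part the article says is done by hand: the administrator compares each alert against what the unit actually runs. The following is an added illustration, not code from the article or from any Navy program, of how that check can be automated; the alert identifiers, product names, versions and host names are all constructed sample data.

```python
"""Added example: automated IAVA applicability check against a host inventory."""
from dataclasses import dataclass, field


def parse_version(text: str) -> tuple:
    """Turn '1.10.3' into (1, 10, 3) so versions compare numerically.

    Comparing as strings would wrongly rank '1.9.0' above '1.10.3'.
    """
    return tuple(int(part) for part in text.split("."))


@dataclass
class Alert:
    alert_id: str   # constructed placeholder id, not a real IAVA number
    product: str
    fixed_in: str   # first version that contains the vendor's patch
    action: str     # recommended protective action carried in the alert


@dataclass
class Host:
    name: str
    installed: dict = field(default_factory=dict)  # product -> version


def alert_applies(alert: Alert, host: Host) -> bool:
    """An alert applies only if the host runs the product below the fixed version."""
    version = host.installed.get(alert.product)
    if version is None:
        return False  # product not installed: alert is not applicable to this host
    return parse_version(version) < parse_version(alert.fixed_in)


def outstanding_actions(alerts: list, hosts: list) -> list:
    """Return (alert_id, host name, action) for every alert still requiring action."""
    return [(a.alert_id, h.name, a.action)
            for a in alerts for h in hosts if alert_applies(a, h)]


# Constructed sample data: two alerts and two hosts on a unit network.
SAMPLE_ALERTS = [
    Alert("IAVA-SAMPLE-01", "mailserver", "2.4.0", "upgrade to 2.4.0 or later"),
    Alert("IAVA-SAMPLE-02", "webproxy", "1.10.3", "apply vendor patch 1.10.3"),
]
SAMPLE_HOSTS = [
    Host("lan-srv-1", {"mailserver": "2.3.7", "webproxy": "1.10.3"}),
    Host("lan-srv-2", {"webproxy": "1.9.0"}),
]

if __name__ == "__main__":
    for alert_id, host, action in outstanding_actions(SAMPLE_ALERTS, SAMPLE_HOSTS):
        print(alert_id, host, action)
```

Alerts that match nothing in the inventory are filtered out, and what remains is the unit's list of outstanding IAVA actions.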
The system administrator must stay alert to the need to install and frequently update the system's antivirus software. NCTF-CND, NavCIRT, and vendor Web sites are the best sources of current virus information. Viruses are the hacker's preferred tools, and through denial-of-service attacks they can have the greatest impact. It is crucial that antivirus software be upgraded regularly and installed rapidly.
It is a matter of time before the convergence of "bad guys" and "good technology" occurs in the cyber security world. System failures because of malicious action or equipment failure are inevitable. Restoring systems and quickly providing continuity following cyber attacks will diminish incentive to engage in them. A strong information security program focused on policy, personnel, and technology processes is a unit commander's best tool for computer network defense.
Commander Montgomery is commanding officer of the USS McCampbell (DDG-85), a destroyer based in San Diego. He recently was director for transitional threats at the National Security Council.