DSLC Rm (3E813) Layout - Mil-Only Session

1
Cyber What is that - really? A General
Overview of our Cyber Prioritization Crisis
Information Assurance (IA) for Service-Oriented
Architecture (SOA)
May 20, 2009 Security Summit
Mike Davis The Security Networks Technical
Advisor, TSN Mike_at_sciap.org and Information
Systems Security Association, VP, ISSA, SD
IA Technical Process Owner (TPO), Warrant
Holder (TWH) - SPAWAR 5.0.2 / 5.8 HQ
Michael.H.Davis_at_navy.mil
Easy Button
Good for public release. No distribution
statement needed SPAWAR review tracking number
SR-2009-221.
2
What is Cyber?
A global domain within the information
environment consisting of the interdependent
network of information technology
infrastructures, including the Internet,
telecommunications networks, computer systems,
and embedded processors and controllers. -- DoD
Definition of Cyberspace
Cyber space operations employment of cyber
capabilities where the primary purpose is to
achieve military objectives or effects in or
through cyberspace. Such operations include
computer network operations and activities to
operate and defend the GIG
The military strategic goal is to ensure US
military strategic superiority in cyberspace.
-- National Military Strategy for Cyberspace
Operations
It could mean just about anything. But mostly
a balanced IO/CNO IA/CND portfolio
3
What makes Cyber different?

• Given Cyber virtual warfare, somewhat
  different from the kinetic / physical environment
  we all know well
• -- Includes ALL Offensive and Defensive IT/IO/IA
  capabilities and DOTMPLF, ALL aggregated somehow
• -- Essentially a select critical technical
  combination of IO/CNO and IA/CND more
  integration stuff
• -- A different virtual ROE than Kinetic
  sometimes reversed, legally constrained (and what
  is an act of War?)
• -- Shared vulnerabilities mandate a proactive,
  dynamic defensive posture a mission kill is
  one e-mail away
• -- Thus a crisis of prioritization, where
  everything is urgent, mandatory and the many CoC
  lines are blurred

Many high-level cyber definitions and approaches
abound No definitive enterprise top down action
plans, yet
4
Cyberspace Characteristics

• Whats so different?
• Man-made domain complex and insecure by design
• Global stakeholders public, private and
  government
• Speed of both action and change zero separation
• Transcends physical, organizational and
  geopolitical boundaries highly sensitive to
  political/legal influence
• Anonymity identity/intent of players not always
  clear

Global reach impact
RoE / CONOPS Kinetic virtual NO
boundaries Legal aspects rule No clear Cyber
IFF!
AND sensors everywhere, ISR/METOC, SPACE,
Networks, ETC, Etc, etc!
(Source derived from JS Cyber 101 brief)
5
Cyberspace Characteristics
In relation to other mission areas
All of the warfighting domains intersect
C2
IA
cyberspace is a blend of exclusive and
inclusive ties The Venn connections / COIs are
extensive
Cyberspace Domain is contained within and
transcends the others
Numerous dynamic COIs dominate
relationships Adding complexity and causing
cross domain data sharing effects
(Source derived from JS Cyber 101 brief)
6
Cyber must be E2E!
WE have a natural hierarchy in our enterprise
IT/network environment, where complexities arise
in the numerous interfaces and many to many
communications paths typically involved in
end-to-end (E2E) transactions
Apps
AND people processes
Enterprise
Site
Enclave
Network SoS
System / services
HW/SW/FM CCE
Each sub-aggregation is responsible for the
IA/cyber controls within their boundaries and
also inherits the controls of higher levels and
all weaknesses in any layer!
Thus, the IA/cyber controls and interfaces in
each element / boundary must be quantified /
agreed to upfront!
7
Whats a simple IA/Cyber end-state / vision
look like? What are the Requirements
An end-state stresses encapsulation using secure
messaging
8
Cyber Prioritization CrisisDraft paper in
circulation highlights are

• -- Cyber is fundamentally enacting a prioritized
  and balanced approach between existing IO/CNO
  (aka offense) and IA/CND (aka defense)
  capabilities,
• -- with diminishing resources, while also
  addressing dynamic and emerging threats through
  targeted RD/ST initiatives to fill gaps of the
  cyber vision.
• -- The RoE, CONOPS, organization relationships
  required are NOT the same as kinetic processes,
• -- Where the political / legal aspects of cyber
  will impede us all!
• -- CoC needs an effective situational awareness
  capability for "cyber" to enhance our decision
  superiority

9
Cyber Prioritization CrisisDraft paper in
circulation intended for technical discussions

• Cyber technical foundations (what matters)
• 1 - Enterprise risk management process needed
• 2 - Fix/update/simplify what we have (CM too!)
• 3 - NO clear IA/security/cyber vision or
  end-state
• 4 - Supply chain security issues are everywhere
• 5 - Lack of enterprise SOA IA / security approach
  
• 6 - Enforce a common data strategy, security
  built in

10
Securing Cyberspace for the 44th Presidency

• A renewed focus on international collaboration,
  with more overt / open security methods,
• Continued emphasis on partnering government with
  industry, better quantifying the legal aspects of
  enforcement and proactive responses,
• Taking a holistic, overarching, fully integrated
  / meshed approach to security for the full
  spectrum IA needed in D.I.M.E. (Diplomatic,
  Intelligence, Military and Economic)

- Create a comprehensive national security
strategy for cyberspace - Organize and lead from
the white house (create a national office for
cyberspace) - Reinvent the public private
partnership - Regulate cyberspace (not voluntary
anymore, but not overly prescriptive either) -
Secure the industrial control systems ICS /
SCADA - Manage Identities - Authenticate digital
entities (in an enterprise IDM approach) -
Modernize authorities / laws (e,g, revise
FISMA.. merge NSS and other standards) - Use
acquisitions policy to improve security - Build
the capabilities research, training and
education - Do not start over leverage CNCI
WE must collectively quantify prioritize these
for leadership actions
11
cyber security social contractto Obama from
industry
-- We all lack a common enterprise risk
management approach -- Need new internet
protocols / methods to support security --
"Enforceable" CM is mandatory (can reduce 80 of
all attacks!) -- Positive incentives to encourage
/ enforce folks to follow best practices -- Lack
of software quality and assurance --
Multi-organizational coordinated roadmap / vision
is essential -- Map / manage the physical to
cyber security (ICS / PCS / SCADA / etc) --
Supply chain issues better understood, protected
and testing against -- Use / leverage / engage
DARPA, IARPA, In-Q-Tel, etc. -- Move from a
passive, forensic-based defense to an active
posture using real-time intelligence updates to
dynamically adjust our protection levels -- Must
have both privacy and security built in --
Focus on "insider threat (a determined
intruder inside or external) -- Government
embrace / lead the required IA standards that are
effective -- Modern IdM / access control ( where
our ZBAC approach works cross domain) -- Set
clear IA/security priorities then resource,
manage and control
WE must collectively quantify prioritize these
for leadership actions
12
Leadership Summary / Recap(Cyber Security
Collaboration Summit SD Nov 08)

• Common vision / end state / master plan where
  are we going?
• Governance more governance coordinate ALL
  those in charge?
• Specified requirements and then some top down,
  detailed needs
• Prescriptive implementation guidance required
  fidelity in the what
• Whats good enough IA/Security? Must have a
  common threshold
• Pedigree approach simplify verification and
  compliance (build in)
• What is the IA business basis / ROI? (AND
  success metrics therein?)
• What is the future risk environment? Threats,
  consequences, etc?
• Training at all levels, especially user and SW
  development
• Standard architectures / standards / profiles
  (and a Trust Model!!!)

WE must collectively quantify prioritize these
for leadership actions
13
Representative Navy Operator IA issues

• IA Master Plan IA vision clear IA goals
• IA Governance Structure / Consistent Policies
• Workforce Quals / Certs / Training
• "Improve Speed to Capability - Implementing
  newer technologies.. HBSS, DAR, etc.
• IA Approach, Strategy consistent with SYSCOMs and
  DoD
• IA Policy/Architecture implementation guidance
• Enterprise Access Control - "Trust Model"
• Certification Accreditation - Aggregation of
  systems
• Supply Chain Security / Defense in Breadth
• Sustain current IA and CND posture to ensure
  readiness

Calling things cyber will not change the
current IA and IO issues These are still the
activities that are needed for protecting the GIG
14
Recent IT/Cyber Leadership perspectives

• A - Political / legal cyber paper
• Cyber offense must be strictly monitored
  controlled, due to potential escalation state
  department implications countries suing each
  other
• B - Navy IT FLAG/SES meeting results / paper
• -- Greater accountability, completer visibility,
  net-centric concepts need to be revisited, can't
  protect all networks - ensure the C2 / enterprise
  are
• -- Need better situational awareness, discipline
  in development and acquisition, TTPs... And
  training...
• -- Senior Advisors major conclusions
  Stricter CM SA / inspect traffic
• -- FLAG / SES participants guidance
• Common governance and language, eliminate low
  to medium threats, focus more resources on
  defensive posture and key critical actions (aka -
  have a risk management approach), closer
  collaboration between Service / agencies,
  include space and undersea cables, exercise In
  degraded modes, stress education, use the RED
  TEAM to better effectiveness, avoid issues NMCI
  found, high speed acquisition and address COTS /
  supply chain management..

Issues / suggestions are similar to others , but
act collectively WE must!
15
NSPD-54/HSPD-23 CNCI 12 Initiatives
Many are still being finessed, and all need
prioritized
Establish a front line of defense
Trusted Internet Connections
Deploy Passive Sensors Across Federal Systems
Pursue Deployment of Intrusion Prevention Systems
Coordinate and Redirect RD Efforts
Focus Area 1
Resolve to secure cyberspace / set
conditions for long-term success
Connect Current Centers to Enhance Situational
Awareness
Develop Govt-wide Counterintelligence Plan for
Cyberspace
Increase Security of the Classified Networks
ExpandEducation
Focus Area 2
Shape future environment / secure U.S.
advantage / address new threats
Define and Develop Enduring Lead Ahead
Technologies, Strategies Programs
Define and Develop Enduring Deterrence Strategies
Programs
Manage Global Supply Chain Risk
Define Federal Role for Cybersecurity in Critical
Infrastructure Domains
Focus Area 3
THESE are the key long-term business
opportunities!
(Source derived from JS Cyber 101 brief)
16
What can we expect to help us?

• NSA / GIAP with CNCI better IA stuff
• Support for data/content centric security DCS
• Leaders get it, but we need translate geek speak
• ESM / PvM helps automated systems, reporting
• COTS IA commercial suite B encryption
• Going beyond boundary protection approach
• Effective trust binding between data, layers and
  domains
• Develop an IA vision -gt enterprise architecture
• Easier to build IA in through a top-down
  structure / standards

17
Where you can assist

• New technologies, methods, processes (CNCI!)
• Not so niche areas of general systems
  engineering, integration, rapid COTS / GOTS
  insertion, etc
• Collaboration with other innovative companies
• Partner with other security groups, IA/cyber
  entities
• Cyber packages needed, not un-integrated SW
• Follow issues / concerns they will not go away
• Think tank, study, and discovery support efforts
• Top down risk management, prioritization approach!

18
Summary

• There are MANY IA/cyber initiatives in the works
• Follow the CNCI trail, that should prevail
• We still need cyber enterprise Requirements,
  just as we do now for IA and IO and CA and .
• What is needed now, current issues, will exist in
  cyber
• W/o an enterprise risk management approach, any /
  all paths will do and we stay in the crisis of
  prioritization
• We ALL need better collaboration DOD on down
• Users / platforms must drive cyber KISS
  commodity
• Vendors / integrators need to coalesce, drive
  the truck

Remember the P6 principle Planning and
communications only gets us part way there Thats
our story whats yours?
19
(No Transcript)
20
What is Information Assurance (IA)?
Measures that Protect and Defend Information and
Information Systems by Ensuring Their
Availability, Integrity, Authentication,
Confidentiality, and Non-Repudiation. This
Includes Providing for Restoration of Information
Systems by Incorporating Protection, Detection,
and Reaction Capabilities.
Confidentiality

• Assurance that Information is Not Disclosed to
  Unauthorized Entities or Processes

Integrity

• Quality of Information System Reflecting Logical
  Correctness and Reliability of Operating System

INFOSEC
Availability

• Timely, Reliable Access to Data and Information
  Services for Authorized Users

Information Assurance
Authentication

• Security Measure Designed to Establish Validity
  of Transmission, Message, or Originator

Non-Repudiation

• Assurance Sender of Data is Provided with Proof
  of Delivery and Recipient with Proof of Senders
  Identity

20
WHAT parts belong where wrt our collective
enterprise trust model?
21
Cyber Protections Overview
(or why IA/IO/Cyber is so complex / hard
because it is ALL of that and more!)
" CYBER"
PKI/CAC ID Mgmt
CIO FISMA Operations IAMs
IO and CNO Defend Attack Exploit
CND
CA
CA Support
IA
CMI/KMI
Policy
Training
IA Services
Multiple players Multiple PEs/Lines Multiple
threats Multiple PMW/S/As
Typical IA Acquisition elements
Requirements
Enterprise Risk Mgmt.
NETOPS
Strategy AND Governance critical to
implementation success!
22
An Overall Enterprise Picture(what are the
minimal elements, who owns them, how do they
get integrated?)
SOA Security needs to account for more than
just SOA!
Apps COIs
SOA/ESB/Services
Business processes
There is more to the enterprise IA/CA picture
than just CCE, SOA and Apps, which are hard
enough to integrate
CCE
Dynamic Access Control
ITIL/ITSM SLA execution
Data security strategy / ownership
Hardware / Software Assurance
Data privacy protection and Auditable anonymity
IA/Security strategy must consider the whole
enterprise trust model!
22
23
So what really matters in IA/Cyber E2E? A
notional Quality of Protection (QoP)
Hierarchy(Wrt our defense in breadth position
paper but what REALLY matters?)
DATA QoP (C-I-A and N A)
Complex Dynamic
Settings
IAA and CBE / DCS (distributed / transitive
trust model E2E data-centric security and
protections)
Core / Security Services ( WS and other security
policy / protocols / standards (including
versions extensions therein)
Standards
IA devices
network protection CND FW / IDS / VPN / etc
(in general, mature capabilities but multiple
unclear CM processes are persistent and
problematic)
Known Static
IO and ... IA
AE / Policy
CNO/E/A, IW, OPSEC, etc
Crypto, KMI, TSM/HAP, policy, etc
Mainly IA standards, IAA, CBE/DCS and digital
policy!
24
GIG IA Protection Strategy Evolution
Transactional Enterprise IA Protection
Model Required level of Information Protection
Specified for each Transaction
Static Perimeter Protection Model Common level
of Information Protection provided by System
High Environment
"Need to SHARE" and Distributed / transitive
trust models

• Common User Trust Level (Clearances) across
  sys-high environment

• User Trust Level sufficient across
  Transaction/COI varies for enterprise

• Privilege assigned to user/device based on
  operational role and can be changed

• Privilege gained by access to environment and
  rudimentary roles

Future
Today

• Information authority determines required level
  of protection (QoP) for the most sensitive
  information in the sys-high environment high
  water mark determines IT/IA/Comms Standards for
  all information

• Information authority determines required level
  of end-to-end protection (QoP) required to access
  information translates to a set of
  IT/IA/Comms Standard that must be met for the
  Transaction to occur

• Manual Review to Release Information Classified
  at Less than Sys-high
• Manual Analysis and Procedures determine allowed
  interconnects

• Automated mechanisms allow information to be
  Shared (Released) when users/devices have
  proper privilege and Transaction can meet QoP
  requirements

We will be loosely connected, sharing information
and protected?
25
The Big Picture XML Family of Specifications
"LOTS" of standards and Specs to coordinate
26
IA / CA Building blocks

• . The desired end-state is in general one of a
  transformed single CA process that accommodates
  all CA needs and activities (re TE / VV)
• End-state needs to integrate and accommodate
  several major perspectives / initiatives
• (1) aggregation into some number of larger
  systems of systems (SoS) and enclaves /
  platforms,
• (2) platform IT (PIT),
• (3) the federal CA transformation effort
  (bringing together DOD, IC and federal agencies),
  and
• (4) the new NNWC CA process (for the Navy
  aspect).
• Develop a "security container" of sorts emulating
  the "CC" process (see http//www.niap-ccevs.org/cc
  -scheme/ ) that IA devices go through
  establishes the same format / needs
• Natural to have a limited and controlled set of
  IA building blocks for a FEW main classes
• IA devices (crypto, EKMS, PKI/CAC, VPN, Firewall,
  IDS/IPS, HBSS, HAP/TPM devices, reference
  monitor, etc)
• IA enabled capabilities (OS, web browsers,
  messaging systems, screening routers, etc
  )(and we submit the IA/WSS standards need to go
  here too prescribe a limited set of IA
  profiles with defined standards / protocols!)
• Services and Applications ( we think we can
  define a standard "security container" for each,
  ideally a class - maybe a couple are needed for
  SOA/Services we postulate the earlier three CA
  types would work well) )
• Critical IA capability devices (any key IT
  capabilities, we may have missed and want to
  specifically consider)
• PIT Platform IT variants (there should be ONE
  general PIT super set, then each SYSCOM takes
  that and tailors it a little more for HME,
  WPNs/CBS, Avionics/Controls, SATCOM/LOS radios,
  etc)
• Remainder of NIST 95 descriptions Intelligence
  activities Cyrptologic activities command and
  control weapons and their systems systems for
  "direct military / intelligence" missions and
  classified systems... Any special cases
  defined
• AND/OR consider the remainder of 8500.2
  categories AIS application enclaves
  outsourced IT PIT interconnection (where
  Platform IT refers to computer resources, both
  hardware and software, that are physically part
  of, dedicated to, or essential in real time to
  the mission performance of special purpose
  systems, such as weapons, training simulators,
  diagnostic test and maintenance equipment,
  calibration equipment, equipment used in the RD
  of weapons systems, medical technologies,
  transport vehicles, buildings, and utility
  distribution systems)

Just as IT must transition to a commodity
approach, so must Cyber security!
27
Cyber Spans Warfare and Business Mission Areas
Net-centric operations as well as the emerging
new joint capabilities and integration
development process is where the DoD is headed in
the Business of Warfighting
Cyberspace
Cyber must effectively integrate Business and
Warfighter Mission Areas
Where GOVERANCE (or lack of it), still rules
Source Secretary of State Hillary Clinton
Statement, January 21 2009 Source SSC Atlantic
Cyber Strategy
(Source notional partially derived from
industry partner brief)
28
A National Security Issue
Ubiquitous Presence
Salient Danger

• Cyberspace intrusions and attacks are a real and
  emerging threat
• U.S. faces a dangerous mixture of vulnerabilities
  and adversaries
• Cyberspace situational awareness is not mature
  (and not at all levels)
• PEOPLE, Information and the C4ISR infrastructure
  are targets
• Exploitation, disruption, exfiltration,
  misinformation or destruction are adversary goals
  ( bragging rights)
• Malicious cyberspace activity is increasing in
  regularity and severity

• 1.5 billion people on the Internet much of Asia
  and Africa still to come
• (using wireless, which is cheaper to install)
• Upwards of 200B e-mails per day
• Critical to commerce, government, business
  processes, safety, etc.
• Exponential demand 8 hours of YouTube uploaded
  every minute
• Increasing connections global wireless and
  cellular usage
• Volumetric rise in data everywhere, with no
  enterprise data security and tracking approach
  (Internet database)

Attacks on Critical Infrastructure could
significantly disrupt the functioning of
government and business alike and produce
cascading effects far beyond the targeted sector
and physical location of the incident. --
2007 National Infrastructure Protection Plan
(Source derived from JS Cyber 101 brief)