Title: DSLC Rm (3E813) Layout - Mil-Only Session
1 Cyber: What is that - really? A General
Overview of our Cyber Prioritization Crisis
Information Assurance (IA) for Service-Oriented
Architecture (SOA)
May 20, 2009 Security Summit
Mike Davis The Security Networks Technical
Advisor, TSN Mike_at_sciap.org and Information
Systems Security Association, VP, ISSA, SD
IA Technical Process Owner (TPO), Warrant
Holder (TWH) - SPAWAR 5.0.2 / 5.8 HQ
Michael.H.Davis_at_navy.mil
Easy Button
Good for public release. No distribution
statement needed. SPAWAR review tracking number
SR-2009-221.
2 What is Cyber?
A global domain within the information
environment consisting of the interdependent
network of information technology
infrastructures, including the Internet,
telecommunications networks, computer systems,
and embedded processors and controllers. -- DoD
Definition of Cyberspace
Cyber space operations: employment of cyber
capabilities where the primary purpose is to
achieve military objectives or effects in or
through cyberspace. Such operations include
computer network operations and activities to
operate and defend the GIG.
The military strategic goal is to ensure US
military strategic superiority in cyberspace.
-- National Military Strategy for Cyberspace
Operations
It could mean just about anything. But mostly
a balanced IO/CNO and IA/CND portfolio.
3 What makes Cyber different?
- Given Cyber virtual warfare, somewhat different from the kinetic / physical environment we all know well
- -- Includes ALL Offensive and Defensive IT/IO/IA capabilities and DOTMPLF, ALL aggregated somehow
- -- Essentially a select critical technical combination of IO/CNO and IA/CND, more integration stuff
- -- A different virtual ROE than Kinetic: sometimes reversed, legally constrained (and what is an act of War?)
- -- Shared vulnerabilities mandate a proactive, dynamic defensive posture; a mission kill is one e-mail away
- -- Thus a crisis of prioritization, where everything is urgent, mandatory and the many CoC lines are blurred
Many high-level cyber definitions and approaches
abound. No definitive enterprise top down action
plans, yet.
4 Cyberspace Characteristics
- What's so different?
- Man-made domain: complex and insecure by design
- Global stakeholders: public, private and government
- Speed of both action and change: zero separation
- Transcends physical, organizational and geopolitical boundaries; highly sensitive to political/legal influence
- Anonymity: identity/intent of players not always clear
Global reach impact
RoE / CONOPS Kinetic virtual NO
boundaries Legal aspects rule No clear Cyber
IFF!
AND sensors everywhere, ISR/METOC, SPACE,
Networks, ETC, Etc, etc!
(Source: derived from JS Cyber 101 brief)
5 Cyberspace Characteristics
In relation to other mission areas
All of the warfighting domains intersect
C2
IA
Cyberspace is a blend of exclusive and
inclusive ties. The Venn connections / COIs are
extensive.
Cyberspace Domain is contained within and
transcends the others
Numerous dynamic COIs dominate
relationships, adding complexity and causing
cross domain data sharing effects
(Source: derived from JS Cyber 101 brief)
6 Cyber must be E2E!
WE have a natural hierarchy in our enterprise
IT/network environment, where complexities arise
in the numerous interfaces and many to many
communications paths typically involved in
end-to-end (E2E) transactions
Apps
AND people processes
Enterprise
Site
Enclave
Network SoS
System / services
HW/SW/FM CCE
Each sub-aggregation is responsible for the
IA/cyber controls within their boundaries and
also inherits the controls of higher levels and
all weaknesses in any layer!
Thus, the IA/cyber controls and interfaces in
each element / boundary must be quantified /
agreed to upfront!
7 What's a simple IA/Cyber end-state / vision
look like? What are the Requirements
An end-state stresses encapsulation using secure
messaging
8 Cyber Prioritization Crisis: Draft paper in circulation, highlights are
- -- Cyber is fundamentally enacting a prioritized and balanced approach between existing IO/CNO (aka offense) and IA/CND (aka defense) capabilities,
- -- with diminishing resources, while also addressing dynamic and emerging threats through targeted R&D/S&T initiatives to fill gaps of the cyber vision.
- -- The RoE, CONOPS, organization relationships required are NOT the same as kinetic processes,
- -- Where the political / legal aspects of cyber will impede us all!
- -- CoC needs an effective situational awareness capability for "cyber" to enhance our decision superiority
9 Cyber Prioritization Crisis: Draft paper in circulation, intended for technical discussions
- Cyber technical foundations (what matters)
- 1 - Enterprise risk management process needed
- 2 - Fix/update/simplify what we have (CM too!)
- 3 - NO clear IA/security/cyber vision or end-state
- 4 - Supply chain security issues are everywhere
- 5 - Lack of enterprise SOA IA / security approach
- 6 - Enforce a common data strategy, security built in
10 Securing Cyberspace for the 44th Presidency
- A renewed focus on international collaboration, with more overt / open security methods,
- Continued emphasis on partnering government with industry, better quantifying the legal aspects of enforcement and proactive responses,
- Taking a holistic, overarching, fully integrated / meshed approach to security for the full spectrum IA needed in D.I.M.E. (Diplomatic, Intelligence, Military and Economic)
- Create a comprehensive national security strategy for cyberspace
- Organize and lead from the White House (create a national office for cyberspace)
- Reinvent the public private partnership
- Regulate cyberspace (not voluntary anymore, but not overly prescriptive either)
- Secure the industrial control systems ICS / SCADA
- Manage Identities
- Authenticate digital entities (in an enterprise IDM approach)
- Modernize authorities / laws (e.g., revise FISMA.. merge NSS and other standards)
- Use acquisitions policy to improve security
- Build the capabilities: research, training and education
- Do not start over, leverage CNCI
WE must collectively quantify and prioritize these
for leadership actions
11 Cyber security social contract, to Obama from industry
-- We all lack a common enterprise risk management approach
-- Need new internet protocols / methods to support security
-- "Enforceable" CM is mandatory (can reduce 80% of all attacks!)
-- Positive incentives to encourage / enforce folks to follow best practices
-- Lack of software quality and assurance
-- Multi-organizational coordinated roadmap / vision is essential
-- Map / manage the physical to cyber security (ICS / PCS / SCADA / etc)
-- Supply chain issues better understood, protected and testing against
-- Use / leverage / engage DARPA, IARPA, In-Q-Tel, etc.
-- Move from a passive, forensic-based defense to an active posture using real-time intelligence updates to dynamically adjust our protection levels
-- Must have both privacy and security built in
-- Focus on "insider threat" (a determined intruder inside or external)
-- Government embrace / lead the required IA standards that are effective
-- Modern IdM / access control (where our ZBAC approach works cross domain)
-- Set clear IA/security priorities, then resource, manage and control
WE must collectively quantify and prioritize these
for leadership actions
12 Leadership Summary / Recap (Cyber Security Collaboration Summit SD Nov 08)
- Common vision / end state / master plan: where are we going?
- Governance: more governance, coordinate ALL those in charge?
- Specified requirements and then some: top down, detailed needs
- Prescriptive implementation guidance required: fidelity in the what
- What's good enough IA/Security? Must have a common threshold
- Pedigree approach: simplify verification and compliance (build in)
- What is the IA business basis / ROI? (AND success metrics therein?)
- What is the future risk environment? Threats, consequences, etc?
- Training at all levels, especially user and SW development
- Standard architectures / standards / profiles (and a Trust Model!!!)
WE must collectively quantify and prioritize these
for leadership actions
13 Representative Navy Operator IA issues
- IA Master Plan: IA vision, clear IA goals
- IA Governance Structure / Consistent Policies
- Workforce Quals / Certs / Training
- "Improve Speed to Capability" - Implementing newer technologies.. HBSS, DAR, etc.
- IA Approach, Strategy consistent with SYSCOMs and DoD
- IA Policy/Architecture implementation guidance
- Enterprise Access Control - "Trust Model"
- Certification & Accreditation - Aggregation of systems
- Supply Chain Security / Defense in Breadth
- Sustain current IA and CND posture to ensure readiness
Calling things cyber will not change the
current IA and IO issues. These are still the
activities that are needed for protecting the GIG.
14 Recent IT/Cyber Leadership perspectives
- A - Political / legal cyber paper
- Cyber offense must be strictly monitored and controlled, due to potential escalation, state department implications, countries suing each other
- B - Navy IT FLAG/SES meeting results / paper
- -- Greater accountability, completer visibility, net-centric concepts need to be revisited, can't protect all networks - ensure the C2 / enterprise are
- -- Need better situational awareness, discipline in development and acquisition, TTPs... And training...
- -- Senior Advisors major conclusions: Stricter CM SA / inspect traffic
- -- FLAG / SES participants guidance
- Common governance and language, eliminate low to medium threats, focus more resources on defensive posture and key critical actions (aka - have a risk management approach), closer collaboration between Service / agencies, include space and undersea cables, exercise in degraded modes, stress education, use the RED TEAM to better effectiveness, avoid issues NMCI found, high speed acquisition and address COTS / supply chain management..
Issues / suggestions are similar to others, but
act collectively WE must!
15 NSPD-54/HSPD-23 CNCI 12 Initiatives
Many are still being finessed, and all need
prioritized
Establish a front line of defense
Trusted Internet Connections
Deploy Passive Sensors Across Federal Systems
Pursue Deployment of Intrusion Prevention Systems
Coordinate and Redirect R&D Efforts
Focus Area 1
Resolve to secure cyberspace / set
conditions for long-term success
Connect Current Centers to Enhance Situational
Awareness
Develop Govt-wide Counterintelligence Plan for
Cyberspace
Increase Security of the Classified Networks
Expand Education
Focus Area 2
Shape future environment / secure U.S.
advantage / address new threats
Define and Develop Enduring Lead Ahead
Technologies, Strategies & Programs
Define and Develop Enduring Deterrence Strategies
& Programs
Manage Global Supply Chain Risk
Define Federal Role for Cybersecurity in Critical
Infrastructure Domains
Focus Area 3
THESE are the key long-term business
opportunities!
(Source: derived from JS Cyber 101 brief)
16 What can we expect to help us?
- NSA / GIAP with CNCI better IA stuff
- Support for data/content centric security DCS
- Leaders get it, but we need to translate geek speak
- ESM / PvM helps automated systems, reporting
- COTS IA commercial suite B encryption
- Going beyond boundary protection approach
- Effective trust binding between data, layers and domains
- Develop an IA vision -> enterprise architecture
- Easier to build IA in through a top-down structure / standards
17 Where you can assist
- New technologies, methods, processes (CNCI!)
- Not so niche areas of general systems engineering, integration, rapid COTS / GOTS insertion, etc
- Collaboration with other innovative companies
- Partner with other security groups, IA/cyber entities
- Cyber packages needed, not un-integrated SW
- Follow issues / concerns, they will not go away
- Think tank, study, and discovery support efforts
- Top down risk management, prioritization approach!
18 Summary
- There are MANY IA/cyber initiatives in the works
- Follow the CNCI trail, that should prevail
- We still need cyber enterprise Requirements, just as we do now for IA and IO and C&A and .
- What is needed now, current issues, will exist in cyber
- W/o an enterprise risk management approach, any / all paths will do and we stay in the crisis of prioritization
- We ALL need better collaboration, DOD on down
- Users / platforms must drive cyber KISS commodity
- Vendors / integrators need to coalesce, drive the truck
Remember the P6 principle. Planning and
communications only gets us part way there. That's
our story, what's yours?
20 What is Information Assurance (IA)?
Measures that Protect and Defend Information and
Information Systems by Ensuring Their
Availability, Integrity, Authentication,
Confidentiality, and Non-Repudiation. This
Includes Providing for Restoration of Information
Systems by Incorporating Protection, Detection,
and Reaction Capabilities.
Confidentiality
- Assurance that Information is Not Disclosed to
Unauthorized Entities or Processes
Integrity
- Quality of Information System Reflecting Logical
Correctness and Reliability of Operating System
INFOSEC
Availability
- Timely, Reliable Access to Data and Information
Services for Authorized Users
Information Assurance
Authentication
- Security Measure Designed to Establish Validity
of Transmission, Message, or Originator
Non-Repudiation
- Assurance Sender of Data is Provided with Proof
of Delivery and Recipient with Proof of Sender's
Identity
WHAT parts belong where wrt our collective
enterprise trust model?
21 Cyber Protections Overview
(or why IA/IO/Cyber is so complex / hard,
because it is ALL of that and more!)
"CYBER"
PKI/CAC ID Mgmt
CIO FISMA Operations IAMs
IO and CNO Defend Attack Exploit
CND
CA
CA Support
IA
CMI/KMI
Policy
Training
IA Services
Multiple players, Multiple PEs/Lines, Multiple
threats, Multiple PMW/S/As
Typical IA Acquisition elements
Requirements
Enterprise Risk Mgmt.
NETOPS
Strategy AND Governance critical to
implementation success!
22 An Overall Enterprise Picture (what are the
minimal elements, who owns them, how do they
get integrated?)
SOA Security needs to account for more than
just SOA!
Apps COIs
SOA/ESB/Services
Business processes
There is more to the enterprise IA/CA picture
than just CCE, SOA and Apps, which are hard
enough to integrate
CCE
Dynamic Access Control
ITIL/ITSM SLA execution
Data security strategy / ownership
Hardware / Software Assurance
Data privacy protection and Auditable anonymity
IA/Security strategy must consider the whole
enterprise trust model!
23 So what really matters in IA/Cyber E2E? A
notional Quality of Protection (QoP) Hierarchy
(Wrt our defense in breadth position
paper, but what REALLY matters?)
DATA QoP (C-I-A and N A)
Complex Dynamic
Settings
IAA and CBE / DCS (distributed / transitive
trust model E2E data-centric security and
protections)
Core / Security Services (WS and other security
policy / protocols / standards (including
versions extensions therein))
Standards
IA devices
network protection CND FW / IDS / VPN / etc
(in general, mature capabilities but multiple
unclear CM processes are persistent and
problematic)
Known Static
IO and ... IA
AE / Policy
CNO/E/A, IW, OPSEC, etc
Crypto, KMI, TSM/HAP, policy, etc
Mainly IA standards, IAA, CBE/DCS and digital
policy!
24 GIG IA Protection Strategy Evolution
"Need to SHARE" and Distributed / transitive trust models
Today: Static Perimeter Protection Model. Common level of Information Protection provided by System High Environment
- Common User Trust Level (Clearances) across sys-high environment
- Privilege gained by access to environment and rudimentary roles
- Information authority determines required level of protection (QoP) for the most sensitive information in the sys-high environment; high water mark determines IT/IA/Comms Standards for all information
- Manual Review to Release Information Classified at Less than Sys-high
- Manual Analysis and Procedures determine allowed interconnects
Future: Transactional Enterprise IA Protection Model. Required level of Information Protection Specified for each Transaction
- User Trust Level sufficient across Transaction/COI varies for enterprise
- Privilege assigned to user/device based on operational role and can be changed
- Information authority determines required level of end-to-end protection (QoP) required to access information; translates to a set of IT/IA/Comms Standard that must be met for the Transaction to occur
- Automated mechanisms allow information to be Shared (Released) when users/devices have proper privilege and Transaction can meet QoP requirements
We will be loosely connected, sharing information
and protected?
25 The Big Picture: XML Family of Specifications
"LOTS" of standards and Specs to coordinate
26 IA / C&A Building blocks
- The desired end-state is in general one of a transformed single C&A process that accommodates all C&A needs and activities (re T&E / V&V)
- End-state needs to integrate and accommodate several major perspectives / initiatives
- (1) aggregation into some number of larger systems of systems (SoS) and enclaves / platforms,
- (2) platform IT (PIT),
- (3) the federal C&A transformation effort (bringing together DOD, IC and federal agencies), and
- (4) the new NNWC C&A process (for the Navy aspect).
- Develop a "security container" of sorts emulating the "CC" process (see http://www.niap-ccevs.org/cc-scheme/ ) that IA devices go through; establishes the same format / needs
- Natural to have a limited and controlled set of IA building blocks for a FEW main classes
- IA devices (crypto, EKMS, PKI/CAC, VPN, Firewall, IDS/IPS, HBSS, HAP/TPM devices, reference monitor, etc)
- IA enabled capabilities (OS, web browsers, messaging systems, screening routers, etc) (and we submit the IA/WSS standards need to go here too: prescribe a limited set of IA profiles with defined standards / protocols!)
- Services and Applications (we think we can define a standard "security container" for each, ideally a class - maybe a couple are needed for SOA/Services; we postulate the earlier three C&A types would work well)
- Critical IA capability devices (any key IT capabilities, we may have missed and want to specifically consider)
- PIT: Platform IT variants (there should be ONE general PIT super set, then each SYSCOM takes that and tailors it a little more for HME, WPNs/CBS, Avionics/Controls, SATCOM/LOS radios, etc)
- Remainder of NIST 95 descriptions: Intelligence activities; Cryptologic activities; command and control; weapons and their systems; systems for "direct military / intelligence" missions; and classified systems... Any special cases defined
- AND/OR consider the remainder of 8500.2 categories: AIS application; enclaves; outsourced IT; PIT interconnection (where Platform IT refers to computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems, such as weapons, training simulators, diagnostic test and maintenance equipment, calibration equipment, equipment used in the R&D of weapons systems, medical technologies, transport vehicles, buildings, and utility distribution systems)
Just as IT must transition to a commodity
approach, so must Cyber security!
27 Cyber Spans Warfare and Business Mission Areas
Net-centric operations as well as the emerging
new joint capabilities and integration
development process is where the DoD is headed in
the Business of Warfighting
Cyberspace
Cyber must effectively integrate Business and
Warfighter Mission Areas
Where GOVERNANCE (or lack of it), still rules
Source: Secretary of State Hillary Clinton
Statement, January 21 2009
Source: SSC Atlantic Cyber Strategy
(Source: notional, partially derived from
industry partner brief)
28 A National Security Issue
Ubiquitous Presence
- 1.5 billion people on the Internet, much of Asia and Africa still to come
- (using wireless, which is cheaper to install)
- Upwards of 200B e-mails per day
- Critical to commerce, government, business processes, safety, etc.
- Exponential demand: 8 hours of YouTube uploaded every minute
- Increasing connections: global wireless and cellular usage
- Volumetric rise in data everywhere, with no enterprise data security and tracking approach (Internet database)
Salient Danger
- Cyberspace intrusions and attacks are a real and emerging threat
- U.S. faces a dangerous mixture of vulnerabilities and adversaries
- Cyberspace situational awareness is not mature (and not at all levels)
- PEOPLE, Information and the C4ISR infrastructure are targets
- Exploitation, disruption, exfiltration, misinformation or destruction are adversary goals (bragging rights)
- Malicious cyberspace activity is increasing in regularity and severity
Attacks on Critical Infrastructure could
significantly disrupt the functioning of
government and business alike and produce
cascading effects far beyond the targeted sector
and physical location of the incident. --
2007 National Infrastructure Protection Plan
(Source: derived from JS Cyber 101 brief)