Latest Strategies for IT Security

Margaret MyersPrincipal Director, Deputy CIO

United States Department of Defense

North American Day 2006

How does the DoD define information assurance (IA)?

Availability

Confidentiality

Integrity

Identification & Authentication

Non-Repudiation

Secure the information and the information environment

– Encryption and crypto keys– Computer network defense– Identify protection/PKI

Red team– Independent assessments

of vulnerabilities

Educate/train– Building the IA-

empowered workforce

How it HappensWhat it is

Information available to

authorized users when and where

they need it

Trust in the information

Confidence in the

information environment

Why does it matter?

We rely on our information and information environment to:

– Reduce decision-kill chain

– Provide real-time access to mission relevant information

– Facilitate functional integration of dispersed command, targeting, weapons delivery

– Support operations with our Allies and other partners, government and non-government

– Enable force projection and information reach back

– Provide user defined common operational picture

Compromised information and information environment can lead to devastating consequences

Information assurance cannot be the Achilles heel of the DoD

Reported Events on NIPRNet

0

20000

40000

60000

80000

2001 2002 2003 2004 2005

Information is foundational for all DoD missions

DoD depends on information sharing across the enterprise (warfighting, intelligence, and business mission areas) and with our external partners (government, coalition, commercial, and non-government organizations)

Our network infrastructure is vulnerable– Attacks are increasing and time to

exploitation is decreasing (shorter “flash to bang”)

– Reported security events on DoD networks are rapidly increasing

– There is HW / SW of unknown pedigree throughout the information value chain

Threat actors are increasingly sophisticated

– We believe sophisticated adversaries could exfiltrate information and disrupt operations

– We lack capabilities to detect and respond to many malicious activities

The underpinnings of our network are vulnerable

0

50

100

150

200

250

2001 2002 2003 2004 2005

Average Time to Exploitation

Days

Sources: Roundstone; Symantec

Events

As of April 1, 2005

1000+ serious incidents

An Information Age approach to net-centricity

Fundamental Shift: Requires ENTERPRISE, not stovepipes Requires ACCESS, not exclusivity Requires TRUST

Trust in the Environment (availability) Trust in the Information (assurability) Trust in the Participants (identity)

Confront Uncertainty with Agility

User “gets what he gets” User “takes what he needs” and “contributes what he knows”

Net-centric framework

• Data Strategy: – How to “share” the data

• Information Assurance: – How to keep it “dependable”

• Enterprise Services: – How to “access” the data

• Information Transport: – How to “move” the data

• Net Ops: – How to “manage” the environment

01NOV05/0050

Data: Discoverable, Accessible, Understandable

Information assurance (IA) strategy

• Protect information– Data protection requirements– Protection mechanisms– Robust mechanisms

• Defend the information environment– Engineered defenses– Ability to react and respond– Activities to assess and evaluate

• Provide situational awareness/IA command and control

– User-defined operating picture– Coordinated IA operations and decisions– Collaboration

• Transform and enable IA capabilities– IA integration into programs– Dynamic IA capabilities– Improved strategic decision-

making– Information sharing

• Create an IA-empowered workforce– Baseline skills– Enhanced IA skill levels– Trained/skilled personnel– Infusion of IA into other disciplines

Vision – Dynamic IA in support of net-centric operationsMission – Assure DoD’s information, information systems, and information environment

Our IA strategy has two thrusts – Securing today’s operations and tomorrow’s net-centric environment from evolving threats

• Security embedded into each transaction (e.g. individuals, discrete content and specific assets)

• Strong data content security both in storage and in-transit

• Authentication and near real-time monitoring and response

• Real-time risk management to the edge

Defense-in-Depth dominated by perimeter defense

Physical separation of sensitive networks and systems

Highly specialized connections between networks of different security levels

IA to Sustain Today’s Mission & Operating

Environment

IA to Enable Tomorrow’s Net-

Centric Operations

We are making good progress, but much work remains

Acc

ompl

ishm

ents

Cha

lleng

es

Enforceable enterprise IA policies

Strategic and operational metrics

IA awareness training ( 80%)

Joint Task Force (Global Network Operations)

Enforce IA policies across the Department

Obtain funding to build IA Architecture

Harden SIPRNet

Mitigate insider threat

Certify IA skills

Global Information Grid IA Architecture

IA investment portfolio structure

Identity management (PKI, biometrics)

Expand partnership with industry for IA R&D

Mitigate the risk of unknown hardware/software

Increased coordination and collaboration with federal, coalition, and allied IA partners

Today’s Enclaves

Tomorrow’s Enterprise

For more information…

Dr. Margaret MyersPrincipal Director, DoD Deputy CIO

(703) 695-0871margaret.myers@osd.mil