Fortifying DOD's network defenses

Incremental steps will not do, security experts say

Defense Department officials can implement a mixture of technologies and procedures to fortify the department's computer networks, but real protection requires designing a new generation of systems and security tools, a leading computer scientist said.

Eugene Spafford, a computer sciences professor at Purdue University who has testified before Congress on cybersecurity, questions whether it's possible to develop new systems without investing in long-term research.

Attacks on DOD computer networks are on the rise as adversaries attempt to bypass the United States' formidable defenses and launch attacks from the inside out, experts say.

Defending DOD's networks will require a combination of efforts, Spafford said.

He outlined six steps DOD could take to strengthen the department's network defenses. They are:

  • Buying systems based on security features rather than cost.
  • Limiting access to systems.
  • Removing systems from networks unless those systems are absolutely necessary.
  • Restricting who can add hardware and software to networks.
  • Requiring proper training and supervision for network managers and computer users.
  • Establishing careful network-monitoring practices.

But Spafford said incremental changes will not strengthen existing networks, and a whole new approach is needed.

"Unfortunately, the government is not funding much research in cybersecurity and almost none in long-range research," said Spafford, who is also executive director of Purdue's Center for Education and Research in Information Assurance and Security. He cited President Bush's decision in June to let the President's Information Technology Advisory Committee expire without reappointing current members or selecting new ones.

Spafford said the threat to DOD networks is varied and complex. "In large part, the systems used are based on commercial products that were never written for high-security environments," he added.

Spafford said misconfigured or misapplied patches create vulnerabilities that are exacerbated by having systems linked together.

"It means that any weak point can be accessed from all sorts of places and can in turn reach out to damage lots of other military systems," he said.

Clint Kreitner, president and chief executive officer of the Center for Internet Security, a nonprofit organization that helps government and industry officials better manage computer security risks, said DOD should limit access to certain networks.

Alan Paller, director of research at the SANS Institute, said government and industry should avoid using new information assurance technologies that vendors claim are impervious to attacks. Instead, he said, they should anticipate new threats 18 months in advance and develop technologies and policies to address them.

A Defense Information Systems Agency official said DOD relies on a sophisticated approach to information assurance. The official added that the department is changing how it builds systems by moving to a service-oriented architecture that will make IT services widely available on the network and improve data sharing governmentwide.

"We are doing this in order to make more and better data available to more people in DOD and to our partners, and as a way of increasing our agility and our ability to innovate in the development of warfighting processes based on these services," the DISA official said.

DOD also changed its approach to network operations. The official said the department has moved to a structure that puts the Joint Task Force-Global Network Operations in charge of operating, managing and defending DOD's information infrastructure, with organizations in the military services reporting to the joint task force.

DOD relies on its global networks and IT to achieve its mission, and the country's adversaries recognize DOD's dependence on networks and electronic information, the DISA official said.

"The DOD networks are very large," the official said. "So we have many challenges in synchronizing the many IT efforts and security for these across this vast infrastructure."

Protecting the network

The Defense Department has a multifaceted approach to information assurance that it has followed for many years. It has processes for:

  • Designing, configuring and securing systems.
  • Operating information technology systems appropriately and securely.
  • Training and certifying network operations employees.
  • Developing and deploying infrastructure protections.
  • Fielding methods to measure security compliance.
  • Detecting, diagnosing, reacting to and assessing network attacks.

Source: Defense Information Systems Agency
