DOD speeds PKI development

In a sweeping move to improve computer security, the military will require all personnel to use public-key infrastructure (PKI) technologies by midsummer to log on to the Non-secure IP Router Network (NIPRNET), the military’s unclassified network.

The Joint Task Force for Global Network Operations (JTF-GNO), the organization that oversees the operation and protection of military networks, issued guidance last month to military services and agencies on configuring systems and providing training for the PKI implementation.

The initiative requires the use of Common Access Cards, digital signatures, e-mail encryption, and Web server soft certificates for desktop and notebook computers and servers that connect to NIPRNET, according to the JTF-GNO Communications Tasking Order 06-02, Tasks for Phase 1 of the Accelerated PKI Implementation.

“Ongoing intrusion activity has focused on exfiltration of valid user names and passwords for use in further exploitation and access. This situation represents a direct and growing danger to the protection of the Global Information Grid,” states an unclassified but for-official-use-only document released Jan. 17. GIG is the military’s name for its networks.

Since 2003, countries such as China, crime gangs and hackers have increasingly tried to penetrate Defense Department networks, sometimes successfully. They attempt to steal and sell U.S. military secrets and slow DOD networks.

JTF-GNO’s guidelines include target dates for implementing PKI and instructions on the use of passwords for those computers and servers that do not make the deadline.

They also require significant awareness and system configuration training for all DOD systems administrators. Federal Computer Week chose not to publish detailed information in the document for security reasons.

“Compliance with this [task order] will enhance the security of DOD information systems and establish deadlines for training, verification, installation and progress reporting,” said Tim Madden, a spokesman for JTF-GNO.

In response to the order, the Army started implementing PKI last month and plans to have 10,000 workers at Army headquarters using it by March.

Spyware or keystroke-tracking software can steal user names, passwords and personal identification numbers, but they cannot steal Common Access Cards that use electronic information and digital PKI certificates to verify users’ identities, said Lt. Gen. Steven Boutelle, the Army’s chief information officer, in a Jan. 25 Army statement.

“One of the greatest vulnerabilities of our networks is posed by weak user names and passwords,” Boutelle said. The Army has borne the brunt of the attacks.

TKC Integration Services (TKCIS) won a contract last summer worth more than $1 million to oversee the installation of PKI throughout the Army.

The Alaska Native Corporation chose Tumbleweed Communications’ Tumbleweed Validation Authority product to verify whether a user’s PKI digital certificate is valid, said Joel Lipkin, senior vice president of TKCIS’ General Services Administration and Systems Integration Division.