«DEFENSE SCIENCE BOARD SUMMER STUDY TASK FORCE ON INFORMATION ARCHITECTURE FOR THE BATTLEFIELD, OCTOBER 1994 ...»
- Centralized and distributed (delegated) network access management features which can respond quickly to access constraints on portions of a common network
- Consistent, scalable encryption technology that can support performance ranges from data packets on Kbps lines up to bulk encryption of Gbps backbones
- Detection capability to alert users when networks and connected systems are under attack, and capability to respond to and recover from such an attack
- Phase in of technical solutions via a clear security loss risk management approach
Information Product Standards
* Commercial technology to provide tools and infrastructure that will allow multi-media products which are more intuitive to military operator. This capability permits fusion of many information sources and is essential for rapid decision making.
- Determine what these product standards should be
- Joint effort between military operator, production organizations, and technologists
- One product will not service all customers
Essential Information Needs
* What information is critical for the battlefield (continuously evolve). Data architecture/model for information to determine key points of interoperability
* Common data definitions and common standards for the waveform and physical layers of information systems
- Base level information infrastructures of the Services must use the same interchangeable components and standard data elements
* Incremental solutions that support information brokers as intermediate translator - combined with longer term strategies that rely on the P3I process
On-line Information Sources/Services
* Information providers on the network with a "pull" and profiled "push": Imagery collection processors; Digital archives/fileservers (imagery, Intel products, etc.); Intelligence providers; Logistics, Medical histories, MC&G products
* Common information services across a broad range of users: Information browse and retrieval, Information storage management and priority setting, User telephone books, Network management
* Prototype services and field in demonstrations via commercial software solutions and then tightly integrate results into the architectural and standards efforts across the DoD
Integrated Management
* Critical for process improvement
* Begin developing tools that can automatically task across DoD resources (seamlessly).
For example: Mission Planning Application generates an Air Tasking Order that assigns mission execution responsibilities to multiple squadrons. This message leads to tasking of numerous actions for the imagery enterprise: it kicks off a search of distributed digital archives for available imagery and products for pilot orientation, tasks production organizations for target materials preparation and threats, and tasks collectors to address information gaps and establish a dissemination profile for new information and products as they are generated.
Figure D-9
The Architect's guiding principles in evaluating the architecture process must acknowledge that due to continuing technical advances and shifting mission needs, organizational structures, and strategies, there is no "final solution" for information infrastructure. Instead, the architecture process must allow continuous transition from what exists to what is more appropriate. We must allow for rapid integration of applications developed outside the system, with software portable across hardware platforms, and systems scalable to meet evolving requirements and multiple users' needs. Our systems should be able to accept "technology advance" infusions, use commercially available technology to reduce risk, and depend on heavy user involvement and feedback, plus operability testing, throughout the development cycle. Finally, evolutionary acquisition/rapid development (as opposed to rapid prototyping) is required, using "open" system/distributed architecture standards and user pull, multimedia, seamless systems.
Some Fundamental Information Architectural Considerations
Multi-Level Security
The enterprise architecture for C4IFTW must address security concerns, including multi-level security, information protection, privacy rights, law enforcement objectives, and national security. The requirements for security in a battlefield architecture will drive the security structure to be implemented. We must place priority values on security requirements; they should not all be treated equally.
It has been difficult to field and obtain approval for Multi-Level Security (MLS)/Trusted systems that take advantage of available INFOSEC technology because the onerous security processes are based on older technology and the "elimination" of risk. DoD should adopt a philosophy of "risk management" vis-a-vis "risk avoidance"; the benefits of operating in a multi-level mode should be weighed against the residual risk. Available Trusted technology will permit operation of a C4I system with information classified from "Secret" to "Unclassified".
We need to explore non-traditional means to implement secure environments in the information infrastructure, much in the same way as the Copernicus architecture took a nontraditional approach to implementing a more effective system for information-on-demand to military users. DoD must identify functionalities, criteria, standards, and uniformity objectives which will facilitate seamless, secure interoperability from a top level architecture perspective as well as from a multilevel security and information protection perspective. Solutions must be practical for both operational users and product developers.
Better and faster solutions can only be developed effectively as a product of the development and investment strategies suggested in the technology list in Figure D-10. Without a coordinated, standardized, and structured approach, solutions may not anticipate all factors and therefore will only offer a piecemeal response. Solutions must cross institutional lines, i.e., government-commercial, to derive optimal effectiveness from investment decisions.
Figure D-10
OSD should require the use of currently available MLS/Trusted technology to allow classified information to reside on interconnected systems at multiple security levels. To maintain protection of this information, mandatory access control is needed to overcome the vulnerability of discretionary access control that permits authorized users to grant their privileges to others at their discretion. Mandatory access control provides a means of controlling access to data based on the sensitivity of the data as represented by labels of operating systems objects (e.g. files, devices, areas of memory, tables, sequences, views, etc.) and on the formal authorization or clearance of the user attempting to access the data. Mandatory access control and information labeling are two essential features of multi-level security systems.
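The difference between a discretionary grant and a mandatory label check, as an added example that is not part of the original report. The class and function names are hypothetical, "Confidential" is an assumed intermediate level, and the no-write-down rule is the standard companion to the read rule rather than something the report states.

```python
from dataclasses import dataclass, field

# Levels named in the report are "Secret" and "Unclassified"; "Confidential"
# is an assumed intermediate level added for illustration.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2}

@dataclass
class User:
    name: str
    clearance: str                       # formal authorization of the user

@dataclass
class Obj:
    name: str
    label: str                           # sensitivity label on the object
    owner: str
    acl: set = field(default_factory=set)    # discretionary read grants

def dac_grant(obj, grantor, grantee):
    """DAC: any user who already has access may pass it on at their discretion."""
    if grantor == obj.owner or grantor in obj.acl:
        obj.acl.add(grantee)
        return True
    return False

def dac_can_read(obj, user):
    return user.name == obj.owner or user.name in obj.acl

def mac_can_read(obj, user):
    """MAC: the clearance must dominate the object's label (no read up)."""
    return LEVELS[user.clearance] >= LEVELS[obj.label]

def mac_can_write(obj, user):
    """MAC: no write down, so labelled data cannot leak into a lower object."""
    return LEVELS[user.clearance] <= LEVELS[obj.label]

def can_read(obj, user):
    """Combined decision: a discretionary grant is necessary, never sufficient."""
    return dac_can_read(obj, user) and mac_can_read(obj, user)

def demo():
    alice, bob = User("alice", "Secret"), User("bob", "Unclassified")
    order = Obj("air_tasking_order", "Secret", owner="alice")
    dac_grant(order, "alice", "bob")     # alice shares at her own discretion
    memo = Obj("memo", "Unclassified", owner="bob")
    return {"dac_only": dac_can_read(order, bob),    # grant alone admits bob
            "dac_and_mac": can_read(order, bob),     # label check refuses him
            "owner_reads": can_read(order, alice),
            "write_down": mac_can_write(memo, alice)}

if __name__ == "__main__":
    print(demo())
```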
Personnel, physical, procedural and technical measures have been identified for secure systems. These measures are reasonably easy to implement and all of the necessary components are available now to provide MLS/Trusted information systems security. Examples include: LANs, operating systems, compartmented work stations, databases, a Tessera product which employs the new Digital Signature Standard, and a Navy-certified system that can provide any combination of sanitization, downgrading, transliteration, and high-to-low or low-to-high guard functions.
Information and Information Systems Protection
If the U.S. is to maintain a competitive combat advantage in future conflicts, then the information and information services upon which it depends must be protected commensurate with the intended use. All of the DoD military and support functions are highly dependent upon the information and information services provided by the Defense Information Infrastructure. The DII is highly susceptible to attacks which disrupt information services (availability) or corrupt the data (integrity) within the infrastructure; many nations and groups have the capability to cause sufficient disruption (both availability and integrity) to the DII and in turn cripple U.S. operational readiness and military effectiveness.
It is important to understand that INFOSEC and Defensive Information Warfare share many attributes but the two are not the same. Existing INFOSEC policies and activities are content-centric. That is, they are focused on the need for protection based on the sensitivity of the content of the information to be protected. The design factors used to protect against normal breakage and natural disasters or attacks to obtain access to sensitive information content are inadequate to deal with the levels of disruption that can be readily caused by malicious actions. (For example, encryption can protect the content of a signal; an attack that upsets the synchronization of the encryption device will not expose the content of the information but may stop the flow of information and thus stop the function using the information.) If the Department of Defense is to maintain a suitable level of military preparedness to meet the national security requirements of the U.S., the information infrastructure upon which it depends for information services must be strengthened against malicious attack. This must address protection against attacks, detection of attacks, and the ability to react to attacks.
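The parenthetical about encryption synchronization, worked as an added example that is not part of the original report: a link that keeps its frame counter implicit loses every later frame once one is dropped, while a link that sends an authenticated counter detects the gap and recovers. The keystream is a toy built from SHA-256, and the keys, frame contents and function names are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed demo keys; toy SHA-256 keystream, not a fielded cipher.
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"

def keystream(counter, n):
    return hashlib.sha256(ENC_KEY + counter.to_bytes(8, "big")).digest()[:n]

def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def send_implicit(frames):
    """Both ends count frames silently; the counter never goes on the wire."""
    return [xor(f, keystream(i, len(f))) for i, f in enumerate(frames)]

def recv_implicit(wire):
    return [xor(c, keystream(i, len(c))) for i, c in enumerate(wire)]

def send_framed(frames):
    """Each frame carries its counter and an HMAC tag over counter + ciphertext."""
    out = []
    for i, f in enumerate(frames):
        hdr = i.to_bytes(8, "big")
        ct = xor(f, keystream(i, len(f)))
        out.append(hdr + ct + hmac.new(MAC_KEY, hdr + ct, hashlib.sha256).digest())
    return out

def recv_framed(wire):
    """Returns (plaintexts, gaps); gaps lists (expected, seen) counter jumps."""
    plain, gaps, expected = [], [], 0
    for pkt in wire:
        hdr, ct, tag = pkt[:8], pkt[8:-32], pkt[-32:]
        good = hmac.new(MAC_KEY, hdr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            continue                      # corrupted or forged frame: drop it
        seq = int.from_bytes(hdr, "big")
        if seq < expected:
            continue                      # stale or replayed frame: drop it
        if seq != expected:
            gaps.append((expected, seq))  # detection: sync was disturbed
        plain.append(xor(ct, keystream(seq, len(ct))))   # reaction: resync
        expected = seq + 1
    return plain, gaps

FRAMES = [b"move to grid A", b"hold position", b"resupply at 0600"]  # constructed

def demo():
    # The first frame is lost in transit on both links.
    return recv_implicit(send_implicit(FRAMES)[1:]), recv_framed(send_framed(FRAMES)[1:])
```

On the implicit link the content stays confidential but nothing after the lost frame is usable; the framed link reports the gap and keeps delivering.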
Examples of refocus investment areas are listed in Figure D-11.
Refocus Investment Areas in Information & Information Systems Protection
* Protection
- Provide sufficient redundancy so that functions do not depend upon the uninterrupted operation of any particular information system or communications service. What functional events have to happen when and what information is needed to obtain the objective at the desired operational tempo?
- Provide sufficient protection that "over-the-wire" attacks cannot exploit known flaws in operating systems
- Develop security processes and devices (fire walls, etc.)
- Develop metrics to portray the relative value of a function or process to the mission(s) as a function of time during peacetime, force deployment, force employment, and force sustainment
- Conduct the necessary research to enable the network data manager to protect information in a mobile environment
- Develop defensive information warfare exercise capability to stress the information systems supporting the forces so that the military learns how to operate under varying time / bandwidth and error rate ratios
* Detection
- Develop tools to monitor network operations, detect and audit inappropriate behavior, and detect abnormal operating patterns
- Develop tools and techniques for validating the integrity of the data held in a database
- Develop tools to aid in the detection of malicious software code and aid in repair of damaged code
* Reaction
- Provide robust capability to perform triage functions and manage restoration of operations
Figure D-11
At a minimum ASD (01) should task DISA to develop a roadmap to implement auditing capabilities that can locate and isolate malfeasance, develop tamper-resistant network security components and develop and field technologies that protect the information systems from untrusted software and/or active agents.
Abandon the Grand Design Approach
The architect's processes for information systems must abandon physical "Grand Design" approaches. As depicted in Figure D-12, each of the elements that make up an information system has a life-cycle of its own. Attempting to apply one acquisition strategy to components that may have a life that varies by two orders of magnitude has been proven to be unworkable.
Figure D-12
Software applications are (or should be) inexpensive, should serve local needs (as long as they can't fiddle with the data structure) and should be rapidly built using standard software components and objects. The life span of a generation of commercial computing hardware is currently under two years. After four to five years it is now cheaper to replace rather than repair hardware components. The useful life span of software applications can vary from one-time-use to about ten years, occasionally even longer. But usually the functional process that uses a software application changes more rapidly than once a decade, so the software application must be redone or it will inhibit functional progress.
Data can have a very long life. (Most people would like their medical record to retain its viability for a century.) Although some data is transient, much is retained. The design of databases and the maintenance of data integrity is where much of the cost of information systems is accumulated and where standardization and central management attention pays.
DoD Directive 8120.1, Life-Cycle Management of Information Systems, and the companion instruction (DODI 8120.2) recognize these different cycles and establish the policy that the acquisition of these components should be done separately and using rapid prototyping and evolutionary acquisition procedures. However, too many are still trying to buy information systems using the outdated physical "Grand Design" approach.
Common Data Definitions and Waveform Standards
Joint Pub 1 makes it clear, the doctrine of Joint Warfare and the Joint Task Force are the organizing principle for the U.S. military. This is supported by the C4I For The Warrior concept that calls for the vertical and horizontal sharing of information. Note from Figure D- notwithstanding the desire to drop military specifications, data elements, formats and waveforms must be standardized or we will continue to have the Tower of Babel seen in all recent wars.
Since our previous discussions have twice highlighted the need for establishing joint information needs and design of databases as the fundamental starting point for the objective capability, the information sharing envisioned in C4IFTW will not happen unless data element standardization remains a high priority effort and dissimilar and redundant terms are ruthlessly rooted out. The Air Force "Horizon" concept and the Army "Enterprise Strategy" recognize that force projection will be anchored at the CONUS base. We are convinced that if terminology and information technology piece-parts are not interchangeable in garrison the information systems that deploy forward will not "plug and play" on the battlefield.