«DEFENSE SCIENCE BOARD SUMMER STUDY TASK FORCE ON INFORMATION ARCHITECTURE FOR THE BATTLEFIELD, OCTOBER 1994 ...»
Current standards, policies, procedures, and tools are designed to mitigate an attack on the information and information infrastructure mounted for the purpose of destroying or disabling the functions that depend upon the information and/or information infrastructure without regard to the classification of the information.
If the U.S. military is to maintain a competitive combat advantage in further conflicts, the information and information services upon which the U.S. military depends must be protected commensurate with the intended use. Analysis shows that all of the Department of Defense military and support functions are highly dependent upon the information and information services provided by the Defense Information Infrastructure (DII). The DII is highly susceptible to attacks which disrupt information services (availability) or corrupt the data (integrity) within the infrastructure. Many nations and groups have the capability to cause significant disruption (both availability and integrity) to the DII and, in turn, cripple U.S. operational readiness and military effectiveness. The design factors used to protect against normal breakage and natural disasters or attacks to obtain access to sensitive information content are inadequate to deal with the levels of disruption that can readily be caused by malicious actions. For example, an encrypted signal can protect the content of information. An attack that upsets the synchronization of the encryption device will not expose the content of the information, but may stop the flow of the information and thus stop the function using the information.
If the Department of Defense is to maintain a suitable level of military preparedness to meet the U.S. national security requirements, the information infrastructure upon which it depends for information services must be strengthened against malicious attack.
This must address protection against attacks, detection of attacks and the ability to react to attacks.
A key problem is the vulnerability of national and DoD infrastructures and the defensive aspects of dealing with those vulnerabilities. A Program Objective Memorandum (POM) issue paper on a defensive IW alternative exists. Also, the Joint Security Commission recommended spending 5-10% of the infrastructure costs to protect the civil infrastructure. These estimates notwithstanding, the Task Force's judgment is that no comprehensive analysis has been completed of the cost and effectiveness of defensive weapons for DoD systems to establish where the knee of the cost/benefit curve is, nor how far beyond the knee DoD should be willing to spend, considering the gravity of the vulnerabilities for defense activities in both peace and war.
Despite the absence of such an analysis, this Task Force is persuaded that DoD is currently spending far too little on defensive IW, and that the gravity and potential urgency of the problem deserves redress. We therefore recommend that:
* The Secretary of Defense support immediate increases in funding for defensive IW, focusing attention on protection of critical information services;
* As a detailed part of the Net Assessment process recommended above, the Secretary of Defense should direct ASD (C3I) to carry out:
- An assessment of DoD's critical information needs;
- Threat development as part of the National Intelligence Estimate (NIE) process;
- A risk assessment and a risk management strategy to apportion actions during procedures, processes and systems.
Red Team to Evaluate Information Warfare Readiness and Vulnerabilities
Red Teams that imitate the capabilities of potential DoD adversaries have been used in the past to determine vulnerabilities and countermeasures to a wide range of threat types. IW Red Teams are needed to operate against IW protection afforded to individual weapons systems, elements of information systems, and full information systems that support defense operations (Figure 4-9). The results of Red Team actions and analyses could be incorporated into the modeling and simulation recommendation (Section 3.11), and Red Teams could be an active player in the BITF. Red Team methodologies and results could also be an integral element of the recommended net assessment. An IW Red Team should be incorporated in DoD instruction 5000.1, 3600.1, and other applicable instructions and directives.
4.10 Joint DoD Strategy Cell for Offensive and Defensive Information Warfare
An IW strategy that integrates offensive IW, defensive IW, and intelligence operations must also integrate IW with information in warfare and take adversary actions, reactions, and evolution into account. This Task Force recommends that, as shown in Figure 4-10, the VCJCS create an integrated, joint DoD IW strategy cell. This cell should include, at a minimum, representatives of the J-2, J-3, J-5, J-6, and J-7 staff elements; the U.S. Special Operations Command; the Services; the DISA; and the intelligence agencies. It should be led by a Flag level officer and report directly to the VCJCS.
A major function of this cell would be to speed up the process by developing a focused operational strategy to implement the information warfare technology revolution.
4.11 Major Policy Issues
Information warfare issues are larger than DoD but there is no national IW policy (Figure 4-11), although a PRD is in draft. The vulnerabilities of the national use of information, coupled with the global spread of information warfare capabilities, raise the prospect of strategic information war with potentially grave implications for U.S. interests.
This possibility should be a focus of the national policy review, based on inputs from DoD.
There is a DoD policy on Information Warfare whose basic strategy is to seek "dominance" in both the use of information as warfare and in Information Warfare.
Below this basic strategy, there are fundamental questions as to how to achieve "dominance" within available resources. The questions and issues for DoD are very similar to the issues at the national level. This is not surprising, since the prospects for "civil" information warfare in "peacetime" have much in common with DoD concerns.
Alternatives or building blocks for both national and DoD strategy all have cost and effectiveness issues, and some, especially in regards to the civil infrastructure, have legal and/or other policy implications.
Figure 4-11
There are several common issues between the national and the DoD problems.
First, widespread protection of the civil and military information enterprise, or making it more robust against degradation would be a lengthy and extremely costly process, and there is a fundamental technical question as to their effectiveness. Substantial protection of the civil information enterprise would entail a "cultural change" in the private sector side of the enterprise. The development of the information infrastructure has been based on ease of use and access. Software has stressed "friendliness" and a trend toward openness.
These increase vulnerabilities. System intrusions by hackers and the growing incidence of industrial software espionage and fraud are beginning to cause change, but there will continue to be a tension between utility and security. Further, to have high confidence that the vulnerabilities would be reduced below the level of strategic concern, the Government would have to insert itself more and in new ways.
This also means that unclassified but "not sensitive" federal data could be left totally unprotected. For example: medical, financial, economic, or air traffic control system data may be deemed in this unprotected category.
In both the civil and DoD cases, potential adversaries' strategies and capabilities need to be taken into account. So also does the evolution of the global technology base as it shapes both U.S. and adversaries' capabilities, especially because generation changes in information technology happen so fast. The interplay between offensive and defensive information warfare, both that of the United States and that of potential adversaries, must be addressed.
DoD has begun to address information warfare related questions, but has devoted more attention to offensive IW than to defensive IW. Of particular note is the fact that the majority of DoD communications pass through the highly vulnerable Public Switched Network (PSN).
The NSA possesses the critical expertise needed to help protect the PSN and the larger NII, but is limited by existing authorities, e.g., the Computer Security Act of 1987, to dealing with federal systems handling classified information. The same Act assigns the National Institute of Standards and Technology (NIST) the role of protecting federal-only unclassified but sensitive information. No one is responsible for protecting the commercial, public and private systems upon which national viability now depends. This must be addressed in the national policy review.
Likewise, acquisition and export policy related to IW systems currently falls into several areas of responsibility. A coherent unifying policy is needed to bring all aspects of IW into focus and avoid wasting decreasing resources.
SECDEF is in a good position to draw upon DoD's IW experience and lead the effort to develop an effective national IW policy. The Secretary of Defense should review the draft PRD and the related issues. The net assessment recommended earlier in this report should be expedited to provide a basis for these reviews. The Secretary of Defense should also direct ASD (C3I) to lead development of DoD policy for treating IW in acquisition and in export policy.
5.0 BUSINESS PRACTICES
5.1 Strengthening our Warfighter Information Infrastructure Management Processes
This section of the report summarizes the assessment of DoD's business practices for information systems. Business practices are defined broadly in this assessment to include: modeling and simulation for use in training, exercise and requirements definition; the requirements definition process for information systems; net assessments in information in warfare and information warfare; and the roles and mission of the various organizations involved in information systems development and use, with special attention regarding the need for, and role of, an architect for DoD military information, and the acquisition process.
Figure 5-1
In reviewing U.S. battlefield information systems, the Task Force concluded that DoD has built a system of systems that collectively does not adequately support the warfighters, especially where they fight in joint operations (Figure 5-1). There are shortfalls in interoperability, information dissemination and the rapid reconfigurability of battlefield information systems. For example, U.S. forces encountered difficulties in preparing, coordinating, and disseminating the Air Tasking Order during Desert Storm; had problems in disseminating imagery to tactical users in Desert Storm, especially national imagery; and encountered chronic problems when trying to equip an ad hoc Joint Task Force with appropriate information system capabilities.
However, the DoD has recently established a number of management process initiatives which ought to significantly rectify these deficiencies as these processes mature and become a part of the DoD's management mechanisms. These initiatives include:
* The C4I for the Warrior Vision;
* The implementation of the Global Command and Control System;
* The VCJCS' expanded Joint Requirements Oversight Council (JROC) Joint Capabilities Assessment, and the more vigorous plan for the JROC in articulating military requirements;
* Interoperability initiatives within the DISA, including the Technical Architecture Framework for Information Management (TAFIM), the Defense Information Infrastructure, the Joint Interoperability Test Center and others;
* The DEPSECDEF's initiative to establish an Enterprise Integration Board and an Enterprise Integration Council to oversee the interoperability and cross-functional management of DoD's Corporate Information Management (CIM) systems;
* Information architecture initiatives that are underway in each of the services; and finally, of course,
* The DoD Acquisition Reform and commercial-off-the-shelf (COTS) initiatives already underway.
However, even taking into account these constructive initiatives, some major concerns remain. First, the roles and responsibilities for our warfighter information systems are more diffuse than the roles and responsibilities assigned for our functional component information systems, such as logistics, health and finance. The mechanisms that produce information architectures and information system acquisition processes suffer from a lack of adequate input from the joint warfighter community. And, the DoD acquisition system is unable to keep pace with the rapid evolution of information technology which is occurring today in the commercial sector.
5.2 Management Structure Concept for Improving Our Warfighter Information Infrastructure
In seeking constructive and viable management structure changes to improve our warfighter information processes, the Task Force first reviewed the existing authorities and responsibilities of the major entities who oversee warfighter information systems in DoD, including statutory responsibilities, and examined the initiatives the DoD currently has underway to deal with the concerns identified on the previous chart. As depicted in Figure 5-2, the DEPSECDEF, in April 1994, created the EIB and EIC to achieve the goals of Corporate Information Management and to undertake an enterprise integration approach to the accelerated implementation of migration of our legacy information systems, and establishment of data standards and process improvements. This structure provides a forum for interoperability and cross-functional issues but the charters of the Board and Council do not include warfighter information systems.
Also, within DISA there is an ongoing initiative to establish a technical architectural framework of interoperability guidelines, interface specifications, and standards - such as data element definitions - which are beginning under the general auspices of the TAFIM.