«DEFENSE SCIENCE BOARD SUMMER STUDY TASK FORCE ON INFORMATION ARCHITECTURE FOR THE BATTLEFIELD DTlC OCTOBER 1994 S ELECTE APR I 0 1995' G i 95-01137 I ...»
DISA has recently published a second revision of the TAFIM and is in the review process now. It represents a preliminary, first-generation technical architectural framework
-38within which individual systems can be developed which will possess the attributes of interoperability and interconnectivity. Finally, current systems are designed based on requirements from the appropriate functional community, Service, or agency. Jointness is not a major driver, and developers arenot now required to comply with cross-functional and interoperability requirements.
The EIB/EIC structure is charged with responsibilities in the following areas:
o Information system technical requirements definition;
o Incorporation of legacy systems within information system modernization plans;
* Information system interoperability;
Definition of a technical architectural framework for DoD information systems; and o * Policies and procedures for implementing tnis framework.
The difficulties in the existing EIB/EIC structure include the following: warfighter information systems are not included in the current charter; and the warfighter input to these processes was not adequate. Therefore, the Task Force recommends that the DEPSECDEF augment this Enterprise Integration Board/Council structure to coordinate the integration of warfighter requirements and the technical architecture framework for warfighter information systems just as it does for functional component systems. This requires a change to the charter of the Board and Council.
-39Secondly, the Task Force recommends that the DEPSECDEF clarify that the Board's responsibility and authority include oversight and conflict resolution of interfaces, standards, interoperability, and cross-functional issues which are associated with information systems which must operate in a joint environment. Systems design, system architecture and development are not a part of this charter.
Third, the director, DISA, should review the TAFIM initiatives currently underway and ensure that they are brought to a satisfactory state of maturity to serve as part of an iterative process to evolve better interface standards and interoperability requirements.
Fourth, the JROC should include in its expanded processes the infusion of its validated joint warfighting requirements into the DoD-wide information architecture process. A Warfighter Information Requirements Architecture Framework, based on a yet-to-be-developed "Functional Architecture Framework for Information Management" (FAFIM) compatible with the TAFIM, should be developed and formalized. This Warfighter Information Requirements Framework should be used to develop the warfighter systems' technical requirements which will, in turn, provide integrated and joint requirements to systems developers.
Finally, the Battlefield Information Task Force recommended earlier in this presentation should be tasked to dynamically identify cost effective and timely actions for improving the reconfiguration, evolution, acquisition, test and fielding of warfighter information systems using the mechanisms described earlier. The BITF should provide ongoing input to the development of warfighter information requirements, architectures, and systems, and when necessary, support the Enterprise Integration Council in its oversight and conflict resolution roles.
The Task Force believes that these changes to the existing EB/EIC management structure will allow implementation of a dynamic process that will result in much improved interoperability of our warfighter information systems, and better exploitation of the leverage that those systems can potentially provide to our combat forces.
_Rapid Commercial Information Technology Evolution Must be Infused into 5.3 DoD Systems Figure 5-3 depicts the startling disparity in development cycles and life cycles associated with commercial information systems hardware and software contrasted with DoD weapon systems. The horizontal axis represents the duration of these cycles in elapsed time measured in years, on a logarithmic scale. Reading from the bottom up, one can note that typical commercial hardware and software development cycles for information systems range from a few months to a few years at most, and further, that typical life cycles for use of these same commercial systems ranges from a few months again to only a few years - certainly less than a decade. For most commercial hardware and software systems, after four to five years it is now cheaper to replace them than to repair their components, since one or more generations of hardware/software serving the same purpose with better capabilities have likely been fielded by that time.
In stark contrast, the typical DoD weapon system development cycle ranges from about seven to fifteen years - a decade or more. The lifetime for most of our DoD weapon systems is measured in decades. This is due in part to the fact that the technologies that
-40drive our weapons systems - airframe and propulsion technologies for military aircraft, for example - are evolving at a much slower pace, and acquisition and life cycles of these durations can accommodate them in most cases.
Figure 5-3 The challenge facing DoD is to take advantage of this very rapid evolution in commercial information technologies in order to achieve and sustain information dominance on the battlefield. For example, if a DoD weapon system life cycle is thirty years, six to ten generations of commercial hardware and software could be inserted into the weapon if DoD could make information system acquisition timelines as short as the commercial development cycles. In order to do this DoD must develop new acquisition processes to reconfigure, evolve, acquire, test, and field both embedded and stand-alone warfighter information systems at a rate that takes full advantage of these rapid, commercially driven, technology generational cycles.
The ongoing acquisition reform initiatives are crucial for information system dominance, but more is needed to allow DoD to buy commercial products ands services directly and to '"buy into" commercial acquisition practices.
5.4 Reform Warfighter Information Infrastructure Management
Figure 5-4 summarizes the specific actions that the DEPSECDEF must direct in order to accomplish the structural process improvements described previously. Briefly, the Enterprise Integration Council must be assigned the added responsibility to provide
-41oversight and conflict resolution for warfighter infoimztion systems. The warfighter must make a broader, more comprehensive and timely input to this entire process, and the Task Force proposes that the BITF be used to provide dynamic recommendations for improvements, and that the JROC and Joint Staff play art expanded role in the infusion of their requirements. The Task Force endorses the activities already underway in DISA to achieve a dynamic architectural framework for our joint warfighter information systems.
In order to take advantage of the significant opportunities and leverage which battlefield information systems can provide, the Task Force recommends that the Undersecretary of Defense for Acquisition and Technology undertake an initiative to identify and implement the unique aspects of the reconfiguration, evolution, acquisition, testing, and fielding processes that can be used to exploit the unique aspects of information systems. The Task Force recommends that this initiative draw upon the excellent work done in the recent acquisition process studies cited earlier, and recent information systems acquisition process successes such as the Mobile Subscriber Equipment; that the process take full account of the warfighters' views and perspectives; that DoD exploit the unique and rapid evolution in commercial information technologies; and finally, that DoD ensure adequate protection against potential vulnerabilities in evolving information systems.
These changes can be implemented almost immediately and the costs associated with this recommendation consist only of the opportunity costs of rationalizing the evolution of a system of interoperable information systems
While the Task Force found no breakthrough R&D efforts, it is dlear that since potential adversaries have access to the same moderm information systems technologies as the United States, leveraging of commercial technology through unique military valueadded- exploitation and investment in defense-peculiar needs will be critical to attaining and maintaining information dominance of the battlefield. In that light, as is indicated in Figure 6-1, two special needs of military information systems relate to enhanced reconfigurability and information and information systems protection. Commercial systems are designed to work in relatively static locat.ions, with predictable communications and repeatable infoa rrtion sielitary needs. r y to g sca erstr re and aise to make a system designed under these assumptions acceptable. While the commercial world has security concerns, most are focused on protecting access to information. The military has this concern plus the possibility for network disruption. In addition, the mobilization of military systems complicates the ability to authenticate users and their uses of systems.
There are three factors that should differentiate U.S. military information systems from those of a capable adversary: sensors, ability to reconfigure under stress, and ability to conduct information warfare. When coupled with advanced U.S. simulation capability, the warfighter can develop and tune the skills and techniques necessary to establish and
Information and Information Systems Protection 6.2 The DoDgs reliance on increasingly sophisticated information systems provides numerous opportunities for penetration and disruption by both sophisticated and unsophisticated adversaries. Currently, data security can be costly and a major constraint on timely information flow to the user. Consequently, low cost ways must be found to implement security so that it does not limit the value that can be provided by the information system.
Two recommendations are made. First, DoD should harmonize its current practices with the recommendations of the Joint Security Task Force and the recommendations made in the R&D for the NIl: Technical Challenges report. Second, DoD should field
-46available security components and make further investments in several specific technologies that are critical to support DoD's information and information systems protection needs, which at a minimum must provide for the development of capabilities and tools for protection against attack, detection of attacks, and the ability to react to attacks.
These technologies fall into three broad categories: enterprise security, network security, and data security. Each of these described in turn below.
Figure 6-3 Enterprise Security. It is important to preserve the security needs of the enterprise while maintaining a flexible information system that supports the needs of the warrior.
An appropriate strategy of risk management is needed which provides protection for secret to unclassified information, based on COTS and government-off-the-shelf (GOTS) products being assumed to be adequate protectors unless shown otherwise. Technologies
needed to support enterprise security are:
"* Automated classification downgrading procedures: Programs such as Radiant Mercury provide an automated way to downgrade certain information for distribution. These tools should be expanded to cover broadcast systems and be made available as network tools.
"• Tools for risk management: Tradeoffs between the need for information protection and the benefits of broad information distribution systems are inevitable. Tools for risk assessment and management are needed to make these tradeoffs in relevant manners.
"* Component level authorization, authentication and access control: Techniques are needed to authenticate components, verify that they are acting functionally as they are authorized, and control their access to the information system.
-47Information systems depend heavily on telecommunications Network Secutri.
Few technologies exist to assess these networks with significant vulnerabilities.
vulnerabilities or to cope with catastrophic failures to the networks. Technologies needed
to support network security are:
" Vulnerability models and metrics: Networks have many sources of vulnerability and users need models, metrics and tools to assess these vulnerabilities. These models and tools should build on experiences with actual attacks.
" Failure detection, containment, and recovery procedures: Simple systems failures (power grid and the telephone system) and overt attacks (Internet worm) have lead to catastrophic failures in our infrastnrcture. Research is needed to develop methods to detect, isolate and contain the impact of failures within or attacks on our infrastructure.
" Infrastructure protection: To protect the integrity of the infrastructure, security measures such as configuration control and prevention of unauthorized modification, tamper-proof routing protocols, protection against denial of service, protection of switches and communications circuits, and protection against unauthorized traffic analysis are needed.
Data un±. Data security requires that data be protected from unintended disclosure while maintaining full confidence that the data has not been compromised.
Technologies needed to support data security are:
"* Classification management for data objects: Techniques are needed to ensure that data maintains the appropriate security classification even when processed, fused or extracted from other sources.
"* Data integrity: Techniques are needed to provide information about one's data to help establish the data's integrity, including pedigree, currency and confidence levels.
" Contamination recovery procedures: Data may be compromised because of system failure, tampering or through the use of inaccurate or incomplete data. Techniques
-are needed to allow the syste-n to recognize and isolate contaminated data items and recover from data contamination.