Chief Information Assurance Officer
Defense Intelligence Agency
Department of Defense
Subcommittee on Government
Information, and Technology
July 26, 2000
Cyber Attacks - War without Borders
Thank you, Mr. Chairman and members
of the Subcommittee. I am honored to be here and pleased to have this
opportunity to speak on the issue of cyber threat and response.
I am the Chief Information Assurance
Officer for the Defense Intelligence Agency (DIA). I manage the Information
Assurance Program of the Defense Military Intelligence Community, a function
of our Agency's Chief Information Officer. I have been involved with this
program for approximately eight years and have gained practical insight
regarding the cyber security response in the new world of the Information
Age. I will be presenting what DIA views as issues and challenges for
information assurance of our global information infrastructure.
The Defense Military Intelligence
Community is comprised of the intelligence organizations within the Services
and Commands. These organizations are global in mission and interact as
a single community in which DIA has lead role for military intelligence
production. This community is also a member of the National Intelligence
Role of Information Technology
Defense intelligence uses information
technology as an integral tool to perform our intelligence mission of
collection, analysis, production, and dissemination. We operate in a globally
interconnected and interdependent series of networks with high-speed links
providing real time data, video, and voice capabilities. This network
infrastructure is secured from end to end and transmits sensitive intelligence
information to our senior decision-makers, operational forces, and affiliates.
The employment of Information Technology has been a key enabler to our
success and has provided a tremendous return on our investment, but not
without taking on a proportional risk to the security of our information
Because of our intelligence mission
and the inherent sensitivity of our work, we were at one time protected
simply through maintaining network isolation and separation from the rest
of the world and sometimes even within our own Intelligence Community.
Such an isolated mode of operation completely changed with the introduction
and subsequent invasion of networked computers at virtually every level
of our intelligence business. The new interdependent environment has brought
about both opportunities and risks to our information infrastructure.
This means our response to computer threats is now very different from
the traditional approach given that a single attack can potentially affect
an entire information infrastructure. Today's technological dimension
not only requires a coordinated response but also necessitates active
defense, meaning offensive actions must be taken to preempt cyber attacks.
Information Assurance is the function
of protecting and defending information and information systems by ensuring
their availability, integrity, authentication, confidentiality, and non-repudiation.
This includes providing for restoration of information systems by incorporating
protection, detection, and reaction capabilities. More than ever before
our Information Assurance business is essential as we contend with unsurpassed
challenges (threats as well as opportunities) to our information infrastructure.
Given the risks and the fact that
weakness in any portion of our network is a threat to the operational
readiness of all connections, our Information Assurance goal is to ensure
the continuous availability of our systems and networks. The technical
strategy that underlies our Information Assurance program is Defense-in-Depth
in which layers of defense are used to achieve balanced, overall protection.
Defense-in-Depth maximizes our ability to protect information and defend
our network infrastructure through the implementation of layers of security
solutions. The security layers are a combination of technical (hardware
and software) capability, policy, and operations. Our overall strategy
for Information Assurance is to achieve enterprise-wide infrastructure
protection, with our defense layers guaranteeing delivery of accurate,
reliable, and timely information.
Opportunities and Threats
The last several world crises demonstrated
our extraordinary reliance on the information infrastructure. Defense
intelligence relies on global networks to support deployed forces involved
in current crises, as well as pre- and post-operations. In providing vital
information to the warfighting units, the information network has become
a combat power. However, our reliance on the network and system strength
can become a point of vulnerability. Consistent and well-defined Information
Assurance objectives are key to defending the network infrastructure and
ensuring our ability to successfully conduct military operations.
We are challenged because the environment
is constantly changing as a result of threats. System and network vulnerabilities
are continuously discovered on the Internet and these same vulnerabilities
can be used to exploit our information networks. Although intelligence
systems operate in a secure environment, they are comprised primarily
of the same commercial-off-the-shelf products used in unclassified environments,
and are subject to the same vulnerabilities.
Another significant threat area
is that of the insider. An insider is anyone who currently has, or has
in the past had, authorized access to a government information system.
These can be military members, federal employees, or employees of the
private sector. In a recent example, an investigation concluded that the
insider threat accounted for 87% of identified intrusions into Department
of Defense information systems. This is truly alarming. It is a concern
for all government organizations and it requires immediate preventive
actions for mitigating the threat. These measures include strengthening
personnel security, detection and response to problems, and protecting
There are a number of information
assurance activities that will continue to be challenging in the dynamic
world of technology and cyber security response. By concentrating on a
few basic tactics we can, however, make progress in implementing effective
short-term proactive measures to protect the infrastructure. These priority
security measures address the immediate threats we face today. The Defense
Intelligence Community is concentrating its resources on five defensive
areas as part of our efforts to institute a comprehensive and effective
Risk Management as a Business
Process: A critical factor is our ability to identify and mitigate
risks to our information infrastructure. Herein lies the role of
risk management for aiding us in understanding infrastructure vulnerabilities
and making important decisions as to what is or is not an acceptable
security posture. Risk management is integral to the information
technology cycle and must be incorporated as a business process.
People Focus: The
most important element of our Information Assurance program is the
human factor. Personnel -- both users and information technology
professionals -- are the first and most important line of defense.
Information Assurance professionals responsible for security management
must be trained and certified with a prerequisite level of skills
and competencies. While we can implement sophisticated security
technology, without trained professionals who understand the technology,
even our best security defenses will not be effective.
Mitigate Insider Threat:
Minimizing the potential damage by an insider requires specific
strategies that are part of an active security program. This includes
identifying critical information, establishing trustworthiness,
strengthening personnel security, detecting insiders, and taking
Implement Intrusion Detection
Systems: Implementing intrusion detection systems provides attack
sensing and helps preempt serious incidents. However, intrusion detection
technology has not yet advanced to the stage of detecting and responding
to a sophisticated, organized attack[er]. Additionally, there are
challenges in supporting the operations of intrusion detection systems
since they require a skilled individual who can quickly and accurately
distinguish an anomaly from an attack.
Vulnerabilities and Exploits
Awareness: We are faced daily with new vulnerabilities to our
systems and networks. Many of these vulnerabilities are exceptionally
dangerous and cause significant concern. To further challenge us
many of these exploits are publicly discovered and globally distributed
via the Internet. Our response is to be diligently aware of vulnerabilities
via public and private security advisories and take offensive action
to mitigate potential exploits.
Technology has brought us to the
point where global interconnections of the information infrastructure
are a permanent and irreversible business aspect. This reality incorporates
threats for all infrastructures. Hence the realization of shared risk.
Effectively addressing the threats and vulnerabilities to systems and
networks requires a constant level of sensitivity and awareness to computer
attacks, exploitation techniques, and coordinated response.
There are several obstacles in coordinating
a response. These include conflicting protection policies as well as authorities
of the information infrastructure. At the least, this makes execution
of defensive actions difficult. The "worldwide" nature of threats
-- attacks from anywhere at anytime -- is also a reality. Not only are
these attacks difficult to detect but, more importantly, they present
an attribution problem when sophisticated attackers are involved. Additionally,
our reliance on commercial-off-the-shelf products places our infrastructure
at risk because much of the vendor software contains publicly known [exploits]
that are then used against us. Finally, the interconnected world that
provides valuable information sharing capabilities also presents the means
for conducting large-scale attacks with tremendous speed.
Improving coordinated responses
between the private and public sectors is essential since both are stakeholders
of the national, critical infrastructures. These are the same infrastructures
that are vulnerable to the same threats mutually faced by all today. To
succeed in protecting our information networks, both the private and public
sectors must work together and coordinate efforts in planning and responding
to the constant challenge of information protection.
Recognizing the need for coordinated
response, the Department of Defense has stepped out aggressively to address
a global, computer network defense. The United States Space Command and
its Joint Task Force for Computer Network Defense (JTF-CND) was established
with the primary mission for coordinating such responses. JTF-CND's mission
is to coordinate and direct the defense of Department of Defense computer
systems and networks. This includes the coordination of defensive actions
with non-Department of Defense government agencies and appropriate private
Response to computer security threats
is indeed a challenge and should not be misconstrued as a one-time issue.
Hence, we must commit to the information assurance mission with constant
vigilance in protecting the information infrastructure. This demands skilled
people and crucial security technology for defending our global systems
and networks. For maximum results our defensive efforts must be comprehensive
in nature and include coordinated strategies between the private and public
The business of information infrastructure
protection is a never-ending journey. We have attained several goals for
improving our ability to defend the network but there is much that remains
to be achieved. The challenge is continuous, incorporating the dynamics
of technology and the global magnitude of the infrastructure. This perpetual
challenge is best characterized as a business of risk management balanced
against threats, vulnerabilities, and ultimately the return on our investment.