CHAPTER 8. INFORMATION SYSTEMS SECURITY

Information systems security is the discipline that protects the confidentiality, integrity and availability of classified and unclassified information created, processed, stored and communicated on computers and networks. The Commission believes it is imperative that the Defense and Intelligence Communities focus more attention on information systems security. It is, together with personnel security, one of the two security disciplines for which the Commission believes more attention is needed and recommends additional requirements that will increase costs.

The United States is increasingly dependent on information systems and networks. Information systems control the basic functions of the nation's infrastructure, including the air traffic control system, power distribution and utilities, the phone system, stock exchanges, the Federal Reserve monetary transfer system, credit and medical records, and a host of other services and activities. The world of the future, within which our security policies and procedures must succeed, will undoubtedly be characterized by even more widespread use of computers, systems, and networks. It is already apparent that increased connectivity leads to significant improvements in productivity, improvements that are necessary if our society is to prosper and we are to continue to lead the world's family of nations in economic, political, and military strength. Initiatives like the National Information Infrastructure (NII), intended to be an "information superhighway" for our nation's commerce and government, are based on this emerging reality. The Defense and Intelligence Communities share this imperative to connect, both within and between the communities and to the NII.
The Department of Defense already depends upon computers and communications networks in performing every aspect of its complex missions, from command and control, to acquisition of weapons systems, to managing and paying for the worldwide activities of the department. This dependence will certainly increase. The DoD envisions a worldwide, seamless web of computers and networks, the Defense Information Infrastructure (DII), operating as a utility in support of the Department's warfighting, intelligence, and business functions. The CIA and other intelligence agencies are increasingly tying together internal systems and are beginning to reach for connections beyond their walls. The increased productivity that flows from such connectivity is essential to success in this era of declining resources. Intelligence is, after all, information and must flow in a form and at rates useful to those who need it. The Commission believes that those who steadfastly resist connectivity will be perceived as unresponsive and will ultimately be considered as offering little value to their customers.

There is no doubt that increased connectivity creates greater vulnerability. Electronic access to vast amounts of data and critical infrastructure control is now possible from almost anywhere in the world. Networks are so complex and so widespread that the identity of everyone with access to the networks to which our systems are connected can no longer be known with any assurance. Moreover, although our classified data is obviously of great interest to our enemies, our communities depend on extensive data bases of unclassified information that, if destroyed or damaged, would cost billions to rebuild and could affect our ability to deploy and operate a flexible, capable force.
Protecting information transactions within the subinfrastructure or network enclaves controlled by the DoD and the Intelligence Community requires an approach to security in which information systems security is seen as part of a balanced mix that also includes personnel security, physical security and other security procedures. Protecting information transfers between our enclaves and the rest of the infrastructure, where we cannot count on other types of security, requires a more stringent form of information systems security.

In addressing these issues, the Commission examined current threat information as well as policies and procedures now in place to protect against such threats. The Commission found our policies outdated, our strategies for obtaining necessary information systems security technology ineffective, and our general readiness in terms of awareness and training inadequate.

The Threat to Information and Information Systems

Thirty years ago, computer systems presented relatively simple security challenges. They were expensive, isolated in environmentally controlled facilities, and their use was an arcane art understood by few. Consequently, protecting them was relatively easy, a matter of controlling access to the computer room and clearing the small number of specialists who needed such access. As these systems evolved, their connectivity was extended, first by remote terminals and eventually by local and wide-area networks. As size and price came down, microprocessors began to appear in the workplace, in homes, and eventually on the battlefield and embedded in weapon systems. What was once a collection of separate systems is now best understood as a single, multifaceted information infrastructure operated as a utility.
To cope with this new reality, our paradigm for managing information security must also shift: from developing security for each individual application, system, and network to developing security for subscribers within the worldwide utility, and from protecting the isolated systems we own to protecting systems that are connected and depend upon an infrastructure we neither own nor control.

Despite the enormous impact that could result from the compromise or destruction of our information systems, the Commission believes that there is little public understanding of the threat or of the consequences of attacks on our systems. One high-level official suggested that until there is a major information systems catastrophe, appreciation of the need for information systems security will remain weak.

Attacks against information systems are becoming more aggressive, not only seeking access to confidential information, but also stealing and degrading service and destroying data. The well-publicized Michelangelo virus destroyed the information and applications software on the hard disks of the unwary. In another example, a small program appeared on computers connected to the Internet. This program made copies of itself and sent the copies along to other computers on the network. The copies made copies in turn and sent them along, and the copies' copies made copies, and so on. In short order the network was so busy creating and sending copies of the program that it couldn't do anything else. Some of the computers were down for most of the following week, and the business enterprises, academicians, and government and private users were unable to use their computers for processing or to communicate among themselves.

Networks are already recognized as a battlefield of the future. Information weapons will attack and defend at electronic speeds using strategies and tactics yet to be perfected.
This technology is capable of deciding the outcomes of geopolitical crises without the firing of a single weapon. Our security policies and processes must protect our ability to conduct such infowars while denying our enemies that same advantage.

If, instead of attacking our military systems and data bases, an enemy attacked our unprotected civilian infrastructure, the economic and other results could be disastrous. Over 95 percent of Defense and Intelligence Community voice and data traffic uses the public phone system. The economic consequences alone of a successful attack on the phone system or the National Information Infrastructure would be significant. The nine-hour failure of the AT&T public switch network in 1990, although the result of a reliability failure and not a planned attack, demonstrated how vulnerable we are. Of the 138 million long-distance and 800-number calls attempted, some 70 million were rejected by the faulty system. Many of those calls were business calls, and the failure to connect cost those businesses directly due to orders not being placed and operations being delayed or halted altogether. There were indirect costs as well due to decreased efficiency and productivity. Airlines, hotels, and car rental companies lost reservations. Phoned catalog orders were not placed. Service companies could not support their customers.

The threat to our information and information systems is increasingly sophisticated, and comes from both insiders and outsiders. While improving the personnel security methods used to ascertain the trustworthiness of our people will reduce the insider threat, personnel security measures alone cannot be relied on to protect our information and information systems. Foreign intelligence services, including those of some of our "allies," are known to target US information systems and technologies, using techniques that can give them access to our information without ever coming into our work spaces or approaching our people.
Some trends and specific incidents help indicate the scope of the information systems security challenge:

o Computer viruses are growing more common and more dangerous, and may be virtually undetectable by conventional antiviral software. Trojan horses, logic bombs and other malicious software are appearing on our systems, and require improved countermeasures and careful security procedures to defeat.

o Over 4,000 hacker attacks, ranging from attempted password cracking to trying to obtain control of the system, were detected on one government system during a single three-month period. Some hackers advertise their services for seeking any information, including classified or sensitive information.

o Eighty-five percent of computer crime is committed by insiders with validated access to the systems and networks they abuse. Before being fired from a private firm, a disgruntled employee left a logic bomb in the company's personnel system that destroyed all personnel records. Careless insiders, ignoring security procedures, have inadvertently inserted viruses into DoD and Intelligence Community information systems.

o Increasingly cheaper and more powerful commercially available electronics put signals intelligence intercept and processing capabilities within the reach of the smallest countries and even drug traffickers. Targeting by signals intelligence of facsimile and data communications on land-based and satellite systems gives eavesdroppers access to international communications of US businesses, personal telephone calls of US troops stationed overseas, computer passwords, and other data.

Dated Policies

The Commission found a number of problems hindering the effectiveness of information systems security.
Problems include ineffectual and conflicting policies, failed strategies for obtaining the necessary computer security technology, poor mechanisms for obtaining timely threat information, inherent systems vulnerabilities, lack of effective audit data reduction techniques, and accreditation processes that are far too slow. The Commission also believes that there is a need to improve the quality and number of information systems security professionals and to increase training and awareness programs for management and non-security personnel.

The policies and standards upon which the Defense and Intelligence Communities base information systems security services were developed when computers were physically and electronically isolated. As a result, policies and standards:

o Are not suitable for the networked world of today, having been based on stand-alone architectures where the security requirements imposed on one system had little or no impact on the security for another system.

o Were developed based on a philosophy of complete risk avoidance and so do not deal effectively with information systems security as part of a balanced mix of security countermeasures in protecting the confidentiality, integrity or availability of our information assets.

o Do not provide the flexibility needed to address the wide variations among systems in use today and planned for tomorrow.

o Do not differentiate between the security countermeasures needed within and among protected network enclaves and those needed when information must travel to and from less protected or unprotected parts of the infrastructure.

o Are only beginning to combine computer science and public key cryptography effectively to protect information.

o Are not capable of responding in a timely manner to dynamically evolving information technology.

The Commission also found a profusion of policy formulation authorities, all of whom are addressing essentially the same issues.
The Community Counterintelligence and Security Countermeasures Office (CCISCMO) is responsible to the Director of Central Intelligence for information systems security policy and standards for the Intelligence Community. The DoD intelligence organizations must follow CCISCMO security policies, and all of the DoD must follow the security regulations promulgated by its chains of command up through the Office of the Secretary of Defense (OSD). The National Security Telecommunications and Information Systems Security Committee (NSTISSC) creates policies that overlap those of both the OSD and the CCISCMO with regard to national security information and extends its policy authority to other government departments and agencies not covered by DoD or DCI policies. The Office of Management and Budget casts its policies over all information systems security activities that expend tax dollars. The National Institute of Standards and Technology (NIST) is responsible for creating standards for the protection of unclassified but sensitive information. A result of these numerous policy authorities has been policies that, although similar, differ sufficiently to create inefficiencies and to cause implementation problems when organizations must coordinate their security protocols and procedures in order to interconnect.

Failed Strategies

In addition to dated policies and inadequate standards, the strategy for developing computer security software, hardware and other security technologies has not served us well. This strategy has been to encourage the private sector to design, develop, and manufacture products at their own expense. In return, the government promised that it would require these products to be used in the systems and networks it acquired. However, the government did not follow through and buy these products when they became available.
One reason is that the products suffered long delays awaiting government approval and were consequently obsolete before being approved for use. In addition, these products are often too expensive and lack functionality comparable to state-of-the-art, nonsecure commercially available products. As a result, too few computer security products are available today and even fewer are in use.

These problems with obtaining commercial computer security products have been exacerbated by the government's failure to control and coordinate its own R&D programs. With each agency free to pursue its own R&D initiatives, some attractive lines of research have been neglected while there have been duplications of effort and products produced that are not readily interoperable with other computer security products. Moreover, research has been focused almost exclusively on providing protection to classified information and systems, to the detriment of protecting unclassified information and our infrastructure assets.

The New Information Systems Security Reality

To meet the security needs of connected information systems using an infrastructure not completely under our control, the Commission believes that there is a need for new information systems security policies and standards, new strategies for obtaining products, a more focused R&D program, and a better understanding of information security threats and vulnerabilities. Security requirements for evolving Defense and Intelligence Community information systems include:

o Providing the ability to securely pass classified information over public or open communication links or networks to authorized users.

o Resisting computer viruses and other malicious software, detecting and controlling penetration of networks, systems, applications and data bases by hackers, and surviving full-scale infowar attacks.

o Ensuring the authenticity of electronic messages and preventing repudiation of their receipt.
o Keeping confidentiality and integrity of medical files, payroll records, and other sensitive but unclassified information.

o Protecting the privacy of personnel files and investigative dossiers as required by law.

o Providing confidentiality of the identities of personnel in sensitive assignments.

o Ensuring integrity in electronic payments to vendors and contractors.

o Ensuring the components of the information infrastructure are designed for the rapid detection of malicious activities and for the ready restoration of required services.

o Effectively managing and controlling access to information at any protection level on a global basis.

Information Systems Security Policy for Tomorrow

The Commission believes that information systems security policy must better address current and future electronic environments. The network architecture of the future will comprise a seamless global web of unsecured electronic highways linked together to provide a common infrastructure operated as a utility. Subscribers will be a heterogeneous group of individuals and organizations tied into the network to communicate with each other and to obtain various services offered by some portion of the network. The Department of Defense and the Intelligence Community also will be subscribers, and their networks will be subnets or "enclaves" within the larger infrastructure. Subscribers will use common standards in supplying and obtaining services, although security standards may vary from enclave to enclave. But security standards must permit subscribers to benefit from authorized connectivity and services provided by the infrastructure and other authorized subscribers.

The new policies must be network oriented, recognizing the need for coordination and cooperation between separate organizations and enclaves connected via the infrastructure. Policies must be sufficiently flexible to cover a wide range of systems and equipment.
They must take into account threat, both from the insider and the outsider, and espouse a risk management philosophy in making security decisions. And given the knowledge that unclassified information can be just as important as, and is even more vulnerable than, classified information, the new policies, strategies and standards must also ensure its protection. Information that has no requirement for confidentiality may still require protection to ensure that it is not illicitly modified or destroyed and is available when needed.

To alleviate the overlap, redundancy, and conflicts inherent in the existing policy formulation process, responsibility for generating the new policy must be given to a centralized security executive policy committee that represents both the Department of Defense and the Intelligence Community. Furthermore, in developing the new policy, representatives from outside these communities may need to be included to assure that a governmentwide perspective will be used.

Recommendation 64

The Commission recommends that policy formulation for information systems security be consolidated under a joint DoD/DCI security executive committee, and that the committee oversee development of a coherent network-oriented information systems security policy for the Department of Defense and the Intelligence Community that also could serve the entire government.

The Investment Strategy for Information Systems Security

A coherent set of policies is of no use if effective information systems security products are not available and programs cannot be implemented that use them. Given the problems with the current strategies and programs, the Commission recommends a new approach based on a well-considered investment strategy that includes a more focused R&D program. It must obtain and use threat and vulnerability information in managing risk.
And finally, it must result in a more robust, efficient, and responsive program for applying and managing information systems security in our systems and networks.

A new investment strategy is needed to ensure that products are available that will ensure the availability and integrity of both classified and unclassified data. Within an information systems enclave, security officials can rely on physical security to deny access to unauthorized users, personnel security to provide some assurance that those who do have access are trustworthy, and procedural security to manage access to and use of their subnets. However, protection against the outsider threat where the enclave connects to the outside infrastructure may require more stringent levels of protection. There must be assurance that, as information enters and leaves the enclave, highly protected data does not cross the boundary to lesser cleared subscribers and that information can flow into the enclave from the outside infrastructure without permitting access to unauthorized users or the introduction of malicious software. The new strategy also must identify capabilities and products that are needed to permit implementation of systems and networks providing various degrees of protection.

Many in the private sector currently rely on insurance to protect against losses to hackers, criminals, and malicious software. The Commission expects that increased awareness of the economic risks inherent in connecting to or exchanging data with the information infrastructure will lead to an understanding that it is cheaper to protect information assets and information systems with technology than with insurance. This will, in turn, encourage the development of secure products by the private sector.
Widespread use of such products will bring the cost down, permitting security to be used as a marketing discriminator, as consumers will prefer secure products to those without security so long as the difference in price is not great. This process should result in the ready availability of affordable commercial off-the-shelf information systems and networks offering moderate levels of security assurance. However, the private sector is not expected to commercially develop those security products with the very high levels of assurance essential to some government systems and networks. Accordingly, the new investment strategy must provide for allocation of government funding to promote the development of high assurance products.

Computer security exists today that is deemed sufficient to permit connectivity within secure enclaves, as is the case at the CIA and the NSA. However, these same security countermeasures may not be considered sufficient when outside connections are established. Worse, interconnecting two secure enclaves that use different protection features may result in the failure of the security of both enclaves. Technology that would control information transfers across enclave borders is on the drawing boards and in the labs, but has not yet matured to a point where it can be used to protect connections between enclaves responsible for highly sensitive data and the unprotected infrastructure. Providing such technology at the earliest possible date must be a high priority for the new investment strategy.

Adequate funding for information systems security is essential. In keeping with the understanding that the information infrastructure is an essential element of the national security structure, funds must be provided for the development of the technology needed to secure the infrastructure, both within secure enclaves and across the networks.
Moreover, sufficient funding must be included in the agencies' and departments' budgets to ensure that program managers can buy computers, systems and networks that provide the security needed to protect the confidentiality, integrity and availability of information assets and information systems.

For the Department of Defense, the information infrastructure will be managed by the Defense Information Systems Agency (DISA), which must develop system and network security management capabilities as well as audit and alarm capabilities. The DISA is ideally situated to perform these functions and has created the Center for Information Systems Security to ensure the successful performance of its security responsibilities. The Center, although newly formed, has been doing an excellent job to date. Any necessary high assurance technology for securing information and information systems will be provided by the NSA.

In reviewing the best practices of government and industry, the Commission finds that an investment strategy that allocates five to ten percent of the total cost of developing and operating information systems and networks is appropriate and needed to ensure that those systems and networks are available when needed and safe to use. Smaller investments are inadequate to achieve acceptable levels of risk. Larger investments are unrealistic given the expected budgetary environment facing our communities.

Recommendation 65

The Commission recommends that the Secretary of Defense and the Director of Central Intelligence develop an information systems security investment strategy including an emphasis on commercial production of computer security components at affordable costs. The goal should be to use 5 to 10 percent of the costs of infrastructure development and operations to ensure availability and the confidentiality and integrity of our information assets.
Research and Development-A Need to Consolidate

As part of implementing the new information systems security strategy, a carefully planned and well-managed research and development program is required. Information systems technology is evolving much faster than information systems security technology. The Defense and Intelligence Communities must reassess, refocus and adequately fund our information systems security research and development efforts to design and develop the highly technical products needed if our countermeasures are to provide sufficient defense to responsibly manage the risk to our information systems.

However, the Commission has observed that there is no communitywide focal point for information systems security research and development. Each agency implements the R&D activities needed for its own mission and, as a result, there have been both duplication of effort and products made that are of very limited use. In addition, research in the DoD and Intelligence Communities has been focused almost exclusively on providing solutions to protection of classified assets. As discussed earlier, the threats are changing, and targets in the future may well be found in the country's unclassified infrastructure: power grid controls, transportation systems, the public switched networks, stock exchanges, and the Federal Reserve monetary transfer system. A new emphasis on developing solutions for threats to the unclassified infrastructure also is needed.

The Commission believes that a community-wide mechanism to determine priorities for information systems security research and development of products is needed as part of the information systems security investment strategy.

Recommendation 66

The Commission recommends that:

a) Research and development programs be given high priority in creating the secure products which the DoD and the Intelligence Community need for protection of their classified and unclassified information networks and systems.
b) The Secretary of Defense and the Director of Central Intelligence assign the NSA as the executive agent for information systems security research and development for both classified and unclassified information for the Department of Defense and the Intelligence Community.

Infrastructure Security Management

Like other aspects of information systems security, the processes used to assess the security of our computers, systems and networks must evolve. With stand-alone systems, individual organizations not only own the information that is created, stored, and processed on their systems, they also own the systems themselves. In connected environments, information, resources, and processes are shared. Our methods for assessing the security of and deciding acceptable levels of risk must change. The existing processes are so slow that products and systems are frequently obsolete before we are satisfied that they are safe to use.

Infrastructure security managers must be able to detect when their networks and connected systems are under attack and respond appropriately. If necessary, it must be possible to perform triage and sever infected portions of the network or systems to save unaffected portions of the infrastructure. Hygiene measures must be implemented to prevent problems. Automated tools and security management workstations must be developed and implemented within our networks. We must accommodate technology life cycles and provide for variations in the degrees of assurance required for differing applications and missions. Automated tools that support security administration (such as automatic monitoring and malicious code detection and eradication) and management are badly needed and must be developed as part of the new strategy. Our standards and processes should be compatible with international standards, processes and protocols that influence the technical design of the worldwide telecomputing infrastructure upon which our nation increasingly depends.
Auditing Infrastructure Utilization

Even though we place a high degree of reliance on the trustworthiness of cleared personnel given access to our systems, we must still be able to determine if any portions of the infrastructure are being abused, either by insiders or outsiders. This determination can be made by recording and analyzing the information and control transactions that take place on the system, a process called auditing or, if conducted in real time, monitoring. Through auditing and monitoring, one can establish normal operating patterns, characterize trends, detect aberrations, and identify unusual activities. If insiders or outsiders are attempting to obtain, alter, or delete information to which they are not entitled, make unauthorized connections to the networks, or penetrate computer systems or applications, auditing and monitoring provide a means to detect their activities.

However, despite the importance of auditing and monitoring, the Defense and Intelligence Communities currently are unable to conduct these activities effectively and efficiently. Too much data in too many forms is being collected. One hour of collected audit data requires an average of six hours of analysis for adequate review. Nor are audit capabilities user friendly. All too often audit records are left unopened or the audit capabilities are never activated.

To increase our ability to detect unauthorized activity, the Defense and Intelligence Communities must develop common auditing and monitoring record formats and automated tools to assist in the reduction and analysis of these records. A focal point is needed for this activity. The DISA is the logical choice for executive agent. As the network manager for the DII, the DISA is already involved in the identification of requirements and the development and use of automated security analysis systems for networks.
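The common record format and audit reduction described above, illustrated as an added example that is not from the Commission's report: two constructed log formats (a host login log and a network gateway log) are normalized into one record shape and then reduced to a short list of aberrations, so an analyst reviews a few findings instead of every raw event. Field names, host names, thresholds and sample lines are assumptions chosen for illustration.

```python
"""Audit-record normalization and reduction (added example, not the report's).

Two constructed audit sources in different formats are normalized into one
common record, routine successes are collapsed into counts, and only three
kinds of aberration are surfaced: a burst of failures against one target, a
peer probing many denied targets, and successful off-hours activity by a
principal not on the routine list. All names and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class AuditRecord:
    ts: datetime
    source: str      # which system produced the record
    principal: str   # user or network peer acting
    action: str      # login, read, connect-in, ...
    target: str      # object or port acted upon
    outcome: str     # "ok" or "fail"

# Constructed host-login records in key=value form (illustrative data).
HOST_LOG = """\
ts=1994-03-01T09:02:11 user=jsmith action=login host=payroll1 result=ok
ts=1994-03-01T09:05:40 user=jsmith action=read host=payroll1 obj=/pay/q1 result=ok
ts=1994-03-01T02:14:03 user=svc_bkup action=login host=payroll1 result=ok
ts=1994-03-01T02:14:09 user=svc_bkup action=read host=payroll1 obj=/pay/q1 result=ok
ts=1994-03-01T23:41:12 user=jdoe action=login host=payroll1 result=fail
ts=1994-03-01T23:41:15 user=jdoe action=login host=payroll1 result=fail
ts=1994-03-01T23:41:19 user=jdoe action=login host=payroll1 result=fail
ts=1994-03-01T23:41:22 user=jdoe action=login host=payroll1 result=fail
ts=1994-03-01T23:41:30 user=jdoe action=login host=payroll1 result=ok
ts=1994-03-01T23:42:01 user=jdoe action=read host=payroll1 obj=/pay/q1 result=ok
"""

# Constructed gateway records: time,peer,direction,port,verdict (illustrative).
GATEWAY_LOG = """\
1994-03-01T09:00:02,10.1.1.7,in,23,accept
1994-03-01T09:00:05,10.1.1.7,in,23,accept
1994-03-01T10:30:44,192.0.2.9,in,23,deny
1994-03-01T10:30:45,192.0.2.9,in,21,deny
1994-03-01T10:30:46,192.0.2.9,in,25,deny
1994-03-01T10:30:47,192.0.2.9,in,80,deny
1994-03-01T10:30:48,192.0.2.9,in,110,deny
1994-03-01T10:30:49,192.0.2.9,in,111,deny
"""

_KV = re.compile(r"(\w+)=(\S+)")

def parse_host_log(text: str) -> List[AuditRecord]:
    """Normalize key=value host records into the common record shape."""
    out = []
    for line in text.splitlines():
        f = dict(_KV.findall(line))
        if not f:
            continue
        out.append(AuditRecord(ts=datetime.fromisoformat(f["ts"]),
                               source="host:" + f["host"], principal=f["user"],
                               action=f["action"], target=f.get("obj", f["host"]),
                               outcome=f["result"]))
    return out

def parse_gateway_log(text: str) -> List[AuditRecord]:
    """Normalize comma-separated gateway records into the common shape."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, peer, direction, port, verdict = line.split(",")
        out.append(AuditRecord(ts=datetime.fromisoformat(t), source="gateway",
                               principal=peer, action="connect-" + direction,
                               target="port/" + port,
                               outcome="ok" if verdict == "accept" else "fail"))
    return out

@dataclass(frozen=True)
class Baseline:
    """Assumed normal operating pattern used to judge aberrations."""
    work_hours: range = range(7, 19)                          # 07:00 to 18:59
    fail_burst: int = 3                                       # failures on one target
    scan_targets: int = 5                                     # distinct denied targets
    routine_principals: frozenset = frozenset({"svc_bkup"})   # allowed off-hours

Finding = Tuple[str, str, str]   # (kind, principal, source)

def reduce_audit(records: Iterable[AuditRecord],
                 base: Optional[Baseline] = None) -> Dict[str, object]:
    """Collapse routine events into counts and return only the aberrations."""
    base = base or Baseline()
    records = sorted(records, key=lambda r: r.ts)
    routine: Counter = Counter()
    fails: Counter = Counter()
    fail_targets = defaultdict(set)
    off_hours = set()
    for r in records:
        key = (r.source, r.principal)
        if r.outcome == "fail":
            fails[key] += 1
            fail_targets[key].add(r.target)
            continue
        routine[(r.source, r.action)] += 1
        if r.ts.hour not in base.work_hours and r.principal not in base.routine_principals:
            off_hours.add(key)
    findings: List[Finding] = []
    for (src, who), n in fails.items():
        if n >= base.fail_burst and len(fail_targets[(src, who)]) == 1:
            findings.append(("fail-burst", who, src))
        if len(fail_targets[(src, who)]) >= base.scan_targets:
            findings.append(("probe", who, src))
    findings += [("off-hours", who, src) for (src, who) in sorted(off_hours)]
    return {"events": len(records), "routine": dict(routine), "findings": findings}

def reduce_sample() -> Dict[str, object]:
    """Run the reduction over both constructed logs."""
    return reduce_audit(parse_host_log(HOST_LOG) + parse_gateway_log(GATEWAY_LOG))

if __name__ == "__main__":
    for kind, who, src in reduce_sample()["findings"]:
        print(f"{kind:10s} {who:12s} {src}")
```

Eighteen raw events reduce to three findings; the backup service account's night-time activity is suppressed because the baseline lists it as routine.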
Recommendation 67

The Commission recommends that the DISA be the executive agent for the Department of Defense and the Intelligence Community for development of operational security management tools for infrastructure operations, including more powerful audit reduction tools, automated tools for use in assessing the security of our networks and connected systems, and improving security management support technology.

Managing the Risk to Information Systems

The Commission believes that a central data base containing security-related events should be established. This data base would support the analysis of threats and vulnerabilities regarding information systems in the Defense and Intelligence Communities and will be useful in helping to frame risk management decisions. To ensure the most comprehensive information is available to risk management decision makers, contributing threat and incident information to the data base must be mandatory.

Because of the sensitivity of reporting vulnerabilities of, and attacks on, information systems, the issue of whether to classify the data base is contentious. If unclassified, it is feared that vulnerability information could be accessed and used by hackers, foreign intelligence agents and others to gain a better understanding of exploitable weaknesses. However, the use of a classified data base places restrictions on dissemination that would prevent use of vulnerability and threat information by those who need it to protect their systems.

Recommendation 68

The Commission recommends that the Secretary of Defense and the Director of Central Intelligence jointly establish and maintain an information systems security threat and vulnerability data base. The data base should be available to all Defense and Intelligence Community organizations, including industry, and it must be mandatory that Defense and Intelligence Community organizations contribute all relevant information to it.
Emergency Response: The Need for Help

The Commission recommends that in addition to creating a threat and vulnerability data base, a central organization be identified to have the responsibility of working with system managers to prevent and protect against attacks, to respond in a timely and effective manner if attacks occur, and to alert others when a problem is recognized. Such a capability should cooperate with the Computer Emergency Response Team (CERT) efforts now underway in private industry and academia and with other government agencies. The DoD has created the Automated Systems Security Incident Support Team (ASSIST) Program at the Defense Information Systems Agency to perform these functions. The Intelligence Community should support and rely on the DISA's ASSIST program, and we recommend establishing the Program as executive agent for this function government-wide.

Recommendation 69

The Commission recommends that the Secretary of Defense and Director of Central Intelligence appoint the DISA's ASSIST program as the executive agent for emergency response functions for the DoD and the Intelligence Community.

Information Systems Security Professionals

The Commission's final recommendation deals with our most important information systems security resource: people. The Commission recommends creation of a professional corps to execute the information systems security responsibilities. The Commission also recommends that a vigorous training program be established to provide for the professionalization needed by the local security professional while maintaining security consistency across our networked environment in both government and industry. The National Cryptologic School is a good model for such professionalization training. The information systems security problem is part of the larger security training and professionalization considerations discussed elsewhere in this report.
Recommendation 70

The Commission recommends that the DoD and the Intelligence Community establish an information systems security professional development program as part of the overall development of security professionals.
