What is INFOSEC & Why Do We Need It?
By RADM Tom Stone As told to Diane Hamblen
INFOSEC will marshal SPAWAR’s resources to assist Naval customers in implementing Department of the Navy INFOSEC policy and will provide users with significantly more secure systems.
By I’ve come to realize that a lot of people don’t really undestand what INFOSEC is and what it’s supposed to do. Before we get into the meat of this article, here’s a definition to use as a guidepost:
INFOSEC is simply the protection of information and information systems during processing, storage, transfer and display.
It results from combining Computer Security (COMPUSEC) and Communications Security (COMSEC) into a secure systems engineering process; the application of INFOSEC products; and the integration of related disciplines such as transmission security, control of compromising emanations, physical security, personal security and operations security.
The mission of our new Naval INFOSEC organization is to be a single point of contact for planning, development, acquisition implementation and lifecycle support of standard INFOSEC products. In combining the COMSEC and COMPUSEC resources, we’ll be able to provide true end-to-end system security that the individual disciplines cannot give the Naval community today. In every way, the creation of this office underscores the Department of the Navy’s commitment to strengthen its tactical INFOSEC capability. This is the primary objective for INFOSEC Executive Director, Mr. Ralph Allen, in developing the INFOSEC Master Plan and in guiding the broad efforts applicable to each element of the INFOSEC organization.
We’re the pointed end for whatever the Secretary of the Navy decides is our information systems security policy. To meet SECNAV’s requirements, we’re using the communications security and computer security disciplines to form a true systems approach to meet the security needs of the 21st century.
Why are we harping on information security while everyone else is talking about the reduced threat? In the old days, we could identify the bad guys very easily, and to protect against the well-defined threats, we had well-defined security measures. Today, we’re not always sure who or where the adversaries are. It might be a hacker having fun or someone going after an industrial secret to gain a competitive edge. It could be any one of a dozen countries.
Today folks have computers sitting on their desks, and I know in many cases they have access to local area networks that are part of wide area networks and the Defense Data Network (DDN) and so on. It’s getting complicated. The boundaries are shifting, widening and blurring. In fact, the boundary isn’t there any more. You can’t really be sure who or what has access to your computer.
Our Naval INFOSEC office will acquire and support a complete line of INFOSEC products for Naval tactical and shipboard mission-support systems. One of the products we’re currently developing is a Navy Key Management System that will perform all the functions of the CMS custodian – electronically. It proved its value during Desert Shield when one of our carriers was directed to go into the Red Sea by way of the Suez Canal. The communications officers suddenly found themselves in a new Naval area that had its own COMSEC key list. Naval INFOSEC was able to send to that ship the keys for its crypto gear electronically.
Naval INFOSEC will also provide a complete set of services including systems engineering/certification support to program managers of weapons systems and operators of fielded systems.
Currently, we have approximately 30 people on the headquarters staff. I’m the Director, and Ralph Allen is the Executive Director. We’re also using the assets of the NAVELEX Security Engineering Center (NESSEC) to form what we’re calling our INFOSEC Engineering Division. In total, nearly 150 people are involved.
A consistent thread throughout our organization is the shared commitment to rigorous customer support as the basis for program prioritization and execution at all levels. The Navy must have one organization that centralizes resources and is the target that people aim for with their arrows, darts, laurels, security questions or problems. Also significant is the application of a master plan and investment strategy as the basis for resource allocation to programs. These steps are all necessary and consistent with the shifting INFOSEC paradigm – a shift from the current black box approach to fully integrated security systems.
There have been some extensive changes in how DoD and the services will handle information security. DMRD 918 established a central point for information security under the Defense Information Systems Agency (DISA). DISA, in turn, created an office under their Joint Interoperability Engineering Office called the Defense Information Systems Security Program (DISSP). That’s a joint National Security Agency (NSA)/DISA organization, and it will be the central point of contact for the Army, Navy and Air Force.
However, DISSP has only been in existence for two years, and we’ve only been around since December 1992. The process and the cooperation methods are still in the embryonic stage. It will take time.
Don’t misunderstand what I’m telling you. Naval INFOSEC can’t and doesn’t want to operate in a vacuum. Although we’re primarily concerned with tactical systems because they’re rather Department of the Navy unique, we don’t want every Naval ADP security officer with a problem calling DISSP and saying, "A hacker has invaded my system. I need help!" DISSP would be overwhelmed. We’ll be working closely with DISSP, but they can’t do everything for everybody.
As Mr. Robert Ayres, Director of DISSP, said in a recent issue of his newsletter, DISSPATCH, "Difficult decisions are ahead; marginal or redundant INFOSEC expenditures must be eliminated or consolidated, and new, cost-efficient approaches must emerge."
I agree with Mr. Ayres, and we’re already working closely with the other services, DISSP and industry. OSD is presently conducting work groups on multi-level security, and, of course, we’re participating in that. However, to me, one of the most effective working arrangements will be to use DISSP as a lessons-learned clearing house. For example, if we find a solution to a hacker problem, we’ll pass the solution to DISSP who can quickly spread the word to the other services.
With all this cooperation going on, people may get confused about who to call in case of a problem. It boils down to this: Naval personnel will call SPAWAR 00I first. We will either have the assets ourselves or work through DISSP to solve your particular problems. There will be several avenues of help available. One of them is our Naval Computer Incident Response Team (NAVCIRT). They’ve been staying busy for a number of years helping Naval personnel with virus and hacker problems, and they will continue to assist activities that need help. When a customer has a large hacking problem or a virus problem, NAVCIRT is our task force on the scene.
NAVCIRT helped develop the Navy’s Toolbox program which was the first INFOSEC computer security product distributed to every Navy command. It was primarily designed to combat against Michelangelo, Stoned and No-INT. We purchased the right to distribute IBM’s Viruscan in the form of Toolbox to the Navy.
Users will always need support. When a sailor turns on a PC and finds a cascading virus or the computer says, "You’ve been stoned," that sailor must know where to get help. (Editor’s Note: Look at the article by LT Ted Wackler, NAVCIRT Team Leader and Project Officer in this edition of Chips. We printed another article by Wackler in the January 1992 edition.)
One of the biggest challenges I see right now, for DISSP and for the individual services is that people need to be educated about the current types of threats as well as some of the methods and tools available to combat them. That came out clearly at our INFOSEC Users Conference that we held in Washington in May. Technology is advancing so rapidly that our ADP security officers are truly challenged just to stay abreast. We must assist them in keeping up with today’s threats, vulnerabilities and solutions.
I’d like to have our lessons learned published in Chips which is read by probably every ADP security officer in the Navy. In fact we’ll give you examples of problems that have been experienced by some commands and how they were solved. I’m making the commitment to give you input for each edition.
Naval INFOSEC has some big challenges ahead. Naval INFOSEC has some big challenges. We intend to meet the needs of the fleet users as well as the program managers with a customer service orientation. Business is already picking up.
Naval INFOSEC Goals
- Work closely with other services, agencies (e.g., DISA, NSA).
- Establish a continuing process of improvement (standards, technology, systems engineering, products, implementation).
- Strengthen and enhance knowledge base.
- Expand scope & applicability of available INFOSEC methods & training.
- Address special needs of individual project managers & operational users.
- Establish use of best available INFOSEC solutions.
Need help? Call: SPAWAR (OOIC) (703) 602-8271, EXT 183 DSN 332-8271, EXT 183 NESSEC IED (202) 282-2037 NAVCIRT 1-800-759-8255 PIN 18737 DSN 292-2020
(Editor’s Note: In the October 1993 edition, we’ll publish our first lessons learned article from RADM Stone’s INFOSEC. DISSPATCH Editor is Ray Olszewski. The Editorial Offices are located at 3701 North Fairfax Dr., Arlington, VA 22203-1713. The telephone numbers are: Commercial (703) 696-1897/1904; DSN 496- 1897/1904; FAX (703) 696-1900: E-MAIL DISSP@DDN-CONUS.DDN.MIL.)
About the Author: By RADM Tom Stone As told to Diane Hamblen .