DISA struggles to ensure freedom in cyberspace

Monday - 2/21/2011, 5:08pm EST

Richard Hale, chief information assurance executive, DISA

Click to hear the interview.

Download mp3

By Jason Miller
Executive Editor
Federal News Radio

The Defense Information Systems Agency has four goals around information assurance. Three of them, dependability, sharing safely and keeping information secret, are easy for them to get their arms around. The fourth, ensuring freedom of action in cyberspace, is not so clear, said Richard Hale, DISA's chief information assurance executive.

Hale, who spoke at a recent lunch sponsored by AFCEA, said there are trends in the field, including using shared infrastructure and public networks, which are requiring the Defense Department to take a closer look at this issue.

"How do we make it so one combatant command can take mission risks without having that mission risk slop over into another combatant command mission?" he said. "We are struggling with that a little bit. We have a few things going on in the architecture, enterprise services and processes that I think are leading the way in some ways toward some of these goals."

DISA still is early on in looking at this issue, but need to figure out how to get this risk separation. He points to the efforts across the military to create cyber demilitarized zones (DMZs) as an example of how they already are trying to address this issue.

"The ability to set policy by mission rather than assuming you have a one-size fits all perimeter defense policy should be able to give different DoD missions different policies and keep the risks moving from one to another," Hale said. "For the bigger DoD information infrastructure, we still are not sure how this will go."

DISA has been deploying these DMZs over the past few years, but they have had limited functionality. Dave Mihelcic, DISA's chief technology officer, said the initial capabilities were white listing and blocking or limiting inbound traffic to a limited range of machines.

Hale said one model the combatant commands are considering is developing a separate network on which they fight.

"The trick there is to figure out a way to do that and still be able to take advantage of all these great enterprisewide services, standards and structures that we have in the big DoD networks," Hale said. "We don't know what the model is going to look like going forward, except that we have to find ways to make sure that sharing is still smooth between these combatant commands and among all these entities that have to interact to execute mission."

While DoD is figuring out how to overcome the taking, but not sharing of risk challenge, DISA is taking steps to continue to meet the other three cybersecurity goals.

Hale said DISA will lead the implementation of public-key infrastructure (PKI) on the secret or classified network (SIPRNET) later in 2011.

Currently, the SIPRNET requires several different layers of authentication and verification, including physical security.

"This will give us a common identity credential across every single DoD organization and perhaps other federal government organizations," Hale said. "The government has structured PKI as an interagency thing from the start. That means instead of having a lot of local usernames and passwords for different services on the net, I can use this common credential so I think it drives better accountability because everyone will have a globally meaningful identity. We also will be able to use it for improved sharing. I won't know you in advance, but I may decide with some other information about you to give you access."

The end goal is to improve sharing and improve security at the same time.

"Currently, we use a variety of identity credentialing schemes for the classified network," he said. "The highest level access control for those networks is physical security. But we have layers of cybersecurity and we are trying to standardize some of those layers and strengthen them."

DoD's common access cards (CACs) are used only for the unclassified networks.

Hale did not say when DISA would complete the PKI implementation on the SIPRNET.

(Copyright 2011 by FederalNewsRadio.com. All Rights Reserved.)