By Geoff Fein

While it might seem that advances in information technology require similar efforts to secure those systems, it is really more about policies and procedures than hardware or software, according to a Navy official.

The Navy, like all the services, has processes in place to ensure that systems are tested, certified, and accredited before they get connected to the network, Jim Granger, technical director of Navy Cyber Defense Operations Command, told Defense Daily in a recent interview.

“It’s not just about new hardware or new software, it’s about new procedures…policies…about how do we operate, how do we make our business more efficient,” he said. “It’s more about how do our procedures, how do our policies, how do our methods, evolve.”

It is those procedures and policies that in part help secure networks, by making sure users understand what they are doing on the network and how they are doing it, Granger added.

For example, if there is a phishing e-mail, is the user following the established procedures? Is the user ensuring there is a digital signature before they open the e-mail, Granger asked. “We have procedures in place to do that sort of thing.”

Other issues can arise when a user connects to his or her computer a piece of mobile media, such as a USB card or a CD they may have received, that is embedded with malicious code, he added.

A user may inadvertently download malicious code by visiting some websites, or send information that might be classified via unsecure means, Granger noted.

“The technology has changed some of the procedures and things…the issues haven’t,” he said.

But inattentive users are by no means the only threat facing military computer systems.

“The networks have a myriad of threats, bad user behavior is just one of them,” Granger said. “You can look at the range of threats…from the malicious insider all the way up through state sponsored activity. I can also look at the malicious backhoe where the guy cuts your cable…it’s just as big a threat as well.

“We face a variety of threats and try to do our best to mitigate their impacts and defend against them to the best of our abilities,” Granger added.

The move toward more commercial-off-the-shelf (COTS) systems also poses a security concern, Granger noted.

“You’ve got to look at how much software is in there, how many bugs and potential vulnerabilities are in there, where is that software produced, how reliable is it…all those things are a concern,” he said. “You want to go for the gee whiz bang technology…well that may have some significant security flaws.”

For example, Granger points to the move toward wireless technologies that are commonly available today at coffee houses and Internet cafes.

“How secure is that? It is well known, publicly published, that open wireless like in a café is very easy to compromise,” Granger said. “How many people get their identifications stolen in that manner? You certainly have to be aware of the risks, aware of the vulnerabilities, before you operate in the environment.”

And trying to keep pace with the hackers, whether those just fooling around on the Internet, or those with a more criminal intent in mind, is becoming more difficult, he added.

“One of the things is, we have to guard against every single possible type of everything, where an adversary only has to find one way in. If you are in a building with five million doors, you have to keep all those doors closed and the adversary only has to find one that’s open. That’s certainly a challenge,” Granger said.

“You establish a baseline defense in-depth where you put measures in place, where if one of them fails, ideally another one will pick it up,” he added.

And Granger doesn’t see things improving in the future.

“First off, the threats are going to become more sophisticated and they are going to come faster…[be] more agile. We have to do the same thing,” he said. “Right now we are moving toward a more centralized enterprise network…NGEN (Next Generation Enterprise Network)…centrally managed…a coordinated degree of security…higher degree of security across the board. The central management enables us to respond quicker and have a more homogenous environment…[it is] easier to defend.

“I see more layers of security, multiple layers of security, so you can talk at different levels and ensure that each individual has the right access to the right information at the right time,” Granger added. “We are going to definitely have more bandwidth in the future. It’s information-centric, the way the world is going. I see challenges ahead.”