Computer Network Defense


Information Assurance (IA) is not just a paperwork drill. There are dangerous adversaries out there capable of launching serious attacks on our information systems, which can result in severe or catastrophic damage to the nation’s critical information and ultimately threaten our national security.

Given DoD’s complex information infrastructure (all the systems and equipment used to transmit, store, and process the information DoD needs to accomplish its mission) coupled with the rapid escalation of computer hackers, the increasing sophistication of computer system attacks, and the degree to which DoD computer systems are targeted, every DoD organization and installation should remain under constant alert and vigilance.

DoD has been transitioning from isolated or stand-alone information systems to a globally integrated information structure, linking thousands of computers with the Internet and other networks. This increasing dependence on computer and network technology raises a number of concerns.

For example, a Commander or Commanding Officer, who must react quickly to a threat and make decisions based on sound and timely information, requires rapid access to this vast network of systems and connections. Yet this operational interoperability, which depends heavily on information system interoperability, has exposed design flaws and system vulnerabilities that have led to Computer Network Attacks (CNA).

CNAs are operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. There are many methods and tools for carrying out such attacks, and many countries and individuals are engaged in developing computer attack capabilities. Coordinated attacks against targeted information systems have implications across the tactical, operational, and strategic environments. Just because a massive attack has not happened does not mean it cannot or will not occur.

There are two typical attack approaches:

Passive attacks: In a passive attack, the adversary attempts to discover valuable information by listening to routing traffic or monitoring network traffic to learn avenues of approach or proprietary information. These attacks can be either network- or system-based. Because a passive attacker transmits nothing and alters nothing on the target, these attacks are the most difficult to detect; eavesdropping on unencrypted Internet traffic is therefore relatively easy to carry out unnoticed.

Active attacks: During an active attack, the adversary tries to break through defenses and gain access to information systems and networks. There are several types of active attacks: ‘system access’, in which the adversary exploits system security vulnerabilities to gain access and control; ‘spoofing’, in which the adversary masquerades as a trusted agent to get past defenses or to persuade users to hand over proprietary information; ‘denial of service’, in which the adversary blocks, floods, or redirects traffic so that legitimate users cannot reach the system; and ‘cryptographic’, in which the adversary attempts to guess or steal passwords or to decrypt encrypted data.

DoD faces serious challenges with regard to information assurance. Resolving these issues is paramount to the Department’s current defense structure and its ability to assure the availability, integrity, and confidentiality of information. To aid in the assurance of these capabilities, the Joint Task Force for Global Network Operations (JTF-GNO), under US Strategic Command, identifies such threats and possible mitigation strategies to protect DoD information systems and networks, and directs the defense of the Global Information Grid (GIG) as the lead DoD Computer Network Defense (CND) organization.

DoD expects there will be some attacks that are more successful than others, and as such, the information infrastructure must be resilient. Securing the infrastructure requires a multi-faceted effort. CND is a supporting part of that effort, as it embodies both incident detection and response – a critical part of DoD’s layered defense-in-depth strategy.

To combat a CNA, an adequate CND program must employ response actions – defensive measures used to protect and defend computer systems and networks under attack or targeted for attack. Defense response actions involve both passive and active strategies.

Passive defenses can be effective, but they are reliant upon internal monitoring and the vigilance of system administrators and users. These defenses include internal use of various technologies, such as firewalls and cryptography, and procedures to protect DoD’s enclaves and assets. By definition, passive defense does not impose a risk or penalty on the attacker. With only passive defensive measures in place, a potential attacker is free to keep attempting to infiltrate the system. Given the vulnerabilities of most information systems and the low cost of most attacks, a skilled and determined attacker is likely to eventually succeed if given free rein to keep trying.
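Passive defense depends on someone actually watching the monitoring, so the following is an added example (not part of the original article) of what that watching looks like in practice for the ‘cryptographic’ password-guessing attack described above. It parses sshd-style authentication log lines, flags a burst of failures from one source inside a sliding window, flags a success that follows such a burst (a likely compromise), and separately flags a source that keeps failing slowly over hours, which is exactly the patient attacker a single rate threshold would miss. The host name, addresses, user names and log lines are constructed for the example; the thresholds are assumptions to be tuned per enclave.

```python
"""Detect password-guessing attempts in sshd-style authentication logs.

Added example: the log lines below are constructed (hypothetical host
'host1', documentation-range IP addresses), not taken from any real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog format as written by OpenSSH's sshd).
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:00:03 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 08:00:04 host1 sshd[2004]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:00:06 host1 sshd[2005]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 08:00:08 host1 sshd[2006]: Failed password for jsmith from 203.0.113.7 port 51026 ssh2
Mar 10 08:00:09 host1 sshd[2006]: Accepted password for jsmith from 203.0.113.7 port 51026 ssh2
Mar 10 08:05:00 host1 sshd[2100]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
Mar 10 08:07:30 host1 sshd[2101]: Accepted password for jsmith from 198.51.100.4 port 40002 ssh2
Mar 10 09:00:00 host1 sshd[2200]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 10 09:30:00 host1 sshd[2201]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 10 10:00:00 host1 sshd[2202]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar 10 10:30:00 host1 sshd[2203]: Failed password for root from 192.0.2.9 port 33004 ssh2
Mar 10 11:00:00 host1 sshd[2204]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

# Only the two outcomes we care about; other sshd messages are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(log_text, year=2024):
    """Return (timestamp, outcome, user, source_ip) tuples for auth events.

    Syslog lines carry no year, so one is assumed (parameter)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["outcome"], m["user"], m["src"]))
    return events


def detect_password_guessing(events, burst_threshold=5,
                             window=timedelta(minutes=1), slow_threshold=5):
    """Return a list of (alert_type, source_ip, detail) tuples.

    burst                  : >= burst_threshold failures from one source inside `window`
    success_after_failures : an accepted login while >= 3 recent failures are in the window
    persistent             : >= slow_threshold failures overall, never a success, never a
                             burst (low-and-slow guessing that a rate threshold alone misses)
    """
    recent = defaultdict(deque)       # per-source failure timestamps still inside the window
    total_failures = defaultdict(int)
    had_success = set()
    burst_flagged = set()
    alerts = []

    for ts, outcome, user, src in sorted(events):
        q = recent[src]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            total_failures[src] += 1
            if len(q) >= burst_threshold and src not in burst_flagged:
                burst_flagged.add(src)
                alerts.append(("burst", src, len(q)))
        else:
            had_success.add(src)
            if len(q) >= 3:
                alerts.append(("success_after_failures", src, user))

    for src, n in sorted(total_failures.items()):
        if n >= slow_threshold and src not in had_success and src not in burst_flagged:
            alerts.append(("persistent", src, n))
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, 203.0.113.7 triggers both the burst alert and the success-after-failures alert (a guessed credential that should be treated as a compromise, not a noisy user), 198.51.100.4 is a single typo followed by a normal login and produces nothing, and 192.0.2.9 never exceeds the one-minute threshold but is caught by the cumulative rule. The same pattern applies to any authentication source (VPN, web portal, domain controller) once the parser is swapped.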

On the other hand, active defenses impose some risk or penalty on the attacker. These may include identification and exposure, investigation and prosecution, or pre-emptive or counterattacks of various sorts. There are three types of active defense measures: preemptive attacks, counterattacks, and active deception. Active and passive defense measures should be used in tandem.

There is no ‘silver bullet solution’ for CND. Rather a robust, flexible and living CND framework methodology should be developed and tailored to meet organizational requirements.

NAVAIR Information Assurance Office takes all security compromises seriously. NAVAIR personnel are required to report all IT-security related vulnerabilities and incidents so they can be quickly and appropriately addressed. If you become aware of a security compromise, you must immediately notify your Information Assurance Officer (IAO) or your Information Assurance Manager (IAM). If you would like more information, contact your local IAO, IAM, the NAVAIR 7.2.6 Information Assurance office, or the NAVAIR 7.4.1 security office. A list of IA POCs is located on the Office of CIO Web site https://cio.navair.navy.mil.

About the author: Chris Dosch, a regular contributor to Office of CIO communications, is an employee of Smartronix Corporation, Information Assurance Division.