GAO/NSIAD-98-132R Information Assurance
B-280243
June 11, 1998
The Honorable Curt B. Weldon
Chairman, Subcommittee on Military Research and Development
Committee on National Security
House of Representatives
Subject: DOD's Information Assurance Efforts
Dear Mr. Chairman:
As requested, we are currently reviewing certain aspects of the Department of
Defense's (DOD) efforts to attain information superiority. In preparation for a
Subcommittee hearing this week, your office asked that we provide the results
of a subset of that work--our evaluation of DOD's efforts to protect and defend
its information and information systems, an activity it characterizes as
information assurance. In response, this letter addresses (1) the actions DOD
has taken to implement the recommendations contained in the Defense Science
Board task force's November 1996 report [1: Report of the Defense Science Board Task Force on Information Warfare-Defense (IW-D) (Nov. 1996), Defense Science Board, Washington, D.C.]
on information warfare defense,
(2) DOD's development of an information assurance management process, and
(3) DOD's adoption of a new information assurance certification and
accreditation process. We expect to issue a report on the department's
progress in implementing information superiority in the near future.
BACKGROUND
In 1996, the Chairman of the Joint Chiefs of Staff articulated a conceptual
template for DOD's future warfighting, called Joint Vision 2010, that depends on
information superiority over opposing forces as a key enabler. DOD defines
information superiority as "the capability to collect, process, and disseminate an
uninterrupted flow of information while exploiting or denying an adversary's
ability to do the same." It believes the implementation of this concept, and the
information systems on which it critically depends, has the potential to provide
significant advantages over adversaries in conflict and add efficiencies to
peacetime and wartime operations. However, increasing reliance on
information systems also exposes DOD's warfighting capabilities to significant
potential vulnerabilities through attacks on those systems. The importance of
protecting those systems was reflected in a recent DOD task force report that
stated that information assurance is critical to attaining information superiority
and commented that without it, it is increasingly likely that U.S. forces will fail
to accomplish their mission.
The importance of DOD's providing protection and defense for its information
and information systems is further evident when one considers the investment
DOD plans in information superiority related systems. Based on its analysis of
the fiscal year 1999 through 2003 Future Years Defense Plan, DOD estimates
that it has budgeted an average of $43 billion a year on the Command, Control,
Communications, Computers, Intelligence, Surveillance and Reconnaissance
(C4ISR) systems and activities--systems and activities on which attaining
information superiority will depend.
SUMMARY
Since the Defense Science Board task force's November 1996 report on
information warfare defense, DOD organizations have undertaken a variety of
efforts to establish information assurance. For example, DOD has initiated a
project to develop a standard methodology and management process by which
opposing force (Red Team) assessments will be conducted to help identify
vulnerabilities in DOD systems and networks and to determine the readiness
posture and preparedness of the fighting forces. Also, the Office of the
Assistant Secretary of Defense for Command, Control, Communications and
Intelligence recently began implementing a program to bring an integrated
management structure and process to information assurance activities and
initiated a process for certifying and accrediting systems for information
assurance. How effective these new initiatives will be, however, remains to be
demonstrated.
DOD'S RESPONSE TO TASK FORCE RECOMMENDATIONS
In October 1995, the Under Secretary of Defense for Acquisition and Technology
established a Defense Science Board Task Force on Information Warfare-Defense.
Its purpose was to focus on the protection of information interests of
national importance through the establishment and maintenance of credible
information warfare defensive capabilities. In its November 1996 report, the
task force concluded that there is an increased risk posed by the networked
environment of DOD information systems that could seriously affect DOD's
ability to carry out its missions. It also concluded that there is a need for
extraordinary action to deal with the present and emerging challenges of
defending against possible information warfare attacks on facilities, information
systems, and networks. It recommended over 50 actions designed to better
prepare DOD against the threat of information warfare.
According to DOD officials, information assurance efforts have not been
specifically organized around responding to the task force recommendations.
Rather, the efforts have been driven by a combination of the task force report,
other reports [2: For example, The Report of the Joint Security Commission (Feb. 1994), The Report of the
Commission on Protecting and Reducing Government Secrecy (Mar. 1997), Improving
Information Assurance: A General Assessment and Comprehensive Approach to an Integrated IA
Program for the Department of Defense (Mar. 1997), The Quadrennial Defense Review
(May 1997), DOD Inspector General draft Audit Report on DOD Management of IA Efforts
(July 1997), and Information Security: Computer Attacks at the Department of Defense Pose
Increasing Risks (GAO/AIMD-96-84, May 22, 1996)], and events that have increased DOD's awareness about potential
information security vulnerabilities. The events include DOD-simulated and
actual outsider intrusions into DOD networks and an information security
workshop hosted by the Defense Information Systems Agency in January 1997.
The workshop focused on addressing task force recommendations and included
participants from many DOD organizations.
Although DOD has not organized its information assurance activities solely
around the Defense Science Board task force's November 1996 report, we
worked with staff of the DOD's Information Assurance Directorate in an
attempt to draw a general assessment of DOD's position relative to the task
force's recommendations. We found the following:
- Several of the task force's recommendations did not fall entirely within
DOD's scope of operations and were dealt with through the President's
Commission on Critical Infrastructure Protection. For example, the task
force recommended establishing a center to provide Intelligence Indications
and Warning, Current Intelligence, and Threat Assessments. DOD officials
stated, and we verified, that this issue was addressed by the President's
Commission.
- Some of the task force's recommendations were considered and then
rejected. For example, the task force recommended that DOD fund,
establish, and maintain a minimum essential information infrastructure that
would include a fail-safe restoration capability. DOD officials told us that the
Quadrennial Defense Review determined that action on this recommendation
should not be taken until the information warfare threat to DOD's systems
matures.
- Certain efforts that will address some of the task force's recommendations
are underway. For example, the task force recommended the establishment
of an opposing force (Red Team) for conducting independent assessments of
new systems' and services' vulnerabilities and for conducting simulated
information warfare attacks to verify the readiness posture and preparedness
of the fighting forces. DOD has initiated a project to develop a standard
methodology and management process by which opposing force (Red Team)
assessments will be conducted. Additionally, DOD officials told us that the
Defense Intelligence Agency will be providing concept validation of the
methodology by following it step by step in an activity beginning this month.
- Some of the recommendations will be addressed through the implementation
of recently adopted plans and processes. For example, a central theme of
the task force's report was the need to organize and provide defensive
information warfare capabilities. The recently adopted Defense-wide
Information Assurance Program, as described below, is intended to provide a
management process that is to bring coordination and cohesion to DOD's
various information assurance activities and to provide more effective
management of its information assurance resources.
DEVELOPMENT OF DOD'S INFORMATION ASSURANCE MANAGEMENT PROCESS
Despite the many efforts by the various organizations, DOD's information
assurance needs are not being met in certain key areas. A recent Assistant
Secretary of Defense for Command, Control, Communications and Intelligence
report [3: A Management Process for a Defense-wide Information Assurance Program (DIAP), Nov. 15, 1997, Assistant Secretary of Defense for Command, Control, Communications and Intelligence.
This report was directed to be developed by the Fiscal Year 1999-2003 Defense Planning
Guidance.] stated that the complexity of managing DOD's information assurance
efforts had increased due to the proliferation of networks across DOD and that
its decentralized information assurance management could not deal with it
adequately. As a result, it noted that some information assurance efforts were
only minimally effective. The report further stated that DOD lacked effective
processes to (1) assess the operational readiness of its information systems and
networks, (2) identify its information assurance requirements, and (3) ensure
that those requirements are programmed and executed in accordance with
DOD's priorities.
To deal with these issues and better manage DOD's increasing dependence on
globally networked information systems, the report recommended an
information assurance management process for a Defense-wide Information
Assurance Program. In January 1998, the Deputy Secretary directed the
Assistant Secretary of Defense for Command, Control, Communications and
Intelligence to develop and implement the program. How effective the new
program will be, however, remains to be demonstrated. According to the report,
metrics will need to be developed, collected, and analyzed to demonstrate
results, such as determining where and how its information assurance
investments are enhancing the protection of its information systems.
Additionally, DOD's information assurance efforts are moving forward without
the benefit of a completed and approved C4ISR architecture--an issue that we
plan to address more fully in our upcoming report on DOD's progress in
implementing information superiority. The importance of this issue is reflected
in the March 1997 report of a DOD information assurance task force. In its
report, that task force stated that DOD's enterprise [DOD-wide] information
architectures must support its information security needs and that DOD must
address security in an integrated fashion with other system attributes at the
time of system design rather than as add-on products or services after design
completion. It further stated that DOD must explicitly link security throughout
the operational, systems, and technical architectures, noting that the operational
architecture must show what, when, where, and why security should be applied;
the system architecture must show where, what, and how security will be
applied; and the technical architecture must provide the "building codes and
standards" for what and how security will be applied.
ADOPTION OF A NEW CERTIFICATION AND ACCREDITATION PROCESS
In addition to the new information assurance management process, DOD has
recently adopted a new Information Technology Security Certification and
Accreditation Process. In December 1997, the Assistant Secretary of Defense
for Command, Control, Communications and Intelligence issued DOD
Instruction 5200.40 that established this process as a standard DOD-wide
approach to protecting and securing the entities comprising the Defense
Information Infrastructure, including automated information systems, networks,
and sites. The process requires comprehensive information assurance
evaluations of all information technology systems in accordance with specified
analytical procedures, including vulnerability risk assessments and acceptance
determinations. In addition, it specifies that certification and accreditation will
be done at "applicable systems level" and involve systems program or operation
management and senior staff, users, and working level security managers.
As with the new management process, successful operation of the new
certification and accreditation process remains to be seen, pending its full
implementation. Because of the possibility of inconsistent application of the
procedures, aspects of the process may warrant attention. Specifically, because
the process disperses certification and accreditation responsibilities among
organizations and systems, standards could be interpreted and applied
inconsistently among various organizations. If such inconsistencies occur, the
process may not meet its objective.
Similarly, the process permits dispersed decision-making for accepting risk
levels posed by individual systems. However, when systems approved on an
individual level become interconnected through a network, the most vulnerable
system would set the risk level for the other systems in the network. As a
result, security of some systems that need higher levels of protection by virtue
of their use and the kind of information maintained on them may unknowingly
take on additional and unacceptable risks.
AGENCY COMMENTS
In oral comments on a draft copy of this letter, DOD provided one technical
correction, but otherwise agreed with its contents. This letter reflects the
technical change DOD suggested.
SCOPE AND METHODOLOGY
To evaluate what actions DOD and the services had undertaken to implement
the recommendations of the Defense Science Board task force on information
warfare defense, we reviewed the task force report and discussed specific
actions taken regarding the report's recommendations and current and planned
information assurance activities with appropriate level senior and other DOD
officials. These officials were responsible for information assurance and
information operations oversight within the offices of the Assistant Secretary of
Defense for Command, Control, Communications and Intelligence; Defense
Information Systems Agency; Joint Staff; military services; and the National
Security Agency. From these officials, we obtained and reviewed key
documents relevant to information assurance actions and plans, including a
November 15, 1997, Secretary of Defense report to Congress on Information
Security Activities of the Department of Defense; a November 15, 1997,
Assistant Secretary of Defense for Command, Control, Communications and
Intelligence report to the Deputy Secretary of Defense on a Management
Process for a Defense-wide Information Assurance Program (DIAP); and DOD
Instruction 5200.40 on DOD's Information Technology Security Certification and
Accreditation Process.
We also met with the Chairman of the Defense Science Board task force and a
former Defense Information Systems Agency director to obtain their views on
DOD's responses to the task force's recommendations and the problems facing
DOD with respect to information assurance. Finally, we received briefings from
appropriate officials at the U.S. Atlantic Command, Army Training and Doctrine
Command, U.S. Central Command, and the National Security Agency on the
results of wargame simulation exercises and network security events that
demonstrated significant information network security problems, and we
received a briefing on and tour of Defense Information Systems Agency's Global
Operations and Security Center.