MAY 10, 1999
Security must include information superiority
By Ronald D. Elliott
As the Defense Department undertakes a program to improve the security of its computer communications network, the Non-Classified Internet Protocol Router Network (NIPRNET), it should keep in mind that security and communications are essentially opposites on a continuum.
Few argue against the need to improve the security of information processing and exchange services critical to our national security. However, taking security to the extreme hinders communications. The most secure communications network is one that minimizes the subscribers and services offered.
The operational concepts espoused by the Joint Staff in its Joint Vision 2010 plan require "information superiority," achievable from maximum communications among a myriad of subscribers. The capability of our government to carry out its integrated mission of warfighting and peacekeeping is highly dependent on a set of information systems and networks extending beyond what is sometimes called the Defense Information Infrastructure. It must include rich interconnectivity to the national information infrastructure and that of U.S. allies.
National security operations in the 21st century rarely will be restricted to U.S. forces and will include support from many nonmilitary institutions in the public and private sectors. Such operations will be conducted as an "enterprise" by organizations of multiple nations extending beyond DOD and military departments.
Proposals such as those attributed to Army Lt. Gen. William Campbell to drastically restrict NIPRNET/Internet interaction appear to be ill-advised. On the contrary, those engaged in national security operations in the future will need increased connectivity to the Internet to access valuable multimedia information and integrated information services. Instead of pulling away from the Internet, our operational units will need to exploit its resources.
Consistent with Joint Vision 2010, efforts at the Defense Information Systems Agency to improve NIPRNET security are taking the wiser path to enable enhanced security while improving access to information and information exchange services among operational units and those supporting them in the future.
DISA is following the recommendations of a group of DISA and National Security Agency experts during the past year to adopt a defense-in-depth technical strategy to provide information assurance consistently across the entire DII. They've made clear that national security information and exchange services must be managed as an enterprise.
The strategy recognizes that absolute security for all elements of the DII is not possible, but that interconnection is essential. Thus, it enables varying levels and types of security to be adaptable to individual computers and local networks. The resulting layered security services would be achieved through continuous attention not only to protecting information and services but also to detecting attacks on services and resources and reacting promptly to them.
The result would be to have services at varying levels of assurance in individual enclaves within the overall DII. Generally, the defense-in-depth technical strategy applies management techniques to enable layers, or levels, of assurance of information protection and exchange services to shared and individual resources and services.
This management strategy is technically sound, affordable and capable of phased implementation. But it requires strong management oversight at the departmental and Cabinet levels. This is particularly difficult with the Office of the Secretary of Defense still lacking an assistant secretary for its office assigned responsibility for information technology management.
If the United States is to have information services that maintain our national security units' information superiority in the 21st century, Defense Secretary William Cohen must give the same priority to information technology management he did as a senator.
-- Elliott is a recently retired federal government executive with more than 30 years in the national security arena. Most recently, Elliott was director of the Intelligence Systems Secretariat.