Initiative puts information security and reliability first.
The U.S. Defense Department is refocusing efforts to protect military
communications from computer network threats. By shifting its network operations emphasis
from exclusively defensive to a more offensive stance, the government seeks to ensure the
integrity of coalition operations. Preparations for projecting a greater disruptive
potential to adversaries are underway.
With more than 3 million computers and 10,000 networks to defend against both external
and internal compromise, the Defense Department must delegate authority over these systems
across its component agencies. One such organization, the U.S. Space Command (USSPACECOM),
Peterson Air Force Base, Colorado, is spearheading the department's computer network
defense (CND) initiative. USSPACECOM is concentrating on personnel training and readiness
to address localized and departmentwide threats.
In October 1999, USSPACECOM took charge of the Defense Department's CND program. Within
a year, the program evolved into two branches: one addressing CND and the other computer
network attack (CNA). According to Lt. Col. John Pericas, USAF, chief officer for computer
network defense operations, USSPACECOM, the idea is to simultaneously protect and
facilitate defense information systems network activities so that both defensive and
offensive measures can be maximized to support mission success. "With this
two-pronged approach, we not only defend our data from threats that would steal it, but
project our own capabilities to disrupt enemy operations," Col. Pericas adds.
Providing soldiers with the necessary information to carry out their missions is a key
thrust of the CNA initiative. "The CNA side is of great importance to the continued
existence of our systems' operability through the maintenance of a constant lookout for
ways to disturb our opponents' systems," the colonel says.
To counter possible threats, the command is attempting to restructure Defense
Department information operation condition (INFOCON) system planning. "The main
objective is to provide the capability for raising the level of defensive posture within
the defense information systems infrastructure to meet security threats before they can
penetrate our networks," Col. Pericas explains. Under the direction of the commander
in chief of USSPACECOM, the INFOCON initiative will revamp a proactive hierarchical system
designed to ensure that commands maintain access to the information needed for mission
execution.
Another initiative within the CND program is the efficient use of a system of
information assurance vulnerability alerts (IAVAs). These alerts are the principal method
of Defense Department-wide notification in response to suspected system weaknesses. IAVAs
are recommended to the department by computer emergency response teams (CERTs) after
system operators and administrators report a potential vulnerability. "In either
localized or networkwide situations, an IAVA allows for the seamless communication of
[information about] potential trouble before a full-scale attack can occur," the
colonel remarks. "During wartime operations, getting the word to a tactical command
center so that personnel can inform units of a system vulnerability is essential to
establishing connective security between allied forces."
On the strategic operations level, improving information dissemination methods
throughout the chain of command is a prerequisite to integrating Internet-based systems
into a communications architecture such as the Global Information Grid. The development of
a concept plan for synchronizing efforts across all command levels is a current endeavor,
Col. Pericas indicates. As the centerpiece for standardizing defensive actions and
response measures throughout all Defense Department commands, the proposed plan allows for
enhanced coordination during joint task force operations.
Establishing interconnectivity between coalition forces is also a key effort at
USSPACECOM. "The goal is to nail down the communications architecture between allied
forces in the planning phase, before it can be jeopardized during a conflict," the
colonel explains. "The last thing you want is to have a different idea of
communications security than an ally [does] during a critical mission situation."
Internet-based virtual training sessions are helping to connect U.S. forces with
European and Asian allies using near-real-time battlefield scenarios. These exercises
depict actual network breaches so that attack responses can be evaluated, he says.
Network monitoring of both structured and unstructured security threats is another of
the command's priorities. "Being able to differentiate between the large organization
or state-oriented attack and the individual hacker or viral attack is important to
responding appropriately to a given situation," Col. Pericas explains. "In each
case, however, the primary course of action is the rapid localization of the attack
through proper procedural training."
The Joint Task Force (JTF)-CND sector of USSPACECOM is the center for network security
within the Defense Department. Charged with maintaining the overall situational awareness
of the department's network infrastructure, the JTF-CND receives and processes CERT
reports from each military service on the state of network operations. The information
collected is then validated using standard classification procedures to determine each
report's threat level. Based on this evaluation, an IAVA may be issued and a determination
made to change the department's INFOCON level.
The JTF-CND is continually exploring network defense techniques such as patterned and
patternless threat detection. Patterned detection integrates recorded network histories
with current system activities, allowing operators to monitor trends. With a blueprint of
how the network is expected to behave, operators can program systems to detect any
functional deviations.
Patternless threat detection involves collecting and analyzing raw data to develop a
virtual map of a network for comparison with similar systems. The goal is to map a
network's performance under varying conditions so that it can be more intelligently
monitored for changes in communication content and quantity. The JTF-CND will be
experimenting with the Raytheon Company's SilentRunner software, one of two gold nuggets
chosen at the Joint Warrior Interoperability Demonstration 2000 (SIGNAL, February, page
57). Aside from assisting firewall and intrusion detection systems, the SilentRunner
program could help the Defense Department locate attacks originating from inside its
networks.
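The detection approach described in the two preceding paragraphs (a blueprint of expected behaviour built from recorded network history, then current activity checked against it for changes in both which hosts talk on which ports and how much they send) can be illustrated with the following added example. It is not code from the article, from USSPACECOM, the JTF-CND or the SilentRunner product; the flow records, host names, ports, the z-score threshold and the minimum-history rule are all constructed assumptions chosen for illustration.

```python
"""Baseline-and-deviation detection over constructed per-day flow summaries."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical records standing in for "recorded network histories":
# (day, source_host, destination_port, bytes_sent). Hypothetical hosts and values.
HISTORY = [
    ("day1", "ws-01", 80, 1200), ("day1", "ws-01", 443, 900), ("day1", "srv-db", 1433, 5000),
    ("day2", "ws-01", 80, 1100), ("day2", "ws-01", 443, 1000), ("day2", "srv-db", 1433, 5200),
    ("day3", "ws-01", 80, 1300), ("day3", "ws-01", 443, 950), ("day3", "srv-db", 1433, 4900),
    ("day4", "ws-01", 80, 1250), ("day4", "ws-01", 443, 1050), ("day4", "srv-db", 1433, 5100),
]

# Constructed current-day records to be compared against the blueprint.
TODAY = [
    ("day5", "ws-01", 80, 1200),      # in line with history
    ("day5", "ws-01", 443, 30000),    # same path, far more volume than usual
    ("day5", "srv-db", 1433, 5000),   # in line with history
    ("day5", "srv-db", 445, 4000),    # a host/port pairing never seen before
]


def build_blueprint(flows):
    """Summarise each (host, port) pair as (mean daily bytes, population stdev, days seen)."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, host, port, nbytes in flows:
        per_day[(host, port)][day] += nbytes
    blueprint = {}
    for key, days in per_day.items():
        values = list(days.values())
        blueprint[key] = (mean(values), pstdev(values), len(values))
    return blueprint


def detect_deviations(blueprint, flows, z_threshold=3.0, min_days=3):
    """Return (host, port, reason, observed_bytes) for activity that departs from the blueprint.

    Two kinds of deviation are reported: a communication path absent from the
    history (a change in *who talks to what*), and a known path whose volume is
    more than z_threshold standard deviations from its baseline (a change in
    *how much*). Pairs with fewer than min_days of history are not judged.
    """
    totals = defaultdict(int)
    for _day, host, port, nbytes in flows:
        totals[(host, port)] += nbytes

    findings = []
    for (host, port), observed in sorted(totals.items()):
        baseline = blueprint.get((host, port))
        if baseline is None:
            findings.append((host, port, "new communication path", observed))
            continue
        avg, sd, ndays = baseline
        if ndays < min_days:
            continue  # not enough history to call anything a deviation
        # Noise floor of 5% of the mean so a perfectly flat history cannot
        # turn a trivial change into a huge z-score (assumed heuristic).
        floor = max(sd, 0.05 * avg)
        z = (observed - avg) / floor
        if abs(z) > z_threshold:
            findings.append((host, port, f"volume deviates {z:+.1f} sigma from baseline", observed))
    return findings


if __name__ == "__main__":
    bp = build_blueprint(HISTORY)
    for host, port, reason, observed in detect_deviations(bp, TODAY):
        print(f"{host}:{port}  {observed} bytes  -> {reason}")
```

Both findings the script reports are the ones an operator would want surfaced first: the unexpected path from `srv-db` on port 445 and the thirty-fold jump on the `ws-01` port 443 path. In practice the blueprint would be rebuilt on a rolling window and the threshold tuned per network segment; the fixed values here exist only to make the example deterministic.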
According to Col. John Boynton, USAF, director of operations, JTF-CND, the intent of
these capabilities is to stop attacks, and this needs to be accomplished before any
information is compromised. "Detecting intrusions after they've occurred is no longer
good enough. Our number one directive is to serve the needs of the warfighter. Getting
vital data between the command center and the battlefield can only be ensured if the
enemy's attack capabilities are taken away. On offensive measures," Col. Boynton
continues, "the command is pursuing the development of technology that will enhance
its ability to project cyberwarfare to potential attackers before they can strike."
Proposals are being explored for incorporating smaller command and control programs to
create a standard model for conducting offensive and defensive network operations
throughout the Defense Department. The U.S. Joint Forces Command may pursue the
development of a fully integrated command nervous system for the coordination of offensive
and defensive networking capabilities in cases of cyberspace conflict. "The future
success of network operations will lie not only in the ability to protect your own data
movements, but to disrupt those of potential adversaries," Col. Boynton adds.
Training computer operators remains a key Defense Department objective. "From
high-ranking command staff to localized system administrators, the best way to protect
proprietary information is by instilling a strong sense of responsibility in the people
who mind it," the colonel notes. "Network defense begins and ends at the
personnel level." To foster this, the department is using mandatory computer
refresher courses to standardize operative methodology.
Additional information on USSPACECOM's computer network defense program is available on
the World Wide Web at http://www.spacecom.af.mil/.