CND-JTF Update
Capt Jay Healey

Bottom Line
o CND-JTF 80% to 90% complete
o Air Force cannot accept the CND-JTF as currently envisioned
  - Remaining critical issue is LE CI coordination
  - All other issues are acceptable

Overview
- CND-JTF at a Glance
- Hot Issues
- Determining AFFOR

CND-JTF Background
o CND-JTF will direct and coordinate DoD reaction to computer network attacks CNA
  - Commander will be Maj Gen Campbell
o Will have component forces from Services for two key CND functions
  - Detecting and assessing CNA
  - Recommending countermeasures and restoring networks post-CNA
o AF must determine component force AFFOR and commander COMAFFOR

CONOPs in a Nutshell
o CND-JTF will
  - Monitor incidents operations vulnerabilities intel threats
    o Leverage Intrusion Detection Advisory Compliance System
  - Coordinate and Direct actions to stop contain attacks
  - Perform Attack Assessments
  - Develop Intel Requirements for CND
  - Develop Plans procedures to protect DoD networks
  - Participate in joint training exercises
o CND-JTF will not initiate offensive action

CND-JTF C2 Relationships
[Organization chart; labels in order of appearance: Always Direct Support; Coordinating Authority; INFOCON BRAVO TACON; SECDEF; UNIFIED COMMANDS; CND-JTF; Intelligence Community; NSA; DIA; NRO; Other DoD Agencies; Service Components; COMAFFOR; COMARFOR; COMNAVFOR; COMMARFOR; DSWA; DECA; etc; DISA; Collateral Networks; GOSC; Supporting Agency]

Timeline
o 15 to 26 Oct - Second CONOP coordination
o 20 Oct - VTC with CINCs O-6 level
o 21 Oct - OPSDEPs Tank for progress review
o 25 Oct - Charter to SECDEF for signature
o 26 Oct - AF must name initial cadre to Joint Staff
o 30 Oct - SECDEF progress review
o 30 Oct to 9 Nov - Final CONOP coordination
o NLT 30 Dec - IOC
o IOC 180 days - FOC

Overview
- CND-JTF at a Glance
- Hot Issues
- Determining AFFOR

Outstanding AF Comments
o CND-JTF must have full-time legal support instead of borrowing DISA's
  - Also support must be SJA not GC
o CND-JTF must have full-time law enforcement and counterintelligence
o CND-JTF must not rely on DISA GOSC's law enforcement personnel use Services instead

SAF GCM SAF IGX Army Concurs
SAF GCM SAF IGX ASD C3I Concurs
SAF GCM SAF IGX Navy Concurs

Personnel Issues
o JTF predominantly manned by traditional operators -- will rely on DISA for much of its technical expertise
o Commander deputy may both be AF causing Navy to non-concur
o Services must give names of initial cadre to Joint Staff NLT 26 Oct

Directive Authority
o Per draft CONOP CND-JTF will have directive authority over component forces at INFOCON BRAVO
  - BRAVO significant levels of probes scans targeting of specific DoD entity or attacks with no impact on DoD operations
o JTF will have coordination authority only over CINC defensive actions
o Navy has resisted any JTF directive authority

Overview
- CND-JTF at a Glance
- Hot Issues
- Determining AFFOR

Needed AFFOR Capabilities Per Draft CND-JTF CONOP
o Notify CND-JTF of attacks
o Conduct preliminary attack assessments
o Recommend attack countermeasures
o Restore Maintain networks after attacks
o Provide network status
o Correlate incidents
o Provide status of ongoing investigations

Critical Capabilities
o Perform Vulnerability Analysis and Assistance Program
o Maintain IAVA compliance
o Analyze threats to Service networks
o Coordinate vulnerability assessments
o Conduct 24 x 7 ops
o Execute C2 IAW CONOP

Other Service Approaches
o COMARFOR Army Signal Command
  - ARFOR Combination of ASC and LIWA
o COMNAVFOR Navy Telecommunications Command
  - NAVFOR Combination of NAVTELCOM and FIWC

AFFOR Need Not Match other Service Components
AFCERT more capable than other CERTs
Meets more needed component capabilities
CND-JTF Expected CERTs as Service Components

Proposed AFFOR Relationships
[Relationship diagram; labels in order of appearance: CND-JTF; LE CI; AFOSI; COMAFFOR AFIWC CC; AFCERT; NOSCs; NCCs; Provide Investigation Status; CI LE Support; Provide Intrusion Detection Info; Provide Attack Assessments; Recommend Countermeasures; Implement Countermeasures; AFNOC; Correlate Incidents; Analyze Threats; Maintain IAVA Compliance; Coordinate Vulnerability Assessments; Provide Network Status; Analyze Threats; Correlate Incidents; Recommend Countermeasures; Implement Countermeasures; Restore Networks]

Backup Slides

JTF Manpower
AF Billets
o Intel Analyst O4 14N Cadre
o Def IO Officer O4 33SX
o Watch Officer O4 13SX Cadre
o Def IO Planner O4 11XX
o Commander O-8
o Dep Cmdr O-6
Nominated Billets by Specialty
o Operators 10 of 19
o Comm 4 of 19
o Intel 5 of 19
Service Totals
o USAF 4 2
o USA 6
o USN 5
o USMC 2

Doctrinal Basis for AFFOR AFDD 2-5
o AFDD 2-5 successful military operations must carefully integrate both OCI and DCI elements
o AFDD 2-5 AFCERT established as the single point of contact in the Air Force for computer security incidents and vulnerabilities. The AFCERT coordinates the AFIWC's technical resources to assess analyze and provide countermeasures for computer security incidents and vulnerabilities reported by Network Control Centers IWS and NOSC

AFFOR Tasking Flow
[Flow diagram; labels in order of appearance: CND-JTF; Info Copy; Info Copy; COMAFFOR]

3 - JTF-CND Update
o JTF will direct coordinate DoD computer defenses
  - JTF Paperwork 90% Complete IOC no later than 30 Dec 98
o IC very protective of intel networks DCI authorities
  - IC will submit to JTF coordination authority as well as report network status and incidents to JTF
  - JTF and CMS will undertake MOA on specifics
o JTF purposefully lean J2 cell only 5 people
  - Will generate PIRs monitor I W help analyze specific attacks Must depend on remainder of IC for all else
  - AF has one O-4 in the J2 exact person still TBD
o AF has one outstanding issue
  - JTF must have full-time body for LE CI coordination

This document is from the holdings of The National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone 202 994-7000, Fax 202 994-7005, nsarchiv@gwu.edu