Computer Network Defense
Update to the Defense Science Board
Major General John H. Campbell, USAF
Vice Director, Defense Information Systems Agency
Commander, Joint Task Force-Computer Network Defense
18 January 2000

Information Superiority
The capability to collect, process, exploit and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same.
- Enhanced Command and Control
- Fused all-source Intelligence
- Accurate Enemy Locations
- Precise Knowledge of Friendly Locations
- Globally Interconnected End-to-End Capability
- Information on Demand
Information Superiority is the Key to 21st Century Warfighting

Trust in Cyberspace
[Diagram: JWICS (TS/SCI), SIPRNET (SECRET), NIPRNET (UNCLAS) and the INTERNET, stacked by classification and separated by KG and INE encryption devices; the axes contrast Interconnection and Utility against Vulnerability.]

The Challenge
- Growing dependence on information systems
- Rapid growth in computer networks
- Vulnerability to internal and external attack
NIPRNET Growth: 20% customer growth, 400% growth in traffic, 1554 customers, 4,000 dial-up users
SIPRNET Growth: 200% customer growth, 600% growth in traffic, 811 customers, 1,200 dial-up users
Since 1996
Defense Department Systems: 2-3 Million Computers, 100,000 Local Area Networks, 100 Long-distance Networks
[Figure: map of the Internet, Bill Cheswick, Lucent Technologies]

The Target
The Defense Department relies on the DII for:
- Targeting
- Command and Control
- Support
- Everything we do
Cyber attacks offer an asymmetric capability to:
- Disrupt power distribution and telecommunications networks
- Destroy banking and financial records and systems, and destroy public faith in them
- Exploit sensitive private sector and government databases
- Delay or stop transportation systems
- Degrade ability to deploy, employ and support military forces

The Threat is Increasing
[Chart: Potential Damage (Low to High) against Probability of Occurrence (Low to High), plotting Hacker, Criminal, Espionage (2000), Terrorist (2002) and State Sponsored (2005); "The Insider is the Wildcard." Source: 1997 DSB Summer Study]
Increasing Level of Detected Activity
[Chart: detected incidents on DOD unclassified networks by year: '94 225, '95 559, '96 730, '97 780, '98 5844, '99 22144]
[Photos: JTF Operations Floor; DISA Global Network Operations Security Center]
More Detection:
  o Intrusion Detection
  o Organization/Reporting
  o Awareness Training
  o Network Hardening
More Intrusions:
  o More Tools
  o Better Organization
  o Publicity
  o Politics/Protest

Watershed Events
- Joint Vision 2010 (Jul 96): How we'll fight in the 21st Century; Information Superiority is the key enabler
- Eligible Receiver 97 (Jun 97): Demonstrated US infrastructure vulnerabilities
- President's Commission on Critical Infrastructure Protection (Oct 97): Administration position on CIP (PCCIP Report)
- Solar Sunrise (Feb 98): Demonstrated real world problems predicted in ER 97
- Presidential Decision Directive 63 (May 98): National CIP Plan; National Infrastructure Protection Center (NIPC)
- Moonlight Maze (Jan - Jun 99)
- Publication of National Plan (Jan 00)

What IA Incidents Told Us
The Defense Information Infrastructure
Inherent Vulnerabilities:
- Network of networks
- Built for convenience, not security
- Unclassified networks vital to support and operations
Inadequate:
- Configuration control or visibility
- System administrator and user training
- Built-in security or intrusion detection
- Awareness of the threat
No one responsible for defense; no one with authority to direct defense

DOD Organization for Defense: The Interim Step
"Joint Task Force - Computer Network Defense (JTF-CND) will, in conjunction with the Unified Commands, Services and Agencies, be responsible for coordinating and directing the defense of DOD computer systems and computer networks. This mission includes the coordination of DOD defensive actions with non-DOD government agencies and appropriate private organizations."
- JTF-CND Charter, 4 December 1998

DOD Organization for Defense: Organization for the Future
United States Space Command
"USSPACECOM's responsibilities include, effective 1 Oct 99, serving as military lead for computer network defense (CND) and, effective 1 Oct 2000, computer network attack (CNA), to include advocating the CND and CNA requirements of all CINCs, conducting CND and CNA operations, planning and developing national requirements for CND and CNA, and supporting other CINCs for CND and CNA."
- Unified Command Plan 99

JTF-CND Organization
- Commander (Vice Director, DISA); Deputy Commander
- DISA Supported: Legal Counsel, Admin, PAO, Logistics, Resource Management
- Reserve Cell; LE/CI Cell; LE/CI LNO
- J1/4/8: 1 Chief, 1 Admin
- J2: 1 Chief, 5 Analysts, 2 Contractors, 1 NSA Integree
- Joint Web Risk Assessment Cell
- J3/6 and J5/7: 1 Chief each, 5 Watch Officers, 3 CND Analysts, 4 CND Planners, 1 Canadian Exchange Officer, 1 Contractor support
- Total authorized: 24; Total present: 35

Relationships
[Diagram: SECDEF and CJCS above USSPACECOM and the Unified Commands, with JTF-CND supported by DISA (Log/Tech/Admin Support); Information Sharing, Policy Coordination and Operational Coordination lines to the National Infrastructure Protection Center, the National Communications System, Information Sharing and Analysis Centers, Private Sector Critical Industries, the Intel Community and Intel Networks, and Other DOD Agencies; TACON and coordinating authority over the Service components (Army LIWA/ACERT, Navy NCTF-CND/NAVCIRT, Air Force AFIWC/AFCERT, Marines MAR-CND/MIDAS, DISA GNOSC/DOD CERT) and the JWRAC.]

JTF-CND Component Forces
JTF-CND Component Forces provide visibility and directive authority over the DoD global backbone and service networks, plus reporting, fusion and analysis capabilities.
[Diagram: JTF-CND coordinates with the CINCs and holds TACON over COMARFOR (LIWA, ACERT), COMAFFOR (AFIWC, AFCERT), COMNAVFOR (NCTF-CND, NAVCIRT), COMMARFOR (MARFOR-CND, MIDAS) and DISA (GNOSC, DoD CERT).]

Army Component (ARFOR)
[Org chart: Chief ACERT, COL Jim Gibbons; Dir LIWA; Dir Operations, ACERT; Vulnerability Assessment Div; Army Signal Command Network Operations Center; Field Support Teams; ACERT Coordination Center; Computer Defense Assist Branch (CDAP), Ft Belvoir VA; Assigned Force; Regional CERTs (coordination).]

Air Force Component (AFFOR)
[Org chart: AFIWC, COL Richard Stotts; AFCERT (Ops Div Chief, Deputy Chief, AFOSI Liaison); AFNOC; Operations Branch; Ops Spt Branch; NOSCs; Realtime Alerts 24x7; Sys Admin Help Desk; QA/Stan-Eval; Batch Review; ASIM Tech Spt; AFOSI; NCCs (coordination); IW Flight Spt (TACON); Incident Response; Planning Staff; Kelly AFB TX.]

Navy Component (NAVFOR)
[Org chart: Navy CND Task Force, CAPT Arbogast; NCIS LNO; SJA; N1/4/8; N2; N3/6; N5/7; NCTC; NAVCIRT; FIWC; GITSC; NOC Pearl; NOC NORVA; NOC Naples; RITSC S D; RITSC YOKO; RITSC P S; RITSC JAX; RICSC Bahrain; RITSC NorEast; Washington DC.]

Marine Component (COMMARFOR)
[Org chart: HQMC C4I, BrigGen Shea; USMC Command Center; Network Operations Center, Quantico VA; MIDAS; MCEN; Deputy Commander; S1/4; S2; S3/6; S5/7; NCIS; PAO; SJA; Washington DC; Quantico VA.]

DISA Component
[Org chart: Global Network Operations and Security Center (GNOSC), COL Huffman; Field Security Ops, Arlington VA; DOD CERT; Operations Branch; GNOSC Ops; Contingency Operations Support Branch.]

The CND Problem
- Recognition (what?): how do we know something is happening?
- Characterization (what is it?): Is it an intrusion, outage or an attack? How widespread is it? Is it malicious?
- Assessment (so what?): What's the effect on our ability to deploy, support and employ military forces?
- Attribution (who?): individual hacker, organized group, transnational group, nation-state sponsored group
- Response (what authorities and processes?): Law enforcement, counter-intelligence, traditional military operations

Getting to Attribution
Effective CND requires efficient, synchronized use of all available tools and processes, and appropriate enabling laws and regulations.
- Law Enforcement (activity involves US citizens): Pen register, trap and trace, wiretap; Title III, FISA, EO 12333, DODD 5240.1-R; FBI, NIPC, DCIOs, Other Fed/State Orgs
- Technical analysis of intrusion characteristics: ID, log analysis, forensics; ECPA Service Provider exception; CERTs
- Intelligence/CI (foreign sources are involved): FISA, EO 12333, DODD 5240.1-R; DIA, NSA, CIA, FBI, Service CI
[Diagram: all three paths lead to Attribution.]

Why We're Concerned About Hackers
The real threat to DOD is not the hacker but the structured, state-sponsored organization.
However:
- Sometimes it's hard to tell the difference - both use the same tools
- Growing sophistication and availability of tools increases concern
- We have to assume the worst until proven wrong
So:
- We take seriously all unauthorized activity
- We will use all technical and law enforcement tools to respond and deter
- We will seek legal prosecution where appropriate
  o Malicious and intentional hacking that causes more than $5,000 damage is punishable by a maximum of five years in federal prison
  o Hackers also can be charged with violating federal wiretap laws, punishable by up to a 10-year prison term

Intel Community Partnership
[Diagram of partners: Service Intel Centers, Intel Elements, NIPC, DOD LEA/CI, Joint Chiefs of Staff (NMCC, NMJIC), DIA (DHS, DI, DO), DOD CERT, CIA, NSA, Navy Component.]

Threat Characterization
FIRST GENERATION
- Common hacker tools and techniques used in a non-sophisticated manner
- Lone or possibly small groups of amateurs without large resources
SECOND GENERATION
- Non state-sponsored espionage or data theft
- Common tools used in a sophisticated manner
- Individuals or small groups supported by resources of a business, criminal syndicate or other trans-national group, including terrorists
THIRD GENERATION
- State-sponsored espionage
- More sophisticated threat supported by institutional processes and significant resources
FOURTH GENERATION
- Sophisticated state-sponsored CNA
- State of the art tools and covert techniques backed up by the resources of a nation-state
- Actions being conducted in coordination with other arms of the nation

CND Process
[Diagram: the cycle Identify (strategic CNA: source, nature, objective), Assess (JTF TTP, operational impact), Respond (defensive measures, INFOCON change, offensive actions request) and Inform (Joint Staff, CINCs, Components, Agencies, NIPC), with Plan, Monitor, Coordinate, Direct and Provide as JTF-CND (J5/7) functions. Governing documents: JTF Charter (SECDEF), JTF CONOPS, USSPACECOM CONOPS and Implementation Plan (Joint Staff), CJCSI 6510.01B (August 1999), Zenith Star Exercise; versions V1, V2, V3, FOR OFFICIAL USE ONLY.]

CND Takes Place at All Levels
- Global/Strategic: Unified Commands, Joint Staff (Joint Chiefs of Staff), NIPC, Agencies
- Regional/Operational: CINCs, Service Components, Service Staffs, Service Regional CERTs/CIRTs
- Local/Tactical: Bases, Posts, Camps, Stations; Intrusion Detection on the DII and Internet
At each level: Identify, Assess, Respond, Inform.

JTF Operations Center
- 24x7 watch
- Co-located with DISA Global Network Operations Center and DOD CERT
- Convenient to NCS National Coordination Center
- Reporting, fusion, analysis, response capability
- Law enforcement center and intelligence section with agency liaisons
- Extensive communications network

JTF-CND SIPRNET Homepage
[Screenshot: www.jtfcnd.ia.smil.mil on SIPRNET. Banner: "This medium is classified SECRET. U.S. Government Property. Protect it from unauthorized disclosure in compliance with applicable executive orders, statutes and regulations."]

INFOCON Process
- Parallel to THREATCON process
- Authorized by SECDEF
- DOD level: Recommended by CJTF-CND, Set by USSPACECOM
- Subordinate commanders can set higher levels
- Establishes defensive posture
  o Proactive, based on assessed threat
  o Reactive, based on observed threat
Some problems
- Confusion over process
- Specificity of measures
- Conflicts in jurisdiction
A value-added tool; refinement ongoing.

Achieving Information Assurance
[Diagram: INFORMATION ASSURANCE triangle with legs OPERATIONS (Planning, Organization, Coordination), PERSONNEL and TECHNOLOGY, surrounded by Education, Certification, Training, Retention, Reliability, Availability, Configuration, Command and Control, Encryption, Intrusion Detection and Firewalls, applied to Unclassified Networks and Classified Networks.]
We Must Implement Each Piece

DOD Approach: Defense In Depth
[Diagram: People and Technology layered from the Internet through Our Networks (KG-encrypted) to Enclaves, System Administrators, Operations, Security and Users; Government, Industry, Academia.]
- Firewalls
- Intrusion Detection
- Encrypted Circuits
- Procedural Restrictions
- Router Control
- Host/Network Monitoring
- Secure Facilities
- Secure Configuration
- Trained, Certified Personnel
- Security Clearance
- Connection Approval
- PKI
- JTF-CND, GNOSC, CERTs

The Future
- IA Situational Awareness
- Rapid, Realistic and Accurate
- Location of intruder or red team activity

This document is from the holdings of The National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C. 20037. Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu