Following the unauthorized release of classified documents (e.g. the WikiLeaks disclosures), the Director of the Defense Intelligence Agency stood up an Information Review Task Force to assess the security of DoD SIPRNET data. The task force found that units relied too heavily on removable electronic storage media, that the processes for reporting security incidents were inadequate, and that there was only a limited capability to detect and monitor anomalous behavior (e.g. exfiltration of data).
DoD is now proceeding with the installation, by June 2011, of the Host Based Security System (HBSS), supplied by COTS vendors. HBSS provides central monitoring and control over all computers and their configurations. It includes a Device Control Module (DCM) that can disable the use of all removable media. However, 48,000 to 60,000 computers will be exempted from DCM restrictions and will be able to continue relying on removable media.
DoD will also continue to issue a Public Key Infrastructure (PKI)-based identity credential on a hardened smart card, more robust than the Common Access Card (CAC) used on unclassified networks. The PKI cards require positive identification of anyone accessing data. This rollout would be completed by mid-2013.
The key to HBSS, and also its weakness, is its ultimate dependency on a human policy auditor who must set up the access restriction policies. The policy auditor receives real-time messages to aid in the recognition of any actions outside the limits set by policy.
Despite the strengthening of controls, the detection of insider compromises still depends on audits performed by human operators located at many separate SIPRNET locations.
The problem is how to define the security policies that mark selected events as “anomalies” indicating questionable behavior. Though the implementation of HBSS strengthens the identification of information retrieval, tens of thousands of individuals will still have the potential to exfiltrate classified information by “write” actions that are authorized under policy. How to identify such instances remains an unresolved challenge. HBSS may provide more tools, but it cannot prevent a WikiLeaks incident from happening again.
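To make the distinction concrete, the following is an added illustration, not DoD, HBSS or vendor code. It separates the two cases discussed above: a write from a host that policy forbids (a hard violation the DCM would simply block), and a write from an exempted host that is authorized under policy but deviates from that user's own history or falls outside duty hours (the case that still needs a human auditor). The pipe-separated log format, the exempted-host list, the duty-hour window and the volume threshold are all assumptions, and the log lines are constructed sample data.

```python
"""Illustrative anomaly scoring for removable-media write events.

Added example (not DoD, HBSS or vendor code). The log format, the field
names, the exemption list and the thresholds are assumptions made for this
illustration; the log lines below are constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed sample: one pipe-separated record per removable-media operation:
# timestamp|host|user|action|bytes_written
SAMPLE_LOG = """\
2011-03-01T09:02:11|HQ-ws17|jdoe|USB_WRITE|4200000
2011-03-02T10:15:42|HQ-ws17|jdoe|USB_WRITE|3900000
2011-03-03T08:47:05|HQ-ws17|jdoe|USB_WRITE|4600000
2011-03-04T11:30:19|HQ-ws17|jdoe|USB_WRITE|4100000
2011-03-05T02:12:58|HQ-ws17|jdoe|USB_WRITE|960000000
2011-03-01T13:05:00|FWD-lt03|asmith|CD_WRITE|120000000
2011-03-02T13:11:21|FWD-lt03|asmith|CD_WRITE|118000000
2011-03-03T14:01:09|FWD-lt03|asmith|CD_WRITE|125000000
2011-03-03T15:22:40|HQ-ws22|bjones|USB_WRITE|2000000
"""

# Hosts exempt from the device-control block (assumed list; stands in for the
# DCM exemptions the article describes).
DCM_EXEMPT_HOSTS = {"HQ-ws17", "FWD-lt03"}

# Assumed soft-policy thresholds: a write larger than VOLUME_RATIO times the
# user's prior mean, or made between the OFF_HOURS local hours, is flagged.
VOLUME_RATIO = 10.0
OFF_HOURS = (0, 6)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    nbytes: int


def parse_log(text: str) -> list[Event]:
    """Parse the constructed pipe-separated format into time-ordered Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, nbytes = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), host, user, action, int(nbytes)))
    return sorted(events, key=lambda e: e.ts)


def find_policy_violations(events: list[Event]) -> list[tuple[str, str, str]]:
    """Hard policy: any write from a non-exempt host is a violation.
    Returns (user, host, reason) tuples."""
    return [(e.user, e.host, "write from non-exempt host")
            for e in events if e.host not in DCM_EXEMPT_HOSTS]


def find_anomalies(events: list[Event]) -> list[tuple[str, str, str]]:
    """Soft policy: authorized writes that deviate from the user's own history
    (volume spike) or fall in off-duty hours. Returns (user, timestamp, reason).
    The baseline is the mean of that user's earlier writes, so a user's first
    write can never trip the volume check."""
    history: dict[str, list[int]] = defaultdict(list)
    findings = []
    for e in events:
        if e.host not in DCM_EXEMPT_HOSTS:
            continue  # already a hard violation; not an "authorized" write
        prior = history[e.user]
        if prior and e.nbytes > VOLUME_RATIO * mean(prior):
            findings.append((e.user, e.ts.isoformat(),
                             f"volume {e.nbytes} vs prior mean {mean(prior):.0f}"))
        if OFF_HOURS[0] <= e.ts.hour < OFF_HOURS[1]:
            findings.append((e.user, e.ts.isoformat(), "write during off hours"))
        prior.append(e.nbytes)
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in find_policy_violations(evs) + find_anomalies(evs):
        print(finding)
```

On the sample data, bjones is a hard violation (non-exempt host), asmith's large but steady CD burns are never flagged, and only jdoe's 960 MB write at 02:12 trips both soft checks. The point of the split is the one the text makes: the hard rule is mechanical and the DCM can enforce it, while the soft findings are only leads that still require an auditor who knows what jdoe is permitted to do and why.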
The implementation of HBSS imposes large additional costs on DoD operations. The installation and maintenance of HBSS software is labor intensive, adding to the work of the hundreds of contractors who already maintain SIPRNET configurations. That cannot be done without more funding and additional headcount.
Training is not trivial. HBSS requires at least a two-day course. Staffing HBSS Policy Auditor positions, which watch operations around the clock, will require incremental staff with a higher grade of skills. Personnel records will have to be expanded to include descriptions of what tasks an individual is permitted to perform and under what conditions, and these are subject to frequent change. Administrative policies and processes will have to be put in place to determine who should (and should not) have access.
Clearly, HBSS is a costly short-term “patch” on an already overburdened system. Whether DoD will be able to staff and then deploy a sufficient number of Policy Auditors has not yet been included in plans for FY12-13. How the auditors will be supplied with the intelligence necessary for the discovery of anomalies is yet to be established.
So far the HBSS fix has not examined how to evolve from the currently proposed short-term improvement into a longer-term solution. Instead of relying on each SIPRNET enclave to set up its own rules for auditing its desktops and laptops, a “cloud” method for the management of secure networks offers lower-cost options.
The key to such an approach is to give up on adding more COTS software to already overburdened desktops. HBSS is a very expensive and manpower-intensive desktop-centric solution. It is unlikely to be implemented on a timely basis by FY13 because of budget and organizational limitations.
Instead of HBSS add-ons to tens of thousands of existing desktops, security monitoring and audit should be relocated to a few hundred virtual servers on a secure private cloud. Central policy can then be administered more economically and consistently from a handful of Network Control Centers (NCCs). Specialized headcount at the NCCs can operate with less manpower and with much greater reliance on advanced diagnostic software.
Security should be added to a few servers, rather than to many desktops. Cloud servers can host sophisticated surveillance software more effectively and can be deployed much faster.