Identity Management Operations to Improve Cybersecurity
By Sonya Smith - Published, February 26, 2010
The December 2008 report written by the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency, "Securing Cyberspace for the 44th Presidency," began with one central finding: "The United States must treat cybersecurity as one of the most important security challenges it faces."
The report went on to state, "Creating the ability to know reliably what person or device is sending a particular data stream in cyberspace must be part of an effective cybersecurity strategy." The report urged
the government to accelerate the adoption of identity authentication.
The administration's Cyberspace Policy Review, released in April 2009, stated very clearly that: "We cannot improve cybersecurity without improving authentication, and identity management is not just about authenticating people."
The National Security Telecommunications Advisory Committee's "Report to the President on Identity Management Strategy" of May 2009 states: "… this lack of trusted identification enables harmful and/or malicious activity and diminishes national security/emergency preparedness capabilities, endangering national and homeland security as well as individual privacy and security."
The Department of Defense understands the magnitude of the threat we face in cyberspace. The threat is advanced, persistent and constantly changing. In addition, the increasing popularity of collaborative web applications, such as blogs, social networks, podcasts and wikis, and mobile devices, has brought a new set of challenges to cybersecurity.
There is a clear appreciation of the relationship between cybersecurity and identity management; we must be able to authenticate entities, as either human or nonhuman, with DoD resources and then be able to manage access privileges.
A major vulnerability on DoD networks is the use of usernames and passwords. Therefore, the DoD has increased assurance of user authentication by replacing the requirement for usernames and passwords with the DoD Common Access Card (CAC) and associated public key infrastructure (PKI) to cryptographically logon to DoD unclassified networks. This effort is now being extended to the classified network as well.
The DoD has seen the benefits of this effort. Retired Air Force Lt. Gen. Charles Croom, when director of the Defense Information Systems Agency and commander of the Joint Task Force - Global Network Operations, said in January 2007 that successful intrusions to DoD unclassified networks had declined 46 percent due to CAC use. The DoD is now also requiring PKI-based user authentication to access the majority of its private web sites.
Those same PKI certificates are being used to encrypt personally identifiable information (PII) and sensitive information to ensure its confidentiality while in transit. Digital signatures, also using PKI, provide nonrepudiation services, enabling a higher level of assurance that the e-mail users receive is authentic. Digital signatures also help thwart e-mail spoofing attempts. In the Department of the Navy (DON), these protections are being extended to mobile personal electronic devices such as BlackBerrys.
Identity management initiatives utilizing the CAC with PKI certificates have changed the way the Defense Department does business. But, as with all things, there is always room for improvement. The use of Homeland Security Presidential Directive-12 (HSPD-12) and Federal Information Processing Standards-201 (FIPS-201) are mandatory across the Federal Government and provide a common language and standard to improve identity assurance.
The CAC is the DoD's vehicle to HSPD-12 compliance, and improvements are being made to the CAC to comply with FIPS-201. These include making the card/token itself more resistant to tampering and counterfeiting, meeting interoperability requirements, improving the vetting process before card issuance to ensure the applicant's eligibility and uniqueness within the database, and the addition of biometrics to the CAC.
The CAC improvements to comply with the FIPS-201 standard are helping to raise the confidence level within the CAC infrastructure. Issuance is the critical point of identity management and because of the FIPS-201, DoD now requires:
- an individual's eligibility for a CAC;
- verification of DoD affiliation from an authoritative data source instead of a paper form;
- completion of the FIPS-201 required background check; and
- verification of a claimed identity per FIPS-201.
The enterprise authentication solutions for cybersecurity are currently PKI-based. The DoD has deployed a significant number of "next-generation CACs," or CACs that are being used as part of the HSPD-12 transition.
As part of the transition, some biometrics information is being stored on the next-generation CACs. At a minimum, the fingerprints information on the CAC could be utilized as a stronger form of multifactor authentication.
The focus of identity management must build on successes to date and move forward to a more all-encompassing approach to include meeting the requirements of interoperating with other HSPD-12 compliant federal credentials and securely sharing information with other mission partners.
The new CAC contains advanced technology that will enhance the security of federally controlled facilities and computer systems and ensure a safer work environment for all federal employees and contractors.
For more information about the Defense Department's next-generation Common Access Card, go to the CAC web site at www.cac.mil
Sonya Smith is the director of the DON CIO Cybersecurity and Critical Infrastructure Team.