Information sharing has long been a hallmark of information technology. We have proven its worth on the battlefield as directly contributing to the commander's ability to make more agile and better decisions. More than ever before, information has to be shared securely with those who need it — across the Department of the Navy (DON), throughout the Department of Defense and with other government agencies, coalition and allied partners. Therefore, our days of living in stove-piped or silo environments are over. A net-centric strategy with interconnectivity of our networks has enabled increased access to information, but we must always be mindful to balance access with security. This balancing act is the premise of information assurance, which combines information security with information availability, and it has become vitally important in this information age.
Protecting networks and information, especially in the face of the ostensible popularity of malware and cyber terrorism, has become a challenge for all federal agencies. The DON has made great strides in this area over the last several years. The Navy Marine Corps Intranet (NMCI) was the launching point for the greatly enhanced security posture of the nearly 700,000 Sailors, Marines and civilians who rely on it. Each month it blocks approximately 9 million spam messages and detects more than 1,200 intrusion attempts and an average of 60 viruses before they can infect the network. NMCI has implemented and enforced the DoD Public Key Infrastructure (PKI) cryptographic logon (CLO) mandate; usernames and passwords have been replaced by the use of DoD PKI to cryptographically log on to DON networks.
In addition to the security enhancements afforded by NMCI, the department has improved security through the use of public key-enabled Web sites and role-based access. Most of these enhancements require no more effort for the user than logging on to the computer using CLO, but the benefits are immense. Using PKI, users can access secure Web sites, digitally sign forms, and encrypt and digitally sign e-mails. BlackBerry users can now use secure Bluetooth BlackBerry Common Access Card readers for digital signature and encryption capability, to ensure the proper protection of information contained on those devices which are simply an extension of our networks. While this may seem to be a burdensome layer, adding to the time it takes to respond to e-mails securely, it is worth it.
Some of the areas in which the department has beefed up security are not as transparent as the NMCI/CAC/PKI solutions. These include encryption of data at rest (DAR) and the decision to block access to sites such as Gmail, YouTube, Second Life, Hotmail and Yahoo mail to decrease the likelihood of network vulnerabilities.
Encrypting data at rest is a solution that responds to the loss of personally identifiable information (PII) — the information that can be used to identify and steal the identity of a Sailor, Marine or DON civilian and wreak financial havoc. Identity theft is a real and growing trend that we must take seriously. There are three main types of media that are vulnerable to loss: hardware, which usually translates to the loss or theft of laptops or thumb drives; paper, which is usually the loss of PII printed on paper; and electronic, which is the erroneous posting of PII on Web sites or contained in e-mail.
We must take every precaution necessary to minimize the amount of PII collected and shared, and make it accessible to only those with a need to know. We have implemented a number of policy initiatives designed to modify behavior and improve privacy awareness across the DON. However, our DAR effort is also important in protecting DON sensitive information which includes more than PII.
As we move from NMCI to the Next Generation Enterprise Network (NGEN), protection of our networks and information will continue to be a priority. The threat environment to IT networks has changed significantly over the last eight years since NMCI was implemented. The NGEN design and operations will be flexible enough to adapt and change with evolving threats and accommodate new technologies and capabilities as they become critical to operations.
Security will be a key component of all aspects of NGEN. Security will come from every user who connects; each of us is a cyber-warrior and must understand facets of IT never before required. This will be true for services and functions provided by industry, as well as those managed by the government. The government must have visibility into, and control of, network operations to ensure this critical asset is fully supporting user needs. Therefore, ultimate responsibility for security of DON networks will reside with the government.
We don't know what the next cyber security issue of significance will be. But just as the combination of NMCI and other solutions has successfully defended our networks up to this point, we are working to make sure that security under NGEN will be just as strong.