We have all been reading about the increasing number of cyber attacks in today's news, with increasingly menacing, and successful, "worms" dispensed against government and industry networks. As alarming as these attacks are, they represent just one aspect of the dramatically changing nature of modern-day vandalism and, on a larger scale, modern-day warfare.
Ensuring operational readiness for Naval warfighters within this changing environment has led, via National and DoD initiatives, to the formation of the Department of the Navy's Critical Infrastructure Protection (DON CIP) Program.
Today's Defense Environment Emphasized the Need for CIP
The world of the black and white, bipolar balance of power that shaped our defense efforts in years past is gone. We now face a new, more insidious threat called asymmetric warfare. This new brand of warfare is unconventional, and brings the danger of being promulgated not only by large or small groups, but by just a single person with a computer and modem.
As the threat has grown in complexity, so has the business of national defense. Today, our defense establishment includes the following realities:
• Over 90% of the services required for day-to-day and warfighting operations of defense components now come from the private/commercial sector. (Many were previously "inherently governmental.")
• Mergers and acquisitions within the international defense industry have led to the globalization of weapon systems sustainment.
• Old defense mechanisms are no longer sufficient.
These realities, with the increasing potential for asymmetric/unconventional warfare, led to the 1998 approval and release of Presidential Decision Directive/NSC-63 (PDD-63) titled "Critical Infrastructure Protection."
PDD-63 initiated the CIP evolution.
What is DON Critical Infrastructure Protection?
Critical infrastructures are those physical and cyber-based systems needed to operate the economy and government. These systems include telecommunications, energy, banking and finance, transportation, water systems, and emergency services—both government and private. As part of National/DoD implementation of PDD-63, the DON CIP program was designed to develop, administer, and coordinate an enterprise-wide CIP effort.
For the Department of the Navy, CIP is a comprehensive, enterprise-wide initiative to:
• Identify infrastructures, both cyber and physical, essential to Naval warfighters
• Assess their vulnerability to loss
• Develop a coordinated physical and cyber indications and warnings capability against acts of terrorism, natural disaster, or error
• Take necessary action to ensure achievement of Navy/Marine Corps objectives during critical infrastructure loss.
Each of these six phases has its own set of activities, summarized in Table 1.
DON CIP Goals Flow From DON Policy
There are six primary DON CIP Goals, each with its own separate set of implementing actions and organizational leads.
DON CIP GOALS
• Ensure the Development of an Integrated CIP Capability
• Support the Development of Sector Assurance Plans
• Integrate the Efforts of Other Related DON Programs Into CIP
• Support the Development of an Integrated Indications and Warning Capability
• Establish a Web-Based Clearinghouse for DON CIP Specific Information and Guidance
• Establish Long Term Programmatic Objectives for DON CIP
Achieving these goals involves teamwork from many quarters. Key participants include: DON CIO; Navy and Marine Corps Infrastructure Leads; Naval Criminal Investigative Service (NCIS); Headquarters Marine Corps Security and Law Enforcement Branch; Fleet Information Warfare Center (FIWC); and the Joint Program Office for Special Technology Countermeasures.
The foundation for these goals is the DON’s policy in this area, which is to: Protect those infrastructure capabilities that are deemed critical to DON force and materiel readiness and operations in peace, crisis and war; mitigate the effect of their loss or disruption; and/or plan for timely restoration or recovery.
- Recognize that DON equipment, facilities, utilities, services, weapons systems, and mission accomplishment are highly dependent on non-DON assets.
- Understand that, in peacetime, responsibility for protecting non-DON infrastructure and assets rests primarily with the private and non-military asset owners and with local, state, and federal law enforcement authorities.
- Elevate the awareness of and promote CIP through a variety of activities, such as information sharing, cooperative agreements, and outreach.
- Analyze and mitigate the risk to mission-critical systems and processes that support logistics and acquisition, in particular, commercial infrastructures and services utilized by the program executive offices, direct reporting program managers, and systems commands.
DON CIP Approach to Date
In August 1999, the Under Secretary of the Navy established a senior level DON CIP Council and assigned the DON CIO Dan Porter the role of DON Chief Infrastructure Assurance Officer (CIAO), responsible for implementing CIP throughout the DON enterprise.
To facilitate DON responsiveness to DoD CIP programs and to implement DoD and DON CIP initiatives, the DON CIO established a working group of subject matter experts reflecting the CIP sector construct—the DON CIP Working Group.
Under the auspices of the DON CIO this team has implemented a multi-step approach to CIP—as reflected in the DON CIP Implementation Plan, released in May 2001.
Infrastructure Analysis and Assessment. Following the national and DoD construct, the DON divided the enterprise into 10 sectors: personnel; financial; transportation; defense information infrastructure; intelligence, surveillance, reconnaissance; health affairs; logistics; space; command, control and communications; and public works.
This initial sector analysis was completed in February 2000. An initial DON Critical Asset List will be completed by the end of FY01.
DON CIO sponsored a special study to determine the pervasiveness of the use of commercial sources for operational sustainment of Navy/Marine Corps weapons systems. Every program reviewed currently relies, or is planning to rely, predominately on commercial sources. Findings, presented to the council in December 2000, prompted the council to direct a more detailed review of specific weapons programs. The objective of the second review will be to assist in developing acquisition policy that ensures protection of commercial infrastructures on which Navy/Marine Corps weapons systems will be reliant. This review will be completed in late September 2001, with findings presented to the council in early FY02.
DoD and DON vulnerability assessment teams (inside the fence) and the Joint Program Office for Special Technology Countermeasures (outside the fence) conducted scheduled vulnerability assessments on an installation and regional basis to identify single points of service that could be vulnerable to loss through natural causes, human error, or deliberate attack.
Remediation. Remediation includes employing risk management techniques to remove (or lessen) identified vulnerabilities. Actions may include coordination with private sector providers such as power companies, railroads, and state and local governments.
Indications and Warnings. Development of a comprehensive CIP information sharing and warning mechanism is coordinated by the DON CIO, NCIS, FIC, Navy Computer Incident Response Team, Marine Corps Information Technology Network Operations Center, and DoD and national response centers. The DON CIP Indications and Warnings Plan is scheduled for public release in spring 2002.
The last three phases of CIP (mitigation, response, and reconstitution) are post-event activities. For Y2K, DON shore commands were directed to prepare general mission Continuity of Operations Plans. It is the intention of the DON CIAO to incorporate CIP considerations into these existing Continuity of Operations Plans.
Assuming proper funding by FY 2003, the DON CIP program will have ushered in a paradigm shift in the management and evaluation of Navy and Marine Corps installations and weapon systems sustainment operations.
Instrumental achievements/products being used to bring about this revolutionary change include:
- Implementation of the Naval Integrated Vulnerability Assessment process that encompasses antiterrorism and force protection; operational and information security; mission survivability; and mission critical commercial infrastructures—in both assigned team and self-assessment versions.
- Development of a DON Critical Infrastructure Vulnerability Database and Remediation Plan.
- A fully integrated counterintelligence information sharing construct.
- Qualification of the value of each DON installation relative to warfighting operations.
- Policy for ensuring commercially provided weapon system sustainment operations.
Being able to objectively rank the contribution of installations and infrastructures to warfighting operations will enable DON senior leadership to deal more effectively with issues such as base realignment and closure.
We would not be surprised to see the focus of shore-based commands evolve from emphasis on “installation size and population” to emphasis on “installation contributing to operating plan.” Traditionally, force size was the key; today, because of the changing warfare environment, brains are as important as brawn.
Ultimately, DON CIP strives to be integrated into and become a major contributor to a national CIP protective network that optimizes the positive power of the federal sector to protect citizenry, institutions, and continuity of government operations.
Go to the DON CIO Web site for more information: www.doncio.navy.mil/
Cmdr. Lynne D. Gaudreau is serving as the DON special assistant of CIP. A survivor of the Y2K wars, she now leads the DON CIP Working Group.