Military mulls battening down net hatches

WASHINGTON, D.C. - Some five years after the military pioneered intrusion-detection systems, the Defense Department may soon require its massive networked systems be protected by round-the-clock intrusion-detection monitoring to defend against hacker or denial-of-service attacks.

The Defense Department is developing a policy that would mandate use of intrusion-detection systems in all military networks. In a move that could have industrywide implications, the agency charged with mapping the security plan could give the military the option to outsource the job. By outsourcing intrusion detection, the Defense Department will go a long way toward legitimizing for the commercial environment the still-controversial idea of handing over large, sensitive security tasks to service providers.

The Defense Department has more than 25,000 computer networks that handle everything from weapons systems command-and-control to inventory to payroll. Roughly 11% of Defense Department networks, such as satellite links, are considered mission-critical.

"Under this draft policy, every Defense Department entity will need to have a computer network-detection service provider, which could be a Defense Department entity or a commercial entity," says Richard Hale, chief engineering executive for information assurance at the Defense Information Systems Agency (DISA). DISA is responsible for defining the intrusion-detection plan.

Whether the Navy, Army or Air Force should buy commercial intrusion-detection software or entrust network protection to an outside service provider should be decided "on a case-by-case basis," Hale says.

The military helped pioneer intrusion-detection systems by building its own software from scratch about five years ago. But since then, various parts of the military have deployed products from vendors that include Internet Security Systems, Axent (just purchased by Symantec), Cisco and Network Ice. Today only a fraction of the military's overall networked systems are guarded by any form of intrusion detection.

When the final decision on the mandatory intrusion-detection systems will arrive is unclear. But deliberations taking place among the military's Joint Chiefs of Staff underscore their determination to do whatever it takes to prevent hackers and denial-of-service attacks from disrupting its networks.

Some defense-related agencies, such as the secretive National Security Agency (NSA) in Fort Meade, Md., already require round-the-clock monitoring of computer hosts and networks.

"Every system within NSA is monitored," says Charles Kolodgy, IDC research manager for Internet security. He left NSA last summer, where he evaluated intrusion-detection products for the intelligence agency, to join research firm IDC, where he now oversees market research on the same subject.

"In the Defense Intelligence Agency, it's the same sort of situation," Kolodgy adds.

One difficulty in deploying intrusion-detection software is that it must be regularly updated to include new "attack signatures," because new hacker exploits are discovered all the time. In addition, intrusion-detection software can record "false positives," a false alarm about trouble, and software occasionally needs to be fine-tuned to work correctly.

These types of challenges, along with the difficulty in hiring security experts to manage intrusion detection, is spurring security services in which intrusion detection is done remotely in the service provider's data centers or with hired help on site.

The NSA, which last year created a stir when it declared it might outsource security for internal servers and networks, is on track to outsource its security, having issued a request for proposal that could be awarded by spring. Due to the sensitivity of the project, only three systems integrators - Computer Sciences Corp. is known to be among them - are allowed to bid on the undertaking.

Not all attempts by the federal government to put large-scale intrusion-detection systems in place have succeeded.

It was a year ago that President Clinton unveiled his goal of creating the Federal Intrusion Detection Network as part of what was called the National Plan for Information Systems Protection. FIDNet, as it was called, was envisioned by the White House as a governmentwide intrusion-detection network to monitor activities across civilian and defense networks.

The idea, though, generated a firestorm of criticism from civil liberties groups that argued FIDNet's monitoring of citizens would constitute an invasion of privacy. Although the General Services Administration issued a draft RFP for FIDNet, GSA says the idea has been shelved.

Others are just not sold on the idea of outsourcing security to services providers.

"We've opted not to go with managed security," says Jeff Hormann, director of information security at Metromedia Fiber Network, which is building its own network-monitoring facility to be manned by its employees around the clock.

"With managed security services, you're giving away the keys to the castle in some respects," he says.

Hormann points out any organization that wants to take advantage of managed security services has to share detailed knowledge about its operations so that intrusion-detection systems can be properly used.

Military mulls battening down net hatches

Related Links