Security First

Holistic acquisition approach builds in agility to protect networks.

Six and a half years ago, John M. Gilligan, who was the Air Force's chief information officer, told an assembly of 200 military and civilian IT managers that the dangerous state of federal cyber-security had to change. Few people in his audience realized they were witnessing the beginning of a quiet revolution. While Gilligan was addressing security problems, Charlie Williams Jr., the deputy assistant secretary for procurement and acquisition at the time, was developing strategies that would shape Air Force buying behavior and leverage its purchasing power to reduce total cost of ownership. The result: a consolidated approach to security technology and acquisition that targets a critical national security challenge.

"America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration," the Center for Strategic and Inter-national Studies' Commission on Cybersecurity for the 44th Presidency wrote in a December 2008 report. "It is a battle we are losing." Nation states are stealing terabytes of sensitive military data, including some of the most advanced technology. Cybercrime groups are taking hundreds of millions of dollars from bank accounts and using some of that money to buy weapons that target U.S. soldiers. The attacks are gaining in sophistication, and U.S. defenses are not keeping up.

A central theme in the report is ensuring that security is "baked in" to the hardware, software and services the government procures, which means building security into equipment and software code as they are assembled. Trying to add it after systems are developed and deployed is a failed strategy, according to the commission. Sens. John Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, introduced a bill in April to establish a Federal Secure Products and Services Acquisition Board to identify the most important technologies and how security can be built in during the acquisition process. The Air Force, which established a similar group, has demonstrated why and how such an approach would work-and more important, how it resulted in tighter security for its networks.

The results speak for themselves: Centralizing the management of security and standardizing security settings have enabled Air Force IT managers to block 85 percent of cyberattacks that are launched against Air Force systems, shorten the time to deploy critical patches from 57 days to just three, reduce user problems and calls to the help desk, respond faster to new threats, and save hundreds of millions of dollars at the same time.

Flexible Fliers

Gilligan, now president of the IT consulting firm Gilligan Group, and Williams, who has since left the Air Force to become director of the Defense Contract Management Agency, joined forces in 2004 to establish the Information Technology Commodity Council. The idea was to consolidate the purchase of PCs, software, printers and cellular devices across the Air Force to not only save money but also to defend the service's networks against cyberattacks. After all, firewalls, antivirus patches and other security capabilities are largely ineffective if users' computer configurations fail to address risks. On the buying side, purchasing equipment piecemeal raises costs, diverts resources and makes daily maintenance nearly impossible as technicians try to find bugs in hundreds of different hardware and software configurations.

The council included members from each major command who set strategy, centralized contracts, and tracked the prices, technology and performance of IT products to negotiate better deals with vendors. The goal was to buy technology that could be updated every quarter at a lower cost-even compared with agencies buying less technologically advanced systems.

Gilligan recognized that PCs must be configured safely, but also knew experts usually disagreed on just what constituted "secure." To avoid any ambiguity, he asked the National Security Agency to tell him what configurations it would use to stop as many cyber- attacks as possible. NSA made recommendations based on its experience and that of other groups, such as the Center for Internet Security, the Defense Information Systems Agency, the National Institute of Standards and Technology, and Microsoft Corp.

The Air Force then developed the Standard Desktop Configuration, a set of specifications for enterprise licenses and support contracts with Microsoft. Gilligan says suppliers such as Microsoft are enthusiastic about offering compatible hardware and pre-installing software, but only if their customers can specify the proper configurations.

As officials planned for the rollout of the Standard Desktop Configuration, they discovered the Air Force had thousands of legacy software applications and hundreds of configurations. What if the standard setup meant these applications wouldn't work? The familiar refrain from critics was: "One size does not fit all." To alleviate their fear, Gilligan started a phased rollout at four bases, testing the compatibility of every application. Most worked fine, while a few had to be customized or isolated on their own network segments.

Computers require frequent upgrades for new applications, updates to existing applications, security patches and other changes to thwart cyberattacks. Quick and comprehensive action is a must before hackers figure out how to exploit vulnerabilities. The Air Force's centralized network command-and-control function uses automated tools for updates and maintenance, installing upgrades in hours instead of months.

The Bottom Line

The Air Force's success story led the Defense Department, and later OMB, to require common configurations across all computer systems. When Defense standardized, it improved joint operations among the military services. Governmentwide standardization allowed agencies to build software applications for a few core configurations that are widely used and known to work, reducing the need for nonstandard configurations. More important, the standard configurations, available for Windows Vista and Windows XP and coming soon for other operating systems, give software developers a common, safe platform for their development. Common patches need be tested only one time and can be installed quickly-before attackers have time to exploit the vulnerabilities.

Theoretically, the entire nation could move toward more reliable and secure computing. But cost savings in acquisition and operations must be a priority for government. To meet those goals, several things must happen:

• Establish an organization similar to the Federal Secure Products and Services Acquisition Board proposed in the Senate bill with a broad mandate and a short deadline to ensure all agencies buy IT products with security baked in.
• Expand the General Services Administration's information security line of business to take in not only software and hardware purchases but also the adoption of secure configurations of those technologies across government, including its supplier base and computing cloud. The expansion should go beyond operating systems to include applications of all kinds, including databases, middleware, browsers and tools to automate security controls, and should cover all federal acquisition even if it is done outside GSA.
• Stop measuring how much paper agencies produce describing their security efforts and focus on whether their network infrastructures and people are reliable, secure and resilient. This requires real-time feedback from network operators who use automated tools daily to enforce the security policies and monitor compliance.

By baking security into its systems and its buying power, the Air Force generated huge security improvements, more operational flexibility and savings. Using standard configurations allows commercial and government software developers to reduce the time and cost devoted to testing upgrades, maintaining a complex system and certifying products are secure. Also, enterprisewide initiatives can be deployed faster. When the Office of Management and Budget and the Environmental Protection Agency issued energy management policy and guidance, for example, the Air Force was better positioned to make the necessary hardware, software and process changes, saving $10 million per year The Air Force now has harmonized 90 percent of its IT inventory-more than 750,000 desktops and tens of thousands of servers-supporting all aspects of operations from warfighting to facilities management, health care to education, communications to logistics. At first, many employees resisted changes that required them to carry a common access card to log on to their computers and prohibited them from installing or changing software on their own. But weeding out compatibility issues has gone a long way toward alleviating employee frustration, reducing help desk calls by 40 percent. The result is a consistent infrastructure across the enterprise that can be changed dynamically in response to actual or potential threats.

Alan Paller is director of research at the SANS Institute of Bethesda, Md.