At Defense, all security is local

One year ago, the Defense Department passed a wireless policy mandating that all DOD personnel, contractors and visitors entering Defense facilities encrypt unclassified information, at both the device and network level, that is transmitted wirelessly.Ronald Jost, director of wireless in the Office of the Assistant Secretary of Defense for Network Information Integration, was instrumental in getting Directive 8100.2 out the door.Prior to his work at DOD, Jost retired as a corporate officer from Motorola after 26 years with the company. Jost was a corporate vice president, Code Division Multiple Access Group general manager and chief architect for Motorola infrastructures.Jost also served as vice president, chief architect and engineer for the Motorola Space and Systems Technology Group and the chief engineer and systems manager for the company's Iridium program.Jost has received numerous engineering awards including the Motorola Distinguished Engineering Award.He earned a Ph.D. in electrical engineering from Arizona State University.GCN senior writer Dawn S. Onley interviewed Jost.Jost: We set the policies for all DOD wireless devices. Most of the devices are military tactical radios. Some policies focus on commercial wireless devices, such as the 8100.2 wireless security policy, but are also applicable to military tactical applications.For instance, the wireless security policy does address all wireless devices, but the main target is commercial wireless devices and networks such as 802.11 applied in either an office or tactical environment. A policy addressing all wireless radio devices but targeted at mostly military deployed units is the JTRS/SCA [Joint Tactical Radio System Software Communications Architecture] policy.Jost: The policy is established to address common devices operating in wireless mode. The idea is to reduce vulnerabilities in the information conveyed and do it in a manner that would still support the user's needs but deny the threat of access to information.The wireless system must use an encryption technology. If it is a DOD appliance, it must abide by the wireless policy. In wireless mode, even a DOD device used in a commercial hot spot for personal use opens up that piece of equipment to intrusion when attached to a DOD network.This allows the services and commanders to have the flexibility that they need, but it ensures us of a good network.Jost: We currently have an architecture study under way with the conclusion expected shortly. We are concerned that the DOD wireless system is the best implementation for the business and warfighting domains. That would allow folks to be mobile, leave the Pentagon, go to a base and still be interoperable'to be remote from the Pentagon and still have connectivity or be in other government agencies and still have Pentagon network access.We thought that the policy would be difficult to generate and implement and there would take a lot of vetting and disruption, [and] that folks wouldn't accept it. It's been almost welcomed because the services realize it's important and involves the integrity of our information and safety of the infrastructure, and that's essential.Folks are actually being very creative and very responsive in the policy generation. Service participation is very active and positive.This year, a wireless architectural study will be completed an architectural guideline generated made up of a series of memorandums that say this is what a subscriber or user is allowed to have, since we're trying to deal with both security and interoperability.We are standing up three knowledge management sites that enable the designated approving authorities to access for advice and guidance and their engineers to access and evaluate the vulnerabilities at the highest security levels. The KM site keeps people from having to hunt for information at many locations.The KM sites are already accessible and supporting the current 8100.2 policy. We are in the process of updating this policy with a new release. The new release has been presented to working groups and currently the group is commenting on the different policy aspects. The policy concentrates on using standards-based wireless technology, adhering to a process of using government-validated wireless products and using robust intrusion detection systems.Jost: Whether the network is wired or wireless doesn't matter. What matters is, it's done in the most cost-effective manner.The policy actually affects officelike environments, such as standard bases. It also affects operational centers.The bases decide the implementation, because they have to be accountable for the way they procure their wireless and IT systems. The KM sites offer the DAA's [designated approval authority's] implementation-recommended systems as well as potential vulnerabilities of different devices.From the perspective that we got great interest from the folks to go wireless, the trend is to go wireless, but to say everything is or must be wireless is inappropriate and not true. Each organization makes a decision to use wired, wireless, or both, depending upon their requirements.This wireless security policy does not say you must use this specific implementation or incorporate a particular technology. It's technology agnostic. When we provide a recommended implementation, it is only a recommendation. The KM sites offer services a means of exchanging their best ideas.Jost: It is the responsibility of the DAAs to ensure that they are abiding by the directive. If they ask for help, we're not going to ignore them.When we look at the transition plans, we will ask for questions on transition milestones. We purposely engineered the policy to allow DAAs flexibility and responsibility for implementing it.There are hundreds of DAAs. Every major base may have one or two. We work for the DOD CIO and therefore have a strong interest to ensure interoperability and security. We are interested in how folks are implementing their systems to abide by the policy while ensuring the security of the network is maintained.We have oversight responsibility and are ensuring the knowledge management sites are implemented to assist the DAAs. We will also query DAAs and if they can't get an answer off the knowledge management sites, we're going to help them out. We are responsible to see that the DAAs are well informed.We are not the police officers to go out and review every implementation; it is the DAA's responsibility to ensure the policy is being properly applied.We set up a framework that covers a certain set of domains: the DAAs, working with the CIOs of their services and others, and that is at their discretion as it should be. The policy establishes the framework for the proper wireless security. The KM sites offer different implementation recommendations. The DAAs use the policy supported by the KM site information to determine the best implementation for their specific wireless application. If the DAAs desire to implement a complex wireless network having high flexibility and multiple access approaches, it is their decision.Jost: It is very difficult to talk about a system's vulnerability without disclosing weaknesses.I can say that the reason for the policy is to ensure that the vulnerabilities are eliminated. We are interested in maintaining the security of DOD information and that's critical.Wireless systems, as an unattached means of accessing information, naturally offer up different vulnerabilities that a wired network would not have. Intrusions and denial of service are very real concerns.We don't want static data to be unencrypted on wireless devices. Most wireless devices are portable and the potential for compromising the data through either potential unintentional wireless access connections, device loss or other means is reduced through encryption of static data.