Defense approach to cybersecurity includes greater separation from Internet

Based on details about IT security spending in the publicly available fiscal 2011 budget estimates for the Defense Information Systems Agency (DISA), one area of emphasis for improving cybersecurity for military networks is to reduce their connectivity to the Internet. More specifically, the justification for the $14.625 million DISA Information Systems Security Program (ISSP) budget is to “procure the necessary hardware and software to reduce the attack surface of the DoD network to prevent the exploitation by hackers and adversaries” as well as to improve the capabilities and security of information sharing within Defense networks. One notable initiative is the almost $6 million proposed to fund the creation of a new DMZ between the military’s unclassified network (the NIPRNet) and the Internet. In theory, the goal of reducing points of connectivity to the Internet should also be facilitated by the government-wide Trusted Internet Connections (TIC) initiative, which seeks to reduce federal Internet points of presence from over 2750 in 2008 to fewer than 100. Nevertheless, the stated intent for the NIPRNet DMZ is to eliminate the need for direct connections to the Internet. Other initiatives in the 2011 budget estimate include:

  • Almost $1.8 million for an expansion of the Host-Based Security System (HBSS), developed in collaboration with security vendor McAfee, which “provides a consistent way to accomplish configuration and management control across all endpoints”; the expansion will enhance the system’s capabilities to support greater situational awareness and provide better defense against emerging threats.
  • New hardware and maintenance support to the tune of $2.3 million for strengthening the externally facing firewall infrastructure protecting the SIPRNet, the military’s classified network.
  • A little under $2.2 million to augment DISA’s insider threat capability “to help with the automation of detecting and mitigating DoD’s insider threats” stemming from individuals with authorized access to the network environment.
  • An additional $2.5 million to expand the Cross Domain Enterprise Service (CDES), which supports information transfers between DoD’s classified and unclassified networks.