United States General Accounting Office GAO Report to the Chairman, Subcommittee on Defense, Committee on Appropriations, House of Representatives August 1999 BATTLEFIELD AUTOMATION Opportunities to Improve the Army’s Information Protection Effort GAO/NSIAD-99-166 United States General Accounting Office National Security and Washington, D.C. 20548 International Affairs Division B-280565 Letter August 11, 1999 The Honorable Jerry Lewis Chairman, Subcommittee on Defense Committee on Appropriations House of Representatives Dear Mr. Chairman: Over the next decade, the Army’s modernization objectives include the integration of information technologies to acquire, exchange, and employ timely information throughout the battlespace. Information technology integration—or digitization—is to be implemented throughout the Army through the development, production, and fielding of over 100 individual systems. According to the President’s fiscal year 2000 budget request, the Army’s digitization efforts will cost $20.8 billion between fiscal year 2000 and 2005. The Army expects this investment to result in increased survivability, lethality, and tempo of operations. However, it also recognizes that reliance on digitization could make its command and control systems more vulnerable to enemy activities such as jamming and computer network attacks and has developed a Protection Plan for Army XXI Information Systems that lays out a general strategy for implementing information protection into the design of the digitized battlefield. This report is in response to a Subcommittee request to evaluate the Army’s development and acquisition plans for command and control systems that will be part of future digitized battlefield units. Specifically, we evaluated the Army’s protection plan to determine whether it ensures sufficient assessments to test and develop the defensibility of the digitized battlefield against command and control warfare attacks. Results in Brief The Army has carried out a number of assessments to test and develop the defensibility of digitized battlefield systems and forces, but its protection plan does not ensure sufficient vulnerability assessments. While the Army’s plan provides a general strategy for implementing information protection into the design of the digitized forces, it does not constitute a detailed implementation plan, one that lays out • the specific systems, networks, and infrastructures covered; Leter Page 1 GAO/NSIAD-99-166 Battlefield Automation B-280565 • their information protection requirements or needs; • the information protection knowledge and knowledge gaps for those systems; and • the tests or other events that will be used to fill specific knowledge gaps and address previously identified weaknesses. Without such a detailed implementation plan, systems vulnerabilities that might otherwise be identified may not be exposed and fixed and the substantial investment made by the Army could be at risk. Additionally, without a plan that identifies specific needed events, adequate funding may not be made available for needed activities, and valuable test opportunities could be lost. Furthermore, systems could be developed and tested under requirements that are not aligned with the goals and needs of the Army’s protection plan. For example, we found that a key digitization effort does not have a minimum requirement for development of the protection concept outlined in the Army’s protection plan. As a result, systems could be developed without providing features needed to achieve that concept. We also found that the system that is the centerpiece of the Army’s digitization efforts has a key performance requirement that is set for a non-jamming environment and is not conducive to judging whether sufficient protection has been achieved. While the Army has already undertaken a number of activities laid out in its protection plan, much remains to be done as its digitization efforts are to extend over the next decade and be implemented through the development, production, and fielding of over 100 individual systems. This report contains recommendations to the Secretary of Defense regarding the management of the Army’s digitization-related information protection activities. Background The Army plans to use vulnerability assessments, including red team activities, to help develop digitization systems and networks. Vulnerability assessments are conducted to determine potential and exploitable weaknesses; red teaming activities are a specialized type of vulnerability assessment in which a group acting as an opposing force conducts offensive actions to generate a reaction or expose a weakness on the friendly side. The Army has defined 16 high-priority systems that, at a minimum, are to be fielded to accomplish its First Digitized Division. (The Army plans to field its First Digitized Division by December 2000 and its First Digitized Corps Leter Page 2 GAO/NSIAD-99-166 Battlefield Automation B-280565 by September 2004.) One of these 16 high-priority systems—the Force XXI Battle Command, Brigade and Below (FBCB2) system—is the centerpiece of the Army’s digitization efforts because of its potential to contribute significantly to achieving the Army’s digitization goals. 1 When fielded, FBCB2 is expected to provide enhanced situational awareness to the lowest tactical level—the individual soldier—and a seamless flow of command and control information across the battlespace. FBCB2 will be composed of • a computer that can display a variety of information, including a common picture of the battlefield overlaid with graphical depictions (known as icons) of friendly and enemy forces; • software that automatically integrates Global Positioning System data, military intelligence data, combat identification data, and platform data (such as the status of fuel and ammunition); and • interfaces to communications systems. Battlefield data will be communicated to and received from users of FBCB22 through the Tactical Internet—a network of tactical radios3 for the transmission and receipt of data needed for battlefield situational awareness and command and control decisions. The FBCB2 system requires a functioning and protected Tactical Internet to accomplish its mission. Because the FBCB2 system and Tactical Internet are two of the Army’s most important digitization efforts, establishing their ability to withstand attacks is critical. The Army’s near-term information protection efforts have been designed to capitalize on FBCB2 and Tactical Internet development and test events “culminating in a ‘no holds barred’ electronic and computer attack” during the FBCB2 system’s initial operational test and evaluation. This test can serve as a proof-of-concept event to determine whether the Army has achieved its intent of developing a level of 1 Nearly all of the other high-priority Army digitization systems are dedicated to enhancing the Army Tactical Command and Control System. 2 For further information on the FBCB2 program, please see Battlefield Automation: Acquisition Issues Facing the Army Battle Command, Brigade and Below Program (GAO/NSIAD-98-140, June 30, 1998). 3 The Internet’s tactical radios are currently the Enhanced Position Location Reporting System (EPLRS) and Single Channel Ground and Airborne Radio System (SINCGARS). Page 3 GAO/NSIAD-99-166 Battlefield Automation B-280565 information systems protection sufficient to allow its critical functions and operations to continue. Information Protection The Army developed a plan to integrate information protection features and capabilities into its tactical systems, networks, and infrastructure. It Plan Is Not Sufficiently has also carried out a number of assessment activities in keeping with that Detailed plan. However, while that plan lays out a general strategy for integrating information systems protection into the design of the digitized battlefield, it is not a detailed implementation plan. Without a detailed implementation plan, the Army is not as well positioned as it could be to ensure that important test opportunities are not lost, that needed information protection activities are adequately funded, and that digitization systems development and test requirements accurately reflect the Army’s protection needs and goals. The Army’s Protection Plan In September 1997 the Army Digitization Office published the Army’s Protection Plan for Army XXI Information Systems.4 The plan states that the objective of information systems protection is to ensure that friendly command and control capabilities are available to the commander and staff. It then goes on to describe three types of command and control warfare threats that are of concern: physical attacks, electronic attacks, and computer attacks. • Physical attacks involve destruction, damage, overrun, or capture of the physical components of “digitization.” Overrunning and capture facilitate an adversary’s ability to employ computer attacks on friendly forces. • Electronic attacks (also referred to as electronic warfare) include attacks against communications links and “high energy” attacks. Attacks against communications links include (1) signal intercept to effect compromise of data, (2) radio emitter direction finding and geo-location to support signal analysis and attack, and (3) radio jamming, which is usually intended to corrupt data or deny service. High-energy attacks include those by electromagnetic pulse generators (which destroy or damage electronic components within an area by 4 Subsequently, responsibility for oversight and coordination of the efforts outlined in that plan transitioned from the Army Digitization Office to the Army’s Director of Information Systems for Command, Control, Communications, and Computers (DISC4). Page 4 GAO/NSIAD-99-166 Battlefield Automation B-280565 overloading them with energy) and directed energy weapons such as high-energy lasers (which direct large amounts of energy onto a specified target). • Computer attacks are generally (1) aimed at software or data contained in either end-user or network computers; (2) intended to range from unauthorized but unobtrusive access to information and unauthorized modification of software or data to total destruction of software and data; and (3) the least well understood form of attack and may involve the most difficult countermeasures to successfully implement. The protection plan notes that computer attacks can occur in peacetime and wartime and comments that the interconnected nature of the digitization networks may present the opportunity to create widespread service disruption. As a result, the Army plan concludes that computer attacks appear to pose the most serious potential threat to digitization. The Army’s plan lays out an information protection strategy that reflects its belief that complete protection against all known and future vulnerabilities is not feasible. In line with that belief, the Army’s intent is to field a digitized force with a level of protection that is “sufficient” to allow critical functions and operations to continue while under computer attack. To accomplish this level of protection, the Army has adopted a “defense in depth” protection concept consisting of electronically guarded perimeters and active information surveillance. The Army’s “defense in depth”, depicted in figure 1, is to include • an external digital perimeter composed of communications security, firewalls,5 security guards, and where necessary, physical isolation serving as a barrier to outside networks; • similar internal perimeters between echelons and/or functional communities; • a secure local workstation environment, consisting of individual access controls, configuration audit capability, command and control protect tools, and procedures; • intrusion detection systems; • extensions to network management capabilities to provide real-time network surveillance and reaction to network intrusions; and 5 Firewalls are hardware and software components that protect one set of systems resources (e.g., computers, networks) from attack by outside network users by blocking and checking all incoming network traffic. Firewalls permit authorized users to access and transmit privileged information and deny access to unauthorized users. Page 5 GAO/NSIAD-99-166 Battlefield Automation B-280565 • a robust, survivable infrastructure designed to “contain” damage from attacks and to be readily repairable in the event of an attack. Figure 1: Army’s “Defense in Depth” Protection Concept External Digital networks perimeter Network and security management/ Internal surveillance perimeter Robust, survivable Local infrastructure workstation security Source: U.S. Army, Protection Plan for Army XXI Information Systems. The Army’s plan lays out a strategy to translate this “defense in depth” protection concept into action by incorporating lessons learned through vulnerability assessment activities into the design and implementation of digitization systems, networks, and infrastructures. These assessment activities are to be conducted during experiments, training events, and development and test events to Page 6 GAO/NSIAD-99-166 Battlefield Automation B-280565 • determine the level of protection achieved; • identify vulnerabilities; and • provide feedback to impact (1) architecture, design and development efforts and (2) tactics, techniques, and procedures development and training activities. The Army’s Assessment The protection plan describes three phases of vulnerability assessments. Activities Phase I and phase II have been completed. Phase I used computer attacks focused on probing the network for potential vulnerabilities, but did not involve active attacks. During the first phase, electronic attack vulnerability assessments were performed in laboratory and other controlled facilities against individual systems, including EPLRS and SINCGARS. These assessments were conducted as a part of the Task Force XXI Advanced Warfighting Experiment (AWE). Table I.1 in appendix I lists the phase I Task Force XXI AWE Red Team tasks, their objectives, and where and when they were conducted. In one example of the Army’s phase I activities, the Army’s Electronic Proving Ground performed position navigation vulnerability experiments using an early version of FBCB2 software and the Tactical Internet. In a simulated Global Positioning System jamming environment, the Electronic Proving Ground found that the FBCB2 software fluctuated between displaying and reporting inaccurate Global Positioning System and accurate EPLRS position navigation data. The jamming resulted in not only a fluctuating display of inaccurate and accurate positions for the unit’s own location, but also the transmission of both inaccurate and accurate position reporting through the Tactical Internet to other units on the network. As a result of this work, the Electronic Proving Ground concluded that the early version of FBCB2 software tested had a major software design problem. The Electronic Proving Ground recommended that this finding be considered by the system developer. Phase II involved computer attacks focused on intrusions from both outside and inside the network to detect exploitable vulnerabilities. The attackers were allowed to leave “markers”6 but were not authorized to cause any physical impact or to disconnect computers from the network. Electronic attacks were simulated or conducted surgically. Table I.2 in 6 The “markers” left were computer files indicating that unauthorized access had been achieved. Page 7 GAO/NSIAD-99-166 Battlefield Automation B-280565 appendix I lists the September 1997 Army protection plan’s list of phase II Division XXI AWE Red Team tasks, their objectives, and where and when they were to be conducted. One example of red team activities in the Division XXI AWE that is reported to have occurred during phase II was an examination of the impact of jamming the Army’s Mobile Subscriber Equipment.7 The Army reported that it used progressive jamming against the Mobile Subscriber Equipment of the 3rd Brigade Tactical Operations Center and learned that • as expected, the Mobile Subscriber Equipment rerouted traffic around jammed frequencies with no initial impact on situational awareness; • jamming both of the operations center’s main data pipes at artificially high levels caused severe slowing of rerouted data traffic; and • jamming two frequencies with high power for a sustained time would make the perpetrator vulnerable to detection and counterattack by friendly air or artillery. As a result, the Army concluded that jamming the Mobile Subscriber Equipment would not be a high payoff opportunity for the enemy. Overall, the Army reported that the red teaming efforts conducted during the Division XXI AWE provided valuable insights into strategies for protection of information technologies on the battlefield and reinforced the need for a “defense in depth” approach. The Army is currently involved in phase III of the vulnerability assessments outlined in its protection plan for Army XXI information systems. The assessments conducted in this phase are to be progressively more robust, more broadly based attacks intended to apply stress to digitization systems, networks, and infrastructure. Ultimately, this phase is to culminate in a “no holds barred” command and control attack on its digitization systems. The Army, however, has not yet defined the scope and nature of the attacks that are to occur during that event. The Army’s protection plan calls for its phase III activities to capitalize on the FBCB2 system’s development and acquisition program test and evaluation events. While the primary focus of its efforts are to be test and 7 The Army’s Mobile Subscriber Equipment provides secure voice telephone and data transmission to corps and below forces. All of its equipment is classified secret and all personnel operating on the network must have a secret security clearance. Page 8 GAO/NSIAD-99-166 Battlefield Automation B-280565 evaluation events associated with FBCB2 and the Tactical Internet, the Army also plans to take advantage of other events to assess its information systems protection posture, including events associated with the Army Global Command and Control System, the Integrated Combat Service Support System, and the Warfighter Information Network. To date, however, the Army has not detailed the planned use of non-FBCB2 related development and test events. Table I.3 in appendix I lists the Army protection plan’s phase III vulnerability assessment tasks with objectives, events, and responsible organizations. The Army has already carried out some phase III activities. For example, information protection activities occurred as a part of both the FBCB2 Field Test 1 and the FBCB2 Limited User Test. As a part of the Field Test 1 held during May and June 1998,8 the Army subjected the FBCB2 and Tactical Internet to 2 nights of barrage jamming. Additionally, during the last 3 days of the field test, the Army’s Program Manager for Information Warfare with the Army’s Communications and Electronics Command conducted a Command and Control Protection Advanced Technology Demonstration that consisted of localized jamming and information warfare attacks. During the August 1998 FBCB2 Limited User Test, the Army also carried out some “red team” tasks9—mapping10 the Tactical Internet to gain an understanding of its architecture and possible weaknesses and analyzing digitized forces’ susceptibility to signals intelligence efforts. While the Army has already undertaken a number of activities laid out in its protection plan, much remains to be done as the Army’s digitization efforts are to extend over the next decade and be implemented through the development, production, and fielding of over 100 individual systems. For 8 The FBCB2 Field Test 1 consisted of 61 FBCB2 systems spread across the Electronic Proving Ground’s east range. Fourteen of the systems were on mobile platforms. Among its other limitations, the test did not involve as heavy a command and control message load as had been planned. 9 Many of the Army’s “red team” tasks are other forms of vulnerability assessments, not “red teaming” as has been defined. For example, in discussing the FBCB2 Limited User Test information protection efforts, the Army official overseeing those efforts stated that it would be more accurate to call them “blue team” activities (i.e., friendly force efforts) because the individuals carrying them out were working to identify vulnerabilities and point them out to the “friendly” forces, not to exploit them. 10 Mapping involves sending out “requests for service” to try to determine the structure of the network; i.e., who can be identified as being on the Internet. Enemies would use mapping to try to define the structure of friendly networks and identify possible points of exploitation. Friendly forces would use mapping of their own networks to try to determine if unauthorized equipment or connections (which can serve as “back doors” for unauthorized access) are hooked up to the network. Page 9 GAO/NSIAD-99-166 Battlefield Automation B-280565 example, the Army’s report on its Field Test 1 information protection activities stated that FBCB2 and the Tactical Internet must undergo more extensive electronic and information warfare testing during upcoming FBCB2 test events, including Field Test 2, Force Development Test and Experimentation, and its Initial Operational Test and Evaluation. The report also stated that systematic electronic and information warfare test and evaluation of the other First Digitized Division systems and networks must be initiated and completed prior to fielding. Detailed Implementation While the Army has developed a general strategy for integrating Plan Not Developed information systems protection and has conducted a number of assessment activities, it lacks the specificity that would be contained in a detailed implementation plan. The Army’s protection plan does not • define the more than 100 systems that are a part of its overall digitization efforts; • detail their specific information protection requirements, what is known or unknown about their individual vulnerabilities, or the specific test or other events to be used to fill identified knowledge gaps and ensure satisfactory resolution of previously identified weaknesses; • define specific information protection aspects or issues to be tested during specific tests and events or who is responsible for carrying out and funding those specific activities; and • identify the cost of specific protection plan activities or the parties responsible for funding those activities. A detailed implementation plan that provides this information could help the Army identify test opportunities, address funding issues, and ensure that requirements are aligned with the goals and needs of its protection plans. Identification of Test Because its protection plan lacks sufficient implementation information, Opportunities and Funding the Army could lose valuable testing opportunities. For example, during Issues our review, we found that guidelines (in draft form as a security annex to the Army Digitization Master Plan of January 1999) that would charge involved parties with specific tasks contained no more information than the Army’s overall protection plan itself. Specifically, the September 1997 Protection Plan and the security annex both state that follow-on assessments will be included in their next updates and that those assessment plans will address test and evaluation events such as the Maneuver Control System’s Initial Operational Test and Evaluation, the Page 10 GAO/NSIAD-99-166 Battlefield Automation B-280565 M1A2 (Abrams Tank) System Enhancement Program Initial Operational Test and Evaluation, the M2A3 (Bradley Fighting Vehicle) Initial Operational Test and Evaluation, and other events as appropriate. In June 1998 the Maneuver Control System11 (MCS) Block III software underwent an initial operational test and evaluation, but that test was not used for protection plan activities. The opportunity to use this test for protection plan activities was lost because the Army’s protection plan lacked sufficient implementation information including specific identification of activities to be carried out during that MCS test and because no such details were subsequently developed. The Army’s protection plan is based on an assumption that sufficient resources will be made available to implement a prudent amount of information systems protection in the first digitized division and beyond. As mentioned, however, the plan provides no funding details. Development of a detailed implementation plan could help the Army avoid funding shortfalls. For example, last year the Army’s Test and Evaluation Management Agency put in a funding request for unfunded requirements of over $6 million in fiscal year 1999 and $7 million in each of fiscal years 2000 through 2006 for the Army’s Survivability/Lethality Analysis Directorate (SLAD) to perform information warfare vulnerability assessments of digitized battlefield systems and related activities. The Army was unable to locate funds for those activities and included them on a list of unfunded requirements sent to Congress. Congress subsequently increased the SLAD’s fiscal year 1999 budget for vulnerability assessments by $4 million. These funding issues have not disappeared, however, as the unfunded requirement for fiscal year 2000 SLAD-led, information warfare vulnerability assessments and related activities has grown to $10.2 million. Ensuring Requirements Are A detailed implementation plan could help the Army ensure that digitized Aligned With Plan’s Goals and battlefield systems have requirements that are aligned with its protection Needs plan’s goals and needs. Two key components of the Army’s digitization efforts—the FBCB2 system and the Tactical Internet—have requirements that are not in line with the goals and needs of the Army’s Protection Plan for Army XXI Information Systems. Specifically, the Capstone 11 The MCS program is intended to develop and field a computer system that provides automated critical battlefield assistance to maneuver commanders and their battle staff at the corps-to-battalion level. MCS—a key component of the Army Tactical Command and Control System—is 1 of 16 systems considered to be critical elements within the Army’s digitization effort because of the expected contribution they will make to achieve the required capabilities of the digitized battlefield. Page 11 GAO/NSIAD-99-166 Battlefield Automation B-280565 Requirements Document for the Tactical Internet12 sets an objective, not threshold, requirement for the “defense in depth” protection concept envisioned in the Army’s protection plan. The capstone requirements document states that a “threshold” value is the minimum acceptable value necessary to satisfy an operational need and that an “objective” value is the desired performance above that threshold.13 To be able to judge whether sufficient protection has been achieved, systems’ performance criteria need to be set and systems need to be judged for performance in the hostile environment in which they may need to operate. The capstone requirements document appropriately sets criteria for performance in a tactical environment that includes radio jamming, but the program most clearly tied to the Tactical Internet—FBCB2—has criteria set for performance in a non-jamming environment. Specifically, a key FBCB2 performance requirement, Information Exchange, has not been set to demonstrate attainment of a minimal level of performance in a jamming environment—a type of threat that the Army protection plan seeks to address. The FBCB2 operational requirements document states that the requirement for Information Exchange, listed as a Key Performance Parameter 14 for the system, is to provide a capability for the timely and reliable exchange of information between a sender and recipient. The document lists four categories of messages by type and assigns speed of service requirements for the transmission of those messages based on their type. For example, as a threshold value, 90 percent of category one messages sent—defined as Alerts and Warnings—are to be successfully received within 6 seconds. 12 User requirements may be documented as capstone requirements, which are common systems’ requirements (such as overarching inter-operability requirements or standards) that apply to a family of systems. 13 Army Regulation 71-9 states that the “minimum acceptable value (threshold) requirements will be truly essential and minimum needs for successful operations and not desires or artificial contract or acquisition values.” 14 A key performance parameter is that capability or characteristic so significant that failure to meet the threshold can be cause for the concept or system selection to be reevaluated or the program to be reassessed or terminated. Page 12 GAO/NSIAD-99-166 Battlefield Automation B-280565 It also includes, however, an assumption of no jamming for the defined “Information Exchange” requirements.15 Conclusions The Army’s digitization efforts hold the promise of providing its fighting forces with operational improvements. However, they will also provide potential enemies new avenues of attack and greater opportunities to exploit existing vulnerabilities. Although, the Army has developed a general strategy for implementing systems protection into the design of the digitized battlefield, its plan lacks sufficient detail. Given the substantial digitization work that remains to be done (the integration of information technologies into over 100 systems), we believe a detailed implementation plan is needed to help ensure that the Army (a) fields a digitized force that can carry out its critical functions and operations and (b) is cognizant of any residual vulnerabilities—a factor than could prove important in recognizing enemy information system attacks. Furthermore, we believe such a plan could help ensure that sufficient funding, oversight, and effort are applied to developing the needed information protection. To be effective, the implementation plan should be a “living” document that will extend beyond the First Digitized Division and First Digitized Corps—a plan that is continually updated as circumstances dictate. We believe that the absence of such a plan places the substantial investment the Army is making in digitization at greater risk. In addition to developing a detailed implementation plan, we believe the Army has further opportunities to enhance its information protection effort. The Army’s successful implementation of its “defense in depth” concept will depend, in part, on how well that concept is reflected in requirements placed on individual systems. In our opinion, the threshold Tactical Internet information protection requirement should be aligned to the Army protection plan concept, that is, Tactical Internet related systems should be required to support the development of the “defense in depth” called for in the Army protection plan. Also, to help ensure that the digitized forces that are fielded provide sufficient protection allowing critical functions and operations to continue, the Army needs to set minimum performance criteria for systems’ performance in such an environment, including setting minimum performance for FBCB2 in a jamming environment. We believe that setting such performance standards 15 The FBCB2 operational requirements document is not entirely clear, and the assumption of a no jamming environment may apply to other key performance parameters also. Page 13 GAO/NSIAD-99-166 Battlefield Automation B-280565 will help ensure that systems that cannot carry out critical functions and operations when under attack are not fielded. Recommendations We recommend that the Secretary of Defense direct the Secretary of the Army to: • Develop a detailed implementation plan for the Army’s protection efforts for Army XXI information systems to include information such as a system by system breakout of tested and untested (known and unknown) areas of vulnerabilities; the specific test events to be used to look for systems vulnerabilities or to confirm fixes to previously identified, significant vulnerabilities; and responsible performing and funding parties. • Require the Tactical Internet to have threshold information protection requirements consistent with the Army’s “defense in depth” protection concept. • Set performance requirements for and test FBCB2 in a jamming environment. Agency Comments DOD generally concurred with the recommendations contained in a draft of this report. DOD concurred with our first recommendation stating that the Army has already initiated an effort to develop a detailed implementation plan for its information protection activities. Regarding our second recommendation on tactical internet security, DOD generally concurred and stated that the Army will review requirements documents for all First Digitized Division systems to determine whether their security requirements are consistent with the Army’s “defense in depth” concept. DOD generally concurred with our third recommendation, stating that the Army will revise performance requirements for FBCB2 to reflect performance in a jamming environment and will test in that environment. We believe that the actions outlined in DOD’s response should enhance the Army’s information protection efforts. DOD’s comments are reprinted in their entirety in appendix II. Scope and To evaluate the Army’s protection plans to determine whether they ensure sufficient assessments to test and develop the defensibility of the digitized Methodology battlefield, we reviewed the Army’s overall protection plans by analyzing Page 14 GAO/NSIAD-99-166 Battlefield Automation B-280565 key Army information protection related documents (including the Army’s Protection Plan for Army XXI Information Systems and its draft security annex for the Army Digitization Master Plan) and considering them in the context of the Army’s larger digitization efforts. In evaluating the Army’s near-term plans to develop and test its “defense in depth” protection concept, we reviewed its plans to use FBCB2 and Tactical Internet development and test events and examined key development and test documents for those efforts to determine whether their approach was in line with the Army’s protection plan. We obtained briefings from and discussed issues with parties directly involved in the development and oversight of Army information protection efforts, program managers for high-priority digitization systems, and testers. In the course of our work, we were briefed by and interviewed officials responsible for management and oversight of the Army’s digitization-related information protection efforts; program managers for high-priority digitization systems; officials responsible for planning, carrying out, and overseeing system vulnerability assessments; and other Army and DOD representatives. We examined DOD and Army information protection documents, system requirements, test plans, and other program documents. We performed our work primarily with officials from the Army Office of the Director of Information Systems for Command, Control, Communications, and Computers. We also gathered data from the Army Communications-Electronics Command, Fort Monmouth, New Jersey; the Office of the Director, Operational Test and Evaluation, Alexandria, Virginia; the Army Training and Doctrine Command, Fort Monroe and Fort Eustis, Virginia; the Army Operational Test and Evaluation Command, Alexandria, Virginia; the Army National Training Center, Fort Irwin, California; the Army’s Electronic Proving Ground, Fort Huachuca, Arizona; the Army Survivability/Lethality Directorate, Aberdeen Proving Grounds, Maryland; the Defense Information Systems Agency, Falls Church, Virginia; the Army Land Information Warfare Activity, Fort Belvoir, Virginia; and the 4th Infantry Division and 3rd Corps, Fort Hood, Texas. We performed our review from July 1998 to July 1999 in accordance with generally accepted government auditing standards. We are sending copies of this report to Representative JohnP. Murtha, Ranking Minority Member of the Subcommittee; Representative C.W. Bill Young, Chairman, and Representative David R. Obey, Ranking Minority Member, House Committee on Appropriations; and other interested Page 15 GAO/NSIAD-99-166 Battlefield Automation B-280565 congressional committees. We are also sending copies of this report to the Honorable William S. Cohen, Secretary of Defense, and the Honorable Louis Caldera, Secretary of the Army. Copies will also be made available to others upon request. Please contact me at (202) 512-4841 if you or your staff have any questions concerning this report. Key contributors to this assignment were Charles F. Rey, Bruce H. Thomas, and Gregory K. Harmon. Sincerely yours, Allen Li Associate Director Defense Acquisitions Issues Page 16 GAO/NSIAD-99-166 Battlefield Automation Page 17 GAO/NSIAD-99-166 Battlefield Automation Contents Letter 1 Appendix I 20 Red Team Tasks Appendix II 24 Comments From the Department of Defense Tables Table I.1: Phase I (Task Force XXI) Red Team Tasks 20 Table I.2: Phase II Division XXI AWE Red Team Tasks 21 Table I.3: Planned Phase III Vulnerability Assessments During FBCB2 Test Events 22 Figures Figure 1: Army’s “Defense in Depth” Protection Concept 6 Abbreviations DOD Department of Defense FBCB2 Force XXI Battle Command, Brigade and Below EPLRS Enhanced Position Location and Reporting System SINCGARS Single Channel Ground and Airborne Radio System DISC4 Director of Information Systems for Command, Control, Communications, and Computers AWE Advanced Warfighting Experiment MCS Maneuver Control System SLAD Survivability /Lethality Analysis Directorate Page 18 GAO/NSIAD-99-166 Battlefield Automation Contents Page 19 GAO/NSIAD-99-166 Battlefield Automation Appendix I Red Team Tasks Appenx Idi Table I.1: Phase I (Task Force XXI) Red Team Tasks Red Team task Objective Location Dates • Position/navigation vulnerability To determine the impact of loss of Global Fort Huachuca, AZ Apr. 1996 assessment Positioning System signal on the Task Force Fort Huachuca, AZ Dec. 1996 information network • Hacker/virus vulnerability To determine the vulnerability of the Task Force Fort Hood, TX Dec. 1996 assessment information network to hacker, virus, and other Fort Irwin, CA Mar. 1997 non-traditional threats • Operations security evaluation To determine new/increased operational Fort Hood, TX Dec. 96 security vulnerabilities due to digitization of the Fort Irwin, CA Mar. 97 battlefield • Signal intelligence/ measurement To determine unique pattern and signatures of Fort Hood, TX Dec. 1996 and signatures intelligence the digitized force Fort Irwin, CA Mar. 1997 characterization • Security policy evaluation To assess the needs for revised and/or Fort Hood, TX Dec. 1996 additional security policy due to digitization Ft. Irwin, CA Mar. 1997 • Tactical Internet components To determine unique vulnerabilities of the Fort Monmouth, NJ June 1996 vulnerability assessment individual systems comprising the Tactical Fort Monmouth, NJ Nov. 1996 Internet (e.g., SINCGARS and EPLRS) Source: U. S. Army, Protection Plan for Army XXI Information Systems. Page 20 GAO/NSIAD-99-166 Battlefield Automation Appendix I Red Team Tasks Table I.2: Phase II Division XXI AWE Red Team Tasks Red Team task Objective Location Dates • Electronic warfare To determine the impact of loss of selected Simulation Exercise II Sept. 1997 communication links on the Division XXI AWE Fort Hood Nov. 1997 experimentation information network • Operations security evaluation To determine new/increased operational security Fort Hood Nov. 1997 vulnerabilities due to digitization of the battlefield • Computer attack vulnerability To detect exploitable vulnerabilities of attacks from Simulation Exercise II Sept. 1997 assessments both outside and inside the Division XXI AWE Fort Hood Nov. 1997 information network • Capture/exploitation of the To determine vulnerabilities to the Mobile Fort Hood Nov. 1997 mobile subscriber equipment Subscriber Equipment network resulting from node capture of Small Extension Node • Measurement and signatures To determine unique patterns and signatures of the Fort Hood Nov. 1997 intelligence characterization digitized force Source: U. S. Army, Protection Plan for Army XXI Information Systems. Page 21 GAO/NSIAD-99-166 Battlefield Automation Appendix I Red Team Tasks Table I.3: Planned Phase III Vulnerability Assessments During FBCB2 Test Events Responsible Red Team task Objective Event organization System assessments To assess performance of individual systems to electronic warfare and command and control attack and characterize their signatures • Electronic attack To assess vulnerabilities of new Laboratory assessments of Near PM TRCS/CECOM communication systems to jamming Term Digital Radio, High Capacity Trunk Radio, and others as required • Computer attack To assess vulnerability of Army Tactical Vulnerability assessments of • PM Applique Command and Control System component FBCB2, Maneuver Control • PM ATCCS systems to command and control attack System, other command and • Other PMs control systems • SLAD Technical Network To assess the vulnerabilities of the network to assessment attack and characterization in a controlled environment • Electronic attack To assess vulnerability of battalion- and • Field Test I EPG brigade-level communication • Field Test II systems/networks to jamming • Computer attack To assess vulnerability of information and • Laboratory and testbed PM IW/SLAD Command and Control systems to attack assessments • Field Test I • Field Test II • Characterization To assess the ability to identify friendly nodes Laboratories CECOM/SLAD/ through unique signatures INSCOM/EPG Operational network To assess the vulnerabilities of the network to assessment attack and characterization in an operational environment • Electronic warfare attack To assess vulnerability of battalion- and IOT&E OPTEC/SLAD/ brigade-level communication PM IW systems/networks to near-peer live electronic warfare attack • Command and control To assess vulnerability of information and • Limited User Test OPTEC/LIWA/PM IW/ attack Command and Control systems to live attack • FDT&E SLAD culminating in a full-up near-peer computer • IOT&E attack during IOTE • Characterization To assess the ability to identify friendly nodes Limited User Test CECOM/ through unique signatures in an operational INSCOM setting • Operations security/ To assess operational and computer security • Limited User Test INSCOM computer security procedures and training • FDT&E • IOT&E Page 22 GAO/NSIAD-99-166 Battlefield Automation Appendix I Red Team Tasks Legend: ATCCS Army Tactical Command and Control System CECOM Communications and Electronics Command EPG Electronic Proving Ground FDT&E Force Development Test and Experimentation INSCOM Intelligence and Security Command IOT&E Initial Operational Test and Evaluation IW Information Warfare OPTEC Operational Test and Evaluation Command PM Program Manager, Product Manager, Project Manager LIWA Land Information Warfare Activity SLAD Survivability/Lethality Analysis Directorate TRCS Tactical Radio Communications Systems Source: U. S. Army, Protection Plan for Army XXI Information Systems. Page 23 GAO/NSIAD-99-166 Battlefield Automation Appendix II Comments From the Department of Defense AppenIx di Page 24 GAO/NSIAD-99-166 Battlefield Automation Appendix II Comments From the Department of Defense Now on p. 14. Now on p. 14. Now on p. 14. (707347) Lert Page 25 GAO/NSIAD-99-166 Battlefield Automation Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary, VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: firstname.lastname@example.org or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. GI00 Official Business Penalty for Private Use $300 Address Correction Requested
Battlefield Automation: Opportunities to Improve the Army's Information Protection Effort
Published by the Government Accountability Office on 1999-08-11.
Below is a raw (and likely hideous) rendition of the original report. (PDF)