DISA officials defend data security measures

CIO responds to IG report by saying the agency has "better security than any place in the world."

Officials at the Defense Information Systems Agency have raised objections to a report critical of its information security practices by the Pentagon's inspector general.

The report said until recently, DISA did not have the means to determine if unauthorized users attempted to enter, manipulate or disable its computer systems and the agency lacks the capability to audit its systems for suspicious activity.

The agency's Center for Computing Services operates 18 data centers, which contain 35 mainframes and more than 6,000 servers hosting sensitive Defense Department applications, including financial, logistics and health record systems.

Mark Orndorff, director of the DISA Program Executive Office for Information Assurance and Network Operations, said the agency's defense against intruders starts at perimeter connections between the Internet and the Defensewide Non-Classified Internet Protocol Router Network (NIPRNET), where the agency has deployed "best in the world systems" to detect intrusions or attacks.

Orndorff declined to identify the technology used to defend the Internet/NIPRNET connection for security reasons, but said, "it's better than anything you can buy in the marketplace," an indication that the technology was at least partially developed in-house.

Defense also has an enterprisewide program to equip 5 million computer workstations with intrusion-detection software developed by McAfee Inc. Orndorff called that "the largest deployment of security products" ever undertaken.

DISA has begun testing intrusion detection software from McAfee for data center servers running on the Unix and Linux operating systems. If the software passes muster, DISA intends to deploy it next January. Orndorff said the agency is so security conscious that it "makes security products go through a security review" before fielding. Data center mainframe computers already come equipped with a robust package of intrusion detection software, he said.

The Defense IG also faulted DISA for its failure to use audit trails, or records of systems activity, to identify whether unauthorized users accessed information. The IG report recommended that DISA develop automated tools to conduct such audits. Orndorff said that would present a significant challenge, because DISA's data centers store terabytes of data. Since the tools required are not available in the commercial marketplace, fielding them would involve a research-and-development effort, he said.

John Garing, DISA's chief information officer, said detecting whether an insider attempted to access or manipulate data would require intimate knowledge of a hosted application, something beyond the capability of DISA.

Garing said the Defense IG report focused on only a small slice of the security DISA has built into its data centers.

"We have better security than any place in the world," he said.