EDS faces security problem with US Navy

Building a more secure network infrastructure was one of the driving forces behind the US Navy's quest to build the Navy/Marine...

Building a more secure network infrastructure was one of the driving forces behind the US Navy's quest to build the Navy/Marine Corps Intranet (N/MCI). But with only a few months left before the majority of N/MCI seats are deployed, questions and concerns about security remain.

During a Navy/Marine Corps intranet industry symposium, officials from both the Navy and its prime contractor EDS, touted N/MCI as "the most secure network in the Department of Defense" and possibly in all of government.

"Today, N/MCI is an industry standard," said Al Edmonds, president of EDS Government Solutions.

But some users, senior officials and even EDS business partners raised concerns about the N/MCI program's approach to security.

 Some argued that EDS's regional deployment approach fails to address the Navy's enterprise requirements. Others said the current security landscape sometimes hampers performance and even prevents on-site contractor support from communicating with corporate headquarters.

"N/MCI is the most secure network in DOD? It's kind of hard to judge that," said Cathy Baber, director of information assurance at the Naval Network and Space Operations Command, a command formed last year by the Navy that has security oversight responsibility for N/MCI. "There are still concerns. There are a lot of things that weren't thought about."

One such issue is managing the certification process for connecting N/MCI users to the current Defense Information Systems Network (DISN), the Pentagon's main telecommunications backbone for both classified and unclassified data.

Vanessa Hallihan, program manager for information systems security at the Space and Naval Warfare Command, manages the DISN connection process. "We haven't yet come to grips with (N/MCI) as an enterprise process," she said. "The workload is very intense, and I don't have the resources."

Bart Abbott, director of information assurance programs at Raytheon, a subcontractor to EDS on the program, said he feels as if the team has delivered on the Navy's need for a more secure network but acknowledged there are still wrinkles in the N/MCI security fabric that need to be ironed out.

He also acknowledged that there are performance issues due to various security mechanisms, such as e-mail and web content filtering at the connection points between N/MCI and the Defense Department's unclassified network, which is known as the Non-secure Internet Protocol Routing Network. Users also reported full disc scans taking place during the log-on process.

Rear Admiral Charles Munns, director of N/MCI, said a security policy board will decide next month if existing content filters need to be adjusted.

"We've looked at the mobile user in particular," said Abbott, adding that EDS is trying to "significantly improve" network performance for remote access. It will take EDS and the Navy several months to improve remote access and make other network security adjustments, including updating virus protection package to include a spam filter.

Several industry representatives also raised concerns about the inability of commercial contractors to communicate with external entities, such as their own corporate offices.

"It's a difficult proposition because the corporate environment is an untrusted environment from the Navy's perspective," said Abbott.

Leutenant Colonel Ken Buetel, director of the Marine Corps Information Technology and Network Operations Center, said some of his supporting suppliers are asking about the same problem, and he has been forced to tell them that "we really don't trust the corporate domain".

Dan Verton writes for Computerworld

Read more on IT risk management