The Aerospace Corporation has worked closely with the NSA since the 1980s to assess the security of computer information systems and space cryptography equipment. Today, the broader focus is on the protection of critical information and systems with the need to operate through potential cyber incidents.
The Aerospace Corporation has worked closely with the National Security Agency (NSA) since the early 1980s. From the outset, both parties have assisted national security space stakeholders with the protection of the information, systems, and technology associated with their missions. NSA and Aerospace have partnered with government acquisition agencies, contractors, and operators to provide information assurance for space systems. The overall objective is to assure that mission-critical information acquired or transmitted through space is available only to authorized personnel, without modification or degradation, when and where needed to support the interests of the nation.
Two specific historic examples of the Aerospace collaboration with the NSA are the Trusted Product Evaluation Program and the integration of cryptography in space systems.
Aerospace and the Trusted Product Evaluation Program
In the early 1980s, NSA, the Department of Defense (DOD), and many other organizations recognized the potential of Arpanet, the predecessor of the Internet, to interconnect what had been previously isolated computing enclaves. However, with the impending opportunities to improve information distribution, network survivability, and productivity, it was also recognized that the new technology introduced significant security challenges. NSA’s response was to form the National Computer Security Center (NCSC) and to engage a team of military service, DOD agency, and federally funded research and development center (FFRDC) representatives to develop a series of documents describing the requirements for trusted computing systems, trusted networks, and trusted security products, both hardware and software. This series of documents later became known as the “rainbow series,” named for the colors of the covers associated with each of the volumes.
The Trusted Computing System Evaluation Criteria (TCSEC) (the Orange Book), the Trusted Network Interpretation (the Red Book), and the Trusted Database Management System Interpretation of the TCSEC (the Purple Book), together with more than three dozen smaller guidebooks, became the foundation for evaluating candidate hardware and software products to determine what level of trust could be assigned to the system when used in a national security context. Even though these documents were developed in the 1980s, the majority of the theory contained in them still stands as the foundation for security systems within the Internet today. Several of Aerospace’s current information assurance and cyber engineers were involved in the original theoretical and policy work that comprised the rainbow series.
The rainbow series guides became the basis of a formal validation process that the U.S. government (and some private firms/industry) required when purchasing computer technology. The objective was to achieve wide availability of hardware and software systems that were built with security features as a core component of their functionality. The approach was to have computer manufacturers incorporate into their hardware, operating systems, and databases the security principles and mechanisms that had been researched and developed by NSA at the NCSC.
Aerospace began directly supporting the NCSC in 1982 under the Trusted Product Evaluation Program (TPEP). Aerospace functioned, and continues to function, as a trusted agent evaluating operating and database management systems and security networking devices and helping to improve security vendors’ practices. Aerospace’s role has evolved to include leading evaluation teams comprised of other trusted agents and government personnel, participation on the trusted computing board (which measures the progress of evaluations across the industrial base), writing interpretations of the TCSEC, and developing documentation on how to conduct trusted system evaluations.
Aerospace’s early involvement with NSA on the definition and evaluation of trusted systems and products has allowed the corporation to understand the strengths and weaknesses of a wide variety of products. This has contributed towards improvements of products in the industrial base, and an intimate understanding of how products proposed for use in mission-critical space systems would behave under stress.
Through the course of hundreds of trusted product evaluations, two common axioms for acquisition programs have been recognized. The first is that the earlier you can incorporate security the better. Fixing security problems late in a program tends to be both technically and monetarily difficult. Second, designs that are overly complex tend to be difficult to analyze and often do not function as advertised. With respect to security designs, the concept of keeping it simple works best.
Aerospace and Cryptography for Space Systems
NSA is responsible for determining the adequacy of the equipment, devices, networks, and processes used in the protection of U.S. classified and sensitive information. NSA determines which cryptography algorithms can be used in what applications and assesses whether a device will be certified for the protection of classified and sensitive information in an intended environment and application. With assistance from Aerospace, cryptographic equipment is integrated into space and ground systems for the protection of telemetry, tracking, and command data, mission data links, and/or transmission security (TRANSEC).
By the early 1990s, military systems, especially space missions, had built a record of success. Space system deployments had become routine, but increasingly expensive. In 1994, the DOD implemented a performance-based acquisition process (acquisition reform) to reduce costs. With this model, government and FFRDC oversight was reduced and contractors’ responsibilities were increased. While the intent was to save time and money, the consequence was a dramatic increase in untracked risks, ultimately leading to expanded schedules and costs, and launch and post-launch mission failures. During this era, NSA introduced a new crypto-acquisition process for space. The Commercial COMSEC Endorsed Product (CCEP) model, later renamed the Commercial COMSEC Evaluated Product (CCEP), created a unique government-vendor partnership. Under the CCEP process, a vendor would propose development and production of a crypto device to be sold to one or more U.S. government programs. If NSA determined there was a business case to support the proposal, it provided resources to evaluate the product for cryptographic certification. The CCEP developer was responsible for all design, development, production, and lifecycle support. If cryptographic certification were granted, the vendor would be allowed to sell the device to specific U.S. government programs. The other crypto acquisition model was the User Partnership Agreement (UPA). The UPA is similar to the CCEP except that a space program would now request NSA support and evaluation for certification of a program office-developed crypto device for use by the program.
At the same time, NSA significantly downsized its space crypto office. A long run of successful space missions suggested that NSA had developed stable capability, and at that time there were few new space programs on the horizon. With need apparently diminishing and the new crypto acquisition processes shifting responsibilities to contractors and program offices, the agency opted to reassign much of its space information security workforce to other mission areas. With less government oversight, program information security issues began to escalate. Aerospace and NSA began to focus anew on programs having difficulty integrating security requirements and solutions with space systems. Aerospace assigned a new cadre of systems engineers and information assurance specialists to the NSA, to help the agency’s space crypto organization better understand space systems acquisition and operation, ensuring that NSA did not impose security processes that were unworkable for space systems.
The DOD Crypto Modernization Initiative (CMI) began in February 2001. Shortly thereafter, authority for the acquisition and provisioning of modernized space crypto was assigned to the Air Force Hanscom Cyber/Netcentric Cryptologic System Division (CPSD) at Lackland Air Force Base, Texas. Today, requirements and funding for the development and production of cryptographic equipment flow from the headquarters of Air Force Space Command to the Air Force Network Integration Center and then to CPSD. Responsibility for evaluation and certification of crypto devices remains with NSA. Aerospace currently provides onsite engineering expertise to both CPSD and NSA for crypto modernization efforts. Engineering efforts for NSA are provided through the Aerospace office in Columbia, Maryland, and crypto acquisition and space integration efforts for CPSD are provided through the Aerospace office in San Antonio, Texas.
Formation of the National Space Information Systems Security Steering Council
In response to the space program issues that began in the late 1990s, the Air Force and NSA asked Aerospace to develop a plan for a communications-security (COMSEC) working group between the two organizations. Aerospace recommended the formation of the National Space Information Systems Security Steering Council (NSISC) as a facilitator organization with charter members representing the Air Force Space and Missile Systems Center, NSA, the National Reconnaissance Office (NRO), and the Air Force Cryptologic Systems Division. The primary emphasis of the NSISC is on space crypto and information systems security (INFOSEC) with attention on cybersecurity and information assurance. The organization provides advice and recommended approaches to the space community in the selection, acquisition, and application of systems security processes and devices for space systems. NSISC’s objective is to focus space information systems security and information assurance requirements, resources, and activities to provide the best systems security solutions for the United States and its partners, and to ensure effective space operations.
The first annual NSISC Space INFOSEC Symposium was held in the fall of 2000. Each year, the three-day meeting is held at Aerospace, the primary sponsor of the meeting. The intent is to bring together specialists in information security, cybersecurity, and information assurance along with the space community to discuss space systems security, to share new and forthcoming changes, and to provide networking opportunities.
The NSISC also conducts semiannual community-wide COMSEC working group meetings. Updates to crypto equipment, new crypto developments, technical and security issues impacting multiple programs, and changes in crypto-related policies and procedures are presented.
Another NSISC function is the semiannual Space COMSEC Requirements Reviews (SCRR). The SCRR collects information for the NSISC annual report, which is distributed to senior levels of the DOD and intelligence community. The report is a summary of each program and the INFOSEC status of the program. There are also chapters on threats and future trends. The two other major SCRR activities are reconciling space program need dates for crypto equipment and key material against the planned availability and delivery by CPSD or vendors, and the establishment of a mutually agreed upon INFOSEC status for each program. When possible, the SCRR also attempts to identify new technologies, capabilities, processes, and procedures that may benefit existing and planned space programs.
The impacts of NSISC are far reaching in the space community. Its members now include representatives from NASA, U.S. Strategic Command, Air Force Space Command, the DOD Executive Agent for Space, the Naval Space and Warfare Systems Command, and U.S. Cyber Command.
Since the early 1980s, Aerospace’s relationship with the NSA has broadened to include contributions to space information assurance policy, training and standards, cross-domain architectures, key management, and supply-chain risk management. The evaluation of trusted products and the application of space cryptography continue to be Aerospace areas of expertise. With the recognition of increased cyber threats, the Aerospace-NSA collaboration is invaluable to ensuring mission success for current and future space systems.
The authors would like to thank Frank Belz, Randy Blaisdell, and Valerie Lang for their contributions to this article.