New threats compel DOD to rethink cyber strategy


The Defense Department's diversity remains its Achilles' heel in the race to improve information assurance.

The Defense Department’s widely heralded decision to create a new Cyber Command by October 2009 is still languishing in limbo. Confirmation hearings have yet to be scheduled for the prospective commander, National Security Agency director Army Lt. Gen. Keith Alexander. And efforts to kick-start the organization have been delayed by congressional concerns over the organization.

Meanwhile, adversaries working in the cyber domain aren’t sitting still. In December, hackers reportedly stole a classified PowerPoint slide deck that details South Korean and U.S. strategy for fighting a war with North Korea. And in Iraq, it was revealed that insurgents had intercepted Predator feeds using software they downloaded from the Internet.

Regardless of how quickly the Cyber Command moves forward, DOD is starting to shift its philosophic focus on network operations from information assurance to mission assurance — recognizing that as the Global Information Grid (GIG) comes under perpetual attack, efforts to deliver information services essential to operators will also need to shift from a focus on total network security to one of risk management.

To achieve that, information assurance experts say, DOD will need to concentrate on significant organizational and training issues as much as it does new technology. And it will need to address the lack of effective command and control for information assurance. That’s partially a technical issue, exacerbated by the diversity of network systems on which the GIG relies. But it also comes down to how DOD manages its networks and develops a concept of operations.

“With IA going forward, there are a lot of challenges,” only part of which is technology, said Tom Conway, director of federal business development at security software company McAfee. “You've got to have enough of the right trained people to do this. How do you get those people? That's a huge issue for everybody, not just in the military. Then, if you've got the trained people, how are they organized, how are they equipped, what are they supposed to be doing in their jobs? And that's something Cyber Command has to [decide] because before it was sort of left to the individual services to do what was best.”

Threats on the Move

Meanwhile, each of the services continues to move forward with its own cyber organizations, with the goal of supporting the new overall subcomponent command under the aegis of Strategic Command. The Air Force has officially formed the 24th Air Force, its “cyber-NAF” (numbered air force), and ground was broken Dec. 11 for the cyber operations center of the new 688th Information Operations Wing.

The Navy, for its part, is forming the 10th Fleet, which will be co-located with the Army Network Warfare Battalion and the Cyber Command at Fort Meade, Md. It is also moving to merge intelligence and communications under a new staff-level position, the assistant chief of naval operations for Information Dominance (N2/N6), pairing the proposed 10th Fleet with a merged communications and network warfare role at the staff level.

The Army activated the 704th Military Intelligence Brigade’s Army Network Warfare Battalion in June 2008.

But although the services push ahead in developing their own organizations, adversaries have been enhancing their capabilities as well.

“The tradecraft of the attackers has really advanced in the last few years,” said Thomas Fuhrman, senior vice president at Booz Allen Hamilton. “And they're also very agile. There’s a whole range of threats, but the threats that matter — where we see exfiltration, threats of compromising national security command and control systems — this comes from a very sophisticated adversary.” And based on what analysts see, he said, “They respond to fixes we implement very rapidly.”

In addition, Fuhrman said, there is the proliferation of tools that make it easier for adversaries to attack DOD and other networks — as evidenced by the Iraqi insurgents’ interception of Predator video. “So you expand the range of people who are in this space by the availability of the tools to the work.”

Bailing and Bailing

Part of the problem that DOD faces is that because cyber threats have evolved so quickly, information assurance specialists tend to be in a perpetual catch-up mode in dealing with holes as they’re discovered. “We're still in the mode of … bailing out the ship,” Fuhrman said. “But you bail and bail to no avail because the attacker is always getting better. So the question [becomes] how do we get ahead of this … so we're not always reacting?"

Fuhrman said a central problem is the tendency of information assurance to be viewed as a forensic science, discovering what has already happened: What data was lost; what has gotten onto the network; and were protective measures overcome?

“The question of how we get ahead is very relevant. The problem is, there's no easy answer because of the abilities of the adversary,” he said.

“In DOD, they call it the advanced persistent threat,” McAfee’s Conway said. “It’s advanced in that these are very complicated things being done by sophisticated people, and it’s persistent — and the rate is going up. There is a lot of data exfiltration that's going on and continues to go on. There are data loss prevention technologies that can stop that sort of thing, and that's something DOD can start to roll out now. I think they understand they have a problem, but fixing it is complicated because they're so big, diverse and widespread.”

In fact, DOD’s diversity of configurations remains its biggest information assurance Achilles' heel. Although the services move forward with initiatives to consolidate networks, such as the Navy’s Next Generation Enterprise Network (NGEN) and Consolidated Afloat Enterprise Networks and Enterprise Services (CANES) programs, the sheer magnitude of different configurations make it difficult to manage the risk to the entire GIG, Fuhrman said. “It's hard to enforce consistent configurations and manage those configurations,” he said. “When you have huge networks with such a diversity of platforms, it is very, very difficult to identify the right configurations and then constantly manage them. DOD is taking good measures to improve it, there are standards and components that are being deployed that continually monitor configuration, but this is an unsolved problem — it's very difficult to keep up with that.”

Just the task of delivering a response to a new virus threat creates a major challenge right now, said Steve Hawkins, Raytheon’s vice president of information security solutions. “If you're Cyber Command, you've got to find a way to find — maybe do an antivirus and a signature — for it and get that deployed over literally hundreds of thousands of desktops and laptops and servers,” he said. “I think the scale of the problem for coordinated solutions and the speed they need to detect and put out a defensive measure is their largest challenge, where you'll see them really push hard. The organizational challenge, that's one side of it; but that needs to be focused on facilitating an operation that moves very rapidly to fix problems that you find.”

Broader Visibility

Finding the problems in the first place requires something that DOD doesn’t have: situational awareness over the entire GIG. “What that requires is a set of technologies that give them total situational awareness, so they can see what all's going on and in a matter of milliseconds be able to eradicate the offensive malware,” Hawkins said. “It's more challenging than ever to do that because with social engineering, just the acceptance of an e-mail by someone can allow malware into your system. You also have to be able to detect anomalous behavior within your own networks, be able to see it and stop it. There's a whole realm of technologies that are starting to emerge that will allow them to address that part.”

Situational awareness is the core of what the services are trying to create with cyber operations centers — an extension of the operations center model from more traditional warfighting combatant commands to the cyber realm. But just having situational awareness in a cyber operations center isn’t enough, Fuhrman said.

“We see cyber ops centers springing up all the time, and in principle, that's not a bad idea," Fuhrman said. "But the reality all too often is that we throw technology at the problem and say we're going to monitor the heck out of our networks. And the result is operators sitting around consoles 24/7 that indicate line upon line of anomalies that some centers are picking up, and the operators are trying to understand what that means. That's very rudimentary.”

Fuhrman said the next step is going beyond monitoring and moving to true command and control — and understanding how to apply situational awareness to the overall mission. “We need to advance the state of the art and recognize that this, like so many parts of information assurance, is a multidimensional problem. What are we trying to achieve in this ops center? What sort of decisions do we expect the op centers to make? How do those decisions relate to the mission? And how do we get the right tools in the hands of the operators so that they have the leverage to affect those decisions to cause things to happen?”

One role ops centers might best take on is deploying security patches and handling configuration management as an integrated part of network defense, Fuhrman said.

But another way to look at it would be for DOD and the Cyber Command to view the GIG as a weapons system, he said. “And that means being able to implement configuration control centrally. We don't have that today. It means being able to make decisions that are mission-related and informed by mission requirements but that effect network configuration — what ports are open, what nodes are made accessible or inaccessible.”
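The two problems Fuhrman describes above, enforcing consistent configurations across a diverse fleet and making centrally controlled, mission-informed decisions about which ports and nodes are exposed, can be shown concretely with a small compliance check. The following is an added example, not code from the article or from any DOD program: it checks a constructed fleet of hosts with different platform profiles against a baseline and ranks the drift it finds by how mission-critical each host is. The profile names, port sets, setting names and mission weights are all illustrative assumptions.

```python
"""Added illustration (not from the article or any DOD program): a minimal
configuration-compliance check of the kind the article describes, run over a
constructed fleet of hosts with different platform profiles."""
from dataclasses import dataclass

# Constructed baseline: which ports each platform profile may expose and which
# host settings it must have. Profile names and values are assumptions.
BASELINE = {
    "workstation":   {"allowed_ports": {22},      "firewall": "on", "max_sig_age_days": 1},
    "web_server":    {"allowed_ports": {22, 443}, "firewall": "on", "max_sig_age_days": 1},
    "legacy_afloat": {"allowed_ports": {22, 80},  "firewall": "on", "max_sig_age_days": 7},
}


@dataclass
class Host:
    name: str
    profile: str          # key into BASELINE
    open_ports: set       # observed listening ports (constructed sample data)
    settings: dict        # observed host settings (constructed sample data)
    mission_weight: int   # 1 (low) .. 5 (supports critical command and control)


@dataclass
class Finding:
    host: str
    kind: str
    detail: str
    risk: int             # severity scaled by the host's mission weight


def check_host(host: Host) -> list:
    """Compare one host's observed state with the baseline for its profile."""
    base = BASELINE[host.profile]
    findings = []
    # Ports open that the profile does not allow: the central "what ports are
    # open" decision the article mentions, checked per host.
    for port in sorted(host.open_ports - base["allowed_ports"]):
        findings.append(Finding(host.name, "unexpected_port",
                                f"port {port} open", 2 * host.mission_weight))
    if host.settings.get("host_firewall") != base["firewall"]:
        findings.append(Finding(host.name, "firewall_off",
                                "host firewall disabled", 3 * host.mission_weight))
    age = host.settings.get("av_signature_age_days")
    if age is None or age > base["max_sig_age_days"]:
        detail = "no AV signature record" if age is None else f"AV signatures {age} days old"
        findings.append(Finding(host.name, "stale_signatures", detail, 1 * host.mission_weight))
    return findings


def drift_report(hosts: list) -> list:
    """All findings across the fleet, highest mission risk first."""
    findings = [f for h in hosts for f in check_host(h)]
    findings.sort(key=lambda f: (-f.risk, f.host))
    return findings


def compliance_rate(hosts: list) -> float:
    """Fraction of hosts with no drift from their baseline profile."""
    return sum(1 for h in hosts if not check_host(h)) / len(hosts)


# Constructed sample fleet mixing platform profiles and mission weights.
FLEET = [
    Host("ws-001", "workstation", {22},
         {"host_firewall": "on", "av_signature_age_days": 0}, 1),
    Host("ws-002", "workstation", {22, 445},
         {"host_firewall": "off", "av_signature_age_days": 3}, 2),
    Host("c2-web-01", "web_server", {22, 443, 8080},
         {"host_firewall": "on", "av_signature_age_days": 0}, 5),
    Host("ship-legacy-07", "legacy_afloat", {22, 80},
         {"host_firewall": "on", "av_signature_age_days": 5}, 4),
]

if __name__ == "__main__":
    for f in drift_report(FLEET):
        print(f"risk={f.risk:>2} {f.host:<15} {f.kind:<17} {f.detail}")
    print(f"compliant hosts: {compliance_rate(FLEET):.0%}")
```

Scaling severity by mission weight is what turns a flat list of anomalies into something an operator can act on: the unexpected port on the command-and-control web server lands at the top of the report, ahead of a disabled firewall on a low-weight workstation, even though a firewall outage is the more serious finding in the abstract. The legacy afloat profile shows the other side of the diversity problem: its baseline tolerates older signatures, so the same observation that would be drift on a workstation is compliant there.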

With most situational awareness existing at the level of the services’ individual networks, the Cyber Command would hopefully make collaboration across the services’ cyber operations a priority, said Adam Vincent, Layer 7 Technologies’ chief technology officer for the public sector.

“Coordinating cyber activities between NSA and services will be necessary for adequate cyber defense and response," Vincent said. "The need to share cyber-related information will be paramount, and the Cyber Command will need to put practices and solutions in place to adequately address this need. I hope to see social networking and collaboration technologies to enhance the ability to find relevant expertise and disseminate information within the Cyber Command, with the services and with external agencies.”

An emerging school of thought that many DOD cyber leaders have adopted during the past few years is moving from the idea of overall information assurance to a more focused goal of mission assurance — from a forensic approach of patching holes to more of a risk management model aimed at sustaining critical services to support DOD's mission.

“Security isn't the mission,” Conway said. “Security is an enabler of the mission. That's one of the things Cyber Command is hopefully going to get their arms around to present a choice to the operator: Here's your risk if you don't do any security, here's your risk if you do everything secure, and here's a spectrum of everything in between. That’s a really complicated thing, but the operator needs to know how dependent they are on cyber” and make a decision on what risks are acceptable, he said.

To address an advanced persistent threat, mission assurance focuses on what it calls CIA: confidentiality, integrity and availability — the three aspects of the GIG that allow operators to conduct their missions. “Confidentiality means I can make sure I keep my secrets secret. Integrity means knowing I'm going to protect someone from getting inside my information systems and changing things. And availability means making sure there’s not a denial of service so I can’t use my information systems.”

Tools in Hand

DOD already has many of the technologies required to better manage these risk areas but for one reason or another has yet to deploy them. For example, although there’s been a great deal of energy expended on securing USBs in the wake of the 2008 malware attack on the GIG, data-at-rest protection has failed to be widely deployed. Although data-at-rest protection was supposed to be fully deployed by 2009, only a fraction of the services’ systems have a solution deployed, such as the Host-Based Security System, Conway said.

Data protection technology and insider threat protection are other areas in which the technology is already available to help reduce the risk of confidential data loss or the undermining of data in critical information systems. With insider threats, “there's a fair amount of things that are going on across the defense and intelligence communities,” Raytheon’s Hawkins said. In August 2009, the Defense Information Systems Agency selected Raytheon’s insider threat management tool as the Insider Threat Focused Observation Tool for DOD, and Raytheon has been contracted to provide an enterprise license to DOD for the technology.

“They've proven the technology, and the technology is in wide use,” Hawkins said. “But they need to be in use across the entire enterprise to make them effective.”

The Cyber Workforce Gap

Part of what might be causing DOD’s information assurance reach to exceed its grasp is what experts describe as a shortage of qualified information assurance professionals inside and outside the services and a huge unmet need for training. Workforce management across DOD will be a major issue for the new Cyber Command.

“A very important part of this is not just putting technology in place but being able to have some formalized training to allow people to use the tools,” Hawkins said. “We've had several recent retirees come to work for us, and they say one of the more frustrating things is they can get a lot of technology, but they have to be trained on how to use it."

Although the Cyber Command will draw on the services for capabilities, the new command will need to play a major role in driving how the services build their cyber ranks. “Information assurance is only as good as the person who's actually operating it,” Conway said. “Security tools need to be continually updated and adapted because the threat continues to update itself and adapt itself. It's a spy vs. spy game. You need to have a better spy at the end of the game.”

“The basic question of workforce is facing all of us,” Fuhrman said. “We as contractors are competing for the same talent pool as not only the other contractors but the government itself because the field of cyber warriors is very small.”

DOD is addressing the problem in part through DOD Directive 8750, which mandates that military personnel, civilian employees and government contractors be certified as information assurance professionals before they can have administrative access to DOD networks and systems. “We have to recognize that getting a certification doesn't necessarily give a person the right skills,” Fuhrman said. “Getting this framework in place is good. But the objective for the future has to be to continually raise that bar … and make sure that the cyber workforce really is a professional workforce with the right skills.”
