New threats compel DOD to rethink cyber strategy
The Defense Department's diversity remains its Achilles' heel in the race to improve information assurance.
The Defense Department’s widely heralded decision to create a new Cyber Command by October 2009 is still languishing in limbo. Confirmation hearings have yet to be scheduled for the prospective commander, National Security Agency director Army Lt. Gen. Keith Alexander. And efforts to kick-start the organization have been delayed by congressional concerns over the organization.
Meanwhile, adversaries working in the cyber domain aren’t sitting still. In December, hackers reportedly stole a classified PowerPoint slide deck that details South Korean and U.S. strategy for fighting a war with North Korea. And in Iraq, it was revealed that insurgents had intercepted Predator feeds using software they downloaded from the Internet.
Regardless of how quickly the Cyber Command moves forward, DOD is starting to shift its philosophic focus on network operations from information assurance to mission assurance — recognizing that as the Global Information Grid (GIG) comes under perpetual attack, efforts to deliver information services essential to operators will also need to shift from a focus on total network security to one of risk management.
To achieve that, information assurance experts say, DOD will need to concentrate on significant organizational and training issues as much as it does new technology. And it will need to address the lack of effective command and control for information assurance. That’s partially a technical issue, exacerbated by the diversity of network systems on which the GIG relies. But it also comes down to how DOD manages its networks and develops a concept of operations.
“With IA going forward, there are a lot of challenges,” only part of which is technology, said Tom Conway, director of federal business development at security software company McAfee. “You've got to have enough of the right trained people to do this. How do you get those people? That's a huge issue for everybody, not just in the military. Then, if you've got the trained people, how are they organized, how are they equipped, what are they supposed to be doing in their jobs? And that's something Cyber Command has to [decide] because before it was sort of left to the individual services to do what was best.”
Threats on the Move
Meanwhile, each of the services continues to move forward with its own cyber organizations, with the goal of supporting the new overall subcomponent command under the aegis of Strategic Command. The Air Force has officially formed the 24th Air Force, its “cyber-NAF” (numbered air force), and ground was broken Dec. 11 for the cyber operations center of the new 688th Information Operations Wing.
The Navy, for its part, is forming the 10th Fleet, which will be co-located with the Army Network Warfare Battalion and the Cyber Command at Fort Meade, Md. It is also moving to merge the roles of intelligence and communications under a new staff-level position, with its proposed 10th Fleet and a merged communications and network warfare role at the staff level with the assistant chief of naval operations for Information Dominance (N2/N6).
The Army activated the 704th Military Intelligence Brigade’s Army Network Warfare Battalion in June 2008.
But although the services push ahead in developing their own organizations, adversaries have been enhancing their capabilities as well.
“The tradecraft of the attackers has really advanced in the last few years,” said Thomas Fuhrman, senior vice president at Booz Allen Hamilton. “And they're also very agile. There’s a whole range of threats, but the threats that matter — where we see exfiltration, threats of compromising national security command and control systems — this comes from a very sophisticated adversary.” And based on what analysts see, he said, “They respond to fixes we implement very rapidly.”
In addition, Fuhrman said, there is the proliferation of tools that make it easier for adversaries to attack DOD and other networks — as evidenced by the Iraqi insurgents’ interception of Predator video. “So you expand the range of people who are in this space by the availability of the tools to the work.”
Bailing and Bailing
Part of the problem that DOD faces is that because cyber threats have evolved so quickly, information assurance specialists tend to be in a perpetual catch-up mode in dealing with holes as they’re discovered. “We're still in the mode of … bailing out the ship,” Fuhrman said. “But you bail and bail to no avail because the attacker is always getting better. So the question [becomes] how do we get ahead of this … so we're not always reacting?"
Fuhrman said a central problem is the tendency of information assurance to be viewed as a forensic science, discovering what has already happened: What data was lost; what has gotten onto the network; and were protective measures overcome?
“The question of how we get ahead is very relevant. The problem is, there's no easy answer because of the abilities of the adversary,” he said.
“In DOD, they call it the advanced persistent threat,” McAfee’s Conway said. “It’s advanced in that these are very complicated things being done by sophisticated people, and it’s persistent — and the rate is going up. There is a lot of data exfiltration that's going on and continues to go on. There are data loss prevention technologies that can stop that sort of thing, and that's something DOD can start to roll out now. I think they understand they have a problem, but fixing it is complicated because they're so big, diverse and widespread.”
In fact, DOD’s diversity of configurations remains its biggest information assurance Achilles' heel. Although the services move forward with initiatives to consolidate networks, such as the Navy’s Next Generation Enterprise Network (NGEN) and Consolidated Afloat Enterprise Networks and Enterprise Services (CANES) programs, the sheer magnitude of different configurations make it difficult to manage the risk to the entire GIG, Fuhrman said. “It's hard to enforce consistent configurations and manage those configurations,” he said. “When you have huge networks with such a diversity of platforms, it is very, very difficult to identify the right configurations and then constantly manage them. DOD is taking good measures to improve it, there are standards and components that are being deployed that continually monitor configuration, but this is an unsolved problem — it's very difficult to keep up with that.”
Just the task of delivering a response to a new virus threat creates a major challenge right now, said Steve Hawkins, Raytheon’s vice president of information security solutions. “If you're Cyber Command, you've got to find a way to find — maybe do an antivirus and a signature — for it and get that deployed over literally hundreds of thousands of desktops and laptops and servers,” he said. “I think the scale of the problem for coordinated solutions and the speed they need to detect and put out a defensive measure is their largest challenge, where you'll see them really push hard. The organizational challenge, that's one side of it; but that needs to be focused on facilitating an operation that moves very rapidly to fix problems that you find.’’
Finding the problems in the first place requires something that DOD doesn’t have: situational awareness over the entire GIG. “What that requires is a set of technologies that give them total situational awareness, so they can see what all's going on and in a matter of milliseconds be able to eradicate the offensive malware,” Hawkins said. “It's more challenging than ever to do that because with social engineering, just the acceptance of an e-mail by someone can allow malware into your system. You also have to be able to detect anomalous behavior within your own networks, be able to see it and stop it. There's a whole realm of technologies that are starting to emerge that will allow them to address that part.”
Situational awareness is the core of what the services are trying to create with cyber operations centers — an extension of the operations center model from more traditional warfighting combatant commands to the cyber realm. But just having situational awareness in a cyber operations center isn’t enough, Fuhrman said.
“We see cyber ops centers springing up all the time, and in principle, that's not a bad idea," Fuhrman said. "But the reality all too often is that we throw technology at the problem and say we're going to monitor the heck out of our networks. And the result is operators sitting around consoles 24/7 that indicate line upon line of anomalies that some centers are picking up, and the operators are trying to understand what that means. That's very rudimentary.”
Fuhrman said the next step is going beyond monitoring and moving to true command and control — and understanding how to apply situational awareness to the overall mission. “We need to advance the state of the art and recognize that this, like so many parts of information assurance, is a multidimensional problem. What are we trying to achieve in this ops center? What sort of decisions do we expect the op centers to make? How do those decisions relate to the mission? And how do we get the right tools in the hands of the operators so that they have the leverage to affect those decisions to cause things to happen?”
One role ops centers might best take on is deploying security patches and handling configuration management as an integrated part of network defense, Furhman said.
But another way to look at it would be for DOD and the Cyber Command to view the GIG as a weapons system, he said. “And that means being able to implement configuration control centrally. We don't have that today. It means being able to make decisions that are mission-related and informed by mission requirements but that effect network configuration — what ports are open, what nodes are made accessible or inaccessible.”
With most situational awareness existing at the level of the services’ individual networks, the Cyber Command would hopefully make collaboration across the services’ cyber operations a priority, said Adam Vincent, Layer 7 Technologies’ chief technology officer for the public sector.
“Coordinating cyber activities between NSA and services will be necessary for adequate cyber defense and response," Vincent said. "The need to share cyber-related information will be paramount, and the Cyber Command will need to put practices and solutions in place to adequately address this need. I hope to see social networking and collaboration technologies to enhance the ability to find relevant expertise and disseminate information within the Cyber Command, with the services and with external agencies.”
An emerging school of thought that many DOD cyber leaders have adopted during the past few years is moving from the idea of overall information assurance to a more focused goal of mission assurance — from a forensic approach of patching holes to more of a risk management model aimed at sustaining critical services to support DOD's mission.
“Security isn't the mission,” Conway said. “Security is an enabler of the mission. That's one of the things Cyber Command is hopefully going to get their arms around to present a choice to the operator: Here's your risk if you don't do any security, here's your risk if you do everything secure, and here's a spectrum of everything in between. That’s a really complicated thing, but the operator needs to know how dependent they are on cyber” and make a decision on what risks are acceptable, he said.
To address an advanced persistent threat, mission assurance focuses on what it calls CIA: confidentiality, integrity and availability — the three aspects of the GIG that allow operators to conduct their missions. “Confidentiality means I can make sure I keep my secrets secret. Integrity means knowing I'm going to protect someone from getting inside my information systems and changing things. And availability means making sure there’s not a denial of service so I can’t use my information systems.”
Tools in Hand
DOD already has many of the technologies required to better manage these risk areas but for one reason or another has yet to deploy them. For example, although there’s been a great deal of energy expended on securing USBs in the wake of the 2008 malware attack on the GIG, data-at-rest protection has failed to be widely deployed. Although data-at-rest protection was supposed to be fully deployed by 2009, only a fraction of the services’ systems have a solution deployed, such as the Host-Based Security System, Conway said.
Data protection technology and insider threat protection are another area in which the technology is already available to help reduce the risk of confidential data loss or the undermining of data in critical information systems. With insider threats, “there's a fair amount of things that are going on across the defense and intelligence communities,” Raytheon’s Hawkins said. In August 2009, the Defense Information Systems Agency selected Raytheon’s insider threat management tool as the Insider Threat Focused Observation Tool for DOD, and Raytheon has been contracted to provide an enterprise license to DOD for the technology.
“They've proven the technology, and the technology is in wide use,” Hawkins said. “But they need to be in use across the entire enterprise to make them effective.
The Cyber Workforce Gap
Part of what might be causing DOD’s information assurance reach to exceed its grasp is what experts describe as a shortage of qualified information assurance professionals inside and outside the services and a huge unmet need for training. Workforce management across DOD will be a major issue for the new Cyber Command.
“A very important part of this is not just putting technology in place but being able to have some formalized training to allow people to use the tools,” Hawkins said. “We've had several recent retirees come to work for us, and they say one of the more frustrating things is they can get a lot of technology, but they have to be trained on how to use it."
Although the Cyber Command will draw on the services for capabilities, the new command will need to play a major role in driving how the services build their cyber ranks. “Information assurance is only as good as the person who's actually operating it,” Conway said. “Security tools need to be continually updated and adapted because the threat continues to update itself and adapt itself. It's a spy vs. spy game. You need to have a better spy at the end of the game.”
“The basic question of workforce is facing all of us,” Furhman said. “We as contractors are competing for the same talent pool as not only the other contractors but the government itself because the field of cyber warriors is very small.”
DOD is addressing the problem in part through DOD Directive 8750, which mandates that military personnel, civilian employees and government contractors be certified as information assurance professionals before they can have administrative access to DOD networks and systems. “We have to recognize that getting a certification doesn't necessarily give a person the right skills,” Fuhrman said. “Getting this framework in place is good. But the objective for the future has to be to continually raise that bar…and make sure that the cyber workforce really is a professional workforce with the right skills.”