Cyber Command puts its philosophy into action

The establishment of a Cyber Command (Cybercom) this year — delayed nearly a year by congressional resistance in approving the nomination of Army Gen. Keith Alexander as its commander — marks an important milestone for the Defense Department’s cyber operations, according to observers in the security field.

Although the efforts of the individual services to transform their cyber defense and operations structures have been under way well before the beginning of 2010 — including the 24th Air Force, the cyber component of the Air Force's Space Command, which achieved full operational status Oct. 1 — the establishment of Cybercom at Fort Meade, Md., raises the visibility and emphasizes the importance of cyber as a domain for all of DOD.

That domain extends beyond the boundaries of DOD's networks. “Cyberspace has become a critical enabler for all elements of national and military power,” Alexander said in a June 3 speech at the Center for Strategic and International Studies. “As President Obama’s national security strategy states, our digital infrastructure therefore is a strategic national asset. And protecting it, while safeguarding privacy and civil liberties, is a national security priority."

The challenge of that task was illustrated early in 2010 in dramatic fashion. Aurora, a highly sophisticated cyberattack on a number of technology-related companies, resulted in the theft of intellectual property and precipitated a standoff between Google and the Chinese government. The attack was highly advanced and targeted — much like the sort of threat DOD faces every day, said David Marcus, director of security research at McAfee. The attack was traced to two universities in China, though government officials denied involvement.

“The bad guys have really stepped up their game,” Marcus said. “Aurora's a really great example of it.” The attack used a zero-day vulnerability in Internet Explorer that didn't have a readily available fix, he said. It targeted people who were most likely to have high-value information on their computers.

The attackers did “a high level of target profiling and social engineering,” Marcus said. “That's what we see with targeted attack these days — they've done so much profiling [of targeted people] and set up work that they're essentially assured of at least a level of success when they launch their attack.”

Fittingly, the end of 2010 coincides with DOD’s organizational response to ongoing threats, as Cybercom nears certification of its full operational capability.

Along with the creation of Cybercom, DOD has started institutionalizing a new philosophy for defending networks. This is the year that information assurance was supplanted by mission assurance, focusing network defenses on being able to support combat and other operations in the face of an all-out cyberattack. That not only assures access to DOD network assets but also provides for collaboration between DOD and other agencies, nongovernmental agencies and coalition partners via whatever network is necessary.

HBSS Provides Building Blocks

First and foremost, DOD needs to protect its networks to carry out its core missions. And 2010 saw several major milestones in cyber defense capabilities.

One of the critical building blocks to constructing those capabilities is the Host-Based Security System, the Defense Information Systems Agency’s security framework. This year, HBSS was widely deployed across DOD networks, said Mark Orndorff, DISA's program executive officer for mission assurance.

“I think the highlight over the past year is the progress we've made in getting the HBSS capability deployed across the full spectrum of DOD networks,” Orndorff said. “And while I'd be the first one to say it wasn’t painless, we've come a long way with HBSS, and I think it’s going to be a foundation for a lot of the things that we're going to do in the future. I think we're now at the point where it's a fundamental capability that we are able to rely on and a building block that we can do much more with as we progress into next year."

Maj. Gen. Richard Webber, commander of the 24th Air Force, said the service has made tremendous progress on HBSS during the past 18 months. “It's one of those things that requires other foundation parts to be in place before you can make good progress,” he said.

HBSS offers the ability to more rapidly check networks for compliance with security policies through an element named Policy Auditor. “Policy Auditor will push the policy out across the enterprise, test everything to see if it's compliant, and then collect the results in a way that we can use for lots of different decisions," Orndorff said. "I think over the years, one of the fundamental lessons learned has been that if you can just get your systems configured correctly and keep them configured correctly, a lot of the attack vectors go away. But when you try to get that same compliance across 5 million computers, it can get pretty complicated.”

DISA's deployment of HBSS wasn't as smooth as envisioned. “We started out with a really optimistic plan to go straight at the objective with HBSS,” Orndorff said. “And in doing that, we had some operational impact that set us back a bit. So we stepped back from that approach into a safer phased implementation, where we would do a little, learn, move forward a little bit, and monitor for the next step while we took the first step. And then in that monitoring phase, we would have a better approach to the next level that we wanted to achieve.”

As HBSS' contract nears its end, DISA and DOD are “near the completion of the phases we had laid out,” Orndorff said. The next three phases, which DISA will begin pursuing next year, will build on the foundation that the HBSS program established, he said.

Flexibility at the Edge

Another area that Orndorff said has seen significant improvement during 2010 is DOD's ability to share information outside its networks.

"We've got a lot of capability in place today that wasn't there a year ago," Orndorff said. "We've had the architecture redesigned to make it much easier for us to put in additional capabilities as new requirements are identified moving forward.”

The changes in DISA and DOD's approach to protecting the boundary between DOD's Unclassified but Sensitive IP Network (NIPRNet) and the Internet are a reflection of how important the Internet has become to DOD.

"Obviously, if you look at recent history, DOD is not executing operations in a vacuum," Orndorff said. “We're working with industry partners, nongovernment agencies, with other federal agencies. That NIPRNet/Internet boundary is incredibly important to virtually any type of engagement that we would need to support. So having that boundary set up so that we can maneuver to support mission priorities and provide the best capabilities we need to to support whatever is going on at the time is very important."

The improvements in the NIPRNet/Internet boundary, which formerly were part of DISA's NIPRNet hardening program, make it possible for DOD to adjust what can cross between the networks and at what priority based on mission support priorities. “In the past, you could do specific brute-force actions," Orndorff said. “You'd block something or allow something. But now we're building out a boundary that's much more tunable, so if we're in the middle of military operations and we have to deploy forces forward, at that point [the Transportation Command's] use of the NIPRnet Internet boundary is a whole lot more important than someone checking on sports scores, for example. So we can prioritize the traffic across the boundary in ways that are much more flexible than they ever were before."

Synchronized C2

DOD is beginning to truly centralize situational awareness of its networks through the creation of a clear authority over cyber operations at Cybercom and each military branch's component cyber organizations. Although Cybercom and the services still lack fully centralized command and control, they have begun to put tools in place that will give leaders a better understanding of activity on DOD's networks and urgent actions needed to meet mission requirements.

However, the tools don't yet measure up to the task at hand. “We face a dangerous combination of known and unknown vulnerabilities, strong adversary capabilities and weak situational awareness,” Alexander said in June. "We must first understand our networks and build an effective cyber situational awareness in real time through a common, shareable operating picture. We must share indications in warning threat data at net speed among and between the various operating domains. We must synchronize command and control of integrated defensive and offensive capabilities, also at net speed."

Orndorff said the state of global situational awareness was a highlight for 2010 and a shortcoming. “One of the big changes that we did in the past year was approach all of our projects with the idea that we look at each one and see how we can pull information from each program and provide better situational awareness to the network operators at all levels. So today, it's a little bit fragmented in a sense that each program has its own rollup or own picture that we're producing. But we have the data collection in place and information coming together to provide a situational awareness picture that's going to be fundamental to building out the common operational picture that we need to provide to Cybercom and operations in the future.”