What's DOD doing to protect its networks?
In light the White House hack, we take a look at some of the department’s recent efforts to defend networks with a "whole of government approach."
The recently reported hack last year of the State Department and White House—believed to have been perpetrated by hackers working for the Russian government—has again raised concerns about the security of government systems, the threat from breaches of even unclassified information and the dangers of insider slip-ups.
As CNN reported, the hack did not gain access to any classified material, but the hackers were able to access sensitive information on an unclassified system, including information from the president’s daily schedule that’s not made public.
And a security brief issued by the Soufan Group, an intelligence security firm headquartered in New York, the term hack as applied to the White House breach is a bit misleading. The breach occurred because the hackers sent an email to personnel at the State Department employing a tactic called spear-phishing, which appears to be from someone the recipient knows are trusts and attaches malware in a link or tries to lure the user to a malicious site. Since someone at State opened the malicious email, “the bad actors didn’t have to hack anything; rather they just got an employee to open the front door to the system and let them in,” the Soufan brief said.
Phishing and the more individually targeted spear-phishing are the most common tactics used against government employees, and the best prevention includes educating users so they don’t fall for phishing’s social engineering tricks. The military services have a number of programs and policies on handling email and social media.
User education aside, what else is the Defense Department and other government agencies doing to protect their networks? Here’s a look at some current steps agencies are taking in the ongoing—and never-ending—realms of cyber defense.
Chain of command
First, it is important to define jurisdictions in defending government infrastructure for national security purposes. As Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations said in a recent podcast, the U.S. Cyber Command defends the military’s networks – those with the .mil domain – while the Department of Homeland Security is tasked with defending the government’s websites – those with .gov domains – as well as certain critical infrastructure. Segal also said that U.S. Cyber Command is responsible for offensive operations in the cyber realm as to “deny our adversaries freedom of maneuver in cyberspace,” quoting Adm. Michael Rogers, Cyber Command’s Commander.
Security in the cloud?
DOD has set its sights for years on cloud computing for reasons of cost, flexibility and interoperability, but concerns over security have slowed progress. Eventually, however, could a cloud computing model actually improve security? The Army’s just-released Cloud Computing Strategy, for one, outlines a vision for improving overall cybersecurity by “transferring security vulnerability and patching management of applications and systems to a secure cloud architecture.”
And the Joint Regional Security Stacks that will underpin the DOD-wide and cloud-based Joint Information Environment is expected to shrink DOD’s attack surface by reducing the security enclaves required for existing network access points from more the than 1,000 to 50.
Going on offense
While Rogers has said in the past that previous cyber deterrent methods were not very successful and that the notion of cyber deterrence is still “relatively immature,” http://www.defense.gov/news/newsarticle.aspx?id=128278 recent actions signify that the U.S. could be ready to go on the offensive. A new executive order issued by the president allows for sanctions to be placed on individuals who commit cyberattacks and/or those who benefit from information gained from cyberattacks. It is still unclear how the new executive order will relate to the Russian hack, which occurred last year.
Helping at home
More on the domestic front, the military sometimes offers its services to assist in operations that have national importance, such as national security, under the Defense Support of Civil Authorities (DSCA). This partnership was most prevalent during the aftermath of Hurricane Katrina, when the military lent a hand in rescue operations. Cyber can also be an area for DSCA as U.S. Northern Command and North American Aerospace Defense Command Commander Adm. Bill Gortney explained during a press briefing Tuesday. “In the cyber realm, my assigned tasks are to defend my own networks at NORAD and Northern Command and to assist the lead federal agency, most likely Homeland Security, in the aftermath in a DSCA-type event,” Gortney said.
This can be described as the “whole of government approach,” which was employed following the Sony hack. In a recent podcast Robert Knake, senior fellow for cyber policy at the Council on Foreign Relations, said the Defense Department remained mostly on the sidelines after the Sony hack, but was involved in contingency planning — meaning that if things became worse or another hack was executed, DOD would step in. Knake also said that DHS was not the prime domestic agency investigating – the FBI handled the detective work approaching the incident as a criminal investigation and foreign intelligence operation on the homeland. DHS’ role was disseminating information about the attack to other companies to ensure greater protection.
Perhaps the most sought-after, and trickiest, element is information sharing on cyberattacks. A reluctance to give up information has hindered past efforts to share information between the public and private sectors. Even the Intelligence Community’s Information Technology Enterprise, designed to link the 17 IC agencies on one cloud-based platform, is running into “cultural resistance.”
Rogers told an audience last week in a keynote address at the AFCEA Cybersecurity Technology Summit that what he wants most from Congress is legislation to spur greater information sharing between the private and public sectors. A current bill in front of Congress that would do just that is getting fresh attention in wake of the White House news, although cybersecurity legislation has a long history of getting stuck in congressional gears.
But all hope is not lost. The newly established Cyber Threat Intelligence Integration Center, or CTIIC, is intended to fill the cybersecurity gaps that exist in the Intelligence Community by collecting all the available information on cyber activity, analyzing it and sharing the results with IC agencies. The president’s homeland security advisor Lisa Monaco, outlined four elements for CTIIC’s strategy in an address at the Woodrow Wilson Center earlier this year: 1) improve defenses by managing cyber risk better under the cyber security framework announced last year; 2) improve the government’s ability to respond and prevent incidents; 3) enhance international responses with greater cooperation while holding those responsible for cyber malice accountable; and 4) make the cyber domain more secure, by, for one example, eliminating standard text passwords.