DOD to invest heavily in cyber, although details are murky

The Defense Department is increasing its investment in cyber defense, although the nature of cyber operations means that success depends on more than just throwing money at the problem.

“From a standpoint of cybersecurity, right now we’re on the wrong side of the financial spectrum here. We’re losing,” Defense Department CIO Terry Halvorsen said at a September conference. “The truth is, you can spend a little bit of money and a little bit of time and exploit some our weaknesses, and cause us to have to spend a lot of money, a lot of time.”

With several high profile hacks and data breaches within the last year, the government has a sharp eye toward hardening cyber defenses and tipping this balance. In fact, Secretary of Defense Ashton Carter announced in a Tuesday appearance at the Economic Club of Washington that DOD will be spending nearly $7 billion in fiscal year 2017—up from $5.5 billion last year—with almost $35 billion going towards cyber in the next five years. Carter said that, among other things, the investment in cyber “will help to further DOD’s network defenses, which is critical, build more training ranges for our cyber warriors and also develop cyber tools and infrastructure needed to provide offensive cyber options.”

DOD refused to elaborate on the specifics of investment in cyber, saying instead to keep an eye out for the release of the White House fiscal year 2017 budget, which is scheduled to be released Feb. 9.

However, both military officials and outside commentators have provided some insight into where investments can be made to help tip the balance Halvorsen described to provide some direction to where investments could be made. One option is to give adversaries a moving target. It’s hard to launch persistent attacks on a “software-defined network [SDN] that’s changing all the time… So I want to get to that point where we’re developing something that’s really hard to attack,” Lt. Gen. Alan Lynn, director of the Defense Information Systems Agency and head of the Joint Force Headquarters-Department of Defense Information Networks, said in November. “Imagine networks that would spin up, drop, spin up and drop, and now you’re an adversary trying to get into a network that just dropped.”

“I’m interested in SDN from the ability to move around what I call the information battlefield to execute and stay ahead of the enemy and put up systems and take them down and move them and – just like you would on a modern battlefield,” John Hickey, DISA’s cyber security authorizing official said in January.  

Judson Walker, systems engineering director for Brocade Federal, also believes it’s important to bring in more software than hardware and leverage the new software-defined movement. “I think that really the key to our evolution when it comes to resiliency and survivability is to now leverage this new software-defined movement,” he told Defense Systems, noting that this will help contribute to tipping the balance Halvorsen spoke about. 

Resiliency and redundancy is another critical aspect of security that many have spoken about as well, though not always in a good light. “So when much of what we use today was built, redundancy, resiliency and defensibility from a cyber prospective were just not core design characteristics,” Adm. Michael Rogers, head of the U.S. Cyber Command, said in a January appearance at the Atlantic Council. “That is not unique to the Department of Defense. I see that same challenge every day in the corporate sector and the rest of the government.” Rogers added that defense of the networks remains his number one priority going into 2016. 

Col. William Bryant, deputy director of Task Force Cyber Secure on the Air Staff, argued in a recent paper in “Strategic Studies Quarterly” that “the tendency has been to pour a disproportionate amount of resources into offense while not focusing enough on defense.”  Countering a common saying, he said the best defense is not a good offense, but, rather, a good defense. 

He compared cyber defense to bamboo, as described in an old Japanese proverb that says bamboo stands after storms while the oak tree is felled. He offered a three-pronged approach to cybersecurity: flexibility, relying on network segmentation as well as diverse software and operating programs; reducing the attack surface through limiting access points: and having the ability to respond dynamically to cyberattacks through better intelligence, situational awareness and backing up important information.

Bryant was careful, however, to note that, “While resilience is the key to success for cyberspace defenders, it is important that defenders not neglect traditional network defenses.” 

The Defense Department’s research arm has taken aim at the matter of resiliency, issuing a solicitation for help in not only early detection of threats, but rapidly reducing recovery time from potentially debilitating attacks on critical infrastructure, an increasing reality as evidenced by an investigation by the Associated Press recently that discovered vulnerabilities in the nation’s infrastructure and reports that Iranian hackers gained access to the systems of a New York dam. 

In terms of cyber tools, Hickey, the DISA cyber authorizing official, mentioned a raft of tools he’d like, including big data analytics and greater partnership with the Intelligence Community to see what the enemy is doing. He also mentioned strong two-factor authentication for system administrators. “How do I enable strong authentication on the backside for system administrators is something that we’re looking at—an enterprise capability for privileged management that we can deploy across multiple products,” he said. There’s a new vulnerability uncovered almost every day that administrators must address across multiple devices on the backend. “How do they get away from user name and password?” he asked.

The Defense Department holds its cards very close to the vest in terms of offensive cyber operations and capabilities, much to the dismay of lawmakers. Carter has called on Cyber Command to step up its fight against ISIS in cyberspace, though, to what extent is still unclear. 

Such offensive capabilities can include access to networks for espionage, criminal activity, theft, disruptive or defacement such as distributed denial of service or at the most extreme, destructive such as the Stuxnet virus that damaged Iranian centrifuges.

  “At all levels, cyberattacks aim to deny, disrupt, or degrade enemy capabilities, either directly or indirectly (e.g., through deception). At the strategic level, commanders are more likely to be interested in large nodes or those with outsized ‘leverage’ in the minds of potential adversaries.  Temporary disruption or deception may be sufficient to shape adversary action, but destruction could also be a goal,” a 2013 report published by the Center for Strategic and International Studies said. 

The Obama administration defines offensive cyber operations through Presidential Policy Directive 20  – which was disclosed by former NSA contractor Edward Snowden – as “Operations and related programs or activities—other than network defense, cyber collection, or DCEO [defensive cyber effects operations]—conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States Government networks.” These operations can “offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging,” the directive said, noting that they will take significant investments and might not even exist. Operations such as Stuxnet fall under the category of “significant consequences,” which are cyberattacks that can cause “[l]oss of life, significant responsive actions against the United States, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States.”