DOD cyber official cites 'critical gap' in network defense

Adequate network defense requires proficient understanding of the network. However, as the cyber mission forces are building out, one of the lessons from six years of formal operations is a dearth of network understanding. 

“We don’t understand our networks,” Rear Adm. Michael Gilday, director of operations for U.S.  Command, told an audience at AFCEA NOVA”s Naval IT Day May 12, noting this is indicative of industry as well as government. “The adversary is looking to understand your networks better than you do. We don’t understand them ourselves.”

Gilday compared it to a sailor stepping aboard a ship without a piping diagram that shows where everything is connected and where it goes. With a diagram, “If there’s a leak or if there’s a fire you could isolated it very quickly, contain it and move on,” he said. Without one would be another story. 

“If you can’t understand [your networks], you can’t defend them – it’s as simple as that,” he said.  “It’s not uncommon for us to show up to clean up and incident and we don’t have a piping guide or we don’t have that fuel diagram, we don’t know what valves to close, we don’t know what that network’s potentially connected to.”   

Gilday said that cyber protection teams serve a critically important role. “One of the things that we’ve learned over the past couple of years as we’ve built the force, at least with the cyber protection teams, is that we really needed an incident response capability,” he told the audience.  “So these teams are really designed to assess networks, do penetration testing on these networks, understand these networks, to sensor these networks and to help the network operators defend them…we really had to develop within those teams the ability to have a 9-1-1 capability to respond very quickly and to be able to contain that adversary inside the networks and ultimately eject that adversary from the networks.”

In order to address these situational awareness problems, a primary challenge is understanding  legacy networks, how they come together and what they touch. It is then important to “understand very quickly what the state of that network is and understand what normal looks like so that you have indications on whether or not you have an adversary inside of your systems,” he told Defense Systems following his remarks. “So we don’t necessarily have that across the board right now for all of our systems. Certainly we don’t have it holistically, so it’s a huge challenge for us because you find yourself behind in terms of…containing that adversary in a system and then ejecting them out of the system.”

“We do not have great situational awareness holistically over the battlespace, over the networks – we just don’t. It does not exist. That’s a critical gap,” he continued, adding that the force is starting to address the issue but it’s a very complex problem set to “get our arms around.”

Gilday also provided a threat briefing of sorts as it applies to what he described as the three watch words that drive everyday cyber operations – speed, precision and flexibility – using the backdrop of two recent high-profile intrusions.  “If you take a look at what happened at [the Office of Personnel Management], it took that particular adversary six months to get to the point where they were able to exfiltrate all of that information. For the Joint Staff intrusion, the actor that we had to face there moved much quickly.

“So the actor in that penetration did in 24 to 48 hours what it took the OPM adversary to do in six months. That’s speed, precision and flexibility – you have to be able to move fast,” he said referencing the theft of millions of records from OPM – thought to be conducted by China – and an intrusion into the email system of the Joint Chiefs of Staff – though to be conducted by Russia. “But when you show up and you don’t know what the network looks like it becomes a problem.”