(A Forthcoming Lexington Institute Study)
The Department of Defense (DoD) is at an inflection point with respect to its information networks and their security. The U.S. military is more dependent than ever on its networks which are continually expanding, incorporating new technologies such as mobile devices and Cloud services and adding new features. In order to more effectively, efficiently and securely exploit the advantages inherent in a networked force, DoD wants to change how its networks are organized and managed. The goal of this effort is greater standardization, end-to-end visibility, improved situational awareness, economies of scale, reduced operating costs and improved security in the face of an evolving threat.
As recent events have demonstrated, the threats to DoD’s networks are increasing in numbers and sophistication. It is imperative that DoD create a next generation cyber security system, one that can counter evolving threats, including malign insiders, provide security from the chip to the Cloud, improve both the speed and effectiveness of defenses and do all this while reducing costs. The goal should be to achieve a seamless network defense, a single pane of glass, with end-to-end visibility, situational awareness, rapid information sharing and threat detection and mitigation at network speed.
The Defense Information Systems Agency (DISA), DoD’s premier combat support agency, is responsible for, among other missions, joint defensive cyberspace operations. DISA invested more than a decade and significant resources in providing DoD’s network with its first coordinated, department-wide security system, the core of which is the Host-Based Security System (HBSS). HBSS is a commercial off-the-shelf (COTS) based application that has undergone rigorous security, functionality and compatibility testing that proved its effectiveness on more than 7 million endpoints. When properly managed, with trained operators, kept up to date and fully implemented, HBSS is reported to be extremely effective against today’s spectrum of threats. In order to have secure networks in the 21st Century, DoD must pursue a six-step strategy:
Build on existing investments in security. It is important that a new security system builds on DISA’s current successful investments and experience with HBSS. DoD is simply too large and complex an institution to start from scratch each time a new generation of security is required. Moreover, the current capabilities are still relevant. They have been thoroughly tested and vetted in the real world. If properly maintained, they permit new investments in security to be focused on more challenging tasks such as mitigating the advanced persistent threat. In addition, many currently deployed security controls can be leveraged and repurposed to provide additional support for the single security architecture. A decision to start anew, from the ground up, could add hundreds of millions of dollars to the cost of this project, impose significant time penalties (potentially years), require retraining of personnel and, most significantly, create the potential for adding new vulnerabilities.
Create a single security architecture. This architecture must eliminate stovepipes, reduce access points (the so-called attack surface), consolidate network administration, ensure configuration control and coordination of upgrades, enable end-to-end situational awareness, provide the mechanism for information sharing and support threat detection and mitigation at network speed. This must be an open architecture of connected security, able to incorporate new applications but based on a single scalable platform and unified framework. A new security architecture presents a unique opportunity to build security into the network from the initial stage of system design. Now is the time for DoD to think strategically and optimize the enterprise, networks and security architecture for long-term growth, reduced risk of surprise and maximum operational flexibility.
Establish an overall system manager for the new architecture. Given the scale, complexity and changing character of DoD’s networks, it is imperative that there be an overall system manager (with policy coordination responsibilities), a single responsible entity that can maintain configuration control while advancing security capabilities across networks. The single manager also would assist DoD in realizing its goals of increased overall enterprise effectiveness and efficiency in the provision of services, particularly security. In close collaboration with the government, the single manager can find its way across the very challenging landscape of DoD enterprise security. In particular, looking ahead, the single manager would support the efficient allocation of resources while avoiding redundancies.
Build in plans that will allow for growth and adaptation as threats change. Cyber security is the quintessential competitive strategy in which each offensive action produces a corresponding defensive measure which, in turn, propels the offense to renew its search for another avenue of advance. The need for newer, more capable cyber solutions will be driven first and foremost by changes in threats, but also by the development of new network designs and management strategies, the addition of new network technologies and even by changes in cyber security capabilities such as next-generation non-host-based security technologies. Security must be proactive rather than reactive and cover the entire network life cycle. New technologies and tactics, techniques and procedures are needed to detect anomalous behavior, minimize the duration of successful intrusions and mitigate the effects of successful attacks.
Empower the new architecture through increased automation. It is clear that the key to successful network security rests with the speed at which anomalies can be detected, prospective threats analyzed, mitigation efforts initiated and adversaries’ dwell times on the network reduced. The sheer size of DoD’s array of networks, their state of constant flux, the increasing speed at which information is moving on its networks and the growing sophistication of threats have already made it impossible to provide the required level of situational awareness and timely sense and response to intrusions solely with human security personnel. The ability to counter sophisticated threats employing purpose-built tools and targeted malware will require the extensive use of automated detection and response systems and adaptive threat prevention routines operating at network speeds. Automation can reduce manpower costs while reserving critical, highly trained personnel for the most important cyber missions.
Exploit the strength of the commercial market. Expanding the effectiveness and coverage of cyber security systems in a timely manner and at an affordable cost will necessitate exploiting commercially driven research and development and commercially available products. The private sector has demonstrated an ability to rapidly develop, field and integrate new solutions. Given the pace at which the threat is evolving, this is critically important to managing the problem. DoD must leverage commercial IT products and services if it is to reduce the costs for cyber security and improve overall security effectiveness. Where possible, DoD needs to acquire COTS capabilities because government off-the-shelf technologies lag in effectiveness, are not developed in cybertime, and are not cost effective in 2015. The Pentagon also needs to study the methods employed by the private sector to reduce manpower usage and other costs associated with cyber security.