Takeaways from Security Solutions 2019
Security Solutions 2019: A new venue, fresh insights into mission assurance for the global enterprise.
Security Solutions 2019 welcomed its guests to Norfolk, Va., part of a vibrant metroplex that hosts the Norfolk Naval Station, the Joint Expeditionary Base Little Creek, Joint Base Langley-Eustis, and other military facilities.
Attendees enjoyed high-quality presentations and breakout sessions, packed with first-hand insights and thought leadership from some of the leading experts in cybersecurity, risk management and compliance, cloud security, and enterprise security.
Telos board member Maj Gen John W. Maluda (USAF, Ret.) opened the proceedings with his usual joie de vivre and good humor. He welcomed the attendees by emphasizing that “Security Solutions is about taking care of our family.” He then introduced Telos Chairman and CEO Mr. John B. Wood, who described the conference as “A way for us to share with you, but more important, for you to share with us what’s important to you.”
GEN Alexander Outlines a Strategy for Effective Cybersecurity
Mr. Wood introduced the event’s featured keynote speaker, GEN Keith Alexander (USA, Ret.), former NSA director and USCYBERCOM commander. His address, “Roadmap to Freedom: The Strategy of Effective Cybersecurity,” drew on his vast experience in both military and intelligence leadership.
GEN Alexander highlighted the challenge of securing an ever-growing volume, velocity, and variety of data in critical areas such as the supply chain, healthcare systems, and critical infrastructure. He emphasized the importance of stopping attacks before they begin rather than responding to incidents after they’ve occurred.
He also observed that signature-based security requires someone to get hit in order to discover and identify threats. He used the analogy of air traffic control using auto detection and management of aircraft in flight: “You wouldn’t wait for an air collision as a data point for managing air traffic.” Instead, cyber operators need to use behavioral analytics to find malware at network speed and leverage machine learning, artificial intelligence, and algorithms to discover “unknown unknowns.”
Making progress here is essential, according to GEN Alexander, given that “theft of intellectual property from the defense industrial base is the greatest transfer of wealth in history.” He also acknowledged companies such as Telos Corporation and Amazon Web Services (AWS) for helping with this effort of developing what he called “a process for collective security for this country.”
Thought leaders from across government share their insights into protecting and managing critical assets.
Several of the keynotes, sessions, and panels during Security Solutions 2019 covered critical issues in cybersecurity, cyber risk management, and IT compliance:
Mr. Peter Gouldmann, the U.S. State Department’s enterprise risk officer for cyber, offered the premise that linking cybersecurity and cyber risk management leads to good business governance and business success. To achieve this, it’s essential to know your mission or business, characterize your specific threats, and to account for the appropriate risk treatments and considerations.
In the federal space, a key element in fielding assured systems is gaining an Authorization to Operate (ATO) via an assessment and authorization (A&A) process that follows the NIST Risk Management Framework (RMF). Ms. Monica Montgomery, risk management chief in the Office of Cybersecurity at the National Geospatial-Intelligence Agency (NGA), offered guidance on how to expedite this process with an overview on “Making the RMF Work for You.”
The NGA has led high-profile efforts to achieve “ATO in a Day” by making use of SecDevOps, controls inheritance, and narrowly focused controls-tailoring to condense processes and hopscotch among the steps of the RMF. Their work is supported by a template NGA has developed for use with Xacta® 360, Telos’ solution for automated continuous risk assessment and reporting for NIST controls and frameworks.
Ms. Montgomery said that NGA also offers new systems the possibility of a “special ATO” if they can show compliance with minimal controls and can show system need. Essentially, they go into operation and then come back to do the full assessment in six months.
Senior Leaders Offer Their Insights into DoD Cybersecurity
Telos Vice President Maj Gen Paul Capasso (USAF, Ret.) sat down for a fireside chat with Air Force Maj Gen Patrick C. Higby on cybersecurity threats, challenges, and opportunities. As director of DevOps and lethality with the Office of the Assistant Secretary of the Air Force for Acquisition, Technology and Logistics, he said it’s important to know whether the Air Force already has a particular cyber solution, whether industry has already developed it, or whether “we have parts of the solution and we only need to finish it.”
Once that has been determined, Maj Gen Higby emphasized the importance of solution providers “coding with us, not for us” in a concerted effort to rapidly deliver and iterate solutions rather than delivering years from now. He too stressed the need for fast ATOs to maintain this pace of software delivery, citing the NGA’s streamlined A&A process that establishes a baseline process for SecDevOps.
ATOs were also part of the wide-ranging conversation during a panel on DoD cybersecurity hosted by Telos Vice President Col Dave Kovach (USAF, Ret.). The session focused on cybersecurity vulnerabilities, capabilities, and tactics, techniques, and procedures (TTPs).
Panel members included Col Rick “Rico” Johns, deputy director for Air, Space and Cyberspace Operations & chief information officer, Headquarters Air Force Materiel Command; Col Jeffery Sorrell, deputy director for Operations and Communications, Headquarters Air Education and Training Command; and Col Oscar (Oz) Delgado, cyberspace division chief for the Joint Staff, J6.
The panelists brought a wealth of planning and implementation experience to the ideas they shared about how to speed the RMF for DoD IT, obtain ATOs more rapidly, and provide more value in the fight. Each offered opinions about whether the DoD RMF adds value to the acquisition process or is merely a “paperwork drill” that impedes the rapid fielding of needed capabilities. A related point of discussion was whether fielded systems need to be “near perfect” from a cybersecurity standpoint or just “good enough” with follow-on work to be done in the lifecycle.
They also offered a range of differing views on whether the Air Force and DoD effectively leverage industry experience and capabilities in cybersecurity – specifically, where the military has succeeded, where there are still deficiencies in their engagement, and how to continue to evolve and improve.
The Lexicon Project – Words Matter
Clarity is essential in policy and legislation, never more so than when it comes to regulations driving cybersecurity programs. Mr. John McCumber, director of cybersecurity advocacy for the professional association (ISC)2, shared the essential work the organization is doing to ensure a common and understood language for discussing, and regulating, this area so vital to our common welfare. The Lexicon Project strives to codify the terminology necessary to communicate clearly and develop meaningful policy and legislation. He pointed out that regulation based on slang, the word “hack” for example, is meaningless, and even dangerous.
“You Can’t Exploit What You Can’t See”
One straightforward way to protect systems and applications is to keep adversaries from seeing them in the first place. That was the idea behind the session led by Telos Senior Product Manager Mr. Tom Badders, who offered an overview and demonstration of Telos Ghost®, a secure network solution that lets organizations minimize or eliminate the attack surface with obfuscation and managed attribution.
Obfuscation eliminates digital exhaust by using dynamic IP routing to send data through a seemingly random number of virtualized cloud-based nodes to the exit node, eliminating source and destination IP addresses from node to node. The data is also protected with up to four layers of cryptographic tunnels.
Managed attribution lets users choose their point of presence and persona while conducting threat research or cyber operations on the internet. Technical attribution lets users control the technical details including specifying their location, swapping end-point IP addresses, and changing their point of presence on demand. Personal attribution lets users establish a convincing online persona and ensure all of their activities are consistent with this persona.
These capabilities are valuable for cyber threat intelligence research, incident response, penetration testing, supply chain security validation, and for private voice/video/chat while hiding your current location. Together, they offer an anonymous way for enterprises to do business, connect global resources, and conduct research online.
Strategies for deploying, leveraging, and securing the cloud were among the topics at Security Solutions 2019.
This year’s Security Solutions featured a variety of speakers on issues relating to cloud strategy and cloud security. Conference guests could select from a variety of sessions and panels, including the benefits of accelerating cloud security, the DoD perspective on cloud, and the challenges of FedRAMP authorization.
Driving Cloud Adoption with Security Compliance Automation
At one time, the use of commercial clouds for government applications seemed to be a contradiction. How could a resource designed for accessibility and intended to host all manner of data and applications be safe enough for sensitive and even classified requirements?
Today’s leading commercial cloud providers have made great strides in assuring the security of the cloud, especially in enclaves designed specifically for government applications. Mr. David Levy, vice president of US government for Amazon Web Services (AWS), compared this work to 19th-century architect Frederick Law Olmsted’s vision for Central Park as a place where excellent design and rules for decorum would create a zone of peace and quiet in the heart of a chaotic city.
Going further, Mr. Levy suggested that security and compliance automation are now driving the adoption of the commercial cloud even for classified requirements. That was certainly true for the CIA, which turned to AWS for its Commercial Cloud Service (C2S) cloud region. The Intelligence Community wanted to accelerate technology innovation to match the speed of commercial enterprises. The C2S cloud allows them to do this, with EC2 delivering server capacity at scale with instant provisioning and scalability.
To provide the critical security compliance piece of C2S, Mr. Levy explained, AWS worked with Telos Corporation on a solution that “revolutionized the process of getting an ATO,” with workloads that can inherit specific controls, support for instant updates to security controls, and other capabilities that streamline the A&A process. Some 160 services that support automated controls inheritance are now available to the IC in the C2S/SC2S environment.
Telos has been a key partner since day one in this work, according to Mr. Levy, and is today a resource in the “ATO on AWS” program for FedRAMP, DFARS, and other security compliance requirements.
Going Deeper into Cloud Security
We were privileged to have cloud security expert Mr. John Nicely back at this year’s Security Solutions to provide his insights on accelerating security in the cloud. As former director of cloud security for a U.S. government agency whose cloud environment uses Xacta, he offered his personal experience with challenges and opportunities for streamlining cloud security compliance.
Mr. Nicely began with a profile of the ideal solution for managing risk and validating ongoing security compliance in a cloud environment leveraging data science techniques to achieve true continuous monitoring. He was looking for expertise with the NIST Risk Management Framework and related NIST frameworks; a COTS solution that would support rapid updates of the NIST standards and leverage inheritance from common control providers; the ability to automate as much of the assessment and authorization process as possible; and the ability to provide the data needed for threat-informed risk management.
The solution chosen was Xacta, a solution suite for all decision-makers to use that’s optimized for cloud security compliance and designed to support ATO reciprocity among agencies with automated controls inheritance, reporting, and documentation. This approach complements the shared responsibility model for cloud security, in which the cloud provider manages the security of the cloud, whereas the customer is in charge of security in the cloud.
By building out “provider projects” from which customers’ projects could inherit pre-vetted controls, Mr. Nicely explained, a cloud-based user community could save time and effort getting to their ATOs – in some cases, eliminating a majority of the control requirements in the process. The Xacta solution supports this “Continuous Risk Engine” capability on an ongoing basis to support the continuous monitoring requirements of the NIST RMF, FedRAMP, and other federal A&A processes.
Managing Costs and Compliance in Cloud-driven Enterprises
Another popular session at Security Solutions was “Governance@Scale,” a panel on assuring and managing cloud security, compliance, and cost on the scope required to support today’s enterprise requirements.
The panel members included Mr. Brett Miller, AWS technical program manager and chief architect for Compliance Quick Starts and Governance@Scale; Mr. Brian Price, senior vice president, cloudtamer.io; and Telos VP Mr. Stephen Horvath.
The panel noted that as migration to the cloud continues apace, some common themes are arising among cloud users. These include the need to gain and keep control over cloud resource usage and related costs, concerns over the lengthy ATO process, and the ability to manage security operations and compliance requirements.
The panelists then offered insights into ways that AWS’s Governance@Scale initiative helps enterprises gain control of their cloud usage with capabilities for account management, budget and cost management, and security and compliance automation.
DoD Cloud: Strategies for Success
The role of the cloud in DoD is a major topic in the federal IT community. We were fortunate to have two authorities in the field to brief this year’s Security Solutions conference.
Mr. Jason Howe is the AF/A1 CTO and chief cloud architect in the A1 CIO Support Division, Plans and Integration Directorate, Manpower, Personnel and Services, Headquarters Air Force in the Pentagon. Col Ross Morrell is chief, Cyber Operations Division, and director, JCC, NORAD & USNORTHCOM.
Mr. Howe observed that a culture shift is necessary to embark on a cloud journey, especially in organizations as large as the military. He also noted that convincing partners is a challenge, and there’s a double-edged sword being wielded in all risk decisions – technology vs. business or mission outcome.
Col Morrell advised against going to the non-technical people in a component and saying, “I can solve your problems” with the cloud. Success calls for carefully crafted messaging and education throughout the enterprise. He also stressed that executive sponsorship is the most important key to a successful cloud journey, but that a grassroots effort is also needed.
The colonel advised a phased approach to the cultural change – starting with small problems that lead to quick wins, and going to people who have a significant pain point that the cloud can help. Eventually others will want to share in their success.
With sponsorship at the top and grassroots support below, the hard part is penetrating the “frozen middle,” of which the acquisition process is part. Col Morrell said that taking a three-year view, as traditional acquisition does, deters scalable solutions and discourages innovation. He suggests using prototypes and pilots to prove a business case, and that “safe” failures as part of that process should be rewarded.
FedRAMP Authorization: Challenges and Opportunities for Acceleration
FedRAMP compliance continues to be a burning topic in the federal cloud world. While improvements have been made, it is still a very expensive and time-consuming process.
A Security Solutions panel on FedRAMP acceleration helped shed some light on the issues involved. Its members included Mr. Brad Schulteis, Rackspace director of government solutions; Mr. David Trout, SecureIT president and CEO; and Telos compliance expert Ms. Milica Green. The moderator was Telos VP Mr. Tom Ryder.
The panelists agreed on the need for applying as many automation capabilities to the process as possible. Automated controls inheritance, content management, and report generation are among the capabilities offered by cloud compliance automation solutions that can help reduce the time and cost involved in FedRAMP certification.
However, not everything can be automated. The members agreed that people are needed throughout the process, and that technology-enabled guardrails help but don’t replace human expertise and intervention. The use of a managed secure cloud hosting service adds value with subject matter expertise, 24/7 security center, and support for continuous monitoring.
An interesting point of their conversation was noting that there are two basic categories of ISVs looking for FedRAMP authorization: traditional ISVs that want to introduce cloud versions of their products to the federal market, and “born in the cloud” SaaS providers that want to begin marketing their offerings for federal use. Ironically, the “cloud-native” providers may have the more difficult time since they may already have made development decisions that would be hard or impossible to reverse.
The panel also said they wouldn’t recommend the JAB (Joint Authorization Board) approach to most customers because JAB won’t accept any risks, making it the more time-consuming and difficult path to authorization. For most aspiring ISVs, it usually makes more sense to go the agency route.
Sessions on the DoD enterprise, Zero Trust approaches, and critical infrastructure were among the offerings.
This year’s Security Solutions conference brought together a variety of perspectives on solutions for securing the enterprise in both the public and private sectors.
Mr. John (Jack) W. Wilmer, DoD’s deputy CIO for cybersecurity, provided an overview of the DoD CIO perspectives on enterprise security. He went over how the National Defense Strategy is helping the department to focus on digital modernization. This focus is practically demonstrated by the appointment of deputy secretaries for artificial intelligence (AI), cloud, C3, and cyber.
In his review of the DoD Enterprise Cloud Strategy, he said that cost-savings is no longer as much a focus of the cloud as is the increasing agility it offers in providing IT solutions. His group “can do things better” by leveraging the cloud, thanks to the effectiveness and speed of delivering services.
The strategy calls for leveraging a combination of general-purpose and fit-for-purpose clouds along with the advantages provided by multiple commercial cloud providers. He also observed that JEDI – the Joint Enterprise Defense Infrastructure, DoD’s proposed cloud infrastructure network – will lead to other cloud contracts based on that template.
The move to the cloud is also bringing new lessons about security and accreditation. It doesn’t help, he said, to have a great cloud environment if assessment and authorization is still dragging. These processes can be expedited through SecDevOps, controls inheritance, and other approaches and technologies.
Hardening the Next Generation Attack Surface
The federal IT enterprise offers an intimidating number of challenges to those charged with its protection. Mr. Cameron Chehreh, CTO for Dell EMC Federal, presented “Mission to Modernize: Hardening the Next Generation Attack Surface.”
Noting that increased spending on cyber protection hasn’t resulted in increased security, he advocates focusing on application security and network virtualization to make security intrinsic and mission-centric rather than bolted on as an afterthought.
Network virtualization creates “a ubiquitous layer between the physical infrastructure and applications into which we can inject security.” He also suggested that enterprises adopt five principles of mission-centric cyber hygiene that can move the enterprise to more effective security:
#1 Least Privilege – Users and components should be allowed the minimum access they need to perform their job or purpose. A Zero Trust architecture is hard to implement, Mr. Chehreh said, but it is a necessity. An example of where it’s indispensable is supply chain risk management (SCRM), which is “one of the most fundamental important issues our country faces.”
#2 Micro-segmentation – Dividing the IT environment into small parts makes it more manageable to protect and to contain the damage if one part is compromised. In this model, every workload is its own security perimeter, which supports enforcing security policies at an extremely granular level. Software-defined networks (SDN) help make it possible for micro-segmentation policies to be fully automated and location-independent.
#3 Encryption – For critical business processes, all data should be encrypted in transport and at rest, all the way to the tactical edge. In the event of a data breach, stealing critical files should only result in obtaining unreadable data.
#4 Multi-factor authentication – The identity of users and system components should be verified using multiple factors (not just simple passwords) and be commensurate with the risk of the requested access or function.
#5 Patching – Systems should be kept up to date and consistently maintained. Any critical system that is out of date is a meaningful security risk.
Ultimately, an organization’s crown jewels are its mission-critical business applications and the data they access and interact with. The compromise of these assets represents significant risk for the organization. A focus on application-centric security coupled with a virtualized network environment are major factors in modernizing the IT enterprise and hardening the next-generation attack surface.
A Deeper Look at Zero Trust
The Zero Trust security model holds that enterprises shouldn’t trust anything inside or outside the perimeter by default. Instead, they should positively confirm any attempt to connect before permitting access. The concept has been around for nearly a decade, but is rapidly being taken up as attacks become more sophisticated and the results more devastating.
Mr. Tom Conklin, a security specialist with Aruba Networks, offered his thoughts on “The Trouble with Trust” from the perspective of the mobile enterprise.
It isn’t surprising that Zero Trust would be of interest in secure mobility, given that the traditional enterprise network perimeter has seemingly melted away. Today’s mobile workforce operates with an “anyplace, anytime” mentality, empowered by BYOD policies and the growing power and sophistication of mobile devices and the apps that run on them.
However, those same dynamics also lead to a nearly infinite attack surface, exposing the enterprise to greater vulnerabilities that bad actors can quickly exploit. Mobile security practitioners need to be able to manage security based on user, location, device, apps and data being accessed, and a host of other parameters.
The Zero Trust philosophy (and the architecture supporting it) assumes the worst about anyone or anything trying to access enterprise resources, requiring them to validate their authorization to proceed at each step. That’s especially valuable in mobile communications, where the number of people and devices that need access to the enterprise is nearly limitless.
Implementing Zero Trust security, tailored to protect today’s mobile workplace and workforce, helps enforce IT policies across all elements of the wireless-enabled enterprise. It enables the IT department to identify all traffic by user, device, and application, providing full visibility into and control over the use of network resources. It protects both corporate and guest Wi-Fi networks and enables the safe use of all mobile devices, whether owned by the organization, the employee, or guests such as vendors and contractors. It also assures the security of IoT devices.
AMHS plays a key role in the world’s mission-critical enterprise communications.
One of the most robust communications solutions used by mission-critical organizations is the Telos Automated Message Handling System (AMHS), which provides a secure web-based application for DISA’s Organizational Message System (OMS). The OMS lets government enterprises transmit and receive command-and-control and other official correspondence that requires the authority of an organization rather than an individual sender.
Mr. Jeff Bentley, chief of the National Gateway Branch for DISA, returned to this year’s Security Solutions conference with an update on the OMS. He explained that organizational messaging and directory services enable the exchange of official information between military organizations as well as supporting interoperability with allied nations, non-DoD activities, and the Intelligence Community. OMS operates in both strategic/fixed-based and tactical/deployed environments.
He reviewed the history of OMS, going back to its days as the DMS (Defense Messaging System) and covering some of the technologies it was intended to complement or replace. Many of those technologies have survived to the present day, which means OMS continues to support a half-century’s worth of network, communications, and messaging protocols.
Mr. Bentley said that senior leaders are often surprised to learn just how much OMS does, which adds up to “all the stuff your email can’t do at DoD.” Because it supports quick and reliable delivery for authoritative communications, its applications read like something out of a spy thriller: terrorist warnings; “eyes-only” messages; military execution orders; intelligence information; overflight clearances; and Emergency Action Messages for nuclear C2 are just a few examples.
With Telos AMHS as its front end, OMS users are able to send and receive rich-text messages across domains and in different formats using plain language addresses. They can search messages, archive messages, and send attachments of up to 200MB to accommodate photos and videos of terrorists, most wanted notices, maps, and satellite images.
In addition to an overview of OMS’s current capabilities, Mr. Bentley covered the progress made to improve existing OMS services and to enhance its technical performance going forward. These improvements will support modern data transports and directories, enhanced interoperability, and secure cross-domain capabilities for communications among coalition partners.
Securing Critical Infrastructure: Defending the Homeland
The protection of critical infrastructure is among the signal issues in today’s cyber risk management landscape. Telos Vice President Maj Gen Paul Capasso (USAF, Ret.) moderated a session that touched on some of the highlights of critical infrastructure protection. Featured panelists included Mr. Dennis Brouwer, who works in cybersecurity business development for the Loudoun County (Va.) Department of Economic Development; Mr. John Halinski, senior aviation advisor, Global Security and Innovative Strategies; and Ms. Allison Ressler Tsiumis, section chief of the Cyber Intelligence Section, FBI Cyber Division.
Mr. Brouwer brought insights from his more than two decades of experience as a senior leader in technology-focused business roles in the Northern Virginia region. Loudoun County is home to Ashburn, Va., one of the major hubs for worldwide internet traffic, and the county’s economy relies on critical infrastructure such as power, transportation, and the supply chain for effective operation.
With a deep background in aviation security, Mr. Halinski shared a variety of experiences that inform the constant vigilance needed to assure the safety of the transportation sector in critical infrastructure. He joined TSA in 2004 and left a decade later as its deputy administrator, helping it grow as a high-performance counterterrorism agency and spearheading an operational and cultural change that stressed a risk-based approach to security.
Ms. Tsiumis presented on the FBI’s approach to securing critical infrastructure in the face of highly sophisticated global adversaries using cyber operations against U.S. interests. These threats are made more complicated as the lines between nation state actors and cyber criminals are blurred. To counter these threats, the FBI has distinct authorities as the federal lead for investigations and domestic intelligence operations, including the responsibility to investigate, disrupt, and attribute threats, collect and share intelligence, and prosecute offenders.
Ms. Tsiumis stressed the importance of sharing information with the private sector, critical infrastructure, and the defense industrial base. She also cited the criticality of partnerships between the federal government and the private sector, citing the need to bring together their data and insights in a real-time, back-and-forth flow of information.
Cyber risk management, accelerated ATOs, and personnel excellence are keys to global mission success.
The importance of cybersecurity and risk management in achieving the global mission is brought to life when warfighters explain how critical it is to balance security risk with the needs of the mission. As at past conferences, this year’s Security Solutions featured keynote addresses and panel discussions with distinguished thought leaders from the military.
The first day’s closing keynote speaker, Lt Gen Christopher P. Weggeman, offered his insights into the challenges of information superiority in a high-velocity networked world, and how to ensure that our forces can compete, deter, and win in such an environment.
As deputy commander for Air Combat Command, he observed that the Air Force (and more broadly the DoD) has lately realized that it is a “software company” far more than a “hardware company.” ACC’s assets comprise a lethal yet vulnerable “Intranet of Things.” Thus, a critical task is to optimize all resources – personnel, technologies, and processes – for hardware and software integration in order to foster agility, innovation, assurance, and lethality.
The Bottom Line: Without Cyber Space Superiority, You Lose.
Achieving that level of dominance creates a challenge in systems security and mission assurance in an era where our adversaries are becoming more capable and more effective in their attacks. Thus the Air Force and ACC are fielding Mission Defense Teams – trained and equipped by Joint Cyber Protection Teams – to perform functional mission analysis to identify the key cyber terrain they need to defend.
Lt Gen Weggeman emphasized that the service’s greatest competitive advantage is its people. In such a competitive sector for human resources, this calls for a focus on education even more than on training as well as creating an environment with mission- and readiness-driven accountability. “We have to focus on our people and on creating a culture that fosters the largest, most expansive defense possible.”
Maj Gen Robert Skinner offered an address on warfighting in a cyber-contested environment. He is commander, 24th Air Force, commander, Air Forces Cyber, and commander, Joint Force Headquarters-Cyber.
Calling this “the most important year in Cyber Command history,” Maj Gen Skinner cited the 2019 National Defense Authorization Act (NDAA) as offering wide-ranging authorities on cybersecurity, from boosting the military’s ability to respond to cyber attacks to defending the IT supply chain and fostering greater public-private cooperation.
The NDAA also supports the DoD’s partnerships with federal agencies, academia, and U.S. allies to allow a holistic and coordinated response to threats and to build communities of interest for innovation. In short, it empowers American and allied forces to impose costs on our adversaries through persistent engagement, persistent presence, and persistent innovation.
This is also the rationale for the recently announced merger of the 24th and 25th Air Forces. The synergy among cyber, ISR, electronic warfare, and information operations will increase unity of effort across these capabilities to both improve the quality and speed of decision-making and deliver improved effects for commanders.
“We need a total investment in information warfare, as our adversaries have,” he maintained, emphasizing capabilities that are multi-domain, multi-function, and multi-discipline. In addition, dynamic security needs to be planned into systems rather than bolted on afterward as in years past. Finally, we need to focus on making our workforce more effective and more lethal.
Projecting Power Requires Powerful Cyber Protection
Brig Gen Robert Lyman, the C4 director for U.S. Transportation Command, gave compelling insights into these issues from the perspective of projecting and sustaining military forces around the world. USTRANSCOM’s growing mission leverages a wide-ranging logistics network that encompasses airports, seaports, third-party shippers, and other elements.
Their mission also relies heavily on Guard and Reserve elements and on commercial transportation services. Because so much of this coordination takes place on NIPRNet or even unclassified commercial networks, cybersecurity is critical; in fact, cyber domain mission assurance is Priority 2 for USTRANSCOM, immediately following warfighter readiness in their mission and priorities statement.
Brig Gen Lyman also said that their “sprint to the cloud is now a disciplined march,” suggesting a tempo that’s moderated by the rigor of sound migration processes and procedures. He also averred that USTRANSCOM will be an early adopter of JEDI. That capability will help power the big-data analytics capabilities needed to assure dominance in their decision space.
In a panel on joint cyber operations, Telos Chief of Cyber Strategy Col Stephen P. Corcoran (USMC, Ret.) also explored these and related themes with Col Desmond A. Reid Jr., Commanding Officer, Marine Corps Cyberspace Warfare Group, MARFORCYBER, and COL Jeff Worthington, JSOC J6.
COL Worthington explained that he runs 10 networks that offer many attack vectors; a single one of those networks has 41,000 endpoints. Their threat hunters haven’t found any APTs or other significant hostile incursions, but internal threats are always a concern – “that mouse finger is dangerous,” he mused in reference to “opening the wrong email.” He also suggested that there’s a cultural and generational shift toward security awareness that is helping to maintain generally better cyber hygiene.
Col Reid’s threat landscape is also complicated. Because of the rapid change in technology, there’s a constant need to keep up with new requirements for cyber defense. And because of the relatively low barrier of entry for bad actors in the cyber domain, it remains a potent channel for asymmetrical attacks on U.S. interests.
Thus, baking in security is critical, “otherwise we tend to forget about security.” A well-sensored network with logging helps maintain cyber vigilance, as does persistent engagement – “we learn by doing,” as he put it. He also cited relationships built with other federal agencies, the Intelligence Community, and commercial threat intelligence services as helping to maintain that level of vigilance.
COL Worthington stressed the importance of real-time compliance, which he characterized as “detect in seconds, mitigate in minutes.” With automatic notifications, his people can go to work immediately to address issues on the network. In a recent example, 19 critical highs were discovered for a month-old application, and 14 were fixed within 24 hours. He added that there had been a half-million reported events on their networks the prior week, with only five needing operator attention and just two being true issues that needed remediation. Their average response time is a little over three minutes.
Learning from Air Force Senior Warfighter Cybersecurity Perspectives
A panel discussion moderated by Telos Vice President Col Dave Kovach (USAF, Ret.) focused on cyberspace as an operational, contested domain. Its members included Col Scott Solomon, deputy director of operations and communications, and CIO, Global Strike Command; Col Wade D. Rupper, commander, 251st Cyber Engineering Installation Group; and Col Gregory Davis, director of communications and chief information officer, Headquarters Air Mobility Command.
Each panelist brought a lifetime of experience in planning and executing combat support and combat operations in the Air Force and DoD. Col Davis specifically addressed how cyberspace operations have impacted career field development and the successes and challenges associated with evolving from a “support force” to a “combatant force.” Col Rupper described persistent concerns regarding “what we leave behind” in terms of professional rigor, adherence to standards, and procedure-based training as we focus on domain-centric weapon systems and outsource legacy missions.
Each panelist expressed confidence in our military’s ability to fight and win against peer-state and non-state actors, but also offered sobering insights into the narrowing gap in capabilities. Other topics during a rapid-fire, thought-provoking discussion included the panelists’ perspectives on military roles and responsibilities in growing non-military mission arenas, and Total Force (Active Duty, AF Reserve and Air National Guard) integration in the cyberspace warfighting domain.