1 July 2016

Cybersecurity not just the domain of cyber pros, DISA officials say

Carten Cordell
June 15, 2016

While the spotlight on cybersecurity has been magnified and the Internet of Things has made almost any item connectable to a network, ownership of protecting the network can no longer be limited to just cybersecurity professionals.

That was the message of a panel of cyber experts from the Department of Defense, Defense Information Systems Agency and the U.S. Navy, gathered at the Armed Forces Communications and Electronics Association’s DC chapter meeting on June 15.

“Cybersecurity people can’t really do cybersecurity,” said Richard Hale, DoD deputy chief information officer for cybersecurity.

“Given that computers are in everything now, and given that everything is cyber-attackable, it has to be everybody that has anything to do with designing, building, owning and operating — all these folks have to help do this stuff.”

The panel discussed the future of cybersecurity and efforts by the federal government to adapt to its rapidly changing environment.

As the pace of connectivity spurs forward, the job of protecting the networks has also expanded, often beyond the resources of the people meant to protect them. DISA Chief Technology Officer David Mihelcic said that because of the speed and adaptability of bad actors, cybersecurity has now moved to a kind of horizontal altruism that affects multiple elements of the information technology industry.


“Security cannot be the sole domain of cybersecurity specialists,” he said. “It has to be owned by everyone, to include the program managers and engineers who are developing and acquiring the system, the system administrators charged with operating the systems.

“We are going to have specialists. We’re going to have the CPTs — the cyber protection teams. We’re going to have offensive information and our cybersecurity forces as well, but cybersecurity cannot be the sole domain. We, the developers, the technologists and you, our mission partners, need to ensure that the [whole thing] is secure.”

To that effect, the panel identified a number of challenges and ongoing initiatives that affect the government’s cybersecurity strategy, including:

Acquisition

One of the top hindrances to leading-edge cybersecurity development appears to be the time it takes to navigate the acquisition process.

“We have built a system that tries to ensure that everything is fair,” Mihelcic said. “We’ve also put in place a system that requires us to plan five years in advance for what we want to spend money on, that requires us to upfront our requirements for what we want to buy and requires lots of independent testing and validation. The bottom line is that it could be years.”

Mihelcic estimated that, from establishing a requirement for new cyber tools to contracting and testing, it could take six years to approve, by which time the cyber tool has become outdated.

The solution, he said, is to shift acquisition from a requirement-driven process to a needs-driven one. To achieve that would require an abbreviated IT acquisitions process that identifies agency needs.

“I still do want competition,” he added. “I don’t want to just say, ‘I see one spoon, therefore, I’m going to buy this spoon.’ Now I know that the spoon exists, so I want to say, ‘Anybody that’s got a thing that’s like the spoon, please send me a copy, and I will see which helps me eat cereal the best.’”

Mihelcic said that a rapid acquisition process, coupled with risk management and iterative testing, could achieve these goals, some of which is currently happening at Defense Innovation Unit Experimental.

CYBERSAFE

Vice Adm. Ted Branch, the Director of Naval Intelligence and Deputy Chief of Naval Operations for Information Warfare, said one way the Navy was steering through its acquisition challenges was its CYBERSAFE program.

Inspired by SUBSAFE — a 1963 quality control program started after the loss of the U.S.S. Thresher — CYBERSAFE debuted in 2015 and applies a set of standards through the entire lifespan of an IT procurement, from acquisition through deployment.

“That was the model that we used for CYBERSAFE,” he said, “to come up with a subset of critical components. The most critical components in certain systems that you can think of where there is a single point of failure, it might be a CYBERSAFE article.”

Branch said CYBERSAFE incorporates not only specific standards but also secure supply chains and quality control.

“By using all of that, we establish that secure set of components and the cultural change that goes along with it,” he said.

It’s the defined standards that help streamline the process, and Branch said that the Navy has finished 18 standards with 29 still in progress.

Analytics

Another tool in the cybersecurity arsenal is the use of analytics. DISA deputy chief technology officer for enterprise services Jack Wilmer said that, by using new ways to crunch large amounts of data, the agency has been able to increase threat detection.

“There are certain use-cases that we’ve done, one of them is called Fight by Indicator, which is where we receive reports of malicious activity,” he said. “What happened prior to our analytics is we’d receive these reports and then by hand, we would have to go and translate these reports to figure out the various countermeasures.

“We were able to automate a lot of that, and I think there was a 500 percent increase in the amount of countermeasures that each analyst could implement basically per day.”

Wilmer added that DISA is investing a lot in analytics with the hope of eventually developing real-time defenses.

Mihelcic added that some “quantum leaps” in deploying new analytics would soon be on the horizon, including an August update to DISA’s big data platform.

“That’s the technology that underlies [Cyber Situational Awareness Analytic Cloud],” he said. “What’s going to come out in August is the ability to essentially fork a copy of some or all the data that’s in the data cloud and be able to run custom analytics on top of it that can be mission-focused and not necessarily interact with the rest of the cloud platform.”
