From the Spring 2022 Issue

U.S. Army C5ISR Center CSSP: Leading the Way to a Defend Forward Stance

Bill Christman
Chief | Defensive Cyber Solutions Branch

Cesar Pie
Strategist | Defensive Cyber Solutions Branch

Clinton Hackney
Strategist | Defensive Cyber Solutions Branch

Greg Weaver
Team Lead | Defensive Cyber Solutions Branch

DOD CSSP Program: A Plateau Difficult to Overcome

Since its establishment in 2001, the Department of Defense (DOD) Cybersecurity Service Provider (CSSP) Program (hereafter Program) has progressively and systematically matured to become one of the most critical components of the Department’s defense-in-depth strategy. Today, 27 authorized (certified) DOD CSSPs are responsible for provisioning 24x7x365 cybersecurity services to implement and protect the most complex and largest cyber terrain in the world: the Department of Defense information networks (DODIN), which is simply all DOD cyberspace.

While the DOD CSSPs’ focus is the DODIN, it is important to remark that any of these 27 cyber providers may also be directed to protect other, non-DODIN blue cyberspace. That is, even though DOD CSSPs have standing orders to protect the DODIN, they are ready on order, and when requested by U.S. Cyber Command (USCYBERCOM) authorities, to defend or cybersecure other U.S. Government or friendly cyberspace, as well as cyberspace related to critical infrastructure and key resources of the U.S. and partner nations.

Originally, the blueprint for DOD CSSPs was constructed to passively react to computer attacks and exploitation activities. Most DOD CSSPs did not get to respond to a cyber incident or event until the damage had already been done and a subscriber’s mission had been impacted technically and/or operationally. As nation and non-nation actors and other U.S. strategic competitors continue to conduct cyber-enabled campaigns to erode U.S. military advantages and threaten the DODIN infrastructure, DOD CSSPs have worked closely with other departments and agencies, as well as with our allies and partners, to evolve cybersecurity services to meet their DODIN subscribers’ mission and operational priorities while more proactively protecting and defending the DOD portion of the cyberspace domain.

Gradually, DOD CSSPs have shifted their cybersecurity services from a reactive posture to a proactive one, where the focus is to “defend forward” to gain early understanding and warning of attacker activity, instead of waiting for a breach to happen and then dealing with the consequences. While the initial forward movement was positive and the DOD CSSP Program was able to reach a higher level of performance, the momentum has been lost, with most DOD CSSPs reaching a plateau that has proven difficult to overcome.

A Strategic Reform: Layered Cyber Deterrence

The Program is in need of a top-level strategic revamp. After 20 years, there is a need to reshape the Program to become a more valuable building block of the larger DOD “Layered Cyber Deterrence” strategy. Deterrence, a well-defined concept, has been studied and practiced throughout history. The strategy combines different ways to shape adversaries’ decision making. In its most basic form, the central idea is to increase the effort and decrease the benefits that an adversary anticipates when planning attacks against American interests. While deterrence is an enduring strategy, it must be tailored to meet an organization’s operational threat environment and cyber reality. As it applies to the Program, the strategy requires a whole-of-DOD-CSSP approach, where each DOD CSSP implements proactive enforcement layers and prioritizes cross-CSSP/subscriber-domain collaboration, cooperation, and communication beneath the threshold of cyber conflict to deny, disrupt, deter, delay, and/or deprive emboldened cyber actors targeting the DODIN blue cyberspace.

To construct a meaningful deterrence model throughout the Program, this strategy decomposes each DOD CSSP into 5 pillars: operators (24/7 operators), technologies (used), processes (followed), services (provisioned), and subscribers (protected)—building proactive enforcement layers at each pillar and creating multiplicative non–escalatory conditions that dissuade adversaries from taking unwanted actions:

  • The operators pillar focuses on integrated intelligence (e.g., J-2), operations (e.g., J-3), and C4 (e.g., J-6), as well as cross-CSSP/subscriber-domain/boundary collaboration, cooperation, and communication training for joint decision-making support.
  • The technology pillar focuses on combining enhanced resilience with enhanced attack-attribution capabilities to defend forward proactively with agility, persistency, and speed of cyber.
  • The processes pillar focuses on shaping policies, plans, and procedures to support cross-CSSP/subscriber-domain/boundary deterrence, as well as new guiding principles, practices, and standards to operationalize them.
  • The cybersecurity services (i.e., identify, protect, detect, respond, recover, and sustain) pillar focuses on building baseline and target profiles for continuous improvement and optimization, as well as developing joint mission/business continuity of operations (COOP), disaster recovery operations, and cyber exercise programs.
  • The subscribers pillar focuses on collecting and managing CSSP-initiated feedback (e.g., surveys), as well as subscriber-initiated feedback (e.g., positive accolades, negative complaints), for service-level management and subscriber satisfaction.

Over time, the realization of these pillars matures each DOD CSSP into a high-performing one, collectively and individually reducing the overall severity and frequency of cyberattacks of significant consequence.

Operationalizing Layered Cyber Deterrence Through a Defend Forward Stance

The DOD introduced the terms “defend forward” and “persistent engagement” in the 2018 U.S. Cyber Command vision “Achieve and Maintain Cyberspace Superiority.” The defend forward approach was strategically infused throughout the DOD in its “2018 DOD Cyber Strategy” and further discussed in the “2020 U.S. Cyberspace Solarium Commission” report. For DOD CSSPs, defending forward is simply the act of proactively monitoring and hunting for adversary operations to stop threats at, or as close as practicable to, their source within the DODIN blue cyberspace, before they reach or cause disruptions to subscribers’ data, information systems, and networks. Defending forward is a proactive rather than reactive approach to adversaries’ cyber threats. The concept entails actively observing, pursuing, and countering adversary operations. It also entails layering barriers in day-to-day competition to disrupt and defend against ongoing malicious adversary cyber campaigns, deter future ones, and reinforce favorable norms of behavior using all of the instruments available to the Program.

The approach relies on concurrent, continuous, collaborative, and persistent engagement through defend forward measures tailored to each subscriber’s environment and operational priorities, so as to contest adversaries selectively. This allows DOD CSSPs and subscribers to continually reset their technical and operational conditions in order to place the adversary at a disadvantage, or to force the adversary to maneuver through a less advantageous cyber battleground. Over time, these persistent engagements become constant and reliable sources of intelligence and early warning, enabling agile responses at cyber speed from a more advantageous position should conflict break out. If operationalized adequately, the whole-of-DOD-CSSP approach of defending forward preserves the Program’s critical role in the DODIN Defensive Cyberspace Operations (DCO) realm, while promoting effective and efficient shared warning intelligence, attack sensing and warning, and other indicators and tactics to address the range of malicious adversary behavior occurring in and through the selected DOD portion of the cyberspace domain.

C5ISR Center CSSP: Leading the Way

To incorporate Layered Cyber Deterrence principles under the services pillar, the Command, Control, Communications, Computers, Cyber, Intelligence, Surveillance and Reconnaissance (C5ISR) Center CSSP has fused its DCO services with U.S. Government cyber doctrine and requirements, as well as with the globally recognized International Organization for Standardization (ISO) 9001 Quality Management System (QMS) standard—the world’s best-known quality management standard. Currently, the C5ISR Center CSSP is the only DOD CSSP that has attained ISO 9001 certification status under the scope: “The provision of Defensive Cyberspace Operations services to U.S. Federal subscribers worldwide in accordance with Executive, National, Federal, DOD, and U.S. Army cyber doctrine and requirements.”

Through the ISO 9001 standard, the C5ISR Center CSSP has established a custom, made-to-measure QMS for DCO, designed to regularly measure (e.g., daily, weekly, monthly, quarterly, annually) the mission-critical elements associated with its CSSP DCO mission (i.e., operators, technology, processes, cyber services, and subscriber satisfaction) for decision-making support. Leveraging periodic spot assessments, pre-inspection assistance visits, and annual mock inspections, the C5ISR Center CSSP has tailored its QMS to build baseline and target profiles that generate periodic reports containing lessons learned, best practices, findings, and recommendations for continuous improvement and optimization.

With regulatory-compliant and mission-ready DCO services in constant improvement cycles, the C5ISR Center CSSP is now overlaying its services with the ISO 22301 Business Continuity Management System (BCMS) standard. Through the ISO 22301 standard, the C5ISR Center conducts impact/risk assessments and analysis to prioritize threat actors and the attack surface of its subscribers, thereby narrowing the Mission Relevant Terrain-Cyber to the interdependent systems, networks, and other IT considered critical to subscribers’ Mission Essential Functions and Mission Essential Tasks. The CSSP then uses this information to exercise cyber incident handling, continuity of operations, disaster recovery operations, and other joint mission/business continuity actions—operationalizing the lessons learned, best practices, findings, and recommendations gained from these events. The attainment of ISO 22301 certification status not only provides clear, conclusive, and tangible evidence that the CSSP is in a unique position to meet its own mission/business continuity objectives, but also assists other DOD CSSPs in recovering from a continuity disruption or disaster in the aftermath of a major attack with significant impact on their subscribers.

The Way Forward

First, the Program needs to expand its current CSSP Evaluator Scoring Metrics to cover 5 metric groups: operators, technology, processes, services, and subscribers. As previously stated, the DODIN is simply all DOD cyberspace. This wide and deep attack surface is ever-growing and further complicated by the volume, variety, veracity, and velocity of data generated by a myriad of cybersecurity tools. Today, it is well known that the size and magnitude of the DODIN make it an indefensible target as a whole. It is also no secret that DOD CSSPs cannot protect every information system and network against every kind of cyber intrusion (the DOD’s total network attack surface is too large to defend against all threats and too vast to close all vulnerabilities). Hence, the Program must take preemptive steps to continuously improve and optimize the operators, technologies, processes, services, and subscribers pillars to deter threat actors, while proactively protecting and defending its most important subscribers’ networks, systems, data, and information so that they can carry out their missions effectively and efficiently, even in a degraded state.

Second, the DOD CSSPs’ ability to defend forward with agility, persistency, and speed of cyber will send the right signals to cyber actors that have become undeterred, if not emboldened, in targeting the DODIN. In the face of cyberwarfare with capable adversaries, all 27 DOD CSSPs need to operate in synergy and within a common threat-response strategy to enable a joint force capable of employing cyberspace operations throughout the spectrum of conflict. The Program needs to harmoniously and swiftly shift from responding to malicious behavior after it has already occurred to proactively observing, pursuing, and countering adversary operations and imposing costs to change adversary behavior. Integrating defend forward at the Program level, as part of a broader DOD “Layered Cyber Deterrence,” benefits the joint power of USCYBERCOM, which is ultimately responsible for protecting and defending the DODIN. A defend forward stance gives DOD CSSPs the capacity and capabilities to jointly and methodically collect, collaborate, create, communicate, contest cyber activities, and compete with adversaries on a more advantageous cyber battleground.

Finally, defending forward requires a closer partnership among DOD CSSPs and with subscribers. As it relates to DOD CSSPs, a closer partnership allows the sharing of protection, monitoring, detection, analysis, diagnosis, and response tactics, tools, techniques, and technologies. As it relates to Program subscribers, a closer partnership enables the Program to anticipate the battlefield and identify clear front lines traversing multiple DOD CSSPs’ areas of responsibility. That is, subscribers’ systems, networks, and infrastructure operating in the DODIN are interdependently connected and open to thousands of known (and unknown) vulnerabilities for adversaries to exploit. Because subscribers own their networks, they deserve a seat at the table and to have their voices heard, hence the importance of a subscribers pillar. Together, CSSPs and subscribers can develop and implement better cyber norms based on shared interests and values. If proven effective and efficient, these norms have the potential to become Program best practices, shaping behavior DODIN-wide by encouraging responsible behavior; strengthening the security and resilience of the DODIN in ways that contribute to current and future U.S. military advantages; bolstering cyber capacity and capabilities; expanding combined cyberspace operations; and/or increasing bi-directional information sharing that advances the Program, USCYBERCOM, and our national interests.

Bill Christman and Greg Weaver of the U.S. Army Combat Capabilities Development Command C5ISR (Command, Control, Computers, Communications, Cyber, Intelligence, Surveillance and Reconnaissance) Center; Engineering and Systems Integration Directorate; Defensive Cyber Solutions Branch oversee the U.S. Army C5ISR Center CSSP.

Bill Christman, Clinton Hackney, Cesar Pie, and Greg Weaver
