Whether internal or external to the Department of Defense Information Network (DODIN), passive and active Defense Cyberspace Operations (DCO) are Cyberspace Operations (CO) intended to protect and defend the Department of Defense (DOD) or other friendly cyberspace from adversary actions. A key characteristic of DOD’s DCO is the construct of active cyberspace defense. Active cyberspace defense is described as DOD’s synchronized real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities to defend networks and systems. Simply put, leveraging the full range of DCO, active cyberspace defense builds on the traditional approaches such as layered, adaptive, defense-in-depth approach, with mutually supporting elements of digital and physical protections to defend DOD information systems and networks.
To defend the DODIN, over the past decade, the DOD has trained a large number of DCO operators on a structurally strong, but fragile Command, Control, Communications, and Computers/Cyber (C4) intelligence and operations foundation. Given the size and complexity of DOD information systems and networks, the disparity of organizational business and mission functions, as well as differing operational requirements and priorities, effective and efficient DCO of the DODIN requires a new generation of DCO operators trained to understand the importance of intelligence, operations, C4/cyber collaboration, and decision making integration.
3 Problems Hindering Today’s DOD DCO Operators
Confused by Boundaries
One of the most important, yet challenging problems for DCO operators is understanding the scope of the cyber terrain boundaries they are meant to protect. In accordance with the current Risk Management Framework (RMF) strategy, accreditation boundaries for information systems need to be established before the conduct of initial risk assessments and development of system security plans. This is a very difficult task that is not always performed appropriately and often does not align with operational mission areas.
For instance, a logical boundary that is unnecessarily expansive will make the security certification and accreditation process extremely unwieldy and complex. Conversely, a logical boundary that is unnecessarily limited will increase the number of security certifications and accreditations that must be conducted, which drives up the total cybersecurity cost for the organization. Likewise, a logical boundary defined by a “system owner” without supported “mission owner” input or consideration increases the potential for incorrect categorization and risk determination.
A logical boundary is further convoluted when there are Information Technology (IT) overlays with a geographically or functionally organized DOD component. DOD components are organized geographically (i.e., known as “area of responsibility”, AOR) or functionally. Basically, functional organizations operate world-wide across geographic boundaries and provide unique capabilities to geographic organizations and the DOD, while geographic organizations operate in clearly delineated areas of operation and have a regional military focus. Management of cybersecurity requirements such as implementation of security controls among overlapping logical, geographical and functional boundaries increases complexity and confuses DCO operators.
At its core, a risk picture represented by a logical system-based boundary does not represent the operational mission risk. The confusion at the DCO operator level comes with the lack of clear tactics, techniques, and procedures (TTPs) for when to focus on system(s) risk or the risk associated with the mission enabled by the system(s).
Overwhelmed with the Magnitude of the Cyber Terrain
Understanding the cyber terrain from both a technical and operational perspective is paramount for prioritizing, assessing, understanding, and managing risk.
The current DOD information environment is a complex layering of multiple networks with overlapping, duplicative roles and responsibilities. This wide and deep attack-surface is further complexed by the volume, variety, veracity, and velocity of data generated by a myriad of IT and cybersecurity tools. It is well known that DOD information systems and networks are open to hundreds of thousands of known (and potentially unknown) vulnerabilities for adversaries to exploit. While it was sufficient in the past to focus on network and endpoint protection, today’s applications, cloud services, mobile devices (e.g., tablets, mobile phones, Bluetooth devices, and smart watches), and the Internet of Things (e.g., physical security systems, lights, appliances, as well as heating and air conditioning systems) represent a much broader attack-surface to defend. DCO operators are overwhelmed with what to defend first. In fact, as stated by the Commander, USCYBERCOM, the current network is simply “not defendable.1”
DOD organizations are required to implement an Information Security Continuous Monitoring (ISCM) Program to maintain ongoing awareness of information security, threats, and vulnerabilities. Asset management is the foundation for any ISCM program; all other security automation domains depend on the asset management domain to collect data from assets across an enterprise. The problem, often times, is the data being collected is limited to physical and technical elements (e.g., device location, system make/model/serial number, IP Address, domain, installed software) without consideration of key operational attributes (e.g., supported mission(s), system criticality, accessibility, recoverability, operational dependencies). While the former set of data elements is largely understood by the C4 community, as it serves as the underpinning for managing the cyber terrain, the latter is usually overlooked, even though these data points are equally, if not more, essential to decompose organizational Mission Essential Functions (MEFs) and Mission Essential Tasks (METs). Both are of vital importance to identify mission critical assets, capabilities, and associated Mission Relevant Terrain–Cyber (MRT–C).
To assist DCO operators, DOD needs to not only significantly reduce the attack surface and magnitude of its IT assets. It also needs to operationalize a unified tiered approach to identify the most important assets from all DOD IT. This will help DCO operators narrow the cyber terrain helping them protect the IT considered to be critical to mission execution and success.
A Gap with Available Situational Awareness Visualization Tools
An effective ISCM strategy goes beyond asset management, vulnerability management, configuration management, etc. ISCM is intended to integrate and correlate data from different security domains, often independently operated programs, to provide ongoing observation, assessment, analysis, and diagnosis of an organization’s cybersecurity posture, cyber hygiene, and cybersecurity operational readiness to support organizational risk management decisions.
Today, various existing data visualization dashboards are used to normalize, consolidate, correlate, and present data to support the ongoing monitoring of network operations and cybersecurity. However, most dashboards do not consider correlated threat data and/or operational attributes to deliver an accurate mission impact assessment into risk calculations and decisions.
To operate effectively in cyberspace, DOD DCO operators require shared situational awareness informed by C4 and warning intelligence through all phases of mission operations. Currently, shared visualization or risk picture capabilities that integrate technical and operational feeds from a correlated threat intelligence, vulnerability, and mission impact perspective, are limited. Filling this gap would not only be a giant leap forward for the DOD. It would help mission owners, system owners, and cyberspace operators understand the failures of information systems and networks as well as their dependencies and impacts (technical and operational) during mission execution. It would further provide commanders, directors, cyber defenders, and other intelligence consumers with ongoing and persistent real-time situational awareness as well as the knowledge needed to prioritize efforts and make informed and integrated organizational risk and mission-based decisions.
The Solution: The Next Generation of DOD DCO Operators
It is not a secret that DOD cannot defend every information system and network against every kind of cyber intrusion (the DOD’s total network attack surface is too large to defend against all threats and too vast to close all vulnerabilities). Hence, DOD must take forward steps to identify and prioritize threats, vulnerabilities, and impacts to better protect and defend its most important networks, systems, data, and information. This is so the DOD can carry out its missions effectively and efficiently, even in a degraded state.
To continue to strive to achieve cyberspace superiority in today’s operational threat environment, the DOD needs to develop a new kind of cyber defender. In essence, the linchpin to DOD’s immediate future and dominance in cyberspace is a next generation of DCO operators educated and trained to understand the importance of intelligence, operations, and C4 collaboration. Indeed, DOD’s immediate future in cyberspace involves an integrated intelligence, operations, and C4 workforce operating together with the operators having the overall responsibility for cyber risk within the domain.
It is also important for the DOD to focus research and development efforts to support a joint common operational picture and shared situational awareness environment. New capabilities for providing technical and operational situational awareness need to consider the correlation of technical security controls, the value of assets, data, and information, active and emerging threats, and the potential impact this association may have on the organization’s mission. By linking vulnerabilities, adversary capabilities and intent, with potential mission impact, the DOD will be able to identify high risk areas, prioritize efforts, and take appropriate proactive measures. This capability will provision DCO operators with the required feeds needed to prioritize and make timely, relevant decisions. That is, DCO operators will be capable of making cyber risk decisions within an assigned container that depicts mission impact and acceptable risk, left and right boundaries, and associated parameters for decision making support.
About CSIOS Corporation
CSIOS is certified under ISO 9001:2015 (Quality Management System), ISO/IEC 20000–1: 2011 (Information Technology Service Management System), ISO 22301: 2012 (Business Continuity Management System), and ISO/IEC 27001: 2013 (Information Security Management System) standards under the scope: The “Provision of Cyberspace Operations (Defensive, Offensive, and Information Network Operations) and Cybersecurity services to U.S. Federal customers worldwide.”