Cyber Command puts its philosophy into action

The Defense Department in 2010 established a unified Cyber Command and set to work on a new philosophy on how to defend networks.

The establishment of a Cyber Command (Cybercom) this year — delayed nearly a year by congressional resistance in approving the nomination of Army Gen. Keith Alexander as its commander — marks an important milestone for the Defense Department’s cyber operations, according to observers in the security field.

Although the efforts of the individual services to transform their cyber defense and operations structures had been under way since well before the beginning of 2010 — including the 24th Air Force, the cyber component of the Air Force's Space Command, which achieved full operational status Oct. 1 — the establishment of Cybercom at Fort Meade, Md., raises the visibility and emphasizes the importance of cyber as a domain for all of DOD.

That domain extends beyond the boundaries of DOD's networks. “Cyberspace has become a critical enabler for all elements of national and military power,” Alexander said in a June 3 speech at the Center for Strategic and International Studies. “As President Obama’s national security strategy states, our digital infrastructure therefore is a strategic national asset. And protecting it, while safeguarding privacy and civil liberties, is a national security priority."

The challenge of that task was illustrated early in 2010 in dramatic fashion. Aurora, a highly sophisticated cyberattack on a number of technology-related companies, resulted in the theft of intellectual property and precipitated a standoff between Google and the Chinese government. The attack was highly advanced and targeted — much like the sort of threat DOD faces every day, said David Marcus, director of security research at McAfee. The attack was traced to two universities in China, though government officials denied involvement.

“The bad guys have really stepped up their game,” Marcus said. “Aurora's a really great example of it.” The attack used a zero-day vulnerability in Internet Explorer that didn't have a readily available fix, he said. It targeted people who were most likely to have high-value information on their computers.

The attackers did “a high level of target profiling and social engineering,” Marcus said. “That's what we see with targeted attacks these days — they've done so much profiling [of targeted people] and setup work that they're essentially assured of at least a level of success when they launch their attack.”

Fittingly, the end of 2010 coincides with DOD’s organizational response to ongoing threats, as Cybercom nears certification of its full operational capability.

Along with the creation of Cybercom, DOD has started institutionalizing a new philosophy for defending networks. This is the year that information assurance was supplanted by mission assurance, focusing network defenses on being able to support combat and other operations in the face of an all-out cyberattack. That not only assures access to DOD network assets but also provides for collaboration between DOD and other agencies, nongovernmental agencies and coalition partners via whatever network is necessary.

HBSS Provides Building Blocks

First and foremost, DOD needs to protect its networks to carry out its core missions. And 2010 saw several major milestones in cyber defense capabilities.

One of the critical building blocks to constructing those capabilities is the Host-Based Security System, the Defense Information Systems Agency’s security framework. This year, HBSS was widely deployed across DOD networks, said Mark Orndorff, DISA's program executive officer for mission assurance.

“I think the highlight over the past year is the progress we've made in getting the HBSS capability deployed across the full spectrum of DOD networks,” Orndorff said. “And while I'd be the first one to say it wasn’t painless, we've come a long way with HBSS, and I think it’s going to be a foundation for a lot of the things that we're going to do in the future. I think we're now at the point where it's a fundamental capability that we are able to rely on and a building block that we can do much more with as we progress into next year."

Maj. Gen. Richard Webber, commander of the 24th Air Force, said the service has made tremendous progress on HBSS during the past 18 months. “It's one of those things that requires other foundation parts to be in place before you can make good progress,” he said.

HBSS offers the ability to more rapidly check networks for compliance with security policies through an element named Policy Auditor. “Policy Auditor will push the policy out across the enterprise, test everything to see if it's compliant, and then collect the results in a way that we can use for lots of different decisions," Orndorff said. "I think over the years, one of the fundamental lessons learned has been that if you can just get your systems configured correctly and keep them configured correctly, a lot of the attack vectors go away. But when you try to get that same compliance across 5 million computers, it can get pretty complicated.”

DISA's deployment of HBSS wasn't as smooth as envisioned. “We started out with a really optimistic plan to go straight at the objective with HBSS,” Orndorff said. “And in doing that, we had some operational impact that set us back a bit. So we stepped back from that approach into a safer phased implementation, where we would do a little, learn, move forward a little bit, and monitor for the next step while we took the first step. And then in that monitoring phase, we would have a better approach to the next level that we wanted to achieve.”

As HBSS' contract nears its end, DISA and DOD are “near the completion of the phases we had laid out,” Orndorff said. The next three phases, which DISA will begin pursuing next year, will build on the foundation that the HBSS program established, he said.

Flexibility at the Edge

Another area that Orndorff said has seen significant improvement during 2010 is DOD's ability to share information outside its networks.

"We've got a lot of capability in place today that wasn't there a year ago," Orndorff said. "We've had the architecture redesigned to make it much easier for us to put in additional capabilities as new requirements are identified moving forward.”

The changes in DISA and DOD's approach to protecting the boundary between DOD's Unclassified but Sensitive IP Network (NIPRNet) and the Internet are a reflection of how important the Internet has become to DOD.

“Obviously, if you look at recent history, DOD is not executing operations in a vacuum,” Orndorff said. “We're working with industry partners, nongovernment agencies, with other federal agencies. That NIPRNet/Internet boundary is incredibly important to virtually any type of engagement that we would need to support. So having that boundary set up so that we can maneuver to support mission priorities and provide the best capabilities we need to support whatever is going on at the time is very important.”

The improvements in the NIPRNet/Internet boundary, which formerly were part of DISA's NIPRNet hardening program, make it possible for DOD to adjust what can cross between the networks and at what priority based on mission support priorities. “In the past, you could do specific brute-force actions,” Orndorff said. “You'd block something or allow something. But now we're building out a boundary that's much more tunable, so if we're in the middle of military operations and we have to deploy forces forward, at that point [the Transportation Command's] use of the NIPRNet/Internet boundary is a whole lot more important than someone checking on sports scores, for example. So we can prioritize the traffic across the boundary in ways that are much more flexible than they ever were before.”

Synchronized C2

DOD is beginning to truly centralize situational awareness of its networks through the creation of a clear authority over cyber operations at Cybercom and each military branch's component cyber organizations. Although Cybercom and the services still lack fully centralized command and control, they have begun to put tools in place that will give leaders a better understanding of activity on DOD's networks and urgent actions needed to meet mission requirements.

However, the tools don't yet measure up to the task at hand. “We face a dangerous combination of known and unknown vulnerabilities, strong adversary capabilities and weak situational awareness,” Alexander said in June. "We must first understand our networks and build an effective cyber situational awareness in real time through a common, shareable operating picture. We must share indications in warning threat data at net speed among and between the various operating domains. We must synchronize command and control of integrated defensive and offensive capabilities, also at net speed."

Orndorff said the state of global situational awareness was both a highlight of 2010 and a shortcoming. “One of the big changes that we did in the past year was approach all of our projects with the idea that we look at each one and see how we can pull information from each program and provide better situational awareness to the network operators at all levels. So today, it's a little bit fragmented in a sense that each program has its own rollup or own picture that we're producing. But we have the data collection in place and information coming together to provide a situational awareness picture that's going to be fundamental to building out the common operational picture that we need to provide to Cybercom and operations in the future.”
