The Pentagon’s main body for defending its network is taking a three-pronged approach to improving how it protects against malicious activity and improves the readiness of its force. And for the first time, the DOD has outlined training requirements for cybersecurity service providers.
“It’s a daily effort to get readiness at a higher state … as we operate and maneuver the domain, how do we make it more effective and efficient for them to be more compliant, which leads to readiness?” Lt. Gen. Robert Skinner, commander of Joint Force Headquarters-Department of Defense Information Network and the director of the Defense Information Systems Agency, said at the annual DAFITC conference Wednesday.
JFHQ-DODIN is a subordinate headquarters under U.S. Cyber Command responsible for protecting and defending the Pentagon’s network globally.
Skinner noted that adversaries are still often using rudimentary tactics, and much of what JFHQ-DODIN is doing is to raise the bar so officials don’t have to worry about the easy intrusions anymore.
“You know what they’re using,” he said of adversaries. “They’re using basic stuff. Why go to really unique and really powerful [tactics, techniques and procedures] when you can use the basic ones getting in using misconfigurations and the sort?”
JFHQ-DODIN is piloting the third iteration of its Command Cyber Readiness Inspections (CCRI) at three places, Skinner said. A CCRI is essentially a technical inspection of an organization’s network and security practices.
The focus now is shifting to risk, he said, adding that he expects CCRI 3.0 to roll out to all the services and agencies in the next quarter.
The new concept focuses on forward-facing devices and terrain given that’s the easiest way an adversary can gain access.
“How are you controlling access, elevated privileges? How are you managing those who have elevated privileges? How are your system administrators?” Skinner said.
From there, leaders need to think about incident response.
“No matter what kind of protection and security you have, something’s always going to happen … Do you have a minimum defensive posture?” Skinner said.
Based on these areas, leaders will be assessed on how at risk they are and if they need to do something as an enterprise to mitigate or drive down that risk.
The second main focus area for improving the overall readiness and security of the DODIN is training.
While U.S. Cyber Command has focused heavily on the training of the cyber mission force — the teams each service provides to Cybercom to conduct offensive and defensive cyber operations — the department will now turn its attention to cybersecurity service providers (CSSPs) for the first time. CSSPs are essentially the local defenders and maintainers of a network at any given organization or installation.
“The department just signed out two months ago the joint mission essential task for CSSPs. First time we’ve ever had that,” Skinner said.
Five CSSPs this month will be reporting readiness based on those essential tasks, and next month there will be even more.
Overall, there are roughly 30 CSSPs across DOD. And in the next few months, they’ll be looking closely at how to understand their respective readiness levels.
Additionally, the department will be looking at training standards for the system administrators that have elevated privileges. Currently, there aren’t standards in this regard.
“Then we can holistically look at this thing we call the DODIN and go from a force posture standpoint and force training readiness [and say], ‘Here’s the standards, here’s how we’re going to assess against those standards based on readiness and then understand what the risks [are].’ So you got risk of the terrain and risk of the force to support that terrain and protect that terrain and secure that terrain all together,” Skinner said.
The last aspect of improving the DODIN that Skinner described is the ability to “maneuver” the cyber domain. The key aspect that sets that domain apart from the other four domains of warfare (sea, land, air and space) is that it’s manmade and can be completely changed in a split second.
“How do we virtually maneuver the domain itself? How do we use military deception or even deception writ large to [do] that if we do have a vulnerability that could be exploited but somebody who’s scanning from the external cannot see that?” Skinner said.
JFHQ-DODIN is looking at a few pilots within the maneuverability portfolio, including one focused on the boundary and security-as-a-service for the boundary.
“Everybody usually hears we have 10 internet access points. You think, ‘Well that’s not that tough to manage.’ There’s actually about 70 then that DISA controls. But there’s 60ish across the enterprise where there’s internet access into the broader internet. That makes it a lot more unmanageable,” Skinner said.
Security-as-a-service “takes a lot of the, I’ll say, convoluted and complex IP that we have today and makes it less complex, because it’s all packaged into one. You don’t have the collisions that you have today,” he added.
Another “powerful” pilot being worked by some of the services includes automation and validation of protection.
“The security appliances, the security apparatuses, all those capabilities that you have throughout the environment. Is it operating nominally? Because right now, we just say, ‘Well, yeah, it is because it’s on and it’s protecting some things.’ But is it protecting everything that you want?” he explained. “Leveraging the TTPs that our adversary uses and that we know that they use, we’re testing it through all the way from the boundary and all the way to the endpoint — that’s pretty powerful if we get that moving.”
Other changes for JFHQ-DODIN
JFHQ-DODIN has seen a few changes in the last several months. For one, its deputy commander, Rear Adm. William Chase, retired Aug. 18.
Brig. Gen. Heather Blackwell took over in that role the same day.
Additionally, JFHQ-DODIN recently inherited responsibility for coordinating authority of cyber operations on behalf of U.S. Transportation Command.
This coordinating authority provides each supported combatant command a single commander that is responsible for planning, synchronizing and coordinating cyber support and ops. Previously, the service cyber components to Cybercom — through what is known as their Joint Force Headquarters-Cyber — only had coordinating authority for combatant commands they supported.
Now, for the first time, JFHQ-DODIN has assumed this role and supports Transcom, which primarily conducts defensive cyber operations, not offensive ones like the geographic combatant commands.
Sources indicated to DefenseScoop that JFHQ-DODIN was a natural fit to support Transportation Command given Transcom has a heavy requirement and focus on defensive cyber, which is part of JFHQ-DODIN’s core mission.
The shift in coordinating authority was made mainly due to the standup of U.S. Space Command. In 2019, Cybercom assigned coordinating authority for Spacecom to Joint Force Headquarters-Cyber Air Force, which was already supporting European Command, Strategic Command and Transportation Command.
However, supporting four combatant commands placed a burden on Cyber Command, and the decision was made to give the authority for Transcom to JFHQ-DODIN.
“In an effort to balance the Coordinating Authority relationships and responsibilities across all CYBERCOM direct subordinate commands, CYBERCOM realigned Coordinating Authority for U.S. Transportation Command from JFHQ-C Air Force to JFHQ-DODIN,” according to a Cybercom spokesperson.