The commander of U.S Cyber Command says the military has good offensive cyber capabilities and good defensive cyber capabilities. The problem is they’re operating as two separate teams that need to be melded into one.
The Defense Department rarely talks publicly about its offensive cyber capabilities or precisely what its cyber warriors do, but at least as far as how they’re organized, they are largely separated from the workforce that operates and defends the military’s networks, said Gen. Keith Alexander, who commands CYBERCOM and also directs the National Security Agency.
“You don’t have infantry guys who are separated into defender infantry, reconnaissance infantry and attack infantry. Think of how ludicrous that would be. But that’s what we have on our networks today,” Alexander told an AFCEA conference last week. The result, Alexander said, is that military networks are more vulnerable than they should be.
“I’m convinced that we don’t train our people to a standard that’s high enough to defend our systems. We don’t,” he said. “We say we’re going to operate as a team, but each component of our team is trained differently. Our signal community is trained to operate and defend. Our intelligence exploitation team is trained and cleared at a different standard, and that can’t be shared between folks of different security clearances. And then we have an attack community, and everybody’s trained to different standards.”
Alexander said in cyber war, the advantage already goes to the attacker. And DoD isn’t doing enough to use the attack know-how it already has under its belt to inform the way it plays defense.
“We’re training them on how to operate and put up the network without really integrating all of the benefits that the attack and exploit community already have,” he said.
Alexander wants all of the military services to train their entire cyber workforces, particularly managers, to a single set of standards so that everyone has a common understanding of the cyber battlefield.
Offensive cyber warriors, for example, should be able to share what they know about a potential adversary’s networks with U.S. personnel who operate and defend DoD networks from attack, since they’re likely to deal with the same set of enemies.
There are some early examples of that kind of integrated training and organization, Alexander said. The 10th Fleet, the Navy component of Cyber Command, has already brought together jobs that were previously designated as signal communications, computer science or cryptology positions into one community under the new “cyber” banner.
“I think that’s what all the other services need to look at it as a model,” he said. “If we don’t, the communications capabilities we have are going to drop pretty drastically. We’ve seen this happen in the past. We have to transform this force and make them all one team.”
Alexander said changing training schemes for the workforce is one of several initiatives he and the military services that provide forces to Cyber Command have agreed upon.
Another is building a network architecture that’s much easier to defend than what exists today.
“I look at the DoD architectures today, and [defending them] is really hard. We have 15,000 enclaves, each individually managed,” he said. “The consequence of that is that is that each one of those is patched and run like a separate fiefdom. The people who are responsible for defending them can’t see down beyond the firewalls. Host-based security systems are helping, but practically speaking, situational awareness is nonexistent.”
Military services working to implement HBSS
Each of the military services plus the Defense Information Systems Agency have been working to implement the commercially-available host-based software, known as HBSS, on their respective networks. It’s designed to actively monitor for potential threats down to the level of desktop PCs and laptops with such granular detail that a network administrator in Washington can tell that a servicemember in Seattle has violated policy by charging her iPhone’s battery via the USB port on her government computer. Rear Adm. Robert Day, who serves both as the Coast Guard’s chief information officer and commander of its cyber command, said HBSS has made a big difference. The software is now installed on 48,000 workstations and 1,200 Coast Guard servers.
“It’s starting to demonstrate some significant capability,” he said. “I’m able to see things now and have situational awareness on my networks that I didn’t have before, and it’s starting to come in real time, where I can start taking action.”
Up until recently, Day said, his headquarters office would get reports of potential cybersecurity threats from thousands of miles away involving computers that were on Coast Guard network, but since the computers were not visible on the network to the Coast Guard’s cyber command, there was no way to kill the threats remotely.
“It could take upwards of two or three days before that workstation was actually removed from the network. With these tools and with new doctrine and tactics and procedures, people realize the cyber threat is an immediate threat that’s no different from any other threat to the perimeter,” Day said.
To get to that point though, Day said the Coast Guard first had to collapse its various disparate networks and reduce its number of data pipes to the public Internet through the governmentwide Trusted Internet Connections initiative. Day said the entire service now relies on just three trusted connections.
DoD pursues Joint Information Environment
Those tasks will undoubtedly prove more difficult for the Coast Guard’s sister military services, which dwarf it in size and in network complexity.
While the Navy has a single enterprise network that handles most of its day-to-day business IT functions, the Army and Air Force are still trying to bring their various networks under larger, more homogenous umbrellas.
DoD’s long-term goal is to create a construct what the department refers to as the Joint Information Environment, which would bring more commonality to the networks of each of the military branches and provide many current-day IT functions through a cloud-based environment that relies on shared applications and services.
Maj. Gen. Suzanne Vautrinot, the new commander of Air Force Cyber Command, is at the front of the battle against network fiefdoms as the Ari Force tries to merge into a single network structure called AFNET.
She said getting the entire military onto something that resembles one network is going to be a costly and slow process.
“When you move from what you have, which is a heterogeneous, kludged compilation of all the things we developed brilliantly over the past couple of decades, it’s extraordinarily expensive,” she said. “It’s certainly the right way to head, but you have to recognize you can’t move there midstream. You have to get there from what we have.”