Army DCO using streamlined acquisition, data analytics to defend cyberspace

The end goal of streamlining DoD’s acquisition systems is always, first and foremost, about providing the warfighters as much capability as possible.

This premise is just as true in cyberspace. The Army’s new framework for a rapid process to acquire cyber defensive tools is a good example.

Lt. Col. Scott Helmore, the product manager for Army Defensive Cyberspace Operations, told Federal News Radio that his office had just completed an eight-day acquisition to add new analytic capability to its Big Data Platform (BDP) — from identifying the need to delivering the capability to the cyberwarriors.

“We did it very expedited because of the need,” Helmore said.

There was a single cyber event categorized as a Tier One, of the highest importance, and DCO didn’t have the automated tools to respond.

“When we quickly awarded a contract to more than quadruple our analytics capability, we were able to look globally … and see how to remediate it,” he said. “It made us very happy.”

Helmore explained that during that eight-day period, the vulnerability was still defended, but it was done by the cyber teams themselves.

“There are manual ways around it. [The teams] don’t wait for a material solution, they build one on the spot,” he said. “We give them the capability to write, build, test and deploy, or modify open source software. When they’re doing this, they don’t have time to build from scratch.”

The increased power of DCO’s analytics tools makes it easier to identify patterns.

For example, “as [adversaries] ramp up for an operation, there might be a very quick, one- or two-second deployment capability,” Helmore said. “That’s them testing out their [tactics, techniques and procedures] and our response. Then we’ll get a gigantic spike across multiple locations.”

The analytics platform helps DCO spot the pattern, which also helps the cyberwarriors design algorithms to incorporate the tell-tale signs into other parts of the cyber early warning system and prepare responses.

As the cyber domain evolves, DCO is working more and more closely with its intelligence counterpart, Helmore said. In the course of cyber defense, DCO sometimes has the opportunity for counter-infiltration, entering the adversary’s asset while cloaking itself.

“On the intelligence side, we’re meeting almost weekly … We’re in the process of combining our analytics platforms — [not all our] operators may see everything, but an operator cleared on both sides can, [and] the platform can make the connection and elevate the information to a person with the right clearance,” he said.

When DCO first started, it began building deployable, hardware-based platforms.

“We’re now moving into user activity monitoring, forensics, [using] tactical advanced sensors — that’s sensors that may already be in the tactical domain [that] we modify to feed back to our platforms,” Helmore said.


Patience Wait is a freelance journalist.