In describing a handful of his agency’s top cybersecurity acquisition priorities, the director of the Defense Information Systems Agency said DoD needs new tools to grapple with the fact that cyber adversaries have become much more brazen in recent years, and are no longer concerned with whether or not they’re detected when trying to penetrate Defense networks.
Until relatively recently, Lt. Gen. Alan Lynn said, most cyber attacks looked somewhat like an “intel game,” with enemies quietly burrowing their way into networks and keeping a low profile until they discovered something worth stealing.
“That’s not the world we’re living in today. They don’t care anymore,” Lynn said Wednesday at AFCEA’s cyber defense symposium in Washington. “They are kicking in the doors. It’s loud, it’s fast, it is smash-and-grab. It used to be that going after senior leaders is something you just didn’t do, but they’re going after senior leaders in their offices and at their homes. The gloves are off. This is cyber warfare, and it’s happening on our networks daily.”
Among the technologies DISA is most interested in for protecting Defense networks against those sorts of attackers is software-defined networking (SDN), which the agency has been spending money on for about 15 months. The technology would let DoD move away from network topologies dictated by fixed, physical hardware such as routers and switches, toward a virtualized topology that can be reconfigured at a moment's notice.
“If you build out a big software defined network that’s providing capabilities for you, imagine if you will that you don’t just make one copy of it, but you make multiple copies of it,” Lynn said. “If you get attacked, you can move all your applications and users to a new copy of the network, and just keep moving it so an attacker has a hard time keeping up. So we need industry’s help with that. I really see it as part of our future.”
Lynn said DoD also wants industry help to begin planning a new generation of identity management technologies to eventually replace the public key infrastructure and common access cards the department uses for two-factor network authentication. While the PKI approach is much more secure than usernames and passwords alone, the department would like stronger ways to authenticate its users.
As one option, he floated the notion of using ubiquitous mobile devices to help verify that users are who they claim to be. The data a smartphone's sensors collect over time, GPS for instance, could in theory be used to build a behavioral fingerprint of each legitimate user, so that an attacker using fraudulent or stolen credentials stands out when the location or activity pattern of a login does not match the account owner's baseline.
“If we had 100 percent assured identity when people got up on the network, you’d have a lot harder time causing problems,” he said. “You might be able to do it once, but then we’d block you because we’d know who you are. If you take a look at your mobile device, it’s keeping track of you. If you look at an app like Waze, it knows when you were at home, it knows how fast you drive, it has to know all of these things to know how long it’s going to take you to get to work. If you put pieces like that together, that could be a portion of identity.”
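To make the behavioral-fingerprint idea concrete, here is an added example (not code from the article, DISA or any vendor) of the kind of check a risk engine would run: it builds a baseline from a user's past device-reported GPS fixes and timestamps, then scores a new login against it. All coordinates, timestamps and thresholds (a 5 km cluster radius, a 900 km/h travel ceiling) are constructed for the illustration. It goes slightly beyond the text by adding an impossible-travel check, which is the usual way "how fast you drive" turns into a detection signal.

```python
"""Toy behavioral-profile scoring for a login event.

A per-user baseline is built from historical, device-reported observations
(UTC timestamp plus GPS fix).  A new authentication attempt is then scored on
three signals: unfamiliar location, unusual hour of day, and impossible
travel relative to the last observation.  All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Observation:
    ts: datetime   # timezone-aware UTC
    lat: float
    lon: float


def utc(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two WGS-84 points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass
class Profile:
    places: list        # (lat, lon) centres of locations the user is normally seen at
    hours: set          # UTC hours of day at which the user is normally active
    last: Observation   # most recent observation, for the travel-speed check


def build_profile(history, cluster_km=5.0) -> Profile:
    """Greedy clustering: a fix more than cluster_km from every known place opens a new one."""
    places, hours = [], set()
    for obs in sorted(history, key=lambda o: o.ts):
        hours.add(obs.ts.hour)
        if not any(haversine_km(obs.lat, obs.lon, plat, plon) <= cluster_km for plat, plon in places):
            places.append((obs.lat, obs.lon))
    return Profile(places=places, hours=hours, last=max(history, key=lambda o: o.ts))


def score_event(profile: Profile, event: Observation, cluster_km=5.0, max_kmh=900.0):
    """Return (score, reasons); each reason is one anomaly the event trips."""
    reasons = []
    if not any(haversine_km(event.lat, event.lon, plat, plon) <= cluster_km for plat, plon in profile.places):
        reasons.append("unfamiliar location")
    if event.ts.hour not in profile.hours:
        reasons.append("unusual hour")
    # Impossible travel: moving further than the cluster radius faster than an airliner
    # (or before the last observation) since the last fix.
    elapsed_h = (event.ts - profile.last.ts).total_seconds() / 3600.0
    dist = haversine_km(event.lat, event.lon, profile.last.lat, profile.last.lon)
    if dist > cluster_km and (elapsed_h <= 0 or dist / elapsed_h > max_kmh):
        reasons.append("impossible travel")
    return len(reasons), reasons


# Constructed history: a user commuting between a home and an office in the DC area.
HISTORY = [
    Observation(utc("2017-05-01 11:30"), 38.900, -77.200),  # home (constructed)
    Observation(utc("2017-05-01 13:05"), 38.871, -77.056),  # office (constructed)
    Observation(utc("2017-05-01 21:40"), 38.871, -77.056),
    Observation(utc("2017-05-01 23:10"), 38.900, -77.200),
    Observation(utc("2017-05-02 12:55"), 38.872, -77.057),
    Observation(utc("2017-05-02 14:20"), 38.872, -77.057),
]


def demo():
    """Score a legitimate login and a stolen-credential login against the baseline."""
    profile = build_profile(HISTORY)
    legit = Observation(utc("2017-05-03 13:10"), 38.871, -77.056)   # office, usual hour
    stolen = Observation(utc("2017-05-02 15:05"), 55.751, 37.618)   # Moscow, 45 min after last fix
    return {
        "places": len(profile.places),
        "legit": score_event(profile, legit),
        "stolen": score_event(profile, stolen),
    }


if __name__ == "__main__":
    print(demo())
```

The legitimate event scores 0; the stolen-credential event trips all three signals. A score like this is a risk input to be combined with the PKI credential and a policy (step-up, block, alert), not "assured identity" on its own: a user on travel, or a phone left at home, produces the same unfamiliar-location signal as an attacker, so thresholds and the action taken need tuning against real false-positive rates.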
Lynn also flagged stronger encryption technologies as a high priority for DoD.
“The power of compute builds each and every day, and so it’s easier and easier for people to break the encryption we have out there,” he said. “We’ve got to get better at that, so if people have novel ideas on how to do encryption differently, we’re all ears.”