DoD’s NSCSAR cyber program revs up

The Department of Defense (DoD) is undertaking a continuing review of the operational systems that ensure cybersecurity, spearheaded by the offices charged with maintaining information superiority.

The ongoing effort is formally known as the Non-secure Internet Protocol Router Network (NIPRNET) and Secret Internet Protocol Router Network (SIPRNET) Cybersecurity Architecture Review. To make the name easier to swallow, insiders are using the acronym NSCSAR (and pronouncing it like the auto racing association).

The Defense Information Systems Agency (DISA), the National Security Agency (NSA), and the Department of Defense chief information officer (DoD CIO) are running the review.  It compares the current set of cybersecurity capabilities against known tactics and techniques used by adversaries.

“NSCSAR is our framework for reasoning about cybersecurity from end point to the internet,” said Pete Dinsmore, DISA’s risk technology executive, on the Federal Drive with Tom Temin.

NIPRNET is the unclassified IP data service for internet connectivity and information transfer that supports applications such as e-mail, web services, and file transfer. SIPRNET provides centralized and protected connectivity to the federal intelligence community for collaborative planning and numerous other classified applications.

In essence, the process will help DoD determine which cybersecurity tools and techniques are needed, how much is enough, and where risks can be taken.

“At the end of the day the budgets available for cybersecurity capabilities are either stagnant or decreasing. And we need to figure out how to best use our dollars,” Dinsmore said.

And while NIPRNET and SIPRNET are “air-gapped”—not connected directly to the internet or to any other computers that are connected to the internet—hackers and foreign governments work to bypass such protections.

Both security networks date back to the 1990s, and have gone through numerous reviews.  NSCSAR, according to Dinsmore, is the next step in that process.

Normally, such “upgrades” in security systems are made after much analysis and debate.  But Dinsmore said NSCSAR has taken a cue from agile software development in implementing a so-called “spin” concept. A new spin cycle begins four times a year. With each new spin, NSCSAR is reassessing the environment to determine what facets need to be changed.

“Every 90 days we’re taking a new look; adding capabilities, adding questions, adding ability for analysis, and adding new threats. This allows us to be reactive, rather than saying ‘We’ll be back to you in a year with a new report’,” Dinsmore said. “NSCSAR is an enduring process because the threats continue to change, because the investments we might possibly make continue to change as industry brings us new ideas, and because our adversary’s focus continues to change. So as we continue to learn of new threats and cyber capabilities, we need to continue to do this holistic analysis to see how we want to change our investment profile,” he added.

NSCSAR completed its first spin cycle in April. DoD planned to complete the second by June 30.

“We’re asking ‘What’s the next best change to make?’, given the adversary’s perspective,” said Dinsmore.

That includes determining possible weaknesses in the networks.  And Dinsmore added the term “adversary” extends beyond a potential enemy state.

“We use the term in a very broad sense,” said Dinsmore. The process covers more than outside threats or a domestic person trying to penetrate the networks.

“We also worry about insider threats,” he said, “and we have insider threats on both NIPRNET and, unfortunately, SIPRNET.”

Dinsmore said the analysis does not involve testing network security for vulnerabilities. Rather, he said, the process uses information collected from public sources, as well as internally sourced data about attempts to breach the networks. The information is analyzed with support from U.S. Cyber Command, the Defense Cyber Crime Center (DC3), as well as some contractors.