DoD’s Cyber Perfect Storm: The Growing Threat Meets The Evolving Network

Yesterday’s report that the Department of Defense had to shut down the Joint Chiefs of Staff’s unclassified e-mail system should come as no surprise to anyone. DoD networks are under continuous attack, 250,000 a day by some estimates, ranging from curious teens to the advanced persistent threat and malicious insiders. The Director of National Intelligence’s latest Worldwide Threat Assessment warned that the cyber threat was increasing in frequency, scale, sophistication, and severity of impact and that the ranges of cyber threat actors, methods of attack, targeted systems, and victims are also expanding. One particular danger is from advanced, persistent threats seeking long-dwell penetration of networks and capable of designing targeted malware. Based just on recent successful attacks on U.S. public and private networks attributable to foreign countries, it is no stretch of logic to conclude that this country is at war, albeit virtual, with a number of nation-state adversaries.

The Secretary of Defense, Ashton Carter, recently warned that the cyber threat to all U.S. networks, but especially those of his department, is growing and changing:

“… the cyber threat against U.S. interests is increasing in severity and sophistication. While the North Korean cyberattack on Sony was the most destructive on a U.S. entity so far, this threat affects us all. And it comes from state and non-state actors alike. Just as Russia and China have advanced cyber capabilities and strategies ranging from stealthy network penetration to intellectual property theft, criminal and terrorist networks are also increasing their cyber operations. Low-cost and global proliferation of malware have lowered barriers to entry and made it easier for smaller malicious actors to strike in cyberspace. We’re also seeing blended state-and-non-state threats in cyber…which complicates potential responses for us and for others.”

Even were the Pentagon properly organized, equipped and resourced to secure its networks, the evolving threat would pose a serious challenge. But this is not the case today. DoD lacks a coherent architecture, common standards and the system-wide visibility necessary to provide timely threat detection and mitigation. According to the former head of the National Security Agency and U.S. Cyber Command, General Keith Alexander:

“I look at the DoD Architectures today, and defending them is really hard. We have 15,000 enclaves, each individually managed. The consequence of that is that each one of those is patched and run like a separate fiefdom. The people who are responsible for defending them cannot see down beyond the firewalls. Host-based security systems are helping, but practically speaking, Situational Awareness (SA) is non-existent.”

This situation would be bad enough were DoD’s cyber enterprise static. However, it is continually growing and changing. Today there are more than 7 million devices on DoD’s networks; tomorrow there will be more. The use of mobile devices is becoming commonplace, even on the battlefield. Like the private sector, DoD is moving to the Cloud. The Internet of Things based on the proliferation of sensors, ubiquitous computing and instantaneous communications, is coming to DoD too. New devices, network technologies and applications inevitably introduce new security risks.

Security technologies are evolving rapidly to meet the threat. Security experts are in agreement regarding the need to automate much of the network surveillance and threat detection function both to enhance response speed and replace costly, hard-to-train manpower. There is a proliferation of new security software programs. However, there will be no cyber silver bullets, no new app that will magically provide total security. Moreover, while the new and different often appears enticing, it is critical to ensure that these technologies can perform as advertised and do so without introducing new vulnerabilities. Growing, changing networks require orchestrating the extension of legacy cyber security capabilities to new users with the introduction of cutting-edge techniques across the enterprise.

DoD also is challenged in its efforts to expand its use of IT, organize its networks and enhance their security in the face of an evolving threat by a lack of adequate resources. Defense budgets are declining and the demands for more resources from all sides is growing louder. Cyber security is not cheap. It is necessary to maintain and upgrade relevant legacy capabilities while simultaneously introducing new technologies and techniques. DoD needs a smart acquisition strategy that avoids unnecessary expenditures while making judicious investments in next generation capabilities.

Pentagon leadership recognizes that the department faces a “cyber perfect storm” of evolving threats, expanding networks, rapidly changing technologies and declining resources. Part of the solution is building the Joint Information Environment (JIE) with its single security architecture. Another important step is leveraging the experience and capabilities of the private sector, particularly when it comes to managing security for large, complex networks.

Our current advantage in network warfare will be short-lived and the Pentagon’s investments in new network capabilities and organizations such as the JIE are ultimately for naught if the threats discussed above cannot be countered. As our adversaries invest more in IT, victory in future conflicts may go to the side best able to defend their networks from penetration, exploitation and attack.