Defense Department Assuming Growing Cyber Security Role
The Defense Department treats cyberspace as a warfighting domain alongside air, land, sea and space, but it still struggles with how to operate in that domain to best protect the nation. DoD has responsibilities to protect U.S. critical infrastructure, with a significant focus on collaboration with the defense industrial base.
The department is taking steps to protect critical infrastructure with a particular focus on cyber resiliency and on identifying and countering threats. It also will increase cyber security information sharing with civilian agencies. The Department of Homeland Security, the National Institute of Standards and Technology, the General Services Administration and the Defense Department are collaborating through the Software and Supply Chain Assurance Forum to strengthen cyber security via supply chain risk management.
DoD will coordinate with the Office of Personnel Management, DHS, the Department of Justice and other non-defense agencies to review the security clearance process, particularly as it relates to information security, and to modernize the security controls on the systems themselves with an eye toward preventing insider threats.
DoD has taken steps recently toward enhancing critical infrastructure protection. The Defense Security Service is in the process of standing up the Defense Insider Threat Management and Analysis Center, with the idea of analyzing DoD employee data to predict, and ultimately prevent, insider attacks.
The continuous evaluation program also aims to mine data for insider threat indicators as an improvement to the security clearance process. Although the center was formed in response to violent insider attacks, its analysis will extend to cyber espionage threats as well.
The Pentagon continues to plan out response scenarios, coordinating with other agencies tasked with critical infrastructure protection, as it develops the department’s cyber strategy. The White House’s agreement with China, under which neither government is to conduct or support cyber-enabled theft of intellectual property for commercial gain, is another potential way to head off threats as the government works to determine consequences for cyber espionage. It remains to be seen whether this will deter foreign hacking.
The U.S. government is also exploring sanctions as a cyber deterrent. Last December’s hack of Sony Pictures, which exposed internal email, ultimately required government intervention because of concerns that not responding would signal that future attacks would face no consequences. The White House imposed new financial sanctions on North Korea after an investigation attributed the breach to that country.
Sanctions, of course, won’t work on non-state actors. This underscores DoD’s difficulty in knowing exactly how to respond commensurately to an attack, particularly when the perpetrators are unknown. Defense and other government officials are still not sure their response to the Sony attack would prevent a devastating attack on, say, a sole-source supplier of sensitive military equipment.
Along with planning cyber response scenarios, the Pentagon is attempting to strengthen cyber protection through information sharing with civilian agencies and defense contractors. Recognizing the susceptibility of industry partners to cyber espionage and data breaches, DoD recently updated the cyber security requirements in the Defense Federal Acquisition Regulation Supplement, or DFARS.
This update should strengthen the defense industrial base cyber security and information assurance program, which started in 2011 and is intended to facilitate information sharing between DoD and industry about cyber threats. The new regulations require contractors to report cyber incidents via DoD’s cyber incident reporting and cyber threat information-sharing portal.
The DFARS interim rule was issued Aug. 26 and affects both prime contractors and subcontractors that handle “covered defense information.” The rule only loosely defines what constitutes a breach and what constitutes covered defense information, which is a serious problem for contractors. First, the expanded definition of covered defense information raises more questions than it answers about what information must be protected, since almost any piece of data on a contractor’s network might meet such a vague definition. Second, the same issue extends to the DFARS definition of what constitutes a reportable breach. With the definition expanded, contractors are left to interpret it on their own, which could result in inconsistent reporting and non-compliance.
Though this regulation outlines how cyber incident reporting must occur, it does not address the most important piece, which is how this information should be protected. That guidance will not be issued until the final ruling.
Lawmakers recognize the urgency and face tough challenges in updating not only laws and regulations, but also the physical facilities and installations that remain under DoD’s purview. The DFARS update was issued as an interim rule without a prior proposed rule for public comment, which is unusual, and demonstrates the government’s desire to move quickly on a strategy to improve cyber incident reporting.
As far as updating infrastructure facilities goes, physical changes to buildings that limit the effects of a cyber attack, such as installing pressure relief valves, are the easy part. Cyber requires a multi-faceted strategy that covers both prevention and response. Cyber protection for critical infrastructure still needs better-defined legislation and a legal framework for information protection. Sharing information about cyber incidents can help prevent future attacks, and will help determine the best way to protect information as it moves across a contractor’s network.
Finally, a clearer definition of cyber warfare is still needed before DoD can establish an effective cyber deterrence strategy. Only after officials can clearly determine what constitutes an attack can they determine the appropriate response. DoD must continuously update its strategy to stay ahead of adversaries. Sharing information about cyber breaches, adopting best practices for information protection and risk management, and sustaining legislative momentum to update legacy systems and infrastructure will be critical to strengthening the cyber posture of critical infrastructure protection.
Stephanie Meloni is a market intelligence senior analyst with immixGroup (an Arrow company). She can be reached at Stephanie_Meloni@immixgroup.com or connect with her on LinkedIn at www.linkedin.com/in/stephaniemeloni.