As DISA Modernizes Systems, Cyber Remains its Top Concern
The Defense Information Systems Agency (DISA) heads into 2016 with plans for a completely outsourced private military cloud, increased use of software-defined networks and expanded enterprise email services. But looming over everything the agency does are heightened concerns about cyber security, top agency officials said.
“We’re in a fight. We’re in a fight every day,” said John Hickey, DISA Cyber Security Authorizing Official, during an AFCEA gathering January 12. “The threat is real and we’re reacting to that, and what we’re focused on is: What is that current threat? What is that threat going to evolve to?”
Central to DISA’s strategy is the development of a series of Joint Regional Security Stacks (JRSS) that will be the first line of defense between the World Wide Web and Defense Department networks. But Hickey said he wants to go beyond passively defending networks to be able to “move around the information battlefield, just like you would on a modern battlefield.”
David Mihelcic, DISA chief technology officer and principal director, Global Information Grid Enterprise Services Engineering, said defense networks are under constant attack and automated systems stop most attempted intrusions. “Eighty percent of inbound email is stopped because it’s got a known detected threat,” he said.
Now DISA is looking to add capabilities that will increase its security posture, Hickey said. The agency is working with the Defense Department Chief Information Officer and the NSA to assess its needs and requirements. “What’s the enemy doing today? What are those tools that provide us the biggest return from a security standpoint on our investment?”
What that means, he said, is “Looking at the boundaries, it’s looking at the regional JRSS, looking at the endpoint piece of that … and what are the challenges that we need to do with big data analytics that look at that environment, normalize it and then look for change?”
DISA does not engage in offensive operations. But Hickey said that doesn’t mean DISA security staff lie in wait for threats to come to them. “The biggest change in DoD … is we’re going out and hunting for the enemy on a daily basis.”
DISA is currently defining requirements for a major series of initiatives, ranging from mobile technology to its next-generation cloud, dubbed MilCloud 2.0.
Alfred Rivera, director of DISA’s Development and Business Center, said DISA aims to offer a more flexible, commercial-style cloud offering this time around. “We’re going to look at MilCloud 2.0 as a potentially completely outsourced vendor capability but, in our case, inside our defense networks.”
Similarly, he said DISA intends to broaden its cloud-based email service, Defense Enterprise Email (DEE), with a next-generation upgrade. Feedback is now being evaluated, he said, and that points to adding additional collaboration services.
For all new DISA systems and technologies, Mihelcic said, security must be built in from the ground up. “The best investment we can make is upfront, ensuring our systems are built in a reliable and robust and secure way, as opposed to trying to bolt on security at the end,” he said. “We really do need that deep experience in computer science or system administration and then, on top of that, practical expertise in the cyber aspect.”
DISA is also focused on finding ways to increase security on the administrative end of its systems. Perimeter security is aimed at keeping attackers out of the network in the first place. But Hickey said DISA needs help ensuring that if a penetration does occur, the infiltrator can’t hop from device to device or system to system once he’s inside the wall.
“The enemy likes to move laterally across the network,” Hickey said. “That’s the threat today.”
Improved multi-factor authentication for administrators is one way to combat that threat. DISA needs “enterprise capability for privilege management that we can deploy across multiple products,” Hickey said. “Our admins have to support multiple devices in the deck, so how do they get away from usernames and passwords?
“The enemy likes to move laterally across the back end of the network. Think of it in the same way as what we used to do in the Cold War: You do a lot of destruction in the back end of the battlefield.”
He said he’s seen good examples of that in the commercial cloud and that DISA is working on adapting those concepts for its private cloud.
On the front end, where users are, Mihelcic said DISA also looks for ways to harden users and their workstations against pervasive phishing and spear-phishing attacks. Just as stronger authentication can be used to hinder an attacker’s ability to move within the network should he manage to get inside, he believes DISA has ways to keep hackers from fully compromising a workstation even if a user succumbs to a data-driven attack.
Biometrics: Vulnerability or Advantage?
Compounding the challenge for network administrators is the increasing number of endpoints on networks, which ultimately might include not only communications with systems and vehicles in the field, but also biometric sensors that report back to commands on the situational health and performance of individual soldiers.
The trouble is, every new node on the network is a potential new vulnerability – especially if classified data is involved.
“Any end user is going to be exposed to these same kinds of threats,” Mihelcic said. “You have to understand the risks associated with deploying these technologies: Just because you can do something, doesn’t mean you should.”
Hickey introduced an alternative concept: There is power in wearable technology from a security perspective. Providing a system admin with a Fitbit device, for example, could help authenticate that user with a high level of security, he said. “That’s the type of tech we’re very interested in because it provides another factor that identifies who you are.”
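The two points Hickey makes above, moving administrators away from username-and-password access and using a personal device as an extra factor that proves who the admin is, come together in a challenge-response login. The following is an added illustration, not DISA's code or any product described in the article: the password is the knowledge factor, and a device-held secret (standing in for the wearable) must sign a fresh, single-use challenge as the possession factor. The usernames, secrets and the `WearableDevice` class are constructed for the example.

```python
"""Added example: two-factor administrator login (password + device-bound
challenge-response). Illustrative code, not DISA's; every name, secret and
the simulated wearable are constructed assumptions."""
import hashlib
import hmac
import os
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: a stolen credential table does not yield passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """Holds enrolment records and outstanding (single-use) challenges."""

    def __init__(self):
        self.users = {}
        self.pending = {}  # username -> challenge awaiting a device response

    def enroll(self, username: str, password: str, device_secret: bytes):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw": hash_password(password, salt),
            "dev": device_secret,  # shared once at enrolment, never sent again
        }

    def begin(self, username: str, password: str):
        """Factor 1: check the password; on success issue a fresh challenge."""
        rec = self.users.get(username)
        if rec is None:
            return None
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw"]):
            return None
        challenge = secrets.token_bytes(32)
        self.pending[username] = challenge
        return challenge

    def finish(self, username: str, response: bytes) -> bool:
        """Factor 2: the enrolled device must answer the outstanding challenge."""
        challenge = self.pending.pop(username, None)  # consumed on first use
        rec = self.users.get(username)
        if challenge is None or rec is None:
            return False
        expected = hmac.new(rec["dev"], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class WearableDevice:
    """Constructed stand-in for the admin's personal device: keeps a secret
    and signs whatever challenge the server presents."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def admin_login(server: AuthServer, device: WearableDevice,
                username: str, password: str) -> bool:
    challenge = server.begin(username, password)
    if challenge is None:
        return False
    return server.finish(username, device.answer(challenge))


def demo() -> dict:
    """Run the legitimate flow and three failure cases a defender cares about."""
    server = AuthServer()
    secret = os.urandom(32)
    server.enroll("admin1", "correct horse", secret)
    real_device = WearableDevice(secret)
    other_device = WearableDevice(os.urandom(32))  # right password, wrong device

    results = {
        "legit": admin_login(server, real_device, "admin1", "correct horse"),
        "password_only": admin_login(server, other_device, "admin1", "correct horse"),
        "device_only": admin_login(server, real_device, "admin1", "wrong password"),
    }

    # Replay: a captured response does not work against a later, fresh challenge.
    captured = real_device.answer(server.begin("admin1", "correct horse"))
    server.finish("admin1", captured)            # genuine session completes
    server.begin("admin1", "correct horse")      # next login gets a new challenge
    results["replay"] = server.finish("admin1", captured)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14s} -> {'allowed' if ok else 'denied'}")
```

Only the combination of the correct password and the enrolled device succeeds; a password obtained by phishing, the device without the password, or a replayed response from an earlier session is denied, which is the property that limits lateral movement with stolen admin credentials.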