Cyber Command reevaluating defensive cyber tools


A communications officer with the 7th Iraqi army division adds computers to a network during an advanced computer networking class at Camp Mejid, Al Asad, Iraq, Nov. 23, 2008. The training will help build the communication infrastructure within the division. (Photo Credit: Staff Sgt. Chad Simon/Army)

Cyber Command, while still a relatively infant organization with its mission force not yet fully operationally capable, is reassessing capabilities and concepts as operations and threat actors evolve in a space that seems to change at a previously incomprehensible pace.

“One place that we are reassessing is a key capability for each cyber protection team – the CPTs – that is their service-provided Deployable Mission Support System, or DMSS,” Brig. Gen. Maria Barrett, deputy of operations J-3 at Cyber Command, said during a keynote address at an AFCEA-hosted event in northern Virginia June 1.

The DMSS, she said, is a kit provided to CPTs by each service that consists of laptops, passive and active sensors, and analytic capability provided by either government-off-the-shelf, commercial-off-the-shelf or free and open-source software. DMSS gives CPTs the capability to conduct their reconnaissance, security and counter-mobility operations, she said.

One key reason for the reassessment, and a point indicative of the rapidly changing nature of the technology and cyberspace domain, is that the requirements document for DMSS was published in January 2016 before most of the CPTs were fully operationally capable, Barrett said.

Based upon ongoing operations and field studies, Barrett acknowledged that this needed to be revisited. “We really feel like if we are going to operate in the split-based configuration, this requires out-of-band communication in order to establish command and control without relying on the network that we actually are operating on,” she said.

Providing greater clarity after her remarks, she told reporters that split-based operations mean the force does not have to send the entire team forward.

“You would send a smaller group forward and then do whatever analytic work or analysis you need to do back at home base be it Fort Gordon or San Antonio or Hawaii or reach back and do some of that work there,” she said, adding, “That kind of facilitates us being a little bit more agile and quick.”

Adm. Michael Rogers, Cyber Command’s commander, recently told Congress that a few years ago one of the fundamental concepts was that they would always deploy forward in full teams.

“One of the things we found with practical experience is we can actually deploy in smaller sub elements, use reach back capability, the power of data analytics, we don’t necessarily have to deploy everyone,” he said. “We can actually work in a much more tailored focus way, optimized for the particular network challenge that we’re working. We’re actually working through some things using this on the Pacific at the moment.”

Barrett also noted that a field study of CPT operations, which compared the service-provided DMSS kits, showed that additional guidance is necessary to require technology-specific software, such as that needed for industrial control systems, or SCADA.

Rogers also told Congress that, given the command’s limited acquisition authority, the contracts he is looking to move on are for capabilities for cyber protection teams and defense.

Separate from DMSS, Barrett noted the need for operational guidance for sensing that would complement CPT capabilities.

“While acknowledging that we currently optimize for sensing known malicious behaviors, behaviors we’ve seen before, that only satisfies the majority of the challenges we see in cyberspace,” she said. This leaves the force less prepared for new or unseen threats and behaviors, echoing a common criticism from many in the cybersecurity industry, who consider threat detection based on signatures rather than behavior to be an outdated model.

To this end, Barrett explained the force is nearing completion of a document outlining the operational guidance for sensing. It will provide the foundational concepts for the development, selection, deployment and operation of sensing capabilities necessary to support security in the defensive cyberspace assigned to the Department of Defense.

This will focus exclusively on detection and collection of data related to adverse activity within DoD cyberspace terrain, to include platform information technology, ICS, SCADA and special purpose networks, she said.

There will be three main goals for this guidance:

  1. Enhance protection of DoD cyberspace terrain by leveraging automated sensing and defensive measures executed from the boundary to the endpoint;
  2. Enhance real-time situational awareness by making key sensing information available at any operational level, so as to improve cyberspace operations by providing access to accurate, timely and complete information for overall decision-making relative to cyberspace; and
  3. Enhance threat-specific operations, for which insights are gathered either through intelligence or from incidents on the network.

Regarding the third goal, Barrett explained that learning of a threat through intelligence facilitates proactive operations: it provides threat-specific information and enables the force to focus action within friendly cyberspace to defeat the adversary. Conversely, reactive operations are necessary when adversary success generates incidents requiring expulsion and remediation. The threat-specific nature of either type of operation, proactive or reactive, will require reconfiguration and augmentation of deployed sensing capabilities to increase the breadth, depth and/or detail of available situational awareness information, she said.

In addition to these planned changes, Barrett noted an organizational change to the way cyberspace operations are planned. Rather than dividing future operations into two buckets – offense and defense – they will merge the two, so that offensive planners incorporate defensive cyber operations into their plans and vice versa.

She explained that she is still surprised when a defender laments that the first part of a meeting was spent talking only about offense. “Why is that a problem?” she asked rhetorically of her own example, noting that the same reactions come from the offensive operators as well.

Each operator on the cyber mission force is trained to the same joint standards, whether they are offensive or defensive personnel.