The Defense Department is taking steps to increase the security of its internal computer systems, after incidents and inspections that found the agency deficient in basic cyberhygiene.
CIO Terry Halvorsen recently released an amended version of a comprehensive plan, the “DOD Cybersecurity Discipline Implementation Plan,” to reduce cybersecurity risks.
“Inspection reports and lessons learned from recent network intrusions have revealed Department-wide, systemic shortfalls in implementing basic cybersecurity requirements established in policies, directives, and orders,” the plan states. “Most successful cyberspace intrusions exploit preventable and generally well-known vulnerabilities. The mission is at risk, and every individual must understand their roles, responsibilities, and actions necessary to maintain a high, persistent state of cybersecurity readiness required to deliver mission assurance.”
The plan includes four courses of action (“lines of effort”) to guard against departmental attacks and intrusions. Each aspect of the plan focuses on an area of cybersecurity defense that the Pentagon says hackers are exploiting to gain network access.
The plan also establishes a process to ensure that each DOD component carries out the required tasks; this includes using a scorecard to judge how well divisions are following through. As FierceGovernmentIT reports: “Each of the Lines of Effort also demand commanders and supervisors of systems meet required scorecards that are mostly all-or-nothing, wherein if one aspect is not met then the review is seen as a failure.”
According to the plan, “by including cybersecurity compliance in readiness reporting, this campaign forces awareness and accountability for these key tasks into the command chains and up to senior leadership, where resourcing decisions can be made to address compliance shortfalls.”
Hardening Cybersecurity Defenses in Networks and Hardware
The four activities outlined in the plan are as follows: require strong authentication, to prevent hackers from getting into computer networks and to increase user transparency; harden devices, to make it more difficult and expensive for hackers to infiltrate; reduce the “attack surface,” to decrease the ability of criminals to access DOD networks; and coordinate with cybersecurity and computer network defense service providers, to better detect and respond to attacks.
Commanders and supervisors will continue to report their status on meeting these requirements through the Defense Readiness Reporting System, “allowing leadership to review compliance down to the tactical level,” as the plan explains.
The new Cybersecurity Scorecard will enable Defense Secretary Ashton Carter “to understand cybersecurity compliance at the strategic level by reporting metrics” from the DOD’s components and the armed services. The department intends to use the scorecard and the Defense Readiness Reporting System to report cybersecurity progress “as soon as possible.”
Multipronged Response to Cyberthreats
The goal of the plan is to have the DOD be in a “persistent state of high enterprise cybersecurity readiness” on all its IT systems and networks.
The department’s leaders will be “responsible for ensuring the information capabilities they own, manage, or lease have implemented the requisite level of cybersecurity.”
As part of the plan’s emphasis on strengthening authentication, commanders and supervisors will “focus attention on protecting high-value assets, such as servers and routers, and privileged system administrator access.”
Another goal, device hardening, aims to thwart those who seek to steal information, modify DOD systems, install malicious code and prevent authorized users from accessing systems. “Commanders and Supervisors must prevent common exploitation techniques through proper configuration, vulnerability patching, and disabling active content in emails,” the plan states. Further, “a number of widely deployed operating systems have become obsolete and must be removed from the network.” (The DOD is in the process of upgrading millions of its computers to Windows 10.)
The plan’s call to reduce the attack surface means department leaders will eliminate Internet-facing servers from the DOD information network core and ensure that only operationally necessary Internet-facing servers are used in demilitarized zones.
Expanding on the fourth course of action, the plan notes that coordination with cybersecurity and computer network defense service providers is necessary “to mitigate cybersecurity threats and enable the provision of accurate, timely, and secure information to the warfighter.” Accordingly, DOD supervisors will give service providers “standardized information,” who will in turn “exercise response plans to validate the processes, subscriber documents, contact information, and communication mechanisms.”