Interconnected Networks
Section 923 of the bill requires the Secretary of Defense
take actions to “to substantially
reduce the number of sub-networks and network enclaves across the Department of
Defense, and the associated security and access management controls” {§923(a)}.
There are a number of good reasons given for requiring this action; they
include:
• Visibility for the United States Cyber Command in the operational and
security status of all networks, network equipment, and computers.
• Elimination of redundant network security infrastructure and personnel.
• Rationalization and consolidation of cyber attack detection, diagnosis,
and response resources, and elimination of gaps in security coverage.
• Reduction of barriers to information sharing and enhancement of the
capacity to rapidly create collaborative communities of interest.
• Enhancement of access to information through authentication-based and
identity-based access controls.
• Enhancement of the capacity to deploy, and achieve access to,
enterprise-level services.
• Separation of server and end-user device computing to facilitate server
and data center consolidation and a more secure tiered and zoned network
architecture.
The one thing that seems to be missing from this reasoning
is that if Cyber Command has easy ‘visibility’ of all of these networks, it
means that an adversary who successfully penetrates one of these networks can
achieve that same visibility. Just think about a single low-ranking
intelligence analyst’s unfettered access that lead to Wiki Leaks.
Host Based Cybersecurity
Section 924 requires the DOD CIO to “develop a strategy to acquire next-generation host-based cybersecurity
tools and capabilities” {§924(a)}. This next-gen capability should eliminate
the current problems with signature based threat detection techniques. An
important part of this new system is that it be expandable to include more than
just intrusion detection. That potential tool set, yet to be developed, should
include {§924(b)(2)}:
• Insider threat detection;
• Continuous monitoring and configuration management;
• Remediation following infections; and
• Protection techniques that do not rely on detection of the attack, such
as virtualization, and diversification of attack surfaces.
An additional requirement is that it should be “designed for ease of deployment to
potentially millions of host devices of tailored security solutions depending
on need and risk, and to be compatible with cloud-based, thin-client, and
virtualized environments as well as battlefield devices and weapons systems” {§924(b)(2)}.
While this is the holy
grail of security systems, if anyone has the resources to get one developed
that meets these requirements, it will be DOD and DARPA. Even if they only
half-succeed, it will be a major accomplishment. The only question is since
such a system will undoubtedly classified, will the Government allow its use by
critical infrastructure that needs the same level of protection against similar
attackers.
Improving Software Security
While an improved
cybersecurity system will go a long way to protecting DOD computer systems,
they will only be as secure as the software that runs on those systems. Section
925 would require an improved software acquisition process. This new process
would require:
• Update of development and acquisition models {§(925(b)};
• Requirements for secure code development practices {§(925(c)}; and
• Verification of effective implementation {§(925(d)}.
There is an
interesting sub-paragraph to this section that has the misleading title of “Study
on additional means of improving software security” {§(925(e)}. What it is
really being required is a study to look at ways of ensuring that procured software
meets the security needs of the Department. The methods suggested include:
• Liability for defects or vulnerabilities in software code.
• So-called ‘‘clawback’’ provisions on earned fees that enable the
Department to recoup funds for security vulnerabilities discovered after
software is delivered.
• Exemption from liability for rigorous conformance with secure
development processes.
• Warranties against software defects and vulnerabilities.
Because of the size
of the DOD purchasing pocket book this could be a change in the way that
software security is addressed in the market place. If these types of actions
become the standards for software security assurance, there will be a wholesale
change in the way software is developed and sold; probably an over due change.
Cyber-Operations Facilities
Anyone that has
spent time in the military knows that all services have extensive physical facilities
where the weapons of war are tested, evaluated, and most importantly where
their use is practiced. The Senate Armed Services Committee takes the
Department to task in its report for “its lack of attention to its cyber ranges”
(pg 67; Adobe 87). An extensive discussion covering three pages of the
Committee Report identifies a number of instances where funding and resourcing
of existing and developing cyber ranges have declined in recent years.
The Committee
requires DOD to prepare a report to Congress that identifies a central management
structure for the oversight of cyber range “infrastructure, funding and
personnel” (pg 69; Adobe 91). The report will also identify the sources of
funding and resources for the modernization and operation of the cyber ranges.
Cybersecurity Personnel
Everyone knows that
there is a severe shortage of personnel with a cybersecurity background. The
Department of Defense has a large number of personnel slots that need to be
filled in this area. The Committee Report notes that “that every effort must be
made to successfully recruit, train, and motivate for military service young
people with computer skills to operate and defend the Department of Defense’s
computer networks and infrastructure” (pg 117; Adobe 139).
The Report requires
DOD to provide a ‘letter report’ to Congress within 180 days of this
legislation becoming law that:
• Describes current programs for identifying, recruiting, training, and
retaining young people with outstanding computer skills for military service;
• Reports any human capital or specialty shortfalls in cyber defense
career fields; and
• Describes bonuses or any non-traditional or non-standard recruiting
practices that are employed by the military services to locate and recruit
young people for cyber-related career fields.
Development of Cybersecurity Expertise
The Committee Report
(pg 180, Adobe 202) “encourages the Department of Defense to continue to
support multi-disciplinary programs of study and research that focus on
developing U.S. cyber security expertise and tackling vital cyber security
issues”. Included in those issues, the Committee specifically included the
protection of critical infrastructure “which the Department would be called upon
to defend in the event of a cyber attack on the United States”.
What is not clear
from this discussion is how the Senator’s would expect DOD to impose themselves
between such critical infrastructure and cyber-attackers.