The Fifth Column Forum
Subject: How The Pentagon Tries To Stay Ahead Of Cyberattacks

Posts: 6899
Registered: 13-8-2017
Location: Perth
Member Is Offline

[*] posted on 5-6-2018 at 12:56 PM
How The Pentagon Tries To Stay Ahead Of Cyberattacks

Jun 5, 2018

Jen DiMascio | Aviation Week & Space Technology

The U.S. military owns more than 13,000 aircraft and many more weapon systems, each with multiple subsystems. From an airpower standpoint, it represents an overwhelming advantage. But from a hacker’s perspective, those numbers represent limitless points of entry.

With so many vulnerabilities, the Pentagon faces an ongoing battle about the best way to add resilience to its network systems.

In 2016, the Defense Science Board issued a report pointing out a major inadequacy in the military’s approach to cybersecurity. Until then, services had focused on setting a system of rules for behavior and judging organizations on how well they complied with those rules.

- Military developed system of prioritizing risks to focus its efforts
- Companies now helping to protect programs, systems and system of systems

But the corporate world—including the Pentagon’s top contractor Lockheed Martin and financial giant Goldman Sachs—had moved beyond such simplistic measures of success, the report said. Instead, they had created ways to use data from cyberattacks to learn lessons about their own soft spots and analyze and prioritize how to fix them.

Congress liked the idea and intervened, directing the military to systematically assess the vulnerabilities of its major weapon systems by the end of 2019 and provide quarterly reports on progress in the meantime. Along with that effort, the military has established a method of sorting each system—based on mission type, dependence on networks, threat from adversaries and impact level of a potential compromise—to create categories of risk for each weapon and allow the Defense Department to prioritize its effort. That feeds into scorecards that can help bake cybersecurity into ongoing requirements for the system.

Kenneth Rapuano, the Pentagon’s principal cyber adviser, says the military is making progress toward its assessment goal. “The wartime cybersecurity of our systems and networks will mean little if the qualitative advantage of our weapons platforms has been eroded during peacetime by the exfiltration of sensitive military information,” Rapuano says.

Engility Corp. is one company at the forefront of helping the military audit risk for hundreds of U.S. Air Force command-and-control systems, as well as Navy ship and Naval Air Systems Command programs.

Engility is working to improve the security of the U.S. Marine Corps’ CH-53E helicopters. Credit: Lockheed Martin

The company has devised a data analytics engine it calls Synthetic Analyst to review and spot when a system is operating incorrectly. It uses secure systems engineering to define the requirements a system must have to design in cybersecurity that includes resilience to attack, isolation and diversity. Last fall, the company won a $30 million contract to modernize the Naval Air Warfare Center Aircraft Division Facility’s engineering and aircraft launch-and-recovery equipment needs.

John Sahlin, chief technology officer of Engility’s Defense and Security Group, has created cyber-risk assessments for the Navy’s new frigate program office and assists the company’s assessment efforts at Naval Air Systems Command.

Sahlin says their work builds on a simple concept. The analogy is spending money on a high-end security system, then leaving your windows open in the summer. “You may wind up with a false sense of security,” he says. “The same is true with military platforms. If a system for the radar is highly secure but you have a vulnerability that’s left open for convenience, it could turn into something that someone could exploit.”

Much of the focus on cybersecurity to date has been on individual platforms. The Navy’s Space and Naval Warfare Systems Command, for example, created cyber-related standards for all of the Navy’s acquisition shops—at both the systems and platform levels.

Engility drew on those standards for its work on the Navy’s frigate, and its Aegis weapon system goes beyond that to look at how these systems of systems interact with each other. “We ensure we don’t have a patchwork quilt that frays at the seams,” Sahlin says.

Now Engility’s work on the frigate serves as a reference architecture, and the company is applying the same kind of systems engineering lessons at Naval Air Systems Command on multiple systems, including Lockheed Martin’s CH-53E helicopter.

Report after report shows program managers continuing to worry about cybersecurity. That includes the Defense Science Board, which reported in 2017 that cybersecurity can degrade once weapons are fielded, parts become obsolete, and maintainers turn to potentially suspect corners of the supply chain.

An analysis of the supply chain is part of Engility’s Risk Management Framework evaluation, Sahlin says. The company’s Cyber ENnovation Center brings together experts in all facets of cybersecurity—including the supply chain.

Ultimately, Sahlin says, the government’s approach is helping ensure overall security. But in the cat-and-mouse game of cybersecurity, that is never enough. “Continuous monitoring is a critical element,” he says. “We want to constantly reevaluate to make sure they are keeping up with the best practices.”

[*] posted on 17-7-2018 at 04:47 PM

Military Cyber Training Still Tough Problem To Solve

Jul 17, 2018

Angus Batey | ShowNews

Exercises such as NATO’s Locked Shields bring military cyber operators together with civilians.

The increasingly sharpened focus on cyber-warfare capabilities across the world’s militaries underlines that the sector is important – and that both defense departments and political leaders are willing to allocate significant resources to the sector.

But one area where there still seems to be a gap between reality and institutional understanding is that of cyber training.

The U.S. defense department’s chief weapons tester, the Director of Operational Test and Evaluation, has consistently warned of the problems the U.S. military may be creating for itself by its inability to include realistic and representative cyberattacks as part of large combined exercises. It is understandable why these do not generally happen: commanders tasked with running a weeks-long exercise involving hundreds of personnel will be reluctant to find that the comms network goes down on the morning of the first day after the cyber red team carries out a successful attack.

As a result, military cyber exercises today tend to involve cyber warriors only. But a failure to train the whole force will lead to inadequate preparation for a future conflict, in which adversaries are certain to deploy cyber effects – which can cause significant impact for minimal risk and cost – often and early.

“We need to be looking at combined operations that include cyber and physical, and we need to be looking at training environments that do it all,” says Martin Hill. “We need to make sure we don’t do it with the cyber stuff happening over here and the physical stuff happening over there and some of the people talking to each other occasionally. It needs to be part of a combined, planned operation, so that you know what you’re defending against and what the risks are.”

Hill is a corporal in the UK Army reserves and has been an intelligence analyst within the British military for eight years. In civilian life he works as an information-systems architect, so is well placed to analyze the structures that militaries need to put in place if they are to be able to train in cyber defense effectively.

“You need to know what your weak spots are, so you can allocate resources – whether it’s to the PR end of things, or whether it’s the cyberattacks that need to go alongside your physical attacks,” he said during a panel discussion at the military training and simulation conference, ITEC, held in May in Stuttgart. “That’s going to require the right kind of training beforehand, so that we build the right vocabularies – because people who work with maps don’t work very well with cyber; people who work in cyber don’t work very well with maps.

“There’s all kinds of sorts of things that we need to thrash out, but we don’t have very much time – because lots of nations and groups are already doing this very well. And this is something we’re quite far behind on.”

The U.S. Army is looking to address this through a project being run by its Program Executive Office for Simulation, Training and Instrumentation. Initial contracts for prototype components of an overarching system – the Persistent Cyber Training Environment (PCTE) – were awarded in January, though a complete solution is still some way off.

“You’ve got to train like you fight, and in cyber it’s really hard,” Bruce Caulkins, a former U.S. Army colonel who is now program director for modeling and simulation of behavioral cybersecurity at the University of Central Florida, told the same ITEC audience. “Things like the PCTE will be important, because it means you’ll be able to have an always-on cyber-training environment.”

Industry has a role to play in conceptualizing and delivering appropriate solutions. Part of the problem may be that established providers of military training will need time to reconfigure themselves to provide this – be that by partnering with IT companies to acquire specialist cyber skills, or simply in understanding how their military customers wish to operate in what remains a new and somewhat confusing domain.

“Training cyber professionals to enable them to fight the cyber war means you’re taking network engineers and training them to think like analysts, and having analysts think more like network engineers,” says Gene Colabatistto, president of training specialist CAE’s defense and security division. “At the moment, we don’t do that. We are looking, as part of our business, and in particular as a training company, at the cyber environment as another domain we would like to actually be training operators in – but we don’t do that today.”

[*] posted on 18-7-2018 at 11:26 AM

Pentagon Wants Industry to be Smart on Cyber, But No Plan Yet

Under constant cyber attack, the Pentagon is struggling to find ways to incorporate cyber security as part of the contracting process.

By Paul McLeary

on July 17, 2018 at 9:53 AM

Seven autonomous cybersecurity systems face off for the DARPA Cyber Grand Challenge in 2016.

FARNBOROUGH AIR SHOW: Despite a series of high-profile hacks targeting US defense contractors, the Pentagon still doesn’t have a workable plan to convince companies they work with to harden their cyber defenses.

“Because of a couple of recent events, we realized that that is not good enough,” Kevin Fahey, the assistant secretary of defense for acquisition, told reporters here.

Fahey said Monday afternoon that companies often self-report on whether they meet federal contracting regulations. Given the constant attacks on defense contractors from state and non-state hackers, the Pentagon is looking for ways to clamp down.

“We have to develop a way that we evaluate people’s capability in cybersecurity,” from the start, Fahey said. There is talk of making cyber hygiene part of the contracting process and including it as a deciding factor in awarding contracts just like cost, schedule, and performance.

“The only way you make it serious to industry is you make it part of the competition,” Fahey said. “We know it’s really serious now that we need to make that as a priority.”

Fahey briefed alongside Eric Chewning, deputy assistant secretary for Manufacturing and Industrial Base Policy. Chewning said that the government also may conduct Red Team exercises to test new patches and assess vulnerabilities.

While there has been some movement, there is still a very long way to go before any real programs and rules are in place. Deputy Defense Secretary Patrick Shanahan warned companies in February that they need to take network security more seriously, or potentially lose business.

In June, Kari Bingen, the Pentagon’s deputy secretary for intelligence, testified at the House Armed Services Committee that “we must establish security as a fourth pillar in defense acquisition,” while making security “a major factor in competitiveness for U.S. government business.”

The plan, dubbed “Deliver Uncompromised,” is looking for ways the Pentagon can work with the defense industry on a case by case basis to toughen security and head off threats, adding security and counterintelligence assets “to augment our collection and analysis capabilities, gain a more comprehensive understanding to threats against our technologies.”

The announcement came days after reports emerged that China had hacked into a U.S. defense contractor, stealing classified information about undersea warfare technologies, including plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020.

Ideas about incorporating cybersecurity in acquisition decisions and policy formation will be part of the much-anticipated Defense Industrial Base report, which the Pentagon hoped to have been made public by Farnborough. But the report continues to bounce around the White House, where it has been since April, an official told me.

Industrial base chief Chewning, who headed up the drafting of the industrial base report, said that in the past, “our industrial policy essentially was our acquisition policy. It was what we bought and how we bought it,” Chewning said. “What I’d like to be able to do is get out in front of that and think about, how do we help inform acquisition policy with an industrial policy in support of our modernization objectives.”

[*] posted on 18-7-2018 at 11:42 AM

Pentagon Rolls Out Major Cyber, AI Strategies This Summer

"We’re getting ready to make a big announcement, coming out in weeks," acting deputy CIO Thomas Michelli said. "Watch this space. Stay tuned."

By Sydney J. Freedberg Jr.

on July 17, 2018 at 4:44 PM

A DISA schematic of the Department of Defense Information Networks (DoDIN).

ARLINGTON: The Pentagon is “weeks” away from rolling out official strategies on cyberspace, cybersecurity, and artificial intelligence that will create new capabilities and funding streams, the acting deputy CIO said this morning.

“Soon to be published — I would say in weeks — is the cyber strategy that supports the National Defense Strategy,” Thomas Michelli said this morning. “Shortly after that we’ll publish the cybersecurity strategy, (and) we are about ready to announce an artificial intelligence strategy.”

“When you see that, you’ll see we’re moving dollars and resources to artificial intelligence,” Michelli promised. “We’re setting up several capabilities within the Department (of Defense).”

Michelli didn’t divulge details. “I’m tapdancing a little bit here, because we’re getting ready to make a big announcement, coming out in weeks, and I don’t get ahead of that,” he said during Q&A at a CXO Tech Forum. “Watch this space. Stay tuned.”

That said, there’s plenty of existing guidance from the Pentagon CIO, Dana Deasy, and Defense Secretary Jim Mattis himself to give us the broad strokes. Everything starts with the National Defense Strategy Mattis issued in January, Michelli said — if you haven’t read it yet, he said, you should — from which derives the general cyber strategy, from which in turn derives the cybersecurity strategy: “All these things are mutually supporting.”

CIO Deasy has already set four intertwined priorities for Pentagon information technology in particular:

- artificial intelligence and machine learning;
- cybersecurity, for which AI is particularly critical;
- command, control, & communications (C3) network infrastructure, how the military transmits everything from top secret intelligence to orders for spare parts; and
- cloud computing — “we’re moving to cloud as fast as we can,” Michelli said.

The emphasis on AI comes from the top: “Secretary Mattis realized this is something that will enhance lethality, so he’s put a strong emphasis on artificial intelligence,” Michelli said. “He’s been out to Silicon Valley several times as well as other tech corridors.” Human brains can’t cope with the sheer volume of data pouring into the Pentagon, be it cybersecurity alerts or drone surveillance video, and in areas like cyber and electronic warfare, humans can’t keep up with the pace of events, either, forcing the military to a new reliance on AI. “We have to have a way to respond in milliseconds,” Michelli said.

Yes, there are risks in militarizing artificial intelligence, Michelli acknowledged. But those risks are manageable, he argued, if “we have trusted partners to develop it and are aware of the risks … when we implement it.” And if we don’t invest in military AI, the alternative isn’t staying at some safe status quo, because the status quo is already fraught with risk and our adversaries are busily making it riskier. “We need to recognize, especially in cyber, that we accept risk every day (already),” Michelli said. “There are already folks in our networks and systems.”

“We have to move forward or else we’ll lose competitive advantage,” Michelli said. “Both China and Russia, our major competitors in the National Defense Strategy, are investing heavily in artificial intelligence.”

Echoing Mattis and other senior leaders, Michelli emphasized that the Defense Department needs to take a new attitude towards risk, one that focuses on understanding and managing it, but still taking some, rather than a bureaucratic effort to eliminate risk altogether. The military needs to take some of the courage and risk-tolerance it shows on the battlefield and apply it to technological innovation.