In response to the danger posed by COVID-19, remote working has become the norm for the Department of Defense (DoD). As a result, there has been an explosion of endpoints (laptops, desktops, tablets, mobile phones, and servers) on Pentagon networks. The challenge is to secure those networks and to identify all endpoints.
Congress is pressing DoD to improve its ability to monitor endpoints and to ensure that only legitimate ones are permitted on its networks. DoD needs to address Congressional concerns, starting with the creation of a standard monitoring methodology and a common set of definitions to guide its introduction of cybersecurity tools and applications.
The pandemic radically altered the way DoD conducted business. It rapidly moved to a largely remote working environment with some 87 percent of military personnel and DoD civilians working remotely full- or part-time. At least 1 million defense employees have been working fully remote for more than a year. The number may be much higher. Many are employing multiple endpoints to do their jobs from home.
What is remarkable is that by all accounts, productivity has gone up and absenteeism has declined. This suggests that even after the end of the pandemic many thousands of people will continue to work remotely, at least part of the time. Therefore, DoD will have to secure networks that are experiencing a large-scale and potentially permanent proliferation of endpoints.
Everything DoD seeks to accomplish in terms of enabling warfighters to have faster access to data relies on digital platforms that must be secure and resilient. The department’s vulnerabilities, however, lie in its numerous endpoint devices, with each service and component possibly taking unique approaches toward monitoring them. In addition to the recent challenges created by the COVID-19 pandemic and the need for telework, the dynamic challenges facing DoD IT leaders include securing the larger attack surface created by connected mission-critical infrastructure and weapons systems.
A standard DoD-wide methodology would include, first and foremost, a consistent definition of what constitutes an endpoint. The bigger challenge is how to protect not just networks and their endpoints but everything that is an Information Technology asset. Many of these assets, a large share of which can reasonably be deemed “critical,” are Industrial Control Systems (ICS), a class of Operational Technology (OT) used by the military. Simply put, even if IT networks were protected, every air conditioning unit, power outlet, and water main under DoD, if managed by a computer, is a potential risk to mission readiness at every base, post, camp, and station across the services.
This common methodology would also define the requirements or standards for defense (what must be protected and to what extent) and the approaches or tools to be employed. One set of standards which DoD is implementing is referred to as “zero trust network environments.” Zero trust (ZT) is a cybersecurity framework that grants no implicit trust based on network location or device ownership and instead continually assesses the trustworthiness of each access request to a resource, taking into account the identity of the requester, the posture of the device, and the context of the request. Zero trust security presumes that a persistent adversary with enough time and resources can penetrate any perimeter, so the network is treated as already compromised.
DoD has been working towards developing the necessary cybersecurity programs to implement ZT. One such program is Comply to Connect (C2C). C2C is a cybersecurity program first directed by the FY17 National Defense Authorization Act and now established as a program of record managed by the Defense Information Systems Agency. C2C will “establish a framework of tools and technologies operating throughout the network infrastructure that discover, identify, characterize and report on all devices connecting to the network.”
In his testimony before the House Armed Services Committee’s Subcommittee on Cyber, Innovative Technologies, and Information Systems, John Sherman (acting DoD CIO) highlighted the complexity of this undertaking, as some weapons programs date from decades ago, when cyber threats were very different.
“It is clear that for the future fight, the steps being taken in technology and operations will be fully sufficient for the low-tier threat actors of tomorrow while their margin against near-peer competitors will remain slim and uncertain. The steps being taken by DoD, for instance, to achieve ZT across all mission capabilities of the DoDIN, the modernization of DoD cryptography, and to operationalize defensive cyber operations are in the large placing DoD in the right posture for future conflict.”
Congress has been very clear that it believes DoD needs to do more to secure the thousands of endpoints on its networks. In various reports and hearings, both the HASC and SASC have made it clear that while they think there has been progress, the Pentagon’s networks continue to be vulnerable due to their numerous, unvalidated endpoints and the lack of a shared, standardized methodology or system for endpoint monitoring across the department.
One of the leading proponents of the need for a standardized approach to cybersecurity and network security across the entire DoD is Representative James Langevin, Chairman of the newly created HASC subcommittee on Cyber, Innovative Technologies and Information Systems. In a recent subcommittee hearing on the FY22 IT budget request, Rep. Langevin expressed concern to Acting DoD CIO John Sherman that the services have discrepancies in the way they categorize their cybersecurity and IT investments, making it “nearly impossible to get a comprehensive picture of how resources are being spent.”
The challenge of establishing a standard cybersecurity “playbook” is even more daunting for other federal departments and agencies. The U.S. Coast Guard is under the Department of Homeland Security but works with myriad federal and local law enforcement agencies, each with its own definition of endpoints and its own concept of ZT. Here the security standard is effectively set by the need for evidence to be admissible in court: it is only as strong as the chain of custody around the data. The Coast Guard also works with DoD in both peacetime and war.
What DoD, and indeed the entire federal government, requires for effective cybersecurity is standard methodologies coupled with flexibility in the choice of tools, technology, and implementation. DoD has established and funded such a program, C2C, which is working to enable a standard approach to disparate categories of connected devices, both network endpoints and OT. All DoD elements, not just those responsible for cybersecurity, need to embrace the program.
Dr. Daniel Goure is Senior Vice President with the Lexington Institute, a nonprofit public-policy research organization headquartered in Arlington, Virginia. He is involved in a wide range of issues as part of the institute’s national security program. Dr. Goure is also a new Contributing Editor to 1945.