DISA Director Forecasts Future Cybersecurity Safeguards
Lt. Gen. Alan Lynn, USA, calls on industry to help the Defense Department safeguard its networks.
The cyber attack into a key unclassified email server of the U.S. Joint Chiefs in August helped indoctrinate and shape missions at the new centralized office erected to defend the Defense Department’s cyber networks, said Lt. Gen. Alan Lynn, USA, commander of Joint Force Headquarters–Department of Defense Information Networks (DODIN).
The nation-state-sponsored attack was a bit of a shock in its aggressiveness, said Gen. Lynn, who also serves as the director of the Defense Information Systems Agency (DISA). “For three weeks, we went after this cyber event and worked it to figure out how we now work as this new command.”
While the office gained its initial operating capability, or IOC, in January, it still is relatively new by federal standards. “It’s still in its infancy … but the enemy doesn’t know that,” Gen. Lynn noted Tuesday at an AFCEA D.C. Chapter event. “They want to attack now, so we had to play now. Game on.”
The incident helped shape his approach to the job after he took the helm in July, said Gen. Lynn, offering attendees a forecast of future requirements and needed solutions. Protections to defend the Defense Department’s cyber infrastructure will include software-defined networking, virtual desktop infrastructure and commercial cloud solution optimization, Gen. Lynn offered.
“We absolutely need industry with us, otherwise we can’t function,” Gen. Lynn said. “I want to innovate with industry. I want to open our doors to greatness.”
Software-defined networking (SDN) solutions should mirror what the Defense Department has done to secure voice communications through a practice he called frequency hopping. “Imagine you can build a network, move applications over to it, move clients over to it and then drop that network and start building a new one. Now you’re an adversary trying to get into a network that just dropped,” Gen. Lynn explained. “It’s hard to be persistent with software-defined networking that’s changing all the time.”
Migrating to a virtual desktop infrastructure (VDI) could mitigate sources of the greatest number of network breaches. “The big attack vectors, when you look at them, are email—where you double click on a phishing expedition and it opens yourself up to attack—and actually touching the Internet,” Gen. Lynn said. “It’s dirty out there. The chance of bringing something back home is pretty good.”
Additionally, the Defense Department is focused on a robust push toward moving data to commercial clouds and seeking hybrid solutions in which industry providers supply services from locations housed on Defense Department property. Moving data that does not need stringent security requirements reduces the number of networks the military must protect.
“I’m starting to think of this is a long game plan, kind of like the Cold War,” Gen. Lynn told the attendees. “It doesn’t cost them that much to attack us. It costs money to fix it. It costs a lot of money to fix it. If you’re looking to just chip away at the United States and its infrastructure and its economy, what a neat way to do it—just a little bit at a time.”
Gen. Lynn also announced that as DISA embarks on its Encore III mammoth contract vehicle for IT goods and services, he hopes to uncover contracting methods that will not penalize the small businesses that perform well and grow as a result of government work. “I want to design something into Encore III that, if you’re a small business going in, you can still compete if you break that small business barrier,” he said.
Encore III is the follow-on to the $12 billion Encore II contract that expires in 2018, though Gen. Lynn said the process likely will be expedited so that the next evolution is delivered sooner. He did not specify when.
DISA's new operational role in the cyber domain as network defender alleviates some of the burden on U.S. Cyber Command and the military service components, a marriage and way forward that will be the focus at the 2016 AFCEA Cyber Defensive Operations Symposium in Washington, D.C., as will be talks of budget shortfalls. Last year, DISA reduced overall costs by 9 percent. As leaders brace for additional budget cuts, this year they have a goal to reduce costs by another 7 percent, he said. “We’re doing that with efficiencies, but I tell you, industry partners can help.” One example was the Defense Department Enterprise Email (DEE) service, which provides secure cloud-based email for the whole department.
“Now we’re looking for a way to do [DEE] in a more efficient way,” Gen. Lynn said. “We’re thinking industry can provide it better, cheaper and faster than we can. As we get back to the bottom line, our funding is being reduced, and we’re looking for our partners to help us drive down costs.”