DISA, JAIC Developing AI-Enabled Cybersecurity Tool
Automation is key to keeping up with adversaries.
The U.S. Defense Department is developing a machine learning tool that can more quickly detect cyber intrusions and enable a more rapid response.
“Our adversaries in cyberspace are automating their attacks. We need to use that same kind of automation and artificial intelligence and machine learning to counter those attacks whenever and wherever we can,” says Vice Adm. Nancy Norton, USN, the outgoing director, Defense Information Systems Agency (DISA), and commander, Joint Forces Headquarters Department of Defense Information Network. “You can imagine the number of attacks and potential attacks that we get and the scale of those, the volume and speed of those. We’ve got to automate as much of that as we possibly can for our workforce.”
The DISA director describes the pilot project as a co-partnership with the Pentagon’s Joint Artificial Intelligence Center (JAIC). It is designed to “identify efficiencies for early detection and accuracy of detection” on the Department of Defense Information Network, commonly referred to as DODIN. “Early detection helps enable the analysts defend the DODIN proactively instead of reactively and provides an opportunity for them to monitor the data sources to make informed decisions,” Adm. Norton adds.
The two-phased project began in May and recently completed the first phase. “We’re working with defense cyber operators on identifying phase two use cases that will incorporate different data feeds that will test the capabilities of the production environment. In the fiscal year 2021, we’ll determine if this capability could be leveraged in production, not just for DISA but across DOD for enterprise use,” she reports.
The department already is seeing some benefits, according to Adm. Norton. “What we’ve found already is this is reducing the time for our analysts to understand what’s happening on our network. Our analysts can use this capacity as a single dashboard to get a snap of the monitoring data and developing machine learning analytics,” she says.
Tinisha McMillan, division chief for DISA’s Cyber Situational Awareness and NetOps Division, leads the effort for the agency, working closely with personnel from the JAIC. McMillan is responsible for building and providing cyber analytics and tools to enhance the department’s cyber information sharing to protect the DODIN.
DISA has found that analysts must use an array of different systems to gain intelligence about what is happening on the DODIN, and the agency is developing tools to make the process quicker and easier so that analysts become more effective.
“Right now, we have a lot of different tools, and they had to go to a lot of different places to get that, so just having that single dashboard they can operate on saves a tremendous amount of time, and then when you’re able to correlate the data into that data analytics and machine learning analytics, it facilitates response actions that are much, much quicker,” Adm. Norton explains.
She suggests the agency may work with the JAIC on additional projects in the future. “We really look forward to continuing other opportunities to work with JAIC for accelerating our responses in cybersecurity and other mission areas.”
DISA also supports the JAIC with its Joint Common Foundation artificial intelligence development environment, a cloud-based environment for developing artificial intelligence tools. The JAIC used DISA’s systems engineering, technology and innovation (SETI) contract vehicle to award a $106 million task order in August to Deloitte Consulting LLC to build the joint platform.
Adm. Norton compared the contract vehicle to other transaction authority (OTA) contracts, which allow greater innovation and more rapid development of prototypical technologies. “SETI provides contracting flexibilities that are similar to [OTAs], but in a federal acquisition regulation-based environment. It has all the same positive attributes that a requirement owner would pursue, but the risks to schedule, cost and performance are less.”
Other task orders awarded under the SETI contract include a cybersecurity engineering task order known as SharkSeer 2.0 and the Defense Enterprise Office Solution. The former supports an enterprise boundary defense system that uses artificial intelligence to identify and mitigate zero-day cyber attacks and advanced persistent threats to protect Defense Department networks. In partnership with the Defense Department’s chief information officer, the latter aims to develop an enterprise solution for common communication, collaboration and productivity for the combatant commands, defense agencies and field activities.
“In the near term, DISA’s going to replace the commercial virtual remote capability with the enduring solutions known as DOD 365, which will offer a centralized cloud identity and authentication solution. This will evolve over the next three years under the Defense Enterprise Office Solution, or DEOS contract, to include classified, overseas and deployed Microsoft 365 environments for a much wider variety of our warfighters,” she offers. “In this project, we’re expecting at least 76 organizations under the six combatant commands and all of the defense agencies and field activities to join DOD 365 environments with migrations continuing well into 2021.”
While the SETI contract offers some advantages, Adm. Norton indicates the agency will continue to use OTA awards as well. “We definitely should expect more OTAs. Right now, DISA has been working very deliberately using OTAs and will continue to do that for innovative prototypes to solve many of the agency’s and department’s problem sets,” she says.
The agency currently has five such contracts ongoing. The Cloud-Based Internet Isolation and Mobile Endpoint Protection are in production; the other three are prototypes. “The three ongoing prototype OTAs are focused on identity. The first one being identity credentialing and access management; the second one being focused on artificial intelligence and machine learning, and the third a sensor and alert network,” Adm. Norton states.
She also stresses the value of the zero trust weapons architecture, which she describes as a “cybersecurity framework and strategy that represents a total paradigm shift away from the traditional perimeter defense approach.” Network owners can apply the strategy to their systems and embed cybersecurity throughout Defense Department architectures to prevent malicious actors from accessing the military’s most critical assets and prevent any significant data loss if systems are breached.
“We’ve been doing a lot of work within DISA and joining with the National Security Agency to create a zero trust team that has been developing the initial [Defense Department] zero trust weapons architecture, which is intended to be a dynamic document that’s updated as additional use cases are identified,” Adm. Norton notes.
The reference architecture 1.0 is currently being staffed for review within DISA, the National Security Agency, U.S. Cyber Command and the office of the Defense Department chief information officer, and will ultimately be made available to all of the department components. “In 2021, we’re going to be continuing to move this forward with developing and implementing a test environment to evaluate representative zero trust capability to validate the reference architecture, and we’re going to be piloting additional identity efforts,” she says. “In 2021, iterations of the reference architecture will address additional zero trust use cases as well as incorporate real-world results and lessons learned from [Defense Department]-compliant zero trust pilot efforts currently underway.”
DISA is working in an advisory role to support several pilot efforts across the department. “We’re assisting our components in the application of zero trust concepts within their systems and their network and performing an analysis of the architectures against the zero trust reference architecture,” Adm. Norton offers.
The pilot programs are being used to test some of the zero trust principles and build that into the reference architecture, she adds. “The pilots are being used as very much an iterative process to inform other [Defense Department] components of what we’ve seen that is being used, what is most useful—like understanding what the additional overhead would be for our system administrators as they’re administering a very deliberately designed zero trust architecture.”
Lessons learned will be used for the next iteration of the reference architecture. “You can’t buy a zero trust network. You have to pull the pieces together, and of course, in [the Defense Department], we already have our networks. We can’t go out and completely replace stuff from scratch and build it all new,” she points out. “So, one of the big lessons learned is understanding what we can do with the existing network that we have, with the existing devices that we have, and with the kinds of processes that we have to build these zero trust principles into the existing network rather than going through and ripping out and replacing a bunch of different capabilities.”