In Network Defense, Time Is of the Essence
Information warfare has raised the stakes for securing cyberspace.
The organization tasked with protecting U.S. Defense Department networks is looking to accelerate its ability to detect and respond to enemy cyber attacks. While detection and response are not new, they have assumed greater importance as cyber attacks are combined with kinetic operations throughout the battlespace.
At the heart of this defensive approach is command and control (C2) of network defense for the department. This effort is run by the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN), which is a component of the U.S. Cyber Command. Facing millions of attacks daily from a broad scope of adversaries, the JFHQ-DODIN is extending its reach to assume more functions protecting defense networks.
Rear Adm. Kathleen M. Creighton, USN, deputy commander, JFHQ-DODIN, emphasizes the need for rapid action in network defense. “We need to defend, but quickly,” she says. “[With] the rate at which new malware is developed and released, our ability to patch quickly is something we have to do fast. With a network of this scope and scale, it’s challenging.”
A quick response will require more automation and greater cooperation among the joint force, she says. Tapping expertise across the entire Defense Department is a must. The JFHQ-DODIN is partnering within the military as well as in other parts of government and in industry and academia. “To get faster … you need new ideas. It’s just a growing area,” Adm. Creighton indicates.
Cyber defense is the first priority of the Cyber Command, which is being elevated to combatant command status. “Our mission space is growing as we understand the risk more,” the admiral states. “Our adversaries are getting bolder and more willing to attack us. So we have a growing mission, and we need a motivated, trained workforce that wants to work in this area.
“The threat just keeps getting bigger as we look at new technologies like cloud,” she continues. “Defense of the cloud now will be a huge challenge to us.”
The DODIN comprises many defense networks, and the admiral points out that adversaries attack them millions of times a day. The JFHQ-DODIN is trying to become more proactive in anticipating attacks and predicting attackers. “We want to understand the attack when it’s offshore versus when it’s at our door,” states Adm. Creighton, noting that she is referring to putting more space between the adversary and the DODIN rather than defining an attack in geographic terms. As a result, the JFHQ-DODIN is looking at new defense strategies and potential partners.
The DODIN has a layered defense with many levels of protection, the admiral points out. “A lot of forethought went into the defensive structure of the network … and those many layers are what has protected from many of the major cyber attacks that have happened,” she says.
This layered approach plays out as the Cyber Command incorporates the JFHQ-DODIN into planning elements staffed with individuals who coordinate offensive and defensive cyber effects. These cells, which will include planners from the JFHQ-DODIN, are forward extensions of both offense and defense in the command. They can integrate cyber offense and defense into operations plans and other warfare areas, including kinetic operations, the admiral explains.
Overall, defending the DODIN poses three challenges, Adm. Creighton offers. The first is developing true network situational awareness. Supporting this effort is Operation Gladiator Shield 17, a defensewide order to define network boundaries, understand the battlespace and prioritize its defense. “It’s a very challenging thing that we’re asking the Defense Department to organize itself to do,” the admiral states.
Another challenge is to manage the vast amount of defensive cyber information generated by all these defense organizations. Each one has its own data pond, Adm. Creighton points out, and for maximum effect, this information must be aggregated and shared among network owners. The goal is to create a single lake from these many ponds, she analogizes.
The third challenge is attracting and retaining an effective workforce. Technology is moving fast, and the profession is moving faster as defense organizations compete with the private sector for skilled cyber workers.
The JFHQ-DODIN Operations Center, known as the JDOC, is organized to provide the necessary C2 for cyber defense. The center includes battle stations that focus on each of the services, combatant commands and defense agencies—the DODIN’s organizational customers—to generate network situational awareness. “We’ve created a battle rhythm in which we’re synchronizing with all of the 42 areas of operation, so we have touchpoints with them multiple times a day,” she relates. “We’re using automation to maintain that situational awareness.”
An inspection branch, the DODIN Readiness and Security Inspections (DRSI), ensures that networks are in compliance and helps understand their operational risk. Knowledge about adversaries’ activities is incorporated into DRSI inspections quickly, the admiral reports. Depending on the nature of the information, it could be cause to launch immediate inspections rather than the standard procedure of adding it to regularly scheduled visits.
Six cyber protection teams are under the operational control of the JFHQ-DODIN. Adm. Creighton describes them as the organization’s maneuver forces, and they are employed based on operational priorities. These defensive forces are an important part of the JFHQ-DODIN’s C2, she adds.
While the intelligence and operations elements of the JFHQ-DODIN often work together, the organization also has created a group that represents the fusion of the two disciplines. This new group is important to the JFHQ-DODIN’s development of its approach to defense, Adm. Creighton offers. Its understanding of the technical piece, along with intelligence, is critical to the JFHQ-DODIN’s success, she emphasizes.
The DODIN cyber sensor grid—which has provided an understanding of what the adversary was trying to do to the network—used to be the driver for defensive operations, the admiral continues. Now, the goal is to incorporate more of a predictive intelligence capability to help drive these operations. The JFHQ-DODIN is tapping commercial capabilities in this area as well as exploring efforts by the intelligence community to support cyber operations. She notes that this effort is still under development.
Several commercial technologies will be vital to the JFHQ-DODIN’s future, especially those that increase operational speed. These include artificial intelligence, advanced analytics and capabilities that allow networks to be constructed in a more defensible form, Adm. Creighton offers. Other technologies include virtual environments that permit quicker defense without having to touch every endpoint—a single solution can be pushed out across the network. Also on the list are new methods of multifactor authentication that are more complex than current card systems.
The ability of the JFHQ-DODIN to harness new technologies and implement them quickly and uniformly may be the organization’s most daunting task, the admiral suggests. With responsibility for hundreds of defense networks, deciding on a capability and moving it into place is difficult.