Ask someone in federal IT what zero trust means and you’re likely to hear that it’s about access control: never granting access to any system, app or network without first authenticating the user or device, even if the user is an insider. The term “Never trust; always verify” has become a common way to express the concept of zero trust, and the phrase is first on the list of the Defense Information Systems Agency’s (DISA’s) explanation.
SIGNAL Media Blog
Challenge after challenge, women overcome barriers in traditionally male-dominated fields and organizations. Allow me to tell you my story. I am Technical Sgt. Bonnie Rushing in the United States Air Force and I am a woman warrior. I faced challenges from the very beginning of my time in the military, during training, and in operations. Not only have I overcome every obstacle along the way, I have come out on top. Let me take you through my journey as a woman warrior and plead for your aid in continued culture change.
I take no joy in writing this article, but it is a desperate plea for improvement.
From 1995-2001, I worked for the Department of the Army as a contract specialist procuring advanced communications and electronics systems, equipment and services.
The Department of Defense (DOD) is dramatically increasing its digital security expectations for defense contractors and subcontractors. Having been on both sides of the partnership between government and the public sector, I am happy to see DOD is not only raising the bar on cybersecurity but also providing guidance on the implementation of cybersecurity best practices within the defense industrial base.
Recently, I had the privilege of attending a ceremony and presenting an award to a local high school Junior Reserve Officers’ Training Corps (JROTC) cadet on behalf of another organization for this cadet’s superior performance and leadership. Looking around the stage, I noticed representatives from multiple organizations all eager to recognize the efforts of these amazing young leaders with their respective groups’ awards.
The rising prominence of the Cyber branch in the U.S. military, and namely the Army, begs the question “What will the Cyber branch be used for?” Citing the Defense Department’s plan for the Cyber branch, as well as the Signal branch’s shifting roles in the realm of cyberspace, the responsibilities of both branches are becoming clear. It is evident that as time goes on, the Cyber branch will become focused mainly on the defense of the military domain and cyberspace.
As people around the world practice self-isolation in an effort to reduce exposure and spreading of the COVID-19 virus, the need to maintain a strong cybersecurity posture arguably has never been higher. Millions of people have shifted their daily lives to an environment relying on telework, distance learning, Internet-enabled social engagement, streaming news and entertainment and other activities.
This “new normal” is facilitated by the robust capabilities of the Internet. Yet it presents a significant cyber risk. During the COVID-19 crisis, we’ve seen bad actors stepping up their game with increased incidents of phishing, disinformation, watering hole attacks and other criminal activity.
By now, federal agencies universally recognize that data is an asset with seemingly limitless value as they seek to reduce costs, boost productivity, expand capabilities and find better ways to support their mission and serve the public.
A mushroom cloud explosion in the New Mexico desert on July 16, 1945, forever changed the nature of warfare. Science had given birth to weapons so powerful they could end humanity. To survive, the United States had to develop new strategies and policies that responsibly limited nuclear weapon proliferation and use. Warfare is again changing as modern militaries integrate autonomous and semiautonomous weapon systems into their arsenals. The United States must act swiftly to maximize the potential of these new technologies or risk losing its dominance.
By 2030, artificial intelligence (AI) is projected to add $13 trillion to the global economic output. In government, AI applications promise to strengthen the federal workforce, safeguard our nation against bad actors, serve citizens more effectively and provide our warfighters the advantage on the battlefield. But this success will require collaboration and advancements from government and industry.
It’s easy to forget that in the midst of a catastrophe, physical safety isn’t the only thing that’s important. As technology’s role in disaster response and relief becomes more and more prevalent, cybersecurity becomes an essential part of the process. Here’s why.
Few people are more vulnerable than those impacted by a crisis. Whether a man-made attack or a natural disaster, the widespread destruction created by a large-scale emergency can leave countless individuals both destitute and in need of medical attention. Protecting these men, women and children requires more than a coordinated emergency response.
Cloud computing can quicken U.S. Department of Defense (DOD) efforts toward information dominance, but agencies must be measured and deliberate in the march toward the cloud.
Last year was a banner year for cyber fraud. In just the first six months of 2019, more than 3,800 breaches exposed 4.1 billion records, with 3.2 billion of those records exposed by just eight breaches. The scale of last year’s data breaches underscores the fact that identity has become the currency of the digital world and data is the fuel that powers the digital economy. What’s also clear looking back on 2019 is that digital identities are continually being compromised on multiple levels.
There are certainly similarities between network resilience and cyber resilience. The foundation for both is the ability to maintain business or mission capabilities during an event, such as a backhoe cutting your fiber cables or a nation-state actively exploiting your network. But there are also significant differences.
Supply chain security has been of concern to government leaders for decades, but with attacks now originating in industrial control systems (ICS) from supply chain vulnerabilities and with an increasing reliance on the Internet of Things (IoT), Congress is stepping up its involvement. For example, legislators have promised that more stringent standards will soon be enforced.
When it comes to artificial intelligence (AI), the Department of Defense (DOD) has put a firm stake in the ground. The department’s AI strategy clearly calls for the DOD “to accelerate the adoption of AI and the creation of a force fit for our time.”
The May 7th ransomware attack against Baltimore has crippled much of the local government’s IT infrastructure while holding its network hostage. Not since the March 2018 attacks against Atlanta has a major U.S. city been so digitally impaired.
The subsequent media coverage of Baltimore’s struggle has generated some misplaced criticism of the U.S. government. Initial news reports erroneously claimed that the ransomware leveraged an NSA-developed exploit to compromise Baltimore’s municipal systems. Unfortunately, this snowballed into numerous sources placing blame on the NSA, claiming that they mismanaged their cyber weaponry.
This is grossly incorrect.
Anyone who has worked in the Pentagon or on almost any military installation can attest to wireless connectivity problems. Whether dealing with a dearth of cellular service, inadequate Wi-Fi or security blockers, service members and civilians have felt the frustration of not being able to access information or communicate effectively.
The U.S. Army is leading the charge on the military’s multidomain battle concept—but will federal IT networks enable this initiative, or inhibit it?
The network is critical to the Army’s vision of combining the defense domains of land, air, sea, space and cyberspace to protect and defend against adversaries on all fronts. As Gen. Stephen Townsend, USA, remarked to AFCEA conference attendees earlier this year, the Army is readying for a future reliant on telemedicine, 3D printing and other technologies that will prove integral to multidomain operations. “The network needs to enable all that,” said Townsend.
The response to the Chief of Naval Operations (CNO) Adm. John Richardson’s repeated request to “pick up the pace” of developing and implementing breakthrough technologies for our warfighters has gone, in my opinion, largely unheeded.
This is not the result of a lack of innovative solutions. A myriad of research and development programs exists to support the development of new technologies or to adapt existing commercial technologies to defense applications. Rather, it’s the result of an arcane acquisition process that is burdensome, expensive and lacking vision. Acquisition reform is where we need to pick up the pace!
When the Department of Defense (DOD) launched its Everything Over IP initiative nearly 10 years ago, the focus was to bring traditional telecommunications technology—phone calls, streaming video and even faxes—to the digital world.
At that time, unified communications (UC), especially in the government workplace, was a relatively new concept. Remember, this was a time when voice over Internet Protocol (VoIP) phones were still seen as cutting edge. Now, though, UC has become not just a business tool, but a strategic offering that can connect employees in disparate locations, including the frontlines.
More than a year has passed since the Modernizing Government Technology (MGT) Act was signed into law, cementing the establishment of a capital fund for agencies to support their special IT projects. The MGT Act prompted defense and intelligence agencies to accelerate the replacement of legacy systems with innovative and automated technologies, especially as they explore new ways to mitigate security risks like those experienced all too often by their private sector counterparts.
The military continues to focus its efforts on developing the most sophisticated technologies and capabilities needed to sustain tactical advantage and achieve mission objectives. But the most critical component to success on the battlefield continues to lie with the warfighter.
Open source containers, which isolate applications from the host system, appear to be gaining traction with IT professionals in the U.S. defense community. But for all their benefits, security remains a notable Achilles’ heel for a couple of reasons.
First, containers are still fairly nascent, and many administrators are not yet completely familiar with their capabilities. It’s difficult to secure something you don’t completely understand. Second, containers are designed in a way that hampers visibility. This lack of visibility can make securing containers extremely taxing.
Layers upon layers
The U.S. defense industrial supply chain is vast, complex and vulnerable. Organic components, large-scale integrators, myriad commercial service providers, and tens of thousands of private companies sustain the Defense Department. According to the SANS Institute, the percentage of cyber breaches that originate in the supply chain could be as high as 80 percent.
Implementing a new system can be an exciting time, but the nagging questions and doubts about the fate of data you’ve literally spent years collecting, organizing and storing can dampen this excitement.
This legacy data often comes from a variety of sources in different formats maintained by a succession of people. Somehow, all the data must converge in a uniform fashion, resulting in its utility in the new solution. Yes, it is hard work and no, it is not quick. Fortunately, this scrubbing and normalization does not have to be a chaotic process replete with multiple failures and rework.
It comes as no surprise that U.S. adversaries continue to target and successfully exploit the security weaknesses of small-business contractors. A successful intrusion campaign can drastically reduce or even eliminate research, development, test and evaluation (RDT&E) costs for a foreign adversary. Digital espionage also levels the playing field for nation-states that do not have the resources of their more sophisticated competitors. To bypass the robust security controls that the government and large contractors have in place, malicious actors have put significant manpower into compromising small- and medium-sized businesses (SMBs).
Artificial intelligence can be surprisingly fragile. This is especially true in cybersecurity, where AI is touted as the solution to our chronic staffing shortage.
It seems logical. Cybersecurity is awash in data, as our sensors pump facts into our data lakes at staggering rates, while wily adversaries have learned how to hide in plain sight. We have to filter the signal from all that noise. Security has the trifecta of too few people, too much data and a need to find things in that vast data lake. This sounds ideal for AI.
Every time federal information technology professionals think they’ve gotten in front of the cybersecurity risks posed by the Internet of Things (IoT), a new and unexpected challenge rears its head. Take, for instance, the heat maps used by GPS-enabled fitness tracking applications, which the U.S. Department of Defense (DOD) warned showed the location of military bases, or the infamous Mirai Botnet attack of 2016.
Historically, the U.S. Department of Defense (DOD) has been the driver of technological innovation, inventing remarkable capabilities to empower warfighter mission effectiveness and improve warfighter safety. Yet over the past 25 years, a transformational shift has taken place in several key technology sectors, and technology leadership in these sectors is no longer being driven by the military, but rather by the private sector.
A special operations officer who needed secure network connectivity to transmit data anywhere on the globe gained the capability in less than a minute by using Cyberspace Operations Infrastructure, or CSOI.
That officer was able to send data securely across the open network because CSOI uses the 256-bit Advanced Encryption Standard (AES) encryption mode. A 128-bit header uses a series of standards built out in the 1990s initially to secure drones. It also is used to cloak energy grids and older military architectures that will not attain IPv6, according to Robert Osborne, chief technology officer at IMPRES, the developer of CSOI.
The need for next-generation networking solutions is intensifying, and for good reason. Modern software-defined networking (SDN) solutions offer better automation and remediation and stronger response mechanisms than others in the event of a breach.
But federal administrators should balance their desire for SDN solutions with the realities of government. While there are calls for ingenuity, agility, flexibility, simplicity and better security, implementation of these new technologies must take place within constraints posed by methodical procurement practices, meticulous security documentation, sometimes archaic network policies and more.
As edge technologies continue to get smarter, faster, and more connected, incredible opportunities have emerged for the public sector to accelerate time to value and reduce costs. These mission-specific solutions are also simpler and faster to deploy!
Government IT professionals have clear concerns about the threats posed by careless and untrained insiders, foreign governments, criminal hackers and others. For the government, cyber attacks are a matter of life. We must deal with them as a common occurrence.
Never before has there been such an intense focus on data security and privacy. With data breaches increasing exponentially and the European Union’s recent implementation of the General Data Protection Regulation (GDPR), data security has been at the forefront of news stories over the past several months, with both businesses and consumers suddenly paying very close attention. With this increased attention has come an understanding that data continues to exist even when it is no longer needed or used. Due to this newfound understanding and GDPR’s “Right to be Forgotten,” the eradication of data has new urgency and has become critical to a successful data security program.
Fraud, waste, and abuse (FWA) remains a major challenge to the federal government. From 2012 to 2016, the 73 federal inspectors general (IGs), who are on the frontline of fighting FWA, identified $173 billion in potential savings and reported $88 billion in investigative recoveries and 36,000 successful prosecutions and civil actions.
In February 2018, the Department of Defense (DOD) Defense Digital Service (DDS) relaunched Code.mil to expand the use of open source code. In short, Code.mil aims to enable the migration of some of the department’s custom-developed code into a central repository for other agency developers to reduce work redundancy and save costs in software development. This move to open source makes sense considering that much of the innovation and technological advancements we are seeing are happening in the open source space.
It has become increasingly evident that artificial intelligence (AI) and machine learning (ML) are poised to impact government technology. Just last year, the General Services Administration launched programs to enable federal adoption of AI, and the White House encouraged federal agencies to explore all of the possibilities AI could offer. The benefits are substantial, but before the federal government can fully take advantage of advancements like AI, federal agencies must prepare their IT infrastructure to securely handle the additional bandwidth.
Traffic on optical transport networks is growing exponentially, leaving cyber intelligence agencies in charge of monitoring these networks with the unenviable task of trying to sift through ever-increasing amounts of data to search for cyber threats. However, new technologies capable of filtering exploding volumes of real-time traffic are being embedded within emerging network monitoring applications supporting big data and analytics capabilities.
With the arrival of June, we’re at the halfway point of an already busy year for the cybersecurity industry. With each passing year, our sector continues to demonstrate its evolving approach to fighting cyber threats, as cyber crime itself continues to evolve.
As both business and government move forward with digital transformation initiatives to improve processes and efficiency, the overall security attack surface continues to expand with more potential points of access for criminals to exploit. However, our industry is tackling these challenges head-on, with numerous innovative solutions continuing to come to market.
As a result of recent federal legislative and administrative activity, government agencies are expected to launch significant modernizations of their cybersecurity systems, get offensive with hackers and take a more strategic approach to risk. Combined, these policy directives promise to transform our government into a robust digital society, gaining greater resiliency to cyber threats by leveraging opportunities while reinforcing standards and procedures.
Here’s a breakdown of the key components of the four policies:
The days of the United States’ stature as a force without equal appear to be over. The threat of near-peer competition with increasingly sophisticated adversaries is growing. As Secretary of Defense James Mattis says in the National Defense Strategy, "America has no preordained right to victory on the battlefield."
The Department of Defense (DOD) Operational Test and Evaluation Fiscal Year 2016 Annual Report indicates that while there has been significant cybersecurity progress over the past few years, network defense as a warfighting function continues to be undervalued.
Despite the department’s concerted and progressive network modernization efforts, many networks are built on outdated legacy architectures that were never designed to address the challenges posed by continually evolving threat vectors. Neither agile nor flexible enough to be able to adjust, they are vulnerable to the security risks posed by increasingly intelligent, nimble and enterprising hackers.
The Home Station Mission Command Center technology refresh, generally called the HSMCC tech refresh, is part of my portfolio for the modernization of command centers under the U.S. Department of the Army’s Installation Information Infrastructure Modernization Program. In fiscal year 2017, the Army performed an HSMCC tech refresh on four command centers to establish an interim technical baseline while the service finalizes the system requirements, standardizing the disparate, off-the-shelf technology at the division and corps headquarters.
The government’s effort to balance cybersecurity with continued innovation was underscored last year with the publication of the Commission on Enhancing National Cybersecurity’s Report on Securing and Growing the Digital Economy. The report included key recommendations for cybersecurity enhancements, while also serving as a sobering reminder that “many organizations and individuals still fail to do the basics” when it comes to security.
Today, government agency leaders have been tasked to identify and follow multiple modernization initiatives with the possibility of driving private-sector customizations and delivery practices and the associated business efficiencies into the public sector.
Spanning from the policies circulating through Congress to initiatives set forth by the Trump administration, it’s clear that the federal government has big changes in store when it comes to integrating new forms of innovative technology.
Cyberspace is an operational domain, and cybersecurity is essential to the operational readiness of military units to achieve the mission, defeat the adversary and win wars. Our increasing reliance on cyberspace for command and control and operations in all domains, the explosion of networked digital technologies within combat and support systems, and the growing capabilities of adversaries to threaten the United States and its allies in cyberspace mean greater risks to our mission and to national security.