
Combating Cyber Vulnerabilities

Two crucial defense programs are growing to combat cyber issues at a greater scale.

The Department of Defense Cyber Crime Center, known as the DC3, is expanding to address the increase in cyber attacks and vulnerabilities.

The DC3’s Vulnerability Disclosure Program is expanding exponentially over the next several years to combat cyber weaknesses on Department websites and networks. In addition, the department’s Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE) is evolving to safeguard the complex network of large and small companies that support U.S. military technologies.

The DC3 is a unique federal cyber center based in Linthicum, Maryland, that delivers innovative capabilities and expertise to the department and the defense industrial base and helps enable and inform law enforcement, cybersecurity and national security partners about threats and vulnerabilities. In addition to including the Vulnerability Disclosure Program and DCISE, the DC3 includes the Cyber Training Academy, the Operations Enablement Directorate and the Cyber Forensics Laboratory, among other offices. 

The DC3’s Vulnerability Disclosure Program developed about eight years ago out of an ethical hacking program, an early software “bug bounty” effort by then-Secretary Ash Carter that identified cyber issues. The program presents solutions to remediate discovered vulnerabilities on the Department of Defense Information Network (DODIN).

The DC3’s Vulnerability Disclosure Program is now the world’s largest federal vulnerability disclosure program, said Melissa Vice, director of the program.

“I think in the beginning they thought we would work ourselves out of a job,” said Vice. “But as you know, there’s always new vulnerabilities to go after. And because it is a secretary of defense-level organization and program, there is no ‘opt in or opt out.’ So, anything that touches the DoD’s network that fits within our scope is automatically in range to be researched.”

The program’s original scope was to address vulnerabilities on DoD public-facing websites. And naturally with the growth of the internet, the program found “lots of things out there,” especially on websites that organizations or companies had created and only thought they had taken down but had not.

An order from then-Secretary of Defense Jim Mattis in 2021, however, transformed the Vulnerability Disclosure Program, expanding the scope to all publicly accessible DoD information networks and systems. 

“We are basically codified as the sole focal point for vulnerabilities of the Joint Force Headquarters DODIN and U.S. Cyber Command,” Vice explained. And overnight, the program’s scope jumped from about 2,400 units to 24 million units, the director noted. “It is a very vast and broad spectrum of assets for the DoD that our ethical hackers will have to go out and research, day in, day out, to reduce that vulnerability space,” she said. 

To find digital weaknesses, program officials research and identify vulnerabilities, triage and validate the vulnerability reports, and then send the related information to Joint Force Headquarters DODIN, to identify the specific system owner who will then need to take action to remediate the cyber vulnerability.

“Once those corrections are made, it comes back to our internal team, and we revalidate that the fix action was done correctly, and if not, rinse, repeat, give them some more information, do whatever we need to do,” Vice stated. “But we do not close out those vulnerability reports until they are 100% remediated. That is the value of this enduring program, that we are remediating those vulnerabilities prior to any adversarial attack.”

The officials rely on a tracking system called the Vulnerability Report Management Network, sent on the classified Secret Internet Protocol Router Network, or SIPRNET. The amount of time that a system owner has to remediate a vulnerability is based on its criticality, which is assigned under the program’s Common Vulnerability Scoring System. A critical vulnerability needs to be addressed in seven days. A medium-level issue is allotted 21 days, while a low-level finding gets 60 days, Vice continued.

With the private sector and companies from the DIB supporting the Department of Defense, and increasingly with digital, internet-based or networked solutions, the DC3’s Vulnerability Disclosure Program has grown to include the DIB.

In 2022, the program’s officials, with help from the DoD’s Defense Counterintelligence and Security Agency, ran a one-year pilot effort to increase protections to the DIB after a nine-month feasibility study with Carnegie Mellon University’s Software Engineering Institute. About 40 companies participated, submitting information about their DoD-related networks and digital assets. Vulnerability Disclosure Program officials and ethical hackers then searched for any vulnerabilities and helped remediate any issues. The pilot mostly focused on small to medium-sized companies.

“It is a challenge to stand up a new federal program,” Vice said. “It takes money and there are a lot of other processes you have to go through. And after the pilot, we did an after-action report. We had over 1,000 vulnerability reports submitted, and 403 of those were actionable. It was really successful.”

With the protections put in place in light of the 403 found vulnerabilities, the director estimates that the pilot saved $61 million, based on an estimated cost avoidance of $4.3 million per breach, according to findings from IBM.

“We saw that there is a real value in not only making sure that the defense industrial base is protected but also helping to educate companies about cybersecurity, especially small to medium companies,” Vice emphasized. 

As such, the Vulnerability Disclosure Program in June of 2024 stood up a full DIB program based on the pilot. A feasibility study, conducted with the help of George Mason University, helped confirm that the program could reasonably grow from 41 companies to the 300,000 estimated to be part of the DIB. The officials also learned that artificial intelligence and machine learning tools applied specifically to the enrollment process would ease the manual burden and time constraints of adding more companies, allowing the program to scale more quickly.

“They identified that it was taking about two federal employees eight hours a day just to get all the details together to onboard a company,” Vice stated. “We look at a lot of factors—is it the right fit, do they have publicly available assets and what are those assets. And then we test them out before putting them in for vulnerability research. It is a very manual and time-consuming process, even just the emailing and conversations with the companies back and forth and identifying and explaining what a Vulnerability Disclosure Program is, and then getting to that onboarding.”

The program created a separate DIB Vulnerability Report Management Network so as not to comingle any DoD vulnerability data. Officials aggregate the vulnerability details to completely anonymize corporate information to protect the companies. 

And the goal, Vice shared, is to have about 1,500 companies onboarded in the first one to three years, and then beyond that, to scale up more substantially. “We are really excited to be able to bring this to the defense industrial base,” she noted.

Meanwhile, over at DCISE, the organization works diligently to safeguard intellectual property and military information on unclassified contractor networks. The organization also facilitates public-private cyber threat information sharing and collaboration events with industry and government and offers cybersecurity-as-a-service tools to the DIB at no cost, explained the director, Terry Kalka. 

Kalka, who has a long history of driving improvements and innovations to strengthen military data and DIB networks, including in his former role at the U.S. Army’s Communications-Electronics Command (CECOM) when he was the senior cyber professional advisor to the CECOM commanding general, sees the great impact that DCISE’s threat analysis, mitigation strategies, best practices and information exchanges are having across the DIB.

“We began 16 years ago with 16 companies,” he said. “We now support over 1,100 companies, and we add to that roster every month. These are defense contractors that support a wide variety of efforts in the DoD–large companies, small companies, all points in between. And the foundation of what we do in DCISE is share cyber threat information so that they can help defend themselves against cyber threats.”

The DIB companies are responsible for developing and manufacturing everything from weapons systems to electronics, and they are considered part of the nation’s critical infrastructure, essential technology that our adversaries are eagerly seeking to compromise, Kalka emphasized. 

The Cyber Crime Center (DC3) offers many programs and experts to increase cybersecurity across the Department of Defense Information Network and the defense industrial base. Credit: DoD Cyber Crime Center

And like the Vulnerability Disclosure Program’s need to greatly expand, DCISE’s mandate evolved further in April 2024 to include noncleared defense contractors. This means any company that stores controlled, unclassified information or other sensitive, unclassified technical military data.

“The department recognized a number of years ago the need to expand our outreach to the noncleared defense community, because they are an equally significant part of the supply chain, and they are targeted just like the cleared companies,” the director stated. 

This expansion could bring the number of companies under DCISE’s efforts to about 80,000.

The director’s goal in 2025 is to bring these companies all the capabilities that DCISE offers, in addition to supporting DoD’s Cybersecurity Maturity Model Certification 2.0 program (CMMC 2.0).

“CMMC 2.0 in my view represents a security controls baseline that we need every company to meet, and we know anecdotally that most of them do not meet those requirements today,” Kalka noted. “That is one of the reasons that CMMC is coming into being, and those requirements are the beginning of a cybersecurity journey. And if a company does not meet those requirements, they are not going to be able to do business with the government. So we are asking ourselves now, what we have already in our portfolio, and what we can bring in to help our partner companies reach that baseline level so that they can continue to do business and support the warfighter.”

And similar to the Vulnerability Disclosure Program’s pilot that initially targeted small and medium companies, DCISE is targeting its help to small businesses—companies with 250 or fewer employees. DCISE has created several innovative tools to support these smaller companies, which frequently lack the resources for robust cybersecurity measures. 

One such offering is DCISE³, a system that analyzes companies’ firewall logs to detect malicious activity. The program works with a third-party vendor to perform the analysis, including both automated and manual examinations of network traffic. 

“When the company signs up, they ship their firewall logs to a secure repository,” Kalka stated. “We get a pretty good view of what’s moving in and out of the company’s network. We don’t see inside the network, but we can see what’s going on before that, and we are able then to tie that to known adversarial activity. And we have been able to help companies identify malicious activity going on in their networks in real time.”

The tool offers DoD tremendous insight into the cybersecurity landscape and is putting DCISE in a position to give early warnings to companies, Kalka continued. The service is easy to use, with each company having its own dashboard that can autoblock suspicious activity.

Another offering for DIB companies is the adversary emulation test, a tailored penetration test. Officials also look at external digital assets and networking to find vulnerabilities. In addition, DCISE’s recently launched pilot program—known as Enhanced Network Sensor & Intelligent Threat Enumeration, or ENSITE—is exploring the use of network sensors to detect threats.

“This is new territory for us, and we’re starting to look at what we can discover in terms of malicious traffic,” he said.

Looking ahead, Kalka sees the continued growth of public-private partnerships as crucial to defending against future cyber threats. “The government does not have all of the answers to defend everybody,” he acknowledged. “Industry, by itself, does not have all of the information it needs. Public-private partnerships are the key to solving this problem of adversarial theft of sensitive information.”

He encouraged companies to also look at the National Security Agency’s Cybersecurity Collaboration Center, which helps with cybersecurity on the classified, encrypted side of things. “I know that it can be strange to think that you’re looking at two different defense agencies for these things but that’s the way we are right now,” Kalka said. “NSA and DC3 are in very close partnership, and even though we’re two different agencies, what we are offering is not duplicative, and so there are advantages to be found in both services.”

For companies in the defense industrial base, the director said, the message is clear: you play a vital role in national security, and resources are available to help you defend against cyber threats. 

“If you are part of the DoD supply chain, if you are a contractor or subcontractor for DoD, you are part of our nation’s critical infrastructure,” Kalka said. “And I think that’s a significant responsibility that I hope our companies appreciate and take to heart.”
