
DISA and JFHQ-DODIN's Orchestrated Response to SolarWinds

The organizations relied on their 24/7 cyber operations, supply chain management and partnerships.

Facing an unprecedented malicious cyber event, the Defense Information Systems Agency, known as DISA, and the Joint Force Headquarters Department of Defense Information Network, or JFHQ-DODIN, sprang into action, leaning on their respective round-the-clock operations and supply chain management postures and relying on their industry, Defense Department and government partnerships, leaders say.

Speaking at AFCEA International’s TechNet Augusta Virtual Solutions Series today, the panel of Maj. Gen. Garrett Yee, USA, assistant to Lt. Gen. Bob Skinner, USAF, the director of DISA, who is also dual-hatted as the commander of JFHQ-DODIN; Joseph Wassel, director of DISA’s Cyberspace Operations; and Brig. Gen. Paul Fredenburgh, USA, deputy commander of JFHQ-DODIN, reviewed how the two organizations responded to the attack.

The complex nation state espionage campaign—by Russia—employed malware and leveraged a supply chain vulnerability, compromising SolarWinds’ flagship Orion technology management software in a breach that reportedly cost the company $18 million, Gen. Yee shared.

“This of course does not account for the cost laid on all those entities that were compromised,” he stated. “And even those that were not compromised had to expend resources to determine if they were or were not compromised. In the end, the cost of this hack is much bigger than the $18 million hit to SolarWinds.”

And while the DOD did not discover a compromise in its systems, other agencies in the federal government and many private sector firms were impacted. “Yes, the DOD did expend resources to address the Orion hack even though it found no evidence of compromise,” Gen. Yee confirmed.

JFHQ-DODIN, which is a component of U.S. Cyber Command, led the DOD's response when the breach was announced by the cybersecurity firm FireEye in December.

The relationship between JFHQ-DODIN and DISA proved crucial during this time, the leaders said. “The strong relationship between DISA and JFHQ-DODIN is a force multiplier,” Gen. Yee noted.

“I'm just going to highlight our partnership with DISA on this,” Gen. Fredenburgh said. “DISA has a very large terrain, but more importantly, they cover some of the critical avenues of approach that our adversaries have. When you think about the cyber terrain, the forward edge of the battlefield is where the DODIN connects to the Internet. And DISA manages the 12 major Internet access points that we have across the DODIN. So, we were able to work with DISA and develop signatures to not only detect but actually block adversarial activity that could have exploited this. That partnership is absolutely critical.”

The deputy commander characterized the cyber attack by Russia as a sign of that adversary’s continued cyber warfare maturation. “This was a very sophisticated cyber attack,” Gen. Fredenburgh acknowledged. “You have your standard malicious cyber actors, your hacktivists out there, but this was a nation state-sponsored, highly funded, well researched, planned, executed, kept well under the radar. That level of sophistication, to be able to access a supply chain, insert malware that then is passed out with the certification from the supplier as a known good, a software capability in a patch, is extremely sophisticated.”

The general was extremely grateful to FireEye for uncovering the attack. “I will tell you if our partners had not released this and found out about this, we may still be sitting here today not realizing the problem or the extent of the problem,” he stressed. “I can't tell you how important information sharing is from a national perspective between our private sector or other government agencies. Even today you look at how we are imposing costs on adversaries, that public release of the malware information is a way to impose a cost on an adversary. If you publicly release what they were using against us, it allows everyone to put in appropriate mitigation measures and it denies that access to our adversaries.”

To address the malware attack, JFHQ-DODIN turned to its “close cooperation with our private sector partners and other DOD agencies, including our DHS, FBI and NSA partners,” Gen. Fredenburgh said. “We were able to leverage our command centric operational framework, our C2 structure, and our DACO [Directive Authorities for Cyberspace Operations] authorities to direct synchronized actions to protect and secure the DODIN at a very rapid pace.”

JFHQ-DODIN directed immediate disconnect, clearing and patching actions across all of the 44 DOD components tied to DODIN operations. “We also leveraged intelligence and commercial partner information, and gathered that information, those indicators of compromise, and the intelligence to allow us the ability to clear our terrain and share that information with all the 44 DODIN AOs [action officers] so they could continue to look for those indicators of compromise,” he said. Relying on DISA’s technical capabilities and expertise, and working with the agency and partners, his team developed a playbook to pass down to the AOs for executing all countermeasures and mitigation measures at the Tier 2 and Tier 3 boundary layers of the network.

“The last thing we did was to activate our incident response teams and cyber protection teams,” he shared. “We made those teams available to the 44 AOs to go and hunt and find any adversarial activity and support with any clearing actions.”

Meanwhile, over at the Cyberspace Operations directorate, on the day the malware attack was announced, Vice Adm. Nancy Norton, USN, then the JFHQ-DODIN commander, directed Wassel and his team to immediately examine the network for any breach and to “enumerate and clear.”

“I am lucky enough to have about 2,600 cyber warriors in Cyberspace Operations that do just that,” Wassel shared. In addition to operating, defending and securing the DISN [Defense Information System Network] and supporting the 11 U.S. combatant commands, the Cyberspace Operations Directorate oversees the 24/7 Joint Operations Center at DISA headquarters at Ft. Meade, Maryland, as well as DISA’s Global Operations at Scott Air Force Base, Illinois.

To combat difficult cyber-related problems, the director employs a so-called battle drill concept: a rapid response that brings resources, communication and data to combatant commanders, senior leaders or other key officials as needed to tackle complex communication and data issues. The directorate relied on this battle drill technique during the SolarWinds discovery.

Additionally, DISA’s approach to mission assurance also helped protect the network, Wassel pointed out. As the agency lead for supply chain risk management, he ensures the use of both classified and unclassified tools to review—with the Threat Analysis Center—any software or hardware that might be used on the network. The aggressive supply chain risk management programs from both DOD chief information officer and the Office of the Secretary of Defense’s Research and Engineering office also aided the agency. “Now that we are able to make acquisition decisions based on intelligence and open-source data, and not just ingesting it with blind trust, I think we are in a much better place than we've been,” he stated.

In this “golden age of sabotage,” DISA and JFHQ-DODIN must remain vigilant, Wassel said. “This is not something we can say, ‘Good, we've defeated this and now we can sit back and relax,’” he stated. “The complexity of the hardware, software, middleware that make up this human made domain really just can't be overstated. We're leaning forward to make sure that we can get in front of these. And as soon as we can know, that's where my surge to fix comes in. When Gen. Skinner, with his Joint Force Headquarters DODIN hat on, and Gen. Fredenburgh send that order and give me that direction to clear, secure and continue to defend, we are on it.”