Defending the DODIN

Providing an information network that enables warfighters to perform global missions is not easy given the network itself is besieged constantly by cyber attacks. All U.S. Defense Department organizations use the complex technical infrastructure known as the Department of Defense Information Network (DODIN), and the responsibility to protect it 24/7 falls squarely on the shoulders of Joint Force Headquarters–Department of Defense Information Network (JFHQ-DODIN).

This is a relatively new organization, explained Ignatius Liberto, chief of staff, JFHQ-DODIN, speaking at the AFCEA Defensive Cyber Operations Symposium in Baltimore. “We were stood up as a component command of the U.S. Cyber Command back in 2015 but just achieved full operational capability in January,” Liberto said. Given the enormity of the cyber threat, “it essentially means that we are DOD’s defensive cyberspace operations arm,” he added.

Col. Nathan Iven, USAF, director, Strategy, Engagements and Plans, JFHQ-DODIN, explained that they work on a level of war short of armed conflict campaign. “So instead of talking about deny, disrupt and defeat, we talk about things like improve and counter and contest, because that’s where we have to operate every day,” he said.

“We are kind of reactive right now,” admitted Col. Casimir Carey, USA, director, Intelligence, J-2, JFHQ-DODIN. Col. Carey’s team is looking to industry to help the DODIN defenders get ahead and become more predictive. The first step, he said, would be the ability to engage reporting mechanisms—called red reporting—to analyze and pull out trends.

Where we’ve gotten the most value is by putting reserve personnel on duty. We’ve had some tech people come in with mad skills, and we’re getting the most of them.—Col. Casmir Carey, USA, J-2, JFHQ-DODIN #AFCEACyber DCOS Coverage 2018 @USDISA

— Bob Ackerman (@rkackerman) May 16, 2018

Adding automated solutions to predictive intelligence, including behavioral analytics, also would be important, Col. Carey said. Since January, the JFHQ-DODIN has been using the Integrated Cyber Intelligence Platform encoding capability. Starting with commercial intelligence data, the staff will be fusing that data and proving it works from a behavioral analytics standpoint, the colonel stated. “This will give us some predictability,” he noted. Once that work is complete, they will look at integrating the capability with the Defense Information Systems Agency’s big data platform.

We need to find a way to have a more sharing relationship with our coalition partners.—Col. Casmir Carey, USA, J-2, JFHQ-DODIN #AFCEACyber DCOS Coverage 2018 @USDISA

— Bob Ackerman (@rkackerman) May 16, 2018

Col. Paul Craft, USA, J-3, director of operations, JFHQ-DODIN, explained that the directive authority for cyberspace operations authorizes the JFHQ-DODIN to synchronize, integrate and direct the 42 Defense Department networks. As part of its work, the organization is conducting operation Gladiator Shield, an organization of the Defense Department's information network battlespace.

Having predictive intelligence models in place is of high value.—Col. Paul Craft, USA, J-3, JFHQ-DODIN #AFCEACyber DCOS Coverage 2018 @USDISA

— Bob Ackerman (@rkackerman) May 16, 2018

“We are laying out what each organization’s network looks like, who the network operators are and the network security providers that secure that battlespace,” Col. Craft said. Then, they identify clearly the critical assets that they must defend and the mission relevant cyber terrain that they must secure. At this point, they ask the services, the combat commands and the agencies to conduct a risk assessment for their portion of the network. JFHQ-DODIN then prepares an aggregated risk assessment of the entire network.

Col. Craft added that as part of its protection duties, the JFHQ-DODIN is treating the cloud just like any other part of the Defense Department's information network—similar to traditional infrastructure such as routers, switches or servers.

We get a lot of commercial intelligence from our industry partners, and we load that into our grid.—Col. Paul Craft, USA, J-3, JFHQ-DODIN #AFCEACyber DCOS Coverage 2018 @USDISA

— Bob Ackerman (@rkackerman) May 16, 2018

According to Liberto, the JFHQ is already “creating and erecting significant change in the cyberspace warfighting domain and in the areas of command and control.” In terms of intelligence, Col. Carey concluded that the organization does have a better relationship with Cyber Command’s Intelligence Directorate, including in data collection management and coordination, as well as better coordination with the National Security Agency and improved intelligence support for planning. “In particular, there is a huge demand signal now from Cyber Command for our operational information,” the colonel noted. “All that data that comes off of the sensors, they are saying ‘We need that, and we need it now.’ It’s been a big, big breakthrough.”

Col. James Matlock, ANG (Ret.), director, Department of Defense Information Network Readiness and Security Inspections, JFHQ-DODIN, who oversees command cyber readiness inspections, stated that inspections have evolved as well. Before, a compliance-based DODIN inspection was about information assurance and vulnerability management. “That criteria has been strengthened,” he said. Now it centers around getting a picture of the operational risks for mission owners and their defensive cyber operational effectiveness.

We don’t need to own everything, sometimes we just need access to information.—Dr. James Matlock III, director, DODIN Readiness and Security Inspections #AFCEACyber DCOS Coverage 2018 @USDISA

— Bob Ackerman (@rkackerman) May 16, 2018