The evolution of the Defense Innovation Unit’s cyber portfolio has naturally tracked the evolution of the Defense Department’s approach to cyber and IT issues.

It started out as an IT-focused portfolio focused mostly on modernization and other enterprise IT issues. But DoD organizations five years ago began to broadly adopt commercial capabilities like cloud and enterprise compute applications, and DIU officials realized they needed to shift their focus.

At the same time, U.S. Cyber Command was continuing to build out its Cyber Mission Force and focusing its efforts around a 2018 national cyber strategy that put a premium on the ability to “defend forward” and see cyber threats abroad before they hit U.S. networks.

In 2019, DIU partnered with CYBERCOM’s Cyber National Mission Force to develop its internal threat intelligence data with commercial intelligence feeds.

“It’s no surprise that there’s a myriad of threat intelligence data that’s out there,” Patrick Gould, the director of DIU’s cyber and telecommunications portfolio, said on Federal News Network. “And it’s also no surprise that a lot of the data that and a lot of the intelligence that the commercial industry is seeing is the same stuff that the military is seeing.”

Officials realized if they could take what U.S. cyber forces were seeing and correlate it with commercial data, they could build threat intelligence platforms and services that would allow analysts to observe, collect, process, and share information about cyber threats more quickly.

And the key is they can quickly talk about it with other operators and analysts.

“As someone who used to do a mission similar to that, it really drove me crazy when I was sent physically to a location to secure a system or to analyze an incident and do incident response with threat hunting,” Gould explained. “In order to talk about what I was seeing, I had to beg, borrow and steal my way onto a classified phone or a classified facility, where I had to call home, wait a few days for someone to call me back, to verify what I was seeing,”

The DIU project brings together commercial threat intelligence feeds, provides a platform for processing and displaying the feeds, and integrates analytics, as well.

“It allows that, but it also allows these military operators and analysts to talk about it because it was collected from an unclassified, commercially readily available source,” Gould said.

Matt Lembright, the director of federal applications at Censys and a former Army intelligence officer, also sees the importance of combining government and commercial threat intelligence feeds.

“The confluence is really important, because we’re starting to learn that they’re not disparate data sets that have discrete functionalities,” Lembright said. “One sometimes queues another.”

In cybersecurity, the time to detect and identify a threat on network is crucial in terms of defending data and systems. That means increased information sharing across government and commercial feeds can help cyber defenders when “time is of the essence,”Lembright said.

“The more they can have an open flow of communication with some of that unclassified information, it cuts down on the time an adversary can leverage to attack,” he said. “That gives the defenders more time to locate or defend against some of those threats that might be counting on that information delay.”

The collaboration between DIU, CYBERCOM and the Cyber National Mission Force is continuing to supplement threat intelligence feeds and telemetry providers.

“With this growing suite of solutions, DoD is now able to gain previously unavailable context into cyber attacks against critical infrastructure while also prioritizing responses in a more efficient manner,” DIU’s fiscal 2022 annual report states.

Gould says DIU most recently helped lead similar project to deliver a cryptocurrency analysis capability to a DoD customer.

“The datasets that are coming out of crypto exchange, out of blockchain technology, the department had an unrealized need there with how are our adversaries using cryptocurrencies? Not just for ransomware attacks, but to hide the funding of their operations, to disguise through blockchain technology the actions that they’re taking or communications that they’re taking,” Gould said.

“There was no inherent DoD capability of how to analyze that, so we had to quickly onboard some commercial solutions that help with that,” he continued. “And now there’s a very robust, internally capable DoD ability to analyze those types of technologies, exchanges, transactions and activities and communications.”

Learning objectives:

• Cyber overview at DIU
• Cyber and modernization initiatives
• Industry analysis

Complimentary Registration
Please register using the form on this page or call (202) 895-5023.