Rear Adm. Kathleen Creighton, the deputy commander of the Joint Force Headquarters — Department of Defense Information Networks (DoDIN), said the order signed in October is all about helping DoD be more organized when it comes to defending its networks and data. JFHQ-DoDIN is the secure, operate and defend arm of the U.S. Cyber Command.
“The first part of it is understanding our terrain so we have to define our terrain, networks and defenses in cyberspace,” Creighton said at an AFCEA DC event in January. “What are our boundaries, including the cloud? How do you protect that terrain? What forces do you have? Cyber protection teams, incident response teams and who are we using to assess risk in each of these areas of operations?”
“The goal is to roll all that up for the entire DoDIN to understand the overall risk, and that would help influence decisions on where to put forces and potentially where to invest in areas that need increased protection,” Creighton said. “The first phase is six months to have an initial understanding. Across DoD, we will better understand our vulnerabilities, where we are taking risks and ensure that commanders understand that and can make decisions if they want to take on that risk or invest to close that gap.”
Creighton said the order for Operation Gladiator Shield is tied to JFHQ-DoDIN reaching full operating capability this year and to increasing situational awareness for the entire network.
“If you want to command and control something, you first have to understand your battle space, your area of operations. On the operational side in the other domains, land, air, sea and space, they define an area of operations or a joint area of operations,” she said. “What is our area of operations we are C2ing? We realized we can’t do that if we don’t understand the terrain. It’s part of the maturation process of us standing up as a headquarters and understanding we had to do that first.”
Creighton said Operation Gladiator Shield will complement a new campaign plan that Adm. Mike Rogers, commander of the U.S. Cyber Command, recently approved.
“We are working to mature our processes on how to defend faster. It’s all about speed, agility and lethality so we need to do these things faster. Technologies like artificial intelligence, big data analytics are key to that,” she said. “We are looking at how the services and many organizations have developed data lakes, and how do we link those data lakes. We aren’t looking at creating a huge data ocean, but be able to access all of those data lakes.”
Creighton said DoDIN is helping the Pentagon understand cyber risks from a holistic approach. She said the military developed networks by individual service or command, but no one was in charge of the whole or understood the risk as a whole.
In that same vein, DoD is moving toward a new risk management framework (RMF) and away from the DoD Information Assurance Certification and Accreditation Process (DIACAP) by March.
Roger Greenwell, DISA’s risk management executive, said DoD signed out an instruction in 2014 and gave services and agencies 18 months to transition to the new RMF. Once the challenges of moving to the new framework became clear, the new goal became March 2018.
He said the authorization packages of systems must be transitioned to the new framework.
“In my case, I have over 300 different systems that I serve as the authorizing official for,” Greenwell said. “We are looking at those controls and safeguards in place, knowing systems always are at risk. So how do we put that framework in place to guard against vulnerabilities and manage it that way.”
But this is more than a paperwork exercise.
Greenwell said authorizing officials must categorize the cyber controls first and then demonstrate the evidence that shows these controls are in place.
“It gives stronger assurances that these systems are able to operate and be defended,” he said. “It has been challenging. There are a limited number of people, the information system security managers working with program people on the transition. In many cases, we will give a short-term authorization to be able to allow people to slowly progress and we continue to look at a combination of vulnerability management and then also bringing in those controls to make sure all of those mitigation safeguards are in place.”
Creighton said Operation Gladiator Shield is just one of several ongoing priorities.
“We are looking at more work in the space of weapons systems, not just the traditional IT networks, if you will. But networks that are part of the SCADA and weapons systems,” she said. “We want to broaden our partnerships with industry and academia. We want to have more predictive intelligence and help our cyber protection teams to better inform them.”