The Defense Intelligence Agency is updating the federal government’s global, top-secret intelligence network, and DIA’s top IT official says cybersecurity assessments, including insider threat monitoring, are a key facet of the network’s continued development.
DIA Chief Information Officer Doug Cossa said the agency is well underway in making some overdue hardware updates to the network.
“This is replacing a lot of the aged network hardware, things like routers and switches and encryptors, that we rely on for the secure connectivity, and updating those that are critical nodes that make up that web of the JWICS network,” Cossa said on Inside the IC.
Beyond the “technical refresh” work, Cossa said DIA is also building redundancy into the top-secret intelligence network.
“So if and when equipment does fail, we have a second stack of equipment at our core nodes that we can failover to,” he said. “And in many cases more than a second stack. We’ve got full redundancy across all the critical network components. That’s really been our focus over the past year, building that up around all of our functional areas that rely on JWICS.”
Cybersecurity is also a key focus area. Instead of conducting just an initial cyber assessment when agencies want to connect to JWICS, Cossa said DIA has now moved to continuous assessments of existing local networks as part of its “JWICS cyber inspection program.”
DIA conducted “several dozen” inspections over the past year, he said.
“That goes through the full, end-to-end realm of cybersecurity, everything from how user accounts are managed to how hardware is managed in the sense of making sure that technical parameters and guidelines are implemented, and patching is done,” Cossa said.
The cyber inspection program doesn’t just test against the possibility of outside hackers penetrating the JWICS-connected networks. DIA also examines how effectively JWICS users are monitoring for insider threats.
Insider threat monitoring has received increased attention after a Massachusetts Air National Guardsman allegedly used his access to top-secret intelligence networks at Joint Base Cape Cod, Mass., to leak secrets on the Discord website.
“It’s definitely increased in terms of priority,” Cossa said of insider threat monitoring in the wake of the Discord leaks. “Insider threats are always a significant requirement of the intelligence community and DoD.”
Defense and intelligence officials see “zero trust” security as a key component of defending against both outsider hackers and insider threats in the future. Two years ago, President Joe Biden directed defense and intelligence agencies to develop a plan for implementing zero trust architectures on classified networks.
Cossa said zero trust brings security to the “next level” by allowing local area networks to determine the “entitlements” each of their individual users should be granted for accessing certain data. Those entitlements will be managed and enforced through metadata standards defined by the intelligence community’s chief data officer and DoD’s chief data and artificial intelligence officer.
Once implemented, Cossa said DIA can assess the extent to which agencies are following those metadata standards as part of the JWICS cyber inspection program.
“Traditionally, we have only looked at, are you cleared to see something? But when it comes down to a ‘need-to-know,’ that really relies on data tagging standards, which is going to take some time to do,” Cossa said. “Many agencies are well underway. But certainly the core of the zero trust pillar for data is the entitlements and getting that implemented. The network gives you access. The network itself doesn’t define how that access actually occurs.”
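The distinction Cossa draws between being cleared and having a need-to-know is what a data-tag-based entitlement check enforces. The following is an added illustration, not DIA’s or any IC system’s code: the marking vocabulary, the `DataTags` and `Subject` shapes, and the sample records are constructed assumptions standing in for whatever the real metadata standards define. Untagged objects are denied (fail closed), since the check cannot run without tags.

```python
from dataclasses import dataclass

# Hypothetical marking scheme, constructed for this example; the real IC/DoD
# metadata standards define the actual classification and tag vocabulary.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class DataTags:
    level: str                             # classification marking on the object
    compartments: frozenset = frozenset()  # need-to-know tags the object carries


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str                         # what the network/clearance check knows
    entitlements: frozenset = frozenset()  # need-to-know tags the LAN granted


def decide(subject: Subject, tags):
    """Return (allowed, reason). Clearance and need-to-know are checked separately
    so an audit log can show which of the two actually denied access."""
    if tags is None:
        return False, "untagged object: fail closed until data tagging is applied"
    if tags.level not in LEVELS or subject.clearance not in LEVELS:
        return False, "unknown classification marking"
    if LEVELS[subject.clearance] < LEVELS[tags.level]:
        return False, f"clearance {subject.clearance} is below {tags.level}"
    missing = tags.compartments - subject.entitlements
    if missing:
        return False, f"cleared, but no need-to-know for {sorted(missing)}"
    return True, "cleared and entitled"


def audit(subject: Subject, objects: dict):
    """Evaluate one subject against a set of tagged objects; returns rows an
    inspection program could review, keyed by object name."""
    return {name: decide(subject, tags) for name, tags in objects.items()}


# Constructed sample: one analyst and four objects with differing tag states.
ANALYST = Subject("analyst1", "TOP_SECRET", frozenset({"ALPHA"}))
OBJECTS = {
    "report_a": DataTags("TOP_SECRET", frozenset({"ALPHA"})),
    "report_b": DataTags("TOP_SECRET", frozenset({"ALPHA", "BRAVO"})),
    "report_c": DataTags("SECRET"),
    "legacy_untagged": None,
}

if __name__ == "__main__":
    for name, (ok, why) in audit(ANALYST, OBJECTS).items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({why})")
```

Note that `report_b` is denied even though the analyst holds a Top Secret clearance; that is the need-to-know gap the quoted passage says the network alone cannot express.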