CHIPS Articles: Changing the DoD Cyberspace Culture

In 2015, senior leadership across the Defense Department initiated multiple cybersecurity efforts in support of the DoD Cyber Strategy signed in April 2015, to instill a disciplined culture, reinforce basic requirements, and provide key metrics to the Secretary of Defense. The principal directives used to implement these goals include:

• The DoD Cybersecurity Culture and Compliance Initiative, released in September 2015;
• The DoD Cybersecurity Discipline Implementation Plan, released in October 2015; and
• The DoD Cybersecurity Scorecard, updated on a monthly basis.

Each one of these initiatives has direct backing from the Secretary of Defense. This top-down leadership direction from the most senior individual in the department is the cornerstone to achieving buy-in from all DoD components. It has also led to a heightened level of collaboration among the military services and agencies, and greater cybersecurity awareness across the operational and acquisition communities.

The purpose of this article is to deliver a high-level overview of the recent DoD initiatives, include references for further understanding, and provide an update on forthcoming cybersecurity-related Department of the Navy (DON) issuances.

The DoD Cyber Strategy (April 2015)

The United States’ dependence on the Internet underpins the threat of offensive cyber operations against its information networks. The DoD maintains responsibility for defending these networks and responding to such malicious activity. In May 2011, the DoD published the Department of Defense Strategy for Operating in Cyberspace to reinforce those responsibilities. The strategy identified initiatives to operate, defend, and achieve DoD’s cyberspace objectives, which have led the department over the last four years.

In order to strengthen those efforts, the Secretary of Defense signed an update in April 2015: The DoD Cyber Strategy. This new strategy focuses on the department’s cyber force, cyber defense, and cyber deterrence postures. It employs five strategic goals: building and maintaining forces for cyberspace operations; defending the DoD Information Network (DoDIN); preparing to defend the U.S. homeland and its interests; building and maintaining cyberspace operations to shape conflict environments; and building and maintaining international alliances and partnerships.

The Joint Staff, the Office of the DoD Chief Information Officer (CIO), U.S. Cyber Command, and other components led various projects to operationalize the DoD Cyber Strategy. The DoD Cybersecurity Culture and Compliance Initiative, the DoD Cybersecurity Discipline Implementation Plan, and the DoD Cybersecurity Scorecard — described below — all support at least one of the five goals. These three directives represent the cybersecurity priorities of the department and will continue to receive senior leadership review for the foreseeable future.

The DoD Cybersecurity Culture and Compliance Initiative (September 2015)

The Department of Defense Cybersecurity Culture and Compliance Initiative (DC3I), signed by the Secretary of Defense and Chairman of the Joint Chiefs of Staff in September 2015, aims to change cybersecurity culture by improving individual human performance and accountability in support of the DoD Cyber Strategy. It recognizes that reliable enterprise cybersecurity cannot be achieved through DoD’s investments in technical solutions alone.

Everyone, users and providers at all levels, has an individual responsibility to protect the DoD’s information networks. A fundamental shift in cybersecurity cultural norms and behavior from the most senior leaders down to the unit and individual level is required. The DC3I mandates implementation of 11 critical tasks with associated timelines focused on training, incident reporting, mission execution, and recruiting and retention.

The DC3I also establishes five operational excellence principles for embodiment across the “DoD Cyber Enterprise” — its leaders, service providers, cyber warriors, and general users. These principles have been drawn from other enterprises that successfully manage critical technical systems, like the U.S. Nuclear Navy. These principles will be part of cybersecurity training, and will be understood and adopted by those who are authorized to use the DoD’s information technology and mission systems. A high level summary of the principles are excerpted below:

• Integrity – The most fundamental cybersecurity principle demonstrated by individuals who are diligent in following cybersecurity best practices and readily bring forward mistakes for reporting up the chain-of-command.
• Level of Knowledge – Enables all other principles and will be cultivated through baseline education and frequent refresher training. This ensures individuals have the information needed to function safely on the network and recognize when something is wrong.
• Procedural Compliance – Means practicing the proper procedures versus taking shortcuts, thinking before taking action, and conforming to known security requirements. Failure to maintain discipline in compliance leads to compromised information and missions, which in turn can result in potential mission failure or loss of life.
• Formality and Backup – Improves resiliency in our mission critical cyber infrastructure and protects against a lax atmosphere that leads to complacency and misunderstandings.
• Questioning Attitude – Is empowered by knowledge to follow warning signals to the source and use experience to take action when there are indicators that something is not right. It means interpreting what we see, rather than just accepting it.

The DoD Cybersecurity Discipline Implementation Plan (October 2015)

Over the last decade, the department has enacted numerous policies, directives, and orders to secure its information systems and networks. However, inspections, evaluations, and breaches have revealed a need to reinforce basic cybersecurity requirements to mitigate preventable vulnerabilities.

Beginning in March 2015, the DoD CIO and USCYBERCOM co-led the development of the Cybersecurity Discipline Implementation Plan. Experts across the department identified requirements already existing in policy for which leadership would no longer accept any risk due to non-compliance.

After weeks of deliberation, the team agreed upon approximately 30 requirements, which were categorized into four lines of effort:

• Line of Effort 1 - Enforce Strong Authentication: Eliminate the use of username and password logon in favor of two-factor DoD Public Key Infrastructure (PKI) authentication for both privileged and non-privileged users.
• Line of Effort 2 - Harden Devices: Improve patching practices, reduce email as a vector of attack through spear-phishing, and increase host security across DoD information networks.
• Line of Effort 3 - Reduce the Attack Surface: Contain Internet connections to DoD information networks to approved network demilitarized zones (DMZs) and eliminate back doors and lateral movement within core DoD information networks.
• Line of Effort 4 - Defend Every Computer: Ensure every DoD mission, as well as every computer and network device, is properly defended. Eliminate any gaps in coverage by DoD cyber defense organizations. Align all DoD components with accredited Computer Network Defense Service Providers (CNDSPs) and eliminate gaps in coverage by ensuring components are providing the required information to support incident response procedures.

In October 2015, the Deputy Secretary of Defense signed the Implementation Plan. Since that time, the DoD CIO and Joint Staff continue to collaborate to incorporate these lines of effort into the department’s readiness system. The system will allow commanders and supervisors at all levels to review compliance with the requirements down to the tactical level. In parallel, DoD components are working to ensure they have the necessary funding and to establish timelines to meet the requirements within the lines of effort. Information on compliance feasibility is essential to understanding where components may experience challenges on the road to completing the Implementation Plan.

The DoD Cybersecurity Scorecard (Updated Monthly)

During the development of the Cybersecurity Discipline Implementation Plan, Secretary of Defense Ashton Carter conveyed his need to understand the current cybersecurity “health” of the department. As a result, the DoD CIO reviewed the Implementation Plan and selected a priority set of the requirements to include in the DoD’s first Cybersecurity Scorecard. DoD components are directed to report metrics for the requirements on a monthly basis which are then compiled to form the scorecard. Finally, the scorecard is presented to the Secretary of Defense and other senior DoD leadership to inform them of the progress made across the department.

Though it seems simple on the surface, the process is currently easier said than done. Collecting metrics for the scorecard has reinvigorated the pressing need for additional automated data gathering and reporting tools. Manual data calls are time-intensive and often produce unreliable and incomplete information. To solve this, the DoD CIO is collaborating with other DoD components to chart a way ahead in implementing enterprise-wide automation mechanisms to produce the required metrics.

Ultimately, the scorecard is a living document. In the future, more components will be directed to report and more requirements will be added to capture the next set of priorities. In addition, requirements with a limited lifespan — such as removing assets using a specific operating system — will be removed as they are completed. The Cybersecurity Discipline Implementation Plan and other primary efforts will continue to inform the scorecard throughout its evolution.

Conclusion

More than ever before, the United States and DoD rely on both the Internet and interconnected systems to perform a wide range of critical services and missions. Senior leaders at the highest levels within the DoD, the DON, and the other services are actively engaged to ensure these resources are secure and available when needed. They are equally committed to changing DoD’s cybersecurity culture to one that embodies the operational excellence principles and reinforces the criticality of cybersecurity compliance as an integral part of everything we do. To defend and protect the United States and our networks, everyone must view themselves as a member of the cybersecurity mission and workforce.

The DON will remain aligned with DoD and is committed to communicating strategically to ensure forthcoming changes are publicized, understood, and ingrained. In the coming months, DON CIO will release a new Information Management/Information Technology Strategic Plan in addition to several cybersecurity-related issuances that are already in the pipeline. They include:

• A newly revised Secretary of the Navy (SECNAV) Instruction 5239.3C, Cybersecurity;
• A revised SECNAV Instruction 5239.20A, Department of the Navy Cyberspace Information Technology (Cyber IT) and Cybersecurity (CS) Workforce Management and Qualification;
• A revised SECNAV Manual 5239.2, Department of the Navy Cyberspace Information Technology (Cyber IT) and Cybersecurity (CS) Workforce Management and Qualification; and
• An updated memorandum: Acceptable Use of Department of the Navy Information Technology.

In general, DON CIO will continue working with other DoD components and the DoD CIO to increase user awareness of responsibilities regarding access to, and use of, government information and systems. Collectively, we must all understand what we are accountable for and what we need to do to responsibly use DON information technology.

James Mauck is a Certified Information Systems Security Professional on the Cybersecurity Team in the office of the Department of the Navy Chief Information Officer.

Christopher Pashley is a Certified Information Systems Security Professional providing contract support to the DoD Chief Information Officer as a Cyber Security Analyst.

References
For additional information about the initiatives summarized above, please visit the following links: