DoD looking to automate its cyberdefenses

What’s the Pentagon’s next big focus in cyber security technology? I’ll give you a hint: it has to do with sifting through reams of data and deciding how to respond at incredibly high speeds. How do you do that? Automation.

The sheer volume of cyber security incidents that the Pentagon must monitor at any given time on its more than 15,000 networks is so staggering that the only way to manage the threat is to have a system that automatically detects suspicious software, quickly decides what type of threat it is, alerts the proper people as to its existence, and helps them figure out how to deal with it. Kind of like your antivirus software on steroids.

"As we’re utilizing more and more automated tools to collect information on behavior on our networks, we can no longer analyze that or bring on, in a time of shrinking budgets, people to do that analysis," Teri Takai, DoD’s chief information officer told Killer Apps on Sept. 4. "What we want to be able to move to is to use Big Data processes to be able to identify trends, to be continuously monitoring to feed Big Data and then, to get to the point where we are correcting and putting in place the measures to defend or prevent [attacks] without having to do that with people." (Big Data processes are the techniques aimed at managing and measuring the massive amounts of data — hence "Big Data" — produced everyday in the online world.)

That’s right, the only way to handle the flood of network information is to automate it.

Sound familiar? That’s because the Air Force has long said that it needs to turn to automated technology to make sense of the thousands of hours’ worth of imagery collected by its drones every day. (Killer Apps reported on one of the air service’s many initiatives to deal with this problem just last week.)

Automation "gives us a chance to keep up" with the onslaught of cyber attacks that are growing more sophisticated, and potentially more damaging, as they move from simple intrusions toward attacks aimed at disrupting information, taking over networks, or even damaging devices linked to a network, according to Takai.

This is all part of DoD’s effort to stop playing cyber defense by building a massive , imaginary wall around its online information — something that many cyber experts have said for years is a failing strategy since an enemy will always figure out how to breach a cyber wall.

"We’re moving away from what I call protecting at the perimeter, which has been a posture that we’ve had," said Takai. "We have to recognize that we are big, we are going to have breaches — both from the outside but also the insider threat — and so the question is, how do we make our networks resilient so that even if we don’t catch them [on the way into the network] that we have places within the network that we can pick up that behavior and not only pick it up but be able to correct it on the fly and to be able to take the necessary action to" deal with the attack.

The Pentagon is working to make its networks more resilient, meaning that the military can be assured that its most important online information is safe and usable even if networks are under attack. It is also moving to dramatically consolidate its thousands of networks — a process designed to make managing and protecting its online infrastructure easier. Fewer networks mean fewer places to protect and fewer areas of vulnerability.

"Our systems are being attacked constantly, and we may not [always] be aware of it, we may not find the forensics on it for months afterwards because we can’t see or get a good situational picture…of what’s going on out there because we have 15,000 different networks in the Department of Defense and 400 different points of presence [places where a physical device connects to an online network] and many [are] boutique type configurations," said Marine Corps Maj. Gen. George Allen during an Aug. 16 speech at an AFCEA sponsored conference.

"We need to get down to one solid JIE-like construct," he said, referring to a consolidated group of cloud-based DoD networks, "so that we can actually see what we’re doing and defend. One law of combat is, if you can’t see the enemy, it’s very difficult to figure out what’s going on. You can’t attack the enemy, you can’t disrupt them, you can’t block what’s going on. That’s one of the basic premises that we still don’t have in our domain."

DoD wants to protect its networks "not just once but multiple times" on multiple levels, according to Takai. This means identifying which data is the most important and giving it elaborate protection measures and having numerous backup ways to transmit and store data if a normal data channel is attacked and compromised.

"If in fact, the commander suspects that he has any kind of a disruption or any kind of a breach that he can move to an alternate channel where he has perhaps slower response, perhaps less data but secure information," said Takai. "The worst thing for a commander isn’t just having it stop or be slow. The worst thing is when he can’t trust the information, where he thinks that there may be corruption because then he or she doesn’t know where to go next."