The Defense Department is the sector-specific department safeguarding the defense industrial base sector, defined as the "worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts" by the Homeland Security Department.
However, the department considers its role in protecting critical infrastructure to be even broader. Various DoD organizations are training troops to operate in cyberspace with the goal of building up U.S. Cyber Command's cyber mission forces, which will eventually comprise more than 100 teams.
The vulnerabilities, the methods, the sheer quantity of networks, agencies, departments and bureaucracy in general – the idea of trying to steel all of that, to bring all of that together in a uniform effort to secure critical infrastructure that was never built for the cyber era, is daunting, to say the least. Some aren't sure it's possible. That's not a sentiment you'll hear Defense Department leaders share, but many of them do admit to the significant challenges they face in defending critical infrastructure from cyber attacks.
Special Multimedia Report
CYBERCOM's No. 2 himself said as much in a June hearing on Capitol Hill. When asked by lawmakers specifically about his forces' ability to respond to a range of cyber attacks on critical infrastructure, Lt. Gen. James McLaughlin, CYBERCOM deputy commander, acknowledged potential shortfalls.
"I would not be able to say I'm confident we would be able to respond to all of those," McLaughlin said. "Control systems are different than platforms like airplanes and tanks, which are different from networks."
Industry itself has a key role in protecting the defense industrial base. According to DHS, more than 100,000 companies and their subcontractors are part of the sector. Companies that usually compete for work are sharing more information between them – and with the government – than ever. In the earliest stages of efforts like the Defense Industrial Base group — launched by DoD in 2011 — it wasn't easy to get competitors to share data like threat signatures and malicious network activity with each other and with the government. But over time, the group has grown, as have the benefits of the partnerships.
"We're going to need to have the aggregate. The data that corporations see from attacks that used to just be malware or [phishing] may be different. This is where we need to share the data between corporate and government…it's only through there we can bolster our security systems to defend against threats," said Peder Jungck, vice president and chief technologist, intelligence and security, at BAE Systems. "I think sharing of standards from government has been absolutely critical because as government systems have had to stand up to the worst, we do have security architecture designs and ways of designing our networks…they can actually make themselves much more resilient. That's where we really need to get to – this much more open approach on how we defend."
According to Jungck, it's more than information that needs to be shared in order to combat a military-grade threat. In an era where companies are attacked for their ties to government and industrial control systems are vulnerable to cyber-borne breaches, a cohesive effort and top-notch systems to defend against those threats are essential.
"One part is who we're defending against, but also, how do we defend such that we can raise the strength of all parties?" Jungck said. It has to be "commercial alongside government to defend against any kind of attack…we can't draw a line that a commercial company needs commercial tools to defend against commercial threats, or vice versa. That's where sharing everything from architectures to threat data" emerges as the key to defending the military's critical infrastructure.
Closing malicious loopholes
Cyber-focused military forces aside, there are other parts of the problem getting tackled in other parts of DoD, including in partnership with the Homeland Security Department, which has aided in efforts to combat counterfeit parts in the supply chain. For more than five years Operation Chain Reaction's mission has been to prevent counterfeit or compromised parts from making their way into troops' hands – including into their devices through counterfeit – and potentially malicious – computer chips.
It's a problem that's only growing in complexity as new technologies expand in use and the military becomes increasingly reliant on IT to carry out missions. At the Defense Information Systems Agency there are new efforts targeting risk management in the supply chain, according to Reagan Duguid, supply chain risk management lead in the office of the risk management executive at the Defense Information Systems Agency.
"Networks and systems are increasingly complex and interconnected, and that means that small issues with particular components have ripple effects and can have wide ranging impact – and they're very difficult to mitigate once systems are deployed," Duguid said. "The flip side to the issue is supply chains are increasingly complex. Global supply chains are dynamic and multi-tiered and, frankly, huge. The first tier might include a handful of suppliers, second tier could be dozens, third and a beyond could be hundreds. Maintaining visibility into that supply chain can be very difficult."
The government is only becoming more reliant on commercial products, though – not only does it reduce costs, it introduces innovation into the federal space and boosts efficiency, Duguid noted. But those benefits come with trade-offs – potentially to include security.
"The challenge to that is we have reduced visibility into how those products are made and reduced ability to really reach in and not just see, but manage it and implement security controls," she said, emphasizing the need for partnership with industry to mitigate risks.
To that end, Duguid said DISA is implementing efforts across the acquisition lifecycle, particularly secure systems engineering that evaluate products and components in the design process to identify potential risks and vulnerabilities. Depending on the outcome, changes to design or engineering may be made to minimize risks – with the emphasis on getting that done in the early stages of development. DISA also is establishing criteria implemented through contracts that standardize security requirements.
"It's much more efficient to stop something from becoming a vulnerability than trying to mitigate it once it's already fielded," she said. The contracting side will "level the playing field so all of the partners are writing to the same standard. And we have to be sensitive because sometimes how a supply chain is used flips into the realm of intellectual property. The tricky part of this is we want to write criteria that is specific enough to meet our needs, but not get into intellectual property and respect that everyone's supply chain is different."