BALTIMORE, Md. — The Army wants to improve the ability of its local network defenders, a move it believes will raise the overall cybersecurity posture of the service and, by extension, the joint force.
Currently, the Army and joint force are not optimized holistically to conduct cybersecurity operations. This is largely because there are varying levels of responsibilities, standards and tasks for cybersecurity service providers (CSSPs), who essentially serve as the local or installation level network operators and defenders.
This has led to the need to deploy the high-end and limited cyber protection teams that the services provide to U.S. Cyber Command. Those teams act as SWAT teams, deploying to networks during significant breaches.
“We need to up the game of the folks that are conducting cybersecurity operations,” Lt. Gen. John Morrison, deputy chief of staff, G6, said during a presentation at TechNet Cyber Oct. 28.
The Army wants to establish roles and responsibilities at each echelon for the cybersecurity operators who own their network terrain, in order to get cyber protection teams back to doing what they do best: hunting on networks and being threat focused, Morrison said.
“This is really about aligning all of our cyber defensive capabilities so we get after that notion of the folks that own the terrain are doing that broader area defense and we get our cyber protection teams back to being very, very threat focused and pinpointed on targets and hunting on our networks,” Morrison said. “Right now, we’re a little out of balance in some regards with that.”
In the past, there have been incidents where these local network owners had to rely on cyber protection teams to conduct traditional incident response, something they weren’t initially designed to do. Now, the military wants those mission owners conducting that first level.
The military is working on establishing standards and baselines across the Department of Defense for these defenders so there is uniformity in what they do to make better use of the limited cyber protection teams and create a more holistic cyber defense posture.
Broadly speaking, this initiative falls beneath one of the lines of effort – security and survivability – established in the Army’s unified network plan released Oct. 8, and it aligns various modernization efforts to provide a network the service needs to share data from the enterprise to the tactical sphere in support of multi-domain operations.
“Without putting this [Department of Defense Information Network] ops framework into place, the reality of the unified network will be challenging because we will be fragmented from an operational perspective,” Morrison said. “That is why there is such tremendous energy inside the Army to get after this very, very complex problem.”
The Army will begin making certain personnel investments for these DoDIN operations to enhance how the service conducts operations in contested and congested environments.
“Now is the time to make sure we level set that as we all transition to fighting in a multi-domain environment,” Morrison said.
To get there, the Army will be placing a lot of attention on improving the abilities of these local defenders by addressing their organizational design, ensuring they have the right capabilities and providing them the requisite training.
For the first time, the Army has established a unified network operations requirements document that will help standardize and outline requirements for operations, maintenance, security and defense of the network across all echelons, from the tactical to the global strategic portion. This oversight will also allow the Army to put personnel in a defensive overwatch position, which takes complexity away from the tactical edge and moves it to higher echelons that can handle it.
“What do we want our brigade combat teams doing? We want them maneuvering. We want them fighting. We don’t want them doing data analytics on the cyber threat,” Morrison said. “But you may want that capability at the division level where they have time, where they can actually do that kind of analysis. You may want to move it all the way back to one of our regional cyber centers where they have lots of time.”
Morrison said if the Army can get these three items of organization, capabilities and training right, “we will get after the notion of the unified network because we will crush the technical barriers that put into place because we have been fragmented over time.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.