Cyber Commander And Senior Advisor Discuss U.S. Plan To Compete in Cyberspace

General Nakasone testifying in Washington
U.S. Cyber Command

Foreign Affairs, by Paul M. Nakasone and Michael Sulmeyer

To compete, U.S. cyber forces should continue to be more proactive and implement the strategy to contest our adversaries’ malicious activity online.

But our actions must also remain consistent with the law of armed conflict and other important international norms. In this way, we are protecting U.S. interests from cyber threats and staying true to the nation’s core values.


“In early October 2019, personnel from U.S. Cyber Command landed in Podgorica, the capital of Montenegro, at the invitation of the country’s government. Montenegro has faced increased harassment from Russia since joining NATO in 2017, and the Cyber Command team was there to investigate signs that hackers had penetrated the Montenegrin government’s networks.  Working side by side with Montenegrin partners, the team saw an opportunity to improve American cyber defenses ahead of the 2020 election.

After a “hunt forward” mission has been completed, Cyber Command works with other parts of the U.S. government to disclose its findings. The findings enable the U.S. government to defend critical networks more effectively and allow large antivirus companies to update their products to better protect their users. The net effect of the many hunt forward missions that Cyber Command has conducted in recent years has been the mass inoculation of millions of systems, which has reduced the future effectiveness of the exposed malware and our adversaries. 

The hunt forward mission to Montenegro represented a new, more proactive strategy to counter online threats that reflects Cyber Command’s evolution over the last ten years from a reactive, defensive posture to a more effective, proactive posture called “persistent engagement.” When Cyber Command was established in 2010, the operative assumption was that its focus should be on trying to prevent the military’s networks from being infiltrated or disabled. But a reactive and defensive posture proved inadequate to manage evolving threats. Even as the military learned to better protect its networks, adversaries’ attacks became more frequent, sophisticated, and severe. We learned that we cannot afford to wait for cyber attacks to affect our military networks. We learned that defending our military networks requires executing operations outside our military networks. The threat evolved, and we evolved to meet it.


In 2008, a cyber attack compromised the Defense Department’s unclassified and classified networks. The incident provided a wake-up call about the need to protect American secrets from foreign hackers and led to the creation of Cyber Command in 2010 to organize that effort. Cyber Command protects U.S. military networks, defends the United States from significant cyber attacks, and directs cyber effects operations abroad. Its force consists of over 6,000 service members, civilians, and contractors who work at its headquarters at Fort Meade in Maryland and at bases in Georgia, Hawaii, and Texas. 

Over the first decade of its existence, Cyber Command learned that merely securing network perimeters does not provide sufficient defense. As a result, we have changed the way Cyber Command defends Department of Defense networks in three ways. First, we have increased our focus on what happens inside our own networks, not just on the walls around them. Our 68 cyber protection teams proactively hunt for adversary malware on our own networks rather than simply waiting for an intrusion to be identified. The cyber protection teams have improved the speed and effectiveness with which we detect, quarantine, and eject intruders from the military’s networks.

Second, we have adopted a different way of thinking about networks: as legendary cryptographer Claude Shannon put it, “assume that the enemy knows the system,” and treat every host, server, and connection as potentially hostile. Although this proactive approach, known as “zero trust” in the cybersecurity community, is not new, we are scaling its adoption across the military’s networks. The goal is simple but strategic. We aim to prevent toeholds from turning into beachheads so that a single compromise will not threaten the military’s ability to accomplish its mission.

Third, we are cultivating a mindset of accountability in which military commanders treat the defense of computer networks as an essential requirement, not an afterthought to be dealt with only after something goes wrong. This “command-centric” approach reflects the fact that military commanders cannot assess the readiness of their forces without accounting for the security of the networks on which those forces depend. In 2017, when tensions on the Korean Peninsula were high, we realized that an important Department of Defense network in the area was vulnerable. Proactive leadership ensured that this mission-critical method for commanding and controlling forces was quickly secured. Lessons from this and other incidents have informed our efforts to treat networks as an area of operations led by a single commander. By aligning authority and accountability for network operations, applications, enterprise services, and cybersecurity, commanders have gained improved insight into threats, as well as the capabilities to defeat them.


These proactive defensive measures on our networks have provided an essential boost to our cybersecurity, but they are insufficient in the evolving threat environment. We have learned that we also have to “defend forward,” outside our networks. Every day, more actors execute more sophisticated attacks against more civilian and military targets. The Chinese government uses cyber capabilities to steal sensitive data, intellectual property, and personal data from the U.S. government and U.S. businesses at great cost to the U.S. economy and national security. In May 2020, the FBI and the Department of Homeland Security warned about the People’s Republic of China’s efforts to compromise medical research into COVID-19 vaccines. The PRC supplements those cyberspace operations with influence campaigns to obscure international narratives about their activities. 

Russia uses cyberspace for espionage and theft and to disrupt U.S. infrastructure while attempting to erode confidence in the nation’s democratic processes. Iran undertakes online influence campaigns, espionage efforts, and outright attacks against government and industrial sectors. North Korea flouts sanctions by hacking international financial networks and cryptocurrency exchanges to generate revenue that funds its weapons development activities. Violent extremist organizations have used the Internet to recruit terrorists, raise funds, direct violent attacks, and disseminate gruesome propaganda. 

In the face of these threats, the U.S. government has changed how it will respond. In 2018, Congress clarified the statutory authority for military cyber operations to enable Cyber Command to conduct traditional military activities in addition to the mostly preparatory operations to which it had been limited previously. That same year, the White House released a National Cyber Strategy, which aligned economic, diplomatic, intelligence, and military efforts in cyberspace.

At the Department of Defense, a new National Defense Strategy in 2018 focused the military on the need to expand the competitive space between the United States and its adversaries. Part of that expansion needed to occur in cyberspace. To that end, Cyber Command was elevated to the status of a unified combatant command, which gave cyber issues a more powerful voice within the Department of Defense. Increased authorities and funding soon followed. DoD also released a new cyber strategy, which for the first time enshrined the concept of defend forward. This updated approach acknowledged that defending the United States in cyberspace requires executing operations outside the U.S. military’s networks and that the country cannot afford to wait for attacks to come its way.

Cyber Command implements this defend forward strategy through the doctrine of persistent engagement. The idea behind persistent engagement is that so much of the corrosive effects of cyber attacks against the United States occur below the threshold of traditional armed conflict. Yet much of Cyber Command’s combat power had been devoted toward preparations in the event of future contingencies. We realized that Cyber Command needs to do more than prepare for a crisis in the future; it must compete with adversaries today. 

This doctrine of persistent engagement reflects the fact that one-off cyber operations are unlikely to defeat adversaries. Instead, U.S. forces must compete with adversaries on a recurring basis, making it far more difficult for them to advance their goals over time. For example, publicly releasing adversary malware obtained during hunt forward missions to the cybersecurity community makes that malware less effective because defenses can be tuned to detect and defeat it. Additionally, cyber effects operations allow Cyber Command to disrupt and degrade the capabilities our adversaries use to conduct attacks. 

The persistent engagement doctrine also emphasizes the need for Cyber Command to enable its partners, including by providing indications and warnings to other parts of the government. To that end, we have invested in platforms that facilitate faster sharing of indications and warnings across federal, state, and local governments. One example of this is a new “9-line” incident reporting standard that offers streamlined reporting and response for National Guard units across the country. My goal has been to institutionalize and expedite this kind of enabling assistance. 

Some have speculated that competing with adversaries in cyberspace will increase the risk of escalation—from hacking to all-out war. The thinking goes that by competing more proactively in cyberspace, the risk of miscalculation, error, or accident increases and could escalate to a crisis. Cyber Command takes these concerns seriously, and reducing this risk is a critical part of the planning process. We are confident that this more proactive approach enables Cyber Command to conduct operations that impose costs while responsibly managing escalation. In addition, inaction poses its own risks: that Chinese espionage, Russian intimidation, Iranian coercion, North Korean burglary, and terrorist propaganda will continue unabated. So the question is how, not whether, to act. Just like the rest of the U.S. military, cyber forces abide by widely accepted principles of international law, and when they take direct action, they narrowly tailor the effect.


The National Security Agency is a critical Cyber Command partner. The two organizations are not one and the same: although one of us (General Nakasone) leads both, and although both are headquartered at Fort Meade, they are charged with different missions. The NSA produces signals intelligence and, through its cybersecurity mission, protects National Security Systems.  Cyber Command defends military networks and directs cyberspace operations against adversaries. Yet because of the overlapping nature of the threats they face, the common domain in which they work, and their shared focus on defending the nation, the two organizations work closely together.

The power of this partnership can be seen in how Cyber Command and the NSA worked together to protect against meddling in the 2018 midterm elections. Experts from both organizations formed the Russia Small Group (RSG), a task force created to ensure that democratic processes were executed unfettered by Russian activity. It shared indicators of potential compromise, enabling DHS to harden the security of election infrastructure. It also shared threat indicators with the FBI to bolster that organization’s efforts to counter foreign trolls on social media platforms. And Cyber Command sent personnel on several hunt forward missions, where governments had invited them to search for malware on their networks. Thanks to these and other efforts, the United States disrupted a concerted effort to undermine the midterm elections. Together with its partners, Cyber Command is doing all of this and more for the 2020 elections. 

Cyber Command’s partnership with the NSA also has been central to the online fight against the Islamic State, or ISIS. As part of a previous assignment as head of the army component of Cyber Command, one of us (General Nakasone) led the task force charged with fighting ISIS in cyberspace. The terrorist group’s propagandists used to spread their message on Twitter, YouTube, and their own websites. Today, because of our efforts, they have a much harder time doing so. At the height of its influence, ISIS published magazines in multiple languages, but it now struggles to publish in anything other than Arabic. At the same time as the U.S.-led coalition of conventional forces has prevailed over the physical caliphate, Cyber Command’s efforts have helped defeat the virtual one.

For all their power and results, however, cyberspace operations are not silver bullets, and to be most effective, they require much planning and preparation. Cyber Command thus works closely with other combatant commands to integrate the planning of kinetic and nonkinetic effects. Cyber Command’s capabilities are meant to complement, not replace, other military capabilities, as well as the tools of diplomacy, sanctions, and law enforcement. And they are often used in cooperation with foreign military partners, who bring different skills and techniques to the table. The West’s united front against the Soviet Union kept the Cold War cold; likewise, today, the United States and its allies are building unity of purpose to promote respect for widely held international norms in cyberspace.


Militaries succeed when they embrace new technologies aimed at planning for the next war, not fighting the last one. Cyber Command is committed to working with the private sector to harness emerging technologies. Given that some of the most innovative thinking today is happening in the offices of American tech companies, we would be shortsighted if we were not pursuing partnerships with them. Such partnerships should of course be voluntary—companies can decide on their own if and when it makes sense to work with Cyber Command—but partnering with technology companies has been one of Cyber Command’s top priorities.

Many leading U.S. companies find themselves on the frontlines of competition in cyberspace. Working collaboratively where we can allows us to improve collective defense and stay a step ahead of our adversaries. This is all the more important as technology continues to advance. It is not hard to imagine an AI-powered worm that could disrupt not just personal computers but mobile devices, industrial machinery, and more. Like AI, fifth-generation (5G) wireless networks offer promise and peril with exceptionally fast speeds that underpin ubiquitous connectivity. Such networks can enable authoritarian states to monitor and control their citizens. That is why the United States continues to stress the importance of supply-chain integrity and the dangers of relying on technology from authoritarian countries.  

One of the first hurdles to overcome in our effort to increase cooperation with private-sector companies was finding a place to meet their workers. Because so much of what Cyber Command does is sensitive, it proved challenging to host an unclassified meeting at an unclassified location with people who were not affiliated with the U.S. government. Therefore, we created DreamPort, a facility not far from our headquarters at Fort Meade. DreamPort is not just a building; it is a signal that Cyber Command is receptive to outside thinking. In 2019, for example, it served as an incubator for an effort to bring the aforementioned zero trust approach to network security to the Defense Department, allowing private companies with more experience with this concept to offer advice about what would and would not work for the military. DreamPort also hosts promising high school and college interns from nearby schools, who bring fresh ideas and in return, receive mentoring and a chance to return full-time when they finish their studies. 

Readers may ask: how can Cyber Command compete with private-sector salaries? The answer is that what appeals to so many of our recruits is the opportunity to serve their country in a relatively novel domain of conflict and the chance to avail themselves of world-class training and high-stakes assignments. Where things get complicated, however, is that for those in uniform, professional advancement usually involves rotating to new jobs and assignments every few years. Some view this as a perk, but for many who are forgoing salaries at tech companies, such constant interruption can be frustrating—even a deal breaker.  This is why we value relationships with organizations like the National Security Innovation Network, which provides access to a diverse talent pipeline, from college interns to advanced degree professionals.

The good news is that each of the military’s service branches has made great strides in transforming cyberspace operations into more of a profession and less of a trade. A decade ago, military personnel rotated out of cyber positions frequently, whereas now, the Army, Navy, Air Force, and Marines have encouraged professionalization by offering personnel in this area repeat assignments, specialized training, and incentive pay. But to retain the best of the best, more experimentation and flexibility is needed. When a service member does leave for the private sector, we should take that as affirmation that we are developing people with the right mix of skills. At the same time, we should do all we can to encourage those who leave and make it easier for them to rejoin the national security community down the road.


Ten years ago, Deputy Secretary of Defense William Lynn wrote a prescient article in Foreign Affairs about the military’s growing role in cyberspace. Many of his observations have stood the test of time. Cyberspace remains a domain where adversaries attempt, as he wrote, “to overcome overwhelming U.S. advantages in conventional military power,” attackers still benefit from “low barriers to technological innovation,” and Cyber Command still must “work with a variety of partners inside and outside the U.S. government.”

But much has changed in the past ten years. Our adversaries have abused open platforms for sharing knowledge and views by creating troll farms for disinformation. Terrorists have used the Internet to control forces and recruit new members. Portions of critical infrastructure, such as the power supply in Ukraine, have been disabled. Advances in artificial intelligence, autonomous vehicles, and 5G networks will only complicate this landscape of threats.

In large part to account for these and other changes, Congress established the Cyberspace Solarium Commission in 2019 to prepare for the next ten years and consider new approaches to keeping the United States safe in cyberspace.  Readers of the commission’s extensive report will see thoughtful and deliberate proposals to improve the nation’s approach to cybersecurity and its resilience in the face of the threats we just described.

As threats continue to evolve online, U.S. Cyber Command will remain ready to defend the United States in the years ahead”
  • PAUL M. NAKASONE is Commander of U.S. Cyber Command, Director of the National Security Agency, and Chief of the Central Security Service.
  • MICHAEL SULMEYER is Senior Adviser to the Commander of U.S. Cyber Command.

Defense Department Reorganizing For Information Warfare

Image: Globalvillagespace


America’s adversaries have targeted the military’s weaknesses via information warfare in recent years, and as a result the Department of Defense has made a series of moves to reorganize and better defend against such threats.


“While each service is undertaking a slightly different approach toward information warfare, Defense officials have said there is a broad buy-in to a larger vision of how to fuse capabilities and better prepare to fight. Collectively, they show the breadth of the movement.

Here are several efforts underway within the services and the Pentagon.

Navy

Upon becoming the service’s top officer in December, Chief of Naval Operations Adm. Michael Gilday issued a fragmentary order outlining a variety of tasks for the Navy. Included in this order was a direction that the Navy will pilot a dedicated information warfare cell within a maritime operations center at Large Scale Exercise 2020 to more effectively integrate space, electronic warfare, information operations and special operations forces into all-domain operations.

Large Scale Exercise has been put on hold until next year due to the ongoing pandemic.

Gilday explained that the results from the exercise will refine the requirements and timeline for these IW cells in all fleet maritime operations centers as part of the budget for 2022.

Gilday also required the Navy to develop a plan to field small tactical cyber teams for fleet cyber commanders; however, that also is still forthcoming.

Army

The Army’s primary arm for cyber operations has been working to reorganize and change its name.

Lt. Gen. Stephen Fogarty in August announced Army Cyber Command intended to change its name to Army Information Warfare Command. Similar comments came from Chief of Staff Gen. James McConville. It is still unclear when the official name change will take place.

The tactical manifestation of this name change will exist with the 915th Cyber Warfare Battalion, a relatively new unit consisting of 12 teams that support brigade combat teams or other tactical formations. These “fly away” teams, as some officials call them, would help plan tactical cyber operations for commanders in theater and unilaterally conduct missions in coordination with forces in the field.

The Army has already activated its first two companies under the 915th in the last year and plans to create another within the next year.

On the capability side, the Army is continuing to field its first organic brigade information warfare capabilities. These include the Multi-Function Electronic Warfare Air Large, the first organic brigade aerial electronic attack asset, which is also capable of cyberattacks and is pod-mounted on an MQ-1C Gray Eagle drone, as well as the Terrestrial Layer System Large, the first ground-based integrated signals intelligence, electronic warfare and cyber platform.

The Army recently awarded a development contract to Lockheed Martin for MFEW and plans to equip units in 2022.

The TLS is currently in the prototyping phase with two companies competing for the contract. The Army aims to equip units in 2022 as well.

Air Force

In October, the Air Force created its first information warfare command in 16th Air Force, which combined 24th Air Force and 25th Air Force. It now fuses cyber, electronic warfare, intelligence surveillance and reconnaissance, information operations and weather together under one commander.

While the new entity reached full operational capability this month, there is still more work to be done in getting the right personnel in place and continuing to integrate the disparate entities that existed separately before.

Specifically, 16th Air Force’s commander Lt. Gen. Timothy Haugh said an information warfare cell that will be tied closely with the air components at European and Indo-Pacific Command has been assigned but that leaders still need to hire personnel.

Additionally, he noted during a July 15 event hosted by the Mitchell Institute that the 16th will be partnering with their parent entity Air Combat Command to create a spectrum warfare wing.

Marine Corps

The Marines decided to reorganize their Marine Expeditionary Force headquarters nearly four years ago and create the MEF Information Groups (MIGs).

These entities centralize cyber, electronic warfare, intelligence and information operations into tactical maneuver formations.

These forces are still participating in exercises to better refine structures and concepts.

Pentagon

Congress in last year’s defense policy bill directed the Department of Defense to designate a principal information operations adviser.”


What IT leaders Should Do Now To Prepare For CMMC Compliance



The Department of Defense’s Cybersecurity Maturity Model Certification has been top of mind for federal IT leaders and contractors alike–and compliance is moving forward on the aggressive and necessary timeline.

With more than 300,000 estimated suppliers to the DoD, achieving a consistent level of cyber hygiene–a set of practices for managing the most common and pervasive cybersecurity risks–is critical.


“Most recently, the CMMC accreditation body announced that they are developing a course to train independent assessors who will evaluate contractors’ ability to comply with CMMC requirements, with the first phase expected to kick off in less than six months and formally launch its program by early 2021.

DOD is only as strong as its weakest link. Given that many contractors lack the necessary cyber hygiene processes to meet CMMC requirements, there are some critical steps that must be taken to mind this security gap.

Roadblocks to Basic Cyber Hygiene

Often, contractors address individual cybersecurity vulnerabilities by implementing a complex patchwork of point products that don’t integrate, are difficult to manage and patch, and fail to provide IT leadership with a full view of the threats facing the enterprise. This complexity results in increased risk and additional costs.

If contractors continue to implement disparate point products to resolve individual problems, they will also continue to increase complexity, cost, and risk–and won’t achieve the visibility needed to manage risk and meet CMMC requirements.

One of the primary goals of CMMC is to “reduce risk against a specific set of cyber threats”–and in order to do that, federal agencies and contractors alike need real-time data to make sound risk-based decisions. A decision made on stale or unreliable data may ultimately introduce new or additional risk to the enterprise; and in today’s complex environments, it can be difficult to determine truth between data sets or trace data paths back to the origin for validation. But, decision makers shouldn’t have to worry about the age, accuracy, or integrity of the data. When pulled from a single source in real-time, not only does decision time decrease but the confidence and the efficacy of those decisions increases.

Standing Up a CMMC-compliant Infrastructure

Contractors should consider a holistic approach that integrates IT operations and security more tightly than in the past. If you’ve worked in the DoD for any amount of time, then you’re aware of the various efforts to consolidate and unify, from data center consolidation efforts to organizational realignment. But integration and consolidation efforts don’t have to be difficult. IT leaders need a platform–a single pane of glass–to understand and monitor their environment and make decisions in real time. This platform must provide the capability to integrate endpoint management and security (i.e., gather data from all endpoints, make needed updates, and reduce risk).

The newly distributed workforce means that tighter integration of endpoint management and security is more important than ever. Every organization is managing more endpoints; there are more unmanaged devices; and we see elevated activity from bad actors. A platform approach that integrates endpoint management and security allows you to see your environment, quickly gather data from endpoints, make needed updates, and reduce risk.

The goal is to simplify management of complex hybrid environments–and most importantly, keep teams productive and resilient.

While contractors work to stand up a CMMC-compliant IT infrastructure, it’s important to start with the following questions:

  • How many computers do you have on your network? And are they authorized to be there?
  • What applications are installed? And are they all up to date?
  • What are users doing? And is it authorized?
  • How comfortable are you with your patch/vulnerability/risk posture?
  • Have you recently been breached or had an outage that could have been prevented?

There will always be new, unaccounted-for risk–and risk can take many forms. Risk can increase if you don’t protect your data, if you don’t patch your systems, or if a new vulnerability is discovered in the wild. While external factors within any given area might change, organizations have more command over the areas with security controls in place–such as data protection, cyber hygiene, and prevention. In today’s cyber environment, every organization is at risk–some more than others, but each has its own level of acceptable risk. That’s why this new certification model was created–to minimize the overall risk to the DoD by enforcing a risk standard to improve basic security practices and administer more stringent practices based on risk levels and the type of data being handled.

When a new threat is identified, look at existing controls, identify where there is risk, and determine how to adapt your security posture to remediate. Historically, this is where many contractors and organizations have turned to multiple point products–but it’s critical that the Defense Industrial Base shift from this approach and instead pursue a single platform so that they are able to not just reduce risk at a single point in time to meet compliance requirements, but they are also able to identify and assess risks on a continuous, ongoing basis for real-time cyber defense.”

Colby Proffitt is a cyber strategist at Tanium.

COVID-19 Enhances Pentagon Cyber Policy Commission Report Recommendations


“A co-chairman of the Cyberspace Solarium Commission said April 22 that the fiscal 2021 defense policy bill could include about 30 percent of the group’s cyber policy recommendations.

Rep. Mike Gallagher, R-Wis., who co-chairs the Cyberspace Solarium Commission, which released a report with more than 75 cyber policy recommendations March 11, said on a webinar hosted by Palo Alto Networks that commission staff is working with the appropriate congressional committees and subcommittees to put about 30 percent of its recommendations into this year’s National Defense Authorization Act.

The report proposed a three-pronged strategy for securing cyberspace, called layered deterrence: shape behavior, deny benefit and impose cost.

The report also takes U.S. Cyber Command’s “defend forward” policy, which allows the military to take a more aggressive approach in cyberspace. It also suggests broadening the policy to encompass the entire federal government.

Gallagher didn’t specifically identify recommendations he thinks will be included in the NDAA, but given that the bill focuses on authorizing Defense Department programs, Pentagon-specific recommendations are the likeliest to be in the legislative text.

The recommendations for the department focus on ensuring that the Cyber Mission Force is adequately equipped; establishing vulnerability assessments for weapons and nuclear control systems; sharing threat intelligence; and threat hunting of the networks of the defense-industrial base.

The spread of the new coronavirus, COVID-19, disrupted the commission report’s rollout, which included congressional hearings on the commission’s recommendation. Those hearings have been canceled. But the pandemic also highlights the need to implement recommendations made in the report, Gallagher said, specifically the establishment of a national cyber director in the White House.

“The importance of having that one person, that singular belly button in the executive branch who’s coordinating efforts across government so that you don’t have to create an ad hoc task force, [so] you’re not scrambling to find who are the right people we need in the room after the crisis has already occurred,” Gallagher said.

Before the spread of the coronavirus, congressional committees had planned to host hearings on the commission report, but those were canceled after the coronavirus spread throughout the United States. Congress is currently wrestling with how to remotely conduct voting and committee business, as the pandemic is restricting gatherings of large groups of people.

“Even though coronavirus has complicated some of … our commission rollout, we’re continuing the legislative process right now, and I’m pretty optimistic about our ability to shape this year’s NDAA,” Gallagher said.

As for the other recommendations, Gallagher said they aren’t germane to the NDAA and will take “some time.”


Small Business Focus – Cyber Security Maturity Model Certification (CMMC)

Image: DAU.edu


Forthcoming cybersecurity controls are designed to help DoD and small business work together to protect sensitive data and help industry comply in a fairer way depending on the types of systems they’re asked to defend.


“Small businesses are increasingly being targeted digitally by nation states, according to Department of Defense officials, who say more must be done specifically to evaluate and reinforce the security of contractors battling cyberattacks.

“We’re losing,” said Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber within the office of the undersecretary of defense for acquisition and sustainment, speaking Oct. 7 at an AFCEA-hosted event.

Arrington explained that adversaries cost the country $600 billion a year and that, with 5G on the horizon, that amount must be multiplied by “umpteenth” in 2025 given the near-unlimited bandwidth for cyber campaigns technology promises. As a result, Arrington said, the forthcoming cybersecurity maturity model certification (CMMC) was designed specifically for small businesses.

The CMMC is a framework that grades company cybersecurity on a scale of one (least secure) to five (most stringent). What small businesses will be asked to do is comply with a tiered rating system depending on the systems they’ll be working on.

What this means is if a company is working on janitorial services, they may only need to comply with level 1 of CMMC as opposed to level 3, which is equivalent to NIST 800-171 regulations, or level 4 that is reserved for exquisite systems.

In the past, there was a two-tiered system for small businesses to be compliant, Arrington described. A company could be compliant with 80 controls under NIST 171 and have a Plan of Actions & Milestones (POA&Ms) to do the other 30, while another company could be doing all the 110 controls and both are technically acceptable.

“That isn’t right, because our adversaries aren’t taking a cup of coffee and saying, ‘I’m going to come back to you when your POA&M is done,’” said Arrington. “They’re walking through those POA&Ms like they’re Swiss cheese.”

As a result, Arrington made the case that the CMMC is really about leveling this playing field and protecting sensitive systems that require additional cybersecurity controls.

Some have noted that these new requirements, while meant to protect the defense industrial base against loss from external forces, could hit smaller companies harder within the market.

“This would have severe unintended consequences on small businesses that do not have the resources and sophistication to obtain a high CMMC level, producing market entry barriers and limiting competition,” the Professional Services Council said in a Sept. 25 letter to DoD following the September draft release of the CMMC.

“Until we see the whole scope of who it’s going to apply to and why it’s going to apply to them, it could impact a lot of small companies,” Alexander Major, partner and co-lead for government contracts at McCarter & English LLP, told FCW following the same draft release.

Major’s co-lead, Franklin Turner, also told FCW that Arrington’s assertion that the CMMC would cost only a few thousand dollars is “utterly foolish,” adding it would “likely be an impediment” for small companies.

However, as Arrington and others have pointed out, top nation states are targeting these smaller companies, necessitating the initiative. Trying to sympathize with the audience, Arrington touted her background contracting with utilities, water and weather services where she herself was guilty of poor cybersecurity practices as a program manager.

“I knew where the weather was, the water was and the electric was. It was all on my laptop,” she said.

She did much of her work at coffee shops because, “I needed to network and I needed to communicate with my peers to drive new business and I needed to be seen, because as a small business you have a lot of people who telework from home.”

But even using a VPN to tunnel into work accounts has the potential to be exploited, Arrington acknowledged. “I was taking everything around me in the pipe.”

Recent events have put a spotlight on the fact data doesn’t have to be classified to be sensitive. Several Navy breaches — largely attributed to China — targeted contractors that were determined to have information that wasn’t itself classified, but in aggregate disclosed sensitive capabilities. It is the increase in campaigns to exploit a higher percentage of lower-level vulnerabilities that the CMMC framework addresses.

“Our adversaries are not trying to get at us at the … top of the nuclear triad,” said Arrington. “You don’t have the aperture to defend yourself against a nation state and we don’t want you to. I need to be able to help you protect us because when 80 percent of my data lives on your network, it’s no longer a you or a me — it’s a we thing. This is a we problem.

“I need to know exactly what I’m asking you to protect and at what level. Right now, you’re all just doing a bunch of different disparate things, but there’s not a level set. [Cybersecurity] controls do not equal requirement,” Arrington continued.

It is expected that in fall 2020 CMMC requirements will be included in requests for proposals and will be a go/no go decision.”


Government Improving The Sharing Of Cyber Security Threat Information

Image: “Fifth Domain”


“A new joint report from inspectors general across the government found that information sharing among the intelligence community and the rest of government “made progress.”


“Over and over cybersecurity officials in the civilian government, the intelligence community and the Department of Defense say the same platitude: information sharing is important. Often, however, little insight, or metrics, back up exactly how well they are doing it.

The report, titled “Unclassified Joint Report on the Implementation of the Cybersecurity Information Sharing Act of 2015” and released Dec. 19, found that cybersecurity threat information sharing has improved throughout government over the last two years, though some barriers remain, like information classification levels.

Information sharing throughout government has improved in part because of a security capability launched by the Office of the Director of National Intelligence’s Intelligence Community Security Coordination Center (IC SCC) that allowed the ODNI to increase cybersecurity information sharing all the way up to the top-secret level. The capability, called the Intelligence Community Analysis and Signature Tool (ICOAST), shares both indicators of compromise and malware signatures that identify the presence of malicious code. According to the report, the information from the platform is available to “thousands” of users across the IC, DoD and civilian government.

Information sharing within the IC has also improved due to the creation of several websites within its top-secret networks that contain threat indicators and several different types of summary reports on cyber activity and vulnerabilities.

Technological change is molding the future of information sharing within the government. With the rise of cloud computing at various classification levels throughout the government, the IC SCC told IGs that it plans to expand the ICOAST threat intel capability to work in secret and unclassified clouds. That is in the “planning and development” stages, according to the report.

“At the secret and unclassified levels, the ICOAST instances will interface with multiple DoD components and other federal entities that have the responsibility for distributing cyberthreat information to federal, state and local entities and the private sector,” the IGs wrote.

According to the report, an IC SCC official told the IGs that they wanted to deploy ICOAST in those environments by the end of calendar year 2019. A spokesperson for the ODNI didn’t immediately respond to a question about the availability of ICOAST.

The IC SCC is also working with the Department of Homeland Security’s cybersecurity arm, the Cybersecurity and Infrastructure Security Agency, to improve information within CISA’s threat intelligence platform, Automated Indicator Sharing (AIS), for integration with ICOAST.

Barriers to sharing

Though the government has made marked improvements in its info sharing, the IGs noted several ongoing challenges to better information sharing.

CISA’s AIS solution, a system through which the federal government and the private sector can share threat intelligence in near-real time, has its own participation challenges. In December 2018, the IGs found, there were 252 federal and non-federal organizations signed up for AIS. But in June 2019, only four agencies and six non-federal entities were using the platform for information sharing. DHS told auditors that the lack of participation hindered improvement.

“DHS reported that the limited number of participants who input cyberthreat information to AIS is the main barrier for DHS to improve the quality of the indicators with more actionable information to mitigate potential cyberthreats,” the IGs wrote.

The most common complaint was that AIS threat information lacked proper context to be actionable, a complaint similar to that heard from state governments receiving threat intelligence from DHS and the FBI during the 2016 election. Therefore, cybersecurity officials at several agencies couldn’t “determine why the indicator was an issue.”

“As a result, the entities did not know what actions to take based on the information received from AIS without performing additional research,” the IGs wrote.

CISA officials told the IGs that they were working on improving the quality of information with AIS.

Meanwhile, agencies also noted that the classification levels of certain threat intelligence prevented widespread info sharing. Aside from officials lacking proper clearance being prevented from viewing certain information, auditors also noted that classified threat information couldn’t be uploaded into the sharing platforms that aren’t cleared for storing that information, further hampering sharing efforts. Some agencies have worked with the owners to downgrade the classification level, according to the report.

“Sharing cyberthreat indicators and defensive measures increases the amount of information available for defending systems and networks against cyberattacks,” the IGs wrote.”


Contractor Input Requested For Federal Cloud-Based Centralized Vulnerability Disclosure Platform

Image: Shutterstock


In a request for information released late December, the agencies asked industry for feedback on how to set up a system that could serve as a primary point of entry for security researchers warning about bugs in their internet-accessible systems.


“The Department of Homeland Security and the General Services Administration want to know what it would take to develop a cloud-based centralized vulnerability disclosure platform for the federal government.

While the platform would be managed by the Cybersecurity and Infrastructure Security Agency at DHS, agencies might have to kick in some of their own funding and participation would be voluntary. CISA is looking at a centralized software-as-a-service platform that can track incoming submissions, validate each report for legitimate bugs while filtering out errant ones, enable web-based communication between the reporter and agency during remediation efforts and allow agencies to create separate role-based accounts for their main organization and component agencies.

While federal civilian and military systems are often riddled with bugs, the document points out that the system could be beneficial to many agencies that will likely be starting vulnerability disclosure management from scratch.

“Most federal agencies currently lack a formal mechanism to receive information from third parties about potential security vulnerabilities on their systems,” the RFI notes. “Many agencies have no defined strategy for handling reports about such issues shared by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized.”

The platform would also track a number of metrics around each agency’s disclosure program, such as the number of reports submitted, number of valid vulnerabilities identified and the median time needed to respond, validate and mitigate issues. Automatic alerts would be sent out to all parties as different stakeholders complete their tasks, and the web application would allow CISA to intervene in instances where the affected agency is unknown or unresponsive to a pending bug.
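As an added illustration of the metrics the RFI describes, not code from the RFI or from DHS, GSA or CISA, here is how a platform could compute them from constructed report records and flag the reports that would need the operator to step in: per-agency counts of submitted reports and confirmed vulnerabilities, median hours from submission to first response, to triage decision and to mitigation, and a list of reports where the affected agency is unknown or has not responded. All agency names, report IDs and timestamps are constructed, and the three-day response threshold is an assumption, not a value from the RFI.

```python
"""Constructed example of vulnerability disclosure program metrics.
Agency names, report IDs, timestamps and the response SLA are all made up."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Report:
    """One submission to the disclosure platform. A stage timestamp is None
    until that stage has happened; valid is None while triage is pending."""
    report_id: str
    agency: Optional[str]                   # None: affected agency could not be determined
    submitted: datetime
    responded: Optional[datetime] = None    # first reply to the researcher
    validated: Optional[datetime] = None    # triage decision recorded
    mitigated: Optional[datetime] = None    # fix confirmed
    valid: Optional[bool] = None            # False: errant, duplicate or out of scope


def _hours(start: datetime, end: Optional[datetime]) -> Optional[float]:
    return None if end is None else (end - start).total_seconds() / 3600


def _median_or_none(values):
    present = [v for v in values if v is not None]
    return median(present) if present else None


def agency_metrics(reports, agency):
    """Per-agency metrics: report volume, confirmed vulnerabilities and median
    hours (measured from submission) to respond, to validate and to mitigate."""
    mine = [r for r in reports if r.agency == agency]
    return {
        "submitted": len(mine),
        "valid": sum(1 for r in mine if r.valid is True),
        "median_response_hours": _median_or_none(_hours(r.submitted, r.responded) for r in mine),
        "median_validation_hours": _median_or_none(_hours(r.submitted, r.validated) for r in mine),
        # mitigation only makes sense for confirmed vulnerabilities
        "median_mitigation_hours": _median_or_none(
            _hours(r.submitted, r.mitigated) for r in mine if r.valid is True),
    }


def needs_escalation(reports, now, response_sla=timedelta(days=3)):
    """Report IDs the platform operator would have to pick up: the affected
    agency is unknown, or the agency has not responded within the SLA
    (the three-day SLA is a constructed threshold, not one from the RFI)."""
    flagged = []
    for r in reports:
        if r.agency is None:
            flagged.append(r.report_id)
        elif r.responded is None and now - r.submitted > response_sla:
            flagged.append(r.report_id)
    return sorted(flagged)


# Constructed sample data: two fictional agencies, one report with no owner.
T = datetime(2020, 1, 6, 9, 0)
SAMPLE_REPORTS = [
    Report("VDP-0001", "AGENCY-A", T, responded=T + timedelta(hours=24),
           validated=T + timedelta(hours=48), mitigated=T + timedelta(days=10), valid=True),
    Report("VDP-0002", "AGENCY-A", T + timedelta(days=1), responded=T + timedelta(days=1, hours=12),
           validated=T + timedelta(days=2), valid=False),          # duplicate, no fix needed
    Report("VDP-0003", "AGENCY-A", T + timedelta(days=2), responded=T + timedelta(days=4),
           validated=T + timedelta(days=5), mitigated=T + timedelta(days=7), valid=True),
    Report("VDP-0004", "AGENCY-A", T + timedelta(days=4)),            # no response yet
    Report("VDP-0005", None, T + timedelta(days=6)),                  # owner unknown
    Report("VDP-0006", "AGENCY-B", T + timedelta(days=7), responded=T + timedelta(days=7, hours=6)),
]
NOW = T + timedelta(days=9)

if __name__ == "__main__":
    for agency in ("AGENCY-A", "AGENCY-B"):
        print(agency, agency_metrics(SAMPLE_REPORTS, agency))
    print("escalate:", needs_escalation(SAMPLE_REPORTS, NOW))
```

Median rather than mean is the right summary here because a single report left open for months would otherwise swamp an agency's response figure; the escalation list is what the text describes as the point where the platform lets the operator intervene for unknown or unresponsive agencies.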

The RFI overlaps with a request from CISA for feedback from security researchers on a draft Binding Operational Directive that would compel civilian agencies to set up their own vulnerability disclosure programs.

Some security researchers have expressed concerns around legal protections and how easy it would be to contact and communicate with affected agencies. Over the years internal audits by the Government Accountability Office and agency inspectors general have found hundreds of security vulnerabilities and spotty patch management practices for U.S. weapons systems, airport screening systems, the electrical grid, unclassified nuclear systems and a host of other critical IT systems managed by the federal government.”


CISA Requests Public Input On Civilian Agency Mandatory Cyber Security Order



“The Department of Homeland Security’s cybersecurity division is trying something new. Instead of simply ordering civilian agencies to take a specific action to shore up their cybersecurity, it is asking the public to weigh in on the order first.


“DHS’ Cybersecurity and Infrastructure Security Agency issued a draft Binding Operational Directive (BOD) that compels civilian agencies to establish programs to work with outside security researchers to find and fix software flaws in agency websites and applications.

The appeal for public input is in the collaborative spirit of vulnerability disclosure policies (VDP), which crowdsource an organization’s security by asking ethical hackers to improve it. VDPs are common in the private sector, but much too rare in government for DHS’s taste. When CyberScoop first reported last month that CISA had prepared the directive, officials estimated that, out of scores of civilian agencies, just 10 had VDPs in place.

“[I]t’s the public that will provide those reports and will be the true beneficiaries of vulnerability remediation,” Jeanette Manfra, CISA’s assistant director for cybersecurity, wrote in a blog post explaining the unusual decision to seek feedback on a DHS cybersecurity order.

Outside experts on VDPs have a month to offer their feedback.

The draft order tasks agencies with setting up VDPs within six months of the order being released. It adds a sense of urgency to the issue by requiring agencies to add one new system or service to the scope of their VDPs every 90 days. The draft BOD also “draws a line in the sand” for agencies to embrace VDPs, as Manfra put it, in that agency systems that come online after the directive must be included in the disclosure program.

“In seeking public comment, we’re also nodding to the fact that, to our knowledge, a requirement for individual enterprises to maintain a vulnerability disclosure policy has never been done before, and certainly not on this scale,” Manfra, who is leaving CISA by the end of the year, wrote in her blog post.

The big changes in how agencies deal with software vulnerabilities will be coordinated through the Office of Management and Budget, which has issued its own guidance to agencies as they prepare to establish VDPs.

“As the federal government’s digital footprint has expanded, the risks to its networks and information have also grown,” the OMB guidance states.”

NDIA Survey Shows Industry Must Do More For Cybersecurity

Photo: iStock


The 2019 DFARS 7012 Cybersecurity Survey provides a glimpse into industry’s perspective on cybersecurity regulations current as of mid-2019.

Participation from industry varied in sector, size and geographic location to provide a representative cross-section of the defense industrial base.


“Adoption and deployment of cyber technologies have improved the effectiveness of U.S. warfighters across the globe. From reducing the cost and lead-time for high-tech weapons production, to ensuring reliable communications across the battlefield, cyber underlies many defense innovations.

However, despite the numerous advantages of a cyber-connected world, the proliferation of cyber tools presents an array of threats and vulnerabilities that deserve the attention of decision-makers across the defense enterprise. Cybersecurity breaches are increasingly common across industry and government, with the defense industry being no exception. With the cost of these breaches reaching into the billions of dollars, demand for more robust cybersecurity controls and regulations comes from the highest levels of government and Congress.

The Defense Department seeks to address these concerns by placing a more intentional focus on data that falls outside of classified controls but remains valuable to an adversary.

Technical data, ordering information, and instructional materials are examples of data deemed “controlled unclassified information,” or CUI.

While a more exhaustive definition of CUI is still in development, requirements to protect it have been included in contracts since late 2018. The DFARS 252.204-7012 clause requires that contractors abide by the 100-plus cybersecurity controls developed by the National Institute of Standards and Technology in Special Publication 800-171. The effectiveness of these controls and their impact on industry is the focus of recent research by NDIA.

The survey was developed in conjunction with NDIA’s San Diego Chapter and was distributed via email and to NDIA members. The survey opened in April and ran until July. Approximately 300 responses were collected from industry representatives across the country.

Results measured notable differences in experiences across large versus small companies, primes versus subcontractors, and new entrants versus established actors. Questions gathered data about company financials, information technology processes and corporate views on current policy.

One finding is that cybersecurity breaches are pervasive across industry but range in cost and severity. Some attacks go unnoticed while others debilitate business. The defense industry has experienced a range of cyber-attack events, according to the study results. Overall, one quarter of participants have been prior victims of cyber attacks, with a concentration on businesses larger than 500 employees. Forty-four percent of these companies suffered attacks and an additional 30 percent of this group responded that they were unsure if they had been attacked.

If even half of these unsure respondents are victims, the attack rate for larger firms stands greater than 50 percent. The high frequency of attacks across the defense industry demonstrates the seriousness of the cyber risk. The question is increasingly moving away from if a company has been the victim of an attack, to when a company will experience an attack.

As the number of cyber attacks grows, so does the range of cyber-related threats. Of a list of current threats facing industry, a cyber attack from an outside actor was ranked by 43 percent of respondents as the most threatening, followed by the fear of a dismissed employee wreaking havoc on the company’s systems. Industry participants viewed threats of contract revocation or retribution for the mishandling of sensitive material as comparatively much less threatening, signaling that current mechanisms for discouraging contract violations are not viewed as a serious threat in comparison to other cyber vulnerabilities.

The growing risk to industry from cyber attacks has driven growth in information security companies offering tools and services to prevent or recover from these attacks.

Companies now have a litany of fortification products and consulting services available to help them fend off attackers in the cyber arena. These tools, of course, offer varying levels of protection and range in cost, thus adoption of them across industry varies widely.

Of the security measures presented, the presence of a firewall was cited as the most common for both small and large businesses. A similar level of adoption was seen for the use of multi-factor authentication and VPNs for remote work for large businesses, but the response saw a large drop-off of utilization of these tools among smaller companies.

Across the board there is evidence that small businesses use security measures at a rate of approximately 20 percent less than their large counterparts. Cost, lack of experienced personnel to implement secure practices, and the belief that these tools provide little benefit compared to the cost potentially explain this lower level of implementation. It is worth noting, however, the NIST 800-171 standard requires a number of these security measures, indicating many of these companies may currently fail to meet requirements.

While the lack of compliance may cause concern, one area that’s more worrisome is the levels of preparedness across industry for an attack. Only 40 percent of respondents expressed lack of confidence in their company’s ability to recover from a cyber attack within 24 hours, 30 percent claimed to not have a good sense of the cost of recovering from an attack, and small businesses are trailing large ones by 15 percentage points in agreement with the statement that “our employees are well prepared to understand and respond to cybersecurity threats.” These indicators should alert government and industry to the continued presence of significant cyber vulnerabilities across the defense industrial base.

Those in government tasked with monitoring cyber threats are clearly concerned about weaknesses in industry’s cyber fortifications. The Defense Department has focused on and actively promoted development and implementation of cyber regulations for the past few years, and continues to debate the best approaches to protecting America’s critical cyber infrastructure.

Despite this attention, a large portion of the defense industrial base remains unprepared for DFARS 7012 compliance. When asked if their company was prepared to comply with DFARS 7012, 72 percent of large businesses agreed they were prepared while only 54 percent — a slight majority — of small businesses reported readiness. Rates of actual compliance drive greater concern. Currently, 44 percent of prime contractors do not have system security plans from their subcontractors, a central tenet of DFARS 7012 compliance, and only 5 percent of prime contractors have taken corrective action against their subcontractors, allowing the risk to continue unchecked.

While adoption and compliance levels with current cybersecurity standards may concern government officials, industry’s perspective on the impact of these policies is a notable bright spot. Data from NDIA’s survey show signs senior defense industry managers are prioritizing DFARS 7012 compliance and large and small companies believe implementing DFARS 7012 standards will help them achieve a comprehensive level of security. Industry also assessed government regulations as superior to their security policies, and felt implementing these regulations would help to deter and prevent attacks from even the most determined adversaries.

While the current state of cybersecurity across the defense industrial base needs improvement and will remain a focus area for policymakers in the Pentagon and Congress, there are some clear initial steps that can immediately strengthen cyber infrastructure.

The government should begin by increasing communication and access to resources available to lower-tier, smaller members of the defense industrial base. Communication should focus on the business case for compliance. Resources should help companies achieve and maintain compliance. Pairing individual compliance requirements with communications about risk and reward strengthens the case for implementation.

For industry, prime-level contractors should amplify government communications about risk and reward. Primes should routinely and broadly share best practices, cost-saving efforts, and methods of cyber regulation compliance with not only their supply chain, but with their competitors. Overall, defense industrial base members both large and small must increase their level of preparedness to deter, defend and recover from cyber attacks. In this era of the hyper-connected battlefield, delivering superior, uncompromised capabilities to our warfighters begins by ensuring availability and reliability.

For more information about this survey and to read the full results, visit NDIA.org/CyberStudy2019.”


When Espionage Skills Are For Sale, So Is Your Security



Anyone with the intent, interest and budget to buy espionage tools and expertise can now acquire the capability to steal a specific piece of information. 

It can thus be presumed that any national intelligence agency, large corporation or organized crime group can access whatever data they deem valuable enough to pay for.


“Reports emerged Oct. 16 that UAE-based cybersecurity company DarkMatter recruited officers who had previously worked for Israel’s elite cyber intelligence outfit, Unit 8200. Interestingly, the story also noted that many of the Unit 8200 personnel had first worked at the Israeli cybersecurity company NSO Group before reportedly departing the company for larger salaries at DarkMatter. Both NSO Group and DarkMatter have generated a great deal of media coverage for allegedly arming governments with intelligence tools to spy on potential dissidents and journalists, among other targets. These cases, however, undoubtedly only scratch the surface of a much larger threat — that is, the increasing proliferation of intelligence tools and skills on the open market. Today, more actors than ever can purchase advanced intelligence capabilities, forcing us to reconsider the way we think about, analyze and protect against corporate espionage threats.

An Emerging Black Market

When assessing the corporate espionage threat posed by a hostile actor, Stratfor has long used a three-pronged model that gauges the actor’s interest, intent and capability. Over the course of my career, I’ve encountered numerous cases in which an actor had the interest and intent to conduct espionage, but lacked the innate capability to effectively steal some piece of proprietary information or monitor a private organization’s activities and communications. State sponsors have helped intelligence services punch far above their weight class in decades past. The training and equipment that the Soviet KGB and the East German Stasi provided Cuba in the 1960s and 70s, for example, helped propel its intelligence agency to top-tier status. Likewise, Jordanian intelligence has become quite competent thanks to its long association with U.S. counterparts. Many other nations and other espionage actors simply did not possess, and largely could not obtain, world-class intelligence capabilities. 

But that is changing under this new model of intelligence capabilities proliferation. Certainly, the United Arab Emirates has taken a very big jump in its capabilities by creating DarkMatter and employing some of the world’s most elite intelligence officers. Meanwhile, other countries such as Mexico and Saudi Arabia have allegedly purchased and used tools developed by the Israel-based NSO Group to ostensibly spy on journalists, opposition politicians and human rights organizations seen as threats to the regime. China’s partner governments in Africa are also reportedly using technology manufactured by tech giant Huawei to track political opponents and other targets.

But while these cases involving Huawei, NSO Group and DarkMatter have garnered headlines, the threat extends far beyond the cyber realm. It has become increasingly common for intelligence professionals to parlay the tradecraft skills they acquired during their government service into high-paying, private sector jobs. This not only includes cyber skills used for hacking, but human intelligence know-how such as source recruitment and handling, as well as other esoteric tradecraft skills such as conducting black-bag jobs. As a result, the full array of espionage tools — including human intelligence tradecraft — is now available for purchase. 

In some cases, the price tag for such tools and skills can be relatively steep. The base fee for NSO Group’s Pegasus software used by the Mexican and Saudi governments reportedly cost $500,000 — with an additional $650,000 to hack the phones of 10 targets. But while expensive, these fees are certainly well within the budget of not only the intelligence agencies of even small countries, but private companies and large organized crime groups. Drug cartels in Mexico, for example, have hired hackers to help them gather information on their enemies. The notorious Sinaloa cartel also purchased state-of-the-art encrypted cellphones from the Canada-based Phantom Secure to protect both its operations and Joaquin “El Chapo” Guzman Loera’s communications with his various wives and mistresses. 

The Limitations of Outsourcing Expertise

This new model of intelligence capabilities outsourcing, however, is not without risk. First, as we’ve seen in Saudi Arabia’s alleged killing of journalist Jamal Khashoggi, it can bring a great deal of unwanted attention upon the instigator when intelligence tools are used to help facilitate atrocities or otherwise violate international norms. Since the two stories first broke in late 2018, the Saudi and Mexican governments’ use of the NSO Group’s software has also resulted in a public uproar and court cases in both countries.

Second is the concern of loyalty. Intelligence providers will know who their clients are targeting, which can grant valuable insight into the internal dynamics of a country or its foreign affairs. There will thus always be some unease over the possibility that the providers of these intelligence capabilities could be double agents who are either still reporting to their former employers, or sharing that information with others — including those being targeted by the client. Take the case of Saudi Arabia: Even if the cyber tools are being employed by Saudi personnel, can the kingdom be positive that the software isn’t reporting back to the NSO Group through some sort of backdoor channel where it can then be passed on to Israeli intelligence?

And last but not least, the intelligence tools and techniques up for purchase are either industry-standard or one-size-fits-all, and thus may be somewhat outdated and less effective in going after truly hard targets. Such capabilities are therefore unlikely to grant clients capabilities that rival those of first-tier intelligence agencies, such as the U.S. National Security Agency or the Chinese Ministry of State Security. But they can — and indeed have — sufficed when used to target less difficult targets, such as companies, journalists or nongovernmental organizations. And we expect to see them used increasingly against such softer targets going forward. 

Because of this new reality, it is imperative that we update the way we think about the intelligence threat triad. Now, if an actor has interest in a piece of information and the intent to use espionage tools to obtain it — as well as the resources to afford outsourced tools and tradecraft — we must believe that they can acquire the capability to do so; to presume otherwise in an era where anyone can buy advanced espionage proficiency is as foolish as it is dangerous.