Outcomes, Not Programs, Will Define DOD’s Cybersecurity Record
The Defense Department is changing how it defines and defends its networks.
In 2019, the Defense Department embarked on two new cybersecurity programs: Automated Continuous Endpoint Monitoring, or ACEM, and Comply-to-Connect, or C2C. These programs are changing the way the department defines and defends its networks. The outcome will be a vastly improved enterprise security posture as well as advanced automation that will let Defense redirect limited resources toward higher-order cybersecurity missions.
ACEM and C2C share the common goal of ensuring that the department knows what is connecting to and what is happening on its networks (in agency-speak, “domain awareness”). ACEM is intended to help solve the problem of detecting and profiling Windows-based devices, or endpoints, and account for the software on them. C2C will solve the problem of detecting, profiling and securing non-traditional categories of devices such as internet of things or networked operational technology, including, for example, industrial controllers. Firmly grounded in the National Institute of Standards and Technology’s Cybersecurity Framework and the Center for Internet Security top 20 critical controls, these two programs will give Defense the capability to monitor every single connecting device for its compliance with the department’s security policies and automatically enforce these policies to mitigate risk.
Detecting devices on networks has proven to be exceedingly difficult for all federal departments and agencies. Utilizing a program similar to C2C, called Continuous Diagnostics and Mitigation, federal civilian agencies discovered, on average, 75% more devices on their networks than they previously knew about. Defense faces the same problem. A connected device that is unknown—an unmanaged device—is one that cannot receive patches and updates and therefore introduces major cyber risk to the enterprise. Unmanaged devices present an easy path for adversaries to access and exploit higher-value parts of the network, or to degrade, deny, disrupt or even destroy critical network components.
Between 2016 and 2018, several events occurred that underscored Defense’s lack of cyber domain awareness. In February 2016, in what has become known as the “Eight Star Memo,” the Commanders of U.S. Northern and Pacific Commands sent a letter to then-Secretary of Defense Ash Carter asking for more focus on “cybersecurity of DOD critical infrastructure Industrial Control Systems.” Following this, the Homeland Security Department issued a directive to all federal agencies to remove products manufactured by Kaspersky Lab.
In 2018, a scathing Government Accountability Office report highlighted the present reality that cyberattacks could “target any weapon subsystem that is dependent on software.” Also that year, in a discussion of the department’s first-ever completed audit, then-Comptroller David Norquist stated: “Our single largest number of findings is IT security around our business systems”; only five of the 21 audits conducted received a “passing” result.
Yet against the background of these alarm bells, several important things began. Congress, dissatisfied with the department’s inability to account for the hardware and software on its networks, directed department leaders to develop an automated means to determine the security and license status of deployed software, resulting directly in the two programs described here. U.S. Cyber Command then outlined six categories of endpoints to help identify and account for previously overlooked parts of the domain.
The Navy and Marine Corps, which had been testing the C2C concept for some time, stepped forward and agreed to serve as “Pathfinders” for Defense’s planned enterprise C2C program. The anticipated outcomes for these services’ C2C deployments include: comprehensive network-based visibility, discovery and classification of devices; redundant manageability and control of devices; orchestration with mandated security and network management solutions; and continuous monitoring and automated remediation. These outcomes are game-changing because they have been neither achieved nor achievable at scale in the past. The Pathfinders will inform the enterprise deployment of C2C across Defense information networks.
Knowing what is on your networks and what is happening on your networks are truly the basics of cybersecurity. In this sense, ACEM and C2C are simple and unremarkable. Yet these programs implement cyber basics in a manner not seen before: comprehensively and continuously. They build upon existing cyber capabilities but pave the way toward future desired end-states: above all, awareness of the true cyber domain and the automation of routine cyber tasks. These outcomes, not a program of record or catchy acronym, will be the legacy of the department’s current cyber leaders.
Katherine Gronberg is vice president for government affairs at Forescout.