The DoD Centralized Cyber Command and the Challenges Ahead

Major kudos to the Department of Defense for creating the DoD Cyber Command last week. Centralizing the DoD’s defense against cyber crime and creating enforceable standards will be a huge step forward in protecting the IT backbone of our physical defenses. The challenge is huge, with one report citing over 100 foreign intelligence operations bombarding the DoD network with millions of exploit attempts per day. There is also a cost factor – human costs as well as dollars – with the DoD recently reporting that it spent over $100M remediating compromised machines over a six-month period, and that 1,500 machines had to be taken offline.

We have had the opportunity to work with various elements of the DoD over the past several months, and seen firsthand what will be at least part of the agenda of this new Cyber Command.

The first challenge is continually ensuring the security readiness of every endpoint machine. It sounds elemental (which it is), but given the diversity of equipment, software, policies and geographies represented by the DoD, this is no small task. It includes ensuring that the defensive software, standard configurations and policies are enforced on every machine, every day. The defensive software must be properly stood up, properly configured, and checked to detect whether it has been compromised in any way. I have not served in the military, but I believe that would fall under the concept of establishing and protecting the perimeter. While it sounds elemental, it is often the first failure point in a defense-in-depth strategy.

The second challenge is keeping endpoint machines free of applications that directly or indirectly create vulnerabilities on these machines.  Unauthorized software such as peer-to-peer applications has already been identified as the source of breaches of sensitive data, and even the most seemingly innocuous software must be identified and removed from machines on an ongoing basis.  And applications must be removed surgically – not through uninstall programs – to ensure that there are no malicious payloads left behind.

The third challenge is situational awareness and response to the evolving attack vectors bombarding the DoD networks and machines. The networks are a focal point and are continuously hardened, but the real fight may be at the endpoint. The expectation must be that attacks will come at critical times and at critical places, and that these attacks will be engineered to evade signature-based protections. The DoD machines must be able to identify such an attack in real time, analyze the threat level and root cause, and remediate it as quickly as possible. The remediation must be situational, holistic, and surgical, and return the endpoint machine to working order without rebooting or re-imaging. All of this would likely happen in an environment where cyber experts will not be at the ready and there will be no time to do the analysis and research needed to write a new signature or a remediation script.

At this point those of you who know our product are likely concluding that this is a thinly veiled marketing message, as these three challenges fit neatly into what our product can deliver. It is actually the opposite, as these challenges have emerged after numerous conversations with members of the defense and intelligence communities. After showing what our product can do, the feedback from these meetings is represented in these challenges, so they naturally fall along the lines of our capabilities. DoD audiences certainly like the idea that Triumfant will enforce configurations and policies on a daily basis, returning every machine to audit readiness every day. We are already on the job at the Pentagon identifying and removing unauthorized software from approximately 12,000 machines. And the collective eyes at DoD briefings get pretty large when they see our ability to detect, analyze and remediate a malicious attack in three to five minutes without the need for prior knowledge of the attack or the need to write a script or re-image the machine.

What we see consistently in our dealings with the DoD is need, and we see multiple organizations working to address those needs, and we therefore see the benefit of having a centralized command for cyber security. It is clearly the right strategy, but as in all things, success will be measured by results and not concepts. There are a lot of moving parts, diverse requirements, and multiple initiatives within any one branch of the DoD, much less the entire DoD structure. So bringing all of these stakeholders together will be a challenge. But it is certainly a noble undertaking and one that is critical to the protection of the country, because advanced warfare technology is quickly neutralized without the computer systems we rely on for command and control.