DOD wants to stop playing 'whack-a-mole' on cyber

Cyber forces across all the services are lending a hand to defend DOD networks as part of a more proactive approach, officials say.

The Defense Department is looking to get more proactive in defending its information network, rather than simply responding to attacks.

“In the past, as different incidents have happened across the DODIN, we have been playing whack-a-mole – something pops up, we send a team,” said Air Force Lt. Col. Patrick Daniel, deputy director for Strategy and Plans at Joint Force Headquarters-DOD Information Networks (JFHQ-DODIN). “So we want to take a strategic look at this.”

Daniel, speaking at an AFCEA-hosted event April 21, said there are plans for a first-ever DODIN defense strategic plan – something he described as “very significant.” By looking at and understanding adversarial capabilities and intent, U.S. forces can be better postured to get ahead of them. “So now we’re taking this deliberate strategic look going to plan, which will ultimately become an operation that governs our day-to-day DODIN operations and DCO-ICM activities globally,” he said.

JFHQ-DODIN, a subordinate command of U.S. Cyber Command, is responsible for defending DOD networks and has been described by its commander, Lt. Gen. Alan Lynn, as the operational arm of Cyber Command. Since achieving its initial operating capability 15 months ago, it has been in 17 named operations, which, according to Daniel, are “either threats that we have faced or actual incidents or intrusions into the DODIN that have warranted a named operation in response to that particular threat or that particular incident.”

“To take it one step further,” Lynn said at the AFCEA event a day earlier, JFHQ-DODIN has “actually deployed forces just like you deploy people within land, sea and air, [we] actually deploy people in cyberspace. That means actually moving them to other parts of the globe and we’ve done that already in a joint fashion.”

Lynn said that during some of these named operations in which forces were deployed, “we’ve had Air Force teams in Navy cyberspace, what would be normally a Navy mission and we had Air Force people on it, so it’s truly joint.”

“In this particular case, in support of that combatant command’s mission, the Navy had an issue, but the Navy did not have resources to confront that issue. So we from a Joint Force Headquarters perspective, [say] hey, we can use an Air Force team here to get at this Navy problem,” Daniel described of Lynn’s example April 21 in an appearance at the same AFCEA conference. “Was it smooth and easy and perfect? Absolutely not because you have a team from one service trying to operate on a combat platform for another service, and that’s unheard of, [but] we figured out how to do it.”

Daniel said that the joint headquarters, having command authority over the entirety of the services, provides unprecedented capabilities. “The Navy could bring all the Navy’s forces to bear to counter a certain problem [on a Navy network] and can request help from someone…and we quite frankly haven’t seen that in the past,” he said. “But now with Joint Force Headquarters-DODIN as a supported command for global DODIN operations in defense, the Navy comes to us and [if they’re out of teams], let’s get a different service’s team on that, because we have the authority to do that.”

JFHQ-DODIN has two important mission sets, Daniel said: DODIN operations and defensive cyber operations – internal defensive measures. DODIN operations, he said are “those things that you have to do every day because you have a network. You have to apply patches as they go out. You have to have passwords on certain things. There are certain things you have to do by virtue of operating and maintaining a network.”  On the other hand, DCO-IDM “are specific actions that we take in response to either intelligence, a threat or an incident that occurs.”

These two missions can easily blend together. For instance, when performing routine patching as part of maintaining a network, intelligence might indicate that a particular threat or adversary is looking to exploit software or servers. “So now that DODIN operations action that everyone is supposed to be doing now becomes a DCO-IDM action because we have some threat or some information that says an adversary is going to try to exploit this,” he said adding that forces will be deployed right away to address this concern. 

The joint headquarters also supports combatant commanders and is lending a hand currently to Central Command in its fight against ISIS, also known as ISIL. “Inside U.S. Central Command right now we have Operation Inherent Resolve online, the fight against ISIL. We – Joint Force Headquarters-DODIN – are operating in support of U.S. Central Command and Operation Inherent Resolve,” Daniel said, although he declined to offer specifics on what types of services JFHQ-DODIN provides CENTCOM as part of this effort. “In general, non-state actors are one group that we look at as far as the defense of the DODIN in whole,” he told Defense System’s following his talk. While Defense Secretary Ashton Carter has directed Cyber Command to conduct offensive cyber operations against ISIS, JFHQ-DODIN only performs defensive operations. Moreover, many experts have asserted that non-state groups lack the capabilities to conduct destructive cyber activity. 

“Just like any other adversary, we monitor their capabilities,” Daniel said of non-state groups. “We want to make sure that we are understanding kind of what their intent is, what their goals are and that we are adequately defended against those things based off what we can do internal to DOD networks … We know they like to use social media, those kinds of things, that’s really outside of our realm, that’s outside of DOD networks so there’s not a whole lot we at JFHQ-DODIN can do there. So we just have to be aware of what things they are maybe trying to do to DOD networks. Things like website defacements, things like that, we’re keenly aware of and we’re going to make sure our networks are defended as best we can do.”

In terms of reaching a full operational capability for JFHQ-DODIN, Daniel said there is not an exact date because FOC will be conditions-based. “Right now at our IOC, we’re able to do a certain number of functions…As we grow, as we gain more personnel, we’ll be able to do a larger range of functions that will take us into our full mission capability,” he said, adding there is a conditions-based approach of how the force will get to FOC, though he did not elaborate further.